BN_rand_range() needs a BN_rand() variant that doesn't set the MSB.

crypto/bn/bn_rand.c

@@ -121,24 +121,27 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
 		}
 #endif
 
-	if (top)
+	if (top != -1)
 		{
-		if (bit == 0)
+		if (top)
 			{
-			buf[0]=1;
-			buf[1]|=0x80;
+			if (bit == 0)
+				{
+				buf[0]=1;
+				buf[1]|=0x80;
+				}
+			else
+				{
+				buf[0]|=(3<<(bit-1));
+				buf[0]&= ~(mask<<1);
+				}
 			}
 		else
 			{
-			buf[0]|=(3<<(bit-1));
+			buf[0]|=(1<<bit);
 			buf[0]&= ~(mask<<1);
 			}
 		}
-	else
-		{
-		buf[0]|=(1<<bit);
-		buf[0]&= ~(mask<<1);
-		}
 	if (bottom) /* set bottom bits to whatever odd is */
 		buf[bytes-1]|=1;
 	if (!BN_bin2bn(buf,bytes,rnd)) goto err;
@@ -192,7 +195,7 @@ int	BN_rand_range(BIGNUM *r, BIGNUM *range)
 		do
 			{
 			/* range = 11..._2, so each iteration succeeds with probability >= .75 */
-			if (!BN_rand(r, n, 0, 0)) return 0;
+			if (!BN_rand(r, n, -1, 0)) return 0;
 			}
 		while (BN_cmp(r, range) >= 0);
 		}
@@ -202,7 +205,7 @@ int	BN_rand_range(BIGNUM *r, BIGNUM *range)
 		 * so  3*range (= 11..._2)  is exactly one bit longer than  range */
 		do
 			{
-			if (!BN_rand(r, n + 1, 0, 0)) return 0;
+			if (!BN_rand(r, n + 1, -1, 0)) return 0;
 			/* If  r < 3*range,  use  r := r MOD range
 			 * (which is either  r, r - range,  or  r - 2*range).
 			 * Otherwise, iterate once more.

doc/crypto/BN_rand.pod

@@ -17,10 +17,12 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number
 =head1 DESCRIPTION
 
 BN_rand() generates a cryptographically strong pseudo-random number of
-B<bits> bits in length and stores it in B<rnd>. If B<top> is true, the
-two most significant bits of the number will be set to 1, so that the
-product of two such random numbers will always have 2*B<bits> length.
-If B<bottom> is true, the number will be odd.
+B<bits> bits in length and stores it in B<rnd>. If B<top> is -1, the
+most significant bit of the random number can be zero. If B<top> is 0,
+it is set to 1, and if B<top> is 1, the two most significant bits of
+the number will be set to 1, so that the product of two such random
+numbers will always have 2*B<bits> length.  If B<bottom> is true, the
+number will be odd.
 
 BN_pseudo_rand() does the same, but pseudo-random numbers generated by
 this function are not necessarily unpredictable. They can be used for
@@ -45,7 +47,7 @@ L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
 =head1 HISTORY
 
 BN_rand() is available in all versions of SSLeay and OpenSSL.
-BN_pseudo_rand() was added in OpenSSL 0.9.5, and BN_rand_range()
-in OpenSSL 0.9.6a.
+BN_pseudo_rand() was added in OpenSSL 0.9.5. The B<top> == -1 case
+and the function BN_rand_range() were added in OpenSSL 0.9.6a.
 
 =cut