BN_rand_range() needs a BN_rand() variant that doesn't set the MSB.
This commit is contained in:
Ulf Möller
parent
15ed15d3e4
commit
faa624f9f9
2 changed files with 23 additions and 18 deletions
|
|
@ -100,24 +100,27 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
|
|||
goto err;
|
||||
}
|
||||
|
||||
if (top)
|
||||
if (top != -1)
|
||||
{
|
||||
if (bit == 0)
|
||||
if (top)
|
||||
{
|
||||
buf[0]=1;
|
||||
buf[1]|=0x80;
|
||||
if (bit == 0)
|
||||
{
|
||||
buf[0]=1;
|
||||
buf[1]|=0x80;
|
||||
}
|
||||
else
|
||||
{
|
||||
buf[0]|=(3<<(bit-1));
|
||||
buf[0]&= ~(mask<<1);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
buf[0]|=(3<<(bit-1));
|
||||
buf[0]|=(1<<bit);
|
||||
buf[0]&= ~(mask<<1);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
buf[0]|=(1<<bit);
|
||||
buf[0]&= ~(mask<<1);
|
||||
}
|
||||
if (bottom) /* set bottom bits to whatever odd is */
|
||||
buf[bytes-1]|=1;
|
||||
if (!BN_bin2bn(buf,bytes,rnd)) goto err;
|
||||
|
|
@ -163,7 +166,7 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range)
|
|||
do
|
||||
{
|
||||
/* range = 11..._2, so each iteration succeeds with probability >= .75 */
|
||||
if (!BN_rand(r, n, 0, 0)) return 0;
|
||||
if (!BN_rand(r, n, -1, 0)) return 0;
|
||||
}
|
||||
while (BN_cmp(r, range) >= 0);
|
||||
}
|
||||
|
|
@ -173,7 +176,7 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range)
|
|||
* so 3*range (= 11..._2) is exactly one bit longer than range */
|
||||
do
|
||||
{
|
||||
if (!BN_rand(r, n + 1, 0, 0)) return 0;
|
||||
if (!BN_rand(r, n + 1, -1, 0)) return 0;
|
||||
/* If r < 3*range, use r := r MOD range
|
||||
* (which is either r, r - range, or r - 2*range).
|
||||
* Otherwise, iterate once more.
|
||||
|
|
|
|||
|
|
@ -17,10 +17,12 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number
|
|||
=head1 DESCRIPTION
|
||||
|
||||
BN_rand() generates a cryptographically strong pseudo-random number of
|
||||
B<bits> bits in length and stores it in B<rnd>. If B<top> is true, the
|
||||
two most significant bits of the number will be set to 1, so that the
|
||||
product of two such random numbers will always have 2*B<bits> length.
|
||||
If B<bottom> is true, the number will be odd.
|
||||
B<bits> bits in length and stores it in B<rnd>. If B<top> is -1, the
|
||||
most significant bit of the random number can be zero. If B<top> is 0,
|
||||
it is set to 1, and if B<top> is 1, the two most significant bits of
|
||||
the number will be set to 1, so that the product of two such random
|
||||
numbers will always have 2*B<bits> length. If B<bottom> is true, the
|
||||
number will be odd.
|
||||
|
||||
BN_pseudo_rand() does the same, but pseudo-random numbers generated by
|
||||
this function are not necessarily unpredictable. They can be used for
|
||||
|
|
@ -45,7 +47,7 @@ L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
|
|||
=head1 HISTORY
|
||||
|
||||
BN_rand() is available in all versions of SSLeay and OpenSSL.
|
||||
BN_pseudo_rand() was added in OpenSSL 0.9.5, and BN_rand_range()
|
||||
in OpenSSL 0.9.6a.
|
||||
BN_pseudo_rand() was added in OpenSSL 0.9.5. The B<top> == -1 case
|
||||
and the function BN_rand_range() were added in OpenSSL 0.9.6a.
|
||||
|
||||
=cut
|
||||
|
|
|
|||
Loading…
Reference in a new issue