Add constants for BN_rand and use them.

See upstream's f67cbb74437842a0f88f84f43a0faa968ca77b35 and
2301d91dd58d9827865e360d616291f2549ec5bf.

Change-Id: I3b79323847a7610143a9dfb9b5b45bf7a33d8690
Reviewed-on: https://boringssl-review.googlesource.com/10369
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

crypto/bn/bn_test.cc

@@ -668,8 +668,7 @@ static bool TestBN2BinPadded(BN_CTX *ctx) {
 
   // Test a random numbers at various byte lengths.
   for (size_t bytes = 128 - 7; bytes <= 128; bytes++) {
-    if (!BN_rand(n.get(), bytes * 8, 0 /* make sure top bit is 1 */,
-                 0 /* don't modify bottom bit */)) {
+    if (!BN_rand(n.get(), bytes * 8, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) {
       ERR_print_errors_fp(stderr);
       return false;
     }
@@ -915,34 +914,34 @@ static bool TestRand() {
 
   // Test BN_rand accounts for degenerate cases with |top| and |bottom|
   // parameters.
-  if (!BN_rand(bn.get(), 0, 0 /* top */, 0 /* bottom */) ||
+  if (!BN_rand(bn.get(), 0, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY) ||
       !BN_is_zero(bn.get())) {
     fprintf(stderr, "BN_rand gave a bad result.\n");
     return false;
   }
-  if (!BN_rand(bn.get(), 0, 1 /* top */, 1 /* bottom */) ||
+  if (!BN_rand(bn.get(), 0, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD) ||
       !BN_is_zero(bn.get())) {
     fprintf(stderr, "BN_rand gave a bad result.\n");
     return false;
   }
 
-  if (!BN_rand(bn.get(), 1, 0 /* top */, 0 /* bottom */) ||
+  if (!BN_rand(bn.get(), 1, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY) ||
       !BN_is_word(bn.get(), 1)) {
     fprintf(stderr, "BN_rand gave a bad result.\n");
     return false;
   }
-  if (!BN_rand(bn.get(), 1, 1 /* top */, 0 /* bottom */) ||
+  if (!BN_rand(bn.get(), 1, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY) ||
       !BN_is_word(bn.get(), 1)) {
     fprintf(stderr, "BN_rand gave a bad result.\n");
     return false;
   }
-  if (!BN_rand(bn.get(), 1, -1 /* top */, 1 /* bottom */) ||
+  if (!BN_rand(bn.get(), 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ODD) ||
       !BN_is_word(bn.get(), 1)) {
     fprintf(stderr, "BN_rand gave a bad result.\n");
     return false;
   }
 
-  if (!BN_rand(bn.get(), 2, 1 /* top */, 0 /* bottom */) ||
+  if (!BN_rand(bn.get(), 2, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY) ||
       !BN_is_word(bn.get(), 3)) {
     fprintf(stderr, "BN_rand gave a bad result.\n");
     return false;
@@ -1291,7 +1290,8 @@ static bool TestBadModulus(BN_CTX *ctx) {
 // TestExpModZero tests that 1**0 mod 1 == 0.
 static bool TestExpModZero() {
   ScopedBIGNUM zero(BN_new()), a(BN_new()), r(BN_new());
-  if (!zero || !a || !r || !BN_rand(a.get(), 1024, 0, 0)) {
+  if (!zero || !a || !r ||
+      !BN_rand(a.get(), 1024, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) {
     return false;
   }
   BN_zero(zero.get());

crypto/bn/prime.c

@@ -651,7 +651,7 @@ static int probable_prime(BIGNUM *rnd, int bits) {
   char is_single_word = bits <= BN_BITS2;
 
 again:
-  if (!BN_rand(rnd, bits, 1, 1)) {
+  if (!BN_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD)) {
     return 0;
   }
 
@@ -735,7 +735,7 @@ static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,
     goto err;
   }
 
-  if (!BN_rand(rnd, bits, 0, 1)) {
+  if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) {
     goto err;
   }
 
@@ -798,7 +798,7 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
     goto err;
   }
 
-  if (!BN_rand(q, bits, 0, 1)) {
+  if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) {
     goto err;
   }
 

crypto/bn/random.c

@@ -123,6 +123,17 @@ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
     return 0;
   }
 
+  if (top != BN_RAND_TOP_ANY && top != BN_RAND_TOP_ONE &&
+      top != BN_RAND_TOP_TWO) {
+    OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
+  }
+
+  if (bottom != BN_RAND_BOTTOM_ANY && bottom != BN_RAND_BOTTOM_ODD) {
+    OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
+  }
+
   if (bits == 0) {
     BN_zero(rnd);
     return 1;
@@ -143,8 +154,8 @@ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
     goto err;
   }
 
-  if (top != -1) {
-    if (top && bits > 1) {
+  if (top != BN_RAND_TOP_ANY) {
+    if (top == BN_RAND_TOP_TWO && bits > 1) {
       if (bit == 0) {
         buf[0] = 1;
         buf[1] |= 0x80;
@@ -158,8 +169,8 @@ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
 
   buf[0] &= ~mask;
 
-  /* set bottom bit if requested */
-  if (bottom)  {
+  /* Set the bottom bit if requested, */
+  if (bottom == BN_RAND_BOTTOM_ODD)  {
     buf[bytes - 1] |= 1;
   }
 
@@ -210,8 +221,7 @@ int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,
       /* range = 100..._2, so 3*range (= 11..._2) is exactly one bit longer
        * than range. This is a common scenario when generating a random value
        * modulo an RSA public modulus, e.g. for RSA base blinding. */
-      if (!BN_rand(r, n + 1, -1 /* don't set most significant bits */,
-                   0 /* don't set least significant bits */)) {
+      if (!BN_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {
         return 0;
       }
 
@@ -230,7 +240,7 @@ int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,
       }
     } else {
       /* range = 11..._2  or  range = 101..._2 */
-      if (!BN_rand(r, n, -1, 0)) {
+      if (!BN_rand(r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {
         return 0;
       }
     }

crypto/dh/dh.c

@@ -311,7 +311,7 @@ int DH_generate_key(DH *dh) {
         priv_bits = p_bits - 1;
       }
 
-      if (!BN_rand(priv_key, priv_bits, 0, 0)) {
+      if (!BN_rand(priv_key, priv_bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) {
         goto err;
       }
     }

include/openssl/bn.h

@@ -577,15 +577,27 @@ OPENSSL_EXPORT BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p,
 
 /* Random and prime number generation. */
 
-/* BN_rand sets |rnd| to a random number of length |bits|. If |top| is zero, the
- * most-significant bit, if any, will be set. If |top| is one, the two most
- * significant bits, if any, will be set.
+/* The following are values for the |top| parameter of |BN_rand|. */
+#define BN_RAND_TOP_ANY    -1
+#define BN_RAND_TOP_ONE     0
+#define BN_RAND_TOP_TWO     1
+
+/* The following are values for the |bottom| parameter of |BN_rand|. */
+#define BN_RAND_BOTTOM_ANY  0
+#define BN_RAND_BOTTOM_ODD  1
+
+/* BN_rand sets |rnd| to a random number of length |bits|. It returns one on
+ * success and zero otherwise.
  *
- * If |top| is -1 then no extra action will be taken and |BN_num_bits(rnd)| may
- * not equal |bits| if the most significant bits randomly ended up as zeros.
+ * |top| must be one of the |BN_RAND_TOP_*| values. If |BN_RAND_TOP_ONE|, the
+ * most-significant bit, if any, will be set. If |BN_RAND_TOP_TWO|, the two
+ * most significant bits, if any, will be set. If |BN_RAND_TOP_ANY|, no extra
+ * action will be taken and |BN_num_bits(rnd)| may not equal |bits| if the most
+ * significant bits randomly ended up as zeros.
  *
- * If |bottom| is non-zero, the least-significant bit, if any, will be set. The
- * function returns one on success or zero otherwise. */
+ * |bottom| must be one of the |BN_RAND_BOTTOM_*| values. If
+ * |BN_RAND_BOTTOM_ODD|, the least-significant bit, if any, will be set. If
+ * |BN_RAND_BOTTOM_ANY|, no extra action will be taken. */
 OPENSSL_EXPORT int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
 
 /* BN_pseudo_rand is an alias for |BN_rand|. */