Make the bn_rand_interval() API a bit more ergonomic

Provide bn_rand_in_range() which is a slightly tweaked version of what was
previously called bn_rand_range().

The way bn_rand_range() is called in libcrypto, the lower bound is always
expressible as a word. In fact, most of the time it is 1, the DH code uses
a 2, the MR tests in BPSW use 3 and an exceptinally high number appears in
the Tonelli-Shanks implementation where we use 32. Converting these lower
bounds to BIGNUMs on the call site is annoying so let bn_rand_interval()
do that internally and route that through bn_rand_in_range(). This way we
can avoid using BN_sub_word().

Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the
only caller that uses actual BIGNUMs as lower bounds.

ok jsing

1 files changed, 4 insertions, 8 deletions

diff --git a/lib/libcrypto/dh/dh_key.c b/lib/libcrypto/dh/dh_key.c
index a4bd6894836..050d1143f8f 100644
--- a/lib/libcrypto/dh/dh_key.c
+++ b/lib/libcrypto/dh/dh_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_key.c,v 1.39 2023/07/08 15:29:03 beck Exp $ */
+/* $OpenBSD: dh_key.c,v 1.40 2023/08/03 18:53:55 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -109,7 +109,7 @@ generate_key(DH *dh)
 	unsigned l;
 	BN_CTX *ctx;
 	BN_MONT_CTX *mont = NULL;
-	BIGNUM *pub_key = NULL, *priv_key = NULL, *two = NULL;
+	BIGNUM *pub_key = NULL, *priv_key = NULL;
 
 	if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
 		DHerror(DH_R_MODULUS_TOO_LARGE);
@@ -139,11 +139,7 @@ generate_key(DH *dh)
 
 	if (dh->priv_key == NULL) {
 		if (dh->q) {
-			if ((two = BN_new()) == NULL)
-				goto err;
-			if (!BN_add(two, BN_value_one(), BN_value_one()))
-				goto err;
-			if (!bn_rand_interval(priv_key, two, dh->q))
+			if (!bn_rand_interval(priv_key, 2, dh->q))
 				goto err;
 		} else {
 			/* secret exponent length */
@@ -169,7 +165,7 @@ generate_key(DH *dh)
 	if (dh->priv_key == NULL)
 		BN_free(priv_key);
 	BN_CTX_free(ctx);
-	BN_free(two);
+
 	return ok;
 }