* New upstream release.debian/15+1533136590.3beb971-1

  - debian/patches/second-stage-path: dropped; the default loader path now
    includes an arch suffix.
  - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
  - debian/copyright: Update upstream source location.
  - debian/control: add a Build-Depends on libelf-dev.
  - Enable arm64 build.
  - debian/patches/fixup_git.patch: don't run git in clean; we're not
    really in a git tree.
  - debian/rules, debian/shim.install: use the upstream install target as
    intended, and move files to the target directory using dh_install.
  - define RELEASE and COMMIT_ID for the snapshot.
  - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
  - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
    options: set MAKELEVEL.
  - Define an EFI_ARCH variable, and use that for paths to shim. This
    makes it possible to build a shim for other architectures than amd64.
  - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
    in the "right" final directories, and makes boot.csv for us.
  - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
    at compile-time for MokManager and fallback.
  - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
    and MokManager.

1 files changed, 246 insertions, 157 deletions

diff --git a/Cryptlib/OpenSSL/crypto/bn/bn_prime.c b/Cryptlib/OpenSSL/crypto/bn/bn_prime.c
index ad641c37..7103acfe 100644
--- a/Cryptlib/OpenSSL/crypto/bn/bn_prime.c
+++ b/Cryptlib/OpenSSL/crypto/bn/bn_prime.c
@@ -1,125 +1,18 @@
-/* crypto/bn/bn_prime.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+/*
+ * WARNING: do not edit!
+ * Generated by crypto/bn/bn_prime.pl
+ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
  *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
  */
 
 #include <stdio.h>
 #include <time.h>
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
 #include "bn_lcl.h"
-#include <openssl/rand.h>
-
-/*
- * NB: these functions have been "upgraded", the deprecated versions (which
- * are compatibility wrappers using these functions) are in bn_depr.c. -
- * Geoff
- */
 
 /*
  * The quick sieve algorithm approach to weeding out primes is Philip
@@ -132,11 +25,56 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
                    const BIGNUM *a1_odd, int k, BN_CTX *ctx,
                    BN_MONT_CTX *mont);
 static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods);
-static int probable_prime_dh(BIGNUM *rnd, int bits,
-                             const BIGNUM *add, const BIGNUM *rem,
-                             BN_CTX *ctx);
-static int probable_prime_dh_safe(BIGNUM *rnd, int bits, const BIGNUM *add,
-                                  const BIGNUM *rem, BN_CTX *ctx);
+static int probable_prime_dh_safe(BIGNUM *rnd, int bits,
+                                  const BIGNUM *add, const BIGNUM *rem,
+                                  BN_CTX *ctx);
+
+static const int prime_offsets[480] = {
+    13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83,
+    89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163,
+    167, 169, 173, 179, 181, 191, 193, 197, 199, 211, 221, 223, 227, 229,
+    233, 239, 241, 247, 251, 257, 263, 269, 271, 277, 281, 283, 289, 293,
+    299, 307, 311, 313, 317, 323, 331, 337, 347, 349, 353, 359, 361, 367,
+    373, 377, 379, 383, 389, 391, 397, 401, 403, 409, 419, 421, 431, 433,
+    437, 439, 443, 449, 457, 461, 463, 467, 479, 481, 487, 491, 493, 499,
+    503, 509, 521, 523, 527, 529, 533, 541, 547, 551, 557, 559, 563, 569,
+    571, 577, 587, 589, 593, 599, 601, 607, 611, 613, 617, 619, 629, 631,
+    641, 643, 647, 653, 659, 661, 667, 673, 677, 683, 689, 691, 697, 701,
+    703, 709, 713, 719, 727, 731, 733, 739, 743, 751, 757, 761, 767, 769,
+    773, 779, 787, 793, 797, 799, 809, 811, 817, 821, 823, 827, 829, 839,
+    841, 851, 853, 857, 859, 863, 871, 877, 881, 883, 887, 893, 899, 901,
+    907, 911, 919, 923, 929, 937, 941, 943, 947, 949, 953, 961, 967, 971,
+    977, 983, 989, 991, 997, 1003, 1007, 1009, 1013, 1019, 1021, 1027, 1031,
+    1033, 1037, 1039, 1049, 1051, 1061, 1063, 1069, 1073, 1079, 1081, 1087,
+    1091, 1093, 1097, 1103, 1109, 1117, 1121, 1123, 1129, 1139, 1147, 1151,
+    1153, 1157, 1159, 1163, 1171, 1181, 1187, 1189, 1193, 1201, 1207, 1213,
+    1217, 1219, 1223, 1229, 1231, 1237, 1241, 1247, 1249, 1259, 1261, 1271,
+    1273, 1277, 1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307, 1313, 1319,
+    1321, 1327, 1333, 1339, 1343, 1349, 1357, 1361, 1363, 1367, 1369, 1373,
+    1381, 1387, 1391, 1399, 1403, 1409, 1411, 1417, 1423, 1427, 1429, 1433,
+    1439, 1447, 1451, 1453, 1457, 1459, 1469, 1471, 1481, 1483, 1487, 1489,
+    1493, 1499, 1501, 1511, 1513, 1517, 1523, 1531, 1537, 1541, 1543, 1549,
+    1553, 1559, 1567, 1571, 1577, 1579, 1583, 1591, 1597, 1601, 1607, 1609,
+    1613, 1619, 1621, 1627, 1633, 1637, 1643, 1649, 1651, 1657, 1663, 1667,
+    1669, 1679, 1681, 1691, 1693, 1697, 1699, 1703, 1709, 1711, 1717, 1721,
+    1723, 1733, 1739, 1741, 1747, 1751, 1753, 1759, 1763, 1769, 1777, 1781,
+    1783, 1787, 1789, 1801, 1807, 1811, 1817, 1819, 1823, 1829, 1831, 1843,
+    1847, 1849, 1853, 1861, 1867, 1871, 1873, 1877, 1879, 1889, 1891, 1901,
+    1907, 1909, 1913, 1919, 1921, 1927, 1931, 1933, 1937, 1943, 1949, 1951,
+    1957, 1961, 1963, 1973, 1979, 1987, 1993, 1997, 1999, 2003, 2011, 2017,
+    2021, 2027, 2029, 2033, 2039, 2041, 2047, 2053, 2059, 2063, 2069, 2071,
+    2077, 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2117, 2119, 2129, 2131,
+    2137, 2141, 2143, 2147, 2153, 2159, 2161, 2171, 2173, 2179, 2183, 2197,
+    2201, 2203, 2207, 2209, 2213, 2221, 2227, 2231, 2237, 2239, 2243, 2249,
+    2251, 2257, 2263, 2267, 2269, 2273, 2279, 2281, 2287, 2291, 2293, 2297,
+    2309, 2311
+};
+
+static const int prime_offset_count = 480;
+static const int prime_multiplier = 2310;
+static const int prime_multiplier_bits = 11; /* 2^|prime_multiplier_bits| <=
+                                              * |prime_multiplier| */
+static const int first_prime_index = 5;
 
 int BN_GENCB_call(BN_GENCB *cb, int a, int b)
 {
@@ -170,9 +108,20 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
     prime_t *mods = NULL;
     int checks = BN_prime_checks_for_size(bits);
 
-    mods = OPENSSL_malloc(sizeof(*mods) * NUMPRIMES);
+    if (bits < 2) {
+        /* There are no prime numbers this small. */
+        BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
+        return 0;
+    } else if (bits == 2 && safe) {
+        /* The smallest safe prime (7) is three bits. */
+        BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
+        return 0;
+    }
+
+    mods = OPENSSL_zalloc(sizeof(*mods) * NUMPRIMES);
     if (mods == NULL)
         goto err;
+
     ctx = BN_CTX_new();
     if (ctx == NULL)
         goto err;
@@ -190,11 +139,11 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
             if (!probable_prime_dh_safe(ret, bits, add, rem, ctx))
                 goto err;
         } else {
-            if (!probable_prime_dh(ret, bits, add, rem, ctx))
+            if (!bn_probable_prime_dh(ret, bits, add, rem, ctx))
                 goto err;
         }
     }
-    /* if (BN_mod_word(ret,(BN_ULONG)3) == 1) goto loop; */
+
     if (!BN_GENCB_call(cb, 0, c1++))
         /* aborted */
         goto err;
@@ -235,10 +184,9 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
     found = 1;
  err:
     OPENSSL_free(mods);
-    if (ctx != NULL) {
+    if (ctx != NULL)
         BN_CTX_end(ctx);
-        BN_CTX_free(ctx);
-    }
+    BN_CTX_free(ctx);
     bn_check_top(ret);
     return found;
 }
@@ -270,9 +218,13 @@ int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
         /* a is even => a is prime if and only if a == 2 */
         return BN_is_word(a, 2);
     if (do_trial_division) {
-        for (i = 1; i < NUMPRIMES; i++)
-            if (BN_mod_word(a, primes[i]) == 0)
+        for (i = 1; i < NUMPRIMES; i++) {
+            BN_ULONG mod = BN_mod_word(a, primes[i]);
+            if (mod == (BN_ULONG)-1)
+                goto err;
+            if (mod == 0)
                 return 0;
+        }
         if (!BN_GENCB_call(cb, 1, -1))
             goto err;
     }
@@ -288,7 +240,8 @@ int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
         BIGNUM *t;
         if ((t = BN_CTX_get(ctx)) == NULL)
             goto err;
-        BN_copy(t, a);
+        if (BN_copy(t, a) == NULL)
+            goto err;
         t->neg = 0;
         A = t;
     } else
@@ -347,12 +300,88 @@ int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,
         if (ctx_passed == NULL)
             BN_CTX_free(ctx);
     }
-    if (mont != NULL)
-        BN_MONT_CTX_free(mont);
+    BN_MONT_CTX_free(mont);
 
     return (ret);
 }
 
+int bn_probable_prime_dh_retry(BIGNUM *rnd, int bits, BN_CTX *ctx)
+{
+    int i;
+    int ret = 0;
+
+ loop:
+    if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
+        goto err;
+
+    /* we now have a random number 'rand' to test. */
+
+    for (i = 1; i < NUMPRIMES; i++) {
+        /* check that rnd is a prime */
+        BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
+        if (mod == (BN_ULONG)-1)
+            goto err;
+        if (mod <= 1) {
+            goto loop;
+        }
+    }
+    ret = 1;
+
+ err:
+    bn_check_top(rnd);
+    return (ret);
+}
+
+int bn_probable_prime_dh_coprime(BIGNUM *rnd, int bits, BN_CTX *ctx)
+{
+    int i;
+    BIGNUM *offset_index;
+    BIGNUM *offset_count;
+    int ret = 0;
+
+    OPENSSL_assert(bits > prime_multiplier_bits);
+
+    BN_CTX_start(ctx);
+    if ((offset_index = BN_CTX_get(ctx)) == NULL)
+        goto err;
+    if ((offset_count = BN_CTX_get(ctx)) == NULL)
+        goto err;
+
+    if (!BN_add_word(offset_count, prime_offset_count))
+        goto err;
+
+ loop:
+    if (!BN_rand(rnd, bits - prime_multiplier_bits,
+                 BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
+        goto err;
+    if (BN_is_bit_set(rnd, bits))
+        goto loop;
+    if (!BN_rand_range(offset_index, offset_count))
+        goto err;
+
+    if (!BN_mul_word(rnd, prime_multiplier)
+        || !BN_add_word(rnd, prime_offsets[BN_get_word(offset_index)]))
+        goto err;
+
+    /* we now have a random number 'rand' to test. */
+
+    /* skip coprimes */
+    for (i = first_prime_index; i < NUMPRIMES; i++) {
+        /* check that rnd is a prime */
+        BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
+        if (mod == (BN_ULONG)-1)
+            goto err;
+        if (mod <= 1)
+            goto loop;
+    }
+    ret = 1;
+
+ err:
+    BN_CTX_end(ctx);
+    bn_check_top(rnd);
+    return ret;
+}
+
 static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
                    const BIGNUM *a1_odd, int k, BN_CTX *ctx,
                    BN_MONT_CTX *mont)
@@ -383,37 +412,87 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
 static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods)
 {
     int i;
-    BN_ULONG delta, maxdelta;
+    BN_ULONG delta;
+    BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
+    char is_single_word = bits <= BN_BITS2;
 
  again:
-    if (!BN_rand(rnd, bits, 1, 1))
+    if (!BN_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))
         return (0);
-    /* we now have a random number 'rand' to test. */
-    for (i = 1; i < NUMPRIMES; i++)
-        mods[i] = (prime_t) BN_mod_word(rnd, (BN_ULONG)primes[i]);
-    maxdelta = BN_MASK2 - primes[NUMPRIMES - 1];
+    /* we now have a random number 'rnd' to test. */
+    for (i = 1; i < NUMPRIMES; i++) {
+        BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
+        if (mod == (BN_ULONG)-1)
+            return 0;
+        mods[i] = (prime_t) mod;
+    }
+    /*
+     * If bits is so small that it fits into a single word then we
+     * additionally don't want to exceed that many bits.
+     */
+    if (is_single_word) {
+        BN_ULONG size_limit;
+
+        if (bits == BN_BITS2) {
+            /*
+             * Shifting by this much has undefined behaviour so we do it a
+             * different way
+             */
+            size_limit = ~((BN_ULONG)0) - BN_get_word(rnd);
+        } else {
+            size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1;
+        }
+        if (size_limit < maxdelta)
+            maxdelta = size_limit;
+    }
     delta = 0;
- loop:for (i = 1; i < NUMPRIMES; i++) {
-        /*
-         * check that rnd is not a prime and also that gcd(rnd-1,primes) == 1
-         * (except for 2)
+ loop:
+    if (is_single_word) {
+        BN_ULONG rnd_word = BN_get_word(rnd);
+
+        /*-
+         * In the case that the candidate prime is a single word then
+         * we check that:
+         *   1) It's greater than primes[i] because we shouldn't reject
+         *      3 as being a prime number because it's a multiple of
+         *      three.
+         *   2) That it's not a multiple of a known prime. We don't
+         *      check that rnd-1 is also coprime to all the known
+         *      primes because there aren't many small primes where
+         *      that's true.
          */
-        if (((mods[i] + delta) % primes[i]) <= 1) {
-            delta += 2;
-            if (delta > maxdelta)
-                goto again;
-            goto loop;
+        for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) {
+            if ((mods[i] + delta) % primes[i] == 0) {
+                delta += 2;
+                if (delta > maxdelta)
+                    goto again;
+                goto loop;
+            }
+        }
+    } else {
+        for (i = 1; i < NUMPRIMES; i++) {
+            /*
+             * check that rnd is not a prime and also that gcd(rnd-1,primes)
+             * == 1 (except for 2)
+             */
+            if (((mods[i] + delta) % primes[i]) <= 1) {
+                delta += 2;
+                if (delta > maxdelta)
+                    goto again;
+                goto loop;
+            }
         }
     }
     if (!BN_add_word(rnd, delta))
         return (0);
+    if (BN_num_bits(rnd) != bits)
+        goto again;
     bn_check_top(rnd);
     return (1);
 }
 
-static int probable_prime_dh(BIGNUM *rnd, int bits,
-                             const BIGNUM *add, const BIGNUM *rem,
-                             BN_CTX *ctx)
+int bn_probable_prime_dh(BIGNUM *rnd, int bits,
+                         const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx)
 {
     int i, ret = 0;
     BIGNUM *t1;
@@ -422,7 +501,7 @@ static int probable_prime_dh(BIGNUM *rnd, int bits,
     if ((t1 = BN_CTX_get(ctx)) == NULL)
         goto err;
 
-    if (!BN_rand(rnd, bits, 0, 1))
+    if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
         goto err;
 
     /* we need ((rnd-rem) % add) == 0 */
@@ -441,15 +520,20 @@ static int probable_prime_dh(BIGNUM *rnd, int bits,
 
     /* we now have a random number 'rand' to test. */
 
- loop:for (i = 1; i < NUMPRIMES; i++) {
+ loop:
+    for (i = 1; i < NUMPRIMES; i++) {
         /* check that rnd is a prime */
-        if (BN_mod_word(rnd, (BN_ULONG)primes[i]) <= 1) {
+        BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
+        if (mod == (BN_ULONG)-1)
+            goto err;
+        if (mod <= 1) {
             if (!BN_add(rnd, rnd, add))
                 goto err;
             goto loop;
         }
     }
     ret = 1;
+
  err:
     BN_CTX_end(ctx);
     bn_check_top(rnd);
@@ -473,7 +557,7 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
     if (!BN_rshift1(qadd, padd))
         goto err;
 
-    if (!BN_rand(q, bits, 0, 1))
+    if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
         goto err;
 
     /* we need ((rnd-rem) % add) == 0 */
@@ -497,13 +581,17 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
     if (!BN_add_word(p, 1))
         goto err;
 
- loop:for (i = 1; i < NUMPRIMES; i++) {
+ loop:
+    for (i = 1; i < NUMPRIMES; i++) {
         /* check that p and q are prime */
         /*
          * check that for p and q gcd(p-1,primes) == 1 (except for 2)
          */
-        if ((BN_mod_word(p, (BN_ULONG)primes[i]) == 0) ||
-            (BN_mod_word(q, (BN_ULONG)primes[i]) == 0)) {
+        BN_ULONG pmod = BN_mod_word(p, (BN_ULONG)primes[i]);
+        BN_ULONG qmod = BN_mod_word(q, (BN_ULONG)primes[i]);
+        if (pmod == (BN_ULONG)-1 || qmod == (BN_ULONG)-1)
+            goto err;
+        if (pmod == 0 || qmod == 0) {
             if (!BN_add(p, p, padd))
                 goto err;
             if (!BN_add(q, q, qadd))
@@ -512,6 +600,7 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
         }
     }
     ret = 1;
+
  err:
     BN_CTX_end(ctx);
     bn_check_top(p);