Replace random_byte() with random_read().

This is in preparation for a PRNG revamp which will want to have a
well defined boundary for any given request-for-randomness, so that it
can destroy the evidence afterwards. So no more looping round calling
random_byte() and then stopping when we feel like it: now you say up
front how many random bytes you want, and call random_read() which
gives you that many in one go.

Most of the call sites that had to be fixed are fairly mechanical, and
quite a few ended up more concise afterwards. A few became more
cumbersome, such as mp_random_bits, in which the new API doesn't let
me load the random bytes directly into the target integer without
triggering undefined behaviour, so instead I have to allocate a
separate temporary buffer.

The _most_ interesting call site was in the PKCS#1 v1.5 padding code
in sshrsa.c (used in SSH-1), in which you need a stream of _nonzero_
random bytes. The previous code just looped on random_byte, retrying
if it got a zero. Now I'm doing a much more interesting thing with an
mpint, essentially scaling a binary fraction repeatedly to extract a
number in the range [0,255) and then adding 1 to it.

ssh2kex-client.c

@@ -556,17 +556,12 @@ void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted)
         {
             int klen = ssh_rsakex_klen(s->rsa_kex_key);
             int nbits = klen - (2*s->kex_alg->hash->hlen*8 + 49);
-            int i, byte = 0;
             strbuf *buf, *outstr;
 
+            mp_int *tmp = mp_random_bits(nbits - 1);
             s->K = mp_power_2(nbits - 1);
-
-            for (i = 0; i < nbits; i++) {
-                if ((i & 7) == 0) {
-                    byte = random_byte();
-                }
-                mp_set_bit(s->K, i, (byte >> (i & 7)) & 1);
-            }
+            mp_add_into(s->K, s->K, tmp);
+            mp_free(tmp);
 
             /*
              * Encode this as an mpint.