mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 17:38:00 +00:00

Provable primes: be more careful about max_bits_needed.

When judging how many bits of the generated prime we can afford to
consume with factors of p-1 and still have enough last few bits to
vary to find an actual prime in the range, I started by setting
max_bits_needed to the total size of the required output number, and
then subtracting a safety margin.

But that doesn't account for the fact that some bits may _already_
have been used by prior requirements from the PrimeCandidateSource,
such as the 'firstbits' used in RSA generation, or the 160-bit factor
of p-1 used in DSA.

So now we start by initialising max_bits_needed by asking the PCS how
many bits of entropy it still has left, and making sure not to reduce
_that_ by too much. Should fix another cause of hangs during prime
generation.

(Also, while I'm here, I've tweaked one of the compiled-out
diagnostics so that it reports how many bits it _does_ have left once
it starts trying to find a prime. That should make it easier to spot
any further problems in this area.)
Simon Tatham 2020-03-02 18:49:21 +00:00
parent bf3aa818e4
commit 68ebcd7b86


@ -358,7 +358,7 @@ static mp_int *provableprime_generate_inner(
mp_free(to_free);
}
max_bits_needed = mp_get_nbits(upperbound);
max_bits_needed = pcs_get_bits_remaining(pcs);
/*
* We need a prime that is greater than or equal to
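Review bot: the new initialisation `max_bits_needed = pcs_get_bits_remaining(pcs);` has no visible guard that the value is at least as large as the safety margin the commit message says is subtracted next; since the margin subtraction is outside this hunk's context, consider adding an assertion (or an early failure path) right after this line so that a PrimeCandidateSource that has already consumed nearly all of its entropy cannot drive `max_bits_needed` through zero and reintroduce the hang this change is meant to fix. The comment block that starts immediately below ("We need a prime that is greater than or equal to") should also be re-read to confirm it no longer describes the old `mp_get_nbits(upperbound)` derivation.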
@ -619,7 +619,8 @@ static mp_int *provableprime_generate_inner(
debug_f("ppgi(%u) no need to recurse", bits);
}
debug_f("ppgi(%u) ready", bits);
debug_f("ppgi(%u) ready, %u bits remaining",
bits, pcs_get_bits_remaining(pcs));
pcs_ready(pcs);
while (true) {
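Review bot: the added `debug_f("ppgi(%u) ready, %u bits remaining", bits, pcs_get_bits_remaining(pcs));` passes the return value of `pcs_get_bits_remaining()` to a `%u` conversion; please confirm that function returns `unsigned` rather than `size_t`, otherwise the compiled-out diagnostic carries a format/argument mismatch (use `%zu`, or cast, if it is `size_t`). Since the call sits just before `pcs_ready(pcs)`, it would also be worth a one-line comment noting that the reported count is the entropy left before the source is finalised, so the diagnostic is not misread when chasing further hangs.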