While half of all numbers don't have their most-significant bit set,
this is becoming increasingly impermissible for RSA moduli. In an
attempt to exclude weak keys, several bits of software either do, or
will, enforce that RSA moduli are >= 1024-bits.

However, Go often generates 1023-bit RSA moduli which this software
would then reject.

This change causes crypto/rsa to regenerate the primes in the event
that the result is shorter than requested.

It also alters crypto/rand in order to remove the performance impact
of this:

The most important change to crypto/rand is that it will now set the
top two bits in a generated prime (OpenSSL does the same thing).
Multiplying two n/2 bit numbers, where each have the top two bits set,
will always result in an n-bit product. (The effectively makes the
crypto/rsa change moot, but that seems too fragile to depend on.)

Also this change adds code to crypto/rand to rapidly eliminate some
obviously composite numbers and reduce the number of Miller-Rabin
tests needed to generate a prime.

R=rsc, minux.ma
CC=golang-dev
https://golang.org/cl/7002050