Improve RSA signing #225

Closed
4 of 9 tasks
briansmith opened this issue Jun 21, 2016 · 2 comments

@briansmith (Owner) commented Jun 21, 2016

Roughly in order of priority:

  • Get rid of the undefined behavior in BN_mod_exp_consttime, caused by strict aliasing violations.
  • Get rid of the unnecessary reductions at the start (and end?) of BN_mod_exp_consttime. Done in 52879da.
  • BN_reduce_montgomery should be reviewed and tested. I believe it can be simplified to a single multiplication.
  • We should run BoringSSL's fuzz tests against the private key parser.
  • GFp_rsa_private_transform should be redone in Rust: Implement RSA signing (using CRT) in Rust, replacing GFp_rsa_private_transform #365.
  • The blinding logic should get redone in Rust, replacing blinding.c completely: Replace crypto/rsa/blinding.c with Rust code #364, Do RSA Blinding in Rust. #372.
  • Add tests for keys that aren't multiples of 1024 bits.
  • Add support (and tests) for keys larger than 4096 bits.
  • At least for PSS, and maybe PKCS#1 1.5, it seems we can reduce allocations in the application of the padding; we should do that. Here's the key point from Implement RSA PSS verification and signing. #262: "Instead of setting out to 'PS || 0x01 || salt' and then masking it with db_mask, why not fill out with the MGF1 output and then mask 'PS || 0x01 || salt' onto it? Wouldn't this avoid the need for the extra buffer?" Done.
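The PSS allocation point in the last bullet, worked through as an added example. This is not ring's code and not code from this issue; it is a stand-alone Python rendering of EMSA-PSS-ENCODE (RFC 8017 section 9.1.1) written twice, once the textbook way with a separate DB buffer and a separate dbMask buffer, and once the way the quoted comment suggests, writing the MGF1 output straight into EM and XOR-ing only `0x01 || salt` onto it. It assumes SHA-256 for both the message hash and MGF1, a constructed sample message, a fixed 32-byte salt so the run is reproducible, and emBits = 2047 standing in for a 2048-bit modulus; the function and constant names are this example's own.

```python
# Added example, not ring's code: EMSA-PSS-ENCODE (RFC 8017 9.1.1) done with two
# scratch buffers (DB and dbMask) and then in place, writing the MGF1 output into
# EM directly; PS is all zero bytes, so only "0x01 || salt" has to be XORed onto it.
import hashlib
import hmac


def mgf1_into(dest: bytearray, start: int, length: int, seed: bytes,
              hash_name: str = "sha256") -> None:
    """MGF1 (RFC 8017 B.2.1) written into dest[start:start+length], no extra buffer."""
    written, counter = 0, 0
    while written < length:
        block = hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        take = min(len(block), length - written)
        dest[start + written:start + written + take] = block[:take]
        written += take
        counter += 1


def _pss_layout(m: bytes, em_bits: int, salt: bytes, hash_name: str):
    """Shared steps of EMSA-PSS-ENCODE: length checks and H = Hash(M')."""
    em_len = (em_bits + 7) // 8
    h_len = hashlib.new(hash_name).digest_size
    if em_len < h_len + len(salt) + 2:
        raise ValueError("encoding error: intended encoded message length too short")
    m_hash = hashlib.new(hash_name, m).digest()
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()   # M' = pad8 || mHash || salt
    return em_len, h_len, em_len - h_len - 1, h                        # db_len = emLen - hLen - 1


def emsa_pss_encode_two_buffers(m: bytes, em_bits: int, salt: bytes,
                                hash_name: str = "sha256") -> bytes:
    """Textbook encoder: DB and dbMask each live in their own buffer."""
    em_len, h_len, db_len, h = _pss_layout(m, em_bits, salt, hash_name)
    db = b"\x00" * (db_len - len(salt) - 1) + b"\x01" + salt   # buffer 1: PS || 0x01 || salt
    db_mask = bytearray(db_len)                                 # buffer 2: MGF1 output
    mgf1_into(db_mask, 0, db_len, h, hash_name)
    em = bytearray(bytes(a ^ b for a, b in zip(db, db_mask)) + h + b"\xbc")
    em[0] &= 0xFF >> (8 * em_len - em_bits)   # clear the leftmost 8*emLen - emBits bits
    return bytes(em)


def emsa_pss_encode_in_place(m: bytes, em_bits: int, salt: bytes,
                             hash_name: str = "sha256") -> bytes:
    """The issue's variant: only EM is allocated; the mask is written into it directly."""
    em_len, h_len, db_len, h = _pss_layout(m, em_bits, salt, hash_name)
    em = bytearray(em_len)
    mgf1_into(em, 0, db_len, h, hash_name)       # over PS (all zeros) maskedDB == dbMask
    salt_start = db_len - len(salt)
    em[salt_start - 1] ^= 0x01                   # XOR the 0x01 separator onto the mask
    for i, b in enumerate(salt):                 # XOR the salt onto the mask
        em[salt_start + i] ^= b
    em[db_len:db_len + h_len] = h
    em[em_len - 1] = 0xBC
    em[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(em)


def emsa_pss_verify(m: bytes, em: bytes, em_bits: int, s_len: int,
                    hash_name: str = "sha256") -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2); H is compared in constant time."""
    em_len = (em_bits + 7) // 8
    h_len = hashlib.new(hash_name).digest_size
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    db_len = em_len - h_len - 1
    masked_db, h = em[:db_len], em[db_len:db_len + h_len]
    unused_bits = 8 * em_len - em_bits
    if masked_db[0] & (~(0xFF >> unused_bits) & 0xFF):   # leftmost unused bits must be 0
        return False
    db_mask = bytearray(db_len)
    mgf1_into(db_mask, 0, db_len, h, hash_name)
    db = bytearray(a ^ b for a, b in zip(masked_db, db_mask))
    db[0] &= 0xFF >> unused_bits                         # RFC step 9: clear the top bits of DB
    ps_len = db_len - s_len - 1
    if any(db[:ps_len]) or db[ps_len] != 0x01:           # PS must be all zero, then 0x01
        return False
    salt = bytes(db[ps_len + 1:])
    m_hash = hashlib.new(hash_name, m).digest()
    h_prime = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h_prime)


# Constructed sample input: a 2048-bit modulus gives emBits = 2047. The salt is fixed
# only so the run is reproducible; real signing draws it from a CSPRNG (os.urandom).
SAMPLE_MESSAGE = b"constructed message for the EMSA-PSS example"
SAMPLE_SALT = bytes(range(32))
SAMPLE_EM_BITS = 2047


def demo():
    """Return (two_buffer_em, in_place_em, verifies) for the sample input."""
    a = emsa_pss_encode_two_buffers(SAMPLE_MESSAGE, SAMPLE_EM_BITS, SAMPLE_SALT)
    b = emsa_pss_encode_in_place(SAMPLE_MESSAGE, SAMPLE_EM_BITS, SAMPLE_SALT)
    return a, b, emsa_pss_verify(SAMPLE_MESSAGE, b, SAMPLE_EM_BITS, len(SAMPLE_SALT))
```

`demo()` returns both encodings and the verify result; the two encodings are byte-identical because XOR-ing the all-zero PS onto the mask is a no-op, so the only bytes that have to be written over the mask are the `0x01` separator and the salt. The textbook path needs DB and dbMask as two scratch buffers beyond EM; the in-place path needs none, which is the saving the quoted comment is after (in C or Rust the MGF1 routine would write into the caller's slice exactly as `mgf1_into` does here). The verifier clears the leftmost unused bits of DB before the PS check, as RFC 8017 requires, rejects a wrong salt length or a truncated EM, and compares H with `hmac.compare_digest` rather than `==`.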
@briansmith (Owner, Author) commented:

I factored out some of the bullet points in the initial comment into their own issues. Besides the things noted above, there are many issues tagged "rsa", most of which are about RSA signing.

@briansmith (Owner, Author) commented:

Closing this since the remaining issues are each tracked separately.
