Restore P>Q in RSA key generation (#558)

The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
diff --git a/library/rsa.c b/library/rsa.c
index 26d69c5..bf77cb5 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -97,6 +97,9 @@
     if( f_rng == NULL || nbits < 128 || exponent < 3 )
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
+    if( nbits % 2 )
+        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
+
     mpi_init( &P1 ); mpi_init( &Q1 );
     mpi_init( &H ); mpi_init( &G );
 
@@ -111,16 +114,8 @@
        MPI_CHK( mpi_gen_prime( &ctx->P, nbits >> 1, 0,
                                 f_rng, p_rng ) );
 
-        if( nbits % 2 )
-        {
-            MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits >> 1 ) + 1, 0,
+        MPI_CHK( mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
                                 f_rng, p_rng ) );
-        }
-        else
-        {
-            MPI_CHK( mpi_gen_prime( &ctx->Q, nbits >> 1, 0,
-                                f_rng, p_rng ) );
-        }
 
         if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
             continue;
@@ -129,6 +124,9 @@
         if( mpi_msb( &ctx->N ) != nbits )
             continue;
 
+        if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
+                         mpi_swap( &ctx->P, &ctx->Q );
+
         MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
         MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
         MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );