Fix lower bound in e in FIPS RSA checking.

SP 800-89 5.3.3 references FIPS 186 for the bounds on e. I /think/
that's section B.3.1 which says:

  (b) The exponent e shall be an odd positive integer such that 2¹⁶ < e < 2²⁵⁶.

But that means that e has to be at least 17 bits. The check for
BN_is_odd ensures that 2¹⁶ itself is rejected.

Change-Id: Ib39f9d43032cbfe33317651c7b6eceb41b123291
Reviewed-on: https://boringssl-review.googlesource.com/15324
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/crypto/rsa/rsa.c b/crypto/rsa/rsa.c
index 1b62d03..cc4aa75 100644
--- a/crypto/rsa/rsa.c
+++ b/crypto/rsa/rsa.c
@@ -669,7 +669,7 @@
   /* Perform partial public key validation of RSA keys (SP 800-89 5.3.3). */
   /* TODO(svaldez): Check that n is composite and not a power of a prime using
    * extended Miller-Rabin. */
-  if (BN_num_bits(key->e) < 16 ||
+  if (BN_num_bits(key->e) <= 16 ||
       BN_num_bits(key->e) > 256 ||
       !BN_is_odd(key->n) ||
       !BN_is_odd(key->e) ||