crypto/tls: decouple handshake signatures from the handshake hash.

Prior to TLS 1.2, the handshake had a pleasing property that one could
incrementally hash it and, from that, get the needed hashes for both
the CertificateVerify and Finished messages.

TLS 1.2 introduced negotiation for the signature and hash and it became
possible for the handshake hash to be, say, SHA-384, but for the
CertificateVerify to sign the handshake with SHA-1. The problem is that
one doesn't know in advance which hashes will be needed and thus the
handshake needs to be buffered.

Go ignored this, always kept a single handshake hash, and any signatures
over the handshake had to use that hash.

However, there is a set of servers that inspect the client's offered
signature hash functions and will abort the handshake if one of the
server's certificates is signed with a hash function outside of that
set. https://robertsspaceindustries.com/ is an example of such a server.

Clearly not a lot of thought happened when that server code was written,
but it's out there and we have to deal with it.

This change decouples the handshake hash from the CertificateVerify
hash. This lays the groundwork for advertising support for SHA-384 but
doesn't actually make that change in the interests of reviewability.
Updating the advertised hash functions will cause changes in many of the
testdata/ files and some errors might get lost in the noise. This change
only needs to update four testdata/ files: one because a SHA-384-based
handshake is now being signed with SHA-256 and the others because the
TLS 1.2 CertificateRequest message now includes SHA-1.

This change also has the effect of adding support for
client-certificates in SSLv3 servers. However, SSLv3 is now disabled by
default so this should be moot.

It would be possible to avoid much of this change and just support
SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces
and SKX params (a design mistake in TLS). However, that would leave Go
in the odd situation where it advertised support for SHA-384, but would
only use the handshake hash when signing client certificates. I fear
that'll just cause problems in the future.

Much of this code was written by davidben@ for the purposes of testing
BoringSSL.

Partly addresses #9757

Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485
Reviewed-on: https://go-review.googlesource.com/9415
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
This commit is contained in:
Adam Langley 2015-04-28 09:13:38 -07:00
parent ee94166b41
commit 7de6f5ad0c
12 changed files with 447 additions and 322 deletions


@ -9,11 +9,11 @@
00000070 08 04 01 04 03 02 01 02 03 ff 01 00 01 00 00 12 |................|
00000080 00 00 |..|
>>> Flow 2 (server to client)
00000000 16 03 03 00 59 02 00 00 55 03 03 45 6f 12 3b 7d |....Y...U..Eo.;}|
00000010 30 71 fe ad ab 43 21 b1 68 78 42 2e cb b9 44 c9 |0q...C!.hxB...D.|
00000020 93 0a f3 4a dc f6 b1 a1 fe e3 22 20 1b 24 38 d4 |...J......" .$8.|
00000030 5c 84 2e c7 63 c1 a4 84 ca b6 2a 6c b3 90 04 9e |\...c.....*l....|
00000040 7e a6 60 d7 1d 76 26 2f 68 12 59 a3 c0 30 00 00 |~.`..v&/h.Y..0..|
00000000 16 03 03 00 59 02 00 00 55 03 03 c1 99 f4 77 ba |....Y...U.....w.|
00000010 f5 46 ef 26 6d 0d e2 57 6f 04 28 01 4e 69 d8 e0 |.F.&m..Wo.(.Ni..|
00000020 2f 70 03 fe 77 b9 d1 7b fc 49 ed 20 e2 0f 35 19 |/p..w..{.I. ..5.|
00000030 ae 5a 66 04 be cc 60 d3 4f 6d ce b2 25 7f 25 24 |.Zf...`.Om..%.%$|
00000040 31 23 d8 40 bf 78 77 4d fa 11 22 3d c0 30 00 00 |1#.@.xwM.."=.0..|
00000050 0d ff 01 00 01 00 00 0b 00 04 03 00 01 02 16 03 |................|
00000060 03 02 be 0b 00 02 ba 00 02 b7 00 02 b4 30 82 02 |.............0..|
00000070 b0 30 82 02 19 a0 03 02 01 02 02 09 00 85 b0 bb |.0..............|
@ -59,20 +59,20 @@
000002f0 5f 33 c4 b6 d8 c9 75 90 96 8c 0f 52 98 b5 cd 98 |_3....u....R....|
00000300 1f 89 20 5f f2 a0 1c a3 1b 96 94 dd a9 fd 57 e9 |.. _..........W.|
00000310 70 e8 26 6d 71 99 9b 26 6e 38 50 29 6c 90 a7 bd |p.&mq..&n8P)l...|
00000320 d9 16 03 03 00 cd 0c 00 00 c9 03 00 17 41 04 a9 |.............A..|
00000330 2e 21 28 57 be bc 41 fd 5b a8 fa e2 d9 9d d5 47 |.!(W..A.[......G|
00000340 08 f2 68 6c 30 3f da 1c be 40 71 7f 1d 45 a6 24 |..hl0?...@q..E.$|
00000350 73 42 86 16 f8 16 3b 12 87 90 19 dd 03 3a 9a 45 |sB....;......:.E|
00000360 ac ad ce 9f fc 22 8d 1f e7 3e b2 ba 62 29 90 04 |....."...>..b)..|
00000370 01 00 80 a0 41 e8 bf 28 94 15 fa 7b 2c aa 42 08 |....A..(...{,.B.|
00000380 e8 e0 20 5e e0 9b 86 92 c7 f4 78 ce 9a 72 49 19 |.. ^......x..rI.|
00000390 45 cb ed 4f 23 11 3d a2 9a 9e f3 80 47 d3 16 96 |E..O#.=.....G...|
000003a0 ea 91 8d 62 91 5c b6 04 46 7f d5 06 d3 8f 4d f8 |...b.\..F.....M.|
000003b0 77 ae ee c4 42 b6 44 db cd cf 76 aa 5b 3c b0 93 |w...B.D...v.[<..|
000003c0 6d 2d 51 53 f8 f4 c5 3e ba 9c 8f 35 95 7c 87 33 |m-QS...>...5.|.3|
000003d0 95 0b 69 be 33 c0 a9 b7 f7 a8 de ae 1c 95 3a c1 |..i.3.........:.|
000003e0 11 55 4e f6 82 6d 25 d7 96 e5 fd ab cc 72 58 5b |.UN..m%......rX[|
000003f0 6e 12 4c 16 03 03 00 2e 0d 00 00 26 03 01 02 40 |n.L........&...@|
00000320 d9 16 03 03 00 cd 0c 00 00 c9 03 00 17 41 04 2b |.............A.+|
00000330 31 48 64 07 93 c0 be 1d 68 24 fc 3a e9 ab fa 89 |1Hd.....h$.:....|
00000340 5f 30 31 4f 39 bf c5 a4 90 40 2f c1 f3 83 a6 2a |_01O9....@/....*|
00000350 00 aa d5 d3 4e 8b ac 3f 4f d6 a2 e5 e6 3b a7 75 |....N..?O....;.u|
00000360 75 6d 9a de fa 86 ba b8 e5 c0 64 a0 a6 24 8e 04 |um........d..$..|
00000370 01 00 80 0b 10 7f 53 50 56 f1 0d 66 42 b3 6a ab |......SPV..fB.j.|
00000380 8b 47 e5 c2 95 01 3b 1d e6 00 43 3e 5e 1e 15 27 |.G....;...C>^..'|
00000390 9c cb eb 71 8a 57 50 29 5d 46 5d a6 b1 66 13 a6 |...q.WP)]F]..f..|
000003a0 59 0a 0d 8b a1 6f 8b 56 fd 6e 42 df 11 16 00 3c |Y....o.V.nB....<|
000003b0 e7 d4 10 6d 03 63 47 25 f5 fa 5d ae b9 67 fd 06 |...m.cG%..]..g..|
000003c0 e0 c3 8d c3 62 d4 72 18 0b eb 8a c2 3e 40 35 fc |....b.r.....>@5.|
000003d0 ec 6f e1 52 95 4f b8 52 4c 8e 97 67 bc 63 9a 37 |.o.R.O.RL..g.c.7|
000003e0 df 89 2b ae 42 88 b6 f7 5b 31 84 47 44 e2 d8 c2 |..+.B...[1.GD...|
000003f0 79 a8 b0 16 03 03 00 2e 0d 00 00 26 03 01 02 40 |y..........&...@|
00000400 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 04 01 |................|
00000410 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 |................|
00000420 00 00 0e 00 00 00 |......|
@ -114,26 +114,26 @@
00000220 a7 24 20 3e b2 56 1c ce 97 28 5e f8 2b 2d 4f 9e |.$ >.V...(^.+-O.|
00000230 f1 07 9f 6c 4b 5b 83 56 e2 32 42 e9 58 b6 d7 49 |...lK[.V.2B.X..I|
00000240 a6 b5 68 1a 41 03 56 6b dc 5a 89 16 03 03 00 88 |..h.A.Vk.Z......|
00000250 0f 00 00 84 05 01 00 80 38 ca f2 b9 60 19 01 9c |........8...`...|
00000260 ce 24 b2 10 54 62 0f a3 03 7a af 0d 64 aa e9 c9 |.$..Tb...z..d...|
00000270 d5 47 40 ec a6 44 b3 5a 97 73 2c e8 2b 17 e9 fb |.G@..D.Z.s,.+...|
00000280 2b 87 4b cc 80 ee 8a 88 35 c2 4f 2f e7 f0 1e c7 |+.K.....5.O/....|
00000290 c6 40 6b f8 c5 71 83 2b c0 8e 41 62 3f 3a 80 96 |.@k..q.+..Ab?:..|
000002a0 71 a5 25 50 d3 4e 01 86 ff 1f d3 a0 a8 23 ef 80 |q.%P.N.......#..|
000002b0 3a 79 77 d6 88 5f 70 a2 98 7a 0a 71 1e 9b 81 5d |:yw.._p..z.q...]|
000002c0 14 61 ac 2f 96 22 49 18 57 47 42 cf 2d 6f c3 8b |.a./."I.WGB.-o..|
000002d0 95 24 24 87 75 4e 52 28 14 03 03 00 01 01 16 03 |.$$.uNR(........|
000002e0 03 00 28 00 00 00 00 00 00 00 00 4b 1b ec 28 3a |..(........K..(:|
000002f0 02 86 9e 52 29 d1 73 ce 60 eb 80 92 0a 1a bc 07 |...R).s.`.......|
00000300 14 15 98 1e f7 98 d1 28 eb b7 43 |.......(..C|
00000250 0f 00 00 84 04 01 00 80 0a 86 16 61 b0 61 19 af |...........a.a..|
00000260 0e 42 fc ec 44 c2 2b dd 27 cc 9a ee d1 a8 64 7c |.B..D.+.'.....d||
00000270 ac 69 55 22 3b b2 ba 56 c0 22 53 af 11 be cf f0 |.iU";..V."S.....|
00000280 90 d1 0e 72 51 d0 f2 4e cd e0 d2 d6 a0 2f 91 46 |...rQ..N...../.F|
00000290 fa bd 97 b5 a6 ef 66 2e 5e 15 e2 89 df b0 ea 0e |......f.^.......|
000002a0 67 c4 8c 7e a1 4f 9a 00 dc 32 f9 d1 cd 72 ea 1f |g..~.O...2...r..|
000002b0 c6 6a 20 54 a2 0f e8 32 50 4e f6 b6 79 70 4c bb |.j T...2PN..ypL.|
000002c0 68 8f a8 5a 46 49 a6 54 b6 83 53 df 5f 2b 00 cb |h..ZFI.T..S._+..|
000002d0 09 36 86 f1 21 6b bb 98 14 03 03 00 01 01 16 03 |.6..!k..........|
000002e0 03 00 28 00 00 00 00 00 00 00 00 af 07 a0 f1 0b |..(.............|
000002f0 cb 36 97 2c 38 96 e4 02 7c 4d 66 db d0 72 2c 00 |.6.,8...|Mf..r,.|
00000300 2d ea 21 0a 55 7e 98 9d 65 9a 18 |-.!.U~..e..|
>>> Flow 4 (server to client)
00000000 14 03 03 00 01 01 16 03 03 00 28 c3 0d 76 f6 6c |..........(..v.l|
00000010 2f 07 ca 24 51 2d 2b f3 92 72 82 49 79 70 a8 e9 |/..$Q-+..r.Iyp..|
00000020 38 99 cf 1b ff 6c 7a 83 7c b0 3b f6 a5 f6 21 db |8....lz.|.;...!.|
00000030 56 1e 7c |V.||
00000000 14 03 03 00 01 01 16 03 03 00 28 27 8b bb 41 ea |..........('..A.|
00000010 84 0b 2b d3 d8 1b 13 7c 7c 9d fd 8d 2d 8e ed 2b |..+....||...-..+|
00000020 1f 32 d5 8d 61 e1 bd 7a 74 59 51 a9 b9 85 6f ae |.2..a..ztYQ...o.|
00000030 34 1f b1 |4..|
>>> Flow 5 (client to server)
00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 00 9f 31 |...............1|
00000010 ad 88 20 ee 78 04 8c 11 dc dd cb 50 f6 8b d7 fb |.. .x......P....|
00000020 2e 22 c2 15 03 03 00 1a 00 00 00 00 00 00 00 02 |."..............|
00000030 e5 ab e8 1a 4e 58 d7 b1 eb 61 10 a8 5a be f5 2e |....NX...a..Z...|
00000040 f5 ae |..|
00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 0c f2 76 |...............v|
00000010 e3 1c 31 7e bd 51 b4 4a a8 82 d1 b6 64 51 5f 17 |..1~.Q.J....dQ_.|
00000020 fc 28 5d 15 03 03 00 1a 00 00 00 00 00 00 00 02 |.(].............|
00000030 14 1c ec a4 e3 2f 16 d9 22 94 ad be 2a 82 0a 68 |...../.."...*..h|
00000040 31 d4 |1.|
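Review bot: The CertificateVerify header at offset 0x250 now reads 0f 00 00 84 04 01 where the previous recording had 05 01, yet the CertificateRequest kept as context at 0x400 lists 06 01 and 05 01 ahead of 04 01, so the client is deliberately not signing with the peer's first-listed pair. That matches the commit message (a SHA-384-based handshake now signed with SHA-256), but in this file the choice is pinned only by two bytes inside a fully re-recorded transcript. Consider an explicit test assertion on the selected hash, or a comment where the hash is chosen stating that it is limited to the hashes this implementation signs with, so that a later re-recording cannot change the selection unnoticed among the regenerated random, key and signature bytes.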