crypto/tls: decouple handshake signatures from the handshake hash.

Prior to TLS 1.2, the handshake had a pleasing property that one could
incrementally hash it and, from that, get the needed hashes for both
the CertificateVerify and Finished messages.

TLS 1.2 introduced negotiation for the signature and hash and it became
possible for the handshake hash to be, say, SHA-384, but for the
CertificateVerify to sign the handshake with SHA-1. The problem is that
one doesn't know in advance which hashes will be needed and thus the
handshake needs to be buffered.

Go ignored this, always kept a single handshake hash, and any signatures
over the handshake had to use that hash.

However, there are a set of servers that inspect the client's offered
signature hash functions and will abort the handshake if one of the
server's certificates is signed with a hash function outside of that
set. https://robertsspaceindustries.com/ is an example of such a server.

Clearly not a lot of thought happened when that server code was written,
but it's out there and we have to deal with it.

This change decouples the handshake hash from the CertificateVerify
hash. This lays the groundwork for advertising support for SHA-384 but
doesn't actually make that change in the interests of reviewability.
Updating the advertised hash functions will cause changes in many of the
testdata/ files and some errors might get lost in the noise. This change
only needs to update four testdata/ files: one because a SHA-384-based
handshake is now being signed with SHA-256 and the others because the
TLS 1.2 CertificateRequest message now includes SHA-1.

This change also has the effect of adding support for
client certificates in SSLv3 servers. However, SSLv3 is now disabled by
default so this should be moot.

It would be possible to avoid much of this change and just support
SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces
and SKX params (a design mistake in TLS). However, that would leave Go
in the odd situation where it advertised support for SHA-384, but would
only use the handshake hash when signing client certificates. I fear
that'll just cause problems in the future.

Much of this code was written by davidben@ for the purposes of testing
BoringSSL.

Partly addresses #9757

Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485
Reviewed-on: https://go-review.googlesource.com/9415
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
Adam Langley 2015-04-28 09:13:38 -07:00
parent ee94166b41
commit 7de6f5ad0c
12 changed files with 447 additions and 322 deletions
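The mechanism the commit message describes, as an added Go example that is not the Go crypto/tls code and is not part of this commit: the handshake transcript is buffered as raw bytes, so the Finished digest can be taken with the cipher suite's PRF hash (SHA-384 here) while CertificateVerify is hashed with whatever algorithm the two sides agree on, possibly SHA-1. The `transcript`, `sigAndHash`, `hashForID` and `pickSignatureAlgorithm` names, the two fake handshake messages and the "our preferences" list are constructed for illustration; the peer list is the `04 01 04 03 02 01 02 03` CertificateRequest list that appears in the diff.

```go
package main

import (
	"crypto"
	_ "crypto/sha1" // blank imports register the hashes so crypto.Hash.New works
	_ "crypto/sha256"
	_ "crypto/sha512"
	"errors"
	"fmt"
)

// sigAndHash is a TLS 1.2 SignatureAndHashAlgorithm (RFC 5246, 7.4.1.4.1):
// one HashAlgorithm byte followed by one SignatureAlgorithm byte.
type sigAndHash struct{ hash, signature uint8 }

// Wire values from RFC 5246. MD5 (1) is deliberately not supported.
const (
	hashSHA1   uint8 = 2
	hashSHA256 uint8 = 4
	hashSHA384 uint8 = 5
	sigRSA     uint8 = 1
	sigECDSA   uint8 = 3
)

// hashForID maps a TLS HashAlgorithm byte to a Go hash and rejects the rest.
func hashForID(id uint8) (crypto.Hash, error) {
	switch id {
	case hashSHA1:
		return crypto.SHA1, nil
	case hashSHA256:
		return crypto.SHA256, nil
	case hashSHA384:
		return crypto.SHA384, nil
	}
	return 0, fmt.Errorf("tls: unsupported hash algorithm %d", id)
}

// transcript keeps the raw handshake messages instead of one running hash, so
// a digest can be produced under any hash once the signature algorithm is
// known. prfHash is the hash tied to the negotiated cipher suite.
type transcript struct {
	prfHash crypto.Hash
	buf     []byte
}

// add appends one handshake message (type, 24-bit length, body) in order.
func (t *transcript) add(msg []byte) { t.buf = append(t.buf, msg...) }

func digest(h crypto.Hash, data []byte) []byte {
	hh := h.New()
	hh.Write(data)
	return hh.Sum(nil)
}

// finishedDigest feeds the Finished PRF: always the cipher suite's hash.
func (t *transcript) finishedDigest() []byte { return digest(t.prfHash, t.buf) }

// certificateVerifyDigest is what CertificateVerify signs: the same transcript,
// but under the hash negotiated for the signature, which may differ from (and
// be weaker than) prfHash.
func (t *transcript) certificateVerifyDigest(sh sigAndHash) ([]byte, error) {
	h, err := hashForID(sh.hash)
	if err != nil {
		return nil, err
	}
	return digest(h, t.buf), nil
}

// pickSignatureAlgorithm returns the first pair in our preference list that
// matches our key type and that the peer also offered (for a client, the
// CertificateRequest list). Our order decides, so SHA-1 is only chosen when
// nothing stronger is shared.
func pickSignatureAlgorithm(ours, peers []sigAndHash, key uint8) (sigAndHash, error) {
	for _, o := range ours {
		if o.signature != key {
			continue
		}
		for _, p := range peers {
			if o == p {
				return o, nil
			}
		}
	}
	return sigAndHash{}, errors.New("tls: no common signature algorithm")
}

func main() {
	// Constructed stand-ins for the handshake messages exchanged so far.
	t := &transcript{prfHash: crypto.SHA384} // e.g. a *_SHA384 cipher suite
	t.add([]byte{0x01, 0x00, 0x00, 0x03, 0xaa, 0xbb, 0xcc}) // fake ClientHello
	t.add([]byte{0x02, 0x00, 0x00, 0x02, 0xdd, 0xee})       // fake ServerHello

	// The CertificateRequest list from the diff: 04 01 04 03 02 01 02 03.
	peer := []sigAndHash{{hashSHA256, sigRSA}, {hashSHA256, sigECDSA}, {hashSHA1, sigRSA}, {hashSHA1, sigECDSA}}
	// A client whose RSA key can only be used with SHA-1 still interoperates.
	ours := []sigAndHash{{hashSHA1, sigRSA}}
	chosen, err := pickSignatureAlgorithm(ours, peer, sigRSA)
	if err != nil {
		panic(err)
	}
	cv, err := t.certificateVerifyDigest(chosen)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Finished digest uses SHA-384: %d bytes\n", len(t.finishedDigest()))
	fmt.Printf("CertificateVerify uses %02x %02x: %d bytes\n", chosen.hash, chosen.signature, len(cv))
}
```

With a single running hash, the last two lines would have to report the same algorithm; buffering is what lets a SHA-384 suite coexist with a SHA-1 or SHA-256 CertificateVerify, at the cost of holding the transcript in memory until CertificateVerify has been sent or checked.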


@ -1,11 +1,10 @@
>>> Flow 1 (client to server)
00000000 16 03 01 00 5c 01 00 00 58 03 03 52 cc 57 59 65 |....\...X..R.WYe|
00000010 ae b3 ec a4 7a 05 f7 ec 39 22 7d 8c 91 96 6b e0 |....z...9"}...k.|
00000020 69 81 ff 88 28 17 60 ac 94 19 ff 00 00 04 00 05 |i...(.`.........|
00000030 00 ff 01 00 00 2b 00 0d 00 22 00 20 06 01 06 02 |.....+...". ....|
00000040 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 |................|
00000050 03 02 03 03 02 01 02 02 02 03 01 01 00 0f 00 01 |................|
00000060 01 |.|
00000000 16 03 01 00 5b 01 00 00 57 03 03 3b 02 c7 94 b7 |....[...W..;....|
00000010 61 d9 c9 d4 1f 4e 9a a0 73 77 d7 6b 4f 42 af 97 |a....N..sw.kOB..|
00000020 3c 12 f8 10 38 c7 3d 56 11 a3 09 00 00 04 00 05 |<...8.=V........|
00000030 00 ff 02 01 00 00 29 00 0d 00 20 00 1e 06 01 06 |......)... .....|
00000040 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 |................|
00000050 01 03 02 03 03 02 01 02 02 02 03 00 0f 00 01 01 |................|
>>> Flow 2 (server to client)
00000000 16 03 03 00 31 02 00 00 2d 03 03 00 00 00 00 00 |....1...-.......|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
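Review bot: the Flow 1 ClientHello changes in two ways that the commit message does not account for and that cannot come from the Go side of this handshake: the signature_algorithms list shrinks from 16 pairs (`00 0d 00 22 00 20 ...`) to 15 (`00 0d 00 20 00 1e ...`) by losing the trailing `01 01` (MD5 with RSA) entry, and compression_methods goes from `01 00` to `02 01 00`. Both are properties of the peer client that produced this recording, so the reference was regenerated with a different client build than last time. That is harmless for the test, but the commit message currently attributes this file's update only to the CertificateRequest change; a sentence noting the re-recording would save the next reader from hunting for a Go change that does not exist.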
@ -54,9 +53,9 @@
000002c0 50 56 5c d5 82 5a 2d 5a 5f 33 c4 b6 d8 c9 75 90 |PV\..Z-Z_3....u.|
000002d0 96 8c 0f 52 98 b5 cd 98 1f 89 20 5f f2 a0 1c a3 |...R...... _....|
000002e0 1b 96 94 dd a9 fd 57 e9 70 e8 26 6d 71 99 9b 26 |......W.p.&mq..&|
000002f0 6e 38 50 29 6c 90 a7 bd d9 16 03 03 00 0f 0d 00 |n8P)l...........|
00000300 00 0b 02 01 40 00 04 04 01 04 03 00 00 16 03 03 |....@...........|
00000310 00 04 0e 00 00 00 |......|
000002f0 6e 38 50 29 6c 90 a7 bd d9 16 03 03 00 13 0d 00 |n8P)l...........|
00000300 00 0f 02 01 40 00 08 04 01 04 03 02 01 02 03 00 |....@...........|
00000310 00 16 03 03 00 04 0e 00 00 00 |..........|
>>> Flow 3 (client to server)
00000000 16 03 03 02 0a 0b 00 02 06 00 02 03 00 02 00 30 |...............0|
00000010 82 01 fc 30 82 01 5e 02 09 00 9a 30 84 6c 26 35 |...0..^....0.l&5|
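Review bot: the CertificateRequest list grows from `04 01 04 03` to `04 01 04 03 02 01 02 03`, i.e. SHA-1 with RSA and SHA-1 with ECDSA are appended after the SHA-256 pairs, so a client may now legitimately answer with a CertificateVerify signed over SHA-1 and the server has to accept it. Putting SHA-256 first is the right ordering, and the length bookkeeping is consistent (record `00 0f` -> `00 13`, handshake body `00 0b` -> `00 0f`, both +4 for the two pairs), but this is a server-side acceptance policy change, not only a wire-format one, and the commit message says only that the message "now includes SHA-1". State explicitly that SHA-1 client signatures are now accepted and that the list is the server's preference order, so the widening is a documented decision rather than a side effect.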
@ -91,32 +90,33 @@
000001e0 be e8 91 b3 da 1a f5 5d a3 23 f5 26 8b 45 70 8d |.......].#.&.Ep.|
000001f0 65 62 9b 7e 01 99 3d 18 f6 10 9a 38 61 9b 2e 57 |eb.~..=....8a..W|
00000200 e4 fa cc b1 8a ce e2 23 a0 87 f0 e1 67 51 eb 16 |.......#....gQ..|
00000210 03 03 00 86 10 00 00 82 00 80 47 5a 2f b8 78 46 |..........GZ/.xF|
00000220 9f 3c fc ab 8b 35 c9 77 da c3 96 78 31 7c 2b 4f |.<...5.w...x1|+O|
00000230 56 be 0f 33 bd 17 bc 1c 86 5a ae b3 0f 8b 18 2f |V..3.....Z...../|
00000240 48 0d e0 0a 20 d3 53 96 88 d2 8a 7d b6 58 13 44 |H... .S....}.X.D|
00000250 a5 e8 19 6d 02 df a6 1b 79 c5 54 c2 ef 4d 41 4f |...m....y.T..MAO|
00000260 04 1c eb 37 55 b7 2b f4 7c 6d 37 9c f1 89 a0 2c |...7U.+.|m7....,|
00000270 0f ba 10 09 e4 a1 ee 0a 7e 9a fd 2c 32 63 1c 55 |........~..,2c.U|
00000280 85 38 de d0 7b 5f 46 03 1f cc 4d 69 51 97 d8 d7 |.8..{_F...MiQ...|
00000290 88 6f ba 43 04 b0 42 09 61 5e 16 03 03 00 92 0f |.o.C..B.a^......|
000002a0 00 00 8e 04 03 00 8a 30 81 87 02 41 14 3d 4c 71 |.......0...A.=Lq|
000002b0 c2 32 4a 20 ee b7 69 17 55 e8 99 55 11 76 51 7a |.2J ..i.U..U.vQz|
000002c0 74 55 e7 e8 c3 3b b3 70 db 1c 8e f6 8a d4 99 40 |tU...;.p.......@|
000002d0 6e da 04 fd 7a 47 41 d6 ae c0 63 ad fd 91 a8 58 |n...zGA...c....X|
000002e0 24 b9 ac 2f 7a 4c bf 5b 24 12 cb 3a f3 02 42 00 |$../zL.[$..:..B.|
000002f0 90 f9 48 97 0e d4 33 99 09 9f 1d a8 97 16 60 82 |..H...3.......`.|
00000300 85 cc 5a 5d 79 f7 2f 03 2a c0 b8 12 61 ac 9f 88 |..Z]y./.*...a...|
00000310 1d 0d 9e 0a ee 28 a8 5a e2 42 b7 94 e2 e6 0e 13 |.....(.Z.B......|
00000320 c8 64 dc 4e d3 6b 10 d6 83 41 9c dc d4 53 c3 08 |.d.N.k...A...S..|
00000330 19 14 03 03 00 01 01 16 03 03 00 24 ef bd e3 23 |...........$...#|
00000340 10 23 ae 6e b5 12 eb 9c 21 78 db 36 fd bf 7f ee |.#.n....!x.6....|
00000350 6f c8 00 2d b6 35 cc 2f 38 73 ae a4 34 cf 0d df |o..-.5./8s..4...|
00000210 03 03 00 86 10 00 00 82 00 80 ba 08 cf e6 45 d3 |..............E.|
00000220 24 3f 4a 7e 0d 68 5f ed 5d a2 0e ad fa 41 6c 71 |$?J~.h_.]....Alq|
00000230 43 ce 20 cf 12 c2 e1 45 78 9c 00 0b 69 f5 5f b1 |C. ....Ex...i._.|
00000240 45 48 27 32 51 44 d8 cd 3b dc 78 1b df ee 82 68 |EH'2QD..;.x....h|
00000250 3e 1e 26 bf e5 8d 8f 0a 6c 62 a0 f0 47 65 50 8d |>.&.....lb..GeP.|
00000260 2c 9a 80 bb 0a 2b e4 14 25 c6 2c 86 17 67 1b e8 |,....+..%.,..g..|
00000270 ca 89 78 79 00 a2 d8 0e b1 02 49 28 12 a3 a1 46 |..xy......I(...F|
00000280 bb 6c 59 bf 59 4b 5b 48 0c 24 38 ee 7f 9f fd dd |.lY.YK[H.$8.....|
00000290 62 07 41 0c 5a bd 29 a4 3a ef 16 03 03 00 93 0f |b.A.Z.).:.......|
000002a0 00 00 8f 04 03 00 8b 30 81 88 02 42 00 9d ee a7 |.......0...B....|
000002b0 23 08 8d 08 61 7a 5c 97 0a 6b 3e 65 3f 1e d2 36 |#...az\..k>e?..6|
000002c0 4e 25 27 96 8f 92 08 b8 da 69 f9 3d 1e 77 88 dc |N%'......i.=.w..|
000002d0 33 3e 5f c5 eb 40 16 ab 32 3e c6 f5 a5 9f 42 22 |3>_..@..2>....B"|
000002e0 f6 56 86 1f e0 95 c8 83 2d 5a c9 b9 79 b2 02 42 |.V......-Z..y..B|
000002f0 01 2d 43 06 1d 79 3b ca 84 b2 81 21 51 01 4e 3b |.-C..y;....!Q.N;|
00000300 9d 5a b2 c5 87 e4 ea f9 08 2e bb 28 cc 9f a6 c6 |.Z.........(....|
00000310 f7 6a 5c 2a f0 c8 02 33 ba 56 ea bc 3b ac 97 bc |.j\*...3.V..;...|
00000320 4b d0 e0 19 18 14 a6 8c d5 60 05 b3 a2 20 7f c3 |K........`... ..|
00000330 24 f9 14 03 03 00 01 01 16 03 03 00 24 99 58 7b |$...........$.X{|
00000340 e7 5d 19 95 f0 8b d5 86 7d 87 19 03 98 24 3d e8 |.]......}....$=.|
00000350 cc c0 79 58 f9 81 b8 6c fb d6 ed a4 84 96 13 b7 |..yX...l........|
00000360 d0 |.|
>>> Flow 4 (server to client)
00000000 14 03 03 00 01 01 16 03 03 00 24 a7 50 0f 50 b4 |..........$.P.P.|
00000010 1c c3 4d f3 7a 64 df 65 ac 35 22 13 46 cc ec 36 |..M.zd.e.5".F..6|
00000020 e6 d2 f3 67 94 6a 18 85 9f 4a 3c 44 a3 58 b0 17 |...g.j...J<D.X..|
00000030 03 03 00 21 51 0a 41 8c fd 50 e3 54 8b 6a 1f 83 |...!Q.A..P.T.j..|
00000040 a5 37 98 e1 5b 1e ec 03 1d c7 0e 28 6d 79 3f 34 |.7..[......(my?4|
00000050 de 1c 38 6d 7e 15 03 03 00 16 06 fc b1 7d ad 70 |..8m~........}.p|
00000060 1a de d4 b7 b5 e7 a2 6d 1b 9a b0 31 0c cc 7b 70 |.......m...1..{p|
00000000 14 03 03 00 01 01 16 03 03 00 24 50 c9 ae 5b 73 |..........$P..[s|
00000010 ce 45 98 b1 88 74 25 bd 18 6c 08 aa e4 7c 39 0b |.E...t%..l...|9.|
00000020 d3 e9 c2 29 fe a1 fd 0e 46 80 63 0a a0 b2 55 17 |...)....F.c...U.|
00000030 03 03 00 21 89 28 af 50 62 c3 63 39 5b 13 03 45 |...!.(.Pb.c9[..E|
00000040 48 c9 3c 74 93 1a 01 47 ec 28 0b 7d 37 1d 15 48 |H.<t...G.(.}7..H|
00000050 ac eb dc 62 04 15 03 03 00 16 f6 84 ba 7b 57 9d |...b.........{W.|
00000060 b5 c7 d4 01 cd 04 8a d3 5a c9 c0 72 61 12 3f a1 |........Z..ra.?.|
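Review bot: nothing in Flows 3 and 4 exercises the decoupling itself: the client's CertificateVerify carries `04 03` (SHA-256 with ECDSA) both before and after, and the one-byte growth (`0f 00 00 8e` -> `0f 00 00 8f`, SEQUENCE `30 81 87` -> `30 81 88`) is only the DER INTEGER r needing a leading zero this time (`02 41 14 ...` -> `02 42 00 9d ...`); the remaining churn is the fresh RSA-encrypted premaster in ClientKeyExchange, the randomized ECDSA signature, and the Finished, application-data and alert records that depend on them. As a regenerated reference that is fine, but it means this test only shows that a SHA-256 client signature still verifies; the new code path, a client signing CertificateVerify with a hash other than the PRF hash (the SHA-1 pairs now advertised in Flow 2), is not covered by any recording in this file. Consider adding a reference where the client picks `02 01` or `02 03` so the decoupled verification is actually exercised.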