crypto/tls: decouple handshake signatures from the handshake hash.

Prior to TLS 1.2, the handshake had a pleasing property that one could
incrementally hash it and, from that, get the needed hashes for both
the CertificateVerify and Finished messages.

TLS 1.2 introduced negotiation for the signature and hash and it became
possible for the handshake hash to be, say, SHA-384, but for the
CertificateVerify to sign the handshake with SHA-1. The problem is that
one doesn't know in advance which hashes will be needed and thus the
handshake needs to be buffered.

Go ignored this, always kept a single handshake hash, and any signatures
over the handshake had to use that hash.

However, there are a set of servers that inspect the client's offered
signature hash functions and will abort the handshake if one of the
server's certificates is signed with a hash function outside of that
set. https://robertsspaceindustries.com/ is an example of such a server.

Clearly not a lot of thought happened when that server code was written,
but its out there and we have to deal with it.

This change decouples the handshake hash from the CertificateVerify
hash. This lays the groundwork for advertising support for SHA-384 but
doesn't actually make that change in the interests of reviewability.
Updating the advertised hash functions will cause changes in many of the
testdata/ files and some errors might get lost in the noise. This change
only needs to update four testdata/ files: one because a SHA-384-based
handshake is now being signed with SHA-256 and the others because the
TLS 1.2 CertificateRequest message now includes SHA-1.

This change also has the effect of adding support for
client-certificates in SSLv3 servers. However, SSLv3 is now disabled by
default so this should be moot.

It would be possible to avoid much of this change and just support
SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces
and SKX params (a design mistake in TLS). However, that would leave Go
in the odd situation where it advertised support for SHA-384, but would
only use the handshake hash when signing client certificates. I fear
that'll just cause problems in the future.

Much of this code was written by davidben@ for the purposes of testing
BoringSSL.

Partly addresses #9757

Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485
Reviewed-on: https://go-review.googlesource.com/9415
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>

testdata/Server-TLSv12-ClientAuthRequestedAndGiven

@@ -1,11 +1,10 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 5c 01 00 00  58 03 03 52 cc 57 59 6b  |....\...X..R.WYk|
-00000010  11 07 04 39 77 20 c2 b4  3f cb 0a c9 53 fe 5b 3e  |...9w ..?...S.[>|
-00000020  5f 58 2c 7e 30 69 e1 8e  6c 9d c8 00 00 04 00 05  |_X,~0i..l.......|
-00000030  00 ff 01 00 00 2b 00 0d  00 22 00 20 06 01 06 02  |.....+...". ....|
-00000040  06 03 05 01 05 02 05 03  04 01 04 02 04 03 03 01  |................|
-00000050  03 02 03 03 02 01 02 02  02 03 01 01 00 0f 00 01  |................|
-00000060  01                                                |.|
+00000000  16 03 01 00 5b 01 00 00  57 03 03 23 82 04 e6 b7  |....[...W..#....|
+00000010  a4 1e 2c 61 ae c0 cd ef  d3 2a 30 0b d7 19 88 16  |..,a.....*0.....|
+00000020  e3 af 68 6c 45 83 df f5  02 b0 43 00 00 04 00 05  |..hlE.....C.....|
+00000030  00 ff 02 01 00 00 29 00  0d 00 20 00 1e 06 01 06  |......)... .....|
+00000040  02 06 03 05 01 05 02 05  03 04 01 04 02 04 03 03  |................|
+00000050  01 03 02 03 03 02 01 02  02 02 03 00 0f 00 01 01  |................|
 >>> Flow 2 (server to client)
 00000000  16 03 03 00 31 02 00 00  2d 03 03 00 00 00 00 00  |....1...-.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -54,9 +53,9 @@
 000002c0  50 56 5c d5 82 5a 2d 5a  5f 33 c4 b6 d8 c9 75 90  |PV\..Z-Z_3....u.|
 000002d0  96 8c 0f 52 98 b5 cd 98  1f 89 20 5f f2 a0 1c a3  |...R...... _....|
 000002e0  1b 96 94 dd a9 fd 57 e9  70 e8 26 6d 71 99 9b 26  |......W.p.&mq..&|
-000002f0  6e 38 50 29 6c 90 a7 bd  d9 16 03 03 00 0f 0d 00  |n8P)l...........|
-00000300  00 0b 02 01 40 00 04 04  01 04 03 00 00 16 03 03  |....@...........|
-00000310  00 04 0e 00 00 00                                 |......|
+000002f0  6e 38 50 29 6c 90 a7 bd  d9 16 03 03 00 13 0d 00  |n8P)l...........|
+00000300  00 0f 02 01 40 00 08 04  01 04 03 02 01 02 03 00  |....@...........|
+00000310  00 16 03 03 00 04 0e 00  00 00                    |..........|
 >>> Flow 3 (client to server)
 00000000  16 03 03 01 fb 0b 00 01  f7 00 01 f4 00 01 f1 30  |...............0|
 00000010  82 01 ed 30 82 01 58 a0  03 02 01 02 02 01 00 30  |...0..X........0|
@@ -90,32 +89,32 @@
 000001d0  8b ec ab 67 be c8 64 b0  11 50 46 58 17 6b 99 1c  |...g..d..PFX.k..|
 000001e0  d3 1d fc 06 f1 0e e5 96  a8 0c f9 78 20 b7 44 18  |...........x .D.|
 000001f0  51 8d 10 7e 4f 94 67 df  a3 4e 70 73 8e 90 91 85  |Q..~O.g..Nps....|
-00000200  16 03 03 00 86 10 00 00  82 00 80 44 89 7d aa 26  |...........D.}.&|
-00000210  30 ce 6b db 25 70 b0 1e  16 fa 5b 3a dd 4a 4b bd  |0.k.%p....[:.JK.|
-00000220  ec ee 50 9d 21 ba 52 b5  51 4f a8 65 d8 2e 41 e2  |..P.!.R.QO.e..A.|
-00000230  e1 dc f3 1a df 58 4f 87  7a d3 e1 e1 1c 13 b2 0b  |.....XO.z.......|
-00000240  b7 43 b7 92 f2 df 19 bb  79 71 e0 71 44 ab 19 2f  |.C......yq.qD../|
-00000250  37 11 ac 62 50 b6 f1 53  fe aa b4 bc 29 8e 0b 4c  |7..bP..S....)..L|
-00000260  0b 12 8d d5 84 a9 fa a9  ea 16 aa c3 0d da 32 c8  |..............2.|
-00000270  e0 4c 9f 99 f8 69 cd a8  c3 b1 76 42 67 f3 ff 15  |.L...i....vBg...|
-00000280  52 95 43 66 da 49 43 25  9d e5 eb 16 03 03 00 88  |R.Cf.IC%........|
-00000290  0f 00 00 84 04 01 00 80  01 d5 0e 1c 75 97 89 52  |............u..R|
-000002a0  1a f0 cc ef 93 6e 71 b2  b1 38 8c 50 11 f7 a3 02  |.....nq..8.P....|
-000002b0  71 c4 d5 6f 8d 01 83 06  2e ea 5a 10 8a 0d d0 fc  |q..o......Z.....|
-000002c0  b6 a2 63 af 4f 99 b5 eb  ab fd 01 c2 fb 26 fc fd  |..c.O........&..|
-000002d0  ad 2c b3 63 b3 87 a6 f5  14 ea 7d e7 fe a8 e7 7e  |.,.c......}....~|
-000002e0  20 ab b9 f6 c3 58 bd c0  f3 96 eb 83 dc 42 6c 0d  | ....X.......Bl.|
-000002f0  5e e8 09 55 c7 b8 24 05  dd e1 7c af 9f 2c 22 6c  |^..U..$...|..,"l|
-00000300  fa b8 94 13 3b f1 09 e1  38 59 fc a1 8c cb aa ca  |....;...8Y......|
-00000310  f8 e0 2a 9c 36 f9 c3 2b  14 03 03 00 01 01 16 03  |..*.6..+........|
-00000320  03 00 24 d0 12 7c cc d2  3e 37 1f f4 7d b4 c0 fc  |..$..|..>7..}...|
-00000330  19 f6 c8 ea 62 12 e0 0d  af 62 d4 69 f7 96 5a c0  |....b....b.i..Z.|
-00000340  97 d3 bb b0 a3 f7 3f                              |......?|
+00000200  16 03 03 00 86 10 00 00  82 00 80 a9 2f ef 94 68  |............/..h|
+00000210  e5 de 70 a0 f6 ef 70 e6  db 01 69 b1 0b e6 ee 21  |..p...p...i....!|
+00000220  48 e0 39 28 4d 19 61 b4  67 9d e6 a1 c5 93 49 b4  |H.9(M.a.g.....I.|
+00000230  5c ed 60 72 1a 01 aa b3  21 18 47 20 f0 0b cd e7  |\.`r....!.G ....|
+00000240  68 fa ca 35 65 86 06 42  9c 36 45 f3 36 42 17 88  |h..5e..B.6E.6B..|
+00000250  9f 0b 0b 99 35 28 d4 98  a3 86 4d 55 0b d0 2c 31  |....5(....MU..,1|
+00000260  64 d6 ce e4 50 a5 4e d6  a4 4b 9c b8 d2 4a 35 61  |d...P.N..K...J5a|
+00000270  0d f0 28 ad 96 91 59 04  5c 55 5a 0b 2d 12 a1 d1  |..(...Y.\UZ.-...|
+00000280  60 e8 55 a2 90 55 9a 55  ad 1d 05 16 03 03 00 88  |`.U..U.U........|
+00000290  0f 00 00 84 04 01 00 80  0f 8a 5c 80 aa 8e d3 c9  |..........\.....|
+000002a0  2c 97 a1 0b 0c 54 b4 66  4e 92 59 89 4e 3b 58 71  |,....T.fN.Y.N;Xq|
+000002b0  e0 d7 5a 5a 85 90 de 1e  b2 61 1b 0b f1 a2 1c d6  |..ZZ.....a......|
+000002c0  02 44 da 1e 10 fd 41 62  3f 11 13 0f 59 43 40 cb  |.D....Ab?...YC@.|
+000002d0  f4 6a e4 c9 a7 f4 20 be  d2 8c ac cb b9 24 40 51  |.j.... ......$@Q|
+000002e0  a9 83 c5 a9 34 b2 16 e2  4a 7b 0f d1 df a0 fc 15  |....4...J{......|
+000002f0  85 89 0c f7 5a bc bb c6  90 da e2 81 c3 c5 4d 58  |....Z.........MX|
+00000300  f3 04 73 8f ab 03 39 e5  88 52 bd 3a bd ca 0a 09  |..s...9..R.:....|
+00000310  23 36 68 dc b3 2b 1b 07  14 03 03 00 01 01 16 03  |#6h..+..........|
+00000320  03 00 24 64 3e ca cf ab  6e 8b 5e 2d bb b0 09 55  |..$d>...n.^-...U|
+00000330  68 c6 88 08 25 15 fc a5  6c 95 9a d8 b4 58 f9 a3  |h...%...l....X..|
+00000340  55 a0 92 c2 08 72 1c                              |U....r.|
 >>> Flow 4 (server to client)
-00000000  14 03 03 00 01 01 16 03  03 00 24 cd 20 85 1e 74  |..........$. ..t|
-00000010  18 b2 71 48 d5 10 61 c6  b0 18 26 83 c2 7f f1 b1  |..qH..a...&.....|
-00000020  2f b5 35 d0 47 a8 99 9a  9a a5 62 64 fb f9 29 17  |/.5.G.....bd..).|
-00000030  03 03 00 21 22 7b ed 61  e3 9b 6d 98 b9 23 98 e3  |...!"{.a..m..#..|
-00000040  55 11 b8 0f 7e 2b e1 c1  d4 f1 83 79 c3 f8 03 f0  |U...~+.....y....|
-00000050  02 5c 61 24 d7 15 03 03  00 16 14 2b a3 5a 56 f0  |.\a$.......+.ZV.|
-00000060  92 da d0 e6 32 91 d8 30  7a b4 d0 a2 93 f5 01 ea  |....2..0z.......|
+00000000  14 03 03 00 01 01 16 03  03 00 24 4e b8 9c fd 56  |..........$N...V|
+00000010  81 68 9d 5a 41 5c 53 f9  10 a5 d0 8e 93 79 4e 87  |.h.ZA\S......yN.|
+00000020  f8 92 09 09 0f ea 04 08  e8 14 e1 8a 0b f8 23 17  |..............#.|
+00000030  03 03 00 21 1f 22 bc 5a  ce d7 5e ca c4 d3 be f5  |...!.".Z..^.....|
+00000040  d4 f6 4e b9 aa 10 be d3  b6 a9 ad 3e f5 f6 69 fd  |..N........>..i.|
+00000050  23 a8 cd e2 4d 15 03 03  00 16 29 1d 72 73 aa 62  |#...M.....).rs.b|
+00000060  c7 ac 8b 19 8f 72 27 b2  12 ac ce 72 2c c4 47 19  |.....r'....r,.G.|