crypto/tls: rewrite some messages with golang.org/x/crypto/cryptobyte

As a first round, rewrite those handshake message types which can be
reused in TLS 1.3 with golang.org/x/crypto/cryptobyte. All other types
changed significantly in TLS 1.3 and will require separate
implementations. They will be ported to cryptobyte in a later CL.

The only semantic changes should be enforcing the random length on the
marshaling side, enforcing a couple more "must not be empty" on the
unmarshaling side, and checking the rest of the SNI list even if we only
take the first.

Change-Id: Idd2ced60c558fafcf02ee489195b6f3b4735fe22
Reviewed-on: https://go-review.googlesource.com/c/144115
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>

handshake_client.go

@@ -471,7 +471,7 @@ func (hs *clientHandshakeState) doFullHandshake() error {
 
 	if chainToSend != nil && len(chainToSend.Certificate) > 0 {
 		certVerify := &certificateVerifyMsg{
-			hasSignatureAndHash: c.vers >= VersionTLS12,
+			hasSignatureAlgorithm: c.vers >= VersionTLS12,
 		}
 
 		key, ok := chainToSend.PrivateKey.(crypto.Signer)
@@ -486,7 +486,7 @@ func (hs *clientHandshakeState) doFullHandshake() error {
 			return err
 		}
 		// SignatureAndHashAlgorithm was introduced in TLS 1.2.
-		if certVerify.hasSignatureAndHash {
+		if certVerify.hasSignatureAlgorithm {
 			certVerify.signatureAlgorithm = signatureAlgorithm
 		}
 		digest, err := hs.finishedHash.hashForClientCertificate(sigType, hashFunc, hs.masterSecret)
@@ -739,7 +739,7 @@ func (hs *clientHandshakeState) getCertificate(certReq *certificateRequestMsg) (
 	if c.config.GetClientCertificate != nil {
 		var signatureSchemes []SignatureScheme
 
-		if !certReq.hasSignatureAndHash {
+		if !certReq.hasSignatureAlgorithm {
 			// Prior to TLS 1.2, the signature schemes were not
 			// included in the certificate request message. In this
 			// case we use a plausible list based on the acceptable