Merge upstream go post-1.9 (master) crypto/tls changes

[Lekensteyn]

To reduce differences from upstream (and therefore improve maintainability and make it easier to upstream changes), this change applies the changes from the current master branch which will presumably become go1.10. This means that the pwu/client changes have to be rebased on top of it due to the clientHandshake split, but better now than doing it in the future.

Some upstreamed patches include:

• crypto/tls: replace signatureAndHash by SignatureScheme. (1 patch from #35)
• crypto/tls: fix first byte test for 255 CBC padding bytes (1 patch from #49)
• crypto/tls: disallow handshake messages fragmented across CCS (already in master)

Merge commit message follows:

---

Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream

Merge upstream go post-1.9 crypto/tls changes from master:

d8ee5d11e5 crypto/tls: limit number of consecutive warning alerts 96cd66b266 crypto/tls: advertise support for SHA-512 signatures in 1.2 f265f5db5d archive/zip, crypto/tls: use rand.Read instead of casting ints to bytes 54d04c2fcb crypto/tls: remove bookkeeping code from pHash function d1bbdbe760 crypto/tls: replace signatureAndHash by SignatureScheme. cb3b345209 crypto/tls: fix first byte test for 255 CBC padding bytes d153df8e4b all: revert "all: prefer strings.LastIndexByte over strings.LastIndex" 5e42658fc0 all: prefer bytes.IndexByte over bytes.Index d2826d3e06 all: prefer strings.LastIndexByte over strings.LastIndex 5a986eca86 all: fix article typos 0f9a2cf2c4 crypto/tls: fix clientHelloMsg fuzzer not to generate the RI SCSV e7d46cee2f crypto/tls: fix and expand TestVerifyPeerCertificate and TestGetClientCertificate 85deaf6077 crypto/tls: fix docstring of Config.ClientSessionCache 4a5f85babb crypto/tls: disallow handshake messages fragmented across CCS b3465646ff crypto/tls: add BenchmarkHandshakeServer d38d357c78 crypto/tls: don't check whether an ec point is on a curve twice e085a891f0 crypto/tls: split clientHandshake into multiple methods

Conflicts:

• handshake_client.go: conflict between our ("crypto/tls: allow client to pick TLS 1.3, do not enable it by default.") and upstream ("crypto/tls: split clientHandshake into multiple methods"), resolve by applying the mutualVersion->pickVersion change in pickTLSVersion.
• handshake_server.go: trivial conflict due to upstreamed patch ("crypto/tls: replace signatureAndHash by SignatureScheme.") and ("crypto/tls: implement TLS 1.3 server 0-RTT") which added pskBinder.

Other merge changes:

• tls13.go: signatureAndHashes as added in ("crypto/tls: implement TLS 1.3 minimal server") was renamed as required by ("crypto/tls: replace signatureAndHash by SignatureScheme.").
• handshake_client.go: moved check from ("crypto/tls: check that client cipher suite matches version") to pickCipherSuite as required by ("crypto/tls: split clientHandshake into multiple methods").

[lziest]

LGTM! Good job!

[Lekensteyn]

Thanks for reviewing, pushed!