handshake: use the correct hash function for TLS_AES_256_GCM_SHA384

[marten-seemann]

TLS_AES_128_GCM_SHA256 and TLS_CHACHA20_POLY1305_SHA256 work fine, but if TLS happens to select TLS_AES_256_GCM_SHA384 during the handshake, we're deriving the wrong keys, causing a handshake failure.

Thanks to @MarcoPolo for discovering this when interop-ing with zig-libp2p.

[codecov]

Codecov Report

Merging #4031 (d36bd5e) into master (70f3f44) will not change coverage.
Report is 1 commits behind head on master.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #4031   +/-   ##
=======================================
  Coverage   82.83%   82.83%           
=======================================
  Files         147      147           
  Lines       14785    14785           
=======================================
  Hits        12247    12247           
  Misses       2037     2037           
  Partials      501      501           

[marten-seemann]

@mholt Yet another (and this time, very stupid copy-paste) bug introduced when switching to crypto/tls. Sorry for creating so much churn. Will ship v0.37.5 later today.

Lesson learned: We need some interop tests with a different QUIC implementation in this repo, running in CI.

[mholt]

No worries 😊 I don't know of any impacts our users experienced.