Fixed ECDHE_PSK cipher suites implementation. (#342)

* Restored ECC_CIPHERSUITE ifdef code.
* Added ifdefs to exclude PSK code when build options require it.

Author: fdesbiens

nx_secure/src/nx_secure_generate_client_key_exchange.c

@@ -98,7 +98,6 @@ const NX_CRYPTO_METHOD               *public_cipher_method;
 VOID                                 *handler = NX_NULL;
 #endif
 UINT                                  data_size;
-UINT                                  key_size;
 UCHAR                                *encrypted_data_ptr;
 #ifndef NX_SECURE_DISABLE_X509
 UCHAR                                 rand_byte;
@@ -133,50 +132,17 @@ NX_CRYPTO_EXTENDED_OUTPUT             extended_output;
     if (ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECDH ||
         ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECDHE)
     {
-    	data_size = 0;
+        data_size = (UINT)(1 + tls_key_material -> nx_secure_tls_new_key_material_data[0]);
 
-    	if (ciphersuite -> nx_secure_tls_public_auth -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_PSK)
-    	{
-    		if ((tls_credentials -> nx_secure_tls_client_psk.nx_secure_tls_psk_id_hint_size >
-    		sizeof(tls_credentials -> nx_secure_tls_client_psk.nx_secure_tls_psk_id_hint)) ||
-    				(tls_credentials -> nx_secure_tls_client_psk.nx_secure_tls_psk_id_hint_size >
-    		(buffer_length - 2)))
-    		{
-
-    			/* Packet buffer too small. */
-    			return(NX_SECURE_TLS_PACKET_BUFFER_TOO_SMALL);
-    		}
-
-    		/* Pointer to the output encrypted pre-master secret. */
-    		encrypted_data_ptr = &data_buffer[2];
-
-    		/* Send the PSK Identity string to the remote server along with its length. */
-    		NX_SECURE_MEMCPY(encrypted_data_ptr, tls_credentials -> nx_secure_tls_client_psk.nx_secure_tls_psk_id,
-    				tls_credentials -> nx_secure_tls_client_psk.nx_secure_tls_psk_id_size); /* Use case of memcpy is verified. */
-
-    		/* Make sure our size is correct. */
-    		data_size = tls_credentials -> nx_secure_tls_client_psk.nx_secure_tls_psk_id_size;
-
-    		/* Put the length into our outgoing packet buffer. */
-    		data_buffer[0] = (UCHAR)((data_size & 0xFF00) >> 8);
-    		data_buffer[1] = (UCHAR)(data_size & 0x00FF);
-
-    		data_size += 2;
-    		data_buffer += data_size;
-    	}
-
-        key_size = (UINT)(1 + tls_key_material -> nx_secure_tls_new_key_material_data[0]);
-        data_size += key_size;
-
-        if ((key_size > sizeof(tls_key_material -> nx_secure_tls_new_key_material_data)) ||
+        if ((data_size > sizeof(tls_key_material -> nx_secure_tls_new_key_material_data)) ||
             (data_size > buffer_length))
         {
 
             /* Packet buffer too small. */
             return(NX_SECURE_TLS_PACKET_BUFFER_TOO_SMALL);
         }
 
-        NX_SECURE_MEMCPY(data_buffer, tls_key_material -> nx_secure_tls_new_key_material_data, key_size); /* Use case of memcpy is verified. */
+        NX_SECURE_MEMCPY(data_buffer, tls_key_material -> nx_secure_tls_new_key_material_data, data_size); /* Use case of memcpy is verified. */
     }
     else
 #endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE */

nx_secure/src/nx_secure_generate_premaster_secret.c

@@ -98,8 +98,10 @@ const NX_CRYPTO_METHOD    *ecdh_method;
 NX_SECURE_EC_PUBLIC_KEY   *ec_pubkey;
 VOID                      *handler = NX_NULL;
 NX_CRYPTO_EXTENDED_OUTPUT  extended_output;
+#ifdef NX_SECURE_ENABLE_PSK_CIPHERSUITES
 UCHAR					   pre_master_secret_cpy[NX_SECURE_TLS_PREMASTER_SIZE];
 UINT					   pre_master_secret_size;
+#endif
 #endif /* NX_SECURE_ENABLE_ECC_CIPHERSUITE && !NX_SECURE_DISABLE_X509 */
 
 #if !defined(NX_SECURE_ENABLE_ECC_CIPHERSUITE) || defined(NX_SECURE_DISABLE_X509)
@@ -122,6 +124,7 @@ UINT					   pre_master_secret_size;
 #if defined(NX_SECURE_ENABLE_ECC_CIPHERSUITE) && !defined(NX_SECURE_DISABLE_X509)
     if (ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECDHE)
     {
+    #ifdef NX_SECURE_ENABLE_PSK_CIPHERSUITES    
     	if(ciphersuite->nx_secure_tls_public_auth->nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_PSK)
     	{
     		/* From RFC 5489:
@@ -173,6 +176,7 @@ UINT					   pre_master_secret_size;
     		NX_SECURE_MEMSET(pre_master_secret_cpy, 0x0, sizeof(pre_master_secret_cpy));
 #endif /* NX_SECURE_KEY_CLEAR  */
     	}
+    #endif
         return(NX_SECURE_TLS_SUCCESS);
     }
     else if (ciphersuite -> nx_secure_tls_public_cipher -> nx_crypto_algorithm == NX_CRYPTO_KEY_EXCHANGE_ECDH)

nx_secure/src/nx_secure_process_server_key_exchange.c

@@ -139,7 +139,6 @@ UCHAR                                *current_buffer;
 UCHAR                                 hash_algorithm;
 UCHAR                                 signature_algorithm;
 USHORT                                signature_algorithm_id;
-ULONG 								  size_param;
 #if (NX_SECURE_TLS_TLS_1_0_ENABLED || NX_SECURE_TLS_TLS_1_1_ENABLED)
 UINT                                  i;
 #endif /* NX_SECURE_TLS_TLS_1_0_ENABLED || NX_SECURE_TLS_TLS_1_1_ENABLED */
@@ -295,16 +294,11 @@ UINT                                  i;
             protocol_version == NX_SECURE_TLS_VERSION_TLS_1_1)
 #endif /* NX_SECURE_ENABLE_DTLS */
         {
-        	if(auth_method ->nx_crypto_algorithm != NX_CRYPTO_KEY_EXCHANGE_PSK)
-        	{
-        		size_param = 6;
-        	}
-        	else
-        	{
-        		size_param = 6 + tls_credentials -> nx_secure_tls_remote_psk_id_size;
-        	}
-
-            if ((UINT)key_length + size_param > message_length)
+ 		#ifdef NX_SECURE_ENABLE_PSK_CIPHERSUITES
+			if ((UINT)6 + tls_credentials -> nx_secure_tls_remote_psk_id_size > message_length)
+		#else
+			if ((UINT)key_length + 8 > message_length)
+		#endif
             {
                 return(NX_SECURE_TLS_INCORRECT_MESSAGE_LENGTH);
             }
@@ -322,16 +316,11 @@ UINT                                  i;
         else
 #endif /* NX_SECURE_TLS_TLS_1_0_ENABLED || NX_SECURE_TLS_TLS_1_1_ENABLED */
         {
-        	if(auth_method ->nx_crypto_algorithm != NX_CRYPTO_KEY_EXCHANGE_PSK)
-        	{
-        		size_param = 8;
-        	}
-        	else
-        	{
-        		size_param = 6 + tls_credentials -> nx_secure_tls_remote_psk_id_size;
-        	}
-
-            if ((UINT)key_length + size_param > message_length)
+ 		#ifdef NX_SECURE_ENABLE_PSK_CIPHERSUITES
+			if ((UINT)6 + tls_credentials -> nx_secure_tls_remote_psk_id_size > message_length)
+		#else
+			if ((UINT)key_length + 8 > message_length)
+		#endif
             {
                 return(NX_SECURE_TLS_INCORRECT_MESSAGE_LENGTH);
             }