Fix ECDHE_PSK key exchange.

The current implementation switches the order of other_secret and psk;
other_secret is first. Fix it and rewrite with CBB instead. The server half got
fixed on accident in a prior refactor.

Change-Id: Ib52a756aadd66e4bf22c66794447f71f4772da09
Reviewed-on: https://boringssl-review.googlesource.com/2052
Reviewed-by: Adam Langley <agl@google.com>

ssl/s3_clnt.c

@@ -2192,23 +2192,23 @@ int ssl3_send_client_key_exchange(SSL *s)
 			/* ECDHE PSK ciphersuites from RFC 5489 */
 			if ((alg_a & SSL_aPSK) && psk_len != 0)
 				{
-				uint8_t *t;
+				CBB cbb, child;
 
-				pms_len = 2+psk_len+2+n;
-				pms = OPENSSL_malloc(pms_len);
-				if (pms == NULL)
+				if (!CBB_init(&cbb, 2+psk_len+2+n))
 					{
 					OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_MALLOC_FAILURE);
 					goto err;
 					}
-
-				t = pms;
-				memset(t, 0, pms_len);
-				s2n(psk_len, t);
-				memcpy(t, psk, psk_len);
-				t += psk_len;
-				s2n(n, t);
-				memcpy(t, p, n);
+				if (!CBB_add_u16_length_prefixed(&cbb, &child) ||
+					!CBB_add_bytes(&child, p, n) ||
+					!CBB_add_u16_length_prefixed(&cbb, &child) ||
+					!CBB_add_bytes(&child, psk, psk_len) ||
+					!CBB_finish(&cbb, &pms, &pms_len))
+					{
+					CBB_cleanup(&cbb);
+					OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange, ERR_R_INTERNAL_ERROR);
+					goto err;
+					}
 				}
 			if (!(alg_a & SSL_aPSK))
 				{