From: Tobias Brunner
Date: Wed, 15 Jun 2022 08:34:52 +0000 (+0200)
Subject: openssl: Use dynamically allocated array to determine EC curves
X-Git-Tag: 5.9.7dr2~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8dbcff1e8b65b6beeb8f768a6109ab00756e2222;p=thirdparty%2Fstrongswan.git
openssl: Use dynamically allocated array to determine EC curves
This avoids the use of a variable length array, which should probably be avoided in general due to potential performance, portability and security issues (not in this particular case, though).
Closes strongswan/strongswan#1095
---
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 77422f8bed..ed5b14ef08 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -345,22 +345,26 @@ static bool ecdh_group_supported(EC_builtin_curve *curves, size_t num_curves,
 static void add_ecdh_features(plugin_feature_t *features, plugin_feature_t *to_add, int count, int *pos)
 {
+ EC_builtin_curve *curves;
 size_t num_curves;
 int i;
 num_curves = EC_get_builtin_curves(NULL, 0);
- EC_builtin_curve curves[num_curves];
-
- num_curves = EC_get_builtin_curves(curves, num_curves);
-
- for (i = 0; i < count; i++)
+ if (num_curves)
 {
- if (to_add[i].kind != FEATURE_PROVIDE ||
- ecdh_group_supported(curves, num_curves, to_add[i].arg.dh_group))
+ curves = calloc(num_curves, sizeof(EC_builtin_curve));
+ num_curves = EC_get_builtin_curves(curves, num_curves);
+
+ for (i = 0; i < count; i++)
 {
- features[(*pos)++] = to_add[i];
+ if (to_add[i].kind != FEATURE_PROVIDE ||
+ ecdh_group_supported(curves, num_curves, to_add[i].arg.dh_group))
+ {
+ features[(*pos)++] = to_add[i];
+ }
 }
+ free(curves);
 }
 }
 #endif /* OPENSSL_NO_ECDH */
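Review bot: The pointer returned by `calloc()` inside the new `if (num_curves)` block is used without a NULL check. On allocation failure, `EC_get_builtin_curves()` with a NULL array only reports the curve count, so `num_curves` stays non-zero and `ecdh_group_supported()` is then handed a NULL `curves` pointer; its body is outside this hunk, but it presumably walks the array and would dereference NULL. Adding `if (!curves) { return; }` right after the `calloc()` line would make the out-of-memory path behave like the `num_curves == 0` path. It would also help to add a short comment on `if (num_curves)` stating that no entry from `to_add` is copied when there are no curves, including entries whose kind is not `FEATURE_PROVIDE`, so the next reader knows this is intended.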