Fix wolfSSL_get_ciphers_compat to return NULL when no ciphers available

cconlon · cconlon · commit 428030a3e8f3 · 2026-03-13T15:07:25.000-06:00
diff --git a/src/ssl.c b/src/ssl.c
@@ -16098,6 +16098,12 @@ WOLF_STACK_OF(WOLFSSL_CIPHER) *wolfSSL_get_ciphers_compat(const WOLFSSL *ssl)
                 break;
             }
         }
+
+        /* If no ciphers were added, free empty stack and return NULL */
+        if (ssl->suitesStack != NULL && wolfSSL_sk_num(ssl->suitesStack) == 0) {
+            wolfSSL_sk_CIPHER_free(ssl->suitesStack);
+            ((WOLFSSL*)ssl)->suitesStack = NULL;
+        }
     }
     return ssl->suitesStack;
 }
diff --git a/tests/api.c b/tests/api.c
@@ -19272,6 +19272,39 @@ static int test_wolfSSL_get_ciphers_compat(void)
     return EXPECT_RESULT();
 }
 
+/* Test that wolfSSL_get_ciphers_compat returns NULL (not an empty stack)
+ * when no ciphers are available for a given protocol configuration.
+ * wolfSSL_get_ciphers_compat() is mapped to SSL_get_ciphers(), which has
+ * an expected return of NULL when no ciphers are available. */
+static int test_wolfSSL_get_ciphers_compat_empty(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT)
+    const SSL_METHOD *method = NULL;
+    SSL_CTX *ctx = NULL;
+    WOLFSSL *ssl = NULL;
+    STACK_OF(SSL_CIPHER) *ciphers = NULL;
+
+    ExpectNotNull(method = SSLv23_client_method());
+    ExpectNotNull(ctx = SSL_CTX_new(method));
+    ExpectNotNull(ssl = SSL_new(ctx));
+
+    /* Disable all protocol versions via options mask so that
+     * sslCipherMinMaxCheck filters out every cipher suite */
+    wolfSSL_set_options(ssl, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
+        SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3);
+
+    ciphers = wolfSSL_get_ciphers_compat(ssl);
+
+    /* Must be NULL, not a non-NULL empty stack */
+    ExpectNull(ciphers);
+
+    SSL_free(ssl);
+    SSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+
 static int test_wolfSSL_CTX_ctrl(void)
 {
     EXPECT_DECLS;
@@ -34136,6 +34169,7 @@ TEST_CASE testCases[] = {
 #ifdef OPENSSL_ALL
     TEST_DECL(test_wolfSSL_sk_CIPHER_description),
     TEST_DECL(test_wolfSSL_get_ciphers_compat),
+    TEST_DECL(test_wolfSSL_get_ciphers_compat_empty),
 
     TEST_DECL(test_wolfSSL_CTX_ctrl),
 #endif /* OPENSSL_ALL */

Original file line number	Diff line number	Diff line change
`@@ -16098,6 +16098,12 @@ WOLF_STACK_OF(WOLFSSL_CIPHER) wolfSSL_get_ciphers_compat(const WOLFSSL ssl)`
`16098`	`16098`	`break;`
`16099`	`16099`	`}`
`16100`	`16100`	`}`
	`16101`	`+`
	`16102`	`+ /* If no ciphers were added, free empty stack and return NULL */`
	`16103`	`+ if (ssl->suitesStack != NULL && wolfSSL_sk_num(ssl->suitesStack) == 0) {`
	`16104`	`+ wolfSSL_sk_CIPHER_free(ssl->suitesStack);`
	`16105`	`+ ((WOLFSSL*)ssl)->suitesStack = NULL;`
	`16106`	`+ }`
`16101`	`16107`	`}`
`16102`	`16108`	`return ssl->suitesStack;`
`16103`	`16109`	`}`