Fix wolfSSL_get_ciphers_compat() to return NULL for empty cipher list#9972
Merged
JacobBarthelmeh merged 1 commit intowolfSSL:masterfrom Mar 16, 2026
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes wolfSSL_get_ciphers_compat() to match OpenSSL semantics by returning NULL when cipher filtering results in no available ciphers, and adds a regression test to prevent reintroducing the behavior.
Changes:
- Free and null out the cached cipher stack when it ends up empty after filtering.
- Add a regression test ensuring
wolfSSL_get_ciphers_compat()returnsNULL(not an empty stack) when no ciphers are available. - Register the new test in the
OPENSSL_ALLtest suite list.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/api.c | Adds and registers a regression test for the empty-cipher-list NULL return behavior. |
| src/ssl.c | Adjusts wolfSSL_get_ciphers_compat() to free an empty stack and return NULL. |
Comments suppressed due to low confidence (1)
tests/api.c:1
- This test relies on
SSL_OP_NO_TLSv1_3being defined. If that macro is not available in some build configurations (e.g., certain feature-disable builds), this will fail to compile. To keep the test portable across configurations, guard use ofSSL_OP_NO_TLSv1_3with a preprocessor check (or build the options mask conditionally) so the test still compiles while disabling all supported protocol versions.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
|
Retest this please Jenkins |
SparkiDev
approved these changes
Mar 16, 2026
JacobBarthelmeh
approved these changes
Mar 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR fixes
wolfSSL_get_ciphers_compat()to returnNULLwhen no cipher suites pass filtering, instead of returning a non-NULL empty stack.The refactoring of
wolfSSL_get_ciphers_compat()in commit fb82496 (PR #9831) changed the function to pre-allocate the cipher stack before the population loop. When all ciphers are filtered out, the function now returns a non-NULL empty stack instead of NULL.Since
wolfSSL_get_ciphers_compat()is defined asSSL_get_ciphers(), it should returnNULLwhen no ciphers are available, consistent with OpenSSL behavior (the pre-refactoring behavior).Testing
Adds regression test
test_wolfSSL_get_ciphers_compat_empty(). Caught when running wolfssljni JUnit tests.Checklist