From d8299e2764c0a3a5f90bc58a0a2361fe1a788b6b Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Fri, 9 Oct 2020 13:48:08 -0700
Subject: [PATCH] Maintenance Fixes

When building the list of ciphers with wolfSSL_get_ciphers_compat(), skip the fake indicator ciphers like the renegotiation indication and the quantum-safe hybrid since they do not have encryption or mac algorithms associated to them.
---
 src/ssl.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/ssl.c b/src/ssl.c
index 70574db35..64aea9ca0 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -43501,6 +43501,21 @@ unsigned long wolfSSL_ERR_peek_error_line_data(const char **file, int *line,
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
+
+static WC_INLINE int SKIP_SUITE(byte suite0, byte suite)
+{
+#ifdef HAVE_RENEGOTIATION_INDICATION
+ if (suite0 == CIPHER_BYTE && suite == TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
+ return 1;
+#endif
+#ifdef BUILD_TLS_QSH
+ if (suite0 == QSH_BYTE && suite == TLS_QSH)
+ return 1;
+#endif
+ return 0;
+}
+
+
 /* returns a pointer to internal cipher suite list. Should not be free'd by
 * caller.
 */
@@ -43532,7 +43547,15 @@ WOLF_STACK_OF(WOLFSSL_CIPHER) *wolfSSL_get_ciphers_compat(const WOLFSSL *ssl)
 int j;
 #endif
 for (i = 0; i < suites->suiteSz; i+=2) {
- WOLFSSL_STACK* add = wolfSSL_sk_new_node(ssl->heap);
+ WOLFSSL_STACK* add;
+
+ /* A couple of suites are placeholders for special options,
+ * skip those. */
+ if (SKIP_SUITE(suites->suites[i], suites->suites[i+1])) {
+ continue;
+ }
+
+ add = wolfSSL_sk_new_node(ssl->heap);
 if (add != NULL) {
 add->type = STACK_TYPE_CIPHER;
 add->data.cipher.cipherSuite0 = suites->suites[i];
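Review bot: When neither HAVE_RENEGOTIATION_INDICATION nor BUILD_TLS_QSH is defined, both parameters of SKIP_SUITE are unused and the body reduces to `return 0;`, which trips unused-parameter warnings in strict builds; adding `(void)suite0; (void)suite;` at the top of the body avoids that. The all-caps name also reads like a macro although this is a `static WC_INLINE` function, so a lower-case name would match what it is. The helper has no header comment; something like `/* Returns 1 for signalling-only suite values (renegotiation SCSV, QSH hybrid) that carry no cipher or MAC, 0 otherwise. */` would state the contract for the next reader.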
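Review bot: The new `SKIP_SUITE(suites->suites[i], suites->suites[i+1])` call reads index `i+1` while the loop condition only guarantees `i < suites->suiteSz`, so an odd `suiteSz` would make the filter inspect a byte past the populated part of the list. Suite entries are presumably always stored as two-byte pairs, which would make this unreachable, but nothing in the hunk shows that invariant; `for (i = 0; i + 1 < suites->suiteSz; i += 2) {` would make the loop self-protecting. The loop body and wolfSSL_get_ciphers_compat itself continue outside the hunk, so the later accesses to the second suite byte cannot be checked from here.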