From 92c9ff5f48b837731902b6d90326dc012be1ecde Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Mon, 31 Jul 2017 16:21:39 -0600
Subject: [PATCH] reset cipher suites after call to wolfSSL_set_options
---
 src/internal.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/src/internal.c b/src/internal.c
index 186dd4289..336757ce2 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -22890,15 +22890,18 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 * set from either wolfSSL_set_options or wolfSSL_CTX_set_options */
 if (!ssl->options.dtls && ssl->options.downgrade && ssl->options.mask > 0) {
+ byte reset = 0; /* check if suites need reset after version change*/
 if (ssl->version.minor == TLSv1_2_MINOR &&
 (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
 WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading");
+ reset = 1;
 ssl->version.minor = TLSv1_1_MINOR;
 }
 if (ssl->version.minor == TLSv1_1_MINOR &&
 (ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) {
 WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading");
 ssl->options.tls1_1 = 0;
+ reset = 1;
 ssl->version.minor = TLSv1_MINOR;
 }
 if (ssl->version.minor == TLSv1_MINOR &&
@@ -22906,6 +22909,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading");
 ssl->options.tls = 0;
 ssl->options.tls1_1 = 0;
+ reset = 1;
 ssl->version.minor = SSLv3_MINOR;
 }
 if (ssl->version.minor == SSLv3_MINOR &&
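Review bot: The `reset` flag has to be set by hand inside every downgrade branch (twice in this hunk and once more in the next hunk at -22906), so a branch added later that forgets it would presumably leave the suite list built for the version that was just rejected. Recording the starting value once, `byte startMinor = ssl->version.minor;`, and testing `if (ssl->version.minor != startMinor)` after the checks would make the reset follow the version change itself rather than three separate assignments. The enclosing function starts before this hunk, and the last `if` shown continues past it.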
@@ -22918,6 +22922,27 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
 return VERSION_ERROR;
 }
+
+ if (reset == 1) {
+ word16 haveRSA = 0;
+ word16 havePSK = 0;
+ int keySz = 0;
+
+ #ifndef NO_RSA
+ haveRSA = 1;
+ #endif
+ #ifndef NO_PSK
+ havePSK = ssl->options.havePSK;
+ #endif
+ #ifndef NO_CERTS
+ keySz = ssl->buffers.keySz;
+ #endif
+ WOLFSSL_MSG("Reseting allowed cipher suites after downgrade");
+ InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
+ ssl->options.haveDH, ssl->options.haveNTRU,
+ ssl->options.haveECDSAsig, ssl->options.haveECC,
+ ssl->options.haveStaticECC, ssl->options.side);
+ }
 }
 #endif
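Review bot: The new `if (reset == 1)` block rebuilds `ssl->suites` through `InitSuites` without saying what happens to a cipher list the application restricted itself, for example with `wolfSSL_set_cipher_list()`. `InitSuites` is not part of this patch, so from here it is unclear whether a downgrade keeps that list (which could then still hold suites that are not valid for the lower version) or replaces it with the build defaults (which would widen what the operator allowed). A comment above the call, such as `/* rebuilds default suites only; a user-set cipher list must not be widened here */`, should state which holds. `haveRSA` is taken from the build option alone (`#ifndef NO_RSA`) rather than from a loaded key; if that mirrors the initial suite setup, say so in the same comment. The log string `"Reseting"` should read `"Resetting"`. The enclosing function begins outside this hunk.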