fix ecc w/ no rsa send cert verify and server flag for missing cert verify

cyassl/error.h

@@ -110,6 +110,7 @@ enum CyaSSL_ErrorCodes {
     SANITY_CIPHER_E        = -275,            /* sanity check on cipher error */
     RECV_OVERFLOW_E        = -276,            /* RXCB returned more than rqed */
     GEN_COOKIE_E           = -277,            /* Generate Cookie Error */
+    NO_PEER_VERIFY         = -278,            /* Need peer cert verify Error */
     /* add strings to SetErrorString !!!!! */
 
     /* begin negotiation parameter errors */

cyassl/internal.h

@@ -1317,6 +1317,7 @@ typedef struct Options {
     byte            haveECDSAsig;       /* server ECDSA signed cert */
     byte            haveStaticECC;      /* static server ECC private key */
     byte            havePeerCert;       /* do we have peer's cert */
+    byte            havePeerVerify;     /* and peer's cert verify */
     byte            usingPSK_cipher;    /* whether we're using psk as cipher */
     byte            sendAlertState;     /* nonblocking resume */ 
     byte            processReply;       /* nonblocking resume */

src/internal.c

@@ -1191,7 +1191,8 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
     ssl->options.haveNTRU      = ctx->haveNTRU;
     ssl->options.haveECDSAsig  = ctx->haveECDSAsig;
     ssl->options.haveStaticECC = ctx->haveStaticECC;
-    ssl->options.havePeerCert  = 0; 
+    ssl->options.havePeerCert    = 0; 
+    ssl->options.havePeerVerify  = 0;
     ssl->options.usingPSK_cipher = 0;
     ssl->options.sendAlertState = 0;
 #ifndef NO_PSK
@@ -4283,6 +4284,17 @@ int ProcessReply(CYASSL* ssl)
                         CYASSL_MSG("Malicious or corrupted ChangeCipher msg");
                         return LENGTH_ERROR;
                     }
+                    #ifndef NO_CERTS
+                        if (ssl->options.side == SERVER_END &&
+                                 ssl->options.verifyPeer &&
+                                 ssl->options.havePeerCert)
+                            if (!ssl->options.havePeerVerify) {
+                                CYASSL_MSG("client didn't send cert verify");
+                                return NO_PEER_VERIFY;
+                            }
+                    #endif
+
+
                     ssl->buffers.inputBuffer.idx++;
                     ssl->keys.encryptionOn = 1;
 
@@ -5437,6 +5449,10 @@ void SetErrorString(int error, char* str)
         XSTRNCPY(str, "Generate Cookie Error", max);
         break;
 
+    case NO_PEER_VERIFY:
+        XSTRNCPY(str, "Need peer certificate verify Error", max);
+        break;
+
     default :
         XSTRNCPY(str, "unknown error number", max);
     }
@@ -8882,6 +8898,9 @@ int SetCipherList(Suites* s, const char* list)
                ret = 0;   /* verified */ 
         }
 #endif
+        if (ret == 0)
+            ssl->options.havePeerVerify = 1;
+          
         return ret;
     }
 #endif /* !NO_RSA || HAVE_ECC */

src/ssl.c

@@ -2715,7 +2715,7 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl)
             CYASSL_MSG("connect state: FIRST_REPLY_SECOND");
 
         case FIRST_REPLY_SECOND :
-            #ifndef NO_RSA
+            #ifndef NO_CERTS
                 if (ssl->options.sendVerify)
                     if ( (ssl->error = SendCertificateVerify(ssl)) != 0) {
                         CYASSL_ERROR(ssl->error);