option for fail on no peer cert except PSK suites

examples/server/server.c

@@ -257,6 +257,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     int    useAnyAddr = 0;
     word16 port = wolfSSLPort;
     int    usePsk = 0;
+    int    usePskPlus = 0;
     int    useAnon = 0;
     int    doDTLS = 0;
     int    needDH = 0;
@@ -329,7 +330,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 #ifdef WOLFSSL_VXWORKS
     useAnyAddr = 1;
 #else
-    while ((ch = mygetopt(argc, argv, "?dbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:"))
+    while ((ch = mygetopt(argc, argv, "?dbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:j"))
                          != -1) {
         switch (ch) {
             case '?' :
@@ -348,6 +349,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
                 usePsk = 1;
                 break;
 
+            case 'j' :
+                usePskPlus = 1;
+                break;
+
             case 't' :
             #ifdef USE_WOLFSSL_MEMORY
                 trackMemory = 1;
@@ -609,7 +614,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 #endif
 
 #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
-    if (!usePsk && !useAnon) {
+    if ((!usePsk || usePskPlus) && !useAnon) {
         if (SSL_CTX_use_certificate_chain_file(ctx, ourCert)
                                          != SSL_SUCCESS)
             err_sys("can't load server cert file, check file and run from"
@@ -630,7 +635,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     }
 #endif
 #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
-    if (!useNtruKey && !usePsk && !useAnon) {
+    if (!useNtruKey && (!usePsk || usePskPlus) && !useAnon) {
         if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM)
                                          != SSL_SUCCESS)
             err_sys("can't load server private key file, check file and run "
@@ -638,14 +643,14 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     }
 #endif
 
-    if (usePsk) {
+    if (usePsk || usePskPlus) {
 #ifndef NO_PSK
         SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
 
         if (sendPskIdentityHint == 1)
             SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
 
-        if (cipherList == NULL) {
+        if (cipherList == NULL && !usePskPlus) {
             const char *defaultCipherList;
             #if defined(HAVE_AESGCM) && !defined(NO_DH)
                 defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
@@ -672,13 +677,15 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     }
 
 #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
-    /* if not using PSK, verify peer with certs */
-    if (doCliCertCheck && usePsk == 0 && useAnon == 0) {
+    /* if not using PSK, verify peer with certs
+       if using PSK Plus then verify peer certs except PSK suites */
+    if (doCliCertCheck && (usePsk == 0 || usePskPlus) && useAnon == 0) {
         SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
-                                SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);
+                                ((usePskPlus)? SSL_VERIFY_FAIL_EXCEPT_PSK :
+                                SSL_VERIFY_FAIL_IF_NO_PEER_CERT),0);
         if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
             err_sys("can't load ca file, Please run from wolfSSL home dir");
-    }
+   }
 #endif
 
 #if defined(CYASSL_SNIFFER)
@@ -795,7 +802,8 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
             wolfSSL_dtls_set_peer(ssl, &cliaddr, len);
         }
 #endif
-        if (usePsk == 0 || useAnon == 1 || cipherList != NULL || needDH == 1) {
+        if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL
+                                                               || needDH == 1) {
             #if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN)
                 CyaSSL_SetTmpDH_file(ssl, ourDhParam, SSL_FILETYPE_PEM);
             #elif !defined(NO_DH)

src/internal.c

@@ -1835,10 +1835,11 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
     ssl->options.sessionCacheOff      = ctx->sessionCacheOff;
     ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff;
 
-    ssl->options.verifyPeer = ctx->verifyPeer;
-    ssl->options.verifyNone = ctx->verifyNone;
-    ssl->options.failNoCert = ctx->failNoCert;
-    ssl->options.sendVerify = ctx->sendVerify;
+    ssl->options.verifyPeer     = ctx->verifyPeer;
+    ssl->options.verifyNone     = ctx->verifyNone;
+    ssl->options.failNoCert     = ctx->failNoCert;
+    ssl->options.failNoCertxPSK = ctx->failNoCertxPSK;
+    ssl->options.sendVerify     = ctx->sendVerify;
 
     ssl->heap = ctx->heap;    /* defaults to self */
     ssl->options.partialWrite  = ctx->partialWrite;
@@ -16936,6 +16937,14 @@ int DoSessionTicket(WOLFSSL* ssl,
                     return NO_PEER_CERT;
                 }
             }
+
+            if (ssl->options.verifyPeer && ssl->options.failNoCertxPSK) {
+                if (!ssl->options.havePeerCert &&
+                                                 !ssl->options.usingPSK_cipher){
+                    WOLFSSL_MSG("client didn't present peer cert");
+                    return NO_PEER_CERT;
+                }
+            }
         #endif
 
         #ifdef WOLFSSL_CALLBACKS

src/ssl.c

@@ -4608,6 +4608,11 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
     if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
         ctx->failNoCert = 1;
 
+    if (mode & SSL_VERIFY_FAIL_EXCEPT_PSK) {
+        ctx->failNoCert    = 0; /* fail on all is set to fail on PSK */
+        ctx->failNoCertxPSK = 1;
+    }
+
     ctx->verifyCallback = vc;
 }
 
@@ -4628,6 +4633,11 @@ void wolfSSL_set_verify(WOLFSSL* ssl, int mode, VerifyCallback vc)
     if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
         ssl->options.failNoCert = 1;
 
+    if (mode & SSL_VERIFY_FAIL_EXCEPT_PSK) {
+        ssl->options.failNoCert    = 0; /* fail on all is set to fail on PSK */
+        ssl->options.failNoCertxPSK = 1;
+    }
+
     ssl->verifyCallback = vc;
 }
 
@@ -17074,6 +17084,9 @@ int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx)
     if (ctx->failNoCert)
         mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 
+    if (ctx->failNoCertxPSK)
+        mode |= SSL_VERIFY_FAIL_EXCEPT_PSK;
+
     WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode);
     return mode;
 }

wolfssl/internal.h

@@ -1818,6 +1818,7 @@ struct WOLFSSL_CTX {
     byte        verifyPeer;
     byte        verifyNone;
     byte        failNoCert;
+    byte        failNoCertxPSK;   /* fail if no cert with the exception of PSK*/
     byte        sessionCacheOff;
     byte        sessionCacheFlushOff;
     byte        sendVerify;       /* for client side */
@@ -2216,6 +2217,7 @@ typedef struct Options {
     word16            verifyPeer:1;
     word16            verifyNone:1;
     word16            failNoCert:1;
+    word16            failNoCertxPSK:1;   /* fail for no cert except with PSK */
     word16            downgrade:1;        /* allow downgrade of versions */
     word16            resuming:1;
     word16            haveSessionId:1;    /* server may not send */

wolfssl/ssl.h

@@ -698,6 +698,7 @@ enum { /* ssl Constants */
     SSL_VERIFY_PEER                 = 1,
     SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 2,
     SSL_VERIFY_CLIENT_ONCE          = 4,
+    SSL_VERIFY_FAIL_EXCEPT_PSK      = 8,
 
     SSL_SESS_CACHE_OFF                = 30,
     SSL_SESS_CACHE_CLIENT             = 31,