respond to negotiation attempt with alert warning no_renegotiation to try graceful continue if possible

cyassl/internal.h

@@ -1160,7 +1160,9 @@ enum AlertDescription {
     certificate_expired     = 45,
     certificate_unknown     = 46,
     illegal_parameter       = 47,
-    decrypt_error           = 51
+    decrypt_error           = 51,
+    protocol_version        = 70,
+    no_renegotiation        = 100
 };
 
 

src/internal.c

@@ -1709,6 +1709,36 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
 }
 
 
+static int DoHelloRequest(CYASSL* ssl, const byte* input, word32* inOutIdx)
+{
+    if (ssl->keys.encryptionOn) {
+        const byte* mac;
+        int         padSz = ssl->keys.encryptSz - HANDSHAKE_HEADER_SZ - 
+                            ssl->specs.hash_size;
+        byte        verify[SHA256_DIGEST_SIZE];
+       
+        ssl->hmac(ssl, verify, input + *inOutIdx - HANDSHAKE_HEADER_SZ,
+                  HANDSHAKE_HEADER_SZ, handshake, 1);
+        /* read mac and fill */
+        mac = input + *inOutIdx;
+        *inOutIdx += ssl->specs.hash_size;
+
+        if (ssl->options.tls1_1 && ssl->specs.cipher_type == block)
+            padSz -= ssl->specs.block_size;
+
+        *inOutIdx += padSz;
+
+        /* verify */
+        if (XMEMCMP(mac, verify, ssl->specs.hash_size)) {
+            CYASSL_MSG("    hello_request verify mac error");
+            return VERIFY_MAC_ERROR;
+        }
+    }
+
+    return SendAlert(ssl, alert_warning, no_renegotiation);
+}
+
+
 int DoFinished(CYASSL* ssl, const byte* input, word32* inOutIdx, int sniff)
 {
     byte   verifyMAC[SHA256_DIGEST_SIZE];
@@ -1802,6 +1832,11 @@ static int DoHandShakeMsg(CYASSL* ssl, byte* input, word32* inOutIdx,
 
     switch (type) {
 
+    case hello_request:
+        CYASSL_MSG("processing hello request");
+        ret = DoHelloRequest(ssl, input, inOutIdx);
+        break;
+
 #ifndef NO_CYASSL_CLIENT
     case hello_verify_request:
         CYASSL_MSG("processing hello verify request");