Expain rationale for handling of consecutive empty AD records

commit: 70463dbb2daef69c23877eddff618f7a81087fee [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Wed May 08 10:38:32 2019 +0100
committer: Hanno Becker <hanno.becker@arm.com> Mon May 20 15:32:36 2019 +0100
tree: 135a22c7a1bd2729efecd79b894d2fe8fba39330
parent: 78c430269b51af4c2a70424198601438727b26d3 [diff] [blame]
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 18a508d..a8c3de9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -4659,8 +4659,10 @@
             if( ssl->nb_zero > 3 )
             {
                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
-                                    "messages, possible DoS attack" ) );
-                /* Q: Is that the right error code? */
+                                            "messages, possible DoS attack" ) );
+                /* Treat the records as if they were not properly authenticated,
+                 * thereby failing the connection if we see more than allowed
+                 * by the configured bad MAC threshold. */
                 return( MBEDTLS_ERR_SSL_INVALID_MAC );
             }
         }
commit	70463dbb2daef69c23877eddff618f7a81087fee	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Wed May 08 10:38:32 2019 +0100
committer	Hanno Becker <hanno.becker@arm.com>	Mon May 20 15:32:36 2019 +0100
tree	135a22c7a1bd2729efecd79b894d2fe8fba39330
parent	78c430269b51af4c2a70424198601438727b26d3 [diff] [blame]