Expain rationale for handling of consecutive empty AD records

2024-11-23 07:55:46 +01:00 · 2019-05-08 10:38:32 +01:00 · 2019-05-08 10:38:32 +01:00 · 6e7700df17
commit 6e7700df17
parent 76a79ab4a2
1 changed files with 4 additions and 2 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -5081,8 +5081,10 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
            if( ssl->nb_zero > 3 )
            {
                MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
-                                    "messages, possible DoS attack" ) );
-                /* Q: Is that the right error code? */
+                                            "messages, possible DoS attack" ) );
+                /* Treat the records as if they were not properly authenticated,
+                 * thereby failing the connection if we see more than allowed
+                 * by the configured bad MAC threshold. */
                return( MBEDTLS_ERR_SSL_INVALID_MAC );
            }
        }