From 6e7700df17f333d320aef4df56a4bbd08f3c37fc Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 8 May 2019 10:38:32 +0100
Subject: [PATCH] Expain rationale for handling of consecutive empty AD records

---
 library/ssl_tls.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d7291fec0e..1faac0734b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5081,8 +5081,10 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
 if( ssl->nb_zero > 3 )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
- "messages, possible DoS attack" ) );
- /* Q: Is that the right error code? */
+ "messages, possible DoS attack" ) );
+ /* Treat the records as if they were not properly authenticated,
+ * thereby failing the connection if we see more than allowed
+ * by the configured bad MAC threshold. */
 return( MBEDTLS_ERR_SSL_INVALID_MAC );
 }
 }
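Review bot: The new comment's reference to "the configured bad MAC threshold" leaves out that, as far as I recall, that limit (set via `mbedtls_ssl_conf_dtls_badmac_limit`) only applies to DTLS, where a record rejected with `MBEDTLS_ERR_SSL_INVALID_MAC` is dropped and counted; over TLS the same return value is fatal, so the connection is torn down on the fourth consecutive empty record regardless of any threshold. Spelling that out would make the rationale complete, e.g. `* by the configured bad MAC threshold (DTLS only; over TLS the` / `* error is fatal, as for any bad MAC). */`. It would also help to say where `ssl->nb_zero` is reset, since the "consecutive" property the check relies on depends on that reset, which is not visible in this hunk. The enclosing function ssl_prepare_record_content starts and ends outside the hunk.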