Resolve some TLSv1.3 alert issues #6887
Ensure that we write out alerts correctly after early_data. If we sent early_data and then received back an HRR, the enc_write_ctx was stale, resulting in errors if an alert needed to be sent.
Thanks to Quarkslab for reporting this.
In any case it makes little sense to encrypt alerts using the client_early_traffic_secret, so we add special handling for alerts sent after early_data. All such alerts are sent in plaintext (until we're using the handshake traffic secret).
Additionally, on the server side at certain points in the handshake we could receive either a plaintext or
Testing this is quite challenging. I've not been able to come up with tests for some of these corner cases, but I have tested the straightforward case of an unencrypted alert being sent where the server might normally expect an encrypted handshake message.
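A receiver that may see either a plaintext alert or a protected record at the same point in the handshake has to tell them apart from the outer record header. The following is an added example, not code from this pull request or from OpenSSL: `classify_record` and the `rec_class` enum are hypothetical names, the content-type values are those of RFC 8446, and the sample record is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outer record content types, RFC 8446 section 5.1 */
#define REC_ALERT            21
#define REC_APPLICATION_DATA 23

enum rec_class { REC_MALFORMED = -1, REC_PLAINTEXT_ALERT, REC_PROTECTED, REC_OTHER };

/*
 * Classify one TLS 1.3 record from its 5-byte header (hypothetical helper).
 * On REC_PLAINTEXT_ALERT, *level and *desc receive the two alert bytes.
 */
enum rec_class classify_record(const uint8_t *buf, size_t len,
                               uint8_t *level, uint8_t *desc)
{
    size_t body_len;

    if (buf == NULL || len < 5)
        return REC_MALFORMED;
    body_len = ((size_t)buf[3] << 8) | buf[4];
    if (len - 5 < body_len)
        return REC_MALFORMED;           /* record not fully present */
    if (buf[0] == REC_ALERT) {
        /* TLS 1.3 carries exactly one alert (level + description) per record */
        if (body_len != 2)
            return REC_MALFORMED;
        if (level != NULL)
            *level = buf[5];
        if (desc != NULL)
            *desc = buf[6];
        return REC_PLAINTEXT_ALERT;
    }
    if (buf[0] == REC_APPLICATION_DATA) /* protected: must be decrypted first */
        return body_len > 0 ? REC_PROTECTED : REC_MALFORMED;
    return REC_OTHER;
}

int main(void)
{
    /* Constructed sample: fatal(2) unexpected_message(10) sent in plaintext */
    const uint8_t rec[] = { 0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x0a };
    uint8_t level = 0, desc = 0;

    if (classify_record(rec, sizeof(rec), &level, &desc) == REC_PLAINTEXT_ALERT)
        printf("plaintext alert: level=%u description=%u\n", level, desc);
    return 0;
}
```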