From fe7be3e15f09e5b7127ec4ff355b6ece5788195d Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Thu, 21 Jan 2021 14:48:10 -0800
Subject: [PATCH] Alerts Alerts the server sends between receiving the client's
 CCS message and before it sends its own CCS message should not be encrypted.

---
 src/internal.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index e2fdbcc71..579a8e692 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -209,15 +209,14 @@ int IsAtLeastTLSv1_3(const ProtocolVersion pv)
 
 static WC_INLINE int IsEncryptionOn(WOLFSSL* ssl, int isSend)
 {
-    (void)isSend;
-
     #ifdef WOLFSSL_DTLS
     /* For DTLS, epoch 0 is always not encrypted. */
     if (ssl->options.dtls && !isSend && ssl->keys.curEpoch == 0)
         return 0;
     #endif /* WOLFSSL_DTLS */
 
-    return ssl->keys.encryptionOn;
+    return ssl->keys.encryptionOn &&
+        (isSend ? ssl->encrypt.setup : ssl->decrypt.setup);
 }