only return an invalid first key phase error for decryptable packets

[marten-seemann]

This bug has remained undetected since we currently just ignore all errors coming from the AEAD (see #2755).

We need to make sure that we only return an error if we're actually sure that the packet came from the peer, i.e. when decrypting the packet succeeds. Otherwise, and attacker could inject random packet (each of those giving him a chance of 50% to get the key phase bit right) to trigger this error.

[codecov]

Codecov Report

Merging #2757 into master will increase coverage by 0.03%.
The diff coverage is 83.33%.

@@            Coverage Diff             @@
##           master    #2757      +/-   ##
==========================================
+ Coverage   86.52%   86.54%   +0.03%     
==========================================
  Files         128      128              
  Lines        9960     9964       +4     
==========================================
+ Hits         8617     8623       +6     
+ Misses       1010     1009       -1     
+ Partials      333      332       -1     

Impacted Files	Coverage Δ
internal/handshake/updatable_aead.go	93.13% <83.33%> (+1.79%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bed802a...34c3259. Read the comment docs.