From a8515e2d28736090a18cf66345c9bd07cfd6ffcc Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Tue, 4 Jan 2011 19:33:30 +0000
Subject: [PATCH] Since DTLS 1.0 is based on TLS 1.1 we should never return a
 decryption_failed alert.

---
 ssl/d1_enc.c | 6 +-----
 ssl/d1_pkt.c | 3 ++-
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/ssl/d1_enc.c b/ssl/d1_enc.c
index 8fa57347a9..becbab91c2 100644
--- a/ssl/d1_enc.c
+++ b/ssl/d1_enc.c
@@ -231,11 +231,7 @@ int dtls1_enc(SSL *s, int send)
 		if (!send)
 			{
 			if (l == 0 || l%bs != 0)
-				{
-				SSLerr(SSL_F_DTLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
-				return 0;
-				}
+				return -1;
 			}
 		
 		EVP_Cipher(ds,rec->data,rec->input,l);
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index ee67561a89..467711077e 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -414,7 +414,8 @@ dtls1_process_record(SSL *s)
 			goto err;
 
 		/* otherwise enc_err == -1 */
-		goto err;
+		al=SSL_AD_BAD_RECORD_MAC;
+		goto f_err;
 		}
 
 #ifdef TLS_DEBUG
-- 
2.25.1