The decryption_failed alert must not be sent by compliant implementations.

Use a bad_record_mac alert instead.

Found with tlsfuzzer's ChaCha20 test.

ok beck inoguchi jsing

1 files changed, 2 insertions, 2 deletions

diff --git a/lib/libssl/ssl_pkt.c b/lib/libssl/ssl_pkt.c
index d3a372fc6d9..c6ec67545da 100644
--- a/lib/libssl/ssl_pkt.c
+++ b/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.19 2020/02/21 16:16:59 jsing Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.20 2020/02/23 17:59:03 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -437,7 +437,7 @@ ssl3_get_record(SSL *s)
 	 *    1: if the padding is valid
 	 *    -1: if the padding is invalid */
 	if (enc_err == 0) {
-		al = SSL_AD_DECRYPTION_FAILED;
+		al = SSL_AD_BAD_RECORD_MAC;
 		SSLerror(s, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
 		goto f_err;
 	}