diff --git a/ssl/d1_enc.c b/ssl/d1_enc.c
index ab8ccd1f6..906a26364 100644
--- a/ssl/d1_enc.c
+++ b/ssl/d1_enc.c
@@ -246,7 +246,6 @@ int dtls1_enc(SSL *s, int send)
                 }
 #endif	/* KSSL_DEBUG */
 
-		rec->orig_len = rec->length;
 		if ((bs != 1) && !send)
 			return tls1_cbc_remove_padding(s, rec, bs, mac_size);
 		}
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index cdbbe347d..d36752453 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -367,6 +367,7 @@ dtls1_process_record(SSL *s)
 
 	/* decrypt in place in 'rr->input' */
 	rr->data=rr->input;
+	rr->orig_len=rr->length;
 
 	enc_err = s->method->ssl3_enc->enc(s,0);
 	if (enc_err <= 0)
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 6471ac490..a7830a2d4 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -433,6 +433,15 @@ void ssl3_cleanup_key_block(SSL *s)
 	s->s3->tmp.key_block_length=0;
 	}
 
+/* ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
+ *
+ * Returns:
+ *   0: (in non-constant time) if the record is publically invalid (i.e. too
+ *       short etc).
+ *   1: if the record's padding is valid / the encryption was successful.
+ *   -1: if the record's padding is invalid or, if sending, an internal error
+ *       occured.
+ */
 int ssl3_enc(SSL *s, int send)
 	{
 	SSL3_RECORD *rec;
@@ -503,6 +512,7 @@ int ssl3_enc(SSL *s, int send)
 
 		if (s->read_hash != NULL)
 			mac_size = EVP_MD_size(s->read_hash);
+
 		if ((bs != 1) && !send)
 			return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
 		}
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 0d27f514a..e658edbb1 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -352,8 +352,13 @@ again:
 
 	/* decrypt in place in 'rr->input' */
 	rr->data=rr->input;
+	rr->orig_len=rr->length;
 
 	enc_err = s->method->ssl3_enc->enc(s,0);
+	/* enc_err is:
+	 *    0: (in non-constant time) if the record is publically invalid.
+	 *    1: if the padding is valid
+	 *    -1: if the padding is invalid */
 	if (enc_err == 0)
 		{
 		/* SSLerr() and ssl3_send_alert() have been called */
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 6d6046b33..8968ed0ef 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -528,6 +528,15 @@ err:
 	return(0);
 	}
 
+/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
+ *
+ * Returns:
+ *   0: (in non-constant time) if the record is publically invalid (i.e. too
+ *       short etc).
+ *   1: if the record's padding is valid / the encryption was successful.
+ *   -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
+ *       an internal error occured.
+ */
 int tls1_enc(SSL *s, int send)
 	{
 	SSL3_RECORD *rec;
@@ -628,8 +637,6 @@ int tls1_enc(SSL *s, int send)
                 }
 #endif	/* KSSL_DEBUG */
 
-		rec->orig_len = rec->length;
-
 		ret = 1;
 		if (s->read_hash != NULL)
 			mac_size = EVP_MD_size(s->read_hash);