diff --git a/src/outputs/pair.h b/src/outputs/pair.h
index df063089..b2485207 100644
--- a/src/outputs/pair.h
+++ b/src/outputs/pair.h
@@ -102,6 +102,9 @@ pair_cipher_free(struct pair_cipher_context *cctx);
 const char *
 pair_cipher_errmsg(struct pair_cipher_context *cctx);
 
+/* Return 0 is success, -1 is general error, -2 is ciphertext_len shorter than
+ * blocklen in payload
+ */
 int
 pair_encrypt(uint8_t **ciphertext, size_t *ciphertext_len, uint8_t *plaintext, size_t plaintext_len, struct pair_cipher_context *cctx);
 int
diff --git a/src/outputs/pair_homekit.c b/src/outputs/pair_homekit.c
index 14def7bb..466098f5 100644
--- a/src/outputs/pair_homekit.c
+++ b/src/outputs/pair_homekit.c
@@ -1776,6 +1776,7 @@ pair_encrypt(uint8_t **ciphertext, size_t *ciphertext_len, uint8_t *plaintext, s
 if (ret < 0)
 {
 cctx->errmsg = "Encryption with chacha poly1305 failed";
+ cctx->encryption_counter = cctx->encryption_counter_prev;
 free(*ciphertext);
 return -1;
 }
@@ -1820,9 +1821,10 @@ pair_decrypt(uint8_t **plaintext, size_t *plaintext_len, uint8_t *ciphertext, si
 memcpy(&block_len, cipher_block, sizeof(block_len)); // TODO BE or LE?
 if (cipher_block + block_len + sizeof(block_len) + AUTHTAG_LENGTH > ciphertext + ciphertext_len)
 {
- cctx->errmsg = "Corrupt block length in encrypted data";
+ cctx->errmsg = "Insufficient encrypted data or corrupt block length";
+ cctx->decryption_counter = cctx->decryption_counter_prev;
 free(*plaintext);
- return -1; // Corrupt block_len, stop before we read over the end
+ return -2; // Corrupt block_len, stop before we read over the end
 }
 
 memcpy(tag, cipher_block + sizeof(block_len) + block_len, sizeof(tag));
@@ -1832,6 +1834,7 @@ pair_decrypt(uint8_t **plaintext, size_t *plaintext_len, uint8_t *ciphertext, si
 if (ret < 0)
 {
 cctx->errmsg = "Decryption with chacha poly1305 failed";
+ cctx->decryption_counter = cctx->decryption_counter_prev;
 free(*plaintext);
 return -1;
 }
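Review bot: The new comment in src/outputs/pair.h sits directly above pair_encrypt(), but the only `return -2` visible in this commit is in pair_decrypt(), so a reader cannot tell which function the -2 contract belongs to. It should also say that -2 is the recoverable "need more input" result while -1 is not, for example `/* pair_decrypt() only: -2 = input ends before a complete block; the counter is restored, so retry with more data. -1 = failure. */`. Since both error paths free the output buffer, the comment is also the place to state what the caller may assume about `*plaintext` / `*ciphertext` after a non-zero return. The declaration that follows pair_encrypt() is cut off at the end of the hunk.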
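Review bot: In pair_encrypt() (src/outputs/pair_homekit.c) the error path now restores `encryption_counter` but still leaves `*ciphertext` pointing at freed memory; once the context is meant to stay usable after a failure, a caller that carries on is more likely to touch or free that pointer again. Adding `*ciphertext = NULL;` after the `free()` would close that, and the same applies to `free(*plaintext)` in both pair_decrypt() error paths of this commit. Rolling the counter back means the same counter values, which presumably feed the ChaCha20-Poly1305 nonce, are used for the next message; that is only safe because the partial ciphertext is discarded here, so a comment such as `// Partial output is dropped, so reusing these counter values never repeats a nonce on the wire` would record the invariant. Where `encryption_counter_prev` is saved is outside the hunk, so it could not be confirmed that it is captured on every entry to the function.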
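Review bot: In the first pair_decrypt() hunk, `block_len` is copied out of `cipher_block` before anything checks that `sizeof(block_len)` bytes are left, and the bound is then tested with pointer arithmetic that can step past the end of the buffer before the comparison is made. With this commit a short buffer becomes an expected, retryable case (-2), so input that ends inside the length prefix is now a normal path rather than a corrupt one. Comparing lengths against the bytes remaining avoids both problems; the sketch below assumes the loop, which starts outside the hunk, keeps `cipher_block` inside the buffer. Because -2 also covers a bogus oversized `block_len`, the caller should cap how much data it buffers while waiting to retry.

```c
// … unchanged: loop header, outside the hunk …
size_t remaining = (size_t)((ciphertext + ciphertext_len) - cipher_block);

block_len = 0;
if (remaining >= sizeof(block_len))
  memcpy(&block_len, cipher_block, sizeof(block_len)); // TODO BE or LE?

if (remaining < sizeof(block_len) + AUTHTAG_LENGTH
    || block_len > remaining - sizeof(block_len) - AUTHTAG_LENGTH)
  {
    // … unchanged: errmsg, counter restore, free(*plaintext), return -2 …
  }
```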