Send the error function codes to rot in the depths of hell where they belong

We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@

24 files changed, 572 insertions, 798 deletions

diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index a9a4c1a13b..fb7e289d96 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.46 2017/01/23 13:36:12 jsing Exp $ */
+/* $OpenBSD: d1_both.c,v 1.47 2017/01/26 10:40:21 beck Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -410,7 +410,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                 S3I(s)->tmp.reuse_message = 0;
                 if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) {
                         al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_DTLS1_GET_MESSAGE,
+                        SSLerror(
                             SSL_R_UNEXPECTED_MESSAGE);
                         goto f_err;
                 }
@@ -476,13 +476,13 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
 
         /* sanity checking */
         if ((frag_off + frag_len) > msg_len) {
-                SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,
+                SSLerror(
                     SSL_R_EXCESSIVE_MESSAGE_SIZE);
                 return SSL_AD_ILLEGAL_PARAMETER;
         }
 
         if ((frag_off + frag_len) > (unsigned long)max) {
-                SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,
+                SSLerror(
                     SSL_R_EXCESSIVE_MESSAGE_SIZE);
                 return SSL_AD_ILLEGAL_PARAMETER;
         }
@@ -495,7 +495,7 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
                  */
                 if (!BUF_MEM_grow_clean(s->internal->init_buf,
                     msg_len + DTLS1_HM_HEADER_LENGTH)) {
-                        SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
+                        SSLerror(ERR_R_BUF_LIB);
                         return SSL_AD_INTERNAL_ERROR;
                 }
 
@@ -509,7 +509,7 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
                  * They must be playing with us! BTW, failure to enforce
                  * upper limit would open possibility for buffer overrun.
                  */
-                SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,
+                SSLerror(
                     SSL_R_EXCESSIVE_MESSAGE_SIZE);
                 return SSL_AD_ILLEGAL_PARAMETER;
         }
@@ -803,7 +803,7 @@ again:
             /* parse the message fragment header */
             dtls1_get_message_header(wire, &msg_hdr) == 0) {
                 al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,
+                SSLerror(
                     SSL_R_UNEXPECTED_MESSAGE);
                 goto f_err;
         }
@@ -846,7 +846,7 @@ again:
                 else /* Incorrectly formated Hello request */
                 {
                         al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,
+                        SSLerror(
                             SSL_R_UNEXPECTED_MESSAGE);
                         goto f_err;
                 }
@@ -878,7 +878,7 @@ again:
          */
         if (i != (int)frag_len) {
                 al = SSL3_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,
+                SSLerror(
                     SSL3_AD_ILLEGAL_PARAMETER);
                 goto f_err;
         }
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index c0f90dce6f..fd981c5f8e 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.71 2017/01/26 06:32:58 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.72 2017/01/26 10:40:21 beck Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -216,7 +216,7 @@ dtls1_connect(SSL *s)
                                 cb(s, SSL_CB_HANDSHAKE_START, 1);
 
                         if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00)) {
-                                SSLerr(SSL_F_DTLS1_CONNECT,
+                                SSLerror(
                                     ERR_R_INTERNAL_ERROR);
                                 ret = -1;
                                 goto end;
@@ -571,7 +571,7 @@ dtls1_connect(SSL *s)
                         /* break; */
 
                 default:
-                        SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE);
+                        SSLerror(SSL_R_UNKNOWN_STATE);
                         ret = -1;
                         goto end;
                         /* break; */
@@ -632,7 +632,7 @@ dtls1_get_hello_verify(SSL *s)
                 goto truncated;
 
         if (ssl_version != s->version) {
-                SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_WRONG_SSL_VERSION);
+                SSLerror(SSL_R_WRONG_SSL_VERSION);
                 s->version = (s->version & 0xff00) | (ssl_version & 0xff);
                 al = SSL_AD_PROTOCOL_VERSION;
                 goto f_err;
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index e193d4ab81..bd78494e66 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_lib.c,v 1.39 2017/01/26 06:32:58 jsing Exp $ */
+/* $OpenBSD: d1_lib.c,v 1.40 2017/01/26 10:40:21 beck Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -406,7 +406,7 @@ dtls1_check_timeout_num(SSL *s)
 
         if (D1I(s)->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) {
                 /* fail the connection, enough alerts have been sent */
-                SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM, SSL_R_READ_TIMEOUT_EXPIRED);
+                SSLerror(SSL_R_READ_TIMEOUT_EXPIRED);
                 return -1;
         }
 
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 3ea02700b5..5e33a966de 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.60 2017/01/26 06:32:58 jsing Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.61 2017/01/26 10:40:21 beck Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -255,7 +255,7 @@ err:
         free(rdata->rbuf.buf);
 
 init_err:
-        SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
+        SSLerror(ERR_R_INTERNAL_ERROR);
         free(rdata);
         pitem_free(item);
         return (-1);
@@ -354,7 +354,7 @@ dtls1_process_record(SSL *s)
         /* check is not needed I believe */
         if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
                 al = SSL_AD_RECORD_OVERFLOW;
-                SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+                SSLerror(SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
                 goto f_err;
         }
 
@@ -396,7 +396,7 @@ dtls1_process_record(SSL *s)
                     (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
                     orig_len < mac_size + 1)) {
                         al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);
+                        SSLerror(SSL_R_LENGTH_TOO_SHORT);
                         goto f_err;
                 }
 
@@ -433,7 +433,7 @@ dtls1_process_record(SSL *s)
 
         if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
                 al = SSL_AD_RECORD_OVERFLOW;
-                SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
+                SSLerror(SSL_R_DATA_LENGTH_TOO_LONG);
                 goto f_err;
         }
 
@@ -650,7 +650,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
         if ((type &&
              type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_HANDSHAKE) ||
             (peek && (type != SSL3_RT_APPLICATION_DATA))) {
-                SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 return -1;
         }
 
@@ -667,7 +667,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
                 if (i < 0)
                         return (i);
                 if (i == 0) {
-                        SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
+                        SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE);
                         return (-1);
                 }
         }
@@ -731,7 +731,7 @@ start:
                  */
                 if (dtls1_buffer_record(s, &(D1I(s)->buffered_app_data),
                     rr->seq_num) < 0) {
-                        SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
+                        SSLerror(ERR_R_INTERNAL_ERROR);
                         return (-1);
                 }
                 rr->length = 0;
@@ -754,7 +754,7 @@ start:
                 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
                         (s->enc_read_ctx == NULL)) {
                         al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE);
+                        SSLerror(SSL_R_APP_DATA_IN_HANDSHAKE);
                         goto f_err;
                 }
 
@@ -817,7 +817,7 @@ start:
 
                         /* Not certain if this is the right error handling */
                         al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
+                        SSLerror(SSL_R_UNEXPECTED_RECORD);
                         goto f_err;
                 }
 
@@ -862,7 +862,7 @@ start:
                     (D1I(s)->handshake_fragment[2] != 0) ||
                     (D1I(s)->handshake_fragment[3] != 0)) {
                         al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_HELLO_REQUEST);
+                        SSLerror(SSL_R_BAD_HELLO_REQUEST);
                         goto err;
                 }
 
@@ -883,7 +883,7 @@ start:
                                 if (i < 0)
                                         return (i);
                                 if (i == 0) {
-                                        SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
+                                        SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE);
                                         return (-1);
                                 }
 
@@ -940,7 +940,7 @@ start:
                 {
                         s->internal->rwstate = SSL_NOTHING;
                         S3I(s)->fatal_alert = alert_descr;
-                        SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
+                        SSLerror(SSL_AD_REASON_OFFSET + alert_descr);
                         ERR_asprintf_error_data("SSL alert number %d",
                             alert_descr);
                         s->internal->shutdown|=SSL_RECEIVED_SHUTDOWN;
@@ -948,7 +948,7 @@ start:
                         return (0);
                 } else {
                         al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE);
+                        SSLerror(SSL_R_UNKNOWN_ALERT_TYPE);
                         goto f_err;
                 }
 
@@ -974,7 +974,7 @@ start:
                 if ((rr->length != ccs_hdr_len) ||
                     (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) {
                         i = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_CHANGE_CIPHER_SPEC);
+                        SSLerror(SSL_R_BAD_CHANGE_CIPHER_SPEC);
                         goto err;
                 }
 
@@ -1038,7 +1038,7 @@ start:
                 if (i < 0)
                         return (i);
                 if (i == 0) {
-                        SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
+                        SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE);
                         return (-1);
                 }
 
@@ -1068,7 +1068,7 @@ start:
                         goto start;
                 }
                 al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
+                SSLerror(SSL_R_UNEXPECTED_RECORD);
                 goto f_err;
         case SSL3_RT_CHANGE_CIPHER_SPEC:
         case SSL3_RT_ALERT:
@@ -1077,7 +1077,7 @@ start:
                  * of SSL3_RT_HANDSHAKE when s->internal->in_handshake is set, but that
                  * should not happen when type != rr->type */
                 al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 goto f_err;
         case SSL3_RT_APPLICATION_DATA:
                 /* At this point, we were expecting handshake data,
@@ -1099,7 +1099,7 @@ start:
                         return (-1);
                 } else {
                         al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
+                        SSLerror(SSL_R_UNEXPECTED_RECORD);
                         goto f_err;
                 }
         }
@@ -1122,13 +1122,13 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
                 if (i < 0)
                         return (i);
                 if (i == 0) {
-                        SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
+                        SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE);
                         return -1;
                 }
         }
 
         if (len > SSL3_RT_MAX_PLAIN_LENGTH) {
-                SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, SSL_R_DTLS_MESSAGE_TOO_BIG);
+                SSLerror(SSL_R_DTLS_MESSAGE_TOO_BIG);
                 return -1;
         }
 
diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c
index a9f45a2d9a..b98c04b7cf 100644
--- a/src/lib/libssl/d1_srtp.c
+++ b/src/lib/libssl/d1_srtp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srtp.c,v 1.18 2017/01/24 15:04:12 jsing Exp $ */
+/* $OpenBSD: d1_srtp.c,v 1.19 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -187,7 +187,7 @@ ssl_ctx_make_profiles(const char *profiles_string,
         SRTP_PROTECTION_PROFILE *p;
 
         if (!(profiles = sk_SRTP_PROTECTION_PROFILE_new_null())) {
-                SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,
+                SSLerror(
                     SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES);
                 return 1;
         }
@@ -199,7 +199,7 @@ ssl_ctx_make_profiles(const char *profiles_string,
                     col ? col - ptr : (int)strlen(ptr))) {
                         sk_SRTP_PROTECTION_PROFILE_push(profiles, p);
                 } else {
-                        SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,
+                        SSLerror(
                             SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
                         sk_SRTP_PROTECTION_PROFILE_free(profiles);
                         return 1;
@@ -264,13 +264,13 @@ ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
 
         if (p) {
                 if (ct == 0) {
-                        SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,
+                        SSLerror(
                             SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
                         return 1;
                 }
 
                 if ((2 + ct * 2 + 1) > maxlen) {
-                        SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,
+                        SSLerror(
                             SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
                         return 1;
                 }
@@ -304,7 +304,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len,
         CBS cbs, ciphers, mki;
 
         if (len < 0) {
-                SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
+                SSLerror(
                     SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
                 *al = SSL_AD_DECODE_ERROR;
                 goto done;
@@ -314,7 +314,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len,
         /* Pull off the cipher suite list */
         if (!CBS_get_u16_length_prefixed(&cbs, &ciphers) ||
             CBS_len(&ciphers) % 2) {
-                SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
+                SSLerror(
                     SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
                 *al = SSL_AD_DECODE_ERROR;
                 goto done;
@@ -324,7 +324,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len,
 
         while (CBS_len(&ciphers) > 0) {
                 if (!CBS_get_u16(&ciphers, &id)) {
-                        SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
+                        SSLerror(
                             SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
                         *al = SSL_AD_DECODE_ERROR;
                         goto done;
@@ -339,7 +339,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len,
         /* Extract the MKI value as a sanity check, but discard it for now. */
         if (!CBS_get_u8_length_prefixed(&cbs, &mki) ||
             CBS_len(&cbs) != 0) {
-                SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
+                SSLerror(
                     SSL_R_BAD_SRTP_MKI_VALUE);
                 *al = SSL_AD_DECODE_ERROR;
                 goto done;
@@ -381,13 +381,13 @@ ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
 {
         if (p) {
                 if (maxlen < 5) {
-                        SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,
+                        SSLerror(
                             SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
                         return 1;
                 }
 
                 if (s->internal->srtp_profile == 0) {
-                        SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,
+                        SSLerror(
                             SSL_R_USE_SRTP_NOT_NEGOTIATED);
                         return 1;
                 }
@@ -411,7 +411,7 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int
         CBS cbs, profile_ids, mki;
 
         if (len < 0) {
-                SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
+                SSLerror(
                     SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
                 *al = SSL_AD_DECODE_ERROR;
                 return 1;
@@ -425,7 +425,7 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int
          */
         if (!CBS_get_u16_length_prefixed(&cbs, &profile_ids) ||
             !CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
-                SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
+                SSLerror(
                     SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
                 *al = SSL_AD_DECODE_ERROR;
                 return 1;
@@ -433,7 +433,7 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int
 
         /* Must be no MKI, since we never offer one. */
         if (!CBS_get_u8_length_prefixed(&cbs, &mki) || CBS_len(&mki) != 0) {
-                SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
+                SSLerror(
                     SSL_R_BAD_SRTP_MKI_VALUE);
                 *al = SSL_AD_ILLEGAL_PARAMETER;
                 return 1;
@@ -443,7 +443,7 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int
 
         /* Throw an error if the server gave us an unsolicited extension. */
         if (clnt == NULL) {
-                SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
+                SSLerror(
                     SSL_R_NO_SRTP_PROFILES);
                 *al = SSL_AD_DECODE_ERROR;
                 return 1;
@@ -463,7 +463,7 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int
                 }
         }
 
-        SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
+        SSLerror(
             SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
         *al = SSL_AD_DECODE_ERROR;
         return 1;
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index f36d3f40cd..80d7d639c3 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.81 2017/01/26 06:32:58 jsing Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.82 2017/01/26 10:40:21 beck Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -202,7 +202,7 @@ dtls1_accept(SSL *s)
         D1I(s)->listen = listen;
 
         if (s->cert == NULL) {
-                SSLerr(SSL_F_DTLS1_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
+                SSLerror(SSL_R_NO_CERTIFICATE_SET);
                 ret = -1;
                 goto end;
         }
@@ -225,7 +225,7 @@ dtls1_accept(SSL *s)
                                 cb(s, SSL_CB_HANDSHAKE_START, 1);
 
                         if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
-                                SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
+                                SSLerror(ERR_R_INTERNAL_ERROR);
                                 ret = -1;
                                 goto end;
                         }
@@ -506,7 +506,7 @@ dtls1_accept(SSL *s)
                                  * at this point and digest cached records.
                                  */
                                 if (!S3I(s)->handshake_buffer) {
-                                        SSLerr(SSL_F_SSL3_ACCEPT,
+                                        SSLerror(
                                             ERR_R_INTERNAL_ERROR);
                                         ret = -1;
                                         goto end;
@@ -659,7 +659,7 @@ dtls1_accept(SSL *s)
                         /* break; */
 
                 default:
-                        SSLerr(SSL_F_DTLS1_ACCEPT, SSL_R_UNKNOWN_STATE);
+                        SSLerror(SSL_R_UNKNOWN_STATE);
                         ret = -1;
                         goto end;
                         /* break; */
@@ -706,7 +706,7 @@ dtls1_send_hello_verify_request(SSL *s)
                 if (s->ctx->internal->app_gen_cookie_cb == NULL ||
                     s->ctx->internal->app_gen_cookie_cb(s,
                         D1I(s)->cookie, &(D1I(s)->cookie_len)) == 0) {
-                        SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         return 0;
                 }
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 977c170403..6287f6cbc6 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.131 2017/01/24 14:57:31 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.132 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1980,7 +1980,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 
         if (cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) {
                 if (!ssl_cert_inst(&s->cert)) {
-                        SSLerr(SSL_F_SSL3_CTRL,
+                        SSLerror(
                             ERR_R_MALLOC_FAILURE);
                         return (0);
                 }
@@ -2010,18 +2010,18 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                 break;
         case SSL_CTRL_SET_TMP_RSA:
         case SSL_CTRL_SET_TMP_RSA_CB:
-                SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                 break;
         case SSL_CTRL_SET_TMP_DH:
                 {
                         DH *dh = (DH *)parg;
                         if (dh == NULL) {
-                                SSLerr(SSL_F_SSL3_CTRL,
+                                SSLerror(
                                     ERR_R_PASSED_NULL_PARAMETER);
                                 return (ret);
                         }
                         if ((dh = DHparams_dup(dh)) == NULL) {
-                                SSLerr(SSL_F_SSL3_CTRL,
+                                SSLerror(
                                     ERR_R_DH_LIB);
                                 return (ret);
                         }
@@ -2032,7 +2032,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                 break;
 
         case SSL_CTRL_SET_TMP_DH_CB:
-                SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                 return (ret);
 
         case SSL_CTRL_SET_DH_AUTO:
@@ -2044,12 +2044,12 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                         EC_KEY *ecdh = NULL;
 
                         if (parg == NULL) {
-                                SSLerr(SSL_F_SSL3_CTRL,
+                                SSLerror(
                                     ERR_R_PASSED_NULL_PARAMETER);
                                 return (ret);
                         }
                         if (!EC_KEY_up_ref((EC_KEY *)parg)) {
-                                SSLerr(SSL_F_SSL3_CTRL,
+                                SSLerror(
                                     ERR_R_ECDH_LIB);
                                 return (ret);
                         }
@@ -2057,7 +2057,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                         if (!(s->internal->options & SSL_OP_SINGLE_ECDH_USE)) {
                                 if (!EC_KEY_generate_key(ecdh)) {
                                         EC_KEY_free(ecdh);
-                                        SSLerr(SSL_F_SSL3_CTRL,
+                                        SSLerror(
                                             ERR_R_ECDH_LIB);
                                         return (ret);
                                 }
@@ -2069,7 +2069,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                 break;
         case SSL_CTRL_SET_TMP_ECDH_CB:
                 {
-                        SSLerr(SSL_F_SSL3_CTRL,
+                        SSLerror(
                             ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                         return (ret);
                 }
@@ -2083,18 +2083,18 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                         if (parg == NULL)
                                 break;
                         if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) {
-                                SSLerr(SSL_F_SSL3_CTRL,
+                                SSLerror(
                                     SSL_R_SSL3_EXT_INVALID_SERVERNAME);
                                 return 0;
                         }
                         if ((s->tlsext_hostname = strdup((char *)parg))
                             == NULL) {
-                                SSLerr(SSL_F_SSL3_CTRL,
+                                SSLerror(
                                     ERR_R_INTERNAL_ERROR);
                                 return 0;
                         }
                 } else {
-                        SSLerr(SSL_F_SSL3_CTRL,
+                        SSLerror(
                             SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
                         return 0;
                 }
@@ -2177,7 +2177,7 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
 
         if (cmd == SSL_CTRL_SET_TMP_DH_CB) {
                 if (!ssl_cert_inst(&s->cert)) {
-                        SSLerr(SSL_F_SSL3_CALLBACK_CTRL,
+                        SSLerror(
                             ERR_R_MALLOC_FAILURE);
                         return (0);
                 }
@@ -2185,7 +2185,7 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
 
         switch (cmd) {
         case SSL_CTRL_SET_TMP_RSA_CB:
-                SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                 break;
         case SSL_CTRL_SET_TMP_DH_CB:
                 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
@@ -2215,7 +2215,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                 return (0);
         case SSL_CTRL_SET_TMP_RSA:
         case SSL_CTRL_SET_TMP_RSA_CB:
-                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                 return (0);
         case SSL_CTRL_SET_TMP_DH:
                 {
@@ -2223,7 +2223,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 
                         dh = (DH *)parg;
                         if ((new = DHparams_dup(dh)) == NULL) {
-                                SSLerr(SSL_F_SSL3_CTX_CTRL,
+                                SSLerror(
                                     ERR_R_DH_LIB);
                                 return 0;
                         }
@@ -2234,7 +2234,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                 /*break; */
 
         case SSL_CTRL_SET_TMP_DH_CB:
-                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                 return (0);
 
         case SSL_CTRL_SET_DH_AUTO:
@@ -2246,20 +2246,20 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                         EC_KEY *ecdh = NULL;
 
                         if (parg == NULL) {
-                                SSLerr(SSL_F_SSL3_CTX_CTRL,
+                                SSLerror(
                                     ERR_R_ECDH_LIB);
                                 return 0;
                         }
                         ecdh = EC_KEY_dup((EC_KEY *)parg);
                         if (ecdh == NULL) {
-                                SSLerr(SSL_F_SSL3_CTX_CTRL,
+                                SSLerror(
                                     ERR_R_EC_LIB);
                                 return 0;
                         }
                         if (!(ctx->internal->options & SSL_OP_SINGLE_ECDH_USE)) {
                                 if (!EC_KEY_generate_key(ecdh)) {
                                         EC_KEY_free(ecdh);
-                                        SSLerr(SSL_F_SSL3_CTX_CTRL,
+                                        SSLerror(
                                             ERR_R_ECDH_LIB);
                                         return 0;
                                 }
@@ -2272,7 +2272,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                 /* break; */
         case SSL_CTRL_SET_TMP_ECDH_CB:
                 {
-                        SSLerr(SSL_F_SSL3_CTX_CTRL,
+                        SSLerror(
                             ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                         return (0);
                 }
@@ -2287,7 +2287,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                         if (!keys)
                                 return 48;
                         if (larg != 48) {
-                                SSLerr(SSL_F_SSL3_CTX_CTRL,
+                                SSLerror(
                                     SSL_R_INVALID_TICKET_KEYS_LENGTH);
                                 return 0;
                         }
@@ -2361,7 +2361,7 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
 
         switch (cmd) {
         case SSL_CTRL_SET_TMP_RSA_CB:
-                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                 return (0);
         case SSL_CTRL_SET_TMP_DH_CB:
                 cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index 707dc24d08..bcd1ddf83c 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_asn1.c,v 1.47 2016/12/26 15:34:01 jsing Exp $ */
+/* $OpenBSD: ssl_asn1.c,v 1.48 2017/01/26 10:40:21 beck Exp $ */
 
 /*
  * Copyright (c) 2016 Joel Sing <jsing@openbsd.org>
@@ -232,7 +232,7 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
 
         if (s == NULL) {
                 if ((s = SSL_SESSION_new()) == NULL) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+                        SSLerror(ERR_R_MALLOC_FAILURE);
                         return (NULL);
                 }
         }
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index 9d0dadef83..707feb6d09 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.2 2017/01/26 06:32:58 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.3 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -244,7 +244,7 @@ ssl3_get_finished(SSL *s, int a, int b)
         /* If this occurs, we have missed a message */
         if (!S3I(s)->change_cipher_spec) {
                 al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
+                SSLerror(SSL_R_GOT_A_FIN_BEFORE_A_CCS);
                 goto f_err;
         }
         S3I(s)->change_cipher_spec = 0;
@@ -253,7 +253,7 @@ ssl3_get_finished(SSL *s, int a, int b)
 
         if (n < 0) {
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);
+                SSLerror(SSL_R_BAD_DIGEST_LENGTH);
                 goto f_err;
         }
 
@@ -262,13 +262,13 @@ ssl3_get_finished(SSL *s, int a, int b)
         if (S3I(s)->tmp.peer_finish_md_len != md_len ||
             CBS_len(&cbs) != md_len) {
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_BAD_DIGEST_LENGTH);
+                SSLerror(SSL_R_BAD_DIGEST_LENGTH);
                 goto f_err;
         }
 
         if (!CBS_mem_equal(&cbs, S3I(s)->tmp.peer_finish_md, CBS_len(&cbs))) {
                 al = SSL_AD_DECRYPT_ERROR;
-                SSLerr(SSL_F_SSL3_GET_FINISHED, SSL_R_DIGEST_CHECK_FAILED);
+                SSLerror(SSL_R_DIGEST_CHECK_FAILED);
                 goto f_err;
         }
 
@@ -365,7 +365,7 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, X509 *x)
 
                         if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store,
                             x, NULL)) {
-                                SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,
+                                SSLerror(
                                     ERR_R_X509_LIB);
                                 goto err;
                         }
@@ -420,7 +420,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                 S3I(s)->tmp.reuse_message = 0;
                 if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) {
                         al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_SSL3_GET_MESSAGE,
+                        SSLerror(
                             SSL_R_UNEXPECTED_MESSAGE);
                         goto f_err;
                 }
@@ -473,7 +473,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 
                 if ((mt >= 0) && (*p != mt)) {
                         al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_SSL3_GET_MESSAGE,
+                        SSLerror(
                             SSL_R_UNEXPECTED_MESSAGE);
                         goto f_err;
                 }
@@ -481,19 +481,19 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                 CBS_init(&cbs, p, 4);
                 if (!CBS_get_u8(&cbs, &u8) ||
                     !CBS_get_u24(&cbs, &l)) {
-                        SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
+                        SSLerror(ERR_R_BUF_LIB);
                         goto err;
                 }
                 S3I(s)->tmp.message_type = u8;
 
                 if (l > (unsigned long)max) {
                         al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_GET_MESSAGE,
+                        SSLerror(
                             SSL_R_EXCESSIVE_MESSAGE_SIZE);
                         goto f_err;
                 }
                 if (l && !BUF_MEM_grow_clean(s->internal->init_buf, l + 4)) {
-                        SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
+                        SSLerror(ERR_R_BUF_LIB);
                         goto err;
                 }
                 S3I(s)->tmp.message_size = l;
@@ -684,7 +684,7 @@ ssl3_setup_read_buffer(SSL *s)
         return 1;
 
 err:
-        SSLerr(SSL_F_SSL3_SETUP_READ_BUFFER, ERR_R_MALLOC_FAILURE);
+        SSLerror(ERR_R_MALLOC_FAILURE);
         return 0;
 }
 
@@ -717,7 +717,7 @@ ssl3_setup_write_buffer(SSL *s)
         return 1;
 
 err:
-        SSLerr(SSL_F_SSL3_SETUP_WRITE_BUFFER, ERR_R_MALLOC_FAILURE);
+        SSLerror(ERR_R_MALLOC_FAILURE);
         return 0;
 }
 
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 218a55c197..4f714f751a 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.60 2017/01/24 15:04:12 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.61 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -178,7 +178,7 @@ ssl_cert_new(void)
 
         ret = calloc(1, sizeof(CERT));
         if (ret == NULL) {
-                SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (NULL);
         }
         ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);
@@ -195,7 +195,7 @@ ssl_cert_dup(CERT *cert)
 
         ret = calloc(1, sizeof(CERT));
         if (ret == NULL) {
-                SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (NULL);
         }
 
@@ -212,13 +212,13 @@ ssl_cert_dup(CERT *cert)
         if (cert->dh_tmp != NULL) {
                 ret->dh_tmp = DHparams_dup(cert->dh_tmp);
                 if (ret->dh_tmp == NULL) {
-                        SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
+                        SSLerror(ERR_R_DH_LIB);
                         goto err;
                 }
                 if (cert->dh_tmp->priv_key) {
                         BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
                         if (!b) {
-                                SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
+                                SSLerror(ERR_R_BN_LIB);
                                 goto err;
                         }
                         ret->dh_tmp->priv_key = b;
@@ -226,7 +226,7 @@ ssl_cert_dup(CERT *cert)
                 if (cert->dh_tmp->pub_key) {
                         BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
                         if (!b) {
-                                SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
+                                SSLerror(ERR_R_BN_LIB);
                                 goto err;
                         }
                         ret->dh_tmp->pub_key = b;
@@ -238,7 +238,7 @@ ssl_cert_dup(CERT *cert)
         if (cert->ecdh_tmp) {
                 ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
                 if (ret->ecdh_tmp == NULL) {
-                        SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
+                        SSLerror(ERR_R_EC_LIB);
                         goto err;
                 }
         }
@@ -284,7 +284,7 @@ ssl_cert_dup(CERT *cert)
 
                         default:
                                 /* Can't happen. */
-                                SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
+                                SSLerror(SSL_R_LIBRARY_BUG);
                         }
                 }
         }
@@ -354,12 +354,12 @@ ssl_cert_inst(CERT **o)
          */
 
         if (o == NULL) {
-                SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
+                SSLerror(ERR_R_PASSED_NULL_PARAMETER);
                 return (0);
         }
         if (*o == NULL) {
                 if ((*o = ssl_cert_new()) == NULL) {
-                        SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
+                        SSLerror(ERR_R_MALLOC_FAILURE);
                         return (0);
                 }
         }
@@ -374,7 +374,7 @@ ssl_sess_cert_new(void)
 
         ret = calloc(1, sizeof *ret);
         if (ret == NULL) {
-                SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
         ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
@@ -418,7 +418,7 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
 
         x = sk_X509_value(sk, 0);
         if (!X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk)) {
-                SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_X509_LIB);
+                SSLerror(ERR_R_X509_LIB);
                 return (0);
         }
         X509_STORE_CTX_set_ex_data(&ctx,
@@ -574,7 +574,7 @@ SSL_load_client_CA_file(const char *file)
         in = BIO_new(BIO_s_file_internal());
 
         if ((sk == NULL) || (in == NULL)) {
-                SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 goto err;
         }
 
@@ -587,7 +587,7 @@ SSL_load_client_CA_file(const char *file)
                 if (ret == NULL) {
                         ret = sk_X509_NAME_new_null();
                         if (ret == NULL) {
-                                SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,
+                                SSLerror(
                                     ERR_R_MALLOC_FAILURE);
                                 goto err;
                         }
@@ -643,7 +643,7 @@ SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
         in = BIO_new(BIO_s_file_internal());
 
         if (in == NULL) {
-                SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 goto err;
         }
@@ -713,7 +713,7 @@ SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *dir)
         if (!ret) {
                 SYSerr(SYS_F_OPENDIR, errno);
                 ERR_asprintf_error_data("opendir ('%s')", dir);
-                SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
+                SSLerror(ERR_R_SYS_LIB);
         }
         return ret;
 }
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 5a5bb165d8..c1dee99e58 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.90 2017/01/24 01:44:00 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.91 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1072,7 +1072,7 @@ ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 
         number_uses = calloc((max_strength_bits + 1), sizeof(int));
         if (!number_uses) {
-                SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (0);
         }
 
@@ -1162,7 +1162,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
                                  * it is no command or separator nor
                                  * alphanumeric, so we call this an error.
                                  */
-                                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+                                SSLerror(
                                     SSL_R_INVALID_COMMAND);
                                 retval = found = 0;
                                 l++;
@@ -1309,7 +1309,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
                         if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8))
                                 ok = ssl_cipher_strength_sort(head_p, tail_p);
                         else
-                                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+                                SSLerror(
                                     SSL_R_INVALID_COMMAND);
                         if (ok == 0)
                                 retval = 0;
@@ -1379,7 +1379,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         num_of_ciphers = ssl_method->num_ciphers();
         co_list = reallocarray(NULL, num_of_ciphers, sizeof(CIPHER_ORDER));
         if (co_list == NULL) {
-                SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return(NULL);   /* Failure */
         }
 
@@ -1459,7 +1459,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         ca_list = reallocarray(NULL, num_of_alias_max, sizeof(SSL_CIPHER *));
         if (ca_list == NULL) {
                 free(co_list);
-                SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return(NULL);   /* Failure */
         }
         ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index f7bbca0d78..c8d4aca1c3 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.2 2017/01/26 06:32:58 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.3 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -211,7 +211,7 @@ ssl3_connect(SSL *s)
                                 cb(s, SSL_CB_HANDSHAKE_START, 1);
 
                         if ((s->version & 0xff00 ) != 0x0300) {
-                                SSLerr(SSL_F_SSL3_CONNECT,
+                                SSLerror(
                                     ERR_R_INTERNAL_ERROR);
                                 ret = -1;
                                 goto end;
@@ -551,7 +551,7 @@ ssl3_connect(SSL *s)
                         /* break; */
 
                 default:
-                        SSLerr(SSL_F_SSL3_CONNECT,
+                        SSLerror(
                             SSL_R_UNKNOWN_STATE);
                         ret = -1;
                         goto end;
@@ -597,7 +597,7 @@ ssl3_client_hello(SSL *s)
                 SSL_SESSION *sess = s->session;
 
                 if (ssl_supported_version_range(s, NULL, &max_version) != 1) {
-                        SSLerr(SSL_F_SSL3_CLIENT_HELLO,
+                        SSLerror(
                             SSL_R_NO_PROTOCOLS_AVAILABLE);
                         return (-1);
                 }
@@ -668,7 +668,7 @@ ssl3_client_hello(SSL *s)
                 *(p++) = i;
                 if (i != 0) {
                         if (i > (int)sizeof(s->session->session_id)) {
-                                SSLerr(SSL_F_SSL3_CLIENT_HELLO,
+                                SSLerror(
                                     ERR_R_INTERNAL_ERROR);
                                 goto err;
                         }
@@ -679,7 +679,7 @@ ssl3_client_hello(SSL *s)
                 /* DTLS Cookie. */
                 if (SSL_IS_DTLS(s)) {
                         if (D1I(s)->cookie_len > sizeof(D1I(s)->cookie)) {
-                                SSLerr(SSL_F_DTLS1_CLIENT_HELLO,
+                                SSLerror(
                                     ERR_R_INTERNAL_ERROR);
                                 goto err;
                         }
@@ -693,7 +693,7 @@ ssl3_client_hello(SSL *s)
                     bufend - &p[2], &outlen))
                         goto err;
                 if (outlen == 0) {
-                        SSLerr(SSL_F_SSL3_CLIENT_HELLO,
+                        SSLerror(
                             SSL_R_NO_CIPHERS_AVAILABLE);
                         goto err;
                 }
@@ -706,7 +706,7 @@ ssl3_client_hello(SSL *s)
 
                 /* TLS extensions*/
                 if ((p = ssl_add_clienthello_tlsext(s, p, bufend)) == NULL) {
-                        SSLerr(SSL_F_SSL3_CLIENT_HELLO,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
@@ -759,7 +759,7 @@ ssl3_get_server_hello(SSL *s)
                         } else {
                                 /* Already sent a cookie. */
                                 al = SSL_AD_UNEXPECTED_MESSAGE;
-                                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                                SSLerror(
                                     SSL_R_BAD_MESSAGE_TYPE);
                                 goto f_err;
                         }
@@ -768,7 +768,7 @@ ssl3_get_server_hello(SSL *s)
 
         if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_HELLO) {
                 al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                SSLerror(
                     SSL_R_BAD_MESSAGE_TYPE);
                 goto f_err;
         }
@@ -777,13 +777,13 @@ ssl3_get_server_hello(SSL *s)
                 goto truncated;
 
         if (ssl_supported_version_range(s, &min_version, &max_version) != 1) {
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                SSLerror(
                     SSL_R_NO_PROTOCOLS_AVAILABLE);
                 goto err;
         }
 
         if (server_version < min_version || server_version > max_version) {
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION);
+                SSLerror(SSL_R_WRONG_SSL_VERSION);
                 s->version = (s->version & 0xff00) | (server_version & 0xff);
                 al = SSL_AD_PROTOCOL_VERSION;
                 goto f_err;
@@ -793,7 +793,7 @@ ssl3_get_server_hello(SSL *s)
         if ((method = tls1_get_client_method(server_version)) == NULL)
                 method = dtls1_get_client_method(server_version);
         if (method == NULL) {
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 goto err;
         }
         s->method = method;
@@ -812,7 +812,7 @@ ssl3_get_server_hello(SSL *s)
         if ((CBS_len(&session_id) > sizeof(s->session->session_id)) ||
             (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE)) {
                 al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                SSLerror(
                     SSL_R_SSL3_SESSION_ID_TOO_LONG);
                 goto f_err;
         }
@@ -845,7 +845,7 @@ ssl3_get_server_hello(SSL *s)
                     s->sid_ctx, s->sid_ctx_length) != 0) {
                         /* actually a client application bug */
                         al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                        SSLerror(
                             SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
                         goto f_err;
                 }
@@ -878,7 +878,7 @@ ssl3_get_server_hello(SSL *s)
 
         if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) {
                 al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                SSLerror(
                     SSL_R_UNKNOWN_CIPHER_RETURNED);
                 goto f_err;
         }
@@ -887,7 +887,7 @@ ssl3_get_server_hello(SSL *s)
         if ((cipher->algorithm_ssl & SSL_TLSV1_2) &&
             (TLS1_get_version(s) < TLS1_2_VERSION)) {
                 al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                SSLerror(
                     SSL_R_WRONG_CIPHER_RETURNED);
                 goto f_err;
         }
@@ -897,7 +897,7 @@ ssl3_get_server_hello(SSL *s)
         if (i < 0) {
                 /* we did not say we would use this cipher */
                 al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                SSLerror(
                     SSL_R_WRONG_CIPHER_RETURNED);
                 goto f_err;
         }
@@ -911,7 +911,7 @@ ssl3_get_server_hello(SSL *s)
                 s->session->cipher_id = s->session->cipher->id;
         if (s->internal->hit && (s->session->cipher_id != cipher->id)) {
                 al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                SSLerror(
                     SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
                 goto f_err;
         }
@@ -933,7 +933,7 @@ ssl3_get_server_hello(SSL *s)
 
         if (compression_method != 0) {
                 al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                SSLerror(
                     SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
                 goto f_err;
         }
@@ -942,11 +942,11 @@ ssl3_get_server_hello(SSL *s)
         p = (unsigned char *)CBS_data(&cbs);
         if (!ssl_parse_serverhello_tlsext(s, &p, CBS_len(&cbs), &al)) {
                 /* 'al' set by ssl_parse_serverhello_tlsext */
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_PARSE_TLSEXT);
+                SSLerror(SSL_R_PARSE_TLSEXT);
                 goto f_err;
         }
         if (ssl_check_serverhello_tlsext(s) <= 0) {
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
+                SSLerror(SSL_R_SERVERHELLO_TLSEXT);
                 goto err;
         }
 
@@ -959,7 +959,7 @@ ssl3_get_server_hello(SSL *s)
 truncated:
         /* wrong packet length */
         al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH);
+        SSLerror(SSL_R_BAD_PACKET_LENGTH);
 f_err:
         ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
@@ -991,14 +991,14 @@ ssl3_get_server_certificate(SSL *s)
 
         if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) {
                 al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+                SSLerror(
                     SSL_R_BAD_MESSAGE_TYPE);
                 goto f_err;
         }
 
 
         if ((sk = sk_X509_new_null()) == NULL) {
-                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 goto err;
         }
@@ -1013,7 +1013,7 @@ ssl3_get_server_certificate(SSL *s)
         if (!CBS_get_u24_length_prefixed(&cbs, &cert_list) ||
             CBS_len(&cbs) != 0) {
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+                SSLerror(
                     SSL_R_LENGTH_MISMATCH);
                 goto f_err;
         }
@@ -1025,7 +1025,7 @@ ssl3_get_server_certificate(SSL *s)
                         goto truncated;
                 if (!CBS_get_u24_length_prefixed(&cert_list, &cert)) {
                         al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+                        SSLerror(
                             SSL_R_CERT_LENGTH_MISMATCH);
                         goto f_err;
                 }
@@ -1034,18 +1034,18 @@ ssl3_get_server_certificate(SSL *s)
                 x = d2i_X509(NULL, &q, CBS_len(&cert));
                 if (x == NULL) {
                         al = SSL_AD_BAD_CERTIFICATE;
-                        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+                        SSLerror(
                             ERR_R_ASN1_LIB);
                         goto f_err;
                 }
                 if (q != CBS_data(&cert) + CBS_len(&cert)) {
                         al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+                        SSLerror(
                             SSL_R_CERT_LENGTH_MISMATCH);
                         goto f_err;
                 }
                 if (!sk_X509_push(sk, x)) {
-                        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+                        SSLerror(
                             ERR_R_MALLOC_FAILURE);
                         goto err;
                 }
@@ -1055,7 +1055,7 @@ ssl3_get_server_certificate(SSL *s)
         i = ssl_verify_cert_chain(s, sk);
         if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) {
                 al = ssl_verify_alarm_type(s->verify_result);
-                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+                SSLerror(
                     SSL_R_CERTIFICATE_VERIFY_FAILED);
                 goto f_err;
 
@@ -1082,7 +1082,7 @@ ssl3_get_server_certificate(SSL *s)
         if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
                 x = NULL;
                 al = SSL3_AL_FATAL;
-                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+                SSLerror(
                     SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
                 goto f_err;
         }
@@ -1091,7 +1091,7 @@ ssl3_get_server_certificate(SSL *s)
         if (i < 0) {
                 x = NULL;
                 al = SSL3_AL_FATAL;
-                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+                SSLerror(
                     SSL_R_UNKNOWN_CERTIFICATE_TYPE);
                 goto f_err;
         }
@@ -1118,7 +1118,7 @@ ssl3_get_server_certificate(SSL *s)
 truncated:
                 /* wrong packet length */
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+                SSLerror(
                     SSL_R_BAD_PACKET_LENGTH);
 f_err:
                 ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -1150,21 +1150,21 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
         CBS_init(&cbs, *pp, *nn);
 
         if ((dh = DH_new()) == NULL) {
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_DH_LIB);
+                SSLerror(ERR_R_DH_LIB);
                 goto err;
         }
 
         if (!CBS_get_u16_length_prefixed(&cbs, &dhp))
                 goto truncated;
         if ((dh->p = BN_bin2bn(CBS_data(&dhp), CBS_len(&dhp), NULL)) == NULL) {
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
+                SSLerror(ERR_R_BN_LIB);
                 goto err;
         }
 
         if (!CBS_get_u16_length_prefixed(&cbs, &dhg))
                 goto truncated;
         if ((dh->g = BN_bin2bn(CBS_data(&dhg), CBS_len(&dhg), NULL)) == NULL) {
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
+                SSLerror(ERR_R_BN_LIB);
                 goto err;
         }
 
@@ -1172,7 +1172,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
                 goto truncated;
         if ((dh->pub_key = BN_bin2bn(CBS_data(&dhpk), CBS_len(&dhpk),
             NULL)) == NULL) {
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
+                SSLerror(ERR_R_BN_LIB);
                 goto err;
         }
 
@@ -1181,7 +1181,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
          * Discard keys weaker than 1024 bits.
          */
         if (DH_size(dh) < 1024 / 8) {
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_LENGTH);
+                SSLerror(SSL_R_BAD_DH_P_LENGTH);
                 goto err;
         }
 
@@ -1202,7 +1202,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
 
  truncated:
         al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
+        SSLerror(SSL_R_BAD_PACKET_LENGTH);
         ssl3_send_alert(s, SSL3_AL_FATAL, al);
 
  err:
@@ -1227,16 +1227,16 @@ ssl3_get_server_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, int nid, CBS *public)
          */
 
         if ((ecdh = EC_KEY_new()) == NULL) {
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 goto err;
         }
 
         if ((ngroup = EC_GROUP_new_by_curve_name(nid)) == NULL) {
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
+                SSLerror(ERR_R_EC_LIB);
                 goto err;
         }
         if (EC_KEY_set_group(ecdh, ngroup) == 0) {
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EC_LIB);
+                SSLerror(ERR_R_EC_LIB);
                 goto err;
         }
 
@@ -1244,13 +1244,13 @@ ssl3_get_server_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, int nid, CBS *public)
 
         if ((point = EC_POINT_new(group)) == NULL ||
             (bn_ctx = BN_CTX_new()) == NULL) {
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 goto err;
         }
 
         if (EC_POINT_oct2point(group, point, CBS_data(public),
             CBS_len(public), bn_ctx) == 0) {
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_ECPOINT);
+                SSLerror(SSL_R_BAD_ECPOINT);
                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
                 goto err;
         }
@@ -1276,18 +1276,18 @@ ssl3_get_server_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, int nid, CBS *public)
         size_t outlen;
 
         if (nid != NID_X25519) {
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 goto err;
         }
 
         if (CBS_len(public) != X25519_KEY_LENGTH) {
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_ECPOINT);
+                SSLerror(SSL_R_BAD_ECPOINT);
                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
                 goto err;
         }
 
         if (!CBS_stow(public, &sc->peer_x25519_tmp, &outlen)) {
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 goto err;
         }
 
@@ -1321,7 +1321,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
             curve_type != NAMED_CURVE_TYPE ||
             !CBS_get_u16(&cbs, &curve_id)) {
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
+                SSLerror(SSL_R_LENGTH_TOO_SHORT);
                 goto f_err;
         }
 
@@ -1331,13 +1331,13 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
          */
         if (tls1_check_curve(s, curve_id) != 1) {
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_CURVE);
+                SSLerror(SSL_R_WRONG_CURVE);
                 goto f_err;
         }
 
         if ((nid = tls1_ec_curve_id2nid(curve_id)) == 0) {
                 al = SSL_AD_INTERNAL_ERROR;
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
                 goto f_err;
         }
@@ -1373,7 +1373,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
 
  truncated:
         al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
+        SSLerror(SSL_R_BAD_PACKET_LENGTH);
 
  f_err:
         ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -1414,7 +1414,7 @@ ssl3_get_server_key_exchange(SSL *s)
                  * ephemeral keys.
                  */
                 if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                        SSLerror(
                             SSL_R_UNEXPECTED_MESSAGE);
                         al = SSL_AD_UNEXPECTED_MESSAGE;
                         goto f_err;
@@ -1451,7 +1451,7 @@ ssl3_get_server_key_exchange(SSL *s)
                         goto err;
         } else if (alg_k != 0) {
                 al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
+                SSLerror(SSL_R_UNEXPECTED_MESSAGE);
                         goto f_err;
         }
 
@@ -1463,7 +1463,7 @@ ssl3_get_server_key_exchange(SSL *s)
                         int sigalg = tls12_get_sigid(pkey);
                         /* Should never happen */
                         if (sigalg == -1) {
-                                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                                SSLerror(
                                     ERR_R_INTERNAL_ERROR);
                                 goto err;
                         }
@@ -1474,14 +1474,14 @@ ssl3_get_server_key_exchange(SSL *s)
                         if (2 > n)
                                 goto truncated;
                         if (sigalg != (int)p[1]) {
-                                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                                SSLerror(
                                     SSL_R_WRONG_SIGNATURE_TYPE);
                                 al = SSL_AD_DECODE_ERROR;
                                 goto f_err;
                         }
                         md = tls12_get_hash(p[0]);
                         if (md == NULL) {
-                                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                                SSLerror(
                                     SSL_R_UNKNOWN_DIGEST);
                                 al = SSL_AD_DECODE_ERROR;
                                 goto f_err;
@@ -1500,7 +1500,7 @@ ssl3_get_server_key_exchange(SSL *s)
                 if (i != n || n > j) {
                         /* wrong packet length */
                         al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                        SSLerror(
                             SSL_R_WRONG_SIGNATURE_LENGTH);
                         goto f_err;
                 }
@@ -1533,14 +1533,14 @@ ssl3_get_server_key_exchange(SSL *s)
                             p, n, pkey->pkey.rsa);
                         if (i < 0) {
                                 al = SSL_AD_DECRYPT_ERROR;
-                                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                                SSLerror(
                                     SSL_R_BAD_RSA_DECRYPT);
                                 goto f_err;
                         }
                         if (i == 0) {
                                 /* bad signature */
                                 al = SSL_AD_DECRYPT_ERROR;
-                                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                                SSLerror(
                                     SSL_R_BAD_SIGNATURE);
                                 goto f_err;
                         }
@@ -1554,7 +1554,7 @@ ssl3_get_server_key_exchange(SSL *s)
                         if (EVP_VerifyFinal(&md_ctx, p,(int)n, pkey) <= 0) {
                                 /* bad signature */
                                 al = SSL_AD_DECRYPT_ERROR;
-                                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                                SSLerror(
                                     SSL_R_BAD_SIGNATURE);
                                 goto f_err;
                         }
@@ -1562,14 +1562,14 @@ ssl3_get_server_key_exchange(SSL *s)
         } else {
                 /* aNULL does not need public keys. */
                 if (!(alg_a & SSL_aNULL)) {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
                 /* still data left over */
                 if (n != 0) {
                         al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+                        SSLerror(
                             SSL_R_EXTRA_DATA_IN_MESSAGE);
                         goto f_err;
                 }
@@ -1583,7 +1583,7 @@ ssl3_get_server_key_exchange(SSL *s)
  truncated:
         /* wrong packet length */
         al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
+        SSLerror(SSL_R_BAD_PACKET_LENGTH);
 
  f_err:
         ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -1630,7 +1630,7 @@ ssl3_get_certificate_request(SSL *s)
 
         if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-                SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                SSLerror(
                     SSL_R_WRONG_MESSAGE_TYPE);
                 goto err;
         }
@@ -1638,7 +1638,7 @@ ssl3_get_certificate_request(SSL *s)
         /* TLS does not like anon-DH with client cert */
         if (S3I(s)->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-                SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                SSLerror(
                     SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
                 goto err;
         }
@@ -1648,7 +1648,7 @@ ssl3_get_certificate_request(SSL *s)
         CBS_init(&cert_request, s->internal->init_msg, n);
 
         if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
-                SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 goto err;
         }
@@ -1662,7 +1662,7 @@ ssl3_get_certificate_request(SSL *s)
         if (!CBS_get_bytes(&cert_request, &ctypes, ctype_num) ||
             !CBS_write_bytes(&ctypes, (uint8_t *)S3I(s)->tmp.ctype,
             sizeof(S3I(s)->tmp.ctype), NULL)) {
-                SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                SSLerror(
                     SSL_R_DATA_LENGTH_TOO_LONG);
                 goto err;
         }
@@ -1671,7 +1671,7 @@ ssl3_get_certificate_request(SSL *s)
                 CBS sigalgs;
 
                 if (CBS_len(&cert_request) < 2) {
-                        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                        SSLerror(
                             SSL_R_DATA_LENGTH_TOO_LONG);
                         goto err;
                 }
@@ -1681,7 +1681,7 @@ ssl3_get_certificate_request(SSL *s)
                  */
                 if (!CBS_get_u16_length_prefixed(&cert_request, &sigalgs)) {
                         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                        SSLerror(
                             SSL_R_DATA_LENGTH_TOO_LONG);
                         goto err;
                 }
@@ -1689,7 +1689,7 @@ ssl3_get_certificate_request(SSL *s)
                     !tls1_process_sigalgs(s, CBS_data(&sigalgs),
                     CBS_len(&sigalgs))) {
                         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                        SSLerror(
                             SSL_R_SIGNATURE_ALGORITHMS_ERROR);
                         goto err;
                 }
@@ -1697,7 +1697,7 @@ ssl3_get_certificate_request(SSL *s)
 
         /* get the CA RDNs */
         if (CBS_len(&cert_request) < 2) {
-                SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                SSLerror(
                     SSL_R_DATA_LENGTH_TOO_LONG);
                 goto err;
         }
@@ -1705,7 +1705,7 @@ ssl3_get_certificate_request(SSL *s)
         if (!CBS_get_u16_length_prefixed(&cert_request, &rdn_list) ||
             CBS_len(&cert_request) != 0) {
                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                SSLerror(
                     SSL_R_LENGTH_MISMATCH);
                 goto err;
         }
@@ -1714,14 +1714,14 @@ ssl3_get_certificate_request(SSL *s)
                 CBS rdn;
 
                 if (CBS_len(&rdn_list) < 2) {
-                        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                        SSLerror(
                             SSL_R_DATA_LENGTH_TOO_LONG);
                         goto err;
                 }
 
                 if (!CBS_get_u16_length_prefixed(&rdn_list, &rdn)) {
                         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                        SSLerror(
                             SSL_R_CA_DN_TOO_LONG);
                         goto err;
                 }
@@ -1730,19 +1730,19 @@ ssl3_get_certificate_request(SSL *s)
                 if ((xn = d2i_X509_NAME(NULL, &q, CBS_len(&rdn))) == NULL) {
                         ssl3_send_alert(s, SSL3_AL_FATAL,
                             SSL_AD_DECODE_ERROR);
-                        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                        SSLerror(
                             ERR_R_ASN1_LIB);
                         goto err;
                 }
 
                 if (q != CBS_data(&rdn) + CBS_len(&rdn)) {
                         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                        SSLerror(
                             SSL_R_CA_DN_LENGTH_MISMATCH);
                         goto err;
                 }
                 if (!sk_X509_NAME_push(ca_sk, xn)) {
-                        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                        SSLerror(
                             ERR_R_MALLOC_FAILURE);
                         goto err;
                 }
@@ -1759,7 +1759,7 @@ ssl3_get_certificate_request(SSL *s)
         ret = 1;
         if (0) {
 truncated:
-                SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+                SSLerror(
                     SSL_R_BAD_PACKET_LENGTH);
         }
 err:
@@ -1793,14 +1793,14 @@ ssl3_get_new_session_ticket(SSL *s)
         }
         if (S3I(s)->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) {
                 al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,
+                SSLerror(
                     SSL_R_BAD_MESSAGE_TYPE);
                 goto f_err;
         }
 
         if (n < 0) {
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,
+                SSLerror(
                     SSL_R_LENGTH_MISMATCH);
                 goto f_err;
         }
@@ -1813,7 +1813,7 @@ ssl3_get_new_session_ticket(SSL *s)
             !CBS_get_u16_length_prefixed(&cbs, &session_ticket) ||
             CBS_len(&cbs) != 0) {
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,
+                SSLerror(
                     SSL_R_LENGTH_MISMATCH);
                 goto f_err;
         }
@@ -1821,7 +1821,7 @@ ssl3_get_new_session_ticket(SSL *s)
 
         if (!CBS_stow(&session_ticket, &s->session->tlsext_tick,
             &s->session->tlsext_ticklen)) {
-                SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 goto err;
         }
@@ -1872,7 +1872,7 @@ ssl3_get_cert_status(SSL *s)
         if (n < 0) {
                 /* need at least status type + length */
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
+                SSLerror(
                     SSL_R_LENGTH_MISMATCH);
                 goto f_err;
         }
@@ -1882,14 +1882,14 @@ ssl3_get_cert_status(SSL *s)
             CBS_len(&cert_status) < 3) {
                 /* need at least status type + length */
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
+                SSLerror(
                     SSL_R_LENGTH_MISMATCH);
                 goto f_err;
         }
 
         if (status_type != TLSEXT_STATUSTYPE_ocsp) {
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
+                SSLerror(
                     SSL_R_UNSUPPORTED_STATUS_TYPE);
                 goto f_err;
         }
@@ -1897,7 +1897,7 @@ ssl3_get_cert_status(SSL *s)
         if (!CBS_get_u24_length_prefixed(&cert_status, &response) ||
             CBS_len(&cert_status) != 0) {
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
+                SSLerror(
                     SSL_R_LENGTH_MISMATCH);
                 goto f_err;
         }
@@ -1906,7 +1906,7 @@ ssl3_get_cert_status(SSL *s)
             &stow_len) || stow_len > INT_MAX) {
                 s->internal->tlsext_ocsp_resplen = 0;
                 al = SSL_AD_INTERNAL_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 goto f_err;
         }
@@ -1918,13 +1918,13 @@ ssl3_get_cert_status(SSL *s)
                     s->ctx->internal->tlsext_status_arg);
                 if (ret == 0) {
                         al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
-                        SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
+                        SSLerror(
                             SSL_R_INVALID_STATUS_RESPONSE);
                         goto f_err;
                 }
                 if (ret < 0) {
                         al = SSL_AD_INTERNAL_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CERT_STATUS,
+                        SSLerror(
                             ERR_R_MALLOC_FAILURE);
                         goto f_err;
                 }
@@ -1950,7 +1950,7 @@ ssl3_get_server_done(SSL *s)
         if (n > 0) {
                 /* should contain no data */
                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                SSLerr(SSL_F_SSL3_GET_SERVER_DONE, SSL_R_LENGTH_MISMATCH);
+                SSLerror(SSL_R_LENGTH_MISMATCH);
                 return (-1);
         }
         ret = 1;
@@ -1974,7 +1974,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
         pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
         if (pkey == NULL || pkey->type != EVP_PKEY_RSA ||
             pkey->pkey.rsa == NULL) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_INTERNAL_ERROR);
                 goto err;
         }
@@ -1984,7 +1984,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
         arc4random_buf(&pms[2], sizeof(pms) - 2);
 
         if ((enc_pms = malloc(RSA_size(pkey->pkey.rsa))) == NULL) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 goto err;
         }
@@ -1992,7 +1992,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
         enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, pkey->pkey.rsa,
             RSA_PKCS1_PADDING);
         if (enc_len <= 0) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_BAD_RSA_ENCRYPT);
                 goto err;
         }
@@ -2031,7 +2031,7 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
         /* Ensure that we have an ephemeral key for DHE. */
         if (sess_cert->peer_dh_tmp == NULL) {
                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
                 goto err;
         }
@@ -2039,22 +2039,22 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
 
         /* Generate a new random key. */
         if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
+                SSLerror(ERR_R_DH_LIB);
                 goto err;
         }
         if (!DH_generate_key(dh_clnt)) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
+                SSLerror(ERR_R_DH_LIB);
                 goto err;
         }
         key_size = DH_size(dh_clnt);
         if ((key = malloc(key_size)) == NULL) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 goto err;
         }
         key_len = DH_compute_key(key, dh_srvr->pub_key, dh_clnt);
         if (key_len <= 0) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
+                SSLerror(ERR_R_DH_LIB);
                 goto err;
         }
 
@@ -2098,38 +2098,38 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)
 
         if ((group = EC_KEY_get0_group(sc->peer_ecdh_tmp)) == NULL ||
             (point = EC_KEY_get0_public_key(sc->peer_ecdh_tmp)) == NULL) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_INTERNAL_ERROR);
                 goto err;
         }
 
         if ((ecdh = EC_KEY_new()) == NULL) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 goto err;
         }
 
         if (!EC_KEY_set_group(ecdh, group)) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
+                SSLerror(ERR_R_EC_LIB);
                 goto err;
         }
 
         /* Generate a new ECDH key pair. */
         if (!(EC_KEY_generate_key(ecdh))) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
+                SSLerror(ERR_R_ECDH_LIB);
                 goto err;
         }
         if ((key_size = ECDH_size(ecdh)) <= 0) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
+                SSLerror(ERR_R_ECDH_LIB);
                 goto err;
         }
         if ((key = malloc(key_size)) == NULL) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
         }
         key_len = ECDH_compute_key(key, key_size, point, ecdh, NULL);
         if (key_len <= 0) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
+                SSLerror(ERR_R_ECDH_LIB);
                 goto err;
         }
 
@@ -2141,12 +2141,12 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)
         encoded_len = EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh),
             POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
         if (encoded_len == 0) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
+                SSLerror(ERR_R_ECDH_LIB);
                 goto err;
         }
 
         if ((bn_ctx = BN_CTX_new()) == NULL) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 goto err;
         }
@@ -2233,7 +2233,7 @@ ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sc, CBB *cbb)
                         goto err;
         } else {
                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_INTERNAL_ERROR);
                 goto err;
         }
@@ -2261,7 +2261,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
         /* Get server sertificate PKEY and create ctx from it */
         peer_cert = sess_cert->peer_pkeys[SSL_PKEY_GOST01].x509;
         if (peer_cert == NULL) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
                 goto err;
         }
@@ -2298,7 +2298,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
          */
         ukm_hash = EVP_MD_CTX_create();
         if (ukm_hash == NULL) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 goto err;
         }
@@ -2315,7 +2315,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
         EVP_MD_CTX_destroy(ukm_hash);
         if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
             EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_LIBRARY_BUG);
+                SSLerror(SSL_R_LIBRARY_BUG);
                 goto err;
         }
 
@@ -2325,7 +2325,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
         msglen = 255;
         if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret,
             32) < 0) {
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_LIBRARY_BUG);
+                SSLerror(SSL_R_LIBRARY_BUG);
                 goto err;
         }
 
@@ -2371,7 +2371,7 @@ ssl3_send_client_key_exchange(SSL *s)
                 if ((sess_cert = SSI(s)->sess_cert) == NULL) {
                         ssl3_send_alert(s, SSL3_AL_FATAL,
                             SSL_AD_UNEXPECTED_MESSAGE);
-                        SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
@@ -2395,7 +2395,7 @@ ssl3_send_client_key_exchange(SSL *s)
                 } else {
                         ssl3_send_alert(s, SSL3_AL_FATAL,
                             SSL_AD_HANDSHAKE_FAILURE);
-                        SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
@@ -2458,7 +2458,7 @@ ssl3_send_client_verify(SSL *s)
                             &hdata);
                         if (hdatalen <= 0 ||
                             !tls12_get_sigandhash(p, pkey, md)) {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
+                                SSLerror(
                                     ERR_R_INTERNAL_ERROR);
                                 goto err;
                         }
@@ -2466,7 +2466,7 @@ ssl3_send_client_verify(SSL *s)
                         if (!EVP_SignInit_ex(&mctx, md, NULL) ||
                             !EVP_SignUpdate(&mctx, hdata, hdatalen) ||
                             !EVP_SignFinal(&mctx, p + 2, &u, pkey)) {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
+                                SSLerror(
                                     ERR_R_EVP_LIB);
                                 goto err;
                         }
@@ -2480,7 +2480,7 @@ ssl3_send_client_verify(SSL *s)
                         if (RSA_sign(NID_md5_sha1, data,
                             MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]),
                             &u, pkey->pkey.rsa) <= 0 ) {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
+                                SSLerror(
                                     ERR_R_RSA_LIB);
                                 goto err;
                         }
@@ -2491,7 +2491,7 @@ ssl3_send_client_verify(SSL *s)
                             &(data[MD5_DIGEST_LENGTH]),
                             SHA_DIGEST_LENGTH, &(p[2]),
                             (unsigned int *)&j, pkey->pkey.dsa)) {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
+                                SSLerror(
                                     ERR_R_DSA_LIB);
                                 goto err;
                         }
@@ -2502,7 +2502,7 @@ ssl3_send_client_verify(SSL *s)
                             &(data[MD5_DIGEST_LENGTH]),
                             SHA_DIGEST_LENGTH, &(p[2]),
                             (unsigned int *)&j, pkey->pkey.ec)) {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
+                                SSLerror(
                                     ERR_R_ECDSA_LIB);
                                 goto err;
                         }
@@ -2520,13 +2520,13 @@ ssl3_send_client_verify(SSL *s)
 
                         hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
                         if (hdatalen <= 0) {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
+                                SSLerror(
                                     ERR_R_INTERNAL_ERROR);
                                 goto err;
                         }
                         if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
                             !(md = EVP_get_digestbynid(nid))) {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
+                                SSLerror(
                                                 ERR_R_EVP_LIB);
                                 goto err;
                         }
@@ -2540,7 +2540,7 @@ ssl3_send_client_verify(SSL *s)
                                                NULL) <= 0) ||
                             (EVP_PKEY_sign(pctx, &(p[2]), &sigsize,
                                            signbuf, u) <= 0)) {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
+                                SSLerror(
                                     ERR_R_EVP_LIB);
                                 goto err;
                         }
@@ -2551,7 +2551,7 @@ ssl3_send_client_verify(SSL *s)
                         n = j + 2;
 #endif
                 } else {
-                        SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
@@ -2610,7 +2610,7 @@ ssl3_send_client_certificate(SSL *s)
                                 i = 0;
                 } else if (i == 1) {
                         i = 0;
-                        SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,
+                        SSLerror(
                             SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
                 }
 
@@ -2665,7 +2665,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
 
         sc = SSI(s)->sess_cert;
         if (sc == NULL) {
-                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
+                SSLerror(
                     ERR_R_INTERNAL_ERROR);
                 goto err;
         }
@@ -2678,7 +2678,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
                 if (ssl_check_srvr_ecc_cert_and_alg(
                     sc->peer_pkeys[idx].x509, s) == 0) {
                         /* check failed */
-                        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
+                        SSLerror(
                             SSL_R_BAD_ECC_CERT);
                         goto f_err;
                 } else {
@@ -2691,24 +2691,24 @@ ssl3_check_cert_and_algorithm(SSL *s)
 
         /* Check that we have a certificate if we require one. */
         if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
-                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
+                SSLerror(
                     SSL_R_MISSING_RSA_SIGNING_CERT);
                 goto f_err;
         } else if ((alg_a & SSL_aDSS) &&
             !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) {
-                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
+                SSLerror(
                     SSL_R_MISSING_DSA_SIGNING_CERT);
                 goto f_err;
         }
         if ((alg_k & SSL_kRSA) &&
             !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) {
-                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
+                SSLerror(
                     SSL_R_MISSING_RSA_ENCRYPTING_CERT);
                 goto f_err;
         }
         if ((alg_k & SSL_kDHE) &&
             !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {
-                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
+                SSLerror(
                     SSL_R_MISSING_DH_KEY);
                 goto f_err;
         }
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index 967811f1fe..525ba2146b 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_err.c,v 1.31 2017/01/26 09:16:01 jsing Exp $ */
+/* $OpenBSD: ssl_err.c,v 1.32 2017/01/26 10:40:21 beck Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -70,227 +70,7 @@
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason)
 
 static ERR_STRING_DATA SSL_str_functs[]= {
-        {ERR_FUNC(SSL_F_CLIENT_CERTIFICATE),    "CLIENT_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_CLIENT_FINISHED),       "CLIENT_FINISHED"},
-        {ERR_FUNC(SSL_F_CLIENT_HELLO),  "CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_CLIENT_MASTER_KEY),     "CLIENT_MASTER_KEY"},
-        {ERR_FUNC(SSL_F_D2I_SSL_SESSION),       "d2i_SSL_SESSION"},
-        {ERR_FUNC(SSL_F_DO_DTLS1_WRITE),        "DO_DTLS1_WRITE"},
-        {ERR_FUNC(SSL_F_DO_SSL3_WRITE), "DO_SSL3_WRITE"},
-        {ERR_FUNC(SSL_F_DTLS1_ACCEPT),  "DTLS1_ACCEPT"},
-        {ERR_FUNC(SSL_F_DTLS1_ADD_CERT_TO_BUF), "DTLS1_ADD_CERT_TO_BUF"},
-        {ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD),   "DTLS1_BUFFER_RECORD"},
-        {ERR_FUNC(SSL_F_DTLS1_CHECK_TIMEOUT_NUM),       "DTLS1_CHECK_TIMEOUT_NUM"},
-        {ERR_FUNC(SSL_F_DTLS1_CLIENT_HELLO),    "DTLS1_CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_DTLS1_CONNECT), "DTLS1_CONNECT"},
-        {ERR_FUNC(SSL_F_DTLS1_ENC),     "DTLS1_ENC"},
-        {ERR_FUNC(SSL_F_DTLS1_GET_HELLO_VERIFY),        "DTLS1_GET_HELLO_VERIFY"},
-        {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE),     "DTLS1_GET_MESSAGE"},
-        {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT),    "DTLS1_GET_MESSAGE_FRAGMENT"},
-        {ERR_FUNC(SSL_F_DTLS1_GET_RECORD),      "DTLS1_GET_RECORD"},
-        {ERR_FUNC(SSL_F_DTLS1_HANDLE_TIMEOUT),  "DTLS1_HANDLE_TIMEOUT"},
-        {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT),       "DTLS1_HEARTBEAT"},
-        {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN),       "DTLS1_OUTPUT_CERT_CHAIN"},
-        {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT),     "DTLS1_PREPROCESS_FRAGMENT"},
-        {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE),      "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
-        {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD),  "DTLS1_PROCESS_RECORD"},
-        {ERR_FUNC(SSL_F_DTLS1_READ_BYTES),      "DTLS1_READ_BYTES"},
-        {ERR_FUNC(SSL_F_DTLS1_READ_FAILED),     "DTLS1_READ_FAILED"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST),        "DTLS1_SEND_CERTIFICATE_REQUEST"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE), "DTLS1_SEND_CLIENT_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE),        "DTLS1_SEND_CLIENT_KEY_EXCHANGE"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_VERIFY),      "DTLS1_SEND_CLIENT_VERIFY"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST),       "DTLS1_SEND_HELLO_VERIFY_REQUEST"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE), "DTLS1_SEND_SERVER_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO),       "DTLS1_SEND_SERVER_HELLO"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE),        "DTLS1_SEND_SERVER_KEY_EXCHANGE"},
-        {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES),    "DTLS1_WRITE_APP_DATA_BYTES"},
-        {ERR_FUNC(SSL_F_GET_CLIENT_FINISHED),   "GET_CLIENT_FINISHED"},
-        {ERR_FUNC(SSL_F_GET_CLIENT_HELLO),      "GET_CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_GET_CLIENT_MASTER_KEY), "GET_CLIENT_MASTER_KEY"},
-        {ERR_FUNC(SSL_F_GET_SERVER_FINISHED),   "GET_SERVER_FINISHED"},
-        {ERR_FUNC(SSL_F_GET_SERVER_HELLO),      "GET_SERVER_HELLO"},
-        {ERR_FUNC(SSL_F_GET_SERVER_VERIFY),     "GET_SERVER_VERIFY"},
-        {ERR_FUNC(SSL_F_I2D_SSL_SESSION),       "i2d_SSL_SESSION"},
-        {ERR_FUNC(SSL_F_READ_N),        "READ_N"},
-        {ERR_FUNC(SSL_F_REQUEST_CERTIFICATE),   "REQUEST_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_SERVER_FINISH), "SERVER_FINISH"},
-        {ERR_FUNC(SSL_F_SERVER_HELLO),  "SERVER_HELLO"},
-        {ERR_FUNC(SSL_F_SERVER_VERIFY), "SERVER_VERIFY"},
-        {ERR_FUNC(SSL_F_SSL23_ACCEPT),  "SSL23_ACCEPT"},
-        {ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO),    "SSL23_CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_SSL23_CONNECT), "SSL23_CONNECT"},
-        {ERR_FUNC(SSL_F_SSL23_GET_CLIENT_HELLO),        "SSL23_GET_CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_SSL23_GET_SERVER_HELLO),        "SSL23_GET_SERVER_HELLO"},
-        {ERR_FUNC(SSL_F_SSL23_PEEK),    "SSL23_PEEK"},
-        {ERR_FUNC(SSL_F_SSL23_READ),    "SSL23_READ"},
-        {ERR_FUNC(SSL_F_SSL23_WRITE),   "SSL23_WRITE"},
-        {ERR_FUNC(SSL_F_SSL2_ACCEPT),   "SSL2_ACCEPT"},
-        {ERR_FUNC(SSL_F_SSL2_CONNECT),  "SSL2_CONNECT"},
-        {ERR_FUNC(SSL_F_SSL2_ENC_INIT), "SSL2_ENC_INIT"},
-        {ERR_FUNC(SSL_F_SSL2_GENERATE_KEY_MATERIAL),    "SSL2_GENERATE_KEY_MATERIAL"},
-        {ERR_FUNC(SSL_F_SSL2_PEEK),     "SSL2_PEEK"},
-        {ERR_FUNC(SSL_F_SSL2_READ),     "SSL2_READ"},
-        {ERR_FUNC(SSL_F_SSL2_READ_INTERNAL),    "SSL2_READ_INTERNAL"},
-        {ERR_FUNC(SSL_F_SSL2_SET_CERTIFICATE),  "SSL2_SET_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_SSL2_WRITE),    "SSL2_WRITE"},
-        {ERR_FUNC(SSL_F_SSL3_ACCEPT),   "SSL3_ACCEPT"},
-        {ERR_FUNC(SSL_F_SSL3_ADD_CERT_TO_BUF),  "SSL3_ADD_CERT_TO_BUF"},
-        {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL),    "SSL3_CALLBACK_CTRL"},
-        {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE),      "SSL3_CHANGE_CIPHER_STATE"},
-        {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
-        {ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO),       "SSL3_CHECK_CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO),     "SSL3_CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_SSL3_CONNECT),  "SSL3_CONNECT"},
-        {ERR_FUNC(SSL_F_SSL3_CTRL),     "SSL3_CTRL"},
-        {ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
-        {ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS),    "SSL3_DIGEST_CACHED_RECORDS"},
-        {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC),    "SSL3_DO_CHANGE_CIPHER_SPEC"},
-        {ERR_FUNC(SSL_F_SSL3_ENC),      "SSL3_ENC"},
-        {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK),       "SSL3_GENERATE_KEY_BLOCK"},
-        {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST),  "SSL3_GET_CERTIFICATE_REQUEST"},
-        {ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS),  "SSL3_GET_CERT_STATUS"},
-        {ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY),  "SSL3_GET_CERT_VERIFY"},
-        {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE),   "SSL3_GET_CLIENT_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE),  "SSL3_GET_CLIENT_KEY_EXCHANGE"},
-        {ERR_FUNC(SSL_F_SSL3_GET_FINISHED),     "SSL3_GET_FINISHED"},
-        {ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"},
-        {ERR_FUNC(SSL_F_SSL3_GET_MESSAGE),      "SSL3_GET_MESSAGE"},
-        {ERR_FUNC(SSL_F_SSL3_GET_NEW_SESSION_TICKET),   "SSL3_GET_NEW_SESSION_TICKET"},
-        {ERR_FUNC(SSL_F_SSL3_GET_NEXT_PROTO),   "SSL3_GET_NEXT_PROTO"},
-        {ERR_FUNC(SSL_F_SSL3_GET_RECORD),       "SSL3_GET_RECORD"},
-        {ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE),   "SSL3_GET_SERVER_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE),  "SSL3_GET_SERVER_DONE"},
-        {ERR_FUNC(SSL_F_SSL3_GET_SERVER_HELLO), "SSL3_GET_SERVER_HELLO"},
-        {ERR_FUNC(SSL_F_SSL3_HANDSHAKE_MAC),    "ssl3_handshake_mac"},
-        {ERR_FUNC(SSL_F_SSL3_NEW_SESSION_TICKET),       "SSL3_NEW_SESSION_TICKET"},
-        {ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN),        "SSL3_OUTPUT_CERT_CHAIN"},
-        {ERR_FUNC(SSL_F_SSL3_PEEK),     "SSL3_PEEK"},
-        {ERR_FUNC(SSL_F_SSL3_READ_BYTES),       "SSL3_READ_BYTES"},
-        {ERR_FUNC(SSL_F_SSL3_READ_N),   "SSL3_READ_N"},
-        {ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"},
-        {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE),  "SSL3_SEND_CLIENT_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"},
-        {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY),       "SSL3_SEND_CLIENT_VERIFY"},
-        {ERR_FUNC(SSL_F_SSL3_SEND_SERVER_CERTIFICATE),  "SSL3_SEND_SERVER_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_SSL3_SEND_SERVER_HELLO),        "SSL3_SEND_SERVER_HELLO"},
-        {ERR_FUNC(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE), "SSL3_SEND_SERVER_KEY_EXCHANGE"},
-        {ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK),  "SSL3_SETUP_KEY_BLOCK"},
-        {ERR_FUNC(SSL_F_SSL3_SETUP_READ_BUFFER),        "SSL3_SETUP_READ_BUFFER"},
-        {ERR_FUNC(SSL_F_SSL3_SETUP_WRITE_BUFFER),       "SSL3_SETUP_WRITE_BUFFER"},
-        {ERR_FUNC(SSL_F_SSL3_WRITE_BYTES),      "SSL3_WRITE_BYTES"},
-        {ERR_FUNC(SSL_F_SSL3_WRITE_PENDING),    "SSL3_WRITE_PENDING"},
-        {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT),   "SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT"},
-        {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT),    "SSL_ADD_CLIENTHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT),      "SSL_ADD_CLIENTHELLO_USE_SRTP_EXT"},
-        {ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK),    "SSL_add_dir_cert_subjects_to_stack"},
-        {ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK),   "SSL_add_file_cert_subjects_to_stack"},
-        {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT),   "SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT"},
-        {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT),    "SSL_ADD_SERVERHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT),      "SSL_ADD_SERVERHELLO_USE_SRTP_EXT"},
-        {ERR_FUNC(SSL_F_SSL_BAD_METHOD),        "SSL_BAD_METHOD"},
-        {ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST),      "SSL_BYTES_TO_CIPHER_LIST"},
-        {ERR_FUNC(SSL_F_SSL_CERT_DUP),  "SSL_CERT_DUP"},
-        {ERR_FUNC(SSL_F_SSL_CERT_INST), "SSL_CERT_INST"},
-        {ERR_FUNC(SSL_F_SSL_CERT_INSTANTIATE),  "SSL_CERT_INSTANTIATE"},
-        {ERR_FUNC(SSL_F_SSL_CERT_NEW),  "SSL_CERT_NEW"},
-        {ERR_FUNC(SSL_F_SSL_CHECK_PRIVATE_KEY), "SSL_check_private_key"},
-        {ERR_FUNC(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT),  "SSL_CHECK_SERVERHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG),       "SSL_CHECK_SRVR_ECC_CERT_AND_ALG"},
-        {ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR),    "SSL_CIPHER_PROCESS_RULESTR"},
-        {ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT),      "SSL_CIPHER_STRENGTH_SORT"},
-        {ERR_FUNC(SSL_F_SSL_CLEAR),     "SSL_clear"},
-        {ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD),       "SSL_COMP_add_compression_method"},
-        {ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST),        "SSL_CREATE_CIPHER_LIST"},
-        {ERR_FUNC(SSL_F_SSL_CTRL),      "SSL_ctrl"},
-        {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY),     "SSL_CTX_check_private_key"},
-        {ERR_FUNC(SSL_F_SSL_CTX_MAKE_PROFILES), "SSL_CTX_MAKE_PROFILES"},
-        {ERR_FUNC(SSL_F_SSL_CTX_NEW),   "SSL_CTX_new"},
-        {ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST),       "SSL_CTX_set_cipher_list"},
-        {ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE),        "SSL_CTX_set_client_cert_engine"},
-        {ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE),   "SSL_CTX_set_purpose"},
-        {ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT),        "SSL_CTX_set_session_id_context"},
-        {ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION),       "SSL_CTX_set_ssl_version"},
-        {ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST),     "SSL_CTX_set_trust"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE),       "SSL_CTX_use_certificate"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1),  "SSL_CTX_use_certificate_ASN1"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE),    "SSL_CTX_use_certificate_chain_file"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE),  "SSL_CTX_use_certificate_file"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY),        "SSL_CTX_use_PrivateKey"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1),   "SSL_CTX_use_PrivateKey_ASN1"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE),   "SSL_CTX_use_PrivateKey_file"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT), "SSL_CTX_use_psk_identity_hint"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY),     "SSL_CTX_use_RSAPrivateKey"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1),        "SSL_CTX_use_RSAPrivateKey_ASN1"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE),        "SSL_CTX_use_RSAPrivateKey_file"},
-        {ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE),      "SSL_do_handshake"},
-        {ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION),   "SSL_GET_NEW_SESSION"},
-        {ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION),  "SSL_GET_PREV_SESSION"},
-        {ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT),      "SSL_GET_SERVER_SEND_CERT"},
-        {ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_PKEY),      "SSL_GET_SERVER_SEND_PKEY"},
-        {ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY),     "SSL_GET_SIGN_PKEY"},
-        {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER),  "SSL_INIT_WBIO_BUFFER"},
-        {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE),       "SSL_load_client_CA_file"},
-        {ERR_FUNC(SSL_F_SSL_NEW),       "SSL_new"},
-        {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
-        {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT),  "SSL_PARSE_CLIENTHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT),    "SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT"},
-        {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
-        {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT),  "SSL_PARSE_SERVERHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT),    "SSL_PARSE_SERVERHELLO_USE_SRTP_EXT"},
-        {ERR_FUNC(SSL_F_SSL_PEEK),      "SSL_peek"},
-        {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT),        "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT),        "SSL_PREPARE_SERVERHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_SSL_READ),      "SSL_read"},
-        {ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT),       "SSL_RSA_PRIVATE_DECRYPT"},
-        {ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT),        "SSL_RSA_PUBLIC_ENCRYPT"},
-        {ERR_FUNC(SSL_F_SSL_SESSION_NEW),       "SSL_SESSION_new"},
-        {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP),  "SSL_SESSION_print_fp"},
-        {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT),   "SSL_SESSION_set1_id_context"},
-        {ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW),     "SSL_SESS_CERT_NEW"},
-        {ERR_FUNC(SSL_F_SSL_SET_CERT),  "SSL_SET_CERT"},
-        {ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST),   "SSL_set_cipher_list"},
-        {ERR_FUNC(SSL_F_SSL_SET_FD),    "SSL_set_fd"},
-        {ERR_FUNC(SSL_F_SSL_SET_PKEY),  "SSL_SET_PKEY"},
-        {ERR_FUNC(SSL_F_SSL_SET_PURPOSE),       "SSL_set_purpose"},
-        {ERR_FUNC(SSL_F_SSL_SET_RFD),   "SSL_set_rfd"},
-        {ERR_FUNC(SSL_F_SSL_SET_SESSION),       "SSL_set_session"},
-        {ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT),    "SSL_set_session_id_context"},
-        {ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT),    "SSL_set_session_ticket_ext"},
-        {ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
-        {ERR_FUNC(SSL_F_SSL_SET_WFD),   "SSL_set_wfd"},
-        {ERR_FUNC(SSL_F_SSL_SHUTDOWN),  "SSL_shutdown"},
-        {ERR_FUNC(SSL_F_SSL_SRP_CTX_INIT),      "SSL_SRP_CTX_init"},
-        {ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION),  "SSL_UNDEFINED_CONST_FUNCTION"},
-        {ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION),        "SSL_UNDEFINED_FUNCTION"},
-        {ERR_FUNC(SSL_F_SSL_UNDEFINED_VOID_FUNCTION),   "SSL_UNDEFINED_VOID_FUNCTION"},
-        {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE),   "SSL_use_certificate"},
-        {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1),      "SSL_use_certificate_ASN1"},
-        {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE),      "SSL_use_certificate_file"},
-        {ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY),    "SSL_use_PrivateKey"},
-        {ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_ASN1),       "SSL_use_PrivateKey_ASN1"},
-        {ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE),       "SSL_use_PrivateKey_file"},
-        {ERR_FUNC(SSL_F_SSL_USE_PSK_IDENTITY_HINT),     "SSL_use_psk_identity_hint"},
-        {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
-        {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1),    "SSL_use_RSAPrivateKey_ASN1"},
-        {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE),    "SSL_use_RSAPrivateKey_file"},
-        {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"},
-        {ERR_FUNC(SSL_F_SSL_WRITE),     "SSL_write"},
-        {ERR_FUNC(SSL_F_TLS1_AEAD_CTX_INIT), "TLS1_AEAD_CTX_INIT"},
-        {ERR_FUNC(SSL_F_TLS1_CERT_VERIFY_MAC),  "tls1_cert_verify_mac"},
-        {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"},
-        {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD), "TLS1_CHANGE_CIPHER_STATE_AEAD"},
-        {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER), "TLS1_CHANGE_CIPHER_STATE_CIPHER"},
-        {ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT), "TLS1_CHECK_SERVERHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_TLS1_ENC),      "TLS1_ENC"},
-        {ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL),   "TLS1_EXPORT_KEYING_MATERIAL"},
-        {ERR_FUNC(SSL_F_TLS1_HEARTBEAT),        "SSL_F_TLS1_HEARTBEAT"},
-        {ERR_FUNC(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT),       "TLS1_PREPARE_CLIENTHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT),       "TLS1_PREPARE_SERVERHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_TLS1_PRF),      "tls1_prf"},
-        {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK),  "TLS1_SETUP_KEY_BLOCK"},
-        {ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
+        {ERR_FUNC(0xfff), "SSL_internal"},
         {0, NULL}
 };
 
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 6d5d5c468b..605fc428ad 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.153 2017/01/26 06:32:58 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.154 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -163,7 +163,7 @@ int
 SSL_clear(SSL *s)
 {
         if (s->method == NULL) {
-                SSLerr(SSL_F_SSL_CLEAR, SSL_R_NO_METHOD_SPECIFIED);
+                SSLerror(SSL_R_NO_METHOD_SPECIFIED);
                 return (0);
         }
 
@@ -177,7 +177,7 @@ SSL_clear(SSL *s)
         s->internal->shutdown = 0;
 
         if (s->internal->renegotiate) {
-                SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 return (0);
         }
 
@@ -226,7 +226,7 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
         sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list),
             &(ctx->internal->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST);
         if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
-                SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,
+                SSLerror(
                     SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
                 return (0);
         }
@@ -239,21 +239,21 @@ SSL_new(SSL_CTX *ctx)
         SSL     *s;
 
         if (ctx == NULL) {
-                SSLerr(SSL_F_SSL_NEW, SSL_R_NULL_SSL_CTX);
+                SSLerror(SSL_R_NULL_SSL_CTX);
                 return (NULL);
         }
         if (ctx->method == NULL) {
-                SSLerr(SSL_F_SSL_NEW, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
+                SSLerror(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
                 return (NULL);
         }
 
         if ((s = calloc(1, sizeof(*s))) == NULL) {
-                SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (NULL);
         }
         if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL) {
                 free(s);
-                SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (NULL);
         }
 
@@ -372,7 +372,7 @@ SSL_new(SSL_CTX *ctx)
 
  err:
         SSL_free(s);
-        SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
+        SSLerror(ERR_R_MALLOC_FAILURE);
         return (NULL);
 }
 
@@ -381,7 +381,7 @@ SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
     unsigned int sid_ctx_len)
 {
         if (sid_ctx_len > sizeof ctx->sid_ctx) {
-                SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,
+                SSLerror(
                     SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
                 return (0);
         }
@@ -396,7 +396,7 @@ SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
     unsigned int sid_ctx_len)
 {
         if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
-                SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,
+                SSLerror(
                     SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
                 return (0);
         }
@@ -634,7 +634,7 @@ SSL_set_fd(SSL *s, int fd)
         bio = BIO_new(BIO_s_socket());
 
         if (bio == NULL) {
-                SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
+                SSLerror(ERR_R_BUF_LIB);
                 goto err;
         }
         BIO_set_fd(bio, fd, BIO_NOCLOSE);
@@ -655,7 +655,7 @@ SSL_set_wfd(SSL *s, int fd)
                 bio = BIO_new(BIO_s_socket());
 
                 if (bio == NULL) {
-                        SSLerr(SSL_F_SSL_SET_WFD, ERR_R_BUF_LIB);
+                        SSLerror(ERR_R_BUF_LIB);
                         goto err;
                 }
                 BIO_set_fd(bio, fd, BIO_NOCLOSE);
@@ -678,7 +678,7 @@ SSL_set_rfd(SSL *s, int fd)
                 bio = BIO_new(BIO_s_socket());
 
                 if (bio == NULL) {
-                        SSLerr(SSL_F_SSL_SET_RFD, ERR_R_BUF_LIB);
+                        SSLerror(ERR_R_BUF_LIB);
                         goto err;
                 }
                 BIO_set_fd(bio, fd, BIO_NOCLOSE);
@@ -873,12 +873,12 @@ SSL_CTX_check_private_key(const SSL_CTX *ctx)
 {
         if ((ctx == NULL) || (ctx->internal->cert == NULL) ||
             (ctx->internal->cert->key->x509 == NULL)) {
-                SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,
+                SSLerror(
                     SSL_R_NO_CERTIFICATE_ASSIGNED);
                 return (0);
         }
         if (ctx->internal->cert->key->privatekey == NULL) {
-                SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,
+                SSLerror(
                     SSL_R_NO_PRIVATE_KEY_ASSIGNED);
                 return (0);
         }
@@ -891,22 +891,22 @@ int
 SSL_check_private_key(const SSL *ssl)
 {
         if (ssl == NULL) {
-                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
+                SSLerror(
                     ERR_R_PASSED_NULL_PARAMETER);
                 return (0);
         }
         if (ssl->cert == NULL) {
-                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
+                SSLerror(
                     SSL_R_NO_CERTIFICATE_ASSIGNED);
                 return (0);
         }
         if (ssl->cert->key->x509 == NULL) {
-                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
+                SSLerror(
                     SSL_R_NO_CERTIFICATE_ASSIGNED);
                 return (0);
         }
         if (ssl->cert->key->privatekey == NULL) {
-                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
+                SSLerror(
                     SSL_R_NO_PRIVATE_KEY_ASSIGNED);
                 return (0);
         }
@@ -942,7 +942,7 @@ int
 SSL_read(SSL *s, void *buf, int num)
 {
         if (s->internal->handshake_func == NULL) {
-                SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
+                SSLerror(SSL_R_UNINITIALIZED);
                 return (-1);
         }
 
@@ -957,7 +957,7 @@ int
 SSL_peek(SSL *s, void *buf, int num)
 {
         if (s->internal->handshake_func == NULL) {
-                SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED);
+                SSLerror(SSL_R_UNINITIALIZED);
                 return (-1);
         }
 
@@ -971,13 +971,13 @@ int
 SSL_write(SSL *s, const void *buf, int num)
 {
         if (s->internal->handshake_func == NULL) {
-                SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED);
+                SSLerror(SSL_R_UNINITIALIZED);
                 return (-1);
         }
 
         if (s->internal->shutdown & SSL_SENT_SHUTDOWN) {
                 s->internal->rwstate = SSL_NOTHING;
-                SSLerr(SSL_F_SSL_WRITE, SSL_R_PROTOCOL_IS_SHUTDOWN);
+                SSLerror(SSL_R_PROTOCOL_IS_SHUTDOWN);
                 return (-1);
         }
         return (s->method->internal->ssl_write(s, buf, num));
@@ -994,7 +994,7 @@ SSL_shutdown(SSL *s)
          */
 
         if (s->internal->handshake_func == NULL) {
-                SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
+                SSLerror(SSL_R_UNINITIALIZED);
                 return (-1);
         }
 
@@ -1306,7 +1306,7 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
         if (sk == NULL)
                 return (0);
         else if (sk_SSL_CIPHER_num(sk) == 0) {
-                SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
+                SSLerror(SSL_R_NO_CIPHER_MATCH);
                 return (0);
         }
         return (1);
@@ -1324,7 +1324,7 @@ SSL_set_cipher_list(SSL *s, const char *str)
         if (sk == NULL)
                 return (0);
         else if (sk_SSL_CIPHER_num(sk) == 0) {
-                SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
+                SSLerror(SSL_R_NO_CIPHER_MATCH);
                 return (0);
         }
         return (1);
@@ -1428,20 +1428,20 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)
          * RFC 5246 section 7.4.1.2 defines the interval as [2,2^16-2].
          */
         if (num < 2 || num > 0x10000 - 2) {
-                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
+                SSLerror(
                     SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
                 return (NULL);
         }
 
         if ((sk = sk_SSL_CIPHER_new_null()) == NULL) {
-                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 goto err;
         }
 
         CBS_init(&cbs, p, num);
         while (CBS_len(&cbs) > 0) {
                 if (!CBS_get_u16(&cbs, &cipher_value)) {
-                        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
+                        SSLerror(
                             SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
                         goto err;
                 }
@@ -1454,7 +1454,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)
                          * renegotiating.
                          */
                         if (s->internal->renegotiate) {
-                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
+                                SSLerror(
                                     SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
                                 ssl3_send_alert(s, SSL3_AL_FATAL,
                                     SSL_AD_HANDSHAKE_FAILURE);
@@ -1474,7 +1474,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)
                          */
                         max_version = ssl_max_server_version(s);
                         if (max_version == 0 || s->version < max_version) {
-                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
+                                SSLerror(
                                     SSL_R_INAPPROPRIATE_FALLBACK);
                                 if (s->s3 != NULL)
                                         ssl3_send_alert(s, SSL3_AL_FATAL,
@@ -1486,7 +1486,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)
 
                 if ((c = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
                         if (!sk_SSL_CIPHER_push(sk, c)) {
-                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
+                                SSLerror(
                                     ERR_R_MALLOC_FAILURE);
                                 goto err;
                         }
@@ -1797,22 +1797,22 @@ SSL_CTX_new(const SSL_METHOD *meth)
         SSL_CTX *ret;
 
         if (meth == NULL) {
-                SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED);
+                SSLerror(SSL_R_NULL_SSL_METHOD_PASSED);
                 return (NULL);
         }
 
         if ((ret = calloc(1, sizeof(*ret))) == NULL) {
-                SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (NULL);
         }
         if ((ret->internal = calloc(1, sizeof(*ret->internal))) == NULL) {
                 free(ret);
-                SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (NULL);
         }
 
         if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
-                SSLerr(SSL_F_SSL_CTX_NEW,
+                SSLerror(
                     SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
                 goto err;
         }
@@ -1872,7 +1872,7 @@ SSL_CTX_new(const SSL_METHOD *meth)
             &ret->internal->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST);
         if (ret->cipher_list == NULL ||
             sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
-                SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
+                SSLerror(SSL_R_LIBRARY_HAS_NO_CIPHERS);
                 goto err2;
         }
 
@@ -1881,12 +1881,12 @@ SSL_CTX_new(const SSL_METHOD *meth)
                 goto err;
 
         if ((ret->internal->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
-                SSLerr(SSL_F_SSL_CTX_NEW,
+                SSLerror(
                     SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
                 goto err2;
         }
         if ((ret->internal->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
-                SSLerr(SSL_F_SSL_CTX_NEW,
+                SSLerror(
                     SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
                 goto err2;
         }
@@ -1942,7 +1942,7 @@ SSL_CTX_new(const SSL_METHOD *meth)
 
         return (ret);
 err:
-        SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
+        SSLerror(ERR_R_MALLOC_FAILURE);
 err2:
         SSL_CTX_free(ret);
         return (NULL);
@@ -2126,7 +2126,7 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
                 /* Key usage, if present, must allow signing. */
                 if ((x->ex_flags & EXFLAG_KUSAGE) &&
                     ((x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) == 0)) {
-                        SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
+                        SSLerror(
                             SSL_R_ECC_CERT_NOT_FOR_SIGNING);
                         return (0);
                 }
@@ -2159,7 +2159,7 @@ ssl_get_server_send_pkey(const SSL *s)
         } else if (alg_a & SSL_aGOST01) {
                 i = SSL_PKEY_GOST01;
         } else { /* if (alg_a & SSL_aNULL) */
-                SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 return (NULL);
         }
 
@@ -2199,7 +2199,7 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd)
             (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
                 idx = SSL_PKEY_ECC;
         if (idx == -1) {
-                SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 return (NULL);
         }
         if (pmd)
@@ -2403,7 +2403,7 @@ SSL_do_handshake(SSL *s)
         int     ret = 1;
 
         if (s->internal->handshake_func == NULL) {
-                SSLerr(SSL_F_SSL_DO_HANDSHAKE, SSL_R_CONNECTION_TYPE_NOT_SET);
+                SSLerror(SSL_R_CONNECTION_TYPE_NOT_SET);
                 return (-1);
         }
 
@@ -2448,7 +2448,7 @@ SSL_set_connect_state(SSL *s)
 int
 ssl_undefined_function(SSL *s)
 {
-        SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,
+        SSLerror(
             ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
         return (0);
 }
@@ -2456,7 +2456,7 @@ ssl_undefined_function(SSL *s)
 int
 ssl_undefined_void_function(void)
 {
-        SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,
+        SSLerror(
             ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
         return (0);
 }
@@ -2464,7 +2464,7 @@ ssl_undefined_void_function(void)
 int
 ssl_undefined_const_function(const SSL *s)
 {
-        SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,
+        SSLerror(
             ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
         return (0);
 }
@@ -2700,7 +2700,7 @@ ssl_init_wbio_buffer(SSL *s, int push)
         (void)BIO_reset(bbio);
 /*      if (!BIO_set_write_buffer_size(bbio,16*1024)) */
         if (!BIO_set_read_buffer_size(bbio, 1)) {
-                SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER, ERR_R_BUF_LIB);
+                SSLerror(ERR_R_BUF_LIB);
                 return (0);
         }
         if (push) {
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 215d4ad0b0..1ce9350ba6 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.171 2017/01/26 07:20:57 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.172 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1368,6 +1368,8 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out,
     size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret,
     unsigned mac_secret_length);
 
+#define SSLerror(r)  ERR_PUT_error(ERR_LIB_SSL,(0xfff),(r),__FILE__,__LINE__)
+
 __END_HIDDEN_DECLS
 
 #endif
diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c
index 0c5b4c463b..a8462ffd84 100644
--- a/src/lib/libssl/ssl_packet.c
+++ b/src/lib/libssl/ssl_packet.c
@@ -106,12 +106,12 @@ ssl_convert_sslv2_client_hello(SSL *s)
                 return -1;
 
         if (record_length < 9) {
-                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+                SSLerror(
                     SSL_R_RECORD_LENGTH_MISMATCH);
                 return -1;
         }
         if (record_length > 4096) {
-                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE);
+                SSLerror(SSL_R_RECORD_TOO_LARGE);
                 return -1;
         }
 
@@ -150,7 +150,7 @@ ssl_convert_sslv2_client_hello(SSL *s)
         if (!CBS_get_bytes(&cbs, &challenge, challenge_length))
                 return -1;
         if (CBS_len(&cbs) != 0) {
-                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+                SSLerror(
                     SSL_R_RECORD_LENGTH_MISMATCH);
                 return -1;
         }
@@ -236,7 +236,7 @@ ssl_server_legacy_first_packet(SSL *s)
         if (ssl_is_sslv2_client_hello(&header) == 1) {
                 /* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */
                 if (ssl_enabled_version_range(s, &min_version, NULL) != 1) {
-                        SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+                        SSLerror(
                             SSL_R_NO_PROTOCOLS_AVAILABLE);
                         return -1;
                 }
@@ -244,7 +244,7 @@ ssl_server_legacy_first_packet(SSL *s)
                         return 1;
 
                 if (ssl_convert_sslv2_client_hello(s) != 1) {
-                        SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+                        SSLerror(
                             SSL_R_BAD_PACKET_LENGTH);
                         return -1;
                 }
@@ -254,7 +254,7 @@ ssl_server_legacy_first_packet(SSL *s)
 
         /* Ensure that we have SSL3_RT_HEADER_LENGTH (5 bytes) of the packet. */
         if (CBS_len(&header) != SSL3_RT_HEADER_LENGTH) {
-                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 return -1;
         }
         data = (const char *)CBS_data(&header);
@@ -264,15 +264,15 @@ ssl_server_legacy_first_packet(SSL *s)
             strncmp("POST ", data, 5) == 0 ||
             strncmp("HEAD ", data, 5) == 0 ||
             strncmp("PUT ", data, 4) == 0) {
-                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTP_REQUEST);
+                SSLerror(SSL_R_HTTP_REQUEST);
                 return -1;
         }
         if (strncmp("CONNE", data, 5) == 0) {
-                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTPS_PROXY_REQUEST);
+                SSLerror(SSL_R_HTTPS_PROXY_REQUEST);
                 return -1;
         }
 
-        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
+        SSLerror(SSL_R_UNKNOWN_PROTOCOL);
 
         return -1;
 }
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index 2fa7852b80..f354fb82bf 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.5 2017/01/26 08:19:43 beck Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.6 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -224,7 +224,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
 
         if (n > (int)(rb->len - rb->offset)) {
                 /* does not happen */
-                SSLerr(SSL_F_SSL3_READ_N, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 return -1;
         }
 
@@ -248,7 +248,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
                         s->internal->rwstate = SSL_READING;
                         i = BIO_read(s->rbio, pkt + len + left, max - left);
                 } else {
-                        SSLerr(SSL_F_SSL3_READ_N, SSL_R_READ_BIO_NOT_SET);
+                        SSLerror(SSL_R_READ_BIO_NOT_SET);
                         i = -1;
                 }
 
@@ -364,7 +364,7 @@ ssl3_get_record(SSL *s)
                 if (!CBS_get_u8(&header, &type) ||
                     !CBS_get_u16(&header, &ssl_version) ||
                     !CBS_get_u16(&header, &len)) {
-                        SSLerr(SSL_F_SSL3_GET_RECORD,
+                        SSLerror(
                             SSL_R_BAD_PACKET_LENGTH);
                         goto err;
                 }
@@ -374,7 +374,7 @@ ssl3_get_record(SSL *s)
 
                 /* Lets check version */
                 if (!s->internal->first_packet && ssl_version != s->version) {
-                        SSLerr(SSL_F_SSL3_GET_RECORD,
+                        SSLerror(
                             SSL_R_WRONG_VERSION_NUMBER);
                         if ((s->version & 0xFF00) == (ssl_version & 0xFF00) &&
                             !s->internal->enc_write_ctx && !s->internal->write_hash)
@@ -385,14 +385,14 @@ ssl3_get_record(SSL *s)
                 }
 
                 if ((ssl_version >> 8) != SSL3_VERSION_MAJOR) {
-                        SSLerr(SSL_F_SSL3_GET_RECORD,
+                        SSLerror(
                             SSL_R_WRONG_VERSION_NUMBER);
                         goto err;
                 }
 
                 if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH) {
                         al = SSL_AD_RECORD_OVERFLOW;
-                        SSLerr(SSL_F_SSL3_GET_RECORD,
+                        SSLerror(
                             SSL_R_PACKET_LENGTH_TOO_LONG);
                         goto f_err;
                 }
@@ -428,7 +428,7 @@ ssl3_get_record(SSL *s)
         /* check is not needed I believe */
         if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
                 al = SSL_AD_RECORD_OVERFLOW;
-                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+                SSLerror(SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
                 goto f_err;
         }
 
@@ -442,7 +442,7 @@ ssl3_get_record(SSL *s)
          *    -1: if the padding is invalid */
         if (enc_err == 0) {
                 al = SSL_AD_DECRYPTION_FAILED;
-                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+                SSLerror(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
                 goto f_err;
         }
 
@@ -470,7 +470,7 @@ ssl3_get_record(SSL *s)
                     (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
                     orig_len < mac_size + 1)) {
                         al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
+                        SSLerror(SSL_R_LENGTH_TOO_SHORT);
                         goto f_err;
                 }
 
@@ -510,14 +510,14 @@ ssl3_get_record(SSL *s)
                  * (e.g. via a logfile)
                  */
                 al = SSL_AD_BAD_RECORD_MAC;
-                SSLerr(SSL_F_SSL3_GET_RECORD,
+                SSLerror(
                     SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
                 goto f_err;
         }
 
         if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
                 al = SSL_AD_RECORD_OVERFLOW;
-                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
+                SSLerror(SSL_R_DATA_LENGTH_TOO_LONG);
                 goto f_err;
         }
 
@@ -543,7 +543,7 @@ ssl3_get_record(SSL *s)
                  * empty record without forcing want_read.
                  */
                 if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) {
-                        SSLerr(SSL_F_SSL3_GET_RECORD,
+                        SSLerror(
                             SSL_R_PEER_BEHAVING_BADLY);
                         return -1;
                 }
@@ -575,7 +575,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
         int i;
 
         if (len < 0) {
-                SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 return -1;
         }
 
@@ -588,7 +588,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                 if (i < 0)
                         return (i);
                 if (i == 0) {
-                        SSLerr(SSL_F_SSL3_WRITE_BYTES,
+                        SSLerror(
                             SSL_R_SSL_HANDSHAKE_FAILURE);
                         return -1;
                 }
@@ -698,7 +698,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                         if (prefix_len >
                                 (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) {
                                 /* insufficient space */
-                                SSLerr(SSL_F_DO_SSL3_WRITE,
+                                SSLerror(
                                     ERR_R_INTERNAL_ERROR);
                                 goto err;
                         }
@@ -842,7 +842,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len)
         if ((S3I(s)->wpend_tot > (int)len) || ((S3I(s)->wpend_buf != buf) &&
             !(s->internal->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) ||
             (S3I(s)->wpend_type != type)) {
-                SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BAD_WRITE_RETRY);
+                SSLerror(SSL_R_BAD_WRITE_RETRY);
                 return (-1);
         }
 
@@ -854,7 +854,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len)
                         (char *)&(wb->buf[wb->offset]),
                         (unsigned int)wb->left);
                 } else {
-                        SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BIO_NOT_SET);
+                        SSLerror(SSL_R_BIO_NOT_SET);
                         i = -1;
                 }
                 if (i == wb->left) {
@@ -919,14 +919,14 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
                         return (-1);
 
         if (len < 0) {
-                SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 return -1;
         }
 
         if ((type && type != SSL3_RT_APPLICATION_DATA &&
             type != SSL3_RT_HANDSHAKE) ||
             (peek && (type != SSL3_RT_APPLICATION_DATA))) {
-                SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 return -1;
         }
 
@@ -961,7 +961,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
                 if (i < 0)
                         return (i);
                 if (i == 0) {
-                        SSLerr(SSL_F_SSL3_READ_BYTES,
+                        SSLerror(
                             SSL_R_SSL_HANDSHAKE_FAILURE);
                         return (-1);
                 }
@@ -1004,7 +1004,7 @@ start:
                                        * reset by ssl3_get_finished */
             && (rr->type != SSL3_RT_HANDSHAKE)) {
                 al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_READ_BYTES,
+                SSLerror(
                     SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
                 goto f_err;
         }
@@ -1025,7 +1025,7 @@ start:
                 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
                         (s->enc_read_ctx == NULL)) {
                         al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_SSL3_READ_BYTES,
+                        SSLerror(
                             SSL_R_APP_DATA_IN_HANDSHAKE);
                         goto f_err;
                 }
@@ -1108,7 +1108,7 @@ start:
                     (S3I(s)->handshake_fragment[2] != 0) ||
                     (S3I(s)->handshake_fragment[3] != 0)) {
                         al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_BAD_HELLO_REQUEST);
+                        SSLerror(SSL_R_BAD_HELLO_REQUEST);
                         goto f_err;
                 }
 
@@ -1126,7 +1126,7 @@ start:
                                 if (i < 0)
                                         return (i);
                                 if (i == 0) {
-                                        SSLerr(SSL_F_SSL3_READ_BYTES,
+                                        SSLerror(
                                             SSL_R_SSL_HANDSHAKE_FAILURE);
                                         return (-1);
                                 }
@@ -1200,14 +1200,14 @@ start:
                          */
                         else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
                                 al = SSL_AD_HANDSHAKE_FAILURE;
-                                SSLerr(SSL_F_SSL3_READ_BYTES,
+                                SSLerror(
                                     SSL_R_NO_RENEGOTIATION);
                                 goto f_err;
                         }
                 } else if (alert_level == SSL3_AL_FATAL) {
                         s->internal->rwstate = SSL_NOTHING;
                         S3I(s)->fatal_alert = alert_descr;
-                        SSLerr(SSL_F_SSL3_READ_BYTES,
+                        SSLerror(
                             SSL_AD_REASON_OFFSET + alert_descr);
                         ERR_asprintf_error_data("SSL alert number %d",
                             alert_descr);
@@ -1216,7 +1216,7 @@ start:
                         return (0);
                 } else {
                         al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE);
+                        SSLerror(SSL_R_UNKNOWN_ALERT_TYPE);
                         goto f_err;
                 }
 
@@ -1236,7 +1236,7 @@ start:
                 if ((rr->length != 1) || (rr->off != 0) ||
                         (rr->data[0] != SSL3_MT_CCS)) {
                         al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_READ_BYTES,
+                        SSLerror(
                             SSL_R_BAD_CHANGE_CIPHER_SPEC);
                         goto f_err;
                 }
@@ -1244,7 +1244,7 @@ start:
                 /* Check we have a cipher to change to */
                 if (S3I(s)->tmp.new_cipher == NULL) {
                         al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_SSL3_READ_BYTES,
+                        SSLerror(
                             SSL_R_CCS_RECEIVED_EARLY);
                         goto f_err;
                 }
@@ -1252,7 +1252,7 @@ start:
                 /* Check that we should be receiving a Change Cipher Spec. */
                 if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) {
                         al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_SSL3_READ_BYTES,
+                        SSLerror(
                             SSL_R_CCS_RECEIVED_EARLY);
                         goto f_err;
                 }
@@ -1285,7 +1285,7 @@ start:
                 if (i < 0)
                         return (i);
                 if (i == 0) {
-                        SSLerr(SSL_F_SSL3_READ_BYTES,
+                        SSLerror(
                             SSL_R_SSL_HANDSHAKE_FAILURE);
                         return (-1);
                 }
@@ -1315,7 +1315,7 @@ start:
                         goto start;
                 }
                 al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
+                SSLerror(SSL_R_UNEXPECTED_RECORD);
                 goto f_err;
         case SSL3_RT_CHANGE_CIPHER_SPEC:
         case SSL3_RT_ALERT:
@@ -1324,7 +1324,7 @@ start:
                  * of SSL3_RT_HANDSHAKE when s->internal->in_handshake is set, but that
                  * should not happen when type != rr->type */
                 al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 goto f_err;
         case SSL3_RT_APPLICATION_DATA:
                 /* At this point, we were expecting handshake data,
@@ -1346,7 +1346,7 @@ start:
                         return (-1);
                 } else {
                         al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
+                        SSLerror(SSL_R_UNEXPECTED_RECORD);
                         goto f_err;
                 }
         }
@@ -1373,7 +1373,7 @@ ssl3_do_change_cipher_spec(SSL *s)
         if (S3I(s)->tmp.key_block == NULL) {
                 if (s->session == NULL || s->session->master_key_length == 0) {
                         /* might happen if dtls1_read_bytes() calls this */
-                        SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,
+                        SSLerror(
                             SSL_R_CCS_RECEIVED_EARLY);
                         return (0);
                 }
@@ -1400,7 +1400,7 @@ ssl3_do_change_cipher_spec(SSL *s)
         i = tls1_final_finish_mac(s, sender, slen,
             S3I(s)->tmp.peer_finish_md);
         if (i == 0) {
-                SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 return 0;
         }
         S3I(s)->tmp.peer_finish_md_len = i;
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 03eedc0d8a..3efed227f0 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.25 2017/01/24 14:57:31 jsing Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.26 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -74,11 +74,11 @@ int
 SSL_use_certificate(SSL *ssl, X509 *x)
 {
         if (x == NULL) {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
+                SSLerror(ERR_R_PASSED_NULL_PARAMETER);
                 return (0);
         }
         if (!ssl_cert_inst(&ssl->cert)) {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (0);
         }
         return (ssl_set_cert(ssl->cert, x));
@@ -94,12 +94,12 @@ SSL_use_certificate_file(SSL *ssl, const char *file, int type)
 
         in = BIO_new(BIO_s_file_internal());
         if (in == NULL) {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
+                SSLerror(ERR_R_BUF_LIB);
                 goto end;
         }
 
         if (BIO_read_filename(in, file) <= 0) {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
+                SSLerror(ERR_R_SYS_LIB);
                 goto end;
         }
         if (type == SSL_FILETYPE_ASN1) {
@@ -111,12 +111,12 @@ SSL_use_certificate_file(SSL *ssl, const char *file, int type)
                     ssl->ctx->default_passwd_callback,
                     ssl->ctx->default_passwd_callback_userdata);
         } else {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
+                SSLerror(SSL_R_BAD_SSL_FILETYPE);
                 goto end;
         }
 
         if (x == NULL) {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j);
+                SSLerror(j);
                 goto end;
         }
 
@@ -135,7 +135,7 @@ SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
 
         x = d2i_X509(NULL, &d,(long)len);
         if (x == NULL) {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
+                SSLerror(ERR_R_ASN1_LIB);
                 return (0);
         }
 
@@ -151,15 +151,15 @@ SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
         int ret;
 
         if (rsa == NULL) {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
+                SSLerror(ERR_R_PASSED_NULL_PARAMETER);
                 return (0);
         }
         if (!ssl_cert_inst(&ssl->cert)) {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (0);
         }
         if ((pkey = EVP_PKEY_new()) == NULL) {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
+                SSLerror(ERR_R_EVP_LIB);
                 return (0);
         }
 
@@ -178,7 +178,7 @@ ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
 
         i = ssl_cert_type(NULL, pkey);
         if (i < 0) {
-                SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
+                SSLerror(SSL_R_UNKNOWN_CERTIFICATE_TYPE);
                 return (0);
         }
 
@@ -222,12 +222,12 @@ SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
 
         in = BIO_new(BIO_s_file_internal());
         if (in == NULL) {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
+                SSLerror(ERR_R_BUF_LIB);
                 goto end;
         }
 
         if (BIO_read_filename(in, file) <= 0) {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
+                SSLerror(ERR_R_SYS_LIB);
                 goto end;
         }
         if (type == SSL_FILETYPE_ASN1) {
@@ -239,11 +239,11 @@ SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
                     ssl->ctx->default_passwd_callback,
                     ssl->ctx->default_passwd_callback_userdata);
         } else {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
+                SSLerror(SSL_R_BAD_SSL_FILETYPE);
                 goto end;
         }
         if (rsa == NULL) {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j);
+                SSLerror(j);
                 goto end;
         }
         ret = SSL_use_RSAPrivateKey(ssl, rsa);
@@ -262,7 +262,7 @@ SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
 
         p = d;
         if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
+                SSLerror(ERR_R_ASN1_LIB);
                 return (0);
         }
 
@@ -277,11 +277,11 @@ SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
         int ret;
 
         if (pkey == NULL) {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
+                SSLerror(ERR_R_PASSED_NULL_PARAMETER);
                 return (0);
         }
         if (!ssl_cert_inst(&ssl->cert)) {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (0);
         }
         ret = ssl_set_pkey(ssl->cert, pkey);
@@ -297,12 +297,12 @@ SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
 
         in = BIO_new(BIO_s_file_internal());
         if (in == NULL) {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
+                SSLerror(ERR_R_BUF_LIB);
                 goto end;
         }
 
         if (BIO_read_filename(in, file) <= 0) {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
+                SSLerror(ERR_R_SYS_LIB);
                 goto end;
         }
         if (type == SSL_FILETYPE_PEM) {
@@ -314,11 +314,11 @@ SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
                 j = ERR_R_ASN1_LIB;
                 pkey = d2i_PrivateKey_bio(in, NULL);
         } else {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
+                SSLerror(SSL_R_BAD_SSL_FILETYPE);
                 goto end;
         }
         if (pkey == NULL) {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j);
+                SSLerror(j);
                 goto end;
         }
         ret = SSL_use_PrivateKey(ssl, pkey);
@@ -337,7 +337,7 @@ SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)
 
         p = d;
         if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
+                SSLerror(ERR_R_ASN1_LIB);
                 return (0);
         }
 
@@ -350,11 +350,11 @@ int
 SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
 {
         if (x == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
+                SSLerror(ERR_R_PASSED_NULL_PARAMETER);
                 return (0);
         }
         if (!ssl_cert_inst(&ctx->internal->cert)) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (0);
         }
         return (ssl_set_cert(ctx->internal->cert, x));
@@ -368,13 +368,13 @@ ssl_set_cert(CERT *c, X509 *x)
 
         pkey = X509_get_pubkey(x);
         if (pkey == NULL) {
-                SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB);
+                SSLerror(SSL_R_X509_LIB);
                 return (0);
         }
 
         i = ssl_cert_type(x, pkey);
         if (i < 0) {
-                SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
+                SSLerror(SSL_R_UNKNOWN_CERTIFICATE_TYPE);
                 EVP_PKEY_free(pkey);
                 return (0);
         }
@@ -427,12 +427,12 @@ SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
 
         in = BIO_new(BIO_s_file_internal());
         if (in == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
+                SSLerror(ERR_R_BUF_LIB);
                 goto end;
         }
 
         if (BIO_read_filename(in, file) <= 0) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
+                SSLerror(ERR_R_SYS_LIB);
                 goto end;
         }
         if (type == SSL_FILETYPE_ASN1) {
@@ -443,12 +443,12 @@ SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
                 x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,
                     ctx->default_passwd_callback_userdata);
         } else {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
+                SSLerror(SSL_R_BAD_SSL_FILETYPE);
                 goto end;
         }
 
         if (x == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j);
+                SSLerror(j);
                 goto end;
         }
 
@@ -467,7 +467,7 @@ SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
 
         x = d2i_X509(NULL, &d,(long)len);
         if (x == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
+                SSLerror(ERR_R_ASN1_LIB);
                 return (0);
         }
 
@@ -483,15 +483,15 @@ SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
         EVP_PKEY *pkey;
 
         if (rsa == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
+                SSLerror(ERR_R_PASSED_NULL_PARAMETER);
                 return (0);
         }
         if (!ssl_cert_inst(&ctx->internal->cert)) {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (0);
         }
         if ((pkey = EVP_PKEY_new()) == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
+                SSLerror(ERR_R_EVP_LIB);
                 return (0);
         }
 
@@ -512,12 +512,12 @@ SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
 
         in = BIO_new(BIO_s_file_internal());
         if (in == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
+                SSLerror(ERR_R_BUF_LIB);
                 goto end;
         }
 
         if (BIO_read_filename(in, file) <= 0) {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
+                SSLerror(ERR_R_SYS_LIB);
                 goto end;
         }
         if (type == SSL_FILETYPE_ASN1) {
@@ -529,11 +529,11 @@ SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
                     ctx->default_passwd_callback,
                     ctx->default_passwd_callback_userdata);
         } else {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
+                SSLerror(SSL_R_BAD_SSL_FILETYPE);
                 goto end;
         }
         if (rsa == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j);
+                SSLerror(j);
                 goto end;
         }
         ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
@@ -552,7 +552,7 @@ SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
 
         p = d;
         if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
+                SSLerror(ERR_R_ASN1_LIB);
                 return (0);
         }
 
@@ -565,12 +565,12 @@ int
 SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
 {
         if (pkey == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,
+                SSLerror(
                     ERR_R_PASSED_NULL_PARAMETER);
                 return (0);
         }
         if (!ssl_cert_inst(&ctx->internal->cert)) {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (0);
         }
         return (ssl_set_pkey(ctx->internal->cert, pkey));
@@ -585,12 +585,12 @@ SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
 
         in = BIO_new(BIO_s_file_internal());
         if (in == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
+                SSLerror(ERR_R_BUF_LIB);
                 goto end;
         }
 
         if (BIO_read_filename(in, file) <= 0) {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
+                SSLerror(ERR_R_SYS_LIB);
                 goto end;
         }
         if (type == SSL_FILETYPE_PEM) {
@@ -602,12 +602,12 @@ SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
                 j = ERR_R_ASN1_LIB;
                 pkey = d2i_PrivateKey_bio(in, NULL);
         } else {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,
+                SSLerror(
                     SSL_R_BAD_SSL_FILETYPE);
                 goto end;
         }
         if (pkey == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);
+                SSLerror(j);
                 goto end;
         }
         ret = SSL_CTX_use_PrivateKey(ctx, pkey);
@@ -627,7 +627,7 @@ SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
 
         p = d;
         if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
+                SSLerror(ERR_R_ASN1_LIB);
                 return (0);
         }
 
@@ -653,7 +653,7 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
         x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
             ctx->default_passwd_callback_userdata);
         if (x == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
+                SSLerror(ERR_R_PEM_LIB);
                 goto end;
         }
 
@@ -713,12 +713,12 @@ SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
 
         in = BIO_new(BIO_s_file_internal());
         if (in == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
+                SSLerror(ERR_R_BUF_LIB);
                 goto end;
         }
 
         if (BIO_read_filename(in, file) <= 0) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB);
+                SSLerror(ERR_R_SYS_LIB);
                 goto end;
         }
 
@@ -737,7 +737,7 @@ SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len)
 
         in = BIO_new_mem_buf(buf, len);
         if (in == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
+                SSLerror(ERR_R_BUF_LIB);
                 goto end;
         }
 
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 8c802b170e..5cd531ef59 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.67 2017/01/24 09:03:21 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.68 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -200,12 +200,12 @@ SSL_SESSION_new(void)
         SSL_SESSION *ss;
 
         if ((ss = calloc(1, sizeof(*ss))) == NULL) {
-                SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (NULL);
         }
         if ((ss->internal = calloc(1, sizeof(*ss->internal))) == NULL) {
                 free(ss);
-                SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (NULL);
         }
 
@@ -312,7 +312,7 @@ ssl_get_new_session(SSL *s, int session)
                         ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
                         break;
                 default:
-                        SSLerr(SSL_F_SSL_GET_NEW_SESSION,
+                        SSLerror(
                             SSL_R_UNSUPPORTED_SSL_VERSION);
                         SSL_SESSION_free(ss);
                         return (0);
@@ -336,7 +336,7 @@ ssl_get_new_session(SSL *s, int session)
                 tmp = ss->session_id_length;
                 if (!cb(s, ss->session_id, &tmp)) {
                         /* The callback failed */
-                        SSLerr(SSL_F_SSL_GET_NEW_SESSION,
+                        SSLerror(
                         SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
                         SSL_SESSION_free(ss);
                         return (0);
@@ -348,7 +348,7 @@ ssl_get_new_session(SSL *s, int session)
                  */
                 if (!tmp || (tmp > ss->session_id_length)) {
                         /* The callback set an illegal length */
-                        SSLerr(SSL_F_SSL_GET_NEW_SESSION,
+                        SSLerror(
                         SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
                         SSL_SESSION_free(ss);
                         return (0);
@@ -358,7 +358,7 @@ ssl_get_new_session(SSL *s, int session)
                 /* Finally, check for a conflict. */
                 if (SSL_has_matching_session_id(s, ss->session_id,
                         ss->session_id_length)) {
-                        SSLerr(SSL_F_SSL_GET_NEW_SESSION,
+                        SSLerror(
                         SSL_R_SSL_SESSION_ID_CONFLICT);
                         SSL_SESSION_free(ss);
                         return (0);
@@ -368,7 +368,7 @@ sess_id_done:
                 if (s->tlsext_hostname) {
                         ss->tlsext_hostname = strdup(s->tlsext_hostname);
                         if (ss->tlsext_hostname == NULL) {
-                                SSLerr(SSL_F_SSL_GET_NEW_SESSION,
+                                SSLerror(
                                     ERR_R_INTERNAL_ERROR);
                                 SSL_SESSION_free(ss);
                                 return 0;
@@ -379,7 +379,7 @@ sess_id_done:
         }
 
         if (s->sid_ctx_length > sizeof ss->sid_ctx) {
-                SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 SSL_SESSION_free(ss);
                 return 0;
         }
@@ -528,7 +528,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
                  * applications to effectively disable the session cache by
                  * accident without anyone noticing).
                  */
-                SSLerr(SSL_F_SSL_GET_PREV_SESSION,
+                SSLerror(
                     SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
                 fatal = 1;
                 goto err;
@@ -729,7 +729,7 @@ SSL_set_session(SSL *s, SSL_SESSION *session)
                 if (meth == NULL)
                         meth = s->method->internal->get_ssl_method(session->ssl_version);
                 if (meth == NULL) {
-                        SSLerr(SSL_F_SSL_SET_SESSION,
+                        SSLerror(
                             SSL_R_UNABLE_TO_FIND_SSL_METHOD);
                         return (0);
                 }
@@ -810,7 +810,7 @@ SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
     unsigned int sid_ctx_len)
 {
         if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
-                SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT,
+                SSLerror(
                     SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
                 return 0;
         }
@@ -872,7 +872,7 @@ SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
                 s->internal->tlsext_session_ticket =
                     malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
                 if (!s->internal->tlsext_session_ticket) {
-                        SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT,
+                        SSLerror(
                             ERR_R_MALLOC_FAILURE);
                         return 0;
                 }
@@ -1080,12 +1080,12 @@ int
 SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
 {
         if (!ENGINE_init(e)) {
-                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE,
+                SSLerror(
                     ERR_R_ENGINE_LIB);
                 return 0;
         }
         if (!ENGINE_get_ssl_client_cert_function(e)) {
-                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE,
+                SSLerror(
                     SSL_R_NO_CLIENT_CERT_METHOD);
                 ENGINE_finish(e);
                 return 0;
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index a716947ab9..46ca4d6c9c 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.2 2017/01/26 06:32:58 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.3 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -189,7 +189,7 @@ ssl3_accept(SSL *s)
                 SSL_clear(s);
 
         if (s->cert == NULL) {
-                SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
+                SSLerror(SSL_R_NO_CERTIFICATE_SET);
                 ret = -1;
                 goto end;
         }
@@ -212,7 +212,7 @@ ssl3_accept(SSL *s)
                                 cb(s, SSL_CB_HANDSHAKE_START, 1);
 
                         if ((s->version >> 8) != 3) {
-                                SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
+                                SSLerror(ERR_R_INTERNAL_ERROR);
                                 ret = -1;
                                 goto end;
                         }
@@ -253,7 +253,7 @@ ssl3_accept(SSL *s)
                                  * client that doesn't support secure
                                  * renegotiation.
                                  */
-                                SSLerr(SSL_F_SSL3_ACCEPT,
+                                SSLerror(
                                     SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
                                 ssl3_send_alert(s, SSL3_AL_FATAL,
                                     SSL_AD_HANDSHAKE_FAILURE);
@@ -484,7 +484,7 @@ ssl3_accept(SSL *s)
                                  * at this point and digest cached records.
                                  */
                                 if (!S3I(s)->handshake_buffer) {
-                                        SSLerr(SSL_F_SSL3_ACCEPT,
+                                        SSLerror(
                                             ERR_R_INTERNAL_ERROR);
                                         ret = -1;
                                         goto end;
@@ -673,7 +673,7 @@ ssl3_accept(SSL *s)
                         /* break; */
 
                 default:
-                        SSLerr(SSL_F_SSL3_ACCEPT,
+                        SSLerror(
                             SSL_R_UNKNOWN_STATE);
                         ret = -1;
                         goto end;
@@ -765,7 +765,7 @@ ssl3_get_client_hello(SSL *s)
         p += 2;
 
         if (ssl_max_shared_version(s, s->client_version, &shared_version) != 1) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
+                SSLerror(SSL_R_WRONG_VERSION_NUMBER);
                 if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
                     !s->internal->enc_write_ctx && !s->internal->write_hash) {
                         /*
@@ -782,7 +782,7 @@ ssl3_get_client_hello(SSL *s)
         if ((method = tls1_get_server_method(shared_version)) == NULL)
                 method = dtls1_get_server_method(shared_version);
         if (method == NULL) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 goto err;
         }
         s->method = method;
@@ -868,7 +868,7 @@ ssl3_get_client_hello(SSL *s)
                 if (cookie_len > sizeof(D1I(s)->rcvd_cookie)) {
                         /* too much data */
                         al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                        SSLerror(
                             SSL_R_COOKIE_MISMATCH);
                         goto f_err;
                 }
@@ -885,7 +885,7 @@ ssl3_get_client_hello(SSL *s)
                                 if (s->ctx->internal->app_verify_cookie_cb(s,
                                     D1I(s)->rcvd_cookie, cookie_len) == 0) {
                                         al = SSL_AD_HANDSHAKE_FAILURE;
-                                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                                        SSLerror(
                                             SSL_R_COOKIE_MISMATCH);
                                         goto f_err;
                                 }
@@ -894,7 +894,7 @@ ssl3_get_client_hello(SSL *s)
                             D1I(s)->cookie_len) != 0) {
                                 /* default verification */
                                 al = SSL_AD_HANDSHAKE_FAILURE;
-                                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                                SSLerror(
                                     SSL_R_COOKIE_MISMATCH);
                                 goto f_err;
                         }
@@ -911,7 +911,7 @@ ssl3_get_client_hello(SSL *s)
         if ((i == 0) && (j != 0)) {
                 /* we need a cipher if we are not resuming a session */
                 al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                SSLerror(
                     SSL_R_NO_CIPHERS_SPECIFIED);
                 goto f_err;
         }
@@ -941,7 +941,7 @@ ssl3_get_client_hello(SSL *s)
                          * list if we are asked to reuse it
                          */
                         al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                        SSLerror(
                             SSL_R_REQUIRED_CIPHER_MISSING);
                         goto f_err;
                 }
@@ -962,7 +962,7 @@ ssl3_get_client_hello(SSL *s)
         if (j >= i) {
                 /* no compress */
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                SSLerror(
                     SSL_R_NO_COMPRESSION_SPECIFIED);
                 goto f_err;
         }
@@ -970,11 +970,11 @@ ssl3_get_client_hello(SSL *s)
         /* TLS extensions*/
         if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) {
                 /* 'al' set by ssl_parse_clienthello_tlsext */
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
+                SSLerror(SSL_R_PARSE_TLSEXT);
                 goto f_err;
         }
         if (ssl_check_clienthello_tlsext_early(s) <= 0) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                SSLerror(
                     SSL_R_CLIENTHELLO_TLSEXT);
                 goto err;
         }
@@ -1006,7 +1006,7 @@ ssl3_get_client_hello(SSL *s)
                             SSL_get_ciphers(s));
                         if (pref_cipher == NULL) {
                                 al = SSL_AD_HANDSHAKE_FAILURE;
-                                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                                SSLerror(
                                     SSL_R_NO_SHARED_CIPHER);
                                 goto f_err;
                         }
@@ -1032,7 +1032,7 @@ ssl3_get_client_hello(SSL *s)
                 s->session->ciphers = ciphers;
                 if (ciphers == NULL) {
                         al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                        SSLerror(
                             SSL_R_NO_CIPHERS_PASSED);
                         goto f_err;
                 }
@@ -1042,7 +1042,7 @@ ssl3_get_client_hello(SSL *s)
 
                 if (c == NULL) {
                         al = SSL_AD_HANDSHAKE_FAILURE;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                        SSLerror(
                             SSL_R_NO_SHARED_CIPHER);
                         goto f_err;
                 }
@@ -1074,7 +1074,7 @@ ssl3_get_client_hello(SSL *s)
 
         /* Handles TLS extensions that we couldn't check earlier */
         if (ssl_check_clienthello_tlsext_late(s) <= 0) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
+                SSLerror(SSL_R_CLIENTHELLO_TLSEXT);
                 goto err;
         }
 
@@ -1083,7 +1083,7 @@ ssl3_get_client_hello(SSL *s)
         if (0) {
 truncated:
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_BAD_PACKET_LENGTH);
+                SSLerror(SSL_R_BAD_PACKET_LENGTH);
 f_err:
                 ssl3_send_alert(s, SSL3_AL_FATAL, al);
         }
@@ -1142,7 +1142,7 @@ ssl3_send_server_hello(SSL *s)
 
                 sl = s->session->session_id_length;
                 if (sl > (int)sizeof(s->session->session_id)) {
-                        SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
@@ -1166,7 +1166,7 @@ ssl3_send_server_hello(SSL *s)
 
                 if ((p = ssl_add_serverhello_tlsext(s, p + outlen,
                     bufend)) == NULL) {
-                        SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         goto err;
                 }
@@ -1208,7 +1208,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
         if (s->cert->dh_tmp_auto != 0) {
                 if ((dhp = ssl_get_auto_dh(s)) == NULL) {
                         al = SSL_AD_INTERNAL_ERROR;
-                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         goto f_err;
                 }
@@ -1221,13 +1221,13 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
 
         if (dhp == NULL) {
                 al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_MISSING_TMP_DH_KEY);
                 goto f_err;
         }
 
         if (S3I(s)->tmp.dh != NULL) {
-                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_INTERNAL_ERROR);
                 goto err;
         }
@@ -1235,12 +1235,12 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
         if (s->cert->dh_tmp_auto != 0) {
                 dh = dhp;
         } else if ((dh = DHparams_dup(dhp)) == NULL) {
-                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
+                SSLerror(ERR_R_DH_LIB);
                 goto err;
         }
         S3I(s)->tmp.dh = dh;
         if (!DH_generate_key(dh)) {
-                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
+                SSLerror(ERR_R_DH_LIB);
                 goto err;
         }
 
@@ -1299,13 +1299,13 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
         }
         if (ecdhp == NULL) {
                 al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_MISSING_TMP_ECDH_KEY);
                 goto f_err;
         }
 
         if (S3I(s)->tmp.ecdh != NULL) {
-                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_INTERNAL_ERROR);
                 goto err;
         }
@@ -1314,7 +1314,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
         if (s->cert->ecdh_tmp_auto != 0) {
                 ecdh = ecdhp;
         } else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
-                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_ECDH_LIB);
                 goto err;
         }
@@ -1324,7 +1324,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
             (EC_KEY_get0_private_key(ecdh) == NULL) ||
             (s->internal->options & SSL_OP_SINGLE_ECDH_USE)) {
                 if (!EC_KEY_generate_key(ecdh)) {
-                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                        SSLerror(
                             ERR_R_ECDH_LIB);
                         goto err;
                 }
@@ -1333,7 +1333,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
         if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
             (EC_KEY_get0_public_key(ecdh)  == NULL) ||
             (EC_KEY_get0_private_key(ecdh) == NULL)) {
-                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_ECDH_LIB);
                 goto err;
         }
@@ -1344,7 +1344,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
          */
         if ((curve_id = tls1_ec_nid2curve_id(
             EC_GROUP_get_curve_name(group))) == 0) {
-                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
                 goto err;
         }
@@ -1360,7 +1360,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
 
         bn_ctx = BN_CTX_new();
         if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
-                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 goto err;
         }
@@ -1369,7 +1369,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
             POINT_CONVERSION_UNCOMPRESSED, encodedPoint, encodedlen, bn_ctx);
 
         if (encodedlen == 0) {
-                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
+                SSLerror(ERR_R_ECDH_LIB);
                 goto err;
         }
 
@@ -1421,7 +1421,7 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb)
 
         /* Generate an X25519 key pair. */
         if (S3I(s)->tmp.x25519 != NULL) {
-                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_INTERNAL_ERROR);
                 goto err;
         }
@@ -1433,7 +1433,7 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb)
 
         /* Serialize public key. */
         if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
-                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
                 goto err;
         }
@@ -1509,7 +1509,7 @@ ssl3_send_server_key_exchange(SSL *s)
                                 goto err;
                 } else {
                         al = SSL_AD_HANDSHAKE_FAILURE;
-                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                        SSLerror(
                             SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
                         goto f_err;
                 }
@@ -1531,7 +1531,7 @@ ssl3_send_server_key_exchange(SSL *s)
 
                 if (!BUF_MEM_grow_clean(buf, ssl3_handshake_msg_hdr_len(s) +
                     params_len + kn)) {
-                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                        SSLerror(
                             ERR_LIB_BUF);
                         goto err;
                 }
@@ -1575,9 +1575,7 @@ ssl3_send_server_key_exchange(SSL *s)
                                 }
                                 if (RSA_sign(NID_md5_sha1, md_buf, j,
                                     &(p[2]), &u, pkey->pkey.rsa) <= 0) {
-                                        SSLerr(
-                                            SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
-                                            ERR_LIB_RSA);
+                                        SSLerror(ERR_R_RSA_LIB);
                                         goto err;
                                 }
                                 s2n(u, p);
@@ -1588,9 +1586,7 @@ ssl3_send_server_key_exchange(SSL *s)
                                         if (!tls12_get_sigandhash(p, pkey, md)) {
                                                 /* Should never happen */
                                                 al = SSL_AD_INTERNAL_ERROR;
-                                                SSLerr(
-                                                    SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
-                                                    ERR_R_INTERNAL_ERROR);
+                                                SSLerror(ERR_R_INTERNAL_ERROR);
                                                 goto f_err;
                                         }
                                         p += 2;
@@ -1605,9 +1601,7 @@ ssl3_send_server_key_exchange(SSL *s)
                                 EVP_SignUpdate(&md_ctx, d, n);
                                 if (!EVP_SignFinal(&md_ctx, &p[2],
                                         (unsigned int *)&i, pkey)) {
-                                        SSLerr(
-                                            SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
-                                            ERR_LIB_EVP);
+                                        SSLerror(ERR_R_EVP_LIB);
                                         goto err;
                                 }
                                 s2n(i, p);
@@ -1617,7 +1611,7 @@ ssl3_send_server_key_exchange(SSL *s)
                         } else {
                                 /* Is this error check actually needed? */
                                 al = SSL_AD_HANDSHAKE_FAILURE;
-                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+                                SSLerror(
                                     SSL_R_UNKNOWN_PKEY_TYPE);
                                 goto f_err;
                         }
@@ -1684,9 +1678,7 @@ ssl3_send_certificate_request(SSL *s)
                                 if (!BUF_MEM_grow_clean(buf,
                                     ssl3_handshake_msg_hdr_len(s) + n + j
                                     + 2)) {
-                                        SSLerr(
-                                            SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
-                                            ERR_R_BUF_LIB);
+                                        SSLerror(ERR_R_BUF_LIB);
                                         goto err;
                                 }
                                 p = ssl3_handshake_msg_start(s,
@@ -1732,7 +1724,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)
         if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
             (pkey->pkey.rsa == NULL)) {
                 al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_MISSING_RSA_CERTIFICATE);
                 goto f_err;
         }
@@ -1742,7 +1734,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)
                 goto truncated;
         n2s(p, i);
         if (n != i + 2) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
                 goto err;
         } else
@@ -1756,7 +1748,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)
 
         if (i != SSL_MAX_MASTER_KEY_LENGTH) {
                 al = SSL_AD_DECODE_ERROR;
-                /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
+                /* SSLerror(SSL_R_BAD_RSA_DECRYPT); */
         }
 
         if (p - d + 2 > n)      /* needed in the SSL3 case */
@@ -1778,7 +1770,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)
                     (p[0] == (s->version >> 8)) &&
                     (p[1] == (s->version & 0xff)))) {
                         al = SSL_AD_DECODE_ERROR;
-                        /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
+                        /* SSLerror(SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
 
                         /*
                          * The Klima-Pokorny-Rosa extension of
@@ -1816,7 +1808,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)
         return (1);
 truncated:
         al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
+        SSLerror(SSL_R_BAD_PACKET_LENGTH);
 f_err:
         ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
@@ -1844,21 +1836,21 @@ ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n)
 
         if (S3I(s)->tmp.dh == NULL) {
                 al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_MISSING_TMP_DH_KEY);
                 goto f_err;
         }
         dh = S3I(s)->tmp.dh;
 
         if ((bn = BN_bin2bn(CBS_data(&dh_Yc), CBS_len(&dh_Yc), NULL)) == NULL) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_BN_LIB);
                 goto err;
         }
 
         key_size = DH_compute_key(p, bn, dh);
         if (key_size <= 0) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
+                SSLerror(ERR_R_DH_LIB);
                 BN_clear_free(bn);
                 goto err;
         }
@@ -1878,7 +1870,7 @@ ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n)
 
  truncated:
         al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
+        SSLerror(SSL_R_BAD_PACKET_LENGTH);
  f_err:
         ssl3_send_alert(s, SSL3_AL_FATAL, al);
  err:
@@ -1902,7 +1894,7 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
 
         /* Initialize structures for server's ECDH key pair. */
         if ((srvr_ecdh = EC_KEY_new()) == NULL) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 goto err;
         }
@@ -1918,14 +1910,14 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
 
         if (!EC_KEY_set_group(srvr_ecdh, group) ||
             !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_EC_LIB);
                 goto err;
         }
 
         /* Let's get client's public key */
         if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 goto err;
         }
@@ -1948,7 +1940,7 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
                          * group.
                          */
                         al = SSL_AD_HANDSHAKE_FAILURE;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                        SSLerror(
                             SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
                         goto f_err;
                 }
@@ -1956,7 +1948,7 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
                 if (EC_POINT_copy(clnt_ecpoint,
                     EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec))
                     == 0) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                        SSLerror(
                             ERR_R_EC_LIB);
                         goto err;
                 }
@@ -1967,7 +1959,7 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
                  * in the ClientKeyExchange message.
                  */
                 if ((bn_ctx = BN_CTX_new()) == NULL) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                        SSLerror(
                             ERR_R_MALLOC_FAILURE);
                         goto err;
                 }
@@ -1977,13 +1969,13 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
 
                 p += 1;
                 if (n != 1 + i) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                        SSLerror(
                             ERR_R_EC_LIB);
                         goto err;
                 }
                 if (EC_POINT_oct2point(group,
                         clnt_ecpoint, p, i, bn_ctx) == 0) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                        SSLerror(
                             ERR_R_EC_LIB);
                         goto err;
                 }
@@ -1997,14 +1989,14 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
         /* Compute the shared pre-master secret */
         key_size = ECDH_size(srvr_ecdh);
         if (key_size <= 0) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_ECDH_LIB);
                 goto err;
         }
         i = ECDH_compute_key(p, key_size, clnt_ecpoint, srvr_ecdh,
             NULL);
         if (i <= 0) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     ERR_R_ECDH_LIB);
                 goto err;
         }
@@ -2122,7 +2114,7 @@ ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n)
         if (ASN1_get_object((const unsigned char **)&p, &Tlen, &Ttag,
             &Tclass, n) != V_ASN1_CONSTRUCTED ||
             Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_DECRYPTION_FAILED);
                 goto gerr;
         }
@@ -2130,7 +2122,7 @@ ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n)
         inlen = Tlen;
         if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
             start, inlen) <=0) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_DECRYPTION_FAILED);
                 goto gerr;
         }
@@ -2154,7 +2146,7 @@ ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n)
 
  truncated:
         al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_PACKET_LENGTH);
+        SSLerror(SSL_R_BAD_PACKET_LENGTH);
         ssl3_send_alert(s, SSL3_AL_FATAL, al);
  err:
         return (-1);
@@ -2192,7 +2184,7 @@ ssl3_get_client_key_exchange(SSL *s)
                         goto err;
         } else {
                 al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                SSLerror(
                     SSL_R_UNKNOWN_CIPHER_TYPE);
                 goto f_err;
         }
@@ -2236,7 +2228,7 @@ ssl3_get_cert_verify(SSL *s)
                 S3I(s)->tmp.reuse_message = 1;
                 if (peer != NULL) {
                         al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                        SSLerror(
                             SSL_R_MISSING_VERIFY_MESSAGE);
                         goto f_err;
                 }
@@ -2245,21 +2237,21 @@ ssl3_get_cert_verify(SSL *s)
         }
 
         if (peer == NULL) {
-                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                SSLerror(
                     SSL_R_NO_CLIENT_CERT_RECEIVED);
                 al = SSL_AD_UNEXPECTED_MESSAGE;
                 goto f_err;
         }
 
         if (!(type & EVP_PKT_SIGN)) {
-                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                SSLerror(
                     SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
                 al = SSL_AD_ILLEGAL_PARAMETER;
                 goto f_err;
         }
 
         if (S3I(s)->change_cipher_spec) {
-                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                SSLerror(
                     SSL_R_CCS_RECEIVED_EARLY);
                 al = SSL_AD_UNEXPECTED_MESSAGE;
                 goto f_err;
@@ -2281,7 +2273,7 @@ ssl3_get_cert_verify(SSL *s)
                         int sigalg = tls12_get_sigid(pkey);
                         /* Should never happen */
                         if (sigalg == -1) {
-                                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                                SSLerror(
                                     ERR_R_INTERNAL_ERROR);
                                 al = SSL_AD_INTERNAL_ERROR;
                                 goto f_err;
@@ -2290,14 +2282,14 @@ ssl3_get_cert_verify(SSL *s)
                                 goto truncated;
                         /* Check key type is consistent with signature */
                         if (sigalg != (int)p[1]) {
-                                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                                SSLerror(
                                     SSL_R_WRONG_SIGNATURE_TYPE);
                                 al = SSL_AD_DECODE_ERROR;
                                 goto f_err;
                         }
                         md = tls12_get_hash(p[0]);
                         if (md == NULL) {
-                                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                                SSLerror(
                                     SSL_R_UNKNOWN_DIGEST);
                                 al = SSL_AD_DECODE_ERROR;
                                 goto f_err;
@@ -2314,7 +2306,7 @@ ssl3_get_cert_verify(SSL *s)
         }
         j = EVP_PKEY_size(pkey);
         if ((i > j) || (n > j) || (n <= 0)) {
-                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                SSLerror(
                     SSL_R_WRONG_SIGNATURE_SIZE);
                 al = SSL_AD_DECODE_ERROR;
                 goto f_err;
@@ -2325,14 +2317,14 @@ ssl3_get_cert_verify(SSL *s)
                 void *hdata;
                 hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
                 if (hdatalen <= 0) {
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         al = SSL_AD_INTERNAL_ERROR;
                         goto f_err;
                 }
                 if (!EVP_VerifyInit_ex(&mctx, md, NULL) ||
                     !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                        SSLerror(
                             ERR_R_EVP_LIB);
                         al = SSL_AD_INTERNAL_ERROR;
                         goto f_err;
@@ -2340,7 +2332,7 @@ ssl3_get_cert_verify(SSL *s)
 
                 if (EVP_VerifyFinal(&mctx, p, i, pkey) <= 0) {
                         al = SSL_AD_DECRYPT_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                        SSLerror(
                             SSL_R_BAD_SIGNATURE);
                         goto f_err;
                 }
@@ -2351,13 +2343,13 @@ ssl3_get_cert_verify(SSL *s)
                     pkey->pkey.rsa);
                 if (i < 0) {
                         al = SSL_AD_DECRYPT_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                        SSLerror(
                             SSL_R_BAD_RSA_DECRYPT);
                         goto f_err;
                 }
                 if (i == 0) {
                         al = SSL_AD_DECRYPT_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                        SSLerror(
                             SSL_R_BAD_RSA_SIGNATURE);
                         goto f_err;
                 }
@@ -2369,7 +2361,7 @@ ssl3_get_cert_verify(SSL *s)
                 if (j <= 0) {
                         /* bad signature */
                         al = SSL_AD_DECRYPT_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                        SSLerror(
                             SSL_R_BAD_DSA_SIGNATURE);
                         goto f_err;
                 }
@@ -2381,7 +2373,7 @@ ssl3_get_cert_verify(SSL *s)
                 if (j <= 0) {
                         /* bad signature */
                         al = SSL_AD_DECRYPT_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                        SSLerror(
                             SSL_R_BAD_ECDSA_SIGNATURE);
                         goto f_err;
                 }
@@ -2398,21 +2390,21 @@ ssl3_get_cert_verify(SSL *s)
 
                 hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
                 if (hdatalen <= 0) {
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         al = SSL_AD_INTERNAL_ERROR;
                         goto f_err;
                 }
                 if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
                                 !(md = EVP_get_digestbynid(nid))) {
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                        SSLerror(
                                         ERR_R_EVP_LIB);
                         al = SSL_AD_INTERNAL_ERROR;
                         goto f_err;
                 }
                 pctx = EVP_PKEY_CTX_new(pkey, NULL);
                 if (!pctx) {
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                        SSLerror(
                             ERR_R_EVP_LIB);
                         al = SSL_AD_INTERNAL_ERROR;
                         goto f_err;
@@ -2426,7 +2418,7 @@ ssl3_get_cert_verify(SSL *s)
                                        EVP_PKEY_CTRL_GOST_SIG_FORMAT,
                                        GOST_SIG_FORMAT_RS_LE,
                                        NULL) <= 0)) {
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                        SSLerror(
                             ERR_R_EVP_LIB);
                         al = SSL_AD_INTERNAL_ERROR;
                         EVP_PKEY_CTX_free(pctx);
@@ -2435,7 +2427,7 @@ ssl3_get_cert_verify(SSL *s)
 
                 if (EVP_PKEY_verify(pctx, p, i, signature, siglen) <= 0) {
                         al = SSL_AD_DECRYPT_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                        SSLerror(
                             SSL_R_BAD_SIGNATURE);
                         EVP_PKEY_CTX_free(pctx);
                         goto f_err;
@@ -2445,7 +2437,7 @@ ssl3_get_cert_verify(SSL *s)
         } else
 #endif
         {
-                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,
+                SSLerror(
                     ERR_R_INTERNAL_ERROR);
                 al = SSL_AD_UNSUPPORTED_CERTIFICATE;
                 goto f_err;
@@ -2456,7 +2448,7 @@ ssl3_get_cert_verify(SSL *s)
         if (0) {
 truncated:
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_PACKET_LENGTH);
+                SSLerror(SSL_R_BAD_PACKET_LENGTH);
 f_err:
                 ssl3_send_alert(s, SSL3_AL_FATAL, al);
         }
@@ -2490,7 +2482,7 @@ ssl3_get_client_certificate(SSL *s)
         if (S3I(s)->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
                 if ((s->verify_mode & SSL_VERIFY_PEER) &&
                     (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+                        SSLerror(
                             SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
                         al = SSL_AD_HANDSHAKE_FAILURE;
                         goto f_err;
@@ -2500,7 +2492,7 @@ ssl3_get_client_certificate(SSL *s)
                  * the client must return a 0 list.
                  */
                 if (S3I(s)->tmp.cert_request) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+                        SSLerror(
                             SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
                             );
                         al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -2512,7 +2504,7 @@ ssl3_get_client_certificate(SSL *s)
 
         if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) {
                 al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+                SSLerror(
                     SSL_R_WRONG_MESSAGE_TYPE);
                 goto f_err;
         }
@@ -2523,7 +2515,7 @@ ssl3_get_client_certificate(SSL *s)
         CBS_init(&cbs, s->internal->init_msg, n);
 
         if ((sk = sk_X509_new_null()) == NULL) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 goto err;
         }
@@ -2537,7 +2529,7 @@ ssl3_get_client_certificate(SSL *s)
 
                 if (!CBS_get_u24_length_prefixed(&client_certs, &cert)) {
                         al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+                        SSLerror(
                             SSL_R_CERT_LENGTH_MISMATCH);
                         goto f_err;
                 }
@@ -2545,18 +2537,18 @@ ssl3_get_client_certificate(SSL *s)
                 q = CBS_data(&cert);
                 x = d2i_X509(NULL, &q, CBS_len(&cert));
                 if (x == NULL) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+                        SSLerror(
                             ERR_R_ASN1_LIB);
                         goto err;
                 }
                 if (q != CBS_data(&cert) + CBS_len(&cert)) {
                         al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+                        SSLerror(
                             SSL_R_CERT_LENGTH_MISMATCH);
                         goto f_err;
                 }
                 if (!sk_X509_push(sk, x)) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+                        SSLerror(
                             ERR_R_MALLOC_FAILURE);
                         goto err;
                 }
@@ -2570,7 +2562,7 @@ ssl3_get_client_certificate(SSL *s)
                  */
                 if ((s->verify_mode & SSL_VERIFY_PEER) &&
                     (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+                        SSLerror(
                             SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
                         al = SSL_AD_HANDSHAKE_FAILURE;
                         goto f_err;
@@ -2584,7 +2576,7 @@ ssl3_get_client_certificate(SSL *s)
                 i = ssl_verify_cert_chain(s, sk);
                 if (i <= 0) {
                         al = ssl_verify_alarm_type(s->verify_result);
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+                        SSLerror(
                             SSL_R_NO_CERTIFICATE_RETURNED);
                         goto f_err;
                 }
@@ -2601,7 +2593,7 @@ ssl3_get_client_certificate(SSL *s)
         if (SSI(s)->sess_cert == NULL) {
                 SSI(s)->sess_cert = ssl_sess_cert_new();
                 if (SSI(s)->sess_cert == NULL) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+                        SSLerror(
                             ERR_R_MALLOC_FAILURE);
                         goto err;
                 }
@@ -2620,7 +2612,7 @@ ssl3_get_client_certificate(SSL *s)
         if (0) {
 truncated:
                 al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+                SSLerror(
                     SSL_R_BAD_PACKET_LENGTH);
 f_err:
                 ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -2646,7 +2638,7 @@ ssl3_send_server_certificate(SSL *s)
 
         if (s->internal->state == SSL3_ST_SW_CERT_A) {
                 if ((x = ssl_get_server_send_cert(s)) == NULL) {
-                        SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         return (0);
                 }
@@ -2865,7 +2857,7 @@ ssl3_get_next_proto(SSL *s)
          * extension in their ClientHello
          */
         if (!S3I(s)->next_proto_neg_seen) {
-                SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
+                SSLerror(
                     SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
                 return (-1);
         }
@@ -2882,7 +2874,7 @@ ssl3_get_next_proto(SSL *s)
          * by ssl3_get_finished).
          */
         if (!S3I(s)->change_cipher_spec) {
-                SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
+                SSLerror(
                     SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
                 return (-1);
         }
@@ -2913,7 +2905,7 @@ ssl3_get_next_proto(SSL *s)
         s->internal->next_proto_negotiated_len = 0;
 
         if (!CBS_stow(&proto, &s->internal->next_proto_negotiated, &len)) {
-                SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,
+                SSLerror(
                     ERR_R_MALLOC_FAILURE);
                 return (0);
         }
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
index c3626dc03a..f654d0b3a1 100644
--- a/src/lib/libssl/ssl_txt.c
+++ b/src/lib/libssl/ssl_txt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_txt.c,v 1.26 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: ssl_txt.c,v 1.27 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -95,7 +95,7 @@ SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
         int ret;
 
         if ((b = BIO_new(BIO_s_file_internal())) == NULL) {
-                SSLerr(SSL_F_SSL_SESSION_PRINT_FP, ERR_R_BUF_LIB);
+                SSLerror(ERR_R_BUF_LIB);
                 return (0);
         }
         BIO_set_fp(b, fp, BIO_NOCLOSE);
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 3181b63e39..f79219561a 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.93 2017/01/23 14:35:42 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.94 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -203,7 +203,7 @@ tls1_finish_mac(SSL *s, const unsigned char *buf, int len)
                 if (S3I(s)->handshake_dgst[i] == NULL)
                         continue;
                 if (!EVP_DigestUpdate(S3I(s)->handshake_dgst[i], buf, len)) {
-                        SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_EVP_LIB);
+                        SSLerror(ERR_R_EVP_LIB);
                         return 0;
                 }
         }
@@ -223,12 +223,12 @@ tls1_digest_cached_records(SSL *s)
 
         S3I(s)->handshake_dgst = calloc(SSL_MAX_DIGEST, sizeof(EVP_MD_CTX *));
         if (S3I(s)->handshake_dgst == NULL) {
-                SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 goto err;
         }
         hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
         if (hdatalen <= 0) {
-                SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS,
+                SSLerror(
                     SSL_R_BAD_HANDSHAKE_LENGTH);
                 goto err;
         }
@@ -240,17 +240,17 @@ tls1_digest_cached_records(SSL *s)
 
                 S3I(s)->handshake_dgst[i] = EVP_MD_CTX_create();
                 if (S3I(s)->handshake_dgst[i] == NULL) {
-                        SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS,
+                        SSLerror(
                             ERR_R_MALLOC_FAILURE);
                         goto err;
                 }
                 if (!EVP_DigestInit_ex(S3I(s)->handshake_dgst[i], md, NULL)) {
-                        SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_EVP_LIB);
+                        SSLerror(ERR_R_EVP_LIB);
                         goto err;
                 }
                 if (!EVP_DigestUpdate(S3I(s)->handshake_dgst[i], hdata,
                     hdatalen)) {
-                        SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_EVP_LIB);
+                        SSLerror(ERR_R_EVP_LIB);
                         goto err;
                 }
         }
@@ -385,7 +385,7 @@ tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2,
                         count++;
         }
         if (count == 0) {
-                SSLerr(SSL_F_TLS1_PRF,
+                SSLerror(
                     SSL_R_SSL_HANDSHAKE_FAILURE);
                 goto err;
         }
@@ -397,7 +397,7 @@ tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2,
         for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) {
                 if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) {
                         if (!md) {
-                                SSLerr(SSL_F_TLS1_PRF,
+                                SSLerror(
                                     SSL_R_UNSUPPORTED_DIGEST_TYPE);
                                 goto err;
                         }
@@ -446,7 +446,7 @@ tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx)
 
         *aead_ctx = malloc(sizeof(SSL_AEAD_CTX));
         if (*aead_ctx == NULL) {
-                SSLerr(SSL_F_TLS1_AEAD_CTX_INIT, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 return (0);
         }
 
@@ -474,7 +474,7 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,
             EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
                 return (0);
         if (iv_len > sizeof(aead_ctx->fixed_nonce)) {
-                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD,
+                SSLerror(
                     ERR_R_INTERNAL_ERROR);
                 return (0);
         }
@@ -491,14 +491,14 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,
         if (aead_ctx->xor_fixed_nonce) {
                 if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) ||
                     aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) {
-                        SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         return (0);
                 }
         } else {
                 if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len !=
                     EVP_AEAD_nonce_length(aead)) {
-                        SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         return (0);
                 }
@@ -610,7 +610,7 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys,
         return (1);
 
 err:
-        SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER, ERR_R_MALLOC_FAILURE);
+        SSLerror(ERR_R_MALLOC_FAILURE);
         return (0);
 }
 
@@ -695,7 +695,7 @@ tls1_change_cipher_state(SSL *s, int which)
         }
 
         if (key_block - S3I(s)->tmp.key_block != S3I(s)->tmp.key_block_length) {
-                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+                SSLerror(ERR_R_INTERNAL_ERROR);
                 goto err2;
         }
 
@@ -736,7 +736,7 @@ tls1_setup_key_block(SSL *s)
         if (s->session->cipher &&
             (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)) {
                 if (!ssl_cipher_get_evp_aead(s->session, &aead)) {
-                        SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,
+                        SSLerror(
                             SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
                         return (0);
                 }
@@ -745,7 +745,7 @@ tls1_setup_key_block(SSL *s)
         } else {
                 if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type,
                     &mac_secret_size)) {
-                        SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,
+                        SSLerror(
                             SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
                         return (0);
                 }
@@ -767,7 +767,7 @@ tls1_setup_key_block(SSL *s)
 
         if ((key_block = reallocarray(NULL, mac_secret_size + key_len + iv_len,
             2)) == NULL) {
-                SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 goto err;
         }
         key_block_len = (mac_secret_size + key_len + iv_len) * 2;
@@ -776,7 +776,7 @@ tls1_setup_key_block(SSL *s)
         S3I(s)->tmp.key_block = key_block;
 
         if ((tmp_block = malloc(key_block_len)) == NULL) {
-                SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
+                SSLerror(ERR_R_MALLOC_FAILURE);
                 goto err;
         }
 
@@ -1114,7 +1114,7 @@ tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
                 }
         }
         if (d == NULL) {
-                SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC, SSL_R_NO_REQUIRED_DIGEST);
+                SSLerror(SSL_R_NO_REQUIRED_DIGEST);
                 return 0;
         }
 
@@ -1345,12 +1345,12 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
 
         goto ret;
 err1:
-        SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL,
+        SSLerror(
             SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
         rv = 0;
         goto ret;
 err2:
-        SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE);
+        SSLerror(ERR_R_MALLOC_FAILURE);
         rv = 0;
 ret:
         free(buff);
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 3585a3ac55..b3e86c0a31 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.112 2017/01/26 06:32:58 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.113 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -742,7 +742,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                 int el;
 
                 if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
-                        SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         return NULL;
                 }
@@ -754,7 +754,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                 s2n(el, ret);
 
                 if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
-                        SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         return NULL;
                 }
@@ -780,7 +780,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                 if (formatslen > lenmax)
                         return NULL;
                 if (formatslen > 255) {
-                        SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         return NULL;
                 }
@@ -803,7 +803,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                 if (curveslen * 2 > lenmax)
                         return NULL;
                 if (curveslen * 2 > 65532) {
-                        SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         return NULL;
                 }
@@ -946,7 +946,7 @@ skip_ext:
                 s2n(el, ret);
 
                 if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
-                        SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         return NULL;
                 }
@@ -1025,7 +1025,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                 int el;
 
                 if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
-                        SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         return NULL;
                 }
@@ -1037,7 +1037,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                 s2n(el, ret);
 
                 if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
-                        SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         return NULL;
                 }
@@ -1061,7 +1061,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                 if (formatslen > lenmax)
                         return NULL;
                 if (formatslen > 255) {
-                        SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         return NULL;
                 }
@@ -1108,7 +1108,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                 s2n(el, ret);
 
                 if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
-                        SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT,
+                        SSLerror(
                             ERR_R_INTERNAL_ERROR);
                         return NULL;
                 }
@@ -1627,7 +1627,7 @@ ri_check:
 
         if (!renegotiate_seen && s->internal->renegotiate) {
                 *al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,
+                SSLerror(
                     SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
                 return 0;
         }
@@ -1880,7 +1880,7 @@ ri_check:
         if (!renegotiate_seen &&
             !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
                 *al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
+                SSLerror(
                     SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
                 return 0;
         }
@@ -2016,7 +2016,7 @@ ssl_check_serverhello_tlsext(SSL *s)
                         }
                 }
                 if (!found_uncompressed) {
-                        SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
+                        SSLerror(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
                         return -1;
                 }
         }
diff --git a/src/lib/libssl/t1_reneg.c b/src/lib/libssl/t1_reneg.c
index 52f17b7d2b..ea432554b0 100644
--- a/src/lib/libssl/t1_reneg.c
+++ b/src/lib/libssl/t1_reneg.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_reneg.c,v 1.12 2017/01/22 09:02:07 jsing Exp $ */
+/* $OpenBSD: t1_reneg.c,v 1.13 2017/01/26 10:40:21 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -123,7 +123,7 @@ ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
 {
         if (p) {
                 if ((S3I(s)->previous_client_finished_len + 1) > maxlen) {
-                        SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT,
+                        SSLerror(
                             SSL_R_RENEGOTIATE_EXT_TOO_LONG);
                         return 0;
                 }
@@ -151,7 +151,7 @@ ssl_parse_clienthello_renegotiate_ext(SSL *s, const unsigned char *d, int len,
         CBS cbs, reneg;
 
         if (len < 0) {
-                SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,
+                SSLerror(
                     SSL_R_RENEGOTIATION_ENCODING_ERR);
                 *al = SSL_AD_ILLEGAL_PARAMETER;
                 return 0;
@@ -161,7 +161,7 @@ ssl_parse_clienthello_renegotiate_ext(SSL *s, const unsigned char *d, int len,
         if (!CBS_get_u8_length_prefixed(&cbs, &reneg) ||
             /* Consistency check */
             CBS_len(&cbs) != 0) {
-                SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,
+                SSLerror(
                     SSL_R_RENEGOTIATION_ENCODING_ERR);
                 *al = SSL_AD_ILLEGAL_PARAMETER;
                 return 0;
@@ -169,7 +169,7 @@ ssl_parse_clienthello_renegotiate_ext(SSL *s, const unsigned char *d, int len,
 
         /* Check that the extension matches */
         if (CBS_len(&reneg) != S3I(s)->previous_client_finished_len) {
-                SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,
+                SSLerror(
                     SSL_R_RENEGOTIATION_MISMATCH);
                 *al = SSL_AD_HANDSHAKE_FAILURE;
                 return 0;
@@ -177,7 +177,7 @@ ssl_parse_clienthello_renegotiate_ext(SSL *s, const unsigned char *d, int len,
 
         if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished,
             S3I(s)->previous_client_finished_len)) {
-                SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,
+                SSLerror(
                     SSL_R_RENEGOTIATION_MISMATCH);
                 *al = SSL_AD_HANDSHAKE_FAILURE;
                 return 0;
@@ -196,7 +196,7 @@ ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
         if (p) {
                 if ((S3I(s)->previous_client_finished_len +
                     S3I(s)->previous_server_finished_len + 1) > maxlen) {
-                        SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT,
+                        SSLerror(
                             SSL_R_RENEGOTIATE_EXT_TOO_LONG);
                         return 0;
                 }
@@ -235,7 +235,7 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i
         OPENSSL_assert(!expected_len || S3I(s)->previous_server_finished_len);
 
         if (len < 0) {
-                SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,
+                SSLerror(
                     SSL_R_RENEGOTIATION_ENCODING_ERR);
                 *al = SSL_AD_ILLEGAL_PARAMETER;
                 return 0;
@@ -246,7 +246,7 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i
         if (!CBS_get_u8_length_prefixed(&cbs, &reneg) ||
             /* Consistency check */
             CBS_len(&cbs) != 0) {
-                SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,
+                SSLerror(
                     SSL_R_RENEGOTIATION_ENCODING_ERR);
                 *al = SSL_AD_ILLEGAL_PARAMETER;
                 return 0;
@@ -259,7 +259,7 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i
             !CBS_get_bytes(&reneg, &previous_server,
             S3I(s)->previous_server_finished_len) ||
             CBS_len(&reneg) != 0) {
-                SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,
+                SSLerror(
                     SSL_R_RENEGOTIATION_MISMATCH);
                 *al = SSL_AD_HANDSHAKE_FAILURE;
                 return 0;
@@ -267,14 +267,14 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i
 
         if (!CBS_mem_equal(&previous_client, S3I(s)->previous_client_finished,
             CBS_len(&previous_client))) {
-                SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,
+                SSLerror(
                     SSL_R_RENEGOTIATION_MISMATCH);
                 *al = SSL_AD_HANDSHAKE_FAILURE;
                 return 0;
         }
         if (!CBS_mem_equal(&previous_server, S3I(s)->previous_server_finished,
             CBS_len(&previous_server))) {
-                SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,
+                SSLerror(
                     SSL_R_RENEGOTIATION_MISMATCH);
                 *al = SSL_AD_ILLEGAL_PARAMETER;
                 return 0;