Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly

line wraps that resulted
author: beck <> 2017-01-26 12:16:13 +0000
committer: beck <> 2017-01-26 12:16:13 +0000
commit: 5ae189b08474853c519a12e66db1c17cfc3c9c8f (patch)
tree: b95866f4795db86411300333c648e4ce8e941899 /src
parent: 10f32610e82e44521c0094ae91acbca090d36a58 (diff)
download: openbsd-5ae189b08474853c519a12e66db1c17cfc3c9c8f.tar.gz
openbsd-5ae189b08474853c519a12e66db1c17cfc3c9c8f.tar.bz2
openbsd-5ae189b08474853c519a12e66db1c17cfc3c9c8f.zip
18 files changed, 335 insertions, 653 deletions
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index fb7e289d96..0e4317653d 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.47 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: d1_both.c,v 1.48 2017/01/26 12:16:13 beck Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -410,8 +410,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                S3I(s)->tmp.reuse_message = 0;
                if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) {
                        al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerror(
+                        SSLerror(SSL_R_UNEXPECTED_MESSAGE);
-                            SSL_R_UNEXPECTED_MESSAGE);
                        goto f_err;
                }
                *ok = 1;
@@ -476,14 +475,12 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
        /* sanity checking */
        if ((frag_off + frag_len) > msg_len) {
-                SSLerror(
+                SSLerror(SSL_R_EXCESSIVE_MESSAGE_SIZE);
-                    SSL_R_EXCESSIVE_MESSAGE_SIZE);
                return SSL_AD_ILLEGAL_PARAMETER;
        }
        if ((frag_off + frag_len) > (unsigned long)max) {
-                SSLerror(
+                SSLerror(SSL_R_EXCESSIVE_MESSAGE_SIZE);
-                    SSL_R_EXCESSIVE_MESSAGE_SIZE);
                return SSL_AD_ILLEGAL_PARAMETER;
        }
@@ -509,8 +506,7 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
                 * They must be playing with us! BTW, failure to enforce
                 * upper limit would open possibility for buffer overrun.
                 */
-                SSLerror(
+                SSLerror(SSL_R_EXCESSIVE_MESSAGE_SIZE);
-                    SSL_R_EXCESSIVE_MESSAGE_SIZE);
                return SSL_AD_ILLEGAL_PARAMETER;
        }
@@ -803,8 +799,7 @@ again:
            /* parse the message fragment header */
            dtls1_get_message_header(wire, &msg_hdr) == 0) {
                al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerror(
+                SSLerror(SSL_R_UNEXPECTED_MESSAGE);
-                    SSL_R_UNEXPECTED_MESSAGE);
                goto f_err;
        }
@@ -846,8 +841,7 @@ again:
                else /* Incorrectly formated Hello request */
                {
                        al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerror(
+                        SSLerror(SSL_R_UNEXPECTED_MESSAGE);
-                            SSL_R_UNEXPECTED_MESSAGE);
                        goto f_err;
                }
        }
@@ -878,8 +872,7 @@ again:
         */
        if (i != (int)frag_len) {
                al = SSL3_AD_ILLEGAL_PARAMETER;
-                SSLerror(
+                SSLerror(SSL3_AD_ILLEGAL_PARAMETER);
-                    SSL3_AD_ILLEGAL_PARAMETER);
                goto f_err;
        }
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index fd981c5f8e..6e124c7a85 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.72 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.73 2017/01/26 12:16:13 beck Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -216,8 +216,7 @@ dtls1_connect(SSL *s)
                                cb(s, SSL_CB_HANDSHAKE_START, 1);
                        if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00)) {
-                                SSLerror(
+                                SSLerror(ERR_R_INTERNAL_ERROR);
-                                    ERR_R_INTERNAL_ERROR);
                                ret = -1;
                                goto end;
                        }
diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c
index b98c04b7cf..82dc8bfdef 100644
--- a/src/lib/libssl/d1_srtp.c
+++ b/src/lib/libssl/d1_srtp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srtp.c,v 1.19 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: d1_srtp.c,v 1.20 2017/01/26 12:16:13 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -187,8 +187,7 @@ ssl_ctx_make_profiles(const char *profiles_string,
        SRTP_PROTECTION_PROFILE *p;
        if (!(profiles = sk_SRTP_PROTECTION_PROFILE_new_null())) {
-                SSLerror(
+                SSLerror(SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES);
-                    SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES);
                return 1;
        }
@@ -199,8 +198,7 @@ ssl_ctx_make_profiles(const char *profiles_string,
                    col ? col - ptr : (int)strlen(ptr))) {
                        sk_SRTP_PROTECTION_PROFILE_push(profiles, p);
                } else {
-                        SSLerror(
+                        SSLerror(SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
-                            SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
                        sk_SRTP_PROTECTION_PROFILE_free(profiles);
                        return 1;
                }
@@ -264,14 +262,12 @@ ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
        if (p) {
                if (ct == 0) {
-                        SSLerror(
+                        SSLerror(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
-                            SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
                        return 1;
                }
                if ((2 + ct * 2 + 1) > maxlen) {
-                        SSLerror(
+                        SSLerror(SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
-                            SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
                        return 1;
                }
@@ -304,8 +300,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len,
        CBS cbs, ciphers, mki;
        if (len < 0) {
-                SSLerror(
+                SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-                    SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
                *al = SSL_AD_DECODE_ERROR;
                goto done;
        }
@@ -314,8 +309,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len,
        /* Pull off the cipher suite list */
        if (!CBS_get_u16_length_prefixed(&cbs, &ciphers) ||
            CBS_len(&ciphers) % 2) {
-                SSLerror(
+                SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-                    SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
                *al = SSL_AD_DECODE_ERROR;
                goto done;
        }
@@ -324,8 +318,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len,
        while (CBS_len(&ciphers) > 0) {
                if (!CBS_get_u16(&ciphers, &id)) {
-                        SSLerror(
+                        SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-                            SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
                        *al = SSL_AD_DECODE_ERROR;
                        goto done;
                }
@@ -339,8 +332,7 @@ ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d, int len,
        /* Extract the MKI value as a sanity check, but discard it for now. */
        if (!CBS_get_u8_length_prefixed(&cbs, &mki) ||
            CBS_len(&cbs) != 0) {
-                SSLerror(
+                SSLerror(SSL_R_BAD_SRTP_MKI_VALUE);
-                    SSL_R_BAD_SRTP_MKI_VALUE);
                *al = SSL_AD_DECODE_ERROR;
                goto done;
        }
@@ -381,14 +373,12 @@ ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
 {
        if (p) {
                if (maxlen < 5) {
-                        SSLerror(
+                        SSLerror(SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
-                            SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
                        return 1;
                }
                if (s->internal->srtp_profile == 0) {
-                        SSLerror(
+                        SSLerror(SSL_R_USE_SRTP_NOT_NEGOTIATED);
-                            SSL_R_USE_SRTP_NOT_NEGOTIATED);
                        return 1;
                }
                s2n(2, p);
@@ -411,8 +401,7 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int
        CBS cbs, profile_ids, mki;
        if (len < 0) {
-                SSLerror(
+                SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-                    SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
                *al = SSL_AD_DECODE_ERROR;
                return 1;
        }
@@ -425,16 +414,14 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int
         */
        if (!CBS_get_u16_length_prefixed(&cbs, &profile_ids) ||
            !CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
-                SSLerror(
+                SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-                    SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
                *al = SSL_AD_DECODE_ERROR;
                return 1;
        }
        /* Must be no MKI, since we never offer one. */
        if (!CBS_get_u8_length_prefixed(&cbs, &mki) || CBS_len(&mki) != 0) {
-                SSLerror(
+                SSLerror(SSL_R_BAD_SRTP_MKI_VALUE);
-                    SSL_R_BAD_SRTP_MKI_VALUE);
                *al = SSL_AD_ILLEGAL_PARAMETER;
                return 1;
        }
@@ -443,8 +430,7 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int
        /* Throw an error if the server gave us an unsolicited extension. */
        if (clnt == NULL) {
-                SSLerror(
+                SSLerror(SSL_R_NO_SRTP_PROFILES);
-                    SSL_R_NO_SRTP_PROFILES);
                *al = SSL_AD_DECODE_ERROR;
                return 1;
        }
@@ -463,8 +449,7 @@ ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int
                }
        }
-        SSLerror(
+        SSLerror(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-            SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
        *al = SSL_AD_DECODE_ERROR;
        return 1;
 }
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 80d7d639c3..fa860b8d5a 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.82 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.83 2017/01/26 12:16:13 beck Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -506,8 +506,7 @@ dtls1_accept(SSL *s)
                                 * at this point and digest cached records.
                                 */
                                if (!S3I(s)->handshake_buffer) {
-                                        SSLerror(
+                                        SSLerror(ERR_R_INTERNAL_ERROR);
-                                            ERR_R_INTERNAL_ERROR);
                                        ret = -1;
                                        goto end;
                                }
@@ -706,8 +705,7 @@ dtls1_send_hello_verify_request(SSL *s)
                if (s->ctx->internal->app_gen_cookie_cb == NULL ||
                    s->ctx->internal->app_gen_cookie_cb(s,
                        D1I(s)->cookie, &(D1I(s)->cookie_len)) == 0) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        return 0;
                }
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 6287f6cbc6..108cc9f71e 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.132 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.133 2017/01/26 12:16:13 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1980,8 +1980,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
        if (cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) {
                if (!ssl_cert_inst(&s->cert)) {
-                        SSLerror(
+                        SSLerror(ERR_R_MALLOC_FAILURE);
-                            ERR_R_MALLOC_FAILURE);
                        return (0);
                }
        }
@@ -2016,13 +2015,11 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                {
                        DH *dh = (DH *)parg;
                        if (dh == NULL) {
-                                SSLerror(
+                                SSLerror(ERR_R_PASSED_NULL_PARAMETER);
-                                    ERR_R_PASSED_NULL_PARAMETER);
                                return (ret);
                        }
                        if ((dh = DHparams_dup(dh)) == NULL) {
-                                SSLerror(
+                                SSLerror(ERR_R_DH_LIB);
-                                    ERR_R_DH_LIB);
                                return (ret);
                        }
                        DH_free(s->cert->dh_tmp);
@@ -2044,21 +2041,18 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                        EC_KEY *ecdh = NULL;
                        if (parg == NULL) {
-                                SSLerror(
+                                SSLerror(ERR_R_PASSED_NULL_PARAMETER);
-                                    ERR_R_PASSED_NULL_PARAMETER);
                                return (ret);
                        }
                        if (!EC_KEY_up_ref((EC_KEY *)parg)) {
-                                SSLerror(
+                                SSLerror(ERR_R_ECDH_LIB);
-                                    ERR_R_ECDH_LIB);
                                return (ret);
                        }
                        ecdh = (EC_KEY *)parg;
                        if (!(s->internal->options & SSL_OP_SINGLE_ECDH_USE)) {
                                if (!EC_KEY_generate_key(ecdh)) {
                                        EC_KEY_free(ecdh);
-                                        SSLerror(
+                                        SSLerror(ERR_R_ECDH_LIB);
-                                            ERR_R_ECDH_LIB);
                                        return (ret);
                                }
                        }
@@ -2069,8 +2063,7 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                break;
        case SSL_CTRL_SET_TMP_ECDH_CB:
                {
-                        SSLerror(
+                        SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                            ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                        return (ret);
                }
                break;
@@ -2083,19 +2076,16 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                        if (parg == NULL)
                                break;
                        if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) {
-                                SSLerror(
+                                SSLerror(SSL_R_SSL3_EXT_INVALID_SERVERNAME);
-                                    SSL_R_SSL3_EXT_INVALID_SERVERNAME);
                                return 0;
                        }
                        if ((s->tlsext_hostname = strdup((char *)parg))
                            == NULL) {
-                                SSLerror(
+                                SSLerror(ERR_R_INTERNAL_ERROR);
-                                    ERR_R_INTERNAL_ERROR);
                                return 0;
                        }
                } else {
-                        SSLerror(
+                        SSLerror(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
-                            SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
                        return 0;
                }
                break;
@@ -2177,8 +2167,7 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
        if (cmd == SSL_CTRL_SET_TMP_DH_CB) {
                if (!ssl_cert_inst(&s->cert)) {
-                        SSLerror(
+                        SSLerror(ERR_R_MALLOC_FAILURE);
-                            ERR_R_MALLOC_FAILURE);
                        return (0);
                }
        }
@@ -2223,8 +2212,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                        dh = (DH *)parg;
                        if ((new = DHparams_dup(dh)) == NULL) {
-                                SSLerror(
+                                SSLerror(ERR_R_DH_LIB);
-                                    ERR_R_DH_LIB);
                                return 0;
                        }
                        DH_free(cert->dh_tmp);
@@ -2246,21 +2234,18 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                        EC_KEY *ecdh = NULL;
                        if (parg == NULL) {
-                                SSLerror(
+                                SSLerror(ERR_R_ECDH_LIB);
-                                    ERR_R_ECDH_LIB);
                                return 0;
                        }
                        ecdh = EC_KEY_dup((EC_KEY *)parg);
                        if (ecdh == NULL) {
-                                SSLerror(
+                                SSLerror(ERR_R_EC_LIB);
-                                    ERR_R_EC_LIB);
                                return 0;
                        }
                        if (!(ctx->internal->options & SSL_OP_SINGLE_ECDH_USE)) {
                                if (!EC_KEY_generate_key(ecdh)) {
                                        EC_KEY_free(ecdh);
-                                        SSLerror(
+                                        SSLerror(ERR_R_ECDH_LIB);
-                                            ERR_R_ECDH_LIB);
                                        return 0;
                                }
                        }
@@ -2272,8 +2257,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                /* break; */
        case SSL_CTRL_SET_TMP_ECDH_CB:
                {
-                        SSLerror(
+                        SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                            ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                        return (0);
                }
                break;
@@ -2287,8 +2271,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                        if (!keys)
                                return 48;
                        if (larg != 48) {
-                                SSLerror(
+                                SSLerror(SSL_R_INVALID_TICKET_KEYS_LENGTH);
-                                    SSL_R_INVALID_TICKET_KEYS_LENGTH);
                                return 0;
                        }
                        if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) {
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index 707feb6d09..0a33002809 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.3 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.4 2017/01/26 12:16:13 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -365,8 +365,7 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, X509 *x)
                        if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store,
                            x, NULL)) {
-                                SSLerror(
+                                SSLerror(ERR_R_X509_LIB);
-                                    ERR_R_X509_LIB);
                                goto err;
                        }
                        X509_verify_cert(&xs_ctx);
@@ -420,8 +419,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                S3I(s)->tmp.reuse_message = 0;
                if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) {
                        al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerror(
+                        SSLerror(SSL_R_UNEXPECTED_MESSAGE);
-                            SSL_R_UNEXPECTED_MESSAGE);
                        goto f_err;
                }
                *ok = 1;
@@ -473,8 +471,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                if ((mt >= 0) && (*p != mt)) {
                        al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerror(
+                        SSLerror(SSL_R_UNEXPECTED_MESSAGE);
-                            SSL_R_UNEXPECTED_MESSAGE);
                        goto f_err;
                }
@@ -488,8 +485,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                if (l > (unsigned long)max) {
                        al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerror(
+                        SSLerror(SSL_R_EXCESSIVE_MESSAGE_SIZE);
-                            SSL_R_EXCESSIVE_MESSAGE_SIZE);
                        goto f_err;
                }
                if (l && !BUF_MEM_grow_clean(s->internal->init_buf, l + 4)) {
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 4f714f751a..e608bcfea4 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.61 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.62 2017/01/26 12:16:13 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -587,8 +587,7 @@ SSL_load_client_CA_file(const char *file)
                if (ret == NULL) {
                        ret = sk_X509_NAME_new_null();
                        if (ret == NULL) {
-                                SSLerror(
+                                SSLerror(ERR_R_MALLOC_FAILURE);
-                                    ERR_R_MALLOC_FAILURE);
                                goto err;
                        }
                }
@@ -643,8 +642,7 @@ SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
        in = BIO_new(BIO_s_file_internal());
        if (in == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                goto err;
        }
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index c1dee99e58..f167244eb4 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.91 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.92 2017/01/26 12:16:13 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1162,8 +1162,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
                                 * it is no command or separator nor
                                 * alphanumeric, so we call this an error.
                                 */
-                                SSLerror(
+                                SSLerror(SSL_R_INVALID_COMMAND);
-                                    SSL_R_INVALID_COMMAND);
                                retval = found = 0;
                                l++;
                                break;
@@ -1309,8 +1308,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
                        if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8))
                                ok = ssl_cipher_strength_sort(head_p, tail_p);
                        else
-                                SSLerror(
+                                SSLerror(SSL_R_INVALID_COMMAND);
-                                    SSL_R_INVALID_COMMAND);
                        if (ok == 0)
                                retval = 0;
                        /*
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index c8d4aca1c3..6f2edf5d90 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.3 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.4 2017/01/26 12:16:13 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -211,8 +211,7 @@ ssl3_connect(SSL *s)
                                cb(s, SSL_CB_HANDSHAKE_START, 1);
                        if ((s->version & 0xff00 ) != 0x0300) {
-                                SSLerror(
+                                SSLerror(ERR_R_INTERNAL_ERROR);
-                                    ERR_R_INTERNAL_ERROR);
                                ret = -1;
                                goto end;
                        }
@@ -551,8 +550,7 @@ ssl3_connect(SSL *s)
                        /* break; */
                default:
-                        SSLerror(
+                        SSLerror(SSL_R_UNKNOWN_STATE);
-                            SSL_R_UNKNOWN_STATE);
                        ret = -1;
                        goto end;
                        /* break; */
@@ -597,8 +595,7 @@ ssl3_client_hello(SSL *s)
                SSL_SESSION *sess = s->session;
                if (ssl_supported_version_range(s, NULL, &max_version) != 1) {
-                        SSLerror(
+                        SSLerror(SSL_R_NO_PROTOCOLS_AVAILABLE);
-                            SSL_R_NO_PROTOCOLS_AVAILABLE);
                        return (-1);
                }
                s->client_version = s->version = max_version;
@@ -668,8 +665,7 @@ ssl3_client_hello(SSL *s)
                *(p++) = i;
                if (i != 0) {
                        if (i > (int)sizeof(s->session->session_id)) {
-                                SSLerror(
+                                SSLerror(ERR_R_INTERNAL_ERROR);
-                                    ERR_R_INTERNAL_ERROR);
                                goto err;
                        }
                        memcpy(p, s->session->session_id, i);
@@ -679,8 +675,7 @@ ssl3_client_hello(SSL *s)
                /* DTLS Cookie. */
                if (SSL_IS_DTLS(s)) {
                        if (D1I(s)->cookie_len > sizeof(D1I(s)->cookie)) {
-                                SSLerror(
+                                SSLerror(ERR_R_INTERNAL_ERROR);
-                                    ERR_R_INTERNAL_ERROR);
                                goto err;
                        }
                        *(p++) = D1I(s)->cookie_len;
@@ -693,8 +688,7 @@ ssl3_client_hello(SSL *s)
                    bufend - &p[2], &outlen))
                        goto err;
                if (outlen == 0) {
-                        SSLerror(
+                        SSLerror(SSL_R_NO_CIPHERS_AVAILABLE);
-                            SSL_R_NO_CIPHERS_AVAILABLE);
                        goto err;
                }
                s2n(outlen, p);
@@ -706,8 +700,7 @@ ssl3_client_hello(SSL *s)
                /* TLS extensions*/
                if ((p = ssl_add_clienthello_tlsext(s, p, bufend)) == NULL) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        goto err;
                }
@@ -759,8 +752,7 @@ ssl3_get_server_hello(SSL *s)
                        } else {
                                /* Already sent a cookie. */
                                al = SSL_AD_UNEXPECTED_MESSAGE;
-                                SSLerror(
+                                SSLerror(SSL_R_BAD_MESSAGE_TYPE);
-                                    SSL_R_BAD_MESSAGE_TYPE);
                                goto f_err;
                        }
                }
@@ -768,8 +760,7 @@ ssl3_get_server_hello(SSL *s)
        if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_HELLO) {
                al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerror(
+                SSLerror(SSL_R_BAD_MESSAGE_TYPE);
-                    SSL_R_BAD_MESSAGE_TYPE);
                goto f_err;
        }
@@ -777,8 +768,7 @@ ssl3_get_server_hello(SSL *s)
                goto truncated;
        if (ssl_supported_version_range(s, &min_version, &max_version) != 1) {
-                SSLerror(
+                SSLerror(SSL_R_NO_PROTOCOLS_AVAILABLE);
-                    SSL_R_NO_PROTOCOLS_AVAILABLE);
                goto err;
        }
@@ -812,8 +802,7 @@ ssl3_get_server_hello(SSL *s)
        if ((CBS_len(&session_id) > sizeof(s->session->session_id)) ||
            (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE)) {
                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerror(
+                SSLerror(SSL_R_SSL3_SESSION_ID_TOO_LONG);
-                    SSL_R_SSL3_SESSION_ID_TOO_LONG);
                goto f_err;
        }
@@ -845,8 +834,7 @@ ssl3_get_server_hello(SSL *s)
                    s->sid_ctx, s->sid_ctx_length) != 0) {
                        /* actually a client application bug */
                        al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerror(
+                        SSLerror(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
-                            SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
                        goto f_err;
                }
                s->s3->flags |= SSL3_FLAGS_CCS_OK;
@@ -878,8 +866,7 @@ ssl3_get_server_hello(SSL *s)
        if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) {
                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerror(
+                SSLerror(SSL_R_UNKNOWN_CIPHER_RETURNED);
-                    SSL_R_UNKNOWN_CIPHER_RETURNED);
                goto f_err;
        }
@@ -887,8 +874,7 @@ ssl3_get_server_hello(SSL *s)
        if ((cipher->algorithm_ssl & SSL_TLSV1_2) &&
            (TLS1_get_version(s) < TLS1_2_VERSION)) {
                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerror(
+                SSLerror(SSL_R_WRONG_CIPHER_RETURNED);
-                    SSL_R_WRONG_CIPHER_RETURNED);
                goto f_err;
        }
@@ -897,8 +883,7 @@ ssl3_get_server_hello(SSL *s)
        if (i < 0) {
                /* we did not say we would use this cipher */
                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerror(
+                SSLerror(SSL_R_WRONG_CIPHER_RETURNED);
-                    SSL_R_WRONG_CIPHER_RETURNED);
                goto f_err;
        }
@@ -911,8 +896,7 @@ ssl3_get_server_hello(SSL *s)
                s->session->cipher_id = s->session->cipher->id;
        if (s->internal->hit && (s->session->cipher_id != cipher->id)) {
                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerror(
+                SSLerror(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
-                    SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
                goto f_err;
        }
        S3I(s)->tmp.new_cipher = cipher;
@@ -933,8 +917,7 @@ ssl3_get_server_hello(SSL *s)
        if (compression_method != 0) {
                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerror(
+                SSLerror(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
-                    SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
                goto f_err;
        }
@@ -991,15 +974,13 @@ ssl3_get_server_certificate(SSL *s)
        if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) {
                al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerror(
+                SSLerror(SSL_R_BAD_MESSAGE_TYPE);
-                    SSL_R_BAD_MESSAGE_TYPE);
                goto f_err;
        }
        if ((sk = sk_X509_new_null()) == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                goto err;
        }
@@ -1013,8 +994,7 @@ ssl3_get_server_certificate(SSL *s)
        if (!CBS_get_u24_length_prefixed(&cbs, &cert_list) ||
            CBS_len(&cbs) != 0) {
                al = SSL_AD_DECODE_ERROR;
-                SSLerror(
+                SSLerror(SSL_R_LENGTH_MISMATCH);
-                    SSL_R_LENGTH_MISMATCH);
                goto f_err;
        }
@@ -1025,8 +1005,7 @@ ssl3_get_server_certificate(SSL *s)
                        goto truncated;
                if (!CBS_get_u24_length_prefixed(&cert_list, &cert)) {
                        al = SSL_AD_DECODE_ERROR;
-                        SSLerror(
+                        SSLerror(SSL_R_CERT_LENGTH_MISMATCH);
-                            SSL_R_CERT_LENGTH_MISMATCH);
                        goto f_err;
                }
@@ -1034,19 +1013,16 @@ ssl3_get_server_certificate(SSL *s)
                x = d2i_X509(NULL, &q, CBS_len(&cert));
                if (x == NULL) {
                        al = SSL_AD_BAD_CERTIFICATE;
-                        SSLerror(
+                        SSLerror(ERR_R_ASN1_LIB);
-                            ERR_R_ASN1_LIB);
                        goto f_err;
                }
                if (q != CBS_data(&cert) + CBS_len(&cert)) {
                        al = SSL_AD_DECODE_ERROR;
-                        SSLerror(
+                        SSLerror(SSL_R_CERT_LENGTH_MISMATCH);
-                            SSL_R_CERT_LENGTH_MISMATCH);
                        goto f_err;
                }
                if (!sk_X509_push(sk, x)) {
-                        SSLerror(
+                        SSLerror(ERR_R_MALLOC_FAILURE);
-                            ERR_R_MALLOC_FAILURE);
                        goto err;
                }
                x = NULL;
@@ -1055,8 +1031,7 @@ ssl3_get_server_certificate(SSL *s)
        i = ssl_verify_cert_chain(s, sk);
        if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) {
                al = ssl_verify_alarm_type(s->verify_result);
-                SSLerror(
+                SSLerror(SSL_R_CERTIFICATE_VERIFY_FAILED);
-                    SSL_R_CERTIFICATE_VERIFY_FAILED);
                goto f_err;
        }
@@ -1082,8 +1057,7 @@ ssl3_get_server_certificate(SSL *s)
        if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
                x = NULL;
                al = SSL3_AL_FATAL;
-                SSLerror(
+                SSLerror(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
-                    SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
                goto f_err;
        }
@@ -1091,8 +1065,7 @@ ssl3_get_server_certificate(SSL *s)
        if (i < 0) {
                x = NULL;
                al = SSL3_AL_FATAL;
-                SSLerror(
+                SSLerror(SSL_R_UNKNOWN_CERTIFICATE_TYPE);
-                    SSL_R_UNKNOWN_CERTIFICATE_TYPE);
                goto f_err;
        }
@@ -1118,8 +1091,7 @@ ssl3_get_server_certificate(SSL *s)
 truncated:
                /* wrong packet length */
                al = SSL_AD_DECODE_ERROR;
-                SSLerror(
+                SSLerror(SSL_R_BAD_PACKET_LENGTH);
-                    SSL_R_BAD_PACKET_LENGTH);
 f_err:
                ssl3_send_alert(s, SSL3_AL_FATAL, al);
        }
@@ -1337,8 +1309,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn)
        if ((nid = tls1_ec_curve_id2nid(curve_id)) == 0) {
                al = SSL_AD_INTERNAL_ERROR;
-                SSLerror(
+                SSLerror(SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
-                    SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
                goto f_err;
        }
@@ -1414,8 +1385,7 @@ ssl3_get_server_key_exchange(SSL *s)
                 * ephemeral keys.
                 */
                if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
-                        SSLerror(
+                        SSLerror(SSL_R_UNEXPECTED_MESSAGE);
-                            SSL_R_UNEXPECTED_MESSAGE);
                        al = SSL_AD_UNEXPECTED_MESSAGE;
                        goto f_err;
                }
@@ -1463,8 +1433,7 @@ ssl3_get_server_key_exchange(SSL *s)
                        int sigalg = tls12_get_sigid(pkey);
                        /* Should never happen */
                        if (sigalg == -1) {
-                                SSLerror(
+                                SSLerror(ERR_R_INTERNAL_ERROR);
-                                    ERR_R_INTERNAL_ERROR);
                                goto err;
                        }
                        /*
@@ -1474,15 +1443,13 @@ ssl3_get_server_key_exchange(SSL *s)
                        if (2 > n)
                                goto truncated;
                        if (sigalg != (int)p[1]) {
-                                SSLerror(
+                                SSLerror(SSL_R_WRONG_SIGNATURE_TYPE);
-                                    SSL_R_WRONG_SIGNATURE_TYPE);
                                al = SSL_AD_DECODE_ERROR;
                                goto f_err;
                        }
                        md = tls12_get_hash(p[0]);
                        if (md == NULL) {
-                                SSLerror(
+                                SSLerror(SSL_R_UNKNOWN_DIGEST);
-                                    SSL_R_UNKNOWN_DIGEST);
                                al = SSL_AD_DECODE_ERROR;
                                goto f_err;
                        }
@@ -1500,8 +1467,7 @@ ssl3_get_server_key_exchange(SSL *s)
                if (i != n || n > j) {
                        /* wrong packet length */
                        al = SSL_AD_DECODE_ERROR;
-                        SSLerror(
+                        SSLerror(SSL_R_WRONG_SIGNATURE_LENGTH);
-                            SSL_R_WRONG_SIGNATURE_LENGTH);
                        goto f_err;
                }
@@ -1533,15 +1499,13 @@ ssl3_get_server_key_exchange(SSL *s)
                            p, n, pkey->pkey.rsa);
                        if (i < 0) {
                                al = SSL_AD_DECRYPT_ERROR;
-                                SSLerror(
+                                SSLerror(SSL_R_BAD_RSA_DECRYPT);
-                                    SSL_R_BAD_RSA_DECRYPT);
                                goto f_err;
                        }
                        if (i == 0) {
                                /* bad signature */
                                al = SSL_AD_DECRYPT_ERROR;
-                                SSLerror(
+                                SSLerror(SSL_R_BAD_SIGNATURE);
-                                    SSL_R_BAD_SIGNATURE);
                                goto f_err;
                        }
                } else {
@@ -1554,23 +1518,20 @@ ssl3_get_server_key_exchange(SSL *s)
                        if (EVP_VerifyFinal(&md_ctx, p,(int)n, pkey) <= 0) {
                                /* bad signature */
                                al = SSL_AD_DECRYPT_ERROR;
-                                SSLerror(
+                                SSLerror(SSL_R_BAD_SIGNATURE);
-                                    SSL_R_BAD_SIGNATURE);
                                goto f_err;
                        }
                }
        } else {
                /* aNULL does not need public keys. */
                if (!(alg_a & SSL_aNULL)) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        goto err;
                }
                /* still data left over */
                if (n != 0) {
                        al = SSL_AD_DECODE_ERROR;
-                        SSLerror(
+                        SSLerror(SSL_R_EXTRA_DATA_IN_MESSAGE);
-                            SSL_R_EXTRA_DATA_IN_MESSAGE);
                        goto f_err;
                }
        }
@@ -1630,16 +1591,14 @@ ssl3_get_certificate_request(SSL *s)
        if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-                SSLerror(
+                SSLerror(SSL_R_WRONG_MESSAGE_TYPE);
-                    SSL_R_WRONG_MESSAGE_TYPE);
                goto err;
        }
        /* TLS does not like anon-DH with client cert */
        if (S3I(s)->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-                SSLerror(
+                SSLerror(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
-                    SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
                goto err;
        }
@@ -1648,8 +1607,7 @@ ssl3_get_certificate_request(SSL *s)
        CBS_init(&cert_request, s->internal->init_msg, n);
        if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                goto err;
        }
@@ -1662,8 +1620,7 @@ ssl3_get_certificate_request(SSL *s)
        if (!CBS_get_bytes(&cert_request, &ctypes, ctype_num) ||
            !CBS_write_bytes(&ctypes, (uint8_t *)S3I(s)->tmp.ctype,
            sizeof(S3I(s)->tmp.ctype), NULL)) {
-                SSLerror(
+                SSLerror(SSL_R_DATA_LENGTH_TOO_LONG);
-                    SSL_R_DATA_LENGTH_TOO_LONG);
                goto err;
        }
@@ -1671,8 +1628,7 @@ ssl3_get_certificate_request(SSL *s)
                CBS sigalgs;
                if (CBS_len(&cert_request) < 2) {
-                        SSLerror(
+                        SSLerror(SSL_R_DATA_LENGTH_TOO_LONG);
-                            SSL_R_DATA_LENGTH_TOO_LONG);
                        goto err;
                }
@@ -1681,32 +1637,28 @@ ssl3_get_certificate_request(SSL *s)
                 */
                if (!CBS_get_u16_length_prefixed(&cert_request, &sigalgs)) {
                        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                        SSLerror(
+                        SSLerror(SSL_R_DATA_LENGTH_TOO_LONG);
-                            SSL_R_DATA_LENGTH_TOO_LONG);
                        goto err;
                }
                if ((CBS_len(&sigalgs) & 1) ||
                    !tls1_process_sigalgs(s, CBS_data(&sigalgs),
                    CBS_len(&sigalgs))) {
                        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                        SSLerror(
+                        SSLerror(SSL_R_SIGNATURE_ALGORITHMS_ERROR);
-                            SSL_R_SIGNATURE_ALGORITHMS_ERROR);
                        goto err;
                }
        }
        /* get the CA RDNs */
        if (CBS_len(&cert_request) < 2) {
-                SSLerror(
+                SSLerror(SSL_R_DATA_LENGTH_TOO_LONG);
-                    SSL_R_DATA_LENGTH_TOO_LONG);
                goto err;
        }
        if (!CBS_get_u16_length_prefixed(&cert_request, &rdn_list) ||
            CBS_len(&cert_request) != 0) {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                SSLerror(
+                SSLerror(SSL_R_LENGTH_MISMATCH);
-                    SSL_R_LENGTH_MISMATCH);
                goto err;
        }
@@ -1714,15 +1666,13 @@ ssl3_get_certificate_request(SSL *s)
                CBS rdn;
                if (CBS_len(&rdn_list) < 2) {
-                        SSLerror(
+                        SSLerror(SSL_R_DATA_LENGTH_TOO_LONG);
-                            SSL_R_DATA_LENGTH_TOO_LONG);
                        goto err;
                }
                if (!CBS_get_u16_length_prefixed(&rdn_list, &rdn)) {
                        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                        SSLerror(
+                        SSLerror(SSL_R_CA_DN_TOO_LONG);
-                            SSL_R_CA_DN_TOO_LONG);
                        goto err;
                }
@@ -1730,20 +1680,17 @@ ssl3_get_certificate_request(SSL *s)
                if ((xn = d2i_X509_NAME(NULL, &q, CBS_len(&rdn))) == NULL) {
                        ssl3_send_alert(s, SSL3_AL_FATAL,
                            SSL_AD_DECODE_ERROR);
-                        SSLerror(
+                        SSLerror(ERR_R_ASN1_LIB);
-                            ERR_R_ASN1_LIB);
                        goto err;
                }
                if (q != CBS_data(&rdn) + CBS_len(&rdn)) {
                        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-                        SSLerror(
+                        SSLerror(SSL_R_CA_DN_LENGTH_MISMATCH);
-                            SSL_R_CA_DN_LENGTH_MISMATCH);
                        goto err;
                }
                if (!sk_X509_NAME_push(ca_sk, xn)) {
-                        SSLerror(
+                        SSLerror(ERR_R_MALLOC_FAILURE);
-                            ERR_R_MALLOC_FAILURE);
                        goto err;
                }
                xn = NULL;      /* avoid free in err block */
@@ -1759,8 +1706,7 @@ ssl3_get_certificate_request(SSL *s)
        ret = 1;
        if (0) {
 truncated:
-                SSLerror(
+                SSLerror(SSL_R_BAD_PACKET_LENGTH);
-                    SSL_R_BAD_PACKET_LENGTH);
        }
 err:
        X509_NAME_free(xn);
@@ -1793,15 +1739,13 @@ ssl3_get_new_session_ticket(SSL *s)
        }
        if (S3I(s)->tmp.message_type != SSL3_MT_NEWSESSION_TICKET) {
                al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerror(
+                SSLerror(SSL_R_BAD_MESSAGE_TYPE);
-                    SSL_R_BAD_MESSAGE_TYPE);
                goto f_err;
        }
        if (n < 0) {
                al = SSL_AD_DECODE_ERROR;
-                SSLerror(
+                SSLerror(SSL_R_LENGTH_MISMATCH);
-                    SSL_R_LENGTH_MISMATCH);
                goto f_err;
        }
@@ -1813,16 +1757,14 @@ ssl3_get_new_session_ticket(SSL *s)
            !CBS_get_u16_length_prefixed(&cbs, &session_ticket) ||
            CBS_len(&cbs) != 0) {
                al = SSL_AD_DECODE_ERROR;
-                SSLerror(
+                SSLerror(SSL_R_LENGTH_MISMATCH);
-                    SSL_R_LENGTH_MISMATCH);
                goto f_err;
        }
        s->session->tlsext_tick_lifetime_hint = (long)lifetime_hint;
        if (!CBS_stow(&session_ticket, &s->session->tlsext_tick,
            &s->session->tlsext_ticklen)) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                goto err;
        }
@@ -1872,8 +1814,7 @@ ssl3_get_cert_status(SSL *s)
        if (n < 0) {
                /* need at least status type + length */
                al = SSL_AD_DECODE_ERROR;
-                SSLerror(
+                SSLerror(SSL_R_LENGTH_MISMATCH);
-                    SSL_R_LENGTH_MISMATCH);
                goto f_err;
        }
@@ -1882,23 +1823,20 @@ ssl3_get_cert_status(SSL *s)
            CBS_len(&cert_status) < 3) {
                /* need at least status type + length */
                al = SSL_AD_DECODE_ERROR;
-                SSLerror(
+                SSLerror(SSL_R_LENGTH_MISMATCH);
-                    SSL_R_LENGTH_MISMATCH);
                goto f_err;
        }
        if (status_type != TLSEXT_STATUSTYPE_ocsp) {
                al = SSL_AD_DECODE_ERROR;
-                SSLerror(
+                SSLerror(SSL_R_UNSUPPORTED_STATUS_TYPE);
-                    SSL_R_UNSUPPORTED_STATUS_TYPE);
                goto f_err;
        }
        if (!CBS_get_u24_length_prefixed(&cert_status, &response) ||
            CBS_len(&cert_status) != 0) {
                al = SSL_AD_DECODE_ERROR;
-                SSLerror(
+                SSLerror(SSL_R_LENGTH_MISMATCH);
-                    SSL_R_LENGTH_MISMATCH);
                goto f_err;
        }
@@ -1906,8 +1844,7 @@ ssl3_get_cert_status(SSL *s)
            &stow_len) || stow_len > INT_MAX) {
                s->internal->tlsext_ocsp_resplen = 0;
                al = SSL_AD_INTERNAL_ERROR;
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                goto f_err;
        }
        s->internal->tlsext_ocsp_resplen = (int)stow_len;
@@ -1918,14 +1855,12 @@ ssl3_get_cert_status(SSL *s)
                    s->ctx->internal->tlsext_status_arg);
                if (ret == 0) {
                        al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
-                        SSLerror(
+                        SSLerror(SSL_R_INVALID_STATUS_RESPONSE);
-                            SSL_R_INVALID_STATUS_RESPONSE);
                        goto f_err;
                }
                if (ret < 0) {
                        al = SSL_AD_INTERNAL_ERROR;
-                        SSLerror(
+                        SSLerror(ERR_R_MALLOC_FAILURE);
-                            ERR_R_MALLOC_FAILURE);
                        goto f_err;
                }
        }
@@ -1974,8 +1909,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
        pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
        if (pkey == NULL || pkey->type != EVP_PKEY_RSA ||
            pkey->pkey.rsa == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_INTERNAL_ERROR);
-                    ERR_R_INTERNAL_ERROR);
                goto err;
        }
@@ -1984,16 +1918,14 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
        arc4random_buf(&pms[2], sizeof(pms) - 2);
        if ((enc_pms = malloc(RSA_size(pkey->pkey.rsa))) == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                goto err;
        }
        enc_len = RSA_public_encrypt(sizeof(pms), pms, enc_pms, pkey->pkey.rsa,
            RSA_PKCS1_PADDING);
        if (enc_len <= 0) {
-                SSLerror(
+                SSLerror(SSL_R_BAD_RSA_ENCRYPT);
-                    SSL_R_BAD_RSA_ENCRYPT);
                goto err;
        }
@@ -2031,8 +1963,7 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
        /* Ensure that we have an ephemeral key for DHE. */
        if (sess_cert->peer_dh_tmp == NULL) {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
-                SSLerror(
+                SSLerror(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
-                    SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
                goto err;
        }
        dh_srvr = sess_cert->peer_dh_tmp;
@@ -2048,8 +1979,7 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
        }
        key_size = DH_size(dh_clnt);
        if ((key = malloc(key_size)) == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                goto err;
        }
        key_len = DH_compute_key(key, dh_srvr->pub_key, dh_clnt);
@@ -2098,14 +2028,12 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)
        if ((group = EC_KEY_get0_group(sc->peer_ecdh_tmp)) == NULL ||
            (point = EC_KEY_get0_public_key(sc->peer_ecdh_tmp)) == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_INTERNAL_ERROR);
-                    ERR_R_INTERNAL_ERROR);
                goto err;
        }
        if ((ecdh = EC_KEY_new()) == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                goto err;
        }
@@ -2124,8 +2052,7 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)
                goto err;
        }
        if ((key = malloc(key_size)) == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
        }
        key_len = ECDH_compute_key(key, key_size, point, ecdh, NULL);
        if (key_len <= 0) {
@@ -2146,8 +2073,7 @@ ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb)
        }
        if ((bn_ctx = BN_CTX_new()) == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                goto err;
        }
@@ -2233,8 +2159,7 @@ ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sc, CBB *cbb)
                        goto err;
        } else {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
-                SSLerror(
+                SSLerror(ERR_R_INTERNAL_ERROR);
-                    ERR_R_INTERNAL_ERROR);
                goto err;
        }
@@ -2261,8 +2186,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
        /* Get server sertificate PKEY and create ctx from it */
        peer_cert = sess_cert->peer_pkeys[SSL_PKEY_GOST01].x509;
        if (peer_cert == NULL) {
-                SSLerror(
+                SSLerror(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
-                    SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
                goto err;
        }
@@ -2298,8 +2222,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)
         */
        ukm_hash = EVP_MD_CTX_create();
        if (ukm_hash == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                goto err;
        }
@@ -2371,8 +2294,7 @@ ssl3_send_client_key_exchange(SSL *s)
                if ((sess_cert = SSI(s)->sess_cert) == NULL) {
                        ssl3_send_alert(s, SSL3_AL_FATAL,
                            SSL_AD_UNEXPECTED_MESSAGE);
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        goto err;
                }
@@ -2395,8 +2317,7 @@ ssl3_send_client_key_exchange(SSL *s)
                } else {
                        ssl3_send_alert(s, SSL3_AL_FATAL,
                            SSL_AD_HANDSHAKE_FAILURE);
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        goto err;
                }
@@ -2458,16 +2379,14 @@ ssl3_send_client_verify(SSL *s)
                            &hdata);
                        if (hdatalen <= 0 ||
                            !tls12_get_sigandhash(p, pkey, md)) {
-                                SSLerror(
+                                SSLerror(ERR_R_INTERNAL_ERROR);
-                                    ERR_R_INTERNAL_ERROR);
                                goto err;
                        }
                        p += 2;
                        if (!EVP_SignInit_ex(&mctx, md, NULL) ||
                            !EVP_SignUpdate(&mctx, hdata, hdatalen) ||
                            !EVP_SignFinal(&mctx, p + 2, &u, pkey)) {
-                                SSLerror(
+                                SSLerror(ERR_R_EVP_LIB);
-                                    ERR_R_EVP_LIB);
                                goto err;
                        }
                        s2n(u, p);
@@ -2480,8 +2399,7 @@ ssl3_send_client_verify(SSL *s)
                        if (RSA_sign(NID_md5_sha1, data,
                            MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]),
                            &u, pkey->pkey.rsa) <= 0 ) {
-                                SSLerror(
+                                SSLerror(ERR_R_RSA_LIB);
-                                    ERR_R_RSA_LIB);
                                goto err;
                        }
                        s2n(u, p);
@@ -2491,8 +2409,7 @@ ssl3_send_client_verify(SSL *s)
                            &(data[MD5_DIGEST_LENGTH]),
                            SHA_DIGEST_LENGTH, &(p[2]),
                            (unsigned int *)&j, pkey->pkey.dsa)) {
-                                SSLerror(
+                                SSLerror(ERR_R_DSA_LIB);
-                                    ERR_R_DSA_LIB);
                                goto err;
                        }
                        s2n(j, p);
@@ -2502,8 +2419,7 @@ ssl3_send_client_verify(SSL *s)
                            &(data[MD5_DIGEST_LENGTH]),
                            SHA_DIGEST_LENGTH, &(p[2]),
                            (unsigned int *)&j, pkey->pkey.ec)) {
-                                SSLerror(
+                                SSLerror(ERR_R_ECDSA_LIB);
-                                    ERR_R_ECDSA_LIB);
                                goto err;
                        }
                        s2n(j, p);
@@ -2520,14 +2436,12 @@ ssl3_send_client_verify(SSL *s)
                        hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
                        if (hdatalen <= 0) {
-                                SSLerror(
+                                SSLerror(ERR_R_INTERNAL_ERROR);
-                                    ERR_R_INTERNAL_ERROR);
                                goto err;
                        }
                        if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
                            !(md = EVP_get_digestbynid(nid))) {
-                                SSLerror(
+                                SSLerror(ERR_R_EVP_LIB);
-                                                ERR_R_EVP_LIB);
                                goto err;
                        }
                        if (!EVP_DigestInit_ex(&mctx, md, NULL) ||
@@ -2540,8 +2454,7 @@ ssl3_send_client_verify(SSL *s)
                                               NULL) <= 0) ||
                            (EVP_PKEY_sign(pctx, &(p[2]), &sigsize,
                                           signbuf, u) <= 0)) {
-                                SSLerror(
+                                SSLerror(ERR_R_EVP_LIB);
-                                    ERR_R_EVP_LIB);
                                goto err;
                        }
                        if (!tls1_digest_cached_records(s))
@@ -2551,8 +2464,7 @@ ssl3_send_client_verify(SSL *s)
                        n = j + 2;
 #endif
                } else {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        goto err;
                }
@@ -2610,8 +2522,7 @@ ssl3_send_client_certificate(SSL *s)
                                i = 0;
                } else if (i == 1) {
                        i = 0;
-                        SSLerror(
+                        SSLerror(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
-                            SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
                }
                X509_free(x509);
@@ -2665,8 +2576,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
        sc = SSI(s)->sess_cert;
        if (sc == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_INTERNAL_ERROR);
-                    ERR_R_INTERNAL_ERROR);
                goto err;
        }
        dh = SSI(s)->sess_cert->peer_dh_tmp;
@@ -2678,8 +2588,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
                if (ssl_check_srvr_ecc_cert_and_alg(
                    sc->peer_pkeys[idx].x509, s) == 0) {
                        /* check failed */
-                        SSLerror(
+                        SSLerror(SSL_R_BAD_ECC_CERT);
-                            SSL_R_BAD_ECC_CERT);
                        goto f_err;
                } else {
                        return (1);
@@ -2691,25 +2600,21 @@ ssl3_check_cert_and_algorithm(SSL *s)
        /* Check that we have a certificate if we require one. */
        if ((alg_a & SSL_aRSA) && !has_bits(i, EVP_PK_RSA|EVP_PKT_SIGN)) {
-                SSLerror(
+                SSLerror(SSL_R_MISSING_RSA_SIGNING_CERT);
-                    SSL_R_MISSING_RSA_SIGNING_CERT);
                goto f_err;
        } else if ((alg_a & SSL_aDSS) &&
            !has_bits(i, EVP_PK_DSA|EVP_PKT_SIGN)) {
-                SSLerror(
+                SSLerror(SSL_R_MISSING_DSA_SIGNING_CERT);
-                    SSL_R_MISSING_DSA_SIGNING_CERT);
                goto f_err;
        }
        if ((alg_k & SSL_kRSA) &&
            !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) {
-                SSLerror(
+                SSLerror(SSL_R_MISSING_RSA_ENCRYPTING_CERT);
-                    SSL_R_MISSING_RSA_ENCRYPTING_CERT);
                goto f_err;
        }
        if ((alg_k & SSL_kDHE) &&
            !(has_bits(i, EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) {
-                SSLerror(
+                SSLerror(SSL_R_MISSING_DH_KEY);
-                    SSL_R_MISSING_DH_KEY);
                goto f_err;
        }
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 605fc428ad..898fdbc479 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.154 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.155 2017/01/26 12:16:13 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -226,8 +226,7 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
        sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list),
            &(ctx->internal->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST);
        if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
-                SSLerror(
+                SSLerror(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
-                    SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
                return (0);
        }
        return (1);
@@ -381,8 +380,7 @@ SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
    unsigned int sid_ctx_len)
 {
        if (sid_ctx_len > sizeof ctx->sid_ctx) {
-                SSLerror(
+                SSLerror(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
-                    SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
                return (0);
        }
        ctx->sid_ctx_length = sid_ctx_len;
@@ -396,8 +394,7 @@ SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
    unsigned int sid_ctx_len)
 {
        if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
-                SSLerror(
+                SSLerror(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
-                    SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
                return (0);
        }
        ssl->sid_ctx_length = sid_ctx_len;
@@ -873,13 +870,11 @@ SSL_CTX_check_private_key(const SSL_CTX *ctx)
 {
        if ((ctx == NULL) || (ctx->internal->cert == NULL) ||
            (ctx->internal->cert->key->x509 == NULL)) {
-                SSLerror(
+                SSLerror(SSL_R_NO_CERTIFICATE_ASSIGNED);
-                    SSL_R_NO_CERTIFICATE_ASSIGNED);
                return (0);
        }
        if (ctx->internal->cert->key->privatekey == NULL) {
-                SSLerror(
+                SSLerror(SSL_R_NO_PRIVATE_KEY_ASSIGNED);
-                    SSL_R_NO_PRIVATE_KEY_ASSIGNED);
                return (0);
        }
        return (X509_check_private_key(ctx->internal->cert->key->x509,
@@ -891,23 +886,19 @@ int
 SSL_check_private_key(const SSL *ssl)
 {
        if (ssl == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_PASSED_NULL_PARAMETER);
-                    ERR_R_PASSED_NULL_PARAMETER);
                return (0);
        }
        if (ssl->cert == NULL) {
-                SSLerror(
+                SSLerror(SSL_R_NO_CERTIFICATE_ASSIGNED);
-                    SSL_R_NO_CERTIFICATE_ASSIGNED);
                return (0);
        }
        if (ssl->cert->key->x509 == NULL) {
-                SSLerror(
+                SSLerror(SSL_R_NO_CERTIFICATE_ASSIGNED);
-                    SSL_R_NO_CERTIFICATE_ASSIGNED);
                return (0);
        }
        if (ssl->cert->key->privatekey == NULL) {
-                SSLerror(
+                SSLerror(SSL_R_NO_PRIVATE_KEY_ASSIGNED);
-                    SSL_R_NO_PRIVATE_KEY_ASSIGNED);
                return (0);
        }
        return (X509_check_private_key(ssl->cert->key->x509,
@@ -1428,8 +1419,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)
         * RFC 5246 section 7.4.1.2 defines the interval as [2,2^16-2].
         */
        if (num < 2 || num > 0x10000 - 2) {
-                SSLerror(
+                SSLerror(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
-                    SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
                return (NULL);
        }
@@ -1441,8 +1431,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)
        CBS_init(&cbs, p, num);
        while (CBS_len(&cbs) > 0) {
                if (!CBS_get_u16(&cbs, &cipher_value)) {
-                        SSLerror(
+                        SSLerror(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
-                            SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
                        goto err;
                }
@@ -1454,8 +1443,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)
                         * renegotiating.
                         */
                        if (s->internal->renegotiate) {
-                                SSLerror(
+                                SSLerror(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
-                                    SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
                                ssl3_send_alert(s, SSL3_AL_FATAL,
                                    SSL_AD_HANDSHAKE_FAILURE);
@@ -1474,8 +1462,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)
                         */
                        max_version = ssl_max_server_version(s);
                        if (max_version == 0 || s->version < max_version) {
-                                SSLerror(
+                                SSLerror(SSL_R_INAPPROPRIATE_FALLBACK);
-                                    SSL_R_INAPPROPRIATE_FALLBACK);
                                if (s->s3 != NULL)
                                        ssl3_send_alert(s, SSL3_AL_FATAL,
                                            SSL_AD_INAPPROPRIATE_FALLBACK);
@@ -1486,8 +1473,7 @@ ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)
                if ((c = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
                        if (!sk_SSL_CIPHER_push(sk, c)) {
-                                SSLerror(
+                                SSLerror(ERR_R_MALLOC_FAILURE);
-                                    ERR_R_MALLOC_FAILURE);
                                goto err;
                        }
                }
@@ -1812,8 +1798,7 @@ SSL_CTX_new(const SSL_METHOD *meth)
        }
        if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
-                SSLerror(
+                SSLerror(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
-                    SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
                goto err;
        }
@@ -1881,13 +1866,11 @@ SSL_CTX_new(const SSL_METHOD *meth)
                goto err;
        if ((ret->internal->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
-                SSLerror(
+                SSLerror(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
-                    SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
                goto err2;
        }
        if ((ret->internal->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
-                SSLerror(
+                SSLerror(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
-                    SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
                goto err2;
        }
@@ -2126,8 +2109,7 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
                /* Key usage, if present, must allow signing. */
                if ((x->ex_flags & EXFLAG_KUSAGE) &&
                    ((x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) == 0)) {
-                        SSLerror(
+                        SSLerror(SSL_R_ECC_CERT_NOT_FOR_SIGNING);
-                            SSL_R_ECC_CERT_NOT_FOR_SIGNING);
                        return (0);
                }
        }
@@ -2448,24 +2430,21 @@ SSL_set_connect_state(SSL *s)
 int
 ssl_undefined_function(SSL *s)
 {
-        SSLerror(
+        SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-            ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return (0);
 }
 int
 ssl_undefined_void_function(void)
 {
-        SSLerror(
+        SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-            ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return (0);
 }
 int
 ssl_undefined_const_function(const SSL *s)
 {
-        SSLerror(
+        SSLerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-            ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return (0);
 }
diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c
index a8462ffd84..9ffc27e9a7 100644
--- a/src/lib/libssl/ssl_packet.c
+++ b/src/lib/libssl/ssl_packet.c
@@ -106,8 +106,7 @@ ssl_convert_sslv2_client_hello(SSL *s)
                return -1;
        if (record_length < 9) {
-                SSLerror(
+                SSLerror(SSL_R_RECORD_LENGTH_MISMATCH);
-                    SSL_R_RECORD_LENGTH_MISMATCH);
                return -1;
        }
        if (record_length > 4096) {
@@ -150,8 +149,7 @@ ssl_convert_sslv2_client_hello(SSL *s)
        if (!CBS_get_bytes(&cbs, &challenge, challenge_length))
                return -1;
        if (CBS_len(&cbs) != 0) {
-                SSLerror(
+                SSLerror(SSL_R_RECORD_LENGTH_MISMATCH);
-                    SSL_R_RECORD_LENGTH_MISMATCH);
                return -1;
        }
@@ -236,16 +234,14 @@ ssl_server_legacy_first_packet(SSL *s)
        if (ssl_is_sslv2_client_hello(&header) == 1) {
                /* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */
                if (ssl_enabled_version_range(s, &min_version, NULL) != 1) {
-                        SSLerror(
+                        SSLerror(SSL_R_NO_PROTOCOLS_AVAILABLE);
-                            SSL_R_NO_PROTOCOLS_AVAILABLE);
                        return -1;
                }
                if (min_version > TLS1_VERSION)
                        return 1;
                if (ssl_convert_sslv2_client_hello(s) != 1) {
-                        SSLerror(
+                        SSLerror(SSL_R_BAD_PACKET_LENGTH);
-                            SSL_R_BAD_PACKET_LENGTH);
                        return -1;
                }
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index f354fb82bf..38d011fdc3 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.6 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.7 2017/01/26 12:16:13 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -364,8 +364,7 @@ ssl3_get_record(SSL *s)
                if (!CBS_get_u8(&header, &type) ||
                    !CBS_get_u16(&header, &ssl_version) ||
                    !CBS_get_u16(&header, &len)) {
-                        SSLerror(
+                        SSLerror(SSL_R_BAD_PACKET_LENGTH);
-                            SSL_R_BAD_PACKET_LENGTH);
                        goto err;
                }
@@ -374,8 +373,7 @@ ssl3_get_record(SSL *s)
                /* Lets check version */
                if (!s->internal->first_packet && ssl_version != s->version) {
-                        SSLerror(
+                        SSLerror(SSL_R_WRONG_VERSION_NUMBER);
-                            SSL_R_WRONG_VERSION_NUMBER);
                        if ((s->version & 0xFF00) == (ssl_version & 0xFF00) &&
                            !s->internal->enc_write_ctx && !s->internal->write_hash)
                                /* Send back error using their minor version number :-) */
@@ -385,15 +383,13 @@ ssl3_get_record(SSL *s)
                }
                if ((ssl_version >> 8) != SSL3_VERSION_MAJOR) {
-                        SSLerror(
+                        SSLerror(SSL_R_WRONG_VERSION_NUMBER);
-                            SSL_R_WRONG_VERSION_NUMBER);
                        goto err;
                }
                if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH) {
                        al = SSL_AD_RECORD_OVERFLOW;
-                        SSLerror(
+                        SSLerror(SSL_R_PACKET_LENGTH_TOO_LONG);
-                            SSL_R_PACKET_LENGTH_TOO_LONG);
                        goto f_err;
                }
@@ -510,8 +506,7 @@ ssl3_get_record(SSL *s)
                 * (e.g. via a logfile)
                 */
                al = SSL_AD_BAD_RECORD_MAC;
-                SSLerror(
+                SSLerror(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
-                    SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
                goto f_err;
        }
@@ -543,8 +538,7 @@ ssl3_get_record(SSL *s)
                 * empty record without forcing want_read.
                 */
                if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) {
-                        SSLerror(
+                        SSLerror(SSL_R_PEER_BEHAVING_BADLY);
-                            SSL_R_PEER_BEHAVING_BADLY);
                        return -1;
                }
                if (s->internal->empty_record_count > 1) {
@@ -588,8 +582,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                if (i < 0)
                        return (i);
                if (i == 0) {
-                        SSLerror(
+                        SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE);
-                            SSL_R_SSL_HANDSHAKE_FAILURE);
                        return -1;
                }
        }
@@ -698,8 +691,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                        if (prefix_len >
                                (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) {
                                /* insufficient space */
-                                SSLerror(
+                                SSLerror(ERR_R_INTERNAL_ERROR);
-                                    ERR_R_INTERNAL_ERROR);
                                goto err;
                        }
                }
@@ -961,8 +953,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
                if (i < 0)
                        return (i);
                if (i == 0) {
-                        SSLerror(
+                        SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE);
-                            SSL_R_SSL_HANDSHAKE_FAILURE);
                        return (-1);
                }
        }
@@ -1004,8 +995,7 @@ start:
                                       * reset by ssl3_get_finished */
            && (rr->type != SSL3_RT_HANDSHAKE)) {
                al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerror(
+                SSLerror(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
-                    SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
                goto f_err;
        }
@@ -1025,8 +1015,7 @@ start:
                if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
                        (s->enc_read_ctx == NULL)) {
                        al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerror(
+                        SSLerror(SSL_R_APP_DATA_IN_HANDSHAKE);
-                            SSL_R_APP_DATA_IN_HANDSHAKE);
                        goto f_err;
                }
@@ -1126,8 +1115,7 @@ start:
                                if (i < 0)
                                        return (i);
                                if (i == 0) {
-                                        SSLerror(
+                                        SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE);
-                                            SSL_R_SSL_HANDSHAKE_FAILURE);
                                        return (-1);
                                }
@@ -1200,15 +1188,13 @@ start:
                         */
                        else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
                                al = SSL_AD_HANDSHAKE_FAILURE;
-                                SSLerror(
+                                SSLerror(SSL_R_NO_RENEGOTIATION);
-                                    SSL_R_NO_RENEGOTIATION);
                                goto f_err;
                        }
                } else if (alert_level == SSL3_AL_FATAL) {
                        s->internal->rwstate = SSL_NOTHING;
                        S3I(s)->fatal_alert = alert_descr;
-                        SSLerror(
+                        SSLerror(SSL_AD_REASON_OFFSET + alert_descr);
-                            SSL_AD_REASON_OFFSET + alert_descr);
                        ERR_asprintf_error_data("SSL alert number %d",
                            alert_descr);
                        s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN;
@@ -1236,24 +1222,21 @@ start:
                if ((rr->length != 1) || (rr->off != 0) ||
                        (rr->data[0] != SSL3_MT_CCS)) {
                        al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerror(
+                        SSLerror(SSL_R_BAD_CHANGE_CIPHER_SPEC);
-                            SSL_R_BAD_CHANGE_CIPHER_SPEC);
                        goto f_err;
                }
                /* Check we have a cipher to change to */
                if (S3I(s)->tmp.new_cipher == NULL) {
                        al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerror(
+                        SSLerror(SSL_R_CCS_RECEIVED_EARLY);
-                            SSL_R_CCS_RECEIVED_EARLY);
                        goto f_err;
                }
                /* Check that we should be receiving a Change Cipher Spec. */
                if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) {
                        al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerror(
+                        SSLerror(SSL_R_CCS_RECEIVED_EARLY);
-                            SSL_R_CCS_RECEIVED_EARLY);
                        goto f_err;
                }
                s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
@@ -1285,8 +1268,7 @@ start:
                if (i < 0)
                        return (i);
                if (i == 0) {
-                        SSLerror(
+                        SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE);
-                            SSL_R_SSL_HANDSHAKE_FAILURE);
                        return (-1);
                }
@@ -1373,8 +1355,7 @@ ssl3_do_change_cipher_spec(SSL *s)
        if (S3I(s)->tmp.key_block == NULL) {
                if (s->session == NULL || s->session->master_key_length == 0) {
                        /* might happen if dtls1_read_bytes() calls this */
-                        SSLerror(
+                        SSLerror(SSL_R_CCS_RECEIVED_EARLY);
-                            SSL_R_CCS_RECEIVED_EARLY);
                        return (0);
                }
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 3efed227f0..facb8ac274 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.26 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.27 2017/01/26 12:16:13 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -565,8 +565,7 @@ int
 SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
 {
        if (pkey == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_PASSED_NULL_PARAMETER);
-                    ERR_R_PASSED_NULL_PARAMETER);
                return (0);
        }
        if (!ssl_cert_inst(&ctx->internal->cert)) {
@@ -602,8 +601,7 @@ SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
                j = ERR_R_ASN1_LIB;
                pkey = d2i_PrivateKey_bio(in, NULL);
        } else {
-                SSLerror(
+                SSLerror(SSL_R_BAD_SSL_FILETYPE);
-                    SSL_R_BAD_SSL_FILETYPE);
                goto end;
        }
        if (pkey == NULL) {
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 5cd531ef59..5477e9a168 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.68 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.69 2017/01/26 12:16:13 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -312,8 +312,7 @@ ssl_get_new_session(SSL *s, int session)
                        ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
                        break;
                default:
-                        SSLerror(
+                        SSLerror(SSL_R_UNSUPPORTED_SSL_VERSION);
-                            SSL_R_UNSUPPORTED_SSL_VERSION);
                        SSL_SESSION_free(ss);
                        return (0);
                }
@@ -336,8 +335,7 @@ ssl_get_new_session(SSL *s, int session)
                tmp = ss->session_id_length;
                if (!cb(s, ss->session_id, &tmp)) {
                        /* The callback failed */
-                        SSLerror(
+                        SSLerror(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
-                        SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
                        SSL_SESSION_free(ss);
                        return (0);
                }
@@ -348,8 +346,7 @@ ssl_get_new_session(SSL *s, int session)
                 */
                if (!tmp || (tmp > ss->session_id_length)) {
                        /* The callback set an illegal length */
-                        SSLerror(
+                        SSLerror(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
-                        SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
                        SSL_SESSION_free(ss);
                        return (0);
                }
@@ -358,8 +355,7 @@ ssl_get_new_session(SSL *s, int session)
                /* Finally, check for a conflict. */
                if (SSL_has_matching_session_id(s, ss->session_id,
                        ss->session_id_length)) {
-                        SSLerror(
+                        SSLerror(SSL_R_SSL_SESSION_ID_CONFLICT);
-                        SSL_R_SSL_SESSION_ID_CONFLICT);
                        SSL_SESSION_free(ss);
                        return (0);
                }
@@ -368,8 +364,7 @@ sess_id_done:
                if (s->tlsext_hostname) {
                        ss->tlsext_hostname = strdup(s->tlsext_hostname);
                        if (ss->tlsext_hostname == NULL) {
-                                SSLerror(
+                                SSLerror(ERR_R_INTERNAL_ERROR);
-                                    ERR_R_INTERNAL_ERROR);
                                SSL_SESSION_free(ss);
                                return 0;
                        }
@@ -528,8 +523,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
                 * applications to effectively disable the session cache by
                 * accident without anyone noticing).
                 */
-                SSLerror(
+                SSLerror(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
-                    SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
                fatal = 1;
                goto err;
        }
@@ -729,8 +723,7 @@ SSL_set_session(SSL *s, SSL_SESSION *session)
                if (meth == NULL)
                        meth = s->method->internal->get_ssl_method(session->ssl_version);
                if (meth == NULL) {
-                        SSLerror(
+                        SSLerror(SSL_R_UNABLE_TO_FIND_SSL_METHOD);
-                            SSL_R_UNABLE_TO_FIND_SSL_METHOD);
                        return (0);
                }
@@ -810,8 +803,7 @@ SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
    unsigned int sid_ctx_len)
 {
        if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
-                SSLerror(
+                SSLerror(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
-                    SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
                return 0;
        }
        s->sid_ctx_length = sid_ctx_len;
@@ -872,8 +864,7 @@ SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
                s->internal->tlsext_session_ticket =
                    malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
                if (!s->internal->tlsext_session_ticket) {
-                        SSLerror(
+                        SSLerror(ERR_R_MALLOC_FAILURE);
-                            ERR_R_MALLOC_FAILURE);
                        return 0;
                }
@@ -1080,13 +1071,11 @@ int
 SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
 {
        if (!ENGINE_init(e)) {
-                SSLerror(
+                SSLerror(ERR_R_ENGINE_LIB);
-                    ERR_R_ENGINE_LIB);
                return 0;
        }
        if (!ENGINE_get_ssl_client_cert_function(e)) {
-                SSLerror(
+                SSLerror(SSL_R_NO_CLIENT_CERT_METHOD);
-                    SSL_R_NO_CLIENT_CERT_METHOD);
                ENGINE_finish(e);
                return 0;
        }
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 46ca4d6c9c..0b110d6a72 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.3 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.4 2017/01/26 12:16:13 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -253,8 +253,7 @@ ssl3_accept(SSL *s)
                                 * client that doesn't support secure
                                 * renegotiation.
                                 */
-                                SSLerror(
+                                SSLerror(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
-                                    SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
                                ssl3_send_alert(s, SSL3_AL_FATAL,
                                    SSL_AD_HANDSHAKE_FAILURE);
                                ret = -1;
@@ -484,8 +483,7 @@ ssl3_accept(SSL *s)
                                 * at this point and digest cached records.
                                 */
                                if (!S3I(s)->handshake_buffer) {
-                                        SSLerror(
+                                        SSLerror(ERR_R_INTERNAL_ERROR);
-                                            ERR_R_INTERNAL_ERROR);
                                        ret = -1;
                                        goto end;
                                }
@@ -673,8 +671,7 @@ ssl3_accept(SSL *s)
                        /* break; */
                default:
-                        SSLerror(
+                        SSLerror(SSL_R_UNKNOWN_STATE);
-                            SSL_R_UNKNOWN_STATE);
                        ret = -1;
                        goto end;
                        /* break; */
@@ -868,8 +865,7 @@ ssl3_get_client_hello(SSL *s)
                if (cookie_len > sizeof(D1I(s)->rcvd_cookie)) {
                        /* too much data */
                        al = SSL_AD_DECODE_ERROR;
-                        SSLerror(
+                        SSLerror(SSL_R_COOKIE_MISMATCH);
-                            SSL_R_COOKIE_MISMATCH);
                        goto f_err;
                }
@@ -885,8 +881,7 @@ ssl3_get_client_hello(SSL *s)
                                if (s->ctx->internal->app_verify_cookie_cb(s,
                                    D1I(s)->rcvd_cookie, cookie_len) == 0) {
                                        al = SSL_AD_HANDSHAKE_FAILURE;
-                                        SSLerror(
+                                        SSLerror(SSL_R_COOKIE_MISMATCH);
-                                            SSL_R_COOKIE_MISMATCH);
                                        goto f_err;
                                }
                                /* else cookie verification succeeded */
@@ -894,8 +889,7 @@ ssl3_get_client_hello(SSL *s)
                            D1I(s)->cookie_len) != 0) {
                                /* default verification */
                                al = SSL_AD_HANDSHAKE_FAILURE;
-                                SSLerror(
+                                SSLerror(SSL_R_COOKIE_MISMATCH);
-                                    SSL_R_COOKIE_MISMATCH);
                                goto f_err;
                        }
@@ -911,8 +905,7 @@ ssl3_get_client_hello(SSL *s)
        if ((i == 0) && (j != 0)) {
                /* we need a cipher if we are not resuming a session */
                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerror(
+                SSLerror(SSL_R_NO_CIPHERS_SPECIFIED);
-                    SSL_R_NO_CIPHERS_SPECIFIED);
                goto f_err;
        }
        if (p - d + i > n)
@@ -941,8 +934,7 @@ ssl3_get_client_hello(SSL *s)
                         * list if we are asked to reuse it
                         */
                        al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerror(
+                        SSLerror(SSL_R_REQUIRED_CIPHER_MISSING);
-                            SSL_R_REQUIRED_CIPHER_MISSING);
                        goto f_err;
                }
        }
@@ -962,8 +954,7 @@ ssl3_get_client_hello(SSL *s)
        if (j >= i) {
                /* no compress */
                al = SSL_AD_DECODE_ERROR;
-                SSLerror(
+                SSLerror(SSL_R_NO_COMPRESSION_SPECIFIED);
-                    SSL_R_NO_COMPRESSION_SPECIFIED);
                goto f_err;
        }
@@ -974,8 +965,7 @@ ssl3_get_client_hello(SSL *s)
                goto f_err;
        }
        if (ssl_check_clienthello_tlsext_early(s) <= 0) {
-                SSLerror(
+                SSLerror(SSL_R_CLIENTHELLO_TLSEXT);
-                    SSL_R_CLIENTHELLO_TLSEXT);
                goto err;
        }
@@ -1006,8 +996,7 @@ ssl3_get_client_hello(SSL *s)
                            SSL_get_ciphers(s));
                        if (pref_cipher == NULL) {
                                al = SSL_AD_HANDSHAKE_FAILURE;
-                                SSLerror(
+                                SSLerror(SSL_R_NO_SHARED_CIPHER);
-                                    SSL_R_NO_SHARED_CIPHER);
                                goto f_err;
                        }
@@ -1032,8 +1021,7 @@ ssl3_get_client_hello(SSL *s)
                s->session->ciphers = ciphers;
                if (ciphers == NULL) {
                        al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerror(
+                        SSLerror(SSL_R_NO_CIPHERS_PASSED);
-                            SSL_R_NO_CIPHERS_PASSED);
                        goto f_err;
                }
                ciphers = NULL;
@@ -1042,8 +1030,7 @@ ssl3_get_client_hello(SSL *s)
                if (c == NULL) {
                        al = SSL_AD_HANDSHAKE_FAILURE;
-                        SSLerror(
+                        SSLerror(SSL_R_NO_SHARED_CIPHER);
-                            SSL_R_NO_SHARED_CIPHER);
                        goto f_err;
                }
                S3I(s)->tmp.new_cipher = c;
@@ -1142,8 +1129,7 @@ ssl3_send_server_hello(SSL *s)
                sl = s->session->session_id_length;
                if (sl > (int)sizeof(s->session->session_id)) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        goto err;
                }
@@ -1166,8 +1152,7 @@ ssl3_send_server_hello(SSL *s)
                if ((p = ssl_add_serverhello_tlsext(s, p + outlen,
                    bufend)) == NULL) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        goto err;
                }
@@ -1208,8 +1193,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
        if (s->cert->dh_tmp_auto != 0) {
                if ((dhp = ssl_get_auto_dh(s)) == NULL) {
                        al = SSL_AD_INTERNAL_ERROR;
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        goto f_err;
                }
        } else
@@ -1221,14 +1205,12 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
        if (dhp == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerror(
+                SSLerror(SSL_R_MISSING_TMP_DH_KEY);
-                    SSL_R_MISSING_TMP_DH_KEY);
                goto f_err;
        }
        if (S3I(s)->tmp.dh != NULL) {
-                SSLerror(
+                SSLerror(ERR_R_INTERNAL_ERROR);
-                    ERR_R_INTERNAL_ERROR);
                goto err;
        }
@@ -1299,14 +1281,12 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
        }
        if (ecdhp == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerror(
+                SSLerror(SSL_R_MISSING_TMP_ECDH_KEY);
-                    SSL_R_MISSING_TMP_ECDH_KEY);
                goto f_err;
        }
        if (S3I(s)->tmp.ecdh != NULL) {
-                SSLerror(
+                SSLerror(ERR_R_INTERNAL_ERROR);
-                    ERR_R_INTERNAL_ERROR);
                goto err;
        }
@@ -1314,8 +1294,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
        if (s->cert->ecdh_tmp_auto != 0) {
                ecdh = ecdhp;
        } else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_ECDH_LIB);
-                    ERR_R_ECDH_LIB);
                goto err;
        }
        S3I(s)->tmp.ecdh = ecdh;
@@ -1324,8 +1303,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
            (EC_KEY_get0_private_key(ecdh) == NULL) ||
            (s->internal->options & SSL_OP_SINGLE_ECDH_USE)) {
                if (!EC_KEY_generate_key(ecdh)) {
-                        SSLerror(
+                        SSLerror(ERR_R_ECDH_LIB);
-                            ERR_R_ECDH_LIB);
                        goto err;
                }
        }
@@ -1333,8 +1311,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
        if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
            (EC_KEY_get0_public_key(ecdh)  == NULL) ||
            (EC_KEY_get0_private_key(ecdh) == NULL)) {
-                SSLerror(
+                SSLerror(ERR_R_ECDH_LIB);
-                    ERR_R_ECDH_LIB);
                goto err;
        }
@@ -1344,8 +1321,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
         */
        if ((curve_id = tls1_ec_nid2curve_id(
            EC_GROUP_get_curve_name(group))) == 0) {
-                SSLerror(
+                SSLerror(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
-                    SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
                goto err;
        }
@@ -1360,8 +1336,7 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb)
        bn_ctx = BN_CTX_new();
        if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                goto err;
        }
@@ -1421,8 +1396,7 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb)
        /* Generate an X25519 key pair. */
        if (S3I(s)->tmp.x25519 != NULL) {
-                SSLerror(
+                SSLerror(ERR_R_INTERNAL_ERROR);
-                    ERR_R_INTERNAL_ERROR);
                goto err;
        }
        if ((S3I(s)->tmp.x25519 = malloc(X25519_KEY_LENGTH)) == NULL)
@@ -1433,8 +1407,7 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb)
        /* Serialize public key. */
        if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) {
-                SSLerror(
+                SSLerror(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
-                    SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
                goto err;
        }
@@ -1509,8 +1482,7 @@ ssl3_send_server_key_exchange(SSL *s)
                                goto err;
                } else {
                        al = SSL_AD_HANDSHAKE_FAILURE;
-                        SSLerror(
+                        SSLerror(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
-                            SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
                        goto f_err;
                }
@@ -1531,8 +1503,7 @@ ssl3_send_server_key_exchange(SSL *s)
                if (!BUF_MEM_grow_clean(buf, ssl3_handshake_msg_hdr_len(s) +
                    params_len + kn)) {
-                        SSLerror(
+                        SSLerror(ERR_LIB_BUF);
-                            ERR_LIB_BUF);
                        goto err;
                }
@@ -1611,8 +1582,7 @@ ssl3_send_server_key_exchange(SSL *s)
                        } else {
                                /* Is this error check actually needed? */
                                al = SSL_AD_HANDSHAKE_FAILURE;
-                                SSLerror(
+                                SSLerror(SSL_R_UNKNOWN_PKEY_TYPE);
-                                    SSL_R_UNKNOWN_PKEY_TYPE);
                                goto f_err;
                        }
                }
@@ -1724,8 +1694,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)
        if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
            (pkey->pkey.rsa == NULL)) {
                al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerror(
+                SSLerror(SSL_R_MISSING_RSA_CERTIFICATE);
-                    SSL_R_MISSING_RSA_CERTIFICATE);
                goto f_err;
        }
        rsa = pkey->pkey.rsa;
@@ -1734,8 +1703,7 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)
                goto truncated;
        n2s(p, i);
        if (n != i + 2) {
-                SSLerror(
+                SSLerror(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
-                    SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
                goto err;
        } else
                n = i;
@@ -1836,15 +1804,13 @@ ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n)
        if (S3I(s)->tmp.dh == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerror(
+                SSLerror(SSL_R_MISSING_TMP_DH_KEY);
-                    SSL_R_MISSING_TMP_DH_KEY);
                goto f_err;
        }
        dh = S3I(s)->tmp.dh;
        if ((bn = BN_bin2bn(CBS_data(&dh_Yc), CBS_len(&dh_Yc), NULL)) == NULL) {
-                SSLerror(
+                SSLerror(SSL_R_BN_LIB);
-                    SSL_R_BN_LIB);
                goto err;
        }
@@ -1894,8 +1860,7 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
        /* Initialize structures for server's ECDH key pair. */
        if ((srvr_ecdh = EC_KEY_new()) == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                goto err;
        }
@@ -1910,15 +1875,13 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
        if (!EC_KEY_set_group(srvr_ecdh, group) ||
            !EC_KEY_set_private_key(srvr_ecdh, priv_key)) {
-                SSLerror(
+                SSLerror(ERR_R_EC_LIB);
-                    ERR_R_EC_LIB);
                goto err;
        }
        /* Let's get client's public key */
        if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                goto err;
        }
@@ -1940,16 +1903,14 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
                         * group.
                         */
                        al = SSL_AD_HANDSHAKE_FAILURE;
-                        SSLerror(
+                        SSLerror(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
-                            SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
                        goto f_err;
                }
                if (EC_POINT_copy(clnt_ecpoint,
                    EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec))
                    == 0) {
-                        SSLerror(
+                        SSLerror(ERR_R_EC_LIB);
-                            ERR_R_EC_LIB);
                        goto err;
                }
                ret = 2; /* Skip certificate verify processing */
@@ -1959,8 +1920,7 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
                 * in the ClientKeyExchange message.
                 */
                if ((bn_ctx = BN_CTX_new()) == NULL) {
-                        SSLerror(
+                        SSLerror(ERR_R_MALLOC_FAILURE);
-                            ERR_R_MALLOC_FAILURE);
                        goto err;
                }
@@ -1969,14 +1929,12 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
                p += 1;
                if (n != 1 + i) {
-                        SSLerror(
+                        SSLerror(ERR_R_EC_LIB);
-                            ERR_R_EC_LIB);
                        goto err;
                }
                if (EC_POINT_oct2point(group,
                        clnt_ecpoint, p, i, bn_ctx) == 0) {
-                        SSLerror(
+                        SSLerror(ERR_R_EC_LIB);
-                            ERR_R_EC_LIB);
                        goto err;
                }
                /*
@@ -1989,15 +1947,13 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
        /* Compute the shared pre-master secret */
        key_size = ECDH_size(srvr_ecdh);
        if (key_size <= 0) {
-                SSLerror(
+                SSLerror(ERR_R_ECDH_LIB);
-                    ERR_R_ECDH_LIB);
                goto err;
        }
        i = ECDH_compute_key(p, key_size, clnt_ecpoint, srvr_ecdh,
            NULL);
        if (i <= 0) {
-                SSLerror(
+                SSLerror(ERR_R_ECDH_LIB);
-                    ERR_R_ECDH_LIB);
                goto err;
        }
@@ -2114,16 +2070,14 @@ ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n)
        if (ASN1_get_object((const unsigned char **)&p, &Tlen, &Ttag,
            &Tclass, n) != V_ASN1_CONSTRUCTED ||
            Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
-                SSLerror(
+                SSLerror(SSL_R_DECRYPTION_FAILED);
-                    SSL_R_DECRYPTION_FAILED);
                goto gerr;
        }
        start = p;
        inlen = Tlen;
        if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
            start, inlen) <=0) {
-                SSLerror(
+                SSLerror(SSL_R_DECRYPTION_FAILED);
-                    SSL_R_DECRYPTION_FAILED);
                goto gerr;
        }
        /* Generate master secret */
@@ -2184,8 +2138,7 @@ ssl3_get_client_key_exchange(SSL *s)
                        goto err;
        } else {
                al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerror(
+                SSLerror(SSL_R_UNKNOWN_CIPHER_TYPE);
-                    SSL_R_UNKNOWN_CIPHER_TYPE);
                goto f_err;
        }
@@ -2228,8 +2181,7 @@ ssl3_get_cert_verify(SSL *s)
                S3I(s)->tmp.reuse_message = 1;
                if (peer != NULL) {
                        al = SSL_AD_UNEXPECTED_MESSAGE;
-                        SSLerror(
+                        SSLerror(SSL_R_MISSING_VERIFY_MESSAGE);
-                            SSL_R_MISSING_VERIFY_MESSAGE);
                        goto f_err;
                }
                ret = 1;
@@ -2237,22 +2189,19 @@ ssl3_get_cert_verify(SSL *s)
        }
        if (peer == NULL) {
-                SSLerror(
+                SSLerror(SSL_R_NO_CLIENT_CERT_RECEIVED);
-                    SSL_R_NO_CLIENT_CERT_RECEIVED);
                al = SSL_AD_UNEXPECTED_MESSAGE;
                goto f_err;
        }
        if (!(type & EVP_PKT_SIGN)) {
-                SSLerror(
+                SSLerror(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
-                    SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
                al = SSL_AD_ILLEGAL_PARAMETER;
                goto f_err;
        }
        if (S3I(s)->change_cipher_spec) {
-                SSLerror(
+                SSLerror(SSL_R_CCS_RECEIVED_EARLY);
-                    SSL_R_CCS_RECEIVED_EARLY);
                al = SSL_AD_UNEXPECTED_MESSAGE;
                goto f_err;
        }
@@ -2273,8 +2222,7 @@ ssl3_get_cert_verify(SSL *s)
                        int sigalg = tls12_get_sigid(pkey);
                        /* Should never happen */
                        if (sigalg == -1) {
-                                SSLerror(
+                                SSLerror(ERR_R_INTERNAL_ERROR);
-                                    ERR_R_INTERNAL_ERROR);
                                al = SSL_AD_INTERNAL_ERROR;
                                goto f_err;
                        }
@@ -2282,15 +2230,13 @@ ssl3_get_cert_verify(SSL *s)
                                goto truncated;
                        /* Check key type is consistent with signature */
                        if (sigalg != (int)p[1]) {
-                                SSLerror(
+                                SSLerror(SSL_R_WRONG_SIGNATURE_TYPE);
-                                    SSL_R_WRONG_SIGNATURE_TYPE);
                                al = SSL_AD_DECODE_ERROR;
                                goto f_err;
                        }
                        md = tls12_get_hash(p[0]);
                        if (md == NULL) {
-                                SSLerror(
+                                SSLerror(SSL_R_UNKNOWN_DIGEST);
-                                    SSL_R_UNKNOWN_DIGEST);
                                al = SSL_AD_DECODE_ERROR;
                                goto f_err;
                        }
@@ -2306,8 +2252,7 @@ ssl3_get_cert_verify(SSL *s)
        }
        j = EVP_PKEY_size(pkey);
        if ((i > j) || (n > j) || (n <= 0)) {
-                SSLerror(
+                SSLerror(SSL_R_WRONG_SIGNATURE_SIZE);
-                    SSL_R_WRONG_SIGNATURE_SIZE);
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
        }
@@ -2317,23 +2262,20 @@ ssl3_get_cert_verify(SSL *s)
                void *hdata;
                hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
                if (hdatalen <= 0) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        al = SSL_AD_INTERNAL_ERROR;
                        goto f_err;
                }
                if (!EVP_VerifyInit_ex(&mctx, md, NULL) ||
                    !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) {
-                        SSLerror(
+                        SSLerror(ERR_R_EVP_LIB);
-                            ERR_R_EVP_LIB);
                        al = SSL_AD_INTERNAL_ERROR;
                        goto f_err;
                }
                if (EVP_VerifyFinal(&mctx, p, i, pkey) <= 0) {
                        al = SSL_AD_DECRYPT_ERROR;
-                        SSLerror(
+                        SSLerror(SSL_R_BAD_SIGNATURE);
-                            SSL_R_BAD_SIGNATURE);
                        goto f_err;
                }
        } else
@@ -2343,14 +2285,12 @@ ssl3_get_cert_verify(SSL *s)
                    pkey->pkey.rsa);
                if (i < 0) {
                        al = SSL_AD_DECRYPT_ERROR;
-                        SSLerror(
+                        SSLerror(SSL_R_BAD_RSA_DECRYPT);
-                            SSL_R_BAD_RSA_DECRYPT);
                        goto f_err;
                }
                if (i == 0) {
                        al = SSL_AD_DECRYPT_ERROR;
-                        SSLerror(
+                        SSLerror(SSL_R_BAD_RSA_SIGNATURE);
-                            SSL_R_BAD_RSA_SIGNATURE);
                        goto f_err;
                }
        } else
@@ -2361,8 +2301,7 @@ ssl3_get_cert_verify(SSL *s)
                if (j <= 0) {
                        /* bad signature */
                        al = SSL_AD_DECRYPT_ERROR;
-                        SSLerror(
+                        SSLerror(SSL_R_BAD_DSA_SIGNATURE);
-                            SSL_R_BAD_DSA_SIGNATURE);
                        goto f_err;
                }
        } else
@@ -2373,8 +2312,7 @@ ssl3_get_cert_verify(SSL *s)
                if (j <= 0) {
                        /* bad signature */
                        al = SSL_AD_DECRYPT_ERROR;
-                        SSLerror(
+                        SSLerror(SSL_R_BAD_ECDSA_SIGNATURE);
-                            SSL_R_BAD_ECDSA_SIGNATURE);
                        goto f_err;
                }
        } else
@@ -2390,22 +2328,19 @@ ssl3_get_cert_verify(SSL *s)
                hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
                if (hdatalen <= 0) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        al = SSL_AD_INTERNAL_ERROR;
                        goto f_err;
                }
                if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) ||
                                !(md = EVP_get_digestbynid(nid))) {
-                        SSLerror(
+                        SSLerror(ERR_R_EVP_LIB);
-                                        ERR_R_EVP_LIB);
                        al = SSL_AD_INTERNAL_ERROR;
                        goto f_err;
                }
                pctx = EVP_PKEY_CTX_new(pkey, NULL);
                if (!pctx) {
-                        SSLerror(
+                        SSLerror(ERR_R_EVP_LIB);
-                            ERR_R_EVP_LIB);
                        al = SSL_AD_INTERNAL_ERROR;
                        goto f_err;
                }
@@ -2418,8 +2353,7 @@ ssl3_get_cert_verify(SSL *s)
                                       EVP_PKEY_CTRL_GOST_SIG_FORMAT,
                                       GOST_SIG_FORMAT_RS_LE,
                                       NULL) <= 0)) {
-                        SSLerror(
+                        SSLerror(ERR_R_EVP_LIB);
-                            ERR_R_EVP_LIB);
                        al = SSL_AD_INTERNAL_ERROR;
                        EVP_PKEY_CTX_free(pctx);
                        goto f_err;
@@ -2427,8 +2361,7 @@ ssl3_get_cert_verify(SSL *s)
                if (EVP_PKEY_verify(pctx, p, i, signature, siglen) <= 0) {
                        al = SSL_AD_DECRYPT_ERROR;
-                        SSLerror(
+                        SSLerror(SSL_R_BAD_SIGNATURE);
-                            SSL_R_BAD_SIGNATURE);
                        EVP_PKEY_CTX_free(pctx);
                        goto f_err;
                }
@@ -2437,8 +2370,7 @@ ssl3_get_cert_verify(SSL *s)
        } else
 #endif
        {
-                SSLerror(
+                SSLerror(ERR_R_INTERNAL_ERROR);
-                    ERR_R_INTERNAL_ERROR);
                al = SSL_AD_UNSUPPORTED_CERTIFICATE;
                goto f_err;
        }
@@ -2482,8 +2414,7 @@ ssl3_get_client_certificate(SSL *s)
        if (S3I(s)->tmp.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
                if ((s->verify_mode & SSL_VERIFY_PEER) &&
                    (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
-                        SSLerror(
+                        SSLerror(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
-                            SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
                        al = SSL_AD_HANDSHAKE_FAILURE;
                        goto f_err;
                }
@@ -2492,8 +2423,7 @@ ssl3_get_client_certificate(SSL *s)
                 * the client must return a 0 list.
                 */
                if (S3I(s)->tmp.cert_request) {
-                        SSLerror(
+                        SSLerror(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
-                            SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
                            );
                        al = SSL_AD_UNEXPECTED_MESSAGE;
                        goto f_err;
@@ -2504,8 +2434,7 @@ ssl3_get_client_certificate(SSL *s)
        if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE) {
                al = SSL_AD_UNEXPECTED_MESSAGE;
-                SSLerror(
+                SSLerror(SSL_R_WRONG_MESSAGE_TYPE);
-                    SSL_R_WRONG_MESSAGE_TYPE);
                goto f_err;
        }
@@ -2515,8 +2444,7 @@ ssl3_get_client_certificate(SSL *s)
        CBS_init(&cbs, s->internal->init_msg, n);
        if ((sk = sk_X509_new_null()) == NULL) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                goto err;
        }
@@ -2529,27 +2457,23 @@ ssl3_get_client_certificate(SSL *s)
                if (!CBS_get_u24_length_prefixed(&client_certs, &cert)) {
                        al = SSL_AD_DECODE_ERROR;
-                        SSLerror(
+                        SSLerror(SSL_R_CERT_LENGTH_MISMATCH);
-                            SSL_R_CERT_LENGTH_MISMATCH);
                        goto f_err;
                }
                q = CBS_data(&cert);
                x = d2i_X509(NULL, &q, CBS_len(&cert));
                if (x == NULL) {
-                        SSLerror(
+                        SSLerror(ERR_R_ASN1_LIB);
-                            ERR_R_ASN1_LIB);
                        goto err;
                }
                if (q != CBS_data(&cert) + CBS_len(&cert)) {
                        al = SSL_AD_DECODE_ERROR;
-                        SSLerror(
+                        SSLerror(SSL_R_CERT_LENGTH_MISMATCH);
-                            SSL_R_CERT_LENGTH_MISMATCH);
                        goto f_err;
                }
                if (!sk_X509_push(sk, x)) {
-                        SSLerror(
+                        SSLerror(ERR_R_MALLOC_FAILURE);
-                            ERR_R_MALLOC_FAILURE);
                        goto err;
                }
                x = NULL;
@@ -2562,8 +2486,7 @@ ssl3_get_client_certificate(SSL *s)
                 */
                if ((s->verify_mode & SSL_VERIFY_PEER) &&
                    (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
-                        SSLerror(
+                        SSLerror(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
-                            SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
                        al = SSL_AD_HANDSHAKE_FAILURE;
                        goto f_err;
                }
@@ -2576,8 +2499,7 @@ ssl3_get_client_certificate(SSL *s)
                i = ssl_verify_cert_chain(s, sk);
                if (i <= 0) {
                        al = ssl_verify_alarm_type(s->verify_result);
-                        SSLerror(
+                        SSLerror(SSL_R_NO_CERTIFICATE_RETURNED);
-                            SSL_R_NO_CERTIFICATE_RETURNED);
                        goto f_err;
                }
        }
@@ -2593,8 +2515,7 @@ ssl3_get_client_certificate(SSL *s)
        if (SSI(s)->sess_cert == NULL) {
                SSI(s)->sess_cert = ssl_sess_cert_new();
                if (SSI(s)->sess_cert == NULL) {
-                        SSLerror(
+                        SSLerror(ERR_R_MALLOC_FAILURE);
-                            ERR_R_MALLOC_FAILURE);
                        goto err;
                }
        }
@@ -2612,8 +2533,7 @@ ssl3_get_client_certificate(SSL *s)
        if (0) {
 truncated:
                al = SSL_AD_DECODE_ERROR;
-                SSLerror(
+                SSLerror(SSL_R_BAD_PACKET_LENGTH);
-                    SSL_R_BAD_PACKET_LENGTH);
 f_err:
                ssl3_send_alert(s, SSL3_AL_FATAL, al);
        }
@@ -2638,8 +2558,7 @@ ssl3_send_server_certificate(SSL *s)
        if (s->internal->state == SSL3_ST_SW_CERT_A) {
                if ((x = ssl_get_server_send_cert(s)) == NULL) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        return (0);
                }
@@ -2857,8 +2776,7 @@ ssl3_get_next_proto(SSL *s)
         * extension in their ClientHello
         */
        if (!S3I(s)->next_proto_neg_seen) {
-                SSLerror(
+                SSLerror(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
-                    SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
                return (-1);
        }
@@ -2874,8 +2792,7 @@ ssl3_get_next_proto(SSL *s)
         * by ssl3_get_finished).
         */
        if (!S3I(s)->change_cipher_spec) {
-                SSLerror(
+                SSLerror(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
-                    SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
                return (-1);
        }
@@ -2905,8 +2822,7 @@ ssl3_get_next_proto(SSL *s)
        s->internal->next_proto_negotiated_len = 0;
        if (!CBS_stow(&proto, &s->internal->next_proto_negotiated, &len)) {
-                SSLerror(
+                SSLerror(ERR_R_MALLOC_FAILURE);
-                    ERR_R_MALLOC_FAILURE);
                return (0);
        }
        s->internal->next_proto_negotiated_len = (uint8_t)len;
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index f79219561a..2ee521b073 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.94 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.95 2017/01/26 12:16:13 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -228,8 +228,7 @@ tls1_digest_cached_records(SSL *s)
        }
        hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata);
        if (hdatalen <= 0) {
-                SSLerror(
+                SSLerror(SSL_R_BAD_HANDSHAKE_LENGTH);
-                    SSL_R_BAD_HANDSHAKE_LENGTH);
                goto err;
        }
@@ -240,8 +239,7 @@ tls1_digest_cached_records(SSL *s)
                S3I(s)->handshake_dgst[i] = EVP_MD_CTX_create();
                if (S3I(s)->handshake_dgst[i] == NULL) {
-                        SSLerror(
+                        SSLerror(ERR_R_MALLOC_FAILURE);
-                            ERR_R_MALLOC_FAILURE);
                        goto err;
                }
                if (!EVP_DigestInit_ex(S3I(s)->handshake_dgst[i], md, NULL)) {
@@ -385,8 +383,7 @@ tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2,
                        count++;
        }
        if (count == 0) {
-                SSLerror(
+                SSLerror(SSL_R_SSL_HANDSHAKE_FAILURE);
-                    SSL_R_SSL_HANDSHAKE_FAILURE);
                goto err;
        }
        len = slen / count;
@@ -397,8 +394,7 @@ tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2,
        for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) {
                if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) {
                        if (!md) {
-                                SSLerror(
+                                SSLerror(SSL_R_UNSUPPORTED_DIGEST_TYPE);
-                                    SSL_R_UNSUPPORTED_DIGEST_TYPE);
                                goto err;
                        }
                        if (!tls1_P_hash(md , S1, len + (slen&1), seed1,
@@ -474,8 +470,7 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,
            EVP_AEAD_DEFAULT_TAG_LENGTH, NULL))
                return (0);
        if (iv_len > sizeof(aead_ctx->fixed_nonce)) {
-                SSLerror(
+                SSLerror(ERR_R_INTERNAL_ERROR);
-                    ERR_R_INTERNAL_ERROR);
                return (0);
        }
        memcpy(aead_ctx->fixed_nonce, iv, iv_len);
@@ -491,15 +486,13 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key,
        if (aead_ctx->xor_fixed_nonce) {
                if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) ||
                    aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        return (0);
                }
        } else {
                if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len !=
                    EVP_AEAD_nonce_length(aead)) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        return (0);
                }
        }
@@ -736,8 +729,7 @@ tls1_setup_key_block(SSL *s)
        if (s->session->cipher &&
            (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)) {
                if (!ssl_cipher_get_evp_aead(s->session, &aead)) {
-                        SSLerror(
+                        SSLerror(SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
-                            SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
                        return (0);
                }
                key_len = EVP_AEAD_key_length(aead);
@@ -745,8 +737,7 @@ tls1_setup_key_block(SSL *s)
        } else {
                if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type,
                    &mac_secret_size)) {
-                        SSLerror(
+                        SSLerror(SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
-                            SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
                        return (0);
                }
                key_len = EVP_CIPHER_key_length(cipher);
@@ -1345,8 +1336,7 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
        goto ret;
 err1:
-        SSLerror(
+        SSLerror(SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
-            SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
        rv = 0;
        goto ret;
 err2:
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index b3e86c0a31..2e9d31112d 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.113 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.114 2017/01/26 12:16:13 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -742,8 +742,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                int el;
                if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        return NULL;
                }
@@ -754,8 +753,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                s2n(el, ret);
                if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        return NULL;
                }
@@ -780,8 +778,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                if (formatslen > lenmax)
                        return NULL;
                if (formatslen > 255) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        return NULL;
                }
@@ -803,8 +800,7 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                if (curveslen * 2 > lenmax)
                        return NULL;
                if (curveslen * 2 > 65532) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        return NULL;
                }
@@ -946,8 +942,7 @@ skip_ext:
                s2n(el, ret);
                if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        return NULL;
                }
                ret += el;
@@ -1025,8 +1020,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                int el;
                if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        return NULL;
                }
@@ -1037,8 +1031,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                s2n(el, ret);
                if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        return NULL;
                }
@@ -1061,8 +1054,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                if (formatslen > lenmax)
                        return NULL;
                if (formatslen > 255) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        return NULL;
                }
@@ -1108,8 +1100,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                s2n(el, ret);
                if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
-                        SSLerror(
+                        SSLerror(ERR_R_INTERNAL_ERROR);
-                            ERR_R_INTERNAL_ERROR);
                        return NULL;
                }
                ret += el;
@@ -1627,8 +1618,7 @@ ri_check:
        if (!renegotiate_seen && s->internal->renegotiate) {
                *al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerror(
+                SSLerror(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
-                    SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
                return 0;
        }
@@ -1880,8 +1870,7 @@ ri_check:
        if (!renegotiate_seen &&
            !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
                *al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerror(
+                SSLerror(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
-                    SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
                return 0;
        }
diff --git a/src/lib/libssl/t1_reneg.c b/src/lib/libssl/t1_reneg.c
index ea432554b0..596b96edd3 100644
--- a/src/lib/libssl/t1_reneg.c
+++ b/src/lib/libssl/t1_reneg.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_reneg.c,v 1.13 2017/01/26 10:40:21 beck Exp $ */
+/* $OpenBSD: t1_reneg.c,v 1.14 2017/01/26 12:16:13 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -123,8 +123,7 @@ ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
 {
        if (p) {
                if ((S3I(s)->previous_client_finished_len + 1) > maxlen) {
-                        SSLerror(
+                        SSLerror(SSL_R_RENEGOTIATE_EXT_TOO_LONG);
-                            SSL_R_RENEGOTIATE_EXT_TOO_LONG);
                        return 0;
                }
@@ -151,8 +150,7 @@ ssl_parse_clienthello_renegotiate_ext(SSL *s, const unsigned char *d, int len,
        CBS cbs, reneg;
        if (len < 0) {
-                SSLerror(
+                SSLerror(SSL_R_RENEGOTIATION_ENCODING_ERR);
-                    SSL_R_RENEGOTIATION_ENCODING_ERR);
                *al = SSL_AD_ILLEGAL_PARAMETER;
                return 0;
        }
@@ -161,24 +159,21 @@ ssl_parse_clienthello_renegotiate_ext(SSL *s, const unsigned char *d, int len,
        if (!CBS_get_u8_length_prefixed(&cbs, &reneg) ||
            /* Consistency check */
            CBS_len(&cbs) != 0) {
-                SSLerror(
+                SSLerror(SSL_R_RENEGOTIATION_ENCODING_ERR);
-                    SSL_R_RENEGOTIATION_ENCODING_ERR);
                *al = SSL_AD_ILLEGAL_PARAMETER;
                return 0;
        }
        /* Check that the extension matches */
        if (CBS_len(&reneg) != S3I(s)->previous_client_finished_len) {
-                SSLerror(
+                SSLerror(SSL_R_RENEGOTIATION_MISMATCH);
-                    SSL_R_RENEGOTIATION_MISMATCH);
                *al = SSL_AD_HANDSHAKE_FAILURE;
                return 0;
        }
        if (!CBS_mem_equal(&reneg, S3I(s)->previous_client_finished,
            S3I(s)->previous_client_finished_len)) {
-                SSLerror(
+                SSLerror(SSL_R_RENEGOTIATION_MISMATCH);
-                    SSL_R_RENEGOTIATION_MISMATCH);
                *al = SSL_AD_HANDSHAKE_FAILURE;
                return 0;
        }
@@ -196,8 +191,7 @@ ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
        if (p) {
                if ((S3I(s)->previous_client_finished_len +
                    S3I(s)->previous_server_finished_len + 1) > maxlen) {
-                        SSLerror(
+                        SSLerror(SSL_R_RENEGOTIATE_EXT_TOO_LONG);
-                            SSL_R_RENEGOTIATE_EXT_TOO_LONG);
                        return 0;
                }
@@ -235,8 +229,7 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i
        OPENSSL_assert(!expected_len || S3I(s)->previous_server_finished_len);
        if (len < 0) {
-                SSLerror(
+                SSLerror(SSL_R_RENEGOTIATION_ENCODING_ERR);
-                    SSL_R_RENEGOTIATION_ENCODING_ERR);
                *al = SSL_AD_ILLEGAL_PARAMETER;
                return 0;
        }
@@ -246,8 +239,7 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i
        if (!CBS_get_u8_length_prefixed(&cbs, &reneg) ||
            /* Consistency check */
            CBS_len(&cbs) != 0) {
-                SSLerror(
+                SSLerror(SSL_R_RENEGOTIATION_ENCODING_ERR);
-                    SSL_R_RENEGOTIATION_ENCODING_ERR);
                *al = SSL_AD_ILLEGAL_PARAMETER;
                return 0;
        }
@@ -259,23 +251,20 @@ ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d, int len, i
            !CBS_get_bytes(&reneg, &previous_server,
            S3I(s)->previous_server_finished_len) ||
            CBS_len(&reneg) != 0) {
-                SSLerror(
+                SSLerror(SSL_R_RENEGOTIATION_MISMATCH);
-                    SSL_R_RENEGOTIATION_MISMATCH);
                *al = SSL_AD_HANDSHAKE_FAILURE;
                return 0;
        }
        if (!CBS_mem_equal(&previous_client, S3I(s)->previous_client_finished,
            CBS_len(&previous_client))) {
-                SSLerror(
+                SSLerror(SSL_R_RENEGOTIATION_MISMATCH);
-                    SSL_R_RENEGOTIATION_MISMATCH);
                *al = SSL_AD_HANDSHAKE_FAILURE;
                return 0;
        }
        if (!CBS_mem_equal(&previous_server, S3I(s)->previous_server_finished,
            CBS_len(&previous_server))) {
-                SSLerror(
+                SSLerror(SSL_R_RENEGOTIATION_MISMATCH);
-                    SSL_R_RENEGOTIATION_MISMATCH);
                *al = SSL_AD_ILLEGAL_PARAMETER;
                return 0;
        }
author	beck <>	2017-01-26 12:16:13 +0000
committer	beck <>	2017-01-26 12:16:13 +0000
commit	5ae189b08474853c519a12e66db1c17cfc3c9c8f (patch)
tree	b95866f4795db86411300333c648e4ce8e941899 /src
parent	10f32610e82e44521c0094ae91acbca090d36a58 (diff)
download	openbsd-5ae189b08474853c519a12e66db1c17cfc3c9c8f.tar.gz openbsd-5ae189b08474853c519a12e66db1c17cfc3c9c8f.tar.bz2 openbsd-5ae189b08474853c519a12e66db1c17cfc3c9c8f.zip