decompress libssl. ok beck jsing

49 files changed, 77 insertions, 1469 deletions

diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index f27588fcff..e25f69dbb6 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.23 2014/07/10 08:25:00 guenther Exp $ */
+/* $OpenBSD: d1_both.c,v 1.24 2014/07/10 08:51:14 tedu Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -944,7 +944,6 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
  * ssl->s3->read_sequence               zero
  * ssl->s3->read_mac_secret             re-init
  * ssl->session->read_sym_enc           assign
- * ssl->session->read_compression       assign
  * ssl->session->read_hash              assign
  */
 int
@@ -1160,7 +1159,6 @@ dtls1_buffer_message(SSL *s, int is_ccs)
         /* save current state*/
         frag->msg_header.saved_retransmit_state.enc_write_ctx = s->enc_write_ctx;
         frag->msg_header.saved_retransmit_state.write_hash = s->write_hash;
-        frag->msg_header.saved_retransmit_state.compress = s->compress;
         frag->msg_header.saved_retransmit_state.session = s->session;
         frag->msg_header.saved_retransmit_state.epoch = s->d1->w_epoch;
 
@@ -1229,7 +1227,6 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
         /* save current state */
         saved_state.enc_write_ctx = s->enc_write_ctx;
         saved_state.write_hash = s->write_hash;
-        saved_state.compress = s->compress;
         saved_state.session = s->session;
         saved_state.epoch = s->d1->w_epoch;
 
@@ -1238,7 +1235,6 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
         /* restore state in which the message was originally sent */
         s->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx;
         s->write_hash = frag->msg_header.saved_retransmit_state.write_hash;
-        s->compress = frag->msg_header.saved_retransmit_state.compress;
         s->session = frag->msg_header.saved_retransmit_state.session;
         s->d1->w_epoch = frag->msg_header.saved_retransmit_state.epoch;
 
@@ -1256,7 +1252,6 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
         /* restore current state */
         s->enc_write_ctx = saved_state.enc_write_ctx;
         s->write_hash = saved_state.write_hash;
-        s->compress = saved_state.compress;
         s->session = saved_state.session;
         s->d1->w_epoch = saved_state.epoch;
 
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 65b59f7987..04ae11d7bc 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.26 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.27 2014/07/10 08:51:14 tedu Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -544,15 +544,6 @@ dtls1_connect(SSL *s)
                         s->init_num = 0;
 
                         s->session->cipher = s->s3->tmp.new_cipher;
-#ifdef OPENSSL_NO_COMP
-                        s->session->compress_meth = 0;
-#else
-                        if (s->s3->tmp.new_compression == NULL)
-                                s->session->compress_meth = 0;
-                        else
-                                s->session->compress_meth =
-                                    s->s3->tmp.new_compression->id;
-#endif
                         if (!s->method->ssl3_enc->setup_key_block(s)) {
                                 ret = -1;
                                 goto end;
@@ -768,9 +759,8 @@ dtls1_client_hello(SSL *s)
 {
         unsigned char *buf;
         unsigned char *p, *d;
-        unsigned int i, j;
+        unsigned int i;
         unsigned long l;
-        SSL_COMP *comp;
 
         buf = (unsigned char *)s->init_buf->data;
         if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
@@ -839,16 +829,8 @@ dtls1_client_hello(SSL *s)
                 s2n(i, p);
                 p += i;
 
-                /* COMPRESSION */
-                if (s->ctx->comp_methods == NULL)
-                        j = 0;
-                else
-                        j = sk_SSL_COMP_num(s->ctx->comp_methods);
-                *(p++) = 1 + j;
-                for (i = 0; i < j; i++) {
-                        comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
-                        *(p++) = comp->id;
-                }
+                /* add in (no) COMPRESSION */
+                *(p++) = 1;
                 *(p++) = 0; /* Add the NULL method */
 
                 if ((p = ssl_add_clienthello_tlsext(s, p,
diff --git a/src/lib/libssl/d1_enc.c b/src/lib/libssl/d1_enc.c
index 104f233937..fe8df15a94 100644
--- a/src/lib/libssl/d1_enc.c
+++ b/src/lib/libssl/d1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_enc.c,v 1.5 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: d1_enc.c,v 1.6 2014/07/10 08:51:14 tedu Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -115,9 +115,6 @@
 
 #include <stdio.h>
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_COMP
-#include <openssl/comp.h>
-#endif
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 56e6939aed..c9ffab1f3c 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.31 2014/07/09 16:06:14 miod Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.32 2014/07/10 08:51:14 tedu Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -427,20 +427,6 @@ dtls1_process_record(SSL *s)
                 goto err;
         }
 
-        /* r->length is now just compressed */
-        if (s->expand != NULL) {
-                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
-                        al = SSL_AD_RECORD_OVERFLOW;
-                        SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
-                        goto f_err;
-                }
-                if (!ssl3_do_uncompress(s)) {
-                        al = SSL_AD_DECOMPRESSION_FAILURE;
-                        SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
-                        goto f_err;
-                }
-        }
-
         if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
                 al = SSL_AD_RECORD_OVERFLOW;
                 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1373,16 +1359,8 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
         /* we now 'read' from wr->input, wr->length bytes into
          * wr->data */
 
-        /* first we compress */
-        if (s->compress != NULL) {
-                if (!ssl3_do_compress(s)) {
-                        SSLerr(SSL_F_DO_DTLS1_WRITE, SSL_R_COMPRESSION_FAILURE);
-                        goto err;
-                }
-        } else {
-                memcpy(wr->data, wr->input, wr->length);
-                wr->input = wr->data;
-        }
+        memcpy(wr->data, wr->input, wr->length);
+        wr->input = wr->data;
 
         /* we should still have the output to wr->data and the input
          * from wr->input.  Length should be wr->length.
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index c01dc77254..9fdb6c290b 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.28 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.29 2014/07/10 08:51:14 tedu Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -946,14 +946,7 @@ dtls1_send_server_hello(SSL *s)
                 p += i;
 
                 /* put the compression method */
-#ifdef OPENSSL_NO_COMP
                 *(p++) = 0;
-#else
-                if (s->s3->tmp.new_compression == NULL)
-                        *(p++) = 0;
-                else
-                        *(p++) = s->s3->tmp.new_compression->id;
-#endif
 
                 if ((p = ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
                         SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
diff --git a/src/lib/libssl/dtls1.h b/src/lib/libssl/dtls1.h
index c6e302faf4..e7229fb56b 100644
--- a/src/lib/libssl/dtls1.h
+++ b/src/lib/libssl/dtls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dtls1.h,v 1.13 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: dtls1.h,v 1.14 2014/07/10 08:51:14 tedu Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -108,11 +108,6 @@ typedef struct dtls1_bitmap_st {
 struct dtls1_retransmit_state {
         EVP_CIPHER_CTX *enc_write_ctx;  /* cryptographic state */
         EVP_MD_CTX *write_hash;         /* used for mac generation */
-#ifndef OPENSSL_NO_COMP
-        COMP_CTX *compress;             /* compression */
-#else
-        char *compress;
-#endif
         SSL_SESSION *session;
         unsigned short epoch;
 };
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 510e729d55..e2f1544486 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.29 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.30 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -293,10 +293,6 @@ ssl23_client_hello(SSL *s)
         int i;
         unsigned long l;
         int version = 0, version_major, version_minor;
-#ifndef OPENSSL_NO_COMP
-        int j;
-        SSL_COMP *comp;
-#endif
         int ret;
         unsigned long mask, options = s->options;
 
@@ -384,21 +380,8 @@ ssl23_client_hello(SSL *s)
                 s2n(i, p);
                 p += i;
 
-                /* COMPRESSION */
-#ifdef OPENSSL_NO_COMP
+                /* add in (no) COMPRESSION */
                 *(p++) = 1;
-#else
-                if ((s->options & SSL_OP_NO_COMPRESSION) ||
-                    !s->ctx->comp_methods)
-                        j = 0;
-                else
-                        j = sk_SSL_COMP_num(s->ctx->comp_methods);
-                *(p++) = 1 + j;
-                for (i = 0; i < j; i++) {
-                        comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
-                        *(p++) = comp->id;
-                }
-#endif
                 /* Add the NULL method */
                 *(p++) = 0;
 
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index cd1a5174a7..caeb34b78e 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.29 2014/06/30 14:13:27 tedu Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.30 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -487,7 +487,7 @@ ssl23_get_client_hello(SSL *s)
                 }
                 s2n(j, dd);
 
-                /* COMPRESSION */
+                /* add in (no) COMPRESSION */
                 *(d++) = 1;
                 *(d++) = 0;
 
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index 2da6b527e1..500387e372 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.25 2014/06/19 21:29:51 tedu Exp $ */
+/* $OpenBSD: s3_both.c,v 1.26 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -287,7 +287,6 @@ f_err:
  * ssl->s3->read_sequence               zero
  * ssl->s3->read_mac_secret             re-init
  * ssl->session->read_sym_enc           assign
- * ssl->session->read_compression       assign
  * ssl->session->read_hash              assign
  */
 int
@@ -640,10 +639,6 @@ ssl3_setup_read_buffer(SSL *s)
                         s->s3->init_extra = 1;
                         len += SSL3_RT_MAX_EXTRA;
                 }
-#ifndef OPENSSL_NO_COMP
-                if (!(s->options & SSL_OP_NO_COMPRESSION))
-                        len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
-#endif
                 if ((p = malloc(len)) == NULL)
                         goto err;
                 s->s3->rbuf.buf = p;
@@ -676,10 +671,6 @@ ssl3_setup_write_buffer(SSL *s)
         if (s->s3->wbuf.buf == NULL) {
                 len = s->max_send_fragment +
                     SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
-#ifndef OPENSSL_NO_COMP
-                if (!(s->options & SSL_OP_NO_COMPRESSION))
-                        len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
-#endif
                 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
                         len += headerlen + align +
                             SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
diff --git a/src/lib/libssl/s3_cbc.c b/src/lib/libssl/s3_cbc.c
index 24f0a22d07..74bd4b47c8 100644
--- a/src/lib/libssl/s3_cbc.c
+++ b/src/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.7 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.8 2014/07/10 08:51:14 tedu Exp $ */
 /* ====================================================================
  * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
  *
@@ -169,8 +169,9 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size,
          * even length so the padding bug check cannot be performed. This bug
          * workaround has been around since SSLeay so hopefully it is either
          * fixed now or no buggy implementation supports compression [steve]
+         * (We don't support compression either, so it's not in operation.)
          */
-        if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand) {
+        if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)) {
                 /* First packet is even in size, so check */
                 if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",
                     SSL3_SEQUENCE_SIZE) == 0) && !(padding_length & 1)) {
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 61de494244..079544da84 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.73 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.74 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -472,15 +472,6 @@ ssl3_connect(SSL *s)
                         s->init_num = 0;
 
                         s->session->cipher = s->s3->tmp.new_cipher;
-#ifdef OPENSSL_NO_COMP
-                        s->session->compress_meth = 0;
-#else
-                        if (s->s3->tmp.new_compression == NULL)
-                                s->session->compress_meth = 0;
-                        else
-                                s->session->compress_meth =
-                                    s->s3->tmp.new_compression->id;
-#endif
                         if (!s->method->ssl3_enc->setup_key_block(s)) {
                                 ret = -1;
                                 goto end;
@@ -656,10 +647,6 @@ ssl3_client_hello(SSL *s)
         unsigned char   *p, *d;
         int              i;
         unsigned long    l;
-#ifndef OPENSSL_NO_COMP
-        int              j;
-        SSL_COMP         *comp;
-#endif
 
         buf = (unsigned char *)s->init_buf->data;
         if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
@@ -752,22 +739,8 @@ ssl3_client_hello(SSL *s)
                 s2n(i, p);
                 p += i;
 
-                /* COMPRESSION */
-#ifdef OPENSSL_NO_COMP
+                /* add in (no) COMPRESSION */
                 *(p++) = 1;
-#else
-
-                if ((s->options & SSL_OP_NO_COMPRESSION) ||
-                    !s->ctx->comp_methods)
-                        j = 0;
-                else
-                        j = sk_SSL_COMP_num(s->ctx->comp_methods);
-                *(p++) = 1 + j;
-                for (i = 0; i < j; i++) {
-                        comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
-                        *(p++) = comp->id;
-                }
-#endif
                 *(p++) = 0; /* Add the NULL method */
 
                 /* TLS extensions*/
@@ -809,9 +782,6 @@ ssl3_get_server_hello(SSL *s)
         int                      i, al, ok;
         unsigned int             j;
         long                     n;
-#ifndef OPENSSL_NO_COMP
-        SSL_COMP                *comp;
-#endif
 
         n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
             SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok);
@@ -963,50 +933,12 @@ ssl3_get_server_hello(SSL *s)
         }
         /* lets get the compression algorithm */
         /* COMPRESSION */
-#ifdef OPENSSL_NO_COMP
         if (*(p++) != 0) {
                 al = SSL_AD_ILLEGAL_PARAMETER;
                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
                     SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
                 goto f_err;
         }
-        /*
-         * If compression is disabled we'd better not try to resume a session
-         * using compression.
-         */
-        if (s->session->compress_meth != 0) {
-                al = SSL_AD_INTERNAL_ERROR;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                    SSL_R_INCONSISTENT_COMPRESSION);
-                goto f_err;
-        }
-#else
-        j= *(p++);
-        if (s->hit && j != s->session->compress_meth) {
-                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                    SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
-                goto f_err;
-        }
-        if (j == 0)
-                comp = NULL;
-        else if (s->options & SSL_OP_NO_COMPRESSION) {
-                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                    SSL_R_COMPRESSION_DISABLED);
-                goto f_err;
-        } else
-                comp = ssl3_comp_find(s->ctx->comp_methods, j);
-
-        if ((j != 0) && (comp == NULL)) {
-                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                    SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
-                goto f_err;
-        } else {
-                s->s3->tmp.new_compression = comp;
-        }
-#endif
 
         /* TLS extensions*/
         if (s->version >= SSL3_VERSION) {
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 5c4e530d34..400c1b87e0 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.67 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.68 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2420,7 +2420,6 @@ ssl3_free(SSL *s)
         ssl3_release_read_buffer(s);
         ssl3_release_write_buffer(s);
 
-        free(s->s3->rrec.comp);
         DH_free(s->s3->tmp.dh);
         EC_KEY_free(s->s3->tmp.ecdh);
 
@@ -2444,9 +2443,6 @@ ssl3_clear(SSL *s)
         if (s->s3->tmp.ca_names != NULL)
                 sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
 
-        free(s->s3->rrec.comp);
-        s->s3->rrec.comp = NULL;
-
         DH_free(s->s3->tmp.dh);
         s->s3->tmp.dh = NULL;
         EC_KEY_free(s->s3->tmp.ecdh);
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index a508d5ee49..237d90c581 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_pkt.c,v 1.48 2014/06/19 21:29:51 tedu Exp $ */
+/* $OpenBSD: s3_pkt.c,v 1.49 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -469,21 +469,6 @@ again:
                 goto f_err;
         }
 
-        /* r->length is now just compressed */
-        if (s->expand != NULL) {
-                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra) {
-                        al = SSL_AD_RECORD_OVERFLOW;
-                        SSLerr(SSL_F_SSL3_GET_RECORD,
-                            SSL_R_COMPRESSED_LENGTH_TOO_LONG);
-                        goto f_err;
-                }
-                if (!ssl3_do_uncompress(s)) {
-                        al = SSL_AD_DECOMPRESSION_FAILURE;
-                        SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION);
-                        goto f_err;
-                }
-        }
-
         if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH + extra) {
                 al = SSL_AD_RECORD_OVERFLOW;
                 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
@@ -516,46 +501,6 @@ err:
         return (ret);
 }
 
-int
-ssl3_do_uncompress(SSL *ssl)
-{
-#ifndef OPENSSL_NO_COMP
-        int i;
-        SSL3_RECORD *rr;
-
-        rr = &(ssl->s3->rrec);
-        i = COMP_expand_block(ssl->expand, rr->comp,
-        SSL3_RT_MAX_PLAIN_LENGTH, rr->data, (int)rr->length);
-        if (i < 0)
-                return (0);
-        else
-                rr->length = i;
-        rr->data = rr->comp;
-#endif
-        return (1);
-}
-
-int
-ssl3_do_compress(SSL *ssl)
-{
-#ifndef OPENSSL_NO_COMP
-        int i;
-        SSL3_RECORD *wr;
-
-        wr = &(ssl->s3->wrec);
-        i = COMP_compress_block(ssl->compress, wr->data,
-            SSL3_RT_MAX_COMPRESSED_LENGTH,
-            wr->input, (int)wr->length);
-        if (i < 0)
-                return (0);
-        else
-                wr->length = i;
-
-        wr->input = wr->data;
-#endif
-        return (1);
-}
-
 /* Call this to write data in records of type 'type'
  * It will return <= 0 if not all data has been sent or non-blocking IO.
  */
@@ -766,16 +711,8 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 
         /* we now 'read' from wr->input, wr->length bytes into wr->data */
 
-        /* first we compress */
-        if (s->compress != NULL) {
-                if (!ssl3_do_compress(s)) {
-                        SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_COMPRESSION_FAILURE);
-                        goto err;
-                }
-        } else {
-                memcpy(wr->data, wr->input, wr->length);
-                wr->input = wr->data;
-        }
+        memcpy(wr->data, wr->input, wr->length);
+        wr->input = wr->data;
 
         /* we should still have the output to wr->data and the input
          * from wr->input.  Length should be wr->length.
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index a3e62ea323..200b3b6bf2 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.69 2014/07/10 08:25:00 guenther Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.70 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -884,9 +884,6 @@ ssl3_get_client_hello(SSL *s)
         unsigned long id;
         unsigned char *p, *d, *q;
         SSL_CIPHER *c;
-#ifndef OPENSSL_NO_COMP
-        SSL_COMP *comp = NULL;
-#endif
         STACK_OF(SSL_CIPHER) *ciphers = NULL;
 
         /*
@@ -1173,96 +1170,11 @@ ssl3_get_client_hello(SSL *s)
         }
 
         /*
-         * Worst case, we will use the NULL compression, but if we have other
-         * options, we will now look for them.  We have i-1 compression
-         * algorithms from the client, starting at q.
-         */
-        s->s3->tmp.new_compression = NULL;
-#ifndef OPENSSL_NO_COMP
-        /* This only happens if we have a cache hit */
-        if (s->session->compress_meth != 0) {
-                int m, comp_id = s->session->compress_meth;
-                /* Perform sanity checks on resumed compression algorithm */
-                /* Can't disable compression */
-                if (s->options & SSL_OP_NO_COMPRESSION) {
-                        al = SSL_AD_INTERNAL_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                            SSL_R_INCONSISTENT_COMPRESSION);
-                        goto f_err;
-                }
-                /* Look for resumed compression method */
-                for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
-                        comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
-                        if (comp_id == comp->id) {
-                                s->s3->tmp.new_compression = comp;
-                                break;
-                        }
-                }
-                if (s->s3->tmp.new_compression == NULL) {
-                        al = SSL_AD_INTERNAL_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                            SSL_R_INVALID_COMPRESSION_ALGORITHM);
-                        goto f_err;
-                }
-                /* Look for resumed method in compression list */
-                for (m = 0; m < i; m++) {
-                        if (q[m] == comp_id)
-                                break;
-                }
-                if (m >= i) {
-                        al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                            SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
-                        goto f_err;
-                }
-        } else if (s->hit)
-                comp = NULL;
-        else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
-        { /* See if we have a match */
-                int m, nn, o, v, done = 0;
-
-                nn = sk_SSL_COMP_num(s->ctx->comp_methods);
-                for (m = 0; m < nn; m++) {
-                        comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
-                        v = comp->id;
-                        for (o = 0; o < i; o++) {
-                                if (v == q[o]) {
-                                        done = 1;
-                                        break;
-                                }
-                        }
-                        if (done)
-                                break;
-                }
-                if (done)
-                        s->s3->tmp.new_compression = comp;
-                else
-                        comp = NULL;
-        }
-#else
-        /*
-         * If compression is disabled we'd better not try to resume a session
-         * using compression.
-         */
-        if (s->session->compress_meth != 0) {
-                al = SSL_AD_INTERNAL_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                    SSL_R_INCONSISTENT_COMPRESSION);
-                goto f_err;
-        }
-#endif
-
-        /*
          * Given s->session->ciphers and SSL_get_ciphers, we must
          * pick a cipher
          */
 
         if (!s->hit) {
-#ifdef OPENSSL_NO_COMP
-                s->session->compress_meth = 0;
-#else
-                s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
-#endif
                 if (s->session->ciphers != NULL)
                         sk_SSL_CIPHER_free(s->session->ciphers);
                 s->session->ciphers = ciphers;
@@ -1405,14 +1317,7 @@ ssl3_send_server_hello(SSL *s)
                 p += i;
 
                 /* put the compression method */
-#ifdef OPENSSL_NO_COMP
                 *(p++) = 0;
-#else
-                if (s->s3->tmp.new_compression == NULL)
-                        *(p++) = 0;
-                else
-                        *(p++) = s->s3->tmp.new_compression->id;
-#endif
                 if (ssl_prepare_serverhello_tlsext(s) <= 0) {
                         SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
                             SSL_R_SERVERHELLO_TLSEXT);
diff --git a/src/lib/libssl/src/ssl/d1_both.c b/src/lib/libssl/src/ssl/d1_both.c
index f27588fcff..e25f69dbb6 100644
--- a/src/lib/libssl/src/ssl/d1_both.c
+++ b/src/lib/libssl/src/ssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.23 2014/07/10 08:25:00 guenther Exp $ */
+/* $OpenBSD: d1_both.c,v 1.24 2014/07/10 08:51:14 tedu Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -944,7 +944,6 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
  * ssl->s3->read_sequence               zero
  * ssl->s3->read_mac_secret             re-init
  * ssl->session->read_sym_enc           assign
- * ssl->session->read_compression       assign
  * ssl->session->read_hash              assign
  */
 int
@@ -1160,7 +1159,6 @@ dtls1_buffer_message(SSL *s, int is_ccs)
         /* save current state*/
         frag->msg_header.saved_retransmit_state.enc_write_ctx = s->enc_write_ctx;
         frag->msg_header.saved_retransmit_state.write_hash = s->write_hash;
-        frag->msg_header.saved_retransmit_state.compress = s->compress;
         frag->msg_header.saved_retransmit_state.session = s->session;
         frag->msg_header.saved_retransmit_state.epoch = s->d1->w_epoch;
 
@@ -1229,7 +1227,6 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
         /* save current state */
         saved_state.enc_write_ctx = s->enc_write_ctx;
         saved_state.write_hash = s->write_hash;
-        saved_state.compress = s->compress;
         saved_state.session = s->session;
         saved_state.epoch = s->d1->w_epoch;
 
@@ -1238,7 +1235,6 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
         /* restore state in which the message was originally sent */
         s->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx;
         s->write_hash = frag->msg_header.saved_retransmit_state.write_hash;
-        s->compress = frag->msg_header.saved_retransmit_state.compress;
         s->session = frag->msg_header.saved_retransmit_state.session;
         s->d1->w_epoch = frag->msg_header.saved_retransmit_state.epoch;
 
@@ -1256,7 +1252,6 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
         /* restore current state */
         s->enc_write_ctx = saved_state.enc_write_ctx;
         s->write_hash = saved_state.write_hash;
-        s->compress = saved_state.compress;
         s->session = saved_state.session;
         s->d1->w_epoch = saved_state.epoch;
 
diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c
index 65b59f7987..04ae11d7bc 100644
--- a/src/lib/libssl/src/ssl/d1_clnt.c
+++ b/src/lib/libssl/src/ssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.26 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.27 2014/07/10 08:51:14 tedu Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -544,15 +544,6 @@ dtls1_connect(SSL *s)
                         s->init_num = 0;
 
                         s->session->cipher = s->s3->tmp.new_cipher;
-#ifdef OPENSSL_NO_COMP
-                        s->session->compress_meth = 0;
-#else
-                        if (s->s3->tmp.new_compression == NULL)
-                                s->session->compress_meth = 0;
-                        else
-                                s->session->compress_meth =
-                                    s->s3->tmp.new_compression->id;
-#endif
                         if (!s->method->ssl3_enc->setup_key_block(s)) {
                                 ret = -1;
                                 goto end;
@@ -768,9 +759,8 @@ dtls1_client_hello(SSL *s)
 {
         unsigned char *buf;
         unsigned char *p, *d;
-        unsigned int i, j;
+        unsigned int i;
         unsigned long l;
-        SSL_COMP *comp;
 
         buf = (unsigned char *)s->init_buf->data;
         if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
@@ -839,16 +829,8 @@ dtls1_client_hello(SSL *s)
                 s2n(i, p);
                 p += i;
 
-                /* COMPRESSION */
-                if (s->ctx->comp_methods == NULL)
-                        j = 0;
-                else
-                        j = sk_SSL_COMP_num(s->ctx->comp_methods);
-                *(p++) = 1 + j;
-                for (i = 0; i < j; i++) {
-                        comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
-                        *(p++) = comp->id;
-                }
+                /* add in (no) COMPRESSION */
+                *(p++) = 1;
                 *(p++) = 0; /* Add the NULL method */
 
                 if ((p = ssl_add_clienthello_tlsext(s, p,
diff --git a/src/lib/libssl/src/ssl/d1_enc.c b/src/lib/libssl/src/ssl/d1_enc.c
index 104f233937..fe8df15a94 100644
--- a/src/lib/libssl/src/ssl/d1_enc.c
+++ b/src/lib/libssl/src/ssl/d1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_enc.c,v 1.5 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: d1_enc.c,v 1.6 2014/07/10 08:51:14 tedu Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -115,9 +115,6 @@
 
 #include <stdio.h>
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_COMP
-#include <openssl/comp.h>
-#endif
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
diff --git a/src/lib/libssl/src/ssl/d1_pkt.c b/src/lib/libssl/src/ssl/d1_pkt.c
index 56e6939aed..c9ffab1f3c 100644
--- a/src/lib/libssl/src/ssl/d1_pkt.c
+++ b/src/lib/libssl/src/ssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.31 2014/07/09 16:06:14 miod Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.32 2014/07/10 08:51:14 tedu Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -427,20 +427,6 @@ dtls1_process_record(SSL *s)
                 goto err;
         }
 
-        /* r->length is now just compressed */
-        if (s->expand != NULL) {
-                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
-                        al = SSL_AD_RECORD_OVERFLOW;
-                        SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
-                        goto f_err;
-                }
-                if (!ssl3_do_uncompress(s)) {
-                        al = SSL_AD_DECOMPRESSION_FAILURE;
-                        SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
-                        goto f_err;
-                }
-        }
-
         if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
                 al = SSL_AD_RECORD_OVERFLOW;
                 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1373,16 +1359,8 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
         /* we now 'read' from wr->input, wr->length bytes into
          * wr->data */
 
-        /* first we compress */
-        if (s->compress != NULL) {
-                if (!ssl3_do_compress(s)) {
-                        SSLerr(SSL_F_DO_DTLS1_WRITE, SSL_R_COMPRESSION_FAILURE);
-                        goto err;
-                }
-        } else {
-                memcpy(wr->data, wr->input, wr->length);
-                wr->input = wr->data;
-        }
+        memcpy(wr->data, wr->input, wr->length);
+        wr->input = wr->data;
 
         /* we should still have the output to wr->data and the input
          * from wr->input.  Length should be wr->length.
diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c
index c01dc77254..9fdb6c290b 100644
--- a/src/lib/libssl/src/ssl/d1_srvr.c
+++ b/src/lib/libssl/src/ssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.28 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.29 2014/07/10 08:51:14 tedu Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -946,14 +946,7 @@ dtls1_send_server_hello(SSL *s)
                 p += i;
 
                 /* put the compression method */
-#ifdef OPENSSL_NO_COMP
                 *(p++) = 0;
-#else
-                if (s->s3->tmp.new_compression == NULL)
-                        *(p++) = 0;
-                else
-                        *(p++) = s->s3->tmp.new_compression->id;
-#endif
 
                 if ((p = ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) {
                         SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
diff --git a/src/lib/libssl/src/ssl/dtls1.h b/src/lib/libssl/src/ssl/dtls1.h
index c6e302faf4..e7229fb56b 100644
--- a/src/lib/libssl/src/ssl/dtls1.h
+++ b/src/lib/libssl/src/ssl/dtls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dtls1.h,v 1.13 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: dtls1.h,v 1.14 2014/07/10 08:51:14 tedu Exp $ */
 /* 
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
@@ -108,11 +108,6 @@ typedef struct dtls1_bitmap_st {
 struct dtls1_retransmit_state {
         EVP_CIPHER_CTX *enc_write_ctx;  /* cryptographic state */
         EVP_MD_CTX *write_hash;         /* used for mac generation */
-#ifndef OPENSSL_NO_COMP
-        COMP_CTX *compress;             /* compression */
-#else
-        char *compress;
-#endif
         SSL_SESSION *session;
         unsigned short epoch;
 };
diff --git a/src/lib/libssl/src/ssl/s23_clnt.c b/src/lib/libssl/src/ssl/s23_clnt.c
index 510e729d55..e2f1544486 100644
--- a/src/lib/libssl/src/ssl/s23_clnt.c
+++ b/src/lib/libssl/src/ssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.29 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.30 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -293,10 +293,6 @@ ssl23_client_hello(SSL *s)
         int i;
         unsigned long l;
         int version = 0, version_major, version_minor;
-#ifndef OPENSSL_NO_COMP
-        int j;
-        SSL_COMP *comp;
-#endif
         int ret;
         unsigned long mask, options = s->options;
 
@@ -384,21 +380,8 @@ ssl23_client_hello(SSL *s)
                 s2n(i, p);
                 p += i;
 
-                /* COMPRESSION */
-#ifdef OPENSSL_NO_COMP
+                /* add in (no) COMPRESSION */
                 *(p++) = 1;
-#else
-                if ((s->options & SSL_OP_NO_COMPRESSION) ||
-                    !s->ctx->comp_methods)
-                        j = 0;
-                else
-                        j = sk_SSL_COMP_num(s->ctx->comp_methods);
-                *(p++) = 1 + j;
-                for (i = 0; i < j; i++) {
-                        comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
-                        *(p++) = comp->id;
-                }
-#endif
                 /* Add the NULL method */
                 *(p++) = 0;
 
diff --git a/src/lib/libssl/src/ssl/s23_srvr.c b/src/lib/libssl/src/ssl/s23_srvr.c
index cd1a5174a7..caeb34b78e 100644
--- a/src/lib/libssl/src/ssl/s23_srvr.c
+++ b/src/lib/libssl/src/ssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.29 2014/06/30 14:13:27 tedu Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.30 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -487,7 +487,7 @@ ssl23_get_client_hello(SSL *s)
                 }
                 s2n(j, dd);
 
-                /* COMPRESSION */
+                /* add in (no) COMPRESSION */
                 *(d++) = 1;
                 *(d++) = 0;
 
diff --git a/src/lib/libssl/src/ssl/s3_both.c b/src/lib/libssl/src/ssl/s3_both.c
index 2da6b527e1..500387e372 100644
--- a/src/lib/libssl/src/ssl/s3_both.c
+++ b/src/lib/libssl/src/ssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.25 2014/06/19 21:29:51 tedu Exp $ */
+/* $OpenBSD: s3_both.c,v 1.26 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -287,7 +287,6 @@ f_err:
  * ssl->s3->read_sequence               zero
  * ssl->s3->read_mac_secret             re-init
  * ssl->session->read_sym_enc           assign
- * ssl->session->read_compression       assign
  * ssl->session->read_hash              assign
  */
 int
@@ -640,10 +639,6 @@ ssl3_setup_read_buffer(SSL *s)
                         s->s3->init_extra = 1;
                         len += SSL3_RT_MAX_EXTRA;
                 }
-#ifndef OPENSSL_NO_COMP
-                if (!(s->options & SSL_OP_NO_COMPRESSION))
-                        len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
-#endif
                 if ((p = malloc(len)) == NULL)
                         goto err;
                 s->s3->rbuf.buf = p;
@@ -676,10 +671,6 @@ ssl3_setup_write_buffer(SSL *s)
         if (s->s3->wbuf.buf == NULL) {
                 len = s->max_send_fragment +
                     SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
-#ifndef OPENSSL_NO_COMP
-                if (!(s->options & SSL_OP_NO_COMPRESSION))
-                        len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
-#endif
                 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
                         len += headerlen + align +
                             SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
diff --git a/src/lib/libssl/src/ssl/s3_cbc.c b/src/lib/libssl/src/ssl/s3_cbc.c
index 24f0a22d07..74bd4b47c8 100644
--- a/src/lib/libssl/src/ssl/s3_cbc.c
+++ b/src/lib/libssl/src/ssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.7 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.8 2014/07/10 08:51:14 tedu Exp $ */
 /* ====================================================================
  * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
  *
@@ -169,8 +169,9 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size,
          * even length so the padding bug check cannot be performed. This bug
          * workaround has been around since SSLeay so hopefully it is either
          * fixed now or no buggy implementation supports compression [steve]
+         * (We don't support compression either, so it's not in operation.)
          */
-        if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand) {
+        if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)) {
                 /* First packet is even in size, so check */
                 if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",
                     SSL3_SEQUENCE_SIZE) == 0) && !(padding_length & 1)) {
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 61de494244..079544da84 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.73 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.74 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -472,15 +472,6 @@ ssl3_connect(SSL *s)
                         s->init_num = 0;
 
                         s->session->cipher = s->s3->tmp.new_cipher;
-#ifdef OPENSSL_NO_COMP
-                        s->session->compress_meth = 0;
-#else
-                        if (s->s3->tmp.new_compression == NULL)
-                                s->session->compress_meth = 0;
-                        else
-                                s->session->compress_meth =
-                                    s->s3->tmp.new_compression->id;
-#endif
                         if (!s->method->ssl3_enc->setup_key_block(s)) {
                                 ret = -1;
                                 goto end;
@@ -656,10 +647,6 @@ ssl3_client_hello(SSL *s)
         unsigned char   *p, *d;
         int              i;
         unsigned long    l;
-#ifndef OPENSSL_NO_COMP
-        int              j;
-        SSL_COMP         *comp;
-#endif
 
         buf = (unsigned char *)s->init_buf->data;
         if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
@@ -752,22 +739,8 @@ ssl3_client_hello(SSL *s)
                 s2n(i, p);
                 p += i;
 
-                /* COMPRESSION */
-#ifdef OPENSSL_NO_COMP
+                /* add in (no) COMPRESSION */
                 *(p++) = 1;
-#else
-
-                if ((s->options & SSL_OP_NO_COMPRESSION) ||
-                    !s->ctx->comp_methods)
-                        j = 0;
-                else
-                        j = sk_SSL_COMP_num(s->ctx->comp_methods);
-                *(p++) = 1 + j;
-                for (i = 0; i < j; i++) {
-                        comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
-                        *(p++) = comp->id;
-                }
-#endif
                 *(p++) = 0; /* Add the NULL method */
 
                 /* TLS extensions*/
@@ -809,9 +782,6 @@ ssl3_get_server_hello(SSL *s)
         int                      i, al, ok;
         unsigned int             j;
         long                     n;
-#ifndef OPENSSL_NO_COMP
-        SSL_COMP                *comp;
-#endif
 
         n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
             SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok);
@@ -963,50 +933,12 @@ ssl3_get_server_hello(SSL *s)
         }
         /* lets get the compression algorithm */
         /* COMPRESSION */
-#ifdef OPENSSL_NO_COMP
         if (*(p++) != 0) {
                 al = SSL_AD_ILLEGAL_PARAMETER;
                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
                     SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
                 goto f_err;
         }
-        /*
-         * If compression is disabled we'd better not try to resume a session
-         * using compression.
-         */
-        if (s->session->compress_meth != 0) {
-                al = SSL_AD_INTERNAL_ERROR;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                    SSL_R_INCONSISTENT_COMPRESSION);
-                goto f_err;
-        }
-#else
-        j= *(p++);
-        if (s->hit && j != s->session->compress_meth) {
-                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                    SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
-                goto f_err;
-        }
-        if (j == 0)
-                comp = NULL;
-        else if (s->options & SSL_OP_NO_COMPRESSION) {
-                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                    SSL_R_COMPRESSION_DISABLED);
-                goto f_err;
-        } else
-                comp = ssl3_comp_find(s->ctx->comp_methods, j);
-
-        if ((j != 0) && (comp == NULL)) {
-                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                    SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
-                goto f_err;
-        } else {
-                s->s3->tmp.new_compression = comp;
-        }
-#endif
 
         /* TLS extensions*/
         if (s->version >= SSL3_VERSION) {
diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c
index 5111e0e4fa..d9fedfbb1a 100644
--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_enc.c,v 1.51 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: s3_enc.c,v 1.52 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -225,9 +225,6 @@ ssl3_change_cipher_state(SSL *s, int which)
         const EVP_CIPHER *cipher;
         const EVP_MD *mac;
 
-#ifndef OPENSSL_NO_COMP
-        const SSL_COMP *comp;
-#endif
 
         cipher = s->s3->tmp.new_sym_enc;
         mac = s->s3->tmp.new_hash;
@@ -250,41 +247,6 @@ ssl3_change_cipher_state(SSL *s, int which)
         use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
             (which == SSL3_CHANGE_CIPHER_SERVER_READ));
 
-#ifndef OPENSSL_NO_COMP
-        comp = s->s3->tmp.new_compression;
-        if (is_read) {
-                if (s->expand != NULL) {
-                        COMP_CTX_free(s->expand);
-                        s->expand = NULL;
-                }
-                if (comp != NULL) {
-                        s->expand = COMP_CTX_new(comp->method);
-                        if (s->expand == NULL) {
-                                SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
-                                    SSL_R_COMPRESSION_LIBRARY_ERROR);
-                                goto err2;
-                        }
-                        if (s->s3->rrec.comp == NULL)
-                                s->s3->rrec.comp =
-                                    malloc(SSL3_RT_MAX_PLAIN_LENGTH);
-                        if (s->s3->rrec.comp == NULL)
-                                goto err;
-                }
-        } else {
-                if (s->compress != NULL) {
-                        COMP_CTX_free(s->compress);
-                        s->compress = NULL;
-                }
-                if (comp != NULL) {
-                        s->compress = COMP_CTX_new(comp->method);
-                        if (s->compress == NULL) {
-                                SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
-                                    SSL_R_COMPRESSION_LIBRARY_ERROR);
-                                goto err2;
-                        }
-                }
-        }
-#endif
 
         if (is_read) {
                 EVP_CIPHER_CTX_free(s->enc_read_ctx);
@@ -365,17 +327,10 @@ ssl3_setup_key_block(SSL *s)
         const EVP_CIPHER *cipher;
         const EVP_MD *mac;
         int ret = 0;
-        SSL_COMP *comp;
 
         if (s->s3->tmp.key_block_length != 0)
                 return (1);
 
-        if (!ssl_cipher_get_comp(s->session, &comp)) {
-                SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,
-                    SSL_R_CIPHER_COMPRESSION_UNAVAILABLE);
-                return (0);
-        }
-
         if (!ssl_cipher_get_evp(s->session, &cipher, &mac, NULL, NULL)) {
                 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,
                     SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
@@ -384,7 +339,6 @@ ssl3_setup_key_block(SSL *s)
 
         s->s3->tmp.new_sym_enc = cipher;
         s->s3->tmp.new_hash = mac;
-        s->s3->tmp.new_compression = comp;
 
         mac_len = EVP_MD_size(mac);
         key_len = EVP_CIPHER_key_length(cipher);
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index 5c4e530d34..400c1b87e0 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.67 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.68 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2420,7 +2420,6 @@ ssl3_free(SSL *s)
         ssl3_release_read_buffer(s);
         ssl3_release_write_buffer(s);
 
-        free(s->s3->rrec.comp);
         DH_free(s->s3->tmp.dh);
         EC_KEY_free(s->s3->tmp.ecdh);
 
@@ -2444,9 +2443,6 @@ ssl3_clear(SSL *s)
         if (s->s3->tmp.ca_names != NULL)
                 sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
 
-        free(s->s3->rrec.comp);
-        s->s3->rrec.comp = NULL;
-
         DH_free(s->s3->tmp.dh);
         s->s3->tmp.dh = NULL;
         EC_KEY_free(s->s3->tmp.ecdh);
diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c
index a508d5ee49..237d90c581 100644
--- a/src/lib/libssl/src/ssl/s3_pkt.c
+++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_pkt.c,v 1.48 2014/06/19 21:29:51 tedu Exp $ */
+/* $OpenBSD: s3_pkt.c,v 1.49 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -469,21 +469,6 @@ again:
                 goto f_err;
         }
 
-        /* r->length is now just compressed */
-        if (s->expand != NULL) {
-                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra) {
-                        al = SSL_AD_RECORD_OVERFLOW;
-                        SSLerr(SSL_F_SSL3_GET_RECORD,
-                            SSL_R_COMPRESSED_LENGTH_TOO_LONG);
-                        goto f_err;
-                }
-                if (!ssl3_do_uncompress(s)) {
-                        al = SSL_AD_DECOMPRESSION_FAILURE;
-                        SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_DECOMPRESSION);
-                        goto f_err;
-                }
-        }
-
         if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH + extra) {
                 al = SSL_AD_RECORD_OVERFLOW;
                 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
@@ -516,46 +501,6 @@ err:
         return (ret);
 }
 
-int
-ssl3_do_uncompress(SSL *ssl)
-{
-#ifndef OPENSSL_NO_COMP
-        int i;
-        SSL3_RECORD *rr;
-
-        rr = &(ssl->s3->rrec);
-        i = COMP_expand_block(ssl->expand, rr->comp,
-        SSL3_RT_MAX_PLAIN_LENGTH, rr->data, (int)rr->length);
-        if (i < 0)
-                return (0);
-        else
-                rr->length = i;
-        rr->data = rr->comp;
-#endif
-        return (1);
-}
-
-int
-ssl3_do_compress(SSL *ssl)
-{
-#ifndef OPENSSL_NO_COMP
-        int i;
-        SSL3_RECORD *wr;
-
-        wr = &(ssl->s3->wrec);
-        i = COMP_compress_block(ssl->compress, wr->data,
-            SSL3_RT_MAX_COMPRESSED_LENGTH,
-            wr->input, (int)wr->length);
-        if (i < 0)
-                return (0);
-        else
-                wr->length = i;
-
-        wr->input = wr->data;
-#endif
-        return (1);
-}
-
 /* Call this to write data in records of type 'type'
  * It will return <= 0 if not all data has been sent or non-blocking IO.
  */
@@ -766,16 +711,8 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 
         /* we now 'read' from wr->input, wr->length bytes into wr->data */
 
-        /* first we compress */
-        if (s->compress != NULL) {
-                if (!ssl3_do_compress(s)) {
-                        SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_COMPRESSION_FAILURE);
-                        goto err;
-                }
-        } else {
-                memcpy(wr->data, wr->input, wr->length);
-                wr->input = wr->data;
-        }
+        memcpy(wr->data, wr->input, wr->length);
+        wr->input = wr->data;
 
         /* we should still have the output to wr->data and the input
          * from wr->input.  Length should be wr->length.
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index a3e62ea323..200b3b6bf2 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.69 2014/07/10 08:25:00 guenther Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.70 2014/07/10 08:51:14 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -884,9 +884,6 @@ ssl3_get_client_hello(SSL *s)
         unsigned long id;
         unsigned char *p, *d, *q;
         SSL_CIPHER *c;
-#ifndef OPENSSL_NO_COMP
-        SSL_COMP *comp = NULL;
-#endif
         STACK_OF(SSL_CIPHER) *ciphers = NULL;
 
         /*
@@ -1173,96 +1170,11 @@ ssl3_get_client_hello(SSL *s)
         }
 
         /*
-         * Worst case, we will use the NULL compression, but if we have other
-         * options, we will now look for them.  We have i-1 compression
-         * algorithms from the client, starting at q.
-         */
-        s->s3->tmp.new_compression = NULL;
-#ifndef OPENSSL_NO_COMP
-        /* This only happens if we have a cache hit */
-        if (s->session->compress_meth != 0) {
-                int m, comp_id = s->session->compress_meth;
-                /* Perform sanity checks on resumed compression algorithm */
-                /* Can't disable compression */
-                if (s->options & SSL_OP_NO_COMPRESSION) {
-                        al = SSL_AD_INTERNAL_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                            SSL_R_INCONSISTENT_COMPRESSION);
-                        goto f_err;
-                }
-                /* Look for resumed compression method */
-                for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
-                        comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
-                        if (comp_id == comp->id) {
-                                s->s3->tmp.new_compression = comp;
-                                break;
-                        }
-                }
-                if (s->s3->tmp.new_compression == NULL) {
-                        al = SSL_AD_INTERNAL_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                            SSL_R_INVALID_COMPRESSION_ALGORITHM);
-                        goto f_err;
-                }
-                /* Look for resumed method in compression list */
-                for (m = 0; m < i; m++) {
-                        if (q[m] == comp_id)
-                                break;
-                }
-                if (m >= i) {
-                        al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                            SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
-                        goto f_err;
-                }
-        } else if (s->hit)
-                comp = NULL;
-        else if (!(s->options & SSL_OP_NO_COMPRESSION) && s->ctx->comp_methods)
-        { /* See if we have a match */
-                int m, nn, o, v, done = 0;
-
-                nn = sk_SSL_COMP_num(s->ctx->comp_methods);
-                for (m = 0; m < nn; m++) {
-                        comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
-                        v = comp->id;
-                        for (o = 0; o < i; o++) {
-                                if (v == q[o]) {
-                                        done = 1;
-                                        break;
-                                }
-                        }
-                        if (done)
-                                break;
-                }
-                if (done)
-                        s->s3->tmp.new_compression = comp;
-                else
-                        comp = NULL;
-        }
-#else
-        /*
-         * If compression is disabled we'd better not try to resume a session
-         * using compression.
-         */
-        if (s->session->compress_meth != 0) {
-                al = SSL_AD_INTERNAL_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                    SSL_R_INCONSISTENT_COMPRESSION);
-                goto f_err;
-        }
-#endif
-
-        /*
          * Given s->session->ciphers and SSL_get_ciphers, we must
          * pick a cipher
          */
 
         if (!s->hit) {
-#ifdef OPENSSL_NO_COMP
-                s->session->compress_meth = 0;
-#else
-                s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
-#endif
                 if (s->session->ciphers != NULL)
                         sk_SSL_CIPHER_free(s->session->ciphers);
                 s->session->ciphers = ciphers;
@@ -1405,14 +1317,7 @@ ssl3_send_server_hello(SSL *s)
                 p += i;
 
                 /* put the compression method */
-#ifdef OPENSSL_NO_COMP
                 *(p++) = 0;
-#else
-                if (s->s3->tmp.new_compression == NULL)
-                        *(p++) = 0;
-                else
-                        *(p++) = s->s3->tmp.new_compression->id;
-#endif
                 if (ssl_prepare_serverhello_tlsext(s) <= 0) {
                         SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,
                             SSL_R_SERVERHELLO_TLSEXT);
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index b1eeb85c64..18218f4c61 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.57 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.58 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -145,9 +145,6 @@
 
 #include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_NO_COMP
-#include <openssl/comp.h>
-#endif
 #ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
@@ -488,8 +485,6 @@ struct ssl_session_st {
         time_t time;
         int references;
 
-        unsigned int compress_meth;     /* Need to lookup the method */
-
         const SSL_CIPHER *cipher;
         unsigned long cipher_id;        /* when ASN.1 loaded, this
                                          * needs to be used to load
@@ -682,11 +677,6 @@ typedef struct ssl_comp_st SSL_COMP;
 struct ssl_comp_st {
         int id;
         const char *name;
-#ifndef OPENSSL_NO_COMP
-        COMP_METHOD *method;
-#else
-        char *method;
-#endif
 };
 
 DECLARE_STACK_OF(SSL_COMP)
@@ -1099,11 +1089,6 @@ struct ssl_st {
 
         EVP_CIPHER_CTX *enc_read_ctx;           /* cryptographic state */
         EVP_MD_CTX *read_hash;                  /* used for mac generation */
-#ifndef OPENSSL_NO_COMP
-        COMP_CTX *expand;                       /* uncompress */
-#else
-        char *expand;
-#endif
 
         SSL_AEAD_CTX *aead_write_ctx;   /* AEAD context. If non-NULL, then
                                            enc_write_ctx and write_hash are
@@ -1111,12 +1096,6 @@ struct ssl_st {
 
         EVP_CIPHER_CTX *enc_write_ctx;          /* cryptographic state */
         EVP_MD_CTX *write_hash;                 /* used for mac generation */
-#ifndef OPENSSL_NO_COMP
-        COMP_CTX *compress;                     /* compression */
-#else
-        char *compress;
-
-#endif
 
         /* session info */
 
@@ -1836,20 +1815,6 @@ void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
 void SSL_set_tmp_ecdh_callback(SSL *ssl,
     EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
 
-#ifndef OPENSSL_NO_COMP
-const COMP_METHOD *SSL_get_current_compression(SSL *s);
-const COMP_METHOD *SSL_get_current_expansion(SSL *s);
-const char *SSL_COMP_get_name(const COMP_METHOD *comp);
-STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
-int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
-#else
-const void *SSL_get_current_compression(SSL *s);
-const void *SSL_get_current_expansion(SSL *s);
-const char *SSL_COMP_get_name(const void *comp);
-void *SSL_COMP_get_compression_methods(void);
-int SSL_COMP_add_compression_method(int id, void *cm);
-#endif
-
 /* TLS extensions functions */
 int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
 
diff --git a/src/lib/libssl/src/ssl/ssl3.h b/src/lib/libssl/src/ssl/ssl3.h
index 235c359af2..f956c50987 100644
--- a/src/lib/libssl/src/ssl/ssl3.h
+++ b/src/lib/libssl/src/ssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.23 2014/06/13 11:52:03 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.24 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -117,9 +117,6 @@
 #ifndef HEADER_SSL3_H 
 #define HEADER_SSL3_H 
 
-#ifndef OPENSSL_NO_COMP
-#include <openssl/comp.h>
-#endif
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
 #include <openssl/ssl.h>
@@ -285,12 +282,7 @@ extern "C" {
 
 /* If compression isn't used don't include the compression overhead */
 
-#ifdef OPENSSL_NO_COMP
 #define SSL3_RT_MAX_COMPRESSED_LENGTH           SSL3_RT_MAX_PLAIN_LENGTH
-#else
-#define SSL3_RT_MAX_COMPRESSED_LENGTH   \
-                (SSL3_RT_MAX_PLAIN_LENGTH+SSL3_RT_MAX_COMPRESSED_OVERHEAD)
-#endif
 #define SSL3_RT_MAX_ENCRYPTED_LENGTH    \
                 (SSL3_RT_MAX_ENCRYPTED_OVERHEAD+SSL3_RT_MAX_COMPRESSED_LENGTH)
 #define SSL3_RT_MAX_PACKET_SIZE         \
@@ -336,7 +328,6 @@ typedef struct ssl3_record_st {
 /*r */  unsigned int off;       /* read/write offset into 'buf' */
 /*rw*/  unsigned char *data;    /* pointer to the record data */
 /*rw*/  unsigned char *input;   /* where the decode bytes are */
-/*r */  unsigned char *comp;    /* only used with decompression - malloc()ed */
 /*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */
 /*r */  unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
 } SSL3_RECORD;
@@ -492,11 +483,6 @@ typedef struct ssl3_state_st {
                 const EVP_MD *new_hash;
                 int new_mac_pkey_type;
                 int new_mac_secret_size;
-#ifndef OPENSSL_NO_COMP
-                const SSL_COMP *new_compression;
-#else
-                char *new_compression;
-#endif
                 int cert_request;
         } tmp;
 
diff --git a/src/lib/libssl/src/ssl/ssl_algs.c b/src/lib/libssl/src/ssl/ssl_algs.c
index 0518876ab4..ce051252f6 100644
--- a/src/lib/libssl/src/ssl/ssl_algs.c
+++ b/src/lib/libssl/src/ssl/ssl_algs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_algs.c,v 1.18 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: ssl_algs.c,v 1.19 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -112,12 +112,6 @@ SSL_library_init(void)
         EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
         EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
         EVP_add_digest(EVP_ecdsa());
-#ifndef OPENSSL_NO_COMP
-        /* This will initialise the built-in compression algorithms.
-           The value returned is a STACK_OF(SSL_COMP), but that can
-           be discarded safely */
-        (void)SSL_COMP_get_compression_methods();
-#endif
         /* initialize cipher/digest methods table */
         ssl_load_ciphers();
         return (1);
diff --git a/src/lib/libssl/src/ssl/ssl_asn1.c b/src/lib/libssl/src/ssl/ssl_asn1.c
index 8594408898..43366b33b8 100644
--- a/src/lib/libssl/src/ssl/ssl_asn1.c
+++ b/src/lib/libssl/src/ssl/ssl_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_asn1.c,v 1.26 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: ssl_asn1.c,v 1.27 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -118,10 +118,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
         unsigned char ibuf3[LSIZE2], ibuf4[LSIZE2], ibuf5[LSIZE2];
         int v6 = 0, v9 = 0, v10 = 0;
         unsigned char ibuf6[LSIZE2];
-#ifndef OPENSSL_NO_COMP
-        unsigned char cbuf;
-        int v11 = 0;
-#endif
         long l;
         SSL_SESSION_ASN1 a;
         M_ASN1_I2D_vars(in);
@@ -155,14 +151,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
         buf[0] = ((unsigned char)(l >> 8L))&0xff;
         buf[1] = ((unsigned char)(l    ))&0xff;
 
-#ifndef OPENSSL_NO_COMP
-        if (in->compress_meth) {
-                cbuf = (unsigned char)in->compress_meth;
-                a.comp_id.length = 1;
-                a.comp_id.type = V_ASN1_OCTET_STRING;
-                a.comp_id.data = &cbuf;
-        }
-#endif
 
         a.master_key.length = in->master_key_length;
         a.master_key.type = V_ASN1_OCTET_STRING;
@@ -248,10 +236,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
                 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING, 10, v10);
         if (in->tlsext_hostname)
                 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING, 6, v6);
-#ifndef OPENSSL_NO_COMP
-        if (in->compress_meth)
-                M_ASN1_I2D_len_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING, 11, v11);
-#endif
 #ifndef OPENSSL_NO_PSK
         if (in->psk_identity_hint)
                 M_ASN1_I2D_len_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING, 7, v7);
@@ -288,10 +272,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
                 M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER, 9, v9);
         if (in->tlsext_tick)
                 M_ASN1_I2D_put_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING, 10, v10);
-#ifndef OPENSSL_NO_COMP
-        if (in->compress_meth)
-                M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING, 11, v11);
-#endif
         M_ASN1_I2D_finish();
 }
 
@@ -480,16 +460,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
                 os.length = 0;
         } else
                 ret->tlsext_tick = NULL;
-#ifndef OPENSSL_NO_COMP
-        os.length = 0;
-        os.data = NULL;
-        M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 11);
-        if (os.data) {
-                ret->compress_meth = os.data[0];
-                free(os.data);
-                os.data = NULL;
-        }
-#endif
 
 
         M_ASN1_D2I_Finish(a, SSL_SESSION_free, SSL_F_D2I_SSL_SESSION);
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index d84e45764e..0ba66cc89f 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.58 2014/07/09 14:20:55 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.59 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -142,9 +142,6 @@
 
 #include <stdio.h>
 #include <openssl/objects.h>
-#ifndef OPENSSL_NO_COMP
-#include <openssl/comp.h>
-#endif
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
@@ -175,8 +172,6 @@ static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
 #define SSL_COMP_ZLIB_IDX       1
 #define SSL_COMP_NUM_IDX        2
 
-static STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
-
 #define SSL_MD_MD5_IDX  0
 #define SSL_MD_SHA1_IDX 1
 #define SSL_MD_GOST94_IDX 2
@@ -645,81 +640,14 @@ ssl_load_ciphers(void)
         ssl_mac_secret_size[SSL_MD_SHA384_IDX]=
         EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]);
 }
-#ifndef OPENSSL_NO_COMP
-
-static int
-sk_comp_cmp(const SSL_COMP * const *a,
-    const SSL_COMP * const *b)
-{
-        return ((*a)->id - (*b)->id);
-}
-
-static void
-load_builtin_compressions(void)
-{
-        int got_write_lock = 0;
-
-        CRYPTO_r_lock(CRYPTO_LOCK_SSL);
-        if (ssl_comp_methods == NULL) {
-                CRYPTO_r_unlock(CRYPTO_LOCK_SSL);
-                CRYPTO_w_lock(CRYPTO_LOCK_SSL);
-                got_write_lock = 1;
-
-                if (ssl_comp_methods == NULL) {
-                        SSL_COMP *comp = NULL;
-
-                        ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
-                        if (ssl_comp_methods != NULL) {
-                                comp = malloc(sizeof(SSL_COMP));
-                                if (comp != NULL) {
-                                        comp->method = COMP_zlib();
-                                        if (comp->method &&
-                                            comp->method->type == NID_undef)
-                                                free(comp);
-                                        else {
-                                                comp->id = SSL_COMP_ZLIB_IDX;
-                                                comp->name = comp->method->name;
-                                                sk_SSL_COMP_push(ssl_comp_methods, comp);
-                                        }
-                                }
-                                sk_SSL_COMP_sort(ssl_comp_methods);
-                        }
-                }
-        }
-
-        if (got_write_lock)
-                CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-        else
-                CRYPTO_r_unlock(CRYPTO_LOCK_SSL);
-}
-#endif
 
 /* ssl_cipher_get_comp sets comp to the correct SSL_COMP for the given
  * session and returns 1. On error it returns 0. */
 int
 ssl_cipher_get_comp(const SSL_SESSION *s, SSL_COMP **comp)
 {
-        SSL_COMP ctmp;
-        int i;
-
-#ifndef OPENSSL_NO_COMP
-        load_builtin_compressions();
-#endif
-
         *comp = NULL;
-        if (s->compress_meth == 0)
-                return 1;
-        if (ssl_comp_methods == NULL)
-                return 0;
-
-        ctmp.id = s->compress_meth;
-        i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);
-        if (i >= 0) {
-                *comp = sk_SSL_COMP_value(ssl_comp_methods, i);
-                return 1;
-        }
-
-        return 0;
+        return 1;
 }
 
 int
@@ -1919,102 +1847,3 @@ SSL_CIPHER_get_id(const SSL_CIPHER *c)
 {
         return c->id;
 }
-
-SSL_COMP *
-ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
-{
-        SSL_COMP *ctmp;
-        int i, nn;
-
-        if ((n == 0) || (sk == NULL))
-                return (NULL);
-        nn = sk_SSL_COMP_num(sk);
-        for (i = 0; i < nn; i++) {
-                ctmp = sk_SSL_COMP_value(sk, i);
-                if (ctmp->id == n)
-                        return (ctmp);
-        }
-        return (NULL);
-}
-
-#ifdef OPENSSL_NO_COMP
-void *
-SSL_COMP_get_compression_methods(void)
-{
-        return NULL;
-}
-
-int
-SSL_COMP_add_compression_method(int id, void *cm)
-{
-        return 1;
-}
-
-const char *
-SSL_COMP_get_name(const void *comp)
-{
-        return NULL;
-}
-#else
-STACK_OF(SSL_COMP) *
-SSL_COMP_get_compression_methods(void)
-{
-        load_builtin_compressions();
-        return (ssl_comp_methods);
-}
-
-int
-SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
-{
-        SSL_COMP *comp;
-
-        if (cm == NULL || cm->type == NID_undef)
-                return 1;
-
-        /* According to draft-ietf-tls-compression-04.txt, the
-           compression number ranges should be the following:
-
-           0 to 63:    methods defined by the IETF
-           64 to 192:  external party methods assigned by IANA
-           193 to 255: reserved for private use */
-        if (id < 193 || id > 255) {
-                SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,
-                    SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);
-                return 1;
-        }
-
-        comp = malloc(sizeof(SSL_COMP));
-        if (comp == NULL) {
-                SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,
-                    ERR_R_MALLOC_FAILURE);
-                return (1);
-        }
-        comp->id = id;
-        comp->method = cm;
-        load_builtin_compressions();
-        if (ssl_comp_methods &&
-            sk_SSL_COMP_find(ssl_comp_methods, comp) >= 0) {
-                free(comp);
-                SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,
-                    SSL_R_DUPLICATE_COMPRESSION_ID);
-                return (1);
-        } else if ((ssl_comp_methods == NULL) ||
-            !sk_SSL_COMP_push(ssl_comp_methods, comp)) {
-                free(comp);
-                SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,
-                    ERR_R_MALLOC_FAILURE);
-                return (1);
-        } else {
-                return (0);
-        }
-}
-
-const char *
-SSL_COMP_get_name(const COMP_METHOD *comp)
-{
-        if (comp)
-                return comp->name;
-        return NULL;
-}
-
-#endif
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index a5f2f3f751..765012e861 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.71 2014/07/10 08:18:55 bcook Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.72 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1793,9 +1793,6 @@ SSL_CTX_new(const SSL_METHOD *meth)
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
 
         ret->extra_certs = NULL;
-        /* No compression for DTLS */
-        if (meth->version != DTLS1_VERSION)
-                ret->comp_methods = SSL_COMP_get_compression_methods();
 
         ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
 
@@ -2610,12 +2607,6 @@ ssl_clear_cipher_ctx(SSL *s)
                 s->aead_write_ctx = NULL;
         }
 
-#ifndef OPENSSL_NO_COMP
-        COMP_CTX_free(s->expand);
-        s->expand = NULL;
-        COMP_CTX_free(s->compress);
-        s->compress = NULL;
-#endif
 }
 
 /* Fix this function so that it takes an optional type parameter */
@@ -2645,7 +2636,6 @@ SSL_get_current_cipher(const SSL *s)
                 return (s->session->cipher);
         return (NULL);
 }
-#ifdef OPENSSL_NO_COMP
 const void *
 SSL_get_current_compression(SSL *s)
 {
@@ -2657,24 +2647,6 @@ SSL_get_current_expansion(SSL *s)
 {
         return (NULL);
 }
-#else
-
-const COMP_METHOD *
-SSL_get_current_compression(SSL *s)
-{
-        if (s->compress != NULL)
-                return (s->compress->meth);
-        return (NULL);
-}
-
-const COMP_METHOD *
-SSL_get_current_expansion(SSL *s)
-{
-        if (s->expand != NULL)
-                return (s->expand->meth);
-        return (NULL);
-}
-#endif
 
 int
 ssl_init_wbio_buffer(SSL *s, int push)
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index 2b3d1b8e44..b3bc4f4ae4 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.56 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.57 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -153,9 +153,6 @@
 
 #include <openssl/opensslconf.h>
 #include <openssl/buffer.h>
-#ifndef OPENSSL_NO_COMP
-#include <openssl/comp.h>
-#endif
 #include <openssl/bio.h>
 #include <openssl/stack.h>
 #include <openssl/rsa.h>
@@ -547,15 +544,6 @@ struct ssl_aead_ctx_st {
         char variable_nonce_in_record;
 };
 
-#ifndef OPENSSL_NO_COMP
-/* Used for holding the relevant compression methods loaded into SSL_CTX */
-typedef struct ssl3_comp_st {
-        int comp_id;    /* The identifier byte for this compression type */
-        char *name;     /* Text name used for the compression type */
-        COMP_METHOD *method; /* The method :-) */
-} SSL3_COMP;
-#endif
-
 extern SSL3_ENC_METHOD ssl3_undef_enc_method;
 extern SSL_CIPHER ssl3_ciphers[];
 
@@ -685,8 +673,6 @@ long tls1_default_timeout(void);
 int dtls1_do_write(SSL *s, int type);
 int ssl3_read_n(SSL *s, int n, int max, int extend);
 int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
-int ssl3_do_compress(SSL *ssl);
-int ssl3_do_uncompress(SSL *ssl);
 int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
     unsigned int len);
 unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c
index 7932f20151..b3dd3e6117 100644
--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.34 2014/06/21 20:27:25 tedu Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.35 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -207,7 +207,6 @@ SSL_SESSION_new(void)
         ss->time = time(NULL);
         ss->prev = NULL;
         ss->next = NULL;
-        ss->compress_meth = 0;
         ss->tlsext_hostname = NULL;
 
         ss->tlsext_ecpointformatlist_length = 0;
@@ -233,7 +232,7 @@ SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
 unsigned int
 SSL_SESSION_get_compress_id(const SSL_SESSION *s)
 {
-        return s->compress_meth;
+        return 0;
 }
 
 /* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
diff --git a/src/lib/libssl/src/ssl/ssl_txt.c b/src/lib/libssl/src/ssl/ssl_txt.c
index c06e2d23b7..25f2290290 100644
--- a/src/lib/libssl/src/ssl/ssl_txt.c
+++ b/src/lib/libssl/src/ssl/ssl_txt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_txt.c,v 1.21 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: ssl_txt.c,v 1.22 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -182,22 +182,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
                         goto err;
         }
 
-#ifndef OPENSSL_NO_COMP
-        if (x->compress_meth != 0) {
-                SSL_COMP *comp = NULL;
-
-                if (!ssl_cipher_get_comp(x, &comp))
-                        goto err;
-
-                if (comp == NULL) {
-                        if (BIO_printf(bp, "\n    Compression: %d", x->compress_meth) <= 0)
-                                goto err;
-                } else {
-                        if (BIO_printf(bp, "\n    Compression: %d (%s)", comp->id, comp->method->name) <= 0)
-                                goto err;
-                }
-        }
-#endif
         if (x->time != 0) {
                 if (BIO_printf(bp, "\n    Start Time: %lld", (long long)x->time) <= 0)
                         goto err;
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index 26d98522d0..cccf17eab5 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.65 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.66 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -137,9 +137,6 @@
 
 #include <stdio.h>
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_COMP
-#include <openssl/comp.h>
-#endif
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
@@ -470,9 +467,6 @@ tls1_change_cipher_state(SSL *s, int which)
         const EVP_AEAD *aead;
         char is_read, use_client_keys;
 
-#ifndef OPENSSL_NO_COMP
-        const SSL_COMP *comp;
-#endif
 
         cipher = s->s3->tmp.new_sym_enc;
         aead = s->s3->tmp.new_aead;
@@ -492,41 +486,6 @@ tls1_change_cipher_state(SSL *s, int which)
         use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
             (which == SSL3_CHANGE_CIPHER_SERVER_READ));
 
-#ifndef OPENSSL_NO_COMP
-        comp = s->s3->tmp.new_compression;
-        if (is_read) {
-                if (s->expand != NULL) {
-                        COMP_CTX_free(s->expand);
-                        s->expand = NULL;
-                }
-                if (comp != NULL) {
-                        s->expand = COMP_CTX_new(comp->method);
-                        if (s->expand == NULL) {
-                                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,
-                                    SSL_R_COMPRESSION_LIBRARY_ERROR);
-                                goto err2;
-                        }
-                        if (s->s3->rrec.comp == NULL)
-                                s->s3->rrec.comp =
-                                    malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
-                        if (s->s3->rrec.comp == NULL)
-                                goto err;
-                }
-        } else {
-                if (s->compress != NULL) {
-                        COMP_CTX_free(s->compress);
-                        s->compress = NULL;
-                }
-                if (comp != NULL) {
-                        s->compress = COMP_CTX_new(comp->method);
-                        if (s->compress == NULL) {
-                                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,
-                                    SSL_R_COMPRESSION_LIBRARY_ERROR);
-                                goto err2;
-                        }
-                }
-        }
-#endif
 
         /*
          * Reset sequence number to zero - for DTLS this is handled in
@@ -596,8 +555,6 @@ tls1_change_cipher_state(SSL *s, int which)
         return tls1_change_cipher_state_cipher(s, is_read, use_client_keys,
             mac_secret, mac_secret_size, key, key_len, iv, iv_len);
 
-err:
-        SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
 err2:
         return (0);
 }
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index b1eeb85c64..18218f4c61 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.57 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.58 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -145,9 +145,6 @@
 
 #include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_NO_COMP
-#include <openssl/comp.h>
-#endif
 #ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
@@ -488,8 +485,6 @@ struct ssl_session_st {
         time_t time;
         int references;
 
-        unsigned int compress_meth;     /* Need to lookup the method */
-
         const SSL_CIPHER *cipher;
         unsigned long cipher_id;        /* when ASN.1 loaded, this
                                          * needs to be used to load
@@ -682,11 +677,6 @@ typedef struct ssl_comp_st SSL_COMP;
 struct ssl_comp_st {
         int id;
         const char *name;
-#ifndef OPENSSL_NO_COMP
-        COMP_METHOD *method;
-#else
-        char *method;
-#endif
 };
 
 DECLARE_STACK_OF(SSL_COMP)
@@ -1099,11 +1089,6 @@ struct ssl_st {
 
         EVP_CIPHER_CTX *enc_read_ctx;           /* cryptographic state */
         EVP_MD_CTX *read_hash;                  /* used for mac generation */
-#ifndef OPENSSL_NO_COMP
-        COMP_CTX *expand;                       /* uncompress */
-#else
-        char *expand;
-#endif
 
         SSL_AEAD_CTX *aead_write_ctx;   /* AEAD context. If non-NULL, then
                                            enc_write_ctx and write_hash are
@@ -1111,12 +1096,6 @@ struct ssl_st {
 
         EVP_CIPHER_CTX *enc_write_ctx;          /* cryptographic state */
         EVP_MD_CTX *write_hash;                 /* used for mac generation */
-#ifndef OPENSSL_NO_COMP
-        COMP_CTX *compress;                     /* compression */
-#else
-        char *compress;
-
-#endif
 
         /* session info */
 
@@ -1836,20 +1815,6 @@ void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
 void SSL_set_tmp_ecdh_callback(SSL *ssl,
     EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
 
-#ifndef OPENSSL_NO_COMP
-const COMP_METHOD *SSL_get_current_compression(SSL *s);
-const COMP_METHOD *SSL_get_current_expansion(SSL *s);
-const char *SSL_COMP_get_name(const COMP_METHOD *comp);
-STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
-int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
-#else
-const void *SSL_get_current_compression(SSL *s);
-const void *SSL_get_current_expansion(SSL *s);
-const char *SSL_COMP_get_name(const void *comp);
-void *SSL_COMP_get_compression_methods(void);
-int SSL_COMP_add_compression_method(int id, void *cm);
-#endif
-
 /* TLS extensions functions */
 int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
 
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index 235c359af2..f956c50987 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.23 2014/06/13 11:52:03 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.24 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -117,9 +117,6 @@
 #ifndef HEADER_SSL3_H 
 #define HEADER_SSL3_H 
 
-#ifndef OPENSSL_NO_COMP
-#include <openssl/comp.h>
-#endif
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
 #include <openssl/ssl.h>
@@ -285,12 +282,7 @@ extern "C" {
 
 /* If compression isn't used don't include the compression overhead */
 
-#ifdef OPENSSL_NO_COMP
 #define SSL3_RT_MAX_COMPRESSED_LENGTH           SSL3_RT_MAX_PLAIN_LENGTH
-#else
-#define SSL3_RT_MAX_COMPRESSED_LENGTH   \
-                (SSL3_RT_MAX_PLAIN_LENGTH+SSL3_RT_MAX_COMPRESSED_OVERHEAD)
-#endif
 #define SSL3_RT_MAX_ENCRYPTED_LENGTH    \
                 (SSL3_RT_MAX_ENCRYPTED_OVERHEAD+SSL3_RT_MAX_COMPRESSED_LENGTH)
 #define SSL3_RT_MAX_PACKET_SIZE         \
@@ -336,7 +328,6 @@ typedef struct ssl3_record_st {
 /*r */  unsigned int off;       /* read/write offset into 'buf' */
 /*rw*/  unsigned char *data;    /* pointer to the record data */
 /*rw*/  unsigned char *input;   /* where the decode bytes are */
-/*r */  unsigned char *comp;    /* only used with decompression - malloc()ed */
 /*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */
 /*r */  unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
 } SSL3_RECORD;
@@ -492,11 +483,6 @@ typedef struct ssl3_state_st {
                 const EVP_MD *new_hash;
                 int new_mac_pkey_type;
                 int new_mac_secret_size;
-#ifndef OPENSSL_NO_COMP
-                const SSL_COMP *new_compression;
-#else
-                char *new_compression;
-#endif
                 int cert_request;
         } tmp;
 
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
index 0518876ab4..ce051252f6 100644
--- a/src/lib/libssl/ssl_algs.c
+++ b/src/lib/libssl/ssl_algs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_algs.c,v 1.18 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: ssl_algs.c,v 1.19 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -112,12 +112,6 @@ SSL_library_init(void)
         EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
         EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
         EVP_add_digest(EVP_ecdsa());
-#ifndef OPENSSL_NO_COMP
-        /* This will initialise the built-in compression algorithms.
-           The value returned is a STACK_OF(SSL_COMP), but that can
-           be discarded safely */
-        (void)SSL_COMP_get_compression_methods();
-#endif
         /* initialize cipher/digest methods table */
         ssl_load_ciphers();
         return (1);
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index 8594408898..43366b33b8 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_asn1.c,v 1.26 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: ssl_asn1.c,v 1.27 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -118,10 +118,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
         unsigned char ibuf3[LSIZE2], ibuf4[LSIZE2], ibuf5[LSIZE2];
         int v6 = 0, v9 = 0, v10 = 0;
         unsigned char ibuf6[LSIZE2];
-#ifndef OPENSSL_NO_COMP
-        unsigned char cbuf;
-        int v11 = 0;
-#endif
         long l;
         SSL_SESSION_ASN1 a;
         M_ASN1_I2D_vars(in);
@@ -155,14 +151,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
         buf[0] = ((unsigned char)(l >> 8L))&0xff;
         buf[1] = ((unsigned char)(l    ))&0xff;
 
-#ifndef OPENSSL_NO_COMP
-        if (in->compress_meth) {
-                cbuf = (unsigned char)in->compress_meth;
-                a.comp_id.length = 1;
-                a.comp_id.type = V_ASN1_OCTET_STRING;
-                a.comp_id.data = &cbuf;
-        }
-#endif
 
         a.master_key.length = in->master_key_length;
         a.master_key.type = V_ASN1_OCTET_STRING;
@@ -248,10 +236,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
                 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING, 10, v10);
         if (in->tlsext_hostname)
                 M_ASN1_I2D_len_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING, 6, v6);
-#ifndef OPENSSL_NO_COMP
-        if (in->compress_meth)
-                M_ASN1_I2D_len_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING, 11, v11);
-#endif
 #ifndef OPENSSL_NO_PSK
         if (in->psk_identity_hint)
                 M_ASN1_I2D_len_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING, 7, v7);
@@ -288,10 +272,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
                 M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER, 9, v9);
         if (in->tlsext_tick)
                 M_ASN1_I2D_put_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING, 10, v10);
-#ifndef OPENSSL_NO_COMP
-        if (in->compress_meth)
-                M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING, 11, v11);
-#endif
         M_ASN1_I2D_finish();
 }
 
@@ -480,16 +460,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
                 os.length = 0;
         } else
                 ret->tlsext_tick = NULL;
-#ifndef OPENSSL_NO_COMP
-        os.length = 0;
-        os.data = NULL;
-        M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 11);
-        if (os.data) {
-                ret->compress_meth = os.data[0];
-                free(os.data);
-                os.data = NULL;
-        }
-#endif
 
 
         M_ASN1_D2I_Finish(a, SSL_SESSION_free, SSL_F_D2I_SSL_SESSION);
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index d84e45764e..0ba66cc89f 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.58 2014/07/09 14:20:55 jsing Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.59 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -142,9 +142,6 @@
 
 #include <stdio.h>
 #include <openssl/objects.h>
-#ifndef OPENSSL_NO_COMP
-#include <openssl/comp.h>
-#endif
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
@@ -175,8 +172,6 @@ static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
 #define SSL_COMP_ZLIB_IDX       1
 #define SSL_COMP_NUM_IDX        2
 
-static STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
-
 #define SSL_MD_MD5_IDX  0
 #define SSL_MD_SHA1_IDX 1
 #define SSL_MD_GOST94_IDX 2
@@ -645,81 +640,14 @@ ssl_load_ciphers(void)
         ssl_mac_secret_size[SSL_MD_SHA384_IDX]=
         EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]);
 }
-#ifndef OPENSSL_NO_COMP
-
-static int
-sk_comp_cmp(const SSL_COMP * const *a,
-    const SSL_COMP * const *b)
-{
-        return ((*a)->id - (*b)->id);
-}
-
-static void
-load_builtin_compressions(void)
-{
-        int got_write_lock = 0;
-
-        CRYPTO_r_lock(CRYPTO_LOCK_SSL);
-        if (ssl_comp_methods == NULL) {
-                CRYPTO_r_unlock(CRYPTO_LOCK_SSL);
-                CRYPTO_w_lock(CRYPTO_LOCK_SSL);
-                got_write_lock = 1;
-
-                if (ssl_comp_methods == NULL) {
-                        SSL_COMP *comp = NULL;
-
-                        ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
-                        if (ssl_comp_methods != NULL) {
-                                comp = malloc(sizeof(SSL_COMP));
-                                if (comp != NULL) {
-                                        comp->method = COMP_zlib();
-                                        if (comp->method &&
-                                            comp->method->type == NID_undef)
-                                                free(comp);
-                                        else {
-                                                comp->id = SSL_COMP_ZLIB_IDX;
-                                                comp->name = comp->method->name;
-                                                sk_SSL_COMP_push(ssl_comp_methods, comp);
-                                        }
-                                }
-                                sk_SSL_COMP_sort(ssl_comp_methods);
-                        }
-                }
-        }
-
-        if (got_write_lock)
-                CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-        else
-                CRYPTO_r_unlock(CRYPTO_LOCK_SSL);
-}
-#endif
 
 /* ssl_cipher_get_comp sets comp to the correct SSL_COMP for the given
  * session and returns 1. On error it returns 0. */
 int
 ssl_cipher_get_comp(const SSL_SESSION *s, SSL_COMP **comp)
 {
-        SSL_COMP ctmp;
-        int i;
-
-#ifndef OPENSSL_NO_COMP
-        load_builtin_compressions();
-#endif
-
         *comp = NULL;
-        if (s->compress_meth == 0)
-                return 1;
-        if (ssl_comp_methods == NULL)
-                return 0;
-
-        ctmp.id = s->compress_meth;
-        i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);
-        if (i >= 0) {
-                *comp = sk_SSL_COMP_value(ssl_comp_methods, i);
-                return 1;
-        }
-
-        return 0;
+        return 1;
 }
 
 int
@@ -1919,102 +1847,3 @@ SSL_CIPHER_get_id(const SSL_CIPHER *c)
 {
         return c->id;
 }
-
-SSL_COMP *
-ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
-{
-        SSL_COMP *ctmp;
-        int i, nn;
-
-        if ((n == 0) || (sk == NULL))
-                return (NULL);
-        nn = sk_SSL_COMP_num(sk);
-        for (i = 0; i < nn; i++) {
-                ctmp = sk_SSL_COMP_value(sk, i);
-                if (ctmp->id == n)
-                        return (ctmp);
-        }
-        return (NULL);
-}
-
-#ifdef OPENSSL_NO_COMP
-void *
-SSL_COMP_get_compression_methods(void)
-{
-        return NULL;
-}
-
-int
-SSL_COMP_add_compression_method(int id, void *cm)
-{
-        return 1;
-}
-
-const char *
-SSL_COMP_get_name(const void *comp)
-{
-        return NULL;
-}
-#else
-STACK_OF(SSL_COMP) *
-SSL_COMP_get_compression_methods(void)
-{
-        load_builtin_compressions();
-        return (ssl_comp_methods);
-}
-
-int
-SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
-{
-        SSL_COMP *comp;
-
-        if (cm == NULL || cm->type == NID_undef)
-                return 1;
-
-        /* According to draft-ietf-tls-compression-04.txt, the
-           compression number ranges should be the following:
-
-           0 to 63:    methods defined by the IETF
-           64 to 192:  external party methods assigned by IANA
-           193 to 255: reserved for private use */
-        if (id < 193 || id > 255) {
-                SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,
-                    SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);
-                return 1;
-        }
-
-        comp = malloc(sizeof(SSL_COMP));
-        if (comp == NULL) {
-                SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,
-                    ERR_R_MALLOC_FAILURE);
-                return (1);
-        }
-        comp->id = id;
-        comp->method = cm;
-        load_builtin_compressions();
-        if (ssl_comp_methods &&
-            sk_SSL_COMP_find(ssl_comp_methods, comp) >= 0) {
-                free(comp);
-                SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,
-                    SSL_R_DUPLICATE_COMPRESSION_ID);
-                return (1);
-        } else if ((ssl_comp_methods == NULL) ||
-            !sk_SSL_COMP_push(ssl_comp_methods, comp)) {
-                free(comp);
-                SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,
-                    ERR_R_MALLOC_FAILURE);
-                return (1);
-        } else {
-                return (0);
-        }
-}
-
-const char *
-SSL_COMP_get_name(const COMP_METHOD *comp)
-{
-        if (comp)
-                return comp->name;
-        return NULL;
-}
-
-#endif
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index a5f2f3f751..765012e861 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.71 2014/07/10 08:18:55 bcook Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.72 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1793,9 +1793,6 @@ SSL_CTX_new(const SSL_METHOD *meth)
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
 
         ret->extra_certs = NULL;
-        /* No compression for DTLS */
-        if (meth->version != DTLS1_VERSION)
-                ret->comp_methods = SSL_COMP_get_compression_methods();
 
         ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
 
@@ -2610,12 +2607,6 @@ ssl_clear_cipher_ctx(SSL *s)
                 s->aead_write_ctx = NULL;
         }
 
-#ifndef OPENSSL_NO_COMP
-        COMP_CTX_free(s->expand);
-        s->expand = NULL;
-        COMP_CTX_free(s->compress);
-        s->compress = NULL;
-#endif
 }
 
 /* Fix this function so that it takes an optional type parameter */
@@ -2645,7 +2636,6 @@ SSL_get_current_cipher(const SSL *s)
                 return (s->session->cipher);
         return (NULL);
 }
-#ifdef OPENSSL_NO_COMP
 const void *
 SSL_get_current_compression(SSL *s)
 {
@@ -2657,24 +2647,6 @@ SSL_get_current_expansion(SSL *s)
 {
         return (NULL);
 }
-#else
-
-const COMP_METHOD *
-SSL_get_current_compression(SSL *s)
-{
-        if (s->compress != NULL)
-                return (s->compress->meth);
-        return (NULL);
-}
-
-const COMP_METHOD *
-SSL_get_current_expansion(SSL *s)
-{
-        if (s->expand != NULL)
-                return (s->expand->meth);
-        return (NULL);
-}
-#endif
 
 int
 ssl_init_wbio_buffer(SSL *s, int push)
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 2b3d1b8e44..b3bc4f4ae4 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.56 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.57 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -153,9 +153,6 @@
 
 #include <openssl/opensslconf.h>
 #include <openssl/buffer.h>
-#ifndef OPENSSL_NO_COMP
-#include <openssl/comp.h>
-#endif
 #include <openssl/bio.h>
 #include <openssl/stack.h>
 #include <openssl/rsa.h>
@@ -547,15 +544,6 @@ struct ssl_aead_ctx_st {
         char variable_nonce_in_record;
 };
 
-#ifndef OPENSSL_NO_COMP
-/* Used for holding the relevant compression methods loaded into SSL_CTX */
-typedef struct ssl3_comp_st {
-        int comp_id;    /* The identifier byte for this compression type */
-        char *name;     /* Text name used for the compression type */
-        COMP_METHOD *method; /* The method :-) */
-} SSL3_COMP;
-#endif
-
 extern SSL3_ENC_METHOD ssl3_undef_enc_method;
 extern SSL_CIPHER ssl3_ciphers[];
 
@@ -685,8 +673,6 @@ long tls1_default_timeout(void);
 int dtls1_do_write(SSL *s, int type);
 int ssl3_read_n(SSL *s, int n, int max, int extend);
 int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
-int ssl3_do_compress(SSL *ssl);
-int ssl3_do_uncompress(SSL *ssl);
 int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
     unsigned int len);
 unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 7932f20151..b3dd3e6117 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.34 2014/06/21 20:27:25 tedu Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.35 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -207,7 +207,6 @@ SSL_SESSION_new(void)
         ss->time = time(NULL);
         ss->prev = NULL;
         ss->next = NULL;
-        ss->compress_meth = 0;
         ss->tlsext_hostname = NULL;
 
         ss->tlsext_ecpointformatlist_length = 0;
@@ -233,7 +232,7 @@ SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
 unsigned int
 SSL_SESSION_get_compress_id(const SSL_SESSION *s)
 {
-        return s->compress_meth;
+        return 0;
 }
 
 /* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
index c06e2d23b7..25f2290290 100644
--- a/src/lib/libssl/ssl_txt.c
+++ b/src/lib/libssl/ssl_txt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_txt.c,v 1.21 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: ssl_txt.c,v 1.22 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -182,22 +182,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
                         goto err;
         }
 
-#ifndef OPENSSL_NO_COMP
-        if (x->compress_meth != 0) {
-                SSL_COMP *comp = NULL;
-
-                if (!ssl_cipher_get_comp(x, &comp))
-                        goto err;
-
-                if (comp == NULL) {
-                        if (BIO_printf(bp, "\n    Compression: %d", x->compress_meth) <= 0)
-                                goto err;
-                } else {
-                        if (BIO_printf(bp, "\n    Compression: %d (%s)", comp->id, comp->method->name) <= 0)
-                                goto err;
-                }
-        }
-#endif
         if (x->time != 0) {
                 if (BIO_printf(bp, "\n    Start Time: %lld", (long long)x->time) <= 0)
                         goto err;
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 26d98522d0..cccf17eab5 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.65 2014/07/09 11:25:42 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.66 2014/07/10 08:51:15 tedu Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -137,9 +137,6 @@
 
 #include <stdio.h>
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_COMP
-#include <openssl/comp.h>
-#endif
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
@@ -470,9 +467,6 @@ tls1_change_cipher_state(SSL *s, int which)
         const EVP_AEAD *aead;
         char is_read, use_client_keys;
 
-#ifndef OPENSSL_NO_COMP
-        const SSL_COMP *comp;
-#endif
 
         cipher = s->s3->tmp.new_sym_enc;
         aead = s->s3->tmp.new_aead;
@@ -492,41 +486,6 @@ tls1_change_cipher_state(SSL *s, int which)
         use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
             (which == SSL3_CHANGE_CIPHER_SERVER_READ));
 
-#ifndef OPENSSL_NO_COMP
-        comp = s->s3->tmp.new_compression;
-        if (is_read) {
-                if (s->expand != NULL) {
-                        COMP_CTX_free(s->expand);
-                        s->expand = NULL;
-                }
-                if (comp != NULL) {
-                        s->expand = COMP_CTX_new(comp->method);
-                        if (s->expand == NULL) {
-                                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,
-                                    SSL_R_COMPRESSION_LIBRARY_ERROR);
-                                goto err2;
-                        }
-                        if (s->s3->rrec.comp == NULL)
-                                s->s3->rrec.comp =
-                                    malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
-                        if (s->s3->rrec.comp == NULL)
-                                goto err;
-                }
-        } else {
-                if (s->compress != NULL) {
-                        COMP_CTX_free(s->compress);
-                        s->compress = NULL;
-                }
-                if (comp != NULL) {
-                        s->compress = COMP_CTX_new(comp->method);
-                        if (s->compress == NULL) {
-                                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,
-                                    SSL_R_COMPRESSION_LIBRARY_ERROR);
-                                goto err2;
-                        }
-                }
-        }
-#endif
 
         /*
          * Reset sequence number to zero - for DTLS this is handled in
@@ -596,8 +555,6 @@ tls1_change_cipher_state(SSL *s, int which)
         return tls1_change_cipher_state_cipher(s, is_read, use_client_keys,
             mac_secret, mac_secret_size, key, key_len, iv, iv_len);
 
-err:
-        SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
 err2:
         return (0);
 }