16 files changed, 0 insertions, 100 deletions

diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index 54b73451eb..2a96c19914 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -550,11 +550,9 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey)
         } else if (i == EVP_PKEY_DSA) {
                 ret = SSL_PKEY_DSA_SIGN;
         }
-#ifndef OPENSSL_NO_EC
         else if (i == EVP_PKEY_EC) {
                 ret = SSL_PKEY_ECC;
         }
-#endif
         else if (i == NID_id_GostR3410_94 || i == NID_id_GostR3410_94_cc) {
                 ret = SSL_PKEY_GOST94;
         } else if (i == NID_id_GostR3410_2001 || i == NID_id_GostR3410_2001_cc) {
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 72492a3332..9aa72a9c4e 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -151,9 +151,7 @@
 #include <stdio.h>
 #include <openssl/objects.h>
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_EC
 #include "../crypto/ec/ec_lcl.h"
-#endif /* OPENSSL_NO_EC */
 #include <openssl/md5.h>
 #include <openssl/dh.h>
 
@@ -2381,9 +2379,7 @@ ssl3_clear(SSL *s)
                 EC_KEY_free(s->s3->tmp.ecdh);
                 s->s3->tmp.ecdh = NULL;
         }
-#ifndef OPENSSL_NO_EC
         s->s3->is_probably_safari = 0;
-#endif /* !OPENSSL_NO_EC */
 
         rp = s->s3->rbuf.buf;
         wp = s->s3->wbuf.buf;
@@ -3031,7 +3027,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                         ok = (alg_k & mask_k) && (alg_a & mask_a);
                 }
 
-#ifndef OPENSSL_NO_EC
                 if (
                 /*
                  * if we are considering an ECC cipher suite that uses our
@@ -3167,7 +3162,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                         }
                         ok = ok && ec_ok;
                 }
-#endif /* OPENSSL_NO_EC */
 
                 if (!ok)
                         continue;
diff --git a/src/lib/libssl/src/ssl/s3_both.c b/src/lib/libssl/src/ssl/s3_both.c
index 54b73451eb..2a96c19914 100644
--- a/src/lib/libssl/src/ssl/s3_both.c
+++ b/src/lib/libssl/src/ssl/s3_both.c
@@ -550,11 +550,9 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey)
         } else if (i == EVP_PKEY_DSA) {
                 ret = SSL_PKEY_DSA_SIGN;
         }
-#ifndef OPENSSL_NO_EC
         else if (i == EVP_PKEY_EC) {
                 ret = SSL_PKEY_ECC;
         }
-#endif
         else if (i == NID_id_GostR3410_94 || i == NID_id_GostR3410_94_cc) {
                 ret = SSL_PKEY_GOST94;
         } else if (i == NID_id_GostR3410_2001 || i == NID_id_GostR3410_2001_cc) {
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index 72492a3332..9aa72a9c4e 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -151,9 +151,7 @@
 #include <stdio.h>
 #include <openssl/objects.h>
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_EC
 #include "../crypto/ec/ec_lcl.h"
-#endif /* OPENSSL_NO_EC */
 #include <openssl/md5.h>
 #include <openssl/dh.h>
 
@@ -2381,9 +2379,7 @@ ssl3_clear(SSL *s)
                 EC_KEY_free(s->s3->tmp.ecdh);
                 s->s3->tmp.ecdh = NULL;
         }
-#ifndef OPENSSL_NO_EC
         s->s3->is_probably_safari = 0;
-#endif /* !OPENSSL_NO_EC */
 
         rp = s->s3->rbuf.buf;
         wp = s->s3->wbuf.buf;
@@ -3031,7 +3027,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                         ok = (alg_k & mask_k) && (alg_a & mask_a);
                 }
 
-#ifndef OPENSSL_NO_EC
                 if (
                 /*
                  * if we are considering an ECC cipher suite that uses our
@@ -3167,7 +3162,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                         }
                         ok = ok && ec_ok;
                 }
-#endif /* OPENSSL_NO_EC */
 
                 if (!ok)
                         continue;
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index d6f875a797..fd01ac9806 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -505,12 +505,10 @@ struct ssl_session_st {
          * efficient and to implement a maximum cache size. */
         struct ssl_session_st *prev, *next;
         char *tlsext_hostname;
-#ifndef OPENSSL_NO_EC
         size_t tlsext_ecpointformatlist_length;
         unsigned char *tlsext_ecpointformatlist; /* peer's list */
         size_t tlsext_ellipticcurvelist_length;
         unsigned char *tlsext_ellipticcurvelist; /* peer's list */
-#endif /* OPENSSL_NO_EC */
         /* RFC4507 info */
         unsigned char *tlsext_tick;     /* Session ticket */
         size_t tlsext_ticklen;          /* Session ticket length */
@@ -1204,12 +1202,10 @@ struct ssl_st {
 
         /* RFC4507 session ticket expected to be received or sent */
         int tlsext_ticket_expected;
-#ifndef OPENSSL_NO_EC
         size_t tlsext_ecpointformatlist_length;
         unsigned char *tlsext_ecpointformatlist; /* our list */
         size_t tlsext_ellipticcurvelist_length;
         unsigned char *tlsext_ellipticcurvelist; /* our list */
-#endif /* OPENSSL_NO_EC */
 
         /* draft-rescorla-tls-opaque-prf-input-00.txt information to be used for handshakes */
         void *tlsext_opaque_prf_input;
diff --git a/src/lib/libssl/src/ssl/ssl3.h b/src/lib/libssl/src/ssl/ssl3.h
index c264422a36..1d2bc2f5c0 100644
--- a/src/lib/libssl/src/ssl/ssl3.h
+++ b/src/lib/libssl/src/ssl/ssl3.h
@@ -519,12 +519,10 @@ typedef struct ssl3_state_st {
         int next_proto_neg_seen;
 #endif
 
-#ifndef OPENSSL_NO_EC
         /* This is set to true if we believe that this is a version of Safari
          * running on OS X 10.6 or newer. We wish to know this because Safari
          * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
         char is_probably_safari;
-#endif /* !OPENSSL_NO_EC */
 } SSL3_STATE;
 
 #endif
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 262b5a2130..1138ac5a69 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -536,10 +536,8 @@ SSL_free(SSL *s)
         free(s->tlsext_hostname);
         if (s->initial_ctx)
                 SSL_CTX_free(s->initial_ctx);
-#ifndef OPENSSL_NO_EC
         free(s->tlsext_ecpointformatlist);
         free(s->tlsext_ellipticcurvelist);
-#endif /* OPENSSL_NO_EC */
         free(s->tlsext_opaque_prf_input);
         if (s->tlsext_ocsp_exts)
                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
@@ -2120,7 +2118,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 #define ku_reject(x, usage) \
         (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
 
-#ifndef OPENSSL_NO_EC
 
 int
 ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
@@ -2190,7 +2187,6 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
         /* all checks are ok */
 }
 
-#endif
 
 /* THIS NEEDS CLEANING UP */
 CERT_PKEY *
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index ecf108d6a5..4aa2911da7 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -448,14 +448,12 @@
 #define CERT_PRIVATE_KEY        2
 */
 
-#ifndef OPENSSL_NO_EC
 /* From ECC-TLS draft, used in encoding the curve type in 
  * ECParameters
  */
 #define EXPLICIT_PRIME_CURVE_TYPE  1   
 #define EXPLICIT_CHAR2_CURVE_TYPE  2
 #define NAMED_CURVE_TYPE           3
-#endif  /* OPENSSL_NO_EC */
 
 typedef struct cert_pkey_st {
         X509 *x509;
@@ -830,10 +828,8 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
 
 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
 
-#ifndef OPENSSL_NO_EC
 int tls1_ec_curve_id2nid(int curve_id);
 int tls1_ec_nid2curve_id(int nid);
-#endif /* OPENSSL_NO_EC */
 
 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p,
     unsigned char *limit);
diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c
index de133a72ca..2900490ad2 100644
--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -210,12 +210,10 @@ SSL_SESSION_new(void)
         ss->compress_meth = 0;
         ss->tlsext_hostname = NULL;
 
-#ifndef OPENSSL_NO_EC
         ss->tlsext_ecpointformatlist_length = 0;
         ss->tlsext_ecpointformatlist = NULL;
         ss->tlsext_ellipticcurvelist_length = 0;
         ss->tlsext_ellipticcurvelist = NULL;
-#endif
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
 #ifndef OPENSSL_NO_PSK
         ss->psk_identity_hint = NULL;
@@ -359,7 +357,6 @@ ssl_get_new_session(SSL *s, int session)
                                 return 0;
                         }
                 }
-#ifndef OPENSSL_NO_EC
                 if (s->tlsext_ecpointformatlist) {
                         free(ss->tlsext_ecpointformatlist);
                         if ((ss->tlsext_ecpointformatlist = malloc(s->tlsext_ecpointformatlist_length)) == NULL) {
@@ -380,7 +377,6 @@ ssl_get_new_session(SSL *s, int session)
                         ss->tlsext_ellipticcurvelist_length = s->tlsext_ellipticcurvelist_length;
                         memcpy(ss->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
                 }
-#endif
         } else {
                 ss->session_id_length = 0;
         }
@@ -691,12 +687,10 @@ SSL_SESSION_free(SSL_SESSION *ss)
                 sk_SSL_CIPHER_free(ss->ciphers);
         free(ss->tlsext_hostname);
         free(ss->tlsext_tick);
-#ifndef OPENSSL_NO_EC
         ss->tlsext_ecpointformatlist_length = 0;
         free(ss->tlsext_ecpointformatlist);
         ss->tlsext_ellipticcurvelist_length = 0;
         free(ss->tlsext_ellipticcurvelist);
-#endif /* OPENSSL_NO_EC */
 #ifndef OPENSSL_NO_PSK
         free(ss->psk_identity_hint);
         free(ss->psk_identity);
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 5d442558dd..3546a45df1 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -209,7 +209,6 @@ tls1_clear(SSL *s)
         s->version = s->method->version;
 }
 
-#ifndef OPENSSL_NO_EC
 
 static int nid_list[] = {
         NID_sect163k1,          /* sect163k1 (1) */
@@ -348,7 +347,6 @@ tls1_ec_nid2curve_id(int nid)
                 return 0;
         }
 }
-#endif /* OPENSSL_NO_EC */
 
 
 /* List of supported signature algorithms and hashes. Should make this
@@ -460,7 +458,6 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
         }
 
 
-#ifndef OPENSSL_NO_EC
         if (s->tlsext_ecpointformatlist != NULL &&
             s->version != DTLS1_VERSION) {
                 /* Add TLS extension ECPointFormats to the ClientHello message */
@@ -515,7 +512,6 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                     s->tlsext_ellipticcurvelist_length);
                 ret += s->tlsext_ellipticcurvelist_length;
         }
-#endif /* OPENSSL_NO_EC */
 
         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
                 int ticklen;
@@ -743,7 +739,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                 ret += el;
         }
 
-#ifndef OPENSSL_NO_EC
         if (s->tlsext_ecpointformatlist != NULL &&
             s->version != DTLS1_VERSION) {
                 /* Add TLS extension ECPointFormats to the ServerHello message */
@@ -770,7 +765,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
 
         }
         /* Currently the server should not respond with a SupportedCurves extension */
-#endif /* OPENSSL_NO_EC */
 
         if (s->tlsext_ticket_expected &&
             !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
@@ -875,7 +869,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
         return ret;
 }
 
-#ifndef OPENSSL_NO_EC
 /* ssl_check_for_safari attempts to fingerprint Safari using OS X
  * SecureTransport using the TLS extension block in |d|, of length |n|.
  * Safari, since 10.6, sends exactly these extensions, in this order:
@@ -956,7 +949,6 @@ ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d,
 
         s->s3->is_probably_safari = 1;
 }
-#endif /* !OPENSSL_NO_EC */
 
 int
 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
@@ -975,10 +967,8 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
         s->s3->next_proto_neg_seen = 0;
 #endif
 
-#ifndef OPENSSL_NO_EC
         if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
                 ssl_check_for_safari(s, data, d, n);
-#endif /* !OPENSSL_NO_EC */
 
         if (data >= (d + n - 2))
                 goto ri_check;
@@ -1095,7 +1085,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 
                 }
 
-#ifndef OPENSSL_NO_EC
                 else if (type == TLSEXT_TYPE_ec_point_formats &&
                     s->version != DTLS1_VERSION) {
                         unsigned char *sdata = data;
@@ -1142,7 +1131,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
                         }
                 }
-#endif /* OPENSSL_NO_EC */
 #ifdef TLSEXT_TYPE_opaque_prf_input
                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
                     s->version != DTLS1_VERSION) {
@@ -1408,7 +1396,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                         tlsext_servername = 1;
 
                 }
-#ifndef OPENSSL_NO_EC
                 else if (type == TLSEXT_TYPE_ec_point_formats &&
                     s->version != DTLS1_VERSION) {
                         unsigned char *sdata = data;
@@ -1430,7 +1417,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
                 }
-#endif /* OPENSSL_NO_EC */
                 else if (type == TLSEXT_TYPE_session_ticket) {
                         if (s->tls_session_ticket_ext_cb &&
                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
@@ -1576,7 +1562,6 @@ ri_check:
 int
 ssl_prepare_clienthello_tlsext(SSL *s)
 {
-#ifndef OPENSSL_NO_EC
         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
          * and elliptic curves we support.
          */
@@ -1624,7 +1609,6 @@ ssl_prepare_clienthello_tlsext(SSL *s)
                         s2n(id, j);
                 }
         }
-#endif /* OPENSSL_NO_EC */
 
 #ifdef TLSEXT_TYPE_opaque_prf_input
         {
@@ -1667,7 +1651,6 @@ ssl_prepare_clienthello_tlsext(SSL *s)
 int
 ssl_prepare_serverhello_tlsext(SSL *s)
 {
-#ifndef OPENSSL_NO_EC
         /* If we are server and using an ECC cipher suite, send the point formats we support
          * if the client sent us an ECPointsFormat extension.  Note that the server is not
          * supposed to send an EllipticCurves extension.
@@ -1689,7 +1672,6 @@ ssl_prepare_serverhello_tlsext(SSL *s)
                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
         }
-#endif /* OPENSSL_NO_EC */
 
         return 1;
 }
@@ -1700,14 +1682,12 @@ ssl_check_clienthello_tlsext_early(SSL *s)
         int ret = SSL_TLSEXT_ERR_NOACK;
         int al = SSL_AD_UNRECOGNIZED_NAME;
 
-#ifndef OPENSSL_NO_EC
         /* The handling of the ECPointFormats extension is done elsewhere, namely in
          * ssl3_choose_cipher in s3_lib.c.
          */
         /* The handling of the EllipticCurves extension is done elsewhere, namely in
          * ssl3_choose_cipher in s3_lib.c.
          */
-#endif
 
         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
@@ -1850,7 +1830,6 @@ ssl_check_serverhello_tlsext(SSL *s)
         int ret = SSL_TLSEXT_ERR_NOACK;
         int al = SSL_AD_UNRECOGNIZED_NAME;
 
-#ifndef OPENSSL_NO_EC
         /* If we are client and using an elliptic curve cryptography cipher
          * suite, then if server returns an EC point formats lists extension
          * it must contain uncompressed.
@@ -1879,7 +1858,6 @@ ssl_check_serverhello_tlsext(SSL *s)
                 }
         }
         ret = SSL_TLSEXT_ERR_OK;
-#endif /* OPENSSL_NO_EC */
 
         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index d6f875a797..fd01ac9806 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -505,12 +505,10 @@ struct ssl_session_st {
          * efficient and to implement a maximum cache size. */
         struct ssl_session_st *prev, *next;
         char *tlsext_hostname;
-#ifndef OPENSSL_NO_EC
         size_t tlsext_ecpointformatlist_length;
         unsigned char *tlsext_ecpointformatlist; /* peer's list */
         size_t tlsext_ellipticcurvelist_length;
         unsigned char *tlsext_ellipticcurvelist; /* peer's list */
-#endif /* OPENSSL_NO_EC */
         /* RFC4507 info */
         unsigned char *tlsext_tick;     /* Session ticket */
         size_t tlsext_ticklen;          /* Session ticket length */
@@ -1204,12 +1202,10 @@ struct ssl_st {
 
         /* RFC4507 session ticket expected to be received or sent */
         int tlsext_ticket_expected;
-#ifndef OPENSSL_NO_EC
         size_t tlsext_ecpointformatlist_length;
         unsigned char *tlsext_ecpointformatlist; /* our list */
         size_t tlsext_ellipticcurvelist_length;
         unsigned char *tlsext_ellipticcurvelist; /* our list */
-#endif /* OPENSSL_NO_EC */
 
         /* draft-rescorla-tls-opaque-prf-input-00.txt information to be used for handshakes */
         void *tlsext_opaque_prf_input;
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index c264422a36..1d2bc2f5c0 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -519,12 +519,10 @@ typedef struct ssl3_state_st {
         int next_proto_neg_seen;
 #endif
 
-#ifndef OPENSSL_NO_EC
         /* This is set to true if we believe that this is a version of Safari
          * running on OS X 10.6 or newer. We wish to know this because Safari
          * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
         char is_probably_safari;
-#endif /* !OPENSSL_NO_EC */
 } SSL3_STATE;
 
 #endif
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 262b5a2130..1138ac5a69 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -536,10 +536,8 @@ SSL_free(SSL *s)
         free(s->tlsext_hostname);
         if (s->initial_ctx)
                 SSL_CTX_free(s->initial_ctx);
-#ifndef OPENSSL_NO_EC
         free(s->tlsext_ecpointformatlist);
         free(s->tlsext_ellipticcurvelist);
-#endif /* OPENSSL_NO_EC */
         free(s->tlsext_opaque_prf_input);
         if (s->tlsext_ocsp_exts)
                 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
@@ -2120,7 +2118,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 #define ku_reject(x, usage) \
         (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
 
-#ifndef OPENSSL_NO_EC
 
 int
 ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
@@ -2190,7 +2187,6 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
         /* all checks are ok */
 }
 
-#endif
 
 /* THIS NEEDS CLEANING UP */
 CERT_PKEY *
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index ecf108d6a5..4aa2911da7 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -448,14 +448,12 @@
 #define CERT_PRIVATE_KEY        2
 */
 
-#ifndef OPENSSL_NO_EC
 /* From ECC-TLS draft, used in encoding the curve type in 
  * ECParameters
  */
 #define EXPLICIT_PRIME_CURVE_TYPE  1   
 #define EXPLICIT_CHAR2_CURVE_TYPE  2
 #define NAMED_CURVE_TYPE           3
-#endif  /* OPENSSL_NO_EC */
 
 typedef struct cert_pkey_st {
         X509 *x509;
@@ -830,10 +828,8 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
 
 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
 
-#ifndef OPENSSL_NO_EC
 int tls1_ec_curve_id2nid(int curve_id);
 int tls1_ec_nid2curve_id(int nid);
-#endif /* OPENSSL_NO_EC */
 
 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p,
     unsigned char *limit);
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index de133a72ca..2900490ad2 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -210,12 +210,10 @@ SSL_SESSION_new(void)
         ss->compress_meth = 0;
         ss->tlsext_hostname = NULL;
 
-#ifndef OPENSSL_NO_EC
         ss->tlsext_ecpointformatlist_length = 0;
         ss->tlsext_ecpointformatlist = NULL;
         ss->tlsext_ellipticcurvelist_length = 0;
         ss->tlsext_ellipticcurvelist = NULL;
-#endif
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
 #ifndef OPENSSL_NO_PSK
         ss->psk_identity_hint = NULL;
@@ -359,7 +357,6 @@ ssl_get_new_session(SSL *s, int session)
                                 return 0;
                         }
                 }
-#ifndef OPENSSL_NO_EC
                 if (s->tlsext_ecpointformatlist) {
                         free(ss->tlsext_ecpointformatlist);
                         if ((ss->tlsext_ecpointformatlist = malloc(s->tlsext_ecpointformatlist_length)) == NULL) {
@@ -380,7 +377,6 @@ ssl_get_new_session(SSL *s, int session)
                         ss->tlsext_ellipticcurvelist_length = s->tlsext_ellipticcurvelist_length;
                         memcpy(ss->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length);
                 }
-#endif
         } else {
                 ss->session_id_length = 0;
         }
@@ -691,12 +687,10 @@ SSL_SESSION_free(SSL_SESSION *ss)
                 sk_SSL_CIPHER_free(ss->ciphers);
         free(ss->tlsext_hostname);
         free(ss->tlsext_tick);
-#ifndef OPENSSL_NO_EC
         ss->tlsext_ecpointformatlist_length = 0;
         free(ss->tlsext_ecpointformatlist);
         ss->tlsext_ellipticcurvelist_length = 0;
         free(ss->tlsext_ellipticcurvelist);
-#endif /* OPENSSL_NO_EC */
 #ifndef OPENSSL_NO_PSK
         free(ss->psk_identity_hint);
         free(ss->psk_identity);
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 5d442558dd..3546a45df1 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -209,7 +209,6 @@ tls1_clear(SSL *s)
         s->version = s->method->version;
 }
 
-#ifndef OPENSSL_NO_EC
 
 static int nid_list[] = {
         NID_sect163k1,          /* sect163k1 (1) */
@@ -348,7 +347,6 @@ tls1_ec_nid2curve_id(int nid)
                 return 0;
         }
 }
-#endif /* OPENSSL_NO_EC */
 
 
 /* List of supported signature algorithms and hashes. Should make this
@@ -460,7 +458,6 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
         }
 
 
-#ifndef OPENSSL_NO_EC
         if (s->tlsext_ecpointformatlist != NULL &&
             s->version != DTLS1_VERSION) {
                 /* Add TLS extension ECPointFormats to the ClientHello message */
@@ -515,7 +512,6 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                     s->tlsext_ellipticcurvelist_length);
                 ret += s->tlsext_ellipticcurvelist_length;
         }
-#endif /* OPENSSL_NO_EC */
 
         if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
                 int ticklen;
@@ -743,7 +739,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                 ret += el;
         }
 
-#ifndef OPENSSL_NO_EC
         if (s->tlsext_ecpointformatlist != NULL &&
             s->version != DTLS1_VERSION) {
                 /* Add TLS extension ECPointFormats to the ServerHello message */
@@ -770,7 +765,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
 
         }
         /* Currently the server should not respond with a SupportedCurves extension */
-#endif /* OPENSSL_NO_EC */
 
         if (s->tlsext_ticket_expected &&
             !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
@@ -875,7 +869,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
         return ret;
 }
 
-#ifndef OPENSSL_NO_EC
 /* ssl_check_for_safari attempts to fingerprint Safari using OS X
  * SecureTransport using the TLS extension block in |d|, of length |n|.
  * Safari, since 10.6, sends exactly these extensions, in this order:
@@ -956,7 +949,6 @@ ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d,
 
         s->s3->is_probably_safari = 1;
 }
-#endif /* !OPENSSL_NO_EC */
 
 int
 ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
@@ -975,10 +967,8 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
         s->s3->next_proto_neg_seen = 0;
 #endif
 
-#ifndef OPENSSL_NO_EC
         if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
                 ssl_check_for_safari(s, data, d, n);
-#endif /* !OPENSSL_NO_EC */
 
         if (data >= (d + n - 2))
                 goto ri_check;
@@ -1095,7 +1085,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 
                 }
 
-#ifndef OPENSSL_NO_EC
                 else if (type == TLSEXT_TYPE_ec_point_formats &&
                     s->version != DTLS1_VERSION) {
                         unsigned char *sdata = data;
@@ -1142,7 +1131,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                                 memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
                         }
                 }
-#endif /* OPENSSL_NO_EC */
 #ifdef TLSEXT_TYPE_opaque_prf_input
                 else if (type == TLSEXT_TYPE_opaque_prf_input &&
                     s->version != DTLS1_VERSION) {
@@ -1408,7 +1396,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                         tlsext_servername = 1;
 
                 }
-#ifndef OPENSSL_NO_EC
                 else if (type == TLSEXT_TYPE_ec_point_formats &&
                     s->version != DTLS1_VERSION) {
                         unsigned char *sdata = data;
@@ -1430,7 +1417,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                         s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
                         memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
                 }
-#endif /* OPENSSL_NO_EC */
                 else if (type == TLSEXT_TYPE_session_ticket) {
                         if (s->tls_session_ticket_ext_cb &&
                             !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
@@ -1576,7 +1562,6 @@ ri_check:
 int
 ssl_prepare_clienthello_tlsext(SSL *s)
 {
-#ifndef OPENSSL_NO_EC
         /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats
          * and elliptic curves we support.
          */
@@ -1624,7 +1609,6 @@ ssl_prepare_clienthello_tlsext(SSL *s)
                         s2n(id, j);
                 }
         }
-#endif /* OPENSSL_NO_EC */
 
 #ifdef TLSEXT_TYPE_opaque_prf_input
         {
@@ -1667,7 +1651,6 @@ ssl_prepare_clienthello_tlsext(SSL *s)
 int
 ssl_prepare_serverhello_tlsext(SSL *s)
 {
-#ifndef OPENSSL_NO_EC
         /* If we are server and using an ECC cipher suite, send the point formats we support
          * if the client sent us an ECPointsFormat extension.  Note that the server is not
          * supposed to send an EllipticCurves extension.
@@ -1689,7 +1672,6 @@ ssl_prepare_serverhello_tlsext(SSL *s)
                 s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
                 s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
         }
-#endif /* OPENSSL_NO_EC */
 
         return 1;
 }
@@ -1700,14 +1682,12 @@ ssl_check_clienthello_tlsext_early(SSL *s)
         int ret = SSL_TLSEXT_ERR_NOACK;
         int al = SSL_AD_UNRECOGNIZED_NAME;
 
-#ifndef OPENSSL_NO_EC
         /* The handling of the ECPointFormats extension is done elsewhere, namely in
          * ssl3_choose_cipher in s3_lib.c.
          */
         /* The handling of the EllipticCurves extension is done elsewhere, namely in
          * ssl3_choose_cipher in s3_lib.c.
          */
-#endif
 
         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
@@ -1850,7 +1830,6 @@ ssl_check_serverhello_tlsext(SSL *s)
         int ret = SSL_TLSEXT_ERR_NOACK;
         int al = SSL_AD_UNRECOGNIZED_NAME;
 
-#ifndef OPENSSL_NO_EC
         /* If we are client and using an elliptic curve cryptography cipher
          * suite, then if server returns an EC point formats lists extension
          * it must contain uncompressed.
@@ -1879,7 +1858,6 @@ ssl_check_serverhello_tlsext(SSL *s)
                 }
         }
         ret = SSL_TLSEXT_ERR_OK;
-#endif /* OPENSSL_NO_EC */
 
         if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
                 ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);