12 files changed, 12 insertions, 130 deletions

diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index ffc10774d8..297665430a 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.34 2014/12/10 15:43:31 jsing Exp $ */
+/* $OpenBSD: s3_both.c,v 1.35 2014/12/14 14:34:43 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -194,7 +194,6 @@ ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
         return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
 }
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
 /* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */
 static void
 ssl3_take_mac(SSL *s)
@@ -217,7 +216,6 @@ ssl3_take_mac(SSL *s)
         s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
         sender, slen, s->s3->tmp.peer_finish_md);
 }
-#endif
 
 int
 ssl3_get_finished(SSL *s, int a, int b)
@@ -226,11 +224,6 @@ ssl3_get_finished(SSL *s, int a, int b)
         long n;
         unsigned char *p;
 
-#ifdef OPENSSL_NO_NEXTPROTONEG
-        /* the mac has already been generated when we received the
-         * change cipher spec message and is in s->s3->tmp.peer_finish_md.
-         */ 
-#endif
 
         n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED,
             64, /* should actually be 36+4 :-) */ &ok);
@@ -505,12 +498,10 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                 n -= i;
         }
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
         /* If receiving Finished, record MAC of prior handshake messages for
          * Finished verification. */
         if (*s->init_buf->data == SSL3_MT_FINISHED)
                 ssl3_take_mac(s);
-#endif
 
         /* Feed this message into MAC computation. */
         ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index e7741826ae..260154a097 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.99 2014/12/10 15:43:31 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.100 2014/12/14 14:34:43 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -465,14 +465,10 @@ ssl3_connect(SSL *s)
                         if (ret <= 0)
                                 goto end;
 
-#ifdef OPENSSL_NO_NEXTPROTONEG
-                        s->state = SSL3_ST_CW_FINISHED_A;
-#else
                         if (s->s3->next_proto_neg_seen)
                                 s->state = SSL3_ST_CW_NEXT_PROTO_A;
                         else
                                 s->state = SSL3_ST_CW_FINISHED_A;
-#endif
                         s->init_num = 0;
 
                         s->session->cipher = s->s3->tmp.new_cipher;
@@ -489,7 +485,6 @@ ssl3_connect(SSL *s)
 
                         break;
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
                 case SSL3_ST_CW_NEXT_PROTO_A:
                 case SSL3_ST_CW_NEXT_PROTO_B:
                         ret = ssl3_send_next_proto(s);
@@ -497,7 +492,6 @@ ssl3_connect(SSL *s)
                                 goto end;
                         s->state = SSL3_ST_CW_FINISHED_A;
                         break;
-#endif
 
                 case SSL3_ST_CW_FINISHED_A:
                 case SSL3_ST_CW_FINISHED_B:
@@ -2634,7 +2628,6 @@ err:
         return (0);
 }
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
 int
 ssl3_send_next_proto(SSL *s)
 {
@@ -2658,7 +2651,6 @@ ssl3_send_next_proto(SSL *s)
 
         return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
 }
-#endif /* !OPENSSL_NO_NEXTPROTONEG */
 
 /*
  * Check to see if handshake is full or resumed. Usually this is just a
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 4beee2d53c..21e339525c 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.87 2014/12/10 15:36:47 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.88 2014/12/14 14:34:43 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1927,11 +1927,9 @@ ssl3_clear(SSL *s)
         s->s3->in_read_app_data = 0;
         s->version = SSL3_VERSION;
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
         free(s->next_proto_negotiated);
         s->next_proto_negotiated = NULL;
         s->next_proto_negotiated_len = 0;
-#endif
 }
 
 
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 645caf4bc9..783b1df782 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.93 2014/12/10 15:43:31 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.94 2014/12/14 14:34:43 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -537,14 +537,10 @@ ssl3_accept(SSL *s)
                                  * the client uses its key from the certificate
                                  * for key exchange.
                                  */
-#ifdef OPENSSL_NO_NEXTPROTONEG
-                                s->state = SSL3_ST_SR_FINISHED_A;
-#else
                                 if (s->s3->next_proto_neg_seen)
                                         s->state = SSL3_ST_SR_NEXT_PROTO_A;
                                 else
                                         s->state = SSL3_ST_SR_FINISHED_A;
-#endif
                                 s->init_num = 0;
                         } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
                                 s->state = SSL3_ST_SR_CERT_VRFY_A;
@@ -609,18 +605,13 @@ ssl3_accept(SSL *s)
                         if (ret <= 0)
                                 goto end;
 
-#ifdef OPENSSL_NO_NEXTPROTONEG
-                        s->state = SSL3_ST_SR_FINISHED_A;
-#else
                         if (s->s3->next_proto_neg_seen)
                                 s->state = SSL3_ST_SR_NEXT_PROTO_A;
                         else
                                 s->state = SSL3_ST_SR_FINISHED_A;
-#endif
                         s->init_num = 0;
                         break;
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
                 case SSL3_ST_SR_NEXT_PROTO_A:
                 case SSL3_ST_SR_NEXT_PROTO_B:
                         ret = ssl3_get_next_proto(s);
@@ -629,7 +620,6 @@ ssl3_accept(SSL *s)
                         s->init_num = 0;
                         s->state = SSL3_ST_SR_FINISHED_A;
                         break;
-#endif
 
                 case SSL3_ST_SR_FINISHED_A:
                 case SSL3_ST_SR_FINISHED_B:
@@ -701,9 +691,6 @@ ssl3_accept(SSL *s)
                                 goto end;
                         s->state = SSL3_ST_SW_FLUSH;
                         if (s->hit) {
-#ifdef OPENSSL_NO_NEXTPROTONEG
-                                s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
-#else
                                 if (s->s3->next_proto_neg_seen) {
                                         s->s3->flags |= SSL3_FLAGS_CCS_OK;
                                         s->s3->tmp.next_state =
@@ -711,7 +698,6 @@ ssl3_accept(SSL *s)
                                 } else
                                         s->s3->tmp.next_state =
                                             SSL3_ST_SR_FINISHED_A;
-#endif
                         } else
                                 s->s3->tmp.next_state = SSL_ST_OK;
                         s->init_num = 0;
@@ -2850,7 +2836,6 @@ ssl3_send_cert_status(SSL *s)
         return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
 }
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
 /*
  * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
  * It sets the next_proto member in s if found
@@ -2921,4 +2906,3 @@ ssl3_get_next_proto(SSL *s)
 
         return (1);
 }
-# endif
diff --git a/src/lib/libssl/src/ssl/s3_both.c b/src/lib/libssl/src/ssl/s3_both.c
index ffc10774d8..297665430a 100644
--- a/src/lib/libssl/src/ssl/s3_both.c
+++ b/src/lib/libssl/src/ssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.34 2014/12/10 15:43:31 jsing Exp $ */
+/* $OpenBSD: s3_both.c,v 1.35 2014/12/14 14:34:43 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -194,7 +194,6 @@ ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
         return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
 }
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
 /* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */
 static void
 ssl3_take_mac(SSL *s)
@@ -217,7 +216,6 @@ ssl3_take_mac(SSL *s)
         s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
         sender, slen, s->s3->tmp.peer_finish_md);
 }
-#endif
 
 int
 ssl3_get_finished(SSL *s, int a, int b)
@@ -226,11 +224,6 @@ ssl3_get_finished(SSL *s, int a, int b)
         long n;
         unsigned char *p;
 
-#ifdef OPENSSL_NO_NEXTPROTONEG
-        /* the mac has already been generated when we received the
-         * change cipher spec message and is in s->s3->tmp.peer_finish_md.
-         */ 
-#endif
 
         n = s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED,
             64, /* should actually be 36+4 :-) */ &ok);
@@ -505,12 +498,10 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                 n -= i;
         }
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
         /* If receiving Finished, record MAC of prior handshake messages for
          * Finished verification. */
         if (*s->init_buf->data == SSL3_MT_FINISHED)
                 ssl3_take_mac(s);
-#endif
 
         /* Feed this message into MAC computation. */
         ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index e7741826ae..260154a097 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.99 2014/12/10 15:43:31 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.100 2014/12/14 14:34:43 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -465,14 +465,10 @@ ssl3_connect(SSL *s)
                         if (ret <= 0)
                                 goto end;
 
-#ifdef OPENSSL_NO_NEXTPROTONEG
-                        s->state = SSL3_ST_CW_FINISHED_A;
-#else
                         if (s->s3->next_proto_neg_seen)
                                 s->state = SSL3_ST_CW_NEXT_PROTO_A;
                         else
                                 s->state = SSL3_ST_CW_FINISHED_A;
-#endif
                         s->init_num = 0;
 
                         s->session->cipher = s->s3->tmp.new_cipher;
@@ -489,7 +485,6 @@ ssl3_connect(SSL *s)
 
                         break;
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
                 case SSL3_ST_CW_NEXT_PROTO_A:
                 case SSL3_ST_CW_NEXT_PROTO_B:
                         ret = ssl3_send_next_proto(s);
@@ -497,7 +492,6 @@ ssl3_connect(SSL *s)
                                 goto end;
                         s->state = SSL3_ST_CW_FINISHED_A;
                         break;
-#endif
 
                 case SSL3_ST_CW_FINISHED_A:
                 case SSL3_ST_CW_FINISHED_B:
@@ -2634,7 +2628,6 @@ err:
         return (0);
 }
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
 int
 ssl3_send_next_proto(SSL *s)
 {
@@ -2658,7 +2651,6 @@ ssl3_send_next_proto(SSL *s)
 
         return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
 }
-#endif /* !OPENSSL_NO_NEXTPROTONEG */
 
 /*
  * Check to see if handshake is full or resumed. Usually this is just a
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index 4beee2d53c..21e339525c 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.87 2014/12/10 15:36:47 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.88 2014/12/14 14:34:43 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1927,11 +1927,9 @@ ssl3_clear(SSL *s)
         s->s3->in_read_app_data = 0;
         s->version = SSL3_VERSION;
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
         free(s->next_proto_negotiated);
         s->next_proto_negotiated = NULL;
         s->next_proto_negotiated_len = 0;
-#endif
 }
 
 
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 645caf4bc9..783b1df782 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.93 2014/12/10 15:43:31 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.94 2014/12/14 14:34:43 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -537,14 +537,10 @@ ssl3_accept(SSL *s)
                                  * the client uses its key from the certificate
                                  * for key exchange.
                                  */
-#ifdef OPENSSL_NO_NEXTPROTONEG
-                                s->state = SSL3_ST_SR_FINISHED_A;
-#else
                                 if (s->s3->next_proto_neg_seen)
                                         s->state = SSL3_ST_SR_NEXT_PROTO_A;
                                 else
                                         s->state = SSL3_ST_SR_FINISHED_A;
-#endif
                                 s->init_num = 0;
                         } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
                                 s->state = SSL3_ST_SR_CERT_VRFY_A;
@@ -609,18 +605,13 @@ ssl3_accept(SSL *s)
                         if (ret <= 0)
                                 goto end;
 
-#ifdef OPENSSL_NO_NEXTPROTONEG
-                        s->state = SSL3_ST_SR_FINISHED_A;
-#else
                         if (s->s3->next_proto_neg_seen)
                                 s->state = SSL3_ST_SR_NEXT_PROTO_A;
                         else
                                 s->state = SSL3_ST_SR_FINISHED_A;
-#endif
                         s->init_num = 0;
                         break;
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
                 case SSL3_ST_SR_NEXT_PROTO_A:
                 case SSL3_ST_SR_NEXT_PROTO_B:
                         ret = ssl3_get_next_proto(s);
@@ -629,7 +620,6 @@ ssl3_accept(SSL *s)
                         s->init_num = 0;
                         s->state = SSL3_ST_SR_FINISHED_A;
                         break;
-#endif
 
                 case SSL3_ST_SR_FINISHED_A:
                 case SSL3_ST_SR_FINISHED_B:
@@ -701,9 +691,6 @@ ssl3_accept(SSL *s)
                                 goto end;
                         s->state = SSL3_ST_SW_FLUSH;
                         if (s->hit) {
-#ifdef OPENSSL_NO_NEXTPROTONEG
-                                s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
-#else
                                 if (s->s3->next_proto_neg_seen) {
                                         s->s3->flags |= SSL3_FLAGS_CCS_OK;
                                         s->s3->tmp.next_state =
@@ -711,7 +698,6 @@ ssl3_accept(SSL *s)
                                 } else
                                         s->s3->tmp.next_state =
                                             SSL3_ST_SR_FINISHED_A;
-#endif
                         } else
                                 s->s3->tmp.next_state = SSL_ST_OK;
                         s->init_num = 0;
@@ -2850,7 +2836,6 @@ ssl3_send_cert_status(SSL *s)
         return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
 }
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
 /*
  * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
  * It sets the next_proto member in s if found
@@ -2921,4 +2906,3 @@ ssl3_get_next_proto(SSL *s)
 
         return (1);
 }
-# endif
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 4369ba587a..e809ff0bc0 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.92 2014/12/10 15:36:47 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.93 2014/12/14 14:34:43 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -333,9 +333,7 @@ SSL_new(SSL_CTX *ctx)
         s->tlsext_ocsp_resplen = -1;
         CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
         s->initial_ctx = ctx;
-# ifndef OPENSSL_NO_NEXTPROTONEG
         s->next_proto_negotiated = NULL;
-# endif
 
         if (s->ctx->alpn_client_proto_list != NULL) {
                 s->alpn_client_proto_list =
@@ -560,9 +558,7 @@ SSL_free(SSL *s)
         SSL_CTX_free(s->ctx);
 
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
         free(s->next_proto_negotiated);
-#endif
         free(s->alpn_client_proto_list);
 
 #ifndef OPENSSL_NO_SRTP
@@ -1509,7 +1505,6 @@ SSL_get_servername_type(const SSL *s)
         return (-1);
 }
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
 /*
  * SSL_select_next_proto implements the standard protocol selection. It is
  * expected that this function is called from the callback set by
@@ -1640,7 +1635,6 @@ SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s,
         ctx->next_proto_select_cb = cb;
         ctx->next_proto_select_cb_arg = arg;
 }
-# endif
 
 /*
  * SSL_CTX_set_alpn_protos sets the ALPN protocol list to the specified
@@ -1879,10 +1873,8 @@ SSL_CTX_new(const SSL_METHOD *meth)
         ret->tlsext_status_cb = 0;
         ret->tlsext_status_arg = NULL;
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
         ret->next_protos_advertised_cb = 0;
         ret->next_proto_select_cb = 0;
-# endif
 #ifndef OPENSSL_NO_ENGINE
         ret->client_cert_engine = NULL;
 #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 3b87d958cb..60cef857b5 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.73 2014/12/10 15:36:47 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.74 2014/12/14 14:34:43 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -867,7 +867,6 @@ skip_ext:
                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
         }
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
                 /* The client advertises an emtpy extension to indicate its
                  * support for Next Protocol Negotiation */
@@ -876,7 +875,6 @@ skip_ext:
                 s2n(TLSEXT_TYPE_next_proto_neg, ret);
                 s2n(0, ret);
         }
-#endif
 
         if (s->alpn_client_proto_list != NULL &&
             s->s3->tmp.finish_md_len == 0) {
@@ -958,9 +956,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
         int using_ecc, extdatalen = 0;
         unsigned long alg_a, alg_k;
         unsigned char *ret = p;
-#ifndef OPENSSL_NO_NEXTPROTONEG
         int next_proto_neg_seen;
-#endif
 
         alg_a = s->s3->tmp.new_cipher->algorithm_auth;
         alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
@@ -1097,7 +1093,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                 ret += sizeof(cryptopro_ext);
         }
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
         next_proto_neg_seen = s->s3->next_proto_neg_seen;
         s->s3->next_proto_neg_seen = 0;
         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
@@ -1117,7 +1112,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                         s->s3->next_proto_neg_seen = 1;
                 }
         }
-#endif
 
         if (s->s3->alpn_selected != NULL) {
                 const unsigned char *selected = s->s3->alpn_selected;
@@ -1304,9 +1298,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 
         s->servername_done = 0;
         s->tlsext_status_type = -1;
-#ifndef OPENSSL_NO_NEXTPROTONEG
         s->s3->next_proto_neg_seen = 0;
-#endif
         free(s->s3->alpn_selected);
         s->s3->alpn_selected = NULL;
 
@@ -1616,7 +1608,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                                 s->tlsext_status_type = -1;
                         }
                 }
-#ifndef OPENSSL_NO_NEXTPROTONEG
                 else if (type == TLSEXT_TYPE_next_proto_neg &&
                     s->s3->tmp.finish_md_len == 0 &&
                     s->s3->alpn_selected == NULL) {
@@ -1637,7 +1628,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                          * Finished message could have been computed.) */
                         s->s3->next_proto_neg_seen = 1;
                 }
-#endif
                 else if (type ==
                     TLSEXT_TYPE_application_layer_protocol_negotiation &&
                     s->ctx->alpn_select_cb != NULL &&
@@ -1676,7 +1666,6 @@ ri_check:
         return 1;
 }
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
  * elements of zero length are allowed and the set of elements must exactly fill
  * the length of the block. */
@@ -1694,7 +1683,6 @@ ssl_next_proto_validate(unsigned char *d, unsigned len)
 
         return off == len;
 }
-#endif
 
 int
 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
@@ -1707,9 +1695,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
         int tlsext_servername = 0;
         int renegotiate_seen = 0;
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
         s->s3->next_proto_neg_seen = 0;
-#endif
         free(s->s3->alpn_selected);
         s->s3->alpn_selected = NULL;
 
@@ -1797,7 +1783,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                         /* Set flag to expect CertificateStatus message */
                         s->tlsext_status_expected = 1;
                 }
-#ifndef OPENSSL_NO_NEXTPROTONEG
                 else if (type == TLSEXT_TYPE_next_proto_neg &&
                     s->s3->tmp.finish_md_len == 0) {
                         unsigned char *selected;
@@ -1826,7 +1811,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                         s->next_proto_negotiated_len = selected_len;
                         s->s3->next_proto_neg_seen = 1;
                 }
-#endif
                 else if (type ==
                     TLSEXT_TYPE_application_layer_protocol_negotiation) {
                         unsigned int len;
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 4369ba587a..e809ff0bc0 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.92 2014/12/10 15:36:47 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.93 2014/12/14 14:34:43 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -333,9 +333,7 @@ SSL_new(SSL_CTX *ctx)
         s->tlsext_ocsp_resplen = -1;
         CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
         s->initial_ctx = ctx;
-# ifndef OPENSSL_NO_NEXTPROTONEG
         s->next_proto_negotiated = NULL;
-# endif
 
         if (s->ctx->alpn_client_proto_list != NULL) {
                 s->alpn_client_proto_list =
@@ -560,9 +558,7 @@ SSL_free(SSL *s)
         SSL_CTX_free(s->ctx);
 
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
         free(s->next_proto_negotiated);
-#endif
         free(s->alpn_client_proto_list);
 
 #ifndef OPENSSL_NO_SRTP
@@ -1509,7 +1505,6 @@ SSL_get_servername_type(const SSL *s)
         return (-1);
 }
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
 /*
  * SSL_select_next_proto implements the standard protocol selection. It is
  * expected that this function is called from the callback set by
@@ -1640,7 +1635,6 @@ SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s,
         ctx->next_proto_select_cb = cb;
         ctx->next_proto_select_cb_arg = arg;
 }
-# endif
 
 /*
  * SSL_CTX_set_alpn_protos sets the ALPN protocol list to the specified
@@ -1879,10 +1873,8 @@ SSL_CTX_new(const SSL_METHOD *meth)
         ret->tlsext_status_cb = 0;
         ret->tlsext_status_arg = NULL;
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
         ret->next_protos_advertised_cb = 0;
         ret->next_proto_select_cb = 0;
-# endif
 #ifndef OPENSSL_NO_ENGINE
         ret->client_cert_engine = NULL;
 #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 3b87d958cb..60cef857b5 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.73 2014/12/10 15:36:47 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.74 2014/12/14 14:34:43 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -867,7 +867,6 @@ skip_ext:
                         i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
         }
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
         if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
                 /* The client advertises an emtpy extension to indicate its
                  * support for Next Protocol Negotiation */
@@ -876,7 +875,6 @@ skip_ext:
                 s2n(TLSEXT_TYPE_next_proto_neg, ret);
                 s2n(0, ret);
         }
-#endif
 
         if (s->alpn_client_proto_list != NULL &&
             s->s3->tmp.finish_md_len == 0) {
@@ -958,9 +956,7 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
         int using_ecc, extdatalen = 0;
         unsigned long alg_a, alg_k;
         unsigned char *ret = p;
-#ifndef OPENSSL_NO_NEXTPROTONEG
         int next_proto_neg_seen;
-#endif
 
         alg_a = s->s3->tmp.new_cipher->algorithm_auth;
         alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
@@ -1097,7 +1093,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                 ret += sizeof(cryptopro_ext);
         }
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
         next_proto_neg_seen = s->s3->next_proto_neg_seen;
         s->s3->next_proto_neg_seen = 0;
         if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
@@ -1117,7 +1112,6 @@ ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                         s->s3->next_proto_neg_seen = 1;
                 }
         }
-#endif
 
         if (s->s3->alpn_selected != NULL) {
                 const unsigned char *selected = s->s3->alpn_selected;
@@ -1304,9 +1298,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 
         s->servername_done = 0;
         s->tlsext_status_type = -1;
-#ifndef OPENSSL_NO_NEXTPROTONEG
         s->s3->next_proto_neg_seen = 0;
-#endif
         free(s->s3->alpn_selected);
         s->s3->alpn_selected = NULL;
 
@@ -1616,7 +1608,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                                 s->tlsext_status_type = -1;
                         }
                 }
-#ifndef OPENSSL_NO_NEXTPROTONEG
                 else if (type == TLSEXT_TYPE_next_proto_neg &&
                     s->s3->tmp.finish_md_len == 0 &&
                     s->s3->alpn_selected == NULL) {
@@ -1637,7 +1628,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                          * Finished message could have been computed.) */
                         s->s3->next_proto_neg_seen = 1;
                 }
-#endif
                 else if (type ==
                     TLSEXT_TYPE_application_layer_protocol_negotiation &&
                     s->ctx->alpn_select_cb != NULL &&
@@ -1676,7 +1666,6 @@ ri_check:
         return 1;
 }
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
 /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
  * elements of zero length are allowed and the set of elements must exactly fill
  * the length of the block. */
@@ -1694,7 +1683,6 @@ ssl_next_proto_validate(unsigned char *d, unsigned len)
 
         return off == len;
 }
-#endif
 
 int
 ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
@@ -1707,9 +1695,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
         int tlsext_servername = 0;
         int renegotiate_seen = 0;
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
         s->s3->next_proto_neg_seen = 0;
-#endif
         free(s->s3->alpn_selected);
         s->s3->alpn_selected = NULL;
 
@@ -1797,7 +1783,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                         /* Set flag to expect CertificateStatus message */
                         s->tlsext_status_expected = 1;
                 }
-#ifndef OPENSSL_NO_NEXTPROTONEG
                 else if (type == TLSEXT_TYPE_next_proto_neg &&
                     s->s3->tmp.finish_md_len == 0) {
                         unsigned char *selected;
@@ -1826,7 +1811,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                         s->next_proto_negotiated_len = selected_len;
                         s->s3->next_proto_neg_seen = 1;
                 }
-#endif
                 else if (type ==
                     TLSEXT_TYPE_application_layer_protocol_negotiation) {
                         unsigned int len;