[openssl] master update

Dr. Paul Dale pauli at openssl.org
Wed Jun 2 06:34:55 UTC 2021


The branch master has been updated
       via  4cedf30e995f9789cf6bb103e248d33285a84067 (commit)
       via  71653965b3aa58a2106909ee52f9883bc0157130 (commit)
       via  60e91cc4099c8db88d314910a744bbedca52fa52 (commit)
       via  4c3c2633b226d930db7578346a1f5ddc48fd3466 (commit)
       via  3b90a847ece93b3886f14adc7061e70456d564e1 (commit)
       via  4656d9ecd1794a2555384ae8bd9b13dd3afbe5b1 (commit)
       via  3dc12810fa8320df3298602dd8ac9bd690c65a6a (commit)
       via  26b3e44a661899f0d0cb709482170cc411a94233 (commit)
       via  79cabd7e277ccb0763bd2f6438abcb089dcbdff1 (commit)
       via  c6472fec64d83a196e1ccc4636b552bf0f23addd (commit)
       via  e73a08b4007c2713aa707d44c8e8d5d63f57aca0 (commit)
       via  126e37716fc4c5dc55805b721c38f5ef94c75612 (commit)
       via  29cfba8599a649bc70a9414e701c68efceab13a3 (commit)
       via  e0a7ef0b5148156a64c2b9c4b30f7cef9a0dc6a4 (commit)
       via  1486b1fbd356cc0d64e941d3f8ead8e324cd72e0 (commit)
       via  6f6c8b0e3c3c9d627a3e211d49b1cdeb0114a6c7 (commit)
       via  75e1191f4d1185ebf7b94e620b15a73f22af146e (commit)
       via  69e21cb648f140c173ba238a761ce700bef643f6 (commit)
       via  1c8c5d4755cb4bd7fec527071f81a522834759c4 (commit)
       via  10dbfcc91eb84b9818393e48745dcb53914c57d4 (commit)
       via  0848b943a8c481e3fb1e08b70735392d6d6d70f4 (commit)
       via  407820c0e311efaafff7fdc8eafdff6e70f89eb2 (commit)
       via  fd009d763a931c4cd01f5181a2b0801d205f782a (commit)
       via  fb6ad22e36a1ade653f4b6881ddeee128e8b5001 (commit)
       via  db70dc2cdac6dec2366138fe1f46bf433ee1c2c8 (commit)
      from  0d7d5e24909d2af7608bf5f09397895470ac64c6 (commit)


- Log -----------------------------------------------------------------
commit 4cedf30e995f9789cf6bb103e248d33285a84067
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:37:37 2021 +1000

    utils: remove TODO
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 71653965b3aa58a2106909ee52f9883bc0157130
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:30:07 2021 +1000

    crypto: remove TODOs
    
    Fixes #15451
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 60e91cc4099c8db88d314910a744bbedca52fa52
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:55 2021 +1000

    http: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 4c3c2633b226d930db7578346a1f5ddc48fd3466
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:55 2021 +1000

    evp: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 3b90a847ece93b3886f14adc7061e70456d564e1
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:55 2021 +1000

    err: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 4656d9ecd1794a2555384ae8bd9b13dd3afbe5b1
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:55 2021 +1000

    ec: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 3dc12810fa8320df3298602dd8ac9bd690c65a6a
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:55 2021 +1000

    dso: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 26b3e44a661899f0d0cb709482170cc411a94233
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:55 2021 +1000

    bn: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 79cabd7e277ccb0763bd2f6438abcb089dcbdff1
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:34 2021 +1000

    rsa: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit c6472fec64d83a196e1ccc4636b552bf0f23addd
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:34 2021 +1000

    store: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit e73a08b4007c2713aa707d44c8e8d5d63f57aca0
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:34 2021 +1000

    pem: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 126e37716fc4c5dc55805b721c38f5ef94c75612
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:34 2021 +1000

    ocsp: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 29cfba8599a649bc70a9414e701c68efceab13a3
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:33 2021 +1000

    ct: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit e0a7ef0b5148156a64c2b9c4b30f7cef9a0dc6a4
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:33 2021 +1000

    crmf: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 1486b1fbd356cc0d64e941d3f8ead8e324cd72e0
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:33 2021 +1000

    comp: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 6f6c8b0e3c3c9d627a3e211d49b1cdeb0114a6c7
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:33 2021 +1000

    cms: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 75e1191f4d1185ebf7b94e620b15a73f22af146e
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:29:33 2021 +1000

    cmp: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 69e21cb648f140c173ba238a761ce700bef643f6
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:28:45 2021 +1000

    x509: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 1c8c5d4755cb4bd7fec527071f81a522834759c4
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:28:32 2021 +1000

    bio: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 10dbfcc91eb84b9818393e48745dcb53914c57d4
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:28:15 2021 +1000

    asn.1: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 0848b943a8c481e3fb1e08b70735392d6d6d70f4
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:27:58 2021 +1000

    providers: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit 407820c0e311efaafff7fdc8eafdff6e70f89eb2
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:27:48 2021 +1000

    tls: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit fd009d763a931c4cd01f5181a2b0801d205f782a
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:27:31 2021 +1000

    test: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit fb6ad22e36a1ade653f4b6881ddeee128e8b5001
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:27:18 2021 +1000

    fuzz: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

commit db70dc2cdac6dec2366138fe1f46bf433ee1c2c8
Author: Pauli <pauli at openssl.org>
Date:   Mon May 31 14:27:04 2021 +1000

    apps: remove TODOs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15539)

-----------------------------------------------------------------------

Summary of changes:
 apps/cmp.c                                               |  6 ------
 apps/dhparam.c                                           |  7 +++----
 apps/lib/apps.c                                          |  3 ---
 apps/lib/cmp_mock_srv.c                                  |  2 --
 apps/lib/http_server.c                                   |  1 -
 apps/rsa.c                                               |  2 +-
 apps/x509.c                                              |  1 -
 crypto/asn1/bio_asn1.c                                   |  2 --
 crypto/bio/b_sock.c                                      |  1 -
 crypto/bio/bf_buff.c                                     |  2 --
 crypto/bio/bf_lbuf.c                                     |  2 --
 crypto/bio/bf_nbio.c                                     |  2 --
 crypto/bio/bf_null.c                                     |  2 --
 crypto/bio/bss_acpt.c                                    |  2 --
 crypto/bio/bss_bio.c                                     |  2 --
 crypto/bio/bss_conn.c                                    |  2 --
 crypto/bio/bss_dgram.c                                   |  4 ----
 crypto/bio/bss_fd.c                                      |  2 --
 crypto/bio/bss_file.c                                    |  4 ----
 crypto/bio/bss_log.c                                     |  1 -
 crypto/bio/bss_mem.c                                     |  4 ----
 crypto/bio/bss_null.c                                    |  2 --
 crypto/bio/bss_sock.c                                    |  2 --
 crypto/bn/bn_ctx.c                                       | 13 -------------
 crypto/bn/bn_prime.c                                     |  1 -
 crypto/cmp/cmp_client.c                                  | 15 ++-------------
 crypto/cmp/cmp_ctx.c                                     |  4 ++--
 crypto/cmp/cmp_local.h                                   |  5 -----
 crypto/cmp/cmp_msg.c                                     | 12 ------------
 crypto/cmp/cmp_protect.c                                 |  1 -
 crypto/cmp/cmp_server.c                                  | 13 ++-----------
 crypto/cmp/cmp_vfy.c                                     |  2 +-
 crypto/cms/cms_kari.c                                    |  1 -
 crypto/comp/c_zlib.c                                     |  2 --
 crypto/crmf/crmf_asn.c                                   |  4 ----
 crypto/crmf/crmf_lib.c                                   | 12 +-----------
 crypto/crmf/crmf_local.h                                 |  7 -------
 crypto/crmf/crmf_pbm.c                                   |  2 --
 crypto/cryptlib.c                                        |  6 ------
 crypto/ct/ct_local.h                                     |  5 -----
 crypto/dso/dso_dlfcn.c                                   |  1 -
 crypto/ec/ec_mult.c                                      |  2 +-
 crypto/err/err.c                                         |  1 -
 crypto/err/err_blocks.c                                  |  1 -
 crypto/err/err_prn.c                                     |  1 -
 crypto/evp/asymcipher.c                                  |  6 ------
 crypto/evp/bio_b64.c                                     |  2 --
 crypto/evp/bio_enc.c                                     |  2 --
 crypto/evp/bio_md.c                                      |  2 --
 crypto/evp/bio_ok.c                                      |  2 --
 crypto/evp/exchange.c                                    |  6 ------
 crypto/evp/m_sigver.c                                    |  6 ------
 crypto/evp/pmeth_gn.c                                    |  1 -
 crypto/evp/pmeth_lib.c                                   |  3 +--
 crypto/evp/signature.c                                   |  6 ------
 crypto/http/http_client.c                                |  2 +-
 crypto/ocsp/ocsp_vfy.c                                   |  3 +--
 crypto/pem/pem_pkey.c                                    |  2 --
 crypto/provider_core.c                                   |  2 --
 crypto/rsa/rsa_backend.c                                 |  1 -
 crypto/rsa/rsa_ossl.c                                    | 10 ----------
 crypto/store/store_local.h                               |  2 +-
 crypto/store/store_result.c                              |  2 --
 crypto/x509/t_x509.c                                     |  6 ------
 crypto/x509/v3_addr.c                                    |  1 -
 crypto/x509/v3_bcons.c                                   |  1 -
 crypto/x509/v3_utl.c                                     |  1 -
 crypto/x509/x509_lu.c                                    |  1 -
 crypto/x509/x509_vfy.c                                   |  7 +++----
 crypto/x509/x_pubkey.c                                   |  1 -
 fuzz/client.c                                            |  4 ----
 fuzz/server.c                                            |  6 ------
 include/crypto/asn1.h                                    |  4 ----
 include/openssl/x509.h.in                                |  9 ++++-----
 providers/common/provider_util.c                         |  3 ---
 providers/implementations/encode_decode/encode_key2any.c |  1 -
 providers/implementations/rands/seeding/rand_unix.c      |  2 +-
 providers/implementations/rands/seeding/rand_vms.c       |  2 +-
 ssl/build.info                                           |  8 ++++----
 ssl/d1_lib.c                                             |  1 -
 ssl/record/rec_layer_s3.c                                |  4 ----
 ssl/record/ssl3_record.c                                 | 12 ------------
 ssl/record/ssl3_record_tls13.c                           |  2 --
 ssl/s3_cbc.c                                             |  1 -
 ssl/s3_enc.c                                             |  1 -
 ssl/ssl_ciph.c                                           |  1 -
 ssl/ssl_lib.c                                            |  5 -----
 ssl/ssl_local.h                                          |  2 +-
 ssl/ssl_txt.c                                            |  1 -
 ssl/statem/extensions.c                                  |  2 --
 ssl/statem/extensions_clnt.c                             |  8 +++-----
 ssl/statem/extensions_srvr.c                             |  9 ---------
 ssl/statem/statem_clnt.c                                 |  9 +++------
 ssl/statem/statem_srvr.c                                 |  2 +-
 ssl/t1_enc.c                                             |  1 -
 ssl/t1_lib.c                                             |  2 +-
 ssl/tls13_enc.c                                          |  1 -
 test/algorithmid_test.c                                  | 10 ----------
 test/bntest.c                                            |  8 ++++----
 test/cmp_asn_test.c                                      |  5 -----
 test/cmp_client_test.c                                   |  3 ---
 test/cmp_hdr_test.c                                      |  5 -----
 test/helpers/handshake.c                                 |  8 +-------
 test/helpers/pkcs12.c                                    |  7 -------
 test/ssl_old_test.c                                      |  2 +-
 test/sslapitest.c                                        |  8 --------
 util/find-doc-nits                                       |  1 -
 107 files changed, 45 insertions(+), 362 deletions(-)

diff --git a/apps/cmp.c b/apps/cmp.c
index 5912090701..03530f2584 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -643,10 +643,6 @@ static X509 *load_cert_pwd(const char *uri, const char *pass, const char *desc)
     return cert;
 }
 
-/*
- * TODO potentially move this and related functions to apps/lib/
- * or even better extend OSSL_STORE with type OSSL_STORE_INFO_CRL
- */
 static X509_REQ *load_csr_autofmt(const char *infile, const char *desc)
 {
     X509_REQ *csr;
@@ -1051,7 +1047,6 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
         }
         X509_free(cert);
     }
-    /* TODO find a cleaner solution not requiring type casts */
     if (!setup_certs(opt_rsp_extracerts,
                      "CMP extra certificates for mock server", srv_ctx,
                      (add_X509_stack_fn_t)ossl_cmp_mock_srv_set1_chainOut))
@@ -1318,7 +1313,6 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host,
         /* enable and parameterize server hostname/IP address check */
         if (!truststore_set_host_etc(trust_store,
                                      opt_tls_host != NULL ? opt_tls_host : host))
-            /* TODO: is the server host name correct for TLS via proxy? */
             goto err;
         SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
     }
diff --git a/apps/dhparam.c b/apps/dhparam.c
index ba3119b2ce..982b2db549 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -273,10 +273,9 @@ int dhparam_main(int argc, char **argv)
                 */
                 keytype = "DHX";
                 /*
-                    * BIO_reset() returns 0 for success for file BIOs only!!!
-                    * This won't work for stdin (and never has done)
-                    * TODO: We should fix this at some point
-                    */
+                 * BIO_reset() returns 0 for success for file BIOs only!!!
+                 * This won't work for stdin (and never has done)
+                 */
                 if (BIO_reset(in) == 0)
                     done = 0;
             }
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 12a17fceed..3d6588ba23 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -885,7 +885,6 @@ int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
     const char *input_type;
     OSSL_PARAM itp[2];
     const OSSL_PARAM *params = NULL;
-    /* TODO make use of the engine reference 'eng' when loading pkeys */
 
     if (ppkey != NULL) {
         *ppkey = NULL;
@@ -2258,8 +2257,6 @@ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const char *md,
         if (!adapt_keyid_ext(cert, ext_ctx, "authorityKeyIdentifier",
                              "keyid, issuer", !self_sign))
             goto end;
-
-        /* TODO any further measures for ensuring default RFC 5280 compliance */
     }
 
     if (mctx != NULL && do_sign_init(mctx, pkey, md, sigopts) > 0)
diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
index 1e6a27210c..1caaa2f0eb 100644
--- a/apps/lib/cmp_mock_srv.c
+++ b/apps/lib/cmp_mock_srv.c
@@ -204,7 +204,6 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
     }
     if (ctx->certOut != NULL
             && (*certOut = X509_dup(ctx->certOut)) == NULL)
-        /* TODO better return a cert produced from data in request template */
         goto err;
     if (ctx->chainOut != NULL
             && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
@@ -312,7 +311,6 @@ static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
     if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) {
         BIO_printf(bio_err, "errorDetails absent\n");
     } else {
-        /* TODO could use sk_ASN1_UTF8STRING2text() if exported */
         BIO_printf(bio_err, "errorDetails: ");
         for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
             if (i > 0)
diff --git a/apps/lib/http_server.c b/apps/lib/http_server.c
index 46065d2dd0..1858d04ccb 100644
--- a/apps/lib/http_server.c
+++ b/apps/lib/http_server.c
@@ -405,7 +405,6 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
         log_message(prog, LOG_WARNING,
                     "HTTP request does not begin with %sPOST: %s",
                     accept_get ? "GET or " : "", reqbuf);
-        /* TODO provide better diagnosis in case client tries TLS */
         (void)http_server_send_status(cbio, 400, "Bad Request");
         goto out;
     }
diff --git a/apps/rsa.c b/apps/rsa.c
index 5710893c7a..c4f65cac10 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -25,7 +25,7 @@
 #include <openssl/encoder.h>
 
 /*
- * TODO: This include is to get OSSL_KEYMGMT_SELECT_*, which feels a bit
+ * This include is to get OSSL_KEYMGMT_SELECT_*, which feels a bit
  * much just for those macros...  they might serve better as EVP macros.
  */
 #include <openssl/core_dispatch.h>
diff --git a/apps/x509.c b/apps/x509.c
index 9632d72260..8ec6ba2db5 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -745,7 +745,6 @@ int x509_main(int argc, char **argv)
 
     if (!noout || text || next_serial)
         OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3");
-    /* TODO: why is this strange object created (and no error checked)? */
 
     if (alias)
         X509_alias_set1(x, (unsigned char *)alias, -1);
diff --git a/crypto/asn1/bio_asn1.c b/crypto/asn1/bio_asn1.c
index 3742b0096f..fa81b3a28a 100644
--- a/crypto/asn1/bio_asn1.c
+++ b/crypto/asn1/bio_asn1.c
@@ -79,10 +79,8 @@ static int asn1_bio_setup_ex(BIO *b, BIO_ASN1_BUF_CTX *ctx,
 static const BIO_METHOD methods_asn1 = {
     BIO_TYPE_ASN1,
     "asn1",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     asn1_bio_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     asn1_bio_read,
     asn1_bio_puts,
diff --git a/crypto/bio/b_sock.c b/crypto/bio/b_sock.c
index 5804465dfe..b827c5b902 100644
--- a/crypto/bio/b_sock.c
+++ b/crypto/bio/b_sock.c
@@ -383,7 +383,6 @@ int BIO_sock_info(int sock,
     return 1;
 }
 
-/* TODO simplify by BIO_socket_wait() further other uses of select() in apps/ */
 /*
  * Wait on fd at most until max_time; succeed immediately if max_time == 0.
  * If for_read == 0 then assume to wait for writing, else wait for reading.
diff --git a/crypto/bio/bf_buff.c b/crypto/bio/bf_buff.c
index d12cbf9d37..cfed63bd72 100644
--- a/crypto/bio/bf_buff.c
+++ b/crypto/bio/bf_buff.c
@@ -25,10 +25,8 @@ static long buffer_callback_ctrl(BIO *h, int cmd, BIO_info_cb *fp);
 static const BIO_METHOD methods_buffer = {
     BIO_TYPE_BUFFER,
     "buffer",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     buffer_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     buffer_read,
     buffer_puts,
diff --git a/crypto/bio/bf_lbuf.c b/crypto/bio/bf_lbuf.c
index 946ff0d23b..73f1216987 100644
--- a/crypto/bio/bf_lbuf.c
+++ b/crypto/bio/bf_lbuf.c
@@ -30,10 +30,8 @@ static long linebuffer_callback_ctrl(BIO *h, int cmd, BIO_info_cb *fp);
 static const BIO_METHOD methods_linebuffer = {
     BIO_TYPE_LINEBUFFER,
     "linebuffer",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     linebuffer_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     linebuffer_read,
     linebuffer_puts,
diff --git a/crypto/bio/bf_nbio.c b/crypto/bio/bf_nbio.c
index f5b83a89f9..f9e9fe718e 100644
--- a/crypto/bio/bf_nbio.c
+++ b/crypto/bio/bf_nbio.c
@@ -34,10 +34,8 @@ typedef struct nbio_test_st {
 static const BIO_METHOD methods_nbiof = {
     BIO_TYPE_NBIO_TEST,
     "non-blocking IO test filter",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     nbiof_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     nbiof_read,
     nbiof_puts,
diff --git a/crypto/bio/bf_null.c b/crypto/bio/bf_null.c
index fff9938ca1..aca4c5eb6d 100644
--- a/crypto/bio/bf_null.c
+++ b/crypto/bio/bf_null.c
@@ -25,10 +25,8 @@ static long nullf_callback_ctrl(BIO *h, int cmd, BIO_info_cb *fp);
 static const BIO_METHOD methods_nullf = {
     BIO_TYPE_NULL_FILTER,
     "NULL filter",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     nullf_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     nullf_read,
     nullf_puts,
diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c
index 834c2ffef1..c25f71cec2 100644
--- a/crypto/bio/bss_acpt.c
+++ b/crypto/bio/bss_acpt.c
@@ -56,10 +56,8 @@ static void BIO_ACCEPT_free(BIO_ACCEPT *a);
 static const BIO_METHOD methods_acceptp = {
     BIO_TYPE_ACCEPT,
     "socket accept",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     acpt_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     acpt_read,
     acpt_puts,
diff --git a/crypto/bio/bss_bio.c b/crypto/bio/bss_bio.c
index 0b972b2b3f..699e6bf106 100644
--- a/crypto/bio/bss_bio.c
+++ b/crypto/bio/bss_bio.c
@@ -38,10 +38,8 @@ static void bio_destroy_pair(BIO *bio);
 static const BIO_METHOD methods_biop = {
     BIO_TYPE_BIO,
     "BIO pair",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     bio_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     bio_read,
     bio_puts,
diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c
index 3ab2c0d4ba..d146c97b82 100644
--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@@ -63,10 +63,8 @@ void BIO_CONNECT_free(BIO_CONNECT *a);
 static const BIO_METHOD methods_connectp = {
     BIO_TYPE_CONNECT,
     "socket connect",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     conn_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     conn_read,
     conn_puts,
diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
index af3d941abb..a530832dd8 100644
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -68,10 +68,8 @@ static void get_current_time(struct timeval *t);
 static const BIO_METHOD methods_dgramp = {
     BIO_TYPE_DGRAM,
     "datagram socket",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     dgram_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     dgram_read,
     dgram_puts,
@@ -86,10 +84,8 @@ static const BIO_METHOD methods_dgramp = {
 static const BIO_METHOD methods_dgramp_sctp = {
     BIO_TYPE_DGRAM_SCTP,
     "datagram sctp socket",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     dgram_sctp_write,
-    /* TODO: Convert to new style write function */
     bread_conv,
     dgram_sctp_read,
     dgram_sctp_puts,
diff --git a/crypto/bio/bss_fd.c b/crypto/bio/bss_fd.c
index 65e0b10311..f756225edb 100644
--- a/crypto/bio/bss_fd.c
+++ b/crypto/bio/bss_fd.c
@@ -60,10 +60,8 @@ int BIO_fd_should_retry(int s);
 static const BIO_METHOD methods_fdp = {
     BIO_TYPE_FD,
     "file descriptor",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     fd_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     fd_read,
     fd_puts,
diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c
index affd67ac02..a6143b6abc 100644
--- a/crypto/bio/bss_file.c
+++ b/crypto/bio/bss_file.c
@@ -42,10 +42,8 @@ static int file_free(BIO *data);
 static const BIO_METHOD methods_filep = {
     BIO_TYPE_FILE,
     "FILE pointer",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     file_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     file_read,
     file_puts,
@@ -407,10 +405,8 @@ static int file_free(BIO *a)
 static const BIO_METHOD methods_filep = {
     BIO_TYPE_FILE,
     "FILE pointer",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     file_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     file_read,
     file_puts,
diff --git a/crypto/bio/bss_log.c b/crypto/bio/bss_log.c
index b42cc4af8f..82abfd5cec 100644
--- a/crypto/bio/bss_log.c
+++ b/crypto/bio/bss_log.c
@@ -87,7 +87,6 @@ static void xcloselog(BIO *bp);
 static const BIO_METHOD methods_slg = {
     BIO_TYPE_MEM,
     "syslog",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     slg_write,
     NULL,                      /* slg_write_old,    */
diff --git a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c
index 5e48669e1e..7e501762bb 100644
--- a/crypto/bio/bss_mem.c
+++ b/crypto/bio/bss_mem.c
@@ -26,10 +26,8 @@ static int mem_buf_sync(BIO *h);
 static const BIO_METHOD mem_method = {
     BIO_TYPE_MEM,
     "memory buffer",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     mem_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     mem_read,
     mem_puts,
@@ -43,10 +41,8 @@ static const BIO_METHOD mem_method = {
 static const BIO_METHOD secmem_method = {
     BIO_TYPE_MEM,
     "secure memory buffer",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     mem_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     mem_read,
     mem_puts,
diff --git a/crypto/bio/bss_null.c b/crypto/bio/bss_null.c
index f677bbbb15..371d5b7cd8 100644
--- a/crypto/bio/bss_null.c
+++ b/crypto/bio/bss_null.c
@@ -20,10 +20,8 @@ static long null_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static const BIO_METHOD null_method = {
     BIO_TYPE_NULL,
     "NULL",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     null_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     null_read,
     null_puts,
diff --git a/crypto/bio/bss_sock.c b/crypto/bio/bss_sock.c
index e142de1674..f5d8810230 100644
--- a/crypto/bio/bss_sock.c
+++ b/crypto/bio/bss_sock.c
@@ -38,10 +38,8 @@ int BIO_sock_should_retry(int s);
 static const BIO_METHOD methods_sockp = {
     BIO_TYPE_SOCKET,
     "socket",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     sock_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     sock_read,
     sock_puts,
diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c
index ec401032ad..35a7ddbab7 100644
--- a/crypto/bn/bn_ctx.c
+++ b/crypto/bn/bn_ctx.c
@@ -11,19 +11,6 @@
 #include "internal/cryptlib.h"
 #include "bn_local.h"
 
-/*-
- * TODO list
- *
- * 1. Check a bunch of "(words+1)" type hacks in various bignum functions and
- * check they can be safely removed.
- *  - Check +1 and other ugliness in BN_from_montgomery()
- *
- * 2. Consider allowing a BN_new_ex() that, at least, lets you specify an
- * appropriate 'block' size that will be honoured by bn_expand_internal() to
- * prevent piddly little reallocations. OTOH, profiling bignum expansions in
- * BN_CTX doesn't show this to be a big issue.
- */
-
 /* How many bignums are in each "pool item"; */
 #define BN_CTX_POOL_SIZE        16
 /* The stack frame info is resizing, set a first-time expansion size; */
diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
index 64c7cd6a63..9e2f6861a5 100644
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
@@ -483,7 +483,6 @@ static int probable_prime(BIGNUM *rnd, int bits, int safe, prime_t *mods,
     BN_ULONG maxdelta = BN_MASK2 - primes[trial_divisions - 1];
 
  again:
-    /* TODO: Not all primes are private */
     if (!BN_priv_rand_ex(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD, 0,
                          ctx))
         return 0;
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index 367ddfd207..e7761ae7d9 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -71,7 +71,6 @@ static int unprotected_exception(const OSSL_CMP_CTX *ctx,
 
             if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1)
                 return -1;
-            /* TODO: handle potentially multiple CertResponses in CertRepMsg */
             if (crep == NULL)
                 return -1;
             if (ossl_cmp_pkisi_get_status(crep->status)
@@ -262,7 +261,6 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
                   "received 'waiting' PKIStatus, starting to poll for response");
     *rep = NULL;
     for (;;) {
-        /* TODO: handle potentially multiple poll requests per message */
         if ((preq = ossl_cmp_pollReq_new(ctx, rid)) == NULL)
             goto err;
 
@@ -277,7 +275,6 @@ static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
             char str[OSSL_CMP_PKISI_BUFLEN];
             int len;
 
-            /* TODO: handle potentially multiple elements in pollRep */
             if (sk_OSSL_CMP_POLLREP_num(prc) > 1) {
                 ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED);
                 goto err;
@@ -551,7 +548,6 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
         ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED);
         return 0;
     }
-    /* TODO: handle potentially multiple CertResponses in CertRepMsg */
     crep = ossl_cmp_certrepmessage_get0_certresponse(crepmsg, rid);
     if (crep == NULL)
         return 0;
@@ -622,11 +618,6 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
     if (fail_info != 0) /* immediately log error before any certConf exchange */
         ossl_cmp_log1(ERROR, ctx,
                       "rejecting newly enrolled cert with subject: %s", subj);
-
-    /*
-     * TODO: better move certConf exchange to do_certreq_seq() such that
-     * also more low-level errors with CertReqMessages get reported to server
-     */
     if (!ctx->disableConfirm
             && !ossl_cmp_hdr_has_implicitConfirm((*resp)->header)) {
         if (!ossl_cmp_exchange_certConf(ctx, fail_info, txt))
@@ -687,9 +678,8 @@ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
     } else {
         if (req_type < 0)
             return ossl_cmp_exchange_error(ctx, OSSL_CMP_PKISTATUS_rejection,
-                                           0 /* TODO better fail_info value? */,
-                                           "polling aborted", 0 /* errorCode */,
-                                           "by application");
+                                           0, "polling aborted",
+                                           0 /* errorCode */, "by application");
         res = poll_for_response(ctx, 0 /* no sleep */, rid, &rep, checkAfter);
         if (res <= 0) /* waiting or error */
             return res;
@@ -707,7 +697,6 @@ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
  * certConf, PKIconf, and polling if required.
  * Will sleep as long as indicated by the server (according to checkAfter).
  * All enrollment options need to be present in the context.
- * TODO: another function to request two certificates at once should be created.
  * Returns pointer to received certificate, or NULL if none was received.
  */
 X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index b0f676201e..f514ab27e0 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -770,7 +770,7 @@ DEFINE_OSSL_CMP_CTX_set1(p10CSR, X509_REQ)
 
 /*
  * Set the (newly received in IP/KUP/CP) certificate in the context.
- * TODO: this only permits for one cert to be enrolled at a time.
+ * This only permits for one cert to be enrolled at a time.
  */
 int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert)
 {
@@ -784,7 +784,7 @@ int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert)
 
 /*
  * Get the (newly received in IP/KUP/CP) client certificate from the context
- * TODO: this only permits for one client cert to be received...
+ * This only permits for one client cert to be received...
  */
 X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx)
 {
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index fec4916ed3..2b22db3e82 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -120,12 +120,9 @@ struct ossl_cmp_ctx_st {
 
     /* result returned in responses */
     int status; /* PKIStatus of last received IP/CP/KUP/RP/error or -1 */
-    /* TODO: this should be a stack since there could be more than one */
     OSSL_CMP_PKIFREETEXT *statusString; /* of last IP/CP/KUP/RP/error */
     int failInfoCode; /* failInfoCode of last received IP/CP/KUP/error, or -1 */
-    /* TODO: this should be a stack since there could be more than one */
     X509 *newCert; /* newly enrolled cert received from the CA */
-    /* TODO: this should be a stack since there could be more than one */
     STACK_OF(X509) *newChain; /* chain of newly enrolled cert received */
     STACK_OF(X509) *caPubs; /* CA certs received from server (in IP message) */
     STACK_OF(X509) *extraCertsIn; /* extraCerts received from server */
@@ -708,8 +705,6 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PROTECTEDPART)
  *   }       -- or HMAC [RFC2104, RFC2202])
  */
 /*-
- *  TODO: this is not yet defined here - but DH is anyway not used yet
- *
  *   id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}
  *   DHBMParameter ::= SEQUENCE {
  *           owf                 AlgorithmIdentifier,
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 77b2175b11..b9c347afb8 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -399,7 +399,6 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
         if (!sk_OSSL_CRMF_MSG_push(msg->body->value.ir, local_crm))
             goto err;
         local_crm = NULL;
-        /* TODO: here optional 2nd certreqmsg could be pushed to the stack */
     }
 
     if (!ossl_cmp_msg_protect(ctx, msg))
@@ -465,7 +464,6 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
     if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp))
         goto err;
     resp = NULL;
-    /* TODO: here optional 2nd certrep could be pushed to the stack */
 
     if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL
             && (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL)
@@ -529,11 +527,6 @@ OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
         goto err;
     rd = NULL;
 
-    /*
-     * TODO: the Revocation Passphrase according to section 5.3.19.9 could be
-     *       set here if set in ctx
-     */
-
     if (!ossl_cmp_msg_protect(ctx, msg))
         goto err;
 
@@ -749,10 +742,6 @@ int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
     return 1;
 }
 
-/*
- * TODO: handle potential 2nd certificate when signing and encrypting
- * certificates have been requested/received
- */
 OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
                                     const char *text)
 {
@@ -827,7 +816,6 @@ OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid)
     if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREQ)) == NULL)
         goto err;
 
-    /* TODO: support multiple cert request IDs to poll */
     if ((preq = OSSL_CMP_POLLREQ_new()) == NULL
             || !ASN1_INTEGER_set(preq->certReqId, crid)
             || !sk_OSSL_CMP_POLLREQ_push(msg->body->value.pollReq, preq))
diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c
index 91a66f5d6e..a7ca580cc9 100644
--- a/crypto/cmp/cmp_protect.c
+++ b/crypto/cmp/cmp_protect.c
@@ -258,7 +258,6 @@ int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
 
     /*
      * For the case of re-protection remove pre-existing protection.
-     * TODO: Consider also removing any pre-existing extraCerts.
      */
     X509_ALGOR_free(msg->header->protectionAlg);
     msg->header->protectionAlg = NULL;
diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
index 73c14841ca..c4ef5fa203 100644
--- a/crypto/cmp/cmp_server.c
+++ b/crypto/cmp/cmp_server.c
@@ -189,7 +189,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
     } else {
         OSSL_CRMF_MSGS *reqs = req->body->value.ir; /* same for cr and kur */
 
-        if (sk_OSSL_CRMF_MSG_num(reqs) != 1) { /* TODO: handle case > 1 */
+        if (sk_OSSL_CRMF_MSG_num(reqs) != 1) {
             ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED);
             return NULL;
         }
@@ -228,10 +228,6 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
     msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si,
                                certOut, chainOut, caPubs, 0 /* encrypted */,
                                srv_ctx->sendUnprotectedErrors);
-    /*
-     * TODO when implemented in ossl_cmp_certrep_new():
-     * in case OSSL_CRMF_POPO_KEYENC, set encrypted
-     */
     if (msg == NULL)
         ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP);
 
@@ -258,7 +254,6 @@ static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
         return NULL;
 
     if (sk_OSSL_CMP_REVDETAILS_num(req->body->value.rr) != 1) {
-        /* TODO: handle multiple elements if multiple requests have been sent */
         ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED);
         return NULL;
     }
@@ -393,7 +388,7 @@ static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
         return NULL;
 
     prc = req->body->value.pollReq;
-    if (sk_OSSL_CMP_POLLREQ_num(prc) != 1) { /* TODO: handle case > 1 */
+    if (sk_OSSL_CMP_POLLREQ_num(prc) != 1) {
         ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED);
         return NULL;
     }
@@ -559,7 +554,6 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
             rsp = process_pollReq(srv_ctx, req);
         break;
     default:
-        /* TODO possibly support further request message types */
         ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
         break;
     }
@@ -571,7 +565,6 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
         int flags = 0;
         unsigned long err = ERR_peek_error_data(&data, &flags);
         int fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_badRequest;
-        /* TODO fail_info could be more specific */
         OSSL_CMP_PKISI *si = NULL;
 
         if (ctx->transactionID == NULL) {
@@ -615,8 +608,6 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
     case OSSL_CMP_PKIBODY_PKICONF:
     case OSSL_CMP_PKIBODY_GENP:
     case OSSL_CMP_PKIBODY_ERROR:
-        /* TODO possibly support further terminating response message types */
-        /* prepare for next transaction, ignoring any errors here: */
         (void)OSSL_CMP_CTX_set1_transactionID(ctx, NULL);
         (void)OSSL_CMP_CTX_set1_senderNonce(ctx, NULL);
         ctx->status = -1; /* transaction closed */
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 064e8e37b3..28c9a984d2 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -672,7 +672,7 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
     /* validate sender name of received msg */
     if (hdr->sender->type != GEN_DIRNAME) {
         ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
-        return 0; /* TODO FR#42: support for more than X509_NAME */
+        return 0;
     }
     /*
      * Compare actual sender name of response with expected sender name.
diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c
index 47132fcbe8..a2f422a78d 100644
--- a/crypto/cms/cms_kari.c
+++ b/crypto/cms/cms_kari.c
@@ -432,7 +432,6 @@ static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
         return 0;
     keylen = EVP_CIPHER_get_key_length(cipher);
     if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_GET_WRAP_CIPHER) != 0) {
-        /* TODO: make this not get a method we can call directly */
         ret = EVP_CIPHER_meth_get_ctrl(cipher)(NULL, EVP_CTRL_GET_WRAP_CIPHER,
                                                0, &kekcipher);
         if (ret <= 0)
diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c
index a27bbeacb1..b36a562d88 100644
--- a/crypto/comp/c_zlib.c
+++ b/crypto/comp/c_zlib.c
@@ -293,10 +293,8 @@ static long bio_zlib_callback_ctrl(BIO *b, int cmd, BIO_info_cb *fp);
 static const BIO_METHOD bio_meth_zlib = {
     BIO_TYPE_COMP,
     "zlib",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     bio_zlib_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     bio_zlib_read,
     NULL,                      /* bio_zlib_puts, */
diff --git a/crypto/crmf/crmf_asn.c b/crypto/crmf/crmf_asn.c
index 0f6de3ce8d..4c3a7f7dd2 100644
--- a/crypto/crmf/crmf_asn.c
+++ b/crypto/crmf/crmf_asn.c
@@ -88,10 +88,6 @@ ASN1_CHOICE(OSSL_CRMF_POPOPRIVKEY) = {
     ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.subsequentMessage, ASN1_INTEGER, 1),
     ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.dhMAC, ASN1_BIT_STRING, 2),
     ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.agreeMAC, OSSL_CRMF_PKMACVALUE, 3),
-    /*
-     * TODO: This is not ASN1_NULL but CMS_ENVELOPEDDATA which should be somehow
-     * taken from crypto/cms which exists now - this is not used anywhere so far
-     */
     ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.encryptedKey, ASN1_NULL, 4),
 } ASN1_CHOICE_END(OSSL_CRMF_POPOPRIVKEY)
 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY)
diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index f402086823..d03904a7bc 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -358,7 +358,7 @@ static int create_popo_signature(OSSL_CRMF_POPOSIGNINGKEY *ps,
         return 0;
     }
     if (ps->poposkInput != NULL) {
-        /* TODO: support cases 1+2 defined in RFC 4211, section 4.1 */
+        /* We do not support cases 1+2 defined in RFC 4211, section 4.1 */
         ERR_raise(ERR_LIB_CRMF, CRMF_R_POPOSKINPUT_NOT_SUPPORTED);
         return 0;
     }
@@ -484,10 +484,6 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
                 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY);
                 return 0;
             }
-            /*
-             * TODO check the contents of the authInfo sub-field,
-             * see RFC 4211 https://tools.ietf.org/html/rfc4211#section-4.1
-             */
             it = ASN1_ITEM_rptr(OSSL_CRMF_POPOSIGNINGKEYINPUT);
             asn = sig->poposkInput;
         } else {
@@ -504,12 +500,6 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
             return 0;
         break;
     case OSSL_CRMF_POPO_KEYENC:
-        /*
-         * TODO: when OSSL_CMP_certrep_new() supports encrypted certs,
-         * return 1 if the type of req->popo->value.keyEncipherment
-         * is OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE and
-         * its value.subsequentMessage == OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT
-         */
     case OSSL_CRMF_POPO_KEYAGREE:
     default:
         ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_POPO_METHOD);
diff --git a/crypto/crmf/crmf_local.h b/crypto/crmf/crmf_local.h
index ee1ec7b07a..e7e89f73ef 100644
--- a/crypto/crmf/crmf_local.h
+++ b/crypto/crmf/crmf_local.h
@@ -188,11 +188,6 @@ typedef struct ossl_crmf_popoprivkey_st {
         ASN1_INTEGER *subsequentMessage; /* 1 */
         ASN1_BIT_STRING *dhMAC; /* 2 */ /* Deprecated */
         OSSL_CRMF_PKMACVALUE *agreeMAC; /* 3 */
-        /*
-         * TODO: This is not ASN1_NULL but CMS_ENVELOPEDDATA which should be
-         * somehow taken from crypto/cms which exists now
-         * - this is not used anywhere so far
-         */
         ASN1_NULL *encryptedKey; /* 4 */
     } value;
 } OSSL_CRMF_POPOPRIVKEY;
@@ -335,13 +330,11 @@ struct ossl_crmf_certtemplate_st {
 struct ossl_crmf_certrequest_st {
     ASN1_INTEGER *certReqId;
     OSSL_CRMF_CERTTEMPLATE *certTemplate;
-    /* TODO: make OSSL_CRMF_CONTROLS out of that - but only cosmetical */
     STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *controls;
 } /* OSSL_CRMF_CERTREQUEST */;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST)
 DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST)
 
-/* TODO: isn't there a better way to have this for ANY type? */
 struct ossl_crmf_attributetypeandvalue_st {
     ASN1_OBJECT *type;
     union {
diff --git a/crypto/crmf/crmf_pbm.c b/crypto/crmf/crmf_pbm.c
index 5641bee65a..0c217295d3 100644
--- a/crypto/crmf/crmf_pbm.c
+++ b/crypto/crmf/crmf_pbm.c
@@ -125,7 +125,6 @@ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OSSL_LIB_CTX *libctx, size_t slen,
  * |outlen| if not NULL, will set variable to the length of the mac on success
  * returns 1 on success, 0 on error
  */
-/* TODO try to combine with other MAC calculations in the libray */
 int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
                       const OSSL_CRMF_PBMPARAMETER *pbmp,
                       const unsigned char *msg, size_t msglen,
@@ -207,7 +206,6 @@ int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
         ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_ALGORITHM);
         goto err;
     }
-    /* TODO generalize to non-HMAC: */
     if (EVP_Q_mac(libctx, "HMAC", propq, hmac_mdname, NULL, basekey, bklen,
                   msg, msglen, mac_res, EVP_MAX_MD_SIZE, &maclen) == NULL)
         goto err;
diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c
index 46e2e31475..6e73b8352c 100644
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -194,12 +194,6 @@ void OPENSSL_showfatal(const char *fmta, ...)
 # if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
 #  ifdef OPENSSL_SYS_WIN_CORE
     /* ONECORE is always NONGUI and NT >= 0x0601 */
-
-    /*
-    * TODO: (For non GUI and no std error cases)
-    * Add event logging feature here.
-    */
-
 #   if !defined(NDEBUG)
         /*
         * We are in a situation where we tried to report a critical
diff --git a/crypto/ct/ct_local.h b/crypto/ct/ct_local.h
index 554f6b362a..e5614ddf5e 100644
--- a/crypto/ct/ct_local.h
+++ b/crypto/ct/ct_local.h
@@ -190,11 +190,6 @@ __owur int SCT_is_complete(const SCT *sct);
  */
 __owur int SCT_signature_is_complete(const SCT *sct);
 
-/*
- * TODO(RJPercival): Create an SCT_signature struct and make i2o_SCT_signature
- * and o2i_SCT_signature conform to the i2d/d2i conventions.
- */
-
 /*
 * Serialize (to TLS format) an |sct| signature and write it to |out|.
 * If |out| is null, no signature will be output but the length will be returned.
diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c
index 76bc6055bc..b317ae2ad1 100644
--- a/crypto/dso/dso_dlfcn.c
+++ b/crypto/dso/dso_dlfcn.c
@@ -437,7 +437,6 @@ static int dlfcn_pathbyaddr(void *addr, char *path, int sz)
         return len;
     }
 
-    /* TODO: what error report does this attach to? */
     ERR_add_error_data(2, "dlfcn_pathbyaddr(): ", dlerror());
 # endif
     return -1;
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index ed5d403270..c6ec2964b7 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -387,7 +387,7 @@ int ossl_ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
 #undef EC_POINT_BN_set_flags
 
 /*
- * TODO: table should be optimised for the wNAF-based implementation,
+ * Table could be optimised for the wNAF-based implementation,
  * sometimes smaller windows will give better performance (thus the
  * boundaries should be increased)
  */
diff --git a/crypto/err/err.c b/crypto/err/err.c
index c77c1920a2..84bb429c64 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -7,7 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* TODO: When ERR_STATE becomes opaque, this musts be removed */
 #define OSSL_FORCE_ERR_STATE
 
 #include <stdio.h>
diff --git a/crypto/err/err_blocks.c b/crypto/err/err_blocks.c
index 5a572e02ea..a658df0576 100644
--- a/crypto/err/err_blocks.c
+++ b/crypto/err/err_blocks.c
@@ -7,7 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* TODO: When ERR_STATE becomes opaque, this musts be removed */
 #define OSSL_FORCE_ERR_STATE
 
 #include <string.h>
diff --git a/crypto/err/err_prn.c b/crypto/err/err_prn.c
index 5b588db18e..028811eede 100644
--- a/crypto/err/err_prn.c
+++ b/crypto/err/err_prn.c
@@ -7,7 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* TODO: When ERR_STATE becomes opaque, this musts be removed */
 #define OSSL_FORCE_ERR_STATE
 
 #include <stdio.h>
diff --git a/crypto/evp/asymcipher.c b/crypto/evp/asymcipher.c
index 52be1c2d7c..c70e1e9554 100644
--- a/crypto/evp/asymcipher.c
+++ b/crypto/evp/asymcipher.c
@@ -34,10 +34,6 @@ static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation,
     evp_pkey_ctx_free_old_ops(ctx);
     ctx->operation = operation;
 
-    /*
-     * TODO when we stop falling back to legacy, this and the ERR_pop_to_mark()
-     * calls can be removed.
-     */
     ERR_set_mark();
 
     if (evp_pkey_ctx_is_legacy(ctx))
@@ -90,7 +86,6 @@ static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation,
     }
 
     /*
-     * TODO remove this when legacy is gone
      * If we don't have the full support we need with provided methods,
      * let's go see if legacy does.
      */
@@ -134,7 +129,6 @@ static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation,
 
  legacy:
     /*
-     * TODO remove this when legacy is gone
      * If we don't have the full support we need with provided methods,
      * let's go see if legacy does.
      */
diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c
index e21661d5a4..f58e55c04d 100644
--- a/crypto/evp/bio_b64.c
+++ b/crypto/evp/bio_b64.c
@@ -46,10 +46,8 @@ typedef struct b64_struct {
 static const BIO_METHOD methods_b64 = {
     BIO_TYPE_BASE64,
     "base64 encoding",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     b64_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     b64_read,
     b64_puts,
diff --git a/crypto/evp/bio_enc.c b/crypto/evp/bio_enc.c
index 0483c726d2..4eafaf6209 100644
--- a/crypto/evp/bio_enc.c
+++ b/crypto/evp/bio_enc.c
@@ -44,10 +44,8 @@ typedef struct enc_struct {
 static const BIO_METHOD methods_enc = {
     BIO_TYPE_CIPHER,
     "cipher",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     enc_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     enc_read,
     NULL,                       /* enc_puts, */
diff --git a/crypto/evp/bio_md.c b/crypto/evp/bio_md.c
index 26a30c698b..1a85be1811 100644
--- a/crypto/evp/bio_md.c
+++ b/crypto/evp/bio_md.c
@@ -28,10 +28,8 @@ static long md_callback_ctrl(BIO *h, int cmd, BIO_info_cb *fp);
 static const BIO_METHOD methods_md = {
     BIO_TYPE_MD,
     "message digest",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     md_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     md_read,
     NULL,                       /* md_puts, */
diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c
index 7e3d23f2dc..97641d11d1 100644
--- a/crypto/evp/bio_ok.c
+++ b/crypto/evp/bio_ok.c
@@ -111,10 +111,8 @@ typedef struct ok_struct {
 static const BIO_METHOD methods_ok = {
     BIO_TYPE_CIPHER,
     "reliable",
-    /* TODO: Convert to new style write function */
     bwrite_conv,
     ok_write,
-    /* TODO: Convert to new style read function */
     bread_conv,
     ok_read,
     NULL,                       /* ok_puts, */
diff --git a/crypto/evp/exchange.c b/crypto/evp/exchange.c
index 2a066082d7..6503f479fa 100644
--- a/crypto/evp/exchange.c
+++ b/crypto/evp/exchange.c
@@ -201,10 +201,6 @@ int EVP_PKEY_derive_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[])
     evp_pkey_ctx_free_old_ops(ctx);
     ctx->operation = EVP_PKEY_OP_DERIVE;
 
-    /*
-     * TODO when we stop falling back to legacy, this and the ERR_pop_to_mark()
-     * calls can be removed.
-     */
     ERR_set_mark();
 
     if (evp_pkey_ctx_is_legacy(ctx))
@@ -275,7 +271,6 @@ int EVP_PKEY_derive_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[])
     }
 
     /*
-     * TODO remove this when legacy is gone
      * If we don't have the full support we need with provided methods,
      * let's go see if legacy does.
      */
@@ -300,7 +295,6 @@ int EVP_PKEY_derive_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[])
 
  legacy:
     /*
-     * TODO remove this when legacy is gone
      * If we don't have the full support we need with provided methods,
      * let's go see if legacy does.
      */
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index dba549503d..0da6498030 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -76,10 +76,6 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
     if (props == NULL)
         props = locpctx->propquery;
 
-    /*
-     * TODO when we stop falling back to legacy, this and the ERR_pop_to_mark()
-     * calls can be removed.
-     */
     ERR_set_mark();
 
     if (evp_pkey_ctx_is_legacy(locpctx))
@@ -133,7 +129,6 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
     }
 
     /*
-     * TODO remove this when legacy is gone
      * If we don't have the full support we need with provided methods,
      * let's go see if legacy does.
      */
@@ -223,7 +218,6 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
 
  legacy:
     /*
-     * TODO remove this when legacy is gone
      * If we don't have the full support we need with provided methods,
      * let's go see if legacy does.
      */
diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c
index 9af18d90fc..2d96e3c227 100644
--- a/crypto/evp/pmeth_gn.c
+++ b/crypto/evp/pmeth_gn.c
@@ -199,7 +199,6 @@ int EVP_PKEY_generate(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey)
 
     /*
      * Because we still have legacy keys
-     * TODO remove this #legacy internal keys are gone
      */
     (*ppkey)->type = ctx->legacy_keytype;
 
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index bcc601ee59..1256e981eb 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -271,7 +271,6 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx,
          * values. We go through all keymgmt names, because the keytype
          * that's passed to this function doesn't necessarily translate
          * directly.
-         * TODO: Remove this when #legacy keys are gone.
          */
         if (keymgmt != NULL) {
             int tmp_id = get_legacy_alg_type_from_keymgmt(keymgmt);
@@ -323,7 +322,7 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx,
     ret->libctx = libctx;
     ret->keytype = keytype;
     ret->keymgmt = keymgmt;
-    ret->legacy_keytype = id;   /* TODO: Remove when #legacy key are gone */
+    ret->legacy_keytype = id;
     ret->engine = e;
     ret->pmeth = pmeth;
     ret->operation = EVP_PKEY_OP_UNDEFINED;
diff --git a/crypto/evp/signature.c b/crypto/evp/signature.c
index 698adff088..9b289d315b 100644
--- a/crypto/evp/signature.c
+++ b/crypto/evp/signature.c
@@ -395,10 +395,6 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation,
     evp_pkey_ctx_free_old_ops(ctx);
     ctx->operation = operation;
 
-    /*
-     * TODO when we stop falling back to legacy, this and the ERR_pop_to_mark()
-     * calls can be removed.
-     */
     ERR_set_mark();
 
     if (evp_pkey_ctx_is_legacy(ctx))
@@ -450,7 +446,6 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation,
     }
 
     /*
-     * TODO remove this when legacy is gone
      * If we don't have the full support we need with provided methods,
      * let's go see if legacy does.
      */
@@ -507,7 +502,6 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation,
 
  legacy:
     /*
-     * TODO remove this when legacy is gone
      * If we don't have the full support we need with provided methods,
      * let's go see if legacy does.
      */
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index cd6a51989f..e7e0183b59 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -1330,7 +1330,7 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
     /* Read past all following headers */
     do {
         /*
-         * TODO: This does not necessarily catch the case when the full
+         * This does not necessarily catch the case when the full
          * HTTP response came in in more than a single TCP message.
          */
         read_len = BIO_gets(fbio, mbuf, BUF_SIZE);
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 5e829fa972..7a4a45d537 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -51,12 +51,11 @@ static int ocsp_verify_signer(X509 *signer, int response,
             && X509_get_ext_by_NID(signer, NID_id_pkix_OCSP_noCheck, -1) >= 0)
         /*
          * Locally disable revocation status checking for OCSP responder cert.
-         * Done here for CRLs; TODO should be done also for OCSP-based checks.
+         * Done here for CRLs; should be done also for OCSP-based checks.
          */
         X509_VERIFY_PARAM_clear_flags(vp, X509_V_FLAG_CRL_CHECK);
     X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
     X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST);
-    /* TODO: why is X509_TRUST_OCSP_REQUEST set? Seems to get ignored. */
 
     ret = X509_verify_cert(ctx);
     if (ret <= 0) {
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index becf7e277c..01877057dc 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -298,8 +298,6 @@ PEM_write_cb_fnsig(PrivateKey, EVP_PKEY, BIO, write_bio)
 /*
  * Note: there is no way to tell a provided pkey encoder to use "traditional"
  * encoding.  Therefore, if the pkey is provided, we try to take a copy 
- * TODO: when #legacy keys are gone, this function will not be possible any
- * more and should be removed.
  */
 int PEM_write_bio_PrivateKey_traditional(BIO *bp, const EVP_PKEY *x,
                                          const EVP_CIPHER *enc,
diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index eac5b58946..30fa44d789 100644
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -980,8 +980,6 @@ static void provider_activate_fallbacks(struct provider_store_st *store)
     /*
      * We assume that all fallbacks have been added to the store before
      * any fallback is activated.
-     * TODO: We may have to reconsider this, IF we find ourselves adding
-     * fallbacks after any previous fallback has been activated.
      */
     if (activated_fallback_count > 0)
         store->use_fallbacks = 0;
diff --git a/crypto/rsa/rsa_backend.c b/crypto/rsa/rsa_backend.c
index 5b7d60d6e1..e824dcaf3c 100644
--- a/crypto/rsa/rsa_backend.c
+++ b/crypto/rsa/rsa_backend.c
@@ -270,7 +270,6 @@ int ossl_rsa_pss_params_30_fromdata(RSA_PSS_PARAMS_30 *pss_params,
         else if (!OSSL_PARAM_get_utf8_ptr(param_mgf, &mgfname))
             return 0;
 
-        /* TODO Revisit this if / when a new MGF algorithm appears */
         if (strcasecmp(param_mgf->data,
                        ossl_rsa_mgf_nid2name(default_maskgenalg_nid)) != 0)
             return 0;
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index 1817392e76..c417a4b8f6 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -780,16 +780,6 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
     }
 
 #ifndef FIPS_MODULE
-    /*
-     * calculate m_i in multi-prime case
-     *
-     * TODO:
-     * 1. squash the following two loops and calculate |m_i| there.
-     * 2. remove cc and reuse |c|.
-     * 3. remove |dmq1| and |dmp1| in previous block and use |di|.
-     *
-     * If these things are done, the code will be more readable.
-     */
     if (ex_primes > 0) {
         BIGNUM *di = BN_new(), *cc = BN_new();
 
diff --git a/crypto/store/store_local.h b/crypto/store/store_local.h
index 4d29857620..6aeaaa915f 100644
--- a/crypto/store/store_local.h
+++ b/crypto/store/store_local.h
@@ -54,7 +54,7 @@ struct ossl_store_search_st {
      * Used by OSSL_STORE_SEARCH_BY_NAME and
      * OSSL_STORE_SEARCH_BY_ISSUER_SERIAL
      */
-    X509_NAME *name; /* TODO constify this; leads to API incompatibility */
+    X509_NAME *name;
 
     /* Used by OSSL_STORE_SEARCH_BY_ISSUER_SERIAL */
     const ASN1_INTEGER *serial;
diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c
index c78d96d532..91c679718c 100644
--- a/crypto/store/store_result.c
+++ b/crypto/store/store_result.c
@@ -399,8 +399,6 @@ static int try_key(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
              * engine provided legacy key.
              * This is the same as der2key_decode() does, but in a limited
              * way and within the walls of libcrypto.
-             *
-             * TODO Remove this when #legacy keys are gone
              */
             if (pk == NULL)
                 pk = try_key_value_legacy(data, &store_info_new, ctx,
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index bdfb4cb08b..8b84792b05 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -523,11 +523,5 @@ int X509_STORE_CTX_print_verify_cb(int ok, X509_STORE_CTX *ctx)
         BIO_free(bio);
     }
 
-    /*
-     * TODO we could check policies here too, e.g.:
-     * if (cert_error == X509_V_OK && ok == 2)
-     *     policies_print(NULL, ctx);
-     */
-
     return ok;
 }
diff --git a/crypto/x509/v3_addr.c b/crypto/x509/v3_addr.c
index 4e0403844e..8bb35bd8a3 100644
--- a/crypto/x509/v3_addr.c
+++ b/crypto/x509/v3_addr.c
@@ -140,7 +140,6 @@ static int i2r_address(BIO *out,
             return 0;
         BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
         break;
-        /* TODO possibly combine with ipaddr_to_asc() */
     case IANA_AFI_IPV6:
         if (!addr_expand(addr, bs, 16, fill))
             return 0;
diff --git a/crypto/x509/v3_bcons.c b/crypto/x509/v3_bcons.c
index 2fabcd900e..6e7a165f26 100644
--- a/crypto/x509/v3_bcons.c
+++ b/crypto/x509/v3_bcons.c
@@ -72,7 +72,6 @@ static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
         } else if (strcmp(val->name, "pathlen") == 0) {
             if (!X509V3_get_value_int(val, &bcons->pathlen))
                 goto err;
-            /* TODO add sanity check on int value - at least, must be >= 0 */
         } else {
             ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NAME);
             X509V3_conf_add_error_name_value(val);
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index 6da3fdfa52..255db422bd 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -991,7 +991,6 @@ char *ossl_ipaddr_to_asc(unsigned char *p, int len)
     case 4: /* IPv4 */
         BIO_snprintf(buf, sizeof(buf), "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
         break;
-        /* TODO possibly combine with static i2r_address() in v3_addr.c */
     case 16: /* IPv6 */
         for (out = buf, i = 8, remain = sizeof(buf);
              i-- > 0 && bytes >= 0;
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index b36ddb69a1..3b76b92f71 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -541,7 +541,6 @@ STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *v)
     return v->objs;
 }
 
-/* TODO param type could be constified as change to lock is intermittent */
 STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *store)
 {
     STACK_OF(X509) *sk;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 278b8b6765..bb54a064bc 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -553,7 +553,6 @@ static int check_extensions(X509_STORE_CTX *ctx)
             CB_FAIL_IF(x->altname != NULL
                            && sk_GENERAL_NAME_num(x->altname) <= 0,
                        ctx, x, i, X509_V_ERR_EMPTY_SUBJECT_ALT_NAME);
-            /* TODO add more checks on SAN entries */
             /* Check sig alg consistency acc. to RFC 5280 section 4.1.1.2 */
             CB_FAIL_IF(X509_ALGOR_cmp(&x->sig_alg, &x->cert_info.signature) != 0,
                        ctx, x, i, X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY);
@@ -2088,8 +2087,9 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
 
         rvn = sk_X509_REVOKED_value(revs, i);
         /*
-         * Add only if not also in base. TODO: need something cleverer here
-         * for some more complex CRLs covering multiple CAs.
+         * Add only if not also in base.
+         * Need something cleverer here for some more complex CRLs covering
+         * multiple CAs.
          */
         if (!X509_CRL_get0_by_serial(base, &rvtmp, &rvn->serialNumber)) {
             rvtmp = X509_REVOKED_dup(rvn);
@@ -2101,7 +2101,6 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
             }
         }
     }
-    /* TODO: optionally prune deleted entries */
 
     if (skey != NULL && md != NULL && !X509_CRL_sign(crl, skey, md))
         goto memerr;
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
index 7ae35f21fd..c21184d964 100644
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@@ -225,7 +225,6 @@ X509_PUBKEY *X509_PUBKEY_dup(const X509_PUBKEY *a)
     return pubkey;
 }
 
-/* TODO should better be called X509_PUBKEY_set1 */
 int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 {
     X509_PUBKEY *pk = NULL;
diff --git a/fuzz/client.c b/fuzz/client.c
index b8afe55336..698ff0f669 100644
--- a/fuzz/client.c
+++ b/fuzz/client.c
@@ -63,10 +63,6 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     if (len == 0)
         return 0;
 
-    /*
-     * TODO: use the ossltest engine (optionally?) to disable crypto checks.
-     */
-
     /* This only fuzzes the initial flow from the client so far. */
     ctx = SSL_CTX_new(SSLv23_method());
 
diff --git a/fuzz/server.c b/fuzz/server.c
index 6234e15ccc..e481e5621c 100644
--- a/fuzz/server.c
+++ b/fuzz/server.c
@@ -538,10 +538,6 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     if (len < 2)
         return 0;
 
-    /*
-     * TODO: use the ossltest engine (optionally?) to disable crypto checks.
-     */
-
     /* This only fuzzes the initial flow from the client so far. */
     ctx = SSL_CTX_new(SSLv23_method());
 
@@ -618,8 +614,6 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     X509_free(cert);
 #endif
 
-    /* TODO: Set up support for SRP and PSK */
-
     server = SSL_new(ctx);
     in = BIO_new(BIO_s_mem());
     out = BIO_new(BIO_s_mem());
diff --git a/include/crypto/asn1.h b/include/crypto/asn1.h
index 5a187e41a7..829c5980d2 100644
--- a/include/crypto/asn1.h
+++ b/include/crypto/asn1.h
@@ -74,10 +74,6 @@ struct evp_pkey_asn1_method_st {
     int (*get_priv_key) (const EVP_PKEY *pk, unsigned char *priv, size_t *len);
     int (*get_pub_key) (const EVP_PKEY *pk, unsigned char *pub, size_t *len);
 
-    /*
-     * TODO: Make sure these functions are defined for key types that are
-     * implemented in providers.
-     */
     /* Exports and imports to / from providers */
     size_t (*dirty_cnt) (const EVP_PKEY *pk);
     int (*export_to) (const EVP_PKEY *pk, void *to_keydata,
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 4877fb21f9..d5d3cdb719 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -661,7 +661,6 @@ X509_INFO *X509_INFO_new(void);
 void X509_INFO_free(X509_INFO *a);
 char *X509_NAME_oneline(const X509_NAME *a, char *buf, int size);
 
-/* TODO move this block of decls to asn1.h when 'breaking change' is possible */
 #ifndef OPENSSL_NO_DEPRECATED_3_0
 OSSL_DEPRECATEDIN_3_0
 int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *algor1,
@@ -699,9 +698,9 @@ int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
 ASN1_INTEGER *X509_get_serialNumber(X509 *x);
 const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x);
 int X509_set_issuer_name(X509 *x, const X509_NAME *name);
-X509_NAME *X509_get_issuer_name(const X509 *a); /* TODO change to get0_ */
+X509_NAME *X509_get_issuer_name(const X509 *a);
 int X509_set_subject_name(X509 *x, const X509_NAME *name);
-X509_NAME *X509_get_subject_name(const X509 *a); /* TODO change to get0_ */
+X509_NAME *X509_get_subject_name(const X509 *a);
 const ASN1_TIME * X509_get0_notBefore(const X509 *x);
 ASN1_TIME *X509_getm_notBefore(const X509 *x);
 int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
@@ -738,7 +737,7 @@ ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x);
 
 long X509_REQ_get_version(const X509_REQ *req);
 int X509_REQ_set_version(X509_REQ *x, long version);
-X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req); /* TODO change to get0_ */
+X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
 int X509_REQ_set_subject_name(X509_REQ *req, const X509_NAME *name);
 void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
                              const X509_ALGOR **palg);
@@ -796,7 +795,7 @@ const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
 OSSL_DEPRECATEDIN_1_1_0 ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl);
 OSSL_DEPRECATEDIN_1_1_0 ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl);
 #endif
-X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); /* TODO change to get0_ */
+X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
 const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
 STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
 void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c
index 6ed4378a2f..30fe7c6b21 100644
--- a/providers/common/provider_util.c
+++ b/providers/common/provider_util.c
@@ -49,7 +49,6 @@ static int load_common(const OSSL_PARAM params[], const char **propquery,
     }
 
     *engine = NULL;
-    /* TODO legacy stuff, to be removed */
     /* Inside the FIPS module, we don't support legacy ciphers */
 #if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_ENGINE)
     p = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_ENGINE);
@@ -87,7 +86,6 @@ int ossl_prov_cipher_load_from_params(PROV_CIPHER *pc,
     EVP_CIPHER_free(pc->alloc_cipher);
     ERR_set_mark();
     pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(ctx, p->data, propquery);
-    /* TODO legacy stuff, to be removed */
 #ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy ciphers */
     if (pc->cipher == NULL)
         pc->cipher = EVP_get_cipherbyname(p->data);
@@ -157,7 +155,6 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd,
 
     ERR_set_mark();
     ossl_prov_digest_fetch(pd, ctx, p->data, propquery);
-    /* TODO legacy stuff, to be removed */
 #ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy digests */
     if (pd->md == NULL)
         pd->md = EVP_get_digestbyname(p->data);
diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c
index f95c785522..8d32c64fbf 100644
--- a/providers/implementations/encode_decode/encode_key2any.c
+++ b/providers/implementations/encode_decode/encode_key2any.c
@@ -602,7 +602,6 @@ static int prepare_ec_explicit_params(const void *eckey,
 /*
  * This implements EcpkParameters, where the CHOICE is based on whether there
  * is a curve name (curve nid) to be found or not.  See RFC 3279 for details.
- * TODO: shouldn't we use i2d_ECPKParameters()?
  */
 static int prepare_ec_params(const void *eckey, int nid, int save,
                              void **pstr, int *pstrtype)
diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
index fd7373a3e9..f77f6e0324 100644
--- a/providers/implementations/rands/seeding/rand_unix.c
+++ b/providers/implementations/rands/seeding/rand_unix.c
@@ -601,7 +601,7 @@ void ossl_rand_pool_keep_random_devices_open(int keep)
 /*
  * Try the various seeding methods in turn, exit when successful.
  *
- * TODO(DRBG): If more than one entropy source is available, is it
+ * If more than one entropy source is available, is it
  * preferable to stop as soon as enough entropy has been collected
  * (as favored by @rsalz) or should one rather be defensive and add
  * more entropy than requested and/or from different sources?
diff --git a/providers/implementations/rands/seeding/rand_vms.c b/providers/implementations/rands/seeding/rand_vms.c
index 98d0ce31a4..8f8855321b 100644
--- a/providers/implementations/rands/seeding/rand_vms.c
+++ b/providers/implementations/rands/seeding/rand_vms.c
@@ -160,7 +160,7 @@ static const struct item_st RMI_item_data[] = {
     {4,   RMI$_BLKOUT},
     {4,   RMI$_DIRIN},
     {4,   RMI$_DIROUT},
-    /* We currently get a fault when trying these.  TODO: To be figured out. */
+    /* We currently get a fault when trying these */
 #if 0
     {140, RMI$_MSCP_EVERYTHING},   /* 35 32-bit words */
     {152, RMI$_DDTM_ALL},          /* 38 32-bit words */
diff --git a/ssl/build.info b/ssl/build.info
index c17084b9ad..f2de0371ae 100644
--- a/ssl/build.info
+++ b/ssl/build.info
@@ -15,10 +15,10 @@ IF[{- !$disabled{ktls} -}]
   $KTLSSRC=ktls.c
 ENDIF
 
-#TODO: For now we just include the libcrypto packet.c in libssl as well. We
-#      could either continue to do it like this, or export all the WPACKET
-#      symbols so that libssl can use them like any other. Probably would do
-#      this privately so it does not become part of the public API.
+# For now we just include the libcrypto packet.c in libssl as well. We
+# could either continue to do it like this, or export all the WPACKET
+# symbols so that libssl can use them like any other. Probably would do
+# this privately so it does not become part of the public API.
 SOURCE[../libssl]=\
         pqueue.c ../crypto/packet.c \
         statem/statem_srvr.c statem/statem_clnt.c  s3_lib.c  s3_enc.c record/rec_layer_s3.c \
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 5626b7f506..f9ad4ed684 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -797,7 +797,6 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client)
             BIO_ADDR_free(tmpclient);
             tmpclient = NULL;
 
-            /* TODO(size_t): convert this call */
             if (BIO_write(wbio, wbuf, wreclen) < (int)wreclen) {
                 if (BIO_should_retry(wbio)) {
                     /*
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index a217db772a..aacd5694fc 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -295,7 +295,6 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold,
         clear_sys_error();
         if (s->rbio != NULL) {
             s->rwstate = SSL_READING;
-            /* TODO(size_t): Convert this function */
             ret = BIO_read(s->rbio, pkt + len + left, max - left);
             if (ret >= 0)
                 bioread = ret;
@@ -722,7 +721,6 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
         clear = s->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */
         mac_size = 0;
     } else {
-        /* TODO(siz_t): Convert me */
         mac_size = EVP_MD_CTX_get_size(s->write_hash);
         if (mac_size < 0) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
@@ -833,7 +831,6 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
     if (s->enc_write_ctx && SSL_USE_EXPLICIT_IV(s) && !SSL_TREAT_AS_TLS13(s)) {
         int mode = EVP_CIPHER_CTX_get_mode(s->enc_write_ctx);
         if (mode == EVP_CIPH_CBC_MODE) {
-            /* TODO(size_t): Convert me */
             eivlen = EVP_CIPHER_CTX_get_iv_length(s->enc_write_ctx);
             if (eivlen <= 1)
                 eivlen = 0;
@@ -1195,7 +1192,6 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len,
                     return i;
                 BIO_set_ktls_ctrl_msg(s->wbio, type);
             }
-            /* TODO(size_t): Convert this call */
             i = BIO_write(s->wbio, (char *)
                           &(SSL3_BUFFER_get_buf(&wb[currbuf])
                             [SSL3_BUFFER_get_offset(&wb[currbuf])]),
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 8c4ff01dd1..4275c19cff 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -521,7 +521,6 @@ int ssl3_get_record(SSL *s)
     if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
         goto skip_decryption;
 
-    /* TODO(size_t): convert this to do size_t properly */
     if (s->read_hash != NULL) {
         const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash);
 
@@ -782,7 +781,6 @@ int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr)
     if (rr->comp == NULL)
         return 0;
 
-    /* TODO(size_t): Convert this call */
     i = COMP_expand_block(ssl->expand, rr->comp,
                           SSL3_RT_MAX_PLAIN_LENGTH, rr->data, (int)rr->length);
     if (i < 0)
@@ -799,7 +797,6 @@ int ssl3_do_compress(SSL *ssl, SSL3_RECORD *wr)
 #ifndef OPENSSL_NO_COMP
     int i;
 
-    /* TODO(size_t): Convert this call */
     i = COMP_compress_block(ssl->compress, wr->data,
                             (int)(wr->length + SSL3_RT_MAX_COMPRESSED_OVERHEAD),
                             wr->input, (int)wr->length);
@@ -858,7 +855,6 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending,
         int provided = (EVP_CIPHER_get0_provider(enc) != NULL);
 
         l = rec->length;
-        /* TODO(size_t): Convert this call */
         bs = EVP_CIPHER_CTX_get_block_size(ds);
 
         /* COMPRESS */
@@ -916,7 +912,6 @@ int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, size_t n_recs, int sending,
                 }
             }
         } else {
-            /* TODO(size_t): Convert this call */
             if (EVP_Cipher(ds, rec->data, rec->input, (unsigned int)l) < 1) {
                 /* Shouldn't happen */
                 SSLfatal(s, SSL_AD_BAD_RECORD_MAC, ERR_R_INTERNAL_ERROR);
@@ -1212,7 +1207,6 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
         } else {
             /* Legacy cipher */
 
-            /* TODO(size_t): Convert this call */
             tmpr = EVP_Cipher(ds, recs[0].data, recs[0].input,
                               (unsigned int)reclen[0]);
             if ((EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ds))
@@ -1471,7 +1465,6 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
             return 0;
     }
 
-    /* TODO(size_t): Convert these calls */
     if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0
         || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0
         || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) {
@@ -1546,7 +1539,6 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
     rr->data = rr->input;
     rr->orig_len = rr->length;
 
-    /* TODO(size_t): convert this to do size_t properly */
     if (s->read_hash != NULL) {
         const EVP_MD *tmpmd = EVP_MD_CTX_get0_md(s->read_hash);
 
@@ -1850,10 +1842,6 @@ int dtls1_get_record(SSL *s)
     if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) {
 #endif
         /* Check whether this is a repeat, or aged record. */
-        /*
-         * TODO: Does it make sense to have replay protection in epoch 0 where
-         * we have no integrity negotiated yet?
-         */
         if (!dtls1_record_replay_check(s, bitmap)) {
             rr->length = 0;
             rr->read = 1;
diff --git a/ssl/record/ssl3_record_tls13.c b/ssl/record/ssl3_record_tls13.c
index 13c007ae23..3d35071847 100644
--- a/ssl/record/ssl3_record_tls13.c
+++ b/ssl/record/ssl3_record_tls13.c
@@ -35,7 +35,6 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
 
     if (n_recs != 1) {
         /* Should not happen */
-        /* TODO(TLS1.3): Support pipelining */
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
         return 0;
     }
@@ -139,7 +138,6 @@ int tls13_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
         return 0;
     }
 
-    /* TODO(size_t): lenu/lenf should be a size_t but EVP doesn't support it */
     if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv, sending) <= 0
             || (!sending && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
                                              taglen,
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 8e1c779ddb..b0e3496ba2 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -500,7 +500,6 @@ int ssl3_cbc_digest_record(const EVP_MD *md,
             || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
             goto err;
     }
-    /* TODO(size_t): Convert me */
     ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u);
     if (ret && md_out_size)
         *md_out_size = md_out_size_u;
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 64b246eb65..2ca3f74ae7 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -499,7 +499,6 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
                                 SSL3_RANDOM_SIZE) <= 0
             || EVP_DigestUpdate(ctx, &(s->s3.server_random[0]),
                                 SSL3_RANDOM_SIZE) <= 0
-               /* TODO(size_t) : convert me */
             || EVP_DigestFinal_ex(ctx, buf, &n) <= 0
             || EVP_DigestInit_ex(ctx, s->ctx->md5, NULL) <= 0
             || EVP_DigestUpdate(ctx, p, len) <= 0
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index d7c19feedf..dd22e57c59 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1543,7 +1543,6 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
 
     /*
      * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
-     * TODO(openssl-team): is there an easier way to accomplish all this?
      */
     ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1,
                           &head, &tail);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 063134015a..c1e8e41f02 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2246,11 +2246,6 @@ int SSL_shutdown(SSL *s)
 
 int SSL_key_update(SSL *s, int updatetype)
 {
-    /*
-     * TODO(TLS1.3): How will applications know whether TLSv1.3 has been
-     * negotiated, and that it is appropriate to call SSL_key_update() instead
-     * of SSL_renegotiate().
-     */
     if (!SSL_IS_TLS13(s)) {
         ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION);
         return 0;
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 28603a81ad..b222fc6a2d 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -1379,7 +1379,7 @@ struct ssl_st {
         size_t previous_client_finished_len;
         unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
         size_t previous_server_finished_len;
-        int send_connection_binding; /* TODOEKR */
+        int send_connection_binding;
 
 # ifndef OPENSSL_NO_NEXTPROTONEG
         /*
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index 8dc418ca48..01871dca8c 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -107,7 +107,6 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
     if (x->ext.tick) {
         if (BIO_puts(bp, "\n    TLS session ticket:\n") <= 0)
             goto err;
-        /* TODO(size_t): Convert this call */
         if (BIO_dump_indent
             (bp, (const char *)x->ext.tick, (int)x->ext.ticklen, 4)
             <= 0)
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index d12e940704..f58111c95c 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -115,8 +115,6 @@ typedef struct extensions_definition_st {
  * messages the extension is relevant to. These flags also specify whether the
  * extension is relevant to a particular protocol or protocol version.
  *
- * TODO(TLS1.3): Make sure we have a test to check the consistency of these
- *
  * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at
  * the end, keep these extensions before signature_algorithm.
  */
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 545b2d034f..78cc226064 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -629,7 +629,7 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
     }
 
     /*
-     * TODO(TLS1.3): When changing to send more than one key_share we're
+     * When changing to send more than one key_share we're
      * going to need to be able to save more than one EVP_PKEY. For now
      * we reuse the existing tmp.pkey
      */
@@ -668,8 +668,8 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
     tls1_get_supported_groups(s, &pgroups, &num_groups);
 
     /*
-     * TODO(TLS1.3): Make the number of key_shares sent configurable. For
-     * now, just send one
+     * Make the number of key_shares sent configurable. For
+     * now, we just send one
      */
     if (s->s3.group_id != 0) {
         curve_id = s->s3.group_id;
@@ -1387,7 +1387,6 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
 {
     if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
         /* We ignore this if the server sends a CertificateRequest */
-        /* TODO(TLS1.3): Add support for this */
         return 1;
     }
 
@@ -1429,7 +1428,6 @@ int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
 {
     if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
         /* We ignore this if the server sends it in a CertificateRequest */
-        /* TODO(TLS1.3): Add support for this */
         return 1;
     }
 
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 51c3251635..e8e57cd5d9 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -155,10 +155,6 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
          * the initial handshake and the resumption. In TLSv1.3 SNI is not
          * associated with the session.
          */
-        /*
-         * TODO(openssl-team): if the SNI doesn't match, we MUST
-         * fall back to a full handshake.
-         */
         s->servername_done = (s->session->ext.hostname != NULL)
             && PACKET_equal(&hostname, s->session->ext.hostname,
                             strlen(s->session->ext.hostname));
@@ -215,10 +211,6 @@ int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
         return 0;
     }
 
-    /*
-     * TODO(openssl-team): currently, we re-authenticate the user
-     * upon resumption. Instead, we MUST ignore the login.
-     */
     if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
         return 0;
@@ -364,7 +356,6 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
         }
 
         id_data = PACKET_data(&responder_id);
-        /* TODO(size_t): Convert d2i_* to size_t */
         id = d2i_OCSP_RESPID(NULL, &id_data,
                              (int)PACKET_remaining(&responder_id));
         if (id == NULL) {
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 88b34c6ad1..e8e9f94651 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -168,7 +168,8 @@ static int ossl_statem_client13_read_transition(SSL *s, int mt)
         }
         if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
-# error TODO(DTLS1.3): Restore digest for PHA before adding message.
+            /* Restore digest for PHA before adding message.*/
+# error Internal DTLS version error
 #endif
             if (!SSL_IS_DTLS(s) && s->post_handshake_auth == SSL_PHA_EXT_SENT) {
                 s->post_handshake_auth = SSL_PHA_REQUESTED;
@@ -1985,7 +1986,6 @@ static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
         return 0;
     }
 
-    /* TODO(size_t): Convert BN_bin2bn() calls */
     if ((s->srp_ctx.N =
          BN_bin2bn(PACKET_data(&prime),
                    (int)PACKET_remaining(&prime), NULL)) == NULL
@@ -2035,7 +2035,6 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
         return 0;
     }
 
-    /* TODO(size_t): Convert these calls */
     p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL);
     g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator),
                   NULL);
@@ -2573,7 +2572,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
         goto err;
     }
     /*
-     * TODO(size_t): we use sess_len here because EVP_Digest expects an int
+     * We use sess_len here because EVP_Digest expects an int
      * but s->session->session_id_length is a size_t
      */
     if (!EVP_Digest(s->session->ext.tick, ticklen,
@@ -2853,7 +2852,6 @@ static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt)
 
     pms[0] = s->client_version >> 8;
     pms[1] = s->client_version & 0xff;
-    /* TODO(size_t): Convert this function */
     if (RAND_bytes_ex(s->ctx->libctx, pms + 2, pmslen - 2, 0) <= 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -3059,7 +3057,6 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt)
 
     if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
         /* Generate session key
-         * TODO(size_t): Convert this function
          */
         || RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index a954097a39..c1c0d455e1 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1765,7 +1765,7 @@ static int tls_early_post_process_client_hello(SSL *s)
 
     /*
      * We don't allow resumption in a backwards compatible ClientHello.
-     * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
+     * In TLS1.1+, session_id MUST be empty.
      *
      * Versions before 0.9.7 always allow clients to resume sessions in
      * renegotiation. 0.9.7 and later allow this by default, but optionally
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 03a83ee9a0..51688d4f2e 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -333,7 +333,6 @@ int tls1_change_cipher_state(SSL *s, int which)
     p = s->s3.tmp.key_block;
     i = *mac_secret_size = s->s3.tmp.new_mac_secret_size;
 
-    /* TODO(size_t): convert me */
     cl = EVP_CIPHER_get_key_length(c);
     j = cl;
     k = tls_iv_length_within_key_block(c);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index d22a794d37..3bc424acef 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3079,7 +3079,7 @@ static int check_cert_usable(SSL *s, const SIGALG_LOOKUP *sig, X509 *x,
                 continue;
 
             /*
-             * TODO this does not differentiate between the
+             * This does not differentiate between the
              * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not
              * have a chain here that lets us look at the key OID in the
              * signing certificate.
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 53aeea446b..11e39715d8 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -402,7 +402,6 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
         return 0;
     }
 
-    /* TODO(size_t): convert me */
     keylen = EVP_CIPHER_get_key_length(ciph);
     if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_CCM_MODE) {
         uint32_t algenc;
diff --git a/test/algorithmid_test.c b/test/algorithmid_test.c
index b484315ad3..ce5fbffc22 100644
--- a/test/algorithmid_test.c
+++ b/test/algorithmid_test.c
@@ -107,16 +107,6 @@ static int test_x509_spki_aid(X509 *cert, const char *filename)
     return test_spki_aid(pubkey, filename);
 }
 
-/*
- * TODO
- * When we gain the ability to get an EVP_SIGNATURE with a complete signature
- * algorithm name (like "sha1WithRSAEncryption" or its corresponding OID in
- * text form, "1.2.840.113549.1.1.2"), we won't have to limit this test to
- * what we have in libcrypto's cross-reference db, i.e. won't have to call
- * OBJ_find_sigid_algs() to find out the EVP_PKEY_METHOD NID any more.
- * All we'd have to do is used OBJ_obj2txt() on an ASN1_OBJECT and pass the
- * result.
- */
 static int test_x509_sig_aid(X509 *eecert, const char *ee_filename,
                              X509 *cacert, const char *ca_filename)
 {
diff --git a/test/bntest.c b/test/bntest.c
index b6147395fd..c90db8f8e4 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -28,7 +28,7 @@
 #endif
 
 /*
- * Things in boring, not in openssl.  TODO we should add them.
+ * Things in boring, not in openssl.
  */
 #define HAVE_BN_PADDED 0
 #define HAVE_BN_SQRT 0
@@ -1100,7 +1100,7 @@ static int file_sum(STANZA *s)
     /*
      * Test that the functions work when |r| and |a| point to the same BIGNUM,
      * or when |r| and |b| point to the same BIGNUM.
-     * TODO: Test where all of |r|, |a|, and |b| point to the same BIGNUM.
+     * There is no test for all of |r|, |a|, and |b| pointint to the same BIGNUM.
      */
     if (!TEST_true(BN_copy(ret, a))
             || !TEST_true(BN_add(ret, ret, b))
@@ -1127,7 +1127,6 @@ static int file_sum(STANZA *s)
      * documented as having. Note that these functions are frequently used
      * when the prerequisites don't hold. In those cases, they are supposed
      * to work as if the prerequisite hold, but we don't test that yet.
-     * TODO: test that.
      */
     if (!BN_is_negative(a) && !BN_is_negative(b) && BN_cmp(a, b) >= 0) {
         if (!TEST_true(BN_uadd(ret, a, b))
@@ -1140,7 +1139,8 @@ static int file_sum(STANZA *s)
         /*
          * Test that the functions work when |r| and |a| point to the same
          * BIGNUM, or when |r| and |b| point to the same BIGNUM.
-         * TODO: Test where all of |r|, |a|, and |b| point to the same BIGNUM.
+         * There is no test for all of |r|, |a|, and |b| pointint to the same
+         * BIGNUM.
          */
         if (!TEST_true(BN_copy(ret, a))
                 || !TEST_true(BN_uadd(ret, ret, b))
diff --git a/test/cmp_asn_test.c b/test/cmp_asn_test.c
index 24f6605ce9..36ae8a6008 100644
--- a/test/cmp_asn_test.c
+++ b/test/cmp_asn_test.c
@@ -117,10 +117,5 @@ int setup_tests(void)
     ADD_TEST(test_cmp_asn1_get_int);
     ADD_TEST(test_ASN1_OCTET_STRING_set);
     ADD_TEST(test_ASN1_OCTET_STRING_set_tgt_is_src);
-    /*
-     * TODO make sure that total number of tests (here currently 24) is shown,
-     * also for other cmp_*text.c. Currently the test drivers always show 1.
-     */
-
     return 1;
 }
diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c
index d181a03d19..863a765886 100644
--- a/test/cmp_client_test.c
+++ b/test/cmp_client_test.c
@@ -101,7 +101,6 @@ static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture)
     if (!TEST_ptr(itavs = OSSL_CMP_exec_GENM_ses(fixture->cmp_ctx)))
         return 0;
     sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
-    /* TODO: check if the returned value is the expected one (same as sent) */
     return 1;
 }
 
@@ -115,7 +114,6 @@ static int execute_exec_certrequest_ses_test(CMP_SES_TEST_FIXTURE *fixture)
 
     if (!TEST_ptr(res) || !TEST_int_eq(X509_cmp(res, client_cert), 0))
         return 0;
-    /* TODO: check that cerfConf has been exchanged unless implicitConfirm */
     if (fixture->caPubs != NULL) {
         STACK_OF(X509) *caPubs = OSSL_CMP_CTX_get1_caPubs(fixture->cmp_ctx);
         int ret = TEST_int_eq(STACK_OF_X509_cmp(fixture->caPubs, caPubs), 0);
@@ -169,7 +167,6 @@ static int test_exec_IR_ses_poll(void)
     ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, 2);
     ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, checkAfter);
     EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down);
-    /* TODO: check that 2 rounds are done or session takes 2..3 seconds */
     return result;
 }
 
diff --git a/test/cmp_hdr_test.c b/test/cmp_hdr_test.c
index ce0038d596..f4bc65bb9e 100644
--- a/test/cmp_hdr_test.c
+++ b/test/cmp_hdr_test.c
@@ -480,10 +480,5 @@ int setup_tests(void)
     /* also tests internal function ossl_cmp_hdr_get_pvno(): */
     ADD_TEST(test_HDR_init_with_ref);
     ADD_TEST(test_HDR_init_with_subject);
-    /*
-     *  TODO make sure that total number of tests (here currently 24) is shown,
-     *  also for other cmp_*text.c. Currently the test drivers always show 1.
-     */
-
     return 1;
 }
diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
index 97255306da..0543634c73 100644
--- a/test/helpers/handshake.c
+++ b/test/helpers/handshake.c
@@ -1196,13 +1196,7 @@ static handshake_status_t handshake_status(peer_status_t last_status,
             /* The client failed immediately before sending the ClientHello */
             return client_spoke_last ? CLIENT_ERROR : INTERNAL_ERROR;
         case PEER_SUCCESS:
-            /*
-             * First peer succeeded but second peer errored.
-             * TODO(emilia): we should be able to continue here (with some
-             * application data?) to ensure the first peer receives the
-             * alert / close_notify.
-             * (No tests currently exercise this branch.)
-             */
+            /* First peer succeeded but second peer errored. */
             return client_spoke_last ? CLIENT_ERROR : SERVER_ERROR;
         case PEER_RETRY:
             /* We errored; let the peer finish. */
diff --git a/test/helpers/pkcs12.c b/test/helpers/pkcs12.c
index ab877bca00..cb94be7b88 100644
--- a/test/helpers/pkcs12.c
+++ b/test/helpers/pkcs12.c
@@ -319,7 +319,6 @@ static STACK_OF(PKCS12_SAFEBAG) *decode_contentinfo(STACK_OF(PKCS7) *safes, int
     if (enc) {
         if (!TEST_int_eq(bagnid, NID_pkcs7_encrypted))
             goto err;
-        /* TODO: Check algorithm (iterations?) against what we originally set */
         bags = PKCS12_unpack_p7encdata(p7, enc->pass, strlen(enc->pass));
     } else {
         if (!TEST_int_eq(bagnid, NID_pkcs7_data))
@@ -518,8 +517,6 @@ static int check_attrs(const STACK_OF(X509_ATTRIBUTE) *bag_attrs, const PKCS12_A
         while(p_attr->oid != NULL) {
             /* Find a matching attribute type */
             if (strcmp(p_attr->oid, attr_txt) == 0) {
-
-                /* TODO: Handle multi-value attributes */
                 if (!TEST_int_eq(X509_ATTRIBUTE_count(attr), 1))
                     goto err;
 
@@ -603,8 +600,6 @@ void check_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
             pb->success = 0;
             goto err;
         }
-        /* TODO: handle key attributes */
-        /* PKCS8_pkey_get0_attrs(p8c); */
         break;
 
     case NID_pkcs8ShroudedKeyBag:
@@ -621,8 +616,6 @@ void check_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
             pb->success = 0;
             goto err;
         }
-        /* TODO: handle key attributes */
-        /* PKCS8_pkey_get0_attrs(p8); */
         PKCS8_PRIV_KEY_INFO_free(p8);
         break;
 
diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c
index c779b72371..60a275a014 100644
--- a/test/ssl_old_test.c
+++ b/test/ssl_old_test.c
@@ -636,7 +636,7 @@ static void sv_usage(void)
 #endif
     fprintf(stderr, " -no_dhe       - disable DHE\n");
 #ifndef OPENSSL_NO_EC
-    fprintf(stderr, " -no_ecdhe     - disable ECDHE\nTODO(openssl-team): no_ecdhe was broken by auto ecdh. Make this work again.\n");
+    fprintf(stderr, " -no_ecdhe     - disable ECDHE\n");
 #endif
 #ifndef OPENSSL_NO_PSK
     fprintf(stderr, " -psk arg      - PSK in hex (without 0x)\n");
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 7275d6f9c6..2b73e43305 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -326,10 +326,6 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
 
             if (!TEST_ptr(token = strtok(NULL, " \n")))
                 return 0;
-
-            /*
-             * TODO(TLS1.3): test that application traffic secrets are what
-             * we expect */
         } else {
             TEST_info("Unexpected token %s\n", token);
             return 0;
@@ -2907,10 +2903,6 @@ static int test_set_sigalgs(int idx)
                                        &sctx, &cctx, cert, privkey)))
         return 0;
 
-    /*
-     * TODO(TLS1.3): These APIs cannot set TLSv1.3 sig algs so we just test it
-     * for TLSv1.2 for now until we add a new API.
-     */
     SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
 
     if (testctx) {
diff --git a/util/find-doc-nits b/util/find-doc-nits
index 7498ac6865..467f551093 100755
--- a/util/find-doc-nits
+++ b/util/find-doc-nits
@@ -730,7 +730,6 @@ sub check {
         next if $target =~ /openssl-?/;
         next if ( grep { basename($_) eq "$target.pod" }
                   files(TAGS => [ 'manual', 'man1' ]) );
-        # TODO: Filter out "foreign manual" links.
         next if $target =~ /ps|apropos|sha1sum|procmail|perl/;
         err($id, "Bad command link L<$target(1)>") if grep /man1/, @sections;
     }


More information about the openssl-commits mailing list