build: fix -Wunused-macros warnings, and related tidy-ups

- fix internal macro `AN_APPLE_OS` reused between sources without resetting it. It may potentially have left the system sha256 function unused. - fix to define `WOLFSSL_OPTIONS_IGNORE_SYS` so that it always applies to wolfSSL headers, also during feature detection. - md4, md5, sha256: simplify fallback logic. - delete 20+ unused macros. - scope or move macros to avoid `-Wunused-macros` warnings. - examples: delete unused code. The warning detects macros defined but not used within the same C source. It does not warn for macros defined in headers. It also works with unity builds, but to a lesser extent. Closes #20593
2026-04-11 12:01:42 +08:00 · 2026-02-13 17:05:36 +01:00 · 2026-02-13 17:05:36 +01:00 · 5fa5cb3825
commit 5fa5cb3825
parent 633ec719d5
28 changed files with 105 additions and 161 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -879,6 +879,8 @@ if(CURL_USE_WOLFSSL)
    set(_valid_default_ssl_backend TRUE)
  endif()
  set(_curl_ca_bundle_supported TRUE)
+
+  set_property(DIRECTORY APPEND PROPERTY COMPILE_DEFINITIONS "WOLFSSL_OPTIONS_IGNORE_SYS")
 endif()

 if(CURL_USE_GNUTLS)
@ -979,6 +981,7 @@ macro(curl_openssl_check_exists)
  endif()
  if(USE_WOLFSSL)
    list(APPEND CMAKE_REQUIRED_LIBRARIES CURL::wolfssl)
+    list(APPEND CMAKE_REQUIRED_DEFINITIONS "-DWOLFSSL_OPTIONS_IGNORE_SYS")
    if(HAVE_LIBZ)
      list(APPEND CMAKE_REQUIRED_LIBRARIES ZLIB::ZLIB)  # Public wolfSSL headers also require zlib headers
    endif()
--- a/docs/examples/log_failed_transfers.c
+++ b/docs/examples/log_failed_transfers.c
@ -47,8 +47,6 @@

 #ifdef _WIN32
 #include <windows.h>
-#define strcasecmp _stricmp
-#define strncasecmp _strnicmp
 #define unlink _unlink
 #else
 #include <strings.h>
--- a/docs/examples/synctime.c
+++ b/docs/examples/synctime.c
@ -108,9 +108,6 @@ static const char *MthStr[] = {
 };
 #endif

-#define HTTP_COMMAND_HEAD 0
-#define HTTP_COMMAND_GET  1
-
 static size_t write_cb(void *ptr, size_t size, size_t nmemb, void *stream)
 {
  fwrite(ptr, size, nmemb, stream);
@ -185,24 +182,15 @@ static void SyncTime_CURL_Init(CURL *curl, const char *proxy_port,
  curl_easy_setopt(curl, CURLOPT_HEADERFUNCTION, SyncTime_CURL_WriteHeader);
 }

-static CURLcode SyncTime_CURL_Fetch(CURL *curl, const char *URL_Str,
-                                    const char *OutFileName, int HttpGetBody)
+static CURLcode SyncTime_CURL_FetchHead(CURL *curl, const char *URL_Str)
 {
-  FILE *outfile;
  CURLcode result;

-  outfile = NULL;
-  if(HttpGetBody == HTTP_COMMAND_HEAD)
-    curl_easy_setopt(curl, CURLOPT_NOBODY, 1L);
-  else {
-    outfile = fopen(OutFileName, "wb");
-    curl_easy_setopt(curl, CURLOPT_WRITEDATA, outfile);
-  }
-
+  curl_easy_setopt(curl, CURLOPT_NOBODY, 1L);
  curl_easy_setopt(curl, CURLOPT_URL, URL_Str);
+
  result = curl_easy_perform(curl);
-  if(outfile)
-    fclose(outfile);
+
  return result; /* CURLE_OK */
 }

@ -320,7 +308,7 @@ int main(int argc, const char *argv[])
    fprintf(stderr, "Before HTTP. Date: %s%s\n\n", timeBuf, tzoneBuf);

    /* HTTP HEAD command to the Webserver */
-    SyncTime_CURL_Fetch(curl, conf.timeserver, "index.htm", HTTP_COMMAND_HEAD);
+    SyncTime_CURL_FetchHead(curl, conf.timeserver);

 #if defined(_WIN32) && !defined(CURL_WINDOWS_UWP)
    GetLocalTime(&LOCALTime);
--- a/lib/asyn-ares.c
+++ b/lib/asyn-ares.c
@ -63,11 +63,6 @@
 #include <ares_version.h> /* really old c-ares did not include this by
                             itself */

-#if ARES_VERSION >= 0x010601
-/* IPv6 supported since 1.6.1 */
-#define HAVE_CARES_IPV6 1
-#endif
-
 #if ARES_VERSION >= 0x010704
 #define HAVE_CARES_SERVERS_CSV 1
 #define HAVE_CARES_LOCAL_DEV 1
@ -783,7 +778,7 @@ CURLcode Curl_async_getaddrinfo(struct Curl_easy *data, const char *hostname,
  }
 #else

-#ifdef HAVE_CARES_IPV6
+#if ARES_VERSION >= 0x010601  /* IPv6 supported since 1.6.1 */
  if((ip_version != CURL_IPRESOLVE_V4) && Curl_ipv6works(data)) {
    /* The stack seems to be IPv6-enabled */
    /* areschannel is already setup in the Curl_open() function */
--- a/lib/cf-socket.c
+++ b/lib/cf-socket.c
@ -96,6 +96,9 @@ static void tcpnodelay(struct Curl_cfilter *cf,
 #endif
 }

+#if defined(USE_WINSOCK) || defined(TCP_KEEPIDLE) || \
+  defined(TCP_KEEPALIVE) || defined(TCP_KEEPALIVE_THRESHOLD) || \
+  defined(TCP_KEEPINTVL) || defined(TCP_KEEPALIVE_ABORT_THRESHOLD)
 #if defined(USE_WINSOCK) || \
   (defined(__sun) && !defined(TCP_KEEPIDLE)) || \
   (defined(__DragonFly__) && __DragonFly_version < 500702) || \
@ -106,6 +109,7 @@ static void tcpnodelay(struct Curl_cfilter *cf,
 #else
 #define KEEPALIVE_FACTOR(x)
 #endif
+#endif

 static void tcpkeepalive(struct Curl_cfilter *cf,
                         struct Curl_easy *data,
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@ -92,7 +92,6 @@
 #    define DESKEY(x) &x
 #  endif
 #endif
-#define DESKEYARG(x) *x

 #elif defined(USE_GNUTLS)

@ -179,8 +178,7 @@ static void extend_key_56_to_64(const unsigned char *key_56, char *key)
 * Turns a 56-bit key into a 64-bit, odd parity key and sets the key. The
 * key schedule ks is also set.
 */
-static void setup_des_key(const unsigned char *key_56,
-                          DES_key_schedule DESKEYARG(ks))
+static void setup_des_key(const unsigned char *key_56, DES_key_schedule *ks)
 {
  DES_cblock key;

@ -304,7 +302,7 @@ static bool encrypt_des(const unsigned char *in, unsigned char *out,
  return TRUE;
 }

-#endif /* USE_WIN32_CRYPTO */
+#endif /* crypto backends */

 /*
 * takes a 21 byte array and treats it as 3 56-bit DES keys. The
--- a/lib/ftp.c
+++ b/lib/ftp.c
@ -83,9 +83,7 @@
 /* macro to check for the last line in an FTP server response */
 #define LASTLINE(line) (STATUSCODE(line) && (' ' == line[3]))

-#ifndef CURLVERBOSE
-#define FTP_CSTATE(c)  ((void)(c), "")
-#else
+#ifdef CURLVERBOSE
 /* for tracing purposes */
 static const char * const ftp_state_names[] = {
  "STOP",
--- a/lib/http.c
+++ b/lib/http.c
@ -164,9 +164,6 @@ char *Curl_checkProxyheaders(struct Curl_easy *data,

  return NULL;
 }
-#else
-/* disabled */
-#define Curl_checkProxyheaders(x, y, z, a) NULL
 #endif

 static bool http_header_is_empty(const char *header)
--- a/lib/http2.c
+++ b/lib/http2.c
@ -51,10 +51,6 @@
 #error too old nghttp2 version, upgrade!
 #endif

-#ifndef CURLVERBOSE
-#define nghttp2_session_callbacks_set_error_callback(x, y)
-#endif
-
 #if (NGHTTP2_VERSION_NUM >= 0x010c00)
 #define NGHTTP2_HAS_SET_LOCAL_WINDOW_SIZE 1
 #endif
--- a/lib/md4.c
+++ b/lib/md4.c
@ -40,34 +40,13 @@

 #ifdef USE_WOLFSSL
 #include <wolfssl/options.h>
-#define VOID_MD4_INIT
-#ifdef NO_MD4
-#define WOLFSSL_NO_MD4
-#endif
 #endif

 /* When OpenSSL or wolfSSL is available, we use their MD4 functions. */
-#if defined(USE_WOLFSSL) && !defined(WOLFSSL_NO_MD4)
-#include <wolfssl/openssl/md4.h>
-#elif defined(USE_OPENSSL) && !defined(OPENSSL_NO_MD4)
-#include <openssl/md4.h>
-#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \
-              (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040) && \
-       defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && \
-              (__MAC_OS_X_VERSION_MIN_REQUIRED < 101500)) || \
-      (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \
-              (__IPHONE_OS_VERSION_MAX_ALLOWED >= 20000) && \
-       defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && \
-              (__IPHONE_OS_VERSION_MIN_REQUIRED < 130000))
-#define AN_APPLE_OS
-#include <CommonCrypto/CommonDigest.h>
-#elif defined(USE_WIN32_CRYPTO)
-#include <wincrypt.h>
-#elif defined(USE_GNUTLS)
-#include <nettle/md4.h>
-#endif

-#if defined(USE_WOLFSSL) && !defined(WOLFSSL_NO_MD4)
+#if defined(USE_WOLFSSL) && !defined(NO_MD4)
+#include <wolfssl/openssl/md4.h>
+#define VOID_MD4_INIT

 #ifdef OPENSSL_COEXIST
 #  define MD4_CTX    WOLFSSL_MD4_CTX
@ -77,8 +56,18 @@
 #endif

 #elif defined(USE_OPENSSL) && !defined(OPENSSL_NO_MD4)
+#include <openssl/md4.h>
+
+#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \
+              (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040) && \
+       defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && \
+              (__MAC_OS_X_VERSION_MIN_REQUIRED < 101500)) || \
+      (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \
+              (__IPHONE_OS_VERSION_MAX_ALLOWED >= 20000) && \
+       defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && \
+              (__IPHONE_OS_VERSION_MIN_REQUIRED < 130000))
+#include <CommonCrypto/CommonDigest.h>

-#elif defined(AN_APPLE_OS)
 typedef CC_MD4_CTX MD4_CTX;

 static int MD4_Init(MD4_CTX *ctx)
@ -97,6 +86,7 @@ static void MD4_Final(unsigned char *digest, MD4_CTX *ctx)
 }

 #elif defined(USE_WIN32_CRYPTO)
+#include <wincrypt.h>

 struct md4_ctx {
  HCRYPTPROV hCryptProv;
@ -143,6 +133,7 @@ static void MD4_Final(unsigned char *digest, MD4_CTX *ctx)
 }

 #elif defined(USE_GNUTLS)
+#include <nettle/md4.h>

 typedef struct md4_ctx MD4_CTX;

--- a/lib/md5.c
+++ b/lib/md5.c
@ -31,16 +31,10 @@

 #ifdef USE_OPENSSL
 #include <openssl/opensslconf.h>
-#if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_DEPRECATED_3_0)
-#define USE_OPENSSL_MD5
-#endif
 #endif

 #ifdef USE_WOLFSSL
 #include <wolfssl/options.h>
-#ifndef NO_MD5
-#define USE_WOLFSSL_MD5
-#endif
 #endif

 #ifdef USE_MBEDTLS
@ -49,34 +43,10 @@
 #error "mbedTLS 3.2.0 or later required"
 #endif
 #include <psa/crypto_config.h>
-#if defined(PSA_WANT_ALG_MD5) && PSA_WANT_ALG_MD5  /* mbedTLS 4+ */
-#define USE_MBEDTLS_MD5
-#endif
 #endif

 #ifdef USE_GNUTLS
 #include <nettle/md5.h>
-#elif defined(USE_OPENSSL_MD5)
-#include <openssl/md5.h>
-#elif defined(USE_WOLFSSL_MD5)
-#include <wolfssl/openssl/md5.h>
-#elif defined(USE_MBEDTLS_MD5)
-#include <psa/crypto.h>
-#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \
-              (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040) && \
-       defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && \
-              (__MAC_OS_X_VERSION_MIN_REQUIRED < 101500)) || \
-      (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \
-              (__IPHONE_OS_VERSION_MAX_ALLOWED >= 20000) && \
-       defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && \
-              (__IPHONE_OS_VERSION_MIN_REQUIRED < 130000))
-#define AN_APPLE_OS
-#include <CommonCrypto/CommonDigest.h>
-#elif defined(USE_WIN32_CRYPTO)
-#include <wincrypt.h>
-#endif
-
-#ifdef USE_GNUTLS

 typedef struct md5_ctx my_md5_ctx;

@ -97,8 +67,14 @@ static void my_md5_final(unsigned char *digest, void *ctx)
  md5_digest(ctx, 16, digest);
 }

-#elif defined(USE_OPENSSL_MD5) || \
-  (defined(USE_WOLFSSL_MD5) && !defined(OPENSSL_COEXIST))
+#elif (defined(USE_OPENSSL) && \
+  !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_DEPRECATED_3_0)) || \
+  (defined(USE_WOLFSSL) && !defined(NO_MD5) && !defined(OPENSSL_COEXIST))
+#ifdef USE_OPENSSL
+#include <openssl/md5.h>
+#else
+#include <wolfssl/openssl/md5.h>
+#endif

 typedef MD5_CTX my_md5_ctx;

@ -121,7 +97,8 @@ static void my_md5_final(unsigned char *digest, void *ctx)
  (void)MD5_Final(digest, ctx);
 }

-#elif defined(USE_WOLFSSL_MD5)
+#elif defined(USE_WOLFSSL) && !defined(NO_MD5)
+#include <wolfssl/openssl/md5.h>

 typedef WOLFSSL_MD5_CTX my_md5_ctx;

@ -144,7 +121,9 @@ static void my_md5_final(unsigned char *digest, void *ctx)
  (void)wolfSSL_MD5_Final(digest, ctx);
 }

-#elif defined(USE_MBEDTLS_MD5)
+#elif defined(USE_MBEDTLS) && \
+  defined(PSA_WANT_ALG_MD5) && PSA_WANT_ALG_MD5  /* mbedTLS 4+ */
+#include <psa/crypto.h>

 typedef psa_hash_operation_t my_md5_ctx;

@ -168,7 +147,15 @@ static void my_md5_final(unsigned char *digest, void *ctx)
  (void)psa_hash_finish(ctx, digest, 16, &actual_length);
 }

-#elif defined(AN_APPLE_OS)
+#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \
+              (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040) && \
+       defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && \
+              (__MAC_OS_X_VERSION_MIN_REQUIRED < 101500)) || \
+      (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \
+              (__IPHONE_OS_VERSION_MAX_ALLOWED >= 20000) && \
+       defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && \
+              (__IPHONE_OS_VERSION_MIN_REQUIRED < 130000))
+#include <CommonCrypto/CommonDigest.h>

 /* For Apple operating systems: CommonCrypto has the functions we need.
   These functions are available on Tiger and later, as well as iOS 2.0
@ -198,6 +185,7 @@ static void my_md5_final(unsigned char *digest, void *ctx)
 }

 #elif defined(USE_WIN32_CRYPTO)
+#include <wincrypt.h>

 struct md5_ctx {
  HCRYPTPROV hCryptProv;
--- a/lib/parsedate.c
+++ b/lib/parsedate.c
@ -80,13 +80,6 @@

 */

-#define PARSEDATE_OK     0
-#define PARSEDATE_FAIL   -1
-#define PARSEDATE_LATER  1
-#if defined(HAVE_TIME_T_UNSIGNED) || (SIZEOF_TIME_T < 5)
-#define PARSEDATE_SOONER 2
-#endif
-
 #if !defined(CURL_DISABLE_PARSEDATE) || !defined(CURL_DISABLE_FTP) || \
  !defined(CURL_DISABLE_FILE) || defined(USE_GNUTLS)
 /* These names are also used by FTP and FILE code */
@ -99,7 +92,16 @@ const char * const Curl_month[] = {
 };
 #endif

+#define PARSEDATE_OK     0
+#define PARSEDATE_FAIL   -1
+
 #ifndef CURL_DISABLE_PARSEDATE
+
+#define PARSEDATE_LATER  1
+#if defined(HAVE_TIME_T_UNSIGNED) || (SIZEOF_TIME_T < 5)
+#define PARSEDATE_SOONER 2
+#endif
+
 static const char * const weekday[] = {
  "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"
 };
--- a/lib/progress.c
+++ b/lib/progress.c
@ -30,9 +30,6 @@
 #include "transfer.h"
 #include "curlx/strcopy.h"

-/* check rate limits within this many recent milliseconds, at minimum. */
-#define MIN_RATE_LIMIT_PERIOD 3000
-
 #ifndef CURL_DISABLE_PROGRESS_METER
 /* Provide a string that is 7 letters long (plus the zero byte).

--- a/lib/setopt.c
+++ b/lib/setopt.c
@ -188,8 +188,10 @@ static CURLcode setstropt_interface(char *option, char **devp,
  return CURLE_OK;
 }

+#ifdef USE_SSL
 #define C_SSLVERSION_VALUE(x)     (x & 0xffff)
 #define C_SSLVERSION_MAX_VALUE(x) ((unsigned long)x & 0xffff0000)
+#endif

 static CURLcode protocol2num(const char *str, curl_prot_t *val)
 {
--- a/lib/sha256.c
+++ b/lib/sha256.c
@ -35,25 +35,6 @@
 #error "mbedTLS 3.2.0 or later required"
 #endif
 #include <psa/crypto_config.h>
-#if defined(PSA_WANT_ALG_SHA_256) && PSA_WANT_ALG_SHA_256  /* mbedTLS 4+ */
-#define USE_MBEDTLS_SHA256
-#endif
-#endif
-
-#ifdef USE_OPENSSL
-#include <openssl/evp.h>
-#elif defined(USE_GNUTLS)
-#include <nettle/sha.h>
-#elif defined(USE_MBEDTLS_SHA256)
-#include <psa/crypto.h>
-#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \
-              (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040)) || \
-      (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \
-              (__IPHONE_OS_VERSION_MAX_ALLOWED >= 20000))
-#include <CommonCrypto/CommonDigest.h>
-#define AN_APPLE_OS
-#elif defined(USE_WIN32_CRYPTO)
-#include <wincrypt.h>
 #endif

 /* Please keep the SSL backend-specific #if branches in this order:
@ -69,6 +50,7 @@
 */

 #ifdef USE_OPENSSL
+#include <openssl/evp.h>

 struct ossl_sha256_ctx {
  EVP_MD_CTX *openssl_ctx;
@ -105,6 +87,7 @@ static void my_sha256_final(unsigned char *digest, void *in)
 }

 #elif defined(USE_GNUTLS)
+#include <nettle/sha.h>

 typedef struct sha256_ctx my_sha256_ctx;

@ -126,7 +109,9 @@ static void my_sha256_final(unsigned char *digest, void *ctx)
  sha256_digest(ctx, SHA256_DIGEST_SIZE, digest);
 }

-#elif defined(USE_MBEDTLS_SHA256)
+#elif defined(USE_MBEDTLS) && \
+  defined(PSA_WANT_ALG_SHA_256) && PSA_WANT_ALG_SHA_256  /* mbedTLS 4+ */
+#include <psa/crypto.h>

 typedef psa_hash_operation_t my_sha256_ctx;

@ -152,7 +137,12 @@ static void my_sha256_final(unsigned char *digest, void *ctx)
                        &actual_length);
 }

-#elif defined(AN_APPLE_OS)
+#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \
+              (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040)) || \
+      (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \
+              (__IPHONE_OS_VERSION_MAX_ALLOWED >= 20000))
+#include <CommonCrypto/CommonDigest.h>
+
 typedef CC_SHA256_CTX my_sha256_ctx;

 static CURLcode my_sha256_init(void *ctx)
@ -174,6 +164,7 @@ static void my_sha256_final(unsigned char *digest, void *ctx)
 }

 #elif defined(USE_WIN32_CRYPTO)
+#include <wincrypt.h>

 struct sha256_ctx {
  HCRYPTPROV hCryptProv;
--- a/lib/url.c
+++ b/lib/url.c
@ -133,7 +133,7 @@ static void data_priority_cleanup(struct Curl_easy *data);
 # error READBUFFER_SIZE is too small
 #endif

-#ifdef USE_UNIX_SOCKETS
+#if !defined(CURL_DISABLE_PROXY) && defined(USE_UNIX_SOCKETS)
 #define UNIX_SOCKET_PREFIX "localhost"
 #endif

@ -614,10 +614,6 @@ static bool socks_proxy_info_matches(const struct proxy_info *data,
    return FALSE;
  return TRUE;
 }
-#else
-/* disabled, will not get called */
-#define proxy_info_matches(x, y)       FALSE
-#define socks_proxy_info_matches(x, y) FALSE
 #endif

 /* A connection has to have been idle for less than 'conn_max_idle_ms'
--- a/lib/vauth/ntlm.c
+++ b/lib/vauth/ntlm.c
@ -41,6 +41,9 @@
 #include "../curlx/strdup.h"
 #include "../curl_endian.h"

+/* "NTLMSSP" signature is always in ASCII regardless of the platform */
+#define NTLMSSP_SIGNATURE "\x4e\x54\x4c\x4d\x53\x53\x50"
+
 /* NTLM buffer fixed size, large enough for long user + host + domain */
 #define NTLM_BUFSIZE 1024

@ -58,6 +61,7 @@
 /* Requests that the server's authentication realm be included in the Type 2
   message. */

+#if DEBUG_ME
 /* unknown (1 << 3) */
 #define NTLMFLAG_NEGOTIATE_SIGN                  (1 << 4)
 /* Specifies that authenticated communication between the client and server
@ -73,10 +77,12 @@
 #define NTLMFLAG_NEGOTIATE_LM_KEY                (1 << 7)
 /* Indicates that the LAN Manager session key should be used for signing and
   sealing authenticated communications. */
+#endif

 #define NTLMFLAG_NEGOTIATE_NTLM_KEY              (1 << 9)
 /* Indicates that NTLM authentication is being used. */

+#if DEBUG_ME
 /* unknown (1 << 10) */

 #define NTLMFLAG_NEGOTIATE_ANONYMOUS             (1 << 11)
@ -95,11 +101,13 @@
 /* Sent by the server to indicate that the server and client are on the same
   machine. Implies that the client may use a pre-established local security
   context rather than responding to the challenge. */
+#endif

 #define NTLMFLAG_NEGOTIATE_ALWAYS_SIGN           (1 << 15)
 /* Indicates that authenticated communication between the client and server
   should be signed with a "dummy" signature. */

+#if DEBUG_ME
 #define NTLMFLAG_TARGET_TYPE_DOMAIN              (1 << 16)
 /* Sent by the server in the Type 2 message to indicate that the target
   authentication realm is a domain. */
@ -112,11 +120,13 @@
 /* Sent by the server in the Type 2 message to indicate that the target
   authentication realm is a share. Presumably, this is for share-level
   authentication. Usage is unclear. */
+#endif

 #define NTLMFLAG_NEGOTIATE_NTLM2_KEY             (1 << 19)
 /* Indicates that the NTLM2 signing and sealing scheme should be used for
   protecting authenticated communications. */

+#if DEBUG_ME
 #define NTLMFLAG_REQUEST_INIT_RESPONSE           (1 << 20)
 /* unknown purpose */

@ -125,11 +135,13 @@

 #define NTLMFLAG_REQUEST_NONNT_SESSION_KEY       (1 << 22)
 /* unknown purpose */
+#endif

 #define NTLMFLAG_NEGOTIATE_TARGET_INFO           (1 << 23)
 /* Sent by the server in the Type 2 message to indicate that it is including a
   Target Information block in the message. */

+#if DEBUG_ME
 /* unknown (1<24) */
 /* unknown (1<25) */
 /* unknown (1<26) */
@ -146,10 +158,6 @@
 #define NTLMFLAG_NEGOTIATE_56                    (1 << 31)
 /* Indicates that 56-bit encryption is supported. */

-/* "NTLMSSP" signature is always in ASCII regardless of the platform */
-#define NTLMSSP_SIGNATURE "\x4e\x54\x4c\x4d\x53\x53\x50"
-
-#if DEBUG_ME
 #define DEBUG_OUT(x) x
 static void ntlm_print_flags(FILE *handle, unsigned long flags)
 {
--- a/lib/vquic/curl_ngtcp2.c
+++ b/lib/vquic/curl_ngtcp2.c
@ -376,10 +376,6 @@ static void h3_data_done(struct Curl_cfilter *cf, struct Curl_easy *data)
  }
 }

-/* ngtcp2 default congestion controller does not perform pacing. Limit
-   the maximum packet burst to MAX_PKT_BURST packets. */
-#define MAX_PKT_BURST 10
-
 struct pkt_io_ctx {
  struct Curl_cfilter *cf;
  struct Curl_easy *data;
--- a/lib/vquic/curl_quiche.c
+++ b/lib/vquic/curl_quiche.c
@ -53,16 +53,12 @@
 /* HTTP/3 error values defined in RFC 9114, ch. 8.1 */
 #define CURL_H3_NO_ERROR  0x0100

+#define MAX_PKT_BURST          10
+
 #define QUIC_MAX_STREAMS       100

 #define H3_STREAM_WINDOW_SIZE  (1024 * 128)
 #define H3_STREAM_CHUNK_SIZE   (1024 * 16)
-/* The pool keeps spares around and half of a full stream windows seems good.
- * More does not seem to improve performance. The benefit of the pool is that
- * stream buffer to not keep spares. Memory consumption goes down when streams
- * run empty, have a large upload done, etc. */
-#define H3_STREAM_POOL_SPARES \
-  (H3_STREAM_WINDOW_SIZE / H3_STREAM_CHUNK_SIZE) / 2
 /* Receive and Send max number of chunks just follows from the
 * chunk size and window size */
 #define H3_STREAM_RECV_CHUNKS \
--- a/lib/vquic/vquic.c
+++ b/lib/vquic/vquic.c
@ -225,11 +225,13 @@ out:
  return result;
 }

+#ifdef CURLVERBOSE
 #ifdef HAVE_SENDMSG
 #define VQUIC_SEND_METHOD   "sendmsg"
 #else
 #define VQUIC_SEND_METHOD   "send"
 #endif
+#endif

 static CURLcode send_packet_no_gso(struct Curl_cfilter *cf,
                                   struct Curl_easy *data,
--- a/lib/vquic/vquic_int.h
+++ b/lib/vquic/vquic_int.h
@ -29,7 +29,6 @@

 #include "../bufq.h"

-#define MAX_PKT_BURST         10
 #define MAX_UDP_PAYLOAD_SIZE  1452

 /* definitions from RFC 9114, ch 8.1 */
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@ -4430,9 +4430,9 @@ static CURLcode ossl_pkp_pin_peer_pubkey(struct Curl_easy *data, X509 *cert,
  return result;
 }

-#if !(defined(LIBRESSL_VERSION_NUMBER) && \
-  LIBRESSL_VERSION_NUMBER < 0x3060000fL) && \
-  !defined(HAVE_BORINGSSL_LIKE) && defined(CURLVERBOSE)
+#ifdef CURLVERBOSE
+#if !defined(HAVE_BORINGSSL_LIKE) && \
+  !(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3060000fL)
 static void infof_certstack(struct Curl_easy *data, const SSL *ssl)
 {
  STACK_OF(X509) *certstack;
@ -4505,6 +4505,7 @@ static void infof_certstack(struct Curl_easy *data, const SSL *ssl)
 #else
 #define infof_certstack(data, ssl)
 #endif
+#endif /* CURLVERBOSE */

 static CURLcode ossl_check_issuer(struct Curl_cfilter *cf,
                                  struct Curl_easy *data,
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@ -30,7 +30,6 @@

 #ifdef USE_WOLFSSL

-#define WOLFSSL_OPTIONS_IGNORE_SYS
 #include <wolfssl/options.h>
 #include <wolfssl/version.h>

--- a/lib/vtls/x509asn1.c
+++ b/lib/vtls/x509asn1.c
@ -50,6 +50,7 @@
 /* Largest supported ASN.1 structure. */
 #define CURL_ASN1_MAX                   ((size_t)0x40000)      /* 256K */

+#ifdef WANT_EXTRACT_CERTINFO
 /* ASN.1 classes. */
 /* #define CURL_ASN1_UNIVERSAL             0 */
 /* #define CURL_ASN1_APPLICATION           1 */
@ -86,7 +87,6 @@
 /* #define CURL_ASN1_CHARACTER_STRING      29 */
 #define CURL_ASN1_BMP_STRING            30

-#ifdef WANT_EXTRACT_CERTINFO
 /* ASN.1 OID table entry. */
 struct Curl_OID {
  const char *numoid;  /* Dotted-numeric OID. */
--- a/lib/ws.c
+++ b/lib/ws.c
@ -63,7 +63,9 @@
 #define WSBIT_OPCODE_CLOSE 0x8
 #define WSBIT_OPCODE_PING  0x9
 #define WSBIT_OPCODE_PONG  0xa
+#ifdef CURLVERBOSE
 #define WSBIT_OPCODE_MASK  0xf
+#endif

 #define WSBIT_MASK 0x80

--- a/m4/curl-wolfssl.m4
+++ b/m4/curl-wolfssl.m4
@ -83,6 +83,7 @@ if test "$OPT_WOLFSSL" != "no"; then
    fi

    if test "$USE_WOLFSSL" != "yes"; then
+      CPPFLAGS="$CPPFLAGS -DWOLFSSL_OPTIONS_IGNORE_SYS"

      LDFLAGS="$LDFLAGS $addld"
      LDFLAGSPC="$LDFLAGSPC $addld"
--- a/src/tool_doswin.c
+++ b/src/tool_doswin.c
@ -27,8 +27,6 @@

 #ifdef _WIN32
 #  include <tlhelp32.h>
-#  undef  PATH_MAX
-#  define PATH_MAX MAX_PATH
 #elif !defined(__DJGPP__) || (__DJGPP__ < 2)  /* DJGPP 2.0 has _use_lfn() */
 #  define CURL_USE_LFN(f) 0  /* long filenames never available */
 #elif defined(__DJGPP__)
@ -552,12 +550,12 @@ CURLcode FindWin32CACert(struct OperationConfig *config,
 {
  CURLcode result = CURLE_OK;
  DWORD res_len;
-  TCHAR buf[PATH_MAX];
+  TCHAR buf[MAX_PATH];
  TCHAR *ptr = NULL;

  buf[0] = TEXT('\0');

-  res_len = SearchPath(NULL, bundle_file, NULL, PATH_MAX, buf, &ptr);
+  res_len = SearchPath(NULL, bundle_file, NULL, MAX_PATH, buf, &ptr);
  if(res_len > 0) {
    curlx_free(config->cacert);
    config->cacert = curlx_convert_tchar_to_UTF8(buf);
--- a/src/var.c
+++ b/src/var.c
@ -369,8 +369,6 @@ static ParameterError addvariable(const char *name,
  return PARAM_NO_MEM;
 }

-#define MAX_FILENAME 10000
-
 ParameterError setvariable(const char *input)
 {
  const char *name;