indent has problems with comments that are on the right hand side of a line.

Sometimes it fails to format them very well, and sometimes it corrupts them!
This commit moves some particularly problematic ones.
Reviewed-by: NTim Hudson <tjh@openssl.org>

apps/s_client.c

@@ -2209,7 +2209,9 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 		if (peer != NULL)
 			{
 			BIO_printf(bio,"Server certificate\n");
-			if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
+
+			/* Redundant if we showed the whole chain */
+			if (!(c_showcerts && got_a_chain))
 				PEM_write_bio_X509(bio,peer);
 			X509_NAME_oneline(X509_get_subject_name(peer),
 				buf,sizeof buf);

crypto/asn1/a_utctm.c

@@ -346,13 +346,16 @@ time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s)
 		}
 #undef g2
 
-	return mktime(&tm)-offset*60; /* FIXME: mktime assumes the current timezone
-	                               * instead of UTC, and unless we rewrite OpenSSL
-				       * in Lisp we cannot locally change the timezone
-				       * without possibly interfering with other parts
-	                               * of the program. timegm, which uses UTC, is
-				       * non-standard.
-	                               * Also time_t is inappropriate for general
-	                               * UTC times because it may a 32 bit type. */
+	/*
+	 * FIXME: mktime assumes the current timezone
+	 * instead of UTC, and unless we rewrite OpenSSL
+	 * in Lisp we cannot locally change the timezone
+	 * without possibly interfering with other parts
+	 * of the program. timegm, which uses UTC, is
+	 * non-standard.
+	 * Also time_t is inappropriate for general
+	 * UTC times because it may a 32 bit type.
+	 */
+	return mktime(&tm)-offset*60; 
 	}
 #endif

crypto/bio/bss_file.c

@@ -153,9 +153,14 @@ BIO *BIO_new_file(const char *filename, const char *mode)
 			    		wmode,sizeof(wmode)/sizeof(wmode[0])) &&
 		    (file=_wfopen(wfilename,wmode))==NULL &&
 		    (errno==ENOENT || errno==EBADF)
-		   )	/* UTF-8 decode succeeded, but no file, filename
-			 * could still have been locale-ized... */
+		   )
+			{
+			/*
+			 * UTF-8 decode succeeded, but no file, filename
+			 * could still have been locale-ized...
+			 */
 			file = fopen(filename,mode);
+			}
 		}
 	else if (GetLastError()==ERROR_NO_UNICODE_TRANSLATION)
 		{

crypto/bio/bss_log.c

@@ -276,8 +276,11 @@ static void xsyslog(BIO *bp, int priority, const char *string)
 	case LOG_DEBUG:
 		evtype = EVENTLOG_INFORMATION_TYPE;
 		break;
-	default:		/* Should never happen, but set it
-				   as error anyway. */
+	default:
+		/*
+		 * Should never happen, but set it
+		 * as error anyway.
+		 */
 		evtype = EVENTLOG_ERROR_TYPE;
 		break;
 		}

crypto/bn/bn.h

@@ -257,16 +257,22 @@ extern "C" {
 
 #define BN_FLG_MALLOCED		0x01
 #define BN_FLG_STATIC_DATA	0x02
-#define BN_FLG_CONSTTIME	0x04 /* avoid leaking exponent information through timing,
-                                      * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime,
-                                      * BN_div() will call BN_div_no_branch,
-                                      * BN_mod_inverse() will call BN_mod_inverse_no_branch.
-                                      */
+
+/*
+ * avoid leaking exponent information through timing,
+ * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime,
+ * BN_div() will call BN_div_no_branch,
+ * BN_mod_inverse() will call BN_mod_inverse_no_branch.
+ */
+#define BN_FLG_CONSTTIME	0x04 
 
 #ifdef OPENSSL_USE_DEPRECATED
-#define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME /* deprecated name for the flag */
-                                      /* avoid leaking exponent information through timings
-                                      * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */
+/* deprecated name for the flag */
+#define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME 
+/*
+ * avoid leaking exponent information through timings
+ * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime)
+ */
 #endif
 
 #ifdef OPENSSL_USE_DEPRECATED

crypto/bn/bn_lib.c

@@ -356,9 +356,12 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
 		case 3:	A[2]=B[2];
 		case 2:	A[1]=B[1];
 		case 1:	A[0]=B[0];
-		case 0: /* workaround for ultrix cc: without 'case 0', the optimizer does
-		         * the switch table by doing a=top&3; a--; goto jump_table[a];
-		         * which fails for top== 0 */
+		case 0:
+			/*
+			 * workaround for ultrix cc: without 'case 0', the optimizer does
+			 * the switch table by doing a=top&3; a--; goto jump_table[a];
+			 * which fails for top== 0
+			 */
 			;
 			}
 		}

crypto/des/read_pwd.c

@@ -75,7 +75,8 @@
 #endif
 #endif
 
-/* #define SIGACTION */ /* Define this if you have sigaction() */
+/* Define this if you have sigaction() */
+/* #define SIGACTION */
 
 /* 06-Apr-92 Luke Brennan    Support for VMS */
 #include "des_locl.h"

crypto/dh/dh.h

@@ -80,13 +80,16 @@
 #define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
 
 #define DH_FLAG_CACHE_MONT_P     0x01
-#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
-                                       * implementation now uses constant time
-                                       * modular exponentiation for secret exponents
-                                       * by default. This flag causes the
-                                       * faster variable sliding window method to
-                                       * be used for all exponents.
-                                       */
+
+/*
+ * new with 0.9.7h; the built-in DH
+ * implementation now uses constant time
+ * modular exponentiation for secret exponents
+ * by default. This flag causes the
+ * faster variable sliding window method to
+ * be used for all exponents.
+ */
+#define DH_FLAG_NO_EXP_CONSTTIME 0x02
 
 /* If this flag is set the DH method is FIPS compliant and can be used
  * in FIPS mode. This is set in the validated module method. If an

crypto/ec/ec_lcl.h

@@ -205,39 +205,49 @@ struct ec_group_st {
 	/* The following members are handled by the method functions,
 	 * even if they appear generic */
 	
-	BIGNUM *field; /* Field specification.
-	               * For curves over GF(p), this is the modulus;
-	               * for curves over GF(2^m), this is the 
-	               * irreducible polynomial defining the field.
-	               */
-
-	int poly[6]; /* Field specification for curves over GF(2^m).
-	              * The irreducible f(t) is then of the form:
-	              *     t^poly[0] + t^poly[1] + ... + t^poly[k]
-	              * where m = poly[0] > poly[1] > ... > poly[k] = 0.
-	              * The array is terminated with poly[k+1]=-1.
-	              * All elliptic curve irreducibles have at most 5
-	              * non-zero terms.
-	              */
-
-	BIGNUM *a, *b; /* Curve coefficients.
-	              * (Here the assumption is that BIGNUMs can be used
-	              * or abused for all kinds of fields, not just GF(p).)
-	              * For characteristic  > 3,  the curve is defined
-	              * by a Weierstrass equation of the form
-	              *     y^2 = x^3 + a*x + b.
-	              * For characteristic  2,  the curve is defined by
-	              * an equation of the form
-	              *     y^2 + x*y = x^3 + a*x^2 + b.
-	              */
-
-	int a_is_minus3; /* enable optimized point arithmetics for special case */
-
-	void *field_data1; /* method-specific (e.g., Montgomery structure) */
-	void *field_data2; /* method-specific */
-	int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *,	BN_CTX *); /* method-specific */
-
-	BN_MONT_CTX *mont_data;    /* data for ECDSA inverse */
+	/* Field specification.
+	 * For curves over GF(p), this is the modulus;
+	 * for curves over GF(2^m), this is the 
+	 * irreducible polynomial defining the field.
+	 */
+	BIGNUM *field;
+
+	/* Field specification for curves over GF(2^m).
+	 * The irreducible f(t) is then of the form:
+	 *     t^poly[0] + t^poly[1] + ... + t^poly[k]
+	 * where m = poly[0] > poly[1] > ... > poly[k] = 0.
+	 * The array is terminated with poly[k+1]=-1.
+	 * All elliptic curve irreducibles have at most 5
+	 * non-zero terms.
+	 */
+	int poly[6]; 
+
+	/* Curve coefficients.
+	 * (Here the assumption is that BIGNUMs can be used
+	 * or abused for all kinds of fields, not just GF(p).)
+	 * For characteristic  > 3,  the curve is defined
+	 * by a Weierstrass equation of the form
+	 *     y^2 = x^3 + a*x + b.
+	 * For characteristic  2,  the curve is defined by
+	 * an equation of the form
+	 *     y^2 + x*y = x^3 + a*x^2 + b.
+	 */
+	BIGNUM *a, *b;
+
+	/* enable optimized point arithmetics for special case */
+	int a_is_minus3;
+
+	/* method-specific (e.g., Montgomery structure) */
+	void *field_data1;
+
+	/* method-specific */
+	void *field_data2;
+
+	/* method-specific */
+	int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *,	BN_CTX *);
+
+	/* data for ECDSA inverse */
+	BN_MONT_CTX *mont_data;
 } /* EC_GROUP */;
 
 struct ec_key_st {

crypto/ec/ecp_nistp224.c

@@ -1017,9 +1017,12 @@ static void point_add(felem x3, felem y3, felem z3,
 	felem_assign(z3, z_out);
 	}
 
-/* select_point selects the |idx|th point from a precomputation table and
- * copies it to out. */
-static void select_point(const u64 idx, unsigned int size, const felem pre_comp[/*size*/][3], felem out[3])
+/*
+ * select_point selects the |idx|th point from a precomputation table and
+ * copies it to out.
+ * The pre_comp array argument should be size of |size| argument
+ */
+static void select_point(const u64 idx, unsigned int size, const felem pre_comp[][3], felem out[3])
 	{
 	unsigned i, j;
 	limb *outlimbs = &out[0][0];

crypto/evp/evp.h

@@ -190,13 +190,16 @@ typedef int evp_verify_method(int type,const unsigned char *m,
 			    unsigned int m_length,const unsigned char *sigbuf,
 			    unsigned int siglen, void *key);
 
-#define EVP_MD_FLAG_ONESHOT	0x0001 /* digest can only handle a single
-					* block */
-
-#define EVP_MD_FLAG_PKEY_DIGEST	0x0002 /* digest is a "clone" digest used
-					* which is a copy of an existing
-					* one for a specific public key type.
-					* EVP_dss1() etc */
+/* digest can only handle a single block */
+#define EVP_MD_FLAG_ONESHOT	0x0001
+
+/*
+ * digest is a "clone" digest used
+ * which is a copy of an existing
+ * one for a specific public key type.
+ * EVP_dss1() etc
+ */
+#define EVP_MD_FLAG_PKEY_DIGEST	0x0002
 
 /* Digest uses EVP_PKEY_METHOD for signing instead of MD specific signing */
 
@@ -218,7 +221,8 @@ typedef int evp_verify_method(int type,const unsigned char *m,
 
 #define EVP_MD_FLAG_DIGALGID_CUSTOM		0x0018
 
-#define EVP_MD_FLAG_FIPS	0x0400 /* Note if suitable for use in FIPS mode */
+/* Note if suitable for use in FIPS mode */
+#define EVP_MD_FLAG_FIPS	0x0400
 
 /* Digest ctrls */
 
@@ -311,19 +315,39 @@ struct evp_cipher_st
 	{
 	int nid;
 	int block_size;
-	int key_len;		/* Default value for variable length ciphers */
+
+	/* Default value for variable length ciphers */
+	int key_len;
 	int iv_len;
-	unsigned long flags;	/* Various flags */
+
+	/* Various flags */
+	unsigned long flags;
+	
+	/* init key */
 	int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-		    const unsigned char *iv, int enc);	/* init key */
+		    const unsigned char *iv, int enc);
+		    
+	/* encrypt/decrypt data */
 	int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out,
-			 const unsigned char *in, size_t inl);/* encrypt/decrypt data */
-	int (*cleanup)(EVP_CIPHER_CTX *); /* cleanup ctx */
-	int ctx_size;		/* how big ctx->cipher_data needs to be */
-	int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); /* Populate a ASN1_TYPE with parameters */
-	int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); /* Get parameters from a ASN1_TYPE */
-	int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr); /* Miscellaneous operations */
-	void *app_data;		/* Application data */
+			 const unsigned char *in, size_t inl);
+
+	/* cleanup ctx */
+	int (*cleanup)(EVP_CIPHER_CTX *);
+
+	/* how big ctx->cipher_data needs to be */
+	int ctx_size;
+
+	/* Populate a ASN1_TYPE with parameters */
+	int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *);
+
+	/* Get parameters from a ASN1_TYPE */
+	int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *);
+
+	/* Miscellaneous operations */
+	int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
+
+	/* Application data */
+	void *app_data;
 	} /* EVP_CIPHER */;
 
 /* Values for cipher flags */
@@ -466,14 +490,22 @@ struct evp_cipher_ctx_st
 
 typedef struct evp_Encode_Ctx_st
 	{
-	int num;	/* number saved in a partial encode/decode */
-	int length;	/* The length is either the output line length
-			 * (in input bytes) or the shortest input line
-			 * length that is ok.  Once decoding begins,
-			 * the length is adjusted up each time a longer
-			 * line is decoded */
-	unsigned char enc_data[80];	/* data to encode */
-	int line_num;	/* number read on current line */
+	/* number saved in a partial encode/decode */
+	int num;
+
+	/* The length is either the output line length
+	 * (in input bytes) or the shortest input line
+	 * length that is ok.  Once decoding begins,
+	 * the length is adjusted up each time a longer
+	 * line is decoded
+	 */
+	int length;
+
+	/* data to encode */
+	unsigned char enc_data[80];
+
+	/* number read on current line */
+	int line_num;
 	int expect_nl;
 	} EVP_ENCODE_CTX;
 

crypto/rand/rand_win.c

@@ -179,12 +179,13 @@ typedef BOOL (WINAPI *MODULE32)(HANDLE, LPMODULEENTRY32);
 
 #include <lmcons.h>
 #include <lmstats.h>
-#if 1 /* The NET API is Unicode only.  It requires the use of the UNICODE
-       * macro.  When UNICODE is defined LPTSTR becomes LPWSTR.  LMSTR was
-       * was added to the Platform SDK to allow the NET API to be used in
-       * non-Unicode applications provided that Unicode strings were still
-       * used for input.  LMSTR is defined as LPWSTR.
-       */
+#if 1
+/* The NET API is Unicode only.  It requires the use of the UNICODE
+ * macro.  When UNICODE is defined LPTSTR becomes LPWSTR.  LMSTR was
+ * was added to the Platform SDK to allow the NET API to be used in
+ * non-Unicode applications provided that Unicode strings were still
+ * used for input.  LMSTR is defined as LPWSTR.
+ */
 typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET)
         (LPWSTR, LPWSTR, DWORD, DWORD, LPBYTE*);
 typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE);

crypto/rsa/rsa.h

@@ -170,7 +170,9 @@ struct rsa_st
 # define OPENSSL_RSA_SMALL_MODULUS_BITS	3072
 #endif
 #ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
-# define OPENSSL_RSA_MAX_PUBEXP_BITS	64 /* exponent limit enforced for "large" modulus only */
+
+/* exponent limit enforced for "large" modulus only */
+# define OPENSSL_RSA_MAX_PUBEXP_BITS	64
 #endif
 
 #define RSA_3	0x3L
@@ -193,30 +195,36 @@ struct rsa_st
  */
 #define RSA_FLAG_SIGN_VER		0x0040
 
-#define RSA_FLAG_NO_BLINDING		0x0080 /* new with 0.9.6j and 0.9.7b; the built-in
-                                                * RSA implementation now uses blinding by
-                                                * default (ignoring RSA_FLAG_BLINDING),
-                                                * but other engines might not need it
-                                                */
-#define RSA_FLAG_NO_CONSTTIME		0x0100 /* new with 0.9.8f; the built-in RSA
-						* implementation now uses constant time
-						* operations by default in private key operations,
-						* e.g., constant time modular exponentiation, 
-                                                * modular inverse without leaking branches, 
-                                                * division without leaking branches. This 
-                                                * flag disables these constant time 
-                                                * operations and results in faster RSA 
-                                                * private key operations.
-                                                */ 
+/*
+ * new with 0.9.6j and 0.9.7b; the built-in
+ * RSA implementation now uses blinding by
+ * default (ignoring RSA_FLAG_BLINDING),
+ * but other engines might not need it
+ */
+#define RSA_FLAG_NO_BLINDING		0x0080
+/*
+ * new with 0.9.8f; the built-in RSA
+ * implementation now uses constant time
+ * operations by default in private key operations,
+ * e.g., constant time modular exponentiation, 
+ * modular inverse without leaking branches, 
+ * division without leaking branches. This 
+ * flag disables these constant time 
+ * operations and results in faster RSA 
+ * private key operations.
+ */ 
+#define RSA_FLAG_NO_CONSTTIME		0x0100
 #ifdef OPENSSL_USE_DEPRECATED
-#define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME /* deprecated name for the flag*/
-                                                /* new with 0.9.7h; the built-in RSA
-                                                * implementation now uses constant time
-                                                * modular exponentiation for secret exponents
-                                                * by default. This flag causes the
-                                                * faster variable sliding window method to
-                                                * be used for all exponents.
-                                                */
+/* deprecated name for the flag*/
+/*
+ * new with 0.9.7h; the built-in RSA
+ * implementation now uses constant time
+ * modular exponentiation for secret exponents
+ * by default. This flag causes the
+ * faster variable sliding window method to
+ * be used for all exponents.
+ */
+#define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME 
 #endif
 
 

crypto/rsa/rsa_eay.c

@@ -286,11 +286,12 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
 		{
 		/* resort to rsa->mt_blinding instead */
 
-		*local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
-		             * that the BN_BLINDING is shared, meaning that accesses
-		             * require locks, and that the blinding factor must be
-		             * stored outside the BN_BLINDING
-		             */
+		/* instructs rsa_blinding_convert(), rsa_blinding_invert()
+		 * that the BN_BLINDING is shared, meaning that accesses
+		 * require locks, and that the blinding factor must be
+		 * stored outside the BN_BLINDING
+		 */
+		*local = 0;
 
 		if (rsa->mt_blinding == NULL)
 			{

crypto/sha/sha.h

@@ -151,9 +151,12 @@ void SHA256_Transform(SHA256_CTX *c, const unsigned char *data);
  * being exactly 64-bit wide. See Implementation Notes in sha512.c
  * for further details.
  */
-#define SHA512_CBLOCK	(SHA_LBLOCK*8)	/* SHA-512 treats input data as a
-					 * contiguous array of 64 bit
-					 * wide big-endian values. */
+/*
+ * SHA-512 treats input data as a
+ * contiguous array of 64 bit
+ * wide big-endian values.
+ */
+#define SHA512_CBLOCK	(SHA_LBLOCK*8)
 #if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
 #define SHA_LONG64 unsigned __int64
 #define U64(C)     C##UI64

crypto/stack/safestack.h

@@ -98,7 +98,8 @@ STACK_OF(type) \
     _STACK stack; \
     };
 
-#define IMPLEMENT_STACK_OF(type) /* nada (obsolete in new safestack approach)*/
+/* nada (obsolete in new safestack approach)*/
+#define IMPLEMENT_STACK_OF(type)
 
 
 /*-

crypto/store/str_mem.c

@@ -86,25 +86,38 @@ typedef struct mem_object_data_st
 DECLARE_STACK_OF(MEM_OBJECT_DATA)
 struct mem_data_st
 	{
-	STACK_OF(MEM_OBJECT_DATA) *data; /* sorted with
-					  * STORE_ATTR_INFO_compare(). */
-	unsigned int compute_components : 1; /* Currently unused, but can
-						be used to add attributes
-						from parts of the data. */
+	/*
+	 * sorted with
+	 * STORE_ATTR_INFO_compare().
+	 */
+	STACK_OF(MEM_OBJECT_DATA) *data; 
+	/*
+	 * Currently unused, but can
+	 * be used to add attributes
+	 * from parts of the data.
+	 */
+	unsigned int compute_components : 1;
 	};
 
 DECLARE_STACK_OF(STORE_ATTR_INFO)
 struct mem_ctx_st
 	{
-	int type;		/* The type we're searching for */
-	STACK_OF(STORE_ATTR_INFO) *search_attributes; /* Sets of
-				     attributes to search for.  Each
-				     element is a STORE_ATTR_INFO. */
-	int search_index;	/* which of the search attributes we
-				   found a match for, -1 when we still
-				   haven't found any */
-	int index;		/* -1 as long as we're searching for
-                                    the first */
+	/* The type we're searching for */
+	int type;
+	/*
+	 * Sets of
+	 * attributes to search for.  Each
+	 * element is a STORE_ATTR_INFO.
+	 */
+	STACK_OF(STORE_ATTR_INFO) *search_attributes;
+	/*
+	 * which of the search attributes we
+	 * found a match for, -1 when we still
+	 * haven't found any
+	 */ 
+	int search_index;
+	/* -1 as long as we're searching for the first */
+	int index;
 	};
 
 static int mem_init(STORE *s);

crypto/whrlpool/wp_block.c

@@ -64,8 +64,11 @@ typedef unsigned long long	u64;
 #  define SMALL_REGISTER_BANK
 #  if defined(WHIRLPOOL_ASM)
 #    ifndef OPENSSL_SMALL_FOOTPRINT
-#      define OPENSSL_SMALL_FOOTPRINT	/* it appears that for elder non-MMX
-					   CPUs this is actually faster! */
+/*
+ * it appears that for elder non-MMX
+ * CPUs this is actually faster!
+ */
+#      define OPENSSL_SMALL_FOOTPRINT
 #    endif
 #    define GO_FOR_MMX(ctx,inp,num)	do {			\
 	extern unsigned long OPENSSL_ia32cap_P[];		\

crypto/x509/x509_vfy.h

@@ -195,14 +195,22 @@ struct x509_store_st
 	X509_VERIFY_PARAM *param;
 
 	/* Callbacks for various operations */
-	int (*verify)(X509_STORE_CTX *ctx);	/* called to verify a certificate */
-	int (*verify_cb)(int ok,X509_STORE_CTX *ctx);	/* error callback */
-	int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);	/* get issuers cert from ctx */
-	int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
-	int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
-	int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
-	int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
-	int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
+	/* called to verify a certificate */
+	int (*verify)(X509_STORE_CTX *ctx);
+	/* error callback */
+	int (*verify_cb)(int ok,X509_STORE_CTX *ctx);
+	/* get issuers cert from ctx */
+	int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
+	/* check issued */
+	int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+	/* Check revocation status of chain */
+	int (*check_revocation)(X509_STORE_CTX *ctx);
+	/* retrieve CRL */
+	int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x);
+	/* Check CRL validity */
+	int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl);
+	/* Check certificate against CRL */
+	int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
 	STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
 	STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
 	int (*cleanup)(X509_STORE_CTX *ctx);
@@ -233,49 +241,72 @@ struct x509_lookup_st
 struct x509_store_ctx_st      /* X509_STORE_CTX */
 	{
 	X509_STORE *ctx;
-	int current_method;	/* used when looking up certs */
+	/* used when looking up certs */
+	int current_method;
 
 	/* The following are set by the caller */
-	X509 *cert;		/* The cert to check */
-	STACK_OF(X509) *untrusted;	/* chain of X509s - untrusted - passed in */
-	STACK_OF(X509_CRL) *crls;	/* set of CRLs passed in */
+	/* The cert to check */
+	X509 *cert;
+	/* chain of X509s - untrusted - passed in */
+	STACK_OF(X509) *untrusted;
+	/* set of CRLs passed in */
+	STACK_OF(X509_CRL) *crls;
 
 	X509_VERIFY_PARAM *param;
-	void *other_ctx;	/* Other info for use with get_issuer() */
+	/* Other info for use with get_issuer() */
+	void *other_ctx;
 
 	/* Callbacks for various operations */
-	int (*verify)(X509_STORE_CTX *ctx);	/* called to verify a certificate */
-	int (*verify_cb)(int ok,X509_STORE_CTX *ctx);		/* error callback */
-	int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);	/* get issuers cert from ctx */
-	int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
-	int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
-	int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
-	int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
-	int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
+	/* called to verify a certificate */
+	int (*verify)(X509_STORE_CTX *ctx);
+	/* error callback */
+	int (*verify_cb)(int ok,X509_STORE_CTX *ctx);
+	/* get issuers cert from ctx */
+	int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
+	/* check issued */
+	int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+	/* Check revocation status of chain */
+	int (*check_revocation)(X509_STORE_CTX *ctx);
+	/* retrieve CRL */
+	int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x);
+	/* Check CRL validity */
+	int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl);
+	/* Check certificate against CRL */
+	int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
 	int (*check_policy)(X509_STORE_CTX *ctx);
 	STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
 	STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
 	int (*cleanup)(X509_STORE_CTX *ctx);
 
 	/* The following is built up */
-	int valid;		/* if 0, rebuild chain */
-	int last_untrusted;	/* index of last untrusted cert */
-	STACK_OF(X509) *chain; 		/* chain of X509s - built up and trusted */
-	X509_POLICY_TREE *tree;	/* Valid policy tree */
-
-	int explicit_policy;	/* Require explicit policy value */
+	/* if 0, rebuild chain */
+	int valid;
+	/* index of last untrusted cert */
+	int last_untrusted;
+	/* chain of X509s - built up and trusted */
+	STACK_OF(X509) *chain;
+	/* Valid policy tree */
+	X509_POLICY_TREE *tree;
+
+	/* Require explicit policy value */
+	int explicit_policy;
 
 	/* When something goes wrong, this is why */
 	int error_depth;
 	int error;
 	X509 *current_cert;
-	X509 *current_issuer;	/* cert currently being tested as valid issuer */
-	X509_CRL *current_crl;	/* current CRL */
-
-	int current_crl_score;  /* score of current CRL */
-	unsigned int current_reasons;  /* Reason mask */
-
-	X509_STORE_CTX *parent; /* For CRL path validation: parent context */
+	/* cert currently being tested as valid issuer */
+	X509 *current_issuer;
+	/* current CRL */
+	X509_CRL *current_crl;
+
+	/* score of current CRL */
+	int current_crl_score;
+	/* Reason mask */
+	unsigned int current_reasons;
+
+	/* For CRL path validation: parent context */
+	X509_STORE_CTX *parent;
 
 	CRYPTO_EX_DATA ex_data;
 	} /* X509_STORE_CTX */;

crypto/x509/x509type.c

@@ -122,8 +122,8 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
 			}
 		}
 
-	if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
-					   for, not bytes */
+	/* /8 because it's 1024 bits we look for, not bytes */
+	if (EVP_PKEY_size(pk) <= 1024/8)
 		ret|=EVP_PKT_EXP;
 	if(pkey==NULL) EVP_PKEY_free(pk);
 	return(ret);

demos/easy_tls/easy-tls.c

@@ -708,7 +708,9 @@ tls_create_ctx(struct tls_create_ctx_args a, void *apparg)
 	    SSL_CTX_set_verify_depth(ret, a.verify_depth);
 	
 	if (a.ca_file != NULL) {
-	    r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL /* no CA-directory */); /* does not report failure if file does not exist ... */
+	    /* does not report failure if file does not exist ... */
+	    /* NULL argument means no CA-directory */
+	    r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL); 
 	    if (!r) {
 		err_pref_1 = " while processing certificate file ";
 		err_pref_2 = a.ca_file;

demos/engines/ibmca/hw_ibmca.c

@@ -776,8 +776,8 @@ they could cause potential side affects on either the card or the result */
 
         /* Prepare the argument and response */
 
-	outLen = CORRECT_ENDIANNESS(privKey->qLength) * 2;  /* Correct endianess is used 
-						because the fields were converted above */
+	/* Correct endianess is used because the fields were converted above */
+	outLen = CORRECT_ENDIANNESS(privKey->qLength) * 2;
 
         if (outLen > 256) {
 		IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,IBMCA_R_OUTLEN_TO_LARGE);

ms/applink.c

@@ -46,9 +46,12 @@ extern "C" {
 __declspec(dllexport)
 void **
 #if defined(__BORLANDC__)
-__stdcall	/* __stdcall appears to be the only way to get the name
-		 * decoration right with Borland C. Otherwise it works
-		 * purely incidentally, as we pass no parameters. */
+/*
+ * __stdcall appears to be the only way to get the name
+ * decoration right with Borland C. Otherwise it works
+ * purely incidentally, as we pass no parameters.
+ */
+__stdcall
 #else
 __cdecl
 #endif

ssl/d1_both.c

@@ -481,10 +481,15 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 again:
 	i = dtls1_get_message_fragment(s, st1, stn, max, ok);
 	if ( i == DTLS1_HM_BAD_FRAGMENT ||
-		i == DTLS1_HM_FRAGMENT_RETRY)  /* bad fragment received */
+		i == DTLS1_HM_FRAGMENT_RETRY)
+		{
+		/* bad fragment received */
 		goto again;
+		}
 	else if ( i <= 0 && !*ok)
+		{
 		return i;
+		}
 
 	p = (unsigned char *)s->init_buf->data;
 	msg_len = msg_hdr->msg_len;
@@ -1022,9 +1027,11 @@ int dtls1_read_failed(SSL *s, int code)
 		}
 
 #ifndef OPENSSL_NO_HEARTBEATS
-	if (!SSL_in_init(s) && !s->tlsext_hb_pending)  /* done, no need to send a retransmit */
+	/* done, no need to send a retransmit */
+	if (!SSL_in_init(s) && !s->tlsext_hb_pending)
 #else
-	if (!SSL_in_init(s))  /* done, no need to send a retransmit */
+	/* done, no need to send a retransmit */
+	if (!SSL_in_init(s))
 #endif
 		{
 		BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);

ssl/d1_pkt.c

@@ -343,8 +343,8 @@ dtls1_get_buffered_record(SSL *s)
 		(((PQ_64BIT)s->d1->handshake_read_seq) << 32) | 
 		((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
 	
-	if ( ! SSL_in_init(s))  /* if we're not (re)negotiating, 
-							   nothing buffered */
+    /* if we're not (re)negotiating, nothing buffered */
+	if ( ! SSL_in_init(s))
 		return 0;
 
 

ssl/s23_srvr.c

@@ -232,19 +232,21 @@ end:
 
 int ssl23_get_client_hello(SSL *s)
 	{
-	char buf_space[11]; /* Request this many bytes in initial read.
-	                     * We can detect SSL 3.0/TLS 1.0 Client Hellos
-	                     * ('type == 3') correctly only when the following
-	                     * is in a single record, which is not guaranteed by
-	                     * the protocol specification:
-	                     * Byte  Content
-	                     *  0     type            \
-	                     *  1/2   version          > record header
-	                     *  3/4   length          /
-	                     *  5     msg_type        \
-	                     *  6-8   length           > Client Hello message
-	                     *  9/10  client_version  /
-	                     */
+    /*-
+     * Request this many bytes in initial read.
+     * We can detect SSL 3.0/TLS 1.0 Client Hellos
+     * ('type == 3') correctly only when the following
+     * is in a single record, which is not guaranteed by
+     * the protocol specification:
+     * Byte  Content
+     *  0     type            \
+     *  1/2   version          > record header
+     *  3/4   length          /
+     *  5     msg_type        \
+     *  6-8   length           > Client Hello message
+     *  9/10  client_version  /
+     */
+	char buf_space[11]; 
 	char *buf= &(buf_space[0]);
 	unsigned char *p,*d,*d_len,*dd;
 	unsigned int i;

ssl/s3_both.c

@@ -230,11 +230,12 @@ int ssl3_get_finished(SSL *s, int a, int b)
 	 */ 
 #endif
 
+	/* 64 argument should actually be 36+4 :-) */
 	n=s->method->ssl_get_message(s,
 		a,
 		b,
 		SSL3_MT_FINISHED,
-		64, /* should actually be 36+4 :-) */
+		64,
 		&ok);
 
 	if (!ok) return((int)n);

ssl/ssl.h

@@ -994,7 +994,8 @@ struct ssl_ctx_st
 	int verify_mode;
 	unsigned int sid_ctx_length;
 	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
-	int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
+	/* called 'verify_callback' in the SSL */
+	int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx);
 
 	/* Default generate session ID callback. */
 	GEN_SESSION_CB generate_session_id;
@@ -1288,22 +1289,28 @@ struct ssl_st
 	 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION)
 	 */
 	int version;
-	int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
+	/* SSL_ST_CONNECT or SSL_ST_ACCEPT */
+	int type;
 
-	const SSL_METHOD *method; /* SSLv3 */
+	/* SSLv3 */
+	const SSL_METHOD *method;
 
 	/* There are 2 BIO's even though they are normally both the
 	 * same.  This is so data can be read and written to different
 	 * handlers */
 
 #ifndef OPENSSL_NO_BIO
-	BIO *rbio; /* used by SSL_read */
-	BIO *wbio; /* used by SSL_write */
-	BIO *bbio; /* used during session-id reuse to concatenate
-		    * messages */
+	/* used by SSL_read */
+	BIO *rbio;
+	/* used by SSL_write */
+	BIO *wbio;
+	/* used during session-id reuse to concatenate messages */
+	BIO *bbio;
 #else
-	char *rbio; /* used by SSL_read */
-	char *wbio; /* used by SSL_write */
+	/* used by SSL_read */
+	char *rbio;
+	/* used by SSL_write */
+	char *wbio;
 	char *bbio;
 #endif
 	/* This holds a variable that indicates what we were doing
@@ -1324,17 +1331,24 @@ struct ssl_st
 	 * test instead of an "init" member.
 	 */
 
-	int server;	/* are we the server side? - mostly used by SSL_clear*/
+	/* are we the server side? - mostly used by SSL_clear*/
+	int server;
 
-	int new_session;/* Generate a new session or reuse an old one.
-	                 * NB: For servers, the 'new' session may actually be a previously
-	                 * cached session or even the previous session unless
-	                 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
-	int quiet_shutdown;/* don't send shutdown packets */
-	int shutdown;	/* we have shut things down, 0x01 sent, 0x02
-			 * for received */
-	int state;	/* where we are */
-	int rstate;	/* where we are when reading */
+	/*
+	 * Generate a new session or reuse an old one.
+	 * NB: For servers, the 'new' session may actually be a previously
+	 * cached session or even the previous session unless
+	 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set
+	 */
+	int new_session;
+	/* don't send shutdown packets */
+	int quiet_shutdown;
+	/* we have shut things down, 0x01 sent, 0x02 for received */
+	int shutdown;
+	/* where we are */
+	int state;
+	/* where we are when reading */
+	int rstate;
 
 	BUF_MEM *init_buf;	/* buffer used during init */
 	void *init_msg;   	/* pointer to handshake message body, set by ssl3_get_message() */
@@ -1405,17 +1419,25 @@ struct ssl_st
 	GEN_SESSION_CB generate_session_id;
 
 	/* Used in SSL3 */
-	int verify_mode;	/* 0 don't care about verify failure.
-				 * 1 fail if verify fails */
-	int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
+	/*
+	 * 0 don't care about verify failure.
+	 * 1 fail if verify fails
+	 */
+	int verify_mode;	
+	/* fail if callback returns 0 */
+	int (*verify_callback)(int ok,X509_STORE_CTX *ctx);
 
-	void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
+	/* optional informational callback */
+	void (*info_callback)(const SSL *ssl,int type,int val);
 
-	int error;		/* error bytes to be written */
-	int error_code;		/* actual code */
+	/* error bytes to be written */
+	int error;
+	/* actual code */
+	int error_code;
 
 #ifndef OPENSSL_NO_KRB5
-	KSSL_CTX *kssl_ctx;     /* Kerberos 5 context */
+	/* Kerberos 5 context */
+	KSSL_CTX *kssl_ctx;
 #endif	/* OPENSSL_NO_KRB5 */
 
 #ifndef OPENSSL_NO_PSK
@@ -1439,12 +1461,14 @@ struct ssl_st
 	STACK_OF(X509_NAME) *client_CA;
 
 	int references;
-	unsigned long options; /* protocol behaviour */
-	unsigned long mode; /* API behaviour */
+	/* protocol behaviour */
+	unsigned long options;
+	/* API behaviour */
+	unsigned long mode;
 	long max_cert_list;
 	int first_packet;
-	int client_version;	/* what was passed, used for
-				 * SSLv3/TLS rollback check */
+	/* what was passed, used for SSLv3/TLS rollback check */
+	int client_version;
 	unsigned int max_send_fragment;
 #ifndef OPENSSL_NO_TLSEXT
 	/* TLS extension debug callback */
@@ -1453,11 +1477,13 @@ struct ssl_st
 					void *arg);
 	void *tlsext_debug_arg;
 	char *tlsext_hostname;
-	int servername_done;   /* no further mod of servername 
-	                          0 : call the servername extension callback.
-	                          1 : prepare 2, allow last ack just after in server callback.
-	                          2 : don't call servername callback, no ack in server hello
-	                       */
+    /*-
+     * no further mod of servername 
+     * 0 : call the servername extension callback.
+     * 1 : prepare 2, allow last ack just after in server callback.
+     * 2 : don't call servername callback, no ack in server hello
+     */
+	int servername_done;
 	/* certificate status request info */
 	/* Status type or -1 if no status type */
 	int tlsext_status_type;
@@ -1474,9 +1500,11 @@ struct ssl_st
 	int tlsext_ticket_expected;
 #ifndef OPENSSL_NO_EC
 	size_t tlsext_ecpointformatlist_length;
-	unsigned char *tlsext_ecpointformatlist; /* our list */
+	/* our list */
+	unsigned char *tlsext_ecpointformatlist;
 	size_t tlsext_ellipticcurvelist_length;
-	unsigned char *tlsext_ellipticcurvelist; /* our list */
+	/* our list */
+	unsigned char *tlsext_ellipticcurvelist;
 #endif /* OPENSSL_NO_EC */
 
 	/* draft-rescorla-tls-opaque-prf-input-00.txt information to be used for handshakes */
@@ -1510,16 +1538,22 @@ struct ssl_st
 
 #define session_ctx initial_ctx
 
-	STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;  /* What we'll do */
-	SRTP_PROTECTION_PROFILE *srtp_profile;            /* What's been chosen */
+	/* What we'll do */
+	STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
+	/* What's been chosen */
+	SRTP_PROTECTION_PROFILE *srtp_profile;
 
-	unsigned int tlsext_heartbeat;  /* Is use of the Heartbeat extension negotiated?
-	                                   0: disabled
-	                                   1: enabled
-	                                   2: enabled, but not allowed to send Requests
-	                                 */
-	unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
-	unsigned int tlsext_hb_seq;     /* HeartbeatRequest sequence number */
+	/*-
+	 * Is use of the Heartbeat extension negotiated?
+	 *  0: disabled
+	 *  1: enabled
+	 *  2: enabled, but not allowed to send Requests
+	 */
+	unsigned int tlsext_heartbeat;
+	/* Indicates if a HeartbeatRequest is in flight */
+	unsigned int tlsext_hb_pending;
+	/* HeartbeatRequest sequence number */
+	unsigned int tlsext_hb_seq;
 
 	/* For a client, this contains the list of supported protocols in wire
 	 * format. */
@@ -1529,12 +1563,16 @@ struct ssl_st
 #define session_ctx ctx
 #endif /* OPENSSL_NO_TLSEXT */
 
-	int renegotiate;/* 1 if we are renegotiating.
-	                 * 2 if we are a server and are inside a handshake
-	                 * (i.e. not just sending a HelloRequest) */
+    /*-
+     * 1 if we are renegotiating.
+     * 2 if we are a server and are inside a handshake
+     * (i.e. not just sending a HelloRequest)
+     */
+	int renegotiate;
 
 #ifndef OPENSSL_NO_SRP
-	SRP_CTX srp_ctx; /* ctx for SRP authentication */
+	/* ctx for SRP authentication */
+	SRP_CTX srp_ctx;
 #endif
 
 	/* Callback for disabling session caching and ticket support

ssl/ssl3.h

@@ -388,27 +388,39 @@ extern "C" {
 
 typedef struct ssl3_record_st
 	{
-/*r */	int type;               /* type of record */
-/*rw*/	unsigned int length;    /* How many bytes available */
-/*rw*/	unsigned int orig_len;  /* How many bytes were available before padding
-				   was removed? This is used to implement the
-				   MAC check in constant time for CBC records.
-				 */
-/*r */	unsigned int off;       /* read/write offset into 'buf' */
-/*rw*/	unsigned char *data;    /* pointer to the record data */
-/*rw*/	unsigned char *input;   /* where the decode bytes are */
-/*r */	unsigned char *comp;    /* only used with decompression - malloc()ed */
-/*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */
-/*r */  unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
+		/* type of record */
+/*r */	int type;
+		/* How many bytes available */
+/*rw*/	unsigned int length;
+		/* How many bytes were available before padding
+		 * was removed? This is used to implement the
+		 * MAC check in constant time for CBC records.
+		 */
+/*rw*/	unsigned int orig_len;
+		/* read/write offset into 'buf' */
+/*r */	unsigned int off;
+		/* pointer to the record data */
+/*rw*/	unsigned char *data;
+		/* where the decode bytes are */
+/*rw*/	unsigned char *input;
+		/* only used with decompression - malloc()ed */
+/*r */	unsigned char *comp;
+		/* epoch number, needed by DTLS1 */
+/*r */  unsigned long epoch;
+		/* sequence number, needed by DTLS1 */
+/*r */  unsigned char seq_num[8];
 	} SSL3_RECORD;
 
 typedef struct ssl3_buffer_st
 	{
-	unsigned char *buf;     /* at least SSL3_RT_MAX_PACKET_SIZE bytes,
-	                         * see ssl3_setup_buffers() */
-	size_t len;             /* buffer size */
-	int offset;             /* where to 'copy from' */
-	int left;               /* how many bytes left */
+	/* at least SSL3_RT_MAX_PACKET_SIZE bytes, see ssl3_setup_buffers() */
+	unsigned char *buf;
+	/* buffer size */
+	size_t len;
+	/* where to 'copy from' */
+	int offset;
+	/* how many bytes left */
+	int left;
 	} SSL3_BUFFER;
 
 #endif

ssl/ssl_lib.c

@@ -201,10 +201,15 @@ int SSL_clear(SSL *s)
 	s->hit=0;
 	s->shutdown=0;
 
-#if 0 /* Disabled since version 1.10 of this file (early return not
-       * needed because SSL_clear is not called when doing renegotiation) */
-	/* This is set if we are doing dynamic renegotiation so keep
-	 * the old cipher.  It is sort of a SSL_clear_lite :-) */
+#if 0
+    /*
+     * Disabled since version 1.10 of this file (early return not
+     * needed because SSL_clear is not called when doing renegotiation)
+     */
+    /*
+     * This is set if we are doing dynamic renegotiation so keep
+     * the old cipher.  It is sort of a SSL_clear_lite :-)
+     */
 	if (s->renegotiate) return(1);
 #else
 	if (s->renegotiate)

ssl/ssl_locl.h

@@ -566,9 +566,12 @@ typedef struct {
 typedef struct cert_st
 	{
 	/* Current active set */
-	CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
-			 * Probably it would make more sense to store
-			 * an index, not a pointer. */
+	/*
+	 * ALWAYS points to an element of the pkeys array
+	 * Probably it would make more sense to store
+	 * an index, not a pointer.
+	 */
+	CERT_PKEY *key;
  
 	/* For servers the following masks are for the key and auth
 	 * algorithms that are supported by the certs below.

ssl/ssl_sess.c

@@ -1009,9 +1009,11 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
 	if ((s->next == NULL) || (s->prev == NULL)) return;
 
 	if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
-		{ /* last element in list */
+		{
+		/* last element in list */
 		if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
-			{ /* only one element in list */
+			{
+			/* only one element in list */
 			ctx->session_cache_head=NULL;
 			ctx->session_cache_tail=NULL;
 			}
@@ -1024,12 +1026,14 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
 	else
 		{
 		if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
-			{ /* first element in list */
+			{
+			/* first element in list */
 			ctx->session_cache_head=s->next;
 			s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
 			}
 		else
-			{ /* middle of list */
+			{
+			/* middle of list */
 			s->next->prev=s->prev;
 			s->prev->next=s->next;
 			}

ssl/ssltest.c

@@ -140,8 +140,8 @@
  * OTHERWISE.
  */
 
-#define _BSD_SOURCE 1		/* Or gethostname won't be declared properly
-				   on Linux and GNU platforms. */
+/* Or gethostname won't be declared properly on Linux and GNU platforms. */
+#define _BSD_SOURCE 1
 
 #include <assert.h>
 #include <errno.h>
@@ -155,8 +155,8 @@
 #include "e_os.h"
 
 #ifdef OPENSSL_SYS_VMS
-#define _XOPEN_SOURCE 500	/* Or isascii won't be declared properly on
-				   VMS (at least with DECompHP C).  */
+/* Or isascii won't be declared properly on VMS (at least with DECompHP C).  */
+#define _XOPEN_SOURCE 500
 #endif
 
 #include <ctype.h>
@@ -186,11 +186,13 @@
 #endif
 #include <openssl/bn.h>
 
-#define _XOPEN_SOURCE_EXTENDED	1 /* Or gethostname won't be declared properly
-				     on Compaq platforms (at least with DEC C).
-				     Do not try to put it earlier, or IPv6 includes
-				     get screwed...
-				  */
+/*
+ * Or gethostname won't be declared properly
+ * on Compaq platforms (at least with DEC C).
+ * Do not try to put it earlier, or IPv6 includes
+ * get screwed...
+*/
+#define _XOPEN_SOURCE_EXTENDED	1 
 
 #ifdef OPENSSL_SYS_WINDOWS
 #include <winsock.h>

ssl/t1_lib.c

@@ -2264,8 +2264,11 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 				return 0;
 				}
 
-			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
+			if (s->s3->client_opaque_prf_input != NULL)
+				{
+				/* shouldn't really happen */
 				OPENSSL_free(s->s3->client_opaque_prf_input);
+				}
 				
 			/* dummy byte just to get non-NULL */
 			if (s->s3->client_opaque_prf_input_len == 0)
@@ -2695,12 +2698,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char
 				return 0;
 				}
 			
-			if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
+			if (s->s3->server_opaque_prf_input != NULL)
+				{
+				/* shouldn't really happen */
 				OPENSSL_free(s->s3->server_opaque_prf_input);
+				}
 			if (s->s3->server_opaque_prf_input_len == 0)
-				s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
+				{
+				/* dummy byte just to get non-NULL */
+				s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
+				}
 			else
+				{
 				s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
+				}
 
 			if (s->s3->server_opaque_prf_input == NULL)
 				{
@@ -2915,13 +2926,21 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
 
 		if (s->tlsext_opaque_prf_input != NULL)
 			{
-			if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
+			if (s->s3->client_opaque_prf_input != NULL)
+				{
+				/* shouldn't really happen */
 				OPENSSL_free(s->s3->client_opaque_prf_input);
+				}
 
 			if (s->tlsext_opaque_prf_input_len == 0)
-				s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
+				{
+				/* dummy byte just to get non-NULL */
+				s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
+				}
 			else
+				{
 				s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
+				}
 			if (s->s3->client_opaque_prf_input == NULL)
 				{
 				SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
@@ -2983,8 +3002,11 @@ static int ssl_check_clienthello_tlsext_early(SSL *s)
 				}
 			}
 
-		if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
+		if (s->s3->server_opaque_prf_input != NULL)
+			{
+			/* shouldn't really happen */
 			OPENSSL_free(s->s3->server_opaque_prf_input);
+			}
 		s->s3->server_opaque_prf_input = NULL;
 
 		if (s->tlsext_opaque_prf_input != NULL)
@@ -2996,9 +3018,14 @@ static int ssl_check_clienthello_tlsext_early(SSL *s)
 				 * of the same length as the client opaque PRF input! */
 
 				if (s->tlsext_opaque_prf_input_len == 0)
-					s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
+					{
+					/* dummy byte just to get non-NULL */
+					s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
+					}
 				else
+					{
 					s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
+					}
 				if (s->s3->server_opaque_prf_input == NULL)
 					{
 					ret = SSL_TLSEXT_ERR_ALERT_FATAL;

ssl/tls1.h

@@ -253,9 +253,12 @@ extern "C" {
 #define TLSEXT_TYPE_session_ticket		35
 
 /* ExtensionType value from draft-rescorla-tls-opaque-prf-input-00.txt */
-#if 0 /* will have to be provided externally for now ,
-       * i.e. build with -DTLSEXT_TYPE_opaque_prf_input=38183
-       * using whatever extension number you'd like to try */
+#if 0
+/*
+ * will have to be provided externally for now ,
+ * i.e. build with -DTLSEXT_TYPE_opaque_prf_input=38183
+ * using whatever extension number you'd like to try
+ */
 # define TLSEXT_TYPE_opaque_prf_input		??
 #endif