doc/man3: use the documented coding style in the example code

Adjust brace placement, whitespace after keywords, indentation and empty
lines after variable declarations according to
https://www.openssl.org/policies/codingstyle.html.

Indent literal sections by exactly one space.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1956)

doc/man3/ASYNC_start_job.pod

@@ -262,7 +262,7 @@ The following example demonstrates how to use most of the core async APIs:
      }
 
      for (;;) {
-         switch(ASYNC_start_job(&job, ctx, &ret, jobfunc, msg, sizeof(msg))) {
+         switch (ASYNC_start_job(&job, ctx, &ret, jobfunc, msg, sizeof(msg))) {
          case ASYNC_ERR:
          case ASYNC_NO_JOBS:
              printf("An error occurred\n");

doc/man3/BIO_f_base64.pod

@@ -65,7 +65,7 @@ data to standard output:
  bio = BIO_new_fp(stdin, BIO_NOCLOSE);
  bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
  BIO_push(b64, bio);
- while((inlen = BIO_read(b64, inbuf, 512)) > 0)
+ while ((inlen = BIO_read(b64, inbuf, 512)) > 0)
      BIO_write(bio_out, inbuf, inlen);
 
  BIO_flush(bio_out);

doc/man3/BIO_f_md.pod

@@ -82,7 +82,8 @@ checking has been omitted for clarity.
  bio = BIO_new(BIO_s_null());
  mdtmp = BIO_new(BIO_f_md());
  BIO_set_md(mdtmp, EVP_sha1());
- /* For BIO_push() we want to append the sink BIO and keep a note of
+ /*
+  * For BIO_push() we want to append the sink BIO and keep a note of
   * the start of the chain.
   */
  bio = BIO_push(mdtmp, bio);
@@ -120,7 +121,8 @@ outputs them. This could be used with the examples above.
  do {
      EVP_MD *md;
      mdtmp = BIO_find_type(mdtmp, BIO_TYPE_MD);
-        if (!mdtmp) break;
+     if (!mdtmp)
+         break;
      BIO_get_md(mdtmp, &md);
      printf("%s digest", OBJ_nid2sn(EVP_MD_type(md)));
      mdlen = BIO_gets(mdtmp, mdbuf, EVP_MAX_MD_SIZE);

doc/man3/BIO_f_ssl.pod

@@ -178,7 +178,7 @@ unencrypted example in L<BIO_s_connect(3)>.
  /* XXX Could examine ssl here to get connection info */
 
  BIO_puts(sbio, "GET / HTTP/1.0\n\n");
- for ( ; ; ) {
+ for (;;) {
      len = BIO_read(sbio, tmpbuf, 1024);
      if (len <= 0)
          break;
@@ -261,7 +261,7 @@ a client and also echoes the request to standard output.
  BIO_puts(sbio, "\r\nConnection Established\r\nRequest headers:\r\n");
  BIO_puts(sbio, "--------------------------------------------------\r\n");
 
- for ( ; ; ) {
+ for (;;) {
      len = BIO_gets(sbio, tmpbuf, 1024);
      if (len <= 0)
          break;

doc/man3/BIO_find_type.pod

@@ -49,7 +49,8 @@ Traverse a chain looking for digest BIOs:
 
  do {
      btmp = BIO_find_type(btmp, BIO_TYPE_MD);
-        if (btmp == NULL) break; /* Not found */
+     if (btmp == NULL)
+         break; /* Not found */
      /* btmp is a digest BIO, do something with it ...*/
      ...
 

doc/man3/BIO_s_connect.pod

@@ -174,7 +174,7 @@ to retrieve a page and copy the result to standard output.
      exit(1);
  }
  BIO_puts(cbio, "GET / HTTP/1.0\n\n");
- for ( ; ; ) {
+ for (;;) {
      len = BIO_read(cbio, tmpbuf, 1024);
      if (len <= 0)
          break;

doc/man3/BIO_s_file.pod

@@ -92,15 +92,18 @@ Alternative technique:
 
  BIO *bio_out;
  bio_out = BIO_new(BIO_s_file());
- if (bio_out == NULL) /* Error ... */
- if (!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE)) /* Error ... */
+ if (bio_out == NULL)
+     /* Error */
+ if (!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE))
+     /* Error */
  BIO_printf(bio_out, "Hello World\n");
 
 Write to a file:
 
  BIO *out;
  out = BIO_new_file("filename.txt", "w");
- if (!out) /* Error occurred */
+ if (!out)
+     /* Error */
  BIO_printf(out, "Hello World\n");
  BIO_free(out);
 
@@ -108,8 +111,10 @@ Alternative technique:
 
  BIO *out;
  out = BIO_new(BIO_s_file());
- if (out == NULL) /* Error ... */
- if (!BIO_write_filename(out, "filename.txt")) /* Error ... */
+ if (out == NULL)
+     /* Error */
+ if (!BIO_write_filename(out, "filename.txt"))
+     /* Error */
  BIO_printf(out, "Hello World\n");
  BIO_free(out);
 

doc/man3/BIO_set_callback.pod

@@ -122,7 +122,8 @@ or
 
 is called before the read and
 
- callback_ex(b, BIO_CB_READ | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue, readbytes)
+ callback_ex(b, BIO_CB_READ | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue,
+             readbytes)
 
 or
 
@@ -140,7 +141,8 @@ or
 
 is called before the write and
 
- callback_ex(b, BIO_CB_WRITE | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue, written)
+ callback_ex(b, BIO_CB_WRITE | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue,
+             written)
 
 or
 
@@ -158,7 +160,8 @@ or
 
 is called before the operation and
 
- callback_ex(b, BIO_CB_GETS | BIO_CB_RETURN, buf, size, 0, 0L, retvalue, readbytes)
+ callback_ex(b, BIO_CB_GETS | BIO_CB_RETURN, buf, size, 0, 0L, retvalue,
+             readbytes)
 
 or
 

doc/man3/BN_CTX_new.pod

@@ -51,7 +51,8 @@ replace use of BN_CTX_init with BN_CTX_new instead:
 
  BN_CTX *ctx;
  ctx = BN_CTX_new();
- if(!ctx) /* Handle error */
+ if (!ctx)
+     /* error */
  ...
  BN_CTX_free(ctx);
 

doc/man3/BN_generate_prime.pod

@@ -169,7 +169,8 @@ Instead applications should create a BN_GENCB structure using BN_GENCB_new:
 
  BN_GENCB *callback;
  callback = BN_GENCB_new();
- if(!callback) /* handle error */
+ if (!callback)
+     /* error */
  ...
  BN_GENCB_free(callback);
 

doc/man3/ECDSA_SIG_new.pod

@@ -140,20 +140,17 @@ specific)
  ECDSA_SIG *sig;
  EC_KEY *eckey;
  eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- if (eckey == NULL) {
+ if (eckey == NULL)
      /* error */
- }
- if (EC_KEY_generate_key(eckey) == 0) {
+ if (EC_KEY_generate_key(eckey) == 0)
      /* error */
- }
 
 Second step: compute the ECDSA signature of a SHA-256 hash value
 using ECDSA_do_sign():
 
  sig = ECDSA_do_sign(digest, 32, eckey);
- if (sig == NULL) {
+ if (sig == NULL)
      /* error */
- }
 
 or using ECDSA_sign():
 
@@ -162,9 +159,8 @@ or using ECDSA_sign():
  buf_len = ECDSA_size(eckey);
  buffer = OPENSSL_malloc(buf_len);
  pp = buffer;
- if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0) {
+ if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0)
      /* error */
- }
 
 Third step: verify the created ECDSA signature using ECDSA_do_verify():
 
@@ -176,13 +172,12 @@ or using ECDSA_verify():
 
 and finally evaluate the return value:
 
- if (ret == 1) {
+ if (ret == 1)
      /* signature ok */
- } else if (ret == 0) {
+ else if (ret == 0)
      /* incorrect signature */
- } else {
+ else
      /* error */
- }
 
 =head1 CONFORMING TO
 

doc/man3/ENGINE_add.pod

@@ -385,17 +385,19 @@ illustrates how to approach this;
  const char *engine_id = "ACME";
  ENGINE_load_builtin_engines();
  e = ENGINE_by_id(engine_id);
- if(!e)
+ if (!e)
      /* the engine isn't available */
      return;
- if(!ENGINE_init(e)) {
+ if (!ENGINE_init(e)) {
      /* the engine couldn't initialise, release 'e' */
      ENGINE_free(e);
      return;
  }
- if(!ENGINE_set_default_RSA(e))
-     /* This should only happen when 'e' can't initialise, but the previous
-      * statement suggests it did. */
+ if (!ENGINE_set_default_RSA(e))
+     /*
+      * This should only happen when 'e' can't initialise, but the previous
+      * statement suggests it did.
+      */
      abort();
  ENGINE_set_default_DSA(e);
  ENGINE_set_default_ciphers(e);
@@ -474,7 +476,7 @@ boolean success or failure.
      ENGINE *e = ENGINE_by_id(engine_id);
      if (!e) return 0;
      while (pre_num--) {
-         if(!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) {
+         if (!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) {
              fprintf(stderr, "Failed command (%s - %s:%s)\n", engine_id,
                      pre_cmds[0], pre_cmds[1] ? pre_cmds[1] : "(NULL)");
              ENGINE_free(e);
@@ -487,11 +489,13 @@ boolean success or failure.
          ENGINE_free(e);
          return 0;
      }
-     /* ENGINE_init() returned a functional reference, so free the structural
-      * reference from ENGINE_by_id(). */
+     /*
+      * ENGINE_init() returned a functional reference, so free the structural
+      * reference from ENGINE_by_id().
+      */
      ENGINE_free(e);
-     while(post_num--) {
-         if(!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) {
+     while (post_num--) {
+         if (!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) {
              fprintf(stderr, "Failed command (%s - %s:%s)\n", engine_id,
                      post_cmds[0], post_cmds[1] ? post_cmds[1] : "(NULL)");
              ENGINE_finish(e);

doc/man3/EVP_EncryptInit.pod

@@ -543,7 +543,8 @@ Encrypt a string using IDEA:
  {
      unsigned char outbuf[1024];
      int outlen, tmplen;
-        /* Bogus key and IV: we'd normally set these from
+     /*
+      * Bogus key and IV: we'd normally set these from
       * another source.
       */
      unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
@@ -555,25 +556,25 @@ Encrypt a string using IDEA:
      ctx = EVP_CIPHER_CTX_new();
      EVP_EncryptInit_ex(ctx, EVP_idea_cbc(), NULL, key, iv);
 
-        if(!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext)))
-                {
+     if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) {
          /* Error */
          return 0;
      }
-        /* Buffer passed to EVP_EncryptFinal() must be after data just
+     /*
+      * Buffer passed to EVP_EncryptFinal() must be after data just
       * encrypted to avoid overwriting it.
       */
-        if(!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen))
-                {
+     if (!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) {
          /* Error */
          return 0;
      }
      outlen += tmplen;
      EVP_CIPHER_CTX_free(ctx);
-        /* Need binary mode for fopen because encrypted data is
+     /*
+      * Need binary mode for fopen because encrypted data is
       * binary data. Also cannot use strlen() on it because
-         * it won't be null terminated and may contain embedded
-         * nulls.
+      * it won't be NUL terminated and may contain embedded
+      * NULs.
       */
      out = fopen(outfile, "wb");
      fwrite(outbuf, 1, outlen, out);
@@ -584,8 +585,8 @@ Encrypt a string using IDEA:
 The ciphertext from the above example can be decrypted using the B<openssl>
 utility with the command line (shown on two lines for clarity):
 
- openssl idea -d <filename
-          -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708
+ openssl idea -d \
+     -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 <filename
 
 General encryption and decryption function example using FILE I/O and AES128
 with a 128-bit key:
@@ -596,7 +597,8 @@ with a 128-bit key:
      unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
      int inlen, outlen;
      EVP_CIPHER_CTX *ctx;
-        /* Bogus key and IV: we'd normally set these from
+     /*
+      * Bogus key and IV: we'd normally set these from
       * another source.
       */
      unsigned char key[] = "0123456789abcdeF";
@@ -612,20 +614,18 @@ with a 128-bit key:
      /* Now we can set key and IV */
      EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, do_encrypt);
 
-        for(;;)
-                {
+     for (;;) {
          inlen = fread(inbuf, 1, 1024, in);
-                if (inlen <= 0) break;
-                if(!EVP_CipherUpdate(ctx, outbuf, &outlen, inbuf, inlen))
-                        {
+         if (inlen <= 0)
+             break;
+         if (!EVP_CipherUpdate(ctx, outbuf, &outlen, inbuf, inlen)) {
              /* Error */
              EVP_CIPHER_CTX_free(ctx);
              return 0;
          }
          fwrite(outbuf, 1, outlen, out);
      }
-        if(!EVP_CipherFinal_ex(ctx, outbuf, &outlen))
-                {
+     if (!EVP_CipherFinal_ex(ctx, outbuf, &outlen)) {
          /* Error */
          EVP_CIPHER_CTX_free(ctx);
          return 0;

doc/man3/EVP_PKEY_decrypt.pod

@@ -52,7 +52,8 @@ Decrypt data using OAEP (for RSA keys):
  unsigned char *out, *in;
  size_t outlen, inlen;
  EVP_PKEY *key;
- /* NB: assumes key in, inlen are already set up
+ /*
+  * NB: assumes key in, inlen are already set up
   * and that key is an RSA private key
   */
  ctx = EVP_PKEY_CTX_new(key);

doc/man3/EVP_PKEY_encrypt.pod

@@ -56,7 +56,8 @@ set 'eng = NULL;' to start with the default OpenSSL RSA implementation:
  unsigned char *out, *in;
  size_t outlen, inlen;
  EVP_PKEY *key;
- /* NB: assumes eng, key, in, inlen are already set up,
+ /*
+  * NB: assumes eng, key, in, inlen are already set up,
   * and that key is an RSA public key
   */
  ctx = EVP_PKEY_CTX_new(key, eng);

doc/man3/EVP_PKEY_keygen.pod

@@ -138,12 +138,15 @@ Example of generation callback for OpenSSL public key implementations:
  {
      char c = '*';
      BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
-        int p;
-        p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
-        if (p == 0) c = '.';
-        if (p == 1) c = '+';
-        if (p == 2) c = '*';
-        if (p == 3) c = '\n';
+     int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
+     if (p == 0)
+         c = '.';
+     if (p == 1)
+         c = '+';
+     if (p == 2)
+         c = '*';
+     if (p == 3)
+         c = '\n';
      BIO_write(b, &c, 1);
      (void)BIO_flush(b);
      return 1;

doc/man3/EVP_PKEY_verify.pod

@@ -55,7 +55,8 @@ Verify signature using PKCS#1 and SHA256 digest:
  unsigned char *md, *sig;
  size_t mdlen, siglen;
  EVP_PKEY *verify_key;
- /* NB: assumes verify_key, sig, siglen md and mdlen are already set up
+ /*
+  * NB: assumes verify_key, sig, siglen md and mdlen are already set up
   * and that verify_key is an RSA public key
   */
  ctx = EVP_PKEY_CTX_new(verify_key);
@@ -71,7 +72,8 @@ Verify signature using PKCS#1 and SHA256 digest:
  /* Perform operation */
  ret = EVP_PKEY_verify(ctx, sig, siglen, md, mdlen);
 
- /* ret == 1 indicates success, 0 verify failure and < 0 for some
+ /*
+  * ret == 1 indicates success, 0 verify failure and < 0 for some
   * other error.
   */
 

doc/man3/EVP_PKEY_verify_recover.pod

@@ -60,7 +60,8 @@ Recover digest originally signed using PKCS#1 and SHA256 digest:
  unsigned char *rout, *sig;
  size_t routlen, siglen;
  EVP_PKEY *verify_key;
- /* NB: assumes verify_key, sig and siglen are already set up
+ /*
+  * NB: assumes verify_key, sig and siglen are already set up
   * and that verify_key is an RSA public key
   */
  ctx = EVP_PKEY_CTX_new(verify_key);

doc/man3/PEM_read_bio_PrivateKey.pod

@@ -306,43 +306,38 @@ Read a certificate in PEM format from a BIO:
 
  X509 *x;
  x = PEM_read_bio_X509(bp, NULL, 0, NULL);
- if (x == NULL) {
+ if (x == NULL)
      /* Error */
- }
 
 Alternative method:
 
  X509 *x = NULL;
- if (!PEM_read_bio_X509(bp, &x, 0, NULL)) {
+ if (!PEM_read_bio_X509(bp, &x, 0, NULL))
      /* Error */
- }
 
 Write a certificate to a BIO:
 
- if (!PEM_write_bio_X509(bp, x)) {
+ if (!PEM_write_bio_X509(bp, x))
      /* Error */
- }
 
 Write a private key (using traditional format) to a BIO using
 triple DES encryption, the pass phrase is prompted for:
 
- if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, NULL)) {
+ if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, NULL))
      /* Error */
- }
 
 Write a private key (using PKCS#8 format) to a BIO using triple
 DES encryption, using the pass phrase "hello":
 
- if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, "hello")) {
+ if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(),
+                                    NULL, 0, 0, "hello"))
      /* Error */
- }
 
 Read a private key from a BIO using a pass phrase callback:
 
  key = PEM_read_bio_PrivateKey(bp, NULL, pass_cb, "My Private Key");
- if (key == NULL) {
+ if (key == NULL)
      /* Error */
- }
 
 Skeleton pass phrase callback:
 
@@ -432,9 +427,8 @@ The pseudo code to derive the key would look similar to:
 
  memcpy(iv, HexToBin("3F17F5316E2BAC89"), niv);
  rc = EVP_BytesToKey(cipher, md, iv /*salt*/, pword, plen, 1, key, NULL /*iv*/);
- if (rc != nkey) {
+ if (rc != nkey)
      /* Error */
- }
 
  /* On success, use key and iv to initialize the cipher */
 

doc/man3/RSA_set_method.pod

@@ -99,8 +99,7 @@ the default method is used.
      int (*rsa_priv_dec)(int flen, unsigned char *from,
                          unsigned char *to, RSA *rsa, int padding);
 
-     /* compute r0 = r0 ^ I mod rsa->n (May be NULL for some
-                                        implementations) */
+     /* compute r0 = r0 ^ I mod rsa->n (May be NULL for some implementations) */
      int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa);
 
      /* compute r = a ^ p mod m (May be NULL for some implementations) */
@@ -113,7 +112,8 @@ the default method is used.
      /* called at RSA_free */
      int (*finish)(RSA *rsa);
 
-     /* RSA_FLAG_EXT_PKEY        - rsa_mod_exp is called for private key
+     /*
+      * RSA_FLAG_EXT_PKEY        - rsa_mod_exp is called for private key
       *                            operations, even if p,q,dmp1,dmq1,iqmp
       *                            are NULL
       * RSA_METHOD_FLAG_NO_CHECK - don't check pub/private match

doc/man3/SSL_CTX_config.pod

@@ -41,15 +41,12 @@ If the file "config.cnf" contains the following:
 
  [test_sect]
  # list of confuration modules
-
  ssl_conf = ssl_sect
 
  [ssl_sect]
-
  server = server_section
 
  [server_section]
-
  RSA.Certificate = server-rsa.pem
  ECDSA.Certificate = server-ecdsa.pem
  Ciphers = ALL:!RC4

doc/man3/SSL_CTX_dane_enable.pod

@@ -199,15 +199,13 @@ the lifetime of the SSL connection.
  uint8_t usage, selector, mtype;
 
  if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL)
-    /* handle error */
+     /* error */
  if (SSL_CTX_dane_enable(ctx) <= 0)
-    /* handle error */
-
+     /* error */
  if ((ssl = SSL_new(ctx)) == NULL)
-    /* handle error */
-
+     /* error */
  if (SSL_dane_enable(ssl, dane_tlsa_domain) <= 0)
-    /* handle error */
+     /* error */
 
  /*
   * For many applications it is safe to skip DANE-EE(3) namechecks.  Do not
@@ -217,7 +215,7 @@ the lifetime of the SSL connection.
  SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
 
  if (!SSL_add1_host(ssl, nexthop_domain))
-    /* handle error */
+     /* error */
  SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 
  for (... each TLSA record ...) {

doc/man3/SSL_CTX_set_generate_session_id.pod

@@ -103,12 +103,10 @@ server id given, and will fill the rest with pseudo random bytes:
           * ID (ie. the prefix!) so all future session negotiations will
           * fail due to conflicts.
           */
-          memcpy(id, session_id_prefix,
-                 (strlen(session_id_prefix) < *id_len) ?
+         memcpy(id, session_id_prefix, strlen(session_id_prefix) < *id_len ?
                                        strlen(session_id_prefix) : *id_len);
-      }
-      while (SSL_has_matching_session_id(ssl, id, *id_len) &&
-              (++count < MAX_SESSION_ID_ATTEMPTS));
+     } while (SSL_has_matching_session_id(ssl, id, *id_len)
+               && ++count < MAX_SESSION_ID_ATTEMPTS);
      if (count >= MAX_SESSION_ID_ATTEMPTS)
          return 0;
      return 1;

doc/man3/SSL_CTX_set_info_callback.pod

@@ -112,33 +112,27 @@ about alerts being handled and error messages to the B<bio_err> BIO.
  void apps_ssl_info_callback(SSL *s, int where, int ret)
  {
      const char *str;
-        int w;
+     int w = where & ~SSL_ST_MASK;
 
-        w = where & ~SSL_ST_MASK;
+     if (w & SSL_ST_CONNECT)
+         str = "SSL_connect";
+     else if (w & SSL_ST_ACCEPT)
+         str = "SSL_accept";
+     else
+         str = "undefined";
 
-        if (w & SSL_ST_CONNECT) str = "SSL_connect";
-        else if (w & SSL_ST_ACCEPT) str = "SSL_accept";
-        else str = "undefined";
-
-        if (where & SSL_CB_LOOP)
-                {
+     if (where & SSL_CB_LOOP) {
          BIO_printf(bio_err, "%s:%s\n", str, SSL_state_string_long(s));
-                }
-        else if (where & SSL_CB_ALERT)
-                {
+     } else if (where & SSL_CB_ALERT) {
          str = (where & SSL_CB_READ) ? "read" : "write";
-                BIO_printf(bio_err, "SSL3 alert %s:%s:%s\n",
-                        str,
+         BIO_printf(bio_err, "SSL3 alert %s:%s:%s\n", str,
                     SSL_alert_type_string_long(ret),
                     SSL_alert_desc_string_long(ret));
-                }
-        else if (where & SSL_CB_EXIT)
-                {
-                if (ret == 0)
+     } else if (where & SSL_CB_EXIT) {
+         if (ret == 0) {
              BIO_printf(bio_err, "%s:failed in %s\n",
                         str, SSL_state_string_long(s));
-                else if (ret < 0)
-                        {
+         } else if (ret < 0) {
              BIO_printf(bio_err, "%s:error in %s\n",
                         str, SSL_state_string_long(s));
          }

doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod

@@ -124,23 +124,28 @@ enable an attacker to obtain the session keys.
 =head1 EXAMPLES
 
 Reference Implementation:
+
  SSL_CTX_set_tlsext_ticket_key_cb(SSL, ssl_tlsext_ticket_key_cb);
-  ....
+ ...
 
-  static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
+ static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16],
+                                     unsigned char *iv, EVP_CIPHER_CTX *ctx,
+                                     HMAC_CTX *hctx, int enc)
  {
      if (enc) { /* create new session */
-          if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) )
+         if (RAND_bytes(iv, EVP_MAX_IV_LENGTH))
              return -1; /* insufficient random */
 
          key = currentkey(); /* something that you need to implement */
-          if ( key == NULL ) {
+         if (key == NULL) {
              /* current key doesn't exist or isn't valid */
-              key = createkey();  /* something that you need to implement.
-                                   * createkey needs to initialise, a name,
+             key = createkey(); /*
+                                 * Something that you need to implement.
+                                 * createkey needs to initialise a name,
                                  * an aes_key, a hmac_key and optionally
-                                   * an expire time. */
-              if ( key == NULL )  /* key couldn't be created */
+                                 * an expire time.
+                                 */
+             if (key == NULL) /* key couldn't be created */
                  return 0;
          }
          memcpy(key_name, key->name, 16);
@@ -153,23 +158,23 @@ Reference Implementation:
      } else { /* retrieve session */
          key = findkey(name);
 
-          if (key == NULL || key->expire < now() )
+         if (key == NULL || key->expire < now())
              return 0;
 
          HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL);
-          EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv );
+         EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv);
 
-          if (key->expire < ( now() - RENEW_TIME ) )
-              /* return 2 - this session will get a new ticket even though the current is still valid */
+         if (key->expire < now() - RENEW_TIME) {
+             /*
+              * return 2 - This session will get a new ticket even though the
+              * current one is still valid.
+              */
              return 2;
-
+         }
          return 1;
-
      }
  }
 
-
-
 =head1 RETURN VALUES
 
 returns 0 to indicate the callback function was set.

doc/man3/SSL_CTX_set_tmp_dh_callback.pod

@@ -84,16 +84,14 @@ supply at least 2048-bit parameters in the callback.
 Setup DH parameters with a key length of 2048 bits. (Error handling
 partly left out.)
 
- Command-line parameter generation:
+Command-line parameter generation:
+
  $ openssl dhparam -out dh_param_2048.pem 2048
 
- Code for setting up parameters during server initialization:
+Code for setting up parameters during server initialization:
 
- ...
  SSL_CTX ctx = SSL_CTX_new();
- ...
 
- /* Set up ephemeral DH parameters. */
  DH *dh_2048 = NULL;
  FILE *paramfile;
  paramfile = fopen("dh_param_2048.pem", "r");
@@ -103,12 +101,10 @@ partly left out.)
  } else {
      /* Error. */
  }
- if (dh_2048 == NULL) {
+ if (dh_2048 == NULL)
      /* Error. */
- }
- if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) {
+ if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1)
      /* Error. */
- }
  ...
 
 =head1 RETURN VALUES

doc/man3/SSL_CTX_set_verify.pod

@@ -190,6 +190,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
    int always_continue;
  } mydata_t;
  int mydata_index;
+
  ...
  static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
  {
@@ -229,9 +230,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
      if (!preverify_ok) {
          printf("verify error:num=%d:%s:depth=%d:%s\n", err,
                 X509_verify_cert_error_string(err), depth, buf);
-    }
-    else if (mydata->verbose_mode)
-    {
+     } else if (mydata->verbose_mode) {
          printf("depth=%d:%s\n", depth, buf);
      }
 
@@ -239,8 +238,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
       * At this point, err contains the last verification error. We can use
       * it for something special
       */
-    if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT))
-    {
+     if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
          X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256);
          printf("issuer= %s\n", buf);
      }
@@ -258,7 +256,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
  mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL);
 
  ...
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
                     verify_callback);
 
  /*
@@ -276,10 +274,8 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
 
  ...
  SSL_accept(ssl);       /* check of success left out for clarity */
- if (peer = SSL_get_peer_certificate(ssl))
- {
-   if (SSL_get_verify_result(ssl) == X509_V_OK)
-   {
+ if (peer = SSL_get_peer_certificate(ssl)) {
+     if (SSL_get_verify_result(ssl) == X509_V_OK) {
          /* The client sent a certificate which verified OK */
      }
  }

doc/man3/SSL_load_client_CA_file.pod

@@ -35,7 +35,7 @@ Load names of CAs from file and use it as a client CA list:
  if (cert_names != NULL)
      SSL_CTX_set_client_CA_list(ctx, cert_names);
  else
-   error_handling();
+     /* error */
  ...
 
 =head1 RETURN VALUES

doc/man3/SSL_set1_host.pod

@@ -82,22 +82,19 @@ and must be copied by the application if it is to be retained beyond
 the lifetime of the SSL connection.
 
  SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-  if (!SSL_set1_host(ssl, "smtp.example.com")) {
-    /* handle error */
-  }
-  if (!SSL_add1_host(ssl, "example.com")) {
-    /* handle error */
-  }
+ if (!SSL_set1_host(ssl, "smtp.example.com"))
+     /* error */
+ if (!SSL_add1_host(ssl, "example.com"))
+     /* error */
 
  /* XXX: Perform SSL_connect() handshake and handle errors here */
 
  if (SSL_get_verify_result(ssl) == X509_V_OK) {
      const char *peername = SSL_get0_peername(ssl);
 
-      if (peername != NULL) {
+     if (peername != NULL)
          /* Name checks were in scope and matched the peername */
  }
-  }
 
 =head1 SEE ALSO
 

doc/man3/X509_NAME_get_index_by_NID.pod

@@ -75,8 +75,7 @@ Process all entries:
  int i;
  X509_NAME_ENTRY *e;
 
- for (i = 0; i < X509_NAME_entry_count(nm); i++)
-        {
+ for (i = 0; i < X509_NAME_entry_count(nm); i++) {
      e = X509_NAME_get_entry(nm, i);
      /* Do something with e */
  }
@@ -86,8 +85,7 @@ Process all commonName entries:
  int lastpos = -1;
  X509_NAME_ENTRY *e;
 
- for (;;)
-        {
+ for (;;) {
      lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos);
      if (lastpos == -1)
          break;

doc/man3/X509_STORE_CTX_set_verify_cb.pod

@@ -100,16 +100,14 @@ X509_STORE_CTX_set_verify_cb() does not return a value.
 
 Default callback operation:
 
- int verify_callback(int ok, X509_STORE_CTX *ctx)
-        {
+ int verify_callback(int ok, X509_STORE_CTX *ctx) {
      return ok;
  }
 
 Simple example, suppose a certificate in the chain is expired and we wish
 to continue after this error:
 
- int verify_callback(int ok, X509_STORE_CTX *ctx)
-        {
+ int verify_callback(int ok, X509_STORE_CTX *ctx) {
      /* Tolerate certificate expiration */
      if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
          return 1;
@@ -124,8 +122,7 @@ expired just one specific case:
  {
      int err = X509_STORE_CTX_get_error(ctx);
      X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
-        if (err == X509_V_ERR_CERT_HAS_EXPIRED)
-                {
+     if (err == X509_V_ERR_CERT_HAS_EXPIRED) {
          if (check_is_acceptable_expired_cert(err_cert)
              return 1;
      }
@@ -146,8 +143,7 @@ B<ex_data>.
      depth = X509_STORE_CTX_get_error_depth(ctx);
 
      BIO_printf(bio_err, "depth=%d ", depth);
-        if (err_cert)
-                {
+     if (err_cert) {
          X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
                             0, XN_FLAG_ONELINE);
          BIO_puts(bio_err, "\n");
@@ -157,8 +153,7 @@ B<ex_data>.
      if (!ok)
          BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
                     X509_verify_cert_error_string(err));
-        switch (err)
-                {
+     switch (err) {
      case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
          BIO_puts(bio_err, "issuer= ");
          X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),