[openssl-commits] [openssl] OpenSSL source code branch master updated. 1d97c8435171a7af575f73c526d79e1ef0ee5960

Matt Caswell matt at openssl.org
Tue Dec 30 22:34:43 UTC 2014


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  1d97c8435171a7af575f73c526d79e1ef0ee5960 (commit)
      from  aa8a9266f91ce05068c5bf7eab44263c99d366f3 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1d97c8435171a7af575f73c526d79e1ef0ee5960
Author: Tim Hudson <tjh at openssl.org>
Date:   Sun Dec 28 12:48:40 2014 +1000

    mark all block comments that need format preserving so that
    indent will not alter them when reformatting comments
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/asn1pars.c                     |    3 +-
 apps/ca.c                           |    3 +-
 apps/crl2p7.c                       |    3 +-
 apps/dh.c                           |    3 +-
 apps/dhparam.c                      |    3 +-
 apps/dsa.c                          |    3 +-
 apps/dsaparam.c                     |    3 +-
 apps/ec.c                           |    3 +-
 apps/ecparam.c                      |    3 +-
 apps/openssl.c                      |    3 +-
 apps/passwd.c                       |    3 +-
 apps/rand.c                         |    3 +-
 apps/req.c                          |    3 +-
 apps/rsa.c                          |    3 +-
 apps/s_socket.c                     |    2 +-
 apps/spkac.c                        |    3 +-
 apps/ts.c                           |    2 +-
 apps/vms_decc_init.c                |    2 +-
 crypto/aes/aes_core.c               |    2 +-
 crypto/aes/aes_x86core.c            |    4 +-
 crypto/asn1/a_sign.c                |    3 +-
 crypto/asn1/a_time.c                |    3 +-
 crypto/asn1/a_utf8.c                |    3 +-
 crypto/asn1/asn1.h                  |    3 +-
 crypto/asn1/asn1t.h                 |    6 +-
 crypto/asn1/x_attrib.c              |    3 +-
 crypto/asn1/x_req.c                 |    3 +-
 crypto/bf/blowfish.h                |    2 +-
 crypto/bio/b_print.c                |    2 +-
 crypto/bio/bio.h                    |    9 +-
 crypto/bio/bss_acpt.c               |    2 +-
 crypto/bio/bss_bio.c                |    6 +-
 crypto/bn/asm/x86_64-gcc.c          |    4 +-
 crypto/bn/bn_add.c                  |    6 +-
 crypto/bn/bn_div.c                  |    3 +-
 crypto/bn/bn_exp.c                  |    3 +-
 crypto/bn/bn_gcd.c                  |   31 +++--
 crypto/bn/bn_lcl.h                  |    5 +-
 crypto/bn/bn_lib.c                  |    3 +-
 crypto/bn/bn_mul.c                  |   33 +++--
 crypto/bn/bn_prime.c                |    6 +-
 crypto/bn/bn_recp.c                 |    3 +-
 crypto/bn/bn_sqr.c                  |    9 +-
 crypto/bn/bn_sqrt.c                 |   12 +-
 crypto/conf/conf_def.c              |    3 +-
 crypto/constant_time_locl.h         |    6 +-
 crypto/constant_time_test.c         |    2 +-
 crypto/crypto.h                     |    3 +-
 crypto/des/des_locl.h               |    3 +-
 crypto/des/des_old.h                |    3 +-
 crypto/des/destest.c                |    2 +-
 crypto/des/enc_read.c               |    2 +-
 crypto/des/enc_writ.c               |    2 +-
 crypto/des/ncbc_enc.c               |    2 +-
 crypto/des/rpc_des.h                |    2 +-
 crypto/des/set_key.c                |    5 +-
 crypto/dh/dh_check.c                |    3 +-
 crypto/dh/dh_gen.c                  |    3 +-
 crypto/dsa/dsa_ameth.c              |    3 +-
 crypto/dsa/dsa_asn1.c               |    3 +-
 crypto/dsa/dsa_ossl.c               |    3 +-
 crypto/dso/dso_vms.c                |    3 +-
 crypto/ec/ec.h                      |    2 +-
 crypto/ec/ec2_mult.c                |    9 +-
 crypto/ec/ec2_smpl.c                |    6 +-
 crypto/ec/ec_lcl.h                  |    3 +-
 crypto/ec/ec_mult.c                 |    6 +-
 crypto/ec/ecp_nistp224.c            |   33 +++--
 crypto/ec/ecp_nistp256.c            |   75 +++++++----
 crypto/ec/ecp_nistp521.c            |   78 +++++++----
 crypto/ec/ecp_nistputil.c           |    2 +-
 crypto/ec/ecp_smpl.c                |   12 +-
 crypto/ecdsa/ecs_vrf.c              |    6 +-
 crypto/engine/eng_all.c             |    2 +-
 crypto/engine/engine.h              |    8 +-
 crypto/evp/bio_enc.c                |    2 +-
 crypto/evp/bio_md.c                 |    2 +-
 crypto/evp/bio_ok.c                 |    2 +-
 crypto/evp/encode.c                 |    9 +-
 crypto/evp/evp.h                    |    2 +-
 crypto/evp/evp_locl.h               |    2 +-
 crypto/evp/p_seal.c                 |    2 +-
 crypto/idea/ideatest.c              |    2 +-
 crypto/jpake/jpake.c                |    8 +-
 crypto/jpake/jpaketest.c            |    4 +-
 crypto/krb5/krb5_asn.h              |  134 +++++++++----------
 crypto/lhash/lhash.c                |    3 +-
 crypto/md32_common.h                |    2 +-
 crypto/md4/md4.h                    |    2 +-
 crypto/modes/gcm128.c               |    2 +-
 crypto/o_time.c                     |    3 +-
 crypto/objects/objects.h            |    5 +-
 crypto/ocsp/ocsp.h                  |   38 +++---
 crypto/opensslv.h                   |    6 +-
 crypto/pkcs7/pkcs7.h                |    2 +-
 crypto/rand/rand_egd.c              |    2 +-
 crypto/rc2/rc2test.c                |    2 +-
 crypto/rc4/rc4_enc.c                |    4 +-
 crypto/rsa/rsa_pss.c                |    4 +-
 crypto/sha/sha.h                    |    2 +-
 crypto/sha/sha512.c                 |    2 +-
 crypto/stack/safestack.h            |    5 +-
 crypto/ts/ts.h                      |   20 +--
 crypto/ts/ts_rsp_verify.c           |    2 +-
 crypto/ui/ui.h                      |    6 +-
 crypto/whrlpool/wp_dgst.c           |    2 +-
 crypto/x509/x509.h                  |    2 +-
 crypto/x509/x509_lu.c               |    3 +-
 crypto/x509/x509_vfy.h              |    2 +-
 crypto/x509/x509_vpm.c              |    3 +-
 crypto/x509/x509name.c              |    6 +-
 crypto/x509v3/pcy_tree.c            |    3 +-
 crypto/x509v3/v3_ncons.c            |    4 +-
 crypto/x509v3/v3_purp.c             |    6 +-
 crypto/x509v3/v3_scts.c             |    6 +-
 crypto/x509v3/v3nametest.c          |    2 +-
 demos/asn1/ocsp.c                   |    3 +-
 demos/easy_tls/easy-tls.c           |    7 +-
 e_os.h                              |    3 +-
 e_os2.h                             |   58 +++++----
 engines/ccgost/gost89.c             |    3 +-
 engines/ccgost/gost_ctl.c           |    2 +-
 engines/ccgost/gost_keywrap.c       |    7 +-
 engines/ccgost/gost_keywrap.h       |    7 +-
 engines/ccgost/gost_sign.c          |    4 +-
 engines/e_chil.c                    |    3 +-
 engines/e_gmp.c                     |    3 +-
 engines/e_padlock.c                 |    2 +-
 engines/vendor_defns/hwcryptohook.h |   62 ++++++---
 engines/vendor_defns/sureware.h     |   67 +++++-----
 ms/tlhelp32.h                       |    2 +-
 ssl/d1_both.c                       |   11 +-
 ssl/d1_pkt.c                        |   15 ++-
 ssl/heartbeat_test.c                |    2 +-
 ssl/kssl.c                          |  245 ++++++++++++++++++-----------------
 ssl/kssl.h                          |   22 ++--
 ssl/s23_srvr.c                      |    3 +-
 ssl/s3_both.c                       |    3 +-
 ssl/s3_cbc.c                        |   21 ++-
 ssl/s3_clnt.c                       |   56 ++++----
 ssl/s3_pkt.c                        |   27 ++--
 ssl/s3_srvr.c                       |   25 ++--
 ssl/ssl.h                           |   11 +-
 ssl/ssl_ciph.c                      |   14 +-
 ssl/ssl_locl.h                      |   11 +-
 ssl/ssl_sess.c                      |    2 +-
 ssl/ssl_task.c                      |    4 +-
 ssl/ssltest.c                       |   20 +--
 ssl/t1_lib.c                        |  106 ++++++++-------
 test/methtest.c                     |    2 +-
 test/testutil.c                     |    2 +-
 test/testutil.h                     |    5 +-
 152 files changed, 971 insertions(+), 704 deletions(-)

diff --git a/apps/asn1pars.c b/apps/asn1pars.c
index 42f37d7..f07d8b6 100644
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -69,7 +69,8 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 
-/* -inform arg	- input format - default PEM (DER or PEM)
+/*-
+ * -inform arg	- input format - default PEM (DER or PEM)
  * -in arg	- input file - default stdin
  * -i		- indent the details by depth
  * -offset	- where in the file to start
diff --git a/apps/ca.c b/apps/ca.c
index baa6a90..6e8fa27 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -2829,7 +2829,8 @@ char *make_revocation_str(int rev_type, char *rev_arg)
 	return str;
 	}
 
-/* Convert revocation field to X509_REVOKED entry 
+/*-
+ * Convert revocation field to X509_REVOKED entry 
  * return code:
  * 0 error
  * 1 OK
diff --git a/apps/crl2p7.c b/apps/crl2p7.c
index 42c6886..ce78e76 100644
--- a/apps/crl2p7.c
+++ b/apps/crl2p7.c
@@ -75,7 +75,8 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile);
 #undef PROG
 #define PROG	crl2pkcs7_main
 
-/* -inform arg	- input format - default PEM (DER or PEM)
+/*-
+ * -inform arg	- input format - default PEM (DER or PEM)
  * -outform arg - output format - default PEM
  * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
diff --git a/apps/dh.c b/apps/dh.c
index dee9c01..26107b8 100644
--- a/apps/dh.c
+++ b/apps/dh.c
@@ -74,7 +74,8 @@
 #undef PROG
 #define PROG	dh_main
 
-/* -inform arg	- input format - default PEM (DER or PEM)
+/*-
+ * -inform arg	- input format - default PEM (DER or PEM)
  * -outform arg - output format - default PEM
  * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
diff --git a/apps/dhparam.c b/apps/dhparam.c
index 1127d10..7982222 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -132,7 +132,8 @@
 
 #define DEFBITS	2048
 
-/* -inform arg	- input format - default PEM (DER or PEM)
+/*-
+ * -inform arg	- input format - default PEM (DER or PEM)
  * -outform arg - output format - default PEM
  * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
diff --git a/apps/dsa.c b/apps/dsa.c
index 5222487..03599be 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -74,7 +74,8 @@
 #undef PROG
 #define PROG	dsa_main
 
-/* -inform arg	- input format - default PEM (one of DER, NET or PEM)
+/*-
+ * -inform arg	- input format - default PEM (one of DER, NET or PEM)
  * -outform arg - output format - default PEM
  * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index fcbd794..a922335 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -75,7 +75,8 @@
 #undef PROG
 #define PROG	dsaparam_main
 
-/* -inform arg	- input format - default PEM (DER or PEM)
+/*-
+ * -inform arg	- input format - default PEM (DER or PEM)
  * -outform arg - output format - default PEM
  * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
diff --git a/apps/ec.c b/apps/ec.c
index 896eabc..ec560aa 100644
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -70,7 +70,8 @@
 #undef PROG
 #define PROG	ec_main
 
-/* -inform arg    - input format - default PEM (one of DER, NET or PEM)
+/*-
+ * -inform arg    - input format - default PEM (one of DER, NET or PEM)
  * -outform arg   - output format - default PEM
  * -in arg        - input file - default stdin
  * -out arg       - output file - default stdout
diff --git a/apps/ecparam.c b/apps/ecparam.c
index de4e46f..4f6a654 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -87,7 +87,8 @@
 #undef PROG
 #define PROG	ecparam_main
 
-/* -inform arg      - input format - default PEM (DER or PEM)
+/*-
+ * -inform arg      - input format - default PEM (DER or PEM)
  * -outform arg     - output format - default PEM
  * -in  arg         - input file  - default stdin
  * -out arg         - output file - default stdout
diff --git a/apps/openssl.c b/apps/openssl.c
index 5372459..7453e65 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -238,7 +238,8 @@ int main(int Argc, char *ARGV[])
 	long errline;
 
 #if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64)
-	/* 2011-03-22 SMS.
+	/*- 
+	 * 2011-03-22 SMS.
 	 * If we have 32-bit pointers everywhere, then we're safe, and
 	 * we bypass this mess, as on non-VMS systems.  (See ARGV,
 	 * above.)
diff --git a/apps/passwd.c b/apps/passwd.c
index 9ca25dd..8e65ed7 100644
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -43,7 +43,8 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	char *passwd, BIO *out, int quiet, int table, int reverse,
 	size_t pw_maxlen, int usecrypt, int use1, int useapr1);
 
-/* -crypt        - standard Unix password algorithm (default)
+/*-
+ * -crypt        - standard Unix password algorithm (default)
  * -1            - MD5-based password algorithm
  * -apr1         - MD5-based password algorithm, Apache variant
  * -salt string  - salt
diff --git a/apps/rand.c b/apps/rand.c
index 790e795..dc93159 100644
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -66,7 +66,8 @@
 #undef PROG
 #define PROG rand_main
 
-/* -out file         - write to file
+/*-
+ * -out file         - write to file
  * -rand file:file   - PRNG seed files
  * -base64           - base64 encode output
  * -hex              - hex encode output
diff --git a/apps/req.c b/apps/req.c
index a69915f..cc1b631 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -99,7 +99,8 @@
 #undef PROG
 #define PROG	req_main
 
-/* -inform arg	- input format - default PEM (DER or PEM)
+/*-
+ * -inform arg	- input format - default PEM (DER or PEM)
  * -outform arg - output format - default PEM
  * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
diff --git a/apps/rsa.c b/apps/rsa.c
index a17708f..4443d74 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -74,7 +74,8 @@
 #undef PROG
 #define PROG	rsa_main
 
-/* -inform arg	- input format - default PEM (one of DER, NET or PEM)
+/*-
+ * -inform arg	- input format - default PEM (one of DER, NET or PEM)
  * -outform arg - output format - default PEM
  * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
diff --git a/apps/s_socket.c b/apps/s_socket.c
index 7edef15..f44050d 100644
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -532,7 +532,7 @@ redoit:
 		return(0);
 		}
 
-/*
+/*-
 	ling.l_onoff=1;
 	ling.l_linger=0;
 	i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
diff --git a/apps/spkac.c b/apps/spkac.c
index 0e01ea9..149db17 100644
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -73,7 +73,8 @@
 #undef PROG
 #define PROG	spkac_main
 
-/* -in arg	- input file - default stdin
+/*-
+ * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
  */
 
diff --git a/apps/ts.c b/apps/ts.c
index ae7604c..ace13bd 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -1130,7 +1130,7 @@ static X509_STORE *create_cert_store(char *ca_path, char *ca_file)
 
 static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx)
 	{
-	/*
+	/*-
 	char buf[256];
 
 	if (!ok)
diff --git a/apps/vms_decc_init.c b/apps/vms_decc_init.c
index f512c8f..1130ae4 100755
--- a/apps/vms_decc_init.c
+++ b/apps/vms_decc_init.c
@@ -5,7 +5,7 @@
 
 #ifdef USE_DECC_INIT
 
-/*
+/*-
  * 2010-04-26 SMS.
  *
  *----------------------------------------------------------------------
diff --git a/crypto/aes/aes_core.c b/crypto/aes/aes_core.c
index ba90952..de44a58 100644
--- a/crypto/aes/aes_core.c
+++ b/crypto/aes/aes_core.c
@@ -41,7 +41,7 @@
 #include "aes_locl.h"
 
 #ifndef AES_ASM
-/*
+/*-
 Te0[x] = S [x].[02, 01, 01, 03];
 Te1[x] = S [x].[03, 02, 01, 01];
 Te2[x] = S [x].[01, 03, 02, 01];
diff --git a/crypto/aes/aes_x86core.c b/crypto/aes/aes_x86core.c
index e438580..41d3251 100644
--- a/crypto/aes/aes_x86core.c
+++ b/crypto/aes/aes_x86core.c
@@ -105,7 +105,7 @@ typedef unsigned long long u64;
 			})
 # endif
 #endif
-/*
+/*-
 Te [x] = S [x].[02, 01, 01, 03, 02, 01, 01, 03];
 Te0[x] = S [x].[02, 01, 01, 03];
 Te1[x] = S [x].[03, 02, 01, 01];
@@ -116,7 +116,7 @@ Te3[x] = S [x].[01, 01, 03, 02];
 #define Te1 (u32)((u64*)((u8*)Te+3))
 #define Te2 (u32)((u64*)((u8*)Te+2))
 #define Te3 (u32)((u64*)((u8*)Te+1))
-/*
+/*-
 Td [x] = Si[x].[0e, 09, 0d, 0b, 0e, 09, 0d, 0b];
 Td0[x] = Si[x].[0e, 09, 0d, 0b];
 Td1[x] = Si[x].[0b, 0e, 09, 0d];
diff --git a/crypto/asn1/a_sign.c b/crypto/asn1/a_sign.c
index 7b4a193..2f7c790 100644
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -254,7 +254,8 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
 						signature);
 		if (rv == 1)
 			outl = signature->length;
-		/* Return value meanings:
+		/*-
+		 * Return value meanings:
 		 * <=0: error.
 		 *   1: method does everything.
 		 *   2: carry on as normal.
diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c
index 7036868..311e066 100644
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -54,7 +54,8 @@
  */
 
 
-/* This is an implementation of the ASN1 Time structure which is:
+/*-
+ * This is an implementation of the ASN1 Time structure which is:
  *    Time ::= CHOICE {
  *      utcTime        UTCTime,
  *      generalTime    GeneralizedTime }
diff --git a/crypto/asn1/a_utf8.c b/crypto/asn1/a_utf8.c
index 508e11e..2105306 100644
--- a/crypto/asn1/a_utf8.c
+++ b/crypto/asn1/a_utf8.c
@@ -63,7 +63,8 @@
 
 /* UTF8 utilities */
 
-/* This parses a UTF8 string one character at a time. It is passed a pointer
+/*-
+ * This parses a UTF8 string one character at a time. It is passed a pointer
  * to the string and the length of the string. It sets 'value' to the value of
  * the current character. It returns the number of characters read or a
  * negative error code:
diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index 68be533..fc87e0c 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -367,7 +367,8 @@ typedef struct ASN1_VALUE_st ASN1_VALUE;
 
 TYPEDEF_D2I2D_OF(void);
 
-/* The following macros and typedefs allow an ASN1_ITEM
+/*-
+ * The following macros and typedefs allow an ASN1_ITEM
  * to be embedded in a structure and referenced. Since
  * the ASN1_ITEM pointers need to be globally accessible
  * (possibly from shared libraries) they may exist in
diff --git a/crypto/asn1/asn1t.h b/crypto/asn1/asn1t.h
index d230e4b..47502a6 100644
--- a/crypto/asn1/asn1t.h
+++ b/crypto/asn1/asn1t.h
@@ -129,7 +129,8 @@ extern "C" {
 
 /* This is a ASN1 type which just embeds a template */
  
-/* This pair helps declare a SEQUENCE. We can do:
+/*- 
+ * This pair helps declare a SEQUENCE. We can do:
  *
  * 	ASN1_SEQUENCE(stname) = {
  * 		... SEQUENCE components ...
@@ -231,7 +232,8 @@ extern "C" {
 	ASN1_ITEM_end(tname)
 
 
-/* This pair helps declare a CHOICE type. We can do:
+/*-
+ * This pair helps declare a CHOICE type. We can do:
  *
  * 	ASN1_CHOICE(chname) = {
  * 		... CHOICE options ...
diff --git a/crypto/asn1/x_attrib.c b/crypto/asn1/x_attrib.c
index 1e3713f..04ae991 100644
--- a/crypto/asn1/x_attrib.c
+++ b/crypto/asn1/x_attrib.c
@@ -62,7 +62,8 @@
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
 
-/* X509_ATTRIBUTE: this has the following form:
+/*-
+ * X509_ATTRIBUTE: this has the following form:
  *
  * typedef struct x509_attributes_st
  *	{
diff --git a/crypto/asn1/x_req.c b/crypto/asn1/x_req.c
index d575558..529899a 100644
--- a/crypto/asn1/x_req.c
+++ b/crypto/asn1/x_req.c
@@ -61,7 +61,8 @@
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
 
-/* X509_REQ_INFO is handled in an unusual way to get round
+/*-
+ * X509_REQ_INFO is handled in an unusual way to get round
  * invalid encodings. Some broken certificate requests don't
  * encode the attributes field if it is empty. This is in
  * violation of PKCS#10 but we need to tolerate it. We do
diff --git a/crypto/bf/blowfish.h b/crypto/bf/blowfish.h
index b97e76f..50787ed 100644
--- a/crypto/bf/blowfish.h
+++ b/crypto/bf/blowfish.h
@@ -72,7 +72,7 @@ extern "C" {
 #define BF_ENCRYPT	1
 #define BF_DECRYPT	0
 
-/*
+/*-
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  * ! BF_LONG has to be at least 32 bits wide. If it's wider, then !
  * ! BF_LONG_LOG2 has to be defined along.                        !
diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index 143a7cf..bde51d8 100644
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -94,7 +94,7 @@
  * on all source code distributions.
  */
 
-/*
+/*-
  * This code contains numerious changes and enhancements which were
  * made by lots of contributors over the last years to Patrick Powell's
  * original code:
diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h
index 122ec04..3ea44ab 100644
--- a/crypto/bio/bio.h
+++ b/crypto/bio/bio.h
@@ -218,7 +218,8 @@ extern "C" {
 #define BIO_GHBN_CTRL_FLUSH		5
 
 /* Mostly used in the SSL BIO */
-/* Not used anymore
+/*-
+ * Not used anymore
  * #define BIO_FLAGS_PROTOCOL_DELAYED_READ 0x10
  * #define BIO_FLAGS_PROTOCOL_DELAYED_WRITE 0x20
  * #define BIO_FLAGS_PROTOCOL_STARTUP	0x40
@@ -336,7 +337,8 @@ DECLARE_STACK_OF(BIO)
 
 typedef struct bio_f_buffer_ctx_struct
 	{
-	/* Buffers are setup like this:
+	/*-
+	 * Buffers are setup like this:
 	 *
 	 * <---------------------- size ----------------------->
 	 * +---------------------------------------------------+
@@ -715,7 +717,8 @@ int BIO_hex_string(BIO *out, int indent, int width, unsigned char *data,
 		   int datalen);
 
 struct hostent *BIO_gethostbyname(const char *name);
-/* We might want a thread-safe interface too:
+/*-
+ * We might want a thread-safe interface too:
  * struct hostent *BIO_gethostbyname_r(const char *name,
  *     struct hostent *result, void *buffer, size_t buflen);
  * or something similar (caller allocates a struct hostent,
diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c
index 4110ff1..0237c0f 100644
--- a/crypto/bio/bss_acpt.c
+++ b/crypto/bio/bss_acpt.c
@@ -436,7 +436,7 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
 		ret=(long)data->bind_mode;
 		break;
 	case BIO_CTRL_DUP:
-/*		dbio=(BIO *)ptr;
+/*-		dbio=(BIO *)ptr;
 		if (data->param_port) EAY EAY
 			BIO_set_port(dbio,data->param_port);
 		if (data->param_hostname)
diff --git a/crypto/bio/bss_bio.c b/crypto/bio/bss_bio.c
index 52ef0eb..6d86587 100644
--- a/crypto/bio/bss_bio.c
+++ b/crypto/bio/bss_bio.c
@@ -269,7 +269,8 @@ static int bio_read(BIO *bio, char *buf, int size_)
 	return size;
 	}
 
-/* non-copying interface: provide pointer to available data in buffer
+/*-
+ * non-copying interface: provide pointer to available data in buffer
  *    bio_nread0:  return number of available bytes
  *    bio_nread:   also advance index
  * (example usage:  bio_nread0(), read from buffer, bio_nread()
@@ -422,7 +423,8 @@ static int bio_write(BIO *bio, const char *buf, int num_)
 	return num;
 	}
 
-/* non-copying interface: provide pointer to region to write to
+/*-
+ * non-copying interface: provide pointer to region to write to
  *   bio_nwrite0:  check how much space is available
  *   bio_nwrite:   also increase length
  * (example usage:  bio_nwrite0(), write to buffer, bio_nwrite()
diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c
index 7d97c0b..c6d12f4 100644
--- a/crypto/bn/asm/x86_64-gcc.c
+++ b/crypto/bn/asm/x86_64-gcc.c
@@ -2,7 +2,7 @@
 #if !(defined(__GNUC__) && __GNUC__>=2)
 # include "../bn_asm.c"	/* kind of dirty hack for Sun Studio */
 #else
-/*
+/*-
  * x86_64 BIGNUM accelerator version 0.1, December 2002.
  *
  * Implemented by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
@@ -64,7 +64,7 @@
 #undef mul
 #undef mul_add
 
-/*
+/*-
  * "m"(a), "+m"(r)	is the way to favor DirectPath µ-code;
  * "g"(0)		let the compiler to decide where does it
  *			want to keep the value of zero;
diff --git a/crypto/bn/bn_add.c b/crypto/bn/bn_add.c
index 659e1d2..2584234 100644
--- a/crypto/bn/bn_add.c
+++ b/crypto/bn/bn_add.c
@@ -70,7 +70,8 @@ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	bn_check_top(a);
 	bn_check_top(b);
 
-	/*  a +  b	a+b
+	/*-
+	 *  a +  b	a+b
 	 *  a + -b	a-b
 	 * -a +  b	b-a
 	 * -a + -b	-(a+b)
@@ -266,7 +267,8 @@ int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	bn_check_top(a);
 	bn_check_top(b);
 
-	/*  a -  b	a-b
+	/*-
+	 *  a -  b	a-b
 	 *  a - -b	a+b
 	 * -a -  b	-(a+b)
 	 * -a - -b	b-a
diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index 1b5c29c..da6b4cf 100644
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -172,7 +172,8 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
 #endif /* OPENSSL_NO_ASM */
 
 
-/* BN_div computes  dv := num / divisor,  rounding towards
+/*-
+ * BN_div computes  dv := num / divisor,  rounding towards
  * zero, and sets up rm  such that  dv*divisor + rm = num  holds.
  * Thus:
  *     dv->neg == num->neg ^ divisor->neg  (unless the result is zero)
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 3a1941a..45760a8 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -200,7 +200,8 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	bn_check_top(p);
 	bn_check_top(m);
 
-	/* For even modulus  m = 2^k*m_odd,  it might make sense to compute
+	/*-
+	 * For even modulus  m = 2^k*m_odd,  it might make sense to compute
 	 * a^p mod m_odd  and  a^p mod 2^k  separately (with Montgomery
 	 * exponentiation for the odd part), using appropriate exponent
 	 * reductions, and combine the results using the CRT.
diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c
index 63a77d2..233e3f5 100644
--- a/crypto/bn/bn_gcd.c
+++ b/crypto/bn/bn_gcd.c
@@ -263,7 +263,8 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
 		if (!BN_nnmod(B, B, A, ctx)) goto err;
 		}
 	sign = -1;
-	/* From  B = a mod |n|,  A = |n|  it follows that
+	/*-
+	 * From  B = a mod |n|,  A = |n|  it follows that
 	 *
 	 *      0 <= B < A,
 	 *     -sign*X*a  ==  B   (mod |n|),
@@ -280,7 +281,7 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
 		
 		while (!BN_is_zero(B))
 			{
-			/*
+			/*-
 			 *      0 < B < |n|,
 			 *      0 < A <= |n|,
 			 * (1) -sign*X*a  ==  B   (mod |n|),
@@ -327,7 +328,8 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
 				}
 
 			
-			/* We still have (1) and (2).
+			/*-
+			 * We still have (1) and (2).
 			 * Both  A  and  B  are odd.
 			 * The following computations ensure that
 			 *
@@ -363,7 +365,7 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
 			{
 			BIGNUM *tmp;
 			
-			/*
+			/*-
 			 *      0 < B < A,
 			 * (*) -sign*X*a  ==  B   (mod |n|),
 			 *      sign*Y*a  ==  A   (mod |n|)
@@ -410,7 +412,8 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
 				if (!BN_div(D,M,A,B,ctx)) goto err;
 				}
 			
-			/* Now
+			/*-
+			 * Now
 			 *      A = D*B + M;
 			 * thus we have
 			 * (**)  sign*Y*a  ==  D*B + M   (mod |n|).
@@ -423,7 +426,8 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
 			B=M;
 			/* ... so we have  0 <= B < A  again */
 			
-			/* Since the former  M  is now  B  and the former  B  is now  A,
+			/*-
+			 * Since the former  M  is now  B  and the former  B  is now  A,
 			 * (**) translates into
 			 *       sign*Y*a  ==  D*A + B    (mod |n|),
 			 * i.e.
@@ -476,7 +480,7 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
 			}
 		}
 		
-	/*
+	/*-
 	 * The while loop (Euclid's algorithm) ends when
 	 *      A == gcd(a,n);
 	 * we have
@@ -565,7 +569,8 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
 		if (!BN_nnmod(B, pB, A, ctx)) goto err;
 		}
 	sign = -1;
-	/* From  B = a mod |n|,  A = |n|  it follows that
+	/*-
+	 * From  B = a mod |n|,  A = |n|  it follows that
 	 *
 	 *      0 <= B < A,
 	 *     -sign*X*a  ==  B   (mod |n|),
@@ -576,7 +581,7 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
 		{
 		BIGNUM *tmp;
 		
-		/*
+		/*-
 		 *      0 < B < A,
 		 * (*) -sign*X*a  ==  B   (mod |n|),
 		 *      sign*Y*a  ==  A   (mod |n|)
@@ -591,7 +596,8 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
 		/* (D, M) := (A/B, A%B) ... */		
 		if (!BN_div(D,M,pA,B,ctx)) goto err;
 		
-		/* Now
+		/*-
+		 * Now
 		 *      A = D*B + M;
 		 * thus we have
 		 * (**)  sign*Y*a  ==  D*B + M   (mod |n|).
@@ -604,7 +610,8 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
 		B=M;
 		/* ... so we have  0 <= B < A  again */
 		
-		/* Since the former  M  is now  B  and the former  B  is now  A,
+		/*-
+		 * Since the former  M  is now  B  and the former  B  is now  A,
 		 * (**) translates into
 		 *       sign*Y*a  ==  D*A + B    (mod |n|),
 		 * i.e.
@@ -632,7 +639,7 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
 		sign = -sign;
 		}
 		
-	/*
+	/*-
 	 * The while loop (Euclid's algorithm) ends when
 	 *      A == gcd(a,n);
 	 * we have
diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h
index 260f67b..993579e 100644
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -118,7 +118,8 @@
 extern "C" {
 #endif
 
-/* Bignum consistency macros
+/*-
+ * Bignum consistency macros
  * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from
  * bignum data after direct manipulations on the data. There is also an
  * "internal" macro, bn_check_top(), for verifying that there are no leading
@@ -268,7 +269,7 @@ struct bn_gencb_st
 	};
 
 
-/*
+/*-
  * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
  *
  *
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index f0b449d..886de0d 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -72,7 +72,8 @@ const char BN_version[]="Big Number" OPENSSL_VERSION_PTEXT;
 
 /* This stuff appears to be completely unused, so is deprecated */
 #ifndef OPENSSL_NO_DEPRECATED
-/* For a 32 bit machine
+/*-
+ * For a 32 bit machine
  * 2 -   4 ==  128
  * 3 -   8 ==  256
  * 4 -  16 ==  512
diff --git a/crypto/bn/bn_mul.c b/crypto/bn/bn_mul.c
index dde0919..a98e607 100644
--- a/crypto/bn/bn_mul.c
+++ b/crypto/bn/bn_mul.c
@@ -348,7 +348,8 @@ BN_ULONG bn_add_part_words(BN_ULONG *r,
 /* Karatsuba recursive multiplication algorithm
  * (cf. Knuth, The Art of Computer Programming, Vol. 2) */
 
-/* r is 2*n2 words in size,
+/*-
+ * r is 2*n2 words in size,
  * a and b are both n2 words in size.
  * n2 must be a power of 2.
  * We multiply and return the result.
@@ -466,7 +467,8 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 		bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,dna,dnb,p);
 		}
 
-	/* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
+	/*-
+	 * t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
 	 * r[10] holds (a[0]*b[0])
 	 * r[32] holds (b[1]*b[1])
 	 */
@@ -483,7 +485,8 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 		c1+=(int)(bn_add_words(&(t[n2]),&(t[n2]),t,n2));
 		}
 
-	/* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
+	/*-
+	 * t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
 	 * r[10] holds (a[0]*b[0])
 	 * r[32] holds (b[1]*b[1])
 	 * c1 holds the carry bits
@@ -638,7 +641,8 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
 			}
 		}
 
-	/* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
+	/*-
+	 * t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
 	 * r[10] holds (a[0]*b[0])
 	 * r[32] holds (b[1]*b[1])
 	 */
@@ -655,7 +659,8 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
 		c1+=(int)(bn_add_words(&(t[n2]),&(t[n2]),t,n2));
 		}
 
-	/* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
+	/*-
+	 * t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
 	 * r[10] holds (a[0]*b[0])
 	 * r[32] holds (b[1]*b[1])
 	 * c1 holds the carry bits
@@ -682,7 +687,8 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
 		}
 	}
 
-/* a and b must be the same size, which is n2.
+/*-
+ * a and b must be the same size, which is n2.
  * r needs to be n2 words and t needs to be n2*2
  */
 void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
@@ -707,7 +713,8 @@ void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 		}
 	}
 
-/* a and b must be the same size, which is n2.
+/*-
+ * a and b must be the same size, which is n2.
  * r needs to be n2 words and t needs to be n2*2
  * l is the low words of the output.
  * t needs to be n2*3
@@ -775,7 +782,8 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
 		bn_mul_recursive(r,&(a[n]),&(b[n]),n,0,0,&(t[n2]));
 		}
 
-	/* s0 == low(al*bl)
+	/*-
+	 * s0 == low(al*bl)
 	 * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
 	 * We know s0 and s1 so the only unknown is high(al*bl)
 	 * high(al*bl) == s1 - low(ah*bh+s0+(al-ah)*(bh-bl))
@@ -812,16 +820,19 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
 			lp[i]=((~mp[i])+1)&BN_MASK2;
 		}
 
-	/* s[0] = low(al*bl)
+	/*-
+	 * s[0] = low(al*bl)
 	 * t[3] = high(al*bl)
 	 * t[10] = (a[0]-a[1])*(b[1]-b[0]) neg is the sign
 	 * r[10] = (a[1]*b[1])
 	 */
-	/* R[10] = al*bl
+	/*-
+	 * R[10] = al*bl
 	 * R[21] = al*bl + ah*bh + (a[0]-a[1])*(b[1]-b[0])
 	 * R[32] = ah*bh
 	 */
-	/* R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow)
+	/*-
+	 * R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow)
 	 * R[2]=r[0]+t[3]+r[1](+-)t[1] (have carry/borrow)
 	 * R[3]=r[1]+(carry/borrow)
 	 */
diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
index 2d66b61..9f39005 100644
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
@@ -524,7 +524,8 @@ loop:
 		{
 		BN_ULONG rnd_word = BN_get_word(rnd);
 
-		/* In the case that the candidate prime is a single word then
+		/*-
+		 * In the case that the candidate prime is a single word then
 		 * we check that:
 		 *   1) It's greater than primes[i] because we shouldn't reject
 		 *      3 as being a prime number because it's a multiple of
@@ -532,7 +533,8 @@ loop:
 		 *   2) That it's not a multiple of a known prime. We don't
 		 *      check that rnd-1 is also coprime to all the known
 		 *      primes because there aren't many small primes where
-		 *      that's true. */
+		 *      that's true. 
+		 */
 		for (i=1; i<NUMPRIMES && primes[i]<rnd_word; i++)
 			{
 			if ((mods[i]+delta)%primes[i] == 0)
diff --git a/crypto/bn/bn_recp.c b/crypto/bn/bn_recp.c
index f99e1b4..372a01f 100644
--- a/crypto/bn/bn_recp.c
+++ b/crypto/bn/bn_recp.c
@@ -172,7 +172,8 @@ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
 			i,ctx); /* BN_reciprocal returns i, or -1 for an error */
 	if (recp->shift == -1) goto err;
 
-	/* d := |round(round(m / 2^BN_num_bits(N)) * recp->Nr / 2^(i - BN_num_bits(N)))|
+	/*-
+	 * d := |round(round(m / 2^BN_num_bits(N)) * recp->Nr / 2^(i - BN_num_bits(N)))|
 	 *    = |round(round(m / 2^BN_num_bits(N)) * round(2^i / N) / 2^(i - BN_num_bits(N)))|
 	 *   <= |(m / 2^BN_num_bits(N)) * (2^i / N) * (2^BN_num_bits(N) / 2^i)|
 	 *    = |m/N|
diff --git a/crypto/bn/bn_sqr.c b/crypto/bn/bn_sqr.c
index 74d7df6..57da1e4 100644
--- a/crypto/bn/bn_sqr.c
+++ b/crypto/bn/bn_sqr.c
@@ -190,7 +190,8 @@ void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp)
 	}
 
 #ifdef BN_RECURSION
-/* r is 2*n words in size,
+/*-
+ * r is 2*n words in size,
  * a and b are both n words in size.    (There's not actually a 'b' here ...)
  * n must be a power of 2.
  * We multiply and return the result.
@@ -249,7 +250,8 @@ void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t)
 	bn_sqr_recursive(r,a,n,p);
 	bn_sqr_recursive(&(r[n2]),&(a[n]),n,p);
 
-	/* t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
+	/*-
+	 * t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
 	 * r[10] holds (a[0]*b[0])
 	 * r[32] holds (b[1]*b[1])
 	 */
@@ -259,7 +261,8 @@ void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t)
 	/* t[32] is negative */
 	c1-=(int)(bn_sub_words(&(t[n2]),t,&(t[n2]),n2));
 
-	/* t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
+	/*-
+	 * t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
 	 * r[10] holds (a[0]*a[0])
 	 * r[32] holds (a[1]*a[1])
 	 * c1 holds the carry bits
diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
index 6beaf9e..04cf4a0 100644
--- a/crypto/bn/bn_sqrt.c
+++ b/crypto/bn/bn_sqrt.c
@@ -135,7 +135,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 
 	if (e == 1)
 		{
-		/* The easy case:  (|p|-1)/2  is odd, so 2 has an inverse
+		/*-
+		 * The easy case:  (|p|-1)/2  is odd, so 2 has an inverse
 		 * modulo  (|p|-1)/2,  and square roots can be computed
 		 * directly by modular exponentiation.
 		 * We have
@@ -152,7 +153,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 	
 	if (e == 2)
 		{
-		/* |p| == 5  (mod 8)
+		/*-
+		 * |p| == 5  (mod 8)
 		 *
 		 * In this case  2  is always a non-square since
 		 * Legendre(2,p) = (-1)^((p^2-1)/8)  for any odd prime.
@@ -262,7 +264,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 		goto end;
 		}
 
-	/* Now we know that (if  p  is indeed prime) there is an integer
+	/*-
+	 * Now we know that (if  p  is indeed prime) there is an integer
 	 * k,  0 <= k < 2^e,  such that
 	 *
 	 *      a^q * y^k == 1   (mod p).
@@ -318,7 +321,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 
 	while (1)
 		{
-		/* Now  b  is  a^q * y^k  for some even  k  (0 <= k < 2^E
+		/*- 
+		 * Now  b  is  a^q * y^k  for some even  k  (0 <= k < 2^E
 		 * where  E  refers to the original value of  e,  which we
 		 * don't keep in a variable),  and  x  is  a^((q+1)/2) * y^(k/2).
 		 *
diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c
index ff55876..7204c09 100644
--- a/crypto/conf/conf_def.c
+++ b/crypto/conf/conf_def.c
@@ -601,7 +601,8 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
 					}
 				e++;
 				}
-			/* So at this point we have
+			/*-
+			 * So at this point we have
 			 * np which is the start of the name string which is
 			 *   '\0' terminated. 
 			 * cp which is the start of the section string which is
diff --git a/crypto/constant_time_locl.h b/crypto/constant_time_locl.h
index 8af98c1..6410ca7 100644
--- a/crypto/constant_time_locl.h
+++ b/crypto/constant_time_locl.h
@@ -1,5 +1,5 @@
 /* crypto/constant_time_locl.h */
-/*
+/*-
  * Utilities for constant-time cryptography.
  *
  * Author: Emilia Kasper (emilia at openssl.org)
@@ -53,7 +53,7 @@
 extern "C" {
 #endif
 
-/*
+/*-
  * The boolean methods return a bitmask of all ones (0xff...f) for true
  * and 0 for false. This is useful for choosing a value based on the result
  * of a conditional in constant time. For example,
@@ -112,7 +112,7 @@ static inline unsigned int constant_time_eq_int(int a, int b);
 static inline unsigned char constant_time_eq_int_8(int a, int b);
 
 
-/*
+/*-
  * Returns (mask & a) | (~mask & b).
  *
  * When |mask| is all 1s or all 0s (as returned by the methods above),
diff --git a/crypto/constant_time_test.c b/crypto/constant_time_test.c
index d9c6a44..82c2d96 100644
--- a/crypto/constant_time_test.c
+++ b/crypto/constant_time_test.c
@@ -1,5 +1,5 @@
 /* crypto/constant_time_test.c */
-/*
+/*-
  * Utilities for constant-time cryptography.
  *
  * Author: Emilia Kasper (emilia at openssl.org)
diff --git a/crypto/crypto.h b/crypto/crypto.h
index d4be37b..f5cb4c7 100644
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -525,7 +525,8 @@ int CRYPTO_remove_all_info(void);
 void CRYPTO_dbg_malloc(void *addr,int num,const char *file,int line,int before_p);
 void CRYPTO_dbg_realloc(void *addr1,void *addr2,int num,const char *file,int line,int before_p);
 void CRYPTO_dbg_free(void *addr,int before_p);
-/* Tell the debugging code about options.  By default, the following values
+/*-
+ * Tell the debugging code about options.  By default, the following values
  * apply:
  *
  * 0:                           Clear all options.
diff --git a/crypto/des/des_locl.h b/crypto/des/des_locl.h
index 5b53da9..3075c72 100644
--- a/crypto/des/des_locl.h
+++ b/crypto/des/des_locl.h
@@ -362,7 +362,8 @@
 #endif
 #endif
 
-	/* IP and FP
+	/*-
+	 * IP and FP
 	 * The problem is more of a geometric problem that random bit fiddling.
 	 0  1  2  3  4  5  6  7      62 54 46 38 30 22 14  6
 	 8  9 10 11 12 13 14 15      60 52 44 36 28 20 12  4
diff --git a/crypto/des/des_old.h b/crypto/des/des_old.h
index fab1c06..33169ad 100644
--- a/crypto/des/des_old.h
+++ b/crypto/des/des_old.h
@@ -1,6 +1,7 @@
 /* crypto/des/des_old.h -*- mode:C; c-file-style: "eay" -*- */
 
-/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+/*- 
+ * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
  *
  * The function names in here are deprecated and are only present to
  * provide an interface compatible with openssl 0.9.6 and older as
diff --git a/crypto/des/destest.c b/crypto/des/destest.c
index 64b92a3..b5bcf8f 100644
--- a/crypto/des/destest.c
+++ b/crypto/des/destest.c
@@ -380,7 +380,7 @@ int main(int argc, char *argv[])
 			      DES_ENCRYPT);
 	DES_ede3_cbcm_encrypt(&cbc_data[16],&cbc_out[16],i-16,&ks,&ks2,&ks3,
 			      &iv3,&iv2,DES_ENCRYPT);
-	/*	if (memcmp(cbc_out,cbc3_ok,
+	/*-	if (memcmp(cbc_out,cbc3_ok,
 		(unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
 		{
 		printf("des_ede3_cbc_encrypt encrypt error\n");
diff --git a/crypto/des/enc_read.c b/crypto/des/enc_read.c
index edb6620..e6c4769 100644
--- a/crypto/des/enc_read.c
+++ b/crypto/des/enc_read.c
@@ -66,7 +66,7 @@
 OPENSSL_IMPLEMENT_GLOBAL(int,DES_rw_mode,DES_PCBC_MODE)
 
 
-/*
+/*-
  * WARNINGS:
  *
  *  -  The data format used by DES_enc_write() and DES_enc_read()
diff --git a/crypto/des/enc_writ.c b/crypto/des/enc_writ.c
index 2353ac1..cd5d676 100644
--- a/crypto/des/enc_writ.c
+++ b/crypto/des/enc_writ.c
@@ -63,7 +63,7 @@
 #include "des_locl.h"
 #include <openssl/rand.h>
 
-/*
+/*-
  * WARNINGS:
  *
  *  -  The data format used by DES_enc_write() and DES_enc_read()
diff --git a/crypto/des/ncbc_enc.c b/crypto/des/ncbc_enc.c
index fda23d5..fdd8655 100644
--- a/crypto/des/ncbc_enc.c
+++ b/crypto/des/ncbc_enc.c
@@ -1,5 +1,5 @@
 /* crypto/des/ncbc_enc.c */
-/*
+/*-
  * #included by:
  *    cbc_enc.c  (DES_cbc_encrypt)
  *    des_enc.c  (DES_ncbc_encrypt)
diff --git a/crypto/des/rpc_des.h b/crypto/des/rpc_des.h
index 41328d7..94a1d11 100644
--- a/crypto/des/rpc_des.h
+++ b/crypto/des/rpc_des.h
@@ -57,7 +57,7 @@
  */
 
 /*  @(#)des.h	2.2 88/08/10 4.0 RPCSRC; from 2.7 88/02/08 SMI  */
-/*
+/*-
  * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
  * unrestricted use provided that this legend is included on all tape
  * media and as a part of the software program in whole or part.  Users
diff --git a/crypto/des/set_key.c b/crypto/des/set_key.c
index ce4faf2..37dec3c 100644
--- a/crypto/des/set_key.c
+++ b/crypto/des/set_key.c
@@ -106,7 +106,8 @@ int DES_check_key_parity(const_DES_cblock *key)
 	return(1);
 	}
 
-/* Weak and semi week keys as take from
+/*-
+ * Weak and semi week keys as take from
  * %A D.W. Davies
  * %A W.L. Price
  * %T Security for Computer Networks
@@ -399,7 +400,7 @@ int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule)
 	{
 	return(DES_set_key(key,schedule));
 	}
-/*
+/*-
 #undef des_fixup_key_parity
 void des_fixup_key_parity(des_cblock *key)
 	{
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 9c4f613..0acd775 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -61,7 +61,8 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 
-/* Check that p is a safe prime and
+/*-
+ * Check that p is a safe prime and
  * if g is 2, 3 or 5, check that it is a suitable generator
  * where
  * for 2, p mod 24 == 11
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index 3da2792..1d3cbe8 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -77,7 +77,8 @@ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *c
 	return dh_builtin_genparams(ret, prime_len, generator, cb);
 	}
 
-/* We generate DH parameters as follows
+/*-
+ * We generate DH parameters as follows
  * find a prime q which is prime_len/2 bits long.
  * p=(2*q)+1 or (p-1)/2 = q
  * For this case, g is a generator if
diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index 61a1b01..b8394fd 100644
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -213,7 +213,8 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
 			goto decerr;
 		if (sk_ASN1_TYPE_num(ndsa) != 2)
 			goto decerr;
-		/* Handle Two broken types:
+		/*-
+		 * Handle Two broken types:
 	    	 * SEQUENCE {parameters, priv_key}
 		 * SEQUENCE {pub_key, priv_key}
 		 */
diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c
index 9e441fa..55c75b5 100644
--- a/crypto/dsa/dsa_asn1.c
+++ b/crypto/dsa/dsa_asn1.c
@@ -167,7 +167,8 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
 	}
 
 /* data has already been hashed (probably with SHA or SHA-1). */
-/* returns
+/*-
+ * returns
  *      1: correct signature
  *      0: incorrect signature
  *     -1: error
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index ff29e55..dc8afa5 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -93,7 +93,8 @@ NULL,
 NULL
 };
 
-/* These macro wrappers replace attempts to use the dsa_mod_exp() and
+/*-
+ * These macro wrappers replace attempts to use the dsa_mod_exp() and
  * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
  * having a the macro work as an expression by bundling an "err_instr". So;
  * 
diff --git a/crypto/dso/dso_vms.c b/crypto/dso/dso_vms.c
index 868513c..d08de5e 100644
--- a/crypto/dso/dso_vms.c
+++ b/crypto/dso/dso_vms.c
@@ -174,7 +174,8 @@ static int vms_load(DSO *dso)
 		goto err;
 		}
 
-	/* A file specification may look like this:
+	/*-
+	 * A file specification may look like this:
 	 *
 	 *	node::dev:[dir-spec]name.type;ver
 	 *
diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h
index f448aac..477e476 100644
--- a/crypto/ec/ec.h
+++ b/crypto/ec/ec.h
@@ -118,7 +118,7 @@ typedef enum {
 typedef struct ec_method_st EC_METHOD;
 
 typedef struct ec_group_st
-	/*
+	/*-
 	 EC_METHOD *meth;
 	 -- field definition
 	 -- curve coefficients
diff --git a/crypto/ec/ec2_mult.c b/crypto/ec/ec2_mult.c
index cc3ec83..c261b81 100644
--- a/crypto/ec/ec2_mult.c
+++ b/crypto/ec/ec2_mult.c
@@ -143,7 +143,8 @@ static int gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM
 	return ret;
 	}
 
-/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2) 
+/*-
+ * Compute the x, y affine coordinates from the point (x1, z1) (x2, z2) 
  * using Montgomery point multiplication algorithm Mxy() in appendix of 
  *     Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
  *     GF(2^m) without precomputation" (CHES '99, LNCS 1717).
@@ -212,7 +213,8 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG
 	}
 
 
-/* Computes scalar*point and stores the result in r.
+/*-
+ * Computes scalar*point and stores the result in r.
  * point can not equal r.
  * Uses a modified algorithm 2P of
  *     Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
@@ -318,7 +320,8 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
 	}
 
 
-/* Computes the sum
+/*-
+ * Computes the sum
  *     scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1]
  * gracefully ignoring NULL scalar values.
  */
diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c
index 0bf87e6..7160360 100644
--- a/crypto/ec/ec2_smpl.c
+++ b/crypto/ec/ec2_smpl.c
@@ -586,7 +586,8 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_
 	lh = BN_CTX_get(ctx);
 	if (lh == NULL) goto err;
 
-	/* We have a curve defined by a Weierstrass equation
+	/*-
+	 * We have a curve defined by a Weierstrass equation
 	 *      y^2 + x*y = x^3 + a*x^2 + b.
 	 *  <=> x^3 + a*x^2 + x*y + b + y^2 = 0
 	 *  <=> ((x + a) * x + y ) * x + b + y^2 = 0
@@ -606,7 +607,8 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_
 	}
 
 
-/* Indicates whether two points are equal.
+/*-
+ * Indicates whether two points are equal.
  * Return values:
  *  -1   error
  *   0   equal (in affine coordinates)
diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h
index abd73ee..b7982d9 100644
--- a/crypto/ec/ec_lcl.h
+++ b/crypto/ec/ec_lcl.h
@@ -117,7 +117,8 @@ struct ec_method_st {
 	void (*point_clear_finish)(EC_POINT *);
 	int (*point_copy)(EC_POINT *, const EC_POINT *);
 
-	/* used by EC_POINT_set_to_infinity,
+	/*-
+	 * used by EC_POINT_set_to_infinity,
 	 * EC_POINT_set_Jprojective_coordinates_GFp,
 	 * EC_POINT_get_Jprojective_coordinates_GFp,
 	 * EC_POINT_set_affine_coordinates_GFp,     ..._GF2m,
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 3b5be30..eb83c62 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -482,7 +482,8 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 	if (!(tmp = EC_POINT_new(group)))
 		goto err;
 
-	/* prepare precomputed values:
+	/*-
+	 * prepare precomputed values:
 	 *    val_sub[i][0] :=     points[i]
 	 *    val_sub[i][1] := 3 * points[i]
 	 *    val_sub[i][2] := 5 * points[i]
@@ -607,7 +608,8 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 	}
 
 
-/* ec_wNAF_precompute_mult()
+/*-
+ * ec_wNAF_precompute_mult()
  * creates an EC_PRE_COMP object with preprecomputed multiples of the generator
  * for use with wNAF splitting as implemented in ec_wNAF_mul().
  * 
diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c
index bf8021c..4c76827 100644
--- a/crypto/ec/ecp_nistp224.c
+++ b/crypto/ec/ecp_nistp224.c
@@ -46,7 +46,8 @@ typedef int64_t s64;
 
 
 /******************************************************************************/
-/*		    INTERNAL REPRESENTATION OF FIELD ELEMENTS
+/*-
+ * INTERNAL REPRESENTATION OF FIELD ELEMENTS
  *
  * Field elements are represented as a_0 + 2^56*a_1 + 2^112*a_2 + 2^168*a_3
  * using 64-bit coefficients called 'limbs',
@@ -94,7 +95,8 @@ static const felem_bytearray nistp224_curve_params[5] = {
 	 0x44,0xd5,0x81,0x99,0x85,0x00,0x7e,0x34}
 };
 
-/* Precomputed multiples of the standard generator
+/*-
+ * Precomputed multiples of the standard generator
  * Points are given in coordinates (X, Y, Z) where Z normally is 1
  * (0 for the point at infinity).
  * For each field element, slice a_0 is word 0, etc.
@@ -573,9 +575,11 @@ static void felem_reduce(felem out, const widefelem in)
 	/* output[3] <= 2^56 + 2^16 */
 	out[2] = output[2] & 0x00ffffffffffffff;
 
-	/* out[0] < 2^56, out[1] < 2^56, out[2] < 2^56,
+	/*-
+	 * out[0] < 2^56, out[1] < 2^56, out[2] < 2^56,
 	 * out[3] <= 2^56 + 2^16 (due to final carry),
-	 * so out < 2*p */
+	 * so out < 2*p 
+	 */
 	out[3] = output[3];
 	}
 
@@ -752,13 +756,15 @@ copy_conditional(felem out, const felem in, limb icopy)
  *
  */
 
-/* Double an elliptic curve point:
+/*-
+ * Double an elliptic curve point:
  * (X', Y', Z') = 2 * (X, Y, Z), where
  * X' = (3 * (X - Z^2) * (X + Z^2))^2 - 8 * X * Y^2
  * Y' = 3 * (X - Z^2) * (X + Z^2) * (4 * X * Y^2 - X') - 8 * Y^2
  * Z' = (Y + Z)^2 - Y^2 - Z^2 = 2 * Y * Z
  * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed,
- * while x_out == y_in is not (maybe this works, but it's not tested). */
+ * while x_out == y_in is not (maybe this works, but it's not tested). 
+ */
 static void
 point_double(felem x_out, felem y_out, felem z_out,
              const felem x_in, const felem y_in, const felem z_in)
@@ -830,7 +836,8 @@ point_double(felem x_out, felem y_out, felem z_out,
 	felem_reduce(y_out, tmp);
 	}
 
-/* Add two elliptic curve points:
+/*-
+ * Add two elliptic curve points:
  * (X_1, Y_1, Z_1) + (X_2, Y_2, Z_2) = (X_3, Y_3, Z_3), where
  * X_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1)^2 - (Z_1^2 * X_2 - Z_2^2 * X_1)^3 -
  * 2 * Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^2
@@ -968,8 +975,10 @@ static void point_add(felem x3, felem y3, felem z3,
 	felem_scalar(ftmp5, 2);
 	/* ftmp5[i] < 2 * 2^57 = 2^58 */
 
-	/* x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -
-	   2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */
+	/*-
+	 * x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -
+	 *  2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 
+	 */
 	felem_diff_128_64(tmp2, ftmp5);
 	/* tmp2[i] < 2^117 + 2^64 + 8 < 2^118 */
 	felem_reduce(x_out, tmp2);
@@ -982,8 +991,10 @@ static void point_add(felem x3, felem y3, felem z3,
 	felem_mul(tmp2, ftmp3, ftmp2);
 	/* tmp2[i] < 4 * 2^57 * 2^59 = 2^118 */
 
-	/* y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) -
-	   z2^3*y1*(z1^2*x2 - z2^2*x1)^3 */
+	/*-
+	 * y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) -
+	 *  z2^3*y1*(z1^2*x2 - z2^2*x1)^3 
+	 */
 	widefelem_diff(tmp2, tmp);
 	/* tmp2[i] < 2^118 + 2^120 < 2^121 */
 	felem_reduce(y_out, tmp2);
diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c
index 2f9bb57..cd87161 100644
--- a/crypto/ec/ecp_nistp256.c
+++ b/crypto/ec/ecp_nistp256.c
@@ -79,7 +79,8 @@ static const felem_bytearray nistp256_curve_params[5] = {
 	 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5}
 };
 
-/* The representation of field elements.
+/*-
+ * The representation of field elements.
  * ------------------------------------
  *
  * We represent field elements with either four 128-bit values, eight 128-bit
@@ -248,7 +249,8 @@ static void longfelem_scalar(longfelem out, const u64 scalar)
 /* zero105 is 0 mod p */
 static const felem zero105 = { two105m41m9, two105, two105m41p9, two105m41p9 };
 
-/* smallfelem_neg sets |out| to |-small|
+/*-
+ * smallfelem_neg sets |out| to |-small|
  * On exit:
  *   out[i] < out[i] + 2^105
  */
@@ -261,7 +263,8 @@ static void smallfelem_neg(felem out, const smallfelem small)
 	out[3] = zero105[3] - small[3];
 	}
 
-/* felem_diff subtracts |in| from |out|
+/*-
+ * felem_diff subtracts |in| from |out|
  * On entry:
  *   in[i] < 2^104
  * On exit:
@@ -288,7 +291,8 @@ static void felem_diff(felem out, const felem in)
 /* zero107 is 0 mod p */
 static const felem zero107 = { two107m43m11, two107, two107m43p11, two107m43p11 };
 
-/* An alternative felem_diff for larger inputs |in|
+/*-
+ * An alternative felem_diff for larger inputs |in|
  * felem_diff_zero107 subtracts |in| from |out|
  * On entry:
  *   in[i] < 2^106
@@ -309,7 +313,8 @@ static void felem_diff_zero107(felem out, const felem in)
 	out[3] -= in[3];
 	}
 
-/* longfelem_diff subtracts |in| from |out|
+/*-
+ * longfelem_diff subtracts |in| from |out|
  * On entry:
  *   in[i] < 7*2^67
  * On exit:
@@ -352,7 +357,8 @@ static void longfelem_diff(longfelem out, const longfelem in)
 /* zero110 is 0 mod p */
 static const felem zero110 = { two64m0, two110p32m0, two64m46, two64m32 };
 
-/* felem_shrink converts an felem into a smallfelem. The result isn't quite
+/*-
+ * felem_shrink converts an felem into a smallfelem. The result isn't quite
  * minimal as the value may be greater than p.
  *
  * On entry:
@@ -404,12 +410,14 @@ static void felem_shrink(smallfelem out, const felem in)
 	/* As tmp[3] < 2^65, high is either 1 or 0 */
 	high <<= 63;
 	high >>= 63;
-	/* high is:
+	/*-
+	 * high is:
 	 *   all ones   if the high word of tmp[3] is 1
 	 *   all zeros  if the high word of tmp[3] if 0 */
 	low = tmp[3];
 	mask = low >> 63;
-	/* mask is:
+	/*-
+	 * mask is:
 	 *   all ones   if the MSB of low is 1
 	 *   all zeros  if the MSB of low if 0 */
 	low &= bottom63bits;
@@ -417,7 +425,8 @@ static void felem_shrink(smallfelem out, const felem in)
 	/* if low was greater than kPrime3Test then the MSB is zero */
 	low = ~low;
 	low >>= 63;
-	/* low is:
+	/*-
+	 * low is:
 	 *   all ones   if low was > kPrime3Test
 	 *   all zeros  if low was <= kPrime3Test */
 	mask = (mask & low) | high;
@@ -447,7 +456,8 @@ static void smallfelem_expand(felem out, const smallfelem in)
 	out[3] = in[3];
 	}
 
-/* smallfelem_square sets |out| = |small|^2
+/*- 
+ * smallfelem_square sets |out| = |small|^2
  * On entry:
  *   small[i] < 2^64
  * On exit:
@@ -525,7 +535,8 @@ static void smallfelem_square(longfelem out, const smallfelem small)
 	out[7] = high;
 	}
 
-/* felem_square sets |out| = |in|^2
+/*-
+ * felem_square sets |out| = |in|^2
  * On entry:
  *   in[i] < 2^109
  * On exit:
@@ -538,7 +549,8 @@ static void felem_square(longfelem out, const felem in)
 	smallfelem_square(out, small);
 	}
 
-/* smallfelem_mul sets |out| = |small1| * |small2|
+/*-
+ * smallfelem_mul sets |out| = |small1| * |small2|
  * On entry:
  *   small1[i] < 2^64
  *   small2[i] < 2^64
@@ -653,7 +665,8 @@ static void smallfelem_mul(longfelem out, const smallfelem small1, const smallfe
 	out[7] = high;
 	}
 
-/* felem_mul sets |out| = |in1| * |in2|
+/*-
+ * felem_mul sets |out| = |in1| * |in2|
  * On entry:
  *   in1[i] < 2^109
  *   in2[i] < 2^109
@@ -668,7 +681,8 @@ static void felem_mul(longfelem out, const felem in1, const felem in2)
 	smallfelem_mul(out, small1, small2);
 	}
 
-/* felem_small_mul sets |out| = |small1| * |in2|
+/*-
+ * felem_small_mul sets |out| = |small1| * |in2|
  * On entry:
  *   small1[i] < 2^64
  *   in2[i] < 2^109
@@ -688,7 +702,8 @@ static void felem_small_mul(longfelem out, const smallfelem small1, const felem
 /* zero100 is 0 mod p */
 static const felem zero100 = { two100m36m4, two100, two100m36p4, two100m36p4 };
 
-/* Internal function for the different flavours of felem_reduce.
+/*-
+ * Internal function for the different flavours of felem_reduce.
  * felem_reduce_ reduces the higher coefficients in[4]-in[7].
  * On entry:
  *   out[0] >= in[6] + 2^32*in[6] + in[7] + 2^32*in[7] 
@@ -735,7 +750,8 @@ static void felem_reduce_(felem out, const longfelem in)
 	out[3] += (in[7] * 3);
 	}
 
-/* felem_reduce converts a longfelem into an felem.
+/*-
+ * felem_reduce converts a longfelem into an felem.
  * To be called directly after felem_square or felem_mul.
  * On entry:
  *   in[0] < 2^64, in[1] < 3*2^64, in[2] < 5*2^64, in[3] < 7*2^64
@@ -752,7 +768,8 @@ static void felem_reduce(felem out, const longfelem in)
 
 	felem_reduce_(out, in);
 
-	/* out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
+	/*-
+	 * out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
 	 * out[1] > 2^100 - 2^64 - 7*2^96 > 0
 	 * out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0
 	 * out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0
@@ -764,7 +781,8 @@ static void felem_reduce(felem out, const longfelem in)
 	 */
 	}
 
-/* felem_reduce_zero105 converts a larger longfelem into an felem.
+/*-
+ * felem_reduce_zero105 converts a larger longfelem into an felem.
  * On entry:
  *   in[0] < 2^71
  * On exit:
@@ -779,7 +797,8 @@ static void felem_reduce_zero105(felem out, const longfelem in)
 
 	felem_reduce_(out, in);
 
-	/* out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
+	/*-
+	 * out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
 	 * out[1] > 2^105 - 2^71 - 2^103 > 0
 	 * out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0
 	 * out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0
@@ -881,7 +900,8 @@ static void smallfelem_mul_contract(smallfelem out, const smallfelem in1, const
 	felem_contract(out, tmp);
 	}
 
-/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
+/*-
+ * felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
  * otherwise.
  * On entry:
  *   small[i] < 2^64
@@ -926,7 +946,8 @@ static int smallfelem_is_zero_int(const smallfelem small)
 	return (int) (smallfelem_is_zero(small) & ((limb)1));
 	}
 
-/* felem_inv calculates |out| = |in|^{-1}
+/*-
+ * felem_inv calculates |out| = |in|^{-1}
  *
  * Based on Fermat's Little Theorem:
  *   a^p = a (mod p)
@@ -1005,14 +1026,16 @@ static void smallfelem_inv_contract(smallfelem out, const smallfelem in)
 	felem_contract(out, tmp);
 	}
 
-/* Group operations
+/*-
+ * Group operations
  * ----------------
  *
  * Building on top of the field operations we have the operations on the
  * elliptic curve group itself. Points on the curve are represented in Jacobian
  * coordinates */
 
-/* point_double calculates 2*(x_in, y_in, z_in)
+/*-
+ * point_double calculates 2*(x_in, y_in, z_in)
  *
  * The method is taken from:
  *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
@@ -1140,7 +1163,8 @@ copy_small_conditional(felem out, const smallfelem in, limb mask)
 		}
 	}
 
-/* point_add calcuates (x1, y1, z1) + (x2, y2, z2)
+/*-
+ * point_add calcuates (x1, y1, z1) + (x2, y2, z2)
  *
  * The method is taken from:
  *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
@@ -1329,7 +1353,8 @@ static void point_add_small(smallfelem x3, smallfelem y3, smallfelem z3,
 	felem_shrink(z3, felem_z3);
 	}
 
-/* Base point pre computation
+/*-
+ * Base point pre computation
  * --------------------------
  *
  * Two different sorts of precomputed tables are used in the following code.
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
index 178b655..7ff3a0b 100644
--- a/crypto/ec/ecp_nistp521.c
+++ b/crypto/ec/ecp_nistp521.c
@@ -109,7 +109,8 @@ static const felem_bytearray nistp521_curve_params[5] =
 	 0x66, 0x50}
 	};
 
-/* The representation of field elements.
+/*-
+ * The representation of field elements.
  * ------------------------------------
  *
  * We represent field elements with nine values. These values are either 64 or
@@ -291,7 +292,8 @@ static void felem_scalar128(largefelem out, limb scalar)
 	out[8] *= scalar;
 	}
 
-/* felem_neg sets |out| to |-in|
+/*-
+ * felem_neg sets |out| to |-in|
  * On entry:
  *   in[i] < 2^59 + 2^14
  * On exit:
@@ -314,7 +316,8 @@ static void felem_neg(felem out, const felem in)
 	out[8] = two62m2 - in[8];
 	}
 
-/* felem_diff64 subtracts |in| from |out|
+/*-
+ * felem_diff64 subtracts |in| from |out|
  * On entry:
  *   in[i] < 2^59 + 2^14
  * On exit:
@@ -337,7 +340,8 @@ static void felem_diff64(felem out, const felem in)
 	out[8] += two62m2 - in[8];
 	}
 
-/* felem_diff_128_64 subtracts |in| from |out|
+/*-
+ * felem_diff_128_64 subtracts |in| from |out|
  * On entry:
  *   in[i] < 2^62 + 2^17
  * On exit:
@@ -360,7 +364,8 @@ static void felem_diff_128_64(largefelem out, const felem in)
 	out[8] += two63m5 - in[8];
 	}
 
-/* felem_diff_128_64 subtracts |in| from |out|
+/*-
+ * felem_diff_128_64 subtracts |in| from |out|
  * On entry:
  *   in[i] < 2^126
  * On exit:
@@ -383,7 +388,8 @@ static void felem_diff128(largefelem out, const largefelem in)
 	out[8] += (two127m69 - in[8]);
 	}
 
-/* felem_square sets |out| = |in|^2
+/*-
+ * felem_square sets |out| = |in|^2
  * On entry:
  *   in[i] < 2^62
  * On exit:
@@ -395,7 +401,8 @@ static void felem_square(largefelem out, const felem in)
 	felem_scalar(inx2, in, 2);
 	felem_scalar(inx4, in, 4);
 
-	/* We have many cases were we want to do
+	/*-
+	 * We have many cases were we want to do
 	 *   in[x] * in[y] +
 	 *   in[y] * in[x]
 	 * This is obviously just
@@ -474,7 +481,8 @@ static void felem_square(largefelem out, const felem in)
 	out[7] += ((uint128_t) in[8]) * inx2[8];
 	}
 
-/* felem_mul sets |out| = |in1| * |in2|
+/*-
+ * felem_mul sets |out| = |in1| * |in2|
  * On entry:
  *   in1[i] < 2^64
  *   in2[i] < 2^63
@@ -589,7 +597,8 @@ static void felem_mul(largefelem out, const felem in1, const felem in2)
 
 static const limb bottom52bits = 0xfffffffffffff;
 
-/* felem_reduce converts a largefelem to an felem.
+/*-
+ * felem_reduce converts a largefelem to an felem.
  * On entry:
  *   in[i] < 2^128
  * On exit:
@@ -677,7 +686,8 @@ static void felem_mul_reduce(felem out, const felem in1, const felem in2)
 	felem_reduce(out, tmp);
 	}
 
-/* felem_inv calculates |out| = |in|^{-1}
+/*-
+ * felem_inv calculates |out| = |in|^{-1}
  *
  * Based on Fermat's Little Theorem:
  *   a^p = a (mod p)
@@ -769,7 +779,8 @@ static const felem kPrime =
 	0x03ffffffffffffff, 0x03ffffffffffffff, 0x01ffffffffffffff
 	};
 
-/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
+/*-
+ * felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
  * otherwise.
  * On entry:
  *   in[i] < 2^59 + 2^14
@@ -834,7 +845,8 @@ static int felem_is_zero_int(const felem in)
 	return (int) (felem_is_zero(in) & ((limb)1));
 	}
 
-/* felem_contract converts |in| to its unique, minimal representation.
+/*-
+ * felem_contract converts |in| to its unique, minimal representation.
  * On entry:
  *   in[i] < 2^59 + 2^14
  */
@@ -930,14 +942,16 @@ static void felem_contract(felem out, const felem in)
 	sign = -(out[7] >> 63); out[7] += (two58 & sign); out[8] -= (1 & sign);
 	}
 
-/* Group operations
+/*-
+ * Group operations
  * ----------------
  *
  * Building on top of the field operations we have the operations on the
  * elliptic curve group itself. Points on the curve are represented in Jacobian
  * coordinates */
 
-/* point_double calcuates 2*(x_in, y_in, z_in)
+/*-
+ * point_double calcuates 2*(x_in, y_in, z_in)
  *
  * The method is taken from:
  *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
@@ -974,11 +988,13 @@ point_double(felem x_out, felem y_out, felem z_out,
 	felem_scalar64(ftmp2, 3);
 	/* ftmp2[i] < 3*2^60 + 3*2^15 */
 	felem_mul(tmp, ftmp, ftmp2);
-	/* tmp[i] < 17(3*2^121 + 3*2^76)
+	/*-
+	 * tmp[i] < 17(3*2^121 + 3*2^76)
 	 *        = 61*2^121 + 61*2^76
 	 *        < 64*2^121 + 64*2^76
 	 *        = 2^127 + 2^82
-	 *        < 2^128 */
+	 *        < 2^128 
+	 */
 	felem_reduce(alpha, tmp);
 
 	/* x' = alpha^2 - 8*beta */
@@ -1011,22 +1027,30 @@ point_double(felem x_out, felem y_out, felem z_out,
 	felem_diff64(beta, x_out);
 	/* beta[i] < 2^61 + 2^60 + 2^16 */
 	felem_mul(tmp, alpha, beta);
-	/* tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16))
+	/*-
+	 * tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16))
 	 *        = 17*(2^120 + 2^75 + 2^119 + 2^74 + 2^75 + 2^30) 
 	 *        = 17*(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
-	 *        < 2^128 */
+	 *        < 2^128 
+	 */
 	felem_square(tmp2, gamma);
-	/* tmp2[i] < 17*(2^59 + 2^14)^2
-	 *         = 17*(2^118 + 2^74 + 2^28) */
+	/*-
+	 * tmp2[i] < 17*(2^59 + 2^14)^2
+	 *         = 17*(2^118 + 2^74 + 2^28) 
+	 */
 	felem_scalar128(tmp2, 8);
-	/* tmp2[i] < 8*17*(2^118 + 2^74 + 2^28)
+	/*- 
+	 * tmp2[i] < 8*17*(2^118 + 2^74 + 2^28)
 	 *         = 2^125 + 2^121 + 2^81 + 2^77 + 2^35 + 2^31
-	 *         < 2^126 */
+	 *         < 2^126 
+	 */
 	felem_diff128(tmp, tmp2);
-	/* tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
+	/*-
+	 * tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
 	 *        = 2^127 + 2^124 + 2^122 + 2^120 + 2^118 + 2^80 + 2^78 + 2^76 +
 	 *          2^74 + 2^69 + 2^34 + 2^30
-	 *        < 2^128 */
+	 *        < 2^128 
+	 */
 	felem_reduce(y_out, tmp);
 	}
 
@@ -1042,7 +1066,8 @@ copy_conditional(felem out, const felem in, limb mask)
 		}
 	}
 
-/* point_add calcuates (x1, y1, z1) + (x2, y2, z2)
+/*-
+ * point_add calcuates (x1, y1, z1) + (x2, y2, z2)
  *
  * The method is taken from
  *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
@@ -1205,7 +1230,8 @@ static void point_add(felem x3, felem y3, felem z3,
 	felem_assign(z3, z_out);
 	}
 
-/* Base point pre computation
+/*-
+ * Base point pre computation
  * --------------------------
  *
  * Two different sorts of precomputed tables are used in the following code.
diff --git a/crypto/ec/ecp_nistputil.c b/crypto/ec/ecp_nistputil.c
index c8140c8..4ab42d8 100644
--- a/crypto/ec/ecp_nistputil.c
+++ b/crypto/ec/ecp_nistputil.c
@@ -107,7 +107,7 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
 		}
 	}
 
-/*
+/*-
  * This function looks at 5+1 scalar bits (5 current, 1 adjacent less
  * significant bit), and recodes them into a signed digit for use in fast point
  * multiplication: the use of signed rather than unsigned digits means that
diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c
index c2192b3..bd9f7df 100644
--- a/crypto/ec/ecp_smpl.c
+++ b/crypto/ec/ecp_smpl.c
@@ -320,9 +320,11 @@ int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
 		if (!BN_copy(b, group->b)) goto err;
 		}
 	
-	/* check the discriminant:
+	/*-
+	 * check the discriminant:
 	 * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p) 
-         * 0 =< a, b < p */
+         * 0 =< a, b < p 
+	 */
 	if (BN_is_zero(a))
 		{
 		if (BN_is_zero(b)) goto err;
@@ -975,7 +977,8 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_C
 	Z6 = BN_CTX_get(ctx);
 	if (Z6 == NULL) goto err;
 
-	/* We have a curve defined by a Weierstrass equation
+	/*-
+	 * We have a curve defined by a Weierstrass equation
 	 *      y^2 = x^3 + a*x + b.
 	 * The point to consider is given in Jacobian projective coordinates
 	 * where  (X, Y, Z)  represents  (x, y) = (X/Z^2, Y/Z^3).
@@ -1081,7 +1084,8 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *
 	Zb23 = BN_CTX_get(ctx);
 	if (Zb23 == NULL) goto end;
 
-	/* We have to decide whether
+	/*-
+	 * We have to decide whether
 	 *     (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
 	 * or equivalently, whether
 	 *     (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
diff --git a/crypto/ecdsa/ecs_vrf.c b/crypto/ecdsa/ecs_vrf.c
index ef9acf7..ae14625 100644
--- a/crypto/ecdsa/ecs_vrf.c
+++ b/crypto/ecdsa/ecs_vrf.c
@@ -61,7 +61,8 @@
 #include <openssl/engine.h>
 #endif
 
-/* returns
+/*-
+ * returns
  *      1: correct signature
  *      0: incorrect signature
  *     -1: error
@@ -75,7 +76,8 @@ int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
 	return ecdsa->meth->ecdsa_do_verify(dgst, dgst_len, sig, eckey);
 	}
 
-/* returns
+/*-
+ * returns
  *      1: correct signature
  *      0: incorrect signature
  *     -1: error
diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c
index 63bd1f5..fa6febf 100644
--- a/crypto/engine/eng_all.c
+++ b/crypto/engine/eng_all.c
@@ -82,7 +82,7 @@ void ENGINE_load_builtin_engines(void)
 #ifndef OPENSSL_NO_HW_4758_CCA
 	ENGINE_load_4758cca();
 #endif
-/*
+/*-
  * These engines have been disabled as they do not currently build
 #ifndef OPENSSL_NO_HW_AEP
 	ENGINE_load_aep();
diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h
index 5d382fa..a6f5dbc 100644
--- a/crypto/engine/engine.h
+++ b/crypto/engine/engine.h
@@ -291,7 +291,8 @@ typedef EVP_PKEY * (*ENGINE_LOAD_KEY_PTR)(ENGINE *, const char *,
 typedef int (*ENGINE_SSL_CLIENT_CERT_PTR)(ENGINE *, SSL *ssl,
 	STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **pkey,
 	STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data);
-/* These callback types are for an ENGINE's handler for cipher and digest logic.
+/*-
+ * These callback types are for an ENGINE's handler for cipher and digest logic.
  * These handlers have these prototypes;
  *   int foo(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid);
  *   int foo(ENGINE *e, const EVP_MD **digest, const int **nids, int nid);
@@ -359,13 +360,14 @@ void ENGINE_load_builtin_engines(void);
 unsigned int ENGINE_get_table_flags(void);
 void ENGINE_set_table_flags(unsigned int flags);
 
-/* Manage registration of ENGINEs per "table". For each type, there are 3
+/*- Manage registration of ENGINEs per "table". For each type, there are 3
  * functions;
  *   ENGINE_register_***(e) - registers the implementation from 'e' (if it has one)
  *   ENGINE_unregister_***(e) - unregister the implementation from 'e'
  *   ENGINE_register_all_***() - call ENGINE_register_***() for each 'e' in the list
  * Cleanup is automatically registered from each table when required, so
- * ENGINE_cleanup() will reverse any "register" operations. */
+ * ENGINE_cleanup() will reverse any "register" operations. 
+ */
 
 int ENGINE_register_RSA(ENGINE *e);
 void ENGINE_unregister_RSA(ENGINE *e);
diff --git a/crypto/evp/bio_enc.c b/crypto/evp/bio_enc.c
index 3cf75f0..2ceb802 100644
--- a/crypto/evp/bio_enc.c
+++ b/crypto/evp/bio_enc.c
@@ -396,7 +396,7 @@ static long enc_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 	return(ret);
 	}
 
-/*
+/*-
 void BIO_set_cipher_ctx(b,c)
 BIO *b;
 EVP_CIPHER_ctx *c;
diff --git a/crypto/evp/bio_md.c b/crypto/evp/bio_md.c
index 144fdfd..6190156 100644
--- a/crypto/evp/bio_md.c
+++ b/crypto/evp/bio_md.c
@@ -264,7 +264,7 @@ static int md_gets(BIO *bp, char *buf, int size)
 	return((int)ret);
 	}
 
-/*
+/*-
 static int md_puts(bp,str)
 BIO *bp;
 char *str;
diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c
index ad8cad8..973439a 100644
--- a/crypto/evp/bio_ok.c
+++ b/crypto/evp/bio_ok.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-/*
+/*-
 	From: Arne Ansper <arne at cyber.ee>
 
 	Why BIO_f_reliable?
diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c
index a4f7674..e612fd1 100644
--- a/crypto/evp/encode.c
+++ b/crypto/evp/encode.c
@@ -74,7 +74,8 @@
 #define conv_ascii2bin(a)	(data_ascii2bin[os_toascii[a]&0x7f])
 #endif
 
-/* 64 char lines
+/*-
+ * 64 char lines
  * pad input with 0
  * left over chars are set to =
  * 1 byte  => xx==
@@ -88,7 +89,8 @@
 static const unsigned char data_bin2ascii[65]="ABCDEFGHIJKLMNOPQRSTUVWXYZ\
 abcdefghijklmnopqrstuvwxyz0123456789+/";
 
-/* 0xF0 is a EOLN
+/*-
+ * 0xF0 is a EOLN
  * 0xF1 is ignore but next needs to be 0xF0 (for \r\n processing).
  * 0xF2 is EOF
  * 0xE0 is ignore at start of line.
@@ -228,7 +230,8 @@ void EVP_DecodeInit(EVP_ENCODE_CTX *ctx)
 	ctx->expect_nl=0;
 	}
 
-/* -1 for error
+/*-
+ * -1 for error
  *  0 for last line
  *  1 for full line
  */
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
index 757b796..7290c10 100644
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -75,7 +75,7 @@
 #include <openssl/bio.h>
 #endif
 
-/*
+/*-
 #define EVP_RC2_KEY_SIZE		16
 #define EVP_RC4_KEY_SIZE		16
 #define EVP_BLOWFISH_KEY_SIZE		16
diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h
index 94162d6..cff2942 100644
--- a/crypto/evp/evp_locl.h
+++ b/crypto/evp/evp_locl.h
@@ -185,7 +185,7 @@ BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, flags, \
 		     init_key, cleanup, set_asn1, get_asn1, ctrl)
 
 
-/*
+/*-
 #define BLOCK_CIPHER_defs(cname, kstruct, \
 				nid, block_size, key_len, iv_len, flags,\
 				 init_key, cleanup, set_asn1, get_asn1, ctrl)\
diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c
index e5919b0..6658302 100644
--- a/crypto/evp/p_seal.c
+++ b/crypto/evp/p_seal.c
@@ -94,7 +94,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek
 	return(npubk);
 	}
 
-/* MACRO
+/*- MACRO
 void EVP_SealUpdate(ctx,out,outl,in,inl)
 EVP_CIPHER_CTX *ctx;
 unsigned char *out;
diff --git a/crypto/idea/ideatest.c b/crypto/idea/ideatest.c
index d509f81..9764c0c 100644
--- a/crypto/idea/ideatest.c
+++ b/crypto/idea/ideatest.c
@@ -100,7 +100,7 @@ static unsigned char cfb_cipher64[CFB_TEST_SIZE]={
 	0x2C,0x17,0x25,0xD0,0x1A,0x38,0xB7,0x2A,
 	0x39,0x61,0x37,0xDC,0x79,0xFB,0x9F,0x45
 
-/*	0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
+/*-	0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
 	0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
 	0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
 	}; 
diff --git a/crypto/jpake/jpake.c b/crypto/jpake/jpake.c
index 9167a8d..e3003ad 100644
--- a/crypto/jpake/jpake.c
+++ b/crypto/jpake/jpake.c
@@ -370,7 +370,7 @@ int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx)
     BIGNUM *t1 = BN_new();
     BIGNUM *t2 = BN_new();
 
-   /*
+   /*-
     * X = g^{(xa + xc + xd) * xb * s}
     * t1 = g^xa
     */
@@ -382,7 +382,7 @@ int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx)
    /* t2 = xb * s */
     BN_mod_mul(t2, ctx->xb, ctx->secret, ctx->p.q, ctx->ctx);
 
-   /*
+   /*-
     * ZKP(xb * s)
     * XXX: this is kinda funky, because we're using
     *
@@ -407,7 +407,7 @@ static int compute_key(JPAKE_CTX *ctx, const BIGNUM *gx)
     BIGNUM *t2 = BN_new();
     BIGNUM *t3 = BN_new();
 
-   /*
+   /*-
     * K = (gx/g^{xb * xd * s})^{xb}
     *   = (g^{(xc + xa + xb) * xd * s - xb * xd *s})^{xb}
     *   = (g^{(xa + xc) * xd * s})^{xb}
@@ -440,7 +440,7 @@ int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received)
     BIGNUM *t2 = BN_new();
     int ret = 0;
 
-   /*
+   /*-
     * g' = g^{xc + xa + xb} [from our POV]
     * t1 = xa + xb
     */
diff --git a/crypto/jpake/jpaketest.c b/crypto/jpake/jpaketest.c
index eaba75e..a183262 100644
--- a/crypto/jpake/jpaketest.c
+++ b/crypto/jpake/jpaketest.c
@@ -128,12 +128,12 @@ int main(int argc, char **argv)
 
     ERR_load_crypto_strings();
 
-    /*
+    /*-
     BN_hex2bn(&p, "fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b6512669455d402251fb593d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b76b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7c6a8a6150f04fb83f6d3c51ec3023554135a169132f675f3ae2b61d72aeff22203199dd14801c7");
     BN_hex2bn(&g, "f7e1a085d69b3ddecbbcab5c36b857b97994afbbfa3aea82f9574c0b3d0782675159578ebad4594fe67107108180b449167123e84c281613b7cf09328cc8a6e13c167a8b547c8d28e0a3ae1e2bb3a675916ea37f0bfa213562f1fb627a01243bcca4f1bea8519089a883dfe15ae59f06928b665e807b552564014c3bfecf492a");
     BN_hex2bn(&q, "9760508f15230bccb292b982a2eb840bf0581cf5");
     */
-    /*
+    /*-
     p = BN_new();
     BN_generate_prime(p, 1024, 1, NULL, NULL, NULL, NULL);
     */
diff --git a/crypto/krb5/krb5_asn.h b/crypto/krb5/krb5_asn.h
index 41725d0..7d7868d 100644
--- a/crypto/krb5/krb5_asn.h
+++ b/crypto/krb5/krb5_asn.h
@@ -71,14 +71,14 @@ extern "C" {
 
 
 /*	ASN.1 from Kerberos RFC 1510
-*/
+ */
 
-/*	EncryptedData ::=   SEQUENCE {
-**		etype[0]                      INTEGER, -- EncryptionType
-**		kvno[1]                       INTEGER OPTIONAL,
-**		cipher[2]                     OCTET STRING -- ciphertext
-**	}
-*/
+/*-	EncryptedData ::=   SEQUENCE {
+ *		etype[0]                      INTEGER, -- EncryptionType
+ *		kvno[1]                       INTEGER OPTIONAL,
+ *		cipher[2]                     OCTET STRING -- ciphertext
+ *	}
+ */
 typedef	struct	krb5_encdata_st
 	{
 	ASN1_INTEGER			*etype;
@@ -88,11 +88,11 @@ typedef	struct	krb5_encdata_st
 
 DECLARE_STACK_OF(KRB5_ENCDATA)
 
-/*	PrincipalName ::=   SEQUENCE {
-**		name-type[0]                  INTEGER,
-**		name-string[1]                SEQUENCE OF GeneralString
-**	}
-*/
+/*-	PrincipalName ::=   SEQUENCE {
+ *		name-type[0]                  INTEGER,
+ *		name-string[1]                SEQUENCE OF GeneralString
+ *	}
+ */
 typedef	struct	krb5_princname_st
 	{
 	ASN1_INTEGER			*nametype;
@@ -102,13 +102,13 @@ typedef	struct	krb5_princname_st
 DECLARE_STACK_OF(KRB5_PRINCNAME)
 
 
-/*	Ticket ::=	[APPLICATION 1] SEQUENCE {
-**		tkt-vno[0]                    INTEGER,
-**		realm[1]                      Realm,
-**		sname[2]                      PrincipalName,
-**		enc-part[3]                   EncryptedData
-**	}
-*/
+/*-	Ticket ::=	[APPLICATION 1] SEQUENCE {
+ *		tkt-vno[0]                    INTEGER,
+ *		realm[1]                      Realm,
+ *		sname[2]                      PrincipalName,
+ *		enc-part[3]                   EncryptedData
+ *	}
+ */
 typedef	struct	krb5_tktbody_st
 	{
 	ASN1_INTEGER			*tktvno;
@@ -121,17 +121,17 @@ typedef STACK_OF(KRB5_TKTBODY) KRB5_TICKET;
 DECLARE_STACK_OF(KRB5_TKTBODY)
 
 
-/*	AP-REQ ::=      [APPLICATION 14] SEQUENCE {
-**		pvno[0]                       INTEGER,
-**		msg-type[1]                   INTEGER,
-**		ap-options[2]                 APOptions,
-**		ticket[3]                     Ticket,
-**		authenticator[4]              EncryptedData
-**	}
-**
-**	APOptions ::=   BIT STRING {
-**		reserved(0), use-session-key(1), mutual-required(2) }
-*/
+/*-	AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+ *		pvno[0]                       INTEGER,
+ *		msg-type[1]                   INTEGER,
+ *		ap-options[2]                 APOptions,
+ *		ticket[3]                     Ticket,
+ *		authenticator[4]              EncryptedData
+ *	}
+ *
+ *	APOptions ::=   BIT STRING {
+ *		reserved(0), use-session-key(1), mutual-required(2) }
+ */
 typedef	struct	krb5_ap_req_st
 	{
 	ASN1_INTEGER			*pvno;
@@ -148,11 +148,11 @@ DECLARE_STACK_OF(KRB5_APREQBODY)
 /*	Authenticator Stuff	*/
 
 
-/*	Checksum ::=   SEQUENCE {
-**		cksumtype[0]                  INTEGER,
-**		checksum[1]                   OCTET STRING
-**	}
-*/
+/*-	Checksum ::=   SEQUENCE {
+ *		cksumtype[0]                  INTEGER,
+ *		checksum[1]                   OCTET STRING
+ *	}
+ */
 typedef	struct	krb5_checksum_st
 	{
 	ASN1_INTEGER			*ctype;
@@ -162,11 +162,11 @@ typedef	struct	krb5_checksum_st
 DECLARE_STACK_OF(KRB5_CHECKSUM)
 
 
-/*	EncryptionKey ::=   SEQUENCE {
-**		keytype[0]                    INTEGER,
-**		keyvalue[1]                   OCTET STRING
-**	}
-*/
+/*-	EncryptionKey ::=   SEQUENCE {
+ *		keytype[0]                    INTEGER,
+ *		keyvalue[1]                   OCTET STRING
+ *	}
+ */
 typedef struct  krb5_encryptionkey_st
 	{
 	ASN1_INTEGER			*ktype;
@@ -176,11 +176,11 @@ typedef struct  krb5_encryptionkey_st
 DECLARE_STACK_OF(KRB5_ENCKEY)
 
 
-/*	AuthorizationData ::=   SEQUENCE OF SEQUENCE {
-**		ad-type[0]                    INTEGER,
-**              ad-data[1]                    OCTET STRING
-**	}
-*/
+/*-	AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+ *		ad-type[0]                    INTEGER,
+ *              ad-data[1]                    OCTET STRING
+ *	}
+ */
 typedef struct	krb5_authorization_st
 	{
 	ASN1_INTEGER			*adtype;
@@ -190,19 +190,19 @@ typedef struct	krb5_authorization_st
 DECLARE_STACK_OF(KRB5_AUTHDATA)
 
 			
-/*	-- Unencrypted authenticator
-**	Authenticator ::=    [APPLICATION 2] SEQUENCE    {
-**		authenticator-vno[0]          INTEGER,
-**		crealm[1]                     Realm,
-**		cname[2]                      PrincipalName,
-**		cksum[3]                      Checksum OPTIONAL,
-**		cusec[4]                      INTEGER,
-**		ctime[5]                      KerberosTime,
-**		subkey[6]                     EncryptionKey OPTIONAL,
-**		seq-number[7]                 INTEGER OPTIONAL,
-**		authorization-data[8]         AuthorizationData OPTIONAL
-**	}
-*/
+/*-	-- Unencrypted authenticator
+ *	Authenticator ::=    [APPLICATION 2] SEQUENCE    {
+ *		authenticator-vno[0]          INTEGER,
+ *		crealm[1]                     Realm,
+ *		cname[2]                      PrincipalName,
+ *		cksum[3]                      Checksum OPTIONAL,
+ *		cusec[4]                      INTEGER,
+ *		ctime[5]                      KerberosTime,
+ *		subkey[6]                     EncryptionKey OPTIONAL,
+ *		seq-number[7]                 INTEGER OPTIONAL,
+ *		authorization-data[8]         AuthorizationData OPTIONAL
+ *	}
+ */
 typedef struct	krb5_authenticator_st
 	{
 	ASN1_INTEGER			*avno;
@@ -220,15 +220,15 @@ typedef STACK_OF(KRB5_AUTHENTBODY) KRB5_AUTHENT;
 DECLARE_STACK_OF(KRB5_AUTHENTBODY)
 
 
-/*  DECLARE_ASN1_FUNCTIONS(type) = DECLARE_ASN1_FUNCTIONS_name(type, type) =
-**	type *name##_new(void);
-**	void name##_free(type *a);
-**	DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name) =
-**	 DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) =
-**	  type *d2i_##name(type **a, const unsigned char **in, long len);
-**	  int i2d_##name(type *a, unsigned char **out);
-**	  DECLARE_ASN1_ITEM(itname) = OPENSSL_EXTERN const ASN1_ITEM itname##_it
-*/
+/*-  DECLARE_ASN1_FUNCTIONS(type) = DECLARE_ASN1_FUNCTIONS_name(type, type) =
+ *	type *name##_new(void);
+ *	void name##_free(type *a);
+ *	DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name) =
+ *	 DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) =
+ *	  type *d2i_##name(type **a, const unsigned char **in, long len);
+ *	  int i2d_##name(type *a, unsigned char **out);
+ *	  DECLARE_ASN1_ITEM(itname) = OPENSSL_EXTERN const ASN1_ITEM itname##_it
+ */
 
 DECLARE_ASN1_FUNCTIONS(KRB5_ENCDATA)
 DECLARE_ASN1_FUNCTIONS(KRB5_PRINCNAME)
diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c
index 47f7480..a60914a 100644
--- a/crypto/lhash/lhash.c
+++ b/crypto/lhash/lhash.c
@@ -56,7 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-/* Code for dynamic hash table routines
+/*-
+ * Code for dynamic hash table routines
  * Author - Eric Young v 2.0
  *
  * 2.2 eay - added #include "crypto.h" so the memory leak checking code is
diff --git a/crypto/md32_common.h b/crypto/md32_common.h
index 2146154..9388dad 100644
--- a/crypto/md32_common.h
+++ b/crypto/md32_common.h
@@ -49,7 +49,7 @@
  *
  */
 
-/*
+/*-
  * This is a generic 32 bit "collector" for message digest algorithms.
  * Whenever needed it collects input character stream into chunks of
  * 32 bit values and invokes a block function that performs actual hash
diff --git a/crypto/md4/md4.h b/crypto/md4/md4.h
index c3ed9b3..631c1b2 100644
--- a/crypto/md4/md4.h
+++ b/crypto/md4/md4.h
@@ -70,7 +70,7 @@ extern "C" {
 #error MD4 is disabled.
 #endif
 
-/*
+/*-
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  * ! MD4_LONG has to be at least 32 bits wide. If it's wider, then !
  * ! MD4_LONG_LOG2 has to be defined along.			   !
diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
index 662b6ff..261dc59 100644
--- a/crypto/modes/gcm128.c
+++ b/crypto/modes/gcm128.c
@@ -82,7 +82,7 @@
 	} \
 } while(0)
 
-/*
+/*-
  * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
  * never be set to 8. 8 is effectively reserved for testing purposes.
  * TABLE_BITS>1 are lookup-table-driven implementations referred to as
diff --git a/crypto/o_time.c b/crypto/o_time.c
index 362e9e7..e02b651 100644
--- a/crypto/o_time.c
+++ b/crypto/o_time.c
@@ -148,7 +148,8 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
 		/* Since there was no gmtime_r() to do this stuff for us,
 		   we have to do it the hard way. */
 		{
-		/* The VMS epoch is the astronomical Smithsonian date,
+		/*-
+		 * The VMS epoch is the astronomical Smithsonian date,
 		   if I remember correctly, which is November 17, 1858.
 		   Furthermore, time is measure in thenths of microseconds
 		   and stored in quadwords (64 bit integers).  unix_epoch
diff --git a/crypto/objects/objects.h b/crypto/objects/objects.h
index bd0ee52..42d2457 100644
--- a/crypto/objects/objects.h
+++ b/crypto/objects/objects.h
@@ -639,7 +639,8 @@
 #define NID_ripemd160WithRSA		119
 #define OBJ_ripemd160WithRSA		1L,3L,36L,3L,3L,1L,2L
 
-/* Taken from rfc2040
+/*-
+ * Taken from rfc2040
  *  RC5_CBC_Parameters ::= SEQUENCE {
  *	version           INTEGER (v1_0(16)),
  *	rounds            INTEGER (8..127),
@@ -1028,7 +1029,7 @@ const void *	OBJ_bsearch_ex_(const void *key,const void *base,int num,
 #define DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(type1, type2, nm)	\
   type2 * OBJ_bsearch_##nm(type1 *key, type2 const *base, int num)
 
-/*
+/*-
  * Unsolved problem: if a type is actually a pointer type, like
  * nid_triple is, then its impossible to get a const where you need
  * it. Consider:
diff --git a/crypto/ocsp/ocsp.h b/crypto/ocsp/ocsp.h
index b2acebe..e033191 100644
--- a/crypto/ocsp/ocsp.h
+++ b/crypto/ocsp/ocsp.h
@@ -90,7 +90,7 @@ extern "C" {
 #define OCSP_RESPID_KEY			0x400
 #define OCSP_NOTIME			0x800
 
-/*   CertID ::= SEQUENCE {
+/*-  CertID ::= SEQUENCE {
  *       hashAlgorithm            AlgorithmIdentifier,
  *       issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
  *       issuerKeyHash      OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
@@ -106,7 +106,7 @@ typedef struct ocsp_cert_id_st
 
 DECLARE_STACK_OF(OCSP_CERTID)
 
-/*   Request ::=     SEQUENCE {
+/*-  Request ::=     SEQUENCE {
  *       reqCert                    CertID,
  *       singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
  */
@@ -120,7 +120,7 @@ DECLARE_STACK_OF(OCSP_ONEREQ)
 DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
 
 
-/*   TBSRequest      ::=     SEQUENCE {
+/*-  TBSRequest      ::=     SEQUENCE {
  *       version             [0] EXPLICIT Version DEFAULT v1,
  *       requestorName       [1] EXPLICIT GeneralName OPTIONAL,
  *       requestList             SEQUENCE OF Request,
@@ -134,7 +134,7 @@ typedef struct ocsp_req_info_st
 	STACK_OF(X509_EXTENSION) *requestExtensions;
 	} OCSP_REQINFO;
 
-/*   Signature       ::=     SEQUENCE {
+/*-  Signature       ::=     SEQUENCE {
  *       signatureAlgorithm   AlgorithmIdentifier,
  *       signature            BIT STRING,
  *       certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
@@ -146,7 +146,7 @@ typedef struct ocsp_signature_st
 	STACK_OF(X509) *certs;
 	} OCSP_SIGNATURE;
 
-/*   OCSPRequest     ::=     SEQUENCE {
+/*-  OCSPRequest     ::=     SEQUENCE {
  *       tbsRequest                  TBSRequest,
  *       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
  */
@@ -156,7 +156,7 @@ typedef struct ocsp_request_st
 	OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
 	} OCSP_REQUEST;
 
-/*   OCSPResponseStatus ::= ENUMERATED {
+/*-  OCSPResponseStatus ::= ENUMERATED {
  *       successful            (0),      --Response has valid confirmations
  *       malformedRequest      (1),      --Illegal confirmation request
  *       internalError         (2),      --Internal error in issuer
@@ -173,7 +173,7 @@ typedef struct ocsp_request_st
 #define OCSP_RESPONSE_STATUS_SIGREQUIRED          5
 #define OCSP_RESPONSE_STATUS_UNAUTHORIZED         6
 
-/*   ResponseBytes ::=       SEQUENCE {
+/*-  ResponseBytes ::=       SEQUENCE {
  *       responseType   OBJECT IDENTIFIER,
  *       response       OCTET STRING }
  */
@@ -183,7 +183,7 @@ typedef struct ocsp_resp_bytes_st
 	ASN1_OCTET_STRING *response;
 	} OCSP_RESPBYTES;
 
-/*   OCSPResponse ::= SEQUENCE {
+/*-  OCSPResponse ::= SEQUENCE {
  *      responseStatus         OCSPResponseStatus,
  *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
  */
@@ -193,7 +193,7 @@ struct ocsp_response_st
 	OCSP_RESPBYTES  *responseBytes;
 	};
 
-/*   ResponderID ::= CHOICE {
+/*-  ResponderID ::= CHOICE {
  *      byName   [1] Name,
  *      byKey    [2] KeyHash }
  */
@@ -211,11 +211,11 @@ struct ocsp_responder_id_st
 DECLARE_STACK_OF(OCSP_RESPID)
 DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
 
-/*   KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+/*-  KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
  *                            --(excluding the tag and length fields)
  */
 
-/*   RevokedInfo ::= SEQUENCE {
+/*-  RevokedInfo ::= SEQUENCE {
  *       revocationTime              GeneralizedTime,
  *       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
  */
@@ -225,7 +225,7 @@ typedef struct ocsp_revoked_info_st
 	ASN1_ENUMERATED *revocationReason;
 	} OCSP_REVOKEDINFO;
 
-/*   CertStatus ::= CHOICE {
+/*-  CertStatus ::= CHOICE {
  *       good                [0]     IMPLICIT NULL,
  *       revoked             [1]     IMPLICIT RevokedInfo,
  *       unknown             [2]     IMPLICIT UnknownInfo }
@@ -243,7 +243,7 @@ typedef struct ocsp_cert_status_st
 		} value;
 	} OCSP_CERTSTATUS;
 
-/*   SingleResponse ::= SEQUENCE {
+/*-  SingleResponse ::= SEQUENCE {
  *      certID                       CertID,
  *      certStatus                   CertStatus,
  *      thisUpdate                   GeneralizedTime,
@@ -262,7 +262,7 @@ typedef struct ocsp_single_response_st
 DECLARE_STACK_OF(OCSP_SINGLERESP)
 DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
 
-/*   ResponseData ::= SEQUENCE {
+/*-  ResponseData ::= SEQUENCE {
  *      version              [0] EXPLICIT Version DEFAULT v1,
  *      responderID              ResponderID,
  *      producedAt               GeneralizedTime,
@@ -278,7 +278,7 @@ typedef struct ocsp_response_data_st
 	STACK_OF(X509_EXTENSION) *responseExtensions;
 	} OCSP_RESPDATA;
 
-/*   BasicOCSPResponse       ::= SEQUENCE {
+/*-  BasicOCSPResponse       ::= SEQUENCE {
  *      tbsResponseData      ResponseData,
  *      signatureAlgorithm   AlgorithmIdentifier,
  *      signature            BIT STRING,
@@ -308,7 +308,7 @@ typedef struct ocsp_basic_response_st
 	STACK_OF(X509) *certs;
 	} OCSP_BASICRESP;
 
-/*
+/*-
  *   CRLReason ::= ENUMERATED {
  *        unspecified             (0),
  *        keyCompromise           (1),
@@ -329,7 +329,8 @@ typedef struct ocsp_basic_response_st
 #define OCSP_REVOKED_STATUS_CERTIFICATEHOLD         6
 #define OCSP_REVOKED_STATUS_REMOVEFROMCRL           8
 
-/* CrlID ::= SEQUENCE {
+/*-
+ * CrlID ::= SEQUENCE {
  *     crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
  *     crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
  *     crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }
@@ -341,7 +342,8 @@ typedef struct ocsp_crl_id_st
 	ASN1_GENERALIZEDTIME *crlTime;
         } OCSP_CRLID;
 
-/* ServiceLocator ::= SEQUENCE {
+/*-
+ * ServiceLocator ::= SEQUENCE {
  *      issuer    Name,
  *      locator   AuthorityInfoAccessSyntax OPTIONAL }
  */
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 22b87f9..f40abf4 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -5,7 +5,8 @@
 extern "C" {
 #endif
 
-/* Numeric release version identifier:
+/*-
+ * Numeric release version identifier:
  * MNNFFPPS: major minor fix patch status
  * The status nibble has one of the values 0 for development, 1 to e for betas
  * 1 to 14, and f for release.  The patch level is exactly that.
@@ -38,7 +39,8 @@ extern "C" {
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
 
-/* The macros below are to be used for shared library (.so, .dll, ...)
+/*-
+ * The macros below are to be used for shared library (.so, .dll, ...)
  * versioning.  That kind of versioning works a bit differently between
  * operating systems.  The most usual scheme is to set a major and a minor
  * number, and have the runtime loader check that the major number is equal
diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h
index b7f1efa..7078637 100644
--- a/crypto/pkcs7/pkcs7.h
+++ b/crypto/pkcs7/pkcs7.h
@@ -76,7 +76,7 @@ extern "C" {
 #undef PKCS7_SIGNER_INFO
 #endif
 
-/*
+/*-
 Encryption_ID		DES-CBC
 Digest_ID		MD5
 Digest_Encryption_ID	rsaEncryption
diff --git a/crypto/rand/rand_egd.c b/crypto/rand/rand_egd.c
index 0a74e40..0f32094 100644
--- a/crypto/rand/rand_egd.c
+++ b/crypto/rand/rand_egd.c
@@ -58,7 +58,7 @@
 #include <openssl/rand.h>
 #include <openssl/buffer.h>
 
-/*
+/*-
  * Query the EGD <URL: http://www.lothar.com/tech/crypto/>.
  *
  * This module supplies three routines:
diff --git a/crypto/rc2/rc2test.c b/crypto/rc2/rc2test.c
index 0e11743..945b179 100644
--- a/crypto/rc2/rc2test.c
+++ b/crypto/rc2/rc2test.c
@@ -129,7 +129,7 @@ static unsigned char cfb_cipher64[CFB_TEST_SIZE]={
 	0x2C,0x17,0x25,0xD0,0x1A,0x38,0xB7,0x2A,
 	0x39,0x61,0x37,0xDC,0x79,0xFB,0x9F,0x45
 
-/*	0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
+/*-	0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
 	0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
 	0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
 	}; 
diff --git a/crypto/rc4/rc4_enc.c b/crypto/rc4/rc4_enc.c
index 0cc5ac4..ee0fe8d 100644
--- a/crypto/rc4/rc4_enc.c
+++ b/crypto/rc4/rc4_enc.c
@@ -79,7 +79,7 @@ void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
         d=key->data; 
 
 #if defined(RC4_CHUNK) && !defined(PEDANTIC)
-	/*
+	/*-
 	 * The original reason for implementing this(*) was the fact that
 	 * pre-21164a Alpha CPUs don't have byte load/store instructions
 	 * and e.g. a byte store has to be done with 64-bit load, shift,
@@ -126,7 +126,7 @@ void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
 		RC4_CHUNK ichunk,otp;
 		const union { long one; char little; } is_endian = {1};
 
-		/*
+		/*-
 		 * I reckon we can afford to implement both endian
 		 * cases and to decide which way to take at run-time
 		 * because the machine code appears to be very compact
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index f890f89..4b79332 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -98,7 +98,7 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
 	hLen = M_EVP_MD_size(Hash);
 	if (hLen < 0)
 		goto err;
-	/*
+	/*-
 	 * Negative sLen has special meanings:
 	 *	-1	sLen == hLen
 	 *	-2	salt length is autorecovered from signature
@@ -210,7 +210,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
 	hLen = M_EVP_MD_size(Hash);
 	if (hLen < 0)
 		goto err;
-	/*
+	/*-
 	 * Negative sLen has special meanings:
 	 *	-1	sLen == hLen
 	 *	-2	salt length is maximized
diff --git a/crypto/sha/sha.h b/crypto/sha/sha.h
index 7cbca26..c5dd660 100644
--- a/crypto/sha/sha.h
+++ b/crypto/sha/sha.h
@@ -70,7 +70,7 @@ extern "C" {
 #error SHA is disabled.
 #endif
 
-/*
+/*-
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then !
  * ! SHA_LONG_LOG2 has to be defined along.                        !
diff --git a/crypto/sha/sha512.c b/crypto/sha/sha512.c
index 080b33e..5be98d3 100644
--- a/crypto/sha/sha512.c
+++ b/crypto/sha/sha512.c
@@ -6,7 +6,7 @@
  */
 #include <openssl/opensslconf.h>
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
-/*
+/*-
  * IMPLEMENTATION NOTES.
  *
  * As you might have noticed 32-bit hash algorithms:
diff --git a/crypto/stack/safestack.h b/crypto/stack/safestack.h
index 5327cb8..99393cb 100644
--- a/crypto/stack/safestack.h
+++ b/crypto/stack/safestack.h
@@ -101,7 +101,8 @@ STACK_OF(type) \
 #define IMPLEMENT_STACK_OF(type) /* nada (obsolete in new safestack approach)*/
 
 
-/* Strings are special: normally an lhash entry will point to a single
+/*-
+ * Strings are special: normally an lhash entry will point to a single
  * (somewhat) mutable object. In the case of strings:
  *
  * a) Instead of a single char, there is an array of chars, NUL-terminated.
@@ -110,7 +111,7 @@ STACK_OF(type) \
  * So, they need their own declarations. Especially important for
  * type-checking tools, such as Deputy.
  *
-o * In practice, however, it appears to be hard to have a const
+ * In practice, however, it appears to be hard to have a const
  * string. For now, I'm settling for dealing with the fact it is a
  * string at all.
  */
diff --git a/crypto/ts/ts.h b/crypto/ts/ts.h
index c2448e3..b5fe7ae 100644
--- a/crypto/ts/ts.h
+++ b/crypto/ts/ts.h
@@ -98,7 +98,7 @@ extern "C" {
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-/*
+/*-
 MessageImprint ::= SEQUENCE  {
      hashAlgorithm                AlgorithmIdentifier,
      hashedMessage                OCTET STRING  }
@@ -110,7 +110,7 @@ typedef struct TS_msg_imprint_st
 	ASN1_OCTET_STRING *hashed_msg;
 	} TS_MSG_IMPRINT;
 
-/*
+/*-
 TimeStampReq ::= SEQUENCE  {
    version                  INTEGER  { v1(1) },
    messageImprint           MessageImprint,
@@ -132,7 +132,7 @@ typedef struct TS_req_st
 	STACK_OF(X509_EXTENSION) *extensions;	/* [0] OPTIONAL */
 	} TS_REQ;
 
-/*
+/*-
 Accuracy ::= SEQUENCE {
                 seconds        INTEGER           OPTIONAL,
                 millis     [0] INTEGER  (1..999) OPTIONAL,
@@ -146,7 +146,7 @@ typedef struct TS_accuracy_st
 	ASN1_INTEGER *micros;
 	} TS_ACCURACY;
 
-/*
+/*-
 TSTInfo ::= SEQUENCE  {
     version                      INTEGER  { v1(1) },
     policy                       TSAPolicyId,
@@ -180,7 +180,7 @@ typedef struct TS_tst_info_st
 	STACK_OF(X509_EXTENSION) *extensions;
 	} TS_TST_INFO;	
 
-/*
+/*-
 PKIStatusInfo ::= SEQUENCE {
     status        PKIStatus,
     statusString  PKIFreeText     OPTIONAL,
@@ -223,7 +223,7 @@ typedef struct TS_status_info_st
 DECLARE_STACK_OF(ASN1_UTF8STRING)
 DECLARE_ASN1_SET_OF(ASN1_UTF8STRING)
 
-/*
+/*-
 TimeStampResp ::= SEQUENCE  {
      status                  PKIStatusInfo,
      timeStampToken          TimeStampToken     OPTIONAL }
@@ -238,7 +238,7 @@ typedef struct TS_resp_st
 
 /* The structure below would belong to the ESS component. */
 
-/*
+/*-
 IssuerSerial ::= SEQUENCE {
 	issuer                   GeneralNames,
 	serialNumber             CertificateSerialNumber
@@ -251,7 +251,7 @@ typedef struct ESS_issuer_serial
 	ASN1_INTEGER		*serial;
 	} ESS_ISSUER_SERIAL;
 
-/*
+/*-
 ESSCertID ::=  SEQUENCE {
         certHash                 Hash,
         issuerSerial             IssuerSerial OPTIONAL
@@ -267,7 +267,7 @@ typedef struct ESS_cert_id
 DECLARE_STACK_OF(ESS_CERT_ID)
 DECLARE_ASN1_SET_OF(ESS_CERT_ID)
 
-/*
+/*-
 SigningCertificate ::=  SEQUENCE {
        certs        SEQUENCE OF ESSCertID,
        policies     SEQUENCE OF PolicyInformation OPTIONAL
@@ -691,7 +691,7 @@ void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx);
 void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
 void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
 
-/* 
+/*-
  * If ctx is NULL, it allocates and returns a new object, otherwise
  * it returns ctx. It initialises all the members as follows:
  * flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE)
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 3c7f816..cee1398 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -393,7 +393,7 @@ int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token)
 	return ret;
 	}
 
-/*
+/*-
  * Verifies whether the 'token' contains a valid time stamp token 
  * with regards to the settings of the context. Only those checks are
  * carried out that are specified in the context:
diff --git a/crypto/ui/ui.h b/crypto/ui/ui.h
index 5c4ff49..f23ae16 100644
--- a/crypto/ui/ui.h
+++ b/crypto/ui/ui.h
@@ -84,7 +84,8 @@ UI *UI_new(void);
 UI *UI_new_method(const UI_METHOD *method);
 void UI_free(UI *ui);
 
-/* The following functions are used to add strings to be printed and prompt
+/*-
+   The following functions are used to add strings to be printed and prompt
    strings to prompt for data.  The names are UI_{add,dup}_<function>_string
    and UI_{add,dup}_input_boolean.
 
@@ -243,7 +244,8 @@ UI_METHOD *UI_OpenSSL(void);
 
 
 /* ---------- For method writers ---------- */
-/* A method contains a number of functions that implement the low level
+/*-
+   A method contains a number of functions that implement the low level
    of the User Interface.  The functions are:
 
 	an opener	This function starts a session, maybe by opening
diff --git a/crypto/whrlpool/wp_dgst.c b/crypto/whrlpool/wp_dgst.c
index ee5c5c1..1b782e2 100644
--- a/crypto/whrlpool/wp_dgst.c
+++ b/crypto/whrlpool/wp_dgst.c
@@ -140,7 +140,7 @@ void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *_inp,size_t bits)
 	else				/* bit-oriented loop */
 #endif
 		{
-		/*
+		/*-
 			   inp
 			   |
 			   +-------+-------+-------
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index ad804f2..46c1d44 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -549,7 +549,7 @@ typedef struct Netscape_certificate_sequence
 	STACK_OF(X509) *certs;
 	} NETSCAPE_CERT_SEQUENCE;
 
-/* Unused (and iv length is wrong)
+/*- Unused (and iv length is wrong)
 typedef struct CBCParameter_st
 	{
 	unsigned char iv[8];
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 79281c6..47426c7 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -624,7 +624,8 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x
 	}
 
 
-/* Try to get issuer certificate from store. Due to limitations
+/*-
+ * Try to get issuer certificate from store. Due to limitations
  * of the API this can only retrieve a single certificate matching
  * a given subject name. However it will fill the cache with all
  * matching certificates, so we can examine the cache for all
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 8a6f10d..aff2b0c 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -97,7 +97,7 @@ typedef struct x509_file_st
 	} X509_CERT_FILE_CTX;
 
 /*******************************/
-/*
+/*-
 SSL_CTX -> X509_STORE    
 		-> X509_LOOKUP
 			->X509_LOOKUP_METHOD
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index a809219..92ac038 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -193,7 +193,8 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
 	OPENSSL_free(param);
 	}
 
-/* This function determines how parameters are "inherited" from one structure
+/*-
+ * This function determines how parameters are "inherited" from one structure
  * to another. There are several different ways this can happen.
  *
  * 1. If a child structure needs to have its values initialized from a parent
diff --git a/crypto/x509/x509name.c b/crypto/x509/x509name.c
index 27bc4dc..81f40f5 100644
--- a/crypto/x509/x509name.c
+++ b/crypto/x509/x509name.c
@@ -157,14 +157,16 @@ X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
 		set_prev=ret->set-1;
 	set_next=sk_X509_NAME_ENTRY_value(sk,loc)->set;
 
-	/* set_prev is the previous set
+	/*-
+	 * set_prev is the previous set
 	 * set is the current set
 	 * set_next is the following
 	 * prev  1 1	1 1	1 1	1 1
 	 * set   1	1	2	2
 	 * next  1 1	2 2	2 2	3 2
 	 * so basically only if prev and next differ by 2, then
-	 * re-number down by 1 */
+	 * re-number down by 1 
+	 */
 	if (set_prev+1 < set_next)
 		for (i=loc; i<n; i++)
 			sk_X509_NAME_ENTRY_value(sk,i)->set--;
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 93470c3..361bc32 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -758,7 +758,8 @@ void X509_policy_tree_free(X509_POLICY_TREE *tree)
 
 	}
 
-/* Application policy checking function.
+/*-
+ * Application policy checking function.
  * Return codes:
  *  0 	Internal Error.
  *  1   Successful.
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 26a6f67..06520fe 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -225,7 +225,8 @@ static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
 	return 1;
 	}
 
-/* Check a certificate conforms to a specified set of constraints.
+/*-
+ * Check a certificate conforms to a specified set of constraints.
  * Return values:
  *  X509_V_OK: All constraints obeyed.
  *  X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
@@ -234,7 +235,6 @@ static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
  *  X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:  Unsupported constraint type.
  *  X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
  *  X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
-
  */
 
 int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 5f931db..8e0a685 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -497,7 +497,8 @@ static void x509v3_cache_extensions(X509 *x)
 	x->ex_flags |= EXFLAG_SET;
 }
 
-/* CA checks common to all purposes
+/*-
+ * CA checks common to all purposes
  * return codes:
  * 0 not a CA
  * 1 is a CA
@@ -700,7 +701,8 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
 	return 1;
 }
 
-/* Various checks to see if one certificate issued the second.
+/*-
+ * Various checks to see if one certificate issued the second.
  * This can be used to prune a set of possible issuer certificates
  * which have been looked up using some simple method such as by
  * subject name.
diff --git a/crypto/x509v3/v3_scts.c b/crypto/x509v3/v3_scts.c
index 3bf1579..5367271 100644
--- a/crypto/x509v3/v3_scts.c
+++ b/crypto/x509v3/v3_scts.c
@@ -226,7 +226,8 @@ static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
 		sct->version = *p2++;
 		if (sct->version == 0)		/* SCT v1 */
 			{
-			/* Fixed-length header:
+			/*- 
+			 * Fixed-length header:
 			 *		struct {
 			 * (1 byte)	  Version sct_version;
 			 * (32 bytes)	  LogID id;
@@ -251,7 +252,8 @@ static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
 			p2 += fieldlen;
 			sctlen -= fieldlen;
 
-			/* digitally-signed struct header:
+			/*-
+			 * digitally-signed struct header:
 			 * (1 byte)       Hash algorithm
 			 * (1 byte)       Signature algorithm
 			 * (2 bytes + ?)  Signature
diff --git a/crypto/x509v3/v3nametest.c b/crypto/x509v3/v3nametest.c
index dd5f9f8..fbf82d0 100644
--- a/crypto/x509v3/v3nametest.c
+++ b/crypto/x509v3/v3nametest.c
@@ -91,7 +91,7 @@ static int set_cn(X509 *crt, ...)
 	return ret;
 	}
 
-/*
+/*-
 int		X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
 X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
 			int nid, int crit, ASN1_OCTET_STRING *data);
diff --git a/demos/asn1/ocsp.c b/demos/asn1/ocsp.c
index e89f1f7..e2535f3 100644
--- a/demos/asn1/ocsp.c
+++ b/demos/asn1/ocsp.c
@@ -62,7 +62,8 @@
 
 
 
-/* Example of new ASN1 code, OCSP request
+/*- 
+   Example of new ASN1 code, OCSP request
 
 	OCSPRequest     ::=     SEQUENCE {
 	    tbsRequest                  TBSRequest,
diff --git a/demos/easy_tls/easy-tls.c b/demos/easy_tls/easy-tls.c
index 864017d..22ea442 100644
--- a/demos/easy_tls/easy-tls.c
+++ b/demos/easy_tls/easy-tls.c
@@ -3,7 +3,7 @@
  * easy-tls.c -- generic TLS proxy.
  * $Id: easy-tls.c,v 1.4 2002/03/05 09:07:16 bodo Exp $
  */
-/*
+/*-
  (c) Copyright 1999 Bodo Moeller.  All rights reserved.
 
  This is free software; you can redistributed and/or modify it
@@ -14,7 +14,7 @@
  or
    -  the following license:
 */
-/*
+/*-
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that each of the following
  * conditions is met:
@@ -185,7 +185,8 @@ tls_start_proxy_defaultargs(void)
     return ret;
 }
 
-/* Slice in TLS proxy process at fd.
+/*- 
+ * Slice in TLS proxy process at fd.
  * Return value:
  *   0    ok  (*pid is set to child's PID if pid != NULL),
  *   < 0  look at errno
diff --git a/e_os.h b/e_os.h
index 8b7bcf2..1d27b63 100644
--- a/e_os.h
+++ b/e_os.h
@@ -371,7 +371,8 @@ static __inline unsigned int _strlen31(const char *str)
 #    define NUL_DEV		"NLA0:"
   /* We don't have any well-defined random devices on VMS, yet... */
 #    undef DEVRANDOM
-  /* We need to do this since VMS has the following coding on status codes:
+  /*-
+     We need to do this since VMS has the following coding on status codes:
 
      Bits 0-2: status type: 0 = warning, 1 = success, 2 = error, 3 = info ...
                The important thing to know is that odd numbers are considered
diff --git a/e_os2.h b/e_os2.h
index dc6ee2d..3789bd4 100644
--- a/e_os2.h
+++ b/e_os2.h
@@ -203,24 +203,25 @@ extern "C" {
 # define OPENSSL_DECLARE_EXIT /* declared in unistd.h */
 #endif
 
-/* Definitions of OPENSSL_GLOBAL and OPENSSL_EXTERN, to define and declare
-   certain global symbols that, with some compilers under VMS, have to be
-   defined and declared explicitely with globaldef and globalref.
-   Definitions of OPENSSL_EXPORT and OPENSSL_IMPORT, to define and declare
-   DLL exports and imports for compilers under Win32.  These are a little
-   more complicated to use.  Basically, for any library that exports some
-   global variables, the following code must be present in the header file
-   that declares them, before OPENSSL_EXTERN is used:
-
-   #ifdef SOME_BUILD_FLAG_MACRO
-   # undef OPENSSL_EXTERN
-   # define OPENSSL_EXTERN OPENSSL_EXPORT
-   #endif
-
-   The default is to have OPENSSL_EXPORT, OPENSSL_IMPORT and OPENSSL_GLOBAL
-   have some generally sensible values, and for OPENSSL_EXTERN to have the
-   value OPENSSL_IMPORT.
-*/
+/*-
+ * Definitions of OPENSSL_GLOBAL and OPENSSL_EXTERN, to define and declare
+ * certain global symbols that, with some compilers under VMS, have to be
+ * defined and declared explicitely with globaldef and globalref.
+ * Definitions of OPENSSL_EXPORT and OPENSSL_IMPORT, to define and declare
+ * DLL exports and imports for compilers under Win32.  These are a little
+ * more complicated to use.  Basically, for any library that exports some
+ * global variables, the following code must be present in the header file
+ * that declares them, before OPENSSL_EXTERN is used:
+ *
+ * #ifdef SOME_BUILD_FLAG_MACRO
+ * # undef OPENSSL_EXTERN
+ * # define OPENSSL_EXTERN OPENSSL_EXPORT
+ * #endif
+ *
+ * The default is to have OPENSSL_EXPORT, OPENSSL_IMPORT and OPENSSL_GLOBAL
+ * have some generally sensible values, and for OPENSSL_EXTERN to have the
+ * value OPENSSL_IMPORT.
+ */
 
 #if defined(OPENSSL_SYS_VMS_NODECC)
 # define OPENSSL_EXPORT globalref
@@ -237,16 +238,17 @@ extern "C" {
 #endif
 #define OPENSSL_EXTERN OPENSSL_IMPORT
 
-/* Macros to allow global variables to be reached through function calls when
-   required (if a shared library version requires it, for example.
-   The way it's done allows definitions like this:
-
-	// in foobar.c
-	OPENSSL_IMPLEMENT_GLOBAL(int,foobar,0)
-	// in foobar.h
-	OPENSSL_DECLARE_GLOBAL(int,foobar);
-	#define foobar OPENSSL_GLOBAL_REF(foobar)
-*/
+/*-
+ * Macros to allow global variables to be reached through function calls when
+ * required (if a shared library version requires it, for example.
+ * The way it's done allows definitions like this:
+ *
+ *	// in foobar.c
+ *	OPENSSL_IMPLEMENT_GLOBAL(int,foobar,0)
+ *	// in foobar.h
+ *	OPENSSL_DECLARE_GLOBAL(int,foobar);
+ *	#define foobar OPENSSL_GLOBAL_REF(foobar)
+ */
 #ifdef OPENSSL_EXPORT_VAR_AS_FUNCTION
 # define OPENSSL_IMPLEMENT_GLOBAL(type,name,value)			\
 	type *_shadow_##name(void)					\
diff --git a/engines/ccgost/gost89.c b/engines/ccgost/gost89.c
index c1474cb..2b6201b 100644
--- a/engines/ccgost/gost89.c
+++ b/engines/ccgost/gost89.c
@@ -9,7 +9,8 @@
  **********************************************************************/ 
 #include <string.h>
 #include "gost89.h"
-/* Substitution blocks from RFC 4357 
+/*-
+   Substitution blocks from RFC 4357 
    
    Note: our implementation of gost 28147-89 algorithm 
    uses S-box matrix rotated 90 degrees counterclockwise, relative to 
diff --git a/engines/ccgost/gost_ctl.c b/engines/ccgost/gost_ctl.c
index d3cd171..4b0fa19 100644
--- a/engines/ccgost/gost_ctl.c
+++ b/engines/ccgost/gost_ctl.c
@@ -18,7 +18,7 @@ static char *gost_params[GOST_PARAM_MAX+1]={NULL};
 static const char *gost_envnames[]={"CRYPT_PARAMS"};
 const ENGINE_CMD_DEFN gost_cmds[]=
 	{
-/*	{ GOST_CTRL_RNG,
+/*-	{ GOST_CTRL_RNG,
 	"RNG",
 	"Type of random number generator to use",
 	ENGINE_CMD_FLAG_STRING
diff --git a/engines/ccgost/gost_keywrap.c b/engines/ccgost/gost_keywrap.c
index c618f6d..c8a4508 100644
--- a/engines/ccgost/gost_keywrap.c
+++ b/engines/ccgost/gost_keywrap.c
@@ -11,7 +11,8 @@
 #include "gost89.h"
 #include "gost_keywrap.h"
 
-/* Diversifies key using random UserKey Material
+/*-
+ * Diversifies key using random UserKey Material
  * Implements RFC 4357 p 6.5 key diversification algorithm 
  * 
  * inputKey - 32byte key to be diversified
@@ -58,7 +59,7 @@ void keyDiversifyCryptoPro(gost_ctx *ctx,const unsigned char *inputKey, const un
 	}	
 	
 
-/*
+/*-
  * Wraps key using RFC 4357 6.3
  * ctx - gost encryption context, initialized with some S-boxes 
  * keyExchangeKey (KEK) 32-byte (256-bit) shared key
@@ -78,7 +79,7 @@ int keyWrapCryptoPro(gost_ctx *ctx,const unsigned char *keyExchangeKey, const un
 	gost_mac_iv(ctx,32,ukm,sessionKey,32,wrappedKey+40);
 	return 1;
 	}
-/*
+/*-
  * Unwraps key using RFC 4357 6.4
  * ctx - gost encryption context, initialized with some S-boxes 
  * keyExchangeKey 32-byte shared key
diff --git a/engines/ccgost/gost_keywrap.h b/engines/ccgost/gost_keywrap.h
index 37c2a0f..80c7927 100644
--- a/engines/ccgost/gost_keywrap.h
+++ b/engines/ccgost/gost_keywrap.h
@@ -11,7 +11,8 @@
 #define GOST_KEYWRAP_H
 #include <string.h>
 #include "gost89.h"
-/* Diversifies key using random UserKey Material
+/*-
+ * Diversifies key using random UserKey Material
  * Implements RFC 4357 p 6.5 key diversification algorithm 
  * 
  * inputKey - 32byte key to be diversified
@@ -23,7 +24,7 @@ void keyDiversifyCryptoPro(gost_ctx *ctx,
 	const unsigned char *inputKey, 
 	const unsigned char *ukm, 
 	unsigned char *outputKey);
-/*
+/*-
  * Wraps key using RFC 4357 6.3
  * ctx - gost encryption context, initialized with some S-boxes 
  * keyExchangeKey (KEK) 32-byte (256-bit) shared key
@@ -37,7 +38,7 @@ int keyWrapCryptoPro(gost_ctx *ctx,
 	const unsigned char *ukm,
 	const	unsigned char *sessionKey, 
 	unsigned char *wrappedKey) ;
-/*
+/*-
  * Unwraps key using RFC 4357 6.4
  * ctx - gost encryption context, initialized with some S-boxes 
  * keyExchangeKey 32-byte shared key
diff --git a/engines/ccgost/gost_sign.c b/engines/ccgost/gost_sign.c
index 93a1f27..17e9f13 100644
--- a/engines/ccgost/gost_sign.c
+++ b/engines/ccgost/gost_sign.c
@@ -101,7 +101,7 @@ DSA_SIG *gost_do_sign(const unsigned char *dgst,int dlen, DSA *dsa)
  * Packs signature according to Cryptocom rules
  * and frees up DSA_SIG structure
  */
-/*
+/*-
 int pack_sign_cc(DSA_SIG *s,int order,unsigned char *sig, size_t *siglen)
 	{
 	*siglen = 2*order;
@@ -248,7 +248,7 @@ int gost_sign_keygen(DSA *dsa)
 	}
 
 /* Unpack signature according to cryptocom rules  */
-/*
+/*-
 DSA_SIG *unpack_cc_signature(const unsigned char *sig,size_t siglen)
 	{
 	DSA_SIG *s;
diff --git a/engines/e_chil.c b/engines/e_chil.c
index fdc2100..9999fcc 100644
--- a/engines/e_chil.c
+++ b/engines/e_chil.c
@@ -76,7 +76,8 @@
 #ifndef OPENSSL_NO_HW
 #ifndef OPENSSL_NO_HW_CHIL
 
-/* Attribution notice: nCipher have said several times that it's OK for
+/*-
+ * Attribution notice: nCipher have said several times that it's OK for
  * us to implement a general interface to their boxes, and recently declared
  * their HWCryptoHook to be public, and therefore available for us to use.
  * Thanks, nCipher.
diff --git a/engines/e_gmp.c b/engines/e_gmp.c
index a3d4715..6166e9b 100644
--- a/engines/e_gmp.c
+++ b/engines/e_gmp.c
@@ -62,7 +62,8 @@
  * otherwise paths must be specified - eg. try configuring with
  * "enable-gmp -I<includepath> -L<libpath> -lgmp". YMMV. */
 
-/* As for what this does - it's a largely unoptimised implementation of an
+/*-
+ * As for what this does - it's a largely unoptimised implementation of an
  * ENGINE that uses the GMP library to perform RSA private key operations. To
  * obtain more information about what "unoptimised" means, see my original mail
  * on the subject (though ignore the build instructions which have since
diff --git a/engines/e_padlock.c b/engines/e_padlock.c
index 26e2edf..42a11b5 100644
--- a/engines/e_padlock.c
+++ b/engines/e_padlock.c
@@ -1,4 +1,4 @@
-/* 
+/*-
  * Support for VIA PadLock Advanced Cryptography Engine (ACE)
  * Written by Michal Ludvig <michal at logix.cz>
  *            http://www.logix.cz/michal
diff --git a/engines/vendor_defns/hwcryptohook.h b/engines/vendor_defns/hwcryptohook.h
index 482f1f2..f84f9d0 100644
--- a/engines/vendor_defns/hwcryptohook.h
+++ b/engines/vendor_defns/hwcryptohook.h
@@ -1,4 +1,4 @@
-/*
+/*-
  * ModExp / RSA (with/without KM) plugin API
  *
  * The application will load a dynamic library which
@@ -84,7 +84,8 @@
 
 #if HWCRYPTOHOOK_DECLARE_APPTYPES
 
-/* These structs are defined by the application and opaque to the
+/*-
+ * These structs are defined by the application and opaque to the
  * crypto plugin.  The application may define these as it sees fit.
  * Default declarations are provided here, but the application may
  *  #define HWCRYPTOHOOK_DECLARE_APPTYPES 0
@@ -100,7 +101,8 @@ typedef struct HWCryptoHook_CallerContextValue HWCryptoHook_CallerContext;
 
 #endif /* HWCRYPTOHOOK_DECLARE_APPTYPES */
 
-/* These next two structs are opaque to the application.  The crypto
+/*- 
+ * These next two structs are opaque to the application.  The crypto
  * plugin will return pointers to them; the caller simply manipulates
  * the pointers.
  */
@@ -111,7 +113,8 @@ typedef struct {
   char *buf;
   size_t size;
 } HWCryptoHook_ErrMsgBuf;
-/* Used for error reporting.  When a HWCryptoHook function fails it
+/*-
+ * Used for error reporting.  When a HWCryptoHook function fails it
  * will return a sentinel value (0 for pointer-valued functions, or a
  * negative number, usually HWCRYPTOHOOK_ERROR_FAILED, for
  * integer-valued ones).  It will, if an ErrMsgBuf is passed, also put
@@ -130,7 +133,8 @@ typedef struct HWCryptoHook_MPIStruct {
   unsigned char *buf;
   size_t size;
 } HWCryptoHook_MPI;
-/* When one of these is returned, a pointer is passed to the function.
+/*-
+ * When one of these is returned, a pointer is passed to the function.
  * At call, size is the space available.  Afterwards it is updated to
  * be set to the actual length (which may be more than the space available,
  * if there was not enough room and the result was truncated).
@@ -143,7 +147,8 @@ typedef struct HWCryptoHook_MPIStruct {
 
 #define HWCryptoHook_InitFlags_FallbackModExp    0x0002UL
 #define HWCryptoHook_InitFlags_FallbackRSAImmed  0x0004UL
-/* Enable requesting fallback to software in case of problems with the
+/*- 
+ * Enable requesting fallback to software in case of problems with the
  * hardware support.  This indicates to the crypto provider that the
  * application is prepared to fall back to software operation if the
  * ModExp* or RSAImmed* functions return HWCRYPTOHOOK_ERROR_FALLBACK.
@@ -154,7 +159,8 @@ typedef struct HWCryptoHook_MPIStruct {
  */
 
 #define HWCryptoHook_InitFlags_SimpleForkCheck   0x0010UL
-/* Without _SimpleForkCheck the library is allowed to assume that the
+/*-
+ * Without _SimpleForkCheck the library is allowed to assume that the
  * application will not fork and call the library in the child(ren).
  *
  * When it is specified, this is allowed.  However, after a fork
@@ -174,7 +180,8 @@ typedef struct {
   int mslimbfirst; /* 0 or 1 */
   int msbytefirst; /* 0 or 1; -1 = native */
 
-  /* All the callback functions should return 0 on success, or a
+  /*-
+   * All the callback functions should return 0 on success, or a
    * nonzero integer (whose value will be visible in the error message
    * put in the buffer passed to the call).
    *
@@ -183,7 +190,8 @@ typedef struct {
    * The callbacks may not call down again into the crypto plugin.
    */
   
-  /* For thread-safety.  Set everything to 0 if you promise only to be
+  /*-
+   * For thread-safety.  Set everything to 0 if you promise only to be
    * singlethreaded.  maxsimultaneous is the number of calls to
    * ModExp[Crt]/RSAImmed{Priv,Pub}/RSA.  If you don't know what to
    * put there then say 0 and the hook library will use a default.
@@ -207,7 +215,8 @@ typedef struct {
   void (*mutex_release)(HWCryptoHook_Mutex*);
   void (*mutex_destroy)(HWCryptoHook_Mutex*);
 
-  /* For greater efficiency, can use condition vars internally for
+  /*-
+   * For greater efficiency, can use condition vars internally for
    * synchronisation.  In this case maxsimultaneous is ignored, but
    * the other mutex stuff must be available.  In singlethreaded
    * programs, set everything to 0.
@@ -219,7 +228,8 @@ typedef struct {
   void (*condvar_broadcast)(HWCryptoHook_CondVar*);
   void (*condvar_destroy)(HWCryptoHook_CondVar*);
   
-  /* The semantics of acquiring and releasing mutexes and broadcasting
+  /*-
+   * The semantics of acquiring and releasing mutexes and broadcasting
    * and waiting on condition variables are expected to be those from
    * POSIX threads (pthreads).  The mutexes may be (in pthread-speak)
    * fast mutexes, recursive mutexes, or nonrecursive ones.
@@ -234,7 +244,8 @@ typedef struct {
                        int *len_io, char *buf,
                        HWCryptoHook_PassphraseContext *ppctx,
                        HWCryptoHook_CallerContext *cactx);
-  /* Passphrases and the prompt_info, if they contain high-bit-set
+  /*-
+   * Passphrases and the prompt_info, if they contain high-bit-set
    * characters, are UTF-8.  The prompt_info may be a null pointer if
    * no prompt information is available (it should not be an empty
    * string).  It will not contain text like `enter passphrase';
@@ -251,7 +262,8 @@ typedef struct {
                       const char *wrong_info,
                       HWCryptoHook_PassphraseContext *ppctx,
                       HWCryptoHook_CallerContext *cactx);
-  /* Requests that the human user physically insert a different
+  /*-
+   * Requests that the human user physically insert a different
    * smartcard, DataKey, etc.  The plugin should check whether the
    * currently inserted token(s) are appropriate, and if they are it
    * should not make this call.
@@ -263,7 +275,8 @@ typedef struct {
    * syntactically similar to that of prompt_info. 
    */
   
-  /* Note that a single LoadKey operation might cause several calls to
+  /*-
+   * Note that a single LoadKey operation might cause several calls to
    * getpassphrase and/or requestphystoken.  If requestphystoken is
    * not provided (ie, a null pointer is passed) then the plugin may
    * not support loading keys for which authorisation by several cards
@@ -285,7 +298,8 @@ typedef struct {
    */
 
   void (*logmessage)(void *logstream, const char *message);
-  /* A log message will be generated at least every time something goes
+  /*-
+   * A log message will be generated at least every time something goes
    * wrong and an ErrMsgBuf is filled in (or would be if one was
    * provided).  Other diagnostic information may be written there too,
    * including more detailed reasons for errors which are reported in an
@@ -325,7 +339,8 @@ HWCryptoHook_ContextHandle HWCryptoHook_Init_t(const HWCryptoHook_InitInfo *init
                                                HWCryptoHook_CallerContext *cactx);
 extern HWCryptoHook_Init_t HWCryptoHook_Init;
 
-/* Caller should set initinfosize to the size of the HWCryptoHook struct,
+/*-
+ * Caller should set initinfosize to the size of the HWCryptoHook struct,
  * so it can be extended later.
  *
  * On success, a message for display or logging by the server,
@@ -334,7 +349,8 @@ extern HWCryptoHook_Init_t HWCryptoHook_Init;
  * usual.
  */
 
-/* All these functions return 0 on success, HWCRYPTOHOOK_ERROR_FAILED
+/*-
+ * All these functions return 0 on success, HWCRYPTOHOOK_ERROR_FAILED
  * on most failures.  HWCRYPTOHOOK_ERROR_MPISIZE means at least one of
  * the output MPI buffer(s) was too small; the sizes of all have been
  * set to the desired size (and for those where the buffer was large
@@ -345,7 +361,8 @@ extern HWCryptoHook_Init_t HWCryptoHook_Init;
  * _NoStderr at init time then messages may be reported to stderr.
  */
 
-/* The RSAImmed* functions (and key managed RSA) only work with
+/*-
+ * The RSAImmed* functions (and key managed RSA) only work with
  * modules which have an RSA patent licence - currently that means KM
  * units; the ModExp* ones work with all modules, so you need a patent
  * licence in the software in the US.  They are otherwise identical.
@@ -404,7 +421,8 @@ int HWCryptoHook_RSAImmedPriv_t(HWCryptoHook_ContextHandle hwctx,
                                 const HWCryptoHook_ErrMsgBuf *errors);
 extern HWCryptoHook_RSAImmedPriv_t HWCryptoHook_RSAImmedPriv;
 
-/* The RSAImmed* and ModExp* functions may return E_FAILED or
+/*-
+ * The RSAImmed* and ModExp* functions may return E_FAILED or
  * E_FALLBACK for failure.
  *
  * E_FAILED means the failure is permanent and definite and there
@@ -426,7 +444,8 @@ int HWCryptoHook_RSALoadKey_t(HWCryptoHook_ContextHandle hwctx,
                               const HWCryptoHook_ErrMsgBuf *errors,
                               HWCryptoHook_PassphraseContext *ppctx);
 extern HWCryptoHook_RSALoadKey_t HWCryptoHook_RSALoadKey;
-/* The key_ident is a null-terminated string configured by the
+/*-
+ * The key_ident is a null-terminated string configured by the
  * user via the application's usual configuration mechanisms.
  * It is provided to the user by the crypto provider's key management
  * system.  The user must be able to enter at least any string of between
@@ -449,7 +468,8 @@ int HWCryptoHook_RSAGetPublicKey_t(HWCryptoHook_RSAKeyHandle k,
                                    HWCryptoHook_MPI *e,
                                    const HWCryptoHook_ErrMsgBuf *errors);
 extern HWCryptoHook_RSAGetPublicKey_t HWCryptoHook_RSAGetPublicKey;
-/* The crypto plugin will not store certificates.
+/*-
+ * The crypto plugin will not store certificates.
  *
  * Although this function for acquiring the public key value is
  * provided, it is not the purpose of this API to deal fully with the
diff --git a/engines/vendor_defns/sureware.h b/engines/vendor_defns/sureware.h
index e46b000..f878674 100644
--- a/engines/vendor_defns/sureware.h
+++ b/engines/vendor_defns/sureware.h
@@ -1,22 +1,21 @@
-/*
-* Written by Corinne Dive-Reclus(cdive at baltimore.com)
-*
-* Copyright at 2001 Baltimore Technologies Ltd.
-*																								*	
-*		THIS FILE IS PROVIDED BY BALTIMORE TECHNOLOGIES ``AS IS'' AND																			*
-*		ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE					* 
-*		IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE				*
-*		ARE DISCLAIMED.  IN NO EVENT SHALL BALTIMORE TECHNOLOGIES BE LIABLE						*
-*		FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL				*
-*		DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS					*
-*		OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)					*
-*		HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT				*
-*		LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY				*
-*		OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF					*
-*		SUCH DAMAGE.																			*
-*
-* 
-*/
+/*-
+ * Written by Corinne Dive-Reclus(cdive at baltimore.com)
+ *
+ * Copyright at 2001 Baltimore Technologies Ltd.
+ *
+ * THIS FILE IS PROVIDED BY BALTIMORE TECHNOLOGIES ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL BALTIMORE TECHNOLOGIES BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
 #ifdef WIN32
 #define SW_EXPORT	__declspec ( dllexport )
 #else
@@ -31,29 +30,29 @@
 #define SUREWAREHOOK_ERROR_UNIT_FAILURE -3
 #define SUREWAREHOOK_ERROR_DATA_SIZE -4
 #define SUREWAREHOOK_ERROR_INVALID_PAD -5
-/*
+/*-
 * -----------------WARNING-----------------------------------
 * In all the following functions:
 * msg is a string with at least 24 bytes free.
 * A 24 bytes string will be concatenated to the existing content of msg. 
 */
-/*
+/*-
 *	SureWare Initialisation function
 *	in param threadsafe, if !=0, thread safe enabled
 *	return SureWareHOOK_ERROR_UNIT_FAILURE if failure, 1 if success
 */
 typedef int SureWareHook_Init_t(char*const msg,int threadsafe);
 extern SW_EXPORT SureWareHook_Init_t SureWareHook_Init;
-/*
+/*-
 *	SureWare Finish function
 */
 typedef void SureWareHook_Finish_t(void);
 extern SW_EXPORT SureWareHook_Finish_t SureWareHook_Finish;
-/*
+/*-
 *	 PRE_CONDITION:
 *		DO NOT CALL ANY OF THE FOLLOWING FUNCTIONS IN CASE OF INIT FAILURE
 */
-/*
+/*-
 *	SureWare RAND Bytes function
 *	In case of failure, the content of buf is unpredictable.
 *	return 1 if success
@@ -68,7 +67,7 @@ extern SW_EXPORT SureWareHook_Finish_t SureWareHook_Finish;
 typedef int SureWareHook_Rand_Bytes_t(char*const msg,unsigned char *buf, int num);
 extern SW_EXPORT SureWareHook_Rand_Bytes_t SureWareHook_Rand_Bytes;
 
-/*
+/*-
 *	SureWare RAND Seed function
 *	Adds some seed to the Hardware Random Number Generator
 *	return 1 if success
@@ -83,7 +82,7 @@ extern SW_EXPORT SureWareHook_Rand_Bytes_t SureWareHook_Rand_Bytes;
 typedef int SureWareHook_Rand_Seed_t(char*const msg,const void *buf, int num);
 extern SW_EXPORT SureWareHook_Rand_Seed_t SureWareHook_Rand_Seed;
 
-/*
+/*-
 *	SureWare Load Private Key function
 *	return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
@@ -98,7 +97,7 @@ extern SW_EXPORT SureWareHook_Rand_Seed_t SureWareHook_Rand_Seed;
 typedef int SureWareHook_Load_Privkey_t(char*const msg,const char *key_id,char **hptr,unsigned long *num,char *keytype);
 extern SW_EXPORT SureWareHook_Load_Privkey_t SureWareHook_Load_Privkey;
 
-/*
+/*-
 *	SureWare Info Public Key function
 *	return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
@@ -114,7 +113,7 @@ typedef int SureWareHook_Info_Pubkey_t(char*const msg,const char *key_id,unsigne
 										char *keytype);
 extern SW_EXPORT SureWareHook_Info_Pubkey_t SureWareHook_Info_Pubkey;
 
-/*
+/*-
 *	SureWare Load Public Key function
 *	return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
@@ -130,7 +129,7 @@ typedef int SureWareHook_Load_Rsa_Pubkey_t(char*const msg,const char *key_id,uns
 										unsigned long *n, unsigned long *e);
 extern SW_EXPORT SureWareHook_Load_Rsa_Pubkey_t SureWareHook_Load_Rsa_Pubkey;
 
-/*
+/*-
 *	SureWare Load DSA Public Key function
 *	return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
@@ -149,7 +148,7 @@ typedef int SureWareHook_Load_Dsa_Pubkey_t(char*const msg,const char *key_id,uns
 										unsigned long *g);
 extern SW_EXPORT SureWareHook_Load_Dsa_Pubkey_t SureWareHook_Load_Dsa_Pubkey;
 
-/*
+/*-
 *	SureWare Free function
 *	Destroy the key into the hardware if destroy==1
 */
@@ -159,7 +158,7 @@ extern SW_EXPORT SureWareHook_Free_t SureWareHook_Free;
 #define SUREWARE_PKCS1_PAD 1
 #define SUREWARE_ISO9796_PAD 2
 #define SUREWARE_NO_PAD 0
-/*
+/*-
 * SureWare RSA Private Decryption
 * return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
@@ -180,7 +179,7 @@ typedef int SureWareHook_Rsa_Priv_Dec_t(char*const msg,int flen,unsigned char *f
 										int *tlen,unsigned char *to,
 										char *prsa,int padding);
 extern SW_EXPORT SureWareHook_Rsa_Priv_Dec_t SureWareHook_Rsa_Priv_Dec;
-/*
+/*-
 * SureWare RSA Signature
 * return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
@@ -201,7 +200,7 @@ typedef int SureWareHook_Rsa_Sign_t(char*const msg,int flen,unsigned char *from,
 										int *tlen,unsigned char *to,
 										char *prsa,int padding);
 extern SW_EXPORT SureWareHook_Rsa_Sign_t SureWareHook_Rsa_Sign;
-/*
+/*-
 * SureWare DSA Signature
 * return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
@@ -219,7 +218,7 @@ typedef int SureWareHook_Dsa_Sign_t(char*const msg,int flen,const unsigned char
 extern SW_EXPORT SureWareHook_Dsa_Sign_t SureWareHook_Dsa_Sign;
 
 
-/*
+/*-
 * SureWare Mod Exp
 * return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
diff --git a/ms/tlhelp32.h b/ms/tlhelp32.h
index 8f4222e..e15b7e2 100644
--- a/ms/tlhelp32.h
+++ b/ms/tlhelp32.h
@@ -1,4 +1,4 @@
-/*
+/*-
 	tlhelp32.h - Include file for Tool help functions.
 
 	Written by Mumit Khan <khan at nanotech.wisc.edu>
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 14d45b5..26e1da2 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -574,7 +574,8 @@ static int dtls1_preprocess_fragment(SSL *s,struct hm_header_st *msg_hdr,int max
 static int
 dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
 	{
-	/* (0) check whether the desired fragment is available
+	/*-
+	 * (0) check whether the desired fragment is available
 	 * if so:
 	 * (1) copy over the fragment to s->init_buf->data[]
 	 * (2) update s->init_num
@@ -964,7 +965,8 @@ f_err:
 	return(-1);
 	}
 
-/* for these 2 messages, we need to
+/*-
+ * for these 2 messages, we need to
  * ssl->enc_read_ctx			re-init
  * ssl->s3->read_sequence		zero
  * ssl->s3->read_mac_secret		re-init
@@ -1165,7 +1167,7 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
 	struct dtls1_retransmit_state saved_state;
 	unsigned char save_write_sequence[8];
 
-	/*
+	/*-
 	  OPENSSL_assert(s->init_num == 0);
 	  OPENSSL_assert(s->init_off == 0);
 	 */
@@ -1493,7 +1495,8 @@ dtls1_heartbeat(SSL *s)
 	 */
 	OPENSSL_assert(payload + padding <= 16381);
 
-	/* Create HeartBeat message, we just use a sequence number
+	/*-
+	 * Create HeartBeat message, we just use a sequence number
 	 * as payload to distuingish different messages and add
 	 * some random stuff.
 	 *  - Message Type, 1 byte
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 2952bcc..208d244 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -518,7 +518,8 @@ printf("\n");
 		}
 
 	rr->off=0;
-	/* So at this point the following is true
+	/*-
+	 * So at this point the following is true
 	 * ssl->s3->rrec.type 	is the type of record
 	 * ssl->s3->rrec.length	== number of bytes in record
 	 * ssl->s3->rrec.off	== offset to first valid byte
@@ -538,7 +539,8 @@ err:
 }
 
 
-/* Call this to get a new input record.
+/*-
+ * Call this to get a new input record.
  * It will return <= 0 if more data is needed, normally due to an error
  * or non-blocking IO.
  * When it finishes, one packet has been decoded and can be found in
@@ -720,7 +722,8 @@ again:
 
 	}
 
-/* Return up to 'len' payload bytes received in 'type' records.
+/*-
+ * Return up to 'len' payload bytes received in 'type' records.
  * 'type' is one of the following:
  *
  *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
@@ -797,10 +800,12 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 start:
 	s->rwstate=SSL_NOTHING;
 
-	/* s->s3->rrec.type	    - is the type of record
+	/*-
+	 * s->s3->rrec.type	    - is the type of record
 	 * s->s3->rrec.data,    - data
 	 * s->s3->rrec.off,     - offset into 'data' for next read
-	 * s->s3->rrec.length,  - number of bytes. */
+	 * s->s3->rrec.length,  - number of bytes. 
+	 */
 	rr = &(s->s3->rrec);
 
 	/* We are not handshaking and have no data yet,
diff --git a/ssl/heartbeat_test.c b/ssl/heartbeat_test.c
index fc19259..c77e7f7 100644
--- a/ssl/heartbeat_test.c
+++ b/ssl/heartbeat_test.c
@@ -1,5 +1,5 @@
 /* test/heartbeat_test.c */
-/*
+/*-
  * Unit test for TLS heartbeats.
  *
  * Acts as a regression test against the Heartbleed bug (CVE-2014-0160).
diff --git a/ssl/kssl.c b/ssl/kssl.c
index 10687f0..7009a58 100644
--- a/ssl/kssl.c
+++ b/ssl/kssl.c
@@ -56,15 +56,16 @@
  */
 
 
-/*  ssl/kssl.c  --  Routines to support (& debug) Kerberos5 auth for openssl
-**
-**  19990701	VRS 	Started.
-**  200011??	Jeffrey Altman, Richard Levitte
-**          		Generalized for Heimdal, Newer MIT, & Win32.
-**          		Integrated into main OpenSSL 0.9.7 snapshots.
-**  20010413	Simon Wilkinson, VRS
-**          		Real RFC2712 KerberosWrapper replaces AP_REQ.
-*/
+/*-
+ * ssl/kssl.c  --  Routines to support (& debug) Kerberos5 auth for openssl
+ *
+ *  19990701	VRS 	Started.
+ *  200011??	Jeffrey Altman, Richard Levitte
+ *          		Generalized for Heimdal, Newer MIT, & Win32.
+ *          		Integrated into main OpenSSL 0.9.7 snapshots.
+ *  20010413	Simon Wilkinson, VRS
+ *          		Real RFC2712 KerberosWrapper replaces AP_REQ.
+ */
 
 #include <openssl/opensslconf.h>
 
@@ -808,10 +809,10 @@ char
         }
 
 /*	Given KRB5 enctype (basically DES or 3DES),
-**	return closest match openssl EVP_ encryption algorithm.
-**	Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes.
-**	Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK.
-*/
+ *	return closest match openssl EVP_ encryption algorithm.
+ *	Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes.
+ *	Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK.
+ */
 const EVP_CIPHER *
 kssl_map_enc(krb5_enctype enctype)
         {
@@ -836,10 +837,10 @@ kssl_map_enc(krb5_enctype enctype)
 
 
 /*	Return true:1 if p "looks like" the start of the real authenticator
-**	described in kssl_skip_confound() below.  The ASN.1 pattern is
-**	"62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and
-**	xx and yy are possibly multi-byte length fields.
-*/
+ *	described in kssl_skip_confound() below.  The ASN.1 pattern is
+ *	"62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and
+ *	xx and yy are possibly multi-byte length fields.
+ */
 static int 	kssl_test_confound(unsigned char *p)
 	{
 	int 	len = 2;
@@ -866,15 +867,15 @@ static int 	kssl_test_confound(unsigned char *p)
 	}
 
 /*	Allocate, fill, and return cksumlens array of checksum lengths.
-**	This array holds just the unique elements from the krb5_cksumarray[].
-**	array[n] == 0 signals end of data.
-**
-**      The krb5_cksumarray[] was an internal variable that has since been
-**      replaced by a more general method for storing the data.  It should
-**      not be used.  Instead we use real API calls and make a guess for 
-**      what the highest assigned CKSUMTYPE_ constant is.  As of 1.2.2
-**      it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3).  So we will use 0x0010.
-*/
+ *	This array holds just the unique elements from the krb5_cksumarray[].
+ *	array[n] == 0 signals end of data.
+ *
+ *      The krb5_cksumarray[] was an internal variable that has since been
+ *      replaced by a more general method for storing the data.  It should
+ *      not be used.  Instead we use real API calls and make a guess for 
+ *      what the highest assigned CKSUMTYPE_ constant is.  As of 1.2.2
+ *      it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3).  So we will use 0x0010.
+ */
 static size_t  *populate_cksumlens(void)
 	{
 	int 		i, j, n;
@@ -907,12 +908,12 @@ static size_t  *populate_cksumlens(void)
 	}
 
 /*	Return pointer to start of real authenticator within authenticator, or
-**	return NULL on error.
-**	Decrypted authenticator looks like this:
-**		[0 or 8 byte confounder] [4-24 byte checksum] [real authent'r]
-**	This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the
-**	krb5_auth_con_getcksumtype() function advertised in its krb5.h.
-*/
+ *	return NULL on error.
+ *	Decrypted authenticator looks like this:
+ *		[0 or 8 byte confounder] [4-24 byte checksum] [real authent'r]
+ *	This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the
+ *	krb5_auth_con_getcksumtype() function advertised in its krb5.h.
+ */
 unsigned char	*kssl_skip_confound(krb5_enctype etype, unsigned char *a)
 	{
 	int 		i, conlen;
@@ -934,8 +935,8 @@ unsigned char	*kssl_skip_confound(krb5_enctype etype, unsigned char *a)
 
 
 /*	Set kssl_err error info when reason text is a simple string
-**		kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; }
-*/
+ *		kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; }
+ */
 void
 kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text)
         {
@@ -1024,8 +1025,8 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
 
 
 /*	Display contents of krb5_principal_data struct, for debugging
-**	(krb5_principal is typedef'd == krb5_principal_data *)
-*/
+ *	(krb5_principal is typedef'd == krb5_principal_data *)
+ */
 static void
 print_krb5_princ(char *label, krb5_principal_data *princ)
         {
@@ -1047,16 +1048,16 @@ print_krb5_princ(char *label, krb5_principal_data *princ)
         }
 
 
-/*	Given krb5 service (typically "kssl") and hostname in kssl_ctx,
-**	Return encrypted Kerberos ticket for service @ hostname.
-**	If authenp is non-NULL, also return encrypted authenticator,
-**	whose data should be freed by caller.
-**	(Originally was: Create Kerberos AP_REQ message for SSL Client.)
-**
-**	19990628	VRS 	Started; Returns Kerberos AP_REQ message.
-**	20010409	VRS 	Modified for RFC2712; Returns enc tkt.
-**	20010606	VRS 	May also return optional authenticator.
-*/
+/*-	Given krb5 service (typically "kssl") and hostname in kssl_ctx,
+ *	Return encrypted Kerberos ticket for service @ hostname.
+ *	If authenp is non-NULL, also return encrypted authenticator,
+ *	whose data should be freed by caller.
+ *	(Originally was: Create Kerberos AP_REQ message for SSL Client.)
+ *
+ *	19990628	VRS 	Started; Returns Kerberos AP_REQ message.
+ *	20010409	VRS 	Modified for RFC2712; Returns enc tkt.
+ *	20010606	VRS 	May also return optional authenticator.
+ */
 krb5_error_code
 kssl_cget_tkt(	/* UPDATE */	KSSL_CTX *kssl_ctx,
                 /* OUT    */	krb5_data **enc_ticketp,
@@ -1141,8 +1142,8 @@ kssl_cget_tkt(	/* UPDATE */	KSSL_CTX *kssl_ctx,
 	krb5rc = KRB5KRB_ERR_GENERIC;
 	/*	caller should free data of krb5_app_req  */
 	/*  20010406 VRS deleted for real KerberosWrapper
-	**  20010605 VRS reinstated to offer Authenticator to KerberosWrapper
-	*/
+	 *  20010605 VRS reinstated to offer Authenticator to KerberosWrapper
+	 */
 	krb5_app_req.length = 0;
 	if (authenp)
                 {
@@ -1214,17 +1215,18 @@ kssl_cget_tkt(	/* UPDATE */	KSSL_CTX *kssl_ctx,
 	}
 
 
-/*  Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket.
-**  Return Kerberos error code and kssl_err struct on error.
-**  Allocates krb5_ticket and krb5_principal; caller should free these.
-**
-**	20010410	VRS	Implemented krb5_decode_ticket() as
-**				old_krb5_decode_ticket(). Missing from MIT1.0.6.
-**	20010615	VRS 	Re-cast as openssl/asn1 d2i_*() functions.
-**				Re-used some of the old krb5_decode_ticket()
-**				code here.  This tkt should alloc/free just
-**				like the real thing.
-*/
+/*-
+ *  Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket.
+ *  Return Kerberos error code and kssl_err struct on error.
+ *  Allocates krb5_ticket and krb5_principal; caller should free these.
+ *
+ *	20010410	VRS	Implemented krb5_decode_ticket() as
+ *				old_krb5_decode_ticket(). Missing from MIT1.0.6.
+ *	20010615	VRS 	Re-cast as openssl/asn1 d2i_*() functions.
+ *				Re-used some of the old krb5_decode_ticket()
+ *				code here.  This tkt should alloc/free just
+ *				like the real thing.
+ */
 static krb5_error_code
 kssl_TKT2tkt(	/* IN     */	krb5_context	krb5context,
 		/* IN     */	KRB5_TKTBODY	*asn1ticket,
@@ -1299,12 +1301,12 @@ kssl_TKT2tkt(	/* IN     */	krb5_context	krb5context,
 
 
 /*	Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"),
-**		and krb5 AP_REQ message & message length,
-**	Return Kerberos session key and client principle
-**		to SSL Server in KSSL_CTX *kssl_ctx.
-**
-**	19990702	VRS 	Started.
-*/
+ *		and krb5 AP_REQ message & message length,
+ *	Return Kerberos session key and client principle
+ *		to SSL Server in KSSL_CTX *kssl_ctx.
+ *
+ *	19990702	VRS 	Started.
+ */
 krb5_error_code
 kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 		/* IN     */	krb5_data		*indata,
@@ -1419,19 +1421,20 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 			}
 		}
 
-	/*	Actual Kerberos5 krb5_recvauth() has initial conversation here
-	**	o	check KRB5_SENDAUTH_BADAUTHVERS
-	**		unless KRB5_RECVAUTH_SKIP_VERSION
-	**	o	check KRB5_SENDAUTH_BADAPPLVERS
-	**	o	send "0" msg if all OK
-	*/
+	/*-	Actual Kerberos5 krb5_recvauth() has initial conversation here
+	 *	o	check KRB5_SENDAUTH_BADAUTHVERS
+	 *		unless KRB5_RECVAUTH_SKIP_VERSION
+	 *	o	check KRB5_SENDAUTH_BADAPPLVERS
+	 *	o	send "0" msg if all OK
+	 */
 
-	/*  20010411 was using AP_REQ instead of true KerberosWrapper
-	**
-	**  if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context,
-	**			&krb5in_data, krb5server, krb5keytab,
-	**			&ap_option, &krb5ticket)) != 0)  { Error }
-	*/
+	/*- 
+	 * 20010411 was using AP_REQ instead of true KerberosWrapper
+	 *
+	 *  if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context,
+	 *			&krb5in_data, krb5server, krb5keytab,
+	 *			&ap_option, &krb5ticket)) != 0)  { Error }
+	 */
 
 	p = (unsigned char *)indata->data;
 	if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p,
@@ -1568,8 +1571,8 @@ kssl_ctx_new(void)
 
 
 /*	Frees a kssl_ctx struct and any allocated memory it holds.
-**	Returns NULL.
-*/
+ *	Returns NULL.
+ */
 KSSL_CTX	*
 kssl_ctx_free(KSSL_CTX *kssl_ctx)
         {
@@ -1589,9 +1592,9 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx)
 
 
 /*	Given an array of (krb5_data *) entity (and optional realm),
-**	set the plain (char *) client_princ or service_host member
-**	of the kssl_ctx struct.
-*/
+ *	set the plain (char *) client_princ or service_host member
+ *	of the kssl_ctx struct.
+ */
 krb5_error_code
 kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
         krb5_data *realm, krb5_data *entity, int nentities)
@@ -1644,11 +1647,11 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
         }
 
 
-/*	Set one of the plain (char *) string members of the kssl_ctx struct.
-**	Default values should be:
-**		which == KSSL_SERVICE	=>	"khost" (KRB5SVC)
-**		which == KSSL_KEYTAB	=>	"/etc/krb5.keytab" (KRB5KEYTAB)
-*/
+/*-	Set one of the plain (char *) string members of the kssl_ctx struct.
+ *	Default values should be:
+ *		which == KSSL_SERVICE	=>	"khost" (KRB5SVC)
+ *		which == KSSL_KEYTAB	=>	"/etc/krb5.keytab" (KRB5KEYTAB)
+ */
 krb5_error_code
 kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
         {
@@ -1682,8 +1685,8 @@ kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
 
 
 /*	Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx
-**	struct.  Clear kssl_ctx->key if Kerberos session key is NULL.
-*/
+ *	struct.  Clear kssl_ctx->key if Kerberos session key is NULL.
+ */
 krb5_error_code
 kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
         {
@@ -1897,12 +1900,12 @@ void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
 
 
 /*  Given pointers to KerberosTime and struct tm structs, convert the
-**  KerberosTime string to struct tm.  Note that KerberosTime is a
-**  ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional
-**  seconds as defined in RFC 1510.
-**  Return pointer to the (partially) filled in struct tm on success,
-**  return NULL on failure.
-*/
+ *  KerberosTime string to struct tm.  Note that KerberosTime is a
+ *  ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional
+ *  seconds as defined in RFC 1510.
+ *  Return pointer to the (partially) filled in struct tm on success,
+ *  return NULL on failure.
+ */
 static struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
 	{
 	char 		c, *p;
@@ -1925,10 +1928,10 @@ static struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
 
 
 /*  Helper function for kssl_validate_times().
-**  We need context->clockskew, but krb5_context is an opaque struct.
-**  So we try to sneek the clockskew out through the replay cache.
-**	If that fails just return a likely default (300 seconds).
-*/
+ *  We need context->clockskew, but krb5_context is an opaque struct.
+ *  So we try to sneek the clockskew out through the replay cache.
+ *	If that fails just return a likely default (300 seconds).
+ */
 static krb5_deltat get_rc_clockskew(krb5_context context)
 	{
 	krb5_rcache 	rc;
@@ -1945,15 +1948,15 @@ static krb5_deltat get_rc_clockskew(krb5_context context)
 
 
 /*  kssl_validate_times() combines (and more importantly exposes)
-**  the MIT KRB5 internal function krb5_validate_times() and the
-**  in_clock_skew() macro.  The authenticator client time is checked
-**  to be within clockskew secs of the current time and the current
-**  time is checked to be within the ticket start and expire times.
-**  Either check may be omitted by supplying a NULL value.
-**  Returns 0 for valid times, SSL_R_KRB5* error codes otherwise.
-**  See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c
-**  20010420 VRS
-*/
+ *  the MIT KRB5 internal function krb5_validate_times() and the
+ *  in_clock_skew() macro.  The authenticator client time is checked
+ *  to be within clockskew secs of the current time and the current
+ *  time is checked to be within the ticket start and expire times.
+ *  Either check may be omitted by supplying a NULL value.
+ *  Returns 0 for valid times, SSL_R_KRB5* error codes otherwise.
+ *  See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c
+ *  20010420 VRS
+ */
 krb5_error_code  kssl_validate_times(	krb5_timestamp atime,
 					krb5_ticket_times *ttimes)
 	{
@@ -1985,12 +1988,12 @@ krb5_error_code  kssl_validate_times(	krb5_timestamp atime,
 
 
 /*  Decode and decrypt given DER-encoded authenticator, then pass
-**  authenticator ctime back in *atimep (or 0 if time unavailable).
-**  Returns krb5_error_code and kssl_err on error.  A NULL 
-**  authenticator (authentp->length == 0) is not considered an error.
-**  Note that kssl_check_authent() makes use of the KRB5 session key;
-**  you must call kssl_sget_tkt() to get the key before calling this routine.
-*/
+ *  authenticator ctime back in *atimep (or 0 if time unavailable).
+ *  Returns krb5_error_code and kssl_err on error.  A NULL 
+ *  authenticator (authentp->length == 0) is not considered an error.
+ *  Note that kssl_check_authent() makes use of the KRB5 session key;
+ *  you must call kssl_sget_tkt() to get the key before calling this routine.
+ */
 krb5_error_code  kssl_check_authent(
 			/* IN     */	KSSL_CTX	*kssl_ctx,
                         /* IN     */   	krb5_data	*authentp,
@@ -2069,9 +2072,9 @@ krb5_error_code  kssl_check_authent(
 	if (enc == NULL)
 		{
 		/*  Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1.
-		**  This enctype indicates the authenticator was encrypted
-		**  using key-usage derived keys which openssl cannot decrypt.
-		*/
+		 *  This enctype indicates the authenticator was encrypted
+		 *  using key-usage derived keys which openssl cannot decrypt.
+		 */
 		goto err;
 		}
 
@@ -2148,10 +2151,10 @@ krb5_error_code  kssl_check_authent(
 
 
 /*  Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host),
-**  because I don't know how to stub varargs.
-**  Returns krb5_error_code == ENOMEM on alloc error, otherwise
-**  passes back newly constructed principal, which should be freed by caller.
-*/
+ *  because I don't know how to stub varargs.
+ *  Returns krb5_error_code == ENOMEM on alloc error, otherwise
+ *  passes back newly constructed principal, which should be freed by caller.
+ */
 krb5_error_code  kssl_build_principal_2(
 			/* UPDATE */	krb5_context	context,
 			/* OUT    */	krb5_principal	*princ,
diff --git a/ssl/kssl.h b/ssl/kssl.h
index e4df843..c3d5492 100644
--- a/ssl/kssl.h
+++ b/ssl/kssl.h
@@ -85,9 +85,9 @@ extern "C" {
 #endif
 
 /*
-**	Depending on which KRB5 implementation used, some types from
-**	the other may be missing.  Resolve that here and now
-*/
+ *	Depending on which KRB5 implementation used, some types from
+ *	the other may be missing.  Resolve that here and now
+ */
 #ifdef KRB5_HEIMDAL
 typedef unsigned char krb5_octet;
 #define FAR
@@ -100,10 +100,10 @@ typedef unsigned char krb5_octet;
 #endif
 
 /*	Uncomment this to debug kssl problems or
-**	to trace usage of the Kerberos session key
-**
-**	#define		KSSL_DEBUG
-*/
+ *	to trace usage of the Kerberos session key
+ *
+ *	#define		KSSL_DEBUG
+ */
 
 #ifndef	KRB5SVC
 #define KRB5SVC	"host"
@@ -132,10 +132,10 @@ typedef struct kssl_err_st  {
 	} KSSL_ERR;
 
 
-/*	Context for passing
-**		(1) Kerberos session key to SSL, and
-**		(2)	Config data between application and SSL lib
-*/
+/*-	Context for passing
+ *		(1) Kerberos session key to SSL, and
+ *		(2)	Config data between application and SSL lib
+ */
 typedef struct kssl_ctx_st
         {
                                 /*	used by:    disposition:            */
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 6e44e0c..9193d7b 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -440,7 +440,8 @@ int ssl23_get_client_hello(SSL *s)
 		v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
 		v[1] = p[4];
 
-		/* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
+		/*-
+		 * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
 		 * header is sent directly on the wire, not wrapped as a TLS
 		 * record. It's format is:
 		 * Byte  Content
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index b110e3c..6c0fb37 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -294,7 +294,8 @@ f_err:
 	return(0);
 	}
 
-/* for these 2 messages, we need to
+/*-
+ * for these 2 messages, we need to
  * ssl->enc_read_ctx			re-init
  * ssl->s3->read_sequence		zero
  * ssl->s3->read_mac_secret		re-init
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 6087ee3..9910306 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -68,14 +68,16 @@
  * supported by TLS.) */
 #define MAX_HASH_BLOCK_SIZE 128
 
-/* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
+/*-
+ * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
  * record in |rec| by updating |rec->length| in constant time.
  *
  * block_size: the block size of the cipher used to encrypt the record.
  * returns:
  *   0: (in non-constant time) if the record is publicly invalid.
  *   1: if the padding was valid
- *  -1: otherwise. */
+ *  -1: otherwise. 
+ */
 int ssl3_cbc_remove_padding(const SSL* s,
 			    SSL3_RECORD *rec,
 			    unsigned block_size,
@@ -97,7 +99,8 @@ int ssl3_cbc_remove_padding(const SSL* s,
 	return constant_time_select_int(good, 1, -1);
 	}
 
-/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
+/*- 
+ * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
  * record in |rec| in constant time and returns 1 if the padding is valid and
  * -1 otherwise. It also removes any explicit IV from the start of the record
  * without leaking any timing about whether there was enough space after the
@@ -107,7 +110,8 @@ int ssl3_cbc_remove_padding(const SSL* s,
  * returns:
  *   0: (in non-constant time) if the record is publicly invalid.
  *   1: if the padding was valid
- *  -1: otherwise. */
+ *  -1: otherwise. 
+ */
 int tls1_cbc_remove_padding(const SSL* s,
 			    SSL3_RECORD *rec,
 			    unsigned block_size,
@@ -193,7 +197,8 @@ int tls1_cbc_remove_padding(const SSL* s,
 	return constant_time_select_int(good, 1, -1);
 	}
 
-/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
+/*-
+ * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
  * constant time (independent of the concrete value of rec->length, which may
  * vary within a 256-byte window).
  *
@@ -373,7 +378,8 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
 		}
 	}
 
-/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
+/*-
+ * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
  * record.
  *
  *   ctx: the EVP_MD_CTX from which we take the hash function.
@@ -391,7 +397,8 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
  * On entry: by virtue of having been through one of the remove_padding
  * functions, above, we know that data_plus_mac_size is large enough to contain
  * a padding byte and MAC. (If the padding was invalid, it might contain the
- * padding too. ) */
+ * padding too. ) 
+ */
 void ssl3_cbc_digest_record(
 	const EVP_MD_CTX *ctx,
 	unsigned char* md_out,
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 321afc1..4ca2774 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -730,7 +730,8 @@ int ssl3_client_hello(SSL *s)
 		/* Do the message type and length last */
 		d=p= ssl_handshake_start(s);
 
-		/* version indicates the negotiated version: for example from
+		/*-
+		 * version indicates the negotiated version: for example from
 		 * an SSLv2/v3 compatible client hello). The client_version
 		 * field is the maximum version we permit and it is also
 		 * used in RSA encrypted premaster secrets. Some servers can
@@ -2593,24 +2594,25 @@ int ssl3_send_client_key_exchange(SSL *s)
 				goto err;
 				}
 
-			/*  20010406 VRS - Earlier versions used KRB5 AP_REQ
-			**  in place of RFC 2712 KerberosWrapper, as in:
-			**
-			**  Send ticket (copy to *p, set n = length)
-			**  n = krb5_ap_req.length;
-			**  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
-			**  if (krb5_ap_req.data)  
-			**    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
-			**
-			**  Now using real RFC 2712 KerberosWrapper
-			**  (Thanks to Simon Wilkinson <sxw at sxw.org.uk>)
-			**  Note: 2712 "opaque" types are here replaced
-			**  with a 2-byte length followed by the value.
-			**  Example:
-			**  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
-			**  Where "xx xx" = length bytes.  Shown here with
-			**  optional authenticator omitted.
-			*/
+			/*-
+			 * 20010406 VRS - Earlier versions used KRB5 AP_REQ
+			 * in place of RFC 2712 KerberosWrapper, as in:
+			 *
+			 * Send ticket (copy to *p, set n = length)
+			 * n = krb5_ap_req.length;
+			 * memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
+			 * if (krb5_ap_req.data)  
+			 *   kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
+			 *
+			 * Now using real RFC 2712 KerberosWrapper
+			 * (Thanks to Simon Wilkinson <sxw at sxw.org.uk>)
+			 * Note: 2712 "opaque" types are here replaced
+			 * with a 2-byte length followed by the value.
+			 * Example:
+			 * KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
+			 * Where "xx xx" = length bytes.  Shown here with
+			 * optional authenticator omitted.
+			 */
 
 			/*  KerberosWrapper.Ticket		*/
 			s2n(enc_ticket->length,p);
@@ -2641,12 +2643,13 @@ int ssl3_send_client_key_exchange(SSL *s)
 			    if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
 				goto err;
 
-			/*  20010420 VRS.  Tried it this way; failed.
-			**	EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
-			**	EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
-			**				kssl_ctx->length);
-			**	EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
-			*/
+			/*-
+			 * 20010420 VRS.  Tried it this way; failed.
+			 *	EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
+			 *	EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
+			 *				kssl_ctx->length);
+			 *	EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
+			 */
 
 			memset(iv, 0, sizeof iv);  /* per RFC 1510 */
 			EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
@@ -2803,7 +2806,8 @@ int ssl3_send_client_key_exchange(SSL *s)
 			 */
 			if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 
 				{
-				/* XXX: For now, we do not support client
+				/*-
+				 * XXX: For now, we do not support client
 				 * authentication using ECDH certificates.
 				 * To add such support, one needs to add
 				 * code that checks for appropriate 
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 8fedf5a..2de10d6 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -293,7 +293,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
  * ssl3_get_record to loop forever. */
 #define MAX_EMPTY_RECORDS 32
 
-/* Call this to get a new input record.
+/*-
+ * Call this to get a new input record.
  * It will return <= 0 if more data is needed, normally due to an error
  * or non-blocking IO.
  * When it finishes, one packet has been decoded and can be found in
@@ -449,10 +450,12 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
 		}
 
 	enc_err = s->method->ssl3_enc->enc(s,0);
-	/* enc_err is:
+	/*-
+	 * enc_err is:
 	 *    0: (in non-constant time) if the record is publically invalid.
 	 *    1: if the padding is valid
-	 *    -1: if the padding is invalid */
+	 *    -1: if the padding is invalid 
+	 */
 	if (enc_err == 0)
 		{
 		al=SSL_AD_DECRYPTION_FAILED;
@@ -556,7 +559,8 @@ printf("\n");
 		}
 
 	rr->off=0;
-	/* So at this point the following is true
+	/*-
+	 * So at this point the following is true
 	 * ssl->s3->rrec.type 	is the type of record
 	 * ssl->s3->rrec.length	== number of bytes in record
 	 * ssl->s3->rrec.off	== offset to first valid byte
@@ -1215,7 +1219,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
 		}
 	}
 
-/* Return up to 'len' payload bytes received in 'type' records.
+/*-
+ * Return up to 'len' payload bytes received in 'type' records.
  * 'type' is one of the following:
  *
  *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
@@ -1297,10 +1302,12 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 start:
 	s->rwstate=SSL_NOTHING;
 
-	/* s->s3->rrec.type	    - is the type of record
+	/*-
+	 * s->s3->rrec.type	    - is the type of record
 	 * s->s3->rrec.data,    - data
 	 * s->s3->rrec.off,     - offset into 'data' for next read
-	 * s->s3->rrec.length,  - number of bytes. */
+	 * s->s3->rrec.length,  - number of bytes. 
+	 */
 	rr = &(s->s3->rrec);
 
 	/* get new packet if necessary */
@@ -1422,9 +1429,11 @@ start:
 			}
 		}
 
-	/* s->s3->handshake_fragment_len == 4  iff  rr->type == SSL3_RT_HANDSHAKE;
+	/*-
+	 * s->s3->handshake_fragment_len == 4  iff  rr->type == SSL3_RT_HANDSHAKE;
 	 * s->s3->alert_fragment_len == 2      iff  rr->type == SSL3_RT_ALERT.
-	 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
+	 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) 
+	 */
 
 	/* If we are a client, check for an incoming 'Hello Request': */
 	if ((!s->server) &&
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 02c8c10..a308577 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1501,7 +1501,8 @@ int ssl3_get_client_hello(SSL *s)
 			goto f_err;
 		}
 	
-	/* we now have the following setup. 
+	/*-
+	 * we now have the following setup. 
 	 * client_random
 	 * cipher_list 		- our prefered list of ciphers
 	 * ciphers 		- the clients prefered list of ciphers
@@ -1559,7 +1560,8 @@ int ssl3_send_server_hello(SSL *s)
 		memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
 		p+=SSL3_RANDOM_SIZE;
 
-		/* There are several cases for the session ID to send
+		/*-
+		 * There are several cases for the session ID to send
 		 * back in the server hello:
 		 * - For session reuse from the session cache,
 		 *   we send back the old session ID.
@@ -2690,11 +2692,11 @@ int ssl3_get_client_key_exchange(SSL *s)
 			}
 
 
-		/*  Was doing kssl_ctx_free() here,
-		**  but it caused problems for apache.
-		**  kssl_ctx = kssl_ctx_free(kssl_ctx);
-		**  if (s->kssl_ctx)  s->kssl_ctx = NULL;
-		*/
+		/*- Was doing kssl_ctx_free() here,
+		 *  but it caused problems for apache.
+		 *  kssl_ctx = kssl_ctx_free(kssl_ctx);
+		 *  if (s->kssl_ctx)  s->kssl_ctx = NULL;
+		 */
 		}
 	else
 #endif	/* OPENSSL_NO_KRB5 */
@@ -3587,7 +3589,8 @@ int ssl3_send_newsession_ticket(SSL *s)
 		i2d_SSL_SESSION(sess, &p);
 		SSL_SESSION_free(sess);
 
-		/* Grow buffer if need be: the length calculation is as
+		/*-
+		 * Grow buffer if need be: the length calculation is as
  		 * follows handshake_header_length +
  		 * 4 (ticket lifetime hint) + 2 (ticket length) +
  		 * 16 (key name) + max_iv_len (iv length) +
@@ -3671,7 +3674,8 @@ int ssl3_send_cert_status(SSL *s)
 	if (s->state == SSL3_ST_SW_CERT_STATUS_A)
 		{
 		unsigned char *p;
-		/* Grow buffer if need be: the length calculation is as
+		/*-
+		 * Grow buffer if need be: the length calculation is as
  		 * follows 1 (message type) + 3 (message length) +
  		 * 1 (ocsp response type) + 3 (ocsp response length)
  		 * + (ocsp response)
@@ -3743,7 +3747,8 @@ int ssl3_get_next_proto(SSL *s)
 
 	p=(unsigned char *)s->init_msg;
 
-	/* The payload looks like:
+	/*-
+	 * The payload looks like:
 	 *   uint8 proto_len;
 	 *   uint8 proto[proto_len];
 	 *   uint8 padding_len;
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 0318d04..31d01b6 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -305,7 +305,7 @@ extern "C" {
 
 #define SSL_TXT_ALL		"ALL"
 
-/*
+/*-
  * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
  * ciphers normally not being used.
  * Example: "RC4" will activate all ciphers using RC4 including ciphers
@@ -453,7 +453,8 @@ struct ssl_method_st
 	long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void));
 	};
 
-/* Lets make this into an ASN.1 type structure as follows
+/*-
+ * Lets make this into an ASN.1 type structure as follows
  * SSL_SESSION_ID ::= SEQUENCE {
  *	version 		INTEGER,	-- structure version number
  *	SSLversion 		INTEGER,	-- SSL version number
@@ -1086,14 +1087,16 @@ struct ssl_ctx_st
 	/* ALPN information
 	 * (we are in the process of transitioning from NPN to ALPN.) */
 
-	/* For a server, this contains a callback function that allows the
+	/*-
+	 * For a server, this contains a callback function that allows the
 	 * server to select the protocol for the connection.
 	 *   out: on successful return, this must point to the raw protocol
 	 *        name (without the length prefix).
 	 *   outlen: on successful return, this contains the length of |*out|.
 	 *   in: points to the client's list of supported protocols in
 	 *       wire-format.
-	 *   inlen: the length of |in|. */
+	 *   inlen: the length of |in|. 
+	 */
 	int (*alpn_select_cb)(SSL *s,
 			      const unsigned char **out,
 			      unsigned char *outlen,
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 4d65a2b..a046c71 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1953,12 +1953,14 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
         if (cm == NULL || cm->type == NID_undef)
                 return 1;
 
-	/* According to draft-ietf-tls-compression-04.txt, the
-	   compression number ranges should be the following:
-
-	   0 to 63:    methods defined by the IETF
-	   64 to 192:  external party methods assigned by IANA
-	   193 to 255: reserved for private use */
+	/*-
+	 * According to draft-ietf-tls-compression-04.txt, the
+	 * compression number ranges should be the following:
+         *
+         *   0 to  63:  methods defined by the IETF
+	 *  64 to 192:  external party methods assigned by IANA
+	 * 193 to 255:  reserved for private use 
+	 */
 	if (id < 193 || id > 255)
 		{
 		SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 5212bc9..facfec5 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -413,7 +413,7 @@
 
 /* we have used 000001ff - 23 bits left to go */
 
-/*
+/*-
  * Macros to check the export status and cipher strength for export ciphers.
  * Even though the macros for EXPORT and EXPORT40/56 have similar names,
  * their meaning is different:
@@ -479,7 +479,8 @@
 #define SSL_PKEY_GOST01		7
 #define SSL_PKEY_NUM		8
 
-/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
+/*-
+ * SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
  * 	    <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
  * SSL_kDH  <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
  * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN
@@ -511,11 +512,13 @@ typedef struct cert_pkey_st
 	/* Chain for this certificate */
 	STACK_OF(X509) *chain;
 #ifndef OPENSSL_NO_TLSEXT
-	/* serverinfo data for this certificate.  The data is in TLS Extension
+	/*-
+	 * serverinfo data for this certificate.  The data is in TLS Extension
 	 * wire format, specifically it's a series of records like:
 	 *   uint16_t extension_type; // (RFC 5246, 7.4.1.4, Extension)
 	 *   uint16_t length;
-	 *   uint8_t data[length]; */
+	 *   uint8_t data[length]; 
+	 */
 	unsigned char *serverinfo;
 	size_t serverinfo_length;
 #endif
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index a85f279..493b0fd 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -335,7 +335,7 @@ int ssl_get_new_session(SSL *s, int session)
 			return(0);
 			}
 #ifndef OPENSSL_NO_TLSEXT
-		/*
+		/*-
 		 * If RFC5077 ticket, use empty session ID (as server).
 		 * Note that:
 		 * (a) ssl_get_prev_session() does lookahead into the
diff --git a/ssl/ssl_task.c b/ssl/ssl_task.c
index 9c4982c..592e858 100644
--- a/ssl/ssl_task.c
+++ b/ssl/ssl_task.c
@@ -57,7 +57,7 @@
  */
 
 /* VMS */
-/*
+/*-
  * DECnet object for servicing SSL.  We accept the inbound and speak a
  * simple protocol for multiplexing the 2 data streams (application and
  * ssl data) over this logical link.
@@ -270,7 +270,7 @@ int doit(io_channel chan, SSL_CTX *s_ctx )
 	c_to_s=BIO_new(BIO_s_rtcp());
 	s_to_c=BIO_new(BIO_s_rtcp());
 	if ((s_to_c == NULL) || (c_to_s == NULL)) goto err;
-/* original, DRM 24-SEP-1997
+/*- original, DRM 24-SEP-1997
 	BIO_set_fd ( c_to_s, "", chan );
 	BIO_set_fd ( s_to_c, "", chan );
 */
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index e5be634..c699b61 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -545,7 +545,8 @@ static int verify_serverinfo()
 	return 0;
 	}
 
-/* Four test cases for custom extensions:
+/*-
+ * Four test cases for custom extensions:
  * 0 - no ClientHello extension or ServerHello response
  * 1 - ClientHello with "abc", no response
  * 2 - ClientHello with "abc", empty response
@@ -1924,7 +1925,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
 
 	do
 		{
-		/* c_ssl_bio:          SSL filter BIO
+		/*-
+		 * c_ssl_bio:          SSL filter BIO
 		 *
 		 * client:             pseudo-I/O for SSL library
 		 *
@@ -2796,11 +2798,12 @@ static void process_proxy_debug(int indent, const char *format, ...)
 	vfprintf(stderr, my_format, args);
 	va_end(args);
 	}
-/* Priority levels:
-   0	[!]var, ()
-   1	& ^
-   2	|
-*/
+/*-
+ * Priority levels:
+ *  0	[!]var, ()
+ *  1	& ^
+ *  2	|
+ */
 static int process_proxy_cond_adders(unsigned int letters[26],
 	const char *cond, const char **cond_end, int *pos, int indent);
 static int process_proxy_cond_val(unsigned int letters[26],
@@ -3152,7 +3155,8 @@ static void free_tmp_rsa(void)
 #endif
 
 #ifndef OPENSSL_NO_DH
-/* These DH parameters have been generated as follows:
+/*-
+ * These DH parameters have been generated as follows:
  *    $ openssl dhparam -C -noout 512
  *    $ openssl dhparam -C -noout 1024
  *    $ openssl dhparam -C -noout -dsaparam 1024
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index f0291b1..31b1c36 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -504,7 +504,7 @@ int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
 	return 0;
 	}
 
-/*
+/*-
  * Return |nmatch|th shared curve or NID_undef if there is no match.
  * For nmatch == -1, return number of  matches
  * For nmatch == -2, return the NID of the curve to use for
@@ -1222,13 +1222,14 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
 		unsigned long size_str;
 		long lenmax; 
 
-		/* check for enough space.
-		   4 for the servername type and entension length
-		   2 for servernamelist length
-		   1 for the hostname type
-		   2 for hostname length
-		   + hostname length 
-		*/
+		/*-
+		 * check for enough space.
+		 * 4 for the servername type and entension length
+		 * 2 for servernamelist length
+		 * 1 for the hostname type
+		 * 2 for hostname length
+		 * + hostname length 
+		 */
 		   
 		if ((lenmax = limit - ret - 9) < 0 
 		    || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
@@ -1260,11 +1261,12 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
 			return NULL;
 			} 
 
-		/* check for enough space.
-		   4 for the srp type type and entension length
-		   1 for the srp user identity
-		   + srp user identity length 
-		*/
+		/*-
+		 * check for enough space.
+		 * 4 for the srp type type and entension length
+		 * 1 for the srp user identity
+		 * + srp user identity length 
+		 */
 		if ((limit - ret - 5 - login_len) < 0) return NULL; 
 
 		/* fill in the extension */
@@ -1464,7 +1466,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
 		return NULL;
 	s2n(TLSEXT_TYPE_heartbeat,ret);
 	s2n(1,ret);
-	/* Set mode:
+	/*-
+	 * Set mode:
 	 * 1: peer may send requests
 	 * 2: peer not allowed to send requests
 	 */
@@ -1720,7 +1723,8 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
 			return NULL;
 		s2n(TLSEXT_TYPE_heartbeat,ret);
 		s2n(1,ret);
-		/* Set mode:
+		/*-
+		 * Set mode:
 		 * 1: peer may send requests
 		 * 2: peer not allowed to send requests
 		 */
@@ -1867,7 +1871,8 @@ parse_error:
 	}
 
 #ifndef OPENSSL_NO_EC
-/* ssl_check_for_safari attempts to fingerprint Safari using OS X
+/*-
+ * ssl_check_for_safari attempts to fingerprint Safari using OS X
  * SecureTransport using the TLS extension block in |d|, of length |n|.
  * Safari, since 10.6, sends exactly these extensions, in this order:
  *   SNI,
@@ -2019,28 +2024,30 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 			}
 		else if (s->version == SSL3_VERSION)
 			{}
-/* The servername extension is treated as follows:
-
-   - Only the hostname type is supported with a maximum length of 255.
-   - The servername is rejected if too long or if it contains zeros,
-     in which case an fatal alert is generated.
-   - The servername field is maintained together with the session cache.
-   - When a session is resumed, the servername call back invoked in order
-     to allow the application to position itself to the right context. 
-   - The servername is acknowledged if it is new for a session or when 
-     it is identical to a previously used for the same session. 
-     Applications can control the behaviour.  They can at any time
-     set a 'desirable' servername for a new SSL object. This can be the
-     case for example with HTTPS when a Host: header field is received and
-     a renegotiation is requested. In this case, a possible servername
-     presented in the new client hello is only acknowledged if it matches
-     the value of the Host: field. 
-   - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-     if they provide for changing an explicit servername context for the session,
-     i.e. when the session has been established with a servername extension. 
-   - On session reconnect, the servername extension may be absent. 
-
-*/      
+/*-
+ * The servername extension is treated as follows:
+ *
+ * - Only the hostname type is supported with a maximum length of 255.
+ * - The servername is rejected if too long or if it contains zeros,
+ *   in which case an fatal alert is generated.
+ * - The servername field is maintained together with the session cache.
+ * - When a session is resumed, the servername call back invoked in order
+ *   to allow the application to position itself to the right context. 
+ * - The servername is acknowledged if it is new for a session or when 
+ *   it is identical to a previously used for the same session. 
+ *   Applications can control the behaviour.  They can at any time
+ *   set a 'desirable' servername for a new SSL object. This can be the
+ *   case for example with HTTPS when a Host: header field is received and
+ *   a renegotiation is requested. In this case, a possible servername
+ *   presented in the new client hello is only acknowledged if it matches
+ *   the value of the Host: field. 
+ * - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ *   if they provide for changing an explicit servername context for the 
+ *   session, i.e. when the session has been established with a servername 
+ *   extension. 
+ * - On session reconnect, the servername extension may be absent. 
+ *
+ */      
 
 		else if (type == TLSEXT_TYPE_server_name)
 			{
@@ -2419,7 +2426,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 			 s->s3->tmp.finish_md_len == 0 &&
 			 s->s3->alpn_selected == NULL)
 			{
-			/* We shouldn't accept this extension on a
+			/*-
+			 * We shouldn't accept this extension on a
 			 * renegotiation.
 			 *
 			 * s->new_session will be set on renegotiation, but we
@@ -2428,12 +2436,13 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 			 * there's some other reason to disallow resuming an
 			 * earlier session -- the current code won't be doing
 			 * anything like that, but this might change).
-
+			 *
 			 * A valid sign that there's been a previous handshake
 			 * in this connection is if s->s3->tmp.finish_md_len >
 			 * 0.  (We are talking about a check that will happen
 			 * in the Hello protocol round, well before a new
-			 * Finished message could have been computed.) */
+			 * Finished message could have been computed.) 
+			 */
 			s->s3->next_proto_neg_seen = 1;
 			}
 #endif
@@ -2746,10 +2755,12 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char
 				*al = TLS1_AD_DECODE_ERROR;
 				return 0;
 				}
-			/* The extension data consists of:
+			/*- 
+			 * The extension data consists of:
 			 *   uint16 list_length
 			 *   uint8 proto_length;
-			 *   uint8 proto[proto_length]; */
+			 *   uint8 proto[proto_length]; 
+			 */
 			len = data[0];
 			len <<= 8;
 			len |= data[1];
@@ -3248,7 +3259,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 	return 1;
 }
 
-/* Since the server cache lookup is done early on in the processing of the
+/*-
+ * Since the server cache lookup is done early on in the processing of the
  * ClientHello, and other operations depend on the result, we need to handle
  * any TLS session ticket extension at the same time.
  *
@@ -3368,7 +3380,8 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
 	return 0;
 	}
 
-/* tls_decrypt_ticket attempts to decrypt a session ticket.
+/*-
+ * tls_decrypt_ticket attempts to decrypt a session ticket.
  *
  *   etick: points to the body of the session ticket extension.
  *   eticklen: the length of the session tickets extenion.
@@ -4086,7 +4099,8 @@ tls1_heartbeat(SSL *s)
 	 */
 	OPENSSL_assert(payload + padding <= 16381);
 
-	/* Create HeartBeat message, we just use a sequence number
+	/*-
+	 * Create HeartBeat message, we just use a sequence number
 	 * as payload to distuingish different messages and add
 	 * some random stuff.
 	 *  - Message Type, 1 byte
diff --git a/test/methtest.c b/test/methtest.c
index 005c2f4..b734217 100644
--- a/test/methtest.c
+++ b/test/methtest.c
@@ -84,7 +84,7 @@ char *argv[];
 	METH_arg(tmp2,METH_TYPE_DIR,"/usr/local/ssl/certs");
 	METH_push(top,METH_X509_CA_BY_SUBJECT,tmp2);
 
-/*	tmp=METH_new(x509_by_issuer_dir);
+/*-	tmp=METH_new(x509_by_issuer_dir);
 	METH_arg(tmp,METH_TYPE_DIR,"/home/eay/.mycerts");
 	METH_push(top,METH_X509_BY_ISSUER,tmp);
 
diff --git a/test/testutil.c b/test/testutil.c
index 89e8141..908eb5b 100644
--- a/test/testutil.c
+++ b/test/testutil.c
@@ -1,5 +1,5 @@
 /* test/testutil.c */
-/*
+/*-
  * Utilities for writing OpenSSL unit tests.
  *
  * More information:
diff --git a/test/testutil.h b/test/testutil.h
index adb092a..502be2e 100644
--- a/test/testutil.h
+++ b/test/testutil.h
@@ -1,5 +1,5 @@
 /* test/testutil.h */
-/*
+/*-
  * Utilities for writing OpenSSL unit tests.
  *
  * More information:
@@ -59,7 +59,8 @@
 #ifndef HEADER_TESTUTIL_H
 #define HEADER_TESTUTIL_H
 
-/* SETUP_TEST_FIXTURE and EXECUTE_TEST macros for test case functions.
+/*-
+ * SETUP_TEST_FIXTURE and EXECUTE_TEST macros for test case functions.
  *
  * SETUP_TEST_FIXTURE will call set_up() to create a new TEST_FIXTURE_TYPE
  * object called "fixture". It will also allocate the "result" variable used


hooks/post-receive
-- 
OpenSSL source code


More information about the openssl-commits mailing list