[openssl-commits] [openssl] master update

Emilia Kasper emilia at openssl.org
Thu Aug 18 12:02:37 UTC 2016


The branch master has been updated
       via  a230b26e0959dc5f072fbbdadcc9ed45e904c50c (commit)
      from  604f6eff31a3837abd3d96a2a41a3b269df757c4 (commit)


- Log -----------------------------------------------------------------
commit a230b26e0959dc5f072fbbdadcc9ed45e904c50c
Author: Emilia Kasper <emilia at openssl.org>
Date:   Fri Aug 5 19:03:17 2016 +0200

    Indent ssl/
    
    Run util/openssl-format-source on ssl/
    
    Some comments and hand-formatted tables were fixed up
    manually by disabling auto-formatting.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_lib.c              |  25 +--
 ssl/d1_srtp.c             |  21 +--
 ssl/methods.c             | 108 +++---------
 ssl/packet_locl.h         |  72 ++++----
 ssl/record/rec_layer_d1.c |  56 +++----
 ssl/record/rec_layer_s3.c |  82 +++++-----
 ssl/record/record.h       |  34 +---
 ssl/record/record_locl.h  |  12 +-
 ssl/record/ssl3_record.c  |  88 +++++-----
 ssl/s3_cbc.c              |  30 ++--
 ssl/s3_enc.c              |  50 +++---
 ssl/s3_lib.c              | 148 +++++++++--------
 ssl/s3_msg.c              |   3 +-
 ssl/ssl_asn1.c            |   2 +-
 ssl/ssl_cert.c            |  41 ++---
 ssl/ssl_ciph.c            | 104 ++++++------
 ssl/ssl_conf.c            |  17 +-
 ssl/ssl_init.c            |  30 ++--
 ssl/ssl_lib.c             | 209 ++++++++++++------------
 ssl/ssl_locl.h            | 345 +++++++++++++++++++--------------------
 ssl/ssl_mcnf.c            |  13 +-
 ssl/ssl_rsa.c             |  18 +-
 ssl/ssl_sess.c            |  39 ++---
 ssl/ssl_stat.c            |   3 +-
 ssl/ssl_txt.c             |   9 +-
 ssl/statem/statem.c       |  37 +++--
 ssl/statem/statem.h       |   7 -
 ssl/statem/statem_clnt.c  | 407 +++++++++++++++++++++++-----------------------
 ssl/statem/statem_dtls.c  |  42 ++---
 ssl/statem/statem_lib.c   |  77 ++++-----
 ssl/statem/statem_locl.h  |  11 +-
 ssl/statem/statem_srvr.c  | 195 +++++++++++-----------
 ssl/t1_enc.c              |  24 ++-
 ssl/t1_ext.c              |  12 +-
 ssl/t1_lib.c              | 181 ++++++++++-----------
 ssl/t1_reneg.c            |  10 +-
 ssl/t1_trce.c             |  46 +++---
 ssl/tls_srp.c             |   8 +-
 util/indent.pro           |   7 +-
 39 files changed, 1218 insertions(+), 1405 deletions(-)

diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 08a5037..7fb9b96 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -338,8 +338,7 @@ int dtls1_check_timeout_num(SSL *s)
     if (s->d1->timeout.num_alerts > 2
         && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
         mtu =
-            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0,
-                     NULL);
+            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
         if (mtu < s->d1->mtu)
             s->d1->mtu = mtu;
     }
@@ -391,10 +390,13 @@ static void get_current_time(struct timeval *t)
 
     GetSystemTime(&st);
     SystemTimeToFileTime(&st, &now.ft);
+    /* re-bias to 1/1/1970 */
 # ifdef  __MINGW32__
     now.ul -= 116444736000000000ULL;
 # else
-    now.ul -= 116444736000000000UI64; /* re-bias to 1/1/1970 */
+    /* *INDENT-OFF* */
+    now.ul -= 116444736000000000UI64;
+    /* *INDENT-ON* */
 # endif
     t->tv_sec = (long)(now.ul / 10000000);
     t->tv_usec = ((int)(now.ul % 10000000)) / 10;
@@ -408,7 +410,6 @@ static void get_current_time(struct timeval *t)
 #endif
 }
 
-
 #define LISTEN_SUCCESS              2
 #define LISTEN_SEND_VERIFY_REQUEST  1
 
@@ -531,7 +532,7 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client)
             goto end;
         }
 
-        if (rectype != SSL3_RT_HANDSHAKE)  {
+        if (rectype != SSL3_RT_HANDSHAKE) {
             SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_UNEXPECTED_MESSAGE);
             goto end;
         }
@@ -744,7 +745,6 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client)
                 s->msg_callback(1, 0, SSL3_RT_HEADER, buf,
                                 DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg);
 
-
             if ((tmpclient = BIO_ADDR_new()) == NULL) {
                 SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_MALLOC_FAILURE);
                 goto end;
@@ -805,13 +805,15 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client)
      */
     ossl_statem_set_hello_verify_done(s);
 
-    /* Some BIOs may not support this. If we fail we clear the client address */
+    /*
+     * Some BIOs may not support this. If we fail we clear the client address
+     */
     if (BIO_dgram_get_peer(rbio, client) <= 0)
         BIO_ADDR_clear(client);
 
     ret = 1;
     clearpkt = 0;
-end:
+ end:
     BIO_ADDR_free(tmpclient);
     BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_PEEK_MODE, 0, NULL);
     if (clearpkt) {
@@ -842,12 +844,12 @@ static int dtls1_handshake_write(SSL *s)
 
 #ifndef OPENSSL_NO_HEARTBEATS
 
-#define HEARTBEAT_SIZE(payload, padding) ( \
+# define HEARTBEAT_SIZE(payload, padding) ( \
     1 /* heartbeat type */ + \
     2 /* heartbeat length */ + \
     (payload) + (padding))
 
-#define HEARTBEAT_SIZE_STD(payload) HEARTBEAT_SIZE(payload, 16)
+# define HEARTBEAT_SIZE_STD(payload) HEARTBEAT_SIZE(payload, 16)
 
 int dtls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length)
 {
@@ -987,8 +989,7 @@ int dtls1_heartbeat(SSL *s)
     if (ret >= 0) {
         if (s->msg_callback)
             s->msg_callback(1, s->version, DTLS1_RT_HEARTBEAT,
-                            buf, size,
-                            s, s->msg_callback_arg);
+                            buf, size, s, s->msg_callback_arg);
 
         dtls1_start_timer(s);
         s->tlsext_hb_pending = 1;
diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
index 94c0127..7e88f17 100644
--- a/ssl/d1_srtp.c
+++ b/ssl/d1_srtp.c
@@ -30,11 +30,11 @@ static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = {
      },
     {
      "SRTP_AEAD_AES_128_GCM",
-     SRTP_AEAD_AES_128_GCM
+     SRTP_AEAD_AES_128_GCM,
      },
     {
      "SRTP_AEAD_AES_256_GCM",
-     SRTP_AEAD_AES_256_GCM
+     SRTP_AEAD_AES_256_GCM,
      },
     {0}
 };
@@ -76,8 +76,7 @@ static int ssl_ctx_make_profiles(const char *profiles_string,
     do {
         col = strchr(ptr, ':');
 
-        if (!find_profile_by_name(ptr, &p,
-                                  col ? col - ptr : (int)strlen(ptr))) {
+        if (!find_profile_by_name(ptr, &p, col ? col - ptr : (int)strlen(ptr))) {
             if (sk_SRTP_PROTECTION_PROFILE_find(profiles, p) >= 0) {
                 SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,
                        SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
@@ -104,7 +103,7 @@ static int ssl_ctx_make_profiles(const char *profiles_string,
     *out = profiles;
 
     return 0;
-err:
+ err:
     sk_SRTP_PROTECTION_PROFILE_free(profiles);
     return 1;
 }
@@ -190,8 +189,7 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, PACKET *pkt, int *al)
 
     /* Pull off the length of the cipher suite list  and check it is even */
     if (!PACKET_get_net_2(pkt, &ct)
-            || (ct & 1) != 0
-            || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
+        || (ct & 1) != 0 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
         SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
                SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
         *al = SSL_AD_DECODE_ERROR;
@@ -238,7 +236,7 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, PACKET *pkt, int *al)
     }
 
     if (!PACKET_forward(pkt, mki_len)
-            || PACKET_remaining(pkt)) {
+        || PACKET_remaining(pkt)) {
         SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
                SSL_R_BAD_SRTP_MKI_VALUE);
         *al = SSL_AD_DECODE_ERROR;
@@ -281,10 +279,9 @@ int ssl_parse_serverhello_use_srtp_ext(SSL *s, PACKET *pkt, int *al)
     SRTP_PROTECTION_PROFILE *prof;
 
     if (!PACKET_get_net_2(pkt, &ct)
-            || ct != 2
-            || !PACKET_get_net_2(pkt, &id)
-            || !PACKET_get_1(pkt, &mki)
-            || PACKET_remaining(pkt) != 0) {
+        || ct != 2 || !PACKET_get_net_2(pkt, &id)
+        || !PACKET_get_1(pkt, &mki)
+        || PACKET_remaining(pkt) != 0) {
         SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
                SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
         *al = SSL_AD_DECODE_ERROR;
diff --git a/ssl/methods.c b/ssl/methods.c
index 7d27f9d..c846143 100644
--- a/ssl/methods.c
+++ b/ssl/methods.c
@@ -11,7 +11,7 @@
 #include <openssl/objects.h>
 #include "ssl_locl.h"
 
-/*
+/*-
  * TLS/SSLv3 methods
  */
 
@@ -19,201 +19,148 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
                         TLS_method,
                         ossl_statem_accept,
                         ossl_statem_connect, TLSv1_2_enc_data)
-
 #ifndef OPENSSL_NO_TLS1_2_METHOD
 IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
                         tlsv1_2_method,
                         ossl_statem_accept,
                         ossl_statem_connect, TLSv1_2_enc_data)
 #endif
-
 #ifndef OPENSSL_NO_TLS1_1_METHOD
 IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1,
                         tlsv1_1_method,
                         ossl_statem_accept,
                         ossl_statem_connect, TLSv1_1_enc_data)
 #endif
-
 #ifndef OPENSSL_NO_TLS1_METHOD
 IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1,
                         tlsv1_method,
-                        ossl_statem_accept,
-                        ossl_statem_connect, TLSv1_enc_data)
+                        ossl_statem_accept, ossl_statem_connect, TLSv1_enc_data)
 #endif
-
 #ifndef OPENSSL_NO_SSL3_METHOD
 IMPLEMENT_ssl3_meth_func(sslv3_method, ossl_statem_accept, ossl_statem_connect)
 #endif
-
-
-/*
+/*-
  * TLS/SSLv3 server methods
  */
-
 IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
                         TLS_server_method,
                         ossl_statem_accept,
-                        ssl_undefined_function,
-                        TLSv1_2_enc_data)
-
+                        ssl_undefined_function, TLSv1_2_enc_data)
 #ifndef OPENSSL_NO_TLS1_2_METHOD
 IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
                         tlsv1_2_server_method,
                         ossl_statem_accept,
-                        ssl_undefined_function,
-                        TLSv1_2_enc_data)
+                        ssl_undefined_function, TLSv1_2_enc_data)
 #endif
-
 #ifndef OPENSSL_NO_TLS1_1_METHOD
 IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1,
                         tlsv1_1_server_method,
                         ossl_statem_accept,
-                        ssl_undefined_function,
-                        TLSv1_1_enc_data)
+                        ssl_undefined_function, TLSv1_1_enc_data)
 #endif
-
 #ifndef OPENSSL_NO_TLS1_METHOD
 IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1,
                         tlsv1_server_method,
                         ossl_statem_accept,
-                        ssl_undefined_function,
-                        TLSv1_enc_data)
+                        ssl_undefined_function, TLSv1_enc_data)
 #endif
-
 #ifndef OPENSSL_NO_SSL3_METHOD
 IMPLEMENT_ssl3_meth_func(sslv3_server_method,
-                         ossl_statem_accept,
-                         ssl_undefined_function)
+                         ossl_statem_accept, ssl_undefined_function)
 #endif
-
-
-/*
+/*-
  * TLS/SSLv3 client methods
  */
-
 IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
                         TLS_client_method,
                         ssl_undefined_function,
-                        ossl_statem_connect,
-                        TLSv1_2_enc_data)
-
+                        ossl_statem_connect, TLSv1_2_enc_data)
 #ifndef OPENSSL_NO_TLS1_2_METHOD
 IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
                         tlsv1_2_client_method,
                         ssl_undefined_function,
-                        ossl_statem_connect,
-                        TLSv1_2_enc_data)
+                        ossl_statem_connect, TLSv1_2_enc_data)
 #endif
-
 #ifndef OPENSSL_NO_TLS1_1_METHOD
 IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1,
                         tlsv1_1_client_method,
                         ssl_undefined_function,
-                        ossl_statem_connect,
-                        TLSv1_1_enc_data)
+                        ossl_statem_connect, TLSv1_1_enc_data)
 #endif
-
 #ifndef OPENSSL_NO_TLS1_METHOD
 IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1,
                         tlsv1_client_method,
                         ssl_undefined_function,
-                        ossl_statem_connect,
-                        TLSv1_enc_data)
+                        ossl_statem_connect, TLSv1_enc_data)
 #endif
-
 #ifndef OPENSSL_NO_SSL3_METHOD
 IMPLEMENT_ssl3_meth_func(sslv3_client_method,
-                         ssl_undefined_function,
-                         ossl_statem_connect)
+                         ssl_undefined_function, ossl_statem_connect)
 #endif
-
-
-/*
+/*-
  * DTLS methods
  */
-
 #ifndef OPENSSL_NO_DTLS1_METHOD
 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
                           dtlsv1_method,
                           ossl_statem_accept,
-                          ossl_statem_connect,
-                          DTLSv1_enc_data)
+                          ossl_statem_connect, DTLSv1_enc_data)
 #endif
-
 #ifndef OPENSSL_NO_DTLS1_2_METHOD
 IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
                           dtlsv1_2_method,
                           ossl_statem_accept,
-                          ossl_statem_connect,
-                          DTLSv1_2_enc_data)
+                          ossl_statem_connect, DTLSv1_2_enc_data)
 #endif
-
 IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0,
                           DTLS_method,
                           ossl_statem_accept,
-                          ossl_statem_connect,
-                          DTLSv1_2_enc_data)
+                          ossl_statem_connect, DTLSv1_2_enc_data)
 
-/*
+/*-
  * DTLS server methods
  */
-
 #ifndef OPENSSL_NO_DTLS1_METHOD
 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
                           dtlsv1_server_method,
                           ossl_statem_accept,
-                          ssl_undefined_function,
-                          DTLSv1_enc_data)
+                          ssl_undefined_function, DTLSv1_enc_data)
 #endif
-
 #ifndef OPENSSL_NO_DTLS1_2_METHOD
 IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
                           dtlsv1_2_server_method,
                           ossl_statem_accept,
-                          ssl_undefined_function,
-                          DTLSv1_2_enc_data)
+                          ssl_undefined_function, DTLSv1_2_enc_data)
 #endif
-
 IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0,
                           DTLS_server_method,
                           ossl_statem_accept,
-                          ssl_undefined_function,
-                          DTLSv1_2_enc_data)
-
+                          ssl_undefined_function, DTLSv1_2_enc_data)
 
-/*
+/*-
  * DTLS client methods
  */
-
 #ifndef OPENSSL_NO_DTLS1_METHOD
 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
                           dtlsv1_client_method,
                           ssl_undefined_function,
-                          ossl_statem_connect,
-                          DTLSv1_enc_data)
+                          ossl_statem_connect, DTLSv1_enc_data)
 IMPLEMENT_dtls1_meth_func(DTLS1_BAD_VER, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
                           dtls_bad_ver_client_method,
                           ssl_undefined_function,
-                          ossl_statem_connect,
-                          DTLSv1_enc_data)
+                          ossl_statem_connect, DTLSv1_enc_data)
 #endif
-
 #ifndef OPENSSL_NO_DTLS1_2_METHOD
 IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
                           dtlsv1_2_client_method,
                           ssl_undefined_function,
-                          ossl_statem_connect,
-                          DTLSv1_2_enc_data)
+                          ossl_statem_connect, DTLSv1_2_enc_data)
 #endif
-
 IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0,
                           DTLS_client_method,
                           ssl_undefined_function,
-                          ossl_statem_connect,
-                          DTLSv1_2_enc_data)
-
+                          ossl_statem_connect, DTLSv1_2_enc_data)
 #if OPENSSL_API_COMPAT < 0x10100000L
-
 # ifndef OPENSSL_NO_TLS1_2_METHOD
 const SSL_METHOD *TLSv1_2_method(void)
 {
@@ -317,4 +264,3 @@ const SSL_METHOD *DTLSv1_client_method(void)
 # endif
 
 #endif
-
diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h
index 0ff4ccc..d34034d 100644
--- a/ssl/packet_locl.h
+++ b/ssl/packet_locl.h
@@ -54,6 +54,7 @@ static ossl_inline const unsigned char *PACKET_end(const PACKET *pkt)
 {
     return pkt->curr + pkt->remaining;
 }
+
 /*
  * Returns a pointer to the PACKET's current position.
  * For use in non-PACKETized APIs.
@@ -107,8 +108,7 @@ __owur static ossl_inline int PACKET_equal(const PACKET *pkt, const void *ptr,
  * the original |pkt|, so data wrapped by |pkt| must outlive the |subpkt|.
  */
 __owur static ossl_inline int PACKET_peek_sub_packet(const PACKET *pkt,
-                                                     PACKET *subpkt,
-                                                     size_t len)
+                                                     PACKET *subpkt, size_t len)
 {
     if (PACKET_remaining(pkt) < len)
         return 0;
@@ -122,8 +122,7 @@ __owur static ossl_inline int PACKET_peek_sub_packet(const PACKET *pkt,
  * original |pkt|, so data wrapped by |pkt| must outlive the |subpkt|.
  */
 __owur static ossl_inline int PACKET_get_sub_packet(PACKET *pkt,
-                                                    PACKET *subpkt,
-                                                    size_t len)
+                                                    PACKET *subpkt, size_t len)
 {
     if (!PACKET_peek_sub_packet(pkt, subpkt, len))
         return 0;
@@ -151,8 +150,7 @@ __owur static ossl_inline int PACKET_peek_net_2(const PACKET *pkt,
 
 /* Equivalent of n2s */
 /* Get 2 bytes in network order from |pkt| and store the value in |*data| */
-__owur static ossl_inline int PACKET_get_net_2(PACKET *pkt,
-                                               unsigned int *data)
+__owur static ossl_inline int PACKET_get_net_2(PACKET *pkt, unsigned int *data)
 {
     if (!PACKET_peek_net_2(pkt, data))
         return 0;
@@ -181,8 +179,7 @@ __owur static ossl_inline int PACKET_peek_net_3(const PACKET *pkt,
 
 /* Equivalent of n2l3 */
 /* Get 3 bytes in network order from |pkt| and store the value in |*data| */
-__owur static ossl_inline int PACKET_get_net_3(PACKET *pkt,
-                                               unsigned long *data)
+__owur static ossl_inline int PACKET_get_net_3(PACKET *pkt, unsigned long *data)
 {
     if (!PACKET_peek_net_3(pkt, data))
         return 0;
@@ -212,8 +209,7 @@ __owur static ossl_inline int PACKET_peek_net_4(const PACKET *pkt,
 
 /* Equivalent of n2l */
 /* Get 4 bytes in network order from |pkt| and store the value in |*data| */
-__owur static ossl_inline int PACKET_get_net_4(PACKET *pkt,
-                                               unsigned long *data)
+__owur static ossl_inline int PACKET_get_net_4(PACKET *pkt, unsigned long *data)
 {
     if (!PACKET_peek_net_4(pkt, data))
         return 0;
@@ -333,8 +329,7 @@ __owur static ossl_inline int PACKET_peek_copy_bytes(const PACKET *pkt,
  * The caller is responsible for ensuring that |data| can hold |len| bytes.
  */
 __owur static ossl_inline int PACKET_copy_bytes(PACKET *pkt,
-                                                unsigned char *data,
-                                                size_t len)
+                                                unsigned char *data, size_t len)
 {
     if (!PACKET_peek_copy_bytes(pkt, data, len))
         return 0;
@@ -417,7 +412,7 @@ __owur static ossl_inline int PACKET_strndup(const PACKET *pkt, char **data)
 /* Returns 1 if |pkt| contains at least one 0-byte, 0 otherwise. */
 static ossl_inline int PACKET_contains_zero_byte(const PACKET *pkt)
 {
-  return memchr(pkt->curr, 0, pkt->remaining) != NULL;
+    return memchr(pkt->curr, 0, pkt->remaining) != NULL;
 }
 
 /* Move the current reading position forward |len| bytes */
@@ -460,22 +455,23 @@ __owur static ossl_inline int PACKET_get_length_prefixed_1(PACKET *pkt,
  * Like PACKET_get_length_prefixed_1, but additionally, fails when there are
  * leftover bytes in |pkt|.
  */
-__owur static ossl_inline int PACKET_as_length_prefixed_1(PACKET *pkt, PACKET *subpkt)
+__owur static ossl_inline int PACKET_as_length_prefixed_1(PACKET *pkt,
+                                                          PACKET *subpkt)
 {
-  unsigned int length;
-  const unsigned char *data;
-  PACKET tmp = *pkt;
-  if (!PACKET_get_1(&tmp, &length) ||
-      !PACKET_get_bytes(&tmp, &data, (size_t)length) ||
-      PACKET_remaining(&tmp) != 0) {
-      return 0;
-  }
+    unsigned int length;
+    const unsigned char *data;
+    PACKET tmp = *pkt;
+    if (!PACKET_get_1(&tmp, &length) ||
+        !PACKET_get_bytes(&tmp, &data, (size_t)length) ||
+        PACKET_remaining(&tmp) != 0) {
+        return 0;
+    }
 
-  *pkt = tmp;
-  subpkt->curr = data;
-  subpkt->remaining = length;
+    *pkt = tmp;
+    subpkt->curr = data;
+    subpkt->remaining = length;
 
-  return 1;
+    return 1;
 }
 
 /*
@@ -511,21 +507,21 @@ __owur static ossl_inline int PACKET_get_length_prefixed_2(PACKET *pkt,
 __owur static ossl_inline int PACKET_as_length_prefixed_2(PACKET *pkt,
                                                           PACKET *subpkt)
 {
-  unsigned int length;
-  const unsigned char *data;
-  PACKET tmp = *pkt;
+    unsigned int length;
+    const unsigned char *data;
+    PACKET tmp = *pkt;
 
-  if (!PACKET_get_net_2(&tmp, &length) ||
-      !PACKET_get_bytes(&tmp, &data, (size_t)length) ||
-      PACKET_remaining(&tmp) != 0) {
-      return 0;
-  }
+    if (!PACKET_get_net_2(&tmp, &length) ||
+        !PACKET_get_bytes(&tmp, &data, (size_t)length) ||
+        PACKET_remaining(&tmp) != 0) {
+        return 0;
+    }
 
-  *pkt = tmp;
-  subpkt->curr = data;
-  subpkt->remaining = length;
+    *pkt = tmp;
+    subpkt->curr = data;
+    subpkt->remaining = length;
 
-  return 1;
+    return 1;
 }
 
 /*
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c
index 7ddadfa..f9bf109 100644
--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -22,7 +22,6 @@ int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl)
     if ((d = OPENSSL_malloc(sizeof(*d))) == NULL)
         return (0);
 
-
     rl->d = d;
 
     d->unprocessed_rcds.q = pqueue_new();
@@ -97,18 +96,14 @@ void DTLS_RECORD_LAYER_set_saved_w_epoch(RECORD_LAYER *rl, unsigned short e)
 {
     if (e == rl->d->w_epoch - 1) {
         memcpy(rl->d->curr_write_sequence,
-               rl->write_sequence,
-               sizeof(rl->write_sequence));
+               rl->write_sequence, sizeof(rl->write_sequence));
         memcpy(rl->write_sequence,
-               rl->d->last_write_sequence,
-               sizeof(rl->write_sequence));
+               rl->d->last_write_sequence, sizeof(rl->write_sequence));
     } else if (e == rl->d->w_epoch + 1) {
         memcpy(rl->d->last_write_sequence,
-               rl->write_sequence,
-               sizeof(unsigned char[8]));
+               rl->write_sequence, sizeof(unsigned char[8]));
         memcpy(rl->write_sequence,
-               rl->d->curr_write_sequence,
-               sizeof(rl->write_sequence));
+               rl->d->curr_write_sequence, sizeof(rl->write_sequence));
     }
     rl->d->w_epoch = e;
 }
@@ -118,7 +113,6 @@ void DTLS_RECORD_LAYER_resync_write(RECORD_LAYER *rl)
     memcpy(rl->write_sequence, rl->read_sequence, sizeof(rl->write_sequence));
 }
 
-
 void DTLS_RECORD_LAYER_set_write_sequence(RECORD_LAYER *rl, unsigned char *seq)
 {
     memcpy(rl->write_sequence, seq, SEQ_NUM_SIZE);
@@ -232,7 +226,6 @@ int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
                    dtls1_retrieve_buffered_record((s), \
                    &((s)->rlayer.d->unprocessed_rcds))
 
-
 int dtls1_process_buffered_records(SSL *s)
 {
     pitem *item;
@@ -249,7 +242,8 @@ int dtls1_process_buffered_records(SSL *s)
             if (!dtls1_process_record(s))
                 return (0);
             if (dtls1_buffer_record(s, &(s->rlayer.d->processed_rcds),
-                SSL3_RECORD_get_seq_num(s->rlayer.rrec)) < 0)
+                                    SSL3_RECORD_get_seq_num(s->rlayer.rrec)) <
+                0)
                 return -1;
         }
     }
@@ -264,7 +258,6 @@ int dtls1_process_buffered_records(SSL *s)
     return (1);
 }
 
-
 /*-
  * Return up to 'len' payload bytes received in 'type' records.
  * 'type' is one of the following:
@@ -390,7 +383,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
 
     /* get new packet if necessary */
     if ((SSL3_RECORD_get_length(rr) == 0)
-            || (s->rlayer.rstate == SSL_ST_READ_BODY)) {
+        || (s->rlayer.rstate == SSL_ST_READ_BODY)) {
         ret = dtls1_get_record(s);
         if (ret <= 0) {
             ret = dtls1_read_failed(s, ret);
@@ -413,7 +406,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
          * data for later processing rather than dropping the connection.
          */
         if (dtls1_buffer_record(s, &(s->rlayer.d->buffered_app_data),
-            SSL3_RECORD_get_seq_num(rr)) < 0) {
+                                SSL3_RECORD_get_seq_num(rr)) < 0) {
             SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
             return -1;
         }
@@ -432,8 +425,8 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
     }
 
     if (type == SSL3_RECORD_get_type(rr)
-            || (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC
-                && type == SSL3_RT_HANDSHAKE && recvd_type != NULL)) {
+        || (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC
+            && type == SSL3_RT_HANDSHAKE && recvd_type != NULL)) {
         /*
          * SSL3_RT_APPLICATION_DATA or
          * SSL3_RT_HANDSHAKE or
@@ -525,7 +518,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
         else if (SSL3_RECORD_get_type(rr) == DTLS1_RT_HEARTBEAT) {
             /* We allow a 0 return */
             if (dtls1_process_heartbeat(s, SSL3_RECORD_get_data(rr),
-                    SSL3_RECORD_get_length(rr)) < 0) {
+                                        SSL3_RECORD_get_length(rr)) < 0) {
                 return -1;
             }
             /* Exit and notify application to read again */
@@ -542,7 +535,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
              * Application data while renegotiating is allowed. Try again
              * reading.
              */
-            if (SSL3_RECORD_get_type(rr)  == SSL3_RT_APPLICATION_DATA) {
+            if (SSL3_RECORD_get_type(rr) == SSL3_RT_APPLICATION_DATA) {
                 BIO *bio;
                 s->s3->in_read_app_data = 2;
                 bio = SSL_get_rbio(s);
@@ -563,14 +556,14 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
              * XDTLS: In a pathological case, the Client Hello may be
              * fragmented--don't always expect dest_maxlen bytes
              */
-            if (SSL3_RECORD_get_length(rr)  < dest_maxlen) {
+            if (SSL3_RECORD_get_length(rr) < dest_maxlen) {
 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
                 /*
                  * for normal alerts rr->length is 2, while
                  * dest_maxlen is 7 if we were to handle this
                  * non-existing alert...
                  */
-                FIX ME
+                FIX ME;
 #endif
                 s->rlayer.rstate = SSL_ST_READ_HEADER;
                 SSL3_RECORD_set_length(rr, 0);
@@ -628,8 +621,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
                 if (i < 0)
                     return (i);
                 if (i == 0) {
-                    SSLerr(SSL_F_DTLS1_READ_BYTES,
-                           SSL_R_SSL_HANDSHAKE_FAILURE);
+                    SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
                     return (-1);
                 }
 
@@ -734,8 +726,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
 
             s->rwstate = SSL_NOTHING;
             s->s3->fatal_alert = alert_descr;
-            SSLerr(SSL_F_DTLS1_READ_BYTES,
-                   SSL_AD_REASON_OFFSET + alert_descr);
+            SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
             BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr);
             ERR_add_error_data(2, "SSL alert number ", tmp);
             s->shutdown |= SSL_RECEIVED_SHUTDOWN;
@@ -874,7 +865,6 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
     return (-1);
 }
 
-
         /*
          * this only happens when a client hello is received and a handshake
          * is started.
@@ -884,7 +874,7 @@ static int have_handshake_fragment(SSL *s, int type, unsigned char *buf,
 {
 
     if ((type == SSL3_RT_HANDSHAKE)
-            && (s->rlayer.d->handshake_fragment_len > 0))
+        && (s->rlayer.d->handshake_fragment_len > 0))
         /* (partially) satisfy request from storage */
     {
         unsigned char *src = s->rlayer.d->handshake_fragment;
@@ -981,7 +971,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
      * header: otherwise some clients will ignore it.
      */
     if (s->method->version == DTLS_ANY_VERSION &&
-	s->max_proto_version != DTLS1_BAD_VER) {
+        s->max_proto_version != DTLS1_BAD_VER) {
         *(p++) = DTLS1_VERSION >> 8;
         *(p++) = DTLS1_VERSION & 0xff;
     } else {
@@ -1040,7 +1030,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
 
     if (mac_size != 0) {
         if (s->method->ssl3_enc->mac(s, &wr,
-                &(p[SSL3_RECORD_get_length(&wr) + eivlen]), 1) < 0)
+                                     &(p[SSL3_RECORD_get_length(&wr) + eivlen]),
+                                     1) < 0)
             goto err;
         SSL3_RECORD_add_length(&wr, mac_size);
     }
@@ -1115,7 +1106,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
 }
 
 DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
-                                      unsigned int *is_next_epoch)
+                               unsigned int *is_next_epoch)
 {
 
     *is_next_epoch = 0;
@@ -1126,7 +1117,7 @@ DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
 
     /* Only HM and ALERT messages can be from the next epoch */
     else if (rr->epoch == (unsigned long)(s->rlayer.d->r_epoch + 1) &&
-            (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
+             (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
         *is_next_epoch = 1;
         return &s->rlayer.d->next_bitmap;
     }
@@ -1144,8 +1135,7 @@ void dtls1_reset_seq_numbers(SSL *s, int rw)
         s->rlayer.d->r_epoch++;
         memcpy(&s->rlayer.d->bitmap, &s->rlayer.d->next_bitmap,
                sizeof(s->rlayer.d->bitmap));
-        memset(&s->rlayer.d->next_bitmap, 0,
-               sizeof(s->rlayer.d->next_bitmap));
+        memset(&s->rlayer.d->next_bitmap, 0, sizeof(s->rlayer.d->next_bitmap));
     } else {
         seq = s->rlayer.write_sequence;
         memcpy(s->rlayer.d->last_write_sequence, seq,
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index c2f9666..52a8dcf 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -43,7 +43,8 @@ void RECORD_LAYER_clear(RECORD_LAYER *rl)
 
     rl->rstate = SSL_ST_READ_HEADER;
 
-    /* Do I need to clear read_ahead? As far as I can tell read_ahead did not
+    /*
+     * Do I need to clear read_ahead? As far as I can tell read_ahead did not
      * previously get reset by SSL_clear...so I'll keep it that way..but is
      * that right?
      */
@@ -91,7 +92,7 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
 int RECORD_LAYER_write_pending(const RECORD_LAYER *rl)
 {
     return (rl->numwpipes > 0)
-            && SSL3_BUFFER_get_left(&rl->wbuf[rl->numwpipes-1]) != 0;
+        && SSL3_BUFFER_get_left(&rl->wbuf[rl->numwpipes - 1]) != 0;
 }
 
 int RECORD_LAYER_set_data(RECORD_LAYER *rl, const unsigned char *buf, int len)
@@ -130,7 +131,7 @@ int ssl3_pending(const SSL *s)
 
     for (i = 0; i < RECORD_LAYER_get_numrpipes(&s->rlayer); i++) {
         if (SSL3_RECORD_get_type(&s->rlayer.rrec[i])
-                != SSL3_RT_APPLICATION_DATA)
+            != SSL3_RT_APPLICATION_DATA)
             return 0;
         num += SSL3_RECORD_get_length(&s->rlayer.rrec[i]);
     }
@@ -262,7 +263,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold)
      * Move any available bytes to front of buffer: 'len' bytes already
      * pointed to by 'packet', 'left' extra ones at the end
      */
-    if (s->rlayer.packet != pkt && clearold == 1) {     /* len > 0 */
+    if (s->rlayer.packet != pkt && clearold == 1) { /* len > 0 */
         memmove(pkt, s->rlayer.packet, len + left);
         s->rlayer.packet = pkt;
         rb->offset = len + align;
@@ -327,7 +328,6 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold)
     return (n);
 }
 
-
 /*
  * Call this to write data in records of type 'type' It will return <= 0 if
  * not all data has been sent or non-blocking IO.
@@ -365,7 +365,6 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
         return -1;
     }
 
-
     s->rlayer.wnum = 0;
 
     if (SSL_in_init(s) && !ossl_statem_get_in_handshake(s)) {
@@ -538,22 +537,22 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
         /*
          * We should have prevented this when we set max_pipelines so we
          * shouldn't get here
-        */
+         */
         SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR);
         return -1;
     }
     if (maxpipes == 0
-            || s->enc_write_ctx == NULL
-            || !(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx))
-                 & EVP_CIPH_FLAG_PIPELINE)
-            || !SSL_USE_EXPLICIT_IV(s))
+        || s->enc_write_ctx == NULL
+        || !(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx))
+             & EVP_CIPH_FLAG_PIPELINE)
+        || !SSL_USE_EXPLICIT_IV(s))
         maxpipes = 1;
     if (s->max_send_fragment == 0 || split_send_fragment > s->max_send_fragment
-            || split_send_fragment == 0) {
+        || split_send_fragment == 0) {
         /*
          * We should have prevented this when we set the split and max send
          * fragments so we shouldn't get here
-        */
+         */
         SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR);
         return -1;
     }
@@ -658,8 +657,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
     sess = s->session;
 
     if ((sess == NULL) ||
-        (s->enc_write_ctx == NULL) ||
-        (EVP_MD_CTX_md(s->write_hash) == NULL)) {
+        (s->enc_write_ctx == NULL) || (EVP_MD_CTX_md(s->write_hash) == NULL)) {
         clear = s->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */
         mac_size = 0;
     } else {
@@ -691,8 +689,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                 goto err;
 
             if (prefix_len >
-                (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD))
-            {
+                (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) {
                 /* insufficient space */
                 SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
                 goto err;
@@ -718,9 +715,9 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
     } else if (prefix_len) {
         wb = &s->rlayer.wbuf[0];
         outbuf[0] = SSL3_BUFFER_get_buf(wb) + SSL3_BUFFER_get_offset(wb)
-                    + prefix_len;
+            + prefix_len;
     } else {
-        for (j=0; j < numpipes; j++) {
+        for (j = 0; j < numpipes; j++) {
             wb = &s->rlayer.wbuf[j];
 #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
             align = (size_t)SSL3_BUFFER_get_buf(wb) + SSL3_RT_HEADER_LENGTH;
@@ -749,11 +746,10 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
     } else
         eivlen = 0;
 
-
     totlen = 0;
     /* Clear our SSL3_RECORD structures */
     memset(wr, 0, sizeof wr);
-    for (j=0; j < numpipes; j++) {
+    for (j = 0; j < numpipes; j++) {
         /* write the header */
         *(outbuf[j]++) = type & 0xff;
         SSL3_RECORD_set_type(&wr[j], type);
@@ -802,12 +798,12 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 
         if (!SSL_USE_ETM(s) && mac_size != 0) {
             if (s->method->ssl3_enc->mac(s, &wr[j],
-                    &(outbuf[j][wr[j].length + eivlen]), 1) < 0)
+                                         &(outbuf[j][wr[j].length + eivlen]),
+                                         1) < 0)
                 goto err;
             SSL3_RECORD_add_length(&wr[j], mac_size);
         }
 
-
         SSL3_RECORD_set_data(&wr[j], outbuf[j]);
         SSL3_RECORD_reset_input(&wr[j]);
 
@@ -822,7 +818,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
     if (s->method->ssl3_enc->enc(s, wr, numpipes, 1) < 1)
         goto err;
 
-    for (j=0; j < numpipes; j++) {
+    for (j = 0; j < numpipes; j++) {
         if (SSL_USE_ETM(s) && mac_size != 0) {
             if (s->method->ssl3_enc->mac(s, &wr[j],
                                          outbuf[j] + wr[j].length, 1) < 0)
@@ -841,7 +837,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
          * we should now have wr->data pointing to the encrypted data, which is
          * wr->length long
          */
-        SSL3_RECORD_set_type(&wr[j], type);  /* not needed but helps for debugging */
+        SSL3_RECORD_set_type(&wr[j], type); /* not needed but helps for
+                                             * debugging */
         SSL3_RECORD_add_length(&wr[j], SSL3_RT_HEADER_LENGTH);
 
         if (create_empty_fragment) {
@@ -859,11 +856,9 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 
         /* now let's set up wb */
         SSL3_BUFFER_set_left(&s->rlayer.wbuf[j],
-            prefix_len + SSL3_RECORD_get_length(&wr[j]));
+                             prefix_len + SSL3_RECORD_get_length(&wr[j]));
     }
 
-
-
     /*
      * memorize arguments so that ssl3_write_pending can detect bad write
      * retries later
@@ -899,17 +894,17 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
     for (;;) {
         /* Loop until we find a buffer we haven't written out yet */
         if (SSL3_BUFFER_get_left(&wb[currbuf]) == 0
-                && currbuf < s->rlayer.numwpipes - 1) {
+            && currbuf < s->rlayer.numwpipes - 1) {
             currbuf++;
             continue;
         }
         clear_sys_error();
         if (s->wbio != NULL) {
             s->rwstate = SSL_WRITING;
-            i = BIO_write(s->wbio,
-                (char *)&(SSL3_BUFFER_get_buf(&wb[currbuf])[
-                                SSL3_BUFFER_get_offset(&wb[currbuf])]),
-                (unsigned int)SSL3_BUFFER_get_left(&wb[currbuf]));
+            i = BIO_write(s->wbio, (char *)
+                          &(SSL3_BUFFER_get_buf(&wb[currbuf])
+                            [SSL3_BUFFER_get_offset(&wb[currbuf])]),
+                          (unsigned int)SSL3_BUFFER_get_left(&wb[currbuf]));
         } else {
             SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BIO_NOT_SET);
             i = -1;
@@ -1059,7 +1054,7 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
         /* Skip over any records we have already read */
         for (curr_rec = 0;
              curr_rec < num_recs && SSL3_RECORD_is_read(&rr[curr_rec]);
-             curr_rec++);
+             curr_rec++) ;
         if (curr_rec == num_recs) {
             RECORD_LAYER_set_numrpipes(&s->rlayer, 0);
             num_recs = 0;
@@ -1089,8 +1084,8 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
     }
 
     if (type == SSL3_RECORD_get_type(rr)
-            || (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC
-                && type == SSL3_RT_HANDSHAKE && recvd_type != NULL)) {
+        || (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC
+            && type == SSL3_RT_HANDSHAKE && recvd_type != NULL)) {
         /*
          * SSL3_RT_APPLICATION_DATA or
          * SSL3_RT_HANDSHAKE or
@@ -1108,8 +1103,8 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
         }
 
         if (type == SSL3_RT_HANDSHAKE
-                && SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC
-                && s->rlayer.handshake_fragment_len > 0) {
+            && SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC
+            && s->rlayer.handshake_fragment_len > 0) {
             al = SSL_AD_UNEXPECTED_MESSAGE;
             SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY);
             goto f_err;
@@ -1152,8 +1147,8 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
             goto start;
         }
         if (!peek && curr_rec == num_recs
-                && (s->mode & SSL_MODE_RELEASE_BUFFERS)
-                && SSL3_BUFFER_get_left(rbuf) == 0)
+            && (s->mode & SSL_MODE_RELEASE_BUFFERS)
+            && SSL3_BUFFER_get_left(rbuf) == 0)
             ssl3_release_read_buffer(s);
         return read_bytes;
     }
@@ -1186,7 +1181,7 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
     }
 
     if (s->method->version == TLS_ANY_VERSION
-            && (s->server || rr->type != SSL3_RT_ALERT)) {
+        && (s->server || rr->type != SSL3_RT_ALERT)) {
         /*
          * If we've got this far and still haven't decided on what version
          * we're using then this must be a client side alert we're dealing with
@@ -1273,8 +1268,7 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
                 if (i < 0)
                     return (i);
                 if (i == 0) {
-                    SSLerr(SSL_F_SSL3_READ_BYTES,
-                           SSL_R_SSL_HANDSHAKE_FAILURE);
+                    SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
                     return (-1);
                 }
 
@@ -1405,7 +1399,7 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
      * Unexpected handshake message (Client Hello, or protocol violation)
      */
     if ((s->rlayer.handshake_fragment_len >= 4)
-            && !ossl_statem_get_in_handshake(s)) {
+        && !ossl_statem_get_in_handshake(s)) {
         if (SSL_is_init_finished(s) &&
             !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
             ossl_statem_set_in_init(s, 1);
diff --git a/ssl/record/record.h b/ssl/record/record.h
index ce60a15..a093aed 100644
--- a/ssl/record/record.h
+++ b/ssl/record/record.h
@@ -33,46 +33,36 @@ typedef struct ssl3_record_st {
     /* Record layer version */
     /* r */
     int rec_version;
-
     /* type of record */
     /* r */
     int type;
-
     /* How many bytes available */
     /* rw */
     unsigned int length;
-
     /*
      * How many bytes were available before padding was removed? This is used
      * to implement the MAC check in constant time for CBC records.
      */
     /* rw */
     unsigned int orig_len;
-
     /* read/write offset into 'buf' */
     /* r */
     unsigned int off;
-
     /* pointer to the record data */
     /* rw */
     unsigned char *data;
-
     /* where the decode bytes are */
     /* rw */
     unsigned char *input;
-
     /* only used with decompression - malloc()ed */
     /* r */
     unsigned char *comp;
-
     /* Whether the data from this record has already been read or not */
     /* r */
     unsigned int read;
-
     /* epoch number, needed by DTLS1 */
     /* r */
     unsigned long epoch;
-
     /* sequence number, needed by DTLS1 */
     /* r */
     unsigned char seq_num[SEQ_NUM_SIZE];
@@ -81,7 +71,6 @@ typedef struct ssl3_record_st {
 typedef struct dtls1_bitmap_st {
     /* Track 32 packets on 32-bit systems and 64 - on 64-bit systems */
     unsigned long map;
-
     /* Max record number seen so far, 64-bit value in big-endian encoding */
     unsigned char max_seq_num[SEQ_NUM_SIZE];
 } DTLS1_BITMAP;
@@ -96,12 +85,11 @@ typedef struct dtls1_record_data_st {
     unsigned int packet_length;
     SSL3_BUFFER rbuf;
     SSL3_RECORD rrec;
-#  ifndef OPENSSL_NO_SCTP
+#ifndef OPENSSL_NO_SCTP
     struct bio_dgram_sctp_rcvinfo recordinfo;
-#  endif
+#endif
 } DTLS1_RECORD_DATA;
 
-
 typedef struct dtls_record_layer_st {
     /*
      * The current data and handshake epoch.  This is initially
@@ -110,12 +98,10 @@ typedef struct dtls_record_layer_st {
      */
     unsigned short r_epoch;
     unsigned short w_epoch;
-
     /* records being received in the current epoch */
     DTLS1_BITMAP bitmap;
     /* renegotiation starts a new set of sequence numbers */
     DTLS1_BITMAP next_bitmap;
-
     /* Received handshake records (processed and unprocessed) */
     record_pqueue unprocessed_rcds;
     record_pqueue processed_rcds;
@@ -133,7 +119,6 @@ typedef struct dtls_record_layer_st {
     unsigned int alert_fragment_len;
     unsigned char handshake_fragment[DTLS1_HM_HEADER_LENGTH];
     unsigned int handshake_fragment_len;
-
     /* save last and current sequence numbers for retransmissions */
     unsigned char last_write_sequence[8];
     unsigned char curr_write_sequence[8];
@@ -157,7 +142,6 @@ typedef struct record_layer_st {
     int read_ahead;
     /* where we are when reading */
     int rstate;
-
     /* How many pipelines can be used to read data */
     unsigned int numrpipes;
     /* How many pipelines can be used to write data */
@@ -168,14 +152,11 @@ typedef struct record_layer_st {
     SSL3_BUFFER wbuf[SSL_MAX_PIPELINES];
     /* each decoded record goes in here */
     SSL3_RECORD rrec[SSL_MAX_PIPELINES];
-
     /* used internally to point at a raw packet */
     unsigned char *packet;
     unsigned int packet_length;
-
     /* number of bytes sent so far */
     unsigned int wnum;
-
     /*
      * storage for Alert/Handshake protocol data received but not yet
      * processed by ssl3_read_bytes:
@@ -184,10 +165,8 @@ typedef struct record_layer_st {
     unsigned int alert_fragment_len;
     unsigned char handshake_fragment[4];
     unsigned int handshake_fragment_len;
-
     /* The number of consecutive empty records we have received */
     unsigned int empty_record_count;
-
     /* partial write - check the numbers match */
     /* number bytes written */
     int wpend_tot;
@@ -195,17 +174,13 @@ typedef struct record_layer_st {
     /* number of bytes submitted */
     int wpend_ret;
     const unsigned char *wpend_buf;
-
     unsigned char read_sequence[SEQ_NUM_SIZE];
     unsigned char write_sequence[SEQ_NUM_SIZE];
-
     /* Set to true if this is the first record in a connection */
     unsigned int is_first_record;
-
     DTLS_RECORD_LAYER *d;
 } RECORD_LAYER;
 
-
 /*****************************************************************************
  *                                                                           *
  * The following macros/functions represent the libssl internal API to the   *
@@ -247,7 +222,7 @@ __owur int ssl3_setup_buffers(SSL *s);
 __owur int ssl3_enc(SSL *s, SSL3_RECORD *inrecs, unsigned int n_recs, int send);
 __owur int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send);
 __owur int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
-                       unsigned int len);
+                              unsigned int len);
 __owur int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int send);
 __owur int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send);
 int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl);
@@ -261,6 +236,5 @@ __owur int dtls1_read_bytes(SSL *s, int type, int *recvd_type,
                             unsigned char *buf, int len, int peek);
 __owur int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
 __owur int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
-                   unsigned int len, int create_empty_fragement);
+                          unsigned int len, int create_empty_fragement);
 void dtls1_reset_seq_numbers(SSL *s, int rw);
-
diff --git a/ssl/record/record_locl.h b/ssl/record/record_locl.h
index f9dbc33..3b9a700 100644
--- a/ssl/record/record_locl.h
+++ b/ssl/record/record_locl.h
@@ -40,11 +40,10 @@ __owur int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold);
 
 void RECORD_LAYER_set_write_sequence(RECORD_LAYER *rl, const unsigned char *ws);
 DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
-                                      unsigned int *is_next_epoch);
+                               unsigned int *is_next_epoch);
 int dtls1_process_buffered_records(SSL *s);
 int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue);
-int dtls1_buffer_record(SSL *s, record_pqueue *q,
-                               unsigned char *priority);
+int dtls1_buffer_record(SSL *s, record_pqueue *q, unsigned char *priority);
 void ssl3_record_sequence_update(unsigned char *seq);
 
 /* Functions provided by the DTLS1_BITMAP component */
@@ -52,7 +51,6 @@ void ssl3_record_sequence_update(unsigned char *seq);
 int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
 void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
 
-
 /* Macros/functions provided by the SSL3_BUFFER component */
 
 #define SSL3_BUFFER_get_buf(b)              ((b)->buf)
@@ -108,9 +106,9 @@ __owur int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr);
 void ssl3_cbc_copy_mac(unsigned char *out,
                        const SSL3_RECORD *rec, unsigned md_size);
 __owur int ssl3_cbc_remove_padding(SSL3_RECORD *rec,
-                            unsigned block_size, unsigned mac_size);
+                                   unsigned block_size, unsigned mac_size);
 __owur int tls1_cbc_remove_padding(const SSL *s,
-                            SSL3_RECORD *rec,
-                            unsigned block_size, unsigned mac_size);
+                                   SSL3_RECORD *rec,
+                                   unsigned block_size, unsigned mac_size);
 int dtls1_process_record(SSL *s);
 __owur int dtls1_get_record(SSL *s);
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index f1d6f72..1782780 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -61,7 +61,6 @@ void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num)
     memcpy(r->seq_num, seq_num, SEQ_NUM_SIZE);
 }
 
-
 /*
  * Peeks ahead into "read_ahead" data to see if we have a whole record waiting
  * for us in the buffer.
@@ -151,9 +150,10 @@ int ssl3_get_record(SSL *s)
             (RECORD_LAYER_get_packet_length(&s->rlayer)
              < SSL3_RT_HEADER_LENGTH)) {
             n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH,
-                SSL3_BUFFER_get_len(rbuf), 0, num_recs == 0 ? 1 : 0);
+                            SSL3_BUFFER_get_len(rbuf), 0,
+                            num_recs == 0 ? 1 : 0);
             if (n <= 0)
-                return (n);         /* error or non-blocking */
+                return (n);     /* error or non-blocking */
             RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
 
             p = RECORD_LAYER_get_packet(&s->rlayer);
@@ -162,7 +162,7 @@ int ssl3_get_record(SSL *s)
              * The first record received by the server may be a V2ClientHello.
              */
             if (s->server && RECORD_LAYER_is_first_record(&s->rlayer)
-                    && (p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) {
+                && (p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) {
                 /*
                  *  SSLv2 style record
                  *
@@ -178,7 +178,7 @@ int ssl3_get_record(SSL *s)
                 rr[num_recs].length = ((p[0] & 0x7f) << 8) | p[1];
 
                 if (rr[num_recs].length > SSL3_BUFFER_get_len(rbuf)
-                                 - SSL2_RT_HEADER_LENGTH) {
+                    - SSL2_RT_HEADER_LENGTH) {
                     al = SSL_AD_RECORD_OVERFLOW;
                     SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
                     goto f_err;
@@ -217,7 +217,7 @@ int ssl3_get_record(SSL *s)
                              * shouldn't send a fatal alert back. We'll just
                              * end.
                              */
-                             goto err;
+                            goto err;
                         }
                         /*
                          * Send back error using their minor version number :-)
@@ -258,7 +258,7 @@ int ssl3_get_record(SSL *s)
                 }
 
                 if (rr[num_recs].length >
-                        SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
+                    SSL3_BUFFER_get_len(rbuf) - SSL3_RT_HEADER_LENGTH) {
                     al = SSL_AD_RECORD_OVERFLOW;
                     SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
                     goto f_err;
@@ -284,7 +284,7 @@ int ssl3_get_record(SSL *s)
 
             n = ssl3_read_n(s, i, i, 1, 0);
             if (n <= 0)
-                return (n);         /* error or non-blocking io */
+                return (n);     /* error or non-blocking io */
         }
 
         /* set state for later operations */
@@ -335,14 +335,13 @@ int ssl3_get_record(SSL *s)
         RECORD_LAYER_reset_packet_length(&s->rlayer);
         RECORD_LAYER_clear_first_record(&s->rlayer);
     } while (num_recs < max_recs
-             && rr[num_recs-1].type == SSL3_RT_APPLICATION_DATA
+             && rr[num_recs - 1].type == SSL3_RT_APPLICATION_DATA
              && SSL_USE_EXPLICIT_IV(s)
              && s->enc_read_ctx != NULL
              && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx))
-                & EVP_CIPH_FLAG_PIPELINE)
+                 & EVP_CIPH_FLAG_PIPELINE)
              && ssl3_record_app_data_waiting(s));
 
-
     /*
      * If in encrypt-then-mac mode calculate mac from encrypted record. All
      * the details below are public so no timing details can leak.
@@ -402,7 +401,7 @@ int ssl3_get_record(SSL *s)
         mac_size = EVP_MD_CTX_size(s->read_hash);
         OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
 
-        for (j=0; j < num_recs; j++) {
+        for (j = 0; j < num_recs; j++) {
             /*
              * orig_len is the length of the record before any padding was
              * removed. This is public information, as is the MAC in use,
@@ -495,7 +494,7 @@ int ssl3_get_record(SSL *s)
         if (rr[j].length == 0) {
             RECORD_LAYER_inc_empty_record_count(&s->rlayer);
             if (RECORD_LAYER_get_empty_record_count(&s->rlayer)
-                    > MAX_EMPTY_RECORDS) {
+                > MAX_EMPTY_RECORDS) {
                 al = SSL_AD_UNEXPECTED_MESSAGE;
                 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_RECORD_TOO_SMALL);
                 goto f_err;
@@ -527,8 +526,7 @@ int ssl3_do_uncompress(SSL *ssl, SSL3_RECORD *rr)
         return 0;
 
     i = COMP_expand_block(ssl->expand, rr->comp,
-                          SSL3_RT_MAX_PLAIN_LENGTH, rr->data,
-                          (int)rr->length);
+                          SSL3_RT_MAX_PLAIN_LENGTH, rr->data, (int)rr->length);
     if (i < 0)
         return 0;
     else
@@ -709,7 +707,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int send)
 
         if (n_recs > 1) {
             if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
-                                    & EVP_CIPH_FLAG_PIPELINE)) {
+                  & EVP_CIPH_FLAG_PIPELINE)) {
                 /*
                  * We shouldn't have been called with pipeline data if the
                  * cipher doesn't support pipelining
@@ -722,7 +720,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int send)
             reclen[ctr] = recs[ctr].length;
 
             if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
-                    & EVP_CIPH_FLAG_AEAD_CIPHER) {
+                & EVP_CIPH_FLAG_AEAD_CIPHER) {
                 unsigned char *seq;
 
                 seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer)
@@ -786,7 +784,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int send)
                 data[ctr] = recs[ctr].data;
             }
             if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_OUTPUT_BUFS,
-                                      n_recs, data) <= 0) {
+                                    n_recs, data) <= 0) {
                 SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
             }
             /* Set the input buffers */
@@ -794,9 +792,9 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int send)
                 data[ctr] = recs[ctr].input;
             }
             if (EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_BUFS,
-                                      n_recs, data) <= 0
+                                    n_recs, data) <= 0
                 || EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_SET_PIPELINE_INPUT_LENS,
-                                      n_recs, reclen) <= 0) {
+                                       n_recs, reclen) <= 0) {
                 SSLerr(SSL_F_TLS1_ENC, SSL_R_PIPELINE_FAILURE);
                 return -1;
             }
@@ -804,7 +802,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, unsigned int n_recs, int send)
 
         i = EVP_Cipher(ds, recs[0].data, recs[0].input, reclen[0]);
         if ((EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ds))
-                & EVP_CIPH_FLAG_CUSTOM_CIPHER)
+             & EVP_CIPH_FLAG_CUSTOM_CIPHER)
             ? (i < 0)
             : (i == 0))
             return -1;          /* AEAD can fail to verify MAC */
@@ -924,18 +922,18 @@ int n_ssl3_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
         p = md;
         s2n(rec->length, p);
         if (EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
-                || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
-                || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
-                || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
-                || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
-                || EVP_DigestUpdate(md_ctx, md, 2) <= 0
-                || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
-                || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
-                || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
-                || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
-                || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
-                || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
-                || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
+            || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
+            || EVP_DigestUpdate(md_ctx, ssl3_pad_1, npad) <= 0
+            || EVP_DigestUpdate(md_ctx, seq, 8) <= 0
+            || EVP_DigestUpdate(md_ctx, &rec_char, 1) <= 0
+            || EVP_DigestUpdate(md_ctx, md, 2) <= 0
+            || EVP_DigestUpdate(md_ctx, rec->input, rec->length) <= 0
+            || EVP_DigestFinal_ex(md_ctx, md, NULL) <= 0
+            || EVP_MD_CTX_copy_ex(md_ctx, hash) <= 0
+            || EVP_DigestUpdate(md_ctx, mac_sec, md_size) <= 0
+            || EVP_DigestUpdate(md_ctx, ssl3_pad_2, npad) <= 0
+            || EVP_DigestUpdate(md_ctx, md, md_size) <= 0
+            || EVP_DigestFinal_ex(md_ctx, md, &md_size_u) <= 0) {
             EVP_MD_CTX_reset(md_ctx);
             return -1;
         }
@@ -977,8 +975,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
         mac_ctx = hash;
     } else {
         hmac = EVP_MD_CTX_new();
-        if (hmac == NULL
-                || !EVP_MD_CTX_copy(hmac, hash))
+        if (hmac == NULL || !EVP_MD_CTX_copy(hmac, hash))
             return -1;
         mac_ctx = hmac;
     }
@@ -1020,8 +1017,8 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
         }
     } else {
         if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0
-                || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0
-                || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) {
+            || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0
+            || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) {
             EVP_MD_CTX_free(hmac);
             return -1;
         }
@@ -1031,7 +1028,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
                                        rec->length, rec->orig_len)) {
                 EVP_MD_CTX_free(hmac);
                 return -1;
-        }
+            }
     }
 
     EVP_MD_CTX_free(hmac);
@@ -1138,7 +1135,8 @@ int tls1_cbc_remove_padding(const SSL *s,
 
     padding_length = rec->data[rec->length - 1];
 
-    if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER) {
+    if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_read_ctx)) &
+        EVP_CIPH_FLAG_AEAD_CIPHER) {
         /* padding is already verified */
         rec->length -= padding_length + 1;
         return 1;
@@ -1439,7 +1437,6 @@ int dtls1_process_record(SSL *s)
     return (0);
 }
 
-
 /*
  * retrieve a buffered record that belongs to the current epoch, ie,
  * processed
@@ -1487,13 +1484,14 @@ int dtls1_get_record(SSL *s)
     if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
         (RECORD_LAYER_get_packet_length(&s->rlayer) < DTLS1_RT_HEADER_LENGTH)) {
         n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH,
-            SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1);
+                        SSL3_BUFFER_get_len(&s->rlayer.rbuf), 0, 1);
         /* read timeout is handled by dtls1_read_bytes */
         if (n <= 0)
             return (n);         /* error or non-blocking */
 
         /* this packet contained a partial record, dump it */
-        if (RECORD_LAYER_get_packet_length(&s->rlayer) != DTLS1_RT_HEADER_LENGTH) {
+        if (RECORD_LAYER_get_packet_length(&s->rlayer) !=
+            DTLS1_RT_HEADER_LENGTH) {
             RECORD_LAYER_reset_packet_length(&s->rlayer);
             goto again;
         }
@@ -1573,7 +1571,7 @@ int dtls1_get_record(SSL *s)
     bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
     if (bitmap == NULL) {
         rr->length = 0;
-        RECORD_LAYER_reset_packet_length(&s->rlayer);   /* dump this record */
+        RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
         goto again;             /* get another record */
     }
 #ifndef OPENSSL_NO_SCTP
@@ -1603,7 +1601,7 @@ int dtls1_get_record(SSL *s)
         if ((SSL_in_init(s) || ossl_statem_get_in_handshake(s))) {
             if (dtls1_buffer_record
                 (s, &(DTLS_RECORD_LAYER_get_unprocessed_rcds(&s->rlayer)),
-                rr->seq_num) < 0)
+                 rr->seq_num) < 0)
                 return -1;
             /* Mark receipt of record. */
             dtls1_record_bitmap_update(s, bitmap);
@@ -1615,7 +1613,7 @@ int dtls1_get_record(SSL *s)
 
     if (!dtls1_process_record(s)) {
         rr->length = 0;
-        RECORD_LAYER_reset_packet_length(&s->rlayer);   /* dump this record */
+        RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */
         goto again;             /* get another record */
     }
     dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index febd88a..9a228f7 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -26,8 +26,6 @@
  */
 #define MAX_HASH_BLOCK_SIZE 128
 
-
-
 /*
  * u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
  * little-endian order. The value of p is advanced by four.
@@ -129,14 +127,14 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
  * Returns 1 on success or 0 on error
  */
 int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
-                            unsigned char *md_out,
-                            size_t *md_out_size,
-                            const unsigned char header[13],
-                            const unsigned char *data,
-                            size_t data_plus_mac_size,
-                            size_t data_plus_mac_plus_padding_size,
-                            const unsigned char *mac_secret,
-                            unsigned mac_secret_length, char is_sslv3)
+                           unsigned char *md_out,
+                           size_t *md_out_size,
+                           const unsigned char header[13],
+                           const unsigned char *data,
+                           size_t data_plus_mac_size,
+                           size_t data_plus_mac_plus_padding_size,
+                           const unsigned char *mac_secret,
+                           unsigned mac_secret_length, char is_sslv3)
 {
     union {
         double align;
@@ -461,8 +459,8 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
         memset(hmac_pad, 0x5c, sslv3_pad_length);
 
         if (EVP_DigestUpdate(md_ctx, mac_secret, mac_secret_length) <= 0
-                || EVP_DigestUpdate(md_ctx, hmac_pad, sslv3_pad_length) <= 0
-                || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
+            || EVP_DigestUpdate(md_ctx, hmac_pad, sslv3_pad_length) <= 0
+            || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
             goto err;
     } else {
         /* Complete the HMAC in the standard manner. */
@@ -470,7 +468,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
             hmac_pad[i] ^= 0x6a;
 
         if (EVP_DigestUpdate(md_ctx, hmac_pad, md_block_size) <= 0
-                || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
+            || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
             goto err;
     }
     ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u);
@@ -479,7 +477,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
     EVP_MD_CTX_free(md_ctx);
 
     return 1;
-err:
+ err:
     EVP_MD_CTX_free(md_ctx);
     return 0;
 }
@@ -491,8 +489,8 @@ err:
  */
 
 int tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
-                           EVP_MD_CTX *mac_ctx, const unsigned char *data,
-                           size_t data_len, size_t orig_len)
+                          EVP_MD_CTX *mac_ctx, const unsigned char *data,
+                          size_t data_len, size_t orig_len)
 {
     size_t block_size, digest_pad, blocks_data, blocks_orig;
     if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 3240735..56bd34a 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -140,8 +140,8 @@ int ssl3_change_cipher_state(SSL *s, int which)
         dd = s->enc_read_ctx;
 
         if (ssl_replace_hash(&s->read_hash, m) == NULL) {
-                SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
-                goto err2;
+            SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+            goto err2;
         }
 #ifndef OPENSSL_NO_COMP
         /* COMPRESS */
@@ -170,8 +170,8 @@ int ssl3_change_cipher_state(SSL *s, int which)
             EVP_CIPHER_CTX_reset(s->enc_write_ctx);
         dd = s->enc_write_ctx;
         if (ssl_replace_hash(&s->write_hash, m) == NULL) {
-                SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
-                goto err2;
+            SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+            goto err2;
         }
 #ifndef OPENSSL_NO_COMP
         /* COMPRESS */
@@ -374,7 +374,8 @@ int ssl3_digest_cached_records(SSL *s, int keep)
     if (s->s3->handshake_dgst == NULL) {
         hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
         if (hdatalen <= 0) {
-            SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
+            SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS,
+                   SSL_R_BAD_HANDSHAKE_LENGTH);
             return 0;
         }
 
@@ -385,10 +386,8 @@ int ssl3_digest_cached_records(SSL *s, int keep)
         }
 
         md = ssl_handshake_md(s);
-        if (   md == NULL
-            || !EVP_DigestInit_ex(s->s3->handshake_dgst, md, NULL)
-            || !EVP_DigestUpdate(s->s3->handshake_dgst, hdata, hdatalen))
-        {
+        if (md == NULL || !EVP_DigestInit_ex(s->s3->handshake_dgst, md, NULL)
+            || !EVP_DigestUpdate(s->s3->handshake_dgst, hdata, hdatalen)) {
             SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_INTERNAL_ERROR);
             return 0;
         }
@@ -431,10 +430,10 @@ int ssl3_final_finish_mac(SSL *s, const char *sender, int len, unsigned char *p)
     }
 
     if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0)
-            || EVP_MD_CTX_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET,
-                               s->session->master_key_length,
-                               s->session->master_key) <= 0
-            || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) {
+        || EVP_MD_CTX_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET,
+                           s->session->master_key_length,
+                           s->session->master_key) <= 0
+        || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) {
         SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR);
         ret = 0;
     }
@@ -472,19 +471,18 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
     }
     for (i = 0; i < 3; i++) {
         if (EVP_DigestInit_ex(ctx, s->ctx->sha1, NULL) <= 0
-                || EVP_DigestUpdate(ctx, salt[i],
-                                    strlen((const char *)salt[i])) <= 0
-                || EVP_DigestUpdate(ctx, p, len) <= 0
-                || EVP_DigestUpdate(ctx, &(s->s3->client_random[0]),
-                                    SSL3_RANDOM_SIZE) <= 0
-                || EVP_DigestUpdate(ctx, &(s->s3->server_random[0]),
-                                    SSL3_RANDOM_SIZE) <= 0
-                || EVP_DigestFinal_ex(ctx, buf, &n) <= 0
-
-                || EVP_DigestInit_ex(ctx, s->ctx->md5, NULL) <= 0
-                || EVP_DigestUpdate(ctx, p, len) <= 0
-                || EVP_DigestUpdate(ctx, buf, n) <= 0
-                || EVP_DigestFinal_ex(ctx, out, &n) <= 0) {
+            || EVP_DigestUpdate(ctx, salt[i],
+                                strlen((const char *)salt[i])) <= 0
+            || EVP_DigestUpdate(ctx, p, len) <= 0
+            || EVP_DigestUpdate(ctx, &(s->s3->client_random[0]),
+                                SSL3_RANDOM_SIZE) <= 0
+            || EVP_DigestUpdate(ctx, &(s->s3->server_random[0]),
+                                SSL3_RANDOM_SIZE) <= 0
+            || EVP_DigestFinal_ex(ctx, buf, &n) <= 0
+            || EVP_DigestInit_ex(ctx, s->ctx->md5, NULL) <= 0
+            || EVP_DigestUpdate(ctx, p, len) <= 0
+            || EVP_DigestUpdate(ctx, buf, n) <= 0
+            || EVP_DigestFinal_ex(ctx, out, &n) <= 0) {
             SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
             ret = 0;
             break;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 81d21f2..8925717 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -66,8 +66,7 @@
  *      Cipher families: Chacha/poly, Camellila, Gost, IDEA, SEED
  *      Weak ciphers
  */
-static SSL_CIPHER ssl3_ciphers[] =
-{
+static SSL_CIPHER ssl3_ciphers[] = {
     {
      1,
      SSL3_TXT_RSA_NULL_MD5,
@@ -1135,7 +1134,7 @@ static SSL_CIPHER ssl3_ciphers[] =
      256,
      256,
      },
-#endif /* OPENSSL_NO_EC */
+#endif                          /* OPENSSL_NO_EC */
 
 #ifndef OPENSSL_NO_PSK
     {
@@ -1709,8 +1708,8 @@ static SSL_CIPHER ssl3_ciphers[] =
      0,
      0,
      },
-# endif /* OPENSSL_NO_EC */
-#endif /* OPENSSL_NO_PSK */
+# endif                         /* OPENSSL_NO_EC */
+#endif                          /* OPENSSL_NO_PSK */
 
 #ifndef OPENSSL_NO_SRP
     {
@@ -1848,7 +1847,7 @@ static SSL_CIPHER ssl3_ciphers[] =
      256,
      256,
      },
-#endif /* OPENSSL_NO_SRP */
+#endif                          /* OPENSSL_NO_SRP */
 
 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
 # ifndef OPENSSL_NO_RSA
@@ -1867,7 +1866,7 @@ static SSL_CIPHER ssl3_ciphers[] =
      256,
      256,
      },
-# endif /* OPENSSL_NO_RSA */
+# endif                         /* OPENSSL_NO_RSA */
 
 # ifndef OPENSSL_NO_EC
     {
@@ -1900,7 +1899,7 @@ static SSL_CIPHER ssl3_ciphers[] =
      256,
      256,
      },
-# endif /* OPENSSL_NO_EC */
+# endif                         /* OPENSSL_NO_EC */
 
 # ifndef OPENSSL_NO_PSK
     {
@@ -1963,8 +1962,9 @@ static SSL_CIPHER ssl3_ciphers[] =
      256,
      256,
      },
-# endif /* OPENSSL_NO_PSK */
-#endif /* !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) */
+# endif                         /* OPENSSL_NO_PSK */
+#endif                          /* !defined(OPENSSL_NO_CHACHA) &&
+                                 * !defined(OPENSSL_NO_POLY1305) */
 
 #ifndef OPENSSL_NO_CAMELLIA
     {
@@ -2222,8 +2222,8 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_NOT_DEFAULT | SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
      128,
-     128
-    },
+     128,
+     },
     {
      1,
      TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
@@ -2237,8 +2237,8 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_NOT_DEFAULT | SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      256,
-     256
-    },
+     256,
+     },
     {
      1,
      TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
@@ -2252,8 +2252,8 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_NOT_DEFAULT | SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
      128,
-     128
-    },
+     128,
+     },
     {
      1,
      TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
@@ -2267,9 +2267,9 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_NOT_DEFAULT | SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      256,
-     256
-    },
-# endif /* OPENSSL_NO_EC */
+     256,
+     },
+# endif                         /* OPENSSL_NO_EC */
 
 # ifndef OPENSSL_NO_PSK
     {
@@ -2285,8 +2285,8 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_NOT_DEFAULT | SSL_HIGH,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
-     128
-    },
+     128,
+     },
     {
      1,
      TLS1_TXT_PSK_WITH_CAMELLIA_256_CBC_SHA384,
@@ -2300,8 +2300,8 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_NOT_DEFAULT | SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      256,
-     256
-    },
+     256,
+     },
     {
      1,
      TLS1_TXT_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
@@ -2315,8 +2315,8 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_NOT_DEFAULT | SSL_HIGH,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
-     128
-    },
+     128,
+     },
     {
      1,
      TLS1_TXT_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
@@ -2330,8 +2330,8 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_NOT_DEFAULT | SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      256,
-     256
-    },
+     256,
+     },
     {
      1,
      TLS1_TXT_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
@@ -2345,8 +2345,8 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_NOT_DEFAULT | SSL_HIGH,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
-     128
-    },
+     128,
+     },
     {
      1,
      TLS1_TXT_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
@@ -2360,8 +2360,8 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_NOT_DEFAULT | SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      256,
-     256
-    },
+     256,
+     },
     {
      1,
      TLS1_TXT_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
@@ -2375,8 +2375,8 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_NOT_DEFAULT | SSL_HIGH,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
-     128
-    },
+     128,
+     },
     {
      1,
      TLS1_TXT_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
@@ -2390,11 +2390,11 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_NOT_DEFAULT | SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      256,
-     256
-    },
-# endif /* OPENSSL_NO_PSK */
+     256,
+     },
+# endif                         /* OPENSSL_NO_PSK */
 
-#endif /* OPENSSL_NO_CAMELLIA */
+#endif                          /* OPENSSL_NO_CAMELLIA */
 
 #ifndef OPENSSL_NO_GOST
     {
@@ -2410,8 +2410,8 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_HIGH,
      SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
      256,
-     256
-    },
+     256,
+     },
     {
      1,
      "GOST2001-NULL-GOST94",
@@ -2425,8 +2425,8 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_STRONG_NONE,
      SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94,
      0,
-     0
-    },
+     0,
+     },
     {
      1,
      "GOST2012-GOST8912-GOST8912",
@@ -2440,8 +2440,8 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_HIGH,
      SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
      256,
-     256
-    },
+     256,
+     },
     {
      1,
      "GOST2012-NULL-GOST12",
@@ -2455,8 +2455,9 @@ static SSL_CIPHER ssl3_ciphers[] =
      SSL_STRONG_NONE,
      SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
      0,
-     0},
-#endif /* OPENSSL_NO_GOST */
+     0,
+     },
+#endif                          /* OPENSSL_NO_GOST */
 
 #ifndef OPENSSL_NO_IDEA
     {
@@ -2537,7 +2538,7 @@ static SSL_CIPHER ssl3_ciphers[] =
      128,
      128,
      },
-#endif /* OPENSSL_NO_SEED */
+#endif                          /* OPENSSL_NO_SEED */
 
 #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
     {
@@ -2647,7 +2648,7 @@ static SSL_CIPHER ssl3_ciphers[] =
      128,
      128,
      },
-# endif /* OPENSSL_NO_EC */
+# endif                         /* OPENSSL_NO_EC */
 
 # ifndef OPENSSL_NO_PSK
     {
@@ -2695,13 +2696,12 @@ static SSL_CIPHER ssl3_ciphers[] =
      128,
      128,
      },
-# endif /* OPENSSL_NO_PSK */
+# endif                         /* OPENSSL_NO_PSK */
 
-#endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */
+#endif                          /* OPENSSL_NO_WEAK_SSL_CIPHERS */
 
 };
 
-
 static int cipher_compare(const void *a, const void *b)
 {
     const SSL_CIPHER *ap = (const SSL_CIPHER *)a;
@@ -2716,7 +2716,6 @@ void ssl_sort_cipher_list(void)
           cipher_compare);
 }
 
-
 const SSL3_ENC_METHOD SSLv3_enc_data = {
     ssl3_enc,
     n_ssl3_mac,
@@ -2767,7 +2766,7 @@ int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len)
     s->init_num = (int)len + SSL3_HM_HEADER_LENGTH;
     s->init_off = 0;
 
-     return 1;
+    return 1;
 }
 
 int ssl3_handshake_write(SSL *s)
@@ -2785,7 +2784,7 @@ int ssl3_new(SSL *s)
 
 #ifndef OPENSSL_NO_SRP
     if (!SSL_SRP_CTX_init(s))
-          goto err;
+        goto err;
 #endif
     s->method->ssl_clear(s);
     return (1);
@@ -2833,7 +2832,7 @@ void ssl3_clear(SSL *s)
 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
     EVP_PKEY_free(s->s3->tmp.pkey);
     EVP_PKEY_free(s->s3->peer_tmp);
-#endif                         /* !OPENSSL_NO_EC */
+#endif                          /* !OPENSSL_NO_EC */
 
     ssl3_free_digest_list(s);
 
@@ -2861,8 +2860,7 @@ static char *srp_password_from_info_cb(SSL *s, void *arg)
 }
 #endif
 
-static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p,
-                                  size_t len);
+static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len);
 
 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 {
@@ -3102,13 +3100,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 
     case SSL_CTRL_SET_CURVES:
         return tls1_set_curves(&s->tlsext_ellipticcurvelist,
-                               &s->tlsext_ellipticcurvelist_length,
-                               parg, larg);
+                               &s->tlsext_ellipticcurvelist_length, parg, larg);
 
     case SSL_CTRL_SET_CURVES_LIST:
         return tls1_set_curves_list(&s->tlsext_ellipticcurvelist,
-                                    &s->tlsext_ellipticcurvelist_length,
-                                    parg);
+                                    &s->tlsext_ellipticcurvelist_length, parg);
 
     case SSL_CTRL_GET_SHARED_CURVE:
         return tls1_shared_curve(s, larg);
@@ -3300,7 +3296,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
         {
             unsigned char *keys = parg;
             long tlsext_tick_keylen = (sizeof(ctx->tlsext_tick_key_name) +
-                sizeof(ctx->tlsext_tick_hmac_key) + sizeof(ctx->tlsext_tick_aes_key));
+                                       sizeof(ctx->tlsext_tick_hmac_key) +
+                                       sizeof(ctx->tlsext_tick_aes_key));
             if (keys == NULL)
                 return tlsext_tick_keylen;
             if (larg != tlsext_tick_keylen) {
@@ -3314,7 +3311,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                        keys + sizeof(ctx->tlsext_tick_key_name),
                        sizeof(ctx->tlsext_tick_hmac_key));
                 memcpy(ctx->tlsext_tick_aes_key,
-                       keys + sizeof(ctx->tlsext_tick_key_name) + sizeof(ctx->tlsext_tick_hmac_key),
+                       keys + sizeof(ctx->tlsext_tick_key_name) +
+                       sizeof(ctx->tlsext_tick_hmac_key),
                        sizeof(ctx->tlsext_tick_aes_key));
             } else {
                 memcpy(keys, ctx->tlsext_tick_key_name,
@@ -3322,7 +3320,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                 memcpy(keys + sizeof(ctx->tlsext_tick_key_name),
                        ctx->tlsext_tick_hmac_key,
                        sizeof(ctx->tlsext_tick_hmac_key));
-                memcpy(keys + sizeof(ctx->tlsext_tick_key_name) + sizeof(ctx->tlsext_tick_hmac_key),
+                memcpy(keys + sizeof(ctx->tlsext_tick_key_name) +
+                       sizeof(ctx->tlsext_tick_hmac_key),
                        ctx->tlsext_tick_aes_key,
                        sizeof(ctx->tlsext_tick_aes_key));
             }
@@ -3355,8 +3354,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
         ctx->srp_ctx.login = NULL;
         if (parg == NULL)
             break;
-        if (strlen((const char *)parg) > 255
-            || strlen((const char *)parg) < 1) {
+        if (strlen((const char *)parg) > 255 || strlen((const char *)parg) < 1) {
             SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME);
             return 0;
         }
@@ -3560,7 +3558,7 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
  * Returns the selected cipher or NULL when no common ciphers.
  */
 const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
-                               STACK_OF(SSL_CIPHER) *srvr)
+                                     STACK_OF(SSL_CIPHER) *srvr)
 {
     const SSL_CIPHER *c, *ret = NULL;
     STACK_OF(SSL_CIPHER) *prio, *allow;
@@ -3611,11 +3609,11 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 
         /* Skip ciphers not supported by the protocol version */
         if (!SSL_IS_DTLS(s) &&
-                ((s->version < c->min_tls) || (s->version > c->max_tls)))
+            ((s->version < c->min_tls) || (s->version > c->max_tls)))
             continue;
         if (SSL_IS_DTLS(s) &&
-                (DTLS_VERSION_LT(s->version, c->min_dtls) ||
-                DTLS_VERSION_GT(s->version, c->max_dtls)))
+            (DTLS_VERSION_LT(s->version, c->min_dtls) ||
+             DTLS_VERSION_GT(s->version, c->max_dtls)))
             continue;
 
         mask_k = s->s3->tmp.mask_k;
@@ -3642,14 +3640,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                 alg_a, mask_k, mask_a, (void *)c, c->name);
 #endif
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
         /*
          * if we are considering an ECC cipher suite that uses an ephemeral
          * EC key check it
          */
         if (alg_k & SSL_kECDHE)
             ok = ok && tls1_check_ec_tmp_key(s, c->id);
-# endif                         /* OPENSSL_NO_EC */
+#endif                          /* OPENSSL_NO_EC */
 
         if (!ok)
             continue;
@@ -3803,8 +3801,7 @@ int ssl3_write(SSL *s, const void *buf, int len)
     if (s->s3->renegotiate)
         ssl3_renegotiate_check(s);
 
-    return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA,
-                                         buf, len);
+    return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len);
 }
 
 static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
@@ -4040,11 +4037,12 @@ EVP_PKEY *ssl_generate_pkey_curve(int id)
         pkey = NULL;
     }
 
-    err:
+ err:
     EVP_PKEY_CTX_free(pctx);
     return pkey;
 }
 #endif
+
 /* Derive premaster or master secret for ECDH/DH */
 int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey)
 {
@@ -4083,7 +4081,7 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey)
         rv = 1;
     }
 
-    err:
+ err:
     OPENSSL_clear_free(pms, pmslen);
     EVP_PKEY_CTX_free(pctx);
     return rv;
diff --git a/ssl/s3_msg.c b/ssl/s3_msg.c
index 185f0e9..82513d2 100644
--- a/ssl/s3_msg.c
+++ b/ssl/s3_msg.c
@@ -24,8 +24,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
     if (s->s3->tmp.key_block == NULL) {
         if (s->session == NULL || s->session->master_key_length == 0) {
             /* might happen if dtls1_read_bytes() calls this */
-            SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,
-                   SSL_R_CCS_RECEIVED_EARLY);
+            SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
             return (0);
         }
 
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 67d8e0c..aa6e3e6 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -359,7 +359,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
     *pp = p;
     return ret;
 
-    err:
+ err:
     M_ASN1_free_of(as, SSL_SESSION_ASN1);
     if ((a == NULL) || (*a != ret))
         SSL_SESSION_free(ret);
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index c155e78..0c931db 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -31,8 +31,8 @@
 #include "ssl_locl.h"
 #include "internal/thread_once.h"
 
-static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, int op,
-                                         int bits, int nid, void *other,
+static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
+                                         int op, int bits, int nid, void *other,
                                          void *ex);
 
 static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
@@ -41,8 +41,8 @@ static volatile int ssl_x509_store_ctx_idx = -1;
 DEFINE_RUN_ONCE_STATIC(ssl_x509_store_ctx_init)
 {
     ssl_x509_store_ctx_idx = X509_STORE_CTX_get_ex_new_index(0,
-                                                "SSL for verify callback",
-                                                NULL, NULL, NULL);
+                                                             "SSL for verify callback",
+                                                             NULL, NULL, NULL);
     return ssl_x509_store_ctx_idx >= 0;
 }
 
@@ -96,7 +96,6 @@ CERT *ssl_cert_dup(CERT *cert)
         OPENSSL_free(ret);
         return NULL;
     }
-
 #ifndef OPENSSL_NO_DH
     if (cert->dh_tmp != NULL) {
         ret->dh_tmp = cert->dh_tmp;
@@ -134,11 +133,9 @@ CERT *ssl_cert_dup(CERT *cert)
                 SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
-            ret->pkeys[i].serverinfo_length =
-                cert->pkeys[i].serverinfo_length;
+            ret->pkeys[i].serverinfo_length = cert->pkeys[i].serverinfo_length;
             memcpy(ret->pkeys[i].serverinfo,
-                   cert->pkeys[i].serverinfo,
-                   cert->pkeys[i].serverinfo_length);
+                   cert->pkeys[i].serverinfo, cert->pkeys[i].serverinfo_length);
         }
     }
 
@@ -412,7 +409,8 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
 
     /* Set suite B flags if needed */
     X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
-    if (!X509_STORE_CTX_set_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
+    if (!X509_STORE_CTX_set_ex_data
+        (ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
         goto end;
     }
 
@@ -454,7 +452,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
     /* Move peername from the store context params to the SSL handle's */
     X509_VERIFY_PARAM_move_peername(s->param, param);
 
-end:
+ end:
     X509_STORE_CTX_free(ctx);
     return i;
 }
@@ -505,7 +503,7 @@ STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
 
 STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
 {
-    if (!s->server) { /* we are in the client */
+    if (!s->server) {           /* we are in the client */
         if (((s->version >> 8) == SSL3_VERSION_MAJOR) && (s->s3 != NULL))
             return (s->s3->tmp.ca_names);
         else
@@ -576,8 +574,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
     X509 *x = NULL;
     X509_NAME *xn = NULL;
     STACK_OF(X509_NAME) *ret = NULL;
-    LHASH_OF(X509_NAME) *name_hash =
-        lh_X509_NAME_new(xname_hash, xname_cmp);
+    LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp);
 
     if ((name_hash == NULL) || (in == NULL)) {
         SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
@@ -651,8 +648,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
     in = BIO_new(BIO_s_file());
 
     if (in == NULL) {
-        SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,
-               ERR_R_MALLOC_FAILURE);
+        SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK, ERR_R_MALLOC_FAILURE);
         goto err;
     }
 
@@ -806,7 +802,7 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
         chain_store = s->ctx->cert_store;
 
     if (chain_store) {
-        X509_STORE_CTX* xs_ctx = X509_STORE_CTX_new();
+        X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();
 
         if (xs_ctx == NULL) {
             SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, ERR_R_MALLOC_FAILURE);
@@ -823,10 +819,10 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
          * ignore the error return from this call. We're not actually verifying
          * the cert - we're just building as much of the chain as we can
          */
-        (void) X509_verify_cert(xs_ctx);
+        (void)X509_verify_cert(xs_ctx);
         /* Don't leave errors in the queue */
         ERR_clear_error();
-        chain =  X509_STORE_CTX_get0_chain(xs_ctx);
+        chain = X509_STORE_CTX_get0_chain(xs_ctx);
         i = ssl_security_cert_chain(s, chain, NULL, 0);
         if (i != 1) {
 #if 0
@@ -892,8 +888,7 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags)
             if (!X509_STORE_add_cert(chain_store, x)) {
                 error = ERR_peek_last_error();
                 if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
-                    ERR_GET_REASON(error) !=
-                    X509_R_CERT_ALREADY_IN_HASH_TABLE)
+                    ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
                     goto err;
                 ERR_clear_error();
             }
@@ -1001,8 +996,8 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)
     return 1;
 }
 
-static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, int op,
-                                         int bits, int nid, void *other,
+static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
+                                         int op, int bits, int nid, void *other,
                                          void *ex)
 {
     int level, minbits;
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 060bd9d..366dcc9 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -131,9 +131,9 @@ static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = {
     {SSL_GOST89MAC, NID_id_Gost28147_89_MAC}, /* SSL_MD_GOST89MAC_IDX 3 */
     {SSL_SHA256, NID_sha256},   /* SSL_MD_SHA256_IDX 4 */
     {SSL_SHA384, NID_sha384},   /* SSL_MD_SHA384_IDX 5 */
-    {SSL_GOST12_256, NID_id_GostR3411_2012_256},  /* SSL_MD_GOST12_256_IDX 6 */
-    {SSL_GOST89MAC12, NID_gost_mac_12},           /* SSL_MD_GOST89MAC12_IDX 7 */
-    {SSL_GOST12_512, NID_id_GostR3411_2012_512},  /* SSL_MD_GOST12_512_IDX 8 */
+    {SSL_GOST12_256, NID_id_GostR3411_2012_256}, /* SSL_MD_GOST12_256_IDX 6 */
+    {SSL_GOST89MAC12, NID_gost_mac_12}, /* SSL_MD_GOST89MAC12_IDX 7 */
+    {SSL_GOST12_512, NID_id_GostR3411_2012_512}, /* SSL_MD_GOST12_512_IDX 8 */
     {0, NID_md5_sha1},          /* SSL_MD_MD5_SHA1_IDX 9 */
     {0, NID_sha224},            /* SSL_MD_SHA224_IDX 10 */
     {0, NID_sha512}             /* SSL_MD_SHA512_IDX 11 */
@@ -143,28 +143,30 @@ static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
     NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
 };
 
+/* *INDENT-OFF* */
 static const ssl_cipher_table ssl_cipher_table_kx[] = {
-    { SSL_kRSA,      NID_kx_rsa },
-    { SSL_kECDHE,    NID_kx_ecdhe },
-    { SSL_kDHE,      NID_kx_dhe },
-    { SSL_kECDHEPSK, NID_kx_ecdhe_psk },
-    { SSL_kDHEPSK,   NID_kx_dhe_psk },
-    { SSL_kRSAPSK,   NID_kx_rsa_psk },
-    { SSL_kPSK,      NID_kx_psk },
-    { SSL_kSRP,      NID_kx_srp },
-    { SSL_kGOST,     NID_kx_gost }
+    {SSL_kRSA,      NID_kx_rsa},
+    {SSL_kECDHE,    NID_kx_ecdhe},
+    {SSL_kDHE,      NID_kx_dhe},
+    {SSL_kECDHEPSK, NID_kx_ecdhe_psk},
+    {SSL_kDHEPSK,   NID_kx_dhe_psk},
+    {SSL_kRSAPSK,   NID_kx_rsa_psk},
+    {SSL_kPSK,      NID_kx_psk},
+    {SSL_kSRP,      NID_kx_srp},
+    {SSL_kGOST,     NID_kx_gost}
 };
 
 static const ssl_cipher_table ssl_cipher_table_auth[] = {
-    { SSL_aRSA,    NID_auth_rsa },
-    { SSL_aECDSA,  NID_auth_ecdsa },
-    { SSL_aPSK,    NID_auth_psk },
-    { SSL_aDSS,    NID_auth_dss },
-    { SSL_aGOST01, NID_auth_gost01 },
-    { SSL_aGOST12, NID_auth_gost12 },
-    { SSL_aSRP,    NID_auth_srp },
-    { SSL_aNULL,   NID_auth_null }
+    {SSL_aRSA,    NID_auth_rsa},
+    {SSL_aECDSA,  NID_auth_ecdsa},
+    {SSL_aPSK,    NID_auth_psk},
+    {SSL_aDSS,    NID_auth_dss},
+    {SSL_aGOST01, NID_auth_gost01},
+    {SSL_aGOST12, NID_auth_gost12},
+    {SSL_aSRP,    NID_auth_srp},
+    {SSL_aNULL,   NID_auth_null}
 };
+/* *INDENT-ON* */
 
 /* Utility function for table lookup */
 static int ssl_cipher_info_find(const ssl_cipher_table * table,
@@ -286,9 +288,11 @@ static const SSL_CIPHER cipher_aliases[] = {
     {0, SSL_TXT_eNULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_GOST, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12, 0,
      0, 0, 0, 0, 0, 0, 0, 0},
-    {0, SSL_TXT_AES128, 0, 0, 0, SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8, 0,
+    {0, SSL_TXT_AES128, 0, 0, 0,
+     SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8, 0,
      0, 0, 0, 0, 0, 0, 0, 0},
-    {0, SSL_TXT_AES256, 0, 0, 0, SSL_AES256 | SSL_AES256GCM | SSL_AES256CCM | SSL_AES256CCM8, 0,
+    {0, SSL_TXT_AES256, 0, 0, 0,
+     SSL_AES256 | SSL_AES256GCM | SSL_AES256CCM | SSL_AES256CCM8, 0,
      0, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_AES, 0, 0, 0, SSL_AES, 0, 0, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_AES_GCM, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM, 0, 0, 0, 0,
@@ -303,7 +307,7 @@ static const SSL_CIPHER cipher_aliases[] = {
     {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0, 0, 0,
      0},
     {0, SSL_TXT_CAMELLIA, 0, 0, 0, SSL_CAMELLIA, 0, 0, 0, 0, 0, 0, 0, 0, 0},
-    {0, SSL_TXT_CHACHA20, 0, 0, 0, SSL_CHACHA20, 0, 0, 0, 0, 0, 0, 0, 0, 0 },
+    {0, SSL_TXT_CHACHA20, 0, 0, 0, SSL_CHACHA20, 0, 0, 0, 0, 0, 0, 0, 0, 0},
 
     /* MAC aliases */
     {0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5, 0, 0, 0, 0, 0, 0, 0, 0},
@@ -453,7 +457,8 @@ void ssl_load_ciphers(void)
         disabled_mac_mask |= SSL_GOST89MAC;
     }
 
-    ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] = get_optional_pkey_id("gost-mac-12");
+    ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] =
+        get_optional_pkey_id("gost-mac-12");
     if (ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX]) {
         ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32;
     } else {
@@ -469,7 +474,8 @@ void ssl_load_ciphers(void)
     /*
      * Disable GOST key exchange if no GOST signature algs are available *
      */
-    if ((disabled_auth_mask & (SSL_aGOST01 | SSL_aGOST12)) == (SSL_aGOST01 | SSL_aGOST12))
+    if ((disabled_auth_mask & (SSL_aGOST01 | SSL_aGOST12)) ==
+        (SSL_aGOST01 | SSL_aGOST12))
         disabled_mkey_mask |= SSL_kGOST;
 }
 
@@ -824,8 +830,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
 #endif
 
     if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
-        reverse = 1;            /* needed to maintain sorting between
-                                 * currently deleted ciphers */
+        reverse = 1;            /* needed to maintain sorting between currently
+                                 * deleted ciphers */
 
     head = *head_p;
     tail = *tail_p;
@@ -1057,8 +1063,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                  * it is no command or separator nor
                  * alphanumeric, so we call this an error.
                  */
-                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
-                       SSL_R_INVALID_COMMAND);
+                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
                 retval = found = 0;
                 l++;
                 break;
@@ -1216,8 +1221,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                     ok = 1;
                 }
             } else
-                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
-                       SSL_R_INVALID_COMMAND);
+                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
             if (ok == 0)
                 retval = 0;
             /*
@@ -1293,8 +1297,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
     }
     return 1;
 # else
-    SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
-           SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE);
+    SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST, SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE);
     return 0;
 # endif
 }
@@ -1347,8 +1350,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
 
     ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
                                disabled_mkey, disabled_auth, disabled_enc,
-                               disabled_mac, co_list, &head,
-                               &tail);
+                               disabled_mac, co_list, &head, &tail);
 
     /* Now arrange all ciphers by preference. */
 
@@ -1366,18 +1368,17 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
     ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
                           &tail);
 
-
     /* Within each strength group, we prefer GCM over CHACHA... */
     ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
                           &head, &tail);
     ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
                           &head, &tail);
 
-     /*
-      * ...and generally, our preferred cipher is AES.
-      * Note that AEADs will be bumped to take preference after sorting by
-      * strength.
-      */
+    /*
+     * ...and generally, our preferred cipher is AES.
+     * Note that AEADs will be bumped to take preference after sorting by
+     * strength.
+     */
     ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
                           -1, &head, &tail);
 
@@ -1441,9 +1442,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
     ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1,
                           &head, &tail);
     ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, 0, 0, 0,
-                          CIPHER_BUMP, -1,  &head, &tail);
+                          CIPHER_BUMP, -1, &head, &tail);
     ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,
-                          CIPHER_BUMP, -1,  &head, &tail);
+                          CIPHER_BUMP, -1, &head, &tail);
 
     /* Now disable everything (maintaining the ordering!) */
     ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
@@ -1485,7 +1486,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
     if (ok && (strlen(rule_p) > 0))
         ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, c);
 
-    OPENSSL_free(ca_list); /* Not needed anymore */
+    OPENSSL_free(ca_list);      /* Not needed anymore */
 
     if (!ok) {                  /* Rule processing failure */
         OPENSSL_free(co_list);
@@ -1530,8 +1531,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
     if (*cipher_list_by_id != NULL)
         sk_SSL_CIPHER_free(*cipher_list_by_id);
     *cipher_list_by_id = tmp_cipher_list;
-    (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,
-                                     ssl_cipher_ptr_id_cmp);
+    (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp);
 
     sk_SSL_CIPHER_sort(*cipher_list_by_id);
     return (cipherstack);
@@ -1542,8 +1542,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
     const char *ver;
     const char *kx, *au, *enc, *mac;
     uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
-    static const char *format =
-        "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n";
+    static const char *format = "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n";
 
     if (buf == NULL) {
         len = 128;
@@ -1753,8 +1752,8 @@ int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
 
     if (c != NULL) {
         if (alg_bits != NULL)
-            *alg_bits = (int) c->alg_bits;
-        ret = (int) c->strength_bits;
+            *alg_bits = (int)c->alg_bits;
+        ret = (int)c->strength_bits;
     }
     return ret;
 }
@@ -1785,11 +1784,13 @@ STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
 {
     return NULL;
 }
+
 STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
                                                       *meths)
 {
     return meths;
 }
+
 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
 {
     return 1;
@@ -1861,8 +1862,7 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
                SSL_R_DUPLICATE_COMPRESSION_ID);
         return (1);
     }
-    if (ssl_comp_methods == NULL
-        || !sk_SSL_COMP_push(ssl_comp_methods, comp)) {
+    if (ssl_comp_methods == NULL || !sk_SSL_COMP_push(ssl_comp_methods, comp)) {
         OPENSSL_free(comp);
         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
         SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE);
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 890b0af..3957946 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -116,7 +116,7 @@ static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags,
         break;
 
     case SSL_TFLAG_VFY:
-        pflags =  cctx->pvfy_flags;
+        pflags = cctx->pvfy_flags;
         break;
 
     case SSL_TFLAG_OPTION:
@@ -142,8 +142,7 @@ static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl,
     if (namelen == -1) {
         if (strcmp(tbl->name, name))
             return 0;
-    } else if (tbl->namelen != namelen
-               || strncasecmp(tbl->name, name, namelen))
+    } else if (tbl->namelen != namelen || strncasecmp(tbl->name, name, namelen))
         return 0;
     ssl_set_option(cctx, tbl->name_flags, tbl->option_value, onoff);
     return 1;
@@ -192,8 +191,7 @@ static int cmd_SignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value)
 }
 
 /* Set supported client signature algorithms */
-static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx,
-                                         const char *value)
+static int cmd_ClientSignatureAlgorithms(SSL_CONF_CTX *cctx, const char *value)
 {
     int rv;
     if (cctx->ssl)
@@ -285,7 +283,8 @@ static int protocol_from_string(const char *value)
         {"TLSv1.1", TLS1_1_VERSION},
         {"TLSv1.2", TLS1_2_VERSION},
         {"DTLSv1", DTLS1_VERSION},
-        {"DTLSv1.2", DTLS1_2_VERSION}};
+        {"DTLSv1.2", DTLS1_2_VERSION}
+    };
     size_t i;
     size_t n = OSSL_NELEM(versions);
 
@@ -625,8 +624,7 @@ static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)
 }
 
 /* Determine if a command is allowed according to cctx flags */
-static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx,
-                                const ssl_conf_cmd_tbl * t)
+static int ssl_conf_cmd_allowed(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * t)
 {
     unsigned int tfl = t->flags;
     unsigned int cfl = cctx->flags;
@@ -664,8 +662,7 @@ static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx,
     return NULL;
 }
 
-static int ctrl_switch_option(SSL_CONF_CTX *cctx,
-                              const ssl_conf_cmd_tbl * cmd)
+static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * cmd)
 {
     /* Find index of command in table */
     size_t idx = cmd - ssl_conf_cmds;
diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c
index 543da13..b286a98 100644
--- a/ssl/ssl_init.c
+++ b/ssl/ssl_init.c
@@ -26,7 +26,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base)
 {
 #ifdef OPENSSL_INIT_DEBUG
     fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
-                    "Adding SSL ciphers and digests\n");
+            "Adding SSL ciphers and digests\n");
 #endif
 #ifndef OPENSSL_NO_DES
     EVP_add_cipher(EVP_des_cbc());
@@ -85,10 +85,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base)
     EVP_add_digest(EVP_sha384());
     EVP_add_digest(EVP_sha512());
 #ifndef OPENSSL_NO_COMP
-#ifdef OPENSSL_INIT_DEBUG
+# ifdef OPENSSL_INIT_DEBUG
     fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
-                    "SSL_COMP_get_compression_methods()\n");
-#endif
+            "SSL_COMP_get_compression_methods()\n");
+# endif
     /*
      * This will initialise the built-in compression algorithms. The value
      * returned is a STACK_OF(SSL_COMP), but that can be discarded safely
@@ -100,7 +100,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base)
 
 #ifdef OPENSSL_INIT_DEBUG
     fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
-                    "SSL_add_ssl_module()\n");
+            "SSL_add_ssl_module()\n");
 #endif
     SSL_add_ssl_module();
     /*
@@ -122,8 +122,8 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings)
      */
 #if !defined(OPENSSL_NO_ERR) && !defined(OPENSSL_NO_AUTOERRINIT)
 # ifdef OPENSSL_INIT_DEBUG
-        fprintf(stderr, "OPENSSL_INIT: ossl_init_load_ssl_strings: "
-                        "ERR_load_SSL_strings()\n");
+    fprintf(stderr, "OPENSSL_INIT: ossl_init_load_ssl_strings: "
+            "ERR_load_SSL_strings()\n");
 # endif
     ERR_load_SSL_strings();
 #endif
@@ -146,10 +146,10 @@ static void ssl_library_stop(void)
 
     if (ssl_base_inited) {
 #ifndef OPENSSL_NO_COMP
-#ifdef OPENSSL_INIT_DEBUG
+# ifdef OPENSSL_INIT_DEBUG
         fprintf(stderr, "OPENSSL_INIT: ssl_library_stop: "
-                        "ssl_comp_free_compression_methods_int()\n");
-#endif
+                "ssl_comp_free_compression_methods_int()\n");
+# endif
         ssl_comp_free_compression_methods_int();
 #endif
     }
@@ -157,7 +157,7 @@ static void ssl_library_stop(void)
     if (ssl_strings_inited) {
 #ifdef OPENSSL_INIT_DEBUG
         fprintf(stderr, "OPENSSL_INIT: ssl_library_stop: "
-                        "err_free_strings_int()\n");
+                "err_free_strings_int()\n");
 #endif
         /*
          * If both crypto and ssl error strings are inited we will end up
@@ -169,13 +169,12 @@ static void ssl_library_stop(void)
     }
 }
 
-
 /*
  * If this function is called with a non NULL settings value then it must be
  * called prior to any threads making calls to any OpenSSL functions,
  * i.e. passing a non-null settings value is assumed to be single-threaded.
  */
-int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
+int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS * settings)
 {
     static int stoperrset = 0;
 
@@ -200,13 +199,12 @@ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
         return 0;
 
     if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS)
-            && !RUN_ONCE(&ssl_strings, ossl_init_no_load_ssl_strings))
+        && !RUN_ONCE(&ssl_strings, ossl_init_no_load_ssl_strings))
         return 0;
 
     if ((opts & OPENSSL_INIT_LOAD_SSL_STRINGS)
-            && !RUN_ONCE(&ssl_strings, ossl_init_load_ssl_strings))
+        && !RUN_ONCE(&ssl_strings, ossl_init_load_ssl_strings))
         return 0;
 
     return 1;
 }
-
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 04bd9ee..3347191 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -82,22 +82,28 @@ struct ssl_async_args {
     SSL *s;
     void *buf;
     int num;
-    enum { READFUNC, WRITEFUNC,  OTHERFUNC} type;
+    enum { READFUNC, WRITEFUNC, OTHERFUNC } type;
     union {
-        int (*func_read)(SSL *, void *, int);
-        int (*func_write)(SSL *, const void *, int);
-        int (*func_other)(SSL *);
+        int (*func_read) (SSL *, void *, int);
+        int (*func_write) (SSL *, const void *, int);
+        int (*func_other) (SSL *);
     } f;
 };
 
 static const struct {
     uint8_t mtype;
     uint8_t ord;
-    int     nid;
+    int nid;
 } dane_mds[] = {
-    { DANETLS_MATCHING_FULL, 0, NID_undef },
-    { DANETLS_MATCHING_2256, 1, NID_sha256 },
-    { DANETLS_MATCHING_2512, 2, NID_sha512 },
+    {
+        DANETLS_MATCHING_FULL, 0, NID_undef
+    },
+    {
+        DANETLS_MATCHING_2256, 1, NID_sha256
+    },
+    {
+        DANETLS_MATCHING_2512, 2, NID_sha512
+    },
 };
 
 static int dane_ctx_enable(struct dane_ctx_st *dctx)
@@ -105,7 +111,7 @@ static int dane_ctx_enable(struct dane_ctx_st *dctx)
     const EVP_MD **mdevp;
     uint8_t *mdord;
     uint8_t mdmax = DANETLS_MATCHING_LAST;
-    int n = ((int) mdmax) + 1;          /* int to handle PrivMatch(255) */
+    int n = ((int)mdmax) + 1;   /* int to handle PrivMatch(255) */
     size_t i;
 
     if (dctx->mdevp != NULL)
@@ -194,7 +200,7 @@ static int ssl_dane_dup(SSL *to, SSL *from)
         return 0;
     }
 
-    num  = sk_danetls_record_num(from->dane.trecs);
+    num = sk_danetls_record_num(from->dane.trecs);
     for (i = 0; i < num; ++i) {
         danetls_record *t = sk_danetls_record_value(from->dane.trecs, i);
 
@@ -205,24 +211,20 @@ static int ssl_dane_dup(SSL *to, SSL *from)
     return 1;
 }
 
-static int dane_mtype_set(
-    struct dane_ctx_st *dctx,
-    const EVP_MD *md,
-    uint8_t mtype,
-    uint8_t ord)
+static int dane_mtype_set(struct dane_ctx_st *dctx,
+                          const EVP_MD *md, uint8_t mtype, uint8_t ord)
 {
     int i;
 
     if (mtype == DANETLS_MATCHING_FULL && md != NULL) {
-        SSLerr(SSL_F_DANE_MTYPE_SET,
-                SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL);
+        SSLerr(SSL_F_DANE_MTYPE_SET, SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL);
         return 0;
     }
 
     if (mtype > dctx->mdmax) {
         const EVP_MD **mdevp;
         uint8_t *mdord;
-        int n = ((int) mtype) + 1;
+        int n = ((int)mtype) + 1;
 
         mdevp = OPENSSL_realloc(dctx->mdevp, n * sizeof(*mdevp));
         if (mdevp == NULL) {
@@ -239,7 +241,7 @@ static int dane_mtype_set(
         dctx->mdord = mdord;
 
         /* Zero-fill any gaps */
-        for (i = dctx->mdmax+1; i < mtype; ++i) {
+        for (i = dctx->mdmax + 1; i < mtype; ++i) {
             mdevp[i] = NULL;
             mdord[i] = 0;
         }
@@ -261,13 +263,10 @@ static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype)
     return dane->dctx->mdevp[mtype];
 }
 
-static int dane_tlsa_add(
-    SSL_DANE *dane,
-    uint8_t usage,
-    uint8_t selector,
-    uint8_t mtype,
-    unsigned char *data,
-    size_t dlen)
+static int dane_tlsa_add(SSL_DANE *dane,
+                         uint8_t usage,
+                         uint8_t selector,
+                         uint8_t mtype, unsigned char *data, size_t dlen)
 {
     danetls_record *t;
     const EVP_MD *md = NULL;
@@ -512,8 +511,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
                                 &(ctx->cipher_list_by_id),
                                 SSL_DEFAULT_CIPHER_LIST, ctx->cert);
     if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
-        SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,
-               SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
+        SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
         return (0);
     }
     return (1);
@@ -603,7 +601,7 @@ SSL *SSL_new(SSL_CTX *ctx)
     s->tlsext_ocsp_resplen = -1;
     SSL_CTX_up_ref(ctx);
     s->initial_ctx = ctx;
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     if (ctx->tlsext_ecpointformatlist) {
         s->tlsext_ecpointformatlist =
             OPENSSL_memdup(ctx->tlsext_ecpointformatlist,
@@ -622,10 +620,10 @@ SSL *SSL_new(SSL_CTX *ctx)
         s->tlsext_ellipticcurvelist_length =
             ctx->tlsext_ellipticcurvelist_length;
     }
-# endif
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#endif
+#ifndef OPENSSL_NO_NEXTPROTONEG
     s->next_proto_negotiated = NULL;
-# endif
+#endif
 
     if (s->ctx->alpn_client_proto_list) {
         s->alpn_client_proto_list =
@@ -665,7 +663,7 @@ SSL *SSL_new(SSL_CTX *ctx)
 
 #ifndef OPENSSL_NO_CT
     if (!SSL_set_ct_validation_callback(s, ctx->ct_validation_callback,
-            ctx->ct_validation_callback_arg))
+                                        ctx->ct_validation_callback_arg))
         goto err;
 #endif
 
@@ -930,7 +928,8 @@ int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector,
     return dane_tlsa_add(&s->dane, usage, selector, mtype, data, dlen);
 }
 
-int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype, uint8_t ord)
+int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype,
+                           uint8_t ord)
 {
     return dane_mtype_set(&ctx->dane, md, mtype, ord);
 }
@@ -1004,7 +1003,7 @@ void SSL_free(SSL *s)
 #ifndef OPENSSL_NO_EC
     OPENSSL_free(s->tlsext_ecpointformatlist);
     OPENSSL_free(s->tlsext_ellipticcurvelist);
-#endif                         /* OPENSSL_NO_EC */
+#endif                          /* OPENSSL_NO_EC */
     sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free);
 #ifndef OPENSSL_NO_OCSP
     sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
@@ -1389,15 +1388,12 @@ int SSL_copy_session_id(SSL *t, const SSL *f)
 /* Fix this so it checks all the valid key/cert options */
 int SSL_CTX_check_private_key(const SSL_CTX *ctx)
 {
-    if ((ctx == NULL) ||
-        (ctx->cert->key->x509 == NULL)) {
-        SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,
-               SSL_R_NO_CERTIFICATE_ASSIGNED);
+    if ((ctx == NULL) || (ctx->cert->key->x509 == NULL)) {
+        SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED);
         return (0);
     }
     if (ctx->cert->key->privatekey == NULL) {
-        SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,
-               SSL_R_NO_PRIVATE_KEY_ASSIGNED);
+        SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
         return (0);
     }
     return (X509_check_private_key
@@ -1477,7 +1473,8 @@ long SSL_get_default_timeout(const SSL *s)
 }
 
 static int ssl_start_async_job(SSL *s, struct ssl_async_args *args,
-                          int (*func)(void *)) {
+                               int (*func) (void *))
+{
     int ret;
     if (s->waitctx == NULL) {
         s->waitctx = ASYNC_WAIT_CTX_new();
@@ -1485,7 +1482,7 @@ static int ssl_start_async_job(SSL *s, struct ssl_async_args *args,
             return -1;
     }
     switch (ASYNC_start_job(&s->job, s->waitctx, &ret, func, args,
-        sizeof(struct ssl_async_args))) {
+                            sizeof(struct ssl_async_args))) {
     case ASYNC_ERR:
         s->rwstate = SSL_NOTHING;
         SSLerr(SSL_F_SSL_START_ASYNC_JOB, SSL_R_FAILED_TO_INIT_ASYNC);
@@ -1736,7 +1733,7 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
         }
     case SSL_CTRL_GET_EXTMS_SUPPORT:
         if (!s->session || SSL_in_init(s) || ossl_statem_get_in_handshake(s))
-                return -1;
+            return -1;
         if (s->session->flags & SSL_SESS_FLAG_EXTMS)
             return 1;
         else
@@ -2122,8 +2119,7 @@ int SSL_get_servername_type(const SSL *s)
 int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
                           const unsigned char *server,
                           unsigned int server_len,
-                          const unsigned char *client,
-                          unsigned int client_len)
+                          const unsigned char *client, unsigned int client_len)
 {
     unsigned int i, j;
     const unsigned char *result;
@@ -2294,7 +2290,6 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
         *len = ssl->s3->alpn_selected_len;
 }
 
-
 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
                                const char *label, size_t llen,
                                const unsigned char *p, size_t plen,
@@ -2399,9 +2394,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
         goto err;
 #endif
     if (!ssl_create_cipher_list(ret->method,
-                           &ret->cipher_list, &ret->cipher_list_by_id,
-                           SSL_DEFAULT_CIPHER_LIST, ret->cert)
-       || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
+                                &ret->cipher_list, &ret->cipher_list_by_id,
+                                SSL_DEFAULT_CIPHER_LIST, ret->cert)
+        || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
         SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
         goto err2;
     }
@@ -2433,9 +2428,12 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
     ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
 
     /* Setup RFC5077 ticket keys */
-    if ((RAND_bytes(ret->tlsext_tick_key_name, sizeof(ret->tlsext_tick_key_name)) <= 0)
-        || (RAND_bytes(ret->tlsext_tick_hmac_key, sizeof(ret->tlsext_tick_hmac_key)) <= 0)
-        || (RAND_bytes(ret->tlsext_tick_aes_key, sizeof(ret->tlsext_tick_aes_key)) <= 0))
+    if ((RAND_bytes(ret->tlsext_tick_key_name,
+                    sizeof(ret->tlsext_tick_key_name)) <= 0)
+        || (RAND_bytes(ret->tlsext_tick_hmac_key,
+                       sizeof(ret->tlsext_tick_hmac_key)) <= 0)
+        || (RAND_bytes(ret->tlsext_tick_aes_key,
+                       sizeof(ret->tlsext_tick_aes_key)) <= 0))
         ret->options |= SSL_OP_NO_TICKET;
 
 #ifndef OPENSSL_NO_SRP
@@ -2616,8 +2614,7 @@ void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
     X509_VERIFY_PARAM_set_depth(ctx->param, depth);
 }
 
-void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg),
-                         void *arg)
+void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg), void *arg)
 {
     ssl_cert_set_cert_cb(c->cert, cb, arg);
 }
@@ -2802,8 +2799,7 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher,
     alg_a = cipher->algorithm_auth;
     c = s->cert;
 
-    if ((alg_a & SSL_aDSS) &&
-            (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
+    if ((alg_a & SSL_aDSS) && (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
         idx = SSL_PKEY_DSA_SIGN;
     else if (alg_a & SSL_aRSA) {
         if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
@@ -2889,7 +2885,7 @@ int SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
 
     if (s->method != meth) {
         const SSL_METHOD *sm = s->method;
-        int (*hf)(SSL *) = s->handshake_func;
+        int (*hf) (SSL *) = s->handshake_func;
 
         if (sm->version == meth->version)
             s->method = meth;
@@ -3412,7 +3408,7 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
     }
 
     SSL_CTX_up_ref(ctx);
-    SSL_CTX_free(ssl->ctx); /* decrement reference count */
+    SSL_CTX_free(ssl->ctx);     /* decrement reference count */
     ssl->ctx = ctx;
 
     return ssl->ctx;
@@ -3507,7 +3503,7 @@ size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen)
 }
 
 size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
-                               unsigned char *out, size_t outlen)
+                                  unsigned char *out, size_t outlen)
 {
     if (session->master_key_length < 0) {
         /* Should never happen */
@@ -3587,8 +3583,7 @@ void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export,
 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint)
 {
     if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {
-        SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT,
-               SSL_R_DATA_LENGTH_TOO_LONG);
+        SSLerr(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT, SSL_R_DATA_LENGTH_TOO_LONG);
         return 0;
     }
     OPENSSL_free(ctx->cert->psk_identity_hint);
@@ -3641,8 +3636,7 @@ void SSL_set_psk_client_callback(SSL *s,
                                                      unsigned int
                                                      max_identity_len,
                                                      unsigned char *psk,
-                                                     unsigned int
-                                                     max_psk_len))
+                                                     unsigned int max_psk_len))
 {
     s->psk_client_callback = cb;
 }
@@ -3664,8 +3658,7 @@ void SSL_set_psk_server_callback(SSL *s,
                                  unsigned int (*cb) (SSL *ssl,
                                                      const char *identity,
                                                      unsigned char *psk,
-                                                     unsigned int
-                                                     max_psk_len))
+                                                     unsigned int max_psk_len))
 {
     s->psk_server_callback = cb;
 }
@@ -3783,7 +3776,6 @@ void SSL_set_debug(SSL *s, int debug)
 }
 #endif
 
-
 void SSL_set_security_level(SSL *s, int level)
 {
     s->cert->sec_level = level;
@@ -3795,16 +3787,17 @@ int SSL_get_security_level(const SSL *s)
 }
 
 void SSL_set_security_callback(SSL *s,
-                               int (*cb) (const SSL *s, const SSL_CTX *ctx, int op,
-                                          int bits, int nid, void *other,
-                                          void *ex))
+                               int (*cb) (const SSL *s, const SSL_CTX *ctx,
+                                          int op, int bits, int nid,
+                                          void *other, void *ex))
 {
     s->cert->sec_cb = cb;
 }
 
-int (*SSL_get_security_callback(const SSL *s)) (const SSL *s, const SSL_CTX *ctx, int op,
-                                                int bits, int nid,
-                                                void *other, void *ex) {
+int (*SSL_get_security_callback(const SSL *s)) (const SSL *s,
+                                                const SSL_CTX *ctx, int op,
+                                                int bits, int nid, void *other,
+                                                void *ex) {
     return s->cert->sec_cb;
 }
 
@@ -3829,9 +3822,9 @@ int SSL_CTX_get_security_level(const SSL_CTX *ctx)
 }
 
 void SSL_CTX_set_security_callback(SSL_CTX *ctx,
-                                   int (*cb) (const SSL *s, const SSL_CTX *ctx, int op,
-                                              int bits, int nid, void *other,
-                                              void *ex))
+                                   int (*cb) (const SSL *s, const SSL_CTX *ctx,
+                                              int op, int bits, int nid,
+                                              void *other, void *ex))
 {
     ctx->cert->sec_cb = cb;
 }
@@ -3855,7 +3848,6 @@ void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
     return ctx->cert->sec_ex;
 }
 
-
 /*
  * Get/Set/Clear options in SSL_CTX or SSL, formerly macros, now functions that
  * can return unsigned long, instead of the generic long return value from the
@@ -3865,22 +3857,27 @@ unsigned long SSL_CTX_get_options(const SSL_CTX *ctx)
 {
     return ctx->options;
 }
-unsigned long SSL_get_options(const SSL* s)
+
+unsigned long SSL_get_options(const SSL *s)
 {
     return s->options;
 }
+
 unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op)
 {
     return ctx->options |= op;
 }
+
 unsigned long SSL_set_options(SSL *s, unsigned long op)
 {
     return s->options |= op;
 }
+
 unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
 {
     return ctx->options &= ~op;
 }
+
 unsigned long SSL_clear_options(SSL *s, unsigned long op)
 {
     return s->options &= ~op;
@@ -3902,7 +3899,8 @@ IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
  * the caller.
  * Returns the number of SCTs moved, or a negative integer if an error occurs.
  */
-static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src, sct_source_t origin)
+static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src,
+                        sct_source_t origin)
 {
     int scts_moved = 0;
     SCT *sct = NULL;
@@ -3925,16 +3923,16 @@ static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src, sct_source_t or
     }
 
     return scts_moved;
-err:
+ err:
     if (sct != NULL)
-        sk_SCT_push(src, sct); /* Put the SCT back */
+        sk_SCT_push(src, sct);  /* Put the SCT back */
     return -1;
 }
 
 /*
-* Look for data collected during ServerHello and parse if found.
-* Return 1 on success, 0 on failure.
-*/
+ * Look for data collected during ServerHello and parse if found.
+ * Return 1 on success, 0 on failure.
+ */
 static int ct_extract_tls_extension_scts(SSL *s)
 {
     int scts_extracted = 0;
@@ -3961,7 +3959,7 @@ static int ct_extract_tls_extension_scts(SSL *s)
  */
 static int ct_extract_ocsp_response_scts(SSL *s)
 {
-#ifndef OPENSSL_NO_OCSP
+# ifndef OPENSSL_NO_OCSP
     int scts_extracted = 0;
     const unsigned char *p;
     OCSP_BASICRESP *br = NULL;
@@ -3987,21 +3985,22 @@ static int ct_extract_ocsp_response_scts(SSL *s)
         if (single == NULL)
             continue;
 
-        scts = OCSP_SINGLERESP_get1_ext_d2i(single, NID_ct_cert_scts, NULL, NULL);
-        scts_extracted = ct_move_scts(&s->scts, scts,
-                                      SCT_SOURCE_OCSP_STAPLED_RESPONSE);
+        scts =
+            OCSP_SINGLERESP_get1_ext_d2i(single, NID_ct_cert_scts, NULL, NULL);
+        scts_extracted =
+            ct_move_scts(&s->scts, scts, SCT_SOURCE_OCSP_STAPLED_RESPONSE);
         if (scts_extracted < 0)
             goto err;
     }
-err:
+ err:
     SCT_LIST_free(scts);
     OCSP_BASICRESP_free(br);
     OCSP_RESPONSE_free(rsp);
     return scts_extracted;
-#else
+# else
     /* Behave as if no OCSP response exists */
     return 0;
-#endif
+# endif
 }
 
 /*
@@ -4043,17 +4042,17 @@ const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s)
         s->scts_parsed = 1;
     }
     return s->scts;
-err:
+ err:
     return NULL;
 }
 
-static int ct_permissive(const CT_POLICY_EVAL_CTX *ctx,
+static int ct_permissive(const CT_POLICY_EVAL_CTX * ctx,
                          const STACK_OF(SCT) *scts, void *unused_arg)
 {
     return 1;
 }
 
-static int ct_strict(const CT_POLICY_EVAL_CTX *ctx,
+static int ct_strict(const CT_POLICY_EVAL_CTX * ctx,
                      const STACK_OF(SCT) *scts, void *unused_arg)
 {
     int count = scts != NULL ? sk_SCT_num(scts) : 0;
@@ -4078,14 +4077,17 @@ int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
      * for this and throw an error if they have already registered to use CT.
      */
     if (callback != NULL && SSL_CTX_has_client_custom_ext(s->ctx,
-            TLSEXT_TYPE_signed_certificate_timestamp)) {
+                                                          TLSEXT_TYPE_signed_certificate_timestamp))
+    {
         SSLerr(SSL_F_SSL_SET_CT_VALIDATION_CALLBACK,
                SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
         return 0;
     }
 
     if (callback != NULL) {
-        /* If we are validating CT, then we MUST accept SCTs served via OCSP */
+        /*
+         * If we are validating CT, then we MUST accept SCTs served via OCSP
+         */
         if (!SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp))
             return 0;
     }
@@ -4097,15 +4099,15 @@ int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
 }
 
 int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
-                                       ssl_ct_validation_cb callback,
-                                       void *arg)
+                                       ssl_ct_validation_cb callback, void *arg)
 {
     /*
      * Since code exists that uses the custom extension handler for CT, look for
      * this and throw an error if they have already registered to use CT.
      */
     if (callback != NULL && SSL_CTX_has_client_custom_ext(ctx,
-            TLSEXT_TYPE_signed_certificate_timestamp)) {
+                                                          TLSEXT_TYPE_signed_certificate_timestamp))
+    {
         SSLerr(SSL_F_SSL_CTX_SET_CT_VALIDATION_CALLBACK,
                SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
         return 0;
@@ -4148,8 +4150,7 @@ int ssl_validate_ct(SSL *s)
      */
     if (s->ct_validation_callback == NULL || cert == NULL ||
         s->verify_result != X509_V_OK ||
-        s->verified_chain == NULL ||
-        sk_X509_num(s->verified_chain) <= 1)
+        s->verified_chain == NULL || sk_X509_num(s->verified_chain) <= 1)
         return 1;
 
     /*
@@ -4198,9 +4199,9 @@ int ssl_validate_ct(SSL *s)
 
     ret = s->ct_validation_callback(ctx, scts, s->ct_validation_callback_arg);
     if (ret < 0)
-        ret = 0; /* This function returns 0 on failure */
+        ret = 0;                /* This function returns 0 on failure */
 
-end:
+ end:
     CT_POLICY_EVAL_CTX_free(ctx);
     /*
      * With SSL_VERIFY_NONE the session may be cached and re-used despite a
@@ -4258,7 +4259,7 @@ int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
     return CTLOG_STORE_load_file(ctx->ctlog_store, path);
 }
 
-void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE *logs)
+void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE * logs)
 {
     CTLOG_STORE_free(ctx->ctlog_store);
     ctx->ctlog_store = logs;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index e7084fc..6fba983 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -48,7 +48,7 @@
 
 # include "e_os.h"
 # if defined(__unix) || defined(__unix__)
-#  include <sys/time.h>  /* struct timeval for DTLS */
+#  include <sys/time.h>         /* struct timeval for DTLS */
 # endif
 
 # include <openssl/buffer.h>
@@ -62,10 +62,10 @@
 # include <openssl/async.h>
 # include <openssl/symhacks.h>
 # include <openssl/ct.h>
-#include "record/record.h"
-#include "statem/statem.h"
-#include "packet_locl.h"
-#include "internal/dane.h"
+# include "record/record.h"
+# include "statem/statem.h"
+# include "packet_locl.h"
+# include "internal/dane.h"
 
 # ifdef OPENSSL_BUILD_SHLIBSSL
 #  undef OPENSSL_EXTERN
@@ -164,13 +164,15 @@
                            (c)[1]=(unsigned char)(((l)>> 8)&0xff), \
                            (c)[2]=(unsigned char)(((l)    )&0xff)),(c)+=3)
 
-/* DTLS version numbers are strange because they're inverted. Except
- * for DTLS1_BAD_VER, which should be considered "lower" than the rest. */
-#define dtls_ver_ordinal(v1) (((v1) == DTLS1_BAD_VER) ? 0xff00 : (v1))
-#define DTLS_VERSION_GT(v1, v2) (dtls_ver_ordinal(v1) < dtls_ver_ordinal(v2))
-#define DTLS_VERSION_GE(v1, v2) (dtls_ver_ordinal(v1) <= dtls_ver_ordinal(v2))
-#define DTLS_VERSION_LT(v1, v2) (dtls_ver_ordinal(v1) > dtls_ver_ordinal(v2))
-#define DTLS_VERSION_LE(v1, v2) (dtls_ver_ordinal(v1) >= dtls_ver_ordinal(v2))
+/*
+ * DTLS version numbers are strange because they're inverted. Except for
+ * DTLS1_BAD_VER, which should be considered "lower" than the rest.
+ */
+# define dtls_ver_ordinal(v1) (((v1) == DTLS1_BAD_VER) ? 0xff00 : (v1))
+# define DTLS_VERSION_GT(v1, v2) (dtls_ver_ordinal(v1) < dtls_ver_ordinal(v2))
+# define DTLS_VERSION_GE(v1, v2) (dtls_ver_ordinal(v1) <= dtls_ver_ordinal(v2))
+# define DTLS_VERSION_LT(v1, v2) (dtls_ver_ordinal(v1) > dtls_ver_ordinal(v2))
+# define DTLS_VERSION_LE(v1, v2) (dtls_ver_ordinal(v1) >= dtls_ver_ordinal(v2))
 
 /* LOCAL STUFF */
 
@@ -224,7 +226,7 @@
 
 /* all PSK */
 
-#define SSL_PSK     (SSL_kPSK | SSL_kRSAPSK | SSL_kECDHEPSK | SSL_kDHEPSK)
+# define SSL_PSK     (SSL_kPSK | SSL_kRSAPSK | SSL_kECDHEPSK | SSL_kDHEPSK)
 
 /* Bits for algorithm_auth (server authentication) */
 /* RSA auth */
@@ -376,7 +378,7 @@
 # define SSL_CLIENT_USE_SIGALGS(s)        \
     SSL_CLIENT_USE_TLS1_2_CIPHERS(s)
 
-#  define SSL_USE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)
+# define SSL_USE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)
 
 /* Mostly for SSLv3 */
 # define SSL_PKEY_RSA_ENC        0
@@ -407,30 +409,29 @@
 #define CERT_PRIVATE_KEY        2
 */
 
-
 /* CipherSuite length. SSLv3 and all TLS versions. */
-#define TLS_CIPHER_LEN 2
+# define TLS_CIPHER_LEN 2
 /* used to hold info on the particular ciphers used */
 struct ssl_cipher_st {
     uint32_t valid;
-    const char *name;        /* text name */
-    uint32_t id;             /* id, 4 bytes, first is version */
+    const char *name;           /* text name */
+    uint32_t id;                /* id, 4 bytes, first is version */
     /*
      * changed in 1.0.0: these four used to be portions of a single value
      * 'algorithms'
      */
-    uint32_t algorithm_mkey; /* key exchange algorithm */
-    uint32_t algorithm_auth; /* server authentication */
-    uint32_t algorithm_enc;  /* symmetric encryption */
-    uint32_t algorithm_mac;  /* symmetric authentication */
-    int min_tls;             /* minimum SSL/TLS protocol version */
-    int max_tls;             /* maximum SSL/TLS protocol version */
-    int min_dtls;            /* minimum DTLS protocol version */
-    int max_dtls;            /* maximum DTLS protocol version */
-    uint32_t algo_strength;  /* strength and export flags */
-    uint32_t algorithm2;     /* Extra flags */
-    int32_t strength_bits;   /* Number of bits really used */
-    uint32_t alg_bits;       /* Number of bits for algorithm */
+    uint32_t algorithm_mkey;    /* key exchange algorithm */
+    uint32_t algorithm_auth;    /* server authentication */
+    uint32_t algorithm_enc;     /* symmetric encryption */
+    uint32_t algorithm_mac;     /* symmetric authentication */
+    int min_tls;                /* minimum SSL/TLS protocol version */
+    int max_tls;                /* maximum SSL/TLS protocol version */
+    int min_dtls;               /* minimum DTLS protocol version */
+    int max_dtls;               /* maximum DTLS protocol version */
+    uint32_t algo_strength;     /* strength and export flags */
+    uint32_t algorithm2;        /* Extra flags */
+    int32_t strength_bits;      /* Number of bits really used */
+    uint32_t alg_bits;          /* Number of bits for algorithm */
 };
 
 /* Used to hold SSL/TLS functions */
@@ -494,8 +495,8 @@ struct ssl_method_st {
  * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
  */
 struct ssl_session_st {
-    int ssl_version;            /* what ssl version session info is being
-                                 * kept in here? */
+    int ssl_version;            /* what ssl version session info is being kept
+                                 * in here? */
     int master_key_length;
     unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
     /* session_id - valid? */
@@ -533,8 +534,8 @@ struct ssl_session_st {
     long time;
     unsigned int compress_meth; /* Need to lookup the method */
     const SSL_CIPHER *cipher;
-    unsigned long cipher_id;    /* when ASN.1 loaded, this needs to be used
-                                 * to load the 'cipher' structure */
+    unsigned long cipher_id;    /* when ASN.1 loaded, this needs to be used to
+                                 * load the 'cipher' structure */
     STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
     CRYPTO_EX_DATA ex_data;     /* application specific data */
     /*
@@ -548,11 +549,12 @@ struct ssl_session_st {
     unsigned char *tlsext_ecpointformatlist; /* peer's list */
     size_t tlsext_ellipticcurvelist_length;
     unsigned char *tlsext_ellipticcurvelist; /* peer's list */
-# endif                       /* OPENSSL_NO_EC */
+# endif                         /* OPENSSL_NO_EC */
     /* RFC4507 info */
     unsigned char *tlsext_tick; /* Session ticket */
     size_t tlsext_ticklen;      /* Session ticket length */
-    unsigned long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
+    unsigned long tlsext_tick_lifetime_hint; /* Session lifetime hint in
+                                              * seconds */
 # ifndef OPENSSL_NO_SRP
     char *srp_username;
 # endif
@@ -561,8 +563,7 @@ struct ssl_session_st {
 };
 
 /* Extended master secret support */
-#  define SSL_SESS_FLAG_EXTMS             0x1
-
+# define SSL_SESS_FLAG_EXTMS             0x1
 
 # ifndef OPENSSL_NO_SRP
 
@@ -595,7 +596,7 @@ DEFINE_LHASH_OF(SSL_SESSION);
 /* Needed in ssl_cert.c */
 DEFINE_LHASH_OF(X509_NAME);
 
-#define TLSEXT_KEYNAME_LENGTH 16
+# define TLSEXT_KEYNAME_LENGTH 16
 
 struct ssl_ctx_st {
     const SSL_METHOD *method;
@@ -650,9 +651,9 @@ struct ssl_ctx_st {
         int sess_hit;           /* session reuse actually done */
         int sess_cb_hit;        /* session-id that was not in the cache was
                                  * passed back via the callback.  This
-                                 * indicates that the application is
-                                 * supplying session-id's from other
-                                 * processes - spooky :-) */
+                                 * indicates that the application is supplying
+                                 * session-id's from other processes - spooky
+                                 * :-) */
     } stats;
 
     int references;
@@ -730,15 +731,15 @@ struct ssl_ctx_st {
 
     int quiet_shutdown;
 
-#  ifndef OPENSSL_NO_CT
-    CTLOG_STORE *ctlog_store; /* CT Log Store */
+# ifndef OPENSSL_NO_CT
+    CTLOG_STORE *ctlog_store;   /* CT Log Store */
     /*
-    * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
-    * If they are not, the connection should be aborted.
-    */
+     * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
+     * If they are not, the connection should be aborted.
+     */
     ssl_ct_validation_cb ct_validation_callback;
     void *ct_validation_callback_arg;
-#  endif
+# endif
 
     /*
      * If we're using more than one pipeline how should we divide the data
@@ -757,12 +758,12 @@ struct ssl_ctx_st {
     /* The default read buffer length to use (0 means not set) */
     size_t default_read_buf_len;
 
-#  ifndef OPENSSL_NO_ENGINE
+# ifndef OPENSSL_NO_ENGINE
     /*
      * Engine to pass requests for client certs to
      */
     ENGINE *client_cert_engine;
-#  endif
+# endif
 
     /* TLS extensions servername callback */
     int (*tlsext_servername_callback) (SSL *, int *, void *);
@@ -774,15 +775,14 @@ struct ssl_ctx_st {
     /* Callback to support customisation of ticket key setting */
     int (*tlsext_ticket_key_cb) (SSL *ssl,
                                  unsigned char *name, unsigned char *iv,
-                                 EVP_CIPHER_CTX *ectx,
-                                 HMAC_CTX *hctx, int enc);
+                                 EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
 
     /* certificate status request info */
     /* Callback for status request */
     int (*tlsext_status_cb) (SSL *ssl, void *arg);
     void *tlsext_status_arg;
 
-#  ifndef OPENSSL_NO_PSK
+# ifndef OPENSSL_NO_PSK
     unsigned int (*psk_client_callback) (SSL *ssl, const char *hint,
                                          char *identity,
                                          unsigned int max_identity_len,
@@ -791,13 +791,13 @@ struct ssl_ctx_st {
     unsigned int (*psk_server_callback) (SSL *ssl, const char *identity,
                                          unsigned char *psk,
                                          unsigned int max_psk_len);
-#  endif
+# endif
 
-#  ifndef OPENSSL_NO_SRP
+# ifndef OPENSSL_NO_SRP
     SRP_CTX srp_ctx;            /* ctx for SRP authentication */
-#  endif
+# endif
 
-#  ifndef OPENSSL_NO_NEXTPROTONEG
+# ifndef OPENSSL_NO_NEXTPROTONEG
     /* Next protocol negotiation information */
 
     /*
@@ -816,7 +816,7 @@ struct ssl_ctx_st {
                                  const unsigned char *in,
                                  unsigned int inlen, void *arg);
     void *next_proto_select_cb_arg;
-#  endif
+# endif
 
     /*
      * ALPN information (we are in the process of transitioning from NPN to
@@ -857,13 +857,13 @@ struct ssl_ctx_st {
      * basis, depending on the chosen cipher.
      */
     int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure);
-#  ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_EC
     /* EC extension values inherited by SSL structure */
     size_t tlsext_ecpointformatlist_length;
     unsigned char *tlsext_ecpointformatlist;
     size_t tlsext_ellipticcurvelist_length;
     unsigned char *tlsext_ellipticcurvelist;
-#  endif                        /* OPENSSL_NO_EC */
+# endif                         /* OPENSSL_NO_EC */
 
     /* ext status type used for CSR extension (OCSP Stapling) */
     int tlsext_status_type;
@@ -871,14 +871,12 @@ struct ssl_ctx_st {
     CRYPTO_RWLOCK *lock;
 };
 
-
 struct ssl_st {
     /*
      * protocol version (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION,
      * DTLS1_VERSION)
      */
     int version;
-
     /* SSLv3 */
     const SSL_METHOD *method;
     /*
@@ -897,7 +895,6 @@ struct ssl_st {
      * request needs re-doing when in SSL_accept or SSL_connect
      */
     int rwstate;
-
     int (*handshake_func) (SSL *);
     /*
      * Imagine that here's a boolean member "init" that is switched as soon
@@ -921,26 +918,21 @@ struct ssl_st {
     int shutdown;
     /* where we are */
     OSSL_STATEM statem;
-
     BUF_MEM *init_buf;          /* buffer used during init */
     void *init_msg;             /* pointer to handshake message body, set by
                                  * ssl3_get_message() */
     int init_num;               /* amount read/written */
     int init_off;               /* amount read/written */
-
     struct ssl3_state_st *s3;   /* SSLv3 variables */
     struct dtls1_state_st *d1;  /* DTLSv1 variables */
-
     /* callback that allows applications to peek at protocol messages */
     void (*msg_callback) (int write_p, int version, int content_type,
                           const void *buf, size_t len, SSL *ssl, void *arg);
     void *msg_callback_arg;
     int hit;                    /* reusing a previous session */
     X509_VERIFY_PARAM *param;
-
     /* Per connection DANE state */
     SSL_DANE dane;
-
     /* crypto */
     STACK_OF(SSL_CIPHER) *cipher_list;
     STACK_OF(SSL_CIPHER) *cipher_list_by_id;
@@ -983,7 +975,7 @@ struct ssl_st {
     int error;
     /* actual code */
     int error_code;
-#  ifndef OPENSSL_NO_PSK
+# ifndef OPENSSL_NO_PSK
     unsigned int (*psk_client_callback) (SSL *ssl, const char *hint,
                                          char *identity,
                                          unsigned int max_identity_len,
@@ -992,7 +984,7 @@ struct ssl_st {
     unsigned int (*psk_server_callback) (SSL *ssl, const char *identity,
                                          unsigned char *psk,
                                          unsigned int max_psk_len);
-#  endif
+# endif
     SSL_CTX *ctx;
     /* Verified chain of peer */
     STACK_OF(X509) *verified_chain;
@@ -1012,7 +1004,6 @@ struct ssl_st {
     int first_packet;
     /* what was passed, used for SSLv3/TLS rollback check */
     int client_version;
-
     /*
      * If we're using more than one pipeline how should we divide the data
      * up between the pipes?
@@ -1023,10 +1014,8 @@ struct ssl_st {
      * be more than this due to padding and MAC overheads.
      */
     unsigned int max_send_fragment;
-
     /* Up to how many pipelines should we use? If 0 then 1 is assumed */
     unsigned int max_pipelines;
-
     /* TLS extension debug callback */
     void (*tlsext_debug_cb) (SSL *s, int client_server, int type,
                              const unsigned char *data, int len, void *arg);
@@ -1042,11 +1031,11 @@ struct ssl_st {
     /* certificate status request info */
     /* Status type or -1 if no status type */
     int tlsext_status_type;
-#  ifndef OPENSSL_NO_CT
+# ifndef OPENSSL_NO_CT
     /*
-    * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
-    * If they are not, the connection should be aborted.
-    */
+     * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
+     * If they are not, the connection should be aborted.
+     */
     ssl_ct_validation_cb ct_validation_callback;
     /* User-supplied argument tha tis passed to the ct_validation_callback */
     void *ct_validation_callback_arg;
@@ -1061,7 +1050,7 @@ struct ssl_st {
     uint16_t tlsext_scts_len;
     /* Have we attempted to find/parse SCTs yet? */
     int scts_parsed;
-#  endif
+# endif
     /* Expect OCSP CertificateStatus message */
     int tlsext_status_expected;
     /* OCSP status request only */
@@ -1072,14 +1061,14 @@ struct ssl_st {
     int tlsext_ocsp_resplen;
     /* RFC4507 session ticket expected to be received or sent */
     int tlsext_ticket_expected;
-#  ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_EC
     size_t tlsext_ecpointformatlist_length;
     /* our list */
     unsigned char *tlsext_ecpointformatlist;
     size_t tlsext_ellipticcurvelist_length;
     /* our list */
     unsigned char *tlsext_ellipticcurvelist;
-#  endif                       /* OPENSSL_NO_EC */
+# endif                         /* OPENSSL_NO_EC */
     /* TLS Session Ticket extension override */
     TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
     /* TLS Session Ticket extension callback */
@@ -1089,7 +1078,7 @@ struct ssl_st {
     tls_session_secret_cb_fn tls_session_secret_cb;
     void *tls_session_secret_cb_arg;
     SSL_CTX *initial_ctx;       /* initial ctx, used to store sessions */
-#  ifndef OPENSSL_NO_NEXTPROTONEG
+# ifndef OPENSSL_NO_NEXTPROTONEG
     /*
      * Next protocol negotiation. For the client, this is the protocol that
      * we sent in NextProtocol and is set when handling ServerHello
@@ -1099,8 +1088,8 @@ struct ssl_st {
      */
     unsigned char *next_proto_negotiated;
     unsigned char next_proto_negotiated_len;
-#  endif
-#  define session_ctx initial_ctx
+# endif
+# define session_ctx initial_ctx
     /* What we'll do */
     STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
     /* What's been chosen */
@@ -1122,39 +1111,32 @@ struct ssl_st {
      */
     unsigned char *alpn_client_proto_list;
     unsigned alpn_client_proto_list_len;
-
     /*-
      * 1 if we are renegotiating.
      * 2 if we are a server and are inside a handshake
      * (i.e. not just sending a HelloRequest)
      */
     int renegotiate;
-#  ifndef OPENSSL_NO_SRP
+# ifndef OPENSSL_NO_SRP
     /* ctx for SRP authentication */
     SRP_CTX srp_ctx;
-#  endif
+# endif
     /*
      * Callback for disabling session caching and ticket support on a session
      * basis, depending on the chosen cipher.
      */
     int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure);
-
     RECORD_LAYER rlayer;
-
     /* Default password callback. */
     pem_password_cb *default_passwd_callback;
-
     /* Default password callback user data. */
     void *default_passwd_callback_userdata;
-
     /* Async Job info */
     ASYNC_JOB *job;
     ASYNC_WAIT_CTX *waitctx;
-
     CRYPTO_RWLOCK *lock;
 };
 
-
 typedef struct ssl3_state_st {
     long flags;
     int read_mac_secret_size;
@@ -1205,9 +1187,9 @@ typedef struct ssl3_state_st {
         int message_type;
         /* used to hold the new cipher we are going to use */
         const SSL_CIPHER *new_cipher;
-#  if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
-        EVP_PKEY *pkey;            /* holds short lived DH/ECDH key */
-#  endif
+# if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
+        EVP_PKEY *pkey;         /* holds short lived DH/ECDH key */
+# endif
         /* used for certificate requests */
         int cert_req;
         int ctype_num;
@@ -1219,11 +1201,11 @@ typedef struct ssl3_state_st {
         const EVP_MD *new_hash;
         int new_mac_pkey_type;
         int new_mac_secret_size;
-#  ifndef OPENSSL_NO_COMP
+# ifndef OPENSSL_NO_COMP
         const SSL_COMP *new_compression;
-#  else
+# else
         char *new_compression;
-#  endif
+# endif
         int cert_request;
         /* Raw values of the cipher list from a client */
         unsigned char *ciphers_raw;
@@ -1231,11 +1213,11 @@ typedef struct ssl3_state_st {
         /* Temporary storage for premaster secret */
         unsigned char *pms;
         size_t pmslen;
-#ifndef OPENSSL_NO_PSK
+# ifndef OPENSSL_NO_PSK
         /* Temporary storage for PSK key */
         unsigned char *psk;
         size_t psklen;
-#endif
+# endif
         /*
          * signature algorithms peer reports: e.g. supported signature
          * algorithms extension for server or as part of a certificate
@@ -1277,12 +1259,12 @@ typedef struct ssl3_state_st {
     unsigned char previous_server_finished_len;
     int send_connection_binding; /* TODOEKR */
 
-#  ifndef OPENSSL_NO_NEXTPROTONEG
+# ifndef OPENSSL_NO_NEXTPROTONEG
     /*
      * Set if we saw the Next Protocol Negotiation extension from our peer.
      */
     int next_proto_neg_seen;
-#  endif
+# endif
 
     /*
      * ALPN information (we are in the process of transitioning from NPN to
@@ -1302,14 +1284,14 @@ typedef struct ssl3_state_st {
     /* used by the client to know if it actually sent alpn */
     int alpn_sent;
 
-#   ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_EC
     /*
      * This is set to true if we believe that this is a version of Safari
      * running on OS X 10.6 or newer. We wish to know this because Safari on
      * 10.8 .. 10.8.3 has broken ECDHE-ECDSA support.
      */
     char is_probably_safari;
-#   endif                       /* !OPENSSL_NO_EC */
+# endif                         /* !OPENSSL_NO_EC */
 
     /* For clients: peer temporary key */
 # if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
@@ -1318,21 +1300,20 @@ typedef struct ssl3_state_st {
 
 } SSL3_STATE;
 
-
 /* DTLS structures */
 
-#  ifndef OPENSSL_NO_SCTP
-#   define DTLS1_SCTP_AUTH_LABEL   "EXPORTER_DTLS_OVER_SCTP"
-#  endif
+# ifndef OPENSSL_NO_SCTP
+#  define DTLS1_SCTP_AUTH_LABEL   "EXPORTER_DTLS_OVER_SCTP"
+# endif
 
 /* Max MTU overhead we know about so far is 40 for IPv6 + 8 for UDP */
-#  define DTLS1_MAX_MTU_OVERHEAD                   48
+# define DTLS1_MAX_MTU_OVERHEAD                   48
 
 /*
  * Flag used in message reuse to indicate the buffer contains the record
  * header as well as the the handshake message header.
  */
-#  define DTLS1_SKIP_RECORD_HEADER                 2
+# define DTLS1_SKIP_RECORD_HEADER                 2
 
 struct dtls1_retransmit_state {
     EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
@@ -1380,7 +1361,7 @@ typedef struct pitem_st *piterator;
 
 pitem *pitem_new(unsigned char *prio64be, void *data);
 void pitem_free(pitem *item);
-pqueue* pqueue_new(void);
+pqueue *pqueue_new(void);
 void pqueue_free(pqueue *pq);
 pitem *pqueue_insert(pqueue *pq, pitem *item);
 pitem *pqueue_peek(pqueue *pq);
@@ -1394,17 +1375,14 @@ typedef struct dtls1_state_st {
     unsigned char cookie[DTLS1_COOKIE_LENGTH];
     unsigned int cookie_len;
     unsigned int cookie_verified;
-
     /* handshake message numbers */
     unsigned short handshake_write_seq;
     unsigned short next_handshake_write_seq;
     unsigned short handshake_read_seq;
-
     /* Buffered handshake messages */
     pqueue *buffered_messages;
     /* Buffered (sent) handshake records */
     pqueue *sent_messages;
-
     unsigned int link_mtu;      /* max on-the-wire DTLS packet size */
     unsigned int mtu;           /* max DTLS packet size */
     struct hm_header_st w_msg_hdr;
@@ -1416,15 +1394,12 @@ typedef struct dtls1_state_st {
     struct timeval next_timeout;
     /* Timeout duration */
     unsigned short timeout_duration;
-
     unsigned int retransmitting;
-#  ifndef OPENSSL_NO_SCTP
+# ifndef OPENSSL_NO_SCTP
     int shutdown_received;
-#  endif
+# endif
 } DTLS1_STATE;
 
-
-
 # ifndef OPENSSL_NO_EC
 /*
  * From ECC-TLS draft, used in encoding the curve type in ECParameters
@@ -1439,7 +1414,6 @@ typedef struct cert_pkey_st {
     EVP_PKEY *privatekey;
     /* Chain for this certificate */
     STACK_OF(X509) *chain;
-
     /*-
      * serverinfo data for this certificate.  The data is in TLS Extension
      * wire format, specifically it's a series of records like:
@@ -1559,10 +1533,10 @@ typedef struct cert_st {
     /* Security level */
     int sec_level;
     void *sec_ex;
-#ifndef OPENSSL_NO_PSK
+# ifndef OPENSSL_NO_PSK
     /* If not NULL psk identity hint to use for servers */
     char *psk_identity_hint;
-#endif
+# endif
     int references;             /* >1 only if SSL_copy_session_id is used */
     CRYPTO_RWLOCK *lock;
 } CERT;
@@ -1680,8 +1654,8 @@ extern const SSL3_ENC_METHOD DTLSv1_2_enc_data;
 /*
  * Flags for SSL methods
  */
-#define SSL_METHOD_NO_FIPS      (1U<<0)
-#define SSL_METHOD_NO_SUITEB    (1U<<1)
+# define SSL_METHOD_NO_FIPS      (1U<<0)
+# define SSL_METHOD_NO_SUITEB    (1U<<1)
 
 # define IMPLEMENT_tls_meth_func(version, flags, mask, func_name, s_accept, \
                                  s_connect, enc_data) \
@@ -1801,7 +1775,7 @@ struct openssl_ssl_test_functions {
     int (*p_ssl3_setup_buffers) (SSL *s);
 # ifndef OPENSSL_NO_HEARTBEATS
     int (*p_dtls1_process_heartbeat) (SSL *s,
-        unsigned char *p, unsigned int length);
+                                      unsigned char *p, unsigned int length);
 # endif
 };
 
@@ -1822,17 +1796,21 @@ __owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
 __owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
 DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
 __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
-                          const SSL_CIPHER *const *bp);
+                                 const SSL_CIPHER *const *bp);
 __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
-                                             STACK_OF(SSL_CIPHER) **pref,
-                                             STACK_OF(SSL_CIPHER) **sorted,
-                                             const char *rule_str, CERT *c);
+                                                    STACK_OF(SSL_CIPHER) **pref,
+                                                    STACK_OF(SSL_CIPHER)
+                                                    **sorted,
+                                                    const char *rule_str,
+                                                    CERT *c);
 void ssl_update_cache(SSL *s, int mode);
 __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
-                       const EVP_MD **md, int *mac_pkey_type,
-                       int *mac_secret_size, SSL_COMP **comp, int use_etm);
+                              const EVP_MD **md, int *mac_pkey_type,
+                              int *mac_secret_size, SSL_COMP **comp,
+                              int use_etm);
 __owur int ssl_cipher_get_cert_index(const SSL_CIPHER *c);
-__owur const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr);
+__owur const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl,
+                                                const unsigned char *ptr);
 __owur int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);
 __owur int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);
 __owur int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x);
@@ -1840,31 +1818,35 @@ __owur int ssl_cert_add1_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x);
 __owur int ssl_cert_select_current(CERT *c, X509 *x);
 __owur int ssl_cert_set_current(CERT *c, long arg);
 __owur X509 *ssl_cert_get0_next_certificate(CERT *c, int first);
-void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg),
-                          void *arg);
+void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg);
 
 __owur int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
 __owur int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l);
 __owur int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags);
-__owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref);
+__owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain,
+                                   int ref);
 
 __owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other);
-__owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other);
+__owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
+                            void *other);
 
 int ssl_undefined_function(SSL *s);
 __owur int ssl_undefined_void_function(void);
 __owur int ssl_undefined_const_function(const SSL *s);
 __owur CERT_PKEY *ssl_get_server_send_pkey(SSL *s);
-__owur int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
-                                   size_t *serverinfo_length);
-__owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd);
+__owur int ssl_get_server_cert_serverinfo(SSL *s,
+                                          const unsigned char **serverinfo,
+                                          size_t *serverinfo_length);
+__owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c,
+                                   const EVP_MD **pmd);
 __owur int ssl_cert_type(const X509 *x, const EVP_PKEY *pkey);
 void ssl_set_masks(SSL *s);
 __owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
 __owur int ssl_verify_alarm_type(long type);
 void ssl_sort_cipher_list(void);
 void ssl_load_ciphers(void);
-__owur int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len);
+__owur int ssl_fill_hello_random(SSL *s, int server, unsigned char *field,
+                                 int len);
 __owur int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
                                       int free_pms);
 __owur EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm);
@@ -1880,7 +1862,7 @@ void ssl3_cleanup_key_block(SSL *s);
 __owur int ssl3_do_write(SSL *s, int type);
 int ssl3_send_alert(SSL *s, int level, int desc);
 __owur int ssl3_generate_master_secret(SSL *s, unsigned char *out,
-                                unsigned char *p, int len);
+                                       unsigned char *p, int len);
 __owur int ssl3_get_req_cert_type(SSL *s, unsigned char *p);
 __owur int ssl3_num_ciphers(void);
 __owur const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
@@ -1888,7 +1870,7 @@ int ssl3_renegotiate(SSL *ssl);
 int ssl3_renegotiate_check(SSL *ssl);
 __owur int ssl3_dispatch_alert(SSL *s);
 __owur int ssl3_final_finish_mac(SSL *s, const char *sender, int slen,
-                          unsigned char *p);
+                                 unsigned char *p);
 __owur int ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
 void ssl3_free_digest_list(SSL *s);
 __owur unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk);
@@ -1923,17 +1905,18 @@ __owur int ssl_check_version_downgrade(SSL *s);
 __owur int ssl_set_version_bound(int method_version, int version, int *bound);
 __owur int ssl_choose_server_version(SSL *s);
 __owur int ssl_choose_client_version(SSL *s, int version);
-int ssl_get_client_min_max_version(const SSL *s, int *min_version, int *max_version);
+int ssl_get_client_min_max_version(const SSL *s, int *min_version,
+                                   int *max_version);
 
 __owur long tls1_default_timeout(void);
 __owur int dtls1_do_write(SSL *s, int type);
 void dtls1_set_message_header(SSL *s,
                               unsigned char mt,
                               unsigned long len,
-                              unsigned long frag_off,
-                              unsigned long frag_len);
+                              unsigned long frag_off, unsigned long frag_len);
 
-__owur int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len);
+__owur int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf,
+                                      int len);
 
 __owur int dtls1_read_failed(SSL *s, int code);
 __owur int dtls1_buffer_message(SSL *s, int ccs);
@@ -1979,13 +1962,13 @@ void ssl_free_wbio_buffer(SSL *s);
 __owur int tls1_change_cipher_state(SSL *s, int which);
 __owur int tls1_setup_key_block(SSL *s);
 __owur int tls1_final_finish_mac(SSL *s,
-                          const char *str, int slen, unsigned char *p);
+                                 const char *str, int slen, unsigned char *p);
 __owur int tls1_generate_master_secret(SSL *s, unsigned char *out,
-                                unsigned char *p, int len);
+                                       unsigned char *p, int len);
 __owur int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
-                                const char *label, size_t llen,
-                                const unsigned char *p, size_t plen,
-                                int use_context);
+                                       const char *label, size_t llen,
+                                       const unsigned char *p, size_t plen,
+                                       int use_context);
 __owur int tls1_alert_code(int code);
 __owur int ssl3_alert_code(int code);
 __owur int ssl_ok(SSL *s);
@@ -2008,20 +1991,20 @@ __owur int tls1_ec_nid2curve_id(int nid);
 __owur int tls1_check_curve(SSL *s, const unsigned char *p, size_t len);
 __owur int tls1_shared_curve(SSL *s, int nmatch);
 __owur int tls1_set_curves(unsigned char **pext, size_t *pextlen,
-                    int *curves, size_t ncurves);
+                           int *curves, size_t ncurves);
 __owur int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
-                         const char *str);
+                                const char *str);
 __owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
 __owur EVP_PKEY *ssl_generate_pkey_curve(int id);
 #  endif                        /* OPENSSL_NO_EC */
 
 __owur int tls1_shared_list(SSL *s,
-                     const unsigned char *l1, size_t l1len,
-                     const unsigned char *l2, size_t l2len, int nmatch);
+                            const unsigned char *l1, size_t l1len,
+                            const unsigned char *l2, size_t l2len, int nmatch);
 __owur unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
-                                          unsigned char *limit, int *al);
+                                                 unsigned char *limit, int *al);
 __owur unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
-                                          unsigned char *limit, int *al);
+                                                 unsigned char *limit, int *al);
 __owur int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt);
 void ssl_set_default_md(SSL *s);
 __owur int tls1_set_server_sigalgs(SSL *s);
@@ -2032,7 +2015,8 @@ __owur int ssl_prepare_serverhello_tlsext(SSL *s);
 
 #  ifndef OPENSSL_NO_HEARTBEATS
 __owur int dtls1_heartbeat(SSL *s);
-__owur int dtls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length);
+__owur int dtls1_process_heartbeat(SSL *s, unsigned char *p,
+                                   unsigned int length);
 #  endif
 
 __owur int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
@@ -2040,53 +2024,54 @@ __owur int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
                                               SSL_SESSION **ret);
 
 __owur int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
-                         const EVP_MD *md);
+                                const EVP_MD *md);
 __owur int tls12_get_sigid(const EVP_PKEY *pk);
 __owur const EVP_MD *tls12_get_hash(unsigned char hash_alg);
 void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op);
 
 __owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client);
-__owur int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen, int client);
+__owur int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen,
+                            int client);
 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
                      int idx);
 void tls1_set_cert_validity(SSL *s);
 
-#ifndef OPENSSL_NO_CT
+#  ifndef OPENSSL_NO_CT
 __owur int ssl_validate_ct(SSL *s);
-#endif
+#  endif
 
 #  ifndef OPENSSL_NO_DH
 __owur DH *ssl_get_auto_dh(SSL *s);
 #  endif
 
 __owur int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee);
-__owur int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex, int vfy);
+__owur int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex,
+                                   int vfy);
 
 __owur EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md);
 void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
-__owur int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
-                                        int maxlen);
-__owur int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt,
-                                          int *al);
-__owur int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
-                                        int maxlen);
+__owur int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p,
+                                               int *len, int maxlen);
+__owur int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al);
+__owur int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p,
+                                               int *len, int maxlen);
 __owur int ssl_parse_clienthello_renegotiate_ext(SSL *s, PACKET *pkt, int *al);
 __owur long ssl_get_algorithm2(SSL *s);
 __owur size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
-                          const unsigned char *psig, size_t psiglen);
+                                 const unsigned char *psig, size_t psiglen);
 __owur int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize);
 __owur int tls1_process_sigalgs(SSL *s);
 __owur size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
 __owur int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
-                            const unsigned char *sig, EVP_PKEY *pkey);
+                                   const unsigned char *sig, EVP_PKEY *pkey);
 void ssl_set_client_disabled(SSL *s);
 __owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op);
 
 __owur int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len,
-                                     int maxlen);
+                                            int maxlen);
 __owur int ssl_parse_clienthello_use_srtp_ext(SSL *s, PACKET *pkt, int *al);
 __owur int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len,
-                                     int maxlen);
+                                            int maxlen);
 __owur int ssl_parse_serverhello_use_srtp_ext(SSL *s, PACKET *pkt, int *al);
 
 __owur int ssl_handshake_hash(SSL *s, unsigned char *out, int outlen);
@@ -2119,12 +2104,14 @@ __owur int srp_verify_server_param(SSL *s, int *al);
 void custom_ext_init(custom_ext_methods *meths);
 
 __owur int custom_ext_parse(SSL *s, int server,
-                     unsigned int ext_type,
-                     const unsigned char *ext_data, size_t ext_size, int *al);
-__owur int custom_ext_add(SSL *s, int server,
-                   unsigned char **pret, unsigned char *limit, int *al);
-
-__owur int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src);
+                            unsigned int ext_type,
+                            const unsigned char *ext_data, size_t ext_size,
+                            int *al);
+__owur int custom_ext_add(SSL *s, int server, unsigned char **pret,
+                          unsigned char *limit, int *al);
+
+__owur int custom_exts_copy(custom_ext_methods *dst,
+                            const custom_ext_methods *src);
 void custom_exts_free(custom_ext_methods *exts);
 
 void ssl_comp_free_compression_methods_int(void);
diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
index ac9cc95..c2d9dba 100644
--- a/ssl/ssl_mcnf.c
+++ b/ssl/ssl_mcnf.c
@@ -77,7 +77,8 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
         STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value);
         if (sk_CONF_VALUE_num(cmds) <= 0) {
             if (cmds == NULL)
-                SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_COMMAND_SECTION_NOT_FOUND);
+                SSLerr(SSL_F_SSL_MODULE_INIT,
+                       SSL_R_SSL_COMMAND_SECTION_NOT_FOUND);
             else
                 SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_COMMAND_SECTION_EMPTY);
             ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value);
@@ -109,7 +110,7 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
 
     }
     rv = 1;
-    err:
+ err:
     if (rv == 0)
         ssl_module_free(md);
     return rv;
@@ -165,9 +166,9 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
         SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
     }
     if (meth->ssl_accept != ssl_undefined_function)
-            flags |= SSL_CONF_FLAG_SERVER;
+        flags |= SSL_CONF_FLAG_SERVER;
     if (meth->ssl_connect != ssl_undefined_function)
-            flags |= SSL_CONF_FLAG_CLIENT;
+        flags |= SSL_CONF_FLAG_CLIENT;
     SSL_CONF_CTX_set_flags(cctx, flags);
     for (i = 0, cmd = nm->cmds; i < nm->cmd_count; i++, cmd++) {
         rv = SSL_CONF_cmd(cctx, cmd->cmd, cmd->arg);
@@ -177,12 +178,12 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
             else
                 SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_BAD_VALUE);
             ERR_add_error_data(6, "section=", name, ", cmd=", cmd->cmd,
-                                    ", arg=", cmd->arg);
+                               ", arg=", cmd->arg);
             goto err;
         }
     }
     rv = SSL_CONF_CTX_finish(cctx);
-    err:
+ err:
     SSL_CONF_CTX_free(cctx);
     return rv <= 0 ? 0 : 1;
 }
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 3484536..3eb1a8a 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -147,7 +147,7 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
          * cards.
          */
         if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA
-            && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK);
+            && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ;
         else
 #endif
         if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
@@ -345,7 +345,7 @@ static int ssl_set_cert(CERT *c, X509 *x)
          */
         if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA
             && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &
-               RSA_METHOD_FLAG_NO_CHECK) ;
+            RSA_METHOD_FLAG_NO_CHECK) ;
         else
 #endif                          /* OPENSSL_NO_RSA */
         if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
@@ -410,8 +410,7 @@ int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
     return (ret);
 }
 
-int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
-                                 const unsigned char *d)
+int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
 {
     X509 *x;
     int ret;
@@ -649,7 +648,7 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
 
         while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
                                        passwd_callback_userdata))
-                != NULL) {
+               != NULL) {
             if (ctx)
                 r = SSL_CTX_add0_chain_cert(ctx, ca);
             else
@@ -892,8 +891,7 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
     size_t num_extensions = 0;
 
     if (ctx == NULL || file == NULL) {
-        SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
-               ERR_R_PASSED_NULL_PARAMETER);
+        SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_PASSED_NULL_PARAMETER);
         goto end;
     }
 
@@ -922,8 +920,7 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
         }
         /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */
         if (strlen(name) < strlen(namePrefix)) {
-            SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
-                   SSL_R_PEM_NAME_TOO_SHORT);
+            SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, SSL_R_PEM_NAME_TOO_SHORT);
             goto end;
         }
         if (strncmp(name, namePrefix, strlen(namePrefix)) != 0) {
@@ -940,8 +937,7 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
             goto end;
         }
         /* Append the decoded extension to the serverinfo buffer */
-        tmp =
-            OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);
+        tmp = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);
         if (tmp == NULL) {
             SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE);
             goto end;
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 509175b..eee1ca1 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -158,7 +158,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
         if (dest->peer_chain == NULL)
             goto err;
     }
-
 #ifndef OPENSSL_NO_PSK
     if (src->psk_identity_hint) {
         dest->psk_identity_hint = OPENSSL_strdup(src->psk_identity_hint);
@@ -181,7 +180,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
     }
 
     if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION,
-                                            &dest->ex_data, &src->ex_data)) {
+                            &dest->ex_data, &src->ex_data)) {
         goto err;
     }
 
@@ -195,21 +194,22 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
     if (src->tlsext_ecpointformatlist) {
         dest->tlsext_ecpointformatlist =
             OPENSSL_memdup(src->tlsext_ecpointformatlist,
-                       src->tlsext_ecpointformatlist_length);
+                           src->tlsext_ecpointformatlist_length);
         if (dest->tlsext_ecpointformatlist == NULL)
             goto err;
     }
     if (src->tlsext_ellipticcurvelist) {
         dest->tlsext_ellipticcurvelist =
             OPENSSL_memdup(src->tlsext_ellipticcurvelist,
-                       src->tlsext_ellipticcurvelist_length);
+                           src->tlsext_ellipticcurvelist_length);
         if (dest->tlsext_ellipticcurvelist == NULL)
             goto err;
     }
 #endif
 
     if (ticket != 0) {
-        dest->tlsext_tick = OPENSSL_memdup(src->tlsext_tick, src->tlsext_ticklen);
+        dest->tlsext_tick =
+            OPENSSL_memdup(src->tlsext_tick, src->tlsext_ticklen);
         if (dest->tlsext_tick == NULL)
             goto err;
     } else {
@@ -227,14 +227,13 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
 #endif
 
     return dest;
-err:
+ err:
     SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE);
     SSL_SESSION_free(dest);
     return NULL;
 }
 
-const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
-                                        unsigned int *len)
+const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
 {
     if (len)
         *len = s->session_id_length;
@@ -481,8 +480,7 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id)
         data.ssl_version = s->version;
         memset(data.session_id, 0, sizeof(data.session_id));
         if (!PACKET_copy_all(session_id, data.session_id,
-                             sizeof(data.session_id),
-                             &local_len)) {
+                             sizeof(data.session_id), &local_len)) {
             goto err;
         }
         data.session_id_length = local_len;
@@ -684,8 +682,7 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
         ret = 1;
 
         if (SSL_CTX_sess_get_cache_size(ctx) > 0) {
-            while (SSL_CTX_sess_number(ctx) >
-                   SSL_CTX_sess_get_cache_size(ctx)) {
+            while (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx)) {
                 if (!remove_session_lock(ctx, ctx->session_cache_tail, 0))
                     break;
                 else
@@ -757,7 +754,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
     OPENSSL_free(ss->tlsext_ecpointformatlist);
     ss->tlsext_ellipticcurvelist_length = 0;
     OPENSSL_free(ss->tlsext_ellipticcurvelist);
-#endif                         /* OPENSSL_NO_EC */
+#endif                          /* OPENSSL_NO_EC */
 #ifndef OPENSSL_NO_PSK
     OPENSSL_free(ss->psk_identity_hint);
     OPENSSL_free(ss->psk_identity);
@@ -868,7 +865,7 @@ unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
 }
 
 void SSL_SESSION_get0_ticket(const SSL_SESSION *s, const unsigned char **tick,
-                            size_t *len)
+                             size_t *len)
 {
     *len = s->tlsext_ticklen;
     if (tick != NULL)
@@ -1068,8 +1065,7 @@ static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
 }
 
 void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
-                             int (*cb) (struct ssl_st *ssl,
-                                        SSL_SESSION *sess))
+                             int (*cb) (struct ssl_st *ssl, SSL_SESSION *sess))
 {
     ctx->new_session_cb = cb;
 }
@@ -1098,8 +1094,9 @@ void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
 }
 
 SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx)) (SSL *ssl,
-                                                       const unsigned char *data,
-                                                       int len, int *copy) {
+                                                       const unsigned char
+                                                       *data, int len,
+                                                       int *copy) {
     return ctx->get_session_cb;
 }
 
@@ -1153,11 +1150,11 @@ void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
 }
 
 void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
-                                  int (*cb) (SSL *ssl, const unsigned char *cookie,
+                                  int (*cb) (SSL *ssl,
+                                             const unsigned char *cookie,
                                              unsigned int cookie_len))
 {
     ctx->app_verify_cookie_cb = cb;
 }
 
-IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION,
-                 SSL_SESSION)
+IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION)
diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c
index 230eadf..cc0d477 100644
--- a/ssl/ssl_stat.c
+++ b/ssl/ssl_stat.c
@@ -110,7 +110,6 @@ const char *SSL_state_string_long(const SSL *s)
     }
 }
 
-
 const char *SSL_state_string(const SSL *s)
 {
     if (ossl_statem_in_error(s))
@@ -335,7 +334,7 @@ const char *SSL_alert_desc_string_long(int value)
         return "bad certificate hash value";
     case TLS1_AD_UNKNOWN_PSK_IDENTITY:
         return "unknown PSK identity";
-      case TLS1_AD_NO_APPLICATION_PROTOCOL:
+    case TLS1_AD_NO_APPLICATION_PROTOCOL:
         return "no application protocol";
     default:
         return "unknown";
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index 2da3c0a..dbbf9d9 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -128,11 +128,11 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
     if (x->tlsext_tick) {
         if (BIO_puts(bp, "\n    TLS session ticket:\n") <= 0)
             goto err;
-        if (BIO_dump_indent(bp, (const char *)x->tlsext_tick, x->tlsext_ticklen, 4)
+        if (BIO_dump_indent
+            (bp, (const char *)x->tlsext_tick, x->tlsext_ticklen, 4)
             <= 0)
             goto err;
     }
-
 #ifndef OPENSSL_NO_COMP
     if (x->compress_meth != 0) {
         SSL_COMP *comp = NULL;
@@ -140,12 +140,11 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
         if (!ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp, 0))
             goto err;
         if (comp == NULL) {
-            if (BIO_printf(bp, "\n    Compression: %d", x->compress_meth) <=
-                0)
+            if (BIO_printf(bp, "\n    Compression: %d", x->compress_meth) <= 0)
                 goto err;
         } else {
             if (BIO_printf(bp, "\n    Compression: %d (%s)", comp->id,
-                 comp->name) <= 0)
+                           comp->name) <= 0)
                 goto err;
         }
     }
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index 9bfd29d..3df4ce6 100644
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -46,7 +46,7 @@
  */
 
 /* Sub state machine return values */
-typedef enum  {
+typedef enum {
     /* Something bad happened or NBIO */
     SUB_STATE_ERROR,
     /* Sub state finished go to the next sub state */
@@ -165,7 +165,8 @@ void ossl_statem_set_hello_verify_done(SSL *s)
     s->statem.hand_state = TLS_ST_SR_CLNT_HELLO;
 }
 
-int ossl_statem_connect(SSL *s) {
+int ossl_statem_connect(SSL *s)
+{
     return state_machine(s, 0);
 }
 
@@ -174,7 +175,9 @@ int ossl_statem_accept(SSL *s)
     return state_machine(s, 1);
 }
 
-static void (*get_callback(SSL *s))(const SSL *, int, int)
+typedef void (*info_cb) (const SSL *, int, int);
+
+static info_cb get_callback(SSL *s)
 {
     if (s->info_callback != NULL)
         return s->info_callback;
@@ -237,7 +240,6 @@ static int state_machine(SSL *s, int server)
         if (!SSL_clear(s))
             return -1;
     }
-
 #ifndef OPENSSL_NO_SCTP
     if (SSL_IS_DTLS(s)) {
         /*
@@ -282,8 +284,7 @@ static int state_machine(SSL *s, int server)
 
         if (SSL_IS_DTLS(s)) {
             if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
-                    (server
-                    || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) {
+                (server || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) {
                 SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
                 goto end;
             }
@@ -320,7 +321,6 @@ static int state_machine(SSL *s, int server)
          */
         s->s3->change_cipher_spec = 0;
 
-
         /*
          * Ok, we now need to push on a buffering BIO ...but not with
          * SCTP
@@ -471,15 +471,16 @@ static void init_read_state_machine(SSL *s)
  * control returns to the calling application. When this function is recalled we
  * will resume in the same state where we left off.
  */
-static SUB_STATE_RETURN read_state_machine(SSL *s) {
+static SUB_STATE_RETURN read_state_machine(SSL *s)
+{
     OSSL_STATEM *st = &s->statem;
     int ret, mt;
     unsigned long len = 0;
-    int (*transition)(SSL *s, int mt);
+    int (*transition) (SSL *s, int mt);
     PACKET pkt;
-    MSG_PROCESS_RETURN (*process_message)(SSL *s, PACKET *pkt);
-    WORK_STATE (*post_process_message)(SSL *s, WORK_STATE wst);
-    unsigned long (*max_message_size)(SSL *s);
+    MSG_PROCESS_RETURN(*process_message) (SSL *s, PACKET *pkt);
+    WORK_STATE(*post_process_message) (SSL *s, WORK_STATE wst);
+    unsigned long (*max_message_size) (SSL *s);
     void (*cb) (const SSL *ssl, int type, int val) = NULL;
 
     cb = get_callback(s);
@@ -620,7 +621,7 @@ static int statem_do_write(SSL *s)
     OSSL_STATEM *st = &s->statem;
 
     if (st->hand_state == TLS_ST_CW_CHANGE
-            || st->hand_state == TLS_ST_SW_CHANGE) {
+        || st->hand_state == TLS_ST_SW_CHANGE) {
         if (SSL_IS_DTLS(s))
             return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
         else
@@ -675,10 +676,10 @@ static SUB_STATE_RETURN write_state_machine(SSL *s)
 {
     OSSL_STATEM *st = &s->statem;
     int ret;
-    WRITE_TRAN (*transition)(SSL *s);
-    WORK_STATE (*pre_work)(SSL *s, WORK_STATE wst);
-    WORK_STATE (*post_work)(SSL *s, WORK_STATE wst);
-    int (*construct_message)(SSL *s);
+    WRITE_TRAN(*transition) (SSL *s);
+    WORK_STATE(*pre_work) (SSL *s, WORK_STATE wst);
+    WORK_STATE(*post_work) (SSL *s, WORK_STATE wst);
+    int (*construct_message) (SSL *s);
     void (*cb) (const SSL *ssl, int type, int val) = NULL;
 
     cb = get_callback(s);
@@ -807,7 +808,7 @@ int ossl_statem_app_data_allowed(SSL *s)
          * ServerHello yet then we allow app data
          */
         if (st->hand_state == TLS_ST_BEFORE
-                || st->hand_state == TLS_ST_SR_CLNT_HELLO)
+            || st->hand_state == TLS_ST_SR_CLNT_HELLO)
             return 1;
     } else {
         /*
diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h
index e2aef15..2fca39b 100644
--- a/ssl/statem/statem.h
+++ b/ssl/statem/statem.h
@@ -71,7 +71,6 @@ typedef enum {
     WRITE_STATE_POST_WORK
 } WRITE_STATE;
 
-
 /*****************************************************************************
  *                                                                           *
  * This structure should be considered "opaque" to anything outside of the   *
@@ -89,13 +88,10 @@ struct ossl_statem_st {
     OSSL_HANDSHAKE_STATE hand_state;
     int in_init;
     int read_state_first_init;
-
     /* true when we are actually in SSL_accept() or SSL_connect() */
     int in_handshake;
-
     /* Should we skip the CertificateVerify message? */
     unsigned int no_cert_verify;
-
     int use_timer;
 #ifndef OPENSSL_NO_SCTP
     int in_sctp_read_sock;
@@ -103,7 +99,6 @@ struct ossl_statem_st {
 };
 typedef struct ossl_statem_st OSSL_STATEM;
 
-
 /*****************************************************************************
  *                                                                           *
  * The following macros/functions represent the libssl internal API to the   *
@@ -126,5 +121,3 @@ __owur int ossl_statem_app_data_allowed(SSL *s);
 void ossl_statem_set_sctp_read_sock(SSL *s, int read_sock);
 __owur int ossl_statem_in_sctp_read_sock(SSL *s);
 #endif
-
-
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 338a23b..8f250cd 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -65,7 +65,6 @@ static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
 static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
                                     unsigned char *p);
 
-
 /*
  * Is a CertificateRequest message allowed at the moment or not?
  *
@@ -77,8 +76,8 @@ static ossl_inline int cert_req_allowed(SSL *s)
 {
     /* TLS does not like anon-DH with client cert */
     if ((s->version > SSL3_VERSION
-                && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
-            || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
+         && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
+        || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
         return 0;
 
     return 1;
@@ -122,7 +121,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
     OSSL_STATEM *st = &s->statem;
     int ske_expected;
 
-    switch(st->hand_state) {
+    switch (st->hand_state) {
     case TLS_ST_CW_CLNT_HELLO:
         if (mt == SSL3_MT_SERVER_HELLO) {
             st->hand_state = TLS_ST_CR_SRVR_HELLO;
@@ -153,9 +152,9 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
                 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
                 return 1;
             } else if (s->version >= TLS1_VERSION
-                    && s->tls_session_secret_cb != NULL
-                    && s->session->tlsext_tick != NULL
-                    && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
+                       && s->tls_session_secret_cb != NULL
+                       && s->session->tlsext_tick != NULL
+                       && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                 /*
                  * Normally, we can tell if the server is resuming the session
                  * from the session ID. EAP-FAST (RFC 4851), however, relies on
@@ -166,7 +165,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
                 st->hand_state = TLS_ST_CR_CHANGE;
                 return 1;
             } else if (!(s->s3->tmp.new_cipher->algorithm_auth
-                        & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
+                         & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
                 if (mt == SSL3_MT_CERTIFICATE) {
                     st->hand_state = TLS_ST_CR_CERT;
                     return 1;
@@ -175,19 +174,19 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
                 ske_expected = key_exchange_expected(s);
                 /* SKE is optional for some PSK ciphersuites */
                 if (ske_expected
-                        || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
-                            && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
+                    || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
+                        && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
                     if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
                         st->hand_state = TLS_ST_CR_KEY_EXCH;
                         return 1;
                     }
                 } else if (mt == SSL3_MT_CERTIFICATE_REQUEST
-                            && cert_req_allowed(s)) {
-                        st->hand_state = TLS_ST_CR_CERT_REQ;
-                        return 1;
+                           && cert_req_allowed(s)) {
+                    st->hand_state = TLS_ST_CR_CERT_REQ;
+                    return 1;
                 } else if (mt == SSL3_MT_SERVER_DONE) {
-                        st->hand_state = TLS_ST_CR_SRVR_DONE;
-                        return 1;
+                    st->hand_state = TLS_ST_CR_SRVR_DONE;
+                    return 1;
                 }
             }
         }
@@ -207,9 +206,8 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
     case TLS_ST_CR_CERT_STATUS:
         ske_expected = key_exchange_expected(s);
         /* SKE is optional for some PSK ciphersuites */
-        if (ske_expected
-                || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
-                    && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
+        if (ske_expected || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
+                             && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
             if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
                 st->hand_state = TLS_ST_CR_KEY_EXCH;
                 return 1;
@@ -280,99 +278,99 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
 {
     OSSL_STATEM *st = &s->statem;
 
-    switch(st->hand_state) {
-        case TLS_ST_OK:
-            /* Renegotiation - fall through */
-        case TLS_ST_BEFORE:
-            st->hand_state = TLS_ST_CW_CLNT_HELLO;
-            return WRITE_TRAN_CONTINUE;
-
-        case TLS_ST_CW_CLNT_HELLO:
-            /*
-             * No transition at the end of writing because we don't know what
-             * we will be sent
-             */
-            return WRITE_TRAN_FINISHED;
+    switch (st->hand_state) {
+    case TLS_ST_OK:
+        /* Renegotiation - fall through */
+    case TLS_ST_BEFORE:
+        st->hand_state = TLS_ST_CW_CLNT_HELLO;
+        return WRITE_TRAN_CONTINUE;
 
-        case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
-            st->hand_state = TLS_ST_CW_CLNT_HELLO;
-            return WRITE_TRAN_CONTINUE;
+    case TLS_ST_CW_CLNT_HELLO:
+        /*
+         * No transition at the end of writing because we don't know what
+         * we will be sent
+         */
+        return WRITE_TRAN_FINISHED;
 
-        case TLS_ST_CR_SRVR_DONE:
-            if (s->s3->tmp.cert_req)
-                st->hand_state = TLS_ST_CW_CERT;
-            else
-                st->hand_state = TLS_ST_CW_KEY_EXCH;
-            return WRITE_TRAN_CONTINUE;
+    case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
+        st->hand_state = TLS_ST_CW_CLNT_HELLO;
+        return WRITE_TRAN_CONTINUE;
 
-        case TLS_ST_CW_CERT:
+    case TLS_ST_CR_SRVR_DONE:
+        if (s->s3->tmp.cert_req)
+            st->hand_state = TLS_ST_CW_CERT;
+        else
             st->hand_state = TLS_ST_CW_KEY_EXCH;
-            return WRITE_TRAN_CONTINUE;
+        return WRITE_TRAN_CONTINUE;
 
-        case TLS_ST_CW_KEY_EXCH:
-            /*
-             * For TLS, cert_req is set to 2, so a cert chain of nothing is
-             * sent, but no verify packet is sent
-             */
-            /*
-             * XXX: For now, we do not support client authentication in ECDH
-             * cipher suites with ECDH (rather than ECDSA) certificates. We
-             * need to skip the certificate verify message when client's
-             * ECDH public key is sent inside the client certificate.
-             */
-            if (s->s3->tmp.cert_req == 1) {
-                st->hand_state = TLS_ST_CW_CERT_VRFY;
-            } else {
-                st->hand_state = TLS_ST_CW_CHANGE;
-            }
-            if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
-                st->hand_state = TLS_ST_CW_CHANGE;
-            }
-            return WRITE_TRAN_CONTINUE;
+    case TLS_ST_CW_CERT:
+        st->hand_state = TLS_ST_CW_KEY_EXCH;
+        return WRITE_TRAN_CONTINUE;
 
-        case TLS_ST_CW_CERT_VRFY:
+    case TLS_ST_CW_KEY_EXCH:
+        /*
+         * For TLS, cert_req is set to 2, so a cert chain of nothing is
+         * sent, but no verify packet is sent
+         */
+        /*
+         * XXX: For now, we do not support client authentication in ECDH
+         * cipher suites with ECDH (rather than ECDSA) certificates. We
+         * need to skip the certificate verify message when client's
+         * ECDH public key is sent inside the client certificate.
+         */
+        if (s->s3->tmp.cert_req == 1) {
+            st->hand_state = TLS_ST_CW_CERT_VRFY;
+        } else {
             st->hand_state = TLS_ST_CW_CHANGE;
-            return WRITE_TRAN_CONTINUE;
+        }
+        if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
+            st->hand_state = TLS_ST_CW_CHANGE;
+        }
+        return WRITE_TRAN_CONTINUE;
 
-        case TLS_ST_CW_CHANGE:
+    case TLS_ST_CW_CERT_VRFY:
+        st->hand_state = TLS_ST_CW_CHANGE;
+        return WRITE_TRAN_CONTINUE;
+
+    case TLS_ST_CW_CHANGE:
 #if defined(OPENSSL_NO_NEXTPROTONEG)
-            st->hand_state = TLS_ST_CW_FINISHED;
+        st->hand_state = TLS_ST_CW_FINISHED;
 #else
-            if (!SSL_IS_DTLS(s) && s->s3->next_proto_neg_seen)
-                st->hand_state = TLS_ST_CW_NEXT_PROTO;
-            else
-                st->hand_state = TLS_ST_CW_FINISHED;
+        if (!SSL_IS_DTLS(s) && s->s3->next_proto_neg_seen)
+            st->hand_state = TLS_ST_CW_NEXT_PROTO;
+        else
+            st->hand_state = TLS_ST_CW_FINISHED;
 #endif
-            return WRITE_TRAN_CONTINUE;
+        return WRITE_TRAN_CONTINUE;
 
 #if !defined(OPENSSL_NO_NEXTPROTONEG)
-        case TLS_ST_CW_NEXT_PROTO:
-            st->hand_state = TLS_ST_CW_FINISHED;
-            return WRITE_TRAN_CONTINUE;
+    case TLS_ST_CW_NEXT_PROTO:
+        st->hand_state = TLS_ST_CW_FINISHED;
+        return WRITE_TRAN_CONTINUE;
 #endif
 
-        case TLS_ST_CW_FINISHED:
-            if (s->hit) {
-                st->hand_state = TLS_ST_OK;
-                ossl_statem_set_in_init(s, 0);
-                return WRITE_TRAN_CONTINUE;
-            } else {
-                return WRITE_TRAN_FINISHED;
-            }
+    case TLS_ST_CW_FINISHED:
+        if (s->hit) {
+            st->hand_state = TLS_ST_OK;
+            ossl_statem_set_in_init(s, 0);
+            return WRITE_TRAN_CONTINUE;
+        } else {
+            return WRITE_TRAN_FINISHED;
+        }
 
-        case TLS_ST_CR_FINISHED:
-            if (s->hit) {
-                st->hand_state = TLS_ST_CW_CHANGE;
-                return WRITE_TRAN_CONTINUE;
-            } else {
-                st->hand_state = TLS_ST_OK;
-                ossl_statem_set_in_init(s, 0);
-                return WRITE_TRAN_CONTINUE;
-            }
+    case TLS_ST_CR_FINISHED:
+        if (s->hit) {
+            st->hand_state = TLS_ST_CW_CHANGE;
+            return WRITE_TRAN_CONTINUE;
+        } else {
+            st->hand_state = TLS_ST_OK;
+            ossl_statem_set_in_init(s, 0);
+            return WRITE_TRAN_CONTINUE;
+        }
 
-        default:
-            /* Shouldn't happen */
-            return WRITE_TRAN_ERROR;
+    default:
+        /* Shouldn't happen */
+        return WRITE_TRAN_ERROR;
     }
 }
 
@@ -384,7 +382,7 @@ WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
 {
     OSSL_STATEM *st = &s->statem;
 
-    switch(st->hand_state) {
+    switch (st->hand_state) {
     case TLS_ST_CW_CLNT_HELLO:
         s->shutdown = 0;
         if (SSL_IS_DTLS(s)) {
@@ -433,7 +431,7 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
 
     s->init_num = 0;
 
-    switch(st->hand_state) {
+    switch (st->hand_state) {
     case TLS_ST_CW_CLNT_HELLO:
         if (wst == WORK_MORE_A && statem_flush(s) != 1)
             return WORK_MORE_A;
@@ -516,7 +514,7 @@ int ossl_statem_client_construct_message(SSL *s)
 {
     OSSL_STATEM *st = &s->statem;
 
-    switch(st->hand_state) {
+    switch (st->hand_state) {
     case TLS_ST_CW_CLNT_HELLO:
         return tls_construct_client_hello(s);
 
@@ -562,46 +560,47 @@ unsigned long ossl_statem_client_max_message_size(SSL *s)
 {
     OSSL_STATEM *st = &s->statem;
 
-    switch(st->hand_state) {
-        case TLS_ST_CR_SRVR_HELLO:
-            return SERVER_HELLO_MAX_LENGTH;
+    switch (st->hand_state) {
+    case TLS_ST_CR_SRVR_HELLO:
+        return SERVER_HELLO_MAX_LENGTH;
 
-        case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
-            return HELLO_VERIFY_REQUEST_MAX_LENGTH;
+    case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
+        return HELLO_VERIFY_REQUEST_MAX_LENGTH;
 
-        case TLS_ST_CR_CERT:
-            return s->max_cert_list;
+    case TLS_ST_CR_CERT:
+        return s->max_cert_list;
 
-        case TLS_ST_CR_CERT_STATUS:
-            return SSL3_RT_MAX_PLAIN_LENGTH;
+    case TLS_ST_CR_CERT_STATUS:
+        return SSL3_RT_MAX_PLAIN_LENGTH;
 
-        case TLS_ST_CR_KEY_EXCH:
-            return SERVER_KEY_EXCH_MAX_LENGTH;
+    case TLS_ST_CR_KEY_EXCH:
+        return SERVER_KEY_EXCH_MAX_LENGTH;
 
-        case TLS_ST_CR_CERT_REQ:
-            /* Set to s->max_cert_list for compatibility with previous releases.
-             * In practice these messages can get quite long if servers are
-             * configured to provide a long list of acceptable CAs
-             */
-            return s->max_cert_list;
+    case TLS_ST_CR_CERT_REQ:
+        /*
+         * Set to s->max_cert_list for compatibility with previous releases. In
+         * practice these messages can get quite long if servers are configured
+         * to provide a long list of acceptable CAs
+         */
+        return s->max_cert_list;
 
-        case TLS_ST_CR_SRVR_DONE:
-            return SERVER_HELLO_DONE_MAX_LENGTH;
+    case TLS_ST_CR_SRVR_DONE:
+        return SERVER_HELLO_DONE_MAX_LENGTH;
 
-        case TLS_ST_CR_CHANGE:
-            if (s->version == DTLS1_BAD_VER)
-                return 3;
-            return CCS_MAX_LENGTH;
+    case TLS_ST_CR_CHANGE:
+        if (s->version == DTLS1_BAD_VER)
+            return 3;
+        return CCS_MAX_LENGTH;
 
-        case TLS_ST_CR_SESSION_TICKET:
-            return SSL3_RT_MAX_PLAIN_LENGTH;
+    case TLS_ST_CR_SESSION_TICKET:
+        return SSL3_RT_MAX_PLAIN_LENGTH;
 
-        case TLS_ST_CR_FINISHED:
-            return FINISHED_MAX_LENGTH;
+    case TLS_ST_CR_FINISHED:
+        return FINISHED_MAX_LENGTH;
 
-        default:
-            /* Shouldn't happen */
-            break;
+    default:
+        /* Shouldn't happen */
+        break;
     }
 
     return 0;
@@ -614,40 +613,40 @@ MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt)
 {
     OSSL_STATEM *st = &s->statem;
 
-    switch(st->hand_state) {
-        case TLS_ST_CR_SRVR_HELLO:
-            return tls_process_server_hello(s, pkt);
+    switch (st->hand_state) {
+    case TLS_ST_CR_SRVR_HELLO:
+        return tls_process_server_hello(s, pkt);
 
-        case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
-            return dtls_process_hello_verify(s, pkt);
+    case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
+        return dtls_process_hello_verify(s, pkt);
 
-        case TLS_ST_CR_CERT:
-            return tls_process_server_certificate(s, pkt);
+    case TLS_ST_CR_CERT:
+        return tls_process_server_certificate(s, pkt);
 
-        case TLS_ST_CR_CERT_STATUS:
-            return tls_process_cert_status(s, pkt);
+    case TLS_ST_CR_CERT_STATUS:
+        return tls_process_cert_status(s, pkt);
 
-        case TLS_ST_CR_KEY_EXCH:
-            return tls_process_key_exchange(s, pkt);
+    case TLS_ST_CR_KEY_EXCH:
+        return tls_process_key_exchange(s, pkt);
 
-        case TLS_ST_CR_CERT_REQ:
-            return tls_process_certificate_request(s, pkt);
+    case TLS_ST_CR_CERT_REQ:
+        return tls_process_certificate_request(s, pkt);
 
-        case TLS_ST_CR_SRVR_DONE:
-            return tls_process_server_done(s, pkt);
+    case TLS_ST_CR_SRVR_DONE:
+        return tls_process_server_done(s, pkt);
 
-        case TLS_ST_CR_CHANGE:
-            return tls_process_change_cipher_spec(s, pkt);
+    case TLS_ST_CR_CHANGE:
+        return tls_process_change_cipher_spec(s, pkt);
 
-        case TLS_ST_CR_SESSION_TICKET:
-            return tls_process_new_session_ticket(s, pkt);
+    case TLS_ST_CR_SESSION_TICKET:
+        return tls_process_new_session_ticket(s, pkt);
 
-        case TLS_ST_CR_FINISHED:
-            return tls_process_finished(s, pkt);
+    case TLS_ST_CR_FINISHED:
+        return tls_process_finished(s, pkt);
 
-        default:
-            /* Shouldn't happen */
-            break;
+    default:
+        /* Shouldn't happen */
+        break;
     }
 
     return MSG_PROCESS_ERROR;
@@ -661,7 +660,7 @@ WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
 {
     OSSL_STATEM *st = &s->statem;
 
-    switch(st->hand_state) {
+    switch (st->hand_state) {
     case TLS_ST_CR_CERT_REQ:
         return tls_prepare_client_certificate(s, wst);
 
@@ -711,8 +710,7 @@ int tls_construct_client_hello(SSL *s)
         goto err;
     }
 
-    if ((sess == NULL) ||
-        !ssl_version_supported(s, sess->ssl_version) ||
+    if ((sess == NULL) || !ssl_version_supported(s, sess->ssl_version) ||
         /*
          * In the case of EAP-FAST, we can have a pre-shared
          * "ticket" without a session ID.
@@ -742,8 +740,7 @@ int tls_construct_client_hello(SSL *s)
     } else
         i = 1;
 
-    if (i && ssl_fill_hello_random(s, 0, p,
-                                   sizeof(s->s3->client_random)) <= 0)
+    if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)) <= 0)
         goto err;
 
     /* Do the message type and length last */
@@ -846,7 +843,7 @@ int tls_construct_client_hello(SSL *s)
         *(p++) = comp->id;
     }
 #endif
-    *(p++) = 0;             /* Add the NULL method */
+    *(p++) = 0;                 /* Add the NULL method */
 
     /* TLS extensions */
     if (ssl_prepare_clienthello_tlsext(s) <= 0) {
@@ -881,7 +878,7 @@ MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt)
     PACKET cookiepkt;
 
     if (!PACKET_forward(pkt, 2)
-            || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
+        || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_DTLS_PROCESS_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH);
         goto f_err;
@@ -1145,7 +1142,6 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
         SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH);
         goto f_err;
     }
-
 #ifndef OPENSSL_NO_SCTP
     if (SSL_IS_DTLS(s) && s->hit) {
         unsigned char sctpauthkey[64];
@@ -1159,10 +1155,9 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
                sizeof(DTLS1_SCTP_AUTH_LABEL));
 
         if (SSL_export_keying_material(s, sctpauthkey,
-                                   sizeof(sctpauthkey),
-                                   labelbuffer,
-                                   sizeof(labelbuffer), NULL, 0,
-                                   0) <= 0)
+                                       sizeof(sctpauthkey),
+                                       labelbuffer,
+                                       sizeof(labelbuffer), NULL, 0, 0) <= 0)
             goto err;
 
         BIO_ctrl(SSL_get_wbio(s),
@@ -1194,14 +1189,14 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
     }
 
     if (!PACKET_get_net_3(pkt, &cert_list_len)
-            || PACKET_remaining(pkt) != cert_list_len) {
+        || PACKET_remaining(pkt) != cert_list_len) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
         goto f_err;
     }
     while (PACKET_remaining(pkt)) {
         if (!PACKET_get_net_3(pkt, &cert_len)
-                || !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
+            || !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
                    SSL_R_CERT_LENGTH_MISMATCH);
@@ -1274,9 +1269,9 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
 
     exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
     if (exp_idx >= 0 && i != exp_idx
-            && (exp_idx != SSL_PKEY_GOST_EC ||
-                (i != SSL_PKEY_GOST12_512 && i != SSL_PKEY_GOST12_256
-                 && i != SSL_PKEY_GOST01))) {
+        && (exp_idx != SSL_PKEY_GOST_EC ||
+            (i != SSL_PKEY_GOST12_512 && i != SSL_PKEY_GOST12_256
+             && i != SSL_PKEY_GOST01))) {
         x = NULL;
         al = SSL_AD_ILLEGAL_PARAMETER;
         SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
@@ -1333,7 +1328,7 @@ static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt, int *al)
         OPENSSL_free(s->session->psk_identity_hint);
         s->session->psk_identity_hint = NULL;
     } else if (!PACKET_strndup(&psk_identity_hint,
-                        &s->session->psk_identity_hint)) {
+                               &s->session->psk_identity_hint)) {
         *al = SSL_AD_INTERNAL_ERROR;
         return 0;
     }
@@ -1384,7 +1379,7 @@ static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
     }
 
     /* We must check if there is a certificate */
-    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA|SSL_aDSS))
+    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
         *pkey = X509_get0_pubkey(s->session->peer);
 
     return 1;
@@ -1422,8 +1417,7 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
     }
 
     p = BN_bin2bn(PACKET_data(&prime), PACKET_remaining(&prime), NULL);
-    g = BN_bin2bn(PACKET_data(&generator), PACKET_remaining(&generator),
-                  NULL);
+    g = BN_bin2bn(PACKET_data(&generator), PACKET_remaining(&generator), NULL);
     bnpub_key = BN_bin2bn(PACKET_data(&pub_key), PACKET_remaining(&pub_key),
                           NULL);
     if (p == NULL || g == NULL || bnpub_key == NULL) {
@@ -1470,7 +1464,7 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
      * FIXME: This makes assumptions about which ciphersuites come with
      * public keys. We should have a less ad-hoc way of doing this
      */
-    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA|SSL_aDSS))
+    if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
         *pkey = X509_get0_pubkey(s->session->peer);
     /* else anonymous DH, so no certificate or pkey. */
 
@@ -1522,7 +1516,7 @@ static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
 
     curve_nid = tls1_ec_curve_id2nid(*(ecparams + 2), &curve_flags);
 
-    if (curve_nid  == 0) {
+    if (curve_nid == 0) {
         *al = SSL_AD_INTERNAL_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_SKE_ECDHE,
                SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
@@ -1689,7 +1683,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
         if (PACKET_remaining(&signature) > (size_t)maxsig) {
             /* wrong packet length */
             al = SSL_AD_DECODE_ERROR;
-            SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_LENGTH);
+            SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE,
+                   SSL_R_WRONG_SIGNATURE_LENGTH);
             goto err;
         }
 
@@ -1701,12 +1696,12 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
         }
 
         if (EVP_VerifyInit_ex(md_ctx, md, NULL) <= 0
-                || EVP_VerifyUpdate(md_ctx, &(s->s3->client_random[0]),
-                                    SSL3_RANDOM_SIZE) <= 0
-                || EVP_VerifyUpdate(md_ctx, &(s->s3->server_random[0]),
-                                    SSL3_RANDOM_SIZE) <= 0
-                || EVP_VerifyUpdate(md_ctx, PACKET_data(&params),
-                                    PACKET_remaining(&params)) <= 0) {
+            || EVP_VerifyUpdate(md_ctx, &(s->s3->client_random[0]),
+                                SSL3_RANDOM_SIZE) <= 0
+            || EVP_VerifyUpdate(md_ctx, &(s->s3->server_random[0]),
+                                SSL3_RANDOM_SIZE) <= 0
+            || EVP_VerifyUpdate(md_ctx, PACKET_data(&params),
+                                PACKET_remaining(&params)) <= 0) {
             EVP_MD_CTX_free(md_ctx);
             al = SSL_AD_INTERNAL_ERROR;
             SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
@@ -1724,7 +1719,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
     } else {
         /* aNULL, aSRP or PSK do not need public keys */
         if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
-                && !(alg_k & SSL_PSK)) {
+            && !(alg_k & SSL_PSK)) {
             /* Might be wrong key type, check it */
             if (ssl3_check_cert_and_algorithm(s)) {
                 /* Otherwise this shouldn't happen */
@@ -1767,7 +1762,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
 
     /* get the certificate types */
     if (!PACKET_get_1(pkt, &ctype_num)
-            || !PACKET_get_bytes(pkt, &data, ctype_num)) {
+        || !PACKET_get_bytes(pkt, &data, ctype_num)) {
         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
         SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
         goto err;
@@ -1790,7 +1785,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
 
     if (SSL_USE_SIGALGS(s)) {
         if (!PACKET_get_net_2(pkt, &list_len)
-                || !PACKET_get_bytes(pkt, &data, list_len)) {
+            || !PACKET_get_bytes(pkt, &data, list_len)) {
             ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
             SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
                    SSL_R_LENGTH_MISMATCH);
@@ -1819,7 +1814,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
 
     /* get the CA RDNs */
     if (!PACKET_get_net_2(pkt, &list_len)
-            || PACKET_remaining(pkt) != list_len) {
+        || PACKET_remaining(pkt) != list_len) {
         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
         SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
         goto err;
@@ -1827,7 +1822,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
 
     while (PACKET_remaining(pkt)) {
         if (!PACKET_get_net_2(pkt, &name_len)
-                || !PACKET_get_bytes(pkt, &namebytes, name_len)) {
+            || !PACKET_get_bytes(pkt, &namebytes, name_len)) {
             ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
             SSLerr(SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
                    SSL_R_LENGTH_MISMATCH);
@@ -1885,8 +1880,8 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
     unsigned long ticket_lifetime_hint;
 
     if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
-            || !PACKET_get_net_2(pkt, &ticklen)
-            || PACKET_remaining(pkt) != ticklen) {
+        || !PACKET_get_net_2(pkt, &ticklen)
+        || PACKET_remaining(pkt) != ticklen) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
         goto f_err;
@@ -1968,13 +1963,13 @@ MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt)
     unsigned int type;
 
     if (!PACKET_get_1(pkt, &type)
-            || type != TLSEXT_STATUSTYPE_ocsp) {
+        || type != TLSEXT_STATUSTYPE_ocsp) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE);
         goto f_err;
     }
     if (!PACKET_get_net_3(pkt, &resplen)
-            || PACKET_remaining(pkt) != resplen) {
+        || PACKET_remaining(pkt) != resplen) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
         goto f_err;
@@ -2007,7 +2002,6 @@ MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
         ossl_statem_set_error(s);
         return MSG_PROCESS_ERROR;
     }
-
 #ifndef OPENSSL_NO_SRP
     if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
         if (SRP_Calc_A_param(s) <= 0) {
@@ -2050,7 +2044,6 @@ MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
             return MSG_PROCESS_ERROR;
         }
     }
-
 #ifndef OPENSSL_NO_CT
     if (s->ct_validation_callback != NULL) {
         /* Note we validate the SCTs whether or not we abort on error */
@@ -2064,7 +2057,7 @@ MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
 #ifndef OPENSSL_NO_SCTP
     /* Only applies to renegotiation */
     if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))
-            && s->renegotiate != 0)
+        && s->renegotiate != 0)
         return MSG_PROCESS_CONTINUE_PROCESSING;
     else
 #endif
@@ -2379,8 +2372,8 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al)
     }
 
     if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
-            /* Generate session key */
-            || RAND_bytes(pms, pmslen) <= 0) {
+        /* Generate session key */
+        || RAND_bytes(pms, pmslen) <= 0) {
         *al = SSL_AD_INTERNAL_ERROR;
         SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
         goto err;
@@ -2389,8 +2382,7 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al)
      * If we have client certificate, use its secret as peer key
      */
     if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
-        if (EVP_PKEY_derive_set_peer
-            (pkey_ctx, s->cert->key->privatekey) <= 0) {
+        if (EVP_PKEY_derive_set_peer(pkey_ctx, s->cert->key->privatekey) <= 0) {
             /*
              * If there was an error - just ignore it. Ephemeral key
              * * would be used
@@ -2404,12 +2396,12 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al)
      */
     ukm_hash = EVP_MD_CTX_new();
     if (ukm_hash == NULL
-            || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0
-            || EVP_DigestUpdate(ukm_hash, s->s3->client_random,
-                                SSL3_RANDOM_SIZE) <= 0
-            || EVP_DigestUpdate(ukm_hash, s->s3->server_random,
-                                SSL3_RANDOM_SIZE) <= 0
-            || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
+        || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0
+        || EVP_DigestUpdate(ukm_hash, s->s3->client_random,
+                            SSL3_RANDOM_SIZE) <= 0
+        || EVP_DigestUpdate(ukm_hash, s->s3->server_random,
+                            SSL3_RANDOM_SIZE) <= 0
+        || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
         *al = SSL_AD_INTERNAL_ERROR;
         SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
         goto err;
@@ -2506,7 +2498,7 @@ int tls_construct_client_key_exchange(SSL *s)
     p = ssl_handshake_start(s);
 
     if ((alg_k & SSL_PSK)
-            && !tls_construct_cke_psk_preamble(s, &p, &pskhdrlen, &al))
+        && !tls_construct_cke_psk_preamble(s, &p, &pskhdrlen, &al))
         goto err;
 
     if (alg_k & SSL_kPSK) {
@@ -2603,8 +2595,8 @@ int tls_client_key_exchange_post_work(SSL *s)
                sizeof(DTLS1_SCTP_AUTH_LABEL));
 
         if (SSL_export_keying_material(s, sctpauthkey,
-                                   sizeof(sctpauthkey), labelbuffer,
-                                   sizeof(labelbuffer), NULL, 0, 0) <= 0)
+                                       sizeof(sctpauthkey), labelbuffer,
+                                       sizeof(labelbuffer), NULL, 0, 0) <= 0)
             goto err;
 
         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
@@ -2917,8 +2909,7 @@ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
     return i;
 }
 
-int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
-                             unsigned char *p)
+int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p)
 {
     int i, j = 0;
     const SSL_CIPHER *c;
diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 3f44175..46843ce 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -124,8 +124,7 @@ int dtls1_do_write(SSL *s, int type)
 
     if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE)
         OPENSSL_assert(s->init_num ==
-                       (int)s->d1->w_msg_hdr.msg_len +
-                       DTLS1_HM_HEADER_LENGTH);
+                       (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);
 
     if (s->write_hash) {
         if (s->enc_write_ctx
@@ -230,16 +229,14 @@ int dtls1_do_write(SSL *s, int type)
                  */
                 return -1;
             }
-            dtls1_fix_message_header(s, frag_off,
-                                     len - DTLS1_HM_HEADER_LENGTH);
+            dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH);
 
             dtls1_write_message_header(s,
                                        (unsigned char *)&s->init_buf->
                                        data[s->init_off]);
         }
 
-        ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off],
-                                len);
+        ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len);
         if (ret < 0) {
             /*
              * might need to update MTU here, but we don't know which
@@ -339,8 +336,7 @@ int dtls_get_message(SSL *s, int *mt, unsigned long *len)
 
  again:
     ok = dtls_get_reassembled_message(s, &tmplen);
-    if (tmplen == DTLS1_HM_BAD_FRAGMENT
-        || tmplen == DTLS1_HM_FRAGMENT_RETRY) {
+    if (tmplen == DTLS1_HM_BAD_FRAGMENT || tmplen == DTLS1_HM_FRAGMENT_RETRY) {
         /* bad fragment received */
         goto again;
     } else if (tmplen <= 0 && !ok) {
@@ -386,7 +382,6 @@ int dtls_get_message(SSL *s, int *mt, unsigned long *len)
 
     s->d1->handshake_read_seq++;
 
-
     s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
     *len = s->init_num;
 
@@ -412,8 +407,7 @@ static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr)
          * msg_len is limited to 2^24, but is effectively checked against max
          * above
          */
-        if (!BUF_MEM_grow_clean
-            (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
+        if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
             SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
             return SSL_AD_INTERNAL_ERROR;
         }
@@ -639,8 +633,7 @@ dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr,
      */
     if (msg_hdr->seq <= s->d1->handshake_read_seq ||
         msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL ||
-        (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED))
-    {
+        (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED)) {
         unsigned char devnull[256];
 
         while (frag_len) {
@@ -975,8 +968,7 @@ int dtls1_retransmit_buffered_messages(SSL *s)
         if (dtls1_retransmit_message(s, (unsigned short)
                                      dtls1_get_queue_priority
                                      (frag->msg_header.seq,
-                                      frag->msg_header.is_ccs),
-                                     &found) <= 0)
+                                      frag->msg_header.is_ccs), &found) <= 0)
             return -1;
     }
 
@@ -1004,7 +996,8 @@ int dtls1_buffer_message(SSL *s, int is_ccs)
     if (is_ccs) {
         /* For DTLS1_BAD_VER the header length is non-standard */
         OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
-                       ((s->version==DTLS1_BAD_VER)?3:DTLS1_CCS_HEADER_LENGTH)
+                       ((s->version ==
+                         DTLS1_BAD_VER) ? 3 : DTLS1_CCS_HEADER_LENGTH)
                        == (unsigned int)s->init_num);
     } else {
         OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
@@ -1046,8 +1039,7 @@ int dtls1_buffer_message(SSL *s, int is_ccs)
     return 1;
 }
 
-int
-dtls1_retransmit_message(SSL *s, unsigned short seq, int *found)
+int dtls1_retransmit_message(SSL *s, unsigned short seq, int *found)
 {
     int ret;
     /* XDTLS: for now assuming that read/writes are blocking */
@@ -1106,7 +1098,8 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, int *found)
     s->compress = frag->msg_header.saved_retransmit_state.compress;
     s->session = frag->msg_header.saved_retransmit_state.session;
     DTLS_RECORD_LAYER_set_saved_w_epoch(&s->rlayer,
-        frag->msg_header.saved_retransmit_state.epoch);
+                                        frag->msg_header.
+                                        saved_retransmit_state.epoch);
 
     ret = dtls1_do_write(s, frag->msg_header.is_ccs ?
                          SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE);
@@ -1138,8 +1131,7 @@ void dtls1_clear_record_buffer(SSL *s)
 
 void dtls1_set_message_header(SSL *s,
                               unsigned char mt, unsigned long len,
-                              unsigned long frag_off,
-                              unsigned long frag_len)
+                              unsigned long frag_off, unsigned long frag_len)
 {
     if (frag_off == 0) {
         s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
@@ -1166,8 +1158,7 @@ dtls1_set_message_header_int(SSL *s, unsigned char mt,
 }
 
 static void
-dtls1_fix_message_header(SSL *s, unsigned long frag_off,
-                         unsigned long frag_len)
+dtls1_fix_message_header(SSL *s, unsigned long frag_off, unsigned long frag_len)
 {
     struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
 
@@ -1189,8 +1180,7 @@ static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p)
     return p;
 }
 
-void
-dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr)
+void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr)
 {
     memset(msg_hdr, 0, sizeof(*msg_hdr));
     msg_hdr->type = *(data++);
@@ -1200,5 +1190,3 @@ dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr)
     n2l3(data, msg_hdr->frag_off);
     n2l3(data, msg_hdr->frag_len);
 }
-
-
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 7cf84c7..fac9684 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -138,13 +138,13 @@ MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
      */
     if (SSL_IS_DTLS(s)) {
         if ((s->version == DTLS1_BAD_VER
-                        && remain != DTLS1_CCS_HEADER_LENGTH + 1)
-                    || (s->version != DTLS1_BAD_VER
-                        && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
-                al = SSL_AD_ILLEGAL_PARAMETER;
-                SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
-                       SSL_R_BAD_CHANGE_CIPHER_SPEC);
-                goto f_err;
+             && remain != DTLS1_CCS_HEADER_LENGTH + 1)
+            || (s->version != DTLS1_BAD_VER
+                && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
+            al = SSL_AD_ILLEGAL_PARAMETER;
+            SSLerr(SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
+                   SSL_R_BAD_CHANGE_CIPHER_SPEC);
+            goto f_err;
         }
     } else {
         if (remain != 0) {
@@ -349,16 +349,18 @@ int tls_get_message_header(SSL *s, int *mt)
     do {
         while (s->init_num < SSL3_HM_HEADER_LENGTH) {
             i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
-                &p[s->init_num], SSL3_HM_HEADER_LENGTH - s->init_num, 0);
+                                          &p[s->init_num],
+                                          SSL3_HM_HEADER_LENGTH - s->init_num,
+                                          0);
             if (i <= 0) {
                 s->rwstate = SSL_READING;
                 return 0;
             }
             if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
                 /*
-		 * A ChangeCipherSpec must be a single byte and may not occur
-		 * in the middle of a handshake message.
-		 */
+                 * A ChangeCipherSpec must be a single byte and may not occur
+                 * in the middle of a handshake message.
+                 */
                 if (s->init_num != 0 || i != 1 || p[0] != SSL3_MT_CCS) {
                     al = SSL_AD_UNEXPECTED_MESSAGE;
                     SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER,
@@ -428,7 +430,7 @@ int tls_get_message_header(SSL *s, int *mt)
             goto f_err;
         }
         if (l && !BUF_MEM_grow_clean(s->init_buf,
-                                    (int)l + SSL3_HM_HEADER_LENGTH)) {
+                                     (int)l + SSL3_HM_HEADER_LENGTH)) {
             SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER, ERR_R_BUF_LIB);
             goto err;
         }
@@ -490,11 +492,11 @@ int tls_get_message_body(SSL *s, unsigned long *len)
             return 0;
         }
         if (s->msg_callback)
-            s->msg_callback(0, SSL2_VERSION, 0,  s->init_buf->data,
+            s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
                             (size_t)s->init_num, s, s->msg_callback_arg);
     } else {
         if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
-            s->init_num + SSL3_HM_HEADER_LENGTH)) {
+                             s->init_num + SSL3_HM_HEADER_LENGTH)) {
             SSLerr(SSL_F_TLS_GET_MESSAGE_BODY, ERR_R_EVP_LIB);
             ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
             *len = 0;
@@ -522,8 +524,7 @@ int tls_get_message_body(SSL *s, unsigned long *len)
 
 int ssl_cert_type(const X509 *x, const EVP_PKEY *pk)
 {
-    if (pk == NULL &&
-        (pk = X509_get0_pubkey(x)) == NULL)
+    if (pk == NULL && (pk = X509_get0_pubkey(x)) == NULL)
         return -1;
 
     switch (EVP_PKEY_id(pk)) {
@@ -637,8 +638,8 @@ static int version_cmp(const SSL *s, int a, int b)
 
 typedef struct {
     int version;
-    const SSL_METHOD *(*cmeth)(void);
-    const SSL_METHOD *(*smeth)(void);
+    const SSL_METHOD *(*cmeth) (void);
+    const SSL_METHOD *(*smeth) (void);
 } version_info;
 
 #if TLS_MAX_VERSION != TLS1_2_VERSION
@@ -647,26 +648,26 @@ typedef struct {
 
 static const version_info tls_version_table[] = {
 #ifndef OPENSSL_NO_TLS1_2
-    { TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method },
+    {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
 #else
-    { TLS1_2_VERSION, NULL, NULL },
+    {TLS1_2_VERSION, NULL, NULL},
 #endif
 #ifndef OPENSSL_NO_TLS1_1
-    { TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method },
+    {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
 #else
-    { TLS1_1_VERSION, NULL, NULL },
+    {TLS1_1_VERSION, NULL, NULL},
 #endif
 #ifndef OPENSSL_NO_TLS1
-    { TLS1_VERSION, tlsv1_client_method, tlsv1_server_method },
+    {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
 #else
-    { TLS1_VERSION, NULL, NULL },
+    {TLS1_VERSION, NULL, NULL},
 #endif
 #ifndef OPENSSL_NO_SSL3
-    { SSL3_VERSION, sslv3_client_method, sslv3_server_method },
+    {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
 #else
-    { SSL3_VERSION, NULL, NULL },
+    {SSL3_VERSION, NULL, NULL},
 #endif
-    { 0, NULL, NULL },
+    {0, NULL, NULL},
 };
 
 #if DTLS_MAX_VERSION != DTLS1_2_VERSION
@@ -675,18 +676,18 @@ static const version_info tls_version_table[] = {
 
 static const version_info dtls_version_table[] = {
 #ifndef OPENSSL_NO_DTLS1_2
-    { DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method },
+    {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
 #else
-    { DTLS1_2_VERSION, NULL, NULL },
+    {DTLS1_2_VERSION, NULL, NULL},
 #endif
 #ifndef OPENSSL_NO_DTLS1
-    { DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method },
-    { DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL },
+    {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
+    {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
 #else
-    { DTLS1_VERSION, NULL, NULL },
-    { DTLS1_BAD_VER, NULL, NULL },
+    {DTLS1_VERSION, NULL, NULL},
+    {DTLS1_BAD_VER, NULL, NULL},
 #endif
-    { 0, NULL, NULL },
+    {0, NULL, NULL},
 };
 
 /*
@@ -707,7 +708,7 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
         return SSL_R_VERSION_TOO_LOW;
 
     if (s->max_proto_version != 0 &&
-             version_cmp(s, version, s->max_proto_version) > 0)
+        version_cmp(s, version, s->max_proto_version) > 0)
         return SSL_R_VERSION_TOO_HIGH;
 
     if ((s->options & method->mask) != 0)
@@ -794,8 +795,7 @@ int ssl_check_version_downgrade(SSL *s)
     }
 
     for (vent = table; vent->version != 0; ++vent) {
-        if (vent->smeth != NULL &&
-            ssl_method_error(s, vent->smeth()) == 0)
+        if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
             return s->version == vent->version;
     }
     return 0;
@@ -995,7 +995,8 @@ int ssl_choose_client_version(SSL *s, int version)
  * Returns 0 on success or an SSL error reason number on failure.  On failure
  * min_version and max_version will also be set to 0.
  */
-int ssl_get_client_min_max_version(const SSL *s, int *min_version, int *max_version)
+int ssl_get_client_min_max_version(const SSL *s, int *min_version,
+                                   int *max_version)
 {
     int version;
     int hole;
diff --git a/ssl/statem/statem_locl.h b/ssl/statem/statem_locl.h
index 9f7ec88..a46e6c7 100644
--- a/ssl/statem/statem_locl.h
+++ b/ssl/statem/statem_locl.h
@@ -96,13 +96,12 @@ __owur int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
 __owur int tls_construct_client_key_exchange(SSL *s);
 __owur int tls_client_key_exchange_post_work(SSL *s);
 __owur int tls_construct_cert_status(SSL *s);
-__owur MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s,
-                                                        PACKET *pkt);
+__owur MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt);
 __owur MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt);
 __owur int ssl3_check_cert_and_algorithm(SSL *s);
-#  ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
 __owur int tls_construct_next_proto(SSL *s);
-#  endif
+#endif
 __owur MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt);
 
 /* some server-only functions */
@@ -119,7 +118,7 @@ __owur MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt);
 __owur MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt);
 __owur WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst);
 __owur MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt);
-#  ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
 __owur MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt);
-#  endif
+#endif
 __owur int tls_construct_new_session_ticket(SSL *s);
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index d662163..ae1c65d 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -47,7 +47,6 @@
  * OTHERWISE.
  */
 
-
 #include <stdio.h>
 #include "../ssl_locl.h"
 #include "statem_locl.h"
@@ -64,8 +63,9 @@
 
 static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                                       PACKET *cipher_suites,
-                                                      STACK_OF(SSL_CIPHER) **skp,
-                                                      int sslv2format, int *al);
+                                                      STACK_OF(SSL_CIPHER)
+                                                      **skp, int sslv2format,
+                                                      int *al);
 
 /*
  * server_read_transition() encapsulates the logic for the allowed handshake
@@ -237,7 +237,7 @@ static int send_server_key_exchange(SSL *s)
      * the server certificate contains the server's public key for
      * key exchange.
      */
-    if (alg_k & (SSL_kDHE|SSL_kECDHE)
+    if (alg_k & (SSL_kDHE | SSL_kECDHE)
         /*
          * PSK: send ServerKeyExchange if PSK identity hint if
          * provided
@@ -253,7 +253,7 @@ static int send_server_key_exchange(SSL *s)
         /* SRP: send ServerKeyExchange */
         || (alg_k & SSL_kSRP)
 #endif
-       ) {
+        ) {
         return 1;
     }
 
@@ -284,11 +284,11 @@ static int send_certificate_request(SSL *s)
             * RFC 2246):
             */
            && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
-           /*
-            * ... except when the application insists on
-            * verification (against the specs, but statem_clnt.c accepts
-            * this for SSL 3)
-            */
+               /*
+                * ... except when the application insists on
+                * verification (against the specs, but statem_clnt.c accepts
+                * this for SSL 3)
+                */
                || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
            /* don't request certificate for SRP auth */
            && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
@@ -313,7 +313,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
 
     switch (st->hand_state) {
     case TLS_ST_BEFORE:
-        /* Just go straight to trying to read from the client */;
+        /* Just go straight to trying to read from the client */
         return WRITE_TRAN_FINISHED;
 
     case TLS_ST_OK:
@@ -328,7 +328,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
 
     case TLS_ST_SR_CLNT_HELLO:
         if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
-                && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
+            && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
             st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
         else
             st->hand_state = TLS_ST_SW_SRVR_HELLO;
@@ -347,7 +347,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
             /* Check if it is anon DH or anon ECDH, */
             /* normal PSK or SRP */
             if (!(s->s3->tmp.new_cipher->algorithm_auth &
-                 (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
+                  (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
                 st->hand_state = TLS_ST_SW_CERT;
             } else if (send_server_key_exchange(s)) {
                 st->hand_state = TLS_ST_SW_KEY_EXCH;
@@ -549,8 +549,9 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
                    sizeof(DTLS1_SCTP_AUTH_LABEL));
 
             if (SSL_export_keying_material(s, sctpauthkey,
-                    sizeof(sctpauthkey), labelbuffer,
-                    sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+                                           sizeof(sctpauthkey), labelbuffer,
+                                           sizeof(labelbuffer), NULL, 0,
+                                           0) <= 0) {
                 ossl_statem_set_error(s);
                 return WORK_ERROR;
             }
@@ -573,7 +574,8 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
         }
 #endif
         if (!s->method->ssl3_enc->change_cipher_state(s,
-                SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
+                                                      SSL3_CHANGE_CIPHER_SERVER_WRITE))
+        {
             ossl_statem_set_error(s);
             return WORK_ERROR;
         }
@@ -786,11 +788,10 @@ WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
 
     case TLS_ST_SR_CERT_VRFY:
 #ifndef OPENSSL_NO_SCTP
-        if (    /* Is this SCTP? */
-                BIO_dgram_is_sctp(SSL_get_wbio(s))
-                /* Are we renegotiating? */
-                && s->renegotiate
-                && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
+        if (                    /* Is this SCTP? */
+               BIO_dgram_is_sctp(SSL_get_wbio(s))
+               /* Are we renegotiating? */
+               && s->renegotiate && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
             s->s3->in_read_app_data = 2;
             s->rwstate = SSL_READING;
             BIO_clear_retry_flags(SSL_get_rbio(s));
@@ -847,8 +848,8 @@ int tls_construct_hello_request(SSL *s)
 }
 
 unsigned int dtls_raw_hello_verify_request(unsigned char *buf,
-                                            unsigned char *cookie,
-                                            unsigned char cookie_len)
+                                           unsigned char *cookie,
+                                           unsigned char cookie_len)
 {
     unsigned int msg_len;
     unsigned char *p;
@@ -884,10 +885,9 @@ int dtls_construct_hello_verify_request(SSL *s)
     }
 
     len = dtls_raw_hello_verify_request(&buf[DTLS1_HM_HEADER_LENGTH],
-                                         s->d1->cookie, s->d1->cookie_len);
+                                        s->d1->cookie, s->d1->cookie_len);
 
-    dtls1_set_message_header(s, DTLS1_MT_HELLO_VERIFY_REQUEST, len, 0,
-                             len);
+    dtls1_set_message_header(s, DTLS1_MT_HELLO_VERIFY_REQUEST, len, 0, len);
     len += DTLS1_HM_HEADER_LENGTH;
 
     /* number of bytes to write */
@@ -936,7 +936,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
          */
 
         if (!PACKET_get_1(pkt, &mt)
-                || mt != SSL2_MT_CLIENT_HELLO) {
+            || mt != SSL2_MT_CLIENT_HELLO) {
             /*
              * Should never happen. We should have tested this in the record
              * layer in order to have determined that this is a SSLv2 record
@@ -1012,8 +1012,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
         PACKET challenge;
 
         if (!PACKET_get_net_2(pkt, &cipher_len)
-                || !PACKET_get_net_2(pkt, &session_id_len)
-                || !PACKET_get_net_2(pkt, &challenge_len)) {
+            || !PACKET_get_net_2(pkt, &session_id_len)
+            || !PACKET_get_net_2(pkt, &challenge_len)) {
             SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                    SSL_R_RECORD_LENGTH_MISMATCH);
             al = SSL_AD_DECODE_ERROR;
@@ -1080,15 +1080,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
              */
             if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
                 if (PACKET_remaining(&cookie) == 0)
-                return 1;
+                    return 1;
             }
         }
 
         if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites)
             || !PACKET_get_length_prefixed_1(pkt, &compression)) {
-                al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-                goto f_err;
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+            goto f_err;
         }
         /* Could be empty. */
         extensions = *pkt;
@@ -1099,16 +1099,16 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
         if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
             if (s->ctx->app_verify_cookie_cb != NULL) {
                 if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie),
-                                                 PACKET_remaining(&cookie)) == 0) {
+                                                 PACKET_remaining(&cookie)) ==
+                    0) {
                     al = SSL_AD_HANDSHAKE_FAILURE;
                     SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                            SSL_R_COOKIE_MISMATCH);
                     goto f_err;
                     /* else cookie verification succeeded */
                 }
-            /* default verification */
-            } else if (!PACKET_equal(&cookie, s->d1->cookie,
-                                     s->d1->cookie_len)) {
+                /* default verification */
+            } else if (!PACKET_equal(&cookie, s->d1->cookie, s->d1->cookie_len)) {
                 al = SSL_AD_HANDSHAKE_FAILURE;
                 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
                 goto f_err;
@@ -1183,8 +1183,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
         id = s->session->cipher->id;
 
 #ifdef CIPHER_DEBUG
-        fprintf(stderr, "client sent %d ciphers\n",
-                sk_SSL_CIPHER_num(ciphers));
+        fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers));
 #endif
         for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
             c = sk_SSL_CIPHER_value(ciphers, i);
@@ -1405,7 +1404,8 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
                 int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
                 if (rv == 0) {
                     al = SSL_AD_INTERNAL_ERROR;
-                    SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_CERT_CB_ERROR);
+                    SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
+                           SSL_R_CERT_CB_ERROR);
                     goto f_err;
                 }
                 if (rv < 0) {
@@ -1414,17 +1414,19 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
                 }
                 s->rwstate = SSL_NOTHING;
             }
-            cipher = ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
+            cipher =
+                ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
 
             if (cipher == NULL) {
-                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
+                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
+                       SSL_R_NO_SHARED_CIPHER);
                 goto f_err;
             }
             s->s3->tmp.new_cipher = cipher;
             /* check whether we should disable session resumption */
             if (s->not_resumable_session_cb != NULL)
                 s->session->not_resumable = s->not_resumable_session_cb(s,
-                    ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0));
+                                                                        ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0));
             if (s->session->not_resumable)
                 /* do not send a session ticket */
                 s->tlsext_ticket_expected = 0;
@@ -1480,7 +1482,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
              */
             if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
                 SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
-                           SSL_R_CLIENTHELLO_TLSEXT);
+                       SSL_R_CLIENTHELLO_TLSEXT);
             goto f_err;
         }
     }
@@ -1799,7 +1801,7 @@ int tls_construct_server_key_exchange(SSL *s)
         else
 #endif
 #ifndef OPENSSL_NO_DH
-        /*
+        /*-
          * for interoperability with some versions of the Microsoft TLS
          * stack, we need to zero pad the DHE pub key to the same length
          * as the prime, so use the length of the prime here
@@ -1811,7 +1813,7 @@ int tls_construct_server_key_exchange(SSL *s)
             n += 2 + nr[i];
     }
 
-    if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))
+    if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
         && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
         if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md))
             == NULL) {
@@ -1866,7 +1868,7 @@ int tls_construct_server_key_exchange(SSL *s)
         } else
 #endif
 #ifndef OPENSSL_NO_DH
-        /*
+        /*-
          * for interoperability with some versions of the Microsoft TLS
          * stack, we need to zero pad the DHE pub key to the same length
          * as the prime
@@ -1929,13 +1931,13 @@ int tls_construct_server_key_exchange(SSL *s)
             fprintf(stderr, "Using hash %s\n", EVP_MD_name(md));
 #endif
             if (EVP_SignInit_ex(md_ctx, md, NULL) <= 0
-                    || EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]),
-                                      SSL3_RANDOM_SIZE) <= 0
-                    || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]),
-                                      SSL3_RANDOM_SIZE) <= 0
-                    || EVP_SignUpdate(md_ctx, d, n) <= 0
-                    || EVP_SignFinal(md_ctx, &(p[2]),
-                               (unsigned int *)&i, pkey) <= 0) {
+                || EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]),
+                                  SSL3_RANDOM_SIZE) <= 0
+                || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]),
+                                  SSL3_RANDOM_SIZE) <= 0
+                || EVP_SignUpdate(md_ctx, d, n) <= 0
+                || EVP_SignFinal(md_ctx, &(p[2]),
+                                 (unsigned int *)&i, pkey) <= 0) {
                 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
                 al = SSL_AD_INTERNAL_ERROR;
                 goto f_err;
@@ -2017,10 +2019,8 @@ int tls_construct_certificate_request(SSL *s)
         for (i = 0; i < sk_X509_NAME_num(sk); i++) {
             name = sk_X509_NAME_value(sk, i);
             j = i2d_X509_NAME(name, NULL);
-            if (!BUF_MEM_grow_clean
-                (buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
-                SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
-                       ERR_R_BUF_LIB);
+            if (!BUF_MEM_grow_clean(buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
+                SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_BUF_LIB);
                 goto err;
             }
             p = ssl_handshake_start(s) + n;
@@ -2066,8 +2066,7 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al)
     }
     if (s->psk_server_callback == NULL) {
         *al = SSL_AD_INTERNAL_ERROR;
-        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
-               SSL_R_PSK_NO_SERVER_CB);
+        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_SERVER_CB);
         return 0;
     }
 
@@ -2078,7 +2077,7 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al)
     }
 
     psklen = s->psk_server_callback(s, s->session->psk_identity,
-                                     psk, sizeof(psk));
+                                    psk, sizeof(psk));
 
     if (psklen > PSK_MAX_PSK_LEN) {
         *al = SSL_AD_INTERNAL_ERROR;
@@ -2115,7 +2114,6 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al)
 #endif
 }
 
-
 static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
 {
 #ifndef OPENSSL_NO_RSA
@@ -2174,8 +2172,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
      * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
      */
 
-    if (RAND_bytes(rand_premaster_secret,
-                   sizeof(rand_premaster_secret)) <= 0)
+    if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0)
         goto err;
 
     /*
@@ -2203,7 +2200,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
 
     padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
     decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
-                   constant_time_eq_int_8(rsa_decrypt[1], 2);
+        constant_time_eq_int_8(rsa_decrypt[1], 2);
     for (j = 2; j < padding_len - 1; j++) {
         decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
     }
@@ -2419,7 +2416,7 @@ static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al)
     const unsigned char *data;
 
     if (!PACKET_get_net_2(pkt, &i)
-            || !PACKET_get_bytes(pkt, &data, i)) {
+        || !PACKET_get_bytes(pkt, &data, i)) {
         *al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_A_LENGTH);
         return 0;
@@ -2428,8 +2425,7 @@ static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al)
         SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_BN_LIB);
         return 0;
     }
-    if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0
-        || BN_is_zero(s->srp_ctx.A)) {
+    if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
         *al = SSL_AD_ILLEGAL_PARAMETER;
         SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_PARAMETERS);
         return 0;
@@ -2516,10 +2512,9 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al)
         SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
         goto err;
     }
-    if (ASN1_get_object ((const unsigned char **)&data, &Tlen, &Ttag,
-                         &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED
-        || Ttag != V_ASN1_SEQUENCE
-        || Tclass != V_ASN1_UNIVERSAL) {
+    if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag,
+                        &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED
+        || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
         *al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
         goto err;
@@ -2571,7 +2566,8 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
         /* Identity extracted earlier: should be nothing left */
         if (PACKET_remaining(pkt) != 0) {
             al = SSL_AD_HANDSHAKE_FAILURE;
-            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
+            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
+                   SSL_R_LENGTH_MISMATCH);
             goto err;
         }
         /* PSK handled by ssl_generate_master_secret */
@@ -2597,7 +2593,8 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
             goto err;
     } else {
         al = SSL_AD_HANDSHAKE_FAILURE;
-        SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE);
+        SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
+               SSL_R_UNKNOWN_CIPHER_TYPE);
         goto err;
     }
 
@@ -2628,8 +2625,9 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
                    sizeof(DTLS1_SCTP_AUTH_LABEL));
 
             if (SSL_export_keying_material(s, sctpauthkey,
-                                       sizeof(sctpauthkey), labelbuffer,
-                                       sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+                                           sizeof(sctpauthkey), labelbuffer,
+                                           sizeof(labelbuffer), NULL, 0,
+                                           0) <= 0) {
                 ossl_statem_set_error(s);
                 return WORK_ERROR;;
             }
@@ -2641,13 +2639,13 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
     }
 
     if ((wst == WORK_MORE_B)
-            /* Is this SCTP? */
-            && BIO_dgram_is_sctp(SSL_get_wbio(s))
-            /* Are we renegotiating? */
-            && s->renegotiate
-            /* Are we going to skip the CertificateVerify? */
-            && (s->session->peer == NULL || s->statem.no_cert_verify)
-            && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
+        /* Is this SCTP? */
+        && BIO_dgram_is_sctp(SSL_get_wbio(s))
+        /* Are we renegotiating? */
+        && s->renegotiate
+        /* Are we going to skip the CertificateVerify? */
+        && (s->session->peer == NULL || s->statem.no_cert_verify)
+        && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
         s->s3->in_read_app_data = 2;
         s->rwstate = SSL_READING;
         BIO_clear_retry_flags(SSL_get_rbio(s));
@@ -2660,8 +2658,9 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
 #endif
 
     if (s->statem.no_cert_verify || !s->session->peer) {
-        /* No certificate verify or no peer certificate so we no longer need the
-         * handshake_buffer
+        /*
+         * No certificate verify or no peer certificate so we no longer need
+         * the handshake_buffer
          */
         if (!ssl3_digest_cached_records(s, 0)) {
             ossl_statem_set_error(s);
@@ -2771,7 +2770,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
     }
     j = EVP_PKEY_size(pkey);
     if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
-            || (PACKET_remaining(pkt) == 0)) {
+        || (PACKET_remaining(pkt) == 0)) {
         SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
         al = SSL_AD_DECODE_ERROR;
         goto f_err;
@@ -2797,7 +2796,6 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
         al = SSL_AD_INTERNAL_ERROR;
         goto f_err;
     }
-
 #ifndef OPENSSL_NO_GOST
     {
         int pktype = EVP_PKEY_id(pkey);
@@ -2860,8 +2858,8 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
     }
 
     if (!PACKET_get_net_3(pkt, &llen)
-            || !PACKET_get_sub_packet(pkt, &spkt, llen)
-            || PACKET_remaining(pkt) != 0) {
+        || !PACKET_get_sub_packet(pkt, &spkt, llen)
+        || PACKET_remaining(pkt) != 0) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
         goto f_err;
@@ -2869,7 +2867,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
 
     while (PACKET_remaining(&spkt) > 0) {
         if (!PACKET_get_net_3(&spkt, &l)
-                || !PACKET_get_bytes(&spkt, &certbytes, l)) {
+            || !PACKET_get_bytes(&spkt, &certbytes, l)) {
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                    SSL_R_CERT_LENGTH_MISMATCH);
@@ -3065,9 +3063,10 @@ int tls_construct_new_session_ticket(SSL *s)
                                              hctx, 1);
 
         if (ret == 0) {
-            l2n(0, p); /* timeout */
-            s2n(0, p); /* length */
-            if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, p - ssl_handshake_start(s)))
+            l2n(0, p);          /* timeout */
+            s2n(0, p);          /* length */
+            if (!ssl_set_handshake_header
+                (s, SSL3_MT_NEWSESSION_TICKET, p - ssl_handshake_start(s)))
                 goto err;
             OPENSSL_free(senc);
             EVP_CIPHER_CTX_free(ctx);
@@ -3205,8 +3204,7 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
         goto err;
     }
 
-    if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated,
-                       &next_proto_len)) {
+    if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated, &next_proto_len)) {
         s->next_proto_negotiated_len = 0;
         goto err;
     }
@@ -3214,7 +3212,7 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
     s->next_proto_negotiated_len = (unsigned char)next_proto_len;
 
     return MSG_PROCESS_CONTINUE_READING;
-err:
+ err:
     ossl_statem_set_error(s);
     return MSG_PROCESS_ERROR;
 }
@@ -3225,8 +3223,7 @@ err:
 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                                PACKET *cipher_suites,
                                                STACK_OF(SSL_CIPHER) **skp,
-                                               int sslv2format, int *al
-                                               )
+                                               int sslv2format, int *al)
 {
     const SSL_CIPHER *c;
     STACK_OF(SSL_CIPHER) *sk;
@@ -3276,7 +3273,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
          * first byte. We don't support any true SSLv2 ciphers, so skip them.
          */
         if (sslv2format && cipher[0] != '\0')
-                continue;
+            continue;
 
         /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
         if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 70f70d1..4aa5ddd 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -83,7 +83,7 @@ static int tls1_PRF(SSL *s,
         goto err;
     ret = 1;
 
-    err:
+ err:
     EVP_PKEY_CTX_free(pctx);
     return ret;
 }
@@ -253,7 +253,7 @@ int tls1_change_cipher_state(SSL *s, int which)
         mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
                                        mac_secret, *mac_secret_size);
         if (mac_key == NULL
-                || EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) {
+            || EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) {
             EVP_PKEY_free(mac_key);
             SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
             goto err2;
@@ -277,7 +277,8 @@ int tls1_change_cipher_state(SSL *s, int which)
         }
     } else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) {
         int taglen;
-        if (s->s3->tmp.new_cipher->algorithm_enc & (SSL_AES128CCM8|SSL_AES256CCM8))
+        if (s->s3->tmp.
+            new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8))
             taglen = 8;
         else
             taglen = 16;
@@ -377,8 +378,7 @@ int tls1_setup_key_block(SSL *s)
     s->s3->tmp.new_hash = hash;
     s->s3->tmp.new_mac_pkey_type = mac_type;
     s->s3->tmp.new_mac_secret_size = mac_secret_size;
-    num =
-        EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c);
+    num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c);
     num *= 2;
 
     ssl3_cleanup_key_block(s);
@@ -449,8 +449,7 @@ int tls1_setup_key_block(SSL *s)
     return (ret);
 }
 
-int tls1_final_finish_mac(SSL *s, const char *str, int slen,
-                          unsigned char *out)
+int tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out)
 {
     int hashlen;
     unsigned char hash[EVP_MAX_MD_SIZE];
@@ -477,10 +476,10 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
     if (s->session->flags & SSL_SESS_FLAG_EXTMS) {
         unsigned char hash[EVP_MAX_MD_SIZE * 2];
         int hashlen;
-        /* Digest cached records keeping record buffer (if present):
-         * this won't affect client auth because we're freezing the buffer
-         * at the same point (after client key exchange and before certificate
-         * verify)
+        /*
+         * Digest cached records keeping record buffer (if present): this wont
+         * affect client auth because we're freezing the buffer at the same
+         * point (after client key exchange and before certificate verify)
          */
         if (!ssl3_digest_cached_records(s, 1))
             return -1;
@@ -611,8 +610,7 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
 
     goto ret;
  err1:
-    SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL,
-           SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
+    SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
     rv = 0;
     goto ret;
  err2:
diff --git a/ssl/t1_ext.c b/ssl/t1_ext.c
index 2db949d..a8e9f9a 100644
--- a/ssl/t1_ext.c
+++ b/ssl/t1_ext.c
@@ -12,7 +12,6 @@
 #include <openssl/ct.h>
 #include "ssl_locl.h"
 
-
 /* Find a custom extension from the list. */
 static custom_ext_method *custom_ext_find(const custom_ext_methods *exts,
                                           unsigned int ext_type)
@@ -68,8 +67,7 @@ int custom_ext_parse(SSL *s, int server,
     if (!meth->parse_cb)
         return 1;
 
-    return meth->parse_cb(s, ext_type, ext_data, ext_size, al,
-                          meth->parse_arg);
+    return meth->parse_cb(s, ext_type, ext_data, ext_size, al, meth->parse_arg);
 }
 
 /*
@@ -139,7 +137,7 @@ int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src)
     if (src->meths_count) {
         dst->meths =
             OPENSSL_memdup(src->meths,
-                       sizeof(custom_ext_method) * src->meths_count);
+                           sizeof(custom_ext_method) * src->meths_count);
         if (dst->meths == NULL)
             return 0;
         dst->meths_count = src->meths_count;
@@ -214,8 +212,7 @@ int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
                                   custom_ext_add_cb add_cb,
                                   custom_ext_free_cb free_cb,
                                   void *add_arg,
-                                  custom_ext_parse_cb parse_cb,
-                                  void *parse_arg)
+                                  custom_ext_parse_cb parse_cb, void *parse_arg)
 {
 #ifndef OPENSSL_NO_CT
     /*
@@ -235,8 +232,7 @@ int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
                                   custom_ext_add_cb add_cb,
                                   custom_ext_free_cb free_cb,
                                   void *add_arg,
-                                  custom_ext_parse_cb parse_cb,
-                                  void *parse_arg)
+                                  custom_ext_parse_cb parse_cb, void *parse_arg)
 {
     return custom_ext_meth_add(&ctx->cert->srv_ext, ext_type,
                                add_cb, free_cb, add_arg, parse_cb, parse_arg);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index ca4e7d6..938f8be 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -209,7 +209,6 @@ static const unsigned char eccurves_all[] = {
     0, 3,                       /* sect163r2 (3) */
 };
 
-
 static const unsigned char suiteb_curves[] = {
     0, TLSEXT_curve_P_256,
     0, TLSEXT_curve_P_384
@@ -250,8 +249,7 @@ int tls1_ec_nid2curve_id(int nid)
  * so cannot happen in the 1.0.x series.)
  */
 static int tls1_get_curvelist(SSL *s, int sess,
-                              const unsigned char **pcurves,
-                              size_t *num_curves)
+                              const unsigned char **pcurves, size_t *num_curves)
 {
     size_t pcurveslen = 0;
     if (sess) {
@@ -384,8 +382,7 @@ int tls1_shared_curve(SSL *s, int nmatch)
         /* In practice, NID_undef == 0 but let's be precise. */
         return nmatch == -1 ? 0 : NID_undef;
     if (!tls1_get_curvelist
-        (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
-         &num_pref))
+        (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref, &num_pref))
         return nmatch == -1 ? 0 : NID_undef;
 
     /*
@@ -396,7 +393,7 @@ int tls1_shared_curve(SSL *s, int nmatch)
         supp = eccurves_all;
         num_supp = sizeof(eccurves_all) / 2;
     } else if (num_pref == 0 &&
-        (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
+               (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
         pref = eccurves_all;
         num_pref = sizeof(eccurves_all) / 2;
     }
@@ -489,8 +486,7 @@ static int nid_cb(const char *elem, int len, void *arg)
 }
 
 /* Set curves based on a colon separate list */
-int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
-                         const char *str)
+int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, const char *str)
 {
     nid_cb_st ncb;
     ncb.nidcnt = 0;
@@ -716,19 +712,19 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
  */
 
 #ifdef OPENSSL_NO_RSA
-# define tlsext_sigalg_rsa(md) /* */
+# define tlsext_sigalg_rsa(md)  /* */
 #else
 # define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
 #endif
 
 #ifdef OPENSSL_NO_DSA
-# define tlsext_sigalg_dsa(md) /* */
+# define tlsext_sigalg_dsa(md)  /* */
 #else
 # define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
 #endif
 
 #ifdef OPENSSL_NO_EC
-# define tlsext_sigalg_ecdsa(md) /* */
+# define tlsext_sigalg_ecdsa(md)/* */
 #else
 # define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
 #endif
@@ -746,8 +742,8 @@ static const unsigned char tls12_sigalgs[] = {
         tlsext_sigalg(TLSEXT_hash_sha1)
 #ifndef OPENSSL_NO_GOST
         TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
-        TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
-        TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
+    TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
+    TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
 #endif
 };
 
@@ -862,8 +858,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
     }
     /* Make sure security callback allows algorithm */
     if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
-                      EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd),
-                      (void *)sig)) {
+                      EVP_MD_size(*pmd) * 4, EVP_MD_type(*pmd), (void *)sig)) {
         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
         return 0;
     }
@@ -890,13 +885,13 @@ void ssl_set_client_disabled(SSL *s)
     s->s3->tmp.mask_k = 0;
     ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
     ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
-# ifndef OPENSSL_NO_PSK
+#ifndef OPENSSL_NO_PSK
     /* with PSK there must be client callback set */
     if (!s->psk_client_callback) {
         s->s3->tmp.mask_a |= SSL_aPSK;
         s->s3->tmp.mask_k |= SSL_PSK;
     }
-#endif                         /* OPENSSL_NO_PSK */
+#endif                          /* OPENSSL_NO_PSK */
 #ifndef OPENSSL_NO_SRP
     if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
         s->s3->tmp.mask_a |= SSL_aSRP;
@@ -921,10 +916,10 @@ int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
     if (s->s3->tmp.max_ver == 0)
         return 1;
     if (!SSL_IS_DTLS(s) && ((c->min_tls > s->s3->tmp.max_ver)
-            || (c->max_tls < s->s3->tmp.min_ver)))
+                            || (c->max_tls < s->s3->tmp.min_ver)))
         return 1;
     if (SSL_IS_DTLS(s) && (DTLS_VERSION_GT(c->min_dtls, s->s3->tmp.max_ver)
-            || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
+                           || DTLS_VERSION_LT(c->max_dtls, s->s3->tmp.min_ver)))
         return 1;
 
     return !ssl_security(s, op, c->strength_bits, 0, (void *)c);
@@ -937,7 +932,8 @@ static int tls_use_ticket(SSL *s)
     return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
 }
 
-static int compare_uint(const void *p1, const void *p2) {
+static int compare_uint(const void *p1, const void *p2)
+{
     unsigned int u1 = *((const unsigned int *)p1);
     unsigned int u2 = *((const unsigned int *)p2);
     if (u1 < u2)
@@ -956,7 +952,8 @@ static int compare_uint(const void *p1, const void *p2) {
  * contain duplicates, could not be successfully parsed, or an internal error
  * occurred.
  */
-static int tls1_check_duplicate_extensions(const PACKET *packet) {
+static int tls1_check_duplicate_extensions(const PACKET *packet)
+{
     PACKET extensions = *packet;
     size_t num_extensions = 0, i = 0;
     unsigned int *extension_types = NULL;
@@ -1030,7 +1027,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
             alg_k = c->algorithm_mkey;
             alg_a = c->algorithm_auth;
             if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
-                 || (alg_a & SSL_aECDSA)) {
+                || (alg_a & SSL_aECDSA)) {
                 using_ecc = 1;
                 break;
             }
@@ -1084,8 +1081,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
          */
 
         if ((lenmax = limit - ret - 9) < 0
-            || (size_str =
-                strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
+            || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
             return NULL;
 
         /* extension type and length */
@@ -1191,7 +1187,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
         s2n(curves_list_len, ret);
         ret += curves_list_len;
     }
-#endif                         /* OPENSSL_NO_EC */
+#endif                          /* OPENSSL_NO_EC */
 
     if (tls_use_ticket(s)) {
         int ticklen;
@@ -1243,7 +1239,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
         s2n(salglen, etmp);
         ret += salglen;
     }
-
 #ifndef OPENSSL_NO_OCSP
     if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
         int i;
@@ -1491,7 +1486,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
      * Currently the server should not respond with a SupportedCurves
      * extension
      */
-#endif                         /* OPENSSL_NO_EC */
+#endif                          /* OPENSSL_NO_EC */
 
     if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
         if ((long)(limit - ret - 4) < 0)
@@ -1499,7 +1494,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
         s2n(TLSEXT_TYPE_session_ticket, ret);
         s2n(0, ret);
     } else {
-        /* if we don't add the above TLSEXT, we can't add a session ticket later */
+        /*
+         * if we don't add the above TLSEXT, we can't add a session ticket
+         * later
+         */
         s->tlsext_ticket_expected = 0;
     }
 
@@ -1509,7 +1507,6 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
         s2n(TLSEXT_TYPE_status_request, ret);
         s2n(0, ret);
     }
-
 #ifndef OPENSSL_NO_SRTP
     if (SSL_IS_DTLS(s) && s->srtp_profile) {
         int el;
@@ -1664,8 +1661,7 @@ static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
     } while (PACKET_remaining(&protocol_list) != 0);
 
     if (!PACKET_memdup(&save_protocol_list,
-                       &s->s3->alpn_proposed,
-                       &s->s3->alpn_proposed_len)) {
+                       &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
         *al = TLS1_AD_INTERNAL_ERROR;
         return 0;
     }
@@ -1773,7 +1769,7 @@ static void ssl_check_for_safari(SSL *s, const PACKET *pkt)
     s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
                                              ext_len);
 }
-#endif                         /* !OPENSSL_NO_EC */
+#endif                          /* !OPENSSL_NO_EC */
 
 /*
  * Parse ClientHello extensions and stash extension info in various parts of
@@ -1813,7 +1809,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
 #ifndef OPENSSL_NO_EC
     if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
         ssl_check_for_safari(s, pkt);
-# endif /* !OPENSSL_NO_EC */
+#endif                          /* !OPENSSL_NO_EC */
 
     /* Clear any signature algorithms extension received */
     OPENSSL_free(s->s3->tmp.peer_sigalgs);
@@ -1962,8 +1958,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
         else if (type == TLSEXT_TYPE_ec_point_formats) {
             PACKET ec_point_format_list;
 
-            if (!PACKET_as_length_prefixed_1(&extension,
-                                              &ec_point_format_list)
+            if (!PACKET_as_length_prefixed_1(&extension, &ec_point_format_list)
                 || PACKET_remaining(&ec_point_format_list) == 0) {
                 return 0;
             }
@@ -1971,7 +1966,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
             if (!s->hit) {
                 if (!PACKET_memdup(&ec_point_format_list,
                                    &s->session->tlsext_ecpointformatlist,
-                                   &s->session->tlsext_ecpointformatlist_length)) {
+                                   &s->
+                                   session->tlsext_ecpointformatlist_length)) {
                     *al = TLS1_AD_INTERNAL_ERROR;
                     return 0;
                 }
@@ -1980,8 +1976,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
             PACKET elliptic_curve_list;
 
             /* Each NamedCurve is 2 bytes and we must have at least 1. */
-            if (!PACKET_as_length_prefixed_2(&extension,
-                                             &elliptic_curve_list)
+            if (!PACKET_as_length_prefixed_2(&extension, &elliptic_curve_list)
                 || PACKET_remaining(&elliptic_curve_list) == 0
                 || (PACKET_remaining(&elliptic_curve_list) % 2) != 0) {
                 return 0;
@@ -1990,18 +1985,20 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
             if (!s->hit) {
                 if (!PACKET_memdup(&elliptic_curve_list,
                                    &s->session->tlsext_ellipticcurvelist,
-                                   &s->session->tlsext_ellipticcurvelist_length)) {
+                                   &s->
+                                   session->tlsext_ellipticcurvelist_length)) {
                     *al = TLS1_AD_INTERNAL_ERROR;
                     return 0;
                 }
             }
         }
-#endif                         /* OPENSSL_NO_EC */
+#endif                          /* OPENSSL_NO_EC */
         else if (type == TLSEXT_TYPE_session_ticket) {
             if (s->tls_session_ticket_ext_cb &&
                 !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension),
                                               PACKET_remaining(&extension),
-                                              s->tls_session_ticket_ext_cb_arg)) {
+                                              s->tls_session_ticket_ext_cb_arg))
+            {
                 *al = TLS1_AD_INTERNAL_ERROR;
                 return 0;
             }
@@ -2014,7 +2011,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
                 return 0;
             }
 
-            if  (!s->hit) {
+            if (!s->hit) {
                 if (!tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
                                        PACKET_remaining(&supported_sig_algs))) {
                     return 0;
@@ -2025,12 +2022,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
                               (unsigned int *)&s->tlsext_status_type)) {
                 return 0;
             }
-
 #ifndef OPENSSL_NO_OCSP
             if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
                 const unsigned char *ext_data;
                 PACKET responder_id_list, exts;
-                if (!PACKET_get_length_prefixed_2(&extension, &responder_id_list))
+                if (!PACKET_get_length_prefixed_2
+                    (&extension, &responder_id_list))
                     return 0;
 
                 while (PACKET_remaining(&responder_id_list) > 0) {
@@ -2099,7 +2096,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
             unsigned int hbtype;
 
             if (!PACKET_get_1(&extension, &hbtype)
-                    || PACKET_remaining(&extension)) {
+                || PACKET_remaining(&extension)) {
                 *al = SSL_AD_DECODE_ERROR;
                 return 0;
             }
@@ -2177,7 +2174,9 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
     }
 
     if (PACKET_remaining(pkt) != 0) {
-        /* tls1_check_duplicate_extensions should ensure this never happens. */
+        /*
+         * tls1_check_duplicate_extensions should ensure this never happens.
+         */
         *al = SSL_AD_INTERNAL_ERROR;
         return 0;
     }
@@ -2230,7 +2229,7 @@ static char ssl_next_proto_validate(PACKET *pkt)
 
     while (PACKET_remaining(pkt)) {
         if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
-                || PACKET_remaining(&tmp_protocol) == 0)
+            || PACKET_remaining(&tmp_protocol) == 0)
             return 0;
     }
 
@@ -2278,7 +2277,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
         PACKET spkt;
 
         if (!PACKET_get_sub_packet(pkt, &spkt, size)
-                ||  !PACKET_peek_bytes(&spkt, &data, size))
+            || !PACKET_peek_bytes(&spkt, &data, size))
             goto ri_check;
 
         if (s->tlsext_debug_cb)
@@ -2300,7 +2299,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
         else if (type == TLSEXT_TYPE_ec_point_formats) {
             unsigned int ecpointformatlist_length;
             if (!PACKET_get_1(&spkt, &ecpointformatlist_length)
-                    || ecpointformatlist_length != size - 1) {
+                || ecpointformatlist_length != size - 1) {
                 *al = TLS1_AD_DECODE_ERROR;
                 return 0;
             }
@@ -2323,7 +2322,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
 
             }
         }
-#endif                         /* OPENSSL_NO_EC */
+#endif                          /* OPENSSL_NO_EC */
 
         else if (type == TLSEXT_TYPE_session_ticket) {
             if (s->tls_session_ticket_ext_cb &&
@@ -2338,8 +2337,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
                 return 0;
             }
             s->tlsext_ticket_expected = 1;
-        }
-        else if (type == TLSEXT_TYPE_status_request) {
+        } else if (type == TLSEXT_TYPE_status_request) {
             /*
              * MUST be empty and only sent if we've requested a status
              * request message.
@@ -2390,10 +2388,10 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
                 *al = TLS1_AD_DECODE_ERROR;
                 return 0;
             }
-            if (s->
-                ctx->next_proto_select_cb(s, &selected, &selected_len, data,
-                                          size,
-                                          s->ctx->next_proto_select_cb_arg) !=
+            if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data,
+                                             size,
+                                             s->
+                                             ctx->next_proto_select_cb_arg) !=
                 SSL_TLSEXT_ERR_OK) {
                 *al = TLS1_AD_INTERNAL_ERROR;
                 return 0;
@@ -2423,9 +2421,8 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
              *   uint8 proto[proto_length];
              */
             if (!PACKET_get_net_2(&spkt, &len)
-                    || PACKET_remaining(&spkt) != len
-                    || !PACKET_get_1(&spkt, &len)
-                    || PACKET_remaining(&spkt) != len) {
+                || PACKET_remaining(&spkt) != len || !PACKET_get_1(&spkt, &len)
+                || PACKET_remaining(&spkt) != len) {
                 *al = TLS1_AD_DECODE_ERROR;
                 return 0;
             }
@@ -2473,8 +2470,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
             if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
                 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
                 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
-        }
-        else if (type == TLSEXT_TYPE_extended_master_secret) {
+        } else if (type == TLSEXT_TYPE_extended_master_secret) {
             s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
             if (!s->hit)
                 s->session->flags |= SSL_SESS_FLAG_EXTMS;
@@ -2495,7 +2491,8 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
     if (!s->hit && tlsext_servername == 1) {
         if (s->tlsext_hostname) {
             if (s->session->tlsext_hostname == NULL) {
-                s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
+                s->session->tlsext_hostname =
+                    OPENSSL_strdup(s->tlsext_hostname);
                 if (!s->session->tlsext_hostname) {
                     *al = SSL_AD_UNRECOGNIZED_NAME;
                     return 0;
@@ -2534,7 +2531,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
             *al = SSL_AD_HANDSHAKE_FAILURE;
             SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_INCONSISTENT_EXTMS);
             return 0;
-            }
+        }
     }
 
     return 1;
@@ -2593,6 +2590,7 @@ static int ssl_check_clienthello_tlsext_early(SSL *s)
         return 1;
     }
 }
+
 /* Initialise digests to default values */
 void ssl_set_default_md(SSL *s)
 {
@@ -2743,7 +2741,7 @@ int ssl_check_serverhello_tlsext(SSL *s)
         }
     }
     ret = SSL_TLSEXT_ERR_OK;
-#endif                         /* OPENSSL_NO_EC */
+#endif                          /* OPENSSL_NO_EC */
 
     if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
         ret =
@@ -2864,7 +2862,7 @@ int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
         unsigned int type, size;
 
         if (!PACKET_get_net_2(&local_ext, &type)
-                || !PACKET_get_net_2(&local_ext, &size)) {
+            || !PACKET_get_net_2(&local_ext, &size)) {
             /* Shouldn't ever happen */
             retv = -1;
             goto end;
@@ -2938,7 +2936,7 @@ int tls_check_serverhello_tlsext_early(SSL *s, const PACKET *ext,
     }
     if (have_ticket == 0)
         retv = 0;
-end:
+ end:
     return retv;
 }
 
@@ -3005,11 +3003,12 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
         if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
                          sizeof(tctx->tlsext_tick_hmac_key),
                          EVP_sha256(), NULL) <= 0
-                || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
-                                      tctx->tlsext_tick_aes_key,
-                                      etick + sizeof(tctx->tlsext_tick_key_name)) <= 0) {
+            || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
+                                  tctx->tlsext_tick_aes_key,
+                                  etick + sizeof(tctx->tlsext_tick_key_name)) <=
+            0) {
             goto err;
-       }
+        }
     }
     /*
      * Attempt to process session ticket, first conduct sanity and integrity
@@ -3022,7 +3021,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
     eticklen -= mlen;
     /* Check HMAC of encrypted ticket */
     if (HMAC_Update(hctx, etick, eticklen) <= 0
-            || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
+        || HMAC_Final(hctx, tick_hmac, NULL) <= 0) {
         goto err;
     }
     HMAC_CTX_free(hctx);
@@ -3035,8 +3034,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
     p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
     eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
     sdec = OPENSSL_malloc(eticklen);
-    if (sdec == NULL
-            || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
+    if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
         EVP_CIPHER_CTX_free(ctx);
         OPENSSL_free(sdec);
         return -1;
@@ -3074,7 +3072,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
      * For session parse failure, indicate that we need to send a new ticket.
      */
     return 2;
-err:
+ err:
     EVP_CIPHER_CTX_free(ctx);
     HMAC_CTX_free(hctx);
     return ret;
@@ -3128,8 +3126,7 @@ static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
     return NID_undef;
 }
 
-int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
-                         const EVP_MD *md)
+int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
 {
     int sig_id, md_id;
     if (!md)
@@ -3164,9 +3161,11 @@ static const tls12_hash_info tls12_md_info[] = {
     {NID_sha256, 128, SSL_MD_SHA256_IDX, TLSEXT_hash_sha256},
     {NID_sha384, 192, SSL_MD_SHA384_IDX, TLSEXT_hash_sha384},
     {NID_sha512, 256, SSL_MD_SHA512_IDX, TLSEXT_hash_sha512},
-    {NID_id_GostR3411_94,       128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
-    {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX, TLSEXT_hash_gostr34112012_256},
-    {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX, TLSEXT_hash_gostr34112012_512},
+    {NID_id_GostR3411_94, 128, SSL_MD_GOST94_IDX, TLSEXT_hash_gostr3411},
+    {NID_id_GostR3411_2012_256, 128, SSL_MD_GOST12_256_IDX,
+     TLSEXT_hash_gostr34112012_256},
+    {NID_id_GostR3411_2012_512, 256, SSL_MD_GOST12_512_IDX,
+     TLSEXT_hash_gostr34112012_512},
 };
 
 static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
@@ -3175,8 +3174,7 @@ static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)
     if (hash_alg == 0)
         return NULL;
 
-    for (i=0; i < OSSL_NELEM(tls12_md_info); i++)
-    {
+    for (i = 0; i < OSSL_NELEM(tls12_md_info); i++) {
         if (tls12_md_info[i].tlsext_hash == hash_alg)
             return tls12_md_info + i;
     }
@@ -3210,7 +3208,7 @@ static int tls12_get_pkey_idx(unsigned char sig_alg)
     case TLSEXT_signature_ecdsa:
         return SSL_PKEY_ECC;
 #endif
-# ifndef OPENSSL_NO_GOST
+#ifndef OPENSSL_NO_GOST
     case TLSEXT_signature_gostr34102001:
         return SSL_PKEY_GOST01;
 
@@ -3219,7 +3217,7 @@ static int tls12_get_pkey_idx(unsigned char sig_alg)
 
     case TLSEXT_signature_gostr34102012_512:
         return SSL_PKEY_GOST12_512;
-# endif
+#endif
     }
     return -1;
 }
@@ -3243,8 +3241,7 @@ static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
     }
     if (psignhash_nid) {
         if (sign_nid == NID_undef || hash_nid == NID_undef
-                || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid,
-                                          sign_nid) <= 0)
+            || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid) <= 0)
             *psignhash_nid = NID_undef;
     }
 }
@@ -3470,14 +3467,16 @@ int tls1_process_sigalgs(SSL *s)
         if (pmd[SSL_PKEY_ECC] == NULL)
             pmd[SSL_PKEY_ECC] = EVP_sha1();
 #endif
-# ifndef OPENSSL_NO_GOST
+#ifndef OPENSSL_NO_GOST
         if (pmd[SSL_PKEY_GOST01] == NULL)
             pmd[SSL_PKEY_GOST01] = EVP_get_digestbynid(NID_id_GostR3411_94);
         if (pmd[SSL_PKEY_GOST12_256] == NULL)
-            pmd[SSL_PKEY_GOST12_256] = EVP_get_digestbynid(NID_id_GostR3411_2012_256);
+            pmd[SSL_PKEY_GOST12_256] =
+                EVP_get_digestbynid(NID_id_GostR3411_2012_256);
         if (pmd[SSL_PKEY_GOST12_512] == NULL)
-            pmd[SSL_PKEY_GOST12_512] = EVP_get_digestbynid(NID_id_GostR3411_2012_512);
-# endif
+            pmd[SSL_PKEY_GOST12_512] =
+                EVP_get_digestbynid(NID_id_GostR3411_2012_512);
+#endif
     }
     return 1;
 }
@@ -3598,8 +3597,7 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
     return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
 }
 
-int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
-                     int client)
+int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
 {
     unsigned char *sigalgs, *sptr;
     int rhash, rsign;
@@ -3945,7 +3943,6 @@ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
     return tls1_check_chain(s, x, pk, chain, -1);
 }
 
-
 #ifndef OPENSSL_NO_DH
 DH *ssl_get_auto_dh(SSL *s)
 {
diff --git a/ssl/t1_reneg.c b/ssl/t1_reneg.c
index 15a4e27..01dc403 100644
--- a/ssl/t1_reneg.c
+++ b/ssl/t1_reneg.c
@@ -45,7 +45,7 @@ int ssl_parse_clienthello_renegotiate_ext(SSL *s, PACKET *pkt, int *al)
 
     /* Parse the length byte */
     if (!PACKET_get_1(pkt, &ilen)
-            || !PACKET_get_bytes(pkt, &d, ilen)) {
+        || !PACKET_get_bytes(pkt, &d, ilen)) {
         SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,
                SSL_R_RENEGOTIATION_ENCODING_ERR);
         *al = SSL_AD_ILLEGAL_PARAMETER;
@@ -143,8 +143,8 @@ int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al)
     }
 
     if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len)
-            || memcmp(data, s->s3->previous_client_finished,
-               s->s3->previous_client_finished_len) != 0) {
+        || memcmp(data, s->s3->previous_client_finished,
+                  s->s3->previous_client_finished_len) != 0) {
         SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,
                SSL_R_RENEGOTIATION_MISMATCH);
         *al = SSL_AD_HANDSHAKE_FAILURE;
@@ -152,8 +152,8 @@ int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al)
     }
 
     if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len)
-            || memcmp(data, s->s3->previous_server_finished,
-               s->s3->previous_server_finished_len) != 0) {
+        || memcmp(data, s->s3->previous_server_finished,
+                  s->s3->previous_server_finished_len) != 0) {
         SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,
                SSL_R_RENEGOTIATION_MISMATCH);
         *al = SSL_AD_ILLEGAL_PARAMETER;
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index ab6cfa2..00632e5 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -415,13 +415,13 @@ static ssl_trace_tbl ssl_ciphers_tbl[] = {
     {0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM"},
     {0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"},
     {0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8"},
-    {0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" },
-    {0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305" },
-    {0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305" },
-    {0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305" },
-    {0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305" },
-    {0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305" },
-    {0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305" },
+    {0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"},
+    {0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"},
+    {0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305"},
+    {0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305"},
+    {0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305"},
+    {0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305"},
+    {0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305"},
     {0xFEFE, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
     {0xFEFF, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
 };
@@ -452,9 +452,9 @@ static ssl_trace_tbl ssl_exts_tbl[] = {
     {TLSEXT_TYPE_heartbeat, "heartbeat"},
     {TLSEXT_TYPE_session_ticket, "session_ticket"},
     {TLSEXT_TYPE_renegotiate, "renegotiate"},
-#ifndef OPENSSL_NO_NEXTPROTONEG
+# ifndef OPENSSL_NO_NEXTPROTONEG
     {TLSEXT_TYPE_next_proto_neg, "next_proto_neg"},
-#endif
+# endif
     {TLSEXT_TYPE_signed_certificate_timestamp, "signed_certificate_timestamps"},
     {TLSEXT_TYPE_padding, "padding"},
     {TLSEXT_TYPE_encrypt_then_mac, "encrypt_then_mac"},
@@ -657,8 +657,7 @@ static int ssl_print_extension(BIO *bio, int indent, int server, int extype,
         xlen = ext[0];
         if (extlen != xlen + 1)
             return 0;
-        return ssl_trace_list(bio, indent + 2,
-                              ext + 1, xlen, 1, ssl_point_tbl);
+        return ssl_trace_list(bio, indent + 2, ext + 1, xlen, 1, ssl_point_tbl);
 
     case TLSEXT_TYPE_elliptic_curves:
         if (extlen < 2)
@@ -666,8 +665,7 @@ static int ssl_print_extension(BIO *bio, int indent, int server, int extype,
         xlen = (ext[0] << 8) | ext[1];
         if (extlen != xlen + 2)
             return 0;
-        return ssl_trace_list(bio, indent + 2,
-                              ext + 2, xlen, 2, ssl_curve_tbl);
+        return ssl_trace_list(bio, indent + 2, ext + 2, xlen, 2, ssl_curve_tbl);
 
     case TLSEXT_TYPE_signature_algorithms:
 
@@ -705,8 +703,7 @@ static int ssl_print_extension(BIO *bio, int indent, int server, int extype,
             ssl_print_hex(bio, indent + 4, "client_verify_data", ext, xlen);
             if (server) {
                 ext += xlen;
-                ssl_print_hex(bio, indent + 4,
-                              "server_verify_data", ext, xlen);
+                ssl_print_hex(bio, indent + 4, "server_verify_data", ext, xlen);
             }
         } else {
             BIO_indent(bio, indent + 4, 80);
@@ -758,8 +755,7 @@ static int ssl_print_extensions(BIO *bio, int indent, int server,
         if (msglen < extlen + 4)
             return 0;
         msg += 4;
-        if (!ssl_print_extension(bio, indent + 2, server,
-                                 extype, msg, extlen))
+        if (!ssl_print_extension(bio, indent + 2, server, extype, msg, extlen))
             return 0;
         msg += extlen;
         msglen -= extlen + 4;
@@ -823,8 +819,7 @@ static int ssl_print_client_hello(BIO *bio, SSL *ssl, int indent,
 }
 
 static int dtls_print_hello_vfyrequest(BIO *bio, int indent,
-                                       const unsigned char *msg,
-                                       size_t msglen)
+                                       const unsigned char *msg, size_t msglen)
 {
     if (!ssl_print_version(bio, indent, "server_version", &msg, &msglen))
         return 0;
@@ -928,8 +923,7 @@ static int ssl_print_client_keyex(BIO *bio, int indent, SSL *ssl,
                           "EncyptedPreMasterSecret", msg, msglen);
         } else {
             if (!ssl_print_hexbuf(bio, indent + 2,
-                                  "EncyptedPreMasterSecret", 2,
-                                  &msg, &msglen))
+                                  "EncyptedPreMasterSecret", 2, &msg, &msglen))
                 return 0;
         }
         break;
@@ -967,8 +961,7 @@ static int ssl_print_server_keyex(BIO *bio, int indent, SSL *ssl,
     switch (id) {
     case SSL_kRSA:
 
-        if (!ssl_print_hexbuf(bio, indent + 2, "rsa_modulus", 2,
-                              &msg, &msglen))
+        if (!ssl_print_hexbuf(bio, indent + 2, "rsa_modulus", 2, &msg, &msglen))
             return 0;
         if (!ssl_print_hexbuf(bio, indent + 2, "rsa_exponent", 2,
                               &msg, &msglen))
@@ -985,7 +978,7 @@ static int ssl_print_server_keyex(BIO *bio, int indent, SSL *ssl,
             return 0;
         break;
 
-#ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_EC
     case SSL_kECDHE:
     case SSL_kECDHEPSK:
         if (msglen < 1)
@@ -1011,7 +1004,7 @@ static int ssl_print_server_keyex(BIO *bio, int indent, SSL *ssl,
             return 0;
         }
         break;
-#endif
+# endif
 
     case SSL_kPSK:
     case SSL_kRSAPSK:
@@ -1292,8 +1285,7 @@ void SSL_trace(int write_p, int version, int content_type,
     if (write_p == 2) {
         BIO_puts(bio, "Session ");
         ssl_print_hex(bio, 0,
-                      ssl_trace_str(content_type, ssl_crypto_tbl),
-                      msg, msglen);
+                      ssl_trace_str(content_type, ssl_crypto_tbl), msg, msglen);
         return;
     }
     switch (content_type) {
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index 08e22df..06e5e5b 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -13,7 +13,7 @@
 #include "ssl_locl.h"
 
 #ifndef OPENSSL_NO_SRP
-#include <openssl/srp.h>
+# include <openssl/srp.h>
 
 int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
 {
@@ -325,8 +325,7 @@ int srp_generate_client_master_secret(SSL *s)
         goto err;
     if (!
         (passwd =
-         s->srp_ctx.SRP_give_srp_client_pwd_callback(s,
-                                                     s->srp_ctx.SRP_cb_arg)))
+         s->srp_ctx.SRP_give_srp_client_pwd_callback(s, s->srp_ctx.SRP_cb_arg)))
         goto err;
     if ((x = SRP_Calc_x(s->srp_ctx.s, s->srp_ctx.login, passwd)) == NULL)
         goto err;
@@ -388,8 +387,7 @@ int SRP_Calc_A_param(SSL *s)
     s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
     OPENSSL_cleanse(rnd, sizeof(rnd));
 
-    if (!
-        (s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
+    if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
         return 0;
 
     return 1;
diff --git a/util/indent.pro b/util/indent.pro
index 2d44e6e..932c9b0 100644
--- a/util/indent.pro
+++ b/util/indent.pro
@@ -14,7 +14,7 @@
 -i4
 -il1
 -ip0
--l78
+-l80
 -lp
 -nbad
 -nbc
@@ -107,6 +107,7 @@
 -T BIGNUM
 -T BIO
 -T BIO_ACCEPT
+-T BIO_ADDR
 -T BIO_ASN1_BUF_CTX
 -T BIO_ASN1_EX_FUNCS
 -T BIO_B64_CTX
@@ -362,6 +363,7 @@
 -T OPENSSL_PSTRING
 -T OPENSSL_STRING
 -T OPENSSL_STRING
+-T OSSL_ASYNC_FD
 -T OTHERNAME
 -T P256_POINT
 -T P256_POINT_AFFINE
@@ -442,6 +444,7 @@
 -T SSL_COMP
 -T SSL_CONF_CTX
 -T SSL_CTX
+-T SSL_DANE
 -T SSL_EXCERT
 -T SSL_METHOD
 -T SSL_SESSION
@@ -727,3 +730,5 @@
 -T ASYNC_JOB
 -T intmax_t
 -T uintmax_t
+-T pqueue
+-T danetls_record


More information about the openssl-commits mailing list