Apply a large dose of KNF.

2 files changed, 404 insertions, 252 deletions

diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c
index af29cfc7ff..101da82b56 100644
--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.36 2014/07/11 09:24:44 beck Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.37 2014/07/12 23:59:11 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -135,12 +135,13 @@
  * OTHERWISE.
  */
 
-#include <stdio.h>
 #include <openssl/lhash.h>
 #include <openssl/rand.h>
+
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
+
 #include "ssl_locl.h"
 
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
@@ -159,14 +160,18 @@ SSL_SESSION *
 SSL_get1_session(SSL *ssl)
 {
         SSL_SESSION *sess;
-        /* Need to lock this all up rather than just use CRYPTO_add so that
+
+        /*
+         * Need to lock this all up rather than just use CRYPTO_add so that
          * somebody doesn't free ssl->session between when we check it's
-         * non-null and when we up the reference count. */
+         * non-null and when we up the reference count.
+         */
         CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
         sess = ssl->session;
         if (sess)
                 sess->references++;
         CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
+
         return (sess);
 }
 
@@ -174,8 +179,8 @@ int
 SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
 {
-        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp,
-        new_func, dup_func, free_func);
+        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION,
+            argl, argp, new_func, dup_func, free_func);
 }
 
 int
@@ -213,7 +218,9 @@ SSL_SESSION_new(void)
         ss->tlsext_ecpointformatlist = NULL;
         ss->tlsext_ellipticcurvelist_length = 0;
         ss->tlsext_ellipticcurvelist = NULL;
+
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
+
         return (ss);
 }
 
@@ -231,28 +238,34 @@ SSL_SESSION_get_compress_id(const SSL_SESSION *s)
         return 0;
 }
 
-/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
- * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
- * until we have no conflict is going to complete in one iteration pretty much
- * "most" of the time (btw: understatement). So, if it takes us 10 iterations
- * and we still can't avoid a conflict - well that's a reasonable point to call
- * it quits. Either the RAND code is broken or someone is trying to open roughly
- * very close to 2^128 (or 2^256) SSL sessions to our server. How you might
- * store that many sessions is perhaps a more interesting question ... */
+/*
+ * Even with SSLv2, we have 16 bytes (128 bits) of session ID space.
+ * SSLv3/TLSv1 has 32 bytes (256 bits). As such, filling the ID with random
+ * gunk repeatedly until we have no conflict is going to complete in one
+ * iteration pretty much "most" of the time (btw: understatement). So, if it
+ * takes us 10 iterations and we still can't avoid a conflict - well that's a
+ * reasonable point to call it quits. Either the RAND code is broken or someone
+ * is trying to open roughly very close to 2^128 (or 2^256) SSL sessions to our
+ * server. How you might store that many sessions is perhaps a more interesting
+ * question...
+ */
 
 #define MAX_SESS_ID_ATTEMPTS 10
+
 static int
-def_generate_session_id(const SSL *ssl, unsigned char *id,
-    unsigned int *id_len)
+def_generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len)
 {
         unsigned int retry = 0;
-        do
-        if (RAND_pseudo_bytes(id, *id_len) <= 0)
-                return 0;
-        while (SSL_has_matching_session_id(ssl, id, *id_len) &&
-        (++retry < MAX_SESS_ID_ATTEMPTS));
+
+        do {
+                if (RAND_pseudo_bytes(id, *id_len) <= 0)
+                        return 0;
+        } while (SSL_has_matching_session_id(ssl, id, *id_len) &&
+            (++retry < MAX_SESS_ID_ATTEMPTS));
+
         if (retry < MAX_SESS_ID_ATTEMPTS)
                 return 1;
+
         /* else - woops a session_id match */
         /* XXX We should also check the external cache --
          * but the probability of a collision is negligible, and
@@ -268,13 +281,14 @@ def_generate_session_id(const SSL *ssl, unsigned char *id,
 int
 ssl_get_new_session(SSL *s, int session)
 {
-        /* This gets used by clients and servers. */
-
         unsigned int tmp;
         SSL_SESSION *ss = NULL;
         GEN_SESSION_CB cb = def_generate_session_id;
 
-        if ((ss = SSL_SESSION_new()) == NULL) return (0);
+        /* This gets used by clients and servers. */
+
+        if ((ss = SSL_SESSION_new()) == NULL)
+                return (0);
 
         /* If the context has a default timeout, use it */
         if (s->session_ctx->session_timeout == 0)
@@ -304,19 +318,22 @@ ssl_get_new_session(SSL *s, int session)
                         SSL_SESSION_free(ss);
                         return (0);
                 }
-                /* If RFC4507 ticket use empty session ID */
+
+                /* If RFC4507 ticket use empty session ID. */
                 if (s->tlsext_ticket_expected) {
                         ss->session_id_length = 0;
                         goto sess_id_done;
                 }
-                /* Choose which callback will set the session ID */
+
+                /* Choose which callback will set the session ID. */
                 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
                 if (s->generate_session_id)
                         cb = s->generate_session_id;
                 else if (s->session_ctx->generate_session_id)
                         cb = s->session_ctx->generate_session_id;
                 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
-                /* Choose a session ID */
+
+                /* Choose a session ID. */
                 tmp = ss->session_id_length;
                 if (!cb(s, ss->session_id, &tmp)) {
                         /* The callback failed */
@@ -325,8 +342,11 @@ ssl_get_new_session(SSL *s, int session)
                         SSL_SESSION_free(ss);
                         return (0);
                 }
-                /* Don't allow the callback to set the session length to zero.
-                 * nor set it higher than it was. */
+
+                /*
+                 * Don't allow the callback to set the session length to zero.
+                 * nor set it higher than it was.
+                 */
                 if (!tmp || (tmp > ss->session_id_length)) {
                         /* The callback set an illegal length */
                         SSLerr(SSL_F_SSL_GET_NEW_SESSION,
@@ -335,7 +355,8 @@ ssl_get_new_session(SSL *s, int session)
                         return (0);
                 }
                 ss->session_id_length = tmp;
-                /* Finally, check for a conflict */
+
+                /* Finally, check for a conflict. */
                 if (SSL_has_matching_session_id(s, ss->session_id,
                         ss->session_id_length)) {
                         SSLerr(SSL_F_SSL_GET_NEW_SESSION,
@@ -343,11 +364,13 @@ ssl_get_new_session(SSL *s, int session)
                         SSL_SESSION_free(ss);
                         return (0);
                 }
-                sess_id_done:
+
+sess_id_done:
                 if (s->tlsext_hostname) {
                         ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
                         if (ss->tlsext_hostname == NULL) {
-                                SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
+                                SSLerr(SSL_F_SSL_GET_NEW_SESSION,
+                                    ERR_R_INTERNAL_ERROR);
                                 SSL_SESSION_free(ss);
                                 return 0;
                         }
@@ -381,6 +404,7 @@ ssl_get_new_session(SSL *s, int session)
                 SSL_SESSION_free(ss);
                 return 0;
         }
+
         memcpy(ss->sid_ctx, s->sid_ctx, s->sid_ctx_length);
         ss->sid_ctx_length = s->sid_ctx_length;
         s->session = ss;
@@ -390,7 +414,8 @@ ssl_get_new_session(SSL *s, int session)
         return (1);
 }
 
-/* ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
+/*
+ * ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
  * connection. It is only called by servers.
  *
  *   session_id: points at the session ID in the ClientHello. This code will
@@ -404,29 +429,31 @@ ssl_get_new_session(SSL *s, int session)
  *    0: a session may have been found.
  *
  * Side effects:
- *   - If a session is found then s->session is pointed at it (after freeing an
- *     existing session if need be) and s->verify_result is set from the session.
- *   - Both for new and resumed sessions, s->tlsext_ticket_expected is set to 1
- *     if the server should issue a new session ticket (to 0 otherwise).
+ *   - If a session is found then s->session is pointed at it (after freeing
+ *     an existing session if need be) and s->verify_result is set from the
+ *     session.
+ *   - Both for new and resumed sessions, s->tlsext_ticket_expected is set
+ *     to 1 if the server should issue a new session ticket (to 0 otherwise).
  */
 int
 ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
     const unsigned char *limit)
 {
-        /* This is used only by servers. */
-
         SSL_SESSION *ret = NULL;
         int fatal = 0;
         int try_session_cache = 1;
         int r;
 
+        /* This is used only by servers. */
+
         if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
                 goto err;
 
         if (len == 0)
                 try_session_cache = 0;
 
-        r = tls1_process_ticket(s, session_id, len, limit, &ret); /* sets s->tlsext_ticket_expected */
+        /* Sets s->tlsext_ticket_expected. */
+        r = tls1_process_ticket(s, session_id, len, limit, &ret);
         switch (r) {
         case -1: /* Error during processing */
                 fatal = 1;
@@ -442,48 +469,60 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
                 abort();
         }
 
-        if (try_session_cache &&
-                ret == NULL &&
-        !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
+        if (try_session_cache && ret == NULL &&
+            !(s->session_ctx->session_cache_mode &
+             SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
                 SSL_SESSION data;
                 data.ssl_version = s->version;
                 data.session_id_length = len;
                 if (len == 0)
                         return 0;
                 memcpy(data.session_id, session_id, len);
+
                 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
                 ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data);
                 if (ret != NULL) {
-                        /* don't allow other threads to steal it: */
-                        CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_SSL_SESSION);
+                        /* Don't allow other threads to steal it. */
+                        CRYPTO_add(&ret->references, 1,
+                            CRYPTO_LOCK_SSL_SESSION);
                 }
                 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+
                 if (ret == NULL)
                         s->session_ctx->stats.sess_miss++;
         }
 
-        if (try_session_cache &&
-                ret == NULL &&
-        s->session_ctx->get_session_cb != NULL) {
+        if (try_session_cache && ret == NULL &&
+            s->session_ctx->get_session_cb != NULL) {
                 int copy = 1;
 
-                if ((ret = s->session_ctx->get_session_cb(s, session_id, len, &copy))) {
+                if ((ret = s->session_ctx->get_session_cb(s, session_id,
+                    len, &copy))) {
                         s->session_ctx->stats.sess_cb_hit++;
 
-                        /* Increment reference count now if the session callback
-                         * asks us to do so (note that if the session structures
-                         * returned by the callback are shared between threads,
-                         * it must handle the reference count itself [i.e. copy == 0],
-                         * or things won't be thread-safe). */
+                        /*
+                         * Increment reference count now if the session
+                         * callback asks us to do so (note that if the session
+                         * structures returned by the callback are shared
+                         * between threads, it must handle the reference count
+                         * itself [i.e. copy == 0], or things won't be
+                         * thread-safe).
+                         */
                         if (copy)
-                                CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_SSL_SESSION);
-
-                        /* Add the externally cached session to the internal
-                         * cache as well if and only if we are supposed to. */
-                        if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
-                                /* The following should not return 1, otherwise,
-                                 * things are very strange */
-                        SSL_CTX_add_session(s->session_ctx, ret);
+                                CRYPTO_add(&ret->references, 1,
+                                    CRYPTO_LOCK_SSL_SESSION);
+
+                        /*
+                         * Add the externally cached session to the internal
+                         * cache as well if and only if we are supposed to.
+                         */
+                        if (!(s->session_ctx->session_cache_mode &
+                            SSL_SESS_CACHE_NO_INTERNAL_STORE))
+                                /*
+                                 * The following should not return 1,
+                                 * otherwise, things are very strange.
+                                 */
+                                SSL_CTX_add_session(s->session_ctx, ret);
                 }
         }
 
@@ -492,25 +531,28 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
 
         /* Now ret is non-NULL and we own one of its reference counts. */
 
-        if (ret->sid_ctx_length != s->sid_ctx_length
-            || timingsafe_memcmp(ret->sid_ctx, s->sid_ctx, ret->sid_ctx_length) != 0) {
+        if (ret->sid_ctx_length != s->sid_ctx_length ||
+            timingsafe_memcmp(ret->sid_ctx,
+                s->sid_ctx, ret->sid_ctx_length) != 0) {
                 /* We have the session requested by the client, but we don't
                  * want to use it in this context. */
                 goto err; /* treat like cache miss */
         }
 
         if ((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) {
-                /* We can't be sure if this session is being used out of
+                /*
+                 * We can't be sure if this session is being used out of
                  * context, which is especially important for SSL_VERIFY_PEER.
-                 * The application should have used SSL[_CTX]_set_session_id_context.
+                 * The application should have used
+                 * SSL[_CTX]_set_session_id_context.
                  *
                  * For this error case, we generate an error instead of treating
                  * the event like a cache miss (otherwise it would be easy for
                  * applications to effectively disable the session cache by
                  * accident without anyone noticing).
                  */
-
-                SSLerr(SSL_F_SSL_GET_PREV_SESSION, SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
+                SSLerr(SSL_F_SSL_GET_PREV_SESSION,
+                    SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
                 fatal = 1;
                 goto err;
         }
@@ -522,16 +564,18 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
                 p = buf;
                 l = ret->cipher_id;
                 l2n(l, p);
+
                 if ((ret->ssl_version >> 8) >= SSL3_VERSION_MAJOR)
                         ret->cipher = ssl_get_cipher_by_char(s, &(buf[2]));
                 else
                         ret->cipher = ssl_get_cipher_by_char(s, &(buf[1]));
+
                 if (ret->cipher == NULL)
                         goto err;
         }
 
-        if (ret->timeout < (time(NULL) - ret->time)) /* timeout */
-        {
+        if (ret->timeout < (time(NULL) - ret->time)) {
+                /* timeout */
                 s->session_ctx->stats.sess_timeout++;
                 if (try_session_cache) {
                         /* session was from the cache, so remove it */
@@ -548,12 +592,14 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
         s->verify_result = s->session->verify_result;
         return 1;
 
-        err:
+err:
         if (ret != NULL) {
                 SSL_SESSION_free(ret);
                 if (!try_session_cache) {
-                        /* The session was from a ticket, so we should
-                         * issue a ticket for the new session */
+                        /*
+                         * The session was from a ticket, so we should
+                         * issue a ticket for the new session.
+                         */
                         s->tlsext_ticket_expected = 1;
                 }
         }
@@ -569,27 +615,36 @@ SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
         int ret = 0;
         SSL_SESSION *s;
 
-        /* add just 1 reference count for the SSL_CTX's session cache
+        /*
+         * Add just 1 reference count for the SSL_CTX's session cache
          * even though it has two ways of access: each session is in a
-         * doubly linked list and an lhash */
+         * doubly linked list and an lhash.
+         */
         CRYPTO_add(&c->references, 1, CRYPTO_LOCK_SSL_SESSION);
-        /* if session c is in already in cache, we take back the increment later */
 
+        /*
+         * If session c is in already in cache, we take back the increment
+         * later.
+         */
         CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
         s = lh_SSL_SESSION_insert(ctx->sessions, c);
 
-        /* s != NULL iff we already had a session with the given PID.
+        /*
+         * s != NULL iff we already had a session with the given PID.
          * In this case, s == c should hold (then we did not really modify
-         * ctx->sessions), or we're in trouble. */
+         * ctx->sessions), or we're in trouble.
+         */
         if (s != NULL && s != c) {
                 /* We *are* in trouble ... */
                 SSL_SESSION_list_remove(ctx, s);
                 SSL_SESSION_free(s);
-                /* ... so pretend the other session did not exist in cache
+                /*
+                 * ... so pretend the other session did not exist in cache
                  * (we cannot handle two SSL_SESSION structures with identical
                  * session ID in the same cache, which could happen e.g. when
-                 * two threads concurrently obtain the same session from an external
-                 * cache) */
+                 * two threads concurrently obtain the same session from an
+                 * external cache).
+                 */
                 s = NULL;
         }
 
@@ -598,22 +653,27 @@ SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
                 SSL_SESSION_list_add(ctx, c);
 
         if (s != NULL) {
-                /* existing cache entry -- decrement previously incremented reference
-                 * count because it already takes into account the cache */
-
+                /*
+                 * existing cache entry -- decrement previously incremented
+                 * reference count because it already takes into account the
+                 * cache.
+                 */
                 SSL_SESSION_free(s); /* s == c */
                 ret = 0;
         } else {
-                /* new cache entry -- remove old ones if cache has become too large */
+                /*
+                 * New cache entry -- remove old ones if cache has become
+                 * too large.
+                 */
 
                 ret = 1;
 
                 if (SSL_CTX_sess_get_cache_size(ctx) > 0) {
                         while (SSL_CTX_sess_number(ctx) >
-                        SSL_CTX_sess_get_cache_size(ctx)) {
+                            SSL_CTX_sess_get_cache_size(ctx)) {
                                 if (!remove_session_lock(ctx,
-                                        ctx->session_cache_tail, 0))
-                                break;
+                                    ctx->session_cache_tail, 0))
+                                        break;
                                 else
                                         ctx->stats.sess_cache_full++;
                         }
@@ -638,12 +698,11 @@ remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
         if ((c != NULL) && (c->session_id_length != 0)) {
                 if (lck)
                         CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-                        if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) == c) {
+                if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) == c) {
                         ret = 1;
                         r = lh_SSL_SESSION_delete(ctx->sessions, c);
                         SSL_SESSION_list_remove(ctx, c);
                 }
-
                 if (lck)
                         CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
 
@@ -701,7 +760,8 @@ SSL_set_session(SSL *s, SSL_SESSION *session)
                 if (meth == NULL)
                         meth = s->method->get_ssl_method(session->ssl_version);
                 if (meth == NULL) {
-                        SSLerr(SSL_F_SSL_SET_SESSION, SSL_R_UNABLE_TO_FIND_SSL_METHOD);
+                        SSLerr(SSL_F_SSL_SET_SESSION,
+                            SSL_R_UNABLE_TO_FIND_SSL_METHOD);
                         return (0);
                 }
 
@@ -782,7 +842,8 @@ SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
     unsigned int sid_ctx_len)
 {
         if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
-                SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
+                SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT,
+                    SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
                 return 0;
         }
         s->sid_ctx_length = sid_ctx_len;
@@ -795,10 +856,12 @@ long
 SSL_CTX_set_timeout(SSL_CTX *s, long t)
 {
         long l;
+
         if (s == NULL)
                 return (0);
         l = s->session_timeout;
         s->session_timeout = t;
+
         return (l);
 }
 
@@ -811,8 +874,9 @@ SSL_CTX_get_timeout(const SSL_CTX *s)
 }
 
 int
-SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
-    STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
+SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s,
+    void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers,
+    SSL_CIPHER **cipher, void *arg), void *arg)
 {
         if (s == NULL)
                 return (0);
@@ -837,16 +901,20 @@ SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
 {
         if (s->version >= TLS1_VERSION) {
                 free(s->tlsext_session_ticket);
-                s->tlsext_session_ticket = malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
+                s->tlsext_session_ticket =
+                    malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
                 if (!s->tlsext_session_ticket) {
-                        SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
+                        SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT,
+                            ERR_R_MALLOC_FAILURE);
                         return 0;
                 }
 
                 if (ext_data) {
                         s->tlsext_session_ticket->length = ext_len;
-                        s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
-                        memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
+                        s->tlsext_session_ticket->data =
+                            s->tlsext_session_ticket + 1;
+                        memcpy(s->tlsext_session_ticket->data,
+                            ext_data, ext_len);
                 } else {
                         s->tlsext_session_ticket->length = 0;
                         s->tlsext_session_ticket->data = NULL;
@@ -867,8 +935,8 @@ typedef struct timeout_param_st {
 static void
 timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
 {
-        if ((p->time == 0) || (p->time > (s->time + s->timeout))) /* timeout */
-        {
+        if ((p->time == 0) || (p->time > (s->time + s->timeout))) {
+                /* timeout */
                 /* The reason we don't call SSL_CTX_remove_session() is to
                  * save on locking overhead */
                 (void)lh_SSL_SESSION_delete(p->cache, s);
@@ -907,9 +975,8 @@ SSL_CTX_flush_sessions(SSL_CTX *s, long t)
 int
 ssl_clear_bad_session(SSL *s)
 {
-        if ((s->session != NULL) &&
-                !(s->shutdown & SSL_SENT_SHUTDOWN) &&
-        !(SSL_in_init(s) || SSL_in_before(s))) {
+        if ((s->session != NULL) && !(s->shutdown & SSL_SENT_SHUTDOWN) &&
+            !(SSL_in_init(s) || SSL_in_before(s))) {
                 SSL_CTX_remove_session(s->ctx, s->session);
                 return (1);
         } else
@@ -920,26 +987,28 @@ ssl_clear_bad_session(SSL *s)
 static void
 SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
 {
-        if ((s->next == NULL)
-                || (s->prev == NULL)) return;
+        if ((s->next == NULL) || (s->prev == NULL))
+                return;
 
-        if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
-                        { /* last element in list */
-                if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
-                                { /* only one element in list */
+        if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) {
+                /* last element in list */
+                if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) {
+                        /* only one element in list */
                         ctx->session_cache_head = NULL;
                         ctx->session_cache_tail = NULL;
                 } else {
                         ctx->session_cache_tail = s->prev;
-                        s->prev->next = (SSL_SESSION *)&(ctx->session_cache_tail);
+                        s->prev->next =
+                            (SSL_SESSION *)&(ctx->session_cache_tail);
                 }
         } else {
-                if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
-                                { /* first element in list */
+                if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) {
+                        /* first element in list */
                         ctx->session_cache_head = s->next;
-                        s->next->prev = (SSL_SESSION *)&(ctx->session_cache_head);
-                } else
-                                { /* middle of list */
+                        s->next->prev =
+                            (SSL_SESSION *)&(ctx->session_cache_head);
+                } else {
+                        /* middle of list */
                         s->next->prev = s->prev;
                         s->prev->next = s->next;
                 }
@@ -972,7 +1041,8 @@ SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
         ctx->new_session_cb = cb;
 }
 
-int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
+int
+(*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
 {
         return ctx->new_session_cb;
 }
@@ -984,21 +1054,22 @@ SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
         ctx->remove_session_cb = cb;
 }
 
-void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx, SSL_SESSION *sess)
+void
+(*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx, SSL_SESSION *sess)
 {
         return ctx->remove_session_cb;
 }
 
 void
-SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
-    SSL_SESSION *(*cb)(struct ssl_st *ssl,
-unsigned char *data, int len, int *copy))
+SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(struct ssl_st *ssl,
+    unsigned char *data, int len, int *copy))
 {
         ctx->get_session_cb = cb;
 }
 
-SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl,
-    unsigned char *data, int len, int *copy)
+SSL_SESSION *
+(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, unsigned char *data,
+    int len, int *copy)
 {
         return ctx->get_session_cb;
 }
@@ -1010,7 +1081,8 @@ SSL_CTX_set_info_callback(SSL_CTX *ctx,
         ctx->info_callback = cb;
 }
 
-void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, int val)
+void
+(*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, int val)
 {
         return ctx->info_callback;
 }
@@ -1022,7 +1094,9 @@ SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
         ctx->client_cert_cb = cb;
 }
 
-int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PKEY **pkey)
+int
+(*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509,
+    EVP_PKEY **pkey)
 {
         return ctx->client_cert_cb;
 }
@@ -1032,11 +1106,13 @@ int
 SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
 {
         if (!ENGINE_init(e)) {
-                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
+                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE,
+                    ERR_R_ENGINE_LIB);
                 return 0;
         }
         if (!ENGINE_get_ssl_client_cert_function(e)) {
-                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
+                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE,
+                    SSL_R_NO_CLIENT_CERT_METHOD);
                 ENGINE_finish(e);
                 return 0;
         }
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index af29cfc7ff..101da82b56 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.36 2014/07/11 09:24:44 beck Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.37 2014/07/12 23:59:11 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -135,12 +135,13 @@
  * OTHERWISE.
  */
 
-#include <stdio.h>
 #include <openssl/lhash.h>
 #include <openssl/rand.h>
+
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
+
 #include "ssl_locl.h"
 
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
@@ -159,14 +160,18 @@ SSL_SESSION *
 SSL_get1_session(SSL *ssl)
 {
         SSL_SESSION *sess;
-        /* Need to lock this all up rather than just use CRYPTO_add so that
+
+        /*
+         * Need to lock this all up rather than just use CRYPTO_add so that
          * somebody doesn't free ssl->session between when we check it's
-         * non-null and when we up the reference count. */
+         * non-null and when we up the reference count.
+         */
         CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
         sess = ssl->session;
         if (sess)
                 sess->references++;
         CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
+
         return (sess);
 }
 
@@ -174,8 +179,8 @@ int
 SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
 {
-        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp,
-        new_func, dup_func, free_func);
+        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION,
+            argl, argp, new_func, dup_func, free_func);
 }
 
 int
@@ -213,7 +218,9 @@ SSL_SESSION_new(void)
         ss->tlsext_ecpointformatlist = NULL;
         ss->tlsext_ellipticcurvelist_length = 0;
         ss->tlsext_ellipticcurvelist = NULL;
+
         CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
+
         return (ss);
 }
 
@@ -231,28 +238,34 @@ SSL_SESSION_get_compress_id(const SSL_SESSION *s)
         return 0;
 }
 
-/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
- * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
- * until we have no conflict is going to complete in one iteration pretty much
- * "most" of the time (btw: understatement). So, if it takes us 10 iterations
- * and we still can't avoid a conflict - well that's a reasonable point to call
- * it quits. Either the RAND code is broken or someone is trying to open roughly
- * very close to 2^128 (or 2^256) SSL sessions to our server. How you might
- * store that many sessions is perhaps a more interesting question ... */
+/*
+ * Even with SSLv2, we have 16 bytes (128 bits) of session ID space.
+ * SSLv3/TLSv1 has 32 bytes (256 bits). As such, filling the ID with random
+ * gunk repeatedly until we have no conflict is going to complete in one
+ * iteration pretty much "most" of the time (btw: understatement). So, if it
+ * takes us 10 iterations and we still can't avoid a conflict - well that's a
+ * reasonable point to call it quits. Either the RAND code is broken or someone
+ * is trying to open roughly very close to 2^128 (or 2^256) SSL sessions to our
+ * server. How you might store that many sessions is perhaps a more interesting
+ * question...
+ */
 
 #define MAX_SESS_ID_ATTEMPTS 10
+
 static int
-def_generate_session_id(const SSL *ssl, unsigned char *id,
-    unsigned int *id_len)
+def_generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len)
 {
         unsigned int retry = 0;
-        do
-        if (RAND_pseudo_bytes(id, *id_len) <= 0)
-                return 0;
-        while (SSL_has_matching_session_id(ssl, id, *id_len) &&
-        (++retry < MAX_SESS_ID_ATTEMPTS));
+
+        do {
+                if (RAND_pseudo_bytes(id, *id_len) <= 0)
+                        return 0;
+        } while (SSL_has_matching_session_id(ssl, id, *id_len) &&
+            (++retry < MAX_SESS_ID_ATTEMPTS));
+
         if (retry < MAX_SESS_ID_ATTEMPTS)
                 return 1;
+
         /* else - woops a session_id match */
         /* XXX We should also check the external cache --
          * but the probability of a collision is negligible, and
@@ -268,13 +281,14 @@ def_generate_session_id(const SSL *ssl, unsigned char *id,
 int
 ssl_get_new_session(SSL *s, int session)
 {
-        /* This gets used by clients and servers. */
-
         unsigned int tmp;
         SSL_SESSION *ss = NULL;
         GEN_SESSION_CB cb = def_generate_session_id;
 
-        if ((ss = SSL_SESSION_new()) == NULL) return (0);
+        /* This gets used by clients and servers. */
+
+        if ((ss = SSL_SESSION_new()) == NULL)
+                return (0);
 
         /* If the context has a default timeout, use it */
         if (s->session_ctx->session_timeout == 0)
@@ -304,19 +318,22 @@ ssl_get_new_session(SSL *s, int session)
                         SSL_SESSION_free(ss);
                         return (0);
                 }
-                /* If RFC4507 ticket use empty session ID */
+
+                /* If RFC4507 ticket use empty session ID. */
                 if (s->tlsext_ticket_expected) {
                         ss->session_id_length = 0;
                         goto sess_id_done;
                 }
-                /* Choose which callback will set the session ID */
+
+                /* Choose which callback will set the session ID. */
                 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
                 if (s->generate_session_id)
                         cb = s->generate_session_id;
                 else if (s->session_ctx->generate_session_id)
                         cb = s->session_ctx->generate_session_id;
                 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
-                /* Choose a session ID */
+
+                /* Choose a session ID. */
                 tmp = ss->session_id_length;
                 if (!cb(s, ss->session_id, &tmp)) {
                         /* The callback failed */
@@ -325,8 +342,11 @@ ssl_get_new_session(SSL *s, int session)
                         SSL_SESSION_free(ss);
                         return (0);
                 }
-                /* Don't allow the callback to set the session length to zero.
-                 * nor set it higher than it was. */
+
+                /*
+                 * Don't allow the callback to set the session length to zero.
+                 * nor set it higher than it was.
+                 */
                 if (!tmp || (tmp > ss->session_id_length)) {
                         /* The callback set an illegal length */
                         SSLerr(SSL_F_SSL_GET_NEW_SESSION,
@@ -335,7 +355,8 @@ ssl_get_new_session(SSL *s, int session)
                         return (0);
                 }
                 ss->session_id_length = tmp;
-                /* Finally, check for a conflict */
+
+                /* Finally, check for a conflict. */
                 if (SSL_has_matching_session_id(s, ss->session_id,
                         ss->session_id_length)) {
                         SSLerr(SSL_F_SSL_GET_NEW_SESSION,
@@ -343,11 +364,13 @@ ssl_get_new_session(SSL *s, int session)
                         SSL_SESSION_free(ss);
                         return (0);
                 }
-                sess_id_done:
+
+sess_id_done:
                 if (s->tlsext_hostname) {
                         ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
                         if (ss->tlsext_hostname == NULL) {
-                                SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
+                                SSLerr(SSL_F_SSL_GET_NEW_SESSION,
+                                    ERR_R_INTERNAL_ERROR);
                                 SSL_SESSION_free(ss);
                                 return 0;
                         }
@@ -381,6 +404,7 @@ ssl_get_new_session(SSL *s, int session)
                 SSL_SESSION_free(ss);
                 return 0;
         }
+
         memcpy(ss->sid_ctx, s->sid_ctx, s->sid_ctx_length);
         ss->sid_ctx_length = s->sid_ctx_length;
         s->session = ss;
@@ -390,7 +414,8 @@ ssl_get_new_session(SSL *s, int session)
         return (1);
 }
 
-/* ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
+/*
+ * ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
  * connection. It is only called by servers.
  *
  *   session_id: points at the session ID in the ClientHello. This code will
@@ -404,29 +429,31 @@ ssl_get_new_session(SSL *s, int session)
  *    0: a session may have been found.
  *
  * Side effects:
- *   - If a session is found then s->session is pointed at it (after freeing an
- *     existing session if need be) and s->verify_result is set from the session.
- *   - Both for new and resumed sessions, s->tlsext_ticket_expected is set to 1
- *     if the server should issue a new session ticket (to 0 otherwise).
+ *   - If a session is found then s->session is pointed at it (after freeing
+ *     an existing session if need be) and s->verify_result is set from the
+ *     session.
+ *   - Both for new and resumed sessions, s->tlsext_ticket_expected is set
+ *     to 1 if the server should issue a new session ticket (to 0 otherwise).
  */
 int
 ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
     const unsigned char *limit)
 {
-        /* This is used only by servers. */
-
         SSL_SESSION *ret = NULL;
         int fatal = 0;
         int try_session_cache = 1;
         int r;
 
+        /* This is used only by servers. */
+
         if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
                 goto err;
 
         if (len == 0)
                 try_session_cache = 0;
 
-        r = tls1_process_ticket(s, session_id, len, limit, &ret); /* sets s->tlsext_ticket_expected */
+        /* Sets s->tlsext_ticket_expected. */
+        r = tls1_process_ticket(s, session_id, len, limit, &ret);
         switch (r) {
         case -1: /* Error during processing */
                 fatal = 1;
@@ -442,48 +469,60 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
                 abort();
         }
 
-        if (try_session_cache &&
-                ret == NULL &&
-        !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
+        if (try_session_cache && ret == NULL &&
+            !(s->session_ctx->session_cache_mode &
+             SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
                 SSL_SESSION data;
                 data.ssl_version = s->version;
                 data.session_id_length = len;
                 if (len == 0)
                         return 0;
                 memcpy(data.session_id, session_id, len);
+
                 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
                 ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data);
                 if (ret != NULL) {
-                        /* don't allow other threads to steal it: */
-                        CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_SSL_SESSION);
+                        /* Don't allow other threads to steal it. */
+                        CRYPTO_add(&ret->references, 1,
+                            CRYPTO_LOCK_SSL_SESSION);
                 }
                 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+
                 if (ret == NULL)
                         s->session_ctx->stats.sess_miss++;
         }
 
-        if (try_session_cache &&
-                ret == NULL &&
-        s->session_ctx->get_session_cb != NULL) {
+        if (try_session_cache && ret == NULL &&
+            s->session_ctx->get_session_cb != NULL) {
                 int copy = 1;
 
-                if ((ret = s->session_ctx->get_session_cb(s, session_id, len, &copy))) {
+                if ((ret = s->session_ctx->get_session_cb(s, session_id,
+                    len, &copy))) {
                         s->session_ctx->stats.sess_cb_hit++;
 
-                        /* Increment reference count now if the session callback
-                         * asks us to do so (note that if the session structures
-                         * returned by the callback are shared between threads,
-                         * it must handle the reference count itself [i.e. copy == 0],
-                         * or things won't be thread-safe). */
+                        /*
+                         * Increment reference count now if the session
+                         * callback asks us to do so (note that if the session
+                         * structures returned by the callback are shared
+                         * between threads, it must handle the reference count
+                         * itself [i.e. copy == 0], or things won't be
+                         * thread-safe).
+                         */
                         if (copy)
-                                CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_SSL_SESSION);
-
-                        /* Add the externally cached session to the internal
-                         * cache as well if and only if we are supposed to. */
-                        if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
-                                /* The following should not return 1, otherwise,
-                                 * things are very strange */
-                        SSL_CTX_add_session(s->session_ctx, ret);
+                                CRYPTO_add(&ret->references, 1,
+                                    CRYPTO_LOCK_SSL_SESSION);
+
+                        /*
+                         * Add the externally cached session to the internal
+                         * cache as well if and only if we are supposed to.
+                         */
+                        if (!(s->session_ctx->session_cache_mode &
+                            SSL_SESS_CACHE_NO_INTERNAL_STORE))
+                                /*
+                                 * The following should not return 1,
+                                 * otherwise, things are very strange.
+                                 */
+                                SSL_CTX_add_session(s->session_ctx, ret);
                 }
         }
 
@@ -492,25 +531,28 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
 
         /* Now ret is non-NULL and we own one of its reference counts. */
 
-        if (ret->sid_ctx_length != s->sid_ctx_length
-            || timingsafe_memcmp(ret->sid_ctx, s->sid_ctx, ret->sid_ctx_length) != 0) {
+        if (ret->sid_ctx_length != s->sid_ctx_length ||
+            timingsafe_memcmp(ret->sid_ctx,
+                s->sid_ctx, ret->sid_ctx_length) != 0) {
                 /* We have the session requested by the client, but we don't
                  * want to use it in this context. */
                 goto err; /* treat like cache miss */
         }
 
         if ((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) {
-                /* We can't be sure if this session is being used out of
+                /*
+                 * We can't be sure if this session is being used out of
                  * context, which is especially important for SSL_VERIFY_PEER.
-                 * The application should have used SSL[_CTX]_set_session_id_context.
+                 * The application should have used
+                 * SSL[_CTX]_set_session_id_context.
                  *
                  * For this error case, we generate an error instead of treating
                  * the event like a cache miss (otherwise it would be easy for
                  * applications to effectively disable the session cache by
                  * accident without anyone noticing).
                  */
-
-                SSLerr(SSL_F_SSL_GET_PREV_SESSION, SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
+                SSLerr(SSL_F_SSL_GET_PREV_SESSION,
+                    SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
                 fatal = 1;
                 goto err;
         }
@@ -522,16 +564,18 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
                 p = buf;
                 l = ret->cipher_id;
                 l2n(l, p);
+
                 if ((ret->ssl_version >> 8) >= SSL3_VERSION_MAJOR)
                         ret->cipher = ssl_get_cipher_by_char(s, &(buf[2]));
                 else
                         ret->cipher = ssl_get_cipher_by_char(s, &(buf[1]));
+
                 if (ret->cipher == NULL)
                         goto err;
         }
 
-        if (ret->timeout < (time(NULL) - ret->time)) /* timeout */
-        {
+        if (ret->timeout < (time(NULL) - ret->time)) {
+                /* timeout */
                 s->session_ctx->stats.sess_timeout++;
                 if (try_session_cache) {
                         /* session was from the cache, so remove it */
@@ -548,12 +592,14 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
         s->verify_result = s->session->verify_result;
         return 1;
 
-        err:
+err:
         if (ret != NULL) {
                 SSL_SESSION_free(ret);
                 if (!try_session_cache) {
-                        /* The session was from a ticket, so we should
-                         * issue a ticket for the new session */
+                        /*
+                         * The session was from a ticket, so we should
+                         * issue a ticket for the new session.
+                         */
                         s->tlsext_ticket_expected = 1;
                 }
         }
@@ -569,27 +615,36 @@ SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
         int ret = 0;
         SSL_SESSION *s;
 
-        /* add just 1 reference count for the SSL_CTX's session cache
+        /*
+         * Add just 1 reference count for the SSL_CTX's session cache
          * even though it has two ways of access: each session is in a
-         * doubly linked list and an lhash */
+         * doubly linked list and an lhash.
+         */
         CRYPTO_add(&c->references, 1, CRYPTO_LOCK_SSL_SESSION);
-        /* if session c is in already in cache, we take back the increment later */
 
+        /*
+         * If session c is in already in cache, we take back the increment
+         * later.
+         */
         CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
         s = lh_SSL_SESSION_insert(ctx->sessions, c);
 
-        /* s != NULL iff we already had a session with the given PID.
+        /*
+         * s != NULL iff we already had a session with the given PID.
          * In this case, s == c should hold (then we did not really modify
-         * ctx->sessions), or we're in trouble. */
+         * ctx->sessions), or we're in trouble.
+         */
         if (s != NULL && s != c) {
                 /* We *are* in trouble ... */
                 SSL_SESSION_list_remove(ctx, s);
                 SSL_SESSION_free(s);
-                /* ... so pretend the other session did not exist in cache
+                /*
+                 * ... so pretend the other session did not exist in cache
                  * (we cannot handle two SSL_SESSION structures with identical
                  * session ID in the same cache, which could happen e.g. when
-                 * two threads concurrently obtain the same session from an external
-                 * cache) */
+                 * two threads concurrently obtain the same session from an
+                 * external cache).
+                 */
                 s = NULL;
         }
 
@@ -598,22 +653,27 @@ SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
                 SSL_SESSION_list_add(ctx, c);
 
         if (s != NULL) {
-                /* existing cache entry -- decrement previously incremented reference
-                 * count because it already takes into account the cache */
-
+                /*
+                 * existing cache entry -- decrement previously incremented
+                 * reference count because it already takes into account the
+                 * cache.
+                 */
                 SSL_SESSION_free(s); /* s == c */
                 ret = 0;
         } else {
-                /* new cache entry -- remove old ones if cache has become too large */
+                /*
+                 * New cache entry -- remove old ones if cache has become
+                 * too large.
+                 */
 
                 ret = 1;
 
                 if (SSL_CTX_sess_get_cache_size(ctx) > 0) {
                         while (SSL_CTX_sess_number(ctx) >
-                        SSL_CTX_sess_get_cache_size(ctx)) {
+                            SSL_CTX_sess_get_cache_size(ctx)) {
                                 if (!remove_session_lock(ctx,
-                                        ctx->session_cache_tail, 0))
-                                break;
+                                    ctx->session_cache_tail, 0))
+                                        break;
                                 else
                                         ctx->stats.sess_cache_full++;
                         }
@@ -638,12 +698,11 @@ remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
         if ((c != NULL) && (c->session_id_length != 0)) {
                 if (lck)
                         CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-                        if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) == c) {
+                if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) == c) {
                         ret = 1;
                         r = lh_SSL_SESSION_delete(ctx->sessions, c);
                         SSL_SESSION_list_remove(ctx, c);
                 }
-
                 if (lck)
                         CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
 
@@ -701,7 +760,8 @@ SSL_set_session(SSL *s, SSL_SESSION *session)
                 if (meth == NULL)
                         meth = s->method->get_ssl_method(session->ssl_version);
                 if (meth == NULL) {
-                        SSLerr(SSL_F_SSL_SET_SESSION, SSL_R_UNABLE_TO_FIND_SSL_METHOD);
+                        SSLerr(SSL_F_SSL_SET_SESSION,
+                            SSL_R_UNABLE_TO_FIND_SSL_METHOD);
                         return (0);
                 }
 
@@ -782,7 +842,8 @@ SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
     unsigned int sid_ctx_len)
 {
         if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
-                SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
+                SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT,
+                    SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
                 return 0;
         }
         s->sid_ctx_length = sid_ctx_len;
@@ -795,10 +856,12 @@ long
 SSL_CTX_set_timeout(SSL_CTX *s, long t)
 {
         long l;
+
         if (s == NULL)
                 return (0);
         l = s->session_timeout;
         s->session_timeout = t;
+
         return (l);
 }
 
@@ -811,8 +874,9 @@ SSL_CTX_get_timeout(const SSL_CTX *s)
 }
 
 int
-SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
-    STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
+SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s,
+    void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers,
+    SSL_CIPHER **cipher, void *arg), void *arg)
 {
         if (s == NULL)
                 return (0);
@@ -837,16 +901,20 @@ SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
 {
         if (s->version >= TLS1_VERSION) {
                 free(s->tlsext_session_ticket);
-                s->tlsext_session_ticket = malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
+                s->tlsext_session_ticket =
+                    malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
                 if (!s->tlsext_session_ticket) {
-                        SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
+                        SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT,
+                            ERR_R_MALLOC_FAILURE);
                         return 0;
                 }
 
                 if (ext_data) {
                         s->tlsext_session_ticket->length = ext_len;
-                        s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
-                        memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
+                        s->tlsext_session_ticket->data =
+                            s->tlsext_session_ticket + 1;
+                        memcpy(s->tlsext_session_ticket->data,
+                            ext_data, ext_len);
                 } else {
                         s->tlsext_session_ticket->length = 0;
                         s->tlsext_session_ticket->data = NULL;
@@ -867,8 +935,8 @@ typedef struct timeout_param_st {
 static void
 timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
 {
-        if ((p->time == 0) || (p->time > (s->time + s->timeout))) /* timeout */
-        {
+        if ((p->time == 0) || (p->time > (s->time + s->timeout))) {
+                /* timeout */
                 /* The reason we don't call SSL_CTX_remove_session() is to
                  * save on locking overhead */
                 (void)lh_SSL_SESSION_delete(p->cache, s);
@@ -907,9 +975,8 @@ SSL_CTX_flush_sessions(SSL_CTX *s, long t)
 int
 ssl_clear_bad_session(SSL *s)
 {
-        if ((s->session != NULL) &&
-                !(s->shutdown & SSL_SENT_SHUTDOWN) &&
-        !(SSL_in_init(s) || SSL_in_before(s))) {
+        if ((s->session != NULL) && !(s->shutdown & SSL_SENT_SHUTDOWN) &&
+            !(SSL_in_init(s) || SSL_in_before(s))) {
                 SSL_CTX_remove_session(s->ctx, s->session);
                 return (1);
         } else
@@ -920,26 +987,28 @@ ssl_clear_bad_session(SSL *s)
 static void
 SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
 {
-        if ((s->next == NULL)
-                || (s->prev == NULL)) return;
+        if ((s->next == NULL) || (s->prev == NULL))
+                return;
 
-        if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
-                        { /* last element in list */
-                if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
-                                { /* only one element in list */
+        if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) {
+                /* last element in list */
+                if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) {
+                        /* only one element in list */
                         ctx->session_cache_head = NULL;
                         ctx->session_cache_tail = NULL;
                 } else {
                         ctx->session_cache_tail = s->prev;
-                        s->prev->next = (SSL_SESSION *)&(ctx->session_cache_tail);
+                        s->prev->next =
+                            (SSL_SESSION *)&(ctx->session_cache_tail);
                 }
         } else {
-                if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
-                                { /* first element in list */
+                if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) {
+                        /* first element in list */
                         ctx->session_cache_head = s->next;
-                        s->next->prev = (SSL_SESSION *)&(ctx->session_cache_head);
-                } else
-                                { /* middle of list */
+                        s->next->prev =
+                            (SSL_SESSION *)&(ctx->session_cache_head);
+                } else {
+                        /* middle of list */
                         s->next->prev = s->prev;
                         s->prev->next = s->next;
                 }
@@ -972,7 +1041,8 @@ SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
         ctx->new_session_cb = cb;
 }
 
-int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
+int
+(*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
 {
         return ctx->new_session_cb;
 }
@@ -984,21 +1054,22 @@ SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
         ctx->remove_session_cb = cb;
 }
 
-void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx, SSL_SESSION *sess)
+void
+(*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx, SSL_SESSION *sess)
 {
         return ctx->remove_session_cb;
 }
 
 void
-SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
-    SSL_SESSION *(*cb)(struct ssl_st *ssl,
-unsigned char *data, int len, int *copy))
+SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(struct ssl_st *ssl,
+    unsigned char *data, int len, int *copy))
 {
         ctx->get_session_cb = cb;
 }
 
-SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl,
-    unsigned char *data, int len, int *copy)
+SSL_SESSION *
+(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, unsigned char *data,
+    int len, int *copy)
 {
         return ctx->get_session_cb;
 }
@@ -1010,7 +1081,8 @@ SSL_CTX_set_info_callback(SSL_CTX *ctx,
         ctx->info_callback = cb;
 }
 
-void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, int val)
+void
+(*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, int val)
 {
         return ctx->info_callback;
 }
@@ -1022,7 +1094,9 @@ SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
         ctx->client_cert_cb = cb;
 }
 
-int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PKEY **pkey)
+int
+(*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509,
+    EVP_PKEY **pkey)
 {
         return ctx->client_cert_cb;
 }
@@ -1032,11 +1106,13 @@ int
 SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
 {
         if (!ENGINE_init(e)) {
-                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
+                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE,
+                    ERR_R_ENGINE_LIB);
                 return 0;
         }
         if (!ENGINE_get_ssl_client_cert_function(e)) {
-                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
+                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE,
+                    SSL_R_NO_CLIENT_CERT_METHOD);
                 ENGINE_finish(e);
                 return 0;
         }