16 files changed, 2664 insertions, 2548 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp.h b/src/lib/libcrypto/ocsp/ocsp.h
index 31e45744ba..9401f7db2f 100644
--- a/src/lib/libcrypto/ocsp/ocsp.h
+++ b/src/lib/libcrypto/ocsp/ocsp.h
@@ -96,13 +96,12 @@ extern "C" {
 *       issuerKeyHash      OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
 *       serialNumber       CertificateSerialNumber }
 */
-typedef struct ocsp_cert_id_st
+typedef struct ocsp_cert_id_st {
-        {
        X509_ALGOR *hashAlgorithm;
        ASN1_OCTET_STRING *issuerNameHash;
        ASN1_OCTET_STRING *issuerKeyHash;
        ASN1_INTEGER *serialNumber;
-        } OCSP_CERTID;
+} OCSP_CERTID;
 DECLARE_STACK_OF(OCSP_CERTID)
@@ -110,11 +109,10 @@ DECLARE_STACK_OF(OCSP_CERTID)
 *       reqCert                    CertID,
 *       singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
 */
-typedef struct ocsp_one_request_st
+typedef struct ocsp_one_request_st {
-        {
        OCSP_CERTID *reqCert;
        STACK_OF(X509_EXTENSION) *singleRequestExtensions;
-        } OCSP_ONEREQ;
+} OCSP_ONEREQ;
 DECLARE_STACK_OF(OCSP_ONEREQ)
 DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
@@ -126,35 +124,32 @@ DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
 *       requestList             SEQUENCE OF Request,
 *       requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
 */
-typedef struct ocsp_req_info_st
+typedef struct ocsp_req_info_st {
-        {
        ASN1_INTEGER *version;
        GENERAL_NAME *requestorName;
        STACK_OF(OCSP_ONEREQ) *requestList;
        STACK_OF(X509_EXTENSION) *requestExtensions;
-        } OCSP_REQINFO;
+} OCSP_REQINFO;
 /*   Signature       ::=     SEQUENCE {
 *       signatureAlgorithm   AlgorithmIdentifier,
 *       signature            BIT STRING,
 *       certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 */
-typedef struct ocsp_signature_st
+typedef struct ocsp_signature_st {
-        {
        X509_ALGOR *signatureAlgorithm;
        ASN1_BIT_STRING *signature;
        STACK_OF(X509) *certs;
-        } OCSP_SIGNATURE;
+} OCSP_SIGNATURE;
 /*   OCSPRequest     ::=     SEQUENCE {
 *       tbsRequest                  TBSRequest,
 *       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
 */
-typedef struct ocsp_request_st
+typedef struct ocsp_request_st {
-        {
        OCSP_REQINFO *tbsRequest;
        OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
-        } OCSP_REQUEST;
+} OCSP_REQUEST;
 /*   OCSPResponseStatus ::= ENUMERATED {
 *       successful            (0),      --Response has valid confirmations
@@ -166,32 +161,30 @@ typedef struct ocsp_request_st
 *       unauthorized          (6)       --Request unauthorized
 *   }
 */
-#define OCSP_RESPONSE_STATUS_SUCCESSFUL          0
+#define OCSP_RESPONSE_STATUS_SUCCESSFUL         0
-#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST     1
+#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST   1
-#define OCSP_RESPONSE_STATUS_INTERNALERROR        2
+#define OCSP_RESPONSE_STATUS_INTERNALERROR      2
-#define OCSP_RESPONSE_STATUS_TRYLATER             3
+#define OCSP_RESPONSE_STATUS_TRYLATER           3
-#define OCSP_RESPONSE_STATUS_SIGREQUIRED          5
+#define OCSP_RESPONSE_STATUS_SIGREQUIRED        5
-#define OCSP_RESPONSE_STATUS_UNAUTHORIZED         6
+#define OCSP_RESPONSE_STATUS_UNAUTHORIZED       6
 /*   ResponseBytes ::=       SEQUENCE {
 *       responseType   OBJECT IDENTIFIER,
 *       response       OCTET STRING }
 */
-typedef struct ocsp_resp_bytes_st
+typedef struct ocsp_resp_bytes_st {
-        {
        ASN1_OBJECT *responseType;
        ASN1_OCTET_STRING *response;
-        } OCSP_RESPBYTES;
+} OCSP_RESPBYTES;
 /*   OCSPResponse ::= SEQUENCE {
 *      responseStatus         OCSPResponseStatus,
 *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
 */
-struct ocsp_response_st
+struct ocsp_response_st {
-        {
        ASN1_ENUMERATED *responseStatus;
        OCSP_RESPBYTES  *responseBytes;
-        };
+};
 /*   ResponderID ::= CHOICE {
 *      byName   [1] Name,
@@ -199,14 +192,13 @@ struct ocsp_response_st
 */
 #define V_OCSP_RESPID_NAME 0
 #define V_OCSP_RESPID_KEY  1
-struct ocsp_responder_id_st
+struct ocsp_responder_id_st {
-        {
        int type;
-        union   {
+        union {
                X509_NAME* byName;
-                ASN1_OCTET_STRING *byKey;
+                ASN1_OCTET_STRING *byKey;
-                } value;
+        } value;
-        };
+};
 DECLARE_STACK_OF(OCSP_RESPID)
 DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
@@ -219,11 +211,10 @@ DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
 *       revocationTime              GeneralizedTime,
 *       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
 */
-typedef struct ocsp_revoked_info_st
+typedef struct ocsp_revoked_info_st {
-        {
        ASN1_GENERALIZEDTIME *revocationTime;
        ASN1_ENUMERATED *revocationReason;
-        } OCSP_REVOKEDINFO;
+} OCSP_REVOKEDINFO;
 /*   CertStatus ::= CHOICE {
 *       good                [0]     IMPLICIT NULL,
@@ -233,15 +224,14 @@ typedef struct ocsp_revoked_info_st
 #define V_OCSP_CERTSTATUS_GOOD    0
 #define V_OCSP_CERTSTATUS_REVOKED 1
 #define V_OCSP_CERTSTATUS_UNKNOWN 2
-typedef struct ocsp_cert_status_st
+typedef struct ocsp_cert_status_st {
-        {
        int type;
-        union   {
+        union {
                ASN1_NULL *good;
                OCSP_REVOKEDINFO *revoked;
                ASN1_NULL *unknown;
-                } value;
+        } value;
-        } OCSP_CERTSTATUS;
+} OCSP_CERTSTATUS;
 /*   SingleResponse ::= SEQUENCE {
 *      certID                       CertID,
@@ -250,14 +240,13 @@ typedef struct ocsp_cert_status_st
 *      nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
 *      singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
 */
-typedef struct ocsp_single_response_st
+typedef struct ocsp_single_response_st {
-        {
        OCSP_CERTID *certId;
        OCSP_CERTSTATUS *certStatus;
        ASN1_GENERALIZEDTIME *thisUpdate;
        ASN1_GENERALIZEDTIME *nextUpdate;
        STACK_OF(X509_EXTENSION) *singleExtensions;
-        } OCSP_SINGLERESP;
+} OCSP_SINGLERESP;
 DECLARE_STACK_OF(OCSP_SINGLERESP)
 DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
@@ -269,14 +258,13 @@ DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
 *      responses                SEQUENCE OF SingleResponse,
 *      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
 */
-typedef struct ocsp_response_data_st
+typedef struct ocsp_response_data_st {
-        {
        ASN1_INTEGER *version;
        OCSP_RESPID  *responderId;
        ASN1_GENERALIZEDTIME *producedAt;
        STACK_OF(OCSP_SINGLERESP) *responses;
        STACK_OF(X509_EXTENSION) *responseExtensions;
-        } OCSP_RESPDATA;
+} OCSP_RESPDATA;
 /*   BasicOCSPResponse       ::= SEQUENCE {
 *      tbsResponseData      ResponseData,
@@ -300,13 +288,12 @@ typedef struct ocsp_response_data_st
     that it doesn't do the double hashing that the RFC seems to say one
     should.  Therefore, all relevant functions take a flag saying which
     variant should be used.    -- Richard Levitte, OpenSSL team and CeloCom */
-typedef struct ocsp_basic_response_st
+typedef struct ocsp_basic_response_st {
-        {
        OCSP_RESPDATA *tbsResponseData;
        X509_ALGOR *signatureAlgorithm;
        ASN1_BIT_STRING *signature;
        STACK_OF(X509) *certs;
-        } OCSP_BASICRESP;
+} OCSP_BASICRESP;
 /*
 *   CRLReason ::= ENUMERATED {
@@ -319,164 +306,159 @@ typedef struct ocsp_basic_response_st
 *        certificateHold         (6),
 *        removeFromCRL           (8) }
 */
-#define OCSP_REVOKED_STATUS_NOSTATUS               -1
+#define OCSP_REVOKED_STATUS_NOSTATUS                    -1
-#define OCSP_REVOKED_STATUS_UNSPECIFIED             0
+#define OCSP_REVOKED_STATUS_UNSPECIFIED                 0
-#define OCSP_REVOKED_STATUS_KEYCOMPROMISE           1
+#define OCSP_REVOKED_STATUS_KEYCOMPROMISE               1
-#define OCSP_REVOKED_STATUS_CACOMPROMISE            2
+#define OCSP_REVOKED_STATUS_CACOMPROMISE                2
-#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED      3
+#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED          3
-#define OCSP_REVOKED_STATUS_SUPERSEDED              4
+#define OCSP_REVOKED_STATUS_SUPERSEDED                  4
-#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION    5
+#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION        5
-#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD         6
+#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD             6
-#define OCSP_REVOKED_STATUS_REMOVEFROMCRL           8
+#define OCSP_REVOKED_STATUS_REMOVEFROMCRL               8
 /* CrlID ::= SEQUENCE {
 *     crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
 *     crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
 *     crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }
 */
-typedef struct ocsp_crl_id_st
+typedef struct ocsp_crl_id_st {
-        {
        ASN1_IA5STRING *crlUrl;
        ASN1_INTEGER *crlNum;
        ASN1_GENERALIZEDTIME *crlTime;
-        } OCSP_CRLID;
+} OCSP_CRLID;
 /* ServiceLocator ::= SEQUENCE {
 *      issuer    Name,
 *      locator   AuthorityInfoAccessSyntax OPTIONAL }
 */
-typedef struct ocsp_service_locator_st
+typedef struct ocsp_service_locator_st {
-        {
        X509_NAME* issuer;
        STACK_OF(ACCESS_DESCRIPTION) *locator;
-        } OCSP_SERVICELOC;
+} OCSP_SERVICELOC;
 
 #define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
 #define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
-#define d2i_OCSP_REQUEST_bio(bp,p) ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p)
+#define d2i_OCSP_REQUEST_bio(bp,p) \
+    ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p)
-#define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
+#define d2i_OCSP_RESPONSE_bio(bp,p) \
+    ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
-#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \
+#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) \
-     (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
+    (OCSP_REQUEST *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_REQUEST, \
+        PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
-#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb)(OCSP_RESPONSE *)PEM_ASN1_read_bio(\
+#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb) \
-     (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
+    (OCSP_RESPONSE *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_RESPONSE, \
+        PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
 #define PEM_write_bio_OCSP_REQUEST(bp,o) \
    PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
-                        bp,(char *)o, NULL,NULL,0,NULL,NULL)
+        bp,(char *)o, NULL,NULL,0,NULL,NULL)
 #define PEM_write_bio_OCSP_RESPONSE(bp,o) \
    PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
-                        bp,(char *)o, NULL,NULL,0,NULL,NULL)
+        bp,(char *)o, NULL,NULL,0,NULL,NULL)
-#define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o)
+#define i2d_OCSP_RESPONSE_bio(bp,o) \
+    ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o)
-#define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o)
+#define i2d_OCSP_REQUEST_bio(bp,o) \
+    ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o)
 #define OCSP_REQUEST_sign(o,pkey,md) \
-        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
+    ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO), \
-                o->optionalSignature->signatureAlgorithm,NULL,\
+        o->optionalSignature->signatureAlgorithm,NULL, \
-                o->optionalSignature->signature,o->tbsRequest,pkey,md)
+        o->optionalSignature->signature,o->tbsRequest,pkey,md)
 #define OCSP_BASICRESP_sign(o,pkey,md,d) \
-        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL,\
+    ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL, \
-                o->signature,o->tbsResponseData,pkey,md)
+        o->signature,o->tbsResponseData,pkey,md)
-#define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
+#define OCSP_REQUEST_verify(a,r) \
-        a->optionalSignature->signatureAlgorithm,\
+    ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO), \
+        a->optionalSignature->signatureAlgorithm, \
        a->optionalSignature->signature,a->tbsRequest,r)
-#define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+#define OCSP_BASICRESP_verify(a,r,d) \
+    ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA), \
        a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
 #define ASN1_BIT_STRING_digest(data,type,md,len) \
-        ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
+    ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
 #define OCSP_CERTSTATUS_dup(cs)\
-                (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
+    (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
-                (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
+        (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
 OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);
 OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
 OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
-                                                                int maxline);
+            int maxline);
-int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
+int     OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
-void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
+void    OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
-int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
+int     OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
-int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
+int     OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name,
-                const char *name, const char *value);
+            const char *value);
 OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);
-OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, 
+OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName,
-                              X509_NAME *issuerName, 
+            ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber);
-                              ASN1_BIT_STRING* issuerKey, 
-                              ASN1_INTEGER *serialNumber);
 OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
-int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
+int     OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
-int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
+int     OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
-int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
+int     OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
-int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
+int     OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
-int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
+int     OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
-int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
+int     OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
-int OCSP_request_sign(OCSP_REQUEST   *req,
+int     OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
-                      X509           *signer,
+            const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags);
-                      EVP_PKEY       *key,
-                      const EVP_MD   *dgst,
-                      STACK_OF(X509) *certs,
-                      unsigned long flags);
-int OCSP_response_status(OCSP_RESPONSE *resp);
+int     OCSP_response_status(OCSP_RESPONSE *resp);
 OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
-int OCSP_resp_count(OCSP_BASICRESP *bs);
+int     OCSP_resp_count(OCSP_BASICRESP *bs);
 OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
-int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
+int     OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
-int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
+int     OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
-                                ASN1_GENERALIZEDTIME **revtime,
+            ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
-                                ASN1_GENERALIZEDTIME **thisupd,
+            ASN1_GENERALIZEDTIME **nextupd);
-                                ASN1_GENERALIZEDTIME **nextupd);
+int     OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
-int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
+            int *reason, ASN1_GENERALIZEDTIME **revtime,
-                                int *reason,
+            ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd);
-                                ASN1_GENERALIZEDTIME **revtime,
+int     OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
-                                ASN1_GENERALIZEDTIME **thisupd,
+            ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec);
-                                ASN1_GENERALIZEDTIME **nextupd);
-int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
+int     OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
-                        ASN1_GENERALIZEDTIME *nextupd,
+            X509_STORE *store, unsigned long flags);
-                        long sec, long maxsec);
+int     OCSP_parse_url(char *url, char **phost, char **pport, char **ppath,
-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags);
+            int *pssl);
-int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl);
+int     OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
+int     OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
-int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
-int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
+int     OCSP_request_onereq_count(OCSP_REQUEST *req);
-int OCSP_request_onereq_count(OCSP_REQUEST *req);
 OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
 OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
-int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+int     OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
-                        ASN1_OCTET_STRING **pikeyHash,
+            ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial,
-                        ASN1_INTEGER **pserial, OCSP_CERTID *cid);
+            OCSP_CERTID *cid);
-int OCSP_request_is_signed(OCSP_REQUEST *req);
+int     OCSP_request_is_signed(OCSP_REQUEST *req);
 OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
-OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid,
-                                                OCSP_CERTID *cid,
+            int status, int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, 
-                                                int status, int reason,
+            ASN1_TIME *nextupd);
-                                                ASN1_TIME *revtime,
+int     OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
-                                        ASN1_TIME *thisupd, ASN1_TIME *nextupd);
+int     OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
-int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
+            const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags);
-int OCSP_basic_sign(OCSP_BASICRESP *brsp, 
-                        X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
-                        STACK_OF(X509) *certs, unsigned long flags);
 X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);
@@ -486,49 +468,60 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char* tim);
 X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls);
-int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
+int     OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
-int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
+int     OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
-int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos);
+int     OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj,
-int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos);
+            int lastpos);
+int     OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit,
+            int lastpos);
 X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
 X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
 void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx);
-int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
+int     OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value,
-                                                        unsigned long flags);
+            int crit, unsigned long flags);
-int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
+int     OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
-int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
+int     OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
-int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
+int     OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
-int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos);
+int     OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj,
-int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
+            int lastpos);
+int     OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
 X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
 X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
 void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
-int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
+int     OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
-                                                        unsigned long flags);
+            unsigned long flags);
-int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
+int     OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
-int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
+int     OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
-int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
+int     OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
-int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos);
+int     OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj,
-int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos);
+            int lastpos);
+int     OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
+            int lastpos);
 X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
 X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
-void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx);
+void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit,
-int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
+            int *idx);
-                                                        unsigned long flags);
+int     OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
-int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
+            int crit, unsigned long flags);
+int     OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
-int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
-int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos);
+int     OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
-int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos);
+int     OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid,
-int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos);
+            int lastpos);
+int     OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj,
+            int lastpos);
+int     OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
+            int lastpos);
 X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
 X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
-void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx);
+void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit,
-int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
+            int *idx);
-                                                        unsigned long flags);
+int     OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value,
-int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc);
+            int crit, unsigned long flags);
+int     OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex,
+            int loc);
 DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
 DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
@@ -550,11 +543,11 @@ const char *OCSP_response_status_str(long s);
 const char *OCSP_cert_status_str(long s);
 const char *OCSP_crl_reason_str(long s);
-int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
+int     OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
-int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
+int     OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+int     OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
-                                X509_STORE *st, unsigned long flags);
+            X509_STORE *st, unsigned long flags);
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
index 9c14d9da27..716513d2f9 100644
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -78,229 +78,241 @@
 /* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ 
 * pointer: useful if we want to add extensions.
 */
+OCSP_ONEREQ *
-OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
+OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
-        {
+{
        OCSP_ONEREQ *one = NULL;
-        if (!(one = OCSP_ONEREQ_new())) goto err;
+        if (!(one = OCSP_ONEREQ_new()))
-        if (one->reqCert) OCSP_CERTID_free(one->reqCert);
+                goto err;
+        if (one->reqCert)
+                OCSP_CERTID_free(one->reqCert);
        one->reqCert = cid;
-        if (req &&
+        if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
-                !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
+                goto err;
-                                goto err;
        return one;
 err:
        OCSP_ONEREQ_free(one);
        return NULL;
-        }
+}
 /* Set requestorName from an X509_NAME structure */
+int
-int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
+OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
-        {
+{
        GENERAL_NAME *gen;
        gen = GENERAL_NAME_new();
        if (gen == NULL)
                return 0;
-        if (!X509_NAME_set(&gen->d.directoryName, nm))
+        if (!X509_NAME_set(&gen->d.directoryName, nm)) {
-                {
                GENERAL_NAME_free(gen);
                return 0;
-                }
+        }
        gen->type = GEN_DIRNAME;
        if (req->tbsRequest->requestorName)
                GENERAL_NAME_free(req->tbsRequest->requestorName);
        req->tbsRequest->requestorName = gen;
        return 1;
-        }
+}
        
 /* Add a certificate to an OCSP request */
+int
-int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
+OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
-        {
+{
        OCSP_SIGNATURE *sig;
        if (!req->optionalSignature)
                req->optionalSignature = OCSP_SIGNATURE_new();
        sig = req->optionalSignature;
-        if (!sig) return 0;
+        if (!sig)
-        if (!cert) return 1;
+                return 0;
+        if (!cert)
+                return 1;
        if (!sig->certs && !(sig->certs = sk_X509_new_null()))
                return 0;
-        if(!sk_X509_push(sig->certs, cert)) return 0;
+        if(!sk_X509_push(sig->certs, cert))
+                return 0;
        CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
        return 1;
-        }
+}
 /* Sign an OCSP request set the requestorName to the subjec
 * name of an optional signers certificate and include one
 * or more optional certificates in the request. Behaves
 * like PKCS7_sign().
 */
+int
-int OCSP_request_sign(OCSP_REQUEST   *req,
+OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
-                      X509           *signer,
+    const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags)
-                      EVP_PKEY       *key,
+{
-                      const EVP_MD   *dgst,
-                      STACK_OF(X509) *certs,
-                      unsigned long flags)
-        {
        int i;
        OCSP_SIGNATURE *sig;
        X509 *x;
        if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
+                goto err;
+        if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new()))
+                goto err;
+        if (key) {
+                if (!X509_check_private_key(signer, key)) {
+                        OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
+                            OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
                        goto err;
-        if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
-        if (key)
-                {
-                if (!X509_check_private_key(signer, key))
-                        {
-                        OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
-                        goto err;
-                        }
-                if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
                }
+                if (!OCSP_REQUEST_sign(req, key, dgst))
+                        goto err;
+        }
-        if (!(flags & OCSP_NOCERTS))
+        if (!(flags & OCSP_NOCERTS)) {
-                {
+                if(!OCSP_request_add1_cert(req, signer))
-                if(!OCSP_request_add1_cert(req, signer)) goto err;
+                        goto err;
-                for (i = 0; i < sk_X509_num(certs); i++)
+                for (i = 0; i < sk_X509_num(certs); i++) {
-                        {
                        x = sk_X509_value(certs, i);
-                        if (!OCSP_request_add1_cert(req, x)) goto err;
+                        if (!OCSP_request_add1_cert(req, x))
-                        }
+                                goto err;
                }
+        }
        return 1;
 err:
        OCSP_SIGNATURE_free(req->optionalSignature);
        req->optionalSignature = NULL;
        return 0;
-        }
+}
 /* Get response status */
+int
-int OCSP_response_status(OCSP_RESPONSE *resp)
+OCSP_response_status(OCSP_RESPONSE *resp)
-        {
+{
        return ASN1_ENUMERATED_get(resp->responseStatus);
-        }
+}
 /* Extract basic response from OCSP_RESPONSE or NULL if
 * no basic response present.
 */
- 
+OCSP_BASICRESP *
+OCSP_response_get1_basic(OCSP_RESPONSE *resp)
-OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
+{
-        {
        OCSP_RESPBYTES *rb;
        rb = resp->responseBytes;
-        if (!rb)
+        if (!rb) {
-                {
+                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
-                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
+                    OCSP_R_NO_RESPONSE_DATA);
                return NULL;
-                }
+        }
-        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
+        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
-                {
+                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
-                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
+                    OCSP_R_NOT_BASIC_RESPONSE);
                return NULL;
-                }
+        }
        return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
-        }
+}
 /* Return number of OCSP_SINGLERESP reponses present in
 * a basic response.
 */
+int
-int OCSP_resp_count(OCSP_BASICRESP *bs)
+OCSP_resp_count(OCSP_BASICRESP *bs)
-        {
+{
-        if (!bs) return -1;
+        if (!bs)
+                return -1;
        return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
-        }
+}
 /* Extract an OCSP_SINGLERESP response with a given index */
+OCSP_SINGLERESP *
-OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
+OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
-        {
+{
-        if (!bs) return NULL;
+        if (!bs)
+                return NULL;
        return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
-        }
+}
 /* Look single response matching a given certificate ID */
+int
-int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
+OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
-        {
+{
        int i;
        STACK_OF(OCSP_SINGLERESP) *sresp;
        OCSP_SINGLERESP *single;
-        if (!bs) return -1;
-        if (last < 0) last = 0;
+        if (!bs)
-        else last++;
+                return -1;
+        if (last < 0)
+                last = 0;
+        else
+                last++;
        sresp = bs->tbsResponseData->responses;
-        for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++)
+        for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
-                {
                single = sk_OCSP_SINGLERESP_value(sresp, i);
-                if (!OCSP_id_cmp(id, single->certId)) return i;
+                if (!OCSP_id_cmp(id, single->certId))
-                }
+                        return i;
-        return -1;
        }
+        return -1;
+}
 /* Extract status information from an OCSP_SINGLERESP structure.
 * Note: the revtime and reason values are only set if the 
 * certificate status is revoked. Returns numerical value of
 * status.
 */
+int
-int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
+OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
-                                ASN1_GENERALIZEDTIME **revtime,
+    ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
-                                ASN1_GENERALIZEDTIME **thisupd,
+    ASN1_GENERALIZEDTIME **nextupd)
-                                ASN1_GENERALIZEDTIME **nextupd)
+{
-        {
        int ret;
        OCSP_CERTSTATUS *cst;
-        if(!single) return -1;
+        if (!single)
+                return -1;
        cst = single->certStatus;
        ret = cst->type;
-        if (ret == V_OCSP_CERTSTATUS_REVOKED)
+        if (ret == V_OCSP_CERTSTATUS_REVOKED) {
-                {
                OCSP_REVOKEDINFO *rev = cst->value.revoked;
-                if (revtime) *revtime = rev->revocationTime;
-                if (reason) 
+                if (revtime)
-                        {
+                        *revtime = rev->revocationTime;
-                        if(rev->revocationReason)
+                if (reason) {
+                        if (rev->revocationReason)
                                *reason = ASN1_ENUMERATED_get(rev->revocationReason);
-                        else *reason = -1;
+                        else
-                        }
+                                *reason = -1;
                }
-        if(thisupd) *thisupd = single->thisUpdate;
-        if(nextupd) *nextupd = single->nextUpdate;
-        return ret;
        }
+        if (thisupd)
+                *thisupd = single->thisUpdate;
+        if (nextupd)
+                *nextupd = single->nextUpdate;
+        return ret;
+}
 /* This function combines the previous ones: look up a certificate ID and
 * if found extract status information. Return 0 is successful.
 */
+int
-int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
+OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
-                                int *reason,
+    int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
-                                ASN1_GENERALIZEDTIME **revtime,
+    ASN1_GENERALIZEDTIME **nextupd)
-                                ASN1_GENERALIZEDTIME **thisupd,
+{
-                                ASN1_GENERALIZEDTIME **nextupd)
-        {
        int i;
        OCSP_SINGLERESP *single;
        i = OCSP_resp_find(bs, id, -1);
        /* Maybe check for multiple responses and give an error? */
-        if(i < 0) return 0;
+        if (i < 0)
+                return 0;
        single = OCSP_resp_get0(bs, i);
        i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
-        if(status) *status = i;
+        if (status)
+                *status = i;
        return 1;
-        }
+}
 /* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
 * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
@@ -308,64 +320,61 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
 * Also to avoid accepting very old responses without a nextUpdate field an optional maxage
 * parameter specifies the maximum age the thisUpdate field can be.
 */
+int
-int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
+OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
-        {
+    ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
+{
        int ret = 1;
        time_t t_now, t_tmp;
        time(&t_now);
        /* Check thisUpdate is valid and not more than nsec in the future */
-        if (!ASN1_GENERALIZEDTIME_check(thisupd))
+        if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
-                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
+                    OCSP_R_ERROR_IN_THISUPDATE_FIELD);
                ret = 0;
-                }
+        } else {
-        else 
+                t_tmp = t_now + nsec;
-                {
+                if (X509_cmp_time(thisupd, &t_tmp) > 0) {
-                        t_tmp = t_now + nsec;
+                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                        if (X509_cmp_time(thisupd, &t_tmp) > 0)
+                            OCSP_R_STATUS_NOT_YET_VALID);
-                        {
-                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
                        ret = 0;
-                        }
+                }
                /* If maxsec specified check thisUpdate is not more than maxsec in the past */
-                if (maxsec >= 0)
+                if (maxsec >= 0) {
-                        {
                        t_tmp = t_now - maxsec;
-                        if (X509_cmp_time(thisupd, &t_tmp) < 0)
+                        if (X509_cmp_time(thisupd, &t_tmp) < 0) {
-                                {
+                                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
+                                    OCSP_R_STATUS_TOO_OLD);
                                ret = 0;
-                                }
                        }
                }
-                
+        }
-        if (!nextupd) return ret;
+        if (!nextupd)
+                return ret;
        /* Check nextUpdate is valid and not more than nsec in the past */
-        if (!ASN1_GENERALIZEDTIME_check(nextupd))
+        if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
-                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
+                    OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
                ret = 0;
-                }
+        } else {
-        else 
-                {
                t_tmp = t_now - nsec;
-                if (X509_cmp_time(nextupd, &t_tmp) < 0)
+                if (X509_cmp_time(nextupd, &t_tmp) < 0) {
-                        {
+                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
+                            OCSP_R_STATUS_EXPIRED);
                        ret = 0;
-                        }
                }
+        }
        /* Also don't allow nextUpdate to precede thisUpdate */
-        if (ASN1_STRING_cmp(nextupd, thisupd) < 0)
+        if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
-                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
+                    OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
                ret = 0;
-                }
+        }
        return ret;
-        }
+}
diff --git a/src/lib/libcrypto/ocsp/ocsp_ext.c b/src/lib/libcrypto/ocsp/ocsp_ext.c
index 9c7832b301..6ec8ca4adf 100644
--- a/src/lib/libcrypto/ocsp/ocsp_ext.c
+++ b/src/lib/libcrypto/ocsp/ocsp_ext.c
@@ -73,238 +73,285 @@
 /* OCSP request extensions */
-int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
+int
-        {
+OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
-        return(X509v3_get_ext_count(x->tbsRequest->requestExtensions));
+{
-        }
+        return X509v3_get_ext_count(x->tbsRequest->requestExtensions);
+}
-int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
-        {
+int
-        return(X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions,nid,lastpos));
+OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
-        }
+{
+        return X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions, nid,
-int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos)
+            lastpos);
-        {
+}
-        return(X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions,obj,lastpos));
-        }
+int
+OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos)
-int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
+{
-        {
+        return X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions, obj,
-        return(X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,crit,lastpos));
+            lastpos);
-        }
+}
-X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
+int
-        {
+OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
-        return(X509v3_get_ext(x->tbsRequest->requestExtensions,loc));
+{
-        }
+        return X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,
+            crit, lastpos);
-X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
+}
-        {
-        return(X509v3_delete_ext(x->tbsRequest->requestExtensions,loc));
+X509_EXTENSION *
-        }
+OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
+{
-void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
+        return X509v3_get_ext(x->tbsRequest->requestExtensions, loc);
-        {
+}
+X509_EXTENSION *
+OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
+{
+        return X509v3_delete_ext(x->tbsRequest->requestExtensions, loc);
+}
+void *
+OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
+{
        return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx);
-        }
+}
-int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
+int
-                                                        unsigned long flags)
+OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
-        {
+    unsigned long flags)
-        return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value, crit, flags);
+{
-        }
+        return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value,
+            crit, flags);
-int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
+}
-        {
-        return(X509v3_add_ext(&(x->tbsRequest->requestExtensions),ex,loc) != NULL);
+int
-        }
+OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
+{
+        return X509v3_add_ext(&(x->tbsRequest->requestExtensions), ex, loc) !=
+            NULL;
+}
 /* Single extensions */
-int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
+int
-        {
+OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
-        return(X509v3_get_ext_count(x->singleRequestExtensions));
+{
-        }
+        return X509v3_get_ext_count(x->singleRequestExtensions);
+}
-int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
-        {
+int
-        return(X509v3_get_ext_by_NID(x->singleRequestExtensions,nid,lastpos));
+OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
-        }
+{
+        return X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos);
-int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
+}
-        {
-        return(X509v3_get_ext_by_OBJ(x->singleRequestExtensions,obj,lastpos));
+int
-        }
+OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
+{
-int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
+        return X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos);
-        {
+}
-        return(X509v3_get_ext_by_critical(x->singleRequestExtensions,crit,lastpos));
-        }
+int
+OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
-X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
+{
-        {
+        return X509v3_get_ext_by_critical(x->singleRequestExtensions, crit,
-        return(X509v3_get_ext(x->singleRequestExtensions,loc));
+            lastpos);
-        }
+}
-X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
+X509_EXTENSION *
-        {
+OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
-        return(X509v3_delete_ext(x->singleRequestExtensions,loc));
+{
-        }
+        return X509v3_get_ext(x->singleRequestExtensions, loc);
+}
+X509_EXTENSION *
+OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
+{
+        return X509v3_delete_ext(x->singleRequestExtensions, loc);
+}
 void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
-        {
+{
        return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
-        }
+}
-int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
+int
-                                                        unsigned long flags)
+OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
-        {
+    unsigned long flags)
-        return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit, flags);
+{
-        }
+        return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit,
+            flags);
-int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
+}
-        {
-        return(X509v3_add_ext(&(x->singleRequestExtensions),ex,loc) != NULL);
+int
-        }
+OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
+{
+        return X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL;
+}
 /* OCSP Basic response */
-int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
+int
-        {
+OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
-        return(X509v3_get_ext_count(x->tbsResponseData->responseExtensions));
+{
-        }
+        return X509v3_get_ext_count(x->tbsResponseData->responseExtensions);
+}
-int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
-        {
+int
-        return(X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,nid,lastpos));
+OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
-        }
+{
+        return X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,
-int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos)
+            nid ,lastpos);
-        {
+}
-        return(X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,obj,lastpos));
-        }
+int
+OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos)
-int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
+{
-        {
+        return X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,
-        return(X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions,crit,lastpos));
+            obj, lastpos);
-        }
+}
-X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
+int
-        {
+OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
-        return(X509v3_get_ext(x->tbsResponseData->responseExtensions,loc));
+{
-        }
+        return X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions,
+            crit, lastpos);
-X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
+}
-        {
-        return(X509v3_delete_ext(x->tbsResponseData->responseExtensions,loc));
+X509_EXTENSION *
-        }
+OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
+{
-void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
+        return X509v3_get_ext(x->tbsResponseData->responseExtensions, loc);
-        {
+}
-        return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, crit, idx);
-        }
+X509_EXTENSION *
+OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
-int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
+{
-                                                        unsigned long flags)
+        return X509v3_delete_ext(x->tbsResponseData->responseExtensions, loc);
-        {
+}
-        return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid, value, crit, flags);
-        }
+void *
+OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
-int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
+{
-        {
+        return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid,
-        return(X509v3_add_ext(&(x->tbsResponseData->responseExtensions),ex,loc) != NULL);
+            crit, idx);
-        }
+}
+int
+OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
+    unsigned long flags)
+{
+        return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid,
+            value, crit, flags);
+}
+int
+OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
+{
+        return X509v3_add_ext(&(x->tbsResponseData->responseExtensions), ex,
+            loc) != NULL;
+}
 /* OCSP single response extensions */
-int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
+int
-        {
+OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
-        return(X509v3_get_ext_count(x->singleExtensions));
+{
-        }
+        return X509v3_get_ext_count(x->singleExtensions);
+}
-int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
-        {
+int
-        return(X509v3_get_ext_by_NID(x->singleExtensions,nid,lastpos));
+OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
-        }
+{
+        return X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos);
-int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos)
+}
-        {
-        return(X509v3_get_ext_by_OBJ(x->singleExtensions,obj,lastpos));
+int
-        }
+OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj,
+    int lastpos)
-int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
+{
-        {
+        return X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos);
-        return(X509v3_get_ext_by_critical(x->singleExtensions,crit,lastpos));
+}
-        }
+int
-X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
+OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
-        {
+{
-        return(X509v3_get_ext(x->singleExtensions,loc));
+        return X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos);
-        }
+}
-X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
+X509_EXTENSION *
-        {
+OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
-        return(X509v3_delete_ext(x->singleExtensions,loc));
+{
-        }
+        return X509v3_get_ext(x->singleExtensions, loc);
+}
-void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
-        {
+X509_EXTENSION *
+OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
+{
+        return X509v3_delete_ext(x->singleExtensions, loc);
+}
+void *
+OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
+{
        return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
-        }
+}
-int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
+int
-                                                        unsigned long flags)
+OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
-        {
+    unsigned long flags)
+{
        return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
-        }
+}
-int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
+int
-        {
+OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
-        return(X509v3_add_ext(&(x->singleExtensions),ex,loc) != NULL);
+{
-        }
+        return X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL;
+}
 /* also CRL Entry Extensions */
 #if 0
-ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d,
+ASN1_STRING *
-                                void *data, STACK_OF(ASN1_OBJECT) *sk)
+ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d, void *data,
-        {
+    STACK_OF(ASN1_OBJECT) *sk)
+{
        int i;
        unsigned char *p, *b = NULL;
-        if (data)
+        if (data) {
-                {
+                if ((i = i2d(data, NULL)) <= 0)
-                if ((i=i2d(data,NULL)) <= 0) goto err;
-                if (!(b=p=malloc((unsigned int)i)))
                        goto err;
-                if (i2d(data, &p) <= 0) goto err;
+                if (!(b = p = malloc((unsigned int)i)))
-                }
+                        goto err;
-        else if (sk)
+                if (i2d(data, &p) <= 0)
-                {
+                        goto err;
-                if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,
+        } else if (sk) {
-                                                   (I2D_OF(ASN1_OBJECT))i2d,
+                if ((i = i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,
-                                                   V_ASN1_SEQUENCE,
+                    (I2D_OF(ASN1_OBJECT))i2d, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL,
-                                                   V_ASN1_UNIVERSAL,
+                    IS_SEQUENCE)) <= 0)
-                                                   IS_SEQUENCE))<=0) goto err;
+                        goto err;
-                if (!(b=p=malloc((unsigned int)i)))
+                if (!(b = p = malloc((unsigned int)i)))
                        goto err;
                if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,(I2D_OF(ASN1_OBJECT))i2d,
-                                                V_ASN1_SEQUENCE,
+                    V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE) <= 0)
-                                                V_ASN1_UNIVERSAL,
+                        goto err;
-                                                IS_SEQUENCE)<=0) goto err;
+        } else {
-                }
+                OCSPerr(OCSP_F_ASN1_STRING_ENCODE, OCSP_R_BAD_DATA);
-        else
+                goto err;
-                {
+        }
-                OCSPerr(OCSP_F_ASN1_STRING_ENCODE,OCSP_R_BAD_DATA);
+        if (!s && !(s = ASN1_STRING_new()))
+                goto err;
+        if (!(ASN1_STRING_set(s, b, i)))
                goto err;
-                }
-        if (!s && !(s = ASN1_STRING_new())) goto err;
-        if (!(ASN1_STRING_set(s, b, i))) goto err;
        free(b);
        return s;
 err:
-        if (b) free(b);
+        free(b);
        return NULL;
-        }
+}
 #endif
 /* Nonce handling functions */
@@ -315,16 +362,19 @@ err:
 * nonce, previous versions used the raw nonce.
 */
-static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
+static int
-        {
+ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
+{
        unsigned char *tmpval;
        ASN1_OCTET_STRING os;
        int ret = 0;
-        if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
+        if (len <= 0)
+                len = OCSP_DEFAULT_NONCE_LENGTH;
        /* Create the OCTET STRING manually by writing out the header and
         * appending the content octets. This avoids an extra memory allocation
         * operation in some cases. Applications should *NOT* do this because
-         * it relies on library internals.
+         * it relies on library internals.
         */
        os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
        os.data = malloc(os.length);
@@ -336,30 +386,29 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val,
                memcpy(tmpval, val, len);
        else
                RAND_pseudo_bytes(tmpval, len);
-        if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
+        if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0,
-                        &os, 0, X509V3_ADD_REPLACE))
+            X509V3_ADD_REPLACE))
-                                goto err;
+                goto err;
        ret = 1;
-        err:
+err:
-        if (os.data)
+        free(os.data);
-                free(os.data);
        return ret;
-        }
+}
 /* Add nonce to an OCSP request */
+int
-int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
+OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
-        {
+{
        return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
-        }
+}
 /* Same as above but for a response */
+int
-int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
+OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
-        {
+{
-        return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, len);
+        return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val,
-        }
+            len);
+}
 /* Check nonce validity in a request and response.
 * Return value reflects result:
@@ -373,9 +422,9 @@ int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
 *  If responder doesn't handle nonces return != 0 may be
 *  necessary. return == 0 is always an error.
 */
+int
-int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
+OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
-        {
+{
        /*
         * Since we are only interested in the presence or absence of
         * the nonce and comparing its value there is no need to use
@@ -383,136 +432,160 @@ int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
         * ASN1_OCTET_STRING structure for the value which would be
         * freed immediately anyway.
         */
        int req_idx, resp_idx;
        X509_EXTENSION *req_ext, *resp_ext;
        req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
        resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
        /* Check both absent */
-        if((req_idx < 0) && (resp_idx < 0))
+        if (req_idx < 0 && resp_idx < 0)
                return 2;
        /* Check in request only */
-        if((req_idx >= 0) && (resp_idx < 0))
+        if (req_idx >= 0 && resp_idx < 0)
                return -1;
        /* Check in response but not request */
-        if((req_idx < 0) && (resp_idx >= 0))
+        if (req_idx < 0 && resp_idx >= 0)
                return 3;
        /* Otherwise nonce in request and response so retrieve the extensions */
        req_ext = OCSP_REQUEST_get_ext(req, req_idx);
        resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
-        if(ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
+        if (ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
                return 0;
        return 1;
-        }
+}
 /* Copy the nonce value (if any) from an OCSP request to 
 * a response.
 */
+int
-int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
+OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
-        {
+{
        X509_EXTENSION *req_ext;
        int req_idx;
        /* Check for nonce in request */
        req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
        /* If no nonce that's OK */
-        if (req_idx < 0) return 2;
+        if (req_idx < 0)
+                return 2;
        req_ext = OCSP_REQUEST_get_ext(req, req_idx);
        return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
-        }
+}
-X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
+X509_EXTENSION *
-        {
+OCSP_crlID_new(char *url, long *n, char *tim)
+{
        X509_EXTENSION *x = NULL;
        OCSP_CRLID *cid = NULL;
        
-        if (!(cid = OCSP_CRLID_new())) goto err;
+        if (!(cid = OCSP_CRLID_new()))
-        if (url)
+                goto err;
-                {
+        if (url) {
-                if (!(cid->crlUrl = ASN1_IA5STRING_new())) goto err;
+                if (!(cid->crlUrl = ASN1_IA5STRING_new()))
-                if (!(ASN1_STRING_set(cid->crlUrl, url, -1))) goto err;
+                        goto err;
-                }
+                if (!(ASN1_STRING_set(cid->crlUrl, url, -1)))
-        if (n)
+                        goto err;
-                {
+        }
-                if (!(cid->crlNum = ASN1_INTEGER_new())) goto err;
+        if (n) {
-                if (!(ASN1_INTEGER_set(cid->crlNum, *n))) goto err;
+                if (!(cid->crlNum = ASN1_INTEGER_new()))
-                }
+                        goto err;
-        if (tim)
+                if (!(ASN1_INTEGER_set(cid->crlNum, *n)))
-                {
+                        goto err;
-                if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new())) goto err;
+        }
+        if (tim) {
+                if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new()))
+                        goto err;
                if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim))) 
-                        goto err;
+                        goto err;
-                }
+        }
        x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
 err:
-        if (cid) OCSP_CRLID_free(cid);
+        if (cid)
+                OCSP_CRLID_free(cid);
        return x;
-        }
+}
 /*   AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
-X509_EXTENSION *OCSP_accept_responses_new(char **oids)
+X509_EXTENSION *
-        {
+OCSP_accept_responses_new(char **oids)
+{
        int nid;
        STACK_OF(ASN1_OBJECT) *sk = NULL;
        ASN1_OBJECT *o = NULL;
-        X509_EXTENSION *x = NULL;
+        X509_EXTENSION *x = NULL;
-        if (!(sk = sk_ASN1_OBJECT_new_null())) goto err;
+        if (!(sk = sk_ASN1_OBJECT_new_null()))
-        while (oids && *oids)
+                goto err;
-                {
+        while (oids && *oids) {
-                if ((nid=OBJ_txt2nid(*oids))!=NID_undef&&(o=OBJ_nid2obj(nid))) 
+                if ((nid = OBJ_txt2nid(*oids)) != NID_undef &&
-                        sk_ASN1_OBJECT_push(sk, o);
+                    (o = OBJ_nid2obj(nid))) 
+                        sk_ASN1_OBJECT_push(sk, o);
                oids++;
-                }
+        }
        x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
 err:
-        if (sk) sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
+        if (sk)
+                sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
        return x;
-        }
+}
 /*  ArchiveCutoff ::= GeneralizedTime */
-X509_EXTENSION *OCSP_archive_cutoff_new(char* tim)
+X509_EXTENSION *
-        {
+OCSP_archive_cutoff_new(char* tim)
-        X509_EXTENSION *x=NULL;
+{
+        X509_EXTENSION *x = NULL;
        ASN1_GENERALIZEDTIME *gt = NULL;
-        if (!(gt = ASN1_GENERALIZEDTIME_new())) goto err;
+        if (!(gt = ASN1_GENERALIZEDTIME_new()))
-        if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err;
+                goto err;
+        if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
+                goto err;
        x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
 err:
-        if (gt) ASN1_GENERALIZEDTIME_free(gt);
+        if (gt)
+                ASN1_GENERALIZEDTIME_free(gt);
        return x;
-        }
+}
 /* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
 * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value.  This
 * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
 */
-X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
+X509_EXTENSION *
-        {
+OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
+{
        X509_EXTENSION *x = NULL;
        ASN1_IA5STRING *ia5 = NULL;
        OCSP_SERVICELOC *sloc = NULL;
        ACCESS_DESCRIPTION *ad = NULL;
        
-        if (!(sloc = OCSP_SERVICELOC_new())) goto err;
+        if (!(sloc = OCSP_SERVICELOC_new()))
-        if (!(sloc->issuer = X509_NAME_dup(issuer))) goto err;
+                goto err;
-        if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) goto err;
+        if (!(sloc->issuer = X509_NAME_dup(issuer)))
-        while (urls && *urls)
+                goto err;
-                {
+        if (urls && *urls &&
-                if (!(ad = ACCESS_DESCRIPTION_new())) goto err;
+            !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null()))
-                if (!(ad->method=OBJ_nid2obj(NID_ad_OCSP))) goto err;
+                goto err;
-                if (!(ad->location = GENERAL_NAME_new())) goto err;
+        while (urls && *urls) {
-                if (!(ia5 = ASN1_IA5STRING_new())) goto err;
+                if (!(ad = ACCESS_DESCRIPTION_new()))
-                if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1)) goto err;
+                        goto err;
+                if (!(ad->method = OBJ_nid2obj(NID_ad_OCSP)))
+                        goto err;
+                if (!(ad->location = GENERAL_NAME_new()))
+                        goto err;
+                if (!(ia5 = ASN1_IA5STRING_new()))
+                        goto err;
+                if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1))
+                        goto err;
                ad->location->type = GEN_URI;
                ad->location->d.ia5 = ia5;
-                if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) goto err;
+                if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
+                        goto err;
                urls++;
-                }
+        }
        x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
 err:
-        if (sloc) OCSP_SERVICELOC_free(sloc);
+        if (sloc)
+                OCSP_SERVICELOC_free(sloc);
        return x;
-        }
+}
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
index b45eaf6767..fe4a7a1a72 100644
--- a/src/lib/libcrypto/ocsp/ocsp_ht.c
+++ b/src/lib/libcrypto/ocsp/ocsp_ht.c
@@ -79,7 +79,7 @@ struct ocsp_req_ctx_st {
        BIO *io;                /* BIO to perform I/O with */
        BIO *mem;               /* Memory BIO response is built into */
        unsigned long asn1_len; /* ASN1 length of response */
-        };
+};
 #define OCSP_MAX_REQUEST_LENGTH (100 * 1024)
 #define OCSP_MAX_LINE_LEN       4096;
@@ -108,54 +108,57 @@ struct ocsp_req_ctx_st {
 static int parse_http_line1(char *line);
-void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
+void
-        {
+OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
+{
        if (rctx->mem)
                BIO_free(rctx->mem);
        if (rctx->iobuf)
                free(rctx->iobuf);
        free(rctx);
-        }
+}
-int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req)
+int
-        {
+OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req)
+{
        static const char req_hdr[] =
-        "Content-Type: application/ocsp-request\r\n"
+            "Content-Type: application/ocsp-request\r\n"
-        "Content-Length: %d\r\n\r\n";
+            "Content-Length: %d\r\n\r\n";
-        if (BIO_printf(rctx->mem, req_hdr, i2d_OCSP_REQUEST(req, NULL)) <= 0)
+        if (BIO_printf(rctx->mem, req_hdr, i2d_OCSP_REQUEST(req, NULL)) <= 0)
                return 0;
-        if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0)
+        if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0)
                return 0;
        rctx->state = OHS_ASN1_WRITE;
        rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
        return 1;
-        }
+}
-int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
+int
-                const char *name, const char *value)
+OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name,
-        {
+    const char *value)
+{
        if (!name)
                return 0;
        if (BIO_puts(rctx->mem, name) <= 0)
                return 0;
-        if (value)
+        if (value) {
-                {
                if (BIO_write(rctx->mem, ": ", 2) != 2)
                        return 0;
                if (BIO_puts(rctx->mem, value) <= 0)
                        return 0;
-                }
+        }
        if (BIO_write(rctx->mem, "\r\n", 2) != 2)
                return 0;
        return 1;
-        }
+}
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
+OCSP_REQ_CTX *
-                                                                int maxline)
+OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, int maxline)
-        {
+{
        static const char post_hdr[] = "POST %s HTTP/1.0\r\n";
        OCSP_REQ_CTX *rctx;
        rctx = malloc(sizeof(OCSP_REQ_CTX));
        rctx->state = OHS_ERROR;
        rctx->mem = BIO_new(BIO_s_mem());
@@ -174,7 +177,7 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
        if (!path)
                path = "/";
-        if (BIO_printf(rctx->mem, post_hdr, path) <= 0) {
+        if (BIO_printf(rctx->mem, post_hdr, path) <= 0) {
                free(rctx->iobuf);
                BIO_free(rctx->mem);
                free(rctx);
@@ -189,49 +192,44 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
        }
        return rctx;
-        }
+}
 /* Parse the HTTP response. This will look like this:
 * "HTTP/1.0 200 OK". We need to obtain the numeric code and
 * (optional) informational message.
 */
+static int
-static int parse_http_line1(char *line)
+parse_http_line1(char *line)
-        {
+{
        int retcode;
        char *p, *q, *r;
-        /* Skip to first white space (passed protocol info) */
-        for(p = line; *p && !isspace((unsigned char)*p); p++)
+        /* Skip to first white space (passed protocol info) */
+        for (p = line; *p && !isspace((unsigned char)*p); p++)
                continue;
-        if(!*p)
+        if (!*p) {
-                {
                OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
-                                        OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                    OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
                return 0;
-                }
+        }
        /* Skip past white space to start of response code */
-        while(*p && isspace((unsigned char)*p))
+        while (*p && isspace((unsigned char)*p))
                p++;
+        if (!*p) {
-        if(!*p)
-                {
                OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
-                                        OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                    OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
                return 0;
-                }
+        }
        /* Find end of response code: first whitespace after start of code */
-        for(q = p; *q && !isspace((unsigned char)*q); q++)
+        for (q = p; *q && !isspace((unsigned char)*q); q++)
                continue;
+        if (!*q) {
-        if(!*q)
-                {
                OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
-                                        OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                    OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
                return 0;
-                }
+        }
        /* Set end of response code and start of message */ 
        *q++ = 0;
@@ -239,94 +237,80 @@ static int parse_http_line1(char *line)
        /* Attempt to parse numeric code */
        retcode = strtoul(p, &r, 10);
-        if(*r)
+        if (*r)
                return 0;
        /* Skip over any leading white space in message */
-        while(*q && isspace((unsigned char)*q))
+        while (*q && isspace((unsigned char)*q))
                q++;
+        if (*q) {
-        if(*q)
-                {
                /* Finally zap any trailing white space in message (include
                 * CRLF) */
                /* We know q has a non white space character so this is OK */
-                for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--)
+                for (r = q + strlen(q) - 1; isspace((unsigned char)*r); r--)
                        *r = 0;
-                }
+        }
-        if(retcode != 200)
+        if (retcode != 200) {
-                {
                OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_ERROR);
-                if(!*q)
+                if (!*q)
                        ERR_asprintf_error_data("Code=%s", p);
                else
                        ERR_asprintf_error_data("Code=%s,Reason=%s", p, q);
                return 0;
-                }
+        }
        return 1;
+}
-        }
+int
+OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
-int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
+{
-        {
        int i, n;
        const unsigned char *p;
-        next_io:
-        if (!(rctx->state & OHS_NOREAD))
+next_io:
-                {
+        if (!(rctx->state & OHS_NOREAD)) {
                n = BIO_read(rctx->io, rctx->iobuf, rctx->iobuflen);
-                if (n <= 0)
+                if (n <= 0) {
-                        {
                        if (BIO_should_retry(rctx->io))
                                return -1;
                        return 0;
-                        }
+                }
                /* Write data to memory BIO */
                if (BIO_write(rctx->mem, rctx->iobuf, n) != n)
                        return 0;
-                }
+        }
-        switch(rctx->state)
-                {
-                case OHS_ASN1_WRITE:
+        switch (rctx->state) {
+        case OHS_ASN1_WRITE:
                n = BIO_get_mem_data(rctx->mem, &p);
                i = BIO_write(rctx->io,
                        p + (n - rctx->asn1_len), rctx->asn1_len);
+                if (i <= 0) {
-                if (i <= 0)
-                        {
                        if (BIO_should_retry(rctx->io))
                                return -1;
                        rctx->state = OHS_ERROR;
                        return 0;
-                        }
+                }
                rctx->asn1_len -= i;
                if (rctx->asn1_len > 0)
                        goto next_io;
                rctx->state = OHS_ASN1_FLUSH;
                (void)BIO_reset(rctx->mem);
+                /* FALLTHROUGH */
-                case OHS_ASN1_FLUSH:
+        case OHS_ASN1_FLUSH:
                i = BIO_flush(rctx->io);
+                if (i > 0) {
-                if (i > 0)
-                        {
                        rctx->state = OHS_FIRSTLINE;
                        goto next_io;
-                        }
+                }
                if (BIO_should_retry(rctx->io))
                        return -1;
@@ -334,79 +318,62 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
                rctx->state = OHS_ERROR;
                return 0;
-                case OHS_ERROR:
+        case OHS_ERROR:
                return 0;
-                case OHS_FIRSTLINE:
+        case OHS_FIRSTLINE:
-                case OHS_HEADERS:
+        case OHS_HEADERS:
                /* Attempt to read a line in */
+next_line:
-                next_line:
                /* Due to &%^*$" memory BIO behaviour with BIO_gets we
                 * have to check there's a complete line in there before
                 * calling BIO_gets or we'll just get a partial read.
                 */
                n = BIO_get_mem_data(rctx->mem, &p);
-                if ((n <= 0) || !memchr(p, '\n', n))
+                if ((n <= 0) || !memchr(p, '\n', n)) {
-                        {
+                        if (n >= rctx->iobuflen) {
-                        if (n >= rctx->iobuflen)
-                                {
                                rctx->state = OHS_ERROR;
                                return 0;
-                                }
-                        goto next_io;
                        }
+                        goto next_io;
+                }
                n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen);
+                if (n <= 0) {
-                if (n <= 0)
-                        {
                        if (BIO_should_retry(rctx->mem))
                                goto next_io;
                        rctx->state = OHS_ERROR;
                        return 0;
-                        }
+                }
                /* Don't allow excessive lines */
-                if (n == rctx->iobuflen)
+                if (n == rctx->iobuflen) {
-                        {
                        rctx->state = OHS_ERROR;
                        return 0;
-                        }
+                }
                /* First line */
-                if (rctx->state == OHS_FIRSTLINE)
+                if (rctx->state == OHS_FIRSTLINE) {
-                        {
+                        if (parse_http_line1((char *)rctx->iobuf)) {
-                        if (parse_http_line1((char *)rctx->iobuf))
-                                {
                                rctx->state = OHS_HEADERS;
                                goto next_line;
-                                }
+                        } else {
-                        else
-                                {
                                rctx->state = OHS_ERROR;
                                return 0;
-                                }
                        }
-                else
+                } else {
-                        {
                        /* Look for blank line: end of headers */
-                        for (p = rctx->iobuf; *p; p++)
+                        for (p = rctx->iobuf; *p; p++) {
-                                {
                                if ((*p != '\r') && (*p != '\n'))
                                        break;
-                                }
+                        }
                        if (*p)
                                goto next_line;
                        rctx->state = OHS_ASN1_HEADER;
+                }
+                /* FALLTRHOUGH */
-                        }
+        case OHS_ASN1_HEADER:
- 
-                /* Fall thru */
-                case OHS_ASN1_HEADER:
                /* Now reading ASN1 header: can read at least 2 bytes which
                 * is enough for ASN1 SEQUENCE header and either length field
                 * or at least the length of the length field.
@@ -416,15 +383,13 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
                        goto next_io;
                /* Check it is an ASN1 SEQUENCE */
-                if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED))
+                if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) {
-                        {
                        rctx->state = OHS_ERROR;
                        return 0;
-                        }
+                }
                /* Check out length field */
-                if (*p & 0x80)
+                if (*p & 0x80) {
-                        {
                        /* If MSB set on initial length octet we can now
                         * always read 6 octets: make sure we have them.
                         */
@@ -432,78 +397,64 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
                                goto next_io;
                        n = *p & 0x7F;
                        /* Not NDEF or excessive length */
-                        if (!n || (n > 4))
+                        if (!n || (n > 4)) {
-                                {
                                rctx->state = OHS_ERROR;
                                return 0;
-                                }
+                        }
                        p++;
                        rctx->asn1_len = 0;
-                        for (i = 0; i < n; i++)
+                        for (i = 0; i < n; i++) {
-                                {
                                rctx->asn1_len <<= 8;
                                rctx->asn1_len |= *p++;
-                                }
+                        }
-                        if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH)
+                        if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH) {
-                                {
                                rctx->state = OHS_ERROR;
                                return 0;
-                                }
+                        }
                        rctx->asn1_len += n + 2;
-                        }
+                } else
-                else
                        rctx->asn1_len = *p + 2;
                rctx->state = OHS_ASN1_CONTENT;
-                /* Fall thru */
+                /* FALLTHROUGH */
                
-                case OHS_ASN1_CONTENT:
+        case OHS_ASN1_CONTENT:
                n = BIO_get_mem_data(rctx->mem, &p);
                if (n < (int)rctx->asn1_len)
                        goto next_io;
                *presp = d2i_OCSP_RESPONSE(NULL, &p, rctx->asn1_len);
-                if (*presp)
+                if (*presp) {
-                        {
                        rctx->state = OHS_DONE;
                        return 1;
-                        }
+                }
                rctx->state = OHS_ERROR;
                return 0;
-                break;
+        case OHS_DONE:
-                case OHS_DONE:
                return 1;
+        }
-                }
        return 0;
+}
-        }
 /* Blocking OCSP request handler: now a special case of non-blocking I/O */
+OCSP_RESPONSE *
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
+OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
-        {
+{
        OCSP_RESPONSE *resp = NULL;
        OCSP_REQ_CTX *ctx;
        int rv;
        ctx = OCSP_sendreq_new(b, path, req, -1);
-        do
+        do {
-                {
                rv = OCSP_sendreq_nbio(&resp, ctx);
-                } while ((rv == -1) && BIO_should_retry(b));
+        } while ((rv == -1) && BIO_should_retry(b));
        OCSP_REQ_CTX_free(ctx);
@@ -511,4 +462,4 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
                return resp;
        return NULL;
-        }
+}
diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
index 514cdabf2d..056bd27665 100644
--- a/src/lib/libcrypto/ocsp/ocsp_lib.c
+++ b/src/lib/libcrypto/ocsp/ocsp_lib.c
@@ -73,102 +73,112 @@
 /* Convert a certificate and its issuer to an OCSP_CERTID */
-OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
+OCSP_CERTID *
+OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
 {
        X509_NAME *iname;
        ASN1_INTEGER *serial;
        ASN1_BIT_STRING *ikey;
 #ifndef OPENSSL_NO_SHA1
-        if(!dgst) dgst = EVP_sha1();
+        if (!dgst)
+                dgst = EVP_sha1();
 #endif
-        if (subject)
+        if (subject) {
-                {
                iname = X509_get_issuer_name(subject);
                serial = X509_get_serialNumber(subject);
-                }
+        } else {
-        else
-                {
                iname = X509_get_subject_name(issuer);
                serial = NULL;
-                }
+        }
        ikey = X509_get0_pubkey_bitstr(issuer);
        return OCSP_cert_id_new(dgst, iname, ikey, serial);
 }
+OCSP_CERTID *
-OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, 
+OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName,
-                              X509_NAME *issuerName, 
+    ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber)
-                              ASN1_BIT_STRING* issuerKey, 
+{
-                              ASN1_INTEGER *serialNumber)
-        {
        int nid;
-        unsigned int i;
+        unsigned int i;
        X509_ALGOR *alg;
        OCSP_CERTID *cid = NULL;
        unsigned char md[EVP_MAX_MD_SIZE];
-        if (!(cid = OCSP_CERTID_new())) goto err;
+        if (!(cid = OCSP_CERTID_new()))
+                goto err;
        alg = cid->hashAlgorithm;
-        if (alg->algorithm != NULL) ASN1_OBJECT_free(alg->algorithm);
+        if (alg->algorithm != NULL)
-        if ((nid = EVP_MD_type(dgst)) == NID_undef)
+                ASN1_OBJECT_free(alg->algorithm);
-                {
+        if ((nid = EVP_MD_type(dgst)) == NID_undef) {
-                OCSPerr(OCSP_F_OCSP_CERT_ID_NEW,OCSP_R_UNKNOWN_NID);
+                OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_UNKNOWN_NID);
+                goto err;
+        }
+        if (!(alg->algorithm=OBJ_nid2obj(nid)))
+                goto err;
+        if ((alg->parameter=ASN1_TYPE_new()) == NULL)
                goto err;
-                }
-        if (!(alg->algorithm=OBJ_nid2obj(nid))) goto err;
-        if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err;
        alg->parameter->type=V_ASN1_NULL;
-        if (!X509_NAME_digest(issuerName, dgst, md, &i)) goto digerr;
+        if (!X509_NAME_digest(issuerName, dgst, md, &i))
-        if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err;
+                goto digerr;
+        if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i)))
+                goto err;
        /* Calculate the issuerKey hash, excluding tag and length */
        if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL))
                goto err;
-        if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err;
+        if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i)))
+                goto err;
-        if (serialNumber)
+        if (serialNumber) {
-                {
                ASN1_INTEGER_free(cid->serialNumber);
-                if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err;
+                if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber)))
-                }
+                        goto err;
+        }
        return cid;
 digerr:
-        OCSPerr(OCSP_F_OCSP_CERT_ID_NEW,OCSP_R_DIGEST_ERR);
+        OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_DIGEST_ERR);
 err:
-        if (cid) OCSP_CERTID_free(cid);
+        if (cid)
+                OCSP_CERTID_free(cid);
        return NULL;
-        }
+}
-int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+int
-        {
+OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+{
        int ret;
        ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
-        if (ret) return ret;
+        if (ret)
+                return ret;
        ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
-        if (ret) return ret;
+        if (ret)
+                return ret;
        return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
-        }
+}
-int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+int
-        {
+OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+{
        int ret;
        ret = OCSP_id_issuer_cmp(a, b);
-        if (ret) return ret;
+        if (ret)
+                return ret;
        return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
-        }
+}
 /* Parse a URL and split it up into host, port and path components and whether
 * it is SSL.
 */
+int
-int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
+OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
-        {
+{
        char *p, *buf;
        char *host, *port;
        *phost = NULL;
@@ -177,26 +187,23 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
        /* dup the buffer since we are going to mess with it */
        buf = BUF_strdup(url);
-        if (!buf) goto mem_err;
+        if (!buf)
+                goto mem_err;
        /* Check for initial colon */
        p = strchr(buf, ':');
+        if (!p)
-        if (!p) goto parse_err;
+                goto parse_err;
        *(p++) = '\0';
-        if (!strcmp(buf, "http"))
+        if (!strcmp(buf, "http")) {
-                {
                *pssl = 0;
                port = "80";
-                }
+        } else if (!strcmp(buf, "https")) {
-        else if (!strcmp(buf, "https"))
-                {
                *pssl = 1;
                port = "443";
-                }
+        } else
-        else
                goto parse_err;
        /* Check for double slash */
@@ -208,59 +215,56 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
        host = p;
        /* Check for trailing part of path */
        p = strchr(p, '/');
        if (!p) 
                *ppath = BUF_strdup("/");
-        else
+        else {
-                {
                *ppath = BUF_strdup(p);
                /* Set start of path to 0 so hostname is valid */
                *p = '\0';
-                }
+        }
-        if (!*ppath) goto mem_err;
+        if (!*ppath)
+                goto mem_err;
        /* Look for optional ':' for port number */
-        if ((p = strchr(host, ':')))
+        if ((p = strchr(host, ':'))) {
-                {
                *p = 0;
                port = p + 1;
-                }
+        } else {
-        else
-                {
                /* Not found: set default port */
-                if (*pssl) port = "443";
+                if (*pssl)
-                else port = "80";
+                        port = "443";
-                }
+                else
+                        port = "80";
+        }
        *pport = BUF_strdup(port);
-        if (!*pport) goto mem_err;
+        if (!*pport)
+                goto mem_err;
        *phost = BUF_strdup(host);
-        if (!*phost) goto mem_err;
+        if (!*phost)
+                goto mem_err;
        free(buf);
        return 1;
-        mem_err:
+mem_err:
        OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE);
        goto err;
-        parse_err:
+parse_err:
        OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
+err:
-        err:
+        free(buf);
-        if (buf) free(buf);
+        free(*ppath);
-        if (*ppath) free(*ppath);
+        free(*pport);
-        if (*pport) free(*pport);
+        free(*phost);
-        if (*phost) free(*phost);
        return 0;
+}
-        }
 IMPLEMENT_ASN1_DUP_FUNCTION(OCSP_CERTID)
diff --git a/src/lib/libcrypto/ocsp/ocsp_prn.c b/src/lib/libcrypto/ocsp/ocsp_prn.c
index 87608ff399..9e4b81f061 100644
--- a/src/lib/libcrypto/ocsp/ocsp_prn.c
+++ b/src/lib/libcrypto/ocsp/ocsp_prn.c
@@ -66,8 +66,9 @@
 #include <openssl/ocsp.h>
 #include <openssl/pem.h>
-static int ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
+static int
-        {
+ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
+{
        BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
        indent += 2;
        BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
@@ -80,60 +81,68 @@ static int ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
        i2a_ASN1_INTEGER(bp, a->serialNumber);
        BIO_printf(bp, "\n");
        return 1;
-        }
+}
-typedef struct
+typedef struct {
-        {
        long t;
        const char *m;
-        } OCSP_TBLSTR;
+} OCSP_TBLSTR;
-static const char *table2string(long s, const OCSP_TBLSTR *ts, int len)
+static const char *
+table2string(long s, const OCSP_TBLSTR *ts, int len)
 {
        const OCSP_TBLSTR *p;
        for (p=ts; p < ts + len; p++)
-                if (p->t == s)
+                if (p->t == s)
-                         return p->m;
+                        return p->m;
        return "(UNKNOWN)";
 }
-const char *OCSP_response_status_str(long s)
+const char *
-        {
+OCSP_response_status_str(long s)
+{
        static const OCSP_TBLSTR rstat_tbl[] = {
-                { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
+            { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
-                { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
+            { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
-                { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
+            { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
-                { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
+            { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
-                { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
+            { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
-                { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" } };
+            { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" }
+        };
        return table2string(s, rstat_tbl, 6);
-        } 
+} 
-const char *OCSP_cert_status_str(long s)
+const char *
-        {
+OCSP_cert_status_str(long s)
+{
        static const OCSP_TBLSTR cstat_tbl[] = {
-                { V_OCSP_CERTSTATUS_GOOD, "good" },
+            { V_OCSP_CERTSTATUS_GOOD, "good" },
-                { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
+            { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
-                { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" } };
+            { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" }
+        };
        return table2string(s, cstat_tbl, 3);
-        } 
+} 
-const char *OCSP_crl_reason_str(long s)
+const char *
-        {
+OCSP_crl_reason_str(long s)
+{
        static const OCSP_TBLSTR reason_tbl[] = {
-          { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
+            { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
-          { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
+            { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
-          { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
+            { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
-          { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
+            { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
-          { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
+            { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
-          { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
+            { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
-          { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
+            { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
-          { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" } };
+            { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" }
+        };
        return table2string(s, reason_tbl, 8);
-        } 
+} 
-int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
+int
-        {
+OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
+{
        int i;
        long l;
        OCSP_CERTID* cid = NULL;
@@ -141,45 +150,45 @@ int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
        OCSP_REQINFO *inf = o->tbsRequest;
        OCSP_SIGNATURE *sig = o->optionalSignature;
-        if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0) goto err;
+        if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0)
-        l=ASN1_INTEGER_get(inf->version);
+                goto err;
-        if (BIO_printf(bp,"    Version: %lu (0x%lx)",l+1,l) <= 0) goto err;
+        l = ASN1_INTEGER_get(inf->version);
-        if (inf->requestorName != NULL)
+        if (BIO_printf(bp,"    Version: %lu (0x%lx)",l+1,l) <= 0)
-                {
+                goto err;
+        if (inf->requestorName != NULL) {
                if (BIO_write(bp,"\n    Requestor Name: ",21) <= 0) 
-                        goto err;
+                        goto err;
                GENERAL_NAME_print(bp, inf->requestorName);
-                }
+        }
-        if (BIO_write(bp,"\n    Requestor List:\n",21) <= 0) goto err;
+        if (BIO_write(bp,"\n    Requestor List:\n",21) <= 0)
-        for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++)
+                goto err;
-                {
+        for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++) {
                one = sk_OCSP_ONEREQ_value(inf->requestList, i);
                cid = one->reqCert;
                ocsp_certid_print(bp, cid, 8);
-                if (!X509V3_extensions_print(bp,
+                if (!X509V3_extensions_print(bp, "Request Single Extensions",
-                                        "Request Single Extensions",
+                    one->singleRequestExtensions, flags, 8))
-                                        one->singleRequestExtensions, flags, 8))
+                        goto err;
-                                                        goto err;
+        }
-                }
        if (!X509V3_extensions_print(bp, "Request Extensions",
-                        inf->requestExtensions, flags, 4))
+            inf->requestExtensions, flags, 4))
-                                                        goto err;
+                goto err;
-        if (sig)
+        if (sig) {
-                {
+                X509_signature_print(bp, sig->signatureAlgorithm,
-                X509_signature_print(bp, sig->signatureAlgorithm, sig->signature);
+                    sig->signature);
-                for (i=0; i<sk_X509_num(sig->certs); i++)
+                for (i=0; i<sk_X509_num(sig->certs); i++) {
-                        {
                        X509_print(bp, sk_X509_value(sig->certs,i));
                        PEM_write_bio_X509(bp,sk_X509_value(sig->certs,i));
-                        }
                }
+        }
        return 1;
 err:
        return 0;
-        }
+}
-int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
+int
-        {
+OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
+{
        int i, ret = 0;
        long l;
        OCSP_CERTID *cid = NULL;
@@ -191,100 +200,107 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
        OCSP_SINGLERESP *single = NULL;
        OCSP_RESPBYTES *rb = o->responseBytes;
-        if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) goto err;
+        if (BIO_puts(bp,"OCSP Response Data:\n") <= 0)
-        l=ASN1_ENUMERATED_get(o->responseStatus);
+                goto err;
+        l = ASN1_ENUMERATED_get(o->responseStatus);
        if (BIO_printf(bp,"    OCSP Response Status: %s (0x%lx)\n",
-                       OCSP_response_status_str(l), l) <= 0) goto err;
+            OCSP_response_status_str(l), l) <= 0)
-        if (rb == NULL) return 1;
+                goto err;
-        if (BIO_puts(bp,"    Response Type: ") <= 0)
+        if (rb == NULL)
-                goto err;
+                return 1;
+        if (BIO_puts(bp,"    Response Type: ") <= 0)
+                goto err;
        if(i2a_ASN1_OBJECT(bp, rb->responseType) <= 0)
-                goto err;
+                goto err;
-        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) 
+        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
-                {
                BIO_puts(bp," (unknown response type)\n");
                return 1;
-                }
+        }
        i = ASN1_STRING_length(rb->response);
-        if (!(br = OCSP_response_get1_basic(o))) goto err;
+        if (!(br = OCSP_response_get1_basic(o)))
+                goto err;
        rd = br->tbsResponseData;
-        l=ASN1_INTEGER_get(rd->version);
+        l = ASN1_INTEGER_get(rd->version);
-        if (BIO_printf(bp,"\n    Version: %lu (0x%lx)\n",
+        if (BIO_printf(bp,"\n    Version: %lu (0x%lx)\n", l+1,l) <= 0)
-                       l+1,l) <= 0) goto err;
+                goto err;
-        if (BIO_puts(bp,"    Responder Id: ") <= 0) goto err;
+        if (BIO_puts(bp,"    Responder Id: ") <= 0)
+                goto err;
        rid =  rd->responderId;
-        switch (rid->type)
+        switch (rid->type) {
-                {
+        case V_OCSP_RESPID_NAME:
-                case V_OCSP_RESPID_NAME:
+                X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
-                        X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
+                break;
-                        break;
+        case V_OCSP_RESPID_KEY:
-                case V_OCSP_RESPID_KEY:
+                i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
-                        i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
+                break;
-                        break;
+        }
-                }
-        if (BIO_printf(bp,"\n    Produced At: ")<=0) goto err;
+        if (BIO_printf(bp,"\n    Produced At: ")<=0)
-        if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt)) goto err;
+                goto err;
-        if (BIO_printf(bp,"\n    Responses:\n") <= 0) goto err;
+        if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt))
-        for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++)
+                goto err;
-                {
+        if (BIO_printf(bp,"\n    Responses:\n") <= 0)
-                if (! sk_OCSP_SINGLERESP_value(rd->responses, i)) continue;
+                goto err;
+        for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) {
+                if (! sk_OCSP_SINGLERESP_value(rd->responses, i))
+                        continue;
                single = sk_OCSP_SINGLERESP_value(rd->responses, i);
                cid = single->certId;
-                if(ocsp_certid_print(bp, cid, 4) <= 0) goto err;
+                if (ocsp_certid_print(bp, cid, 4) <= 0)
+                        goto err;
                cst = single->certStatus;
                if (BIO_printf(bp,"    Cert Status: %s",
-                               OCSP_cert_status_str(cst->type)) <= 0)
+                    OCSP_cert_status_str(cst->type)) <= 0)
-                        goto err;
+                        goto err;
-                if (cst->type == V_OCSP_CERTSTATUS_REVOKED)
+                if (cst->type == V_OCSP_CERTSTATUS_REVOKED) {
-                        {
+                        rev = cst->value.revoked;
-                        rev = cst->value.revoked;
                        if (BIO_printf(bp, "\n    Revocation Time: ") <= 0) 
-                                goto err;
-                        if (!ASN1_GENERALIZEDTIME_print(bp, 
-                                                        rev->revocationTime)) 
                                goto err;
-                        if (rev->revocationReason) 
+                        if (!ASN1_GENERALIZEDTIME_print(bp,
-                                {
+                            rev->revocationTime)) 
-                                l=ASN1_ENUMERATED_get(rev->revocationReason);
+                                goto err;
-                                if (BIO_printf(bp, 
+                        if (rev->revocationReason) {
-                                         "\n    Revocation Reason: %s (0x%lx)",
+                                l = ASN1_ENUMERATED_get(rev->revocationReason);
-                                               OCSP_crl_reason_str(l), l) <= 0)
+                                if (BIO_printf(bp,
-                                        goto err;
+                                    "\n    Revocation Reason: %s (0x%lx)",
-                                }
+                                    OCSP_crl_reason_str(l), l) <= 0)
+                                        goto err;
                        }
-                if (BIO_printf(bp,"\n    This Update: ") <= 0) goto err;
+                }
+                if (BIO_printf(bp,"\n    This Update: ") <= 0)
+                        goto err;
                if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate)) 
                        goto err;
-                if (single->nextUpdate)
+                if (single->nextUpdate) {
-                        {
+                        if (BIO_printf(bp,"\n    Next Update: ") <= 0)
-                        if (BIO_printf(bp,"\n    Next Update: ") <= 0)goto err;
+                                goto err;
                        if (!ASN1_GENERALIZEDTIME_print(bp,single->nextUpdate))
                                goto err;
-                        }
-                if (BIO_write(bp,"\n",1) <= 0) goto err;
-                if (!X509V3_extensions_print(bp,
-                                        "Response Single Extensions",
-                                        single->singleExtensions, flags, 8))
-                                                        goto err;
-                if (BIO_write(bp,"\n",1) <= 0) goto err;
                }
+                if (BIO_write(bp,"\n",1) <= 0)
+                        goto err;
+                if (!X509V3_extensions_print(bp, "Response Single Extensions",
+                    single->singleExtensions, flags, 8))
+                        goto err;
+                if (BIO_write(bp,"\n",1) <= 0)
+                        goto err;
+        }
        if (!X509V3_extensions_print(bp, "Response Extensions",
-                                        rd->responseExtensions, flags, 4))
+            rd->responseExtensions, flags, 4))
-                                                        goto err;
+                goto err;
-        if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
+        if (X509_signature_print(bp, br->signatureAlgorithm, br->signature) <=
-                                                        goto err;
+            0)
+                goto err;
-        for (i=0; i<sk_X509_num(br->certs); i++)
+        for (i = 0; i < sk_X509_num(br->certs); i++) {
-                {
+                X509_print(bp, sk_X509_value(br->certs, i));
-                X509_print(bp, sk_X509_value(br->certs,i));
+                PEM_write_bio_X509(bp,sk_X509_value(br->certs, i));
-                PEM_write_bio_X509(bp,sk_X509_value(br->certs,i));
+        }
-                }
        ret = 1;
 err:
        OCSP_BASICRESP_free(br);
        return ret;
-        }
+}
diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c
index 1c606dd0b6..c14e8e2bc3 100644
--- a/src/lib/libcrypto/ocsp/ocsp_srv.c
+++ b/src/lib/libcrypto/ocsp/ocsp_srv.c
@@ -69,107 +69,118 @@
 * relevant information from the request.
 */
-int OCSP_request_onereq_count(OCSP_REQUEST *req)
+int
-        {
+OCSP_request_onereq_count(OCSP_REQUEST *req)
+{
        return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
-        }
+}
-OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
+OCSP_ONEREQ *
-        {
+OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
+{
        return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
-        }
+}
-OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
+OCSP_CERTID *
-        {
+OCSP_onereq_get0_id(OCSP_ONEREQ *one)
+{
        return one->reqCert;
-        }
+}
-int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+int
-                        ASN1_OCTET_STRING **pikeyHash,
+OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
-                        ASN1_INTEGER **pserial, OCSP_CERTID *cid)
+    ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial, OCSP_CERTID *cid)
-        {
+{
-        if (!cid) return 0;
+        if (!cid)
-        if (pmd) *pmd = cid->hashAlgorithm->algorithm;
+                return 0;
-        if(piNameHash) *piNameHash = cid->issuerNameHash;
+        if (pmd)
-        if (pikeyHash) *pikeyHash = cid->issuerKeyHash;
+                *pmd = cid->hashAlgorithm->algorithm;
-        if (pserial) *pserial = cid->serialNumber;
+        if (piNameHash)
+                *piNameHash = cid->issuerNameHash;
+        if (pikeyHash)
+                *pikeyHash = cid->issuerKeyHash;
+        if (pserial)
+                *pserial = cid->serialNumber;
        return 1;
-        }
+}
-int OCSP_request_is_signed(OCSP_REQUEST *req)
+int
-        {
+OCSP_request_is_signed(OCSP_REQUEST *req)
-        if(req->optionalSignature) return 1;
+{
+        if (req->optionalSignature)
+                return 1;
        return 0;
-        }
+}
 /* Create an OCSP response and encode an optional basic response */
-OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
+OCSP_RESPONSE *
-        {
+OCSP_response_create(int status, OCSP_BASICRESP *bs)
-        OCSP_RESPONSE *rsp = NULL;
+{
+        OCSP_RESPONSE *rsp = NULL;
-        if (!(rsp = OCSP_RESPONSE_new())) goto err;
+        if (!(rsp = OCSP_RESPONSE_new()))
-        if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
+                goto err;
-        if (!bs) return rsp;
+        if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status)))
-        if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
+                goto err;
+        if (!bs)
+                return rsp;
+        if (!(rsp->responseBytes = OCSP_RESPBYTES_new()))
+                goto err;
        rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
-        if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response))
+        if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP),
-                                goto err;
+            &rsp->responseBytes->response))
+                goto err;
        return rsp;
 err:
-        if (rsp) OCSP_RESPONSE_free(rsp);
+        if (rsp)
+                OCSP_RESPONSE_free(rsp);
        return NULL;
-        }
+}
-OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+OCSP_SINGLERESP *
-                                                OCSP_CERTID *cid,
+OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, int status,
-                                                int status, int reason,
+    int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, ASN1_TIME *nextupd)
-                                                ASN1_TIME *revtime,
+{
-                                        ASN1_TIME *thisupd, ASN1_TIME *nextupd)
-        {
        OCSP_SINGLERESP *single = NULL;
        OCSP_CERTSTATUS *cs;
        OCSP_REVOKEDINFO *ri;
-        if(!rsp->tbsResponseData->responses &&
+        if (!rsp->tbsResponseData->responses &&
            !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
                goto err;
        if (!(single = OCSP_SINGLERESP_new()))
                goto err;
        if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
                goto err;
        if (nextupd &&
-                !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
+            !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
                goto err;
        OCSP_CERTID_free(single->certId);
-        if(!(single->certId = OCSP_CERTID_dup(cid)))
+        if (!(single->certId = OCSP_CERTID_dup(cid)))
                goto err;
        cs = single->certStatus;
-        switch(cs->type = status)
+        switch(cs->type = status) {
-                {
        case V_OCSP_CERTSTATUS_REVOKED:
-                if (!revtime)
+                if (!revtime) {
-                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,
-                        OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME);
+                            OCSP_R_NO_REVOKED_TIME);
+                        goto err;
+                }
+                if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new()))
                        goto err;
-                        }
-                if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
                if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
                        goto err;       
-                if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
+                if (reason != OCSP_REVOKED_STATUS_NOSTATUS) {
-                        {
                        if (!(ri->revocationReason = ASN1_ENUMERATED_new())) 
-                                goto err;
+                                goto err;
-                        if (!(ASN1_ENUMERATED_set(ri->revocationReason, 
+                        if (!(ASN1_ENUMERATED_set(ri->revocationReason,
-                                                  reason)))
+                            reason)))
-                                goto err;       
+                                goto err;       
                        }
                break;
@@ -183,82 +194,80 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
        default:
                goto err;
+        }
-                }
        if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
                goto err;
        return single;
 err:
        OCSP_SINGLERESP_free(single);
        return NULL;
-        }
+}
 /* Add a certificate to an OCSP request */
+int
-int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
+OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
-        {
+{
        if (!resp->certs && !(resp->certs = sk_X509_new_null()))
                return 0;
-        if(!sk_X509_push(resp->certs, cert)) return 0;
+        if (!sk_X509_push(resp->certs, cert))
+                return 0;
        CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
        return 1;
-        }
+}
-int OCSP_basic_sign(OCSP_BASICRESP *brsp, 
+int
-                        X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
-                        STACK_OF(X509) *certs, unsigned long flags)
+    const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags)
-        {
+{
        int i;
        OCSP_RESPID *rid;
-        if (!X509_check_private_key(signer, key))
+        if (!X509_check_private_key(signer, key)) {
-                {
+                OCSPerr(OCSP_F_OCSP_BASIC_SIGN,
-                OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+                    OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
                goto err;
-                }
+        }
-        if(!(flags & OCSP_NOCERTS))
+        if (!(flags & OCSP_NOCERTS)) {
-                {
+                if (!OCSP_basic_add1_cert(brsp, signer))
-                if(!OCSP_basic_add1_cert(brsp, signer))
                        goto err;
-                for (i = 0; i < sk_X509_num(certs); i++)
+                for (i = 0; i < sk_X509_num(certs); i++) {
-                        {
                        X509 *tmpcert = sk_X509_value(certs, i);
-                        if(!OCSP_basic_add1_cert(brsp, tmpcert))
+                        if (!OCSP_basic_add1_cert(brsp, tmpcert))
                                goto err;
-                        }
                }
+        }
        rid = brsp->tbsResponseData->responderId;
-        if (flags & OCSP_RESPID_KEY)
+        if (flags & OCSP_RESPID_KEY) {
-                {
                unsigned char md[SHA_DIGEST_LENGTH];
                X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
                if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
                        goto err;
-                if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH)))
+                if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md,
-                                goto err;
+                    SHA_DIGEST_LENGTH)))
+                        goto err;
                rid->type = V_OCSP_RESPID_KEY;
-                }
+        } else {
-        else
-                {
                if (!X509_NAME_set(&rid->value.byName,
-                                        X509_get_subject_name(signer)))
+                    X509_get_subject_name(signer)))
-                                goto err;
+                        goto err;
                rid->type = V_OCSP_RESPID_NAME;
-                }
+        }
        if (!(flags & OCSP_NOTIME) &&
-                !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
+            !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
                goto err;
        /* Right now, I think that not doing double hashing is the right
           thing.       -- Richard Levitte */
-        if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
+        if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0))
+                goto err;
        return 1;
 err:
        return 0;
-        }
+}
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c
index 0b181d5abe..aede155871 100644
--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -60,134 +60,137 @@
 #include <openssl/err.h>
 #include <string.h>
-static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
-                                X509_STORE *st, unsigned long flags);
+            STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags);
 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
+static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
+            unsigned long flags);
 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
-static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp);
+static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
+            STACK_OF(OCSP_SINGLERESP) *sresp);
 static int ocsp_check_delegated(X509 *x, int flags);
-static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
-                                X509_STORE *st, unsigned long flags);
+            X509_NAME *nm, STACK_OF(X509) *certs, X509_STORE *st,
+            unsigned long flags);
 /* Verify a basic response message */
+int
-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
-                                X509_STORE *st, unsigned long flags)
+    unsigned long flags)
-        {
+{
        X509 *signer, *x;
        STACK_OF(X509) *chain = NULL;
        X509_STORE_CTX ctx;
        int i, ret = 0;
        ret = ocsp_find_signer(&signer, bs, certs, st, flags);
-        if (!ret)
+        if (!ret) {
-                {
+                OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
-                OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+                    OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
                goto end;
-                }
+        }
        if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
                flags |= OCSP_NOVERIFY;
-        if (!(flags & OCSP_NOSIGS))
+        if (!(flags & OCSP_NOSIGS)) {
-                {
                EVP_PKEY *skey;
                skey = X509_get_pubkey(signer);
-                if (skey)
+                if (skey) {
-                        {
                        ret = OCSP_BASICRESP_verify(bs, skey, 0);
                        EVP_PKEY_free(skey);
-                        }
+                }
-                if(!skey || ret <= 0)
+                if (!skey || ret <= 0) {
-                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
-                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+                            OCSP_R_SIGNATURE_FAILURE);
                        goto end;
-                        }
                }
-        if (!(flags & OCSP_NOVERIFY))
+        }
-                {
+        if (!(flags & OCSP_NOVERIFY)) {
                int init_res;
                if(flags & OCSP_NOCHAIN)
                        init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
                else
-                        init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+                        init_res = X509_STORE_CTX_init(&ctx, st, signer,
-                if(!init_res)
+                            bs->certs);
-                        {
+                if (!init_res) {
                        ret = -1;
                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
                        goto end;
-                        }
+                }
                X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
                ret = X509_verify_cert(&ctx);
                chain = X509_STORE_CTX_get1_chain(&ctx);
                X509_STORE_CTX_cleanup(&ctx);
-                if (ret <= 0)
+                if (ret <= 0) {
-                        {
                        i = X509_STORE_CTX_get_error(&ctx);
-                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
+                            OCSP_R_CERTIFICATE_VERIFY_ERROR);
                        ERR_asprintf_error_data("Verify error:%s",
-                                        X509_verify_cert_error_string(i));
+                            X509_verify_cert_error_string(i));
-                        goto end;
+                        goto end;
-                        }
+                }
-                if(flags & OCSP_NOCHECKS)
+                if(flags & OCSP_NOCHECKS) {
-                        {
                        ret = 1;
                        goto end;
-                        }
+                }
                /* At this point we have a valid certificate chain
                 * need to verify it against the OCSP issuer criteria.
                 */
                ret = ocsp_check_issuer(bs, chain, flags);
                /* If fatal error or valid match then finish */
-                if (ret != 0) goto end;
+                if (ret != 0)
+                        goto end;
                /* Easy case: explicitly trusted. Get root CA and
                 * check for explicit trust
                 */
-                if(flags & OCSP_NOEXPLICIT) goto end;
+                if (flags & OCSP_NOEXPLICIT)
+                        goto end;
                x = sk_X509_value(chain, sk_X509_num(chain) - 1);
-                if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED)
+                if (X509_check_trust(x, NID_OCSP_sign, 0) !=
-                        {
+                    X509_TRUST_TRUSTED) {
-                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_ROOT_CA_NOT_TRUSTED);
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
+                            OCSP_R_ROOT_CA_NOT_TRUSTED);
                        goto end;
-                        }
-                ret = 1;
                }
+                ret = 1;
-        end:
-        if(chain) sk_X509_pop_free(chain, X509_free);
-        return ret;
        }
+end:
+        if (chain)
+                sk_X509_pop_free(chain, X509_free);
+        return ret;
+}
-static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+static int
-                                X509_STORE *st, unsigned long flags)
+ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
-        {
+    X509_STORE *st, unsigned long flags)
+{
        X509 *signer;
        OCSP_RESPID *rid = bs->tbsResponseData->responderId;
-        if ((signer = ocsp_find_signer_sk(certs, rid)))
-                {
+        if ((signer = ocsp_find_signer_sk(certs, rid))) {
                *psigner = signer;
                return 2;
-                }
+        }
-        if(!(flags & OCSP_NOINTERN) &&
+        if (!(flags & OCSP_NOINTERN) &&
-            (signer = ocsp_find_signer_sk(bs->certs, rid)))
+            (signer = ocsp_find_signer_sk(bs->certs, rid))) {
-                {
                *psigner = signer;
                return 1;
-                }
+        }
        /* Maybe lookup from store if by subject name */
        *psigner = NULL;
        return 0;
-        }
+}
-static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
+static X509 *
-        {
+ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
+{
        int i;
        unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
        X509 *x;
@@ -199,123 +202,124 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
        /* Lookup by key hash */
        /* If key hash isn't SHA1 length then forget it */
-        if (id->value.byKey->length != SHA_DIGEST_LENGTH) return NULL;
+        if (id->value.byKey->length != SHA_DIGEST_LENGTH)
+                return NULL;
        keyhash = id->value.byKey->data;
        /* Calculate hash of each key and compare */
-        for (i = 0; i < sk_X509_num(certs); i++)
+        for (i = 0; i < sk_X509_num(certs); i++) {
-                {
                x = sk_X509_value(certs, i);
                X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
-                if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
+                if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
                        return x;
-                }
-        return NULL;
        }
+        return NULL;
+}
+static int
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags)
+ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
-        {
+    unsigned long flags)
+{
        STACK_OF(OCSP_SINGLERESP) *sresp;
        X509 *signer, *sca;
        OCSP_CERTID *caid = NULL;
        int i;
        sresp = bs->tbsResponseData->responses;
-        if (sk_X509_num(chain) <= 0)
+        if (sk_X509_num(chain) <= 0) {
-                {
+                OCSPerr(OCSP_F_OCSP_CHECK_ISSUER,
-                OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
+                    OCSP_R_NO_CERTIFICATES_IN_CHAIN);
                return -1;
-                }
+        }
        /* See if the issuer IDs match. */
        i = ocsp_check_ids(sresp, &caid);
        /* If ID mismatch or other error then return */
-        if (i <= 0) return i;
+        if (i <= 0)
+                return i;
        signer = sk_X509_value(chain, 0);
        /* Check to see if OCSP responder CA matches request CA */
-        if (sk_X509_num(chain) > 1)
+        if (sk_X509_num(chain) > 1) {
-                {
                sca = sk_X509_value(chain, 1);
                i = ocsp_match_issuerid(sca, caid, sresp);
-                if (i < 0) return i;
+                if (i < 0)
-                if (i)
+                        return i;
-                        {
+                if (i) {
                        /* We have a match, if extensions OK then success */
-                        if (ocsp_check_delegated(signer, flags)) return 1;
+                        if (ocsp_check_delegated(signer, flags))
+                                return 1;
                        return 0;
-                        }
                }
+        }
        /* Otherwise check if OCSP request signed directly by request CA */
        return ocsp_match_issuerid(signer, caid, sresp);
-        }
+}
 /* Check the issuer certificate IDs for equality. If there is a mismatch with the same
 * algorithm then there's no point trying to match any certificates against the issuer.
 * If the issuer IDs all match then we just need to check equality against one of them.
 */
-        
+static int
-static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
+ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
-        {
+{
        OCSP_CERTID *tmpid, *cid;
        int i, idcount;
        idcount = sk_OCSP_SINGLERESP_num(sresp);
-        if (idcount <= 0)
+        if (idcount <= 0) {
-                {
+                OCSPerr(OCSP_F_OCSP_CHECK_IDS,
-                OCSPerr(OCSP_F_OCSP_CHECK_IDS, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
+                    OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
                return -1;
-                }
+        }
        cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
        *ret = NULL;
-        for (i = 1; i < idcount; i++)
+        for (i = 1; i < idcount; i++) {
-                {
                tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
                /* Check to see if IDs match */
-                if (OCSP_id_issuer_cmp(cid, tmpid))
+                if (OCSP_id_issuer_cmp(cid, tmpid)) {
-                        {
                        /* If algoritm mismatch let caller deal with it */
                        if (OBJ_cmp(tmpid->hashAlgorithm->algorithm,
-                                        cid->hashAlgorithm->algorithm))
+                            cid->hashAlgorithm->algorithm))
-                                        return 2;
+                                return 2;
                        /* Else mismatch */
                        return 0;
-                        }
                }
+        }
        /* All IDs match: only need to check one ID */
        *ret = cid;
        return 1;
-        }
+}
+static int
-static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
+ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
-                        STACK_OF(OCSP_SINGLERESP) *sresp)
+    STACK_OF(OCSP_SINGLERESP) *sresp)
-        {
+{
        /* If only one ID to match then do it */
-        if(cid)
+        if (cid) {
-                {
                const EVP_MD *dgst;
                X509_NAME *iname;
                int mdlen;
                unsigned char md[EVP_MAX_MD_SIZE];
-                if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm)))
-                        {
+                if (!(dgst =
-                        OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
+                    EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) {
+                        OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID,
+                            OCSP_R_UNKNOWN_MESSAGE_DIGEST);
                        return -1;
-                        }
+                }
                mdlen = EVP_MD_size(dgst);
                if (mdlen < 0)
-                    return -1;
+                        return -1;
-                if ((cid->issuerNameHash->length != mdlen) ||
+                if (cid->issuerNameHash->length != mdlen ||
-                   (cid->issuerKeyHash->length != mdlen))
+                    cid->issuerKeyHash->length != mdlen)
                        return 0;
                iname = X509_get_subject_name(cert);
                if (!X509_NAME_digest(iname, dgst, md, NULL))
@@ -327,124 +331,123 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
                        return 0;
                return 1;
+        } else {
-                }
-        else
-                {
                /* We have to match the whole lot */
                int i, ret;
                OCSP_CERTID *tmpid;
-                for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
-                        {
+                for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
                        tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
                        ret = ocsp_match_issuerid(cert, tmpid, NULL);
-                        if (ret <= 0) return ret;
+                        if (ret <= 0)
-                        }
+                                return ret;
-                return 1;
                }
-                        
+                return 1;
        }
+}
-static int ocsp_check_delegated(X509 *x, int flags)
+static int
-        {
+ocsp_check_delegated(X509 *x, int flags)
+{
        X509_check_purpose(x, -1, 0);
-        if ((x->ex_flags & EXFLAG_XKUSAGE) &&
+        if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN))
-            (x->ex_xkusage & XKU_OCSP_SIGN))
                return 1;
        OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
        return 0;
-        }
+}
 /* Verify an OCSP request. This is fortunately much easier than OCSP
 * response verify. Just find the signers certificate and verify it
 * against a given trust value.
 */
+int
-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags)
+OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store,
-        {
+    unsigned long flags)
+{
        X509 *signer;
        X509_NAME *nm;
        GENERAL_NAME *gen;
        int ret;
        X509_STORE_CTX ctx;
-        if (!req->optionalSignature) 
-                {
+        if (!req->optionalSignature) {
                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
                return 0;
-                }
+        }
        gen = req->tbsRequest->requestorName;
-        if (!gen || gen->type != GEN_DIRNAME)
+        if (!gen || gen->type != GEN_DIRNAME) {
-                {
+                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
-                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
+                    OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
                return 0;
-                }
+        }
        nm = gen->d.directoryName;
        ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
-        if (ret <= 0)
+        if (ret <= 0) {
-                {
+                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
-                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+                    OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
                return 0;
-                }
+        }
        if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
                flags |= OCSP_NOVERIFY;
-        if (!(flags & OCSP_NOSIGS))
+        if (!(flags & OCSP_NOSIGS)) {
-                {
                EVP_PKEY *skey;
                skey = X509_get_pubkey(signer);
                ret = OCSP_REQUEST_verify(req, skey);
                EVP_PKEY_free(skey);
-                if(ret <= 0)
+                if (ret <= 0) {
-                        {
+                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
-                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+                            OCSP_R_SIGNATURE_FAILURE);
                        return 0;
-                        }
                }
-        if (!(flags & OCSP_NOVERIFY))
+        }
-                {
+        if (!(flags & OCSP_NOVERIFY)) {
                int init_res;
-                if(flags & OCSP_NOCHAIN)
-                        init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
+                if (flags & OCSP_NOCHAIN)
+                        init_res = X509_STORE_CTX_init(&ctx, store, signer,
+                            NULL);
                else
                        init_res = X509_STORE_CTX_init(&ctx, store, signer,
-                                        req->optionalSignature->certs);
+                            req->optionalSignature->certs);
-                if(!init_res)
+                if (!init_res) {
-                        {
                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,ERR_R_X509_LIB);
                        return 0;
-                        }
+                }
                X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
                X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
                ret = X509_verify_cert(&ctx);
                X509_STORE_CTX_cleanup(&ctx);
-                if (ret <= 0)
+                if (ret <= 0) {
-                        {
                        ret = X509_STORE_CTX_get_error(&ctx);   
-                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
+                            OCSP_R_CERTIFICATE_VERIFY_ERROR);
                        ERR_asprintf_error_data("Verify error:%s",
-                                        X509_verify_cert_error_string(ret));
+                            X509_verify_cert_error_string(ret));
-                        return 0;
+                        return 0;
-                        }
                }
+        }
        return 1;
-        }
+}
-static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+static int
-                                X509_STORE *st, unsigned long flags)
+ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm,
-        {
+    STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags)
+{
        X509 *signer;
-        if(!(flags & OCSP_NOINTERN))
-                {
+        if (!(flags & OCSP_NOINTERN)) {
-                signer = X509_find_by_subject(req->optionalSignature->certs, nm);
+                signer =
+                    X509_find_by_subject(req->optionalSignature->certs, nm);
                *psigner = signer;
                return 1;
-                }
+        }
        signer = X509_find_by_subject(certs, nm);
-        if (signer)
+        if (signer) {
-                {
                *psigner = signer;
                return 2;
-                }
-        return 0;
        }
+        return 0;
+}
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp.h b/src/lib/libssl/src/crypto/ocsp/ocsp.h
index 31e45744ba..9401f7db2f 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp.h
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp.h
@@ -96,13 +96,12 @@ extern "C" {
 *       issuerKeyHash      OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
 *       serialNumber       CertificateSerialNumber }
 */
-typedef struct ocsp_cert_id_st
+typedef struct ocsp_cert_id_st {
-        {
        X509_ALGOR *hashAlgorithm;
        ASN1_OCTET_STRING *issuerNameHash;
        ASN1_OCTET_STRING *issuerKeyHash;
        ASN1_INTEGER *serialNumber;
-        } OCSP_CERTID;
+} OCSP_CERTID;
 DECLARE_STACK_OF(OCSP_CERTID)
@@ -110,11 +109,10 @@ DECLARE_STACK_OF(OCSP_CERTID)
 *       reqCert                    CertID,
 *       singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
 */
-typedef struct ocsp_one_request_st
+typedef struct ocsp_one_request_st {
-        {
        OCSP_CERTID *reqCert;
        STACK_OF(X509_EXTENSION) *singleRequestExtensions;
-        } OCSP_ONEREQ;
+} OCSP_ONEREQ;
 DECLARE_STACK_OF(OCSP_ONEREQ)
 DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
@@ -126,35 +124,32 @@ DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
 *       requestList             SEQUENCE OF Request,
 *       requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
 */
-typedef struct ocsp_req_info_st
+typedef struct ocsp_req_info_st {
-        {
        ASN1_INTEGER *version;
        GENERAL_NAME *requestorName;
        STACK_OF(OCSP_ONEREQ) *requestList;
        STACK_OF(X509_EXTENSION) *requestExtensions;
-        } OCSP_REQINFO;
+} OCSP_REQINFO;
 /*   Signature       ::=     SEQUENCE {
 *       signatureAlgorithm   AlgorithmIdentifier,
 *       signature            BIT STRING,
 *       certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 */
-typedef struct ocsp_signature_st
+typedef struct ocsp_signature_st {
-        {
        X509_ALGOR *signatureAlgorithm;
        ASN1_BIT_STRING *signature;
        STACK_OF(X509) *certs;
-        } OCSP_SIGNATURE;
+} OCSP_SIGNATURE;
 /*   OCSPRequest     ::=     SEQUENCE {
 *       tbsRequest                  TBSRequest,
 *       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
 */
-typedef struct ocsp_request_st
+typedef struct ocsp_request_st {
-        {
        OCSP_REQINFO *tbsRequest;
        OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
-        } OCSP_REQUEST;
+} OCSP_REQUEST;
 /*   OCSPResponseStatus ::= ENUMERATED {
 *       successful            (0),      --Response has valid confirmations
@@ -166,32 +161,30 @@ typedef struct ocsp_request_st
 *       unauthorized          (6)       --Request unauthorized
 *   }
 */
-#define OCSP_RESPONSE_STATUS_SUCCESSFUL          0
+#define OCSP_RESPONSE_STATUS_SUCCESSFUL         0
-#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST     1
+#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST   1
-#define OCSP_RESPONSE_STATUS_INTERNALERROR        2
+#define OCSP_RESPONSE_STATUS_INTERNALERROR      2
-#define OCSP_RESPONSE_STATUS_TRYLATER             3
+#define OCSP_RESPONSE_STATUS_TRYLATER           3
-#define OCSP_RESPONSE_STATUS_SIGREQUIRED          5
+#define OCSP_RESPONSE_STATUS_SIGREQUIRED        5
-#define OCSP_RESPONSE_STATUS_UNAUTHORIZED         6
+#define OCSP_RESPONSE_STATUS_UNAUTHORIZED       6
 /*   ResponseBytes ::=       SEQUENCE {
 *       responseType   OBJECT IDENTIFIER,
 *       response       OCTET STRING }
 */
-typedef struct ocsp_resp_bytes_st
+typedef struct ocsp_resp_bytes_st {
-        {
        ASN1_OBJECT *responseType;
        ASN1_OCTET_STRING *response;
-        } OCSP_RESPBYTES;
+} OCSP_RESPBYTES;
 /*   OCSPResponse ::= SEQUENCE {
 *      responseStatus         OCSPResponseStatus,
 *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
 */
-struct ocsp_response_st
+struct ocsp_response_st {
-        {
        ASN1_ENUMERATED *responseStatus;
        OCSP_RESPBYTES  *responseBytes;
-        };
+};
 /*   ResponderID ::= CHOICE {
 *      byName   [1] Name,
@@ -199,14 +192,13 @@ struct ocsp_response_st
 */
 #define V_OCSP_RESPID_NAME 0
 #define V_OCSP_RESPID_KEY  1
-struct ocsp_responder_id_st
+struct ocsp_responder_id_st {
-        {
        int type;
-        union   {
+        union {
                X509_NAME* byName;
-                ASN1_OCTET_STRING *byKey;
+                ASN1_OCTET_STRING *byKey;
-                } value;
+        } value;
-        };
+};
 DECLARE_STACK_OF(OCSP_RESPID)
 DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
@@ -219,11 +211,10 @@ DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
 *       revocationTime              GeneralizedTime,
 *       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
 */
-typedef struct ocsp_revoked_info_st
+typedef struct ocsp_revoked_info_st {
-        {
        ASN1_GENERALIZEDTIME *revocationTime;
        ASN1_ENUMERATED *revocationReason;
-        } OCSP_REVOKEDINFO;
+} OCSP_REVOKEDINFO;
 /*   CertStatus ::= CHOICE {
 *       good                [0]     IMPLICIT NULL,
@@ -233,15 +224,14 @@ typedef struct ocsp_revoked_info_st
 #define V_OCSP_CERTSTATUS_GOOD    0
 #define V_OCSP_CERTSTATUS_REVOKED 1
 #define V_OCSP_CERTSTATUS_UNKNOWN 2
-typedef struct ocsp_cert_status_st
+typedef struct ocsp_cert_status_st {
-        {
        int type;
-        union   {
+        union {
                ASN1_NULL *good;
                OCSP_REVOKEDINFO *revoked;
                ASN1_NULL *unknown;
-                } value;
+        } value;
-        } OCSP_CERTSTATUS;
+} OCSP_CERTSTATUS;
 /*   SingleResponse ::= SEQUENCE {
 *      certID                       CertID,
@@ -250,14 +240,13 @@ typedef struct ocsp_cert_status_st
 *      nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
 *      singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
 */
-typedef struct ocsp_single_response_st
+typedef struct ocsp_single_response_st {
-        {
        OCSP_CERTID *certId;
        OCSP_CERTSTATUS *certStatus;
        ASN1_GENERALIZEDTIME *thisUpdate;
        ASN1_GENERALIZEDTIME *nextUpdate;
        STACK_OF(X509_EXTENSION) *singleExtensions;
-        } OCSP_SINGLERESP;
+} OCSP_SINGLERESP;
 DECLARE_STACK_OF(OCSP_SINGLERESP)
 DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
@@ -269,14 +258,13 @@ DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
 *      responses                SEQUENCE OF SingleResponse,
 *      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
 */
-typedef struct ocsp_response_data_st
+typedef struct ocsp_response_data_st {
-        {
        ASN1_INTEGER *version;
        OCSP_RESPID  *responderId;
        ASN1_GENERALIZEDTIME *producedAt;
        STACK_OF(OCSP_SINGLERESP) *responses;
        STACK_OF(X509_EXTENSION) *responseExtensions;
-        } OCSP_RESPDATA;
+} OCSP_RESPDATA;
 /*   BasicOCSPResponse       ::= SEQUENCE {
 *      tbsResponseData      ResponseData,
@@ -300,13 +288,12 @@ typedef struct ocsp_response_data_st
     that it doesn't do the double hashing that the RFC seems to say one
     should.  Therefore, all relevant functions take a flag saying which
     variant should be used.    -- Richard Levitte, OpenSSL team and CeloCom */
-typedef struct ocsp_basic_response_st
+typedef struct ocsp_basic_response_st {
-        {
        OCSP_RESPDATA *tbsResponseData;
        X509_ALGOR *signatureAlgorithm;
        ASN1_BIT_STRING *signature;
        STACK_OF(X509) *certs;
-        } OCSP_BASICRESP;
+} OCSP_BASICRESP;
 /*
 *   CRLReason ::= ENUMERATED {
@@ -319,164 +306,159 @@ typedef struct ocsp_basic_response_st
 *        certificateHold         (6),
 *        removeFromCRL           (8) }
 */
-#define OCSP_REVOKED_STATUS_NOSTATUS               -1
+#define OCSP_REVOKED_STATUS_NOSTATUS                    -1
-#define OCSP_REVOKED_STATUS_UNSPECIFIED             0
+#define OCSP_REVOKED_STATUS_UNSPECIFIED                 0
-#define OCSP_REVOKED_STATUS_KEYCOMPROMISE           1
+#define OCSP_REVOKED_STATUS_KEYCOMPROMISE               1
-#define OCSP_REVOKED_STATUS_CACOMPROMISE            2
+#define OCSP_REVOKED_STATUS_CACOMPROMISE                2
-#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED      3
+#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED          3
-#define OCSP_REVOKED_STATUS_SUPERSEDED              4
+#define OCSP_REVOKED_STATUS_SUPERSEDED                  4
-#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION    5
+#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION        5
-#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD         6
+#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD             6
-#define OCSP_REVOKED_STATUS_REMOVEFROMCRL           8
+#define OCSP_REVOKED_STATUS_REMOVEFROMCRL               8
 /* CrlID ::= SEQUENCE {
 *     crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
 *     crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
 *     crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }
 */
-typedef struct ocsp_crl_id_st
+typedef struct ocsp_crl_id_st {
-        {
        ASN1_IA5STRING *crlUrl;
        ASN1_INTEGER *crlNum;
        ASN1_GENERALIZEDTIME *crlTime;
-        } OCSP_CRLID;
+} OCSP_CRLID;
 /* ServiceLocator ::= SEQUENCE {
 *      issuer    Name,
 *      locator   AuthorityInfoAccessSyntax OPTIONAL }
 */
-typedef struct ocsp_service_locator_st
+typedef struct ocsp_service_locator_st {
-        {
        X509_NAME* issuer;
        STACK_OF(ACCESS_DESCRIPTION) *locator;
-        } OCSP_SERVICELOC;
+} OCSP_SERVICELOC;
 
 #define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
 #define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
-#define d2i_OCSP_REQUEST_bio(bp,p) ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p)
+#define d2i_OCSP_REQUEST_bio(bp,p) \
+    ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p)
-#define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
+#define d2i_OCSP_RESPONSE_bio(bp,p) \
+    ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
-#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \
+#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) \
-     (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
+    (OCSP_REQUEST *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_REQUEST, \
+        PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
-#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb)(OCSP_RESPONSE *)PEM_ASN1_read_bio(\
+#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb) \
-     (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
+    (OCSP_RESPONSE *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_RESPONSE, \
+        PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
 #define PEM_write_bio_OCSP_REQUEST(bp,o) \
    PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
-                        bp,(char *)o, NULL,NULL,0,NULL,NULL)
+        bp,(char *)o, NULL,NULL,0,NULL,NULL)
 #define PEM_write_bio_OCSP_RESPONSE(bp,o) \
    PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
-                        bp,(char *)o, NULL,NULL,0,NULL,NULL)
+        bp,(char *)o, NULL,NULL,0,NULL,NULL)
-#define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o)
+#define i2d_OCSP_RESPONSE_bio(bp,o) \
+    ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o)
-#define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o)
+#define i2d_OCSP_REQUEST_bio(bp,o) \
+    ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o)
 #define OCSP_REQUEST_sign(o,pkey,md) \
-        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
+    ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO), \
-                o->optionalSignature->signatureAlgorithm,NULL,\
+        o->optionalSignature->signatureAlgorithm,NULL, \
-                o->optionalSignature->signature,o->tbsRequest,pkey,md)
+        o->optionalSignature->signature,o->tbsRequest,pkey,md)
 #define OCSP_BASICRESP_sign(o,pkey,md,d) \
-        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL,\
+    ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL, \
-                o->signature,o->tbsResponseData,pkey,md)
+        o->signature,o->tbsResponseData,pkey,md)
-#define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
+#define OCSP_REQUEST_verify(a,r) \
-        a->optionalSignature->signatureAlgorithm,\
+    ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO), \
+        a->optionalSignature->signatureAlgorithm, \
        a->optionalSignature->signature,a->tbsRequest,r)
-#define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+#define OCSP_BASICRESP_verify(a,r,d) \
+    ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA), \
        a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
 #define ASN1_BIT_STRING_digest(data,type,md,len) \
-        ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
+    ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
 #define OCSP_CERTSTATUS_dup(cs)\
-                (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
+    (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
-                (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
+        (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
 OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);
 OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
 OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
-                                                                int maxline);
+            int maxline);
-int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
+int     OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
-void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
+void    OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
-int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
+int     OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
-int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
+int     OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name,
-                const char *name, const char *value);
+            const char *value);
 OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);
-OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, 
+OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName,
-                              X509_NAME *issuerName, 
+            ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber);
-                              ASN1_BIT_STRING* issuerKey, 
-                              ASN1_INTEGER *serialNumber);
 OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
-int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
+int     OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
-int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
+int     OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
-int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
+int     OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
-int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
+int     OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
-int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
+int     OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
-int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
+int     OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
-int OCSP_request_sign(OCSP_REQUEST   *req,
+int     OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
-                      X509           *signer,
+            const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags);
-                      EVP_PKEY       *key,
-                      const EVP_MD   *dgst,
-                      STACK_OF(X509) *certs,
-                      unsigned long flags);
-int OCSP_response_status(OCSP_RESPONSE *resp);
+int     OCSP_response_status(OCSP_RESPONSE *resp);
 OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
-int OCSP_resp_count(OCSP_BASICRESP *bs);
+int     OCSP_resp_count(OCSP_BASICRESP *bs);
 OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
-int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
+int     OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
-int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
+int     OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
-                                ASN1_GENERALIZEDTIME **revtime,
+            ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
-                                ASN1_GENERALIZEDTIME **thisupd,
+            ASN1_GENERALIZEDTIME **nextupd);
-                                ASN1_GENERALIZEDTIME **nextupd);
+int     OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
-int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
+            int *reason, ASN1_GENERALIZEDTIME **revtime,
-                                int *reason,
+            ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd);
-                                ASN1_GENERALIZEDTIME **revtime,
+int     OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
-                                ASN1_GENERALIZEDTIME **thisupd,
+            ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec);
-                                ASN1_GENERALIZEDTIME **nextupd);
-int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
+int     OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
-                        ASN1_GENERALIZEDTIME *nextupd,
+            X509_STORE *store, unsigned long flags);
-                        long sec, long maxsec);
+int     OCSP_parse_url(char *url, char **phost, char **pport, char **ppath,
-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags);
+            int *pssl);
-int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl);
+int     OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
+int     OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
-int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
-int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
+int     OCSP_request_onereq_count(OCSP_REQUEST *req);
-int OCSP_request_onereq_count(OCSP_REQUEST *req);
 OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
 OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
-int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+int     OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
-                        ASN1_OCTET_STRING **pikeyHash,
+            ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial,
-                        ASN1_INTEGER **pserial, OCSP_CERTID *cid);
+            OCSP_CERTID *cid);
-int OCSP_request_is_signed(OCSP_REQUEST *req);
+int     OCSP_request_is_signed(OCSP_REQUEST *req);
 OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
-OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid,
-                                                OCSP_CERTID *cid,
+            int status, int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, 
-                                                int status, int reason,
+            ASN1_TIME *nextupd);
-                                                ASN1_TIME *revtime,
+int     OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
-                                        ASN1_TIME *thisupd, ASN1_TIME *nextupd);
+int     OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
-int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
+            const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags);
-int OCSP_basic_sign(OCSP_BASICRESP *brsp, 
-                        X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
-                        STACK_OF(X509) *certs, unsigned long flags);
 X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);
@@ -486,49 +468,60 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char* tim);
 X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls);
-int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
+int     OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
-int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
+int     OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
-int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos);
+int     OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj,
-int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos);
+            int lastpos);
+int     OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit,
+            int lastpos);
 X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
 X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
 void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx);
-int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
+int     OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value,
-                                                        unsigned long flags);
+            int crit, unsigned long flags);
-int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
+int     OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
-int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
+int     OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
-int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
+int     OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
-int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos);
+int     OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj,
-int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
+            int lastpos);
+int     OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
 X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
 X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
 void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
-int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
+int     OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
-                                                        unsigned long flags);
+            unsigned long flags);
-int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
+int     OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
-int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
+int     OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
-int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
+int     OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
-int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos);
+int     OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj,
-int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos);
+            int lastpos);
+int     OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
+            int lastpos);
 X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
 X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
-void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx);
+void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit,
-int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
+            int *idx);
-                                                        unsigned long flags);
+int     OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
-int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
+            int crit, unsigned long flags);
+int     OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
-int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
-int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos);
+int     OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
-int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos);
+int     OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid,
-int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos);
+            int lastpos);
+int     OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj,
+            int lastpos);
+int     OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
+            int lastpos);
 X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
 X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
-void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx);
+void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit,
-int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
+            int *idx);
-                                                        unsigned long flags);
+int     OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value,
-int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc);
+            int crit, unsigned long flags);
+int     OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex,
+            int loc);
 DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
 DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
@@ -550,11 +543,11 @@ const char *OCSP_response_status_str(long s);
 const char *OCSP_cert_status_str(long s);
 const char *OCSP_crl_reason_str(long s);
-int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
+int     OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
-int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
+int     OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+int     OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
-                                X509_STORE *st, unsigned long flags);
+            X509_STORE *st, unsigned long flags);
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c b/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c
index 9c14d9da27..716513d2f9 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_cl.c
@@ -78,229 +78,241 @@
 /* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ 
 * pointer: useful if we want to add extensions.
 */
+OCSP_ONEREQ *
-OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
+OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
-        {
+{
        OCSP_ONEREQ *one = NULL;
-        if (!(one = OCSP_ONEREQ_new())) goto err;
+        if (!(one = OCSP_ONEREQ_new()))
-        if (one->reqCert) OCSP_CERTID_free(one->reqCert);
+                goto err;
+        if (one->reqCert)
+                OCSP_CERTID_free(one->reqCert);
        one->reqCert = cid;
-        if (req &&
+        if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
-                !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
+                goto err;
-                                goto err;
        return one;
 err:
        OCSP_ONEREQ_free(one);
        return NULL;
-        }
+}
 /* Set requestorName from an X509_NAME structure */
+int
-int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
+OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
-        {
+{
        GENERAL_NAME *gen;
        gen = GENERAL_NAME_new();
        if (gen == NULL)
                return 0;
-        if (!X509_NAME_set(&gen->d.directoryName, nm))
+        if (!X509_NAME_set(&gen->d.directoryName, nm)) {
-                {
                GENERAL_NAME_free(gen);
                return 0;
-                }
+        }
        gen->type = GEN_DIRNAME;
        if (req->tbsRequest->requestorName)
                GENERAL_NAME_free(req->tbsRequest->requestorName);
        req->tbsRequest->requestorName = gen;
        return 1;
-        }
+}
        
 /* Add a certificate to an OCSP request */
+int
-int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
+OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
-        {
+{
        OCSP_SIGNATURE *sig;
        if (!req->optionalSignature)
                req->optionalSignature = OCSP_SIGNATURE_new();
        sig = req->optionalSignature;
-        if (!sig) return 0;
+        if (!sig)
-        if (!cert) return 1;
+                return 0;
+        if (!cert)
+                return 1;
        if (!sig->certs && !(sig->certs = sk_X509_new_null()))
                return 0;
-        if(!sk_X509_push(sig->certs, cert)) return 0;
+        if(!sk_X509_push(sig->certs, cert))
+                return 0;
        CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
        return 1;
-        }
+}
 /* Sign an OCSP request set the requestorName to the subjec
 * name of an optional signers certificate and include one
 * or more optional certificates in the request. Behaves
 * like PKCS7_sign().
 */
+int
-int OCSP_request_sign(OCSP_REQUEST   *req,
+OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
-                      X509           *signer,
+    const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags)
-                      EVP_PKEY       *key,
+{
-                      const EVP_MD   *dgst,
-                      STACK_OF(X509) *certs,
-                      unsigned long flags)
-        {
        int i;
        OCSP_SIGNATURE *sig;
        X509 *x;
        if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
+                goto err;
+        if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new()))
+                goto err;
+        if (key) {
+                if (!X509_check_private_key(signer, key)) {
+                        OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
+                            OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
                        goto err;
-        if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
-        if (key)
-                {
-                if (!X509_check_private_key(signer, key))
-                        {
-                        OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
-                        goto err;
-                        }
-                if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
                }
+                if (!OCSP_REQUEST_sign(req, key, dgst))
+                        goto err;
+        }
-        if (!(flags & OCSP_NOCERTS))
+        if (!(flags & OCSP_NOCERTS)) {
-                {
+                if(!OCSP_request_add1_cert(req, signer))
-                if(!OCSP_request_add1_cert(req, signer)) goto err;
+                        goto err;
-                for (i = 0; i < sk_X509_num(certs); i++)
+                for (i = 0; i < sk_X509_num(certs); i++) {
-                        {
                        x = sk_X509_value(certs, i);
-                        if (!OCSP_request_add1_cert(req, x)) goto err;
+                        if (!OCSP_request_add1_cert(req, x))
-                        }
+                                goto err;
                }
+        }
        return 1;
 err:
        OCSP_SIGNATURE_free(req->optionalSignature);
        req->optionalSignature = NULL;
        return 0;
-        }
+}
 /* Get response status */
+int
-int OCSP_response_status(OCSP_RESPONSE *resp)
+OCSP_response_status(OCSP_RESPONSE *resp)
-        {
+{
        return ASN1_ENUMERATED_get(resp->responseStatus);
-        }
+}
 /* Extract basic response from OCSP_RESPONSE or NULL if
 * no basic response present.
 */
- 
+OCSP_BASICRESP *
+OCSP_response_get1_basic(OCSP_RESPONSE *resp)
-OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
+{
-        {
        OCSP_RESPBYTES *rb;
        rb = resp->responseBytes;
-        if (!rb)
+        if (!rb) {
-                {
+                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
-                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
+                    OCSP_R_NO_RESPONSE_DATA);
                return NULL;
-                }
+        }
-        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
+        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
-                {
+                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC,
-                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
+                    OCSP_R_NOT_BASIC_RESPONSE);
                return NULL;
-                }
+        }
        return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
-        }
+}
 /* Return number of OCSP_SINGLERESP reponses present in
 * a basic response.
 */
+int
-int OCSP_resp_count(OCSP_BASICRESP *bs)
+OCSP_resp_count(OCSP_BASICRESP *bs)
-        {
+{
-        if (!bs) return -1;
+        if (!bs)
+                return -1;
        return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
-        }
+}
 /* Extract an OCSP_SINGLERESP response with a given index */
+OCSP_SINGLERESP *
-OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
+OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
-        {
+{
-        if (!bs) return NULL;
+        if (!bs)
+                return NULL;
        return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
-        }
+}
 /* Look single response matching a given certificate ID */
+int
-int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
+OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
-        {
+{
        int i;
        STACK_OF(OCSP_SINGLERESP) *sresp;
        OCSP_SINGLERESP *single;
-        if (!bs) return -1;
-        if (last < 0) last = 0;
+        if (!bs)
-        else last++;
+                return -1;
+        if (last < 0)
+                last = 0;
+        else
+                last++;
        sresp = bs->tbsResponseData->responses;
-        for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++)
+        for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
-                {
                single = sk_OCSP_SINGLERESP_value(sresp, i);
-                if (!OCSP_id_cmp(id, single->certId)) return i;
+                if (!OCSP_id_cmp(id, single->certId))
-                }
+                        return i;
-        return -1;
        }
+        return -1;
+}
 /* Extract status information from an OCSP_SINGLERESP structure.
 * Note: the revtime and reason values are only set if the 
 * certificate status is revoked. Returns numerical value of
 * status.
 */
+int
-int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
+OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
-                                ASN1_GENERALIZEDTIME **revtime,
+    ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
-                                ASN1_GENERALIZEDTIME **thisupd,
+    ASN1_GENERALIZEDTIME **nextupd)
-                                ASN1_GENERALIZEDTIME **nextupd)
+{
-        {
        int ret;
        OCSP_CERTSTATUS *cst;
-        if(!single) return -1;
+        if (!single)
+                return -1;
        cst = single->certStatus;
        ret = cst->type;
-        if (ret == V_OCSP_CERTSTATUS_REVOKED)
+        if (ret == V_OCSP_CERTSTATUS_REVOKED) {
-                {
                OCSP_REVOKEDINFO *rev = cst->value.revoked;
-                if (revtime) *revtime = rev->revocationTime;
-                if (reason) 
+                if (revtime)
-                        {
+                        *revtime = rev->revocationTime;
-                        if(rev->revocationReason)
+                if (reason) {
+                        if (rev->revocationReason)
                                *reason = ASN1_ENUMERATED_get(rev->revocationReason);
-                        else *reason = -1;
+                        else
-                        }
+                                *reason = -1;
                }
-        if(thisupd) *thisupd = single->thisUpdate;
-        if(nextupd) *nextupd = single->nextUpdate;
-        return ret;
        }
+        if (thisupd)
+                *thisupd = single->thisUpdate;
+        if (nextupd)
+                *nextupd = single->nextUpdate;
+        return ret;
+}
 /* This function combines the previous ones: look up a certificate ID and
 * if found extract status information. Return 0 is successful.
 */
+int
-int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
+OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
-                                int *reason,
+    int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
-                                ASN1_GENERALIZEDTIME **revtime,
+    ASN1_GENERALIZEDTIME **nextupd)
-                                ASN1_GENERALIZEDTIME **thisupd,
+{
-                                ASN1_GENERALIZEDTIME **nextupd)
-        {
        int i;
        OCSP_SINGLERESP *single;
        i = OCSP_resp_find(bs, id, -1);
        /* Maybe check for multiple responses and give an error? */
-        if(i < 0) return 0;
+        if (i < 0)
+                return 0;
        single = OCSP_resp_get0(bs, i);
        i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
-        if(status) *status = i;
+        if (status)
+                *status = i;
        return 1;
-        }
+}
 /* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
 * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
@@ -308,64 +320,61 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
 * Also to avoid accepting very old responses without a nextUpdate field an optional maxage
 * parameter specifies the maximum age the thisUpdate field can be.
 */
+int
-int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
+OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
-        {
+    ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
+{
        int ret = 1;
        time_t t_now, t_tmp;
        time(&t_now);
        /* Check thisUpdate is valid and not more than nsec in the future */
-        if (!ASN1_GENERALIZEDTIME_check(thisupd))
+        if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
-                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
+                    OCSP_R_ERROR_IN_THISUPDATE_FIELD);
                ret = 0;
-                }
+        } else {
-        else 
+                t_tmp = t_now + nsec;
-                {
+                if (X509_cmp_time(thisupd, &t_tmp) > 0) {
-                        t_tmp = t_now + nsec;
+                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                        if (X509_cmp_time(thisupd, &t_tmp) > 0)
+                            OCSP_R_STATUS_NOT_YET_VALID);
-                        {
-                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
                        ret = 0;
-                        }
+                }
                /* If maxsec specified check thisUpdate is not more than maxsec in the past */
-                if (maxsec >= 0)
+                if (maxsec >= 0) {
-                        {
                        t_tmp = t_now - maxsec;
-                        if (X509_cmp_time(thisupd, &t_tmp) < 0)
+                        if (X509_cmp_time(thisupd, &t_tmp) < 0) {
-                                {
+                                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
+                                    OCSP_R_STATUS_TOO_OLD);
                                ret = 0;
-                                }
                        }
                }
-                
+        }
-        if (!nextupd) return ret;
+        if (!nextupd)
+                return ret;
        /* Check nextUpdate is valid and not more than nsec in the past */
-        if (!ASN1_GENERALIZEDTIME_check(nextupd))
+        if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
-                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
+                    OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
                ret = 0;
-                }
+        } else {
-        else 
-                {
                t_tmp = t_now - nsec;
-                if (X509_cmp_time(nextupd, &t_tmp) < 0)
+                if (X509_cmp_time(nextupd, &t_tmp) < 0) {
-                        {
+                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
+                            OCSP_R_STATUS_EXPIRED);
                        ret = 0;
-                        }
                }
+        }
        /* Also don't allow nextUpdate to precede thisUpdate */
-        if (ASN1_STRING_cmp(nextupd, thisupd) < 0)
+        if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
-                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
-                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
+                    OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
                ret = 0;
-                }
+        }
        return ret;
-        }
+}
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_ext.c b/src/lib/libssl/src/crypto/ocsp/ocsp_ext.c
index 9c7832b301..6ec8ca4adf 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_ext.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_ext.c
@@ -73,238 +73,285 @@
 /* OCSP request extensions */
-int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
+int
-        {
+OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
-        return(X509v3_get_ext_count(x->tbsRequest->requestExtensions));
+{
-        }
+        return X509v3_get_ext_count(x->tbsRequest->requestExtensions);
+}
-int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
-        {
+int
-        return(X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions,nid,lastpos));
+OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
-        }
+{
+        return X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions, nid,
-int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos)
+            lastpos);
-        {
+}
-        return(X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions,obj,lastpos));
-        }
+int
+OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos)
-int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
+{
-        {
+        return X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions, obj,
-        return(X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,crit,lastpos));
+            lastpos);
-        }
+}
-X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
+int
-        {
+OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
-        return(X509v3_get_ext(x->tbsRequest->requestExtensions,loc));
+{
-        }
+        return X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,
+            crit, lastpos);
-X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
+}
-        {
-        return(X509v3_delete_ext(x->tbsRequest->requestExtensions,loc));
+X509_EXTENSION *
-        }
+OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
+{
-void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
+        return X509v3_get_ext(x->tbsRequest->requestExtensions, loc);
-        {
+}
+X509_EXTENSION *
+OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
+{
+        return X509v3_delete_ext(x->tbsRequest->requestExtensions, loc);
+}
+void *
+OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
+{
        return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx);
-        }
+}
-int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
+int
-                                                        unsigned long flags)
+OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
-        {
+    unsigned long flags)
-        return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value, crit, flags);
+{
-        }
+        return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value,
+            crit, flags);
-int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
+}
-        {
-        return(X509v3_add_ext(&(x->tbsRequest->requestExtensions),ex,loc) != NULL);
+int
-        }
+OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
+{
+        return X509v3_add_ext(&(x->tbsRequest->requestExtensions), ex, loc) !=
+            NULL;
+}
 /* Single extensions */
-int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
+int
-        {
+OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
-        return(X509v3_get_ext_count(x->singleRequestExtensions));
+{
-        }
+        return X509v3_get_ext_count(x->singleRequestExtensions);
+}
-int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
-        {
+int
-        return(X509v3_get_ext_by_NID(x->singleRequestExtensions,nid,lastpos));
+OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
-        }
+{
+        return X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos);
-int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
+}
-        {
-        return(X509v3_get_ext_by_OBJ(x->singleRequestExtensions,obj,lastpos));
+int
-        }
+OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
+{
-int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
+        return X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos);
-        {
+}
-        return(X509v3_get_ext_by_critical(x->singleRequestExtensions,crit,lastpos));
-        }
+int
+OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
-X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
+{
-        {
+        return X509v3_get_ext_by_critical(x->singleRequestExtensions, crit,
-        return(X509v3_get_ext(x->singleRequestExtensions,loc));
+            lastpos);
-        }
+}
-X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
+X509_EXTENSION *
-        {
+OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
-        return(X509v3_delete_ext(x->singleRequestExtensions,loc));
+{
-        }
+        return X509v3_get_ext(x->singleRequestExtensions, loc);
+}
+X509_EXTENSION *
+OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
+{
+        return X509v3_delete_ext(x->singleRequestExtensions, loc);
+}
 void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
-        {
+{
        return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
-        }
+}
-int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
+int
-                                                        unsigned long flags)
+OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
-        {
+    unsigned long flags)
-        return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit, flags);
+{
-        }
+        return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit,
+            flags);
-int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
+}
-        {
-        return(X509v3_add_ext(&(x->singleRequestExtensions),ex,loc) != NULL);
+int
-        }
+OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
+{
+        return X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL;
+}
 /* OCSP Basic response */
-int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
+int
-        {
+OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
-        return(X509v3_get_ext_count(x->tbsResponseData->responseExtensions));
+{
-        }
+        return X509v3_get_ext_count(x->tbsResponseData->responseExtensions);
+}
-int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
-        {
+int
-        return(X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,nid,lastpos));
+OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
-        }
+{
+        return X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,
-int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos)
+            nid ,lastpos);
-        {
+}
-        return(X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,obj,lastpos));
-        }
+int
+OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos)
-int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
+{
-        {
+        return X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,
-        return(X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions,crit,lastpos));
+            obj, lastpos);
-        }
+}
-X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
+int
-        {
+OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
-        return(X509v3_get_ext(x->tbsResponseData->responseExtensions,loc));
+{
-        }
+        return X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions,
+            crit, lastpos);
-X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
+}
-        {
-        return(X509v3_delete_ext(x->tbsResponseData->responseExtensions,loc));
+X509_EXTENSION *
-        }
+OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
+{
-void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
+        return X509v3_get_ext(x->tbsResponseData->responseExtensions, loc);
-        {
+}
-        return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, crit, idx);
-        }
+X509_EXTENSION *
+OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
-int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
+{
-                                                        unsigned long flags)
+        return X509v3_delete_ext(x->tbsResponseData->responseExtensions, loc);
-        {
+}
-        return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid, value, crit, flags);
-        }
+void *
+OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
-int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
+{
-        {
+        return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid,
-        return(X509v3_add_ext(&(x->tbsResponseData->responseExtensions),ex,loc) != NULL);
+            crit, idx);
-        }
+}
+int
+OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
+    unsigned long flags)
+{
+        return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid,
+            value, crit, flags);
+}
+int
+OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
+{
+        return X509v3_add_ext(&(x->tbsResponseData->responseExtensions), ex,
+            loc) != NULL;
+}
 /* OCSP single response extensions */
-int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
+int
-        {
+OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
-        return(X509v3_get_ext_count(x->singleExtensions));
+{
-        }
+        return X509v3_get_ext_count(x->singleExtensions);
+}
-int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
-        {
+int
-        return(X509v3_get_ext_by_NID(x->singleExtensions,nid,lastpos));
+OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
-        }
+{
+        return X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos);
-int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos)
+}
-        {
-        return(X509v3_get_ext_by_OBJ(x->singleExtensions,obj,lastpos));
+int
-        }
+OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj,
+    int lastpos)
-int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
+{
-        {
+        return X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos);
-        return(X509v3_get_ext_by_critical(x->singleExtensions,crit,lastpos));
+}
-        }
+int
-X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
+OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
-        {
+{
-        return(X509v3_get_ext(x->singleExtensions,loc));
+        return X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos);
-        }
+}
-X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
+X509_EXTENSION *
-        {
+OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
-        return(X509v3_delete_ext(x->singleExtensions,loc));
+{
-        }
+        return X509v3_get_ext(x->singleExtensions, loc);
+}
-void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
-        {
+X509_EXTENSION *
+OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
+{
+        return X509v3_delete_ext(x->singleExtensions, loc);
+}
+void *
+OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
+{
        return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
-        }
+}
-int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
+int
-                                                        unsigned long flags)
+OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
-        {
+    unsigned long flags)
+{
        return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
-        }
+}
-int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
+int
-        {
+OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
-        return(X509v3_add_ext(&(x->singleExtensions),ex,loc) != NULL);
+{
-        }
+        return X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL;
+}
 /* also CRL Entry Extensions */
 #if 0
-ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d,
+ASN1_STRING *
-                                void *data, STACK_OF(ASN1_OBJECT) *sk)
+ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d, void *data,
-        {
+    STACK_OF(ASN1_OBJECT) *sk)
+{
        int i;
        unsigned char *p, *b = NULL;
-        if (data)
+        if (data) {
-                {
+                if ((i = i2d(data, NULL)) <= 0)
-                if ((i=i2d(data,NULL)) <= 0) goto err;
-                if (!(b=p=malloc((unsigned int)i)))
                        goto err;
-                if (i2d(data, &p) <= 0) goto err;
+                if (!(b = p = malloc((unsigned int)i)))
-                }
+                        goto err;
-        else if (sk)
+                if (i2d(data, &p) <= 0)
-                {
+                        goto err;
-                if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,
+        } else if (sk) {
-                                                   (I2D_OF(ASN1_OBJECT))i2d,
+                if ((i = i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,
-                                                   V_ASN1_SEQUENCE,
+                    (I2D_OF(ASN1_OBJECT))i2d, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL,
-                                                   V_ASN1_UNIVERSAL,
+                    IS_SEQUENCE)) <= 0)
-                                                   IS_SEQUENCE))<=0) goto err;
+                        goto err;
-                if (!(b=p=malloc((unsigned int)i)))
+                if (!(b = p = malloc((unsigned int)i)))
                        goto err;
                if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,(I2D_OF(ASN1_OBJECT))i2d,
-                                                V_ASN1_SEQUENCE,
+                    V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE) <= 0)
-                                                V_ASN1_UNIVERSAL,
+                        goto err;
-                                                IS_SEQUENCE)<=0) goto err;
+        } else {
-                }
+                OCSPerr(OCSP_F_ASN1_STRING_ENCODE, OCSP_R_BAD_DATA);
-        else
+                goto err;
-                {
+        }
-                OCSPerr(OCSP_F_ASN1_STRING_ENCODE,OCSP_R_BAD_DATA);
+        if (!s && !(s = ASN1_STRING_new()))
+                goto err;
+        if (!(ASN1_STRING_set(s, b, i)))
                goto err;
-                }
-        if (!s && !(s = ASN1_STRING_new())) goto err;
-        if (!(ASN1_STRING_set(s, b, i))) goto err;
        free(b);
        return s;
 err:
-        if (b) free(b);
+        free(b);
        return NULL;
-        }
+}
 #endif
 /* Nonce handling functions */
@@ -315,16 +362,19 @@ err:
 * nonce, previous versions used the raw nonce.
 */
-static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
+static int
-        {
+ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
+{
        unsigned char *tmpval;
        ASN1_OCTET_STRING os;
        int ret = 0;
-        if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
+        if (len <= 0)
+                len = OCSP_DEFAULT_NONCE_LENGTH;
        /* Create the OCTET STRING manually by writing out the header and
         * appending the content octets. This avoids an extra memory allocation
         * operation in some cases. Applications should *NOT* do this because
-         * it relies on library internals.
+         * it relies on library internals.
         */
        os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
        os.data = malloc(os.length);
@@ -336,30 +386,29 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val,
                memcpy(tmpval, val, len);
        else
                RAND_pseudo_bytes(tmpval, len);
-        if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
+        if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0,
-                        &os, 0, X509V3_ADD_REPLACE))
+            X509V3_ADD_REPLACE))
-                                goto err;
+                goto err;
        ret = 1;
-        err:
+err:
-        if (os.data)
+        free(os.data);
-                free(os.data);
        return ret;
-        }
+}
 /* Add nonce to an OCSP request */
+int
-int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
+OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
-        {
+{
        return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
-        }
+}
 /* Same as above but for a response */
+int
-int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
+OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
-        {
+{
-        return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, len);
+        return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val,
-        }
+            len);
+}
 /* Check nonce validity in a request and response.
 * Return value reflects result:
@@ -373,9 +422,9 @@ int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
 *  If responder doesn't handle nonces return != 0 may be
 *  necessary. return == 0 is always an error.
 */
+int
-int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
+OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
-        {
+{
        /*
         * Since we are only interested in the presence or absence of
         * the nonce and comparing its value there is no need to use
@@ -383,136 +432,160 @@ int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
         * ASN1_OCTET_STRING structure for the value which would be
         * freed immediately anyway.
         */
        int req_idx, resp_idx;
        X509_EXTENSION *req_ext, *resp_ext;
        req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
        resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
        /* Check both absent */
-        if((req_idx < 0) && (resp_idx < 0))
+        if (req_idx < 0 && resp_idx < 0)
                return 2;
        /* Check in request only */
-        if((req_idx >= 0) && (resp_idx < 0))
+        if (req_idx >= 0 && resp_idx < 0)
                return -1;
        /* Check in response but not request */
-        if((req_idx < 0) && (resp_idx >= 0))
+        if (req_idx < 0 && resp_idx >= 0)
                return 3;
        /* Otherwise nonce in request and response so retrieve the extensions */
        req_ext = OCSP_REQUEST_get_ext(req, req_idx);
        resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
-        if(ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
+        if (ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
                return 0;
        return 1;
-        }
+}
 /* Copy the nonce value (if any) from an OCSP request to 
 * a response.
 */
+int
-int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
+OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
-        {
+{
        X509_EXTENSION *req_ext;
        int req_idx;
        /* Check for nonce in request */
        req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
        /* If no nonce that's OK */
-        if (req_idx < 0) return 2;
+        if (req_idx < 0)
+                return 2;
        req_ext = OCSP_REQUEST_get_ext(req, req_idx);
        return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
-        }
+}
-X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
+X509_EXTENSION *
-        {
+OCSP_crlID_new(char *url, long *n, char *tim)
+{
        X509_EXTENSION *x = NULL;
        OCSP_CRLID *cid = NULL;
        
-        if (!(cid = OCSP_CRLID_new())) goto err;
+        if (!(cid = OCSP_CRLID_new()))
-        if (url)
+                goto err;
-                {
+        if (url) {
-                if (!(cid->crlUrl = ASN1_IA5STRING_new())) goto err;
+                if (!(cid->crlUrl = ASN1_IA5STRING_new()))
-                if (!(ASN1_STRING_set(cid->crlUrl, url, -1))) goto err;
+                        goto err;
-                }
+                if (!(ASN1_STRING_set(cid->crlUrl, url, -1)))
-        if (n)
+                        goto err;
-                {
+        }
-                if (!(cid->crlNum = ASN1_INTEGER_new())) goto err;
+        if (n) {
-                if (!(ASN1_INTEGER_set(cid->crlNum, *n))) goto err;
+                if (!(cid->crlNum = ASN1_INTEGER_new()))
-                }
+                        goto err;
-        if (tim)
+                if (!(ASN1_INTEGER_set(cid->crlNum, *n)))
-                {
+                        goto err;
-                if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new())) goto err;
+        }
+        if (tim) {
+                if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new()))
+                        goto err;
                if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim))) 
-                        goto err;
+                        goto err;
-                }
+        }
        x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
 err:
-        if (cid) OCSP_CRLID_free(cid);
+        if (cid)
+                OCSP_CRLID_free(cid);
        return x;
-        }
+}
 /*   AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
-X509_EXTENSION *OCSP_accept_responses_new(char **oids)
+X509_EXTENSION *
-        {
+OCSP_accept_responses_new(char **oids)
+{
        int nid;
        STACK_OF(ASN1_OBJECT) *sk = NULL;
        ASN1_OBJECT *o = NULL;
-        X509_EXTENSION *x = NULL;
+        X509_EXTENSION *x = NULL;
-        if (!(sk = sk_ASN1_OBJECT_new_null())) goto err;
+        if (!(sk = sk_ASN1_OBJECT_new_null()))
-        while (oids && *oids)
+                goto err;
-                {
+        while (oids && *oids) {
-                if ((nid=OBJ_txt2nid(*oids))!=NID_undef&&(o=OBJ_nid2obj(nid))) 
+                if ((nid = OBJ_txt2nid(*oids)) != NID_undef &&
-                        sk_ASN1_OBJECT_push(sk, o);
+                    (o = OBJ_nid2obj(nid))) 
+                        sk_ASN1_OBJECT_push(sk, o);
                oids++;
-                }
+        }
        x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
 err:
-        if (sk) sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
+        if (sk)
+                sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
        return x;
-        }
+}
 /*  ArchiveCutoff ::= GeneralizedTime */
-X509_EXTENSION *OCSP_archive_cutoff_new(char* tim)
+X509_EXTENSION *
-        {
+OCSP_archive_cutoff_new(char* tim)
-        X509_EXTENSION *x=NULL;
+{
+        X509_EXTENSION *x = NULL;
        ASN1_GENERALIZEDTIME *gt = NULL;
-        if (!(gt = ASN1_GENERALIZEDTIME_new())) goto err;
+        if (!(gt = ASN1_GENERALIZEDTIME_new()))
-        if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err;
+                goto err;
+        if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
+                goto err;
        x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
 err:
-        if (gt) ASN1_GENERALIZEDTIME_free(gt);
+        if (gt)
+                ASN1_GENERALIZEDTIME_free(gt);
        return x;
-        }
+}
 /* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
 * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value.  This
 * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
 */
-X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
+X509_EXTENSION *
-        {
+OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
+{
        X509_EXTENSION *x = NULL;
        ASN1_IA5STRING *ia5 = NULL;
        OCSP_SERVICELOC *sloc = NULL;
        ACCESS_DESCRIPTION *ad = NULL;
        
-        if (!(sloc = OCSP_SERVICELOC_new())) goto err;
+        if (!(sloc = OCSP_SERVICELOC_new()))
-        if (!(sloc->issuer = X509_NAME_dup(issuer))) goto err;
+                goto err;
-        if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) goto err;
+        if (!(sloc->issuer = X509_NAME_dup(issuer)))
-        while (urls && *urls)
+                goto err;
-                {
+        if (urls && *urls &&
-                if (!(ad = ACCESS_DESCRIPTION_new())) goto err;
+            !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null()))
-                if (!(ad->method=OBJ_nid2obj(NID_ad_OCSP))) goto err;
+                goto err;
-                if (!(ad->location = GENERAL_NAME_new())) goto err;
+        while (urls && *urls) {
-                if (!(ia5 = ASN1_IA5STRING_new())) goto err;
+                if (!(ad = ACCESS_DESCRIPTION_new()))
-                if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1)) goto err;
+                        goto err;
+                if (!(ad->method = OBJ_nid2obj(NID_ad_OCSP)))
+                        goto err;
+                if (!(ad->location = GENERAL_NAME_new()))
+                        goto err;
+                if (!(ia5 = ASN1_IA5STRING_new()))
+                        goto err;
+                if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1))
+                        goto err;
                ad->location->type = GEN_URI;
                ad->location->d.ia5 = ia5;
-                if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) goto err;
+                if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
+                        goto err;
                urls++;
-                }
+        }
        x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
 err:
-        if (sloc) OCSP_SERVICELOC_free(sloc);
+        if (sloc)
+                OCSP_SERVICELOC_free(sloc);
        return x;
-        }
+}
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c b/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c
index b45eaf6767..fe4a7a1a72 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_ht.c
@@ -79,7 +79,7 @@ struct ocsp_req_ctx_st {
        BIO *io;                /* BIO to perform I/O with */
        BIO *mem;               /* Memory BIO response is built into */
        unsigned long asn1_len; /* ASN1 length of response */
-        };
+};
 #define OCSP_MAX_REQUEST_LENGTH (100 * 1024)
 #define OCSP_MAX_LINE_LEN       4096;
@@ -108,54 +108,57 @@ struct ocsp_req_ctx_st {
 static int parse_http_line1(char *line);
-void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
+void
-        {
+OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
+{
        if (rctx->mem)
                BIO_free(rctx->mem);
        if (rctx->iobuf)
                free(rctx->iobuf);
        free(rctx);
-        }
+}
-int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req)
+int
-        {
+OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req)
+{
        static const char req_hdr[] =
-        "Content-Type: application/ocsp-request\r\n"
+            "Content-Type: application/ocsp-request\r\n"
-        "Content-Length: %d\r\n\r\n";
+            "Content-Length: %d\r\n\r\n";
-        if (BIO_printf(rctx->mem, req_hdr, i2d_OCSP_REQUEST(req, NULL)) <= 0)
+        if (BIO_printf(rctx->mem, req_hdr, i2d_OCSP_REQUEST(req, NULL)) <= 0)
                return 0;
-        if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0)
+        if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0)
                return 0;
        rctx->state = OHS_ASN1_WRITE;
        rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
        return 1;
-        }
+}
-int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
+int
-                const char *name, const char *value)
+OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name,
-        {
+    const char *value)
+{
        if (!name)
                return 0;
        if (BIO_puts(rctx->mem, name) <= 0)
                return 0;
-        if (value)
+        if (value) {
-                {
                if (BIO_write(rctx->mem, ": ", 2) != 2)
                        return 0;
                if (BIO_puts(rctx->mem, value) <= 0)
                        return 0;
-                }
+        }
        if (BIO_write(rctx->mem, "\r\n", 2) != 2)
                return 0;
        return 1;
-        }
+}
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
+OCSP_REQ_CTX *
-                                                                int maxline)
+OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, int maxline)
-        {
+{
        static const char post_hdr[] = "POST %s HTTP/1.0\r\n";
        OCSP_REQ_CTX *rctx;
        rctx = malloc(sizeof(OCSP_REQ_CTX));
        rctx->state = OHS_ERROR;
        rctx->mem = BIO_new(BIO_s_mem());
@@ -174,7 +177,7 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
        if (!path)
                path = "/";
-        if (BIO_printf(rctx->mem, post_hdr, path) <= 0) {
+        if (BIO_printf(rctx->mem, post_hdr, path) <= 0) {
                free(rctx->iobuf);
                BIO_free(rctx->mem);
                free(rctx);
@@ -189,49 +192,44 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
        }
        return rctx;
-        }
+}
 /* Parse the HTTP response. This will look like this:
 * "HTTP/1.0 200 OK". We need to obtain the numeric code and
 * (optional) informational message.
 */
+static int
-static int parse_http_line1(char *line)
+parse_http_line1(char *line)
-        {
+{
        int retcode;
        char *p, *q, *r;
-        /* Skip to first white space (passed protocol info) */
-        for(p = line; *p && !isspace((unsigned char)*p); p++)
+        /* Skip to first white space (passed protocol info) */
+        for (p = line; *p && !isspace((unsigned char)*p); p++)
                continue;
-        if(!*p)
+        if (!*p) {
-                {
                OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
-                                        OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                    OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
                return 0;
-                }
+        }
        /* Skip past white space to start of response code */
-        while(*p && isspace((unsigned char)*p))
+        while (*p && isspace((unsigned char)*p))
                p++;
+        if (!*p) {
-        if(!*p)
-                {
                OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
-                                        OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                    OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
                return 0;
-                }
+        }
        /* Find end of response code: first whitespace after start of code */
-        for(q = p; *q && !isspace((unsigned char)*q); q++)
+        for (q = p; *q && !isspace((unsigned char)*q); q++)
                continue;
+        if (!*q) {
-        if(!*q)
-                {
                OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
-                                        OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                    OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
                return 0;
-                }
+        }
        /* Set end of response code and start of message */ 
        *q++ = 0;
@@ -239,94 +237,80 @@ static int parse_http_line1(char *line)
        /* Attempt to parse numeric code */
        retcode = strtoul(p, &r, 10);
-        if(*r)
+        if (*r)
                return 0;
        /* Skip over any leading white space in message */
-        while(*q && isspace((unsigned char)*q))
+        while (*q && isspace((unsigned char)*q))
                q++;
+        if (*q) {
-        if(*q)
-                {
                /* Finally zap any trailing white space in message (include
                 * CRLF) */
                /* We know q has a non white space character so this is OK */
-                for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--)
+                for (r = q + strlen(q) - 1; isspace((unsigned char)*r); r--)
                        *r = 0;
-                }
+        }
-        if(retcode != 200)
+        if (retcode != 200) {
-                {
                OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_ERROR);
-                if(!*q)
+                if (!*q)
                        ERR_asprintf_error_data("Code=%s", p);
                else
                        ERR_asprintf_error_data("Code=%s,Reason=%s", p, q);
                return 0;
-                }
+        }
        return 1;
+}
-        }
+int
+OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
-int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
+{
-        {
        int i, n;
        const unsigned char *p;
-        next_io:
-        if (!(rctx->state & OHS_NOREAD))
+next_io:
-                {
+        if (!(rctx->state & OHS_NOREAD)) {
                n = BIO_read(rctx->io, rctx->iobuf, rctx->iobuflen);
-                if (n <= 0)
+                if (n <= 0) {
-                        {
                        if (BIO_should_retry(rctx->io))
                                return -1;
                        return 0;
-                        }
+                }
                /* Write data to memory BIO */
                if (BIO_write(rctx->mem, rctx->iobuf, n) != n)
                        return 0;
-                }
+        }
-        switch(rctx->state)
-                {
-                case OHS_ASN1_WRITE:
+        switch (rctx->state) {
+        case OHS_ASN1_WRITE:
                n = BIO_get_mem_data(rctx->mem, &p);
                i = BIO_write(rctx->io,
                        p + (n - rctx->asn1_len), rctx->asn1_len);
+                if (i <= 0) {
-                if (i <= 0)
-                        {
                        if (BIO_should_retry(rctx->io))
                                return -1;
                        rctx->state = OHS_ERROR;
                        return 0;
-                        }
+                }
                rctx->asn1_len -= i;
                if (rctx->asn1_len > 0)
                        goto next_io;
                rctx->state = OHS_ASN1_FLUSH;
                (void)BIO_reset(rctx->mem);
+                /* FALLTHROUGH */
-                case OHS_ASN1_FLUSH:
+        case OHS_ASN1_FLUSH:
                i = BIO_flush(rctx->io);
+                if (i > 0) {
-                if (i > 0)
-                        {
                        rctx->state = OHS_FIRSTLINE;
                        goto next_io;
-                        }
+                }
                if (BIO_should_retry(rctx->io))
                        return -1;
@@ -334,79 +318,62 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
                rctx->state = OHS_ERROR;
                return 0;
-                case OHS_ERROR:
+        case OHS_ERROR:
                return 0;
-                case OHS_FIRSTLINE:
+        case OHS_FIRSTLINE:
-                case OHS_HEADERS:
+        case OHS_HEADERS:
                /* Attempt to read a line in */
+next_line:
-                next_line:
                /* Due to &%^*$" memory BIO behaviour with BIO_gets we
                 * have to check there's a complete line in there before
                 * calling BIO_gets or we'll just get a partial read.
                 */
                n = BIO_get_mem_data(rctx->mem, &p);
-                if ((n <= 0) || !memchr(p, '\n', n))
+                if ((n <= 0) || !memchr(p, '\n', n)) {
-                        {
+                        if (n >= rctx->iobuflen) {
-                        if (n >= rctx->iobuflen)
-                                {
                                rctx->state = OHS_ERROR;
                                return 0;
-                                }
-                        goto next_io;
                        }
+                        goto next_io;
+                }
                n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen);
+                if (n <= 0) {
-                if (n <= 0)
-                        {
                        if (BIO_should_retry(rctx->mem))
                                goto next_io;
                        rctx->state = OHS_ERROR;
                        return 0;
-                        }
+                }
                /* Don't allow excessive lines */
-                if (n == rctx->iobuflen)
+                if (n == rctx->iobuflen) {
-                        {
                        rctx->state = OHS_ERROR;
                        return 0;
-                        }
+                }
                /* First line */
-                if (rctx->state == OHS_FIRSTLINE)
+                if (rctx->state == OHS_FIRSTLINE) {
-                        {
+                        if (parse_http_line1((char *)rctx->iobuf)) {
-                        if (parse_http_line1((char *)rctx->iobuf))
-                                {
                                rctx->state = OHS_HEADERS;
                                goto next_line;
-                                }
+                        } else {
-                        else
-                                {
                                rctx->state = OHS_ERROR;
                                return 0;
-                                }
                        }
-                else
+                } else {
-                        {
                        /* Look for blank line: end of headers */
-                        for (p = rctx->iobuf; *p; p++)
+                        for (p = rctx->iobuf; *p; p++) {
-                                {
                                if ((*p != '\r') && (*p != '\n'))
                                        break;
-                                }
+                        }
                        if (*p)
                                goto next_line;
                        rctx->state = OHS_ASN1_HEADER;
+                }
+                /* FALLTRHOUGH */
-                        }
+        case OHS_ASN1_HEADER:
- 
-                /* Fall thru */
-                case OHS_ASN1_HEADER:
                /* Now reading ASN1 header: can read at least 2 bytes which
                 * is enough for ASN1 SEQUENCE header and either length field
                 * or at least the length of the length field.
@@ -416,15 +383,13 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
                        goto next_io;
                /* Check it is an ASN1 SEQUENCE */
-                if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED))
+                if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) {
-                        {
                        rctx->state = OHS_ERROR;
                        return 0;
-                        }
+                }
                /* Check out length field */
-                if (*p & 0x80)
+                if (*p & 0x80) {
-                        {
                        /* If MSB set on initial length octet we can now
                         * always read 6 octets: make sure we have them.
                         */
@@ -432,78 +397,64 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
                                goto next_io;
                        n = *p & 0x7F;
                        /* Not NDEF or excessive length */
-                        if (!n || (n > 4))
+                        if (!n || (n > 4)) {
-                                {
                                rctx->state = OHS_ERROR;
                                return 0;
-                                }
+                        }
                        p++;
                        rctx->asn1_len = 0;
-                        for (i = 0; i < n; i++)
+                        for (i = 0; i < n; i++) {
-                                {
                                rctx->asn1_len <<= 8;
                                rctx->asn1_len |= *p++;
-                                }
+                        }
-                        if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH)
+                        if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH) {
-                                {
                                rctx->state = OHS_ERROR;
                                return 0;
-                                }
+                        }
                        rctx->asn1_len += n + 2;
-                        }
+                } else
-                else
                        rctx->asn1_len = *p + 2;
                rctx->state = OHS_ASN1_CONTENT;
-                /* Fall thru */
+                /* FALLTHROUGH */
                
-                case OHS_ASN1_CONTENT:
+        case OHS_ASN1_CONTENT:
                n = BIO_get_mem_data(rctx->mem, &p);
                if (n < (int)rctx->asn1_len)
                        goto next_io;
                *presp = d2i_OCSP_RESPONSE(NULL, &p, rctx->asn1_len);
-                if (*presp)
+                if (*presp) {
-                        {
                        rctx->state = OHS_DONE;
                        return 1;
-                        }
+                }
                rctx->state = OHS_ERROR;
                return 0;
-                break;
+        case OHS_DONE:
-                case OHS_DONE:
                return 1;
+        }
-                }
        return 0;
+}
-        }
 /* Blocking OCSP request handler: now a special case of non-blocking I/O */
+OCSP_RESPONSE *
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
+OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
-        {
+{
        OCSP_RESPONSE *resp = NULL;
        OCSP_REQ_CTX *ctx;
        int rv;
        ctx = OCSP_sendreq_new(b, path, req, -1);
-        do
+        do {
-                {
                rv = OCSP_sendreq_nbio(&resp, ctx);
-                } while ((rv == -1) && BIO_should_retry(b));
+        } while ((rv == -1) && BIO_should_retry(b));
        OCSP_REQ_CTX_free(ctx);
@@ -511,4 +462,4 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
                return resp;
        return NULL;
-        }
+}
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_lib.c b/src/lib/libssl/src/crypto/ocsp/ocsp_lib.c
index 514cdabf2d..056bd27665 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_lib.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_lib.c
@@ -73,102 +73,112 @@
 /* Convert a certificate and its issuer to an OCSP_CERTID */
-OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
+OCSP_CERTID *
+OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
 {
        X509_NAME *iname;
        ASN1_INTEGER *serial;
        ASN1_BIT_STRING *ikey;
 #ifndef OPENSSL_NO_SHA1
-        if(!dgst) dgst = EVP_sha1();
+        if (!dgst)
+                dgst = EVP_sha1();
 #endif
-        if (subject)
+        if (subject) {
-                {
                iname = X509_get_issuer_name(subject);
                serial = X509_get_serialNumber(subject);
-                }
+        } else {
-        else
-                {
                iname = X509_get_subject_name(issuer);
                serial = NULL;
-                }
+        }
        ikey = X509_get0_pubkey_bitstr(issuer);
        return OCSP_cert_id_new(dgst, iname, ikey, serial);
 }
+OCSP_CERTID *
-OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, 
+OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName,
-                              X509_NAME *issuerName, 
+    ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber)
-                              ASN1_BIT_STRING* issuerKey, 
+{
-                              ASN1_INTEGER *serialNumber)
-        {
        int nid;
-        unsigned int i;
+        unsigned int i;
        X509_ALGOR *alg;
        OCSP_CERTID *cid = NULL;
        unsigned char md[EVP_MAX_MD_SIZE];
-        if (!(cid = OCSP_CERTID_new())) goto err;
+        if (!(cid = OCSP_CERTID_new()))
+                goto err;
        alg = cid->hashAlgorithm;
-        if (alg->algorithm != NULL) ASN1_OBJECT_free(alg->algorithm);
+        if (alg->algorithm != NULL)
-        if ((nid = EVP_MD_type(dgst)) == NID_undef)
+                ASN1_OBJECT_free(alg->algorithm);
-                {
+        if ((nid = EVP_MD_type(dgst)) == NID_undef) {
-                OCSPerr(OCSP_F_OCSP_CERT_ID_NEW,OCSP_R_UNKNOWN_NID);
+                OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_UNKNOWN_NID);
+                goto err;
+        }
+        if (!(alg->algorithm=OBJ_nid2obj(nid)))
+                goto err;
+        if ((alg->parameter=ASN1_TYPE_new()) == NULL)
                goto err;
-                }
-        if (!(alg->algorithm=OBJ_nid2obj(nid))) goto err;
-        if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err;
        alg->parameter->type=V_ASN1_NULL;
-        if (!X509_NAME_digest(issuerName, dgst, md, &i)) goto digerr;
+        if (!X509_NAME_digest(issuerName, dgst, md, &i))
-        if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err;
+                goto digerr;
+        if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i)))
+                goto err;
        /* Calculate the issuerKey hash, excluding tag and length */
        if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL))
                goto err;
-        if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err;
+        if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i)))
+                goto err;
-        if (serialNumber)
+        if (serialNumber) {
-                {
                ASN1_INTEGER_free(cid->serialNumber);
-                if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err;
+                if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber)))
-                }
+                        goto err;
+        }
        return cid;
 digerr:
-        OCSPerr(OCSP_F_OCSP_CERT_ID_NEW,OCSP_R_DIGEST_ERR);
+        OCSPerr(OCSP_F_OCSP_CERT_ID_NEW, OCSP_R_DIGEST_ERR);
 err:
-        if (cid) OCSP_CERTID_free(cid);
+        if (cid)
+                OCSP_CERTID_free(cid);
        return NULL;
-        }
+}
-int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+int
-        {
+OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+{
        int ret;
        ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
-        if (ret) return ret;
+        if (ret)
+                return ret;
        ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
-        if (ret) return ret;
+        if (ret)
+                return ret;
        return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
-        }
+}
-int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+int
-        {
+OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+{
        int ret;
        ret = OCSP_id_issuer_cmp(a, b);
-        if (ret) return ret;
+        if (ret)
+                return ret;
        return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
-        }
+}
 /* Parse a URL and split it up into host, port and path components and whether
 * it is SSL.
 */
+int
-int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
+OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
-        {
+{
        char *p, *buf;
        char *host, *port;
        *phost = NULL;
@@ -177,26 +187,23 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
        /* dup the buffer since we are going to mess with it */
        buf = BUF_strdup(url);
-        if (!buf) goto mem_err;
+        if (!buf)
+                goto mem_err;
        /* Check for initial colon */
        p = strchr(buf, ':');
+        if (!p)
-        if (!p) goto parse_err;
+                goto parse_err;
        *(p++) = '\0';
-        if (!strcmp(buf, "http"))
+        if (!strcmp(buf, "http")) {
-                {
                *pssl = 0;
                port = "80";
-                }
+        } else if (!strcmp(buf, "https")) {
-        else if (!strcmp(buf, "https"))
-                {
                *pssl = 1;
                port = "443";
-                }
+        } else
-        else
                goto parse_err;
        /* Check for double slash */
@@ -208,59 +215,56 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
        host = p;
        /* Check for trailing part of path */
        p = strchr(p, '/');
        if (!p) 
                *ppath = BUF_strdup("/");
-        else
+        else {
-                {
                *ppath = BUF_strdup(p);
                /* Set start of path to 0 so hostname is valid */
                *p = '\0';
-                }
+        }
-        if (!*ppath) goto mem_err;
+        if (!*ppath)
+                goto mem_err;
        /* Look for optional ':' for port number */
-        if ((p = strchr(host, ':')))
+        if ((p = strchr(host, ':'))) {
-                {
                *p = 0;
                port = p + 1;
-                }
+        } else {
-        else
-                {
                /* Not found: set default port */
-                if (*pssl) port = "443";
+                if (*pssl)
-                else port = "80";
+                        port = "443";
-                }
+                else
+                        port = "80";
+        }
        *pport = BUF_strdup(port);
-        if (!*pport) goto mem_err;
+        if (!*pport)
+                goto mem_err;
        *phost = BUF_strdup(host);
-        if (!*phost) goto mem_err;
+        if (!*phost)
+                goto mem_err;
        free(buf);
        return 1;
-        mem_err:
+mem_err:
        OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE);
        goto err;
-        parse_err:
+parse_err:
        OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
+err:
-        err:
+        free(buf);
-        if (buf) free(buf);
+        free(*ppath);
-        if (*ppath) free(*ppath);
+        free(*pport);
-        if (*pport) free(*pport);
+        free(*phost);
-        if (*phost) free(*phost);
        return 0;
+}
-        }
 IMPLEMENT_ASN1_DUP_FUNCTION(OCSP_CERTID)
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_prn.c b/src/lib/libssl/src/crypto/ocsp/ocsp_prn.c
index 87608ff399..9e4b81f061 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_prn.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_prn.c
@@ -66,8 +66,9 @@
 #include <openssl/ocsp.h>
 #include <openssl/pem.h>
-static int ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
+static int
-        {
+ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
+{
        BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
        indent += 2;
        BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
@@ -80,60 +81,68 @@ static int ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
        i2a_ASN1_INTEGER(bp, a->serialNumber);
        BIO_printf(bp, "\n");
        return 1;
-        }
+}
-typedef struct
+typedef struct {
-        {
        long t;
        const char *m;
-        } OCSP_TBLSTR;
+} OCSP_TBLSTR;
-static const char *table2string(long s, const OCSP_TBLSTR *ts, int len)
+static const char *
+table2string(long s, const OCSP_TBLSTR *ts, int len)
 {
        const OCSP_TBLSTR *p;
        for (p=ts; p < ts + len; p++)
-                if (p->t == s)
+                if (p->t == s)
-                         return p->m;
+                        return p->m;
        return "(UNKNOWN)";
 }
-const char *OCSP_response_status_str(long s)
+const char *
-        {
+OCSP_response_status_str(long s)
+{
        static const OCSP_TBLSTR rstat_tbl[] = {
-                { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
+            { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
-                { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
+            { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
-                { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
+            { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
-                { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
+            { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
-                { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
+            { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
-                { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" } };
+            { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" }
+        };
        return table2string(s, rstat_tbl, 6);
-        } 
+} 
-const char *OCSP_cert_status_str(long s)
+const char *
-        {
+OCSP_cert_status_str(long s)
+{
        static const OCSP_TBLSTR cstat_tbl[] = {
-                { V_OCSP_CERTSTATUS_GOOD, "good" },
+            { V_OCSP_CERTSTATUS_GOOD, "good" },
-                { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
+            { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
-                { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" } };
+            { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" }
+        };
        return table2string(s, cstat_tbl, 3);
-        } 
+} 
-const char *OCSP_crl_reason_str(long s)
+const char *
-        {
+OCSP_crl_reason_str(long s)
+{
        static const OCSP_TBLSTR reason_tbl[] = {
-          { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
+            { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
-          { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
+            { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
-          { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
+            { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
-          { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
+            { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
-          { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
+            { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
-          { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
+            { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
-          { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
+            { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
-          { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" } };
+            { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" }
+        };
        return table2string(s, reason_tbl, 8);
-        } 
+} 
-int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
+int
-        {
+OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
+{
        int i;
        long l;
        OCSP_CERTID* cid = NULL;
@@ -141,45 +150,45 @@ int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
        OCSP_REQINFO *inf = o->tbsRequest;
        OCSP_SIGNATURE *sig = o->optionalSignature;
-        if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0) goto err;
+        if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0)
-        l=ASN1_INTEGER_get(inf->version);
+                goto err;
-        if (BIO_printf(bp,"    Version: %lu (0x%lx)",l+1,l) <= 0) goto err;
+        l = ASN1_INTEGER_get(inf->version);
-        if (inf->requestorName != NULL)
+        if (BIO_printf(bp,"    Version: %lu (0x%lx)",l+1,l) <= 0)
-                {
+                goto err;
+        if (inf->requestorName != NULL) {
                if (BIO_write(bp,"\n    Requestor Name: ",21) <= 0) 
-                        goto err;
+                        goto err;
                GENERAL_NAME_print(bp, inf->requestorName);
-                }
+        }
-        if (BIO_write(bp,"\n    Requestor List:\n",21) <= 0) goto err;
+        if (BIO_write(bp,"\n    Requestor List:\n",21) <= 0)
-        for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++)
+                goto err;
-                {
+        for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++) {
                one = sk_OCSP_ONEREQ_value(inf->requestList, i);
                cid = one->reqCert;
                ocsp_certid_print(bp, cid, 8);
-                if (!X509V3_extensions_print(bp,
+                if (!X509V3_extensions_print(bp, "Request Single Extensions",
-                                        "Request Single Extensions",
+                    one->singleRequestExtensions, flags, 8))
-                                        one->singleRequestExtensions, flags, 8))
+                        goto err;
-                                                        goto err;
+        }
-                }
        if (!X509V3_extensions_print(bp, "Request Extensions",
-                        inf->requestExtensions, flags, 4))
+            inf->requestExtensions, flags, 4))
-                                                        goto err;
+                goto err;
-        if (sig)
+        if (sig) {
-                {
+                X509_signature_print(bp, sig->signatureAlgorithm,
-                X509_signature_print(bp, sig->signatureAlgorithm, sig->signature);
+                    sig->signature);
-                for (i=0; i<sk_X509_num(sig->certs); i++)
+                for (i=0; i<sk_X509_num(sig->certs); i++) {
-                        {
                        X509_print(bp, sk_X509_value(sig->certs,i));
                        PEM_write_bio_X509(bp,sk_X509_value(sig->certs,i));
-                        }
                }
+        }
        return 1;
 err:
        return 0;
-        }
+}
-int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
+int
-        {
+OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
+{
        int i, ret = 0;
        long l;
        OCSP_CERTID *cid = NULL;
@@ -191,100 +200,107 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
        OCSP_SINGLERESP *single = NULL;
        OCSP_RESPBYTES *rb = o->responseBytes;
-        if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) goto err;
+        if (BIO_puts(bp,"OCSP Response Data:\n") <= 0)
-        l=ASN1_ENUMERATED_get(o->responseStatus);
+                goto err;
+        l = ASN1_ENUMERATED_get(o->responseStatus);
        if (BIO_printf(bp,"    OCSP Response Status: %s (0x%lx)\n",
-                       OCSP_response_status_str(l), l) <= 0) goto err;
+            OCSP_response_status_str(l), l) <= 0)
-        if (rb == NULL) return 1;
+                goto err;
-        if (BIO_puts(bp,"    Response Type: ") <= 0)
+        if (rb == NULL)
-                goto err;
+                return 1;
+        if (BIO_puts(bp,"    Response Type: ") <= 0)
+                goto err;
        if(i2a_ASN1_OBJECT(bp, rb->responseType) <= 0)
-                goto err;
+                goto err;
-        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) 
+        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
-                {
                BIO_puts(bp," (unknown response type)\n");
                return 1;
-                }
+        }
        i = ASN1_STRING_length(rb->response);
-        if (!(br = OCSP_response_get1_basic(o))) goto err;
+        if (!(br = OCSP_response_get1_basic(o)))
+                goto err;
        rd = br->tbsResponseData;
-        l=ASN1_INTEGER_get(rd->version);
+        l = ASN1_INTEGER_get(rd->version);
-        if (BIO_printf(bp,"\n    Version: %lu (0x%lx)\n",
+        if (BIO_printf(bp,"\n    Version: %lu (0x%lx)\n", l+1,l) <= 0)
-                       l+1,l) <= 0) goto err;
+                goto err;
-        if (BIO_puts(bp,"    Responder Id: ") <= 0) goto err;
+        if (BIO_puts(bp,"    Responder Id: ") <= 0)
+                goto err;
        rid =  rd->responderId;
-        switch (rid->type)
+        switch (rid->type) {
-                {
+        case V_OCSP_RESPID_NAME:
-                case V_OCSP_RESPID_NAME:
+                X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
-                        X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
+                break;
-                        break;
+        case V_OCSP_RESPID_KEY:
-                case V_OCSP_RESPID_KEY:
+                i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
-                        i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
+                break;
-                        break;
+        }
-                }
-        if (BIO_printf(bp,"\n    Produced At: ")<=0) goto err;
+        if (BIO_printf(bp,"\n    Produced At: ")<=0)
-        if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt)) goto err;
+                goto err;
-        if (BIO_printf(bp,"\n    Responses:\n") <= 0) goto err;
+        if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt))
-        for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++)
+                goto err;
-                {
+        if (BIO_printf(bp,"\n    Responses:\n") <= 0)
-                if (! sk_OCSP_SINGLERESP_value(rd->responses, i)) continue;
+                goto err;
+        for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) {
+                if (! sk_OCSP_SINGLERESP_value(rd->responses, i))
+                        continue;
                single = sk_OCSP_SINGLERESP_value(rd->responses, i);
                cid = single->certId;
-                if(ocsp_certid_print(bp, cid, 4) <= 0) goto err;
+                if (ocsp_certid_print(bp, cid, 4) <= 0)
+                        goto err;
                cst = single->certStatus;
                if (BIO_printf(bp,"    Cert Status: %s",
-                               OCSP_cert_status_str(cst->type)) <= 0)
+                    OCSP_cert_status_str(cst->type)) <= 0)
-                        goto err;
+                        goto err;
-                if (cst->type == V_OCSP_CERTSTATUS_REVOKED)
+                if (cst->type == V_OCSP_CERTSTATUS_REVOKED) {
-                        {
+                        rev = cst->value.revoked;
-                        rev = cst->value.revoked;
                        if (BIO_printf(bp, "\n    Revocation Time: ") <= 0) 
-                                goto err;
-                        if (!ASN1_GENERALIZEDTIME_print(bp, 
-                                                        rev->revocationTime)) 
                                goto err;
-                        if (rev->revocationReason) 
+                        if (!ASN1_GENERALIZEDTIME_print(bp,
-                                {
+                            rev->revocationTime)) 
-                                l=ASN1_ENUMERATED_get(rev->revocationReason);
+                                goto err;
-                                if (BIO_printf(bp, 
+                        if (rev->revocationReason) {
-                                         "\n    Revocation Reason: %s (0x%lx)",
+                                l = ASN1_ENUMERATED_get(rev->revocationReason);
-                                               OCSP_crl_reason_str(l), l) <= 0)
+                                if (BIO_printf(bp,
-                                        goto err;
+                                    "\n    Revocation Reason: %s (0x%lx)",
-                                }
+                                    OCSP_crl_reason_str(l), l) <= 0)
+                                        goto err;
                        }
-                if (BIO_printf(bp,"\n    This Update: ") <= 0) goto err;
+                }
+                if (BIO_printf(bp,"\n    This Update: ") <= 0)
+                        goto err;
                if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate)) 
                        goto err;
-                if (single->nextUpdate)
+                if (single->nextUpdate) {
-                        {
+                        if (BIO_printf(bp,"\n    Next Update: ") <= 0)
-                        if (BIO_printf(bp,"\n    Next Update: ") <= 0)goto err;
+                                goto err;
                        if (!ASN1_GENERALIZEDTIME_print(bp,single->nextUpdate))
                                goto err;
-                        }
-                if (BIO_write(bp,"\n",1) <= 0) goto err;
-                if (!X509V3_extensions_print(bp,
-                                        "Response Single Extensions",
-                                        single->singleExtensions, flags, 8))
-                                                        goto err;
-                if (BIO_write(bp,"\n",1) <= 0) goto err;
                }
+                if (BIO_write(bp,"\n",1) <= 0)
+                        goto err;
+                if (!X509V3_extensions_print(bp, "Response Single Extensions",
+                    single->singleExtensions, flags, 8))
+                        goto err;
+                if (BIO_write(bp,"\n",1) <= 0)
+                        goto err;
+        }
        if (!X509V3_extensions_print(bp, "Response Extensions",
-                                        rd->responseExtensions, flags, 4))
+            rd->responseExtensions, flags, 4))
-                                                        goto err;
+                goto err;
-        if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
+        if (X509_signature_print(bp, br->signatureAlgorithm, br->signature) <=
-                                                        goto err;
+            0)
+                goto err;
-        for (i=0; i<sk_X509_num(br->certs); i++)
+        for (i = 0; i < sk_X509_num(br->certs); i++) {
-                {
+                X509_print(bp, sk_X509_value(br->certs, i));
-                X509_print(bp, sk_X509_value(br->certs,i));
+                PEM_write_bio_X509(bp,sk_X509_value(br->certs, i));
-                PEM_write_bio_X509(bp,sk_X509_value(br->certs,i));
+        }
-                }
        ret = 1;
 err:
        OCSP_BASICRESP_free(br);
        return ret;
-        }
+}
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c b/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c
index 1c606dd0b6..c14e8e2bc3 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_srv.c
@@ -69,107 +69,118 @@
 * relevant information from the request.
 */
-int OCSP_request_onereq_count(OCSP_REQUEST *req)
+int
-        {
+OCSP_request_onereq_count(OCSP_REQUEST *req)
+{
        return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
-        }
+}
-OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
+OCSP_ONEREQ *
-        {
+OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
+{
        return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
-        }
+}
-OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
+OCSP_CERTID *
-        {
+OCSP_onereq_get0_id(OCSP_ONEREQ *one)
+{
        return one->reqCert;
-        }
+}
-int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+int
-                        ASN1_OCTET_STRING **pikeyHash,
+OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
-                        ASN1_INTEGER **pserial, OCSP_CERTID *cid)
+    ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial, OCSP_CERTID *cid)
-        {
+{
-        if (!cid) return 0;
+        if (!cid)
-        if (pmd) *pmd = cid->hashAlgorithm->algorithm;
+                return 0;
-        if(piNameHash) *piNameHash = cid->issuerNameHash;
+        if (pmd)
-        if (pikeyHash) *pikeyHash = cid->issuerKeyHash;
+                *pmd = cid->hashAlgorithm->algorithm;
-        if (pserial) *pserial = cid->serialNumber;
+        if (piNameHash)
+                *piNameHash = cid->issuerNameHash;
+        if (pikeyHash)
+                *pikeyHash = cid->issuerKeyHash;
+        if (pserial)
+                *pserial = cid->serialNumber;
        return 1;
-        }
+}
-int OCSP_request_is_signed(OCSP_REQUEST *req)
+int
-        {
+OCSP_request_is_signed(OCSP_REQUEST *req)
-        if(req->optionalSignature) return 1;
+{
+        if (req->optionalSignature)
+                return 1;
        return 0;
-        }
+}
 /* Create an OCSP response and encode an optional basic response */
-OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
+OCSP_RESPONSE *
-        {
+OCSP_response_create(int status, OCSP_BASICRESP *bs)
-        OCSP_RESPONSE *rsp = NULL;
+{
+        OCSP_RESPONSE *rsp = NULL;
-        if (!(rsp = OCSP_RESPONSE_new())) goto err;
+        if (!(rsp = OCSP_RESPONSE_new()))
-        if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
+                goto err;
-        if (!bs) return rsp;
+        if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status)))
-        if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
+                goto err;
+        if (!bs)
+                return rsp;
+        if (!(rsp->responseBytes = OCSP_RESPBYTES_new()))
+                goto err;
        rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
-        if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response))
+        if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP),
-                                goto err;
+            &rsp->responseBytes->response))
+                goto err;
        return rsp;
 err:
-        if (rsp) OCSP_RESPONSE_free(rsp);
+        if (rsp)
+                OCSP_RESPONSE_free(rsp);
        return NULL;
-        }
+}
-OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+OCSP_SINGLERESP *
-                                                OCSP_CERTID *cid,
+OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, int status,
-                                                int status, int reason,
+    int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, ASN1_TIME *nextupd)
-                                                ASN1_TIME *revtime,
+{
-                                        ASN1_TIME *thisupd, ASN1_TIME *nextupd)
-        {
        OCSP_SINGLERESP *single = NULL;
        OCSP_CERTSTATUS *cs;
        OCSP_REVOKEDINFO *ri;
-        if(!rsp->tbsResponseData->responses &&
+        if (!rsp->tbsResponseData->responses &&
            !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
                goto err;
        if (!(single = OCSP_SINGLERESP_new()))
                goto err;
        if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
                goto err;
        if (nextupd &&
-                !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
+            !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
                goto err;
        OCSP_CERTID_free(single->certId);
-        if(!(single->certId = OCSP_CERTID_dup(cid)))
+        if (!(single->certId = OCSP_CERTID_dup(cid)))
                goto err;
        cs = single->certStatus;
-        switch(cs->type = status)
+        switch(cs->type = status) {
-                {
        case V_OCSP_CERTSTATUS_REVOKED:
-                if (!revtime)
+                if (!revtime) {
-                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,
-                        OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME);
+                            OCSP_R_NO_REVOKED_TIME);
+                        goto err;
+                }
+                if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new()))
                        goto err;
-                        }
-                if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
                if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
                        goto err;       
-                if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
+                if (reason != OCSP_REVOKED_STATUS_NOSTATUS) {
-                        {
                        if (!(ri->revocationReason = ASN1_ENUMERATED_new())) 
-                                goto err;
+                                goto err;
-                        if (!(ASN1_ENUMERATED_set(ri->revocationReason, 
+                        if (!(ASN1_ENUMERATED_set(ri->revocationReason,
-                                                  reason)))
+                            reason)))
-                                goto err;       
+                                goto err;       
                        }
                break;
@@ -183,82 +194,80 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
        default:
                goto err;
+        }
-                }
        if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
                goto err;
        return single;
 err:
        OCSP_SINGLERESP_free(single);
        return NULL;
-        }
+}
 /* Add a certificate to an OCSP request */
+int
-int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
+OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
-        {
+{
        if (!resp->certs && !(resp->certs = sk_X509_new_null()))
                return 0;
-        if(!sk_X509_push(resp->certs, cert)) return 0;
+        if (!sk_X509_push(resp->certs, cert))
+                return 0;
        CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
        return 1;
-        }
+}
-int OCSP_basic_sign(OCSP_BASICRESP *brsp, 
+int
-                        X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
-                        STACK_OF(X509) *certs, unsigned long flags)
+    const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags)
-        {
+{
        int i;
        OCSP_RESPID *rid;
-        if (!X509_check_private_key(signer, key))
+        if (!X509_check_private_key(signer, key)) {
-                {
+                OCSPerr(OCSP_F_OCSP_BASIC_SIGN,
-                OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+                    OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
                goto err;
-                }
+        }
-        if(!(flags & OCSP_NOCERTS))
+        if (!(flags & OCSP_NOCERTS)) {
-                {
+                if (!OCSP_basic_add1_cert(brsp, signer))
-                if(!OCSP_basic_add1_cert(brsp, signer))
                        goto err;
-                for (i = 0; i < sk_X509_num(certs); i++)
+                for (i = 0; i < sk_X509_num(certs); i++) {
-                        {
                        X509 *tmpcert = sk_X509_value(certs, i);
-                        if(!OCSP_basic_add1_cert(brsp, tmpcert))
+                        if (!OCSP_basic_add1_cert(brsp, tmpcert))
                                goto err;
-                        }
                }
+        }
        rid = brsp->tbsResponseData->responderId;
-        if (flags & OCSP_RESPID_KEY)
+        if (flags & OCSP_RESPID_KEY) {
-                {
                unsigned char md[SHA_DIGEST_LENGTH];
                X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
                if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
                        goto err;
-                if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH)))
+                if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md,
-                                goto err;
+                    SHA_DIGEST_LENGTH)))
+                        goto err;
                rid->type = V_OCSP_RESPID_KEY;
-                }
+        } else {
-        else
-                {
                if (!X509_NAME_set(&rid->value.byName,
-                                        X509_get_subject_name(signer)))
+                    X509_get_subject_name(signer)))
-                                goto err;
+                        goto err;
                rid->type = V_OCSP_RESPID_NAME;
-                }
+        }
        if (!(flags & OCSP_NOTIME) &&
-                !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
+            !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
                goto err;
        /* Right now, I think that not doing double hashing is the right
           thing.       -- Richard Levitte */
-        if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
+        if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0))
+                goto err;
        return 1;
 err:
        return 0;
-        }
+}
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_vfy.c b/src/lib/libssl/src/crypto/ocsp/ocsp_vfy.c
index 0b181d5abe..aede155871 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_vfy.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_vfy.c
@@ -60,134 +60,137 @@
 #include <openssl/err.h>
 #include <string.h>
-static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
-                                X509_STORE *st, unsigned long flags);
+            STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags);
 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
+static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
+            unsigned long flags);
 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
-static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp);
+static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
+            STACK_OF(OCSP_SINGLERESP) *sresp);
 static int ocsp_check_delegated(X509 *x, int flags);
-static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
-                                X509_STORE *st, unsigned long flags);
+            X509_NAME *nm, STACK_OF(X509) *certs, X509_STORE *st,
+            unsigned long flags);
 /* Verify a basic response message */
+int
-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
-                                X509_STORE *st, unsigned long flags)
+    unsigned long flags)
-        {
+{
        X509 *signer, *x;
        STACK_OF(X509) *chain = NULL;
        X509_STORE_CTX ctx;
        int i, ret = 0;
        ret = ocsp_find_signer(&signer, bs, certs, st, flags);
-        if (!ret)
+        if (!ret) {
-                {
+                OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
-                OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+                    OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
                goto end;
-                }
+        }
        if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
                flags |= OCSP_NOVERIFY;
-        if (!(flags & OCSP_NOSIGS))
+        if (!(flags & OCSP_NOSIGS)) {
-                {
                EVP_PKEY *skey;
                skey = X509_get_pubkey(signer);
-                if (skey)
+                if (skey) {
-                        {
                        ret = OCSP_BASICRESP_verify(bs, skey, 0);
                        EVP_PKEY_free(skey);
-                        }
+                }
-                if(!skey || ret <= 0)
+                if (!skey || ret <= 0) {
-                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
-                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+                            OCSP_R_SIGNATURE_FAILURE);
                        goto end;
-                        }
                }
-        if (!(flags & OCSP_NOVERIFY))
+        }
-                {
+        if (!(flags & OCSP_NOVERIFY)) {
                int init_res;
                if(flags & OCSP_NOCHAIN)
                        init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
                else
-                        init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+                        init_res = X509_STORE_CTX_init(&ctx, st, signer,
-                if(!init_res)
+                            bs->certs);
-                        {
+                if (!init_res) {
                        ret = -1;
                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
                        goto end;
-                        }
+                }
                X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
                ret = X509_verify_cert(&ctx);
                chain = X509_STORE_CTX_get1_chain(&ctx);
                X509_STORE_CTX_cleanup(&ctx);
-                if (ret <= 0)
+                if (ret <= 0) {
-                        {
                        i = X509_STORE_CTX_get_error(&ctx);
-                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
+                            OCSP_R_CERTIFICATE_VERIFY_ERROR);
                        ERR_asprintf_error_data("Verify error:%s",
-                                        X509_verify_cert_error_string(i));
+                            X509_verify_cert_error_string(i));
-                        goto end;
+                        goto end;
-                        }
+                }
-                if(flags & OCSP_NOCHECKS)
+                if(flags & OCSP_NOCHECKS) {
-                        {
                        ret = 1;
                        goto end;
-                        }
+                }
                /* At this point we have a valid certificate chain
                 * need to verify it against the OCSP issuer criteria.
                 */
                ret = ocsp_check_issuer(bs, chain, flags);
                /* If fatal error or valid match then finish */
-                if (ret != 0) goto end;
+                if (ret != 0)
+                        goto end;
                /* Easy case: explicitly trusted. Get root CA and
                 * check for explicit trust
                 */
-                if(flags & OCSP_NOEXPLICIT) goto end;
+                if (flags & OCSP_NOEXPLICIT)
+                        goto end;
                x = sk_X509_value(chain, sk_X509_num(chain) - 1);
-                if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED)
+                if (X509_check_trust(x, NID_OCSP_sign, 0) !=
-                        {
+                    X509_TRUST_TRUSTED) {
-                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_ROOT_CA_NOT_TRUSTED);
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
+                            OCSP_R_ROOT_CA_NOT_TRUSTED);
                        goto end;
-                        }
-                ret = 1;
                }
+                ret = 1;
-        end:
-        if(chain) sk_X509_pop_free(chain, X509_free);
-        return ret;
        }
+end:
+        if (chain)
+                sk_X509_pop_free(chain, X509_free);
+        return ret;
+}
-static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+static int
-                                X509_STORE *st, unsigned long flags)
+ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
-        {
+    X509_STORE *st, unsigned long flags)
+{
        X509 *signer;
        OCSP_RESPID *rid = bs->tbsResponseData->responderId;
-        if ((signer = ocsp_find_signer_sk(certs, rid)))
-                {
+        if ((signer = ocsp_find_signer_sk(certs, rid))) {
                *psigner = signer;
                return 2;
-                }
+        }
-        if(!(flags & OCSP_NOINTERN) &&
+        if (!(flags & OCSP_NOINTERN) &&
-            (signer = ocsp_find_signer_sk(bs->certs, rid)))
+            (signer = ocsp_find_signer_sk(bs->certs, rid))) {
-                {
                *psigner = signer;
                return 1;
-                }
+        }
        /* Maybe lookup from store if by subject name */
        *psigner = NULL;
        return 0;
-        }
+}
-static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
+static X509 *
-        {
+ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
+{
        int i;
        unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
        X509 *x;
@@ -199,123 +202,124 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
        /* Lookup by key hash */
        /* If key hash isn't SHA1 length then forget it */
-        if (id->value.byKey->length != SHA_DIGEST_LENGTH) return NULL;
+        if (id->value.byKey->length != SHA_DIGEST_LENGTH)
+                return NULL;
        keyhash = id->value.byKey->data;
        /* Calculate hash of each key and compare */
-        for (i = 0; i < sk_X509_num(certs); i++)
+        for (i = 0; i < sk_X509_num(certs); i++) {
-                {
                x = sk_X509_value(certs, i);
                X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
-                if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
+                if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
                        return x;
-                }
-        return NULL;
        }
+        return NULL;
+}
+static int
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags)
+ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
-        {
+    unsigned long flags)
+{
        STACK_OF(OCSP_SINGLERESP) *sresp;
        X509 *signer, *sca;
        OCSP_CERTID *caid = NULL;
        int i;
        sresp = bs->tbsResponseData->responses;
-        if (sk_X509_num(chain) <= 0)
+        if (sk_X509_num(chain) <= 0) {
-                {
+                OCSPerr(OCSP_F_OCSP_CHECK_ISSUER,
-                OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
+                    OCSP_R_NO_CERTIFICATES_IN_CHAIN);
                return -1;
-                }
+        }
        /* See if the issuer IDs match. */
        i = ocsp_check_ids(sresp, &caid);
        /* If ID mismatch or other error then return */
-        if (i <= 0) return i;
+        if (i <= 0)
+                return i;
        signer = sk_X509_value(chain, 0);
        /* Check to see if OCSP responder CA matches request CA */
-        if (sk_X509_num(chain) > 1)
+        if (sk_X509_num(chain) > 1) {
-                {
                sca = sk_X509_value(chain, 1);
                i = ocsp_match_issuerid(sca, caid, sresp);
-                if (i < 0) return i;
+                if (i < 0)
-                if (i)
+                        return i;
-                        {
+                if (i) {
                        /* We have a match, if extensions OK then success */
-                        if (ocsp_check_delegated(signer, flags)) return 1;
+                        if (ocsp_check_delegated(signer, flags))
+                                return 1;
                        return 0;
-                        }
                }
+        }
        /* Otherwise check if OCSP request signed directly by request CA */
        return ocsp_match_issuerid(signer, caid, sresp);
-        }
+}
 /* Check the issuer certificate IDs for equality. If there is a mismatch with the same
 * algorithm then there's no point trying to match any certificates against the issuer.
 * If the issuer IDs all match then we just need to check equality against one of them.
 */
-        
+static int
-static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
+ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
-        {
+{
        OCSP_CERTID *tmpid, *cid;
        int i, idcount;
        idcount = sk_OCSP_SINGLERESP_num(sresp);
-        if (idcount <= 0)
+        if (idcount <= 0) {
-                {
+                OCSPerr(OCSP_F_OCSP_CHECK_IDS,
-                OCSPerr(OCSP_F_OCSP_CHECK_IDS, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
+                    OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
                return -1;
-                }
+        }
        cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
        *ret = NULL;
-        for (i = 1; i < idcount; i++)
+        for (i = 1; i < idcount; i++) {
-                {
                tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
                /* Check to see if IDs match */
-                if (OCSP_id_issuer_cmp(cid, tmpid))
+                if (OCSP_id_issuer_cmp(cid, tmpid)) {
-                        {
                        /* If algoritm mismatch let caller deal with it */
                        if (OBJ_cmp(tmpid->hashAlgorithm->algorithm,
-                                        cid->hashAlgorithm->algorithm))
+                            cid->hashAlgorithm->algorithm))
-                                        return 2;
+                                return 2;
                        /* Else mismatch */
                        return 0;
-                        }
                }
+        }
        /* All IDs match: only need to check one ID */
        *ret = cid;
        return 1;
-        }
+}
+static int
-static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
+ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
-                        STACK_OF(OCSP_SINGLERESP) *sresp)
+    STACK_OF(OCSP_SINGLERESP) *sresp)
-        {
+{
        /* If only one ID to match then do it */
-        if(cid)
+        if (cid) {
-                {
                const EVP_MD *dgst;
                X509_NAME *iname;
                int mdlen;
                unsigned char md[EVP_MAX_MD_SIZE];
-                if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm)))
-                        {
+                if (!(dgst =
-                        OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
+                    EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) {
+                        OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID,
+                            OCSP_R_UNKNOWN_MESSAGE_DIGEST);
                        return -1;
-                        }
+                }
                mdlen = EVP_MD_size(dgst);
                if (mdlen < 0)
-                    return -1;
+                        return -1;
-                if ((cid->issuerNameHash->length != mdlen) ||
+                if (cid->issuerNameHash->length != mdlen ||
-                   (cid->issuerKeyHash->length != mdlen))
+                    cid->issuerKeyHash->length != mdlen)
                        return 0;
                iname = X509_get_subject_name(cert);
                if (!X509_NAME_digest(iname, dgst, md, NULL))
@@ -327,124 +331,123 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
                        return 0;
                return 1;
+        } else {
-                }
-        else
-                {
                /* We have to match the whole lot */
                int i, ret;
                OCSP_CERTID *tmpid;
-                for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
-                        {
+                for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
                        tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
                        ret = ocsp_match_issuerid(cert, tmpid, NULL);
-                        if (ret <= 0) return ret;
+                        if (ret <= 0)
-                        }
+                                return ret;
-                return 1;
                }
-                        
+                return 1;
        }
+}
-static int ocsp_check_delegated(X509 *x, int flags)
+static int
-        {
+ocsp_check_delegated(X509 *x, int flags)
+{
        X509_check_purpose(x, -1, 0);
-        if ((x->ex_flags & EXFLAG_XKUSAGE) &&
+        if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN))
-            (x->ex_xkusage & XKU_OCSP_SIGN))
                return 1;
        OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
        return 0;
-        }
+}
 /* Verify an OCSP request. This is fortunately much easier than OCSP
 * response verify. Just find the signers certificate and verify it
 * against a given trust value.
 */
+int
-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags)
+OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store,
-        {
+    unsigned long flags)
+{
        X509 *signer;
        X509_NAME *nm;
        GENERAL_NAME *gen;
        int ret;
        X509_STORE_CTX ctx;
-        if (!req->optionalSignature) 
-                {
+        if (!req->optionalSignature) {
                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
                return 0;
-                }
+        }
        gen = req->tbsRequest->requestorName;
-        if (!gen || gen->type != GEN_DIRNAME)
+        if (!gen || gen->type != GEN_DIRNAME) {
-                {
+                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
-                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
+                    OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
                return 0;
-                }
+        }
        nm = gen->d.directoryName;
        ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
-        if (ret <= 0)
+        if (ret <= 0) {
-                {
+                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
-                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+                    OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
                return 0;
-                }
+        }
        if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
                flags |= OCSP_NOVERIFY;
-        if (!(flags & OCSP_NOSIGS))
+        if (!(flags & OCSP_NOSIGS)) {
-                {
                EVP_PKEY *skey;
                skey = X509_get_pubkey(signer);
                ret = OCSP_REQUEST_verify(req, skey);
                EVP_PKEY_free(skey);
-                if(ret <= 0)
+                if (ret <= 0) {
-                        {
+                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
-                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+                            OCSP_R_SIGNATURE_FAILURE);
                        return 0;
-                        }
                }
-        if (!(flags & OCSP_NOVERIFY))
+        }
-                {
+        if (!(flags & OCSP_NOVERIFY)) {
                int init_res;
-                if(flags & OCSP_NOCHAIN)
-                        init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
+                if (flags & OCSP_NOCHAIN)
+                        init_res = X509_STORE_CTX_init(&ctx, store, signer,
+                            NULL);
                else
                        init_res = X509_STORE_CTX_init(&ctx, store, signer,
-                                        req->optionalSignature->certs);
+                            req->optionalSignature->certs);
-                if(!init_res)
+                if (!init_res) {
-                        {
                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,ERR_R_X509_LIB);
                        return 0;
-                        }
+                }
                X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
                X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
                ret = X509_verify_cert(&ctx);
                X509_STORE_CTX_cleanup(&ctx);
-                if (ret <= 0)
+                if (ret <= 0) {
-                        {
                        ret = X509_STORE_CTX_get_error(&ctx);   
-                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
+                            OCSP_R_CERTIFICATE_VERIFY_ERROR);
                        ERR_asprintf_error_data("Verify error:%s",
-                                        X509_verify_cert_error_string(ret));
+                            X509_verify_cert_error_string(ret));
-                        return 0;
+                        return 0;
-                        }
                }
+        }
        return 1;
-        }
+}
-static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+static int
-                                X509_STORE *st, unsigned long flags)
+ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm,
-        {
+    STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags)
+{
        X509 *signer;
-        if(!(flags & OCSP_NOINTERN))
-                {
+        if (!(flags & OCSP_NOINTERN)) {
-                signer = X509_find_by_subject(req->optionalSignature->certs, nm);
+                signer =
+                    X509_find_by_subject(req->optionalSignature->certs, nm);
                *psigner = signer;
                return 1;
-                }
+        }
        signer = X509_find_by_subject(certs, nm);
-        if (signer)
+        if (signer) {
-                {
                *psigner = signer;
                return 2;
-                }
-        return 0;
        }
+        return 0;
+}