First pass at applying KNF to the OpenSSL code, which almost makes it

readable. This pass is whitespace only and can readily be verified using
tr and md5.

6 files changed, 1681 insertions, 1873 deletions

diff --git a/lib/libssl/src/ssl/d1_both.c b/lib/libssl/src/ssl/d1_both.c
index a265fed22fd..c051e84874a 100644
--- a/lib/libssl/src/ssl/d1_both.c
+++ b/lib/libssl/src/ssl/d1_both.c
@@ -152,102 +152,102 @@
 			printf("\n"); }
 #endif
 
-static unsigned char bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80};
-static unsigned char bitmask_end_values[]   = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f};
+static unsigned char bitmask_start_values[] = {
+	0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80
+};
+static unsigned char bitmask_end_values[] = {
+	0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f
+};
 
 /* XDTLS:  figure out the right values */
 static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};
 
 static unsigned int dtls1_guess_mtu(unsigned int curr_mtu);
-static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, 
-	unsigned long frag_len);
-static unsigned char *dtls1_write_message_header(SSL *s,
-	unsigned char *p);
+static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,
+    unsigned long frag_len);
+static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p);
 static void dtls1_set_message_header_int(SSL *s, unsigned char mt,
-	unsigned long len, unsigned short seq_num, unsigned long frag_off, 
-	unsigned long frag_len);
-static long dtls1_get_message_fragment(SSL *s, int st1, int stn, 
-	long max, int *ok);
+    unsigned long len, unsigned short seq_num, unsigned long frag_off,
+    unsigned long frag_len);
+static long dtls1_get_message_fragment(SSL *s, int st1, int stn, long max,
+    int *ok);
 
 static hm_fragment *
 dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
-	{
+{
 	hm_fragment *frag = NULL;
 	unsigned char *buf = NULL;
 	unsigned char *bitmask = NULL;
 
 	frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment));
-	if ( frag == NULL)
+	if (frag == NULL)
 		return NULL;
 
-	if (frag_len)
-		{
+	if (frag_len) {
 		buf = (unsigned char *)OPENSSL_malloc(frag_len);
-		if ( buf == NULL)
-			{
+		if (buf == NULL) {
 			OPENSSL_free(frag);
 			return NULL;
-			}
 		}
+	}
 
 	/* zero length fragment gets zero frag->fragment */
 	frag->fragment = buf;
 
 	/* Initialize reassembly bitmask if necessary */
-	if (reassembly)
-		{
+	if (reassembly) {
 		bitmask = (unsigned char *)OPENSSL_malloc(RSMBLY_BITMASK_SIZE(frag_len));
-		if (bitmask == NULL)
-			{
-			if (buf != NULL) OPENSSL_free(buf);
+		if (bitmask == NULL) {
+			if (buf != NULL)
+				OPENSSL_free(buf);
 			OPENSSL_free(frag);
 			return NULL;
-			}
-		memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len));
 		}
+		memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len));
+	}
 
 	frag->reassembly = bitmask;
 
 	return frag;
-	}
+}
 
 static void
 dtls1_hm_fragment_free(hm_fragment *frag)
-	{
+{
 
-	if (frag->msg_header.is_ccs)
-		{
+	if (frag->msg_header.is_ccs) {
 		EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
 		EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
-		}
-	if (frag->fragment) OPENSSL_free(frag->fragment);
-	if (frag->reassembly) OPENSSL_free(frag->reassembly);
-	OPENSSL_free(frag);
 	}
+	if (frag->fragment)
+		OPENSSL_free(frag->fragment);
+	if (frag->reassembly)
+		OPENSSL_free(frag->reassembly);
+	OPENSSL_free(frag);
+}
 
 /* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
-int dtls1_do_write(SSL *s, int type)
-	{
+int
+dtls1_do_write(SSL *s, int type)
+{
 	int ret;
 	int curr_mtu;
 	unsigned int len, frag_off, mac_size, blocksize;
 
 	/* AHA!  Figure out the MTU, and stick to the right size */
-	if (s->d1->mtu < dtls1_min_mtu() && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
-		{
-		s->d1->mtu = 
-			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
+	if (s->d1->mtu < dtls1_min_mtu() && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
+		s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
+		    BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
 
 		/* I've seen the kernel return bogus numbers when it doesn't know
 		 * (initial write), so just make sure we have a reasonable number */
-		if (s->d1->mtu < dtls1_min_mtu())
-			{
+		if (s->d1->mtu < dtls1_min_mtu()) {
 			s->d1->mtu = 0;
 			s->d1->mtu = dtls1_guess_mtu(s->d1->mtu);
-			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU, 
-				s->d1->mtu, NULL);
-			}
+			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU,
+			s->d1->mtu, NULL);
 		}
+	}
 #if 0 
 	mtu = s->d1->mtu;
 
@@ -257,154 +257,144 @@ int dtls1_do_write(SSL *s, int type)
 
 	curr_mtu = mtu - BIO_wpending(SSL_get_wbio(s));
 
-	if ( curr_mtu > 0)
+	if (curr_mtu > 0)
 		mtu = curr_mtu;
-	else if ( ( ret = BIO_flush(SSL_get_wbio(s))) <= 0)
+	else if (( ret = BIO_flush(SSL_get_wbio(s))) <= 0)
 		return ret;
 
-	if ( BIO_wpending(SSL_get_wbio(s)) + s->init_num >= mtu)
-		{
+	if (BIO_wpending(SSL_get_wbio(s)) + s->init_num >= mtu) {
 		ret = BIO_flush(SSL_get_wbio(s));
-		if ( ret <= 0)
+		if (ret <= 0)
 			return ret;
 		mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
-		}
+	}
 #endif
 
-	OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu());  /* should have something reasonable now */
+	OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu());
+	/* should have something reasonable now */
 
-	if ( s->init_off == 0  && type == SSL3_RT_HANDSHAKE)
-		OPENSSL_assert(s->init_num == 
-			(int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);
+	if (s->init_off == 0  && type == SSL3_RT_HANDSHAKE)
+		OPENSSL_assert(s->init_num ==
+	(int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);
 
 	if (s->write_hash)
 		mac_size = EVP_MD_CTX_size(s->write_hash);
 	else
 		mac_size = 0;
 
-	if (s->enc_write_ctx && 
+	if (s->enc_write_ctx &&
 		(EVP_CIPHER_mode( s->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE))
-		blocksize = 2 * EVP_CIPHER_block_size(s->enc_write_ctx->cipher);
+	blocksize = 2 * EVP_CIPHER_block_size(s->enc_write_ctx->cipher);
 	else
 		blocksize = 0;
 
 	frag_off = 0;
-	while( s->init_num)
-		{
-		curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) - 
-			DTLS1_RT_HEADER_LENGTH - mac_size - blocksize;
+	while (s->init_num) {
+		curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) -
+		    DTLS1_RT_HEADER_LENGTH - mac_size - blocksize;
 
-		if ( curr_mtu <= DTLS1_HM_HEADER_LENGTH)
-			{
+		if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) {
 			/* grr.. we could get an error if MTU picked was wrong */
 			ret = BIO_flush(SSL_get_wbio(s));
-			if ( ret <= 0)
+			if (ret <= 0)
 				return ret;
 			curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH -
-				mac_size - blocksize;
-			}
+			mac_size - blocksize;
+		}
 
-		if ( s->init_num > curr_mtu)
+		if (s->init_num > curr_mtu)
 			len = curr_mtu;
 		else
 			len = s->init_num;
 
 
 		/* XDTLS: this function is too long.  split out the CCS part */
-		if ( type == SSL3_RT_HANDSHAKE)
-			{
-			if ( s->init_off != 0)
-				{
+		if (type == SSL3_RT_HANDSHAKE) {
+			if (s->init_off != 0) {
 				OPENSSL_assert(s->init_off > DTLS1_HM_HEADER_LENGTH);
 				s->init_off -= DTLS1_HM_HEADER_LENGTH;
 				s->init_num += DTLS1_HM_HEADER_LENGTH;
 
-				if ( s->init_num > curr_mtu)
+				if (s->init_num > curr_mtu)
 					len = curr_mtu;
 				else
 					len = s->init_num;
-				}
+			}
 
-			dtls1_fix_message_header(s, frag_off, 
-				len - DTLS1_HM_HEADER_LENGTH);
+			dtls1_fix_message_header(s, frag_off,
+			len - DTLS1_HM_HEADER_LENGTH);
 
 			dtls1_write_message_header(s, (unsigned char *)&s->init_buf->data[s->init_off]);
 
 			OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH);
-			}
+		}
 
-		ret=dtls1_write_bytes(s,type,&s->init_buf->data[s->init_off],
-			len);
-		if (ret < 0)
-			{
+		ret = dtls1_write_bytes(s, type,
+		    &s->init_buf->data[s->init_off], len);
+		if (ret < 0) {
 			/* might need to update MTU here, but we don't know
 			 * which previous packet caused the failure -- so can't
 			 * really retransmit anything.  continue as if everything
 			 * is fine and wait for an alert to handle the
 			 * retransmit 
 			 */
-			if ( BIO_ctrl(SSL_get_wbio(s),
-				BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0 )
+			if (BIO_ctrl(SSL_get_wbio(s),
+			    BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0)
 				s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
-					BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
+				    BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
 			else
-				return(-1);
-			}
-		else
-			{
+				return (-1);
+		} else {
 
 			/* bad if this assert fails, only part of the handshake
 			 * message got sent.  but why would this happen? */
 			OPENSSL_assert(len == (unsigned int)ret);
 
-			if (type == SSL3_RT_HANDSHAKE && ! s->d1->retransmitting)
-				{
+			if (type == SSL3_RT_HANDSHAKE && ! s->d1->retransmitting) {
 				/* should not be done for 'Hello Request's, but in that case
 				 * we'll ignore the result anyway */
 				unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off];
 				const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
 				int xlen;
 
-				if (frag_off == 0 && s->version != DTLS1_BAD_VER)
-					{
+				if (frag_off == 0 && s->version != DTLS1_BAD_VER) {
 					/* reconstruct message header is if it
 					 * is being sent in single fragment */
 					*p++ = msg_hdr->type;
-					l2n3(msg_hdr->msg_len,p);
-					s2n (msg_hdr->seq,p);
-					l2n3(0,p);
-					l2n3(msg_hdr->msg_len,p);
-					p  -= DTLS1_HM_HEADER_LENGTH;
+					l2n3(msg_hdr->msg_len, p);
+					s2n (msg_hdr->seq, p);
+					l2n3(0, p);
+					l2n3(msg_hdr->msg_len, p);
+					p -= DTLS1_HM_HEADER_LENGTH;
 					xlen = ret;
-					}
-				else
-					{
-					p  += DTLS1_HM_HEADER_LENGTH;
+				} else {
+					p += DTLS1_HM_HEADER_LENGTH;
 					xlen = ret - DTLS1_HM_HEADER_LENGTH;
-					}
+				}
 
 				ssl3_finish_mac(s, p, xlen);
-				}
+			}
 
-			if (ret == s->init_num)
-				{
+			if (ret == s->init_num) {
 				if (s->msg_callback)
-					s->msg_callback(1, s->version, type, s->init_buf->data, 
-						(size_t)(s->init_off + s->init_num), s, 
-						s->msg_callback_arg);
+					s->msg_callback(1, s->version, type,
+					    s->init_buf->data,
+					    (size_t)(s->init_off + s->init_num),
+					    s, s->msg_callback_arg);
 
-				s->init_off = 0;  /* done writing this message */
+				s->init_off = 0;
+				/* done writing this message */
 				s->init_num = 0;
 
-				return(1);
-				}
-			s->init_off+=ret;
-			s->init_num-=ret;
-			frag_off += (ret -= DTLS1_HM_HEADER_LENGTH);
+				return (1);
 			}
+			s->init_off += ret;
+			s->init_num -= ret;
+			frag_off += (ret -= DTLS1_HM_HEADER_LENGTH);
 		}
-	return(0);
 	}
+	return (0);
+}
 
 
 /* Obtain handshake message of message type 'mt' (any if mt == -1),
@@ -412,8 +402,9 @@ int dtls1_do_write(SSL *s, int type)
  * Read an entire handshake message.  Handshake messages arrive in
  * fragments.
  */
-long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
-	{
+long
+dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
+{
 	int i, al;
 	struct hm_header_st *msg_hdr;
 	unsigned char *p;
@@ -421,30 +412,28 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 
 	/* s3->tmp is used to store messages that are unexpected, caused
 	 * by the absence of an optional handshake message */
-	if (s->s3->tmp.reuse_message)
-		{
-		s->s3->tmp.reuse_message=0;
-		if ((mt >= 0) && (s->s3->tmp.message_type != mt))
-			{
-			al=SSL_AD_UNEXPECTED_MESSAGE;
-			SSLerr(SSL_F_DTLS1_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
+	if (s->s3->tmp.reuse_message) {
+		s->s3->tmp.reuse_message = 0;
+		if ((mt >= 0) && (s->s3->tmp.message_type != mt)) {
+			al = SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_DTLS1_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
 			goto f_err;
-			}
-		*ok=1;
+		}
+		*ok = 1;
 		s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
 		s->init_num = (int)s->s3->tmp.message_size;
 		return s->init_num;
-		}
+	}
 
 	msg_hdr = &s->d1->r_msg_hdr;
 	memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
 
 again:
 	i = dtls1_get_message_fragment(s, st1, stn, max, ok);
-	if ( i == DTLS1_HM_BAD_FRAGMENT ||
-		i == DTLS1_HM_FRAGMENT_RETRY)  /* bad fragment received */
+	if (i == DTLS1_HM_BAD_FRAGMENT ||
+	    i == DTLS1_HM_FRAGMENT_RETRY)  /* bad fragment received */
 		goto again;
-	else if ( i <= 0 && !*ok)
+	else if (i <= 0 && !*ok)
 		return i;
 
 	p = (unsigned char *)s->init_buf->data;
@@ -452,20 +441,19 @@ again:
 
 	/* reconstruct message header */
 	*(p++) = msg_hdr->type;
-	l2n3(msg_len,p);
-	s2n (msg_hdr->seq,p);
-	l2n3(0,p);
-	l2n3(msg_len,p);
+	l2n3(msg_len, p);
+	s2n (msg_hdr->seq, p);
+	l2n3(0, p);
+	l2n3(msg_len, p);
 	if (s->version != DTLS1_BAD_VER) {
-		p       -= DTLS1_HM_HEADER_LENGTH;
+		p -= DTLS1_HM_HEADER_LENGTH;
 		msg_len += DTLS1_HM_HEADER_LENGTH;
 	}
 
 	ssl3_finish_mac(s, p, msg_len);
 	if (s->msg_callback)
-		s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
-			p, msg_len,
-			s, s->msg_callback_arg);
+		s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len,
+		    s, s->msg_callback_arg);
 
 	memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
 
@@ -477,64 +465,59 @@ again:
 	return s->init_num;
 
 f_err:
-	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 	*ok = 0;
 	return -1;
-	}
+}
 
 
-static int dtls1_preprocess_fragment(SSL *s,struct hm_header_st *msg_hdr,int max)
-	{
-	size_t frag_off,frag_len,msg_len;
+static int
+dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max) {
+	size_t frag_off, frag_len, msg_len;
 
-	msg_len  = msg_hdr->msg_len;
+	msg_len = msg_hdr->msg_len;
 	frag_off = msg_hdr->frag_off;
 	frag_len = msg_hdr->frag_len;
 
 	/* sanity checking */
-	if ( (frag_off+frag_len) > msg_len)
-		{
-		SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+	if ((frag_off + frag_len) > msg_len) {
+		SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE);
 		return SSL_AD_ILLEGAL_PARAMETER;
-		}
+	}
 
-	if ( (frag_off+frag_len) > (unsigned long)max)
-		{
-		SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+	if ((frag_off + frag_len) > (unsigned long)max) {
+		SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE);
 		return SSL_AD_ILLEGAL_PARAMETER;
-		}
+	}
 
 	if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */
-		{
+	{
 		/* msg_len is limited to 2^24, but is effectively checked
 		 * against max above */
-		if (!BUF_MEM_grow_clean(s->init_buf,msg_len+DTLS1_HM_HEADER_LENGTH))
-			{
-			SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,ERR_R_BUF_LIB);
+		if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
+			SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
 			return SSL_AD_INTERNAL_ERROR;
-			}
+		}
 
-		s->s3->tmp.message_size  = msg_len;
+		s->s3->tmp.message_size = msg_len;
 		s->d1->r_msg_hdr.msg_len = msg_len;
-		s->s3->tmp.message_type  = msg_hdr->type;
-		s->d1->r_msg_hdr.type    = msg_hdr->type;
-		s->d1->r_msg_hdr.seq     = msg_hdr->seq;
-		}
-	else if (msg_len != s->d1->r_msg_hdr.msg_len)
-		{
+		s->s3->tmp.message_type = msg_hdr->type;
+		s->d1->r_msg_hdr.type = msg_hdr->type;
+		s->d1->r_msg_hdr.seq = msg_hdr->seq;
+	} else if (msg_len != s->d1->r_msg_hdr.msg_len) {
 		/* They must be playing with us! BTW, failure to enforce
 		 * upper limit would open possibility for buffer overrun. */
-		SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+		SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE);
 		return SSL_AD_ILLEGAL_PARAMETER;
-		}
+	}
 
 	return 0; /* no error */
-	}
+}
 
 
 static int
 dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
-	{
+{
 	/* (0) check whether the desired fragment is available
 	 * if so:
 	 * (1) copy over the fragment to s->init_buf->data[]
@@ -546,58 +529,54 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
 
 	*ok = 0;
 	item = pqueue_peek(s->d1->buffered_messages);
-	if ( item == NULL)
+	if (item == NULL)
 		return 0;
 
 	frag = (hm_fragment *)item->data;
-	
+
 	/* Don't return if reassembly still in progress */
 	if (frag->reassembly != NULL)
 		return 0;
 
-	if ( s->d1->handshake_read_seq == frag->msg_header.seq)
-		{
+	if (s->d1->handshake_read_seq == frag->msg_header.seq) {
 		unsigned long frag_len = frag->msg_header.frag_len;
 		pqueue_pop(s->d1->buffered_messages);
 
-		al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
+		al = dtls1_preprocess_fragment(s, &frag->msg_header, max);
 
-		if (al==0) /* no alert */
-			{
-			unsigned char *p = (unsigned char *)s->init_buf->data+DTLS1_HM_HEADER_LENGTH;
+		if (al == 0) /* no alert */
+		{
+			unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
 			memcpy(&p[frag->msg_header.frag_off],
-				frag->fragment,frag->msg_header.frag_len);
-			}
+			frag->fragment, frag->msg_header.frag_len);
+		}
 
 		dtls1_hm_fragment_free(frag);
 		pitem_free(item);
 
-		if (al==0)
-			{
+		if (al == 0) {
 			*ok = 1;
 			return frag_len;
-			}
+		}
 
-		ssl3_send_alert(s,SSL3_AL_FATAL,al);
+		ssl3_send_alert(s, SSL3_AL_FATAL, al);
 		s->init_num = 0;
 		*ok = 0;
 		return -1;
-		}
-	else
+	} else
 		return 0;
-	}
+}
 
 
 static int
-dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
-	{
+dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) {
 	hm_fragment *frag = NULL;
 	pitem *item = NULL;
 	int i = -1, is_complete;
 	unsigned char seq64be[8];
 	unsigned long frag_len = msg_hdr->frag_len, max_len;
 
-	if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+	if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len)
 		goto err;
 
 	/* Determine maximum allowed message size. Depends on (user set)
@@ -608,104 +587,99 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 	else
 		max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
 
-	if ((msg_hdr->frag_off+frag_len) > max_len)
+	if ((msg_hdr->frag_off + frag_len) > max_len)
 		goto err;
 
 	/* Try to find item in queue */
-	memset(seq64be,0,sizeof(seq64be));
-	seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
-	seq64be[7] = (unsigned char) msg_hdr->seq;
+	memset(seq64be, 0, sizeof(seq64be));
+	seq64be[6] = (unsigned char)(msg_hdr->seq >> 8);
+	seq64be[7] = (unsigned char)msg_hdr->seq;
 	item = pqueue_find(s->d1->buffered_messages, seq64be);
 
-	if (item == NULL)
-		{
+	if (item == NULL) {
 		frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1);
-		if ( frag == NULL)
+		if (frag == NULL)
 			goto err;
 		memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
 		frag->msg_header.frag_len = frag->msg_header.msg_len;
 		frag->msg_header.frag_off = 0;
-		}
-	else
+	} else
 		frag = (hm_fragment*) item->data;
 
 	/* If message is already reassembled, this must be a
 	 * retransmit and can be dropped.
 	 */
-	if (frag->reassembly == NULL)
-		{
+	if (frag->reassembly == NULL) {
 		unsigned char devnull [256];
 
-		while (frag_len)
-			{
-			i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
-				devnull,
-				frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0);
-			if (i<=0) goto err;
+		while (frag_len) {
+			i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+			    devnull, frag_len > sizeof(devnull) ?
+			        sizeof(devnull) : frag_len, 0);
+			if (i <= 0)
+				goto err;
 			frag_len -= i;
-			}
-		return DTLS1_HM_FRAGMENT_RETRY;
 		}
+		return DTLS1_HM_FRAGMENT_RETRY;
+	}
 
 	/* read the body of the fragment (header has already been read */
-	i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
-		frag->fragment + msg_hdr->frag_off,frag_len,0);
-	if (i<=0 || (unsigned long)i!=frag_len)
+	i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+	frag->fragment + msg_hdr->frag_off, frag_len, 0);
+	if (i <= 0 || (unsigned long)i != frag_len)
 		goto err;
 
 	RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
-	                    (long)(msg_hdr->frag_off + frag_len));
+	(long)(msg_hdr->frag_off + frag_len));
 
 	RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len,
-	                           is_complete);
+	is_complete);
 
-	if (is_complete)
-		{
+	if (is_complete) {
 		OPENSSL_free(frag->reassembly);
 		frag->reassembly = NULL;
-		}
+	}
 
-	if (item == NULL)
-		{
-		memset(seq64be,0,sizeof(seq64be));
-		seq64be[6] = (unsigned char)(msg_hdr->seq>>8);
+	if (item == NULL) {
+		memset(seq64be, 0, sizeof(seq64be));
+		seq64be[6] = (unsigned char)(msg_hdr->seq >> 8);
 		seq64be[7] = (unsigned char)(msg_hdr->seq);
 
 		item = pitem_new(seq64be, frag);
-		if (item == NULL)
-			{
+		if (item == NULL) {
 			goto err;
 			i = -1;
-			}
+		}
 
 		pqueue_insert(s->d1->buffered_messages, item);
-		}
+	}
 
 	return DTLS1_HM_FRAGMENT_RETRY;
 
 err:
-	if (frag != NULL) dtls1_hm_fragment_free(frag);
-	if (item != NULL) OPENSSL_free(item);
+	if (frag != NULL)
+		dtls1_hm_fragment_free(frag);
+	if (item != NULL)
+		OPENSSL_free(item);
 	*ok = 0;
 	return i;
-	}
+}
 
 
 static int
-dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
-{
-	int i=-1;
+dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) {
+	int i = -1;
 	hm_fragment *frag = NULL;
 	pitem *item = NULL;
 	unsigned char seq64be[8];
 	unsigned long frag_len = msg_hdr->frag_len;
 
-	if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+	if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len)
 		goto err;
 
 	/* Try to find item in queue, to prevent duplicate entries */
-	memset(seq64be,0,sizeof(seq64be));
-	seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
+	memset(seq64be, 0, sizeof(seq64be));
+	seq64be[6] = (unsigned char) (msg_hdr->seq >> 8);
 	seq64be[7] = (unsigned char) msg_hdr->seq;
 	item = pqueue_find(s->d1->buffered_messages, seq64be);
 
@@ -721,92 +695,89 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 	 * retransmit.
 	 */
 	if (msg_hdr->seq <= s->d1->handshake_read_seq ||
-		msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL ||
-		(s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED))
-		{
+	    msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL ||
+	    (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED)) {
 		unsigned char devnull [256];
 
-		while (frag_len)
-			{
-			i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
-				devnull,
-				frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0);
-			if (i<=0) goto err;
+		while (frag_len) {
+			i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+			    devnull, frag_len > sizeof(devnull) ?
+			        sizeof(devnull) : frag_len, 0);
+			if (i <= 0)
+				goto err;
 			frag_len -= i;
-			}
 		}
-	else
-		{
+	} else {
 		if (frag_len && frag_len < msg_hdr->msg_len)
 			return dtls1_reassemble_fragment(s, msg_hdr, ok);
 
 		frag = dtls1_hm_fragment_new(frag_len, 0);
-		if ( frag == NULL)
+		if (frag == NULL)
 			goto err;
 
 		memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
 
-		if (frag_len)
-			{
+		if (frag_len) {
 			/* read the body of the fragment (header has already been read */
-			i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
-				frag->fragment,frag_len,0);
-			if (i<=0 || (unsigned long)i!=frag_len)
+			i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+			    frag->fragment, frag_len, 0);
+			if (i <= 0 || (unsigned long)i != frag_len)
 				goto err;
-			}
+		}
 
-		memset(seq64be,0,sizeof(seq64be));
-		seq64be[6] = (unsigned char)(msg_hdr->seq>>8);
+		memset(seq64be, 0, sizeof(seq64be));
+		seq64be[6] = (unsigned char)(msg_hdr->seq >> 8);
 		seq64be[7] = (unsigned char)(msg_hdr->seq);
 
 		item = pitem_new(seq64be, frag);
-		if ( item == NULL)
+		if (item == NULL)
 			goto err;
 
 		pqueue_insert(s->d1->buffered_messages, item);
-		}
+	}
 
 	return DTLS1_HM_FRAGMENT_RETRY;
 
 err:
-	if ( frag != NULL) dtls1_hm_fragment_free(frag);
-	if ( item != NULL) OPENSSL_free(item);
+	if (frag != NULL)
+		dtls1_hm_fragment_free(frag);
+	if (item != NULL)
+		OPENSSL_free(item);
 	*ok = 0;
 	return i;
-	}
+}
 
 
 static long
 dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
-	{
+{
 	unsigned char wire[DTLS1_HM_HEADER_LENGTH];
 	unsigned long len, frag_off, frag_len;
-	int i,al;
+	int i, al;
 	struct hm_header_st msg_hdr;
 
 	/* see if we have the required fragment already */
-	if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
-		{
-		if (*ok)	s->init_num = frag_len;
+	if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) {
+		if (*ok)
+			s->init_num = frag_len;
 		return frag_len;
-		}
+	}
 
 	/* read handshake message header */
-	i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,wire,
-		DTLS1_HM_HEADER_LENGTH, 0);
+	i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, wire,
+	DTLS1_HM_HEADER_LENGTH, 0);
 	if (i <= 0) 	/* nbio, or an error */
-		{
-		s->rwstate=SSL_READING;
+	{
+		s->rwstate = SSL_READING;
 		*ok = 0;
 		return i;
-		}
+	}
 	/* Handshake fails if message header is incomplete */
-	if (i != DTLS1_HM_HEADER_LENGTH)
-		{
-		al=SSL_AD_UNEXPECTED_MESSAGE;
-		SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE);
+	if (i != DTLS1_HM_HEADER_LENGTH) {
+		al = SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT, SSL_R_UNEXPECTED_MESSAGE);
 		goto f_err;
-		}
+	}
 
 	/* parse the message fragment header */
 	dtls1_get_message_header(wire, &msg_hdr);
@@ -828,62 +799,56 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
 		return dtls1_reassemble_fragment(s, &msg_hdr, ok);
 
 	if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
-		wire[0] == SSL3_MT_HELLO_REQUEST)
-		{
+	    wire[0] == SSL3_MT_HELLO_REQUEST) {
 		/* The server may always send 'Hello Request' messages --
 		 * we are doing a handshake anyway now, so ignore them
 		 * if their format is correct. Does not count for
 		 * 'Finished' MAC. */
-		if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0)
-			{
+		if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) {
 			if (s->msg_callback)
-				s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 
-					wire, DTLS1_HM_HEADER_LENGTH, s, 
-					s->msg_callback_arg);
-			
+				s->msg_callback(0, s->version,
+				    SSL3_RT_HANDSHAKE, wire,
+				    DTLS1_HM_HEADER_LENGTH, s,
+				    s->msg_callback_arg);
+
 			s->init_num = 0;
-			return dtls1_get_message_fragment(s, st1, stn,
-				max, ok);
-			}
+			return dtls1_get_message_fragment(s, st1, stn, max, ok);
+		}
 		else /* Incorrectly formated Hello request */
-			{
-			al=SSL_AD_UNEXPECTED_MESSAGE;
-			SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE);
+		{
+			al = SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT, SSL_R_UNEXPECTED_MESSAGE);
 			goto f_err;
-			}
 		}
+	}
 
-	if ((al=dtls1_preprocess_fragment(s,&msg_hdr,max)))
+	if ((al = dtls1_preprocess_fragment(s, &msg_hdr, max)))
 		goto f_err;
 
 	/* XDTLS:  ressurect this when restart is in place */
-	s->state=stn;
+	s->state = stn;
 
-	if ( frag_len > 0)
-		{
-		unsigned char *p=(unsigned char *)s->init_buf->data+DTLS1_HM_HEADER_LENGTH;
+	if (frag_len > 0) {
+		unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
 
-		i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
-			&p[frag_off],frag_len,0);
+		i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+		    &p[frag_off], frag_len, 0);
 		/* XDTLS:  fix this--message fragments cannot span multiple packets */
-		if (i <= 0)
-			{
-			s->rwstate=SSL_READING;
+		if (i <= 0) {
+			s->rwstate = SSL_READING;
 			*ok = 0;
 			return i;
-			}
 		}
-	else
+	} else
 		i = 0;
 
 	/* XDTLS:  an incorrectly formatted fragment should cause the 
 	 * handshake to fail */
-	if (i != (int)frag_len)
-		{
-		al=SSL3_AD_ILLEGAL_PARAMETER;
-		SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL3_AD_ILLEGAL_PARAMETER);
+	if (i != (int)frag_len) {
+		al = SSL3_AD_ILLEGAL_PARAMETER;
+		SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT, SSL3_AD_ILLEGAL_PARAMETER);
 		goto f_err;
-		}
+	}
 
 	*ok = 1;
 
@@ -895,62 +860,59 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
 	return frag_len;
 
 f_err:
-	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 	s->init_num = 0;
 
-	*ok=0;
-	return(-1);
-	}
+	*ok = 0;
+	return (-1);
+}
 
-int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
-	{
-	unsigned char *p,*d;
+int
+dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
+{
+	unsigned char *p, *d;
 	int i;
 	unsigned long l;
 
-	if (s->state == a)
-		{
-		d=(unsigned char *)s->init_buf->data;
-		p= &(d[DTLS1_HM_HEADER_LENGTH]);
+	if (s->state == a) {
+		d = (unsigned char *)s->init_buf->data;
+		p = &(d[DTLS1_HM_HEADER_LENGTH]);
 
-		i=s->method->ssl3_enc->final_finish_mac(s,
-			sender,slen,s->s3->tmp.finish_md);
+		i = s->method->ssl3_enc->final_finish_mac(s,
+		    sender, slen, s->s3->tmp.finish_md);
 		s->s3->tmp.finish_md_len = i;
 		memcpy(p, s->s3->tmp.finish_md, i);
-		p+=i;
-		l=i;
+		p += i;
+		l = i;
 
-	/* Copy the finished so we can use it for
-	 * renegotiation checks
-	 */
-	if(s->type == SSL_ST_CONNECT)
-		{
-		OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
-		memcpy(s->s3->previous_client_finished, 
-		       s->s3->tmp.finish_md, i);
-		s->s3->previous_client_finished_len=i;
-		}
-	else
-		{
-		OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
-		memcpy(s->s3->previous_server_finished, 
-		       s->s3->tmp.finish_md, i);
-		s->s3->previous_server_finished_len=i;
+		/* Copy the finished so we can use it for
+		 * renegotiation checks
+		 */
+		if (s->type == SSL_ST_CONNECT) {
+			OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
+			memcpy(s->s3->previous_client_finished,
+			s->s3->tmp.finish_md, i);
+			s->s3->previous_client_finished_len = i;
+		} else {
+			OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
+			memcpy(s->s3->previous_server_finished,
+			s->s3->tmp.finish_md, i);
+			s->s3->previous_server_finished_len = i;
 		}
 
 		d = dtls1_set_message_header(s, d, SSL3_MT_FINISHED, l, 0, l);
-		s->init_num=(int)l+DTLS1_HM_HEADER_LENGTH;
-		s->init_off=0;
+		s->init_num = (int)l + DTLS1_HM_HEADER_LENGTH;
+		s->init_off = 0;
 
 		/* buffer the message to handle re-xmits */
 		dtls1_buffer_message(s, 0);
 
-		s->state=b;
-		}
+		s->state = b;
+	}
 
 	/* SSL3_ST_SEND_xxxxxx_HELLO_B */
-	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
-	}
+	return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
+}
 
 /* for these 2 messages, we need to
  * ssl->enc_read_ctx			re-init
@@ -960,161 +922,154 @@ int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
  * ssl->session->read_compression	assign
  * ssl->session->read_hash		assign
  */
-int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
-	{ 
+int
+dtls1_send_change_cipher_spec(SSL *s, int a, int b)
+{
 	unsigned char *p;
 
-	if (s->state == a)
-		{
-		p=(unsigned char *)s->init_buf->data;
+	if (s->state == a) {
+		p = (unsigned char *)s->init_buf->data;
 		*p++=SSL3_MT_CCS;
 		s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
-		s->init_num=DTLS1_CCS_HEADER_LENGTH;
+		s->init_num = DTLS1_CCS_HEADER_LENGTH;
 
 		if (s->version == DTLS1_BAD_VER) {
 			s->d1->next_handshake_write_seq++;
-			s2n(s->d1->handshake_write_seq,p);
-			s->init_num+=2;
+			s2n(s->d1->handshake_write_seq, p);
+			s->init_num += 2;
 		}
 
-		s->init_off=0;
+		s->init_off = 0;
 
-		dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, 
-			s->d1->handshake_write_seq, 0, 0);
+		dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
+		s->d1->handshake_write_seq, 0, 0);
 
 		/* buffer the message to handle re-xmits */
 		dtls1_buffer_message(s, 1);
 
-		s->state=b;
-		}
+		s->state = b;
+	}
 
 	/* SSL3_ST_CW_CHANGE_B */
-	return(dtls1_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
-	}
+	return (dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC));
+}
 
-static int dtls1_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
-	{
+static int
+dtls1_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
+{
 	int n;
 	unsigned char *p;
 
-	n=i2d_X509(x,NULL);
-	if (!BUF_MEM_grow_clean(buf,(int)(n+(*l)+3)))
-		{
-		SSLerr(SSL_F_DTLS1_ADD_CERT_TO_BUF,ERR_R_BUF_LIB);
+	n = i2d_X509(x, NULL);
+	if (!BUF_MEM_grow_clean(buf,(int)(n + (*l) + 3))) {
+		SSLerr(SSL_F_DTLS1_ADD_CERT_TO_BUF, ERR_R_BUF_LIB);
 		return 0;
-		}
-	p=(unsigned char *)&(buf->data[*l]);
-	l2n3(n,p);
-	i2d_X509(x,&p);
-	*l+=n+3;
+	}
+	p = (unsigned char *)&(buf->data[*l]);
+	l2n3(n, p);
+	i2d_X509(x, &p);
+	*l += n + 3;
 
 	return 1;
-	}
-unsigned long dtls1_output_cert_chain(SSL *s, X509 *x)
-	{
+}
+
+unsigned long
+dtls1_output_cert_chain(SSL *s, X509 *x)
+{
 	unsigned char *p;
 	int i;
-	unsigned long l= 3 + DTLS1_HM_HEADER_LENGTH;
+	unsigned long l = 3 + DTLS1_HM_HEADER_LENGTH;
 	BUF_MEM *buf;
 
 	/* TLSv1 sends a chain with nothing in it, instead of an alert */
-	buf=s->init_buf;
-	if (!BUF_MEM_grow_clean(buf,10))
-		{
-		SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
-		return(0);
-		}
-	if (x != NULL)
-		{
+	buf = s->init_buf;
+	if (!BUF_MEM_grow_clean(buf, 10)) {
+		SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN, ERR_R_BUF_LIB);
+		return (0);
+	}
+	if (x != NULL) {
 		X509_STORE_CTX xs_ctx;
 
-		if (!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,x,NULL))
-  			{
-  			SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
-  			return(0);
-  			}
-  
+		if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store, x, NULL)) {
+			SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN, ERR_R_X509_LIB);
+			return (0);
+		}
+
 		X509_verify_cert(&xs_ctx);
 		/* Don't leave errors in the queue */
 		ERR_clear_error();
-		for (i=0; i < sk_X509_num(xs_ctx.chain); i++)
-  			{
+		for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {
 			x = sk_X509_value(xs_ctx.chain, i);
 
-			if (!dtls1_add_cert_to_buf(buf, &l, x))
-  				{
+			if (!dtls1_add_cert_to_buf(buf, &l, x)) {
 				X509_STORE_CTX_cleanup(&xs_ctx);
 				return 0;
-  				}
-  			}
-  		X509_STORE_CTX_cleanup(&xs_ctx);
-  		}
-  	/* Thawte special :-) */
-	for (i=0; i<sk_X509_num(s->ctx->extra_certs); i++)
-		{
-		x=sk_X509_value(s->ctx->extra_certs,i);
+			}
+		}
+		X509_STORE_CTX_cleanup(&xs_ctx);
+	}
+	/* Thawte special :-) */
+	for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) {
+		x = sk_X509_value(s->ctx->extra_certs, i);
 		if (!dtls1_add_cert_to_buf(buf, &l, x))
 			return 0;
-		}
+	}
 
-	l-= (3 + DTLS1_HM_HEADER_LENGTH);
+	l -= (3 + DTLS1_HM_HEADER_LENGTH);
 
-	p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
-	l2n3(l,p);
-	l+=3;
-	p=(unsigned char *)&(buf->data[0]);
+	p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
+	l2n3(l, p);
+	l += 3;
+	p = (unsigned char *)&(buf->data[0]);
 	p = dtls1_set_message_header(s, p, SSL3_MT_CERTIFICATE, l, 0, l);
 
-	l+=DTLS1_HM_HEADER_LENGTH;
-	return(l);
-	}
+	l += DTLS1_HM_HEADER_LENGTH;
+	return (l);
+}
 
-int dtls1_read_failed(SSL *s, int code)
-	{
-	if ( code > 0)
-		{
+int
+dtls1_read_failed(SSL *s, int code)
+{
+	if (code > 0) {
 		fprintf( stderr, "invalid state reached %s:%d", __FILE__, __LINE__);
 		return 1;
-		}
+	}
 
-	if (!dtls1_is_timer_expired(s))
-		{
+	if (!dtls1_is_timer_expired(s)) {
 		/* not a timeout, none of our business, 
 		   let higher layers handle this.  in fact it's probably an error */
 		return code;
-		}
+	}
 
 #ifndef OPENSSL_NO_HEARTBEATS
 	if (!SSL_in_init(s) && !s->tlsext_hb_pending)  /* done, no need to send a retransmit */
 #else
 	if (!SSL_in_init(s))  /* done, no need to send a retransmit */
 #endif
-		{
+	{
 		BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
 		return code;
-		}
+	}
 
 #if 0 /* for now, each alert contains only one record number */
 	item = pqueue_peek(state->rcvd_records);
-	if ( item )
-		{
+	if (item ) {
 		/* send an alert immediately for all the missing records */
-		}
-	else
+	} else
 #endif
 
 #if 0  /* no more alert sending, just retransmit the last set of messages */
-	if ( state->timeout.read_timeouts >= DTLS1_TMO_READ_COUNT)
-		ssl3_send_alert(s,SSL3_AL_WARNING,
-			DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
+	if (state->timeout.read_timeouts >= DTLS1_TMO_READ_COUNT)
+		ssl3_send_alert(s, SSL3_AL_WARNING,
+	DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
 #endif
 
 	return dtls1_handle_timeout(s);
-	}
+}
 
 int
 dtls1_get_queue_priority(unsigned short seq, int is_ccs)
-	{
+{
 	/* The index of the retransmission queue actually is the message sequence number,
 	 * since the queue only contains messages of a single handshake. However, the
 	 * ChangeCipherSpec has no message sequence number and so using only the sequence
@@ -1124,11 +1079,11 @@ dtls1_get_queue_priority(unsigned short seq, int is_ccs)
 	 * index (important for priority queues) and fits in the unsigned short variable.
 	 */	
 	return seq * 2 - is_ccs;
-	}
+}
 
 int
 dtls1_retransmit_buffered_messages(SSL *s)
-	{
+{
 	pqueue sent = s->d1->sent_messages;
 	piterator iter;
 	pitem *item;
@@ -1137,24 +1092,23 @@ dtls1_retransmit_buffered_messages(SSL *s)
 
 	iter = pqueue_iterator(sent);
 
-	for ( item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter))
-		{
+	for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) {
 		frag = (hm_fragment *)item->data;
-			if ( dtls1_retransmit_message(s,
-				(unsigned short)dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs),
-				0, &found) <= 0 && found)
-			{
+		if (dtls1_retransmit_message(s,
+		    (unsigned short)dtls1_get_queue_priority(
+		        frag->msg_header.seq, frag->msg_header.is_ccs), 0,
+		        &found) <= 0 && found) {
 			fprintf(stderr, "dtls1_retransmit_message() failed\n");
 			return -1;
-			}
 		}
+	}
 
 	return 1;
-	}
+}
 
 int
 dtls1_buffer_message(SSL *s, int is_ccs)
-	{
+{
 	pitem *item;
 	hm_fragment *frag;
 	unsigned char seq64be[8];
@@ -1167,16 +1121,13 @@ dtls1_buffer_message(SSL *s, int is_ccs)
 
 	memcpy(frag->fragment, s->init_buf->data, s->init_num);
 
-	if ( is_ccs)
-		{
-		OPENSSL_assert(s->d1->w_msg_hdr.msg_len + 
-			       ((s->version==DTLS1_VERSION)?DTLS1_CCS_HEADER_LENGTH:3) == (unsigned int)s->init_num);
-		}
-	else
-		{
-		OPENSSL_assert(s->d1->w_msg_hdr.msg_len + 
-			DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num);
-		}
+	if (is_ccs) {
+		OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
+		((s->version == DTLS1_VERSION) ? DTLS1_CCS_HEADER_LENGTH : 3) == (unsigned int)s->init_num);
+	} else {
+		OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
+		DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num);
+	}
 
 	frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len;
 	frag->msg_header.seq = s->d1->w_msg_hdr.seq;
@@ -1191,38 +1142,37 @@ dtls1_buffer_message(SSL *s, int is_ccs)
 	frag->msg_header.saved_retransmit_state.compress = s->compress;
 	frag->msg_header.saved_retransmit_state.session = s->session;
 	frag->msg_header.saved_retransmit_state.epoch = s->d1->w_epoch;
-	
-	memset(seq64be,0,sizeof(seq64be));
+
+	memset(seq64be, 0, sizeof(seq64be));
 	seq64be[6] = (unsigned char)(dtls1_get_queue_priority(frag->msg_header.seq,
-														  frag->msg_header.is_ccs)>>8);
+	frag->msg_header.is_ccs) >> 8);
 	seq64be[7] = (unsigned char)(dtls1_get_queue_priority(frag->msg_header.seq,
-														  frag->msg_header.is_ccs));
+	frag->msg_header.is_ccs));
 
 	item = pitem_new(seq64be, frag);
-	if ( item == NULL)
-		{
+	if (item == NULL) {
 		dtls1_hm_fragment_free(frag);
 		return 0;
-		}
+	}
 
 #if 0
-	fprintf( stderr, "buffered messge: \ttype = %xx\n", msg_buf->type);
-	fprintf( stderr, "\t\t\t\t\tlen = %d\n", msg_buf->len);
-	fprintf( stderr, "\t\t\t\t\tseq_num = %d\n", msg_buf->seq_num);
+	fprintf(stderr, "buffered messge: \ttype = %xx\n", msg_buf->type);
+	fprintf(stderr, "\t\t\t\t\tlen = %d\n", msg_buf->len);
+	fprintf(stderr, "\t\t\t\t\tseq_num = %d\n", msg_buf->seq_num);
 #endif
 
 	pqueue_insert(s->d1->sent_messages, item);
 	return 1;
-	}
+}
 
 int
 dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
-	int *found)
-	{
+    int *found)
+{
 	int ret;
 	/* XDTLS: for now assuming that read/writes are blocking */
 	pitem *item;
-	hm_fragment *frag ;
+	hm_fragment *frag;
 	unsigned long header_length;
 	unsigned char seq64be[8];
 	struct dtls1_retransmit_state saved_state;
@@ -1234,33 +1184,32 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
 	 */
 
 	/* XDTLS:  the requested message ought to be found, otherwise error */
-	memset(seq64be,0,sizeof(seq64be));
-	seq64be[6] = (unsigned char)(seq>>8);
+	memset(seq64be, 0, sizeof(seq64be));
+	seq64be[6] = (unsigned char)(seq >> 8);
 	seq64be[7] = (unsigned char)seq;
 
 	item = pqueue_find(s->d1->sent_messages, seq64be);
-	if ( item == NULL)
-		{
+	if (item == NULL) {
 		fprintf(stderr, "retransmit:  message %d non-existant\n", seq);
 		*found = 0;
 		return 0;
-		}
+	}
 
 	*found = 1;
 	frag = (hm_fragment *)item->data;
 
-	if ( frag->msg_header.is_ccs)
+	if (frag->msg_header.is_ccs)
 		header_length = DTLS1_CCS_HEADER_LENGTH;
 	else
 		header_length = DTLS1_HM_HEADER_LENGTH;
 
-	memcpy(s->init_buf->data, frag->fragment, 
-		frag->msg_header.msg_len + header_length);
-		s->init_num = frag->msg_header.msg_len + header_length;
+	memcpy(s->init_buf->data, frag->fragment,
+	frag->msg_header.msg_len + header_length);
+	s->init_num = frag->msg_header.msg_len + header_length;
 
-	dtls1_set_message_header_int(s, frag->msg_header.type, 
-		frag->msg_header.msg_len, frag->msg_header.seq, 0, 
-		frag->msg_header.frag_len);
+	dtls1_set_message_header_int(s, frag->msg_header.type,
+	frag->msg_header.msg_len, frag->msg_header.seq, 0,
+	frag->msg_header.frag_len);
 
 	/* save current state */
 	saved_state.enc_write_ctx = s->enc_write_ctx;
@@ -1269,34 +1218,32 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
 	saved_state.session = s->session;
 	saved_state.epoch = s->d1->w_epoch;
 	saved_state.epoch = s->d1->w_epoch;
-	
+
 	s->d1->retransmitting = 1;
-	
+
 	/* restore state in which the message was originally sent */
 	s->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx;
 	s->write_hash = frag->msg_header.saved_retransmit_state.write_hash;
 	s->compress = frag->msg_header.saved_retransmit_state.compress;
 	s->session = frag->msg_header.saved_retransmit_state.session;
 	s->d1->w_epoch = frag->msg_header.saved_retransmit_state.epoch;
-	
-	if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1)
-	{
+
+	if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1) {
 		memcpy(save_write_sequence, s->s3->write_sequence, sizeof(s->s3->write_sequence));
 		memcpy(s->s3->write_sequence, s->d1->last_write_sequence, sizeof(s->s3->write_sequence));
 	}
-	
-	ret = dtls1_do_write(s, frag->msg_header.is_ccs ? 
-						 SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE);
-	
+
+	ret = dtls1_do_write(s, frag->msg_header.is_ccs ?
+	SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE);
+
 	/* restore current state */
 	s->enc_write_ctx = saved_state.enc_write_ctx;
 	s->write_hash = saved_state.write_hash;
 	s->compress = saved_state.compress;
 	s->session = saved_state.session;
 	s->d1->w_epoch = saved_state.epoch;
-	
-	if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1)
-	{
+
+	if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1) {
 		memcpy(s->d1->last_write_sequence, s->s3->write_sequence, sizeof(s->s3->write_sequence));
 		memcpy(s->s3->write_sequence, save_write_sequence, sizeof(s->s3->write_sequence));
 	}
@@ -1305,47 +1252,45 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
 
 	(void)BIO_flush(SSL_get_wbio(s));
 	return ret;
-	}
+}
 
 /* call this function when the buffered messages are no longer needed */
 void
 dtls1_clear_record_buffer(SSL *s)
-	{
+{
 	pitem *item;
 
-	for(item = pqueue_pop(s->d1->sent_messages);
-		item != NULL; item = pqueue_pop(s->d1->sent_messages))
-		{
+	for(item = pqueue_pop(s->d1->sent_messages); item != NULL;
+	    item = pqueue_pop(s->d1->sent_messages)) {
 		dtls1_hm_fragment_free((hm_fragment *)item->data);
 		pitem_free(item);
-		}
 	}
+}
 
 
 unsigned char *
 dtls1_set_message_header(SSL *s, unsigned char *p, unsigned char mt,
-			unsigned long len, unsigned long frag_off, unsigned long frag_len)
-	{
+    unsigned long len, unsigned long frag_off, unsigned long frag_len)
+{
 	/* Don't change sequence numbers while listening */
-	if (frag_off == 0 && !s->d1->listen)
-		{
+	if (frag_off == 0 && !s->d1->listen) {
 		s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
 		s->d1->next_handshake_write_seq++;
-		}
+	}
 
 	dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq,
-		frag_off, frag_len);
+	frag_off, frag_len);
 
 	return p += DTLS1_HM_HEADER_LENGTH;
-	}
+}
 
 
 /* don't actually do the writing, wait till the MTU has been retrieved */
 static void
 dtls1_set_message_header_int(SSL *s, unsigned char mt,
-			    unsigned long len, unsigned short seq_num, unsigned long frag_off,
-			    unsigned long frag_len)
-	{
+    unsigned long len, unsigned short seq_num, unsigned long frag_off,
+unsigned long frag_len)
+{
 	struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
 
 	msg_hdr->type = mt;
@@ -1353,21 +1298,21 @@ dtls1_set_message_header_int(SSL *s, unsigned char mt,
 	msg_hdr->seq = seq_num;
 	msg_hdr->frag_off = frag_off;
 	msg_hdr->frag_len = frag_len;
-	}
+}
 
 static void
 dtls1_fix_message_header(SSL *s, unsigned long frag_off,
-			unsigned long frag_len)
-	{
+    unsigned long frag_len)
+{
 	struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
 
 	msg_hdr->frag_off = frag_off;
 	msg_hdr->frag_len = frag_len;
-	}
+}
 
 static unsigned char *
 dtls1_write_message_header(SSL *s, unsigned char *p)
-	{
+{
 	struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
 
 	*p++ = msg_hdr->type;
@@ -1378,33 +1323,32 @@ dtls1_write_message_header(SSL *s, unsigned char *p)
 	l2n3(msg_hdr->frag_len, p);
 
 	return p;
-	}
+}
 
-unsigned int 
+unsigned int
 dtls1_min_mtu(void)
-	{
-	return (g_probable_mtu[(sizeof(g_probable_mtu) / 
-		sizeof(g_probable_mtu[0])) - 1]);
-	}
+{
+	return (g_probable_mtu[(sizeof(g_probable_mtu) /
+	sizeof(g_probable_mtu[0])) - 1]);
+}
 
-static unsigned int 
+static unsigned int
 dtls1_guess_mtu(unsigned int curr_mtu)
-	{
+{
 	unsigned int i;
 
-	if ( curr_mtu == 0 )
-		return g_probable_mtu[0] ;
+	if (curr_mtu == 0)
+		return g_probable_mtu[0];
 
-	for ( i = 0; i < sizeof(g_probable_mtu)/sizeof(g_probable_mtu[0]); i++)
-		if ( curr_mtu > g_probable_mtu[i])
+	for (i = 0; i < sizeof(g_probable_mtu)/sizeof(g_probable_mtu[0]); i++)
+		if (curr_mtu > g_probable_mtu[i])
 			return g_probable_mtu[i];
 
 	return curr_mtu;
-	}
+}
 
 void
-dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr)
-	{
+dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr) {
 	memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
 	msg_hdr->type = *(data++);
 	n2l3(data, msg_hdr->msg_len);
@@ -1412,41 +1356,41 @@ dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr)
 	n2s(data, msg_hdr->seq);
 	n2l3(data, msg_hdr->frag_off);
 	n2l3(data, msg_hdr->frag_len);
-	}
+}
 
 void
-dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr)
-	{
+dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr) {
 	memset(ccs_hdr, 0x00, sizeof(struct ccs_header_st));
 
 	ccs_hdr->type = *(data++);
-	}
+}
 
-int dtls1_shutdown(SSL *s)
-	{
+int
+dtls1_shutdown(SSL *s)
+{
 	int ret;
 #ifndef OPENSSL_NO_SCTP
 	if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
-	    !(s->shutdown & SSL_SENT_SHUTDOWN))
-		{
+	    !(s->shutdown & SSL_SENT_SHUTDOWN)) {
 		ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
-		if (ret < 0) return -1;
+		if (ret < 0)
+			return -1;
 
 		if (ret == 0)
 			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 1, NULL);
-		}
+	}
 #endif
 	ret = ssl3_shutdown(s);
 #ifndef OPENSSL_NO_SCTP
 	BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 0, NULL);
 #endif
 	return ret;
-	}
+}
 
 #ifndef OPENSSL_NO_HEARTBEATS
 int
 dtls1_process_heartbeat(SSL *s)
-	{
+{
 	unsigned char *p = &s->s3->rrec.data[0], *pl;
 	unsigned short hbtype;
 	unsigned int payload;
@@ -1454,8 +1398,8 @@ dtls1_process_heartbeat(SSL *s)
 
 	if (s->msg_callback)
 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
-			&s->s3->rrec.data[0], s->s3->rrec.length,
-			s, s->msg_callback_arg);
+		    &s->s3->rrec.data[0], s->s3->rrec.length,
+		    s, s->msg_callback_arg);
 
 	/* Read type and payload length first */
 	if (1 + 2 + 16 > s->s3->rrec.length)
@@ -1466,12 +1410,11 @@ dtls1_process_heartbeat(SSL *s)
 		return 0; /* silently discard per RFC 6520 sec. 4 */
 	pl = p;
 
-	if (hbtype == TLS1_HB_REQUEST)
-		{
+	if (hbtype == TLS1_HB_REQUEST) {
 		unsigned char *buffer, *bp;
 		unsigned int write_length = 1 /* heartbeat type */ +
-					    2 /* heartbeat length */ +
-					    payload + padding;
+		    2 /* heartbeat length */ +
+		    payload + padding;
 		int r;
 
 		if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
@@ -1496,16 +1439,14 @@ dtls1_process_heartbeat(SSL *s)
 
 		if (r >= 0 && s->msg_callback)
 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-				buffer, write_length,
-				s, s->msg_callback_arg);
+			    buffer, write_length,
+			    s, s->msg_callback_arg);
 
 		OPENSSL_free(buffer);
 
 		if (r < 0)
 			return r;
-		}
-	else if (hbtype == TLS1_HB_RESPONSE)
-		{
+	} else if (hbtype == TLS1_HB_RESPONSE) {
 		unsigned int seq;
 
 		/* We only send sequence numbers (2 bytes unsigned int),
@@ -1513,20 +1454,19 @@ dtls1_process_heartbeat(SSL *s)
 		 * sequence number */
 		n2s(pl, seq);
 
-		if (payload == 18 && seq == s->tlsext_hb_seq)
-			{
+		if (payload == 18 && seq == s->tlsext_hb_seq) {
 			dtls1_stop_timer(s);
 			s->tlsext_hb_seq++;
 			s->tlsext_hb_pending = 0;
-			}
 		}
+	}
 
 	return 0;
-	}
+}
 
 int
 dtls1_heartbeat(SSL *s)
-	{
+{
 	unsigned char *buf, *p;
 	int ret;
 	unsigned int payload = 18; /* Sequence number + random bytes */
@@ -1534,25 +1474,22 @@ dtls1_heartbeat(SSL *s)
 
 	/* Only send if peer supports and accepts HB requests... */
 	if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
-	    s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
-		{
-		SSLerr(SSL_F_DTLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
+		s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
+		SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
 		return -1;
-		}
+	}
 
 	/* ...and there is none in flight yet... */
-	if (s->tlsext_hb_pending)
-		{
-		SSLerr(SSL_F_DTLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
+	if (s->tlsext_hb_pending) {
+		SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
 		return -1;
-		}
+	}
 
 	/* ...and no handshake in progress. */
-	if (SSL_in_init(s) || s->in_handshake)
-		{
-		SSLerr(SSL_F_DTLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
+	if (SSL_in_init(s) || s->in_handshake) {
+		SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
 		return -1;
-		}
+	}
 
 	/* Check if padding is too long, payload and padding
 	 * must not exceed 2^14 - 3 = 16381 bytes in total.
@@ -1583,19 +1520,18 @@ dtls1_heartbeat(SSL *s)
 	RAND_pseudo_bytes(p, padding);
 
 	ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
-	if (ret >= 0)
-		{
+	if (ret >= 0) {
 		if (s->msg_callback)
 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-				buf, 3 + payload + padding,
-				s, s->msg_callback_arg);
+		buf, 3 + payload + padding,
+		s, s->msg_callback_arg);
 
 		dtls1_start_timer(s);
 		s->tlsext_hb_pending = 1;
-		}
+	}
 
 	OPENSSL_free(buf);
 
 	return ret;
-	}
+}
 #endif
diff --git a/lib/libssl/src/ssl/d1_enc.c b/lib/libssl/src/ssl/d1_enc.c
index 712c4647f24..1967e7a95e5 100644
--- a/lib/libssl/src/ssl/d1_enc.c
+++ b/lib/libssl/src/ssl/d1_enc.c
@@ -134,127 +134,114 @@
  *   1: if the record's padding is valid / the encryption was successful.
  *   -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
  *       an internal error occured. */
-int dtls1_enc(SSL *s, int send)
-	{
+int
+dtls1_enc(SSL *s, int send)
+{
 	SSL3_RECORD *rec;
 	EVP_CIPHER_CTX *ds;
 	unsigned long l;
-	int bs,i,j,k,mac_size=0;
+	int bs, i, j, k, mac_size = 0;
 	const EVP_CIPHER *enc;
 
-	if (send)
-		{
-		if (EVP_MD_CTX_md(s->write_hash))
-			{
-			mac_size=EVP_MD_CTX_size(s->write_hash);
+	if (send) {
+		if (EVP_MD_CTX_md(s->write_hash)) {
+			mac_size = EVP_MD_CTX_size(s->write_hash);
 			if (mac_size < 0)
 				return -1;
-			}
-		ds=s->enc_write_ctx;
-		rec= &(s->s3->wrec);
+		}
+		ds = s->enc_write_ctx;
+		rec = &(s->s3->wrec);
 		if (s->enc_write_ctx == NULL)
-			enc=NULL;
-		else
-			{
-			enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
-			if ( rec->data != rec->input)
+			enc = NULL;
+		else {
+			enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
+			if (rec->data != rec->input)
 				/* we can't write into the input stream */
 				fprintf(stderr, "%s:%d: rec->data != rec->input\n",
-					__FILE__, __LINE__);
-			else if ( EVP_CIPHER_block_size(ds->cipher) > 1)
-				{
+				    __FILE__, __LINE__);
+			else if (EVP_CIPHER_block_size(ds->cipher) > 1) {
 				if (RAND_bytes(rec->input, EVP_CIPHER_block_size(ds->cipher)) <= 0)
 					return -1;
-				}
 			}
 		}
-	else
-		{
-		if (EVP_MD_CTX_md(s->read_hash))
-			{
-			mac_size=EVP_MD_CTX_size(s->read_hash);
+	} else {
+		if (EVP_MD_CTX_md(s->read_hash)) {
+			mac_size = EVP_MD_CTX_size(s->read_hash);
 			OPENSSL_assert(mac_size >= 0);
-			}
-		ds=s->enc_read_ctx;
-		rec= &(s->s3->rrec);
+		}
+		ds = s->enc_read_ctx;
+		rec = &(s->s3->rrec);
 		if (s->enc_read_ctx == NULL)
-			enc=NULL;
+			enc = NULL;
 		else
-			enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
-		}
+			enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
+	}
 
 #ifdef KSSL_DEBUG
 	printf("dtls1_enc(%d)\n", send);
 #endif    /* KSSL_DEBUG */
 
-	if ((s->session == NULL) || (ds == NULL) ||
-		(enc == NULL))
-		{
-		memmove(rec->data,rec->input,rec->length);
-		rec->input=rec->data;
-		}
-	else
-		{
-		l=rec->length;
-		bs=EVP_CIPHER_block_size(ds->cipher);
+	if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
+		memmove(rec->data, rec->input, rec->length);
+		rec->input = rec->data;
+	} else {
+		l = rec->length;
+		bs = EVP_CIPHER_block_size(ds->cipher);
 
-		if ((bs != 1) && send)
-			{
-			i=bs-((int)l%bs);
+		if ((bs != 1) && send) {
+			i = bs - ((int)l % bs);
 
 			/* Add weird padding of upto 256 bytes */
 
 			/* we need to add 'i' padding bytes of value j */
-			j=i-1;
-			if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)
-				{
+			j = i - 1;
+			if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) {
 				if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
 					j++;
-				}
-			for (k=(int)l; k<(int)(l+i); k++)
-				rec->input[k]=j;
-			l+=i;
-			rec->length+=i;
 			}
+			for (k = (int)l; k < (int)(l + i); k++)
+				rec->input[k] = j;
+			l += i;
+			rec->length += i;
+		}
 
 #ifdef KSSL_DEBUG
 		{
-                unsigned long ui;
-		printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
-                        ds,rec->data,rec->input,l);
-		printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
-                        ds->buf_len, ds->cipher->key_len,
-                        DES_KEY_SZ, DES_SCHEDULE_SZ,
-                        ds->cipher->iv_len);
-		printf("\t\tIV: ");
-		for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
-		printf("\n");
-		printf("\trec->input=");
-		for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
-		printf("\n");
+			unsigned long ui;
+			printf("EVP_Cipher(ds=%p, rec->data=%p, rec->input=%p, l=%ld) ==>\n",
+			ds, rec->data, rec->input, l);
+			printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
+			ds->buf_len, ds->cipher->key_len,
+			DES_KEY_SZ, DES_SCHEDULE_SZ,
+			ds->cipher->iv_len);
+			printf("\t\tIV: ");
+			for (i = 0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
+				printf("\n");
+			printf("\trec->input=");
+			for (ui = 0; ui<l; ui++) printf(" %02x", rec->input[ui]);
+				printf("\n");
 		}
 #endif	/* KSSL_DEBUG */
 
-		if (!send)
-			{
-			if (l == 0 || l%bs != 0)
+		if (!send) {
+			if (l == 0 || l % bs != 0)
 				return 0;
-			}
-		
-		EVP_Cipher(ds,rec->data,rec->input,l);
+		}
+
+		EVP_Cipher(ds, rec->data, rec->input, l);
 
 #ifdef KSSL_DEBUG
 		{
-                unsigned long i;
-                printf("\trec->data=");
-		for (i=0; i<l; i++)
-                        printf(" %02x", rec->data[i]);  printf("\n");
-                }
+			unsigned long i;
+			printf("\trec->data=");
+			for (i = 0; i < l; i++)
+				printf(" %02x", rec->data[i]);  printf("\n");
+		}
 #endif	/* KSSL_DEBUG */
 
 		if ((bs != 1) && !send)
 			return tls1_cbc_remove_padding(s, rec, bs, mac_size);
-		}
-	return(1);
 	}
+	return (1);
+}
 
diff --git a/lib/libssl/src/ssl/d1_lib.c b/lib/libssl/src/ssl/d1_lib.c
index 750f83e04a5..3da7c36545e 100644
--- a/lib/libssl/src/ssl/d1_lib.c
+++ b/lib/libssl/src/ssl/d1_lib.c
@@ -70,8 +70,8 @@ static void get_current_time(struct timeval *t);
 const char dtls1_version_str[]="DTLSv1" OPENSSL_VERSION_PTEXT;
 int dtls1_listen(SSL *s, struct sockaddr *client);
 
-SSL3_ENC_METHOD DTLSv1_enc_data={
-    dtls1_enc,
+SSL3_ENC_METHOD DTLSv1_enc_data = {
+	dtls1_enc,
 	tls1_mac,
 	tls1_setup_key_block,
 	tls1_generate_master_secret,
@@ -79,137 +79,139 @@ SSL3_ENC_METHOD DTLSv1_enc_data={
 	tls1_final_finish_mac,
 	TLS1_FINISH_MAC_LENGTH,
 	tls1_cert_verify_mac,
-	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
-	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
+	TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
+	TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
 	tls1_alert_code,
 	tls1_export_keying_material,
-	};
+};
 
-long dtls1_default_timeout(void)
-	{
+long
+dtls1_default_timeout(void)
+{
 	/* 2 hours, the 24 hours mentioned in the DTLSv1 spec
 	 * is way too long for http, the cache would over fill */
-	return(60*60*2);
-	}
+	return (60*60*2);
+}
 
-int dtls1_new(SSL *s)
-	{
+int
+dtls1_new(SSL *s)
+{
 	DTLS1_STATE *d1;
 
-	if (!ssl3_new(s)) return(0);
-	if ((d1=OPENSSL_malloc(sizeof *d1)) == NULL) return (0);
-	memset(d1,0, sizeof *d1);
+	if (!ssl3_new(s))
+		return (0);
+	if ((d1 = OPENSSL_malloc(sizeof *d1)) == NULL) return (0);
+		memset(d1, 0, sizeof *d1);
 
 	/* d1->handshake_epoch=0; */
 
-	d1->unprocessed_rcds.q=pqueue_new();
-	d1->processed_rcds.q=pqueue_new();
+	d1->unprocessed_rcds.q = pqueue_new();
+	d1->processed_rcds.q = pqueue_new();
 	d1->buffered_messages = pqueue_new();
-	d1->sent_messages=pqueue_new();
-	d1->buffered_app_data.q=pqueue_new();
+	d1->sent_messages = pqueue_new();
+	d1->buffered_app_data.q = pqueue_new();
 
-	if ( s->server)
-		{
+	if (s->server) {
 		d1->cookie_len = sizeof(s->d1->cookie);
-		}
+	}
 
-	if( ! d1->unprocessed_rcds.q || ! d1->processed_rcds.q 
-        || ! d1->buffered_messages || ! d1->sent_messages || ! d1->buffered_app_data.q)
-		{
-        if ( d1->unprocessed_rcds.q) pqueue_free(d1->unprocessed_rcds.q);
-        if ( d1->processed_rcds.q) pqueue_free(d1->processed_rcds.q);
-        if ( d1->buffered_messages) pqueue_free(d1->buffered_messages);
-		if ( d1->sent_messages) pqueue_free(d1->sent_messages);
-		if ( d1->buffered_app_data.q) pqueue_free(d1->buffered_app_data.q);
+	if (!d1->unprocessed_rcds.q || !d1->processed_rcds.q ||
+	    !d1->buffered_messages || !d1->sent_messages ||
+	    !d1->buffered_app_data.q) {
+		if (d1->unprocessed_rcds.q)
+			pqueue_free(d1->unprocessed_rcds.q);
+		if (d1->processed_rcds.q)
+			pqueue_free(d1->processed_rcds.q);
+		if (d1->buffered_messages)
+			pqueue_free(d1->buffered_messages);
+		if (d1->sent_messages)
+			pqueue_free(d1->sent_messages);
+		if (d1->buffered_app_data.q)
+			pqueue_free(d1->buffered_app_data.q);
 		OPENSSL_free(d1);
 		return (0);
-		}
+	}
 
-	s->d1=d1;
+	s->d1 = d1;
 	s->method->ssl_clear(s);
-	return(1);
-	}
+	return (1);
+}
 
-static void dtls1_clear_queues(SSL *s)
-	{
-    pitem *item = NULL;
-    hm_fragment *frag = NULL;
+static void
+dtls1_clear_queues(SSL *s)
+{
+	pitem *item = NULL;
+	hm_fragment *frag = NULL;
 	DTLS1_RECORD_DATA *rdata;
 
-    while( (item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL)
-        {
+	while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) {
 		rdata = (DTLS1_RECORD_DATA *) item->data;
-		if (rdata->rbuf.buf)
-			{
+		if (rdata->rbuf.buf) {
 			OPENSSL_free(rdata->rbuf.buf);
-			}
-        OPENSSL_free(item->data);
-        pitem_free(item);
-        }
+		}
+		OPENSSL_free(item->data);
+		pitem_free(item);
+	}
 
-    while( (item = pqueue_pop(s->d1->processed_rcds.q)) != NULL)
-        {
+	while ((item = pqueue_pop(s->d1->processed_rcds.q)) != NULL) {
 		rdata = (DTLS1_RECORD_DATA *) item->data;
-		if (rdata->rbuf.buf)
-			{
+		if (rdata->rbuf.buf) {
 			OPENSSL_free(rdata->rbuf.buf);
-			}
-        OPENSSL_free(item->data);
-        pitem_free(item);
-        }
-
-    while( (item = pqueue_pop(s->d1->buffered_messages)) != NULL)
-        {
-        frag = (hm_fragment *)item->data;
-        OPENSSL_free(frag->fragment);
-        OPENSSL_free(frag);
-        pitem_free(item);
-        }
-
-    while ( (item = pqueue_pop(s->d1->sent_messages)) != NULL)
-        {
-        frag = (hm_fragment *)item->data;
-        OPENSSL_free(frag->fragment);
-        OPENSSL_free(frag);
-        pitem_free(item);
-        }
-
-	while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
-		{
+		}
+		OPENSSL_free(item->data);
+		pitem_free(item);
+	}
+
+	while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
 		frag = (hm_fragment *)item->data;
 		OPENSSL_free(frag->fragment);
 		OPENSSL_free(frag);
 		pitem_free(item);
-		}
 	}
 
-void dtls1_free(SSL *s)
-	{
+	while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
+		frag = (hm_fragment *)item->data;
+		OPENSSL_free(frag->fragment);
+		OPENSSL_free(frag);
+		pitem_free(item);
+	}
+
+	while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
+		frag = (hm_fragment *)item->data;
+		OPENSSL_free(frag->fragment);
+		OPENSSL_free(frag);
+		pitem_free(item);
+	}
+}
+
+void
+dtls1_free(SSL *s)
+{
 	ssl3_free(s);
 
 	dtls1_clear_queues(s);
 
-    pqueue_free(s->d1->unprocessed_rcds.q);
-    pqueue_free(s->d1->processed_rcds.q);
-    pqueue_free(s->d1->buffered_messages);
+	pqueue_free(s->d1->unprocessed_rcds.q);
+	pqueue_free(s->d1->processed_rcds.q);
+	pqueue_free(s->d1->buffered_messages);
 	pqueue_free(s->d1->sent_messages);
 	pqueue_free(s->d1->buffered_app_data.q);
 
 	OPENSSL_free(s->d1);
 	s->d1 = NULL;
-	}
+}
 
-void dtls1_clear(SSL *s)
-	{
-    pqueue unprocessed_rcds;
-    pqueue processed_rcds;
-    pqueue buffered_messages;
+void
+dtls1_clear(SSL *s)
+{
+	pqueue unprocessed_rcds;
+	pqueue processed_rcds;
+	pqueue buffered_messages;
 	pqueue sent_messages;
 	pqueue buffered_app_data;
 	unsigned int mtu;
 
-	if (s->d1)
-		{
+	if (s->d1) {
 		unprocessed_rcds = s->d1->unprocessed_rcds.q;
 		processed_rcds = s->d1->processed_rcds.q;
 		buffered_messages = s->d1->buffered_messages;
@@ -221,41 +223,38 @@ void dtls1_clear(SSL *s)
 
 		memset(s->d1, 0, sizeof(*(s->d1)));
 
-		if (s->server)
-			{
+		if (s->server) {
 			s->d1->cookie_len = sizeof(s->d1->cookie);
-			}
+		}
 
-		if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)
-			{
+		if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU) {
 			s->d1->mtu = mtu;
-			}
+		}
 
 		s->d1->unprocessed_rcds.q = unprocessed_rcds;
 		s->d1->processed_rcds.q = processed_rcds;
 		s->d1->buffered_messages = buffered_messages;
 		s->d1->sent_messages = sent_messages;
 		s->d1->buffered_app_data.q = buffered_app_data;
-		}
+	}
 
 	ssl3_clear(s);
 	if (s->options & SSL_OP_CISCO_ANYCONNECT)
-		s->version=DTLS1_BAD_VER;
+		s->version = DTLS1_BAD_VER;
 	else
-		s->version=DTLS1_VERSION;
-	}
+		s->version = DTLS1_VERSION;
+}
 
-long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
-	{
-	int ret=0;
+long
+dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
+{
+	int ret = 0;
 
-	switch (cmd)
-		{
+	switch (cmd) {
 	case DTLS_CTRL_GET_TIMEOUT:
-		if (dtls1_get_timeout(s, (struct timeval*) parg) != NULL)
-			{
+		if (dtls1_get_timeout(s, (struct timeval*) parg) != NULL) {
 			ret = 1;
-			}
+		}
 		break;
 	case DTLS_CTRL_HANDLE_TIMEOUT:
 		ret = dtls1_handle_timeout(s);
@@ -267,9 +266,9 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
 	default:
 		ret = ssl3_ctrl(s, cmd, larg, parg);
 		break;
-		}
-	return(ret);
 	}
+	return (ret);
+}
 
 /*
  * As it's impossible to use stream ciphers in "datagram" mode, this
@@ -278,53 +277,51 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
  * to explicitly list their SSL_* codes. Currently RC4 is the only one
  * available, but if new ones emerge, they will have to be added...
  */
-const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
-	{
+const SSL_CIPHER
+*dtls1_get_cipher(unsigned int u)
+{
 	const SSL_CIPHER *ciph = ssl3_get_cipher(u);
 
-	if (ciph != NULL)
-		{
+	if (ciph != NULL) {
 		if (ciph->algorithm_enc == SSL_RC4)
 			return NULL;
-		}
+	}
 
 	return ciph;
-	}
+}
 
-void dtls1_start_timer(SSL *s)
-	{
+void
+dtls1_start_timer(SSL *s)
+{
 #ifndef OPENSSL_NO_SCTP
 	/* Disable timer for SCTP */
-	if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
-		{
+	if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
 		memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
 		return;
-		}
+	}
 #endif
 
 	/* If timer is not set, initialize duration with 1 second */
-	if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0)
-		{
+	if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
 		s->d1->timeout_duration = 1;
-		}
-	
+	}
+
 	/* Set timeout to current time */
 	get_current_time(&(s->d1->next_timeout));
 
 	/* Add duration to current time */
 	s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
 	BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout));
-	}
+}
 
-struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft)
-	{
+struct timeval*
+dtls1_get_timeout(SSL *s, struct timeval* timeleft) {
 	struct timeval timenow;
 
 	/* If no timeout is set, just return NULL */
-	if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0)
-		{
+	if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
 		return NULL;
-		}
+	}
 
 	/* Get current time */
 	get_current_time(&timenow);
@@ -332,65 +329,63 @@ struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft)
 	/* If timer already expired, set remaining time to 0 */
 	if (s->d1->next_timeout.tv_sec < timenow.tv_sec ||
 		(s->d1->next_timeout.tv_sec == timenow.tv_sec &&
-		 s->d1->next_timeout.tv_usec <= timenow.tv_usec))
-		{
+	s->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
 		memset(timeleft, 0, sizeof(struct timeval));
 		return timeleft;
-		}
+	}
 
 	/* Calculate time left until timer expires */
 	memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval));
 	timeleft->tv_sec -= timenow.tv_sec;
 	timeleft->tv_usec -= timenow.tv_usec;
-	if (timeleft->tv_usec < 0)
-		{
+	if (timeleft->tv_usec < 0) {
 		timeleft->tv_sec--;
 		timeleft->tv_usec += 1000000;
-		}
+	}
 
 	/* If remaining time is less than 15 ms, set it to 0
 	 * to prevent issues because of small devergences with
 	 * socket timeouts.
 	 */
-	if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000)
-		{
+	if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) {
 		memset(timeleft, 0, sizeof(struct timeval));
-		}
-	
+	}
+
 
 	return timeleft;
-	}
+}
 
-int dtls1_is_timer_expired(SSL *s)
-	{
+int
+dtls1_is_timer_expired(SSL *s)
+{
 	struct timeval timeleft;
 
 	/* Get time left until timeout, return false if no timer running */
-	if (dtls1_get_timeout(s, &timeleft) == NULL)
-		{
+	if (dtls1_get_timeout(s, &timeleft) == NULL) {
 		return 0;
-		}
+	}
 
 	/* Return false if timer is not expired yet */
-	if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0)
-		{
+	if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) {
 		return 0;
-		}
+	}
 
-	/* Timer expired, so return true */	
+	/* Timer expired, so return true */
 	return 1;
-	}
+}
 
-void dtls1_double_timeout(SSL *s)
-	{
+void
+dtls1_double_timeout(SSL *s)
+{
 	s->d1->timeout_duration *= 2;
 	if (s->d1->timeout_duration > 60)
 		s->d1->timeout_duration = 60;
 	dtls1_start_timer(s);
-	}
+}
 
-void dtls1_stop_timer(SSL *s)
-	{
+void
+dtls1_stop_timer(SSL *s)
+{
 	/* Reset everything */
 	memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st));
 	memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
@@ -398,35 +393,35 @@ void dtls1_stop_timer(SSL *s)
 	BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout));
 	/* Clear retransmission buffer */
 	dtls1_clear_record_buffer(s);
-	}
+}
 
-int dtls1_check_timeout_num(SSL *s)
-	{
+int
+dtls1_check_timeout_num(SSL *s)
+{
 	s->d1->timeout.num_alerts++;
 
 	/* Reduce MTU after 2 unsuccessful retransmissions */
-	if (s->d1->timeout.num_alerts > 2)
-		{
-		s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);		
-		}
+	if (s->d1->timeout.num_alerts > 2) {
+		s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
 
-	if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
-		{
+	}
+
+	if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) {
 		/* fail the connection, enough alerts have been sent */
-		SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM,SSL_R_READ_TIMEOUT_EXPIRED);
+		SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM, SSL_R_READ_TIMEOUT_EXPIRED);
 		return -1;
-		}
+	}
 
 	return 0;
-	}
+}
 
-int dtls1_handle_timeout(SSL *s)
-	{
+int
+dtls1_handle_timeout(SSL *s)
+{
 	/* if no timer is expired, don't do anything */
-	if (!dtls1_is_timer_expired(s))
-		{
+	if (!dtls1_is_timer_expired(s)) {
 		return 0;
-		}
+	}
 
 	dtls1_double_timeout(s);
 
@@ -434,38 +429,39 @@ int dtls1_handle_timeout(SSL *s)
 		return -1;
 
 	s->d1->timeout.read_timeouts++;
-	if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT)
-		{
+	if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) {
 		s->d1->timeout.read_timeouts = 1;
-		}
+	}
 
 #ifndef OPENSSL_NO_HEARTBEATS
-	if (s->tlsext_hb_pending)
-		{
+	if (s->tlsext_hb_pending) {
 		s->tlsext_hb_pending = 0;
 		return dtls1_heartbeat(s);
-		}
+	}
 #endif
 
 	dtls1_start_timer(s);
 	return dtls1_retransmit_buffered_messages(s);
-	}
+}
 
-static void get_current_time(struct timeval *t)
+static void
+get_current_time(struct timeval *t)
 {
 	gettimeofday(t, NULL);
 }
 
-int dtls1_listen(SSL *s, struct sockaddr *client)
-	{
+int
+dtls1_listen(SSL *s, struct sockaddr *client)
+{
 	int ret;
 
 	SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
 	s->d1->listen = 1;
 
 	ret = SSL_accept(s);
-	if (ret <= 0) return ret;
-	
-	(void) BIO_dgram_get_peer(SSL_get_rbio(s), client);
+	if (ret <= 0)
+		return ret;
+
+	(void)BIO_dgram_get_peer(SSL_get_rbio(s), client);
 	return 1;
-	}
+}
diff --git a/lib/libssl/src/ssl/d1_meth.c b/lib/libssl/src/ssl/d1_meth.c
index 8a6cf31947a..2d3f3920ec9 100644
--- a/lib/libssl/src/ssl/d1_meth.c
+++ b/lib/libssl/src/ssl/d1_meth.c
@@ -61,17 +61,15 @@
 #include <openssl/objects.h>
 #include "ssl_locl.h"
 
-static SSL_METHOD *dtls1_get_method(int ver);
-static SSL_METHOD *dtls1_get_method(int ver)
-	{
+static const SSL_METHOD *dtls1_get_method(int ver);
+static const SSL_METHOD
+*dtls1_get_method(int ver)
+{
 	if (ver == DTLS1_VERSION)
-		return(DTLSv1_method());
+		return (DTLSv1_method());
 	else
-		return(NULL);
-	}
+		return (NULL);
+}
 
 IMPLEMENT_dtls1_meth_func(DTLSv1_method,
-			dtls1_accept,
-			dtls1_connect,
-			dtls1_get_method)
-
+    dtls1_accept, dtls1_connect, dtls1_get_method)
diff --git a/lib/libssl/src/ssl/d1_pkt.c b/lib/libssl/src/ssl/d1_pkt.c
index 52f7fc022fe..30fe8460fb9 100644
--- a/lib/libssl/src/ssl/d1_pkt.c
+++ b/lib/libssl/src/ssl/d1_pkt.c
@@ -122,107 +122,120 @@
 #include <openssl/rand.h>
 
 /* mod 128 saturating subtract of two 64-bit values in big-endian order */
-static int satsub64be(const unsigned char *v1,const unsigned char *v2)
-{	int ret,sat,brw,i;
-
-	if (sizeof(long) == 8) do
-	{	const union { long one; char little; } is_endian = {1};
-		long l;
-
-		if (is_endian.little)			break;
-		/* not reached on little-endians */
-		/* following test is redundant, because input is
-		 * always aligned, but I take no chances... */
-		if (((size_t)v1|(size_t)v2)&0x7)	break;
-
-		l  = *((long *)v1);
-		l -= *((long *)v2);
-		if (l>128)		return 128;
-		else if (l<-128)	return -128;
-		else			return (int)l;
-	} while (0);
-
-	ret = (int)v1[7]-(int)v2[7];
+static int
+satsub64be(const unsigned char *v1, const unsigned char *v2)
+{
+	int ret, sat, brw, i;
+
+	if (sizeof(long) == 8)
+		do {
+			const union {
+				long one;
+				char little;
+			} is_endian = {1};
+			long l;
+
+			if (is_endian.little)
+				break;
+			/* not reached on little-endians */
+			/* following test is redundant, because input is
+			 * always aligned, but I take no chances... */
+			if (((size_t)v1 | (size_t)v2) & 0x7)
+				break;
+
+			l  = *((long *)v1);
+			l -= *((long *)v2);
+			if (l > 128)
+				return 128;
+			else if (l<-128)
+				return -128;
+			else
+				return (int)l;
+		} while (0);
+
+	ret = (int)v1[7] - (int)v2[7];
 	sat = 0;
-	brw = ret>>8;	/* brw is either 0 or -1 */
-	if (ret & 0x80)
-	{	for (i=6;i>=0;i--)
-		{	brw += (int)v1[i]-(int)v2[i];
+	brw = ret >> 8;	/* brw is either 0 or -1 */
+	if (ret & 0x80) {
+		for (i = 6; i >= 0; i--) {
+			brw += (int)v1[i]-(int)v2[i];
 			sat |= ~brw;
 			brw >>= 8;
 		}
-	}
-	else
-	{	for (i=6;i>=0;i--)
-		{	brw += (int)v1[i]-(int)v2[i];
+	} else {
+		for (i = 6; i >= 0; i--) {
+			brw += (int)v1[i]-(int)v2[i];
 			sat |= brw;
 			brw >>= 8;
 		}
 	}
 	brw <<= 8;	/* brw is either 0 or -256 */
 
-	if (sat&0xff)	return brw | 0x80;
-	else		return brw + (ret&0xFF);
+	if (sat & 0xff)
+		return brw | 0x80;
+	else
+		return brw + (ret & 0xFF);
 }
 
-static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 
-	int len, int peek);
+static int have_handshake_fragment(SSL *s, int type, unsigned char *buf,
+    int len, int peek);
 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
-static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 
+static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
     unsigned int *is_next_epoch);
 #if 0
 static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
-	unsigned short *priority, unsigned long *offset);
+    unsigned short *priority, unsigned long *offset);
 #endif
 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
-	unsigned char *priority);
+    unsigned char *priority);
 static int dtls1_process_record(SSL *s);
 
 /* copy buffered record into SSL structure */
 static int
 dtls1_copy_record(SSL *s, pitem *item)
-    {
-    DTLS1_RECORD_DATA *rdata;
-
-    rdata = (DTLS1_RECORD_DATA *)item->data;
-    
-    if (s->s3->rbuf.buf != NULL)
-        OPENSSL_free(s->s3->rbuf.buf);
-    
-    s->packet = rdata->packet;
-    s->packet_length = rdata->packet_length;
-    memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
-    memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
-	
+{
+	DTLS1_RECORD_DATA *rdata;
+
+	rdata = (DTLS1_RECORD_DATA *)item->data;
+
+	if (s->s3->rbuf.buf != NULL)
+		OPENSSL_free(s->s3->rbuf.buf);
+
+	s->packet = rdata->packet;
+	s->packet_length = rdata->packet_length;
+	memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
+	memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
+
 	/* Set proper sequence number for mac calculation */
 	memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
-    
-    return(1);
-    }
+
+	return (1);
+}
 
 
 static int
 dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
-	{
+{
 	DTLS1_RECORD_DATA *rdata;
 	pitem *item;
 
 	/* Limit the size of the queue to prevent DOS attacks */
 	if (pqueue_size(queue->q) >= 100)
 		return 0;
-		
+
 	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
 	item = pitem_new(priority, rdata);
-	if (rdata == NULL || item == NULL)
-		{
-		if (rdata != NULL) OPENSSL_free(rdata);
-		if (item != NULL) pitem_free(item);
-		
+	if (rdata == NULL || item == NULL) {
+		if (rdata != NULL)
+			OPENSSL_free(rdata);
+		if (item != NULL)
+			pitem_free(item);
+
 		SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
-		return(0);
-		}
-	
+		return (0);
+	}
+
 	rdata->packet = s->packet;
 	rdata->packet_length = s->packet_length;
 	memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER));
@@ -233,54 +246,51 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 #ifndef OPENSSL_NO_SCTP
 	/* Store bio_dgram_sctp_rcvinfo struct */
 	if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
-	    (s->state == SSL3_ST_SR_FINISHED_A || s->state == SSL3_ST_CR_FINISHED_A)) {
+		(s->state == SSL3_ST_SR_FINISHED_A || s->state == SSL3_ST_CR_FINISHED_A)) {
 		BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_GET_RCVINFO, sizeof(rdata->recordinfo), &rdata->recordinfo);
 	}
 #endif
 
 	/* insert should not fail, since duplicates are dropped */
-	if (pqueue_insert(queue->q, item) == NULL)
-		{
+	if (pqueue_insert(queue->q, item) == NULL) {
 		OPENSSL_free(rdata);
 		pitem_free(item);
-		return(0);
-		}
+		return (0);
+	}
 
 	s->packet = NULL;
 	s->packet_length = 0;
 	memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
 	memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
-	
-	if (!ssl3_setup_buffers(s))
-		{
+
+	if (!ssl3_setup_buffers(s)) {
 		SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
 		OPENSSL_free(rdata);
 		pitem_free(item);
-		return(0);
-		}
-	
-	return(1);
+		return (0);
 	}
 
+	return (1);
+}
+
 
 static int
 dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
-    {
-    pitem *item;
+{
+	pitem *item;
 
-    item = pqueue_pop(queue->q);
-    if (item)
-        {
-        dtls1_copy_record(s, item);
+	item = pqueue_pop(queue->q);
+	if (item) {
+		dtls1_copy_record(s, item);
 
-        OPENSSL_free(item->data);
+		OPENSSL_free(item->data);
 		pitem_free(item);
 
-        return(1);
-        }
+		return (1);
+	}
 
-    return(0);
-    }
+	return (0);
+}
 
 
 /* retrieve a buffered record that belongs to the new epoch, i.e., not processed 
@@ -296,98 +306,96 @@ dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
 
 static int
 dtls1_process_buffered_records(SSL *s)
-    {
-    pitem *item;
-    
-    item = pqueue_peek(s->d1->unprocessed_rcds.q);
-    if (item)
-        {
-        /* Check if epoch is current. */
-        if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
-            return(1);  /* Nothing to do. */
-        
-        /* Process all the records. */
-        while (pqueue_peek(s->d1->unprocessed_rcds.q))
-            {
-            dtls1_get_unprocessed_record(s);
-            if ( ! dtls1_process_record(s))
-                return(0);
-            dtls1_buffer_record(s, &(s->d1->processed_rcds), 
-                s->s3->rrec.seq_num);
-            }
-        }
+{
+	pitem *item;
+
+	item = pqueue_peek(s->d1->unprocessed_rcds.q);
+	if (item) {
+		/* Check if epoch is current. */
+		if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
+			return (1);
+		/* Nothing to do. */
+
+		/* Process all the records. */
+		while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
+			dtls1_get_unprocessed_record(s);
+			if (! dtls1_process_record(s))
+				return (0);
+			dtls1_buffer_record(s, &(s->d1->processed_rcds),
+			s->s3->rrec.seq_num);
+		}
+	}
 
     /* sync epoch numbers once all the unprocessed records 
      * have been processed */
-    s->d1->processed_rcds.epoch = s->d1->r_epoch;
-    s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
+	s->d1->processed_rcds.epoch = s->d1->r_epoch;
+	s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
 
-    return(1);
-    }
+	return (1);
+}
 
 
 #if 0
 
 static int
 dtls1_get_buffered_record(SSL *s)
-	{
+{
 	pitem *item;
-	PQ_64BIT priority = 
-		(((PQ_64BIT)s->d1->handshake_read_seq) << 32) | 
-		((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
-	
-	if ( ! SSL_in_init(s))  /* if we're not (re)negotiating, 
-							   nothing buffered */
+	PQ_64BIT priority =
+	    (((PQ_64BIT)s->d1->handshake_read_seq) << 32) |
+	    ((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
+
+	if (!SSL_in_init(s))  /* if we're not (re)negotiating,
+				   nothing buffered */
 		return 0;
 
 
 	item = pqueue_peek(s->d1->rcvd_records);
-	if (item && item->priority == priority)
-		{
+	if (item && item->priority == priority) {
 		/* Check if we've received the record of interest.  It must be
 		 * a handshake record, since data records as passed up without
 		 * buffering */
 		DTLS1_RECORD_DATA *rdata;
 		item = pqueue_pop(s->d1->rcvd_records);
 		rdata = (DTLS1_RECORD_DATA *)item->data;
-		
+
 		if (s->s3->rbuf.buf != NULL)
 			OPENSSL_free(s->s3->rbuf.buf);
-		
+
 		s->packet = rdata->packet;
 		s->packet_length = rdata->packet_length;
 		memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
 		memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
-		
+
 		OPENSSL_free(item->data);
 		pitem_free(item);
-		
+
 		/* s->d1->next_expected_seq_num++; */
-		return(1);
-		}
-	
-	return 0;
+		return (1);
 	}
 
+	return 0;
+}
+
 #endif
 
 static int
 dtls1_process_record(SSL *s)
 {
-	int i,al;
+	int i, al;
 	int enc_err;
 	SSL_SESSION *sess;
 	SSL3_RECORD *rr;
 	unsigned int mac_size, orig_len;
 	unsigned char md[EVP_MAX_MD_SIZE];
 
-	rr= &(s->s3->rrec);
+	rr = &(s->s3->rrec);
 	sess = s->session;
 
 	/* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
 	 * and we have that many bytes in s->packet
 	 */
-	rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]);
+	rr->input = &(s->packet[DTLS1_RT_HEADER_LENGTH]);
 
 	/* ok, we can now read from 's->packet' data into 'rr'
 	 * rr->input points at rr->length bytes, which
@@ -400,48 +408,44 @@ dtls1_process_record(SSL *s)
 	 * rr->length bytes of encrypted compressed stuff. */
 
 	/* check is not needed I believe */
-	if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
-		{
-		al=SSL_AD_RECORD_OVERFLOW;
-		SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+	if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
+		al = SSL_AD_RECORD_OVERFLOW;
+		SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
 		goto f_err;
-		}
+	}
 
 	/* decrypt in place in 'rr->input' */
-	rr->data=rr->input;
+	rr->data = rr->input;
 
-	enc_err = s->method->ssl3_enc->enc(s,0);
+	enc_err = s->method->ssl3_enc->enc(s, 0);
 	/* enc_err is:
 	 *    0: (in non-constant time) if the record is publically invalid.
 	 *    1: if the padding is valid
 	 *    -1: if the padding is invalid */
-	if (enc_err == 0)
-		{
+	if (enc_err == 0) {
 		/* For DTLS we simply ignore bad packets. */
 		rr->length = 0;
 		s->packet_length = 0;
 		goto err;
-		}
+	}
 
 #ifdef TLS_DEBUG
-printf("dec %d\n",rr->length);
-{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
-printf("\n");
+	printf("dec %d\n", rr->length);
+	{ unsigned int z; for (z = 0; z<rr->length; z++) printf("%02X%c", rr->data[z],((z+1)%16)?' ':'\n'); }
+	printf("\n");
 #endif
 
 	/* r->length is now the compressed data plus mac */
-	if ((sess != NULL) &&
-	    (s->enc_read_ctx != NULL) &&
-	    (EVP_MD_CTX_md(s->read_hash) != NULL))
-		{
+	if ((sess != NULL) && (s->enc_read_ctx != NULL) &&
+	    (EVP_MD_CTX_md(s->read_hash) != NULL)) {
 		/* s->read_hash != NULL => mac_size != -1 */
 		unsigned char *mac = NULL;
 		unsigned char mac_tmp[EVP_MAX_MD_SIZE];
-		mac_size=EVP_MD_CTX_size(s->read_hash);
+		mac_size = EVP_MD_CTX_size(s->read_hash);
 		OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
 
 		/* kludge: *_cbc_remove_padding passes padding length in rr->type */
-		orig_len = rr->length+((unsigned int)rr->type>>8);
+		orig_len = rr->length + ((unsigned int)rr->type >> 8);
 
 		/* orig_len is the length of the record before any padding was
 		 * removed. This is public information, as is the MAC in use,
@@ -449,17 +453,15 @@ printf("\n");
 		 * amount of time if it's too short to possibly contain a MAC.
 		 */
 		if (orig_len < mac_size ||
-		    /* CBC records must have a padding length byte too. */
+			/* CBC records must have a padding length byte too. */
 		    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-		     orig_len < mac_size+1))
-			{
-			al=SSL_AD_DECODE_ERROR;
-			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
+		    orig_len < mac_size + 1)) {
+			al = SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT);
 			goto f_err;
-			}
+		}
 
-		if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
-			{
+		if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) {
 			/* We update the length so that the TLS header bytes
 			 * can be constructed correctly but we need to extract
 			 * the MAC in constant time from within the record,
@@ -468,56 +470,49 @@ printf("\n");
 			mac = mac_tmp;
 			ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
 			rr->length -= mac_size;
-			}
-		else
-			{
+		} else {
 			/* In this case there's no padding, so |orig_len|
 			 * equals |rec->length| and we checked that there's
 			 * enough bytes for |mac_size| above. */
 			rr->length -= mac_size;
 			mac = &rr->data[rr->length];
-			}
+		}
 
-		i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
+		i = s->method->ssl3_enc->mac(s, md, 0 /* not send */);
 		if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
 			enc_err = -1;
-		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
+		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
 			enc_err = -1;
-		}
+	}
 
-	if (enc_err < 0)
-		{
+	if (enc_err < 0) {
 		/* decryption failed, silently discard message */
 		rr->length = 0;
 		s->packet_length = 0;
 		goto err;
-		}
+	}
 
 	/* r->length is now just compressed */
-	if (s->expand != NULL)
-		{
-		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH)
-			{
-			al=SSL_AD_RECORD_OVERFLOW;
-			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
+	if (s->expand != NULL) {
+		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
+			al = SSL_AD_RECORD_OVERFLOW;
+			SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
 			goto f_err;
-			}
-		if (!ssl3_do_uncompress(s))
-			{
-			al=SSL_AD_DECOMPRESSION_FAILURE;
-			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_DECOMPRESSION);
+		}
+		if (!ssl3_do_uncompress(s)) {
+			al = SSL_AD_DECOMPRESSION_FAILURE;
+			SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION);
 			goto f_err;
-			}
 		}
+	}
 
-	if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH)
-		{
-		al=SSL_AD_RECORD_OVERFLOW;
-		SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
+	if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
+		al = SSL_AD_RECORD_OVERFLOW;
+		SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
 		goto f_err;
-		}
+	}
 
-	rr->off=0;
+	rr->off = 0;
 	/* So at this point the following is true
 	 * ssl->s3->rrec.type 	is the type of record
 	 * ssl->s3->rrec.length	== number of bytes in record
@@ -527,14 +522,14 @@ printf("\n");
 	 */
 
 	/* we have pulled in a full packet so zero things */
-	s->packet_length=0;
+	s->packet_length = 0;
 	dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
-	return(1);
+	return (1);
 
 f_err:
-	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-	return(0);
+	return (0);
 }
 
 
@@ -547,17 +542,18 @@ err:
  * ssl->s3->rrec.length, - number of bytes
  */
 /* used only by dtls1_read_bytes */
-int dtls1_get_record(SSL *s)
-	{
-	int ssl_major,ssl_minor;
-	int i,n;
+int
+dtls1_get_record(SSL *s)
+{
+	int ssl_major, ssl_minor;
+	int i, n;
 	SSL3_RECORD *rr;
 	unsigned char *p = NULL;
 	unsigned short version;
 	DTLS1_BITMAP *bitmap;
 	unsigned int is_next_epoch;
 
-	rr= &(s->s3->rrec);
+	rr = &(s->s3->rrec);
 
 	/* The epoch may have changed.  If so, process all the
 	 * pending records.  This is a non-blocking operation. */
@@ -570,104 +566,98 @@ int dtls1_get_record(SSL *s)
 	/* get something from the wire */
 again:
 	/* check if we have the header */
-	if (	(s->rstate != SSL_ST_READ_BODY) ||
-		(s->packet_length < DTLS1_RT_HEADER_LENGTH)) 
-		{
-		n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
+	if ((s->rstate != SSL_ST_READ_BODY) ||
+		(s->packet_length < DTLS1_RT_HEADER_LENGTH)) {
+		n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
 		/* read timeout is handled by dtls1_read_bytes */
-		if (n <= 0) return(n); /* error or non-blocking */
+		if (n <= 0)
+			return(n); /* error or non-blocking */
 
 		/* this packet contained a partial record, dump it */
-		if (s->packet_length != DTLS1_RT_HEADER_LENGTH)
-			{
+		if (s->packet_length != DTLS1_RT_HEADER_LENGTH) {
 			s->packet_length = 0;
 			goto again;
-			}
+		}
 
-		s->rstate=SSL_ST_READ_BODY;
+		s->rstate = SSL_ST_READ_BODY;
 
-		p=s->packet;
+		p = s->packet;
 
 		/* Pull apart the header into the DTLS1_RECORD */
 		rr->type= *(p++);
 		ssl_major= *(p++);
 		ssl_minor= *(p++);
-		version=(ssl_major<<8)|ssl_minor;
+		version = (ssl_major << 8)|ssl_minor;
 
-		/* sequence number is 64 bits, with top 2 bytes = epoch */ 
-		n2s(p,rr->epoch);
+		/* sequence number is 64 bits, with top 2 bytes = epoch */
+		n2s(p, rr->epoch);
 
 		memcpy(&(s->s3->read_sequence[2]), p, 6);
-		p+=6;
+		p += 6;
 
-		n2s(p,rr->length);
+		n2s(p, rr->length);
 
 		/* Lets check version */
-		if (!s->first_packet)
-			{
-			if (version != s->version)
-				{
+		if (!s->first_packet) {
+			if (version != s->version) {
 				/* unexpected version, silently discard */
 				rr->length = 0;
 				s->packet_length = 0;
 				goto again;
-				}
 			}
+		}
 
-		if ((version & 0xff00) != (s->version & 0xff00))
-			{
+		if ((version & 0xff00) != (s->version & 0xff00)) {
 			/* wrong version, silently discard record */
 			rr->length = 0;
 			s->packet_length = 0;
 			goto again;
-			}
+		}
 
-		if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
-			{
+		if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
 			/* record too long, silently discard it */
 			rr->length = 0;
 			s->packet_length = 0;
 			goto again;
-			}
+		}
 
 		/* now s->rstate == SSL_ST_READ_BODY */
-		}
+	}
 
 	/* s->rstate == SSL_ST_READ_BODY, get and decode the data */
 
-	if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH)
-		{
+	if (rr->length > s->packet_length - DTLS1_RT_HEADER_LENGTH) {
 		/* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
-		i=rr->length;
-		n=ssl3_read_n(s,i,i,1);
-		if (n <= 0) return(n); /* error or non-blocking io */
+		i = rr->length;
+		n = ssl3_read_n(s, i, i, 1);
+		if (n <= 0)
+			return(n); /* error or non-blocking io */
 
 		/* this packet contained a partial record, dump it */
-		if ( n != i)
-			{
+		if (n != i) {
 			rr->length = 0;
 			s->packet_length = 0;
 			goto again;
-			}
+		}
 
 		/* now n == rr->length,
 		 * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length */
-		}
-	s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
+	}
+	s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */
 
 	/* match epochs.  NULL means the packet is dropped on the floor */
 	bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
-	if ( bitmap == NULL)
-		{
+	if (bitmap == NULL) {
 		rr->length = 0;
-		s->packet_length = 0;  /* dump this record */
-		goto again;   /* get another record */
-		}
+		s->packet_length = 0;
+		/* dump this record */
+		goto again;
+		/* get another record */
+	}
 
 #ifndef OPENSSL_NO_SCTP
 	/* Only do replay check if no SCTP bio */
-	if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
-  		{
+	if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) {
 #endif
 		/* Check whether this is a repeat, or aged record.
 		 * Don't check if we're listening and this message is
@@ -677,45 +667,45 @@ again:
 		 */
 		if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
 		    *p == SSL3_MT_CLIENT_HELLO) &&
-		    !dtls1_record_replay_check(s, bitmap))
-			{
+		    !dtls1_record_replay_check(s, bitmap)) {
 			rr->length = 0;
 			s->packet_length=0; /* dump this record */
-			goto again;     /* get another record */
-			}
+			goto again;
+			/* get another record */
+		}
 #ifndef OPENSSL_NO_SCTP
-  		}
+	}
 #endif
 
 	/* just read a 0 length packet */
-	if (rr->length == 0) goto again;
+	if (rr->length == 0)
+		goto again;
 
 	/* If this record is from the next epoch (either HM or ALERT),
 	 * and a handshake is currently in progress, buffer it since it
 	 * cannot be processed at this time. However, do not buffer
 	 * anything while listening.
 	 */
-	if (is_next_epoch)
-		{
-		if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)
-			{
+	if (is_next_epoch) {
+		if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) {
 			dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
-			}
+		}
 		rr->length = 0;
 		s->packet_length = 0;
 		goto again;
-		}
+	}
 
-	if (!dtls1_process_record(s))
-		{
+	if (!dtls1_process_record(s)) {
 		rr->length = 0;
-		s->packet_length = 0;  /* dump this record */
-		goto again;   /* get another record */
-		}
+		s->packet_length = 0;
+		/* dump this record */
+		goto again;
+		/* get another record */
+	}
 
-	return(1);
+	return (1);
 
-	}
+}
 
 /* Return up to 'len' payload bytes received in 'type' records.
  * 'type' is one of the following:
@@ -744,28 +734,28 @@ again:
  *     Application data protocol
  *             none of our business
  */
-int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
-	{
-	int al,i,j,ret;
+int
+dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
+{
+	int al, i, j, ret;
 	unsigned int n;
 	SSL3_RECORD *rr;
-	void (*cb)(const SSL *ssl,int type2,int val)=NULL;
+	void (*cb)(const SSL *ssl, int type2, int val) = NULL;
 
 	if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
 		if (!ssl3_setup_buffers(s))
-			return(-1);
+			return (-1);
 
-    /* XXX: check what the second '&& type' is about */
-	if ((type && (type != SSL3_RT_APPLICATION_DATA) && 
-		(type != SSL3_RT_HANDSHAKE) && type) ||
-	    (peek && (type != SSL3_RT_APPLICATION_DATA)))
-		{
+	/* XXX: check what the second '&& type' is about */
+	if ((type && (type != SSL3_RT_APPLICATION_DATA) &&
+	    (type != SSL3_RT_HANDSHAKE) && type) ||
+	    (peek && (type != SSL3_RT_APPLICATION_DATA))) {
 		SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
 		return -1;
-		}
+	}
 
 	/* check whether there's a handshake message (client hello?) waiting */
-	if ( (ret = have_handshake_fragment(s, type, buf, len, peek)))
+	if ((ret = have_handshake_fragment(s, type, buf, len, peek)))
 		return ret;
 
 	/* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
@@ -776,24 +766,25 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 	 */
 	if ((!s->in_handshake && SSL_in_init(s)) ||
 	    (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
-	     (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK) &&
-	     s->s3->in_read_app_data != 2))
+	    (s->state == DTLS1_SCTP_ST_SR_READ_SOCK ||
+	    s->state == DTLS1_SCTP_ST_CR_READ_SOCK) &&
+	    s->s3->in_read_app_data != 2))
 #else
 	if (!s->in_handshake && SSL_in_init(s))
 #endif
-		{
+	{
 		/* type == SSL3_RT_APPLICATION_DATA */
-		i=s->handshake_func(s);
-		if (i < 0) return(i);
-		if (i == 0)
-			{
-			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
-			return(-1);
-			}
+		i = s->handshake_func(s);
+		if (i < 0)
+			return (i);
+		if (i == 0) {
+			SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
+			return (-1);
 		}
+	}
 
 start:
-	s->rwstate=SSL_NOTHING;
+	s->rwstate = SSL_NOTHING;
 
 	/* s->s3->rrec.type	    - is the type of record
 	 * s->s3->rrec.data,    - data
@@ -805,59 +796,52 @@ start:
 	 * so process data buffered during the last handshake
 	 * in advance, if any.
 	 */
-	if (s->state == SSL_ST_OK && rr->length == 0)
-		{
+	if (s->state == SSL_ST_OK && rr->length == 0) {
 		pitem *item;
 		item = pqueue_pop(s->d1->buffered_app_data.q);
-		if (item)
-			{
+		if (item) {
 #ifndef OPENSSL_NO_SCTP
 			/* Restore bio_dgram_sctp_rcvinfo struct */
-			if (BIO_dgram_is_sctp(SSL_get_rbio(s)))
-				{
+			if (BIO_dgram_is_sctp(SSL_get_rbio(s))) {
 				DTLS1_RECORD_DATA *rdata = (DTLS1_RECORD_DATA *) item->data;
 				BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_SET_RCVINFO, sizeof(rdata->recordinfo), &rdata->recordinfo);
-				}
+			}
 #endif
 
 			dtls1_copy_record(s, item);
 
 			OPENSSL_free(item->data);
 			pitem_free(item);
-			}
 		}
+	}
 
 	/* Check for timeout */
 	if (dtls1_handle_timeout(s) > 0)
 		goto start;
 
 	/* get new packet if necessary */
-	if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
-		{
-		ret=dtls1_get_record(s);
-		if (ret <= 0) 
-			{
+	if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) {
+		ret = dtls1_get_record(s);
+		if (ret <= 0) {
 			ret = dtls1_read_failed(s, ret);
 			/* anything other than a timeout is an error */
-			if (ret <= 0)  
-				return(ret);
+			if (ret <= 0)
+				return (ret);
 			else
 				goto start;
-			}
 		}
+	}
 
-	if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)
-		{
+	if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE) {
 		rr->length = 0;
 		goto start;
-		}
+	}
 
 	/* we now have a packet which can be read and processed */
 
 	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
 	                               * reset by ssl3_get_finished */
-		&& (rr->type != SSL3_RT_HANDSHAKE))
-		{
+	    && (rr->type != SSL3_RT_HANDSHAKE)) {
 		/* We now have application data between CCS and Finished.
 		 * Most likely the packets were reordered on their way, so
 		 * buffer the application data for later processing rather
@@ -866,75 +850,71 @@ start:
 		dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
 		rr->length = 0;
 		goto start;
-		}
+	}
 
 	/* If the other end has shut down, throw anything we read away
 	 * (even in 'peek' mode) */
-	if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
-		{
-		rr->length=0;
-		s->rwstate=SSL_NOTHING;
-		return(0);
-		}
+	if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
+		rr->length = 0;
+		s->rwstate = SSL_NOTHING;
+		return (0);
+	}
 
 
 	if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
-		{
+	{
 		/* make sure that we are not getting application data when we
 		 * are doing a handshake for the first time */
 		if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
-			(s->enc_read_ctx == NULL))
-			{
-			al=SSL_AD_UNEXPECTED_MESSAGE;
-			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
+			(s->enc_read_ctx == NULL)) {
+			al = SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE);
 			goto f_err;
-			}
+		}
 
-		if (len <= 0) return(len);
+		if (len <= 0)
+			return (len);
 
 		if ((unsigned int)len > rr->length)
 			n = rr->length;
 		else
 			n = (unsigned int)len;
 
-		memcpy(buf,&(rr->data[rr->off]),n);
-		if (!peek)
-			{
-			rr->length-=n;
-			rr->off+=n;
-			if (rr->length == 0)
-				{
-				s->rstate=SSL_ST_READ_HEADER;
-				rr->off=0;
-				}
+		memcpy(buf, &(rr->data[rr->off]), n);
+		if (!peek) {
+			rr->length -= n;
+			rr->off += n;
+			if (rr->length == 0) {
+				s->rstate = SSL_ST_READ_HEADER;
+				rr->off = 0;
 			}
+		}
 
 #ifndef OPENSSL_NO_SCTP
-			/* We were about to renegotiate but had to read
-			 * belated application data first, so retry.
-			 */
-			if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
-			    rr->type == SSL3_RT_APPLICATION_DATA &&
-			    (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK))
-				{
-				s->rwstate=SSL_READING;
-				BIO_clear_retry_flags(SSL_get_rbio(s));
-				BIO_set_retry_read(SSL_get_rbio(s));
-				}
+		/* We were about to renegotiate but had to read
+		 * belated application data first, so retry.
+		 */
+		if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
+		    rr->type == SSL3_RT_APPLICATION_DATA &&
+		    (s->state == DTLS1_SCTP_ST_SR_READ_SOCK ||
+		    s->state == DTLS1_SCTP_ST_CR_READ_SOCK)) {
+			s->rwstate = SSL_READING;
+			BIO_clear_retry_flags(SSL_get_rbio(s));
+			BIO_set_retry_read(SSL_get_rbio(s));
+		}
 
-			/* We might had to delay a close_notify alert because
-			 * of reordered app data. If there was an alert and there
-			 * is no message to read anymore, finally set shutdown.
-			 */
-			if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
-			    s->d1->shutdown_received && !BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
-				{
-				s->shutdown |= SSL_RECEIVED_SHUTDOWN;
-				return(0);
-				}
-#endif			
-		return(n);
+		/* We might had to delay a close_notify alert because
+		 * of reordered app data. If there was an alert and there
+		 * is no message to read anymore, finally set shutdown.
+		 */
+		if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
+			s->d1->shutdown_received && !BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
+			s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+			return (0);
 		}
+#endif			
+		return (n);
+	}
 
 
 	/* If we get here, then type != rr->type; if we have a handshake
@@ -943,65 +923,57 @@ start:
 	/* In case of record types for which we have 'fragment' storage,
 	 * fill that so that we can process the data at a fixed place.
 	 */
-		{
+	{
 		unsigned int k, dest_maxlen = 0;
 		unsigned char *dest = NULL;
 		unsigned int *dest_len = NULL;
 
-		if (rr->type == SSL3_RT_HANDSHAKE)
-			{
+		if (rr->type == SSL3_RT_HANDSHAKE) {
 			dest_maxlen = sizeof s->d1->handshake_fragment;
 			dest = s->d1->handshake_fragment;
 			dest_len = &s->d1->handshake_fragment_len;
-			}
-		else if (rr->type == SSL3_RT_ALERT)
-			{
+		} else if (rr->type == SSL3_RT_ALERT) {
 			dest_maxlen = sizeof(s->d1->alert_fragment);
 			dest = s->d1->alert_fragment;
 			dest_len = &s->d1->alert_fragment_len;
-			}
+		}
 #ifndef OPENSSL_NO_HEARTBEATS
-		else if (rr->type == TLS1_RT_HEARTBEAT)
-			{
+		else if (rr->type == TLS1_RT_HEARTBEAT) {
 			dtls1_process_heartbeat(s);
 
 			/* Exit and notify application to read again */
 			rr->length = 0;
-			s->rwstate=SSL_READING;
+			s->rwstate = SSL_READING;
 			BIO_clear_retry_flags(SSL_get_rbio(s));
 			BIO_set_retry_read(SSL_get_rbio(s));
-			return(-1);
-			}
+			return (-1);
+		}
 #endif
 		/* else it's a CCS message, or application data or wrong */
-		else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
-			{
+		else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) {
 			/* Application data while renegotiating
 			 * is allowed. Try again reading.
 			 */
-			if (rr->type == SSL3_RT_APPLICATION_DATA)
-				{
+			if (rr->type == SSL3_RT_APPLICATION_DATA) {
 				BIO *bio;
-				s->s3->in_read_app_data=2;
-				bio=SSL_get_rbio(s);
-				s->rwstate=SSL_READING;
+				s->s3->in_read_app_data = 2;
+				bio = SSL_get_rbio(s);
+				s->rwstate = SSL_READING;
 				BIO_clear_retry_flags(bio);
 				BIO_set_retry_read(bio);
-				return(-1);
-				}
+				return (-1);
+			}
 
 			/* Not certain if this is the right error handling */
-			al=SSL_AD_UNEXPECTED_MESSAGE;
-			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+			al = SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
 			goto f_err;
-			}
+		}
 
-		if (dest_maxlen > 0)
-			{
+		if (dest_maxlen > 0) {
             /* XDTLS:  In a pathalogical case, the Client Hello
              *  may be fragmented--don't always expect dest_maxlen bytes */
-			if ( rr->length < dest_maxlen)
-				{
+			if (rr->length < dest_maxlen) {
 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
 				/*
 				 * for normal alerts rr->length is 2, while
@@ -1010,20 +982,19 @@ start:
 				 */
 				FIX ME
 #endif
-				s->rstate=SSL_ST_READ_HEADER;
+				s->rstate = SSL_ST_READ_HEADER;
 				rr->length = 0;
 				goto start;
-				}
+			}
 
 			/* now move 'n' bytes: */
-			for ( k = 0; k < dest_maxlen; k++)
-				{
+			for ( k = 0; k < dest_maxlen; k++) {
 				dest[k] = rr->data[rr->off++];
 				rr->length--;
-				}
-			*dest_len = dest_maxlen;
 			}
+			*dest_len = dest_maxlen;
 		}
+	}
 
 	/* s->d1->handshake_fragment_len == 12  iff  rr->type == SSL3_RT_HANDSHAKE;
 	 * s->d1->alert_fragment_len == 7      iff  rr->type == SSL3_RT_ALERT.
@@ -1031,117 +1002,107 @@ start:
 
 	/* If we are a client, check for an incoming 'Hello Request': */
 	if ((!s->server) &&
-		(s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
-		(s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
-		(s->session != NULL) && (s->session->cipher != NULL))
-		{
+	    (s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
+	    (s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
+	    (s->session != NULL) && (s->session->cipher != NULL)) {
 		s->d1->handshake_fragment_len = 0;
 
 		if ((s->d1->handshake_fragment[1] != 0) ||
-			(s->d1->handshake_fragment[2] != 0) ||
-			(s->d1->handshake_fragment[3] != 0))
-			{
-			al=SSL_AD_DECODE_ERROR;
-			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
+		    (s->d1->handshake_fragment[2] != 0) ||
+		    (s->d1->handshake_fragment[3] != 0)) {
+			al = SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_HELLO_REQUEST);
 			goto err;
-			}
+		}
 
 		/* no need to check sequence number on HELLO REQUEST messages */
 
 		if (s->msg_callback)
-			s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 
-				s->d1->handshake_fragment, 4, s, s->msg_callback_arg);
+			s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
+		s->d1->handshake_fragment, 4, s, s->msg_callback_arg);
 
 		if (SSL_is_init_finished(s) &&
-			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
-			!s->s3->renegotiate)
-			{
+		    !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
+		    !s->s3->renegotiate) {
 			s->d1->handshake_read_seq++;
 			s->new_session = 1;
 			ssl3_renegotiate(s);
-			if (ssl3_renegotiate_check(s))
-				{
-				i=s->handshake_func(s);
-				if (i < 0) return(i);
-				if (i == 0)
-					{
-					SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
-					return(-1);
-					}
+			if (ssl3_renegotiate_check(s)) {
+				i = s->handshake_func(s);
+				if (i < 0)
+					return (i);
+				if (i == 0) {
+					SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
+					return (-1);
+				}
 
-				if (!(s->mode & SSL_MODE_AUTO_RETRY))
-					{
+				if (!(s->mode & SSL_MODE_AUTO_RETRY)) {
 					if (s->s3->rbuf.left == 0) /* no read-ahead left? */
-						{
+					{
 						BIO *bio;
 						/* In the case where we try to read application data,
 						 * but we trigger an SSL handshake, we return -1 with
 						 * the retry option set.  Otherwise renegotiation may
 						 * cause nasty problems in the blocking world */
-						s->rwstate=SSL_READING;
-						bio=SSL_get_rbio(s);
+						s->rwstate = SSL_READING;
+						bio = SSL_get_rbio(s);
 						BIO_clear_retry_flags(bio);
 						BIO_set_retry_read(bio);
-						return(-1);
-						}
+						return (-1);
 					}
 				}
 			}
+		}
 		/* we either finished a handshake or ignored the request,
 		 * now try again to obtain the (application) data we were asked for */
 		goto start;
-		}
+	}
 
-	if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH)
-		{
+	if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) {
 		int alert_level = s->d1->alert_fragment[0];
 		int alert_descr = s->d1->alert_fragment[1];
 
 		s->d1->alert_fragment_len = 0;
 
 		if (s->msg_callback)
-			s->msg_callback(0, s->version, SSL3_RT_ALERT, 
-				s->d1->alert_fragment, 2, s, s->msg_callback_arg);
+			s->msg_callback(0, s->version, SSL3_RT_ALERT,
+		s->d1->alert_fragment, 2, s, s->msg_callback_arg);
 
 		if (s->info_callback != NULL)
-			cb=s->info_callback;
+			cb = s->info_callback;
 		else if (s->ctx->info_callback != NULL)
-			cb=s->ctx->info_callback;
+			cb = s->ctx->info_callback;
 
-		if (cb != NULL)
-			{
+		if (cb != NULL) {
 			j = (alert_level << 8) | alert_descr;
 			cb(s, SSL_CB_READ_ALERT, j);
-			}
+		}
 
 		if (alert_level == 1) /* warning */
-			{
+		{
 			s->s3->warn_alert = alert_descr;
-			if (alert_descr == SSL_AD_CLOSE_NOTIFY)
-				{
+			if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
 #ifndef OPENSSL_NO_SCTP
 				/* With SCTP and streams the socket may deliver app data
 				 * after a close_notify alert. We have to check this
 				 * first so that nothing gets discarded.
 				 */
 				if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
-					BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
-					{
+					BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
 					s->d1->shutdown_received = 1;
-					s->rwstate=SSL_READING;
+					s->rwstate = SSL_READING;
 					BIO_clear_retry_flags(SSL_get_rbio(s));
 					BIO_set_retry_read(SSL_get_rbio(s));
 					return -1;
-					}
+				}
 #endif
 				s->shutdown |= SSL_RECEIVED_SHUTDOWN;
-				return(0);
-				}
+				return (0);
+			}
 #if 0
-            /* XXX: this is a possible improvement in the future */
+			/* XXX: this is a possible improvement in the future */
 			/* now check if it's a missing record */
-			if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
-				{
+			if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) {
 				unsigned short seq;
 				unsigned int frag_off;
 				unsigned char *p = &(s->d1->alert_fragment[2]);
@@ -1150,51 +1111,46 @@ start:
 				n2l3(p, frag_off);
 
 				dtls1_retransmit_message(s,
-										 dtls1_get_queue_priority(frag->msg_header.seq, 0),
-										 frag_off, &found);
-				if ( ! found  && SSL_in_init(s))
-					{
+				dtls1_get_queue_priority(frag->msg_header.seq, 0),
+				frag_off, &found);
+				if (!found  && SSL_in_init(s)) {
 					/* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */
 					/* requested a message not yet sent, 
 					   send an alert ourselves */
-					ssl3_send_alert(s,SSL3_AL_WARNING,
-						DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
-					}
+					ssl3_send_alert(s, SSL3_AL_WARNING,
+					DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
 				}
-#endif
 			}
-		else if (alert_level == 2) /* fatal */
-			{
+#endif
+		} else if (alert_level == 2) /* fatal */
+		{
 			char tmp[16];
 
-			s->rwstate=SSL_NOTHING;
+			s->rwstate = SSL_NOTHING;
 			s->s3->fatal_alert = alert_descr;
 			SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
-			BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
-			ERR_add_error_data(2,"SSL alert number ",tmp);
+			BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr);
+			ERR_add_error_data(2, "SSL alert number ", tmp);
 			s->shutdown|=SSL_RECEIVED_SHUTDOWN;
-			SSL_CTX_remove_session(s->ctx,s->session);
-			return(0);
-			}
-		else
-			{
-			al=SSL_AD_ILLEGAL_PARAMETER;
-			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
+			SSL_CTX_remove_session(s->ctx, s->session);
+			return (0);
+		} else {
+			al = SSL_AD_ILLEGAL_PARAMETER;
+			SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE);
 			goto f_err;
-			}
+		}
 
 		goto start;
-		}
+	}
 
 	if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
-		{
-		s->rwstate=SSL_NOTHING;
-		rr->length=0;
-		return(0);
-		}
+	{
+		s->rwstate = SSL_NOTHING;
+		rr->length = 0;
+		return (0);
+	}
 
-	if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
-		{
+	if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {
 		struct ccs_header_st ccs_hdr;
 		unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
 
@@ -1206,31 +1162,29 @@ start:
 		/* 'Change Cipher Spec' is just a single byte, so we know
 		 * exactly what the record payload has to look like */
 		/* XDTLS: check that epoch is consistent */
-		if (	(rr->length != ccs_hdr_len) || 
-			(rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
-			{
-			i=SSL_AD_ILLEGAL_PARAMETER;
-			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
+		if ((rr->length != ccs_hdr_len) ||
+		    (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) {
+			i = SSL_AD_ILLEGAL_PARAMETER;
+			SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_CHANGE_CIPHER_SPEC);
 			goto err;
-			}
+		}
 
-		rr->length=0;
+		rr->length = 0;
 
 		if (s->msg_callback)
-			s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 
-				rr->data, 1, s, s->msg_callback_arg);
+			s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,
+		rr->data, 1, s, s->msg_callback_arg);
 
 		/* We can't process a CCS now, because previous handshake
 		 * messages are still missing, so just drop it.
 		 */
-		if (!s->d1->change_cipher_spec_ok)
-			{
+		if (!s->d1->change_cipher_spec_ok) {
 			goto start;
-			}
+		}
 
 		s->d1->change_cipher_spec_ok = 0;
 
-		s->s3->change_cipher_spec=1;
+		s->s3->change_cipher_spec = 1;
 		if (!ssl3_do_change_cipher_spec(s))
 			goto err;
 
@@ -1250,90 +1204,82 @@ start:
 #endif
 
 		goto start;
-		}
+	}
 
 	/* Unexpected handshake message (Client Hello, or protocol violation) */
-	if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && 
-		!s->in_handshake)
-		{
+	if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
+	    !s->in_handshake) {
 		struct hm_header_st msg_hdr;
-		
+
 		/* this may just be a stale retransmit */
 		dtls1_get_message_header(rr->data, &msg_hdr);
-		if( rr->epoch != s->d1->r_epoch)
-			{
+		if (rr->epoch != s->d1->r_epoch) {
 			rr->length = 0;
 			goto start;
-			}
+		}
 
 		/* If we are server, we may have a repeated FINISHED of the
 		 * client here, then retransmit our CCS and FINISHED.
 		 */
-		if (msg_hdr.type == SSL3_MT_FINISHED)
-			{
+		if (msg_hdr.type == SSL3_MT_FINISHED) {
 			if (dtls1_check_timeout_num(s) < 0)
 				return -1;
 
 			dtls1_retransmit_buffered_messages(s);
 			rr->length = 0;
 			goto start;
-			}
+		}
 
 		if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
-			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
-			{
+		    !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
 #if 0 /* worked only because C operator preferences are not as expected (and
-       * because this is not really needed for clients except for detecting
+			* because this is not really needed for clients except for detecting
        * protocol violations): */
-			s->state=SSL_ST_BEFORE|(s->server)
-				?SSL_ST_ACCEPT
-				:SSL_ST_CONNECT;
+			s->state = SSL_ST_BEFORE |
+			    (s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
 #else
 			s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
 #endif
-			s->renegotiate=1;
-			s->new_session=1;
-			}
-		i=s->handshake_func(s);
-		if (i < 0) return(i);
-		if (i == 0)
-			{
-			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
-			return(-1);
-			}
+			s->renegotiate = 1;
+			s->new_session = 1;
+		}
+		i = s->handshake_func(s);
+		if (i < 0)
+			return (i);
+		if (i == 0) {
+			SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
+			return (-1);
+		}
 
-		if (!(s->mode & SSL_MODE_AUTO_RETRY))
-			{
+		if (!(s->mode & SSL_MODE_AUTO_RETRY)) {
 			if (s->s3->rbuf.left == 0) /* no read-ahead left? */
-				{
+			{
 				BIO *bio;
 				/* In the case where we try to read application data,
 				 * but we trigger an SSL handshake, we return -1 with
 				 * the retry option set.  Otherwise renegotiation may
 				 * cause nasty problems in the blocking world */
-				s->rwstate=SSL_READING;
-				bio=SSL_get_rbio(s);
+				s->rwstate = SSL_READING;
+				bio = SSL_get_rbio(s);
 				BIO_clear_retry_flags(bio);
 				BIO_set_retry_read(bio);
-				return(-1);
-				}
+				return (-1);
 			}
-		goto start;
 		}
+		goto start;
+	}
 
-	switch (rr->type)
-		{
+	switch (rr->type) {
 	default:
 #ifndef OPENSSL_NO_TLS
 		/* TLS just ignores unknown message types */
-		if (s->version == TLS1_VERSION)
-			{
+		if (s->version == TLS1_VERSION) {
 			rr->length = 0;
 			goto start;
-			}
+		}
 #endif
-		al=SSL_AD_UNEXPECTED_MESSAGE;
-		SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+		al = SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
 		goto f_err;
 	case SSL3_RT_CHANGE_CIPHER_SPEC:
 	case SSL3_RT_ALERT:
@@ -1341,8 +1287,8 @@ start:
 		/* we already handled all of these, with the possible exception
 		 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
 		 * should not happen when type != rr->type */
-		al=SSL_AD_UNEXPECTED_MESSAGE;
-		SSLerr(SSL_F_DTLS1_READ_BYTES,ERR_R_INTERNAL_ERROR);
+		al = SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
 		goto f_err;
 	case SSL3_RT_APPLICATION_DATA:
 		/* At this point, we were expecting handshake data,
@@ -1353,123 +1299,116 @@ start:
 		 * we will indulge it.
 		 */
 		if (s->s3->in_read_app_data &&
-			(s->s3->total_renegotiations != 0) &&
-			((
-				(s->state & SSL_ST_CONNECT) &&
-				(s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
-				(s->state <= SSL3_ST_CR_SRVR_HELLO_A)
-				) || (
-					(s->state & SSL_ST_ACCEPT) &&
-					(s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
-					(s->state >= SSL3_ST_SR_CLNT_HELLO_A)
-					)
-				))
-			{
-			s->s3->in_read_app_data=2;
-			return(-1);
-			}
-		else
-			{
-			al=SSL_AD_UNEXPECTED_MESSAGE;
-			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+		    (s->s3->total_renegotiations != 0) &&
+		    (((s->state & SSL_ST_CONNECT) &&
+		    (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
+		    (s->state <= SSL3_ST_CR_SRVR_HELLO_A)) || (
+		    (s->state & SSL_ST_ACCEPT) &&
+		    (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
+		    (s->state >= SSL3_ST_SR_CLNT_HELLO_A)))) {
+			s->s3->in_read_app_data = 2;
+			return (-1);
+		} else {
+			al = SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
 			goto f_err;
-			}
 		}
+	}
 	/* not reached */
 
 f_err:
-	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+	ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-	return(-1);
-	}
+	return (-1);
+}
 
 int
 dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
-	{
+{
 	int i;
 
 #ifndef OPENSSL_NO_SCTP
-		/* Check if we have to continue an interrupted handshake
-		 * for reading belated app data with SCTP.
-		 */
-		if ((SSL_in_init(s) && !s->in_handshake) ||
-		    (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
-		     (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK)))
+	/* Check if we have to continue an interrupted handshake
+	 * for reading belated app data with SCTP.
+	 */
+	if ((SSL_in_init(s) && !s->in_handshake) ||
+	    (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
+	    (s->state == DTLS1_SCTP_ST_SR_READ_SOCK ||
+	    s->state == DTLS1_SCTP_ST_CR_READ_SOCK)))
 #else
-		if (SSL_in_init(s) && !s->in_handshake)
+	if (SSL_in_init(s) && !s->in_handshake)
 #endif
-		{
-		i=s->handshake_func(s);
-		if (i < 0) return(i);
-		if (i == 0)
-			{
-			SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+	{
+		i = s->handshake_func(s);
+		if (i < 0)
+			return (i);
+		if (i == 0) {
+			SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
 			return -1;
-			}
 		}
+	}
 
-	if (len > SSL3_RT_MAX_PLAIN_LENGTH)
-		{
-			SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_DTLS_MESSAGE_TOO_BIG);
-			return -1;
-		}
+	if (len > SSL3_RT_MAX_PLAIN_LENGTH) {
+		SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, SSL_R_DTLS_MESSAGE_TOO_BIG);
+		return -1;
+	}
 
 	i = dtls1_write_bytes(s, type, buf_, len);
 	return i;
-	}
+}
 
 
 	/* this only happens when a client hello is received and a handshake 
 	 * is started. */
 static int
-have_handshake_fragment(SSL *s, int type, unsigned char *buf, 
-	int len, int peek)
-	{
-	
+have_handshake_fragment(SSL *s, int type, unsigned char *buf,
+    int len, int peek)
+{
+
 	if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0))
 		/* (partially) satisfy request from storage */
-		{
+	{
 		unsigned char *src = s->d1->handshake_fragment;
 		unsigned char *dst = buf;
-		unsigned int k,n;
-		
+		unsigned int k, n;
+
 		/* peek == 0 */
 		n = 0;
-		while ((len > 0) && (s->d1->handshake_fragment_len > 0))
-			{
+		while ((len > 0) && (s->d1->handshake_fragment_len > 0)) {
 			*dst++ = *src++;
-			len--; s->d1->handshake_fragment_len--;
+			len--;
+			s->d1->handshake_fragment_len--;
 			n++;
-			}
+		}
 		/* move any remaining fragment bytes: */
 		for (k = 0; k < s->d1->handshake_fragment_len; k++)
 			s->d1->handshake_fragment[k] = *src++;
 		return n;
-		}
-	
-	return 0;
 	}
 
-
+	return 0;
+}
 
 
 /* Call this to write data in records of type 'type'
  * It will return <= 0 if not all data has been sent or non-blocking IO.
  */
-int dtls1_write_bytes(SSL *s, int type, const void *buf, int len)
-	{
+int
+dtls1_write_bytes(SSL *s, int type, const void *buf, int len)
+{
 	int i;
 
 	OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH);
-	s->rwstate=SSL_NOTHING;
-	i=do_dtls1_write(s, type, buf, len, 0);
+	s->rwstate = SSL_NOTHING;
+	i = do_dtls1_write(s, type, buf, len, 0);
 	return i;
-	}
+}
 
-int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
-	{
-	unsigned char *p,*pseq;
-	int i,mac_size,clear=0;
+int
+do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
+{
+	unsigned char *p, *pseq;
+	int i, mac_size, clear = 0;
 	int prefix_len = 0;
 	SSL3_RECORD *wr;
 	SSL3_BUFFER *wb;
@@ -1478,54 +1417,49 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 
 	/* first check if there is a SSL3_BUFFER still being written
 	 * out.  This will happen with non blocking IO */
-	if (s->s3->wbuf.left != 0)
-		{
+	if (s->s3->wbuf.left != 0) {
 		OPENSSL_assert(0); /* XDTLS:  want to see if we ever get here */
-		return(ssl3_write_pending(s,type,buf,len));
-		}
+		return (ssl3_write_pending(s, type, buf, len));
+	}
 
 	/* If we have an alert to send, lets send it */
-	if (s->s3->alert_dispatch)
-		{
-		i=s->method->ssl_dispatch_alert(s);
+	if (s->s3->alert_dispatch) {
+		i = s->method->ssl_dispatch_alert(s);
 		if (i <= 0)
-			return(i);
+			return (i);
 		/* if it went, fall through and send more stuff */
-		}
+	}
 
 	if (len == 0 && !create_empty_fragment)
 		return 0;
 
-	wr= &(s->s3->wrec);
-	wb= &(s->s3->wbuf);
-	sess=s->session;
+	wr = &(s->s3->wrec);
+	wb = &(s->s3->wbuf);
+	sess = s->session;
 
-	if (	(sess == NULL) ||
-		(s->enc_write_ctx == NULL) ||
-		(EVP_MD_CTX_md(s->write_hash) == NULL))
-		clear=1;
+	if ((sess == NULL) || (s->enc_write_ctx == NULL) ||
+	    (EVP_MD_CTX_md(s->write_hash) == NULL))
+		clear = 1;
 
 	if (clear)
-		mac_size=0;
-	else
-		{
-		mac_size=EVP_MD_CTX_size(s->write_hash);
+		mac_size = 0;
+	else {
+		mac_size = EVP_MD_CTX_size(s->write_hash);
 		if (mac_size < 0)
 			goto err;
-		}
+	}
 
 	/* DTLS implements explicit IV, so no need for empty fragments */
 #if 0
 	/* 'create_empty_fragment' is true only when this function calls itself */
-	if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
-	    && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
-		{
+	if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done &&
+	    SSL_version(s) != DTLS1_VERSION &&
+	    SSL_version(s) != DTLS1_BAD_VER) {
 		/* countermeasure against known-IV weakness in CBC ciphersuites
 		 * (see http://www.openssl.org/~bodo/tls-cbc.txt) 
 		 */
 
-		if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
-			{
+		if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) {
 			/* recursive function call with 'create_empty_fragment' set;
 			 * this prepares and buffers the data for an empty fragment
 			 * (these 'prefix_len' bytes are sent out later
@@ -1534,211 +1468,206 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 			if (prefix_len <= 0)
 				goto err;
 
-			if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
-				{
+			if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) {
 				/* insufficient space */
 				SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR);
 				goto err;
-				}
 			}
-		
-		s->s3->empty_fragment_done = 1;
 		}
+
+		s->s3->empty_fragment_done = 1;
+	}
 #endif
 	p = wb->buf + prefix_len;
 
 	/* write the header */
 
-	*(p++)=type&0xff;
-	wr->type=type;
+	*(p++) = type&0xff;
+	wr->type = type;
 
-	*(p++)=(s->version>>8);
-	*(p++)=s->version&0xff;
+	*(p++) = (s->version >> 8);
+	*(p++) = s->version&0xff;
 
 	/* field where we are to write out packet epoch, seq num and len */
-	pseq=p; 
-	p+=10;
+	pseq = p;
+
+	p += 10;
 
 	/* lets setup the record stuff. */
 
 	/* Make space for the explicit IV in case of CBC.
 	 * (this is a bit of a boundary violation, but what the heck).
 	 */
-	if ( s->enc_write_ctx && 
-		(EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE))
+	if (s->enc_write_ctx &&
+	    (EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE))
 		bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher);
 	else
 		bs = 0;
 
-	wr->data=p + bs;  /* make room for IV in case of CBC */
-	wr->length=(int)len;
-	wr->input=(unsigned char *)buf;
+	wr->data = p + bs;
+	/* make room for IV in case of CBC */
+	wr->length = (int)len;
+	wr->input = (unsigned char *)buf;
 
 	/* we now 'read' from wr->input, wr->length bytes into
 	 * wr->data */
 
 	/* first we compress */
-	if (s->compress != NULL)
-		{
-		if (!ssl3_do_compress(s))
-			{
-			SSLerr(SSL_F_DO_DTLS1_WRITE,SSL_R_COMPRESSION_FAILURE);
+	if (s->compress != NULL) {
+		if (!ssl3_do_compress(s)) {
+			SSLerr(SSL_F_DO_DTLS1_WRITE, SSL_R_COMPRESSION_FAILURE);
 			goto err;
-			}
-		}
-	else
-		{
-		memcpy(wr->data,wr->input,wr->length);
-		wr->input=wr->data;
 		}
+	} else {
+		memcpy(wr->data, wr->input, wr->length);
+		wr->input = wr->data;
+	}
 
 	/* we should still have the output to wr->data and the input
 	 * from wr->input.  Length should be wr->length.
 	 * wr->data still points in the wb->buf */
 
-	if (mac_size != 0)
-		{
-		if(s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1) < 0)
+	if (mac_size != 0) {
+		if (s->method->ssl3_enc->mac(s, &(p[wr->length + bs]), 1) < 0)
 			goto err;
-		wr->length+=mac_size;
-		}
+		wr->length += mac_size;
+	}
 
 	/* this is true regardless of mac size */
-	wr->input=p;
-	wr->data=p;
+	wr->input = p;
+	wr->data = p;
 
 
 	/* ssl3_enc can only have an error on read */
 	if (bs)	/* bs != 0 in case of CBC */
-		{
-		RAND_pseudo_bytes(p,bs);
+	{
+		RAND_pseudo_bytes(p, bs);
 		/* master IV and last CBC residue stand for
 		 * the rest of randomness */
 		wr->length += bs;
-		}
+	}
 
-	s->method->ssl3_enc->enc(s,1);
+	s->method->ssl3_enc->enc(s, 1);
 
 	/* record length after mac and block padding */
 /*	if (type == SSL3_RT_APPLICATION_DATA ||
 	(type == SSL3_RT_ALERT && ! SSL_in_init(s))) */
-	
+
 	/* there's only one epoch between handshake and app data */
-	
+
 	s2n(s->d1->w_epoch, pseq);
 
 	/* XDTLS: ?? */
 /*	else
-	s2n(s->d1->handshake_epoch, pseq); */
+	s2n(s->d1->handshake_epoch, pseq);
+*/
 
 	memcpy(pseq, &(s->s3->write_sequence[2]), 6);
-	pseq+=6;
-	s2n(wr->length,pseq);
+	pseq += 6;
+	s2n(wr->length, pseq);
 
 	/* we should now have
 	 * wr->data pointing to the encrypted data, which is
 	 * wr->length long */
 	wr->type=type; /* not needed but helps for debugging */
-	wr->length+=DTLS1_RT_HEADER_LENGTH;
+	wr->length += DTLS1_RT_HEADER_LENGTH;
 
 #if 0  /* this is now done at the message layer */
 	/* buffer the record, making it easy to handle retransmits */
-	if ( type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
-		dtls1_buffer_record(s, wr->data, wr->length, 
-			*((PQ_64BIT *)&(s->s3->write_sequence[0])));
+	if (type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
+		dtls1_buffer_record(s, wr->data, wr->length,
+	*((PQ_64BIT *)&(s->s3->write_sequence[0])));
 #endif
 
 	ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
 
-	if (create_empty_fragment)
-		{
+	if (create_empty_fragment) {
 		/* we are in a recursive call;
 		 * just return the length, don't write out anything here
 		 */
 		return wr->length;
-		}
+	}
 
 	/* now let's set up wb */
 	wb->left = prefix_len + wr->length;
 	wb->offset = 0;
 
 	/* memorize arguments so that ssl3_write_pending can detect bad write retries later */
-	s->s3->wpend_tot=len;
-	s->s3->wpend_buf=buf;
-	s->s3->wpend_type=type;
-	s->s3->wpend_ret=len;
+	s->s3->wpend_tot = len;
+	s->s3->wpend_buf = buf;
+	s->s3->wpend_type = type;
+	s->s3->wpend_ret = len;
 
 	/* we now just need to write the buffer */
-	return ssl3_write_pending(s,type,buf,len);
+	return ssl3_write_pending(s, type, buf, len);
 err:
 	return -1;
-	}
+}
 
 
 
-static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)
-	{
+static int
+dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)
+{
 	int cmp;
 	unsigned int shift;
 	const unsigned char *seq = s->s3->read_sequence;
 
-	cmp = satsub64be(seq,bitmap->max_seq_num);
-	if (cmp > 0)
-		{
-		memcpy (s->s3->rrec.seq_num,seq,8);
+	cmp = satsub64be(seq, bitmap->max_seq_num);
+	if (cmp > 0) {
+		memcpy (s->s3->rrec.seq_num, seq, 8);
 		return 1; /* this record in new */
-		}
+	}
 	shift = -cmp;
 	if (shift >= sizeof(bitmap->map)*8)
 		return 0; /* stale, outside the window */
-	else if (bitmap->map & (1UL<<shift))
+	else if (bitmap->map & (1UL << shift))
 		return 0; /* record previously received */
 
-	memcpy (s->s3->rrec.seq_num,seq,8);
+	memcpy(s->s3->rrec.seq_num, seq, 8);
 	return 1;
-	}
+}
 
 
-static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
-	{
+static void
+dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
+{
 	int cmp;
 	unsigned int shift;
 	const unsigned char *seq = s->s3->read_sequence;
 
-	cmp = satsub64be(seq,bitmap->max_seq_num);
-	if (cmp > 0)
-		{
+	cmp = satsub64be(seq, bitmap->max_seq_num);
+	if (cmp > 0) {
 		shift = cmp;
 		if (shift < sizeof(bitmap->map)*8)
 			bitmap->map <<= shift, bitmap->map |= 1UL;
 		else
 			bitmap->map = 1UL;
-		memcpy(bitmap->max_seq_num,seq,8);
-		}
-	else	{
+		memcpy(bitmap->max_seq_num, seq, 8);
+	} else {
 		shift = -cmp;
-		if (shift < sizeof(bitmap->map)*8)
-			bitmap->map |= 1UL<<shift;
-		}
+		if (shift < sizeof(bitmap->map) * 8)
+			bitmap->map |= 1UL << shift;
 	}
+}
 
 
-int dtls1_dispatch_alert(SSL *s)
-	{
-	int i,j;
-	void (*cb)(const SSL *ssl,int type,int val)=NULL;
+int
+dtls1_dispatch_alert(SSL *s)
+{
+	int i, j;
+	void (*cb)(const SSL *ssl, int type, int val) = NULL;
 	unsigned char buf[DTLS1_AL_HEADER_LENGTH];
 	unsigned char *ptr = &buf[0];
 
-	s->s3->alert_dispatch=0;
+	s->s3->alert_dispatch = 0;
 
 	memset(buf, 0x00, sizeof(buf));
 	*ptr++ = s->s3->send_alert[0];
 	*ptr++ = s->s3->send_alert[1];
 
 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
-	if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
-		{	
+	if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) {
 		s2n(s->d1->handshake_read_seq, ptr);
 #if 0
 		if ( s->d1->r_msg_hdr.frag_off == 0)  /* waiting for a new msg */
@@ -1748,152 +1677,136 @@ int dtls1_dispatch_alert(SSL *s)
 #endif
 
 #if 0
-		fprintf(stderr, "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n",s->d1->handshake_read_seq,s->d1->r_msg_hdr.seq);
+		fprintf(stderr, "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n", s->d1->handshake_read_seq, s->d1->r_msg_hdr.seq);
 #endif
 		l2n3(s->d1->r_msg_hdr.frag_off, ptr);
-		}
+	}
 #endif
 
 	i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
-	if (i <= 0)
-		{
-		s->s3->alert_dispatch=1;
+	if (i <= 0) {
+		s->s3->alert_dispatch = 1;
 		/* fprintf( stderr, "not done with alert\n" ); */
-		}
-	else
-		{
+	} else {
 		if (s->s3->send_alert[0] == SSL3_AL_FATAL
 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
-		    || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+		|| s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
 #endif
-		    )
-			(void)BIO_flush(s->wbio);
+		)
+		(void)BIO_flush(s->wbio);
 
 		if (s->msg_callback)
-			s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 
-				2, s, s->msg_callback_arg);
+			s->msg_callback(1, s->version, SSL3_RT_ALERT,
+			    s->s3->send_alert, 2, s, s->msg_callback_arg);
 
 		if (s->info_callback != NULL)
-			cb=s->info_callback;
+			cb = s->info_callback;
 		else if (s->ctx->info_callback != NULL)
-			cb=s->ctx->info_callback;
+			cb = s->ctx->info_callback;
 
-		if (cb != NULL)
-			{
-			j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
-			cb(s,SSL_CB_WRITE_ALERT,j);
-			}
+		if (cb != NULL) {
+			j = (s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
+			cb(s, SSL_CB_WRITE_ALERT, j);
 		}
-	return(i);
 	}
+	return (i);
+}
 
 
 static DTLS1_BITMAP *
 dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch)
-    {
-    
-    *is_next_epoch = 0;
-
-    /* In current epoch, accept HM, CCS, DATA, & ALERT */
-    if (rr->epoch == s->d1->r_epoch)
-        return &s->d1->bitmap;
-
-    /* Only HM and ALERT messages can be from the next epoch */
-    else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
-        (rr->type == SSL3_RT_HANDSHAKE ||
-            rr->type == SSL3_RT_ALERT))
-        {
-        *is_next_epoch = 1;
-        return &s->d1->next_bitmap;
-        }
-
-    return NULL;
-    }
+{
+
+	*is_next_epoch = 0;
+
+	/* In current epoch, accept HM, CCS, DATA, & ALERT */
+	if (rr->epoch == s->d1->r_epoch)
+		return &s->d1->bitmap;
+
+	/* Only HM and ALERT messages can be from the next epoch */
+	else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
+		(rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
+		*is_next_epoch = 1;
+		return &s->d1->next_bitmap;
+	}
+
+	return NULL;
+}
 
 #if 0
 static int
 dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, unsigned short *priority,
-	unsigned long *offset)
-	{
+    unsigned long *offset)
+{
 
 	/* alerts are passed up immediately */
-	if ( rr->type == SSL3_RT_APPLICATION_DATA ||
-		rr->type == SSL3_RT_ALERT)
+	if (rr->type == SSL3_RT_APPLICATION_DATA || rr->type == SSL3_RT_ALERT)
 		return 0;
 
 	/* Only need to buffer if a handshake is underway.
 	 * (this implies that Hello Request and Client Hello are passed up
 	 * immediately) */
-	if ( SSL_in_init(s))
-		{
+	if (SSL_in_init(s)) {
 		unsigned char *data = rr->data;
 		/* need to extract the HM/CCS sequence number here */
-		if ( rr->type == SSL3_RT_HANDSHAKE ||
-			rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
-			{
+		if (rr->type == SSL3_RT_HANDSHAKE ||
+		    rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {
 			unsigned short seq_num;
 			struct hm_header_st msg_hdr;
 			struct ccs_header_st ccs_hdr;
 
-			if ( rr->type == SSL3_RT_HANDSHAKE)
-				{
+			if (rr->type == SSL3_RT_HANDSHAKE) {
 				dtls1_get_message_header(data, &msg_hdr);
 				seq_num = msg_hdr.seq;
 				*offset = msg_hdr.frag_off;
-				}
-			else
-				{
+			} else {
 				dtls1_get_ccs_header(data, &ccs_hdr);
 				seq_num = ccs_hdr.seq;
 				*offset = 0;
-				}
-				
+			}
+
 			/* this is either a record we're waiting for, or a
 			 * retransmit of something we happened to previously 
 			 * receive (higher layers will drop the repeat silently */
-			if ( seq_num < s->d1->handshake_read_seq)
+			if (seq_num < s->d1->handshake_read_seq)
 				return 0;
-			if (rr->type == SSL3_RT_HANDSHAKE && 
-				seq_num == s->d1->handshake_read_seq &&
-				msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off)
+			if (rr->type == SSL3_RT_HANDSHAKE &&
+			    seq_num == s->d1->handshake_read_seq &&
+			    msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off)
 				return 0;
-			else if ( seq_num == s->d1->handshake_read_seq &&
-				(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC ||
-					msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off))
+			else if (seq_num == s->d1->handshake_read_seq &&
+			    (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC ||
+			    msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off))
 				return 0;
-			else
-				{
+			else {
 				*priority = seq_num;
 				return 1;
-				}
 			}
+		}
 		else /* unknown record type */
 			return 0;
-		}
+	}
 
 	return 0;
-	}
+}
 #endif
 
 void
 dtls1_reset_seq_numbers(SSL *s, int rw)
-	{
+{
 	unsigned char *seq;
 	unsigned int seq_bytes = sizeof(s->s3->read_sequence);
 
-	if ( rw & SSL3_CC_READ)
-		{
+	if (rw & SSL3_CC_READ) {
 		seq = s->s3->read_sequence;
 		s->d1->r_epoch++;
 		memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP));
 		memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
-		}
-	else
-		{
+	} else {
 		seq = s->s3->write_sequence;
 		memcpy(s->d1->last_write_sequence, seq, sizeof(s->s3->write_sequence));
 		s->d1->w_epoch++;
-		}
+	}
 
 	memset(seq, 0x00, seq_bytes);
-	}
+}
diff --git a/lib/libssl/src/ssl/d1_srtp.c b/lib/libssl/src/ssl/d1_srtp.c
index 928935bd8b4..fadd9f381f6 100644
--- a/lib/libssl/src/ssl/d1_srtp.c
+++ b/lib/libssl/src/ssl/d1_srtp.c
@@ -115,379 +115,357 @@
   Copyright (C) 2011, RTFM, Inc.
 */
 
-#ifndef OPENSSL_NO_SRTP
-
 #include <stdio.h>
 #include <openssl/objects.h>
 #include "ssl_locl.h"
+
+#ifndef OPENSSL_NO_SRTP
+
 #include "srtp.h"
 
 
-static SRTP_PROTECTION_PROFILE srtp_known_profiles[]=
-    {
-    {
-    "SRTP_AES128_CM_SHA1_80",
-    SRTP_AES128_CM_SHA1_80,
-    },
-    {
-    "SRTP_AES128_CM_SHA1_32",
-    SRTP_AES128_CM_SHA1_32,
-    },
+static SRTP_PROTECTION_PROFILE srtp_known_profiles[]= {
+	{
+		"SRTP_AES128_CM_SHA1_80",
+		SRTP_AES128_CM_SHA1_80,
+	},
+	{
+		"SRTP_AES128_CM_SHA1_32",
+		SRTP_AES128_CM_SHA1_32,
+	},
 #if 0
-    {
-    "SRTP_NULL_SHA1_80",
-    SRTP_NULL_SHA1_80,
-    },
-    {
-    "SRTP_NULL_SHA1_32",
-    SRTP_NULL_SHA1_32,
-    },
+	{
+		"SRTP_NULL_SHA1_80",
+		SRTP_NULL_SHA1_80,
+	},
+	{
+		"SRTP_NULL_SHA1_32",
+		SRTP_NULL_SHA1_32,
+	},
 #endif
-    {0}
-    };
+	{0}
+};
 
-static int find_profile_by_name(char *profile_name,
-				SRTP_PROTECTION_PROFILE **pptr,unsigned len)
-	{
+static int
+find_profile_by_name(char *profile_name, SRTP_PROTECTION_PROFILE **pptr,
+    unsigned len)
+{
 	SRTP_PROTECTION_PROFILE *p;
 
-	p=srtp_known_profiles;
-	while(p->name)
-		{
-		if((len == strlen(p->name)) && !strncmp(p->name,profile_name,
-							len))
-			{
-			*pptr=p;
+	p = srtp_known_profiles;
+	while (p->name) {
+		if ((len == strlen(p->name)) &&
+		    !strncmp(p->name, profile_name, len)) {
+			*pptr = p;
 			return 0;
-			}
+		}
 
 		p++;
-		}
+	}
 
 	return 1;
-	}
+}
 
-static int find_profile_by_num(unsigned profile_num,
-			       SRTP_PROTECTION_PROFILE **pptr)
-	{
+static int
+find_profile_by_num(unsigned profile_num, SRTP_PROTECTION_PROFILE **pptr)
+{
 	SRTP_PROTECTION_PROFILE *p;
 
-	p=srtp_known_profiles;
-	while(p->name)
-		{
-		if(p->id == profile_num)
-			{
-			*pptr=p;
+	p = srtp_known_profiles;
+	while (p->name) {
+		if (p->id == profile_num) {
+			*pptr = p;
 			return 0;
-			}
-		p++;
 		}
+		p++;
+	}
 
 	return 1;
-	}
+}
 
-static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
-	{
+static int
+ssl_ctx_make_profiles(const char *profiles_string,
+    STACK_OF(SRTP_PROTECTION_PROFILE) **out)
+{
 	STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
 
 	char *col;
-	char *ptr=(char *)profiles_string;
-    
+	char *ptr = (char *)profiles_string;
+
 	SRTP_PROTECTION_PROFILE *p;
 
-	if(!(profiles=sk_SRTP_PROTECTION_PROFILE_new_null()))
-		{
+	if (!(profiles = sk_SRTP_PROTECTION_PROFILE_new_null())) {
 		SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES, SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES);
 		return 1;
-		}
-    
-	do
-		{
-		col=strchr(ptr,':');
-
-		if(!find_profile_by_name(ptr,&p,
-					 col ? col-ptr : (int)strlen(ptr)))
-			{
-			sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
-			}
-		else
-			{
-			SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
-			return 1;
-			}
+	}
 
-		if(col) ptr=col+1;
-		} while (col);
+	do {
+		col = strchr(ptr, ':');
 
-	*out=profiles;
-    
-	return 0;
-	}
-    
-int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx,const char *profiles)
-	{
-	return ssl_ctx_make_profiles(profiles,&ctx->srtp_profiles);
-	}
+		if (!find_profile_by_name(ptr, &p,
+		    col ? col - ptr : (int)strlen(ptr))) {
+			sk_SRTP_PROTECTION_PROFILE_push(profiles, p);
+		} else {
+			SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES, SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
+			return 1;
+		}
 
-int SSL_set_tlsext_use_srtp(SSL *s,const char *profiles)
-	{
-	return ssl_ctx_make_profiles(profiles,&s->srtp_profiles);
-	}
+		if (col)
+			ptr = col + 1;
+		} while (col);
 
+	*out = profiles;
 
-STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *s)
-	{
-	if(s != NULL)
-		{
-		if(s->srtp_profiles != NULL)
-			{
+	return 0;
+}
+
+int
+SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles)
+{
+	return ssl_ctx_make_profiles(profiles, &ctx->srtp_profiles);
+}
+
+int
+SSL_set_tlsext_use_srtp(SSL *s, const char *profiles)
+{
+	return ssl_ctx_make_profiles(profiles, &s->srtp_profiles);
+}
+
+
+STACK_OF(SRTP_PROTECTION_PROFILE)
+*SSL_get_srtp_profiles(SSL *s)
+{
+	if (s != NULL) {
+		if (s->srtp_profiles != NULL) {
 			return s->srtp_profiles;
-			}
-		else if((s->ctx != NULL) &&
-			(s->ctx->srtp_profiles != NULL))
-			{
+		} else if ((s->ctx != NULL) &&
+		    (s->ctx->srtp_profiles != NULL)) {
 			return s->ctx->srtp_profiles;
-			}
 		}
+	}
 
 	return NULL;
-	}
+}
 
-SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s)
-	{
+SRTP_PROTECTION_PROFILE
+*SSL_get_selected_srtp_profile(SSL *s)
+{
 	return s->srtp_profile;
-	}
+}
 
 /* Note: this function returns 0 length if there are no 
    profiles specified */
-int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
-	{
-	int ct=0;
+int
+ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
+{
+	int ct = 0;
 	int i;
-	STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0;
+	STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = 0;
 	SRTP_PROTECTION_PROFILE *prof;
-    
-	clnt=SSL_get_srtp_profiles(s);    
-	ct=sk_SRTP_PROTECTION_PROFILE_num(clnt); /* -1 if clnt == 0 */
-
-	if(p)
-		{
-		if(ct==0)
-			{
-			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
-			return 1;
-			}
 
-		if((2 + ct*2 + 1) > maxlen)
-			{
-			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
+	clnt = SSL_get_srtp_profiles(s);
+
+	ct = sk_SRTP_PROTECTION_PROFILE_num(clnt); /* -1 if clnt == 0 */
+
+	if (p) {
+		if (ct == 0) {
+			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
 			return 1;
-			}
+		}
 
-                /* Add the length */
-                s2n(ct * 2, p);
-		for(i=0;i<ct;i++)
-			{
-			prof=sk_SRTP_PROTECTION_PROFILE_value(clnt,i);
-			s2n(prof->id,p);
-			}
+		if ((2 + ct * 2 + 1) > maxlen) {
+			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT, SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
+			return 1;
+		}
 
-                /* Add an empty use_mki value */
-                *p++ = 0;
+		/* Add the length */
+		s2n(ct * 2, p);
+		for (i = 0; i < ct; i++) {
+			prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
+			s2n(prof->id, p);
 		}
 
-	*len=2 + ct*2 + 1;
-    
-	return 0;
+		/* Add an empty use_mki value */
+		*p++ = 0;
 	}
 
+	*len = 2 + ct*2 + 1;
 
-int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
-	{
-	SRTP_PROTECTION_PROFILE *cprof,*sprof;
-	STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
-        int ct;
-        int mki_len;
-	int i,j;
+	return 0;
+}
+
+
+int
+ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len, int *al)
+{
+	SRTP_PROTECTION_PROFILE *cprof, *sprof;
+	STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = 0, *srvr;
+	int ct;
+	int mki_len;
+	int i, j;
 	int id;
 	int ret;
 
-         /* Length value + the MKI length */
-        if(len < 3)
-		{            
-		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-		*al=SSL_AD_DECODE_ERROR;
+	/* Length value + the MKI length */
+	if (len < 3) {
+		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+		*al = SSL_AD_DECODE_ERROR;
 		return 1;
-                }
-
-        /* Pull off the length of the cipher suite list */
-        n2s(d, ct);
-        len -= 2;
-        
-        /* Check that it is even */
-	if(ct%2)
-		{
-		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-		*al=SSL_AD_DECODE_ERROR;
+	}
+
+	/* Pull off the length of the cipher suite list */
+	n2s(d, ct);
+	len -= 2;
+
+	/* Check that it is even */
+	if (ct % 2) {
+		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+		*al = SSL_AD_DECODE_ERROR;
 		return 1;
-		}
-        
-        /* Check that lengths are consistent */
-	if(len < (ct + 1)) 
-		{
-		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-		*al=SSL_AD_DECODE_ERROR;
+	}
+
+	/* Check that lengths are consistent */
+	if (len < (ct + 1)) {
+		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+		*al = SSL_AD_DECODE_ERROR;
 		return 1;
-		}
+	}
 
-        
-	clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
 
-	while(ct)
-		{
-		n2s(d,id);
-		ct-=2;
-                len-=2;
+	clnt = sk_SRTP_PROTECTION_PROFILE_new_null();
 
-		if(!find_profile_by_num(id,&cprof))
-			{
-			sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
-			}
-		else
-			{
+	while (ct) {
+		n2s(d, id);
+		ct -= 2;
+		len -= 2;
+
+		if (!find_profile_by_num(id, &cprof)) {
+			sk_SRTP_PROTECTION_PROFILE_push(clnt, cprof);
+		} else {
 			; /* Ignore */
-			}
 		}
+	}
 
-        /* Now extract the MKI value as a sanity check, but discard it for now */
-        mki_len = *d;
-        d++; len--;
+	/* Now extract the MKI value as a sanity check, but discard it for now */
+	mki_len = *d;
+	d++;
+	len--;
 
-        if (mki_len != len)
-		{
-		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_MKI_VALUE);
-		*al=SSL_AD_DECODE_ERROR;
+	if (mki_len != len) {
+		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_MKI_VALUE);
+		*al = SSL_AD_DECODE_ERROR;
 		return 1;
-		}
+	}
 
-	srvr=SSL_get_srtp_profiles(s);
+	srvr = SSL_get_srtp_profiles(s);
 
 	/* Pick our most preferred profile. If no profiles have been
 	 configured then the outer loop doesn't run 
 	 (sk_SRTP_PROTECTION_PROFILE_num() = -1)
 	 and so we just return without doing anything */
-	for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
-		{
-		sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
-
-		for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
-			{
-			cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
-            
-			if(cprof->id==sprof->id)
-				{
-				s->srtp_profile=sprof;
-				*al=0;
-				ret=0;
+	for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) {
+		sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
+
+		for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) {
+			cprof = sk_SRTP_PROTECTION_PROFILE_value(clnt, j);
+
+			if (cprof->id == sprof->id) {
+				s->srtp_profile = sprof;
+				*al = 0;
+				ret = 0;
 				goto done;
-				}
 			}
 		}
+	}
+
+	ret = 0;
 
-	ret=0;
-    
 done:
-	if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
+	if (clnt)
+		sk_SRTP_PROTECTION_PROFILE_free(clnt);
 
 	return ret;
-	}
-
-int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
-	{
-	if(p)
-		{
-		if(maxlen < 5)
-			{
-			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
+}
+
+int
+ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
+{
+	if (p) {
+		if (maxlen < 5) {
+			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT, SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
 			return 1;
-			}
+		}
 
-		if(s->srtp_profile==0)
-			{
-			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,SSL_R_USE_SRTP_NOT_NEGOTIATED);
+		if (s->srtp_profile == 0) {
+			SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT, SSL_R_USE_SRTP_NOT_NEGOTIATED);
 			return 1;
-			}
-                s2n(2, p);
-		s2n(s->srtp_profile->id,p);
-                *p++ = 0;
 		}
-	*len=5;
-    
-	return 0;
+		s2n(2, p);
+		s2n(s->srtp_profile->id, p);
+		*p++ = 0;
 	}
-    
+	*len = 5;
 
-int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
-	{
+	return 0;
+}
+
+
+int
+ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len, int *al)
+{
 	unsigned id;
 	int i;
-        int ct;
+	int ct;
 
 	STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
 	SRTP_PROTECTION_PROFILE *prof;
 
-	if(len!=5)
-		{
-		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-		*al=SSL_AD_DECODE_ERROR;
+	if (len != 5) {
+		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+		*al = SSL_AD_DECODE_ERROR;
 		return 1;
-		}
+	}
 
-        n2s(d, ct);
-	if(ct!=2)
-		{
-		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-		*al=SSL_AD_DECODE_ERROR;
+	n2s(d, ct);
+	if (ct != 2) {
+		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+		*al = SSL_AD_DECODE_ERROR;
 		return 1;
-		}
+	}
 
-	n2s(d,id);
-        if (*d)  /* Must be no MKI, since we never offer one */
-		{
-		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_MKI_VALUE);
-		*al=SSL_AD_ILLEGAL_PARAMETER;
+	n2s(d, id);
+	if (*d)  /* Must be no MKI, since we never offer one */
+	{
+		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_MKI_VALUE);
+		*al = SSL_AD_ILLEGAL_PARAMETER;
 		return 1;
-		}
+	}
 
-	clnt=SSL_get_srtp_profiles(s);
+	clnt = SSL_get_srtp_profiles(s);
 
 	/* Throw an error if the server gave us an unsolicited extension */
-	if (clnt == NULL)
-		{
-		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_NO_SRTP_PROFILES);
-		*al=SSL_AD_DECODE_ERROR;
+	if (clnt == NULL) {
+		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, SSL_R_NO_SRTP_PROFILES);
+		*al = SSL_AD_DECODE_ERROR;
 		return 1;
-		}
-    
+	}
+
 	/* Check to see if the server gave us something we support
 	   (and presumably offered)
 	*/
-	for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(clnt);i++)
-		{
-		prof=sk_SRTP_PROTECTION_PROFILE_value(clnt,i);
-	    
-		if(prof->id == id)
-			{
-			s->srtp_profile=prof;
-			*al=0;
+	for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
+		prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
+
+		if (prof->id == id) {
+			s->srtp_profile = prof;
+			*al = 0;
 			return 0;
-			}
 		}
-
-	SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-	*al=SSL_AD_DECODE_ERROR;
-	return 1;
 	}
 
+	SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+	*al = SSL_AD_DECODE_ERROR;
+	return 1;
+}
 
 #endif