diff --git a/apps/cmp.c b/apps/cmp.c
index eb14f1f404..e38f0010a0 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1571,7 +1571,7 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
             if (opt_csr != NULL) {
                 CMP_err1("no -newkey option given with private key for POPO, -csr option only provides public key%s",
                         opt_key == NULL ? "" :
-                        ", and -key option superseded by by -csr");
+                        ", and -key option superseded by -csr");
                 return 0;
             }
             if (opt_key == NULL) {
diff --git a/crypto/cpuid.c b/crypto/cpuid.c
index f3d966dbf0..a7c4f97fb4 100644
--- a/crypto/cpuid.c
+++ b/crypto/cpuid.c
@@ -34,7 +34,7 @@ static variant_char *ossl_getenv(const char *name)
 {
     /*
      * Since we pull only one environment variable, it's simpler to
-     * to just ignore |name| and use equivalent wide-char L-literal.
+     * just ignore |name| and use equivalent wide-char L-literal.
      * As well as to ignore excessively long values...
      */
     static WCHAR value[48];
@@ -173,7 +173,7 @@ void OPENSSL_cpuid_setup(void)
  */
 
 /*
- * The volatile is used to to ensure that the compiler generates code that reads
+ * The volatile is used to ensure that the compiler generates code that reads
  * all values from the array and doesn't try to optimize this away. The standard
  * doesn't actually require this behavior if the original data pointed to is
  * not volatile, but compilers do this in practice anyway.
diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c
index 6bf2da9b4b..eae0b52c4e 100644
--- a/crypto/ec/ecp_s390x_nistp.c
+++ b/crypto/ec/ecp_s390x_nistp.c
@@ -178,7 +178,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst,
             goto ret;
         }
         /*
-         * Generate random k and copy to param param block. RAND_priv_bytes_ex
+         * Generate random k and copy to param block. RAND_priv_bytes_ex
          * is used instead of BN_priv_rand_range or BN_generate_dsa_nonce
          * because kdsa instruction constructs an in-range, invertible nonce
          * internally implementing counter-measures for RNG weakness.
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index 615d48a724..474a6e59e3 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -1473,7 +1473,7 @@ int OSSL_HTTP_proxy_connect(BIO *bio, const char *server, const char *port,
     do {
         /*
          * This does not necessarily catch the case when the full
-         * HTTP response came in in more than a single TCP message.
+         * HTTP response came in more than a single TCP message.
          */
         read_len = BIO_gets(fbio, mbuf, BUF_SIZE);
     } while (read_len > 2);
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 8931386fae..d8aaebe72f 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -150,7 +150,7 @@ static EVP_PKEY *evp_pkey_new0_key(void *key, int evp_type)
  * Read the MSBLOB header and get relevant data from it.
  *
  * |pisdss| and |pispub| have a double role, as they can be used for
- * discovery as well as to check the the blob meets expectations.
+ * discovery as well as to check the blob meets expectations.
  * |*pisdss| is the indicator for whether the key is a DSA key or not.
  * |*pispub| is the indicator for whether the key is public or not.
  * In both cases, the following input values apply:
diff --git a/crypto/rsa/rsa_sp800_56b_gen.c b/crypto/rsa/rsa_sp800_56b_gen.c
index 04fbe5e86e..9fa85bfdf3 100644
--- a/crypto/rsa/rsa_sp800_56b_gen.c
+++ b/crypto/rsa/rsa_sp800_56b_gen.c
@@ -423,7 +423,7 @@ err:
  * See SP800-56Br1 6.3.1.3 (Step 6) Perform a pair-wise consistency test by
  * verifying that: k = (k^e)^d mod n for some integer k where 1 < k < n-1.
  *
- * Returns 1 if the RSA key passes the pairwise test or 0 it it fails.
+ * Returns 1 if the RSA key passes the pairwise test or 0 if it fails.
  */
 int ossl_rsa_sp800_56b_pairwise_test(RSA *rsa, BN_CTX *ctx)
 {
diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
index 0e805062ac..df3180c048 100644
--- a/crypto/store/store_lib.c
+++ b/crypto/store/store_lib.c
@@ -1013,7 +1013,7 @@ OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme,
     ctx->post_process_data = post_process_data;
 
     /*
-     * ossl_store_get0_loader_int will raise an error if the loader for the
+     * ossl_store_get0_loader_int will raise an error if the loader for
      * the scheme cannot be retrieved. But if a loader was successfully
      * fetched then we remove this error from the error stack.
      */
diff --git a/crypto/x509/x509_trust.c b/crypto/x509/x509_trust.c
index 3143de0d74..1a4345f2fe 100644
--- a/crypto/x509/x509_trust.c
+++ b/crypto/x509/x509_trust.c
@@ -275,7 +275,7 @@ static int obj_trust(int id, X509 *x, int flags)
         /*
          * Reject when explicit trust EKU are set and none match.
          *
-         * Returning untrusted is enough for for full chains that end in
+         * Returning untrusted is enough for full chains that end in
          * self-signed roots, because when explicit trust is specified it
          * suppresses the default blanket trust of self-signed objects.
          *
diff --git a/include/internal/bio_tfo.h b/include/internal/bio_tfo.h
index 6351443933..64c0d4c327 100644
--- a/include/internal/bio_tfo.h
+++ b/include/internal/bio_tfo.h
@@ -54,7 +54,7 @@
  * Some options are purposely NOT defined per-platform
  *
  * OSSL_TFO_SYSCTL
- *     Defined as a sysctlbyname() option to to determine if
+ *     Defined as a sysctlbyname() option to determine if
  *     TFO is enabled in the kernel (macOS, FreeBSD)
  *
  * OSSL_TFO_SERVER_SOCKOPT
@@ -86,7 +86,7 @@
 /*
  * NO WINDOWS SUPPORT
  *
- * But this is is what would be used on the server:
+ * But this is what would be used on the server:
  *
  * define OSSL_TFO_SERVER_SOCKOPT       TCP_FASTOPEN
  * define OSSL_TFO_SERVER_SOCKOPT_VALUE 1
diff --git a/include/internal/quic_ackm.h b/include/internal/quic_ackm.h
index f92f0ebaf2..03fc608867 100644
--- a/include/internal/quic_ackm.h
+++ b/include/internal/quic_ackm.h
@@ -225,7 +225,7 @@ int ossl_ackm_is_ack_desired(OSSL_ACKM *ackm, int pkt_space);
  * the RFC.
  *
  * The return value of this function transitions from 1 to 0 for a given PN once
- * that PN is passed to ossl_ackm_on_rx_packet, thus thus function must be used
+ * that PN is passed to ossl_ackm_on_rx_packet, thus this function must be used
  * before calling ossl_ackm_on_rx_packet.
  */
 int ossl_ackm_is_rx_pn_processable(OSSL_ACKM *ackm, QUIC_PN pn, int pkt_space);
diff --git a/include/internal/recordmethod.h b/include/internal/recordmethod.h
index e0bc0f3231..53bd4ca6d2 100644
--- a/include/internal/recordmethod.h
+++ b/include/internal/recordmethod.h
@@ -228,7 +228,7 @@ struct ossl_record_method_st {
      * remain available until all the bytes from record are released via one or
      * more release_record calls.
      *
-     * Internally the the OSSL_RECORD_METHOD the implementation may read/process
+     * Internally the OSSL_RECORD_METHOD implementation may read/process
      * multiple records in one go and buffer them.
      */
     int (*read_record)(OSSL_RECORD_LAYER *rl, void **rechandle, int *rversion,
diff --git a/include/openssl/ec.h b/include/openssl/ec.h
index 2fe819c462..e1cbe98228 100644
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@@ -1127,7 +1127,7 @@ OSSL_DEPRECATEDIN_3_0 int EC_KEY_check_key(const EC_KEY *key);
 
 /** Indicates if an EC_KEY can be used for signing.
  *  \param  eckey  the EC_KEY object
- *  \return 1 if can can sign and 0 otherwise.
+ *  \return 1 if can sign and 0 otherwise.
  */
 OSSL_DEPRECATEDIN_3_0 int EC_KEY_can_sign(const EC_KEY *eckey);
 
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index a16817d203..1d6b1f3730 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -699,7 +699,7 @@ static void *dh_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
         return NULL;
 
     /*
-     * If a group name is selected then the type is group regardless of what the
+     * If a group name is selected then the type is group regardless of what
      * the user selected. This overrides rather than errors for backwards
      * compatibility.
      */
diff --git a/ssl/quic/quic_txp.c b/ssl/quic/quic_txp.c
index 8a825b5bfe..0f1e9b8f25 100644
--- a/ssl/quic/quic_txp.c
+++ b/ssl/quic/quic_txp.c
@@ -1984,7 +1984,7 @@ static int txp_generate_crypto_frames(OSSL_QUIC_TX_PACKETISER *txp,
 
         /*
          * Ensure we have enough iovecs allocated (1 for the header, up to 2 for
-         * the the stream data.)
+         * the stream data.)
          */
         if (!txp_el_ensure_iovec(&txp->el[enc_level], h->num_iovec + 3))
             return 0; /* alloc error */
@@ -2234,7 +2234,7 @@ static int txp_generate_stream_frames(OSSL_QUIC_TX_PACKETISER *txp,
 
         /*
          * Ensure we have enough iovecs allocated (1 for the header, up to 2 for
-         * the the stream data.)
+         * the stream data.)
          */
         if (!txp_el_ensure_iovec(&txp->el[enc_level], h->num_iovec + 3))
             goto err; /* alloc error */
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 67865b85fa..853af8c0aa 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2353,7 +2353,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst)
          * we now have the following setup.
          * client_random
          * cipher_list          - our preferred list of ciphers
-         * ciphers              - the clients preferred list of ciphers
+         * ciphers              - the client's preferred list of ciphers
          * compression          - basically ignored right now
          * ssl version is set   - sslv3
          * s->session           - The ssl session has been setup.
diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c
index 3b190baa5e..7e69f4bbd5 100644
--- a/test/provider_pkey_test.c
+++ b/test/provider_pkey_test.c
@@ -93,7 +93,7 @@ static int test_pkey_sig(void)
         /*
          * If this picks the wrong signature without realizing it
          * we can get a segfault or some internal error. At least watch
-         * whether fake-rsa sign_init is is exercised by calling sign.
+         * whether fake-rsa sign_init is exercised by calling sign.
          */
         if (!TEST_int_eq(EVP_PKEY_sign_init(ctx), 1))
             goto end;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 75fbd3bd3b..ed8eb2514b 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -9054,7 +9054,7 @@ static int test_session_timeout(int test)
      * Test session ordering and timeout
      * Can't explicitly test performance of the new code,
      * but can test to see if the ordering of the sessions
-     * are correct, and they they are removed as expected
+     * are correct, and they are removed as expected
      */
     SSL_SESSION *early = NULL;
     SSL_SESSION *middle = NULL;
diff --git a/test/tls-provider.c b/test/tls-provider.c
index a914620cd2..5f1479435f 100644
--- a/test/tls-provider.c
+++ b/test/tls-provider.c
@@ -2152,7 +2152,7 @@ struct keytype_desc_st {
 /*
  * Start blatant code steal. Alternative: Open up d2i_X509_PUBKEY_INTERNAL
  * as per https://github.com/openssl/openssl/issues/16697 (TBD)
- * Code from from openssl/crypto/x509/x_pubkey.c as
+ * Code from openssl/crypto/x509/x_pubkey.c as
  * ossl_d2i_X509_PUBKEY_INTERNAL is presently not public
  */
 struct X509_pubkey_st {