source/cipher_openssl.c (5 lines):
	- line 205: // TODO: Cache? Are EC_GROUPs threadsafe?
	- line 283: // TODO: We currently _only_ accept compressed points. Should we accept uncompressed points as well?
	- line 305: // TODO: When aws-c-common removes the NUL terminator fix this
	- line 402: /* TODO: Refactor once writing routines are moved to aws_byte_bufs */
	- line 525: // TODO: add preconditions that if the ctx/pkey/keypair exist, they are valid.


source/session_encrypt.c (4 lines):
	- line 95: // TODO - eliminate the data_key type
	- line 266: // TODO - should we free the parsed header here?
	- line 277: // TODO - should we try to write incrementally?
	- line 282: // TODO - should we free the parsed header here?


source/session_decrypt.c (3 lines):
	- line 38: // TODO: Make encrypted_data_keys a pointer?
	- line 79: // TODO - eliminate the struct data_key type and use the unencrypted_data_key buffer directly
	- line 333: // TODO: should the signature be a cursor after all?


source/session.c (3 lines):
	- line 169: // TODO AWS_BAD_STATE
	- line 272: // TODO - is this the right error?
	- line 476: // TODO check for KR config/etc?


include/aws/cryptosdk/private/cipher.h (3 lines):
	- line 23: * TODO - Finish splitting cipher.c into common code and backend, and move this into the backends.
	- line 119: // TODO: Initialize the cipher once and reuse it
	- line 156: // TODO: Footer


cmake/AwsCryptosdkCFlags.cmake (2 lines):
	- line 14: # TODO:
	- line 48: # TODO: Fix these?


source/local_cache.c (2 lines):
	- line 165: * TODO: Should we re-hash to deal with CMMs which don't pre-hash?
	- line 551: /* TODO: Saturation */


source/materials.c (1 line):
	- line 56: // TODO: initialization for trailing signature key, if necessary


source/caching_cmm.c (1 line):
	- line 64: /* TODO: Better name for this property? */


verification/cbmc/proofs/aws_cryptosdk_keyring_trace_add_record_c_str/aws_cryptosdk_keyring_trace_add_record_c_str_harness.c (1 line):
	- line 55: // TODO: we should actually perform memcpy and not memcpy_havoc


verification/cbmc/proofs/aws_cryptosdk_keyring_trace_add_record_buf/aws_cryptosdk_keyring_trace_add_record_buf_harness.c (1 line):
	- line 54: // TODO: we should actually perform memcpy and not memcpy_havoc


verification/cbmc/proofs/aws_cryptosdk_keyring_trace_add_record/aws_cryptosdk_keyring_trace_add_record_harness.c (1 line):
	- line 52: // TODO: we should actually perform memcpy and not memcpy_havoc


verification/cbmc/sources/openssl/evp_override.c (1 line):
	- line 242: /* TODO: assert(evp_pkey_ctx_is_valid(ctx)); */


source/keyring_trace.c (1 line):
	- line 107: // TODO: check for post-condition aws_cryptosdk_keyring_trace_is_valid(trace)


source/header.c (1 line):
	- line 501: // TODO - unify everything on byte_bufs when the aws-c-common refactor lands