3 files changed, 48 insertions, 40 deletions

diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index 2e386d0..64c7fa6 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -548,9 +548,8 @@ send:
 	if (tp->t_flags & TF_SIGNATURE) {
 		int i;
 		u_char *bp;
-		/*
-		 * Initialize TCP-MD5 option (RFC2385)
-		 */
+
+		/* Initialize TCP-MD5 option (RFC2385) */
 		bp = (u_char *)opt + optlen;
 		*bp++ = TCPOPT_SIGNATURE;
 		*bp++ = TCPOLEN_SIGNATURE;
@@ -558,9 +557,8 @@ send:
 		for (i = 0; i < TCP_SIGLEN; i++)
 			*bp++ = 0;
 		optlen += TCPOLEN_SIGNATURE;
-		/*
-		 * Terminate options list and maintain 32-bit alignment.
-		 */
+
+		/* Terminate options list and maintain 32-bit alignment. */
 		*bp++ = TCPOPT_NOP;
 		*bp++ = TCPOPT_EOL;
 		optlen += 2;
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 689d0cd..f099aa5 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1924,6 +1924,14 @@ tcp_xmit_bandwidth_limit(struct tcpcb *tp, tcp_seq ack_seq)
 /*
  * Compute TCP-MD5 hash of a TCPv4 segment. (RFC2385)
  *
+ * Parameters:
+ * m		pointer to head of mbuf chain
+ * off0		offset to TCP header within the mbuf chain
+ * len		length of TCP segment data, excluding options
+ * optlen	length of TCP segment options
+ * buf		pointer to storage for computed MD5 digest
+ * direction	direction of flow (IPSEC_DIR_INBOUND or OUTBOUND)
+ *
  * We do this over ip, tcphdr, segment data, and the key in the SADB.
  * When called from tcp_input(), we can be sure that th_sum has been
  * zeroed out and verified already.
@@ -1940,13 +1948,8 @@ tcp_xmit_bandwidth_limit(struct tcpcb *tp, tcp_seq ack_seq)
  * specify per-application flows but it is unstable.
  */
 int
-tcpsignature_compute(
-	struct mbuf *m,		/* mbuf chain */
-	int off0,		/* offset to TCP header */
-	int len,		/* length of TCP data */
-	int optlen,		/* length of TCP options */
-	u_char *buf,		/* storage for MD5 digest */
-	u_int direction)	/* direction of flow */
+tcpsignature_compute(struct mbuf *m, int off0, int len, int optlen,
+    u_char *buf, u_int direction)
 {
 	union sockaddr_union dst;
 	struct ippseudo ippseudo;
@@ -1958,32 +1961,30 @@ tcpsignature_compute(
 	struct tcphdr *th;
 	u_short savecsum;
 
-	KASSERT(m != NULL, ("passed NULL mbuf. Game over."));
-	KASSERT(buf != NULL, ("passed NULL storage pointer for MD5 signature"));
-	/*
-	 * Extract the destination from the IP header in the mbuf.
-	 */
+	KASSERT(m != NULL, ("NULL mbuf chain"));
+	KASSERT(buf != NULL, ("NULL signature pointer"));
+
+	/* Extract the destination from the IP header in the mbuf. */
 	ip = mtod(m, struct ip *);
 	bzero(&dst, sizeof(union sockaddr_union));
 	dst.sa.sa_len = sizeof(struct sockaddr_in);
 	dst.sa.sa_family = AF_INET;
 	dst.sin.sin_addr = (direction == IPSEC_DIR_INBOUND) ?
 	    ip->ip_src : ip->ip_dst;
-	/*
-	 * Look up an SADB entry which matches the address found in
-	 * the segment.
-	 */
+
+	/* Look up an SADB entry which matches the address of the peer. */
 	sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI));
 	if (sav == NULL) {
 		printf("%s: SADB lookup failed for %s\n", __func__,
 		    inet_ntoa(dst.sin.sin_addr));
 		return (EINVAL);
 	}
-	MD5Init(&ctx);
 
+	MD5Init(&ctx);
 	ipovly = (struct ipovly *)ip;
 	th = (struct tcphdr *)((u_char *)ip + off0);
 	doff = off0 + sizeof(struct tcphdr) + optlen;
+
 	/*
 	 * Step 1: Update MD5 hash with IP pseudo-header.
 	 *
@@ -1999,6 +2000,7 @@ tcpsignature_compute(
 	ippseudo.ippseudo_p = IPPROTO_TCP;
 	ippseudo.ippseudo_len = htons(len + sizeof(struct tcphdr) + optlen);
 	MD5Update(&ctx, (char *)&ippseudo, sizeof(struct ippseudo));
+
 	/*
 	 * Step 2: Update MD5 hash with TCP header, excluding options.
 	 * The TCP checksum must be set to zero.
@@ -2007,17 +2009,20 @@ tcpsignature_compute(
 	th->th_sum = 0;
 	MD5Update(&ctx, (char *)th, sizeof(struct tcphdr));
 	th->th_sum = savecsum;
+
 	/*
 	 * Step 3: Update MD5 hash with TCP segment data.
 	 *         Use m_apply() to avoid an early m_pullup().
 	 */
 	if (len > 0)
 		m_apply(m, doff, len, tcpsignature_apply, &ctx);
+
 	/*
 	 * Step 4: Update MD5 hash with shared secret.
 	 */
 	MD5Update(&ctx, _KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
 	MD5Final(buf, &ctx);
+
 	key_sa_recordxfer(sav, m);
 	KEY_FREESAV(&sav);
 	return (0);
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 689d0cd..f099aa5 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -1924,6 +1924,14 @@ tcp_xmit_bandwidth_limit(struct tcpcb *tp, tcp_seq ack_seq)
 /*
  * Compute TCP-MD5 hash of a TCPv4 segment. (RFC2385)
  *
+ * Parameters:
+ * m		pointer to head of mbuf chain
+ * off0		offset to TCP header within the mbuf chain
+ * len		length of TCP segment data, excluding options
+ * optlen	length of TCP segment options
+ * buf		pointer to storage for computed MD5 digest
+ * direction	direction of flow (IPSEC_DIR_INBOUND or OUTBOUND)
+ *
  * We do this over ip, tcphdr, segment data, and the key in the SADB.
  * When called from tcp_input(), we can be sure that th_sum has been
  * zeroed out and verified already.
@@ -1940,13 +1948,8 @@ tcp_xmit_bandwidth_limit(struct tcpcb *tp, tcp_seq ack_seq)
  * specify per-application flows but it is unstable.
  */
 int
-tcpsignature_compute(
-	struct mbuf *m,		/* mbuf chain */
-	int off0,		/* offset to TCP header */
-	int len,		/* length of TCP data */
-	int optlen,		/* length of TCP options */
-	u_char *buf,		/* storage for MD5 digest */
-	u_int direction)	/* direction of flow */
+tcpsignature_compute(struct mbuf *m, int off0, int len, int optlen,
+    u_char *buf, u_int direction)
 {
 	union sockaddr_union dst;
 	struct ippseudo ippseudo;
@@ -1958,32 +1961,30 @@ tcpsignature_compute(
 	struct tcphdr *th;
 	u_short savecsum;
 
-	KASSERT(m != NULL, ("passed NULL mbuf. Game over."));
-	KASSERT(buf != NULL, ("passed NULL storage pointer for MD5 signature"));
-	/*
-	 * Extract the destination from the IP header in the mbuf.
-	 */
+	KASSERT(m != NULL, ("NULL mbuf chain"));
+	KASSERT(buf != NULL, ("NULL signature pointer"));
+
+	/* Extract the destination from the IP header in the mbuf. */
 	ip = mtod(m, struct ip *);
 	bzero(&dst, sizeof(union sockaddr_union));
 	dst.sa.sa_len = sizeof(struct sockaddr_in);
 	dst.sa.sa_family = AF_INET;
 	dst.sin.sin_addr = (direction == IPSEC_DIR_INBOUND) ?
 	    ip->ip_src : ip->ip_dst;
-	/*
-	 * Look up an SADB entry which matches the address found in
-	 * the segment.
-	 */
+
+	/* Look up an SADB entry which matches the address of the peer. */
 	sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI));
 	if (sav == NULL) {
 		printf("%s: SADB lookup failed for %s\n", __func__,
 		    inet_ntoa(dst.sin.sin_addr));
 		return (EINVAL);
 	}
-	MD5Init(&ctx);
 
+	MD5Init(&ctx);
 	ipovly = (struct ipovly *)ip;
 	th = (struct tcphdr *)((u_char *)ip + off0);
 	doff = off0 + sizeof(struct tcphdr) + optlen;
+
 	/*
 	 * Step 1: Update MD5 hash with IP pseudo-header.
 	 *
@@ -1999,6 +2000,7 @@ tcpsignature_compute(
 	ippseudo.ippseudo_p = IPPROTO_TCP;
 	ippseudo.ippseudo_len = htons(len + sizeof(struct tcphdr) + optlen);
 	MD5Update(&ctx, (char *)&ippseudo, sizeof(struct ippseudo));
+
 	/*
 	 * Step 2: Update MD5 hash with TCP header, excluding options.
 	 * The TCP checksum must be set to zero.
@@ -2007,17 +2009,20 @@ tcpsignature_compute(
 	th->th_sum = 0;
 	MD5Update(&ctx, (char *)th, sizeof(struct tcphdr));
 	th->th_sum = savecsum;
+
 	/*
 	 * Step 3: Update MD5 hash with TCP segment data.
 	 *         Use m_apply() to avoid an early m_pullup().
 	 */
 	if (len > 0)
 		m_apply(m, doff, len, tcpsignature_apply, &ctx);
+
 	/*
 	 * Step 4: Update MD5 hash with shared secret.
 	 */
 	MD5Update(&ctx, _KEYBUF(sav->key_auth), _KEYLEN(sav->key_auth));
 	MD5Final(buf, &ctx);
+
 	key_sa_recordxfer(sav, m);
 	KEY_FREESAV(&sav);
 	return (0);