 @@ -1,2516 +1,2512 @@
-/*	$NetBSD: if_wg.c,v 1.42 2020/08/31 20:26:21 riastradh Exp $	*/
+/*	$NetBSD: if_wg.c,v 1.43 2020/08/31 20:26:46 riastradh Exp $	*/
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com>
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 3. Neither the name of the project nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 /*
  * This network interface aims to implement the WireGuard protocol.
  * The implementation is based on the paper of WireGuard as of
  * 2018-06-30 [1].  The paper is referred in the source code with label
  * [W].  Also the specification of the Noise protocol framework as of
  * 2018-07-11 [2] is referred with label [N].
+ *
  * [1] https://www.wireguard.com/papers/wireguard.pdf
  * [2] http://noiseprotocol.org/noise.pdf
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.42 2020/08/31 20:26:21 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.43 2020/08/31 20:26:46 riastradh Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
 #endif
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/atomic.h>
 #include <sys/callout.h>
 #include <sys/cprng.h>
 #include <sys/cpu.h>
 #include <sys/device.h>
 #include <sys/domain.h>
 #include <sys/errno.h>
 #include <sys/intr.h>
 #include <sys/ioctl.h>
 #include <sys/kernel.h>
 #include <sys/kmem.h>
 #include <sys/kthread.h>
 #include <sys/mbuf.h>
 #include <sys/module.h>
 #include <sys/mutex.h>
 #include <sys/pcq.h>
 #include <sys/percpu.h>
 #include <sys/pserialize.h>
 #include <sys/psref.h>
 #include <sys/queue.h>
 #include <sys/rwlock.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sockio.h>
 #include <sys/sysctl.h>
 #include <sys/syslog.h>
 #include <sys/systm.h>
 #include <sys/thmap.h>
 #include <sys/time.h>
 #include <sys/timespec.h>
 #include <net/bpf.h>
 #include <net/if.h>
 #include <net/if_types.h>
 #include <net/if_wg.h>
 #include <net/route.h>
 #include <netinet/in.h>
 #include <netinet/in_pcb.h>
 #include <netinet/in_var.h>
 #include <netinet/ip.h>
 #include <netinet/ip_var.h>
 #include <netinet/udp.h>
 #include <netinet/udp_var.h>
 #ifdef INET6
 #include <netinet/ip6.h>
 #include <netinet6/in6_pcb.h>
 #include <netinet6/in6_var.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/udp6_var.h>
 #endif /* INET6 */
 #include <prop/proplib.h>
 #include <crypto/blake2/blake2s.h>
 #include <crypto/sodium/crypto_aead_chacha20poly1305.h>
 #include <crypto/sodium/crypto_aead_xchacha20poly1305.h>
 #include <crypto/sodium/crypto_scalarmult.h>
 #include "ioconf.h"
 #ifdef WG_RUMPKERNEL
 #include "wg_user.h"
 #endif
 /*
  * Data structures
  * - struct wg_softc is an instance of wg interfaces
  *   - It has a list of peers (struct wg_peer)
  *   - It has a kthread that sends/receives handshake messages and
  *     runs event handlers
  *   - It has its own two routing tables: one is for IPv4 and the other IPv6
  * - struct wg_peer is a representative of a peer
  *   - It has a softint that is used to send packets over an wg interface
  *     to a peer
  *   - It has a pair of session instances (struct wg_session)
  *   - It has a pair of endpoint instances (struct wg_sockaddr)
  *     - Normally one endpoint is used and the second one is used only on
  *       a peer migration (a change of peer's IP address)
  *   - It has a list of IP addresses and sub networks called allowedips
  *     (struct wg_allowedip)
  *     - A packets sent over a session is allowed if its destination matches
  *       any IP addresses or sub networks of the list
  * - struct wg_session represents a session of a secure tunnel with a peer
  *   - Two instances of sessions belong to a peer; a stable session and a
  *     unstable session
  *   - A handshake process of a session always starts with a unstable instace
  *   - Once a session is established, its instance becomes stable and the
  *     other becomes unstable instead
  *   - Data messages are always sent via a stable session
+ *
  * Locking notes:
  * - wg interfaces (struct wg_softc, wg) is listed in wg_softcs.list and
  *   protected by wg_softcs.lock
  * - Each wg has a mutex(9) and a rwlock(9)
  *   - The mutex (wg_lock) protects its peer list (wg_peers)
  *   - A peer on the list is also protected by pserialize(9) or psref(9)
  *   - The rwlock (wg_rwlock) protects the routing tables (wg_rtable_ipv[46])
  * - Each peer (struct wg_peer, wgp) has a mutex
  *   - The mutex (wgp_lock) protects wgp_session_unstable and wgp_state
  * - Each session (struct wg_session, wgs) has a mutex
  *   - The mutex (wgs_lock) protects its state (wgs_state) and its handshake
  *     states
  *   - wgs_state of a unstable session can be changed while it never be
  *     changed on a stable session, so once get a session instace via
  *     wgp_session_stable we can safely access wgs_state without
  *     holding wgs_lock
  *   - A session is protected by pserialize or psref like wgp
  *     - On a session swap, we must wait for all readers to release a
  *       reference to a stable session before changing wgs_state and
  *       session states
+ *
  * Lock order: wg_lock -> wgp_lock -> wgs_lock
  */
 #define WGLOG(level, fmt, args...)					      \
 	log(level, "%s: " fmt, __func__, ##args)
 /* Debug options */
 #ifdef WG_DEBUG
 /* Output debug logs */
 #ifndef WG_DEBUG_LOG
 #define WG_DEBUG_LOG
 #endif
 /* Output trace logs */
 #ifndef WG_DEBUG_TRACE
 #define WG_DEBUG_TRACE
 #endif
 /* Output hash values, etc. */
 #ifndef WG_DEBUG_DUMP
 #define WG_DEBUG_DUMP
 #endif
 /* Make some internal parameters configurable for testing and debugging */
 #ifndef WG_DEBUG_PARAMS
 #define WG_DEBUG_PARAMS
 #endif
 #endif
 #ifdef WG_DEBUG_TRACE
 #define WG_TRACE(msg)							      \
 	log(LOG_DEBUG, "%s:%d: %s\n", __func__, __LINE__, (msg))
 #else
 #define WG_TRACE(msg)	__nothing
 #endif
 #ifdef WG_DEBUG_LOG
 #define WG_DLOG(fmt, args...)	log(LOG_DEBUG, "%s: " fmt, __func__, ##args)
 #else
 #define WG_DLOG(fmt, args...)	__nothing
 #endif
 #define WG_LOG_RATECHECK(wgprc, level, fmt, args...)	do {		\
 	if (ppsratecheck(&(wgprc)->wgprc_lasttime,			\
 	    &(wgprc)->wgprc_curpps, 1)) {				\
 		log(level, fmt, ##args);				\
 	}								\
 } while (0)
 #ifdef WG_DEBUG_PARAMS
 static bool wg_force_underload = false;
 #endif
 #ifdef WG_DEBUG_DUMP
 #ifdef WG_RUMPKERNEL
 static void
 wg_dump_buf(const char *func, const char *buf, const size_t size)
+{
 	log(LOG_DEBUG, "%s: ", func);
 	for (int i = 0; i < size; i++)
 		log(LOG_DEBUG, "%02x ", (int)(0xff & buf[i]));
 	log(LOG_DEBUG, "\n");
+}
 #endif
 static void
 wg_dump_hash(const uint8_t *func, const uint8_t *name, const uint8_t *hash,
     const size_t size)
+{
 	log(LOG_DEBUG, "%s: %s: ", func, name);
 	for (int i = 0; i < size; i++)
 		log(LOG_DEBUG, "%02x ", (int)(0xff & hash[i]));
 	log(LOG_DEBUG, "\n");
+}
 #define WG_DUMP_HASH(name, hash) \
 	wg_dump_hash(__func__, name, hash, WG_HASH_LEN)
 #define WG_DUMP_HASH48(name, hash) \
 	wg_dump_hash(__func__, name, hash, 48)
 #define WG_DUMP_BUF(buf, size) \
 	wg_dump_buf(__func__, buf, size)
 #else
 #define WG_DUMP_HASH(name, hash)	__nothing
 #define WG_DUMP_HASH48(name, hash)	__nothing
 #define WG_DUMP_BUF(buf, size)	__nothing
 #endif /* WG_DEBUG_DUMP */
 #define WG_MTU			1420
 #define WG_ALLOWEDIPS		16
 #define CURVE25519_KEY_LEN	32
 #define TAI64N_LEN		sizeof(uint32_t) * 3
 #define POLY1305_AUTHTAG_LEN	16
 #define HMAC_BLOCK_LEN		64
 /* [N] 4.1: "DHLEN must be 32 or greater."  WireGuard chooses 32. */
 /* [N] 4.3: Hash functions */
 #define NOISE_DHLEN		32
 /* [N] 4.3: "Must be 32 or 64."  WireGuard chooses 32. */
 #define NOISE_HASHLEN		32
 #define NOISE_BLOCKLEN		64
 #define NOISE_HKDF_OUTPUT_LEN	NOISE_HASHLEN
 /* [N] 5.1: "k" */
 #define NOISE_CIPHER_KEY_LEN	32
 /*
  * [N] 9.2: "psk"
  *          "... psk is a 32-byte secret value provided by the application."
  */
 #define NOISE_PRESHARED_KEY_LEN	32
 #define WG_STATIC_KEY_LEN	CURVE25519_KEY_LEN
 #define WG_TIMESTAMP_LEN	TAI64N_LEN
 #define WG_PRESHARED_KEY_LEN	NOISE_PRESHARED_KEY_LEN
 #define WG_COOKIE_LEN		16
 #define WG_MAC_LEN		16
 #define WG_RANDVAL_LEN		24
 #define WG_EPHEMERAL_KEY_LEN	CURVE25519_KEY_LEN
 /* [N] 5.2: "ck: A chaining key of HASHLEN bytes" */
 #define WG_CHAINING_KEY_LEN	NOISE_HASHLEN
 /* [N] 5.2: "h: A hash output of HASHLEN bytes" */
 #define WG_HASH_LEN		NOISE_HASHLEN
 #define WG_CIPHER_KEY_LEN	NOISE_CIPHER_KEY_LEN
 #define WG_DH_OUTPUT_LEN	NOISE_DHLEN
 #define WG_KDF_OUTPUT_LEN	NOISE_HKDF_OUTPUT_LEN
 #define WG_AUTHTAG_LEN		POLY1305_AUTHTAG_LEN
 #define WG_DATA_KEY_LEN		32
 #define WG_SALT_LEN		24
 /*
  * The protocol messages
  */
 struct wg_msg {
 	uint32_t	wgm_type;
 } __packed;
 /* [W] 5.4.2 First Message: Initiator to Responder */
 struct wg_msg_init {
 	uint32_t	wgmi_type;
 	uint32_t	wgmi_sender;
 	uint8_t		wgmi_ephemeral[WG_EPHEMERAL_KEY_LEN];
 	uint8_t		wgmi_static[WG_STATIC_KEY_LEN + WG_AUTHTAG_LEN];
 	uint8_t		wgmi_timestamp[WG_TIMESTAMP_LEN + WG_AUTHTAG_LEN];
 	uint8_t		wgmi_mac1[WG_MAC_LEN];
 	uint8_t		wgmi_mac2[WG_MAC_LEN];
 } __packed;
 /* [W] 5.4.3 Second Message: Responder to Initiator */
 struct wg_msg_resp {
 	uint32_t	wgmr_type;
 	uint32_t	wgmr_sender;
 	uint32_t	wgmr_receiver;
 	uint8_t		wgmr_ephemeral[WG_EPHEMERAL_KEY_LEN];
 	uint8_t		wgmr_empty[0 + WG_AUTHTAG_LEN];
 	uint8_t		wgmr_mac1[WG_MAC_LEN];
 	uint8_t		wgmr_mac2[WG_MAC_LEN];
 } __packed;
 /* [W] 5.4.6 Subsequent Messages: Transport Data Messages */
 struct wg_msg_data {
 	uint32_t	wgmd_type;
 	uint32_t	wgmd_receiver;
 	uint64_t	wgmd_counter;
 	uint32_t	wgmd_packet[0];
 } __packed;
 /* [W] 5.4.7 Under Load: Cookie Reply Message */
 struct wg_msg_cookie {
 	uint32_t	wgmc_type;
 	uint32_t	wgmc_receiver;
 	uint8_t		wgmc_salt[WG_SALT_LEN];
 	uint8_t		wgmc_cookie[WG_COOKIE_LEN + WG_AUTHTAG_LEN];
 } __packed;
 #define WG_MSG_TYPE_INIT		1
 #define WG_MSG_TYPE_RESP		2
 #define WG_MSG_TYPE_COOKIE		3
 #define WG_MSG_TYPE_DATA		4
 #define WG_MSG_TYPE_MAX			WG_MSG_TYPE_DATA
 /* Sliding windows */
 #define	SLIWIN_BITS	2048u
 #define	SLIWIN_TYPE	uint32_t
 #define	SLIWIN_BPW	NBBY*sizeof(SLIWIN_TYPE)
 #define	SLIWIN_WORDS	howmany(SLIWIN_BITS, SLIWIN_BPW)
 #define	SLIWIN_NPKT	(SLIWIN_BITS - NBBY*sizeof(SLIWIN_TYPE))
 struct sliwin {
 	SLIWIN_TYPE	B[SLIWIN_WORDS];
 	uint64_t	T;
 };
 static void
 sliwin_reset(struct sliwin *W)
+{
 	memset(W, 0, sizeof(*W));
+}
 static int
 sliwin_check_fast(const volatile struct sliwin *W, uint64_t S)
+{
 	/*
 	 * If it's more than one window older than the highest sequence
 	 * number we've seen, reject.
 	 */
 #ifdef __HAVE_ATOMIC64_LOADSTORE
 	if (S + SLIWIN_NPKT < atomic_load_relaxed(&W->T))
 		return EAUTH;
 #endif
 	/*
 	 * Otherwise, we need to take the lock to decide, so don't
 	 * reject just yet.  Caller must serialize a call to
 	 * sliwin_update in this case.
 	 */
 	return 0;
+}
 static int
 sliwin_update(struct sliwin *W, uint64_t S)
+{
 	unsigned word, bit;
 	/*
 	 * If it's more than one window older than the highest sequence
 	 * number we've seen, reject.
 	 */
 	if (S + SLIWIN_NPKT < W->T)
 		return EAUTH;
 	/*
 	 * If it's higher than the highest sequence number we've seen,
 	 * advance the window.
 	 */
 	if (S > W->T) {
 		uint64_t i = W->T / SLIWIN_BPW;
 		uint64_t j = S / SLIWIN_BPW;
 		unsigned k;
 		for (k = 0; k < MIN(j - i, SLIWIN_WORDS); k++)
 			W->B[(i + k + 1) % SLIWIN_WORDS] = 0;
 #ifdef __HAVE_ATOMIC64_LOADSTORE
 		atomic_store_relaxed(&W->T, S);
 #else
 		W->T = S;
 #endif
+	}
 	/* Test and set the bit -- if already set, reject.  */
 	word = (S / SLIWIN_BPW) % SLIWIN_WORDS;
 	bit = S % SLIWIN_BPW;
 	if (W->B[word] & (1UL << bit))
 		return EAUTH;
 	W->B[word] |= 1UL << bit;
 	/* Accept!  */
 	return 0;
+}
 struct wg_worker {
 	kmutex_t	wgw_lock;
 	kcondvar_t	wgw_cv;
 	bool		wgw_todie;
 	struct socket	*wgw_so4;
 	struct socket	*wgw_so6;
 	int		wgw_wakeup_reasons;
 #define WG_WAKEUP_REASON_RECEIVE_PACKETS_IPV4	__BIT(0)
 #define WG_WAKEUP_REASON_RECEIVE_PACKETS_IPV6	__BIT(1)
 #define WG_WAKEUP_REASON_PEER			__BIT(2)
 };
 struct wg_session {
 	struct wg_peer	*wgs_peer;
 	struct psref_target
 			wgs_psref;
 	kmutex_t	*wgs_lock;
 	int		wgs_state;
 #define WGS_STATE_UNKNOWN	0
 #define WGS_STATE_INIT_ACTIVE	1
 #define WGS_STATE_INIT_PASSIVE	2
 #define WGS_STATE_ESTABLISHED	3
 #define WGS_STATE_DESTROYING	4
 	time_t		wgs_time_established;
 	time_t		wgs_time_last_data_sent;
 	bool		wgs_is_initiator;
 	uint32_t	wgs_sender_index;
 	uint32_t	wgs_receiver_index;
 #ifdef __HAVE_ATOMIC64_LOADSTORE
 	volatile uint64_t
 			wgs_send_counter;
 #else
 	kmutex_t	wgs_send_counter_lock;
 	uint64_t	wgs_send_counter;
 #endif
 	struct {
 		kmutex_t	lock;
 		struct sliwin	window;
 	}		*wgs_recvwin;
 	uint8_t		wgs_handshake_hash[WG_HASH_LEN];
 	uint8_t		wgs_chaining_key[WG_CHAINING_KEY_LEN];
 	uint8_t		wgs_ephemeral_key_pub[WG_EPHEMERAL_KEY_LEN];
 	uint8_t		wgs_ephemeral_key_priv[WG_EPHEMERAL_KEY_LEN];
 	uint8_t		wgs_ephemeral_key_peer[WG_EPHEMERAL_KEY_LEN];
 	uint8_t		wgs_tkey_send[WG_DATA_KEY_LEN];
 	uint8_t		wgs_tkey_recv[WG_DATA_KEY_LEN];
 };
 struct wg_sockaddr {
 	union {
 		struct sockaddr_storage _ss;
 		struct sockaddr _sa;
 		struct sockaddr_in _sin;
 		struct sockaddr_in6 _sin6;
 	};
 	struct psref_target	wgsa_psref;
 };
 #define wgsatosa(wgsa)		(&(wgsa)->_sa)
 #define wgsatosin(wgsa)		(&(wgsa)->_sin)
 #define wgsatosin6(wgsa)	(&(wgsa)->_sin6)
 struct wg_peer;
 struct wg_allowedip {
 	struct radix_node	wga_nodes[2];
 	struct wg_sockaddr	_wga_sa_addr;
 	struct wg_sockaddr	_wga_sa_mask;
 #define wga_sa_addr		_wga_sa_addr._sa
 #define wga_sa_mask		_wga_sa_mask._sa
 	int			wga_family;
 	uint8_t			wga_cidr;
 	union {
 		struct in_addr _ip4;
 		struct in6_addr _ip6;
 	} wga_addr;
 #define wga_addr4	wga_addr._ip4
 #define wga_addr6	wga_addr._ip6
 	struct wg_peer		*wga_peer;
 };
 typedef uint8_t wg_timestamp_t[WG_TIMESTAMP_LEN];
 struct wg_ppsratecheck {
 	struct timeval		wgprc_lasttime;
 	int			wgprc_curpps;
 };
 struct wg_softc;
 struct wg_peer {
 	struct wg_softc		*wgp_sc;
 	char			wgp_name[WG_PEER_NAME_MAXLEN + 1];
 	struct pslist_entry	wgp_peerlist_entry;
 	pserialize_t		wgp_psz;
 	struct psref_target	wgp_psref;
 	kmutex_t		*wgp_lock;
 	uint8_t	wgp_pubkey[WG_STATIC_KEY_LEN];
 	struct wg_sockaddr	*wgp_endpoint;
 #define wgp_ss		wgp_endpoint->_ss
 #define wgp_sa		wgp_endpoint->_sa
 #define wgp_sin		wgp_endpoint->_sin
 #define wgp_sin6	wgp_endpoint->_sin6
 	struct wg_sockaddr	*wgp_endpoint0;
 	bool			wgp_endpoint_changing;
 	bool			wgp_endpoint_available;
 			/* The preshared key (optional) */
 	uint8_t		wgp_psk[WG_PRESHARED_KEY_LEN];
 	int wgp_state;
 #define WGP_STATE_INIT		0
 #define WGP_STATE_ESTABLISHED	1
 #define WGP_STATE_GIVEUP	2
 #define WGP_STATE_DESTROYING	3
 	void		*wgp_si;
 	pcq_t		*wgp_q;
 	struct wg_session	*wgp_session_stable;
 	struct wg_session	*wgp_session_unstable;
 	/* timestamp in big-endian */
 	wg_timestamp_t	wgp_timestamp_latest_init;
 	struct timespec		wgp_last_handshake_time;
 	callout_t		wgp_rekey_timer;
 	callout_t		wgp_handshake_timeout_timer;
 	callout_t		wgp_session_dtor_timer;
 	time_t			wgp_handshake_start_time;
 	int			wgp_n_allowedips;
 	struct wg_allowedip	wgp_allowedips[WG_ALLOWEDIPS];
 	time_t			wgp_latest_cookie_time;
 	uint8_t			wgp_latest_cookie[WG_COOKIE_LEN];
 	uint8_t			wgp_last_sent_mac1[WG_MAC_LEN];
 	bool			wgp_last_sent_mac1_valid;
 	uint8_t			wgp_last_sent_cookie[WG_COOKIE_LEN];
 	bool			wgp_last_sent_cookie_valid;
 	time_t			wgp_last_msg_received_time[WG_MSG_TYPE_MAX];
 	time_t			wgp_last_genrandval_time;
 	uint32_t		wgp_randval;
 	struct wg_ppsratecheck	wgp_ppsratecheck;
 	volatile unsigned int	wgp_tasks;
 #define WGP_TASK_SEND_INIT_MESSAGE		__BIT(0)
 #define WGP_TASK_ENDPOINT_CHANGED		__BIT(1)
 #define WGP_TASK_SEND_KEEPALIVE_MESSAGE		__BIT(2)
 #define WGP_TASK_DESTROY_PREV_SESSION		__BIT(3)
 };
 struct wg_ops;
 struct wg_softc {
 	struct ifnet	wg_if;
 	LIST_ENTRY(wg_softc) wg_list;
 	kmutex_t	*wg_lock;
 	krwlock_t	*wg_rwlock;
 	uint8_t		wg_privkey[WG_STATIC_KEY_LEN];
 	uint8_t		wg_pubkey[WG_STATIC_KEY_LEN];
 	int		wg_npeers;
 	struct pslist_head	wg_peers;
 	struct thmap	*wg_peers_bypubkey;
 	struct thmap	*wg_peers_byname;
 	struct thmap	*wg_sessions_byindex;
 	uint16_t	wg_listen_port;
 	struct wg_worker	*wg_worker;
 	lwp_t			*wg_worker_lwp;
 	struct radix_node_head	*wg_rtable_ipv4;
 	struct radix_node_head	*wg_rtable_ipv6;
 	struct wg_ppsratecheck	wg_ppsratecheck;
 	struct wg_ops		*wg_ops;
 #ifdef WG_RUMPKERNEL
 	struct wg_user		*wg_user;
 #endif
 };
 /* [W] 6.1 Preliminaries */
 #define WG_REKEY_AFTER_MESSAGES		(1ULL << 60)
 #define WG_REJECT_AFTER_MESSAGES	(UINT64_MAX - (1 << 13))
 #define WG_REKEY_AFTER_TIME		120
 #define WG_REJECT_AFTER_TIME		180
 #define WG_REKEY_ATTEMPT_TIME		 90
 #define WG_REKEY_TIMEOUT		  5
 #define WG_KEEPALIVE_TIMEOUT		 10
 #define WG_COOKIE_TIME			120
 #define WG_RANDVAL_TIME			(2 * 60)
 static uint64_t wg_rekey_after_messages = WG_REKEY_AFTER_MESSAGES;
 static uint64_t wg_reject_after_messages = WG_REJECT_AFTER_MESSAGES;
 static unsigned wg_rekey_after_time = WG_REKEY_AFTER_TIME;
 static unsigned wg_reject_after_time = WG_REJECT_AFTER_TIME;
 static unsigned wg_rekey_attempt_time = WG_REKEY_ATTEMPT_TIME;
 static unsigned wg_rekey_timeout = WG_REKEY_TIMEOUT;
 static unsigned wg_keepalive_timeout = WG_KEEPALIVE_TIMEOUT;
 static struct mbuf *
 		wg_get_mbuf(size_t, size_t);
 static void	wg_wakeup_worker(struct wg_worker *, int);
 static int	wg_send_data_msg(struct wg_peer *, struct wg_session *,
 		    struct mbuf *);
 static int	wg_send_cookie_msg(struct wg_softc *, struct wg_peer *,
 		    const uint32_t, const uint8_t [], const struct sockaddr *);
 static int	wg_send_handshake_msg_resp(struct wg_softc *,
 		    struct wg_peer *, const struct wg_msg_init *);
 static void	wg_send_keepalive_msg(struct wg_peer *, struct wg_session *);
 static struct wg_peer *
 		wg_pick_peer_by_sa(struct wg_softc *, const struct sockaddr *,
 		    struct psref *);
 static struct wg_peer *
 		wg_lookup_peer_by_pubkey(struct wg_softc *,
 		    const uint8_t [], struct psref *);
 static struct wg_session *
 		wg_lookup_session_by_index(struct wg_softc *,
 		    const uint32_t, struct psref *);
 static void	wg_update_endpoint_if_necessary(struct wg_peer *,
 		    const struct sockaddr *);
 static void	wg_schedule_rekey_timer(struct wg_peer *);
 static void	wg_schedule_session_dtor_timer(struct wg_peer *);
 static bool	wg_is_underload(struct wg_softc *, struct wg_peer *, int);
 static void	wg_calculate_keys(struct wg_session *, const bool);
 static void	wg_clear_states(struct wg_session *);
 static void	wg_get_peer(struct wg_peer *, struct psref *);
 static void	wg_put_peer(struct wg_peer *, struct psref *);
 static int	wg_send_so(struct wg_peer *, struct mbuf *);
 static int	wg_send_udp(struct wg_peer *, struct mbuf *);
 static int	wg_output(struct ifnet *, struct mbuf *,
 			   const struct sockaddr *, const struct rtentry *);
 static void	wg_input(struct ifnet *, struct mbuf *, const int);
 static int	wg_ioctl(struct ifnet *, u_long, void *);
 static int	wg_bind_port(struct wg_softc *, const uint16_t);
 static int	wg_init(struct ifnet *);
 static void	wg_stop(struct ifnet *, int);
 static int	wg_clone_create(struct if_clone *, int);
 static int	wg_clone_destroy(struct ifnet *);
 struct wg_ops {
 	int (*send_hs_msg)(struct wg_peer *, struct mbuf *);
 	int (*send_data_msg)(struct wg_peer *, struct mbuf *);
 	void (*input)(struct ifnet *, struct mbuf *, const int);
 	int (*bind_port)(struct wg_softc *, const uint16_t);
 };
 struct wg_ops wg_ops_rumpkernel = {
 	.send_hs_msg	= wg_send_so,
 	.send_data_msg	= wg_send_udp,
 	.input		= wg_input,
 	.bind_port	= wg_bind_port,
 };
 #ifdef WG_RUMPKERNEL
 static bool	wg_user_mode(struct wg_softc *);
 static int	wg_ioctl_linkstr(struct wg_softc *, struct ifdrv *);
 static int	wg_send_user(struct wg_peer *, struct mbuf *);
 static void	wg_input_user(struct ifnet *, struct mbuf *, const int);
 static int	wg_bind_port_user(struct wg_softc *, const uint16_t);
 struct wg_ops wg_ops_rumpuser = {
 	.send_hs_msg	= wg_send_user,
 	.send_data_msg	= wg_send_user,
 	.input		= wg_input_user,
 	.bind_port	= wg_bind_port_user,
 };
 #endif
 #define WG_PEER_READER_FOREACH(wgp, wg)					\
 	PSLIST_READER_FOREACH((wgp), &(wg)->wg_peers, struct wg_peer,	\
 	    wgp_peerlist_entry)
 #define WG_PEER_WRITER_FOREACH(wgp, wg)					\
 	PSLIST_WRITER_FOREACH((wgp), &(wg)->wg_peers, struct wg_peer,	\
 	    wgp_peerlist_entry)
 #define WG_PEER_WRITER_INSERT_HEAD(wgp, wg)				\
 	PSLIST_WRITER_INSERT_HEAD(&(wg)->wg_peers, (wgp), wgp_peerlist_entry)
 #define WG_PEER_WRITER_REMOVE(wgp)					\
 	PSLIST_WRITER_REMOVE((wgp), wgp_peerlist_entry)
 struct wg_route {
 	struct radix_node	wgr_nodes[2];
 	struct wg_peer		*wgr_peer;
 };
 static struct radix_node_head *
 wg_rnh(struct wg_softc *wg, const int family)
+{
 	switch (family) {
 		case AF_INET:
 			return wg->wg_rtable_ipv4;
 #ifdef INET6
 		case AF_INET6:
 			return wg->wg_rtable_ipv6;
 #endif
 		default:
 			return NULL;
+	}
+}
 /*
  * Global variables
  */
 LIST_HEAD(wg_sclist, wg_softc);
 static struct {
 	struct wg_sclist list;
 	kmutex_t lock;
 } wg_softcs __cacheline_aligned;
 struct psref_class *wg_psref_class __read_mostly;
 static struct if_clone wg_cloner =
     IF_CLONE_INITIALIZER("wg", wg_clone_create, wg_clone_destroy);
 void wgattach(int);
 /* ARGSUSED */
 void
 wgattach(int count)
+{
 	/*
 	 * Nothing to do here, initialization is handled by the
 	 * module initialization code in wginit() below).
 	 */
+}
 static void
 wginit(void)
+{
 	wg_psref_class = psref_class_create("wg", IPL_SOFTNET);
 	mutex_init(&wg_softcs.lock, MUTEX_DEFAULT, IPL_NONE);
 	LIST_INIT(&wg_softcs.list);
 	if_clone_attach(&wg_cloner);
+}
 static int
 wgdetach(void)
+{
 	int error = 0;
 	mutex_enter(&wg_softcs.lock);
 	if (!LIST_EMPTY(&wg_softcs.list)) {
 		mutex_exit(&wg_softcs.lock);
 		error = EBUSY;
+	}
 	if (error == 0) {
 		psref_class_destroy(wg_psref_class);
 		if_clone_detach(&wg_cloner);
+	}
 	return error;
+}
 static void
 wg_init_key_and_hash(uint8_t ckey[WG_CHAINING_KEY_LEN],
     uint8_t hash[WG_HASH_LEN])
+{
 	/* [W] 5.4: CONSTRUCTION */
 	const char *signature = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s";
 	/* [W] 5.4: IDENTIFIER */
 	const char *id = "WireGuard v1 zx2c4 Jason@zx2c4.com";
 	struct blake2s state;
 	blake2s(ckey, WG_CHAINING_KEY_LEN, NULL, 0,
 	    signature, strlen(signature));
 	CTASSERT(WG_HASH_LEN == WG_CHAINING_KEY_LEN);
 	memcpy(hash, ckey, WG_CHAINING_KEY_LEN);
 	blake2s_init(&state, WG_HASH_LEN, NULL, 0);
 	blake2s_update(&state, ckey, WG_CHAINING_KEY_LEN);
 	blake2s_update(&state, id, strlen(id));
 	blake2s_final(&state, hash);
 	WG_DUMP_HASH("ckey", ckey);
 	WG_DUMP_HASH("hash", hash);
+}
 static void
 wg_algo_hash(uint8_t hash[WG_HASH_LEN], const uint8_t input[],
     const size_t inputsize)
+{
 	struct blake2s state;
 	blake2s_init(&state, WG_HASH_LEN, NULL, 0);
 	blake2s_update(&state, hash, WG_HASH_LEN);
 	blake2s_update(&state, input, inputsize);
 	blake2s_final(&state, hash);
+}
 static void
 wg_algo_mac(uint8_t out[], const size_t outsize,
     const uint8_t key[], const size_t keylen,
     const uint8_t input1[], const size_t input1len,
     const uint8_t input2[], const size_t input2len)
+{
 	struct blake2s state;
 	blake2s_init(&state, outsize, key, keylen);
 	blake2s_update(&state, input1, input1len);
 	if (input2 != NULL)
 		blake2s_update(&state, input2, input2len);
 	blake2s_final(&state, out);
+}
 static void
 wg_algo_mac_mac1(uint8_t out[], const size_t outsize,
     const uint8_t input1[], const size_t input1len,
     const uint8_t input2[], const size_t input2len)
+{
 	struct blake2s state;
 	/* [W] 5.4: LABEL-MAC1 */
 	const char *label = "mac1----";
 	uint8_t key[WG_HASH_LEN];
 	blake2s_init(&state, sizeof(key), NULL, 0);
 	blake2s_update(&state, label, strlen(label));
 	blake2s_update(&state, input1, input1len);
 	blake2s_final(&state, key);
 	blake2s_init(&state, outsize, key, sizeof(key));
 	if (input2 != NULL)
 		blake2s_update(&state, input2, input2len);
 	blake2s_final(&state, out);
+}
 static void
 wg_algo_mac_cookie(uint8_t out[], const size_t outsize,
     const uint8_t input1[], const size_t input1len)
+{
 	struct blake2s state;
 	/* [W] 5.4: LABEL-COOKIE */
 	const char *label = "cookie--";
 	blake2s_init(&state, outsize, NULL, 0);
 	blake2s_update(&state, label, strlen(label));
 	blake2s_update(&state, input1, input1len);
 	blake2s_final(&state, out);
+}
 static void
 wg_algo_generate_keypair(uint8_t pubkey[WG_EPHEMERAL_KEY_LEN],
     uint8_t privkey[WG_EPHEMERAL_KEY_LEN])
+{
 	CTASSERT(WG_EPHEMERAL_KEY_LEN == crypto_scalarmult_curve25519_BYTES);
 	cprng_strong(kern_cprng, privkey, WG_EPHEMERAL_KEY_LEN, 0);
 	crypto_scalarmult_base(pubkey, privkey);
+}
 static void
 wg_algo_dh(uint8_t out[WG_DH_OUTPUT_LEN],
     const uint8_t privkey[WG_STATIC_KEY_LEN],
     const uint8_t pubkey[WG_STATIC_KEY_LEN])
+{
 	CTASSERT(WG_STATIC_KEY_LEN == crypto_scalarmult_curve25519_BYTES);
 	int ret __diagused = crypto_scalarmult(out, privkey, pubkey);
 	KASSERT(ret == 0);
+}
 static void
 wg_algo_hmac(uint8_t out[], const size_t outlen,
     const uint8_t key[], const size_t keylen,
     const uint8_t in[], const size_t inlen)
+{
 #define IPAD	0x36
 #define OPAD	0x5c
 	uint8_t hmackey[HMAC_BLOCK_LEN] = {0};
 	uint8_t ipad[HMAC_BLOCK_LEN];
 	uint8_t opad[HMAC_BLOCK_LEN];
 	int i;
 	struct blake2s state;
 	KASSERT(outlen == WG_HASH_LEN);
 	KASSERT(keylen <= HMAC_BLOCK_LEN);
 	memcpy(hmackey, key, keylen);
 	for (i = 0; i < sizeof(hmackey); i++) {
 		ipad[i] = hmackey[i] ^ IPAD;
 		opad[i] = hmackey[i] ^ OPAD;
+	}
 	blake2s_init(&state, WG_HASH_LEN, NULL, 0);
 	blake2s_update(&state, ipad, sizeof(ipad));
 	blake2s_update(&state, in, inlen);
 	blake2s_final(&state, out);
 	blake2s_init(&state, WG_HASH_LEN, NULL, 0);
 	blake2s_update(&state, opad, sizeof(opad));
 	blake2s_update(&state, out, WG_HASH_LEN);
 	blake2s_final(&state, out);
 #undef IPAD
 #undef OPAD
+}
 static void
 wg_algo_kdf(uint8_t out1[WG_KDF_OUTPUT_LEN], uint8_t out2[WG_KDF_OUTPUT_LEN],
     uint8_t out3[WG_KDF_OUTPUT_LEN], const uint8_t ckey[WG_CHAINING_KEY_LEN],
     const uint8_t input[], const size_t inputlen)
+{
 	uint8_t tmp1[WG_KDF_OUTPUT_LEN], tmp2[WG_KDF_OUTPUT_LEN + 1];
 	uint8_t one[1];
 	/*
 	 * [N] 4.3: "an input_key_material byte sequence with length
 	 * either zero bytes, 32 bytes, or DHLEN bytes."
 	 */
 	KASSERT(inputlen == 0 || inputlen == 32 || inputlen == NOISE_DHLEN);
 	WG_DUMP_HASH("ckey", ckey);
 	if (input != NULL)
 		WG_DUMP_HASH("input", input);
 	wg_algo_hmac(tmp1, sizeof(tmp1), ckey, WG_CHAINING_KEY_LEN,
 	    input, inputlen);
 	WG_DUMP_HASH("tmp1", tmp1);
 	one[0] = 1;
 	wg_algo_hmac(out1, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1),
 	    one, sizeof(one));
 	WG_DUMP_HASH("out1", out1);
 	if (out2 == NULL)
 		return;
 	memcpy(tmp2, out1, WG_KDF_OUTPUT_LEN);
 	tmp2[WG_KDF_OUTPUT_LEN] = 2;
 	wg_algo_hmac(out2, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1),
 	    tmp2, sizeof(tmp2));
 	WG_DUMP_HASH("out2", out2);
 	if (out3 == NULL)
 		return;
 	memcpy(tmp2, out2, WG_KDF_OUTPUT_LEN);
 	tmp2[WG_KDF_OUTPUT_LEN] = 3;
 	wg_algo_hmac(out3, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1),
 	    tmp2, sizeof(tmp2));
 	WG_DUMP_HASH("out3", out3);
+}
 static void
 wg_algo_dh_kdf(uint8_t ckey[WG_CHAINING_KEY_LEN],
     uint8_t cipher_key[WG_CIPHER_KEY_LEN],
     const uint8_t local_key[WG_STATIC_KEY_LEN],
     const uint8_t remote_key[WG_STATIC_KEY_LEN])
+{
 	uint8_t dhout[WG_DH_OUTPUT_LEN];
 	wg_algo_dh(dhout, local_key, remote_key);
 	wg_algo_kdf(ckey, cipher_key, NULL, ckey, dhout, sizeof(dhout));
 	WG_DUMP_HASH("dhout", dhout);
 	WG_DUMP_HASH("ckey", ckey);
 	if (cipher_key != NULL)
 		WG_DUMP_HASH("cipher_key", cipher_key);
+}
 static void
 wg_algo_aead_enc(uint8_t out[], size_t expected_outsize, const uint8_t key[],
     const uint64_t counter, const uint8_t plain[], const size_t plainsize,
     const uint8_t auth[], size_t authlen)
+{
 	uint8_t nonce[(32 + 64) / 8] = {0};
 	long long unsigned int outsize;
 	int error __diagused;
 	le64enc(&nonce[4], counter);
 	error = crypto_aead_chacha20poly1305_ietf_encrypt(out, &outsize, plain,
 	    plainsize, auth, authlen, NULL, nonce, key);
 	KASSERT(error == 0);
 	KASSERT(outsize == expected_outsize);
+}
 static int
 wg_algo_aead_dec(uint8_t out[], size_t expected_outsize, const uint8_t key[],
     const uint64_t counter, const uint8_t encrypted[],
     const size_t encryptedsize, const uint8_t auth[], size_t authlen)
+{
 	uint8_t nonce[(32 + 64) / 8] = {0};
 	long long unsigned int outsize;
 	int error;
 	le64enc(&nonce[4], counter);
 	error = crypto_aead_chacha20poly1305_ietf_decrypt(out, &outsize, NULL,
 	    encrypted, encryptedsize, auth, authlen, nonce, key);
 	if (error == 0)
 		KASSERT(outsize == expected_outsize);
 	return error;
+}
 static void
 wg_algo_xaead_enc(uint8_t out[], const size_t expected_outsize,
     const uint8_t key[], const uint8_t plain[], const size_t plainsize,
     const uint8_t auth[], size_t authlen,
     const uint8_t nonce[WG_SALT_LEN])
+{
 	long long unsigned int outsize;
 	int error __diagused;
 	CTASSERT(WG_SALT_LEN == crypto_aead_xchacha20poly1305_ietf_NPUBBYTES);
 	error = crypto_aead_xchacha20poly1305_ietf_encrypt(out, &outsize,
 	    plain, plainsize, auth, authlen, NULL, nonce, key);
 	KASSERT(error == 0);
 	KASSERT(outsize == expected_outsize);
+}
 static int
 wg_algo_xaead_dec(uint8_t out[], const size_t expected_outsize,
     const uint8_t key[], const uint8_t encrypted[], const size_t encryptedsize,
     const uint8_t auth[], size_t authlen,
     const uint8_t nonce[WG_SALT_LEN])
+{
 	long long unsigned int outsize;
 	int error;
 	error = crypto_aead_xchacha20poly1305_ietf_decrypt(out, &outsize, NULL,
 	    encrypted, encryptedsize, auth, authlen, nonce, key);
 	if (error == 0)
 		KASSERT(outsize == expected_outsize);
 	return error;
+}
 static void
 wg_algo_tai64n(wg_timestamp_t timestamp)
+{
 	struct timespec ts;
 	/* FIXME strict TAI64N (https://cr.yp.to/libtai/tai64.html) */
 	getnanotime(&ts);
 	/* TAI64 label in external TAI64 format */
 	be32enc(timestamp, 0x40000000UL + (ts.tv_sec >> 32));
 	/* second beginning from 1970 TAI */
 	be32enc(timestamp + 4, ts.tv_sec & 0xffffffffU);
 	/* nanosecond in big-endian format */
 	be32enc(timestamp + 8, ts.tv_nsec);
+}
 static struct wg_session *
 wg_get_unstable_session(struct wg_peer *wgp, struct psref *psref)
+{
 	int s;
 	struct wg_session *wgs;
 	s = pserialize_read_enter();
 	wgs = wgp->wgp_session_unstable;
 	psref_acquire(psref, &wgs->wgs_psref, wg_psref_class);
 	pserialize_read_exit(s);
 	return wgs;
+}
 static struct wg_session *
 wg_get_stable_session(struct wg_peer *wgp, struct psref *psref)
+{
 	int s;
 	struct wg_session *wgs;
 	s = pserialize_read_enter();
 	wgs = wgp->wgp_session_stable;
 	psref_acquire(psref, &wgs->wgs_psref, wg_psref_class);
 	pserialize_read_exit(s);
 	return wgs;
+}
 static void
 wg_get_session(struct wg_session *wgs, struct psref *psref)
+{
 	psref_acquire(psref, &wgs->wgs_psref, wg_psref_class);
+}
 static void
 wg_put_session(struct wg_session *wgs, struct psref *psref)
+{
 	psref_release(psref, &wgs->wgs_psref, wg_psref_class);
+}
 static struct wg_session *
 wg_lock_unstable_session(struct wg_peer *wgp)
+{
 	struct wg_session *wgs;
 	mutex_enter(wgp->wgp_lock);
 	wgs = wgp->wgp_session_unstable;
 	mutex_enter(wgs->wgs_lock);
 	mutex_exit(wgp->wgp_lock);
 	return wgs;
+}
 #if 0
 static void
 wg_unlock_session(struct wg_peer *wgp, struct wg_session *wgs)
+{
 	mutex_exit(wgs->wgs_lock);
+}
 #endif
 static uint32_t
 wg_assign_sender_index(struct wg_softc *wg, struct wg_session *wgs)
+{
 	struct wg_peer *wgp = wgs->wgs_peer;
 	struct wg_session *wgs0;
 	uint32_t index;
 	void *garbage;
 	mutex_enter(wgs->wgs_lock);
 	/* Release the current index, if there is one.  */
 	while ((index = wgs->wgs_sender_index) != 0) {
 		/* Remove the session by index.  */
 		thmap_del(wg->wg_sessions_byindex, &index, sizeof index);
 		wgs->wgs_sender_index = 0;
 		mutex_exit(wgs->wgs_lock);
 		/* Wait for all thmap_gets to complete, and GC.  */
 		garbage = thmap_stage_gc(wg->wg_sessions_byindex);
 		mutex_enter(wgs->wgs_peer->wgp_lock);
 		pserialize_perform(wgp->wgp_psz);
 		mutex_exit(wgs->wgs_peer->wgp_lock);
 		thmap_gc(wg->wg_sessions_byindex, garbage);
 		mutex_enter(wgs->wgs_lock);
+	}
 restart:
 	/* Pick a uniform random nonzero index.  */
 	while (__predict_false((index = cprng_strong32()) == 0))
 		continue;
 	/* Try to take it.  */
 	wgs->wgs_sender_index = index;
 	wgs0 = thmap_put(wg->wg_sessions_byindex,
 	    &wgs->wgs_sender_index, sizeof wgs->wgs_sender_index, wgs);
 	/* If someone else beat us, start over.  */
 	if (__predict_false(wgs0 != wgs))
 		goto restart;
 	mutex_exit(wgs->wgs_lock);
 	return index;
+}
 /*
  * Handshake patterns
+ *
  * [W] 5: "These messages use the "IK" pattern from Noise"
  * [N] 7.5. Interactive handshake patterns (fundamental)
  *     "The first character refers to the initiator’s static key:"
  *     "I = Static key for initiator Immediately transmitted to responder,
  *          despite reduced or absent identity hiding"
  *     "The second character refers to the responder’s static key:"
  *     "K = Static key for responder Known to initiator"
  *     "IK:
  *        <- s
  *        ...
  *        -> e, es, s, ss
  *        <- e, ee, se"
  * [N] 9.4. Pattern modifiers
  *     "IKpsk2:
  *        <- s
  *        ...
  *        -> e, es, s, ss
  *        <- e, ee, se, psk"
  */
 static void
 wg_fill_msg_init(struct wg_softc *wg, struct wg_peer *wgp,
     struct wg_session *wgs, struct wg_msg_init *wgmi)
+{
 	uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.2: Ci */
 	uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.2: Hi */
 	uint8_t cipher_key[WG_CIPHER_KEY_LEN];
 	uint8_t pubkey[WG_EPHEMERAL_KEY_LEN];
 	uint8_t privkey[WG_EPHEMERAL_KEY_LEN];
 	wgmi->wgmi_type = htole32(WG_MSG_TYPE_INIT);
 	wgmi->wgmi_sender = wg_assign_sender_index(wg, wgs);
 	/* [W] 5.4.2: First Message: Initiator to Responder */
 	/* Ci := HASH(CONSTRUCTION) */
 	/* Hi := HASH(Ci || IDENTIFIER) */
 	wg_init_key_and_hash(ckey, hash);
 	/* Hi := HASH(Hi || Sr^pub) */
 	wg_algo_hash(hash, wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey));
 	WG_DUMP_HASH("hash", hash);
 	/* [N] 2.2: "e" */
 	/* Ei^priv, Ei^pub := DH-GENERATE() */
 	wg_algo_generate_keypair(pubkey, privkey);
 	/* Ci := KDF1(Ci, Ei^pub) */
 	wg_algo_kdf(ckey, NULL, NULL, ckey, pubkey, sizeof(pubkey));
 	/* msg.ephemeral := Ei^pub */
 	memcpy(wgmi->wgmi_ephemeral, pubkey, sizeof(wgmi->wgmi_ephemeral));
 	/* Hi := HASH(Hi || msg.ephemeral) */
 	wg_algo_hash(hash, pubkey, sizeof(pubkey));
 	WG_DUMP_HASH("ckey", ckey);
 	WG_DUMP_HASH("hash", hash);
 	/* [N] 2.2: "es" */
 	/* Ci, k := KDF2(Ci, DH(Ei^priv, Sr^pub)) */
 	wg_algo_dh_kdf(ckey, cipher_key, privkey, wgp->wgp_pubkey);
 	/* [N] 2.2: "s" */
 	/* msg.static := AEAD(k, 0, Si^pub, Hi) */
 	wg_algo_aead_enc(wgmi->wgmi_static, sizeof(wgmi->wgmi_static),
 	    cipher_key, 0, wg->wg_pubkey, sizeof(wg->wg_pubkey),
 	    hash, sizeof(hash));
 	/* Hi := HASH(Hi || msg.static) */
 	wg_algo_hash(hash, wgmi->wgmi_static, sizeof(wgmi->wgmi_static));
 	WG_DUMP_HASH48("wgmi_static", wgmi->wgmi_static);
 	/* [N] 2.2: "ss" */
 	/* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */
 	wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey);
 	/* msg.timestamp := AEAD(k, TIMESTAMP(), Hi) */
 	wg_timestamp_t timestamp;
 	wg_algo_tai64n(timestamp);
 	wg_algo_aead_enc(wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp),
 	    cipher_key, 0, timestamp, sizeof(timestamp), hash, sizeof(hash));
 	/* Hi := HASH(Hi || msg.timestamp) */
 	wg_algo_hash(hash, wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp));
 	/* [W] 5.4.4 Cookie MACs */
 	wg_algo_mac_mac1(wgmi->wgmi_mac1, sizeof(wgmi->wgmi_mac1),
 	    wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey),
 	    (const uint8_t *)wgmi, offsetof(struct wg_msg_init, wgmi_mac1));
 	/* Need mac1 to decrypt a cookie from a cookie message */
 	memcpy(wgp->wgp_last_sent_mac1, wgmi->wgmi_mac1,
 	    sizeof(wgp->wgp_last_sent_mac1));
 	wgp->wgp_last_sent_mac1_valid = true;
 	if (wgp->wgp_latest_cookie_time == 0 ||
 	    (time_uptime - wgp->wgp_latest_cookie_time) >= WG_COOKIE_TIME)
 		memset(wgmi->wgmi_mac2, 0, sizeof(wgmi->wgmi_mac2));
 	else {
 		wg_algo_mac(wgmi->wgmi_mac2, sizeof(wgmi->wgmi_mac2),
 		    wgp->wgp_latest_cookie, WG_COOKIE_LEN,
 		    (const uint8_t *)wgmi,
 		    offsetof(struct wg_msg_init, wgmi_mac2),
 		    NULL, 0);
+	}
 	memcpy(wgs->wgs_ephemeral_key_pub, pubkey, sizeof(pubkey));
 	memcpy(wgs->wgs_ephemeral_key_priv, privkey, sizeof(privkey));
 	memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash));
 	memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey));
 	WG_DLOG("%s: sender=%x\n", __func__, wgs->wgs_sender_index);
+}
 static void
 wg_handle_msg_init(struct wg_softc *wg, const struct wg_msg_init *wgmi,
     const struct sockaddr *src)
+{
 	uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.2: Ci */
 	uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.2: Hi */
 	uint8_t cipher_key[WG_CIPHER_KEY_LEN];
 	uint8_t peer_pubkey[WG_STATIC_KEY_LEN];
 	struct wg_peer *wgp;
 	struct wg_session *wgs;
 	bool reset_state_on_error = false;
 	int error, ret;
 	struct psref psref_peer;
 	struct psref psref_session;
 	uint8_t mac1[WG_MAC_LEN];
 	WG_TRACE("init msg received");
 	/*
 	 * [W] 5.4.2: First Message: Initiator to Responder
 	 * "When the responder receives this message, it does the same
 	 *  operations so that its final state variables are identical,
 	 *  replacing the operands of the DH function to produce equivalent
 	 *  values."
 	 *  Note that the following comments of operations are just copies of
 	 *  the initiator's ones.
 	 */
 	/* Ci := HASH(CONSTRUCTION) */
 	/* Hi := HASH(Ci || IDENTIFIER) */
 	wg_init_key_and_hash(ckey, hash);
 	/* Hi := HASH(Hi || Sr^pub) */
 	wg_algo_hash(hash, wg->wg_pubkey, sizeof(wg->wg_pubkey));
 	/* [N] 2.2: "e" */
 	/* Ci := KDF1(Ci, Ei^pub) */
 	wg_algo_kdf(ckey, NULL, NULL, ckey, wgmi->wgmi_ephemeral,
 	    sizeof(wgmi->wgmi_ephemeral));
 	/* Hi := HASH(Hi || msg.ephemeral) */
 	wg_algo_hash(hash, wgmi->wgmi_ephemeral, sizeof(wgmi->wgmi_ephemeral));
 	WG_DUMP_HASH("ckey", ckey);
 	/* [N] 2.2: "es" */
 	/* Ci, k := KDF2(Ci, DH(Ei^priv, Sr^pub)) */
 	wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgmi->wgmi_ephemeral);
 	WG_DUMP_HASH48("wgmi_static", wgmi->wgmi_static);
 	/* [N] 2.2: "s" */
 	/* msg.static := AEAD(k, 0, Si^pub, Hi) */
 	error = wg_algo_aead_dec(peer_pubkey, WG_STATIC_KEY_LEN, cipher_key, 0,
 	    wgmi->wgmi_static, sizeof(wgmi->wgmi_static), hash, sizeof(hash));
 	if (error != 0) {
 		WG_LOG_RATECHECK(&wg->wg_ppsratecheck, LOG_DEBUG,
 		    "wg_algo_aead_dec for secret key failed\n");
 		return;
+	}
 	/* Hi := HASH(Hi || msg.static) */
 	wg_algo_hash(hash, wgmi->wgmi_static, sizeof(wgmi->wgmi_static));
 	wgp = wg_lookup_peer_by_pubkey(wg, peer_pubkey, &psref_peer);
 	if (wgp == NULL) {
 		WG_DLOG("peer not found\n");
 		return;
+	}
 	wgs = wg_lock_unstable_session(wgp);
 	if (wgs->wgs_state == WGS_STATE_DESTROYING) {
 		/*
 		 * We can assume that the peer doesn't have an
 		 * established session, so clear it now.  If the timer
 		 * fired, tough -- it won't have any effect unless we
 		 * manage to transition back to WGS_STATE_DESTROYING.
 		 */
 		WG_TRACE("Session destroying, but force to clear");
 		callout_stop(&wgp->wgp_session_dtor_timer);
 		wg_clear_states(wgs);
 		wgs->wgs_state = WGS_STATE_UNKNOWN;
+	}
 	if (wgs->wgs_state == WGS_STATE_INIT_ACTIVE) {
 		WG_TRACE("Sesssion already initializing, ignoring the message");
 		mutex_exit(wgs->wgs_lock);
 		goto out_wgp;
+	}
 	if (wgs->wgs_state == WGS_STATE_INIT_PASSIVE) {
 		WG_TRACE("Sesssion already initializing, destroying old states");
 		wg_clear_states(wgs);
+	}
 	wgs->wgs_state = WGS_STATE_INIT_PASSIVE;
 	reset_state_on_error = true;
 	wg_get_session(wgs, &psref_session);
 	mutex_exit(wgs->wgs_lock);
 	wg_algo_mac_mac1(mac1, sizeof(mac1),
 	    wg->wg_pubkey, sizeof(wg->wg_pubkey),
 	    (const uint8_t *)wgmi, offsetof(struct wg_msg_init, wgmi_mac1));
 	/*
 	 * [W] 5.3: Denial of Service Mitigation & Cookies
 	 * "the responder, ..., must always reject messages with an invalid
 	 *  msg.mac1"
 	 */
 	if (!consttime_memequal(mac1, wgmi->wgmi_mac1, sizeof(mac1))) {
 		WG_DLOG("mac1 is invalid\n");
 		goto out;
+	}
 	if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_INIT))) {
 		WG_TRACE("under load");
 		/*
 		 * [W] 5.3: Denial of Service Mitigation & Cookies
 		 * "the responder, ..., and when under load may reject messages
 		 *  with an invalid msg.mac2.  If the responder receives a
 		 *  message with a valid msg.mac1 yet with an invalid msg.mac2,
 		 *  and is under load, it may respond with a cookie reply
 		 *  message"
 		 */
 		uint8_t zero[WG_MAC_LEN] = {0};
 		if (consttime_memequal(wgmi->wgmi_mac2, zero, sizeof(zero))) {
 			WG_TRACE("sending a cookie message: no cookie included");
 			(void)wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender,
 			    wgmi->wgmi_mac1, src);
 			goto out;
+		}
 		if (!wgp->wgp_last_sent_cookie_valid) {
 			WG_TRACE("sending a cookie message: no cookie sent ever");
 			(void)wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender,
 			    wgmi->wgmi_mac1, src);
 			goto out;
+		}
 		uint8_t mac2[WG_MAC_LEN];
 		wg_algo_mac(mac2, sizeof(mac2), wgp->wgp_last_sent_cookie,
 		    WG_COOKIE_LEN, (const uint8_t *)wgmi,
 		    offsetof(struct wg_msg_init, wgmi_mac2), NULL, 0);
 		if (!consttime_memequal(mac2, wgmi->wgmi_mac2, sizeof(mac2))) {
 			WG_DLOG("mac2 is invalid\n");
 			goto out;
+		}
 		WG_TRACE("under load, but continue to sending");
+	}
 	/* [N] 2.2: "ss" */
 	/* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */
 	wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey);
 	/* msg.timestamp := AEAD(k, TIMESTAMP(), Hi) */
 	wg_timestamp_t timestamp;
 	error = wg_algo_aead_dec(timestamp, sizeof(timestamp), cipher_key, 0,
 	    wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp),
 	    hash, sizeof(hash));
 	if (error != 0) {
 		WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
 		    "wg_algo_aead_dec for timestamp failed\n");
 		goto out;
+	}
 	/* Hi := HASH(Hi || msg.timestamp) */
 	wg_algo_hash(hash, wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp));
 	/*
 	 * [W] 5.1 "The responder keeps track of the greatest timestamp
 	 *      received per peer and discards packets containing
 	 *      timestamps less than or equal to it."
 	 */
 	ret = memcmp(timestamp, wgp->wgp_timestamp_latest_init,
 	    sizeof(timestamp));
 	if (ret <= 0) {
 		WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
 		    "invalid init msg: timestamp is old\n");
 		goto out;
+	}
 	memcpy(wgp->wgp_timestamp_latest_init, timestamp, sizeof(timestamp));
 	memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash));
 	memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey));
 	memcpy(wgs->wgs_ephemeral_key_peer, wgmi->wgmi_ephemeral,
 	    sizeof(wgmi->wgmi_ephemeral));
 	wg_update_endpoint_if_necessary(wgp, src);
 	(void)wg_send_handshake_msg_resp(wg, wgp, wgmi);
 	wg_calculate_keys(wgs, false);
 	wg_clear_states(wgs);
 	wg_put_session(wgs, &psref_session);
 	wg_put_peer(wgp, &psref_peer);
 	return;
 out:
-	if (reset_state_on_error) {
+	mutex_enter(wgs->wgs_lock);
-		mutex_enter(wgs->wgs_lock);
+	KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE);
-		KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE);
+	wgs->wgs_state = WGS_STATE_UNKNOWN;
-		wgs->wgs_state = WGS_STATE_UNKNOWN;
+	mutex_exit(wgs->wgs_lock);
 		mutex_exit(wgs->wgs_lock);
 	wg_put_session(wgs, &psref_session);
 out_wgp:
 	wg_put_peer(wgp, &psref_peer);
+}
 static void
 wg_schedule_handshake_timeout_timer(struct wg_peer *wgp)
+{
 	mutex_enter(wgp->wgp_lock);
 	if (__predict_true(wgp->wgp_state != WGP_STATE_DESTROYING)) {
 		callout_schedule(&wgp->wgp_handshake_timeout_timer,
 		    MIN(wg_rekey_timeout, INT_MAX/hz) * hz);
+	}
 	mutex_exit(wgp->wgp_lock);
+}
 static struct socket *
 wg_get_so_by_af(struct wg_worker *wgw, const int af)
+{
 	return (af == AF_INET) ? wgw->wgw_so4 : wgw->wgw_so6;
+}
 static struct socket *
 wg_get_so_by_peer(struct wg_peer *wgp)
+{
 	return wg_get_so_by_af(wgp->wgp_sc->wg_worker, wgp->wgp_sa.sa_family);
+}
 static struct wg_sockaddr *
 wg_get_endpoint_sa(struct wg_peer *wgp, struct psref *psref)
+{
 	struct wg_sockaddr *wgsa;
 	int s;
 	s = pserialize_read_enter();
 	wgsa = wgp->wgp_endpoint;
 	psref_acquire(psref, &wgsa->wgsa_psref, wg_psref_class);
 	pserialize_read_exit(s);
 	return wgsa;
+}
 static void
 wg_put_sa(struct wg_peer *wgp, struct wg_sockaddr *wgsa, struct psref *psref)
+{
 	psref_release(psref, &wgsa->wgsa_psref, wg_psref_class);
+}
 static int
 wg_send_so(struct wg_peer *wgp, struct mbuf *m)
+{
 	int error;
 	struct socket *so;
 	struct psref psref;
 	struct wg_sockaddr *wgsa;
 	so = wg_get_so_by_peer(wgp);
 	wgsa = wg_get_endpoint_sa(wgp, &psref);
 	error = sosend(so, wgsatosa(wgsa), NULL, m, NULL, 0, curlwp);
 	wg_put_sa(wgp, wgsa, &psref);
 	return error;
+}
 static int
 wg_send_handshake_msg_init(struct wg_softc *wg, struct wg_peer *wgp)
+{
 	int error;
 	struct mbuf *m;
 	struct wg_msg_init *wgmi;
 	struct wg_session *wgs;
 	struct psref psref;
 	wgs = wg_lock_unstable_session(wgp);
 	if (wgs->wgs_state == WGS_STATE_DESTROYING) {
 		WG_TRACE("Session destroying");
 		mutex_exit(wgs->wgs_lock);
 		/* XXX should wait? */
 		return EBUSY;
+	}
 	if (wgs->wgs_state == WGS_STATE_INIT_ACTIVE) {
 		WG_TRACE("Sesssion already initializing, skip starting a new one");
 		mutex_exit(wgs->wgs_lock);
 		return EBUSY;
+	}
 	if (wgs->wgs_state == WGS_STATE_INIT_PASSIVE) {
 		WG_TRACE("Sesssion already initializing, destroying old states");
 		wg_clear_states(wgs);
+	}
 	wgs->wgs_state = WGS_STATE_INIT_ACTIVE;
 	wg_get_session(wgs, &psref);
 	mutex_exit(wgs->wgs_lock);
 	m = m_gethdr(M_WAIT, MT_DATA);
 	m->m_pkthdr.len = m->m_len = sizeof(*wgmi);
 	wgmi = mtod(m, struct wg_msg_init *);
 	wg_fill_msg_init(wg, wgp, wgs, wgmi);
 	error = wg->wg_ops->send_hs_msg(wgp, m);
 	if (error == 0) {
 		WG_TRACE("init msg sent");
 		if (wgp->wgp_handshake_start_time == 0)
 			wgp->wgp_handshake_start_time = time_uptime;
 		wg_schedule_handshake_timeout_timer(wgp);
 	} else {
 		mutex_enter(wgs->wgs_lock);
 		KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE);
 		wgs->wgs_state = WGS_STATE_UNKNOWN;
 		mutex_exit(wgs->wgs_lock);
+	}
 	wg_put_session(wgs, &psref);
 	return error;
+}
 static void
 wg_fill_msg_resp(struct wg_softc *wg, struct wg_peer *wgp,
     struct wg_msg_resp *wgmr, const struct wg_msg_init *wgmi)
+{
 	uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.3: Cr */
 	uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.3: Hr */
 	uint8_t cipher_key[WG_KDF_OUTPUT_LEN];
 	uint8_t pubkey[WG_EPHEMERAL_KEY_LEN];
 	uint8_t privkey[WG_EPHEMERAL_KEY_LEN];
 	struct wg_session *wgs;
 	struct psref psref;
 	wgs = wg_get_unstable_session(wgp, &psref);
 	memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash));
 	memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey));
 	wgmr->wgmr_type = htole32(WG_MSG_TYPE_RESP);
 	wgmr->wgmr_sender = wg_assign_sender_index(wg, wgs);
 	wgmr->wgmr_receiver = wgmi->wgmi_sender;
 	/* [W] 5.4.3 Second Message: Responder to Initiator */
 	/* [N] 2.2: "e" */
 	/* Er^priv, Er^pub := DH-GENERATE() */
 	wg_algo_generate_keypair(pubkey, privkey);
 	/* Cr := KDF1(Cr, Er^pub) */
 	wg_algo_kdf(ckey, NULL, NULL, ckey, pubkey, sizeof(pubkey));
 	/* msg.ephemeral := Er^pub */
 	memcpy(wgmr->wgmr_ephemeral, pubkey, sizeof(wgmr->wgmr_ephemeral));
 	/* Hr := HASH(Hr || msg.ephemeral) */
 	wg_algo_hash(hash, pubkey, sizeof(pubkey));
 	WG_DUMP_HASH("ckey", ckey);
 	WG_DUMP_HASH("hash", hash);
 	/* [N] 2.2: "ee" */
 	/* Cr := KDF1(Cr, DH(Er^priv, Ei^pub)) */
 	wg_algo_dh_kdf(ckey, NULL, privkey, wgs->wgs_ephemeral_key_peer);
 	/* [N] 2.2: "se" */
 	/* Cr := KDF1(Cr, DH(Er^priv, Si^pub)) */
 	wg_algo_dh_kdf(ckey, NULL, privkey, wgp->wgp_pubkey);
 	/* [N] 9.2: "psk" */
+    {
 	uint8_t kdfout[WG_KDF_OUTPUT_LEN];
 	/* Cr, r, k := KDF3(Cr, Q) */
 	wg_algo_kdf(ckey, kdfout, cipher_key, ckey, wgp->wgp_psk,
 	    sizeof(wgp->wgp_psk));
 	/* Hr := HASH(Hr || r) */
 	wg_algo_hash(hash, kdfout, sizeof(kdfout));
+    }
 	/* msg.empty := AEAD(k, 0, e, Hr) */
 	wg_algo_aead_enc(wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty),
 	    cipher_key, 0, NULL, 0, hash, sizeof(hash));
 	/* Hr := HASH(Hr || msg.empty) */
 	wg_algo_hash(hash, wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty));
 	WG_DUMP_HASH("wgmr_empty", wgmr->wgmr_empty);
 	/* [W] 5.4.4: Cookie MACs */
 	/* msg.mac1 := MAC(HASH(LABEL-MAC1 || Sm'^pub), msg_a) */
 	wg_algo_mac_mac1(wgmr->wgmr_mac1, sizeof(wgmi->wgmi_mac1),
 	    wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey),
 	    (const uint8_t *)wgmr, offsetof(struct wg_msg_resp, wgmr_mac1));
 	/* Need mac1 to decrypt a cookie from a cookie message */
 	memcpy(wgp->wgp_last_sent_mac1, wgmr->wgmr_mac1,
 	    sizeof(wgp->wgp_last_sent_mac1));
 	wgp->wgp_last_sent_mac1_valid = true;
 	if (wgp->wgp_latest_cookie_time == 0 ||
 	    (time_uptime - wgp->wgp_latest_cookie_time) >= WG_COOKIE_TIME)
 		/* msg.mac2 := 0^16 */
 		memset(wgmr->wgmr_mac2, 0, sizeof(wgmr->wgmr_mac2));
 	else {
 		/* msg.mac2 := MAC(Lm, msg_b) */
 		wg_algo_mac(wgmr->wgmr_mac2, sizeof(wgmi->wgmi_mac2),
 		    wgp->wgp_latest_cookie, WG_COOKIE_LEN,
 		    (const uint8_t *)wgmr,
 		    offsetof(struct wg_msg_resp, wgmr_mac2),
 		    NULL, 0);
+	}
 	memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash));
 	memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey));
 	memcpy(wgs->wgs_ephemeral_key_pub, pubkey, sizeof(pubkey));
 	memcpy(wgs->wgs_ephemeral_key_priv, privkey, sizeof(privkey));
 	wgs->wgs_receiver_index = wgmi->wgmi_sender;
 	WG_DLOG("sender=%x\n", wgs->wgs_sender_index);
 	WG_DLOG("receiver=%x\n", wgs->wgs_receiver_index);
 	wg_put_session(wgs, &psref);
+}
 static void
 wg_swap_sessions(struct wg_peer *wgp)
+{
 	KASSERT(mutex_owned(wgp->wgp_lock));
 	wgp->wgp_session_unstable = atomic_swap_ptr(&wgp->wgp_session_stable,
 	    wgp->wgp_session_unstable);
 	KASSERT(wgp->wgp_session_stable->wgs_state == WGS_STATE_ESTABLISHED);
+}
 static void
 wg_handle_msg_resp(struct wg_softc *wg, const struct wg_msg_resp *wgmr,
     const struct sockaddr *src)
+{
 	uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.3: Cr */
 	uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.3: Kr */
 	uint8_t cipher_key[WG_KDF_OUTPUT_LEN];
 	struct wg_peer *wgp;
 	struct wg_session *wgs;
 	struct psref psref;
 	int error;
 	uint8_t mac1[WG_MAC_LEN];
 	struct wg_session *wgs_prev;
 	WG_TRACE("resp msg received");
 	wgs = wg_lookup_session_by_index(wg, wgmr->wgmr_receiver, &psref);
 	if (wgs == NULL) {
 		WG_TRACE("No session found");
 		return;
+	}
 	wgp = wgs->wgs_peer;
 	wg_algo_mac_mac1(mac1, sizeof(mac1),
 	    wg->wg_pubkey, sizeof(wg->wg_pubkey),
 	    (const uint8_t *)wgmr, offsetof(struct wg_msg_resp, wgmr_mac1));
 	/*
 	 * [W] 5.3: Denial of Service Mitigation & Cookies
 	 * "the responder, ..., must always reject messages with an invalid
 	 *  msg.mac1"
 	 */
 	if (!consttime_memequal(mac1, wgmr->wgmr_mac1, sizeof(mac1))) {
 		WG_DLOG("mac1 is invalid\n");
 		goto out;
+	}
 	if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_RESP))) {
 		WG_TRACE("under load");
 		/*
 		 * [W] 5.3: Denial of Service Mitigation & Cookies
 		 * "the responder, ..., and when under load may reject messages
 		 *  with an invalid msg.mac2.  If the responder receives a
 		 *  message with a valid msg.mac1 yet with an invalid msg.mac2,
 		 *  and is under load, it may respond with a cookie reply
 		 *  message"
 		 */
 		uint8_t zero[WG_MAC_LEN] = {0};
 		if (consttime_memequal(wgmr->wgmr_mac2, zero, sizeof(zero))) {
 			WG_TRACE("sending a cookie message: no cookie included");
 			(void)wg_send_cookie_msg(wg, wgp, wgmr->wgmr_sender,
 			    wgmr->wgmr_mac1, src);
 			goto out;
+		}
 		if (!wgp->wgp_last_sent_cookie_valid) {
 			WG_TRACE("sending a cookie message: no cookie sent ever");
 			(void)wg_send_cookie_msg(wg, wgp, wgmr->wgmr_sender,
 			    wgmr->wgmr_mac1, src);
 			goto out;
+		}
 		uint8_t mac2[WG_MAC_LEN];
 		wg_algo_mac(mac2, sizeof(mac2), wgp->wgp_last_sent_cookie,
 		    WG_COOKIE_LEN, (const uint8_t *)wgmr,
 		    offsetof(struct wg_msg_resp, wgmr_mac2), NULL, 0);
 		if (!consttime_memequal(mac2, wgmr->wgmr_mac2, sizeof(mac2))) {
 			WG_DLOG("mac2 is invalid\n");
 			goto out;
+		}
 		WG_TRACE("under load, but continue to sending");
+	}
 	memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash));
 	memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey));
 	/*
 	 * [W] 5.4.3 Second Message: Responder to Initiator
 	 * "When the initiator receives this message, it does the same
 	 *  operations so that its final state variables are identical,
 	 *  replacing the operands of the DH function to produce equivalent
 	 *  values."
 	 *  Note that the following comments of operations are just copies of
 	 *  the initiator's ones.
 	 */
 	/* [N] 2.2: "e" */
 	/* Cr := KDF1(Cr, Er^pub) */
 	wg_algo_kdf(ckey, NULL, NULL, ckey, wgmr->wgmr_ephemeral,
 	    sizeof(wgmr->wgmr_ephemeral));
 	/* Hr := HASH(Hr || msg.ephemeral) */
 	wg_algo_hash(hash, wgmr->wgmr_ephemeral, sizeof(wgmr->wgmr_ephemeral));
 	WG_DUMP_HASH("ckey", ckey);
 	WG_DUMP_HASH("hash", hash);
 	/* [N] 2.2: "ee" */
 	/* Cr := KDF1(Cr, DH(Er^priv, Ei^pub)) */
 	wg_algo_dh_kdf(ckey, NULL, wgs->wgs_ephemeral_key_priv,
 	    wgmr->wgmr_ephemeral);
 	/* [N] 2.2: "se" */
 	/* Cr := KDF1(Cr, DH(Er^priv, Si^pub)) */
 	wg_algo_dh_kdf(ckey, NULL, wg->wg_privkey, wgmr->wgmr_ephemeral);
 	/* [N] 9.2: "psk" */
+    {
 	uint8_t kdfout[WG_KDF_OUTPUT_LEN];
 	/* Cr, r, k := KDF3(Cr, Q) */
 	wg_algo_kdf(ckey, kdfout, cipher_key, ckey, wgp->wgp_psk,
 	    sizeof(wgp->wgp_psk));
 	/* Hr := HASH(Hr || r) */
 	wg_algo_hash(hash, kdfout, sizeof(kdfout));
+    }
+    {
 	uint8_t out[sizeof(wgmr->wgmr_empty)]; /* for safety */
 	/* msg.empty := AEAD(k, 0, e, Hr) */
 	error = wg_algo_aead_dec(out, 0, cipher_key, 0, wgmr->wgmr_empty,
 	    sizeof(wgmr->wgmr_empty), hash, sizeof(hash));
 	WG_DUMP_HASH("wgmr_empty", wgmr->wgmr_empty);
 	if (error != 0) {
 		WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
 		    "wg_algo_aead_dec for empty message failed\n");
 		goto out;
+	}
 	/* Hr := HASH(Hr || msg.empty) */
 	wg_algo_hash(hash, wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty));
+    }
 	memcpy(wgs->wgs_handshake_hash, hash, sizeof(wgs->wgs_handshake_hash));
 	memcpy(wgs->wgs_chaining_key, ckey, sizeof(wgs->wgs_chaining_key));
 	wgs->wgs_receiver_index = wgmr->wgmr_sender;
 	WG_DLOG("receiver=%x\n", wgs->wgs_receiver_index);
 	wgs->wgs_state = WGS_STATE_ESTABLISHED;
 	wgs->wgs_time_established = time_uptime;
 	wgs->wgs_time_last_data_sent = 0;
 	wgs->wgs_is_initiator = true;
 	wg_calculate_keys(wgs, true);
 	wg_clear_states(wgs);
 	WG_TRACE("WGS_STATE_ESTABLISHED");
 	callout_halt(&wgp->wgp_handshake_timeout_timer, NULL);
 	mutex_enter(wgp->wgp_lock);
 	wg_swap_sessions(wgp);
 	wgs_prev = wgp->wgp_session_unstable;
 	mutex_enter(wgs_prev->wgs_lock);
 	getnanotime(&wgp->wgp_last_handshake_time);
 	wgp->wgp_handshake_start_time = 0;
 	wgp->wgp_last_sent_mac1_valid = false;
 	wgp->wgp_last_sent_cookie_valid = false;
 	mutex_exit(wgp->wgp_lock);
 	wg_schedule_rekey_timer(wgp);
 	wg_update_endpoint_if_necessary(wgp, src);
 	/*
 	 * Send something immediately (same as the official implementation)
 	 * XXX if there are pending data packets, we don't need to send
 	 *     a keepalive message.
 	 */
 	wg_send_keepalive_msg(wgp, wgs);
 	/* Anyway run a softint to flush pending packets */
 	kpreempt_disable();
 	softint_schedule(wgp->wgp_si);
 	kpreempt_enable();
 	WG_TRACE("softint scheduled");
 	if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) {
 		wgs_prev->wgs_state = WGS_STATE_DESTROYING;
 		/* We can't destroy the old session immediately */
 		wg_schedule_session_dtor_timer(wgp);
+	}
 	mutex_exit(wgs_prev->wgs_lock);
 out:
 	wg_put_session(wgs, &psref);
+}
 static int
 wg_send_handshake_msg_resp(struct wg_softc *wg, struct wg_peer *wgp,
     const struct wg_msg_init *wgmi)
+{
 	int error;
 	struct mbuf *m;
 	struct wg_msg_resp *wgmr;
 	m = m_gethdr(M_WAIT, MT_DATA);
 	m->m_pkthdr.len = m->m_len = sizeof(*wgmr);
 	wgmr = mtod(m, struct wg_msg_resp *);
 	wg_fill_msg_resp(wg, wgp, wgmr, wgmi);
 	error = wg->wg_ops->send_hs_msg(wgp, m);
 	if (error == 0)
 		WG_TRACE("resp msg sent");
 	return error;
+}
 static struct wg_peer *
 wg_lookup_peer_by_pubkey(struct wg_softc *wg,
     const uint8_t pubkey[WG_STATIC_KEY_LEN], struct psref *psref)
+{
 	struct wg_peer *wgp;
 	int s = pserialize_read_enter();
 	wgp = thmap_get(wg->wg_peers_bypubkey, pubkey, WG_STATIC_KEY_LEN);
 	if (wgp != NULL)
 		wg_get_peer(wgp, psref);
 	pserialize_read_exit(s);
 	return wgp;
+}
 static void
 wg_fill_msg_cookie(struct wg_softc *wg, struct wg_peer *wgp,
     struct wg_msg_cookie *wgmc, const uint32_t sender,
     const uint8_t mac1[WG_MAC_LEN], const struct sockaddr *src)
+{
 	uint8_t cookie[WG_COOKIE_LEN];
 	uint8_t key[WG_HASH_LEN];
 	uint8_t addr[sizeof(struct in6_addr)];
 	size_t addrlen;
 	uint16_t uh_sport; /* be */
 	wgmc->wgmc_type = htole32(WG_MSG_TYPE_COOKIE);
 	wgmc->wgmc_receiver = sender;
 	cprng_fast(wgmc->wgmc_salt, sizeof(wgmc->wgmc_salt));
 	/*
 	 * [W] 5.4.7: Under Load: Cookie Reply Message
 	 * "The secret variable, Rm, changes every two minutes to a
 	 * random value"
 	 */
 	if ((time_uptime - wgp->wgp_last_genrandval_time) > WG_RANDVAL_TIME) {
 		wgp->wgp_randval = cprng_strong32();
 		wgp->wgp_last_genrandval_time = time_uptime;
+	}
 	switch (src->sa_family) {
 	case AF_INET: {
 		const struct sockaddr_in *sin = satocsin(src);
 		addrlen = sizeof(sin->sin_addr);
 		memcpy(addr, &sin->sin_addr, addrlen);
 		uh_sport = sin->sin_port;
 		break;
+	    }
 #ifdef INET6
 	case AF_INET6: {
 		const struct sockaddr_in6 *sin6 = satocsin6(src);
 		addrlen = sizeof(sin6->sin6_addr);
 		memcpy(addr, &sin6->sin6_addr, addrlen);
 		uh_sport = sin6->sin6_port;
 		break;
+	    }
 #endif
 	default:
 		panic("invalid af=%d", wgp->wgp_sa.sa_family);
+	}
 	wg_algo_mac(cookie, sizeof(cookie),
 	    (const uint8_t *)&wgp->wgp_randval, sizeof(wgp->wgp_randval),
 	    addr, addrlen, (const uint8_t *)&uh_sport, sizeof(uh_sport));
 	wg_algo_mac_cookie(key, sizeof(key), wg->wg_pubkey,
 	    sizeof(wg->wg_pubkey));
 	wg_algo_xaead_enc(wgmc->wgmc_cookie, sizeof(wgmc->wgmc_cookie), key,
 	    cookie, sizeof(cookie), mac1, WG_MAC_LEN, wgmc->wgmc_salt);
 	/* Need to store to calculate mac2 */
 	memcpy(wgp->wgp_last_sent_cookie, cookie, sizeof(cookie));
 	wgp->wgp_last_sent_cookie_valid = true;
+}
 static int
 wg_send_cookie_msg(struct wg_softc *wg, struct wg_peer *wgp,
     const uint32_t sender, const uint8_t mac1[WG_MAC_LEN],
     const struct sockaddr *src)
+{
 	int error;
 	struct mbuf *m;
 	struct wg_msg_cookie *wgmc;
 	m = m_gethdr(M_WAIT, MT_DATA);
 	m->m_pkthdr.len = m->m_len = sizeof(*wgmc);
 	wgmc = mtod(m, struct wg_msg_cookie *);
 	wg_fill_msg_cookie(wg, wgp, wgmc, sender, mac1, src);
 	error = wg->wg_ops->send_hs_msg(wgp, m);
 	if (error == 0)
 		WG_TRACE("cookie msg sent");
 	return error;
+}
 static bool
 wg_is_underload(struct wg_softc *wg, struct wg_peer *wgp, int msgtype)
+{
 #ifdef WG_DEBUG_PARAMS
 	if (wg_force_underload)
 		return true;
 #endif
 	/*
 	 * XXX we don't have a means of a load estimation.  The purpose of
 	 * the mechanism is a DoS mitigation, so we consider frequent handshake
 	 * messages as (a kind of) load; if a message of the same type comes
 	 * to a peer within 1 second, we consider we are under load.
 	 */
 	time_t last = wgp->wgp_last_msg_received_time[msgtype];
 	wgp->wgp_last_msg_received_time[msgtype] = time_uptime;
 	return (time_uptime - last) == 0;
+}
 static void
 wg_calculate_keys(struct wg_session *wgs, const bool initiator)
+{
 	/*
 	 * [W] 5.4.5: Ti^send = Tr^recv, Ti^recv = Tr^send := KDF2(Ci = Cr, e)
 	 */
 	if (initiator) {
 		wg_algo_kdf(wgs->wgs_tkey_send, wgs->wgs_tkey_recv, NULL,
 		    wgs->wgs_chaining_key, NULL, 0);
 	} else {
 		wg_algo_kdf(wgs->wgs_tkey_recv, wgs->wgs_tkey_send, NULL,
 		    wgs->wgs_chaining_key, NULL, 0);
+	}
 	WG_DUMP_HASH("wgs_tkey_send", wgs->wgs_tkey_send);
 	WG_DUMP_HASH("wgs_tkey_recv", wgs->wgs_tkey_recv);
+}
 static uint64_t
 wg_session_get_send_counter(struct wg_session *wgs)
+{
 #ifdef __HAVE_ATOMIC64_LOADSTORE
 	return atomic_load_relaxed(&wgs->wgs_send_counter);
 #else
 	uint64_t send_counter;
 	mutex_enter(&wgs->wgs_send_counter_lock);
 	send_counter = wgs->wgs_send_counter;
 	mutex_exit(&wgs->wgs_send_counter_lock);
 	return send_counter;
 #endif
+}
 static uint64_t
 wg_session_inc_send_counter(struct wg_session *wgs)
+{
 #ifdef __HAVE_ATOMIC64_LOADSTORE
 	return atomic_inc_64_nv(&wgs->wgs_send_counter) - 1;
 #else
 	uint64_t send_counter;
 	mutex_enter(&wgs->wgs_send_counter_lock);
 	send_counter = wgs->wgs_send_counter++;
 	mutex_exit(&wgs->wgs_send_counter_lock);
 	return send_counter;
 #endif
+}
 static void
 wg_clear_states(struct wg_session *wgs)
+{
 	wgs->wgs_send_counter = 0;
 	sliwin_reset(&wgs->wgs_recvwin->window);
 #define wgs_clear(v)	explicit_memset(wgs->wgs_##v, 0, sizeof(wgs->wgs_##v))
 	wgs_clear(handshake_hash);
 	wgs_clear(chaining_key);
 	wgs_clear(ephemeral_key_pub);
 	wgs_clear(ephemeral_key_priv);
 	wgs_clear(ephemeral_key_peer);
 #undef wgs_clear
+}
 static struct wg_session *
 wg_lookup_session_by_index(struct wg_softc *wg, const uint32_t index,
     struct psref *psref)
+{
 	struct wg_session *wgs;
 	int s = pserialize_read_enter();
 	wgs = thmap_get(wg->wg_sessions_byindex, &index, sizeof index);
 	if (wgs != NULL)
 		psref_acquire(psref, &wgs->wgs_psref, wg_psref_class);
 	pserialize_read_exit(s);
 	return wgs;
+}
 static void
 wg_schedule_rekey_timer(struct wg_peer *wgp)
+{
 	int timeout = MIN(wg_rekey_after_time, INT_MAX/hz);
 	callout_schedule(&wgp->wgp_rekey_timer, timeout * hz);
+}
 static void
 wg_send_keepalive_msg(struct wg_peer *wgp, struct wg_session *wgs)
+{
 	struct mbuf *m;
 	/*
 	 * [W] 6.5 Passive Keepalive
 	 * "A keepalive message is simply a transport data message with
 	 *  a zero-length encapsulated encrypted inner-packet."
 	 */
 	m = m_gethdr(M_WAIT, MT_DATA);
 	wg_send_data_msg(wgp, wgs, m);
+}
 static bool
 wg_need_to_send_init_message(struct wg_session *wgs)
+{
 	/*
 	 * [W] 6.2 Transport Message Limits
 	 * "if a peer is the initiator of a current secure session,
 	 *  WireGuard will send a handshake initiation message to begin
 	 *  a new secure session ... if after receiving a transport data
 	 *  message, the current secure session is (REJECT-AFTER-TIME −
 	 *  KEEPALIVE-TIMEOUT − REKEY-TIMEOUT) seconds old and it has
 	 *  not yet acted upon this event."
 	 */
 	return wgs->wgs_is_initiator && wgs->wgs_time_last_data_sent == 0 &&
 	    (time_uptime - wgs->wgs_time_established) >=
 	    (wg_reject_after_time - wg_keepalive_timeout - wg_rekey_timeout);
+}
 static void
 wg_schedule_peer_task(struct wg_peer *wgp, int task)
+{
 	atomic_or_uint(&wgp->wgp_tasks, task);
 	WG_DLOG("tasks=%d, task=%d\n", wgp->wgp_tasks, task);
 	wg_wakeup_worker(wgp->wgp_sc->wg_worker, WG_WAKEUP_REASON_PEER);
+}
 static void
 wg_change_endpoint(struct wg_peer *wgp, const struct sockaddr *new)
+{
 	KASSERT(mutex_owned(wgp->wgp_lock));
 	WG_TRACE("Changing endpoint");
 	memcpy(wgp->wgp_endpoint0, new, new->sa_len);
 	wgp->wgp_endpoint0 = atomic_swap_ptr(&wgp->wgp_endpoint,
 	    wgp->wgp_endpoint0);
 	if (!wgp->wgp_endpoint_available)
 		wgp->wgp_endpoint_available = true;
 	wgp->wgp_endpoint_changing = true;
 	wg_schedule_peer_task(wgp, WGP_TASK_ENDPOINT_CHANGED);
+}
 static bool
 wg_validate_inner_packet(const char *packet, size_t decrypted_len, int *af)
+{
 	uint16_t packet_len;
 	const struct ip *ip;
 	if (__predict_false(decrypted_len < sizeof(struct ip)))
 		return false;
 	ip = (const struct ip *)packet;
 	if (ip->ip_v == 4)
 		*af = AF_INET;
 	else if (ip->ip_v == 6)
 		*af = AF_INET6;
 	else
 		return false;
 	WG_DLOG("af=%d\n", *af);
 	if (*af == AF_INET) {
 		packet_len = ntohs(ip->ip_len);
 	} else {
 		const struct ip6_hdr *ip6;
 		if (__predict_false(decrypted_len < sizeof(struct ip6_hdr)))
 			return false;
 		ip6 = (const struct ip6_hdr *)packet;
 		packet_len = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen);
+	}
 	WG_DLOG("packet_len=%u\n", packet_len);
 	if (packet_len > decrypted_len)
 		return false;
 	return true;
+}
 static bool
 wg_validate_route(struct wg_softc *wg, struct wg_peer *wgp_expected,
     int af, char *packet)
+{
 	struct sockaddr_storage ss;
 	struct sockaddr *sa;
 	struct psref psref;
 	struct wg_peer *wgp;
 	bool ok;
 	/*
 	 * II CRYPTOKEY ROUTING
 	 * "it will only accept it if its source IP resolves in the
 	 *  table to the public key used in the secure session for
 	 *  decrypting it."
 	 */
 	if (af == AF_INET) {
 		const struct ip *ip = (const struct ip *)packet;
 		struct sockaddr_in *sin = (struct sockaddr_in *)&ss;
 		sockaddr_in_init(sin, &ip->ip_src, 0);
 		sa = sintosa(sin);
 #ifdef INET6
 	} else {
 		const struct ip6_hdr *ip6 = (const struct ip6_hdr *)packet;
 		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;
 		sockaddr_in6_init(sin6, &ip6->ip6_src, 0, 0, 0);
 		sa = sin6tosa(sin6);
 #endif
+	}
 	wgp = wg_pick_peer_by_sa(wg, sa, &psref);
 	ok = (wgp == wgp_expected);
 	if (wgp != NULL)
 		wg_put_peer(wgp, &psref);
 	return ok;
+}
 static void
 wg_session_dtor_timer(void *arg)
+{
 	struct wg_peer *wgp = arg;
 	WG_TRACE("enter");
 	mutex_enter(wgp->wgp_lock);
 	if (__predict_false(wgp->wgp_state == WGP_STATE_DESTROYING)) {
 		mutex_exit(wgp->wgp_lock);
 		return;
+	}
 	mutex_exit(wgp->wgp_lock);
 	wg_schedule_peer_task(wgp, WGP_TASK_DESTROY_PREV_SESSION);
+}
 static void
 wg_schedule_session_dtor_timer(struct wg_peer *wgp)
+{
 	/* 1 second grace period */
 	callout_schedule(&wgp->wgp_session_dtor_timer, hz);
+}
 static bool
 sockaddr_port_match(const struct sockaddr *sa1, const struct sockaddr *sa2)
+{
 	if (sa1->sa_family != sa2->sa_family)
 		return false;
 	switch (sa1->sa_family) {
 	case AF_INET:
 		return satocsin(sa1)->sin_port == satocsin(sa2)->sin_port;
 	case AF_INET6:
 		return satocsin6(sa1)->sin6_port == satocsin6(sa2)->sin6_port;
 	default:
 		return true;
+	}
+}
 static void
 wg_update_endpoint_if_necessary(struct wg_peer *wgp,
     const struct sockaddr *src)
+{
 #ifdef WG_DEBUG_LOG
 	char oldaddr[128], newaddr[128];
 	sockaddr_format(&wgp->wgp_sa, oldaddr, sizeof(oldaddr));
 	sockaddr_format(src, newaddr, sizeof(newaddr));
 	WG_DLOG("old=%s, new=%s\n", oldaddr, newaddr);
 #endif
 	/*
 	 * III: "Since the packet has authenticated correctly, the source IP of
 	 * the outer UDP/IP packet is used to update the endpoint for peer..."
 	 */
 	if (__predict_false(sockaddr_cmp(src, &wgp->wgp_sa) != 0 ||
 	                    !sockaddr_port_match(src, &wgp->wgp_sa))) {
 		mutex_enter(wgp->wgp_lock);
 		/* XXX We can't change the endpoint twice in a short period */
 		if (!wgp->wgp_endpoint_changing) {
 			wg_change_endpoint(wgp, src);
+		}
 		mutex_exit(wgp->wgp_lock);
+	}
+}
 static void
 wg_handle_msg_data(struct wg_softc *wg, struct mbuf *m,
     const struct sockaddr *src)
+{
 	struct wg_msg_data *wgmd;
 	char *encrypted_buf = NULL, *decrypted_buf;
 	size_t encrypted_len, decrypted_len;
 	struct wg_session *wgs;
 	struct wg_peer *wgp;
 	size_t mlen;
 	struct psref psref;
 	int error, af;
 	bool success, free_encrypted_buf = false, ok;
 	struct mbuf *n;
 	KASSERT(m->m_len >= sizeof(struct wg_msg_data));
 	wgmd = mtod(m, struct wg_msg_data *);
 	KASSERT(wgmd->wgmd_type == htole32(WG_MSG_TYPE_DATA));
 	WG_TRACE("data");
 	wgs = wg_lookup_session_by_index(wg, wgmd->wgmd_receiver, &psref);
 	if (wgs == NULL) {
 		WG_TRACE("No session found");
 		m_freem(m);
 		return;
+	}
 	wgp = wgs->wgs_peer;
 	error = sliwin_check_fast(&wgs->wgs_recvwin->window,
 	    le64toh(wgmd->wgmd_counter));
 	if (error) {
 		WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
 		    "out-of-window packet: %"PRIu64"\n",
 		    le64toh(wgmd->wgmd_counter));
 		goto out;
+	}
 	mlen = m_length(m);
 	encrypted_len = mlen - sizeof(*wgmd);
 	if (encrypted_len < WG_AUTHTAG_LEN) {
 		WG_DLOG("Short encrypted_len: %lu\n", encrypted_len);
 		goto out;
+	}
 	success = m_ensure_contig(&m, sizeof(*wgmd) + encrypted_len);
 	if (success) {
 		encrypted_buf = mtod(m, char *) + sizeof(*wgmd);
 	} else {
 		encrypted_buf = kmem_intr_alloc(encrypted_len, KM_NOSLEEP);
 		if (encrypted_buf == NULL) {
 			WG_DLOG("failed to allocate encrypted_buf\n");
 			goto out;
+		}
 		m_copydata(m, sizeof(*wgmd), encrypted_len, encrypted_buf);
 		free_encrypted_buf = true;
+	}
 	/* m_ensure_contig may change m regardless of its result */
 	KASSERT(m->m_len >= sizeof(*wgmd));
 	wgmd = mtod(m, struct wg_msg_data *);
 	decrypted_len = encrypted_len - WG_AUTHTAG_LEN;
 	if (decrypted_len > MCLBYTES) {
 		/* FIXME handle larger data than MCLBYTES */
 		WG_DLOG("couldn't handle larger data than MCLBYTES\n");
 		goto out;
+	}
 	/* To avoid zero length */
 	n = wg_get_mbuf(0, decrypted_len + WG_AUTHTAG_LEN);
 	if (n == NULL) {
 		WG_DLOG("wg_get_mbuf failed\n");
 		goto out;
+	}
 	decrypted_buf = mtod(n, char *);
 	WG_DLOG("mlen=%lu, encrypted_len=%lu\n", mlen, encrypted_len);
 	error = wg_algo_aead_dec(decrypted_buf,
 	    encrypted_len - WG_AUTHTAG_LEN /* can be 0 */,
 	    wgs->wgs_tkey_recv, le64toh(wgmd->wgmd_counter), encrypted_buf,
 	    encrypted_len, NULL, 0);
 	if (error != 0) {
 		WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
 		    "failed to wg_algo_aead_dec\n");
 		m_freem(n);
 		goto out;
+	}
 	WG_DLOG("outsize=%u\n", (u_int)decrypted_len);
 	mutex_enter(&wgs->wgs_recvwin->lock);
 	error = sliwin_update(&wgs->wgs_recvwin->window,
 	    le64toh(wgmd->wgmd_counter));
 	mutex_exit(&wgs->wgs_recvwin->lock);
 	if (error) {
 		WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
 		    "replay or out-of-window packet: %"PRIu64"\n",
 		    le64toh(wgmd->wgmd_counter));
 		m_freem(n);
 		goto out;
+	}
 	m_freem(m);
 	m = NULL;
 	wgmd = NULL;
 	ok = wg_validate_inner_packet(decrypted_buf, decrypted_len, &af);
 	if (!ok) {
 		/* something wrong... */
 		m_freem(n);
 		goto out;
+	}
 	wg_update_endpoint_if_necessary(wgp, src);
 	ok = wg_validate_route(wg, wgp, af, decrypted_buf);
 	if (ok) {
 		wg->wg_ops->input(&wg->wg_if, n, af);
 	} else {
 		WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
 		    "invalid source address\n");
 		m_freem(n);
 		/*
 		 * The inner address is invalid however the session is valid
 		 * so continue the session processing below.
 		 */
+	}
 	n = NULL;
 	if (wgs->wgs_state == WGS_STATE_INIT_PASSIVE) {
 		struct wg_session *wgs_prev;
 		KASSERT(wgs == wgp->wgp_session_unstable);
 		wgs->wgs_state = WGS_STATE_ESTABLISHED;
 		wgs->wgs_time_established = time_uptime;
 		wgs->wgs_time_last_data_sent = 0;
 		wgs->wgs_is_initiator = false;
 		WG_TRACE("WGS_STATE_ESTABLISHED");
 		mutex_enter(wgp->wgp_lock);
 		wg_swap_sessions(wgp);
 		wgs_prev = wgp->wgp_session_unstable;
 		mutex_enter(wgs_prev->wgs_lock);
 		getnanotime(&wgp->wgp_last_handshake_time);
 		wgp->wgp_handshake_start_time = 0;
 		wgp->wgp_last_sent_mac1_valid = false;
 		wgp->wgp_last_sent_cookie_valid = false;
 		mutex_exit(wgp->wgp_lock);
 		if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) {
 			wgs_prev->wgs_state = WGS_STATE_DESTROYING;
 			/* We can't destroy the old session immediately */
 			wg_schedule_session_dtor_timer(wgp);
 		} else {
 			wg_clear_states(wgs_prev);
 			wgs_prev->wgs_state = WGS_STATE_UNKNOWN;
+		}
 		mutex_exit(wgs_prev->wgs_lock);
 		/* Anyway run a softint to flush pending packets */
 		kpreempt_disable();
 		softint_schedule(wgp->wgp_si);
 		kpreempt_enable();
 	} else {
 		if (__predict_false(wg_need_to_send_init_message(wgs))) {
 			wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE);
+		}
 		/*
 		 * [W] 6.5 Passive Keepalive