Spellcheck sweep across codebase

22 files changed, 57 insertions, 69 deletions

diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
index 54dd1375..bec144f0 100644
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@@ -36,7 +36,7 @@ ZeroTier Release Notes
     * Fixed two very rare multithreading issues that were only observed on certain systems
  * Platform-Specific Changes
     * MacOS
-        * Installer now loads the kernel extension right away so that High Sierra users will see the prompt to authorize it. This is done in the "Security & Privacy" preference pane and must be done driectly on the console (not via remote desktop). On High Sierra and newer kexts must be authorized at the console via security settings system preferences pane.
+        * Installer now loads the kernel extension right away so that High Sierra users will see the prompt to authorize it. This is done in the "Security & Privacy" preference pane and must be done directly on the console (not via remote desktop). On High Sierra and newer kexts must be authorized at the console via security settings system preferences pane.
     * Windows
         * The Windows installer should now install the driver without requiring a special prompt in most cases. This should make it easier for our packages to be accepted into and updated in the Chocolatey repository and should make it easier to perform remote installs across groups of machines using IT management and provisioning tools.
         * The Windows official packages are now signed with an EV certificate (with hardware key).
@@ -78,7 +78,7 @@ The largest new feature in 1.2.0, and the product of many months of work, is our
 
 Rules allow you to filter packets on your network and vector traffic to security observers. Security observation can be performed in-band using REDIRECT or out of band using TEE.
 
-Tags and capabilites provide advanced methods for implementing fine grained permission structures and micro-segmentation schemes without bloating the size and complexity of your rules table.
+Tags and capabilities provide advanced methods for implementing fine grained permission structures and micro-segmentation schemes without bloating the size and complexity of your rules table.
 
 See the [rules engine announcement blog post](https://www.zerotier.com/blog/?p=927) for an in-depth discussion of theory and implementation. The [manual](https://www.zerotier.com/manual.shtml) contains detailed information on rule, tag, and capability use, and the `rule-compiler/` subfolder of the ZeroTier source tree contains a JavaScript function to compile rules in our human-readable rule definition language into rules suitable for import into a network controller. (ZeroTier Central uses this same script to compile rules on [my.zerotier.com](https://my.zerotier.com/).)
 
@@ -161,7 +161,7 @@ A special kind of public network called an ad-hoc network may be accessed by joi
     | Start of port range (hex)
     Reserved ZeroTier address prefix indicating a controller-less network
 
-Ad-hoc networks are public (no access control) networks that have no network controller. Instead their configuration and other credentials are generated locally. Ad-hoc networks permit only IPv6 UDP and TCP unicast traffic (no multicast or broadcast) using 6plane format NDP-emulated IPv6 addresses. In addition an ad-hoc network ID encodes an IP port range. UDP packets and TCP SYN (connection open) packets are only allowed to desintation ports within the encoded range.
+Ad-hoc networks are public (no access control) networks that have no network controller. Instead their configuration and other credentials are generated locally. Ad-hoc networks permit only IPv6 UDP and TCP unicast traffic (no multicast or broadcast) using 6plane format NDP-emulated IPv6 addresses. In addition an ad-hoc network ID encodes an IP port range. UDP packets and TCP SYN (connection open) packets are only allowed to destination ports within the encoded range.
 
 For example `ff00160016000000` is an ad-hoc network allowing only SSH, while `ff0000ffff000000` is an ad-hoc network allowing any UDP or TCP port.
 
@@ -176,7 +176,7 @@ If you have data in an old SQLite3 controller we've included a NodeJS script in
 ## Major Bug Fixes in 1.2.0
 
  * **The Windows HyperV 100% CPU bug is FINALLY DEAD**: This long-running problem turns out to have been an issue with Windows itself, but one we were triggering by placing invalid data into the Windows registry. Microsoft is aware of the issue but we've also fixed the triggering problem on our side. ZeroTier should now co-exist quite well with HyperV and should now be able to be bridged with a HyperV virtual switch.
- * **Segmenation faults on musl-libc based Linux systems**: Alpine Linux and some embedded Linux systems that use musl libc (a minimal libc) experienced segmentation faults. These were due to a smaller default stack size. A work-around that sets the stack size for new threads has been added.
+ * **Segmentation faults on musl-libc based Linux systems**: Alpine Linux and some embedded Linux systems that use musl libc (a minimal libc) experienced segmentation faults. These were due to a smaller default stack size. A work-around that sets the stack size for new threads has been added.
  * **Windows firewall blocks local JSON API**: On some Windows systems the firewall likes to block 127.0.0.1:9993 for mysterious reasons. This is now fixed in the installer via the addition of another firewall exemption rule.
  * **UI crash on embedded Windows due to missing fonts**: The MSI installer now ships fonts and will install them if they are not present, so this should be fixed.
 
diff --git a/include/ZeroTierOne.h b/include/ZeroTierOne.h
index 15e15bd1..b3927c2e 100644
--- a/include/ZeroTierOne.h
+++ b/include/ZeroTierOne.h
@@ -411,7 +411,7 @@ enum ZT_ResultCode
 	ZT_RESULT_ERROR_UNSUPPORTED_OPERATION = 1001,
 
 	/**
-	 * The requestion operation was given a bad parameter or was called in an invalid state
+	 * The requested operation was given a bad parameter or was called in an invalid state
 	 */
 	ZT_RESULT_ERROR_BAD_PARAMETER = 1002
 };
@@ -1498,7 +1498,7 @@ typedef int (*ZT_WirePacketSendFunction)(
 /**
  * Function to check whether a path should be used for ZeroTier traffic
  *
- * Paramters:
+ * Parameters:
  *  (1) Node
  *  (2) User pointer
  *  (3) ZeroTier address or 0 for none/any
@@ -1531,7 +1531,7 @@ typedef int (*ZT_PathCheckFunction)(
  *  (1) Node
  *  (2) User pointer
  *  (3) ZeroTier address (least significant 40 bits)
- *  (4) Desried address family or -1 for any
+ *  (4) Desired address family or -1 for any
  *  (5) Buffer to fill with result
  *
  * If provided this function will be occasionally called to get physical
@@ -1696,7 +1696,7 @@ ZT_SDK_API enum ZT_ResultCode ZT_Node_processBackgroundTasks(ZT_Node *node,void
  * Join a network
  *
  * This may generate calls to the port config callback before it returns,
- * or these may be deffered if a netconf is not available yet.
+ * or these may be differed if a netconf is not available yet.
  *
  * If we are already a member of the network, nothing is done and OK is
  * returned.
diff --git a/node/Capability.hpp b/node/Capability.hpp
index 91a46566..775532d9 100644
--- a/node/Capability.hpp
+++ b/node/Capability.hpp
@@ -52,7 +52,7 @@ class RuntimeEnvironment;
  * (1) Evaluates its capabilities in ascending order of ID to determine
  *     which capability allows it to transmit this packet.
  * (2) If it has not done so lately, it then sends this capability to the
- *     receving peer ("presents" it).
+ *     receiving peer ("presents" it).
  * (3) The sender then sends the packet.
  *
  * On the receiving side the receiver evaluates the capabilities presented
@@ -64,7 +64,7 @@ class RuntimeEnvironment;
  *
  * Capabilities support a chain of custody. This is currently unused but
  * in the future would allow the publication of capabilities that can be
- * handed off between nodes. Limited transferrability of capabilities is
+ * handed off between nodes. Limited transferability of capabilities is
  * a feature of true capability based security.
  */
 class Capability : public Credential
@@ -81,7 +81,7 @@ public:
 	 * @param id Capability ID
 	 * @param nwid Network ID
 	 * @param ts Timestamp (at controller)
-	 * @param mccl Maximum custody chain length (1 to create non-transferrable capability)
+	 * @param mccl Maximum custody chain length (1 to create non-transferable capability)
 	 * @param rules Network flow rules for this capability
 	 * @param ruleCount Number of flow rules
 	 */
diff --git a/node/CertificateOfMembership.hpp b/node/CertificateOfMembership.hpp
index b5a90007..7fd38ad7 100644
--- a/node/CertificateOfMembership.hpp
+++ b/node/CertificateOfMembership.hpp
@@ -243,7 +243,7 @@ public:
 	 * Compare two certificates for parameter agreement
 	 *
 	 * This compares this certificate with the other and returns true if all
-	 * paramters in this cert are present in the other and if they agree to
+	 * parameters in this cert are present in the other and if they agree to
 	 * within this cert's max delta value for each given parameter.
 	 *
 	 * Tuples present in other but not in this cert are ignored, but any
diff --git a/node/Constants.hpp b/node/Constants.hpp
index b85c1b93..d86775c5 100644
--- a/node/Constants.hpp
+++ b/node/Constants.hpp
@@ -275,13 +275,13 @@
 #define ZT_MULTIPATH_BINDER_REFRESH_PERIOD 5000
 
 /**
- * Time horizon for VERB_QOS_MEASUREMENT and VERB_ACK packet processesing cutoff
+ * Time horizon for VERB_QOS_MEASUREMENT and VERB_ACK packet processing cutoff
  */
 #define ZT_PATH_QOS_ACK_CUTOFF_TIME 30000
 
 /**
  * Maximum number of VERB_QOS_MEASUREMENT and VERB_ACK packets allowed to be
- * processesed within cutoff time. Separate totals are kept for each type but
+ * processed within cutoff time. Separate totals are kept for each type but
  * the limit is the same for both.
  *
  * This limits how often this peer will compute statistical estimates
diff --git a/node/Identity.cpp b/node/Identity.cpp
index 03f27083..1687746b 100644
--- a/node/Identity.cpp
+++ b/node/Identity.cpp
@@ -50,8 +50,8 @@ static inline void _computeMemoryHardHash(const void *publicKey,unsigned int pub
 	SHA512::hash(digest,publicKey,publicKeyBytes);
 
 	// Initialize genmem[] using Salsa20 in a CBC-like configuration since
-	// ordinary Salsa20 is randomly seekable. This is good for a cipher
-	// but is not what we want for sequential memory-harndess.
+	// ordinary Salsa20 is randomly seek-able. This is good for a cipher
+	// but is not what we want for sequential memory-hardness.
 	memset(genmem,0,ZT_IDENTITY_GEN_MEMORY);
 	Salsa20 s20(digest,(char *)digest + 32);
 	s20.crypt20((char *)genmem,(char *)genmem,64);
diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp
index 70dcff5d..6bb9734c 100644
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@@ -237,7 +237,7 @@ bool IncomingPacket::_doQOS_MEASUREMENT(const RuntimeEnvironment *RR,void *tPtr,
 		char *ptr = begin;
 		int count = 0;
 		int len = payloadLength();
-		// Read packet IDs and latency compensation intervals for each packet tracked by thie QoS packet
+		// Read packet IDs and latency compensation intervals for each packet tracked by this QoS packet
 		while (ptr < (begin + len) && (count < ZT_PATH_QOS_TABLE_SIZE)) {
 			memcpy((void*)&rx_id[count], ptr, sizeof(uint64_t));
 			ptr+=sizeof(uint64_t);
diff --git a/node/InetAddress.cpp b/node/InetAddress.cpp
index 36b4e434..5d6ad07f 100644
--- a/node/InetAddress.cpp
+++ b/node/InetAddress.cpp
@@ -5,7 +5,7 @@
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation, either version 3 of the License, or
- * (at your oion) any later version.
+ * (at your option) any later version.
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -62,23 +62,23 @@ InetAddress::IpScope InetAddress::ipScope() const
 				case 0x37: return IP_SCOPE_PSEUDOPRIVATE;                             // 55.0.0.0/8 (US DoD)
 				case 0x38: return IP_SCOPE_PSEUDOPRIVATE;                             // 56.0.0.0/8 (US Postal Service)
 				case 0x64:
-					if ((ip & 0xffc00000) == 0x64400000) return IP_SCOPE_PRIVATE;       // 100.64.0.0/10
+					if ((ip & 0xffc00000) == 0x64400000) return IP_SCOPE_PRIVATE;     // 100.64.0.0/10
 					break;
 				case 0x7f: return IP_SCOPE_LOOPBACK;                                  // 127.0.0.0/8
 				case 0xa9:
-					if ((ip & 0xffff0000) == 0xa9fe0000) return IP_SCOPE_LINK_LOCAL;    // 169.254.0.0/16
+					if ((ip & 0xffff0000) == 0xa9fe0000) return IP_SCOPE_LINK_LOCAL;  // 169.254.0.0/16
 					break;
 				case 0xac:
-					if ((ip & 0xfff00000) == 0xac100000) return IP_SCOPE_PRIVATE;       // 172.16.0.0/12
+					if ((ip & 0xfff00000) == 0xac100000) return IP_SCOPE_PRIVATE;     // 172.16.0.0/12
 					break;
 				case 0xc0:
-					if ((ip & 0xffff0000) == 0xc0a80000) return IP_SCOPE_PRIVATE;				// 192.168.0.0/16
+					if ((ip & 0xffff0000) == 0xc0a80000) return IP_SCOPE_PRIVATE;     // 192.168.0.0/16
 					break;
 				case 0xff: return IP_SCOPE_NONE;                                      // 255.0.0.0/8 (broadcast, or unused/unusable)
 			}
 			switch(ip >> 28) {
-				case 0xe: return IP_SCOPE_MULTICAST;                              // 224.0.0.0/4
-				case 0xf: return IP_SCOPE_PSEUDOPRIVATE;                          // 240.0.0.0/4 ("reserved," usually unusable)
+				case 0xe: return IP_SCOPE_MULTICAST;                                  // 224.0.0.0/4
+				case 0xf: return IP_SCOPE_PSEUDOPRIVATE;                              // 240.0.0.0/4 ("reserved," usually unusable)
 			}
 			return IP_SCOPE_GLOBAL;
 		}	break;
@@ -86,21 +86,21 @@ InetAddress::IpScope InetAddress::ipScope() const
 		case AF_INET6: {
 			const unsigned char *ip = reinterpret_cast<const unsigned char *>(reinterpret_cast<const struct sockaddr_in6 *>(this)->sin6_addr.s6_addr);
 			if ((ip[0] & 0xf0) == 0xf0) {
-				if (ip[0] == 0xff) return IP_SCOPE_MULTICAST;                              // ff00::/8
+				if (ip[0] == 0xff) return IP_SCOPE_MULTICAST;                        // ff00::/8
 				if ((ip[0] == 0xfe)&&((ip[1] & 0xc0) == 0x80)) {
 					unsigned int k = 2;
 					while ((!ip[k])&&(k < 15)) ++k;
 					if ((k == 15)&&(ip[15] == 0x01))
-						return IP_SCOPE_LOOPBACK;                                              // fe80::1/128
-					else return IP_SCOPE_LINK_LOCAL;                                         // fe80::/10
+						return IP_SCOPE_LOOPBACK;                                    // fe80::1/128
+					else return IP_SCOPE_LINK_LOCAL;                                 // fe80::/10
 				}
-				if ((ip[0] & 0xfe) == 0xfc) return IP_SCOPE_PRIVATE;                       // fc00::/7
+				if ((ip[0] & 0xfe) == 0xfc) return IP_SCOPE_PRIVATE;                 // fc00::/7
 			}
 			unsigned int k = 0;
 			while ((!ip[k])&&(k < 15)) ++k;
 			if (k == 15) { // all 0's except last byte
-				if (ip[15] == 0x01) return IP_SCOPE_LOOPBACK;                              // ::1/128
-				if (ip[15] == 0x00) return IP_SCOPE_NONE;                                  // ::/128
+				if (ip[15] == 0x01) return IP_SCOPE_LOOPBACK;                        // ::1/128
+				if (ip[15] == 0x00) return IP_SCOPE_NONE;                            // ::/128
 			}
 			return IP_SCOPE_GLOBAL;
 		}	break;
diff --git a/node/MulticastGroup.hpp b/node/MulticastGroup.hpp
index 0f4a621e..0a318136 100644
--- a/node/MulticastGroup.hpp
+++ b/node/MulticastGroup.hpp
@@ -68,7 +68,7 @@ public:
 	 * Derive the multicast group used for address resolution (ARP/NDP) for an IP
 	 *
 	 * @param ip IP address (port field is ignored)
-	 * @return Multicat group for ARP/NDP
+	 * @return Multicast group for ARP/NDP
 	 */
 	static inline MulticastGroup deriveMulticastGroupForAddressResolution(const InetAddress &ip)
 	{
diff --git a/node/Network.hpp b/node/Network.hpp
index 95b5483a..38f03eb3 100644
--- a/node/Network.hpp
+++ b/node/Network.hpp
@@ -438,6 +438,6 @@ private:
 	AtomicCounter __refCount;
 };
 
-} // naemspace ZeroTier
+} // namespace ZeroTier
 
 #endif
diff --git a/node/NetworkConfig.hpp b/node/NetworkConfig.hpp
index 44066c86..8900bda5 100644
--- a/node/NetworkConfig.hpp
+++ b/node/NetworkConfig.hpp
@@ -562,7 +562,7 @@ public:
 	char name[ZT_MAX_NETWORK_SHORT_NAME_LENGTH + 1];
 
 	/**
-	 * Certficiate of membership (for private networks)
+	 * Certificate of membership (for private networks)
 	 */
 	CertificateOfMembership com;
 };
diff --git a/node/Packet.hpp b/node/Packet.hpp
index 6869691e..8e82bd34 100644
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@@ -150,7 +150,7 @@
  *
  * In cryptography, a "break" means something different from what it means in
  * common discussion. If a cipher is 256 bits strong and someone finds a way
- * to reduce key search to 254 bits, this constitues a "break" in the academic
+ * to reduce key search to 254 bits, this constitutes a "break" in the academic
  * literature. 254 bits is still far beyond what can be leveraged to accomplish
  * a "break" as most people would understand it -- the actual decryption and
  * reading of traffic.
@@ -249,7 +249,7 @@
  */
 #define ZT_PROTO_MIN_FRAGMENT_LENGTH ZT_PACKET_FRAGMENT_IDX_PAYLOAD
 
-// Field incides for parsing verbs -------------------------------------------
+// Field indices for parsing verbs -------------------------------------------
 
 // Some verbs have variable-length fields. Those aren't fully defined here
 // yet-- instead they are parsed using relative indexes in IncomingPacket.
@@ -734,7 +734,7 @@ public:
 		 * Credentials can be for any number of networks.
 		 *
 		 * The use of a zero byte to terminate the COM section is for legacy
-		 * backward compatiblity. Newer fields are prefixed with a length.
+		 * backward compatibility. Newer fields are prefixed with a length.
 		 *
 		 * OK/ERROR are not generated.
 		 */
@@ -751,7 +751,7 @@ public:
 		 * This message requests network configuration from a node capable of
 		 * providing it.
 		 *
-		 * Respones to this are always whole configs intended for the recipient.
+		 * Responses to this are always whole configs intended for the recipient.
 		 * For patches and other updates a NETWORK_CONFIG is sent instead.
 		 *
 		 * It would be valid and correct as of 1.2.0 to use NETWORK_CONFIG always,
@@ -884,7 +884,7 @@ public:
 		 *   <[6] MAC address of multicast group>
 		 *   <[4] 32-bit ADI for multicast group>
 		 *   <[1] flags>
-		 *  [<[...] network certficate of membership (DEPRECATED)>]
+		 *  [<[...] network certificate of membership (DEPRECATED)>]
 		 *  [<[...] implicit gather results if flag 0x01 is set>]
 		 *
 		 * OK flags (same bits as request flags):
@@ -933,7 +933,7 @@ public:
 		// 0x11 -- deprecated
 
 		/**
-		 * An acknowledgement of receipt of a series of recent packets from another
+		 * An acknowledgment of receipt of a series of recent packets from another
 		 * peer. This is used to calculate relative throughput values and to detect
 		 * packet loss. Only VERB_FRAME and VERB_EXT_FRAME packets are counted.
 		 *
@@ -967,7 +967,7 @@ public:
 		 * The number of possible records per QoS packet is: (1400 * 8) / 72 = 155
 		 * This packet should be sent very rarely (every few seconds) as it can be
 		 * somewhat large if the connection is saturated. Future versions might use
-		 * a bloom table to probablistically determine these values in a vastly
+		 * a bloom table to probabilistically determine these values in a vastly
 		 * more space-efficient manner.
 		 *
 		 * Note: The 'internal packet sojourn time' is a slight misnomer as it is a
@@ -1000,7 +1000,7 @@ public:
 		 *
 		 * This message contains a remote trace event. Remote trace events can
 		 * be sent to observers configured at the network level for those that
-		 * pertain directly to actiity on a network, or to global observers if
+		 * pertain directly to activity on a network, or to global observers if
 		 * locally configured.
 		 *
 		 * The instance ID is a random 64-bit value generated by each ZeroTier
@@ -1297,7 +1297,7 @@ public:
 	 * Encrypt/decrypt a separately armored portion of a packet
 	 *
 	 * This is currently only used to mask portions of HELLO as an extra
-	 * security precation since most of that message is sent in the clear.
+	 * security precaution since most of that message is sent in the clear.
 	 *
 	 * This must NEVER be used more than once in the same packet, as doing
 	 * so will result in re-use of the same key stream.
diff --git a/node/Path.hpp b/node/Path.hpp
index e7448190..80a7895a 100644
--- a/node/Path.hpp
+++ b/node/Path.hpp
@@ -353,7 +353,7 @@ public:
 	 * Record that we've received a VERB_ACK on this path, also compute throughput if required.
 	 *
 	 * @param now Current time
-	 * @param ackedBytes Number of bytes awknowledged by other peer
+	 * @param ackedBytes Number of bytes acknowledged by other peer
 	 */
 	inline void receivedAck(int64_t now, int32_t ackedBytes)
 	{
@@ -387,7 +387,7 @@ public:
 	}
 
 	/**
-	 * @return Number of bytes thusfar sent that have not been awknowledged by the remote peer
+	 * @return Number of bytes thus far sent that have not been acknowledged by the remote peer
 	 */
 	inline int64_t unackedSentBytes()
 	{
@@ -529,7 +529,7 @@ public:
 	inline char *getName() { return _ifname; }
 
 	/**
-	 * @return Packet delay varience
+	 * @return Packet delay variance
 	 */
 	inline float packetDelayVariance() { return _packetDelayVariance; }
 
diff --git a/node/Peer.cpp b/node/Peer.cpp
index a22bbffe..877ec2fd 100644
--- a/node/Peer.cpp
+++ b/node/Peer.cpp
@@ -140,7 +140,7 @@ void Peer::received(
 		if ((!havePath)&&(RR->node->shouldUsePathForZeroTierTraffic(tPtr,_id.address(),path->localSocket(),path->address()))) {
 			Mutex::Lock _l(_paths_m);
 
-			// Paths are redunant if they duplicate an alive path to the same IP or
+			// Paths are redundant if they duplicate an alive path to the same IP or
 			// with the same local socket and address family.
 			bool redundant = false;
 			for(unsigned int i=0;i<ZT_MAX_PEER_NETWORK_PATHS;++i) {
diff --git a/node/Peer.hpp b/node/Peer.hpp
index 8c2c496b..f7c0dbbd 100644
--- a/node/Peer.hpp
+++ b/node/Peer.hpp
@@ -204,7 +204,7 @@ public:
 	float computeAggregateLinkPacketDelayVariance();
 
 	/**
-	 * @return The aggregate link mean latenct
+	 * @return The aggregate link mean latency
 	 */
 	float computeAggregateLinkMeanLatency();
 
diff --git a/node/Salsa20.cpp b/node/Salsa20.cpp
index 1d4117e3..ca9e4718 100644
--- a/node/Salsa20.cpp
+++ b/node/Salsa20.cpp
@@ -14,7 +14,7 @@
 #define XOR(v,w) ((v) ^ (w))
 #define PLUS(v,w) ((uint32_t)((v) + (w)))
 
-// Set up laod/store macros with appropriate endianness (we don't use these in SSE mode)
+// Set up load/store macros with appropriate endianness (we don't use these in SSE mode)
 #ifndef ZT_SALSA20_SSE
 
 #if __BYTE_ORDER == __LITTLE_ENDIAN
diff --git a/node/SelfAwareness.cpp b/node/SelfAwareness.cpp
index c4f107fb..fc222672 100644
--- a/node/SelfAwareness.cpp
+++ b/node/SelfAwareness.cpp
@@ -145,7 +145,7 @@ std::vector<InetAddress> SelfAwareness::getSymmetricNatPredictions()
 	 *
 	 * Since flows are encrypted and authenticated they could not actually
 	 * read or modify traffic, but they could gather meta-data for forensics
-	 * purpsoes or use this as a DOS attack vector. */
+	 * purposes or use this as a DOS attack vector. */
 
 	std::map< uint32_t,unsigned int > maxPortByIp;
 	InetAddress theOneTrueSurface;
diff --git a/node/Tag.hpp b/node/Tag.hpp
index d2e932c2..1d3e97fa 100644
--- a/node/Tag.hpp
+++ b/node/Tag.hpp
@@ -58,7 +58,7 @@ class RuntimeEnvironment;
  * values.
  *
  * Unlike capabilities tags are signed only by the issuer and are never
- * transferrable.
+ * transferable.
  */
 class Tag : public Credential
 {
diff --git a/node/Topology.cpp b/node/Topology.cpp
index 7c526b41..7e32f205 100644
--- a/node/Topology.cpp
+++ b/node/Topology.cpp
@@ -138,7 +138,7 @@ SharedPtr<Peer> Topology::getPeer(void *tPtr,const Address &zta)
 			}
 			return SharedPtr<Peer>();
 		}
-	} catch ( ... ) {} // ignore invalid identities or other strage failures
+	} catch ( ... ) {} // ignore invalid identities or other strange failures
 
 	return SharedPtr<Peer>();
 }
diff --git a/osdep/OSUtils.cpp b/osdep/OSUtils.cpp
index cadd4e6b..8b7fd948 100644
--- a/osdep/OSUtils.cpp
+++ b/osdep/OSUtils.cpp
@@ -366,7 +366,7 @@ std::vector<std::string> OSUtils::split(const char *s,const char *const sep,cons
 				if (buf.size() > 0) {
 					fields.push_back(buf);
 					buf.clear();
-				} // else skip runs of seperators
+				} // else skip runs of separators
 			} else buf.push_back(*s);
 		}
 		++s;
diff --git a/osdep/WindowsEthernetTap.hpp b/osdep/WindowsEthernetTap.hpp
index 1e36bdd8..4f0f89c4 100644
--- a/osdep/WindowsEthernetTap.hpp
+++ b/osdep/WindowsEthernetTap.hpp
@@ -71,7 +71,7 @@ public:
 	static std::string destroyAllPersistentTapDevices();
 
 	/**
-	 * Uninstall a specific persistent tap device by instance ID
+	 * Uninstalls a specific persistent tap device by instance ID
 	 *
 	 * @param instanceId Device instance ID
 	 * @return Empty string on success, otherwise an error message
diff --git a/service/OneService.cpp b/service/OneService.cpp
index 152dca7b..e56a4827 100644
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
@@ -422,7 +422,7 @@ public:
 	unsigned int _primaryPort;
 	volatile unsigned int _udpPortPickerCounter;
 
-	// Local configuration and memo-ized information from it
+	// Local configuration and memoized information from it
 	json _localConfig;
 	Hashtable< uint64_t,std::vector<InetAddress> > _v4Hints;
 	Hashtable< uint64_t,std::vector<InetAddress> > _v6Hints;
@@ -438,7 +438,7 @@ public:
 	 * To attempt to handle NAT/gateway craziness we use three local UDP ports:
 	 *
 	 * [0] is the normal/default port, usually 9993
-	 * [1] is a port dervied from our ZeroTier address
+	 * [1] is a port derived from our ZeroTier address
 	 * [2] is a port computed from the normal/default for use with uPnP/NAT-PMP mappings
 	 *
 	 * [2] exists because on some gateways trying to do regular NAT-t interferes
@@ -1130,16 +1130,7 @@ public:
 #ifdef __SYNOLOGY__
 		// Authenticate via Synology's built-in cgi script
 		if (!isAuth) {
-			/*
-			fprintf(stderr, "path = %s\n", path.c_str());
-			fprintf(stderr, "headers.size=%d\n", headers.size());
-			std::map<std::string, std::string>::const_iterator it(headers.begin());
-			while(it != headers.end()) {
-				fprintf(stderr,"header[%s] = %s\n", (it->first).c_str(), (it->second).c_str());
-				it++;
-			}
-			*/
-			// parse out url args
+			// Parse out url args
 			int synotoken_pos = path.find("SynoToken");
 			int argpos = path.find("?");
 			if(synotoken_pos != std::string::npos && argpos != std::string::npos) {
@@ -1152,10 +1143,7 @@ public:
 				setenv("HTTP_COOKIE", cookie_val.c_str(), true);
 				setenv("HTTP_X_SYNO_TOKEN", synotoken_val.c_str(), true);
 				setenv("REMOTE_ADDR", ah2->second.c_str(),true);
-					//fprintf(stderr, "HTTP_COOKIE: %s\n",std::getenv ("HTTP_COOKIE"));
-					//fprintf(stderr, "HTTP_X_SYNO_TOKEN: %s\n",std::getenv ("HTTP_X_SYNO_TOKEN"));
-					//fprintf(stderr, "REMOTE_ADDR: %s\n",std::getenv ("REMOTE_ADDR"));
-				// check synology web auth
+				// Check Synology web auth
 				char user[256], buf[1024];
 				FILE *fp = NULL;
 				bzero(user, 256);