12 files changed, 484 insertions, 27 deletions

diff --git a/libs/luci-lib-httpprotoutils/luasrc/http/mime.luadoc b/libs/luci-lib-httpprotoutils/luasrc/http/mime.luadoc
index 7751e2baf..9c7f01aed 100644
--- a/libs/luci-lib-httpprotoutils/luasrc/http/mime.luadoc
+++ b/libs/luci-lib-httpprotoutils/luasrc/http/mime.luadoc
@@ -7,7 +7,7 @@ vice versa.
 module "luci.http.mime"
 
 ---[[
-MIME mapping table containg extension - mimetype relations.
+MIME mapping table containing extension - mimetype relations.
 
 @class table
 ]]
diff --git a/libs/luci-lib-ip/src/ip.luadoc b/libs/luci-lib-ip/src/ip.luadoc
index b1ecae145..a2df96cdb 100644
--- a/libs/luci-lib-ip/src/ip.luadoc
+++ b/libs/luci-lib-ip/src/ip.luadoc
@@ -283,7 +283,7 @@ Fetch all routes, optionally matching the given criteria.
 @sort 9
 @name routes
 @param filter  <p>Table containing one or more of the possible filter
-critera described below (optional)</p><table>
+criteria described below (optional)</p><table>
 <tr><th>Field</th><th>Description</th></tr>
 <tr><td>`family`</td><td>
  Number describing the address family to return - `4` selects
@@ -363,7 +363,7 @@ Fetches entries from the IPv4 ARP and IPv6 neighbour kernel table
 @sort 10
 @name neighbors
 @param filter  <p>Table containing one or more of the possible filter
-critera described below (optional)</p><table>
+criteria described below (optional)</p><table>
 <tr><th>Field</th><th>Description</th></tr>
 <tr><td>`family`</td><td>
  Number describing the address family to return - `4` selects
@@ -652,7 +652,7 @@ are considered lower than MAC addresses</li>
 @class function
 @sort 10
 @name cidr.lower
-@param addr A `luci.ip.cidr` instance or a string convertable by
+@param addr A `luci.ip.cidr` instance or a string convertible by
 	`luci.ip.new()` to compare against.
 @return `true` if this CIDR is lower than the given address,
 	else `false`.
@@ -676,7 +676,7 @@ are considered lower than MAC addresses</li>
 @class function
 @sort 11
 @name cidr.higher
-@param addr A `luci.ip.cidr` instance or a string convertable by
+@param addr A `luci.ip.cidr` instance or a string convertible by
 	`luci.ip.new()` to compare against.
 @return `true` if this CIDR is higher than the given address,
 	else `false`.
@@ -696,7 +696,7 @@ Checks whether this CIDR instance is equal to the given argument.
 @class function
 @sort 12
 @name cidr.equal
-@param addr A `luci.ip.cidr` instance or a string convertable by
+@param addr A `luci.ip.cidr` instance or a string convertible by
 	`luci.ip.new()` to compare against.
 @return `true` if this CIDR is equal to the given address,
 	else `false`.
@@ -877,7 +877,7 @@ Test whether CIDR contains given range.
 @class function
 @sort 21
 @name cidr.contains
-@param addr A `luci.ip.cidr` instance or a string convertable by
+@param addr A `luci.ip.cidr` instance or a string convertible by
 	`luci.ip.new()` to test.
 @return `true` if this instance fully contains the given address else
 	`false`.
@@ -903,12 +903,12 @@ address space, the result is set to the highest possible address.
 @sort 22
 @name cidr.add
 @param amount A numeric value between 0 and 0xFFFFFFFF, a
-	`luci.ip.cidr` instance or a string convertable by
+	`luci.ip.cidr` instance or a string convertible by
 	`luci.ip.new()`.
 @param inplace If `true`, modify this instance instead of returning
 	a new derived CIDR instance.
 @return <ul>
-	<li>When adding inplace: Return `true` if the addition succeded
+	<li>When adding inplace: Return `true` if the addition succeeded
 	    or `false` when the addition overflowed.</li>
 	<li>When deriving new CIDR: Return new instance representing the value of
         this instance plus the added amount or the highest possible address if
@@ -952,7 +952,7 @@ possible address is returned.
 @sort 23
 @name cidr.sub
 @param amount A numeric value between 0 and 0xFFFFFFFF, a
-	`luci.ip.cidr` instance or a string convertable by
+	`luci.ip.cidr` instance or a string convertible by
 	`luci.ip.new()`.
 @param inplace If `true`, modify this instance instead of returning
 	a new derived CIDR instance.
diff --git a/libs/luci-lib-iptparser/Makefile b/libs/luci-lib-iptparser/Makefile
new file mode 100644
index 000000000..06748adbf
--- /dev/null
+++ b/libs/luci-lib-iptparser/Makefile
@@ -0,0 +1,14 @@
+#
+# Copyright (C) 2018 The LuCI Team <luci@lists.subsignal.org>
+#
+# This is free software, licensed under the Apache License, Version 2.0 .
+#
+
+include $(TOPDIR)/rules.mk
+
+LUCI_TITLE:=Iptables listing parser class
+LUCI_DEPENDS:=+luci-base
+
+include ../../luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
diff --git a/libs/luci-lib-iptparser/luasrc/sys/iptparser.lua b/libs/luci-lib-iptparser/luasrc/sys/iptparser.lua
new file mode 100644
index 000000000..7ff665e7a
--- /dev/null
+++ b/libs/luci-lib-iptparser/luasrc/sys/iptparser.lua
@@ -0,0 +1,374 @@
+--[[
+
+Iptables parser and query library
+(c) 2008-2009 Jo-Philipp Wich <jow@openwrt.org>
+(c) 2008-2009 Steven Barth <steven@midlink.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+
+]]--
+
+local luci  = {}
+luci.util   = require "luci.util"
+luci.sys    = require "luci.sys"
+luci.ip     = require "luci.ip"
+
+local pcall = pcall
+local io = require "io"
+local tonumber, ipairs, table = tonumber, ipairs, table
+
+module("luci.sys.iptparser")
+
+IptParser = luci.util.class()
+
+function IptParser.__init__( self, family )
+	self._family = (tonumber(family) == 6) and 6 or 4
+	self._rules  = { }
+	self._chains = { }
+	self._tables = { }
+
+	local t = self._tables
+	local s = self:_supported_tables(self._family)
+
+	if s.filter then t[#t+1] = "filter" end
+	if s.nat    then t[#t+1] = "nat"    end
+	if s.mangle then t[#t+1] = "mangle" end
+	if s.raw    then t[#t+1] = "raw"    end
+
+	if self._family == 4 then
+		self._nulladdr = "0.0.0.0/0"
+		self._command  = "iptables -t %s --line-numbers -nxvL"
+	else
+		self._nulladdr = "::/0"
+		self._command  = "ip6tables -t %s --line-numbers -nxvL"
+	end
+
+	self:_parse_rules()
+end
+
+function IptParser._supported_tables( self, family )
+	local tables = { }
+	local ok, lines = pcall(io.lines,
+		(family == 6) and "/proc/net/ip6_tables_names"
+		               or "/proc/net/ip_tables_names")
+
+	if ok and lines then
+		local line
+		for line in lines do
+			tables[line] = true
+		end
+	end
+
+	return tables
+end
+
+-- search criteria as only argument. If args is nil or an empty table then all
+-- rules will be returned.
+--
+-- The following keys in the args table are recognized:
+-- <ul>
+--  <li> table		 - Match rules that are located within the given table
+--  <li> chain		 - Match rules that are located within the given chain
+--  <li> target		 - Match rules with the given target
+--  <li> protocol	 - Match rules that match the given protocol, rules with
+-- 						protocol "all" are always matched
+--  <li> source		 - Match rules with the given source, rules with source
+-- 						"0.0.0.0/0" (::/0) are always matched
+--  <li> destination - Match rules with the given destination, rules with
+-- 						destination "0.0.0.0/0" (::/0) are always matched
+--  <li> inputif	 - Match rules with the given input interface, rules
+-- 						with input	interface "*" (=all) are always matched
+--  <li> outputif	 - Match rules with the given output interface, rules
+-- 						with output	interface "*" (=all) are always matched
+--  <li> flags		 - Match rules that match the given flags, current
+-- 						supported values are "-f" (--fragment)
+--						and "!f" (! --fragment)
+--  <li> options	 - Match rules containing all given options
+-- </ul>
+-- The return value is a list of tables representing the matched rules.
+-- Each rule table contains the following fields:
+-- <ul>
+--  <li> index		 - The index number of the rule
+--  <li> table		 - The table where the rule is located, can be one
+--	 					of "filter", "nat" or "mangle"
+--  <li> chain		 - The chain where the rule is located, e.g. "INPUT"
+-- 						or "postrouting_wan"
+--  <li> target		 - The rule target, e.g. "REJECT" or "DROP"
+--  <li> protocol		The matching protocols, e.g. "all" or "tcp"
+--  <li> flags		 - Special rule options ("--", "-f" or "!f")
+--  <li> inputif	 - Input interface of the rule, e.g. "eth0.0"
+-- 						or "*" for all interfaces
+--  <li> outputif	 - Output interface of the rule,e.g. "eth0.0"
+-- 						or "*" for all interfaces
+--  <li> source		 - The source ip range, e.g. "0.0.0.0/0" (::/0)
+--  <li> destination - The destination ip range, e.g. "0.0.0.0/0" (::/0)
+--  <li> options	 - A list of specific options of the rule,
+-- 						e.g. { "reject-with", "tcp-reset" }
+--  <li> packets	 - The number of packets matched by the rule
+--  <li> bytes		 - The number of total bytes matched by the rule
+-- </ul>
+-- Example:
+-- <pre>
+-- ip = luci.sys.iptparser.IptParser()
+-- result = ip.find( {
+-- 	target="REJECT",
+-- 	protocol="tcp",
+-- 	options={ "reject-with", "tcp-reset" }
+-- } )
+-- </pre>
+-- This will match all rules with target "-j REJECT",
+-- protocol "-p tcp" (or "-p all")
+-- and the option "--reject-with tcp-reset".
+function IptParser.find( self, args )
+
+	local args = args or { }
+	local rv   = { }
+
+	args.source      = args.source      and self:_parse_addr(args.source)
+	args.destination = args.destination and self:_parse_addr(args.destination)
+
+	for i, rule in ipairs(self._rules) do
+		local match = true
+
+		-- match table
+		if not ( not args.table or args.table:lower() == rule.table ) then
+			match = false
+		end
+
+		-- match chain
+		if not ( match == true and (
+			not args.chain or args.chain == rule.chain
+		) ) then
+			match = false
+		end
+
+		-- match target
+		if not ( match == true and (
+			not args.target or args.target == rule.target
+		) ) then
+			match = false
+		end
+
+		-- match protocol
+		if not ( match == true and (
+			not args.protocol or rule.protocol == "all" or
+			args.protocol:lower() == rule.protocol
+		) ) then
+			match = false
+		end
+
+		-- match source
+		if not ( match == true and (
+			not args.source or rule.source == self._nulladdr or
+			self:_parse_addr(rule.source):contains(args.source)
+		) ) then
+			match = false
+		end
+
+		-- match destination
+		if not ( match == true and (
+			not args.destination or rule.destination == self._nulladdr or
+			self:_parse_addr(rule.destination):contains(args.destination)
+		) ) then
+			match = false
+		end
+
+		-- match input interface
+		if not ( match == true and (
+			not args.inputif or rule.inputif == "*" or
+			args.inputif == rule.inputif
+		) ) then
+			match = false
+		end
+
+		-- match output interface
+		if not ( match == true and (
+			not args.outputif or rule.outputif == "*" or
+			args.outputif == rule.outputif
+		) ) then
+			match = false
+		end
+
+		-- match flags (the "opt" column)
+		if not ( match == true and (
+			not args.flags or rule.flags == args.flags
+		) ) then
+			match = false
+		end
+
+		-- match specific options
+		if not ( match == true and (
+			not args.options or
+			self:_match_options( rule.options, args.options )
+		) ) then
+			match = false
+		end
+
+		-- insert match
+		if match == true then
+			rv[#rv+1] = rule
+		end
+	end
+
+	return rv
+end
+
+
+-- through external commands.
+function IptParser.resync( self )
+	self._rules = { }
+	self._chain = nil
+	self:_parse_rules()
+end
+
+
+function IptParser.tables( self )
+	return self._tables
+end
+
+
+function IptParser.chains( self, table )
+	local lookup = { }
+	local chains = { }
+	for _, r in ipairs(self:find({table=table})) do
+		if not lookup[r.chain] then
+			lookup[r.chain]   = true
+			chains[#chains+1] = r.chain
+		end
+	end
+	return chains
+end
+
+
+--				and "rules". The "rules" field is a table of rule tables.
+function IptParser.chain( self, table, chain )
+	return self._chains[table:lower()] and self._chains[table:lower()][chain]
+end
+
+
+function IptParser.is_custom_target( self, target )
+	for _, r in ipairs(self._rules) do
+		if r.chain == target then
+			return true
+		end
+	end
+	return false
+end
+
+
+-- [internal] Parse address according to family.
+function IptParser._parse_addr( self, addr )
+	if self._family == 4 then
+		return luci.ip.IPv4(addr)
+	else
+		return luci.ip.IPv6(addr)
+	end
+end
+
+-- [internal] Parse iptables output from all tables.
+function IptParser._parse_rules( self )
+
+	for i, tbl in ipairs(self._tables) do
+
+		self._chains[tbl] = { }
+
+		for i, rule in ipairs(luci.util.execl(self._command % tbl)) do
+
+			if rule:find( "^Chain " ) == 1 then
+
+				local crefs
+				local cname, cpol, cpkt, cbytes = rule:match(
+					"^Chain ([^%s]*) %(policy (%w+) " ..
+					"(%d+) packets, (%d+) bytes%)"
+				)
+
+				if not cname then
+					cname, crefs = rule:match(
+						"^Chain ([^%s]*) %((%d+) references%)"
+					)
+				end
+
+				self._chain = cname
+				self._chains[tbl][cname] = {
+					policy     = cpol,
+					packets    = tonumber(cpkt or 0),
+					bytes      = tonumber(cbytes or 0),
+					references = tonumber(crefs or 0),
+					rules      = { }
+				}
+
+			else
+				if rule:find("%d") == 1 then
+
+					local rule_parts   = luci.util.split( rule, "%s+", nil, true )
+					local rule_details = { }
+
+					-- cope with rules that have no target assigned
+					if rule:match("^%d+%s+%d+%s+%d+%s%s") then
+						table.insert(rule_parts, 4, nil)
+					end
+
+					-- ip6tables opt column is usually zero-width
+					if self._family == 6 then
+						table.insert(rule_parts, 6, "--")
+					end
+
+					rule_details["table"]       = tbl
+					rule_details["chain"]       = self._chain
+					rule_details["index"]       = tonumber(rule_parts[1])
+					rule_details["packets"]     = tonumber(rule_parts[2])
+					rule_details["bytes"]       = tonumber(rule_parts[3])
+					rule_details["target"]      = rule_parts[4]
+					rule_details["protocol"]    = rule_parts[5]
+					rule_details["flags"]       = rule_parts[6]
+					rule_details["inputif"]     = rule_parts[7]
+					rule_details["outputif"]    = rule_parts[8]
+					rule_details["source"]      = rule_parts[9]
+					rule_details["destination"] = rule_parts[10]
+					rule_details["options"]     = { }
+
+					for i = 11, #rule_parts  do
+						if #rule_parts[i] > 0 then
+							rule_details["options"][i-10] = rule_parts[i]
+						end
+					end
+
+					self._rules[#self._rules+1] = rule_details
+
+					self._chains[tbl][self._chain].rules[
+						#self._chains[tbl][self._chain].rules + 1
+					] = rule_details
+				end
+			end
+		end
+	end
+
+	self._chain = nil
+end
+
+
+-- [internal] Return true if optlist1 contains all elements of optlist 2.
+--            Return false in all other cases.
+function IptParser._match_options( self, o1, o2 )
+
+	-- construct a hashtable of first options list to speed up lookups
+	local oh = { }
+	for i, opt in ipairs( o1 ) do oh[opt] = true end
+
+	-- iterate over second options list
+	-- each string in o2 must be also present in o1
+	-- if o2 contains a string which is not found in o1 then return false
+	for i, opt in ipairs( o2 ) do
+		if not oh[opt] then
+			return false
+		end
+	end
+
+	return true
+end
diff --git a/libs/luci-lib-iptparser/luasrc/sys/iptparser.luadoc b/libs/luci-lib-iptparser/luasrc/sys/iptparser.luadoc
new file mode 100644
index 000000000..071e7d52e
--- /dev/null
+++ b/libs/luci-lib-iptparser/luasrc/sys/iptparser.luadoc
@@ -0,0 +1,69 @@
+---[[
+LuCI iptables parser and query library
+
+@cstyle	instance
+]]
+module "luci.sys.iptparser"
+
+---[[
+Create a new iptables parser object.
+
+@class	function
+@name	IptParser
+@param	family	Number specifying the address family. 4 for IPv4, 6 for IPv6
+@return	IptParser instance
+]]
+
+---[[
+Find all firewall rules that match the given criteria. Expects a table with
+
+search criteria as only argument. If args is nil or an empty table then all
+rules will be returned.
+]]
+
+---[[
+Rebuild the internal lookup table, for example when rules have changed
+
+through external commands.
+@class function
+@name IptParser.resync
+@return	nothing
+]]
+
+---[[
+Find the names of all tables.
+
+@class function
+@name IptParser.tables
+@return		Table of table names.
+]]
+
+---[[
+Find the names of all chains within the given table name.
+
+@class function
+@name IptParser.chains
+@param table	String containing the table name
+@return		Table of chain names in the order they occur.
+]]
+
+---[[
+Return the given firewall chain within the given table name.
+
+@class function
+@name IptParser.chain
+@param table	String containing the table name
+@param chain	String containing the chain name
+@return		Table containing the fields "policy", "packets", "bytes"
+--				and "rules". The "rules" field is a table of rule tables.
+]]
+
+---[[
+Test whether the given target points to a custom chain.
+
+@class function
+@name IptParser.is_custom_target
+@param target	String containing the target action
+@return			Boolean indicating whether target is a custom chain.
+]]
+
diff --git a/libs/luci-lib-nixio/docsrc/CHANGELOG.lua b/libs/luci-lib-nixio/docsrc/CHANGELOG.lua
index aa3184140..8c9260317 100644
--- a/libs/luci-lib-nixio/docsrc/CHANGELOG.lua
+++ b/libs/luci-lib-nixio/docsrc/CHANGELOG.lua
@@ -10,7 +10,7 @@ module "nixio.CHANGELOG"
 -- <li>Added support for x509 certificates in DER format.</li>
 -- <li>Added support for splice() in UnifiedIO.copyz().</li>
 -- <li>Added interface to inject chunks into UnifiedIO.linesource() buffer.</li>
--- <li>Changed TLS behaviour to explicitely separate servers and clients.</li>
+-- <li>Changed TLS behaviour to explicitly separate servers and clients.</li>
 -- <li>Fixed usage of signed datatype breaking Base64 decoding.</li>
 -- <li>Fixed namespace clashes for nixio.fs.</li>
 -- <li>Fixed splice() support for some exotic C libraries.</li>
diff --git a/libs/luci-lib-nixio/docsrc/README.lua b/libs/luci-lib-nixio/docsrc/README.lua
index 9860cf091..d663b629e 100644
--- a/libs/luci-lib-nixio/docsrc/README.lua
+++ b/libs/luci-lib-nixio/docsrc/README.lua
@@ -18,7 +18,7 @@ module "nixio.README"
 -- table <strong>nixio.const_sock</strong> for socket error codes. This might
 -- be important if you are dealing with Windows applications, on POSIX however
 -- const_sock is just an alias for const.</li>
--- <li>With some exceptions - which are explicitely stated in the function
+-- <li>With some exceptions - which are explicitly stated in the function
 -- documentation - all blocking functions are signal-protected and will not fail
 -- with EINTR.</li>
 -- <li>On POSIX the SIGPIPE signal will be set to ignore upon initialization.
diff --git a/libs/luci-lib-nixio/docsrc/nixio.lua b/libs/luci-lib-nixio/docsrc/nixio.lua
index 1a0d69a05..56a4afbb8 100644
--- a/libs/luci-lib-nixio/docsrc/nixio.lua
+++ b/libs/luci-lib-nixio/docsrc/nixio.lua
@@ -59,7 +59,7 @@ module "nixio"
 -- <li>aliases = Table of alias names</li>
 -- </ul>
 
---- Get all or a specifc proto entry.
+--- Get all or a specific proto entry.
 -- @class function
 -- @name nixio.getproto
 -- @param proto		protocol number or name to lookup (optional)
diff --git a/libs/luci-lib-px5g/src/library/bignum.c b/libs/luci-lib-px5g/src/library/bignum.c
index 8b7c12ff0..d2a8ff42e 100644
--- a/libs/luci-lib-px5g/src/library/bignum.c
+++ b/libs/luci-lib-px5g/src/library/bignum.c
@@ -720,7 +720,7 @@ cleanup:
 }
 
 /*
- * Helper for mpi substraction
+ * Helper for mpi subtraction
  */
 static void mpi_sub_hlp( int n, t_int *s, t_int *d )
 {
@@ -741,7 +741,7 @@ static void mpi_sub_hlp( int n, t_int *s, t_int *d )
 }
 
 /*
- * Unsigned substraction: X = |A| - |B|  (HAC 14.9)
+ * Unsigned subtraction: X = |A| - |B|  (HAC 14.9)
  */
 int mpi_sub_abs( mpi *X, mpi *A, mpi *B )
 {
@@ -809,7 +809,7 @@ cleanup:
 }
 
 /*
- * Signed substraction: X = A - B
+ * Signed subtraction: X = A - B
  */
 int mpi_sub_mpi( mpi *X, mpi *A, mpi *B )
 {
@@ -856,7 +856,7 @@ int mpi_add_int( mpi *X, mpi *A, int b )
 }
 
 /*
- * Signed substraction: X = A - b
+ * Signed subtraction: X = A - b
  */
 int mpi_sub_int( mpi *X, mpi *A, int b )
 {
diff --git a/libs/luci-lib-px5g/src/library/x509write.c b/libs/luci-lib-px5g/src/library/x509write.c
index 173610c1a..b9ebf35ba 100644
--- a/libs/luci-lib-px5g/src/library/x509write.c
+++ b/libs/luci-lib-px5g/src/library/x509write.c
@@ -19,7 +19,7 @@
  *  MA  02110-1301  USA
  */
 /*
- *  The ITU-T X.509 standard defines a certificat format for PKI.
+ *  The ITU-T X.509 standard defines a certificate format for PKI.
  *
  *  http://www.ietf.org/rfc/rfc2459.txt
  *  http://www.ietf.org/rfc/rfc3279.txt
@@ -68,7 +68,7 @@ static int asn1_eval_octet(unsigned int digit)
 }
 
 /*
- * write the asn.1 lenght form into p
+ * write the asn.1 length form into p
  */
 static int asn1_add_len(unsigned int size, x509_node *node)
 {
@@ -788,7 +788,7 @@ static int x509write_parse_names(x509_node *node, unsigned char *names)
                     R_len = len;
                 }
 
-                /* set tag poiner to begin */
+                /* set tag pointer to begin */
                 tag_sp = tag;
 
                 /* is at end? */
@@ -866,7 +866,7 @@ static int x509write_parse_names(x509_node *node, unsigned char *names)
 }
 
 /*
- * Copy raw data from orginal ca to node
+ * Copy raw data from original ca to node
  */
 static int x509write_copy_from_raw(x509_node *node, x509_buf *raw)
 {
diff --git a/libs/luci-lib-px5g/src/polarssl/bignum.h b/libs/luci-lib-px5g/src/polarssl/bignum.h
index c66730332..cf443ea92 100644
--- a/libs/luci-lib-px5g/src/polarssl/bignum.h
+++ b/libs/luci-lib-px5g/src/polarssl/bignum.h
@@ -272,7 +272,7 @@ int mpi_cmp_int( mpi *X, int z );
 int mpi_add_abs( mpi *X, mpi *A, mpi *B );
 
 /**
- * \brief          Unsigned substraction: X = |A| - |B|
+ * \brief          Unsigned subtraction: X = |A| - |B|
  *
  * \return         0 if successful,
  *                 POLARSSL_ERR_MPI_NEGATIVE_VALUE if B is greater than A
@@ -288,7 +288,7 @@ int mpi_sub_abs( mpi *X, mpi *A, mpi *B );
 int mpi_add_mpi( mpi *X, mpi *A, mpi *B );
 
 /**
- * \brief          Signed substraction: X = A - B
+ * \brief          Signed subtraction: X = A - B
  *
  * \return         0 if successful,
  *                 1 if memory allocation failed
@@ -304,7 +304,7 @@ int mpi_sub_mpi( mpi *X, mpi *A, mpi *B );
 int mpi_add_int( mpi *X, mpi *A, int b );
 
 /**
- * \brief          Signed substraction: X = A - b
+ * \brief          Signed subtraction: X = A - b
  *
  * \return         0 if successful,
  *                 1 if memory allocation failed
diff --git a/libs/luci-lib-px5g/src/polarssl/x509.h b/libs/luci-lib-px5g/src/polarssl/x509.h
index 908a1dbf5..6c9ef99a8 100644
--- a/libs/luci-lib-px5g/src/polarssl/x509.h
+++ b/libs/luci-lib-px5g/src/polarssl/x509.h
@@ -375,7 +375,7 @@ int x509write_add_pubkey( x509_raw *chain, rsa_context *pubkey );
  *                 the string parse.
  *
  * \param chain    points to the raw certificate data
- * \param names    a string that can hold (separete with ";"):
+ * \param names    a string that can hold (separate with ";"):
  *                     CN=CommonName
  *                 --   O=Organization
  *                 --  OU=OrgUnit
@@ -402,7 +402,7 @@ int x509write_add_customize ( x509_raw *crt,
 * \brief          Add x509 issuer field
 *
 * \param chain    points to the raw certificate data
-* \param issuer   a string holding (separete with ";"):
+* \param issuer   a string holding (separate with ";"):
 *                     CN=CommonName
 *                 --   O=Organization
 *                 --  OU=OrgUnit
@@ -419,7 +419,7 @@ int x509write_add_issuer( x509_raw *crt, unsigned char *issuer);
  * \brief          Add x509 subject field
  *
  * \param chain    points to the raw certificate data
- * \param subject  a string holding (separete with ";"):
+ * \param subject  a string holding (separate with ";"):
  *                     CN=CommonName
  *                 --   O=Organization
  *                 --  OU=OrgUnit