X-Git-Url: https://git.distorted.org.uk/~mdw/secnet/blobdiff_plain/b02b720ac62afd3a45c44e7ced37c090e7b39da9..HEAD:/secnet.8 diff --git a/secnet.8 b/secnet.8 index 2bf2250..9ffa605 100644 --- a/secnet.8 +++ b/secnet.8 @@ -1,3 +1,21 @@ +.\" Man page for secnet. +.\" +.\" See the secnet.git README, or the Debian copyright file, for full +.\" list of copyright holders. +.\" +.\" secnet is free software; you can redistribute it and/or modify it +.\" under the terms of the GNU General Public License as published by +.\" the Free Software Foundation; either version 3 of the License, or +.\" (at your option) any later version. +.\" +.\" secnet is distributed in the hope that it will be useful, but +.\" WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +.\" General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" version 3 along with secnet; if not, see +.\" https://www.gnu.org/licenses/gpl.html. .TH secnet 8 .SH NAME @@ -266,7 +284,6 @@ Boolean. If \fBtrue\fR (the default) then check if \fIp\fR is prime. .PP A \fIdh closure\fR defines a group to be used for key exchange. -The same group must be used by all sites in the VPN. .SS logfile \fBlogfile(\fIDICT\fB)\fR => \fIlog closure\fR @@ -416,7 +433,7 @@ A \fIrandomsource closure\fR is a source of random numbers. Read the contents of the file \fIPATH\fR (a string) and return it as a string. .SS eax-serpent -\eax-fBserpent(\fIDICT\fB)\fR => \fItransform closure\fR +\fBeax-serpent(\fIDICT\fB)\fR => \fItransform closure\fR .PP Valid keys in the \fIDICT\fR argument are: .TP 
@@ -434,6 +451,17 @@ blocksize, 16. Must be have the same value at both ends. .B padding-rounding Messages are padded to a multiple of this many bytes. This serves to obscure the exact length of messages. The default is 16, +.TP +.B capab-num +The transform capability number to use when advertising this +transform. Both ends must have the same meaning (or, at least, a +compatible transform) for each transform capability number they have +in common. The default for serpent-eax is 9. +.IP +Transform capability numbers in the range 8..15 are intended for +allocation by the implementation, and may be assigned as the default +for new transforms in the future. Transform capability numbers in the +range 0..7 are reserved for definition by the user. .PP A \fItransform closure\fR is a reversible means of transforming messages for transmission over a (presumably) insecure network. @@ -442,8 +470,15 @@ It is responsible for both confidentiality and integrity. .SS serpent256-cbc \fBserpent256-cbc(\fIDICT\fB)\fR => \fItransform closure\fR .PP +This transform +is deprecated as its security properties are poor; it should be +specified only alongside a better transform such as eax-serpent. +.PP Valid keys in the \fIDICT\fR argument are: .TP +.B capab-num +As above. The default for serpent256-cbc is 8. +.TP .B max-sequence-skew As above. .PP @@ -520,8 +555,13 @@ An \fIrsapubkey closure\fR. The key used to verify the peer's identity. .TP .B transform -A \fItransform closure\fR. -Used to protect packets exchanged with the peer. +One or more \fItransform closures\fR. +Used to protect packets exchanged with the peer. These should +all have distinct \fBcapab-num\fR values, and the same \fBcapab-num\fR +value should refer to the same (or a compatible) transform at both +ends. The list should be in order of preference, most preferred +first. (The end which sends MSG1,MSG3 ends up choosing; the ordering +at the other end is irrelevant.) .TP .B dh A \fIdh closure\fR.
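Review bot: in the dh closure hunk (@@ -266,7 +284,6 @@), deleting "The same group must be used by all sites in the VPN." leaves no statement of what replaces that constraint; if the group may now differ per site, or is chosen per peer, add a sentence saying so, otherwise a reader will assume the old restriction still applies silently.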
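Review bot: in the eax-serpent capab-num hunk (@@ -434,6 +451,17 @@), the default is given as "The default for serpent-eax is 9." while the section heading and the fixed prototype line both name the transform eax-serpent; change it to "The default for eax-serpent is 9." so the name the user searches for matches. The same paragraph relies on "(or, at least, a compatible transform)" without saying what compatibility means; either define it or drop the parenthetical and keep the plain rule that a capab-num must denote the same transform at both ends.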
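Review bot: in the serpent256-cbc hunk (@@ -442,8 +470,15 @@), the deprecation paragraph says the transform "should be specified only alongside a better transform such as eax-serpent", but the later transform hunk states that the end sending MSG1,MSG3 picks by its own list order; spell out that serpent256-cbc must be listed after the better transform, since a site that lists it first will still select it despite the deprecation.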
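Review bot: in the site transform hunk (@@ -520,8 +555,13 @@), "One or more transform closures" does not say how a list of closures is written in the configuration, and the text does not say what happens when the two ends have no capab-num in common; add the list syntax (or a pointer to where it is documented) and a sentence on the no-match case, since the page otherwise leaves that outcome undefined.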