.TP
.B "\-ephemeral"
The association with the peer is not intended to persist indefinitely.
-If a peer marked as ephemeral is killed, or the
+When a peer is killed, or the
.BR tripe (8)
-daemon is shut down, send a
+daemon is shut down, a
.B bye
-packet to the peer so that it forgets about us; if a peer marked as
-ephemeral sends us a
+packet is to the peer(s). If a peer marked as ephemeral sends us a
.B bye
packet then it is killed (but in this case no further
.B bye
-packet is sent). Peers not marked as ephemeral exhibit neither of these
-behaviours; each peer must have the other marked as ephemeral for the
-association to be fully torn down if either end kills the other.
+packet is sent). A
+.B bye
+packet from a peer which isn't marked as ephemeral leaves the peer alone
+in the hope that the connection can be reestablished.
.TP
.BI "\-keepalive " time
Send a no-op packet if we've not sent a packet to the peer in the last
.B KNOCK
notification stating the peer's (claimed) name and address. The server
will already have verified that the sender is using the peer's private
-key by this point. This option implies
+key by this point. Prior to version 1.6.0, this option used to imply
.BR \-ephemeral .
.TP
.B "\-mobile"
and if one succeeds, the server will update its idea of the peer's
address and emit an
.B NEWADDR
-notification. This option implies
+notification. Prior to version 1.6.0, this option used to imply
.BR \-ephemeral .
.TP
.BI "\-priv " tag
.BI "KILL " peer
Causes the server to forget all about
.IR peer .
-All keys are destroyed, and no more packets are sent. No notification
-is sent to the peer: if it's important that the peer be notified, you
-must think of a way to do that yourself.
+All keys are destroyed, and no more packets are sent. A
+.B bye
+message is sent to the peer if it's marked as
+.B "\-ephemeral"
+\(en see the
+.B "ADD"
+command.
.SP
.B "LIST"
For each currently-known peer, an
.BI "ABORT repeated-select-errors"
The main event loop is repeatedly failing. If the server doesn't quit,
it will probably waste all available CPU doing nothing.
+.SP
+.BI "ABORT hash-size-too-large hash " name " size " sz " limit " max
+An internal inconsistency: the hash function
+.I name
+produces a
+.IR sz -byte
+hash, but the server has been compiled to assume that no hash function
+returns more than
+.I max
+bytes.
.SS "ADMIN warnings"
These indicate a problem with the administration socket interface.
.SP
tag may be given next, preceded by the token
.BR key .
.SP
-.BI "KEYMGMT private-keyring " file " key " tag " incorrect-public-key"
-The private key doesn't record the correct corresponding public key.
-.SP
.BI "KEYMGMT public-keyring " file " key " tag " algorithm-mismatch"
A peer's public key doesn't request the same algorithms as our private
key.
.I str
where a MAC tag length was expected. The key was generated wrongly.
.SP
+.BI "KEYMGMT private-keyring " file " key " tag " incorrect-public-key"
+The private key doesn't record the correct corresponding public key.
+.SP
+.BI "KEYMGMT " which "-keyring " file " io-error " ecode " " message
+A system error occurred while opening or reading the keyring file.
+.SP
.BI "KEYMGMT private-keyring " file " key " tag " changed-group"
The private keyring has been changed, but the new private key can't be
used because it uses a different group for Diffie\(enHellman key
exchange.
.SP
-.BI "KEYMGMT " which "-keyring " file " io-error " ecode " " message
-A system error occurred while opening or reading the keyring file.
+.BI "KEYMGMT " which "-keyring " file " key " tag " no-hmac-for-hash " hash
+No message authentication code was given explicitly, and there's no
+implementation of HMAC for the selected hash function
+.IR hash .
.SP
.BI "KEYMGMT " which "-keyring " file " key " tag " unknown-bulk-transform " bulk
The key specifies the use of an unknown bulk-crypto transform
for hashing group elements. Maybe the key was generated wrongly, or
maybe the version of Catacomb installed is too old.
.SP
-.BI "KEYMGMT " which "-keyring " file " key " tag " no-hmac-for-hash " hash
-No message authentication code was given explicitly, and there's no
-implementation of HMAC for the selected hash function
-.IR hash .
+.BI "KEYMGMT " which "-keyring " file " key " tag " unsuitable-aead-cipher " cipher "no-aad"
+The key specifies the use of an authenticated encryption scheme
+.I cipher
+which does not support the processing of additional authenticated data.
+The most prominent examples of such schemes are the
+.IB cipher -naclbox
+collection, where
+.I cipher
+is
+.BR salsa20 ,
+.BR salsa20/12 ,
+.BR salsa20/8 ,
+.BR chacha20 ,
+.BR chacha12 ,
+or
+.BR chacha8 ;
+use the
+.B naclbox
+bulk transform rather than
+.B aead
+for these
+(or switch to the IETF
+.IB cipher -poly1305
+schemes instead).
+.SP
+.BI "KEYMGMT " which "-keyring " file " key " tag " unsuitable-aead-cipher " cipher "nonce-too-small"
+The key specifies the use of an authenticated encryption scheme
+.I cipher
+which doesn't even allow a 5-byte (40-bit) nonce. Catacomb doesn't
+implement any such limited AE schemes: you must be doing something
+strange.
+.SP
+.BI "KEYMGMT " which "-keyring " file " key " tag " unsuitable-aead-cipher " cipher "nonce-too-large"
+The key specifies the use of an authenticated encryption scheme
+.I cipher
+which doesn't support any nonce size smaller than 64 bytes (512 bits).
+Catacomb doesn't implement any such extravagant AE schemes: you must be
+doing something strange.
+.SP
+.BI "KEYMGMT " which "-keyring " file " key " tag " unsuitable-aead-cipher " cipher "nonempty-ciphertext-for-empty-message"
+The key specifies the use of an authenticated encryption scheme
+.I cipher
+which produces ciphertext output even when given a completely empty
+message. Catacomb doesn't implement any such unhelpful AE schemes: you
+must be doing something strange.
.SP
.BI "KEYMGMT " which "-keyring " file " key " tag " " alg " " name " no-key-size " hashsz
The
~mdw / tripe / blobdiff