. ds se \d\s0
. if \n(.g \{\
. fam P
+. ev an-1
+. fam P
+. ev
. \}
.\}
.el \{\
.BR @MASTER-SEQUENCE@ .
.SS "Master repository parameters"
.TP
-.I base-url
+.B base-url
The base URL of the key repository (usually with a trailing
.RB ` / ').
Typically, this will be something like
-.RB http://www.distorted.org.uk/vpn/ .
+.RB ` http://www.distorted.org.uk/vpn/ '.
No default.
.TP
-.I repos-base
+.B repos-base
The basename for the repository archive. Default is
-.BR tripe-keys.tar.gz .
+.RB ` tripe-keys.tar.gz '.
.TP
-.I sig-base
+.B sig-base
The basename template for repository signatures. Default is
-.BR tripe-keys.sig-<SEQ> .
+.RB ` tripe-keys.sig-<SEQ> '.
The
.RB ` <SEQ> '
portion, if any, is replaced by the sequence number of the key which
made the signature.
.TP
-.I repos-url
+.B repos-url
The URL for the key repository tarball. Default is the concatenation of
.I base-url
and
.IR repos-base .
.TP
-.I sig-url
+.B sig-url
The URL template for key repository signatures. Default is the
concatenation of
.I base-url
and
.IR sig-base .
.TP
-.I master-sequence
+.B master-sequence
The sequence number of the master authority's current signing key. No
default. Usually set up automatically.
.TP
-.I master-keygen-flags
+.B master-keygen-flags
Additional options for generating master keys. Default is
-.RB ` -l '.
+.RB ` \-l '.
.TP
-.I master-attrs
+.B master-attrs
Additional attributes to set on the master key,
as
.IB key = value
pairs separated by spaces.
Default is empty.
.TP
-.I hk-master
+.B hk-master
The fingerprint of the current master signing key. No default. Usually
set up automatically.
.TP
-.I upload-hook
+.B upload-hook
A shell command to run by
.B tripe-keys upload
after it has successfully written the
and
.IR sig-file s.
Default is
-.B ": run upload hook"
+.RB ` ": run upload hook" '
which does nothing.
.SS "Crypto parameters"
.TP
-.I kx
+.B kx
Key-exchange algorithm to use. Either
.B dh
(integer Diffie-Hellman)
or
.B ec
(elliptic curves). The default is
-.BR dh .
+.RB ` dh '.
.ne 9
.TP
-.I kx-genalg
+.B kx-genalg
Key generation algorithm name to pass to
.B "key add"
when generating keys.
.TE
.ne 9
.TP
-.I kx-param-genalg
+.B kx-param-genalg
Key generation algorithm name to pass to
.B "key add"
when generating the parameters key.
.TE
.ne 9
.TP
-.I kx-param
+.B kx-param
Options to pass to
.B "key add"
when generating the parameters key. Default depends on
.TE
.ne 9
.TP
-.I kx-attrs
+.B kx-attrs
Additional attributes to set on the parameters
(and therefore copied to peer keys),
as
_
.TE
.TP
-.I kx-expire
+.B kx-expire
Expiry time for generated keys. Default is
-.BR "now + 1 year" .
+.RB ` "now + 1 year" '.
.TP
-.I hash
+.B hash
Hashing algorithm to use. Default is
-.BR sha256 .
+.RB ` sha256 '.
.TP
-.I bulk
+.B bulk
The bulk crypto transform to use.
Default is
-.BR iiv .
+.RB ` iiv '.
.ne 8
.TP
-.I mac
+.B mac
Message authentication algorithm to use.
Default depends on
.I bulk
bulk mac
_
v0 \fIhash\fB-hmac/\fIhalfhashlen
-iiv \fIhash\fB-hmac/\fIhalfhashlenrijndael-cbc
+iiv \fIhash\fB-hmac/\fIhalfhashlen
naclbox poly1305/128
_
.TE
.IR hash 's
output length.)
.TP
-.I mgf
+.B mgf
Mask-generation algorithm to use. Default is
-.IB hash -mgf \fR.
+.BI \fR` hash -mgf \fR'.
This is probably a good choice.
.ne 7
.TP
-.I cipher
+.B cipher
Symmetric encryption scheme to use.
Default depends on
.I bulk
.TE
.ne 8
.TP
-.I sig
+.B sig
Signature scheme to use. Must be one of those recognized by
.BR catsign (1).
Default depends on
.TE
.ne 12
.TP
-.I sig-genalg
+.B sig-genalg
Key-generation algorithm for signing key. Default depends on
.I sig
as follows.
.TE
.ne 10
.TP
-.I sig-param
+.B sig-param
Signature-key generation parameters. Default depends on
.I sig-genalg
as follows.
_
.TE
.TP
-.I sig-hash
+.B sig-hash
Hash function to use for making signatures. Default is
.IR hash .
.TP
-.I sig-fresh
+.B sig-fresh
Oldest time we should consider a signed archive to be fresh. Default is
-.BR always ,
+.RB ` always ',
meaning that all signatures are fresh.
.TP
-.I sig-expire
+.B sig-expire
Expiry time for master signing key. Default is
-.BR forever .
+.RB ` forever '.
.TP
-.I fingerprint-hash
+.B fingerprint-hash
Hash function to use for key fingerprinting. Default is
.IR hash .
.SS "Master maintenance parameters"
.TP
-.I base-dir
+.B base-dir
Local base directory for the repository files. This probably ought to
end in a
.RB ` / '
character. Unexpected files in this directory will be removed by the
-.B tripe-keys upload
+.RB ` "tripe-keys upload" '
command. No default.
.TP
-.I repos-file
+.B repos-file
Filename for local repository tarball. Default is the concatenation of
.I base-dir
and
.IB repos-base .
.TP
-.I sig-file
+.B sig-file
Template for repository signatures. Default is the concatenation of
.I base-dir
and
.IR sig-base .
.TP
-.I conf-file
+.B conf-file
Filename for local repository configuration file. Default is
-.IB basedir /tripe-keys.conf \fR.
+.BI \fR` basedir /tripe-keys.conf \fR'.
.TP
-.I kx-warn-days
+.B kx-warn-days
The
.B "tripe-keys check"
command will warn about keys which will in less than
.B auto
in the section (or in its parent, etc.), and the value is
.BR y ,
-.BR yes .
+.BR yes ,
.BR t ,
.BR true ,
.BR 1 ,
path.append(me.name)
try:
- ## If we've been this way before on another pass through then return the
- ## value we found then. If we're still thinking about it then we've
- ## found a cycle.
+ ## If we've been this way before on another pass through then return
+ ## the value we found then. If we're still thinking about it then
+ ## we've found a cycle.
try: v, p = me._cache[key]
except KeyError: pass
else:
return;
bad_syntax:
- a_fail(a, "bad-syntax", "%s", cmd, "[OPTIONS] PEER", cmd, A_END);
+ a_fail(a, "bad-syntax", "%s", cmd, "[OPTIONS] PEER", A_END);
fail:
if (pg) xfree(pg);
return;
## End of the test, now run the server.
) && :; } | {
cd $1
- echo TRIPE $2 >&2
+ echo "TRIPE $2" >&2
WITH_STRACE([tripe], [TRIPE $2 >server-output.full 2>server-errors.full])
stat=$?
echo $stat >server-status
## Watch for the key-exchange completion announcement in the background.
COPROCESSES([wait-$1], [
- echo WATCH +n
+ echo "WATCH +n"
while read line; do
set x $line; shift
echo >&2 ">>> $line"
AT_SETUP([server basics])
SETUPDIR([alpha])
-AT_CHECK([echo port | TRIPE -p54321],, [INFO 54321[]nl[]OK[]nl])
+AT_CHECK([echo "port" | TRIPE -p54321],, [INFO 54321[]nl[]OK[]nl])
AT_CLEANUP
###--------------------------------------------------------------------------
## server chose the same key is negligible.)
AT_CHECK([TRIPECTL checkchal AAAAAHyoOL+HMaE0Y9B3ivuszt0], [1],,
[tripectl: invalid-challenge[]nl])
- echo WARN CHAL incorrect-tag >>expected-server-output
+ echo "WARN CHAL incorrect-tag" >>expected-server-output
## A duplicated challenge.
AT_CHECK([
TRIPECTL CHECKCHAL $chal
TRIPECTL CHECKCHAL $chal
], [1],, [tripectl: invalid-challenge[]nl])
- echo WARN CHAL replay duplicated-sequence >>expected-server-output
+ echo "WARN CHAL replay duplicated-sequence" >>expected-server-output
## Out-of-order reception. There should be a window of 32 challenges; we
## make 33 and check them in a strange order.
## Run a simple service.
rm -f svc-test-running tripectl-status
COPROCESSES([svc], [
- echo SVCCLAIM test 1.0.0
+ echo "SVCCLAIM test 1.0.0"
read line
case "$line" in
OK)
exit 1
;;
esac
- echo ok >svc-test-running
+ echo "ok" >svc-test-running
while read line; do
set -- $line
case "$[]1,$[]3,$[]4" in
SVCJOB,test,HELP)
- echo SVCINFO try not to use this service for anything useful
- echo SVCOK $[]2
+ echo "SVCINFO try not to use this service for anything useful"
+ echo "SVCOK $[]2"
;;
SVCJOB,test,GOOD)
- echo SVCOK $[]2
+ echo "SVCOK $[]2"
;;
SVCJOB,test,BAD)
- echo SVCFAIL $[]2 this-command-always-fails
+ echo "SVCFAIL $[]2 this-command-always-fails"
;;
SVCJOB,test,UGLY)
tag=$2
firsttag=$[]2
;;
SVCJOB,test,SECOND)
- echo SVCOK $firsttag
- echo SVCOK $[]2
+ echo "SVCOK $firsttag"
+ echo "SVCOK $[]2"
;;
SVCJOB,*)
- echo SVCFAIL $[]2 unknown-svc-command $[]4
+ echo "SVCFAIL $[]2 unknown-svc-command $[]4"
;;
SVCCLAIM,*)
break
.BI "KILL " peer
Causes the server to forget all about
.IR peer .
-All keys are destroyed, and no more packets are sent. No notification
-is sent to the peer: if it's important that the peer be notified, you
-must think of a way to do that yourself.
+All keys are destroyed, and no more packets are sent. A
+.B bye
+message is sent to the peer if it's marked as
+.B "\-ephemeral"
+\(en see the
+.B "ADD"
+command.
.SP
.B "LIST"
For each currently-known peer, an
.TP
.BI "\-T, \-\-trace=" trace-opts
Allows the enabling or disabling of various internal diagnostics. See
-below for the list of options.
+the
+.B TRACE
+command in
+.BR trace-admin (5)
+for the list of options.
.SS "Key exchange group types"
The
.B tripe
me._sabotage = False
else:
S.kill(me._peer)
- except TripeError, e:
+ except T.TripeError, e:
if e.args[0] == 'unknown-peer': me._pinger.kill(me._peer)
def event(me, code, stuff):
def info(me):
if not me._nping:
- mean = sd = '-'
+ mean = sd = min = max = '-'
else:
- mean = me._sigma_t/me._nping
- sd = sqrt(me._sigma_t2/me._nping - mean*mean)
+ meanval = me._sigma_t/me._nping
+ mean = '%.1fms' % meanval
+ sd = '%.1fms' % sqrt(me._sigma_t2/me._nping - meanval*meanval)
+ min = '%.1fms' % me._min
+ max = '%.1fms' % me._max
n = me._nping + me._nlost
if not n: pclost = '-'
else: pclost = '%d' % ((100*me._nlost + n//2)//n)
return { 'last-ping': me._last,
- 'mean-ping': '%.1fms' % mean,
- 'sd-ping': '%.1fms' % sd,
+ 'mean-ping': mean,
+ 'sd-ping': sd,
'n-ping': '%d' % me._nping,
'n-lost': '%d' % me._nlost,
'percent-lost': pclost,
- 'min-ping': '%.1fms' % me._min,
- 'max-ping': '%.1fms' % me._max,
+ 'min-ping': min,
+ 'max-ping': max,
'state': me._timer and 'idle' or 'check',
- 'failures': me._failures }
+ 'failures': str(me._failures) }
@T._callback
def _time(me):
return opts
## Service table, for running manually.
-service_info = [('connect', T.VERSION, {
+service_info = [('connect', VERSION, {
'adopted': (0, 0, '', cmd_adopted),
'kick': (1, 1, 'PEER', cmd_kick),
'passive': (1, None, '[OPTIONS] USER', cmd_passive),
~mdw / tripe / commitdiff