server/tripe-admin.5.in: Remove incorrect blame on Catacomb.

[tripe] / server / tripe-admin.5.in

diff --git a/server/tripe-admin.5.in b/server/tripe-admin.5.in
index cc97298a0bcaf94283a55d8b7363a92b6fdb4ffe..0e7d87d72db1451448bf99fc3451b2994216630c 100644 (file)
--- a/server/tripe-admin.5.in
+++ b/server/tripe-admin.5.in
@@ -363,18 +363,18 @@ sends us something before responding.
 .TP
 .B "\-ephemeral"
 The association with the peer is not intended to persist indefinitely.
-If a peer marked as ephemeral is killed, or the
+When a peer is killed, or the
 .BR tripe (8)
-daemon is shut down, send a
+daemon is shut down, a
 .B bye
-packet to the peer so that it forgets about us; if a peer marked as
-ephemeral sends us a
+packet is to the peer(s).  If a peer marked as ephemeral sends us a
 .B bye
 packet then it is killed (but in this case no further
 .B bye
-packet is sent).  Peers not marked as ephemeral exhibit neither of these
-behaviours; each peer must have the other marked as ephemeral for the
-association to be fully torn down if either end kills the other.
+packet is sent).  A
+.B bye
+packet from a peer which isn't marked as ephemeral leaves the peer alone
+in the hope that the connection can be reestablished.
 .TP
 .BI "\-keepalive " time
 Send a no-op packet if we've not sent a packet to the peer in the last
@@ -414,7 +414,7 @@ emits a
 .B KNOCK
 notification stating the peer's (claimed) name and address.  The server
 will already have verified that the sender is using the peer's private
-key by this point.  This option implies
+key by this point.  Prior to version 1.6.0, this option used to imply
 .BR \-ephemeral .
 .TP
 .B "\-mobile"
@@ -425,7 +425,7 @@ peers, however, it will attempt to decrypt the packet using their keys,
 and if one succeeds, the server will update its idea of the peer's
 address and emit an
 .B NEWADDR
-notification.  This option implies
+notification.  Prior to version 1.6.0, this option used to imply
 .BR \-ephemeral .
 .TP
 .BI "\-priv " tag
@@ -1060,7 +1060,9 @@ string was invalid.
 of arguments was wrong.
 .SP
 .BI "bad-time-spec " token
-The
+(For commands accepting a
+.I time
+argument.)  The
 .I token
 is not a valid time interval specification.  Acceptable time
 specifications are nonnegative integers followed optionally by
@@ -1086,6 +1088,12 @@ An unknown watch option was requested.
 .BR DAEMON .)
 An error occurred during the attempt to become a daemon, as reported by
 .IR message .
+See
+.B WARNINGS
+below for the meanings of
+.I ecode
+and
+.IR message .
 .SP
 .BI "disabled-address-family " afam
 (For
@@ -1129,6 +1137,8 @@ There is already a peer named
 .IR peer .
 .SP
 .B "ping-send-failed"
+(For
+.BR EPING .)
 The attempt to send a ping packet failed, probably due to lack of
 encryption keys.
 .SP
@@ -1439,7 +1449,7 @@ command or in greeting packets.
 .SP
 .B "CHAL impossible-challenge"
 The server hasn't issued any challenges yet.  Quite how anyone else
-thought he could make one up is hard to imagine.
+thought they could make one up is hard to imagine.
 .SP
 .B "CHAL incorrect-tag"
 Challenge received contained the wrong authentication data.  It might be
@@ -1539,9 +1549,52 @@ version of Catacomb installed is too old.
 .BI "KEYMGMT " which "-keyring " file " key " tag " unknown-serialization-format " ser
 The key specifies the use of an unknown serialization format
 .I ser
-for hashing group elements.  Maybe the key was generated wrongly, or
-maybe the version of Catacomb installed is too old.
-.SP
+for hashing group elements.  Maybe the key was generated wrongly.
+.SP
+.BI "KEYMGMT " which "-keyring " file " key " tag " unsuitable-aead-cipher " cipher "no-aad"
+The key specifies the use of an authenticated encryption scheme
+.I cipher
+which does not support the processing of additional authenticated data.
+The most prominent examples of such schemes are the
+.IB cipher -naclbox
+collection, where
+.I cipher
+is
+.BR salsa20 ,
+.BR salsa20/12 ,
+.BR salsa20/8 ,
+.BR chacha20 ,
+.BR chacha12 ,
+or
+.BR chacha8 ;
+use the
+.B naclbox
+bulk transform rather than
+.B aead
+for these, or switch to one of the IETF
+.IB cipher -poly1305
+schemes instead.
+.SP
+.BI "KEYMGMT " which "-keyring " file " key " tag " unsuitable-aead-cipher " cipher "nonce-too-small"
+The key specifies the use of an authenticated encryption scheme
+.I cipher
+which doesn't even allow a 5-byte (40-bit) nonce.  Catacomb doesn't
+implement any such limited AE schemes: you must be doing something
+strange.
+.SP
+.BI "KEYMGMT " which "-keyring " file " key " tag " unsuitable-aead-cipher " cipher "nonce-too-large"
+The key specifies the use of an authenticated encryption scheme
+.I cipher
+which doesn't support any nonce size smaller than 64 bytes (512 bits).
+Catacomb doesn't implement any such extravagant AE schemes: you must be
+doing something strange.
+.SP
+.BI "KEYMGMT " which "-keyring " file " key " tag " unsuitable-aead-cipher " cipher "nonempty-ciphertext-for-empty-message"
+The key specifies the use of an authenticated encryption scheme
+.I cipher
+which produces ciphertext output even when given a completely empty
+message.  Catacomb doesn't implement any such unhelpful AE schemes: you
+must be doing something strange.
 .SP
 .BI "KEYMGMT " which "-keyring " file " key " tag " " alg " " name " no-key-size " hashsz
 The