Copyright 1995-2003 Peter Benie
Copyright 2011 Richard Kettlewell
Copyright 2012 Matthew Vernon
- Copyright 2013 Mark Wooding
+ Copyright 2013-2019 Mark Wooding
Copyright 1995-2013 Simon Tatham
secnet is distributed under the terms of the GNU General Public
--help display this help and exit
--version output version information and exit
+* base91s
+
+secnet defines a variant of the base91 encoding `basE91', from
+ http://base91.sourceforge.net/
+
+base91s is the same as baseE91 except that:
+ - in the encoded charset, `"' is replaced with `-'
+ - spaces, newlines etc. and other characters outside the charset
+ are not permitted (although in some places they may be ignored,
+ this is not guaranteed).
+
* secnet builtin modules
** resolver
buffer (buffer closure): buffer for incoming packets
authbind (string): optional, path to authbind-helper program
max-interfaces (number): optional, max number of different interfaces to
- use (also, maximum steady-state amount of packet multiplication)
+ use (also, maximum steady-state amount of packet multiplication);
+ interfaces marked with `@' do not count.
interfaces (string list): which interfaces to process; each entry is
- optionally `!' or `+' followed by a glob pattern (which is applied to a
- prospective interface using fnmatch with no flags). If no list is
- specified, or the list ends with a `!' entry, a default list is
- used/appended: "!tun*","!tap*","!sl*","!userv*","!lo","*". Patterns
- which do not start with `*' or an alphanumeric need to be preceded
- by `!' or `+'.
+ optionally `!' or `+' or `@' followed by a glob pattern (which is
+ applied to a prospective interface using fnmatch with no flags).
+ `+' or nothing means to process normally. `!' means to ignore;
+ `@' means to use only in conjunction with dedicated-interface-addr.
+ If no list is specified, or the list ends with a `!' entry, a
+ default list is used/appended:
+ "!tun*","!tap*","!sl*","!userv*","!lo","@hippo*","*".
+ Patterns which do not start with `*' or an alphanumeric need to be
+ preceded by `!' or `+' or `@'.
monitor-command (string list): Program to use to monitor appearance
and disappearance of addresses on local network interfaces. Should
produce lines of the form `+|-<ifname> 4|6 <addr>' where <addr> is
mobile the address selection machinery might fixate on an unsuitable
address.
+polypath takes site-specific informtion as passed to the `comm-info'
+site closure parameter. The entries understood in the dictionary
+are:
+ dedicated-interface-addr (string): IPv4 or IPv6 address
+ literal. Interfaces specified with `@' in `interfaces' will be
+ used for the corresponding site iff the interface local address
+ is this address.
+
For an interface to work with polypath, it must either have a suitable
default route, or be a point-to-point interface. In the general case
this might mean that the host would have to have multiple default
syslog (closure => log closure)
logfile: dict argument
- filename (string): where to log to
+ filename (string): where to log to; default is stderr
+ prefix (string): added to messages [""]
class (string list): what type of messages to log
{ "debug-config", M_DEBUG_CONFIG },
{ "debug-phase", M_DEBUG_PHASE },
them.
resolver (resolver closure)
random (randomsrc closure)
- local-key (rsaprivkey closure)
+ key-cache (privcache closure)
+ local-key (sigprivkey closure): Deprecated; use key-cache instead.
address (string list): optional, DNS name(s) used to find our peer;
address literals are supported too if enclosed in `[' `]'.
port (integer): mandatory if 'address' is specified: the port used
to contact our peer
- key (rsapubkey closure): our peer's public key
+ peer-keys (string): path (prefix) for peer public key set file(s);
+ see README.make-secnet-sites re `pub' etc. and NOTES.peer-keys.
+ key (sigpubkey closure): our peer's public key (obsolete)
transform (transform closure): how to mangle packets sent between sites
dh (dh closure)
- hash (hash closure)
+ hash (hash closure): used for keys whose algorithm (or public
+ or private key file) does not imply the hash function
key-lifetime (integer): max lifetime of a session key, in ms
[one hour; mobile: 2 days]
setup-retries (integer): max number of times to transmit a key negotiation
packet [5; mobile: 30]
setup-timeout (integer): time between retransmissions of key negotiation
packets, in ms [2000; mobile: 1000]
- wait-time (integer): after failed key setup, wait this long (in ms) before
- allowing another attempt [20000; mobile: 10000]
+ wait-time (integer): after failed key setup, wait roughly this long
+ (in ms) before allowing another attempt [20000; mobile: 10000]
+ Actual wait time is randomly chosen between ~0.5x and ~1.5x this.
renegotiate-time (integer): if we see traffic on the link after this time
then renegotiate another session key immediately (in ms)
[half key-lifetime, or key-lifetime minus 5 mins (mobile: 12 hours),
to 0, the default is to use the local private link mtu.
comm-info (dict): Information for the comm, used when this site
wants to transmit. If the comm does not support this, it is
- ignored. (Currently nothing uses this.)
+ ignored.
Links involving mobile peers have some different tuning parameter
default values, which are generally more aggressive about retrying key
I recommend you don't specify the 'interface' option unless you're
doing something that requires the interface name to be constant.
+** privcache
+
+Cache of dynamically loaded private keys.
+
+Defines:
+ priv-cache (closure => privcache closure)
+
+priv-cache: dict argument
+ privkeys (string): path prefix for private keys. Each key is
+ looked for at this path prefix followed by the 10-character
+ hex key id.
+ privcache-size (integer): optional, maximum number of private
+ keys to retain at once. [5]
+ privkey-max (integer): optional, maximum size of private key
+ file in bytes. [4095]
+
+** pubkeys
+
+Defines:
+ make-public (closure => sigpubkey closure)
+
+make-public: (
+ arg1: sigscheme name
+ arg2: base91s encoded public key data, according to algorithm
+
** rsa
Defines:
- rsa-private (closure => rsaprivkey closure)
- rsa-public (closure => rsapubkey closure)
+ sigscheme algorithm 00 "rsa1"
+ rsa-private (closure => sigprivkey closure)
+ rsa-public (closure => sigpubkey closure)
+
+rsa1 sigscheme algorithm:
+ private key: SSH private key file, version 1, no password
+ public key: SSH public key file, version 1
+ (length, restrictions, email, etc., ignored)
rsa-private: string[,bool]
arg1: filename of SSH private key file (version 1, no password)