The minssl-tunnel program
minssl-tunnel performs shared-secret encryption and decryption
between a process and the network.
Interface
minssl-tunnel fd
- minssl-tunnel reads 176 bytes on file descriptor
fd, then closes it. The bytes are, in that order:
  - (4 bytes, little-endian) the pid of a child to wait for
  - (4 bytes, little-endian) a timeout value, in seconds (0 means infinite)
  - (4 bytes, little-endian) a file descriptor fdr
  - (4 bytes, little-endian) a file descriptor fdw
  - (80 bytes) the decryption secret
  - (80 bytes) the encryption secret
The 80-byte secrets are used as follows:
- data confidentiality: 32 bytes (256 bits) to initialize
the encryption (or decryption) RC4 pseudorandom number generator.
This makes minssl-tunnel a 256-bit secret key encryption program.
- data integrity: 48 bytes to initialize the
hash127mac structures:
  - 16 bytes (128 bits) are used as the
  hash127 authentication secret.
  - 32 bytes (256 bits) are used to initialize another RC4 pseudorandom
  number generator, which will serve as a nonce generator for
  hash127.
- minssl-tunnel reads ciphertext on stdin and decodes it into
cleartext, written on fdw. It also reads cleartext on fdr
and encodes it into ciphertext, written on stdout. The read ciphertext
must have been produced by a peer minssl-tunnel program with the
same secrets.
- If minssl-tunnel detects an error when checking the incoming
message authentication codes, it immediately exits 17. It immediately exits 18
if it somehow cannot decipher the incoming ciphertext.
- If timeout seconds elapse without minssl-tunnel
being able to do anything (read or write), then it exits 99.
- If minssl-tunnel encounters a temporary error, it exits 111.
- If minssl-tunnel receives a SIGTERM, SIGHUP, SIGQUIT or
SIGABRT, it will try to exit cleanly by ceasing to read from its child and
waiting for the buffers to empty.
- When both stdin and fdr have received EOF, and there is
no more data to write, minssl-tunnel waits for its child and
exits with the same exit code.
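As an added example, not part of the minssl package, the following Python helpers build, deliver and parse the 176-byte block described above the way a launcher such as minssl or minssld would hand it to minssl-tunnel over a pipe. The page gives only the sizes of the three parts of each 80-byte secret, so the byte order used by split_secret (RC4 key, hash127 key, nonce RC4 key) is an assumption of this example; the sample secrets are constructed.

```python
import os
import struct

HEADER_LEN = 176
SECRET_LEN = 80
HEADER_FMT = "<IIII"  # pid, timeout, fdr, fdw: four 32-bit little-endian values

# Assumed layout of one 80-byte secret (the page gives sizes, not the order):
#   [0:32]  RC4 key for the data stream (256-bit confidentiality key)
#   [32:48] hash127 authentication secret (128 bits)
#   [48:80] RC4 key seeding the hash127 nonce generator (256 bits)

def build_header(pid, timeout, fdr, fdw, dec_secret, enc_secret):
    """Serialize the 176-byte block minssl-tunnel reads from its fd argument."""
    for name, secret in (("dec_secret", dec_secret), ("enc_secret", enc_secret)):
        if len(secret) != SECRET_LEN:
            raise ValueError(f"{name} must be {SECRET_LEN} bytes, got {len(secret)}")
    for name, value in (("pid", pid), ("timeout", timeout), ("fdr", fdr), ("fdw", fdw)):
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"{name} does not fit in 32 bits: {value}")
    return struct.pack(HEADER_FMT, pid, timeout, fdr, fdw) + dec_secret + enc_secret

def split_secret(secret):
    """Cut one 80-byte secret into the three parts the page describes (assumed order)."""
    return {"rc4_key": secret[:32], "hash127_key": secret[32:48], "nonce_rc4_key": secret[48:]}

def parse_header(blob):
    """Inverse of build_header: fields plus the sub-keys of both secrets."""
    if len(blob) != HEADER_LEN:
        raise ValueError(f"expected {HEADER_LEN} bytes, got {len(blob)}")
    pid, timeout, fdr, fdw = struct.unpack_from(HEADER_FMT, blob)
    return {"pid": pid, "timeout": timeout, "fdr": fdr, "fdw": fdw,
            "dec": split_secret(blob[16:96]), "enc": split_secret(blob[96:176])}

def deliver_header(blob):
    """Write the block into a pipe; the read end is what a launcher passes as fd."""
    rfd, wfd = os.pipe()
    os.write(wfd, blob)   # 176 bytes fit in the pipe buffer, one write suffices
    os.close(wfd)         # EOF follows the block, nothing else is sent on fd
    return rfd

def read_header(fd):
    """Read exactly 176 bytes from fd, then close it, as minssl-tunnel does."""
    chunks, got = [], 0
    while got < HEADER_LEN:
        chunk = os.read(fd, HEADER_LEN - got)
        if not chunk:
            os.close(fd)
            raise EOFError(f"short header: {got} of {HEADER_LEN} bytes")
        chunks.append(chunk)
        got += len(chunk)
    os.close(fd)
    return b"".join(chunks)

# Constructed sample secrets for demonstration only.
SAMPLE_DEC = bytes(range(80))
SAMPLE_ENC = bytes(range(80, 160))
```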
Common use
minssl-tunnel should not be run manually by the user. It is
meant to be executed by
minssl or minssld
when the connection is established.