2 * tsig.h -- defines for TSIG [RFC2845]
4 * Copyright (c) 2005-2008, NLnet Labs. All rights reserved.
6 * See LICENSE for the license.
19 * Defines functions for TSIG usage
24 * Contains credentials for TSIG
26 typedef struct ldns_tsig_credentials_struct
31 /* XXX More eventually. */
32 } ldns_tsig_credentials;
34 char *ldns_tsig_algorithm(ldns_tsig_credentials *);
35 char *ldns_tsig_keyname(ldns_tsig_credentials *);
36 char *ldns_tsig_keydata(ldns_tsig_credentials *);
37 char *ldns_tsig_keyname_clone(ldns_tsig_credentials *);
38 char *ldns_tsig_keydata_clone(ldns_tsig_credentials *);
41 * verifies the tsig rr for the given packet and key.
42 * The wire must be given too because tsig does not sign normalized packets.
43 * \param[in] pkt the packet to verify
44 * \param[in] wire needed to verify the mac
45 * \param[in] wire_size size of wire
46 * \param[in] key_name the name of the shared key
47 * \param[in] key_data the key in base 64 format
48 * \param[in] mac original mac
49 * \return true if tsig is correct, false if not, or if tsig is not set
51 bool ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wire_size, const char *key_name, const char *key_data, ldns_rdf *mac);
54 * verifies the tsig rr for the given packet and key.
55 * The wire must be given too because tsig does not sign normalized packets.
56 * \param[in] pkt the packet to verify
57 * \param[in] wire needed to verify the mac
58 * \param[in] wire_size size of wire
59 * \param[in] key_name the name of the shared key
60 * \param[in] key_data the key in base 64 format
61 * \param[in] mac original mac
62 * \param[in] tsig_timers_only must be zero for the first packet and positive for subsequent packets. If zero, all digest
63 components are used to verify the _mac. If non-zero, only the TSIG timers are used to verify the mac.
64 * \return true if tsig is correct, false if not, or if tsig is not set
66 bool ldns_pkt_tsig_verify_next(ldns_pkt *pkt, uint8_t *wire, size_t wire_size, const char *key_name, const char *key_data, ldns_rdf *mac,
67 int tsig_timers_only);
70 * creates a tsig rr for the given packet and key.
71 * \param[in] pkt the packet to sign
72 * \param[in] key_name the name of the shared key
73 * \param[in] key_data the key in base 64 format
74 * \param[in] fudge seconds of error permitted in time signed
75 * \param[in] algorithm_name the name of the algorithm used
76 * \param[in] query_mac is added to the digest if not NULL (so NULL is for signing queries, not NULL is for signing answers)
77 * \return status (OK if success)
79 ldns_status ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data, uint16_t fudge,
80 const char *algorithm_name, ldns_rdf *query_mac);
83 * creates a tsig rr for the given packet and key.
84 * \param[in] pkt the packet to sign
85 * \param[in] key_name the name of the shared key
86 * \param[in] key_data the key in base 64 format
87 * \param[in] fudge seconds of error permitted in time signed
88 * \param[in] algorithm_name the name of the algorithm used
89 * \param[in] query_mac is added to the digest if not NULL (so NULL is for signing queries, not NULL is for signing answers)
90 * \param[in] tsig_timers_only must be zero for the first packet and positive for subsequent packets. If zero, all digest
91 components are used to create the query_mac. If non-zero, only the TSIG timers are used to create the query_mac.
92 * \return status (OK if success)
94 ldns_status ldns_pkt_tsig_sign_next(ldns_pkt *pkt, const char *key_name, const char *key_data, uint16_t fudge,
95 const char *algorithm_name, ldns_rdf *query_mac, int tsig_timers_only);
101 #endif /* LDNS_TSIG_H */