/*
 * tsig.h -- defines for TSIG [RFC2845]
 *
 * Copyright (c) 2005-2008, NLnet Labs. All rights reserved.
 *
 * See LICENSE for the license.
 */
8238104Sdes
9238104Sdes#ifndef LDNS_TSIG_H
10238104Sdes#define LDNS_TSIG_H
11238104Sdes
12238104Sdes#ifdef __cplusplus
13238104Sdesextern "C" {
14238104Sdes#endif
15238104Sdes
/**
 * \file
 *
 * Declares the credentials type and the functions for TSIG usage
 */
21238104Sdes
22238104Sdes
/**
 * Contains credentials for TSIG
 *
 * Groups the strings that presumably correspond to the key_name,
 * key_data and algorithm_name arguments of the ldns_pkt_tsig_sign*() and
 * ldns_pkt_tsig_verify*() functions declared below. Ownership of the
 * strings is not stated here; NOTE(review): check tsig.c for who allocates
 * and frees them (the *_clone() accessors suggest callers copy what they
 * keep).
 */
typedef struct ldns_tsig_credentials_struct
{
    /* name of the MAC algorithm (cf. algorithm_name in ldns_pkt_tsig_sign()) */
    char *algorithm;
    /* name of the shared key (cf. key_name in the sign/verify functions) */
    char *keyname;
    /* the shared key, presumably base64 encoded like key_data in the
     * sign/verify functions -- confirm in tsig.c. This is the secret:
     * never log it, and zeroize it before freeing (a plain memset()
     * right before free() may be optimized away). */
    char *keydata;
    /* XXX More eventually. */
} ldns_tsig_credentials;
33238104Sdes
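/**
 * Returns the algorithm string of the credentials.
 * NOTE(review): presumably the pointer stored in the struct, not a copy --
 * confirm in tsig.c before freeing it or keeping it beyond cred's lifetime.
 * \param[in] cred the credentials to read from
 * \return the algorithm name
 */
char *ldns_tsig_algorithm(ldns_tsig_credentials *cred);
/**
 * Returns the key name string of the credentials.
 * NOTE(review): presumably the pointer stored in the struct, not a copy --
 * confirm in tsig.c before freeing it or keeping it beyond cred's lifetime.
 * \param[in] cred the credentials to read from
 * \return the key name
 */
char *ldns_tsig_keyname(ldns_tsig_credentials *cred);
/**
 * Returns the key data string of the credentials. This is the shared
 * secret; do not log the result.
 * NOTE(review): presumably the pointer stored in the struct, not a copy --
 * confirm in tsig.c before freeing it or keeping it beyond cred's lifetime.
 * \param[in] cred the credentials to read from
 * \return the key data
 */
char *ldns_tsig_keydata(ldns_tsig_credentials *cred);
/**
 * Like ldns_tsig_keyname(), but by its name presumably returns a newly
 * allocated copy that the caller must free -- confirm in tsig.c.
 * \param[in] cred the credentials to read from
 * \return a copy of the key name
 */
char *ldns_tsig_keyname_clone(ldns_tsig_credentials *cred);
/**
 * Like ldns_tsig_keydata(), but by its name presumably returns a newly
 * allocated copy that the caller must free -- confirm in tsig.c. The copy
 * holds the shared secret; zeroize it before freeing.
 * \param[in] cred the credentials to read from
 * \return a copy of the key data
 */
char *ldns_tsig_keydata_clone(ldns_tsig_credentials *cred);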
39238104Sdes
/**
 * verifies the tsig rr for the given packet and key.
 * The wire must be given too because tsig does not sign normalized packets:
 * the mac covers the bytes as they were received, so it is checked against
 * wire rather than against a re-serialization of pkt.
 * \param[in] pkt the packet to verify
 * \param[in] wire the packet as received (wire format), needed to verify the mac
 * \param[in] wire_size size of wire in bytes
 * \param[in] key_name the name of the shared key
 * \param[in] key_data the key in base 64 format
 * \param[in] mac original mac: when verifying an answer, the mac of the
 *            query it answers (cf. query_mac in ldns_pkt_tsig_sign());
 *            presumably NULL when verifying a query -- confirm in tsig.c
 * \return true if tsig is correct, false if not, or if tsig is not set
 *
 * A false return does not distinguish a wrong mac from an absent TSIG RR,
 * so a caller that requires authentication must treat every false as a
 * failure and must not fall back to accepting the packet unsigned.
 */
bool ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wire_size, const char *key_name, const char *key_data, ldns_rdf *mac);
52238104Sdes
/**
 * verifies the tsig rr for the given packet and key.
 * The wire must be given too because tsig does not sign normalized packets:
 * the mac covers the bytes as they were received, so it is checked against
 * wire rather than against a re-serialization of pkt.
 * \param[in] pkt the packet to verify
 * \param[in] wire the packet as received (wire format), needed to verify the mac
 * \param[in] wire_size size of wire in bytes
 * \param[in] key_name the name of the shared key
 * \param[in] key_data the key in base 64 format
 * \param[in] mac original mac; for a subsequent packet of a stream this is
 *            presumably the mac of the preceding packet, which chains the
 *            packets together -- confirm in tsig.c
 * \param[in] tsig_timers_only must be zero for the first packet and positive
 *            for subsequent packets (e.g. the later messages of a
 *            multi-message transfer). If zero, all digest components are
 *            used to verify the mac. If non-zero, only the TSIG timers are
 *            used to verify the mac, so the correctness of mac (the chain
 *            from the previous packet) is what binds such a packet to the
 *            stream.
 * \return true if tsig is correct, false if not, or if tsig is not set
 *
 * A false return does not distinguish a wrong mac from an absent TSIG RR,
 * so a caller that requires authentication must treat every false as a
 * failure and must not fall back to accepting the packet unsigned.
 */
bool ldns_pkt_tsig_verify_next(ldns_pkt *pkt, uint8_t *wire, size_t wire_size, const char *key_name, const char *key_data, ldns_rdf *mac,
    int tsig_timers_only);
68238104Sdes
/**
 * creates a tsig rr for the given packet and key.
 * \param[in] pkt the packet to sign
 * \param[in] key_name the name of the shared key
 * \param[in] key_data the key in base 64 format
 * \param[in] fudge seconds of error permitted in time signed; this is the
 *            window within which a receiver accepts the packet, so keep it
 *            small (RFC 2845 recommends 300) -- a larger value widens the
 *            replay window
 * \param[in] algorithm_name the name of the algorithm used
 * \param[in] query_mac is added to the digest if not NULL (so NULL is for
 *            signing queries, not NULL is for signing answers); including
 *            the query's mac is what binds an answer to the query it
 *            answers
 * \return status (LDNS_STATUS_OK if success); callers must check it, an
 *         unsigned packet on failure must not be sent as if it were signed
 */
ldns_status ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data, uint16_t fudge,
    const char *algorithm_name, ldns_rdf *query_mac);
81238104Sdes
/**
 * creates a tsig rr for the given packet and key.
 * \param[in] pkt the packet to sign
 * \param[in] key_name the name of the shared key
 * \param[in] key_data the key in base 64 format
 * \param[in] fudge seconds of error permitted in time signed; this is the
 *            window within which a receiver accepts the packet, so keep it
 *            small (RFC 2845 recommends 300) -- a larger value widens the
 *            replay window
 * \param[in] algorithm_name the name of the algorithm used
 * \param[in] query_mac is added to the digest if not NULL (so NULL is for
 *            signing queries, not NULL is for signing answers); for a
 *            subsequent packet of a stream this is presumably the mac of
 *            the preceding packet -- confirm in tsig.c
 * \param[in] tsig_timers_only must be zero for the first packet and positive
 *            for subsequent packets. If zero, all digest components are
 *            used to create the query_mac. If non-zero, only the TSIG
 *            timers are used to create the query_mac, so the packet is
 *            bound to the stream only through the mac chain carried in
 *            query_mac.
 * \return status (LDNS_STATUS_OK if success); callers must check it, an
 *         unsigned packet on failure must not be sent as if it were signed
 */
ldns_status ldns_pkt_tsig_sign_next(ldns_pkt *pkt, const char *key_name, const char *key_data, uint16_t fudge,
    const char *algorithm_name, ldns_rdf *query_mac, int tsig_timers_only);
96238104Sdes
97238104Sdes#ifdef __cplusplus
98238104Sdes}
99238104Sdes#endif
100238104Sdes
101238104Sdes#endif /* LDNS_TSIG_H */