/*
 * tsig.h -- defines for TSIG [RFC2845]
 *
 * Copyright (c) 2005-2008, NLnet Labs. All rights reserved.
 *
 * See LICENSE for the license.
 */

#ifndef LDNS_TSIG_H
#define LDNS_TSIG_H

#ifdef __cplusplus
extern "C" {
#endif

/**
 * \file
 *
 * Defines functions for TSIG usage: signing DNS packets with a shared
 * secret and verifying such signatures (transaction signatures, RFC 2845).
 *
 * This header includes nothing itself but uses ldns_pkt, ldns_rdf,
 * ldns_status, bool, uint8_t and size_t; the including file is expected to
 * have brought those names into scope first.
 */


/**
 * Contains credentials for TSIG.
 *
 * All three fields are plain C strings. keydata holds the shared secret;
 * the sign/verify functions below take the key as base 64 text, so this is
 * presumably the same representation -- confirm against the code that
 * fills the struct. Ownership of the strings is not stated here.
 */
typedef struct ldns_tsig_credentials_struct
{
	char *algorithm;	/* name of the TSIG algorithm */
	char *keyname;		/* name of the shared key */
	char *keydata;		/* the shared secret; treat as sensitive */
	/* XXX More eventually. */
} ldns_tsig_credentials;

/**
 * Accessors for the fields of an ldns_tsig_credentials.
 * The first three presumably return the stored pointer without copying;
 * the _clone variants, going by their names, return a copy that the caller
 * owns and must free -- confirm against the implementation.
 */
char *ldns_tsig_algorithm(ldns_tsig_credentials *);
char *ldns_tsig_keyname(ldns_tsig_credentials *);
char *ldns_tsig_keydata(ldns_tsig_credentials *);
char *ldns_tsig_keyname_clone(ldns_tsig_credentials *);
char *ldns_tsig_keydata_clone(ldns_tsig_credentials *);

/**
 * verifies the tsig rr for the given packet and key.
 * The wire must be given too because tsig does not sign normalized packets:
 * the MAC covers the bytes as they were transmitted, so wire must be the
 * exact buffer the packet was parsed from, not a re-serialization of pkt.
 * \param[in] pkt the packet to verify
 * \param[in] wire needed to verify the mac
 * \param[in] wire_size size of wire
 * \param[in] key_name the name of the shared key
 * \param[in] key_data the key in base 64 format
 * \param[in] mac original mac (when verifying a response, presumably the MAC
 *            of the request it answers; compare query_mac on
 *            ldns_pkt_tsig_sign -- confirm against the implementation)
 * \return true if tsig is correct, false if not, or if tsig is not set.
 *         A false result does not distinguish "bad signature" from
 *         "no TSIG present"; a caller that requires authentication must
 *         reject the packet on any false return.
 */
bool ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wire_size, const char *key_name, const char *key_data, ldns_rdf *mac);

/**
 * verifies the tsig rr for the given packet and key.
 * The wire must be given too because tsig does not sign normalized packets
 * (see ldns_pkt_tsig_verify). This variant is for a sequence of packets
 * signed as one stream (e.g. a multi-packet transfer), where packets after
 * the first are signed over the TSIG timers only.
 * \param[in] pkt the packet to verify
 * \param[in] wire needed to verify the mac
 * \param[in] wire_size size of wire
 * \param[in] key_name the name of the shared key
 * \param[in] key_data the key in base 64 format
 * \param[in] mac original mac (the MAC of the preceding packet or request,
 *            presumably -- confirm against the implementation)
 * \param[in] tsig_timers_only must be zero for the first packet and positive
 *            for subsequent packets. If zero, all digest components are used
 *            to verify the mac. If non-zero, only the TSIG timers are used to
 *            verify the mac.
 * \return true if tsig is correct, false if not, or if tsig is not set.
 *         As with ldns_pkt_tsig_verify, false also covers the "no TSIG
 *         present" case; callers must not treat it as "nothing to check".
 */
bool ldns_pkt_tsig_verify_next(ldns_pkt *pkt, uint8_t *wire, size_t wire_size, const char *key_name, const char *key_data, ldns_rdf *mac,
	int tsig_timers_only);

/**
 * creates a tsig rr for the given packet and key.
 * \param[in] pkt the packet to sign
 * \param[in] key_name the name of the shared key
 * \param[in] key_data the key in base 64 format
 * \param[in] fudge seconds of error permitted in time signed (the clock
 *            skew a verifier will tolerate; keep it small)
 * \param[in] algorithm_name the name of the algorithm used
 * \param[in] query_mac is added to the digest if not NULL (so NULL is for
 *            signing queries, not NULL is for signing answers)
 * \return status (OK if success)
 */
ldns_status ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data, uint16_t fudge,
	const char *algorithm_name, ldns_rdf *query_mac);

/**
 * creates a tsig rr for the given packet and key.
 * Counterpart of ldns_pkt_tsig_verify_next: signs one packet of a sequence,
 * where packets after the first are signed over the TSIG timers only.
 * \param[in] pkt the packet to sign
 * \param[in] key_name the name of the shared key
 * \param[in] key_data the key in base 64 format
 * \param[in] fudge seconds of error permitted in time signed
 * \param[in] algorithm_name the name of the algorithm used
 * \param[in] query_mac is added to the digest if not NULL (so NULL is for
 *            signing queries, not NULL is for signing answers)
 * \param[in] tsig_timers_only must be zero for the first packet and positive
 *            for subsequent packets. If zero, all digest components are used
 *            to create the query_mac. If non-zero, only the TSIG timers are
 *            used to create the query_mac.
 * \return status (OK if success)
 */
ldns_status ldns_pkt_tsig_sign_next(ldns_pkt *pkt, const char *key_name, const char *key_data, uint16_t fudge,
	const char *algorithm_name, ldns_rdf *query_mac, int tsig_timers_only);

#ifdef __cplusplus
}
#endif

#endif /* LDNS_TSIG_H */