FreeBSD Manual Pages
UNTITLED()			     LOCAL			    UNTITLED()

NAME
       ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp,
       ns_verify_tcp_init, ns_find_tsig -- TSIG system

SYNOPSIS
       int
       ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
           const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
           time_t in_timesigned);

       int
       ns_sign_tcp(u_char *msg, int *msglen, int msgsize, int error,
           ns_tcp_tsig_state *state, int done);

       int
       ns_sign_tcp_init(void *k, const u_char *querysig, int querysiglen,
           ns_tcp_tsig_state *state);

       int
       ns_verify(u_char *msg, int *msglen, void *k, const u_char *querysig,
           int querysiglen, u_char *sig, int *siglen, time_t in_timesigned,
           int nostrip);

       int
       ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
           int required);

       int
       ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
           ns_tcp_tsig_state *state);

       u_char *
       ns_find_tsig(u_char *msg, u_char *eom);

DESCRIPTION
       The TSIG routines are used to implement transaction/request security of
       DNS messages.

       ns_sign() and ns_verify() are the basic routines.  ns_sign_tcp() and
       ns_verify_tcp() are used to sign/verify TCP messages that may be split
       into multiple packets, such as zone transfers; ns_sign_tcp_init() and
       ns_verify_tcp_init() initialize the state structure necessary for TCP
       operations.  ns_find_tsig() locates the TSIG record in a message, if
       one is present.

       ns_sign()
            msg             the incoming DNS message, which will be modified
            msglen          the length of the DNS message, on input and output
            msgsize         the size of the buffer containing the DNS message,
                            on input
            error           the value to be placed in the TSIG error field
            k               the (DST_KEY *) to sign the data
            querysig        for a response, the signature contained in the
                            query
            querysiglen     the length of the query signature
            sig             a buffer to be filled with the generated signature
            siglen          the length of the signature buffer on input, the
                            signature length on output

       ns_sign_tcp()
            msg             the incoming DNS message, which will be modified
            msglen          the length of the DNS message, on input and output
            msgsize         the size of the buffer containing the DNS message,
                            on input
            error           the value to be placed in the TSIG error field
            state           the state of the operation
            done            non-zero value signifies that this is the last
                            packet

       ns_sign_tcp_init()
            k               the (DST_KEY *) to sign the data
            querysig        for a response, the signature contained in the
                            query
            querysiglen     the length of the query signature
            state           the state of the operation, which this initializes

       ns_verify()
            msg             the incoming DNS message, which will be modified
            msglen          the length of the DNS message, on input and output
            k               the (DST_KEY *) to verify the data
            querysig        for a response, the signature contained in the
                            query
            querysiglen     the length of the query signature
            sig             a buffer to be filled with the signature contained
                            in the message
            siglen          the length of the signature buffer on input, the
                            signature length on output
            nostrip         non-zero value means that the TSIG is left intact

       ns_verify_tcp()
            msg             the incoming DNS message, which will be modified
            msglen          the length of the DNS message, on input and output
            state           the state of the operation
            required        non-zero value signifies that a TSIG record must
                            be present at this step

       ns_verify_tcp_init()
            k               the (DST_KEY *) to verify the data
            querysig        for a response, the signature contained in the
                            query
            querysiglen     the length of the query signature
            state           the state of the operation, which this initializes

       ns_find_tsig()
            msg             the incoming DNS message
            eom             a pointer to the end of the DNS message

RETURN VALUES
       ns_find_tsig() returns a pointer to the TSIG record if one is found,
       and NULL otherwise.

       All other routines return 0 on success, modifying arguments when
       necessary.

       ns_sign() and ns_sign_tcp() return the following errors:
            (-1)                        bad input data
            (-ns_r_badkey)              The key was invalid, or the signing
                                        failed
            NS_TSIG_ERROR_NO_SPACE      the message buffer is too small.

       ns_verify() and ns_verify_tcp() return the following errors:
            (-1)                        bad input data
            NS_TSIG_ERROR_FORMERR       The message is malformed
            NS_TSIG_ERROR_NO_TSIG       The message does not contain a TSIG
                                        record
            NS_TSIG_ERROR_ID_MISMATCH   The TSIG original ID field does not
                                        match the message ID
            (-ns_r_badkey)              Verification failed due to an invalid
                                        key
            (-ns_r_badsig)              Verification failed due to an invalid
                                        signature
            (-ns_r_badtime)             Verification failed due to an invalid
                                        timestamp
            ns_r_badkey                 Verification succeeded but the message
                                        had an error of BADKEY
            ns_r_badsig                 Verification succeeded but the message
                                        had an error of BADSIG
            ns_r_badtime                Verification succeeded but the message
                                        had an error of BADTIME

SEE ALSO
       resolver(3).

AUTHORS
       Brian Wellington, TISLabs at Network Associates

4th Berkeley Distribution	January	1, 1996				TSIG()

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=tsig&sektion=3&manpath=FreeBSD+Ports+15.0>
