
ns_sign_tcp(3)                                           ns_sign_tcp(3)

  tsig

  NAME

    ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp,
    ns_verify_tcp_init, ns_find_tsig - TSIG system

  SYNOPSIS

    int ns_sign(u_char *msg, int *msglen, int msgsize,
                int error, void *k, const u_char *querysig,
                int querysiglen, u_char *sig, int *siglen,
                time_t in_timesigned);

    int ns_sign_tcp(u_char *msg,
                    int *msglen, int msgsize,
                    int error, ns_tcp_tsig_state *state, int done);

    int ns_sign_tcp_init(void *k, const u_char *querysig,
                         int querysiglen, ns_tcp_tsig_state *state);

    int ns_verify(u_char *msg, int *msglen, void *k,
                  const u_char *querysig, int querysiglen, u_char *sig,
                  int *siglen, time_t in_timesigned, int nostrip);

    int ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
                      int required);

    int ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
                           ns_tcp_tsig_state *state);

    u_char *ns_find_tsig(u_char *msg, u_char *eom);

  DESCRIPTION

    The TSIG routines are used to implement transaction/request security of
    DNS messages.

    The ns_sign() and ns_verify() functions are the basic routines.
    ns_sign_tcp() and ns_verify_tcp() are used to sign/verify TCP messages
    that may be split into multiple packets, such as zone transfers.
    ns_sign_tcp_init() and ns_verify_tcp_init() initialize the state
    structure necessary for TCP operations. ns_find_tsig() locates the TSIG
    record in a message, if one is present.

  ns_sign

    msg
        the incoming DNS message, which will be modified

    msglen
        the length of the DNS message, on input and output

    msgsize
        the size of the buffer containing the DNS message on input

    error
        the value to be placed in the TSIG error field

    k
        the (DST_KEY *) to sign the data

    querysig
        for a response, the signature contained in the query

    querysiglen
        the length of the query signature

    sig
        a buffer to be filled with the generated signature

    siglen
        the length of the signature buffer on input, the signature length on
        output

  ns_sign_tcp

    msg
        the incoming DNS message, which will be modified

    msglen
        the length of the DNS message, on input and output

    msgsize
        the size of the buffer containing the DNS message on input

    error
        the value to be placed in the TSIG error field

    state
        the state of the operation

    done
        non-zero value signifies that this is the last packet

  ns_sign_tcp_init

    k
        the (DST_KEY *) to sign the data

    querysig
        for a response, the signature contained in the query

    querysiglen
        the length of the query signature

    state
        the state of the operation, which this initializes

  ns_verify

    msg
        the incoming DNS message, which will be modified

    msglen
        the length of the DNS message, on input and output

    k
        the (DST_KEY *) to verify the data

    querysig
        for a response, the signature contained in the query

    querysiglen
        the length of the query signature

    sig
        a buffer to be filled with the signature contained

    siglen
        the length of the signature buffer on input, the signature length on
        output

    nostrip
        non-zero value means that the TSIG is left intact

  ns_verify_tcp

    msg
        the incoming DNS message, which will be modified

    msglen
        the length of the DNS message, on input and output

    state
        the state of the operation

    required
        non-zero value signifies that a TSIG record must be present at this
        step

  ns_verify_tcp_init

    k
        the (DST_KEY *) to verify the data

    querysig
        for a response, the signature contained in the query

    querysiglen
        the length of the query signature

    state
        the state of the operation, which this initializes

  ns_find_tsig

    msg
        the incoming DNS message

    eom
        a pointer to the end of the DNS message

  RETURN VALUES

    The ns_find_tsig() routine returns a pointer to the TSIG record if one is
    found, and NULL otherwise.

    All other routines return 0 on success, modifying arguments when
    necessary.

    The ns_sign() and ns_sign_tcp() routines return the following errors:

    (-ns_r_badkey)
        the key was invalid, or the signing failed

    NS_TSIG_ERROR_NO_SPACE
        the message buffer is too small

    The ns_verify() and ns_verify_tcp() routines return the following errors:

    (-1)
        bad input data

    NS_TSIG_ERROR_FORMERR
        The message is malformed

    NS_TSIG_ERROR_NO_TSIG
        The message does not contain a TSIG record

    NS_TSIG_ERROR_ID_MISMATCH
        The TSIG original ID field does not match the message ID

    (-ns_r_badkey)
        Verification failed due to an invalid key

    (-ns_r_badsig)
        Verification failed due to an invalid signature

    (-ns_r_badtime)
        Verification failed due to an invalid timestamp

    ns_r_badkey
        Verification succeeded but the message had an error of BADKEY

    ns_r_badsig
        Verification succeeded but the message had an error of BADSIG

    ns_r_badtime
        Verification succeeded but the message had an error of BADTIME

  SEE ALSO

    resolver(3)

  AUTHORS

    Brian Wellington, TISLabs at Network Associates

    4th Berkeley Distribution January 1, 1996 4th Berkeley Distribution

  USAGE NOTES

    None of these functions are thread safe.

    None of these functions are async-signal safe.

