* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
/* Key agreement modes */
#define DNS_TKEYMODE_SERVERASSIGNED 1
#define DNS_TKEYMODE_DIFFIEHELLMAN 2
#define DNS_TKEYMODE_GSSAPI 3
#define DNS_TKEYMODE_RESOLVERASSIGNED 4
#define DNS_TKEYMODE_DELETE 5
dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx,
* Create an empty TKEY context.
*\li return codes from dns_name_fromtext()
dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp);
* Frees all data associated with the TKEY context
dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
dns_tsig_keyring_t *ring);
* Processes a query containing a TKEY record, adding or deleting TSIG
* keys if necessary, and modifies the message to contain the response.
*\li 'msg' is a valid message
*\li 'tctx' is a valid TKEY context
*\li 'ring' is a valid TSIG keyring
*\li #ISC_R_SUCCESS msg was updated (the TKEY operation succeeded,
* or msg now includes a TKEY with an error set)
* DNS_R_FORMERR the packet was malformed (missing a TKEY
*\li other An error occurred while processing the message
dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
dns_name_t *algorithm, isc_buffer_t *nonce,
* Builds a query containing a TKEY that will generate a shared
* secret using a Diffie-Hellman key exchange. The shared key
* will be of the specified algorithm (only DNS_TSIG_HMACMD5_NAME
* is supported), and will be named either 'name',
* 'name' + server chosen domain, or random data + server chosen domain
* if 'name' == dns_rootname. If nonce is not NULL, it supplies
* random data used in the shared secret computation. The key is
* requested to have the specified lifetime (in seconds)
*\li 'msg' is a valid message
*\li 'key' is a valid Diffie Hellman dst key
*\li 'name' is a valid name
*\li 'algorithm' is a valid name
*\li #ISC_R_SUCCESS msg was successfully updated to include the
*\li other an error occurred while building the message
dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
isc_buffer_t *intoken, uint32_t lifetime,
gss_ctx_id_t *context, bool win2k,
isc_mem_t *mctx, char **err_message);
* Builds a query containing a TKEY that will generate a GSSAPI context.
* The key is requested to have the specified lifetime (in seconds).
*\li 'msg' is a valid message
*\li 'name' is a valid name
*\li 'gname' is a valid name
*\li 'context' is a pointer to a valid gss_ctx_id_t
* (which may have the value GSS_C_NO_CONTEXT)
*\li 'win2k' when true says to turn on some hacks to work
* with the non-standard GSS-TSIG of Windows 2000
*\li ISC_R_SUCCESS msg was successfully updated to include the
*\li other an error occurred while building the message
*\li *err_message optional error message
dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
* Builds a query containing a TKEY record that will delete the
* specified shared secret from the server.
*\li 'msg' is a valid message
*\li 'key' is a valid TSIG key
*\li #ISC_R_SUCCESS msg was successfully updated to include the
*\li other an error occurred while building the message
dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
dst_key_t *key, isc_buffer_t *nonce,
dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
* Processes a response to a query containing a TKEY that was
* designed to generate a shared secret using a Diffie-Hellman key
* exchange. If the query was successful, a new shared key
* is created and added to the list of shared keys.
*\li 'qmsg' is a valid message (the query)
*\li 'rmsg' is a valid message (the response)
*\li 'key' is a valid Diffie Hellman dst key
*\li 'outkey' is either NULL or a pointer to NULL
*\li 'ring' is a valid keyring or NULL
*\li #ISC_R_SUCCESS the shared key was successfully added
*\li #ISC_R_NOTFOUND an error occurred while looking for a
* component of the query or response
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
dns_name_t *gname, gss_ctx_id_t *context,
isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
dns_tsig_keyring_t *ring, char **err_message);
dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
dns_tsig_keyring_t *ring);
* Processes a response to a query containing a TKEY that was
* designed to delete a shared secret. If the query was successful,
* the shared key is deleted from the list of shared keys.
*\li 'qmsg' is a valid message (the query)
*\li 'rmsg' is a valid message (the response)
*\li #ISC_R_SUCCESS the shared key was successfully deleted
*\li #ISC_R_NOTFOUND an error occurred while looking for a
* component of the query or response
dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
dns_name_t *server, gss_ctx_id_t *context,
dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
bool win2k, char **err_message);
* Client side negotiation of GSS-TSIG. Process the response
* to a TKEY, and establish a TSIG key if negotiation was successful.
* Build a response to the input TKEY message. Can take multiple
* calls to successfully establish the context.
* 'qmsg' is a valid message, the original TKEY request;
* it will be filled with the new message to send
* 'rmsg' is a valid message, the incoming TKEY message
* 'server' is the server name
* 'context' is the input context handle
* 'outkey' receives the established key, if non-NULL;
* if non-NULL must point to NULL
* 'ring' is the keyring in which to establish the key,
* 'win2k' when true says to turn on some hacks to work
* with the non-standard GSS-TSIG of Windows 2000
* ISC_R_SUCCESS context was successfully established
* ISC_R_NOTFOUND couldn't find a needed part of the query
* DNS_R_CONTINUE additional context negotiation is required;
* send the new qmsg to the server
