diff --git a/Knot.files b/Knot.files
index 8dda7fffc12a7c3fb39c4af671c7e37ec018a1ce..06fff5e9a6b62071199c59fbc3a120417740b057 100644
--- a/Knot.files
+++ b/Knot.files
@@ -249,3 +249,5 @@ src/tests/libknot/libknot/zone_tree_tests.h
samples/Makefile.am
libknot/tsig.h
libknot/tsig.c
+libknot/tsig-op.c
+libknot/tsig-op.h
diff --git a/libknot/Makefile.am b/libknot/Makefile.am
index 944133b6944bc4db1d43b23905154323b0d12229..de27de3a98b433da4f8d9589691da9d2f2054b60 100644
--- a/libknot/Makefile.am
+++ b/libknot/Makefile.am
@@ -102,4 +102,6 @@ libknot_la_SOURCES = \
rrset.h \
nsec3.h \
tsig.h \
- tsig.c
+ tsig.c \
+ tsig-op.h \
+ tsig-op.c
diff --git a/libknot/consts.h b/libknot/consts.h
index cc9f0c161f85ffc0115e2b77e100621090ee708b..ad3fac392418084039d786470de761abcfb9f203 100644
--- a/libknot/consts.h
+++ b/libknot/consts.h
@@ -75,9 +75,15 @@ typedef enum knot_rcode {
KNOT_RCODE_YXRRSET = 7, /* rrset should not exist */
KNOT_RCODE_NXRRSET = 8, /* rrset does not exist */
KNOT_RCODE_NOTAUTH = 9, /* server not authoritative */
- KNOT_RCODE_NOTZONE = 10 /* name not inside zone */
+ KNOT_RCODE_NOTZONE = 10, /* name not inside zone */
} knot_rcode_t;
+typedef enum knot_tsig_rcode {
+ KNOT_TSIG_RCODE_BADSIG = 16,
+ KNOT_TSIG_RCODE_BADKEY = 17,
+ KNOT_TSIG_RCODE_BADTIME = 18
+} knot_tsig_rcode_t;
+
/*
* CLASSes
*/
diff --git a/libknot/tsig-op.c b/libknot/tsig-op.c
new file mode 100644
index 0000000000000000000000000000000000000000..929753421dca2156ca9de161047acf853139e7c7
--- /dev/null
+++ b/libknot/tsig-op.c
@@ -0,0 +1,3 @@
+#include "tsig-op.h"
+
+
diff --git a/libknot/tsig-op.h b/libknot/tsig-op.h
new file mode 100644
index 0000000000000000000000000000000000000000..99c50c9e0dec0a8ee305f99c67675816d5f5106f
--- /dev/null
+++ b/libknot/tsig-op.h
@@ -0,0 +1,122 @@
+/*!
+ * \file tsig-op.h
+ *
+ * \author Lubos Slovak <lubos.slovak@nic.cz>
+ *
+ * \brief TSIG signing and validating.
+ *
+ * \addtogroup libknot
+ * @{
+ */
+/* Copyright (C) 2011 CZ.NIC Labs
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _KNOT_TSIG_OP_H_
+#define _KNOT_TSIG_OP_H_
+
+#include <stdint.h>
+
+#include "rrset.h"
+
+/*!
+ * \brief Generate TSIG signature of a message.
+ *
+ * \param msg Message to be signed.
+ * \param msg_len Size of the message in bytes.
+ * \param request_mac Request MAC. (may be NULL).
+ * \param request_mac_len Size of the request MAC in bytes.
+ * \param tsig_rr RRSet containing the TSIG RR to be used. Data from the RR are
+ * appended to the signed message.
+ * \param mac Generated message digest.
+ * \param size Size of the digest in bytes.
+ *
+ * \retval KNOT_EOK if everything went OK.
+ * \retval TODO
+ */
+int knot_tsig_sign(const uint8_t *msg, size_t msg_len,
+ const uint8_t *request_mac, size_t request_mac_len,
+ const knot_rrset_t *tsig_rr,
+ uint8_t *mac, size_t size);
+
+/*!
+ * \brief Generate TSIG signature of a 2nd or later message in a TCP session.
+ *
+ * \param msg Message to be signed.
+ * \param msg_len Size of the message in bytes.
+ * \param prev_digest Previous digest sent by the server in the session.
+ * \param prev_digest_len Size of the previous digest in bytes.
+ * \param tsig_rr RRSet containing the TSIG RR to be used. Data from the RR are
+ * appended to the signed message.
+ * \param mac Generated message digest.
+ * \param size Size of the digest in bytes.
+ *
+ * \retval KNOT_EOK if successful.
+ * \retval TODO
+ */
+int knot_tsig_sign_next(const uint8_t *msg, size_t msg_len,
+ const uint8_t *prev_digest, size_t prev_digest_len,
+ const knot_rrset_t *tsig_rr,
+ uint8_t *mac, size_t size);
+
+/*!
+ * \brief Checks incoming request.
+ *
+ * \param tsig_rr TSIG extracted from the packet.
+ * \param wire Wire format of the packet (including the TSIG RR).
+ * \param size Size of the wire format of packet in bytes.
+ *
+ * \retval KNOT_EOK If the signature is valid.
+ * \retval TODO
+ */
+int knot_tsig_server_check(const knot_rrset_t *tsig_rr,
+ const uint8_t *wire, size_t size);
+
+/*!
+ * \brief Checks incoming response.
+ *
+ * \param tsig_rr TSIG extracted from the packet.
+ * \param wire Wire format of the packet (including the TSIG RR).
+ * \param size Size of the wire format of packet in bytes.
+ * \param request_mac Request MAC. (may be NULL).
+ * \param request_mac_len Size of the request MAC in bytes.
+ *
+ * \retval KNOT_EOK If the signature is valid.
+ * \retval TODO
+ */
+int knot_tsig_client_check(const knot_rrset_t *tsig_rr,
+ const uint8_t *wire, size_t size,
+ const uint8_t *request_mac, size_t request_mac_len);
+
+/*!
+ * \brief Checks signature of 2nd or next packet in a TCP session.
+ *
+ * \param tsig_rr TSIG extracted from the packet.
+ * \param wire Wire format of the packet (including the TSIG RR).
+ * \param size Size of the wire format of packet in bytes.
+ * \param prev_digest Previous digest sent by the server in the session.
+ * \param prev_digest_len Size of the previous digest in bytes.
+ *
+ * \retval KNOT_EOK If the signature is valid.
+ * \retval TODO
+ */
+int knot_tsig_client_check_next(const knot_rrset_t *tsig_rr,
+ const uint8_t *wire, size_t size,
+ const uint8_t *prev_digest,
+ size_t prev_digest_len);
+
+#endif /* _KNOT_TSIG_H_ */
+
+/*! @} */