GNU Simple Authentication and Security Layer 1.7.0

Table of Contents


Next: , Up: (dir)

GNU Simple Authentication and Security Layer

This manual was last updated 22 October 2010 for version 1.7.0 of GNU SASL.

Copyright © 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Simon Josefsson.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

Appendices

Indices


Next: , Previous: Top, Up: Top

1 Introduction

This manual can be used in several ways. If read from the beginning to the end, it gives the reader an understanding of the SASL framework and the GNU SASL implementation, and how the GNU SASL library is used in an application. Forward references are included where necessary. Later on, the manual can be used as a reference manual to get just the information needed about any particular interface of the library. Experienced programmers might want to start looking at the examples at the end of the manual, and then only read up those parts of the interface which are unclear.


Next: , Up: Introduction

1.1 SASL Overview

SASL is a framework for application protocols, such as SMTP or IMAP, to add authentication support. For example, SASL is used to prove to the server who you are when you access an IMAP server to read your e-mail.

The SASL framework does not specify the technology used to perform the authentication, that is the responsibility for each SASL mechanism. Popular SASL mechanisms include CRAM-MD5 and GSSAPI (for Kerberos V5).

Typically a SASL negotiation works as follows. First the client requests authentication (possibly implicitly by connecting to the server). The server responds with a list of supported mechanisms. The client chose one of the mechanisms. The client and server then exchange data, one round-trip at a time, until authentication either succeeds or fails. After that, the client and server knows more about who is on the other end of the channel.

For example, in SMTP communication happens like this:

     250-mail.example.com Hello pc.example.org [192.168.1.42], pleased to meet you
     250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
     250 HELP
     AUTH CRAM-MD5
     334 PDk5MDgwNDEzMDUwNTUyMTE1NDQ5LjBAbG9jYWxob3N0Pg==
     amFzIDBkZDRkODZkMDVjNjI4ODRkYzc3OTcwODE4ZGI5MGY3
     235 2.0.0 OK Authenticated

Here the first three lines are sent by the server and contains the list of supported mechanisms (DIGEST-MD5, CRAM-MD5, etc). The next line is sent by the client to select the CRAM-MD5 mechanism. The server replies with a challenge, which is a message that can be generated by calling GNU SASL functions. The client replies with a response, which also is a message that can be generated by GNU SASL functions. Depending on the mechanism, there can be more than one round trip, so do not assume all authentication exchanges consists of one message from the server and one from the client. The server accepts the authentication. At that point it knows it is talking to a authenticated client, and the application protocol can continue.

Essentially, your application is responsible for implementing the framing protocol (e.g., SMTP or XMPP) according to the particular specifications. Your application uses GNU SASL to generate the authentication messages.


Next: , Previous: SASL Overview, Up: Introduction

1.2 Implementation

GNU SASL is an implementation of the Simple Authentication and Security Layer framework and a few common SASL mechanisms.

GNU SASL consists of a library (libgsasl), a command line utility (gsasl) to access the library from the shell, and a manual. The library includes support for the framework (with authentication functions and application data privacy and integrity functions) and at least partial support for the ANONYMOUS, CRAM-MD5, DIGEST-MD5, EXTERNAL, GS2-KRB5, GSSAPI, LOGIN, NTLM, PLAIN, SCRAM-SHA-1, SAML20 and SECURID mechanisms.

The library is easily ported because it does not do network communication by itself, but rather leaves it up to the calling application. The library is flexible with regards to the authorization infrastructure used, as it utilizes a callback into the application to decide whether a user is authorized or not.

GNU SASL is developed for the GNU/Linux system, but runs on over 20 platforms including most major Unix platforms and Windows, and many kind of devices including iPAQ handhelds and S/390 mainframes.

GNU SASL is written in pure ANSI C89 to be portable to embedded and otherwise limited platforms. The entire library, with full support for ANONYMOUS, EXTERNAL, PLAIN, LOGIN and CRAM-MD5, and the front-end that supports client and server mode, and the IMAP and SMTP protocols, fits in under 80kb on an Intel x86 platform, without any modifications to the code. (This figure was accurate as of version 1.1.)

The design of the library and the intended interaction between applications and the library through the official API is illustrated below.

abstraction.png

Illustration 1.1: Logical overview showing how applications use authentication mechanisms through an abstract interface.


Next: , Previous: Implementation, Up: Introduction

1.3 Features

GNU SASL might have a couple of advantages over other libraries doing a similar job.

It's Free Software
Anybody can use, modify, and redistribute it under the terms of the GNU General Public License version 3.0 or later. The library uses the GNU Lesser General Public License version 2.1 or later.
It's thread-safe
No global variables are used and multiple library handles and session handles may be used in parallel.
It's internationalized
It handles non-ASCII usernames and passwords and user visible strings used in the library (error messages) can be translated into the users' language.
It's portable
It should work on all Unix like operating systems, including Windows. The library itself should be portable to any C89 system, not even POSIX is required.
It's small
The library has been rewritten with embedded platforms in mind. For example, no API consumes more than around 250 bytes of stack space.

Note that the library does not implement any policy to decide whether a certain user is “authenticated” or “authorized” or not. Rather, it uses a callback into the application to answer these questions.


Next: , Previous: Features, Up: Introduction

1.4 Requirements

The GNU SASL library does not have any required external dependencies, but some optional features are enabled if you have a specific external library.

LibNTLM
The NTLM mechanism requires the library LibNTLM, http://www.nongnu.org/libntlm/.
GSS-API
The GSSAPI and GS2-KRB5 mechanisms requires a GSS-API library, see GNU GSS (http://www.gnu.org/software/gss/). MIT Kerberos or Heimdal are also supported.
LibIDN
Processing of non-ASCII usernames and passwords requires the SASLprep implementation in LibIDN (http://www.gnu.org/software/libidn/). This is needed for full conformance with the latest SASL protocol drafts, but is optional in the library for improved portability.
Libgcrypt
The GNU SASL library ships with its own cryptographic implementation, but it can use the one in libgcrypt (http://www.gnupg.org/) instead, if it is available. This is typically useful for desktop machines which have libgcrypt installed.

The command-line interface to GNU SASL requires a POSIX or Windows platform for network connectivity. The command-line tool can make use of GnuTLS (http://www.gnutls.org/) to support the STARTTLS modes of IMAP and SMTP, but GnuTLS is not required.

Note that the library does not need a POSIX platform or network connectivity.


Next: , Previous: Requirements, Up: Introduction

1.5 Supported Platforms

GNU SASL has at some point in time been tested on the following platforms. Daily online build reports are available at http://autobuild.josefsson.org/gsasl/.

  1. Debian GNU/Linux 3.0 (Woody) GCC 2.95.4 and GNU Make. This is the main development platform. alphaev67-unknown-linux-gnu, alphaev6-unknown-linux-gnu, arm-unknown-linux-gnu, hppa-unknown-linux-gnu, hppa64-unknown-linux-gnu, i686-pc-linux-gnu, ia64-unknown-linux-gnu, m68k-unknown-linux-gnu, mips-unknown-linux-gnu, mipsel-unknown-linux-gnu, powerpc-unknown-linux-gnu, s390-ibm-linux-gnu, sparc-unknown-linux-gnu.
  2. Debian GNU/Linux 2.1 GCC 2.95.1 and GNU Make. armv4l-unknown-linux-gnu.
  3. Tru64 UNIX Tru64 UNIX C compiler and Tru64 Make. alphaev67-dec-osf5.1, alphaev68-dec-osf5.1.
  4. SuSE Linux 7.1 GCC 2.96 and GNU Make. alphaev6-unknown-linux-gnu, alphaev67-unknown-linux-gnu.
  5. SuSE Linux 7.2a GCC 3.0 and GNU Make. ia64-unknown-linux-gnu.
  6. RedHat Linux 7.2 GCC 2.96 and GNU Make. alphaev6-unknown-linux-gnu, alphaev67-unknown-linux-gnu, ia64-unknown-linux-gnu.
  7. RedHat Linux 8.0 GCC 3.2 and GNU Make. i686-pc-linux-gnu.
  8. RedHat Advanced Server 2.1 GCC 2.96 and GNU Make. i686-pc-linux-gnu.
  9. Slackware Linux 8.0.01 GCC 2.95.3 and GNU Make. i686-pc-linux-gnu.
  10. Mandrake Linux 9.0 GCC 3.2 and GNU Make. i686-pc-linux-gnu.
  11. IRIX 6.5 MIPS C compiler, IRIX Make. mips-sgi-irix6.5.
  12. AIX 4.3.2 IBM C for AIX compiler, AIX Make. rs6000-ibm-aix4.3.2.0.
  13. Microsoft Windows 2000 (Cygwin) GCC 3.2, GNU make. i686-pc-cygwin.
  14. HP-UX 11 HP-UX C compiler and HP Make. ia64-hp-hpux11.22, hppa2.0w-hp-hpux11.11.
  15. SUN Solaris 2.8 Sun WorkShop Compiler C 6.0 and SUN Make. sparc-sun-solaris2.8.
  16. SUN Solaris 2.9 Sun Forte Developer 7 C compiler and GNU Make. sparc-sun-solaris2.9.
  17. NetBSD 1.6 GCC 2.95.3 and GNU Make. alpha-unknown-netbsd1.6, i386-unknown-netbsdelf1.6.
  18. OpenBSD 3.1 and 3.2 GCC 2.95.3 and GNU Make. alpha-unknown-openbsd3.1, i386-unknown-openbsd3.1.
  19. FreeBSD 4.7 GCC 2.95.4 and GNU Make. alpha-unknown-freebsd4.7, i386-unknown-freebsd4.7.
  20. Cross compiled to uClinux/uClibc on Motorola Coldfire. GCC 3.4 and GNU Make m68k-uclinux-elf.

If you port GNU SASL to a new platform, please report it to the author so this list can be updated.


Next: , Previous: Supported Platforms, Up: Introduction

1.6 Getting help

A mailing list where users may help each other exists, and you can reach it by sending e-mail to help-gsasl@gnu.org. Archives of the mailing list discussions, and an interface to manage subscriptions, is available through the World Wide Web at http://lists.gnu.org/mailman/listinfo/help-gsasl/.


Next: , Previous: Getting help, Up: Introduction

1.7 Commercial Support

Commercial support is available for users of GNU SASL. The kind of support that can be purchased may include:

If you are interested, please write to:

Simon Josefsson Datakonsult AB
Hagagatan 24
113 47 Stockholm
Sweden

E-mail: simon@josefsson.org

If your company provides support related to GNU SASL and would like to be mentioned here, contact the author (see Bug Reports).


Next: , Previous: Commercial Support, Up: Introduction

1.8 Downloading and Installing

The package can be downloaded from several places, including:

ftp://ftp.gnu.org/gnu/gsasl/

The latest version is stored in a file, e.g., ‘gsasl-1.7.0.tar.gz’ where the ‘1.7.0’ value is the highest version number in the directory.

The package is then extracted, configured and built like many other packages that use Autoconf. For detailed information on configuring and building it, refer to the INSTALL file that is part of the distribution archive.

Here is an example terminal session that downloads, configures, builds and install the package. You will need a few basic tools, such as ‘sh’, ‘make’ and ‘cc’.

     $ wget -q ftp://ftp.gnu.org/gnu/gsasl/gsasl-1.7.0.tar.gz
     $ tar xfz gsasl-1.7.0.tar.gz
     $ cd gsasl-1.7.0/
     $ ./configure
     ...
     $ make
     ...
     $ make install
     ...

After that gsasl should be properly installed and ready for use.

A few configure options may be relevant, summarized in the table.

--disable-client
--disable-server
If your target system require a minimal implementation, you may wish to disable the client or the server part of the code. This does not remove symbols from the library, so if you attempt to call an application that uses server functions in a library built with --disable-server, the function will return an error code.
--disable-obsolete
Remove backwards compatibility (see Old Functions). Use if you want to limit the size of the library.
--disable-anonymous
--disable-external
--disable-plain
--disable-login
--disable-securid
--disable-ntlm
--disable-cram-md5
--disable-digest-md5
--disable-gssapi
--disable-gs2
--enable-kerberos_v5
--disable-scram-sha1
--disable-saml20
Disable or enable individual mechanisms (see Mechanisms).
--without-stringprep
Disable internationalized string processing. Note that this will result in a SASL library that is only compatible with RFC 2222.

For the complete list, refer to the output from configure --help.


Next: , Up: Downloading and Installing

1.8.1 Installing under Windows

There are two ways to build GNU SASL on Windows: via MinGW or via Microsoft Visual Studio. Note that a binary release for Windows is available from http://josefsson.org/gnutls4win/.

With MinGW, you can build a GNU SASL DLL and use it from other applications. After installing MinGW (http://mingw.org/) follow the generic installation instructions (see Downloading and Installing). The DLL is installed by default.

For information on how to use the DLL in other applications, see: http://www.mingw.org/mingwfaq.shtml#faq-msvcdll.

You can build GNU SASL as a native Visual Studio C++ project. This allows you to build the code for other platforms that VS supports, such as Windows Mobile. You need Visual Studio 2005 or later.

First download and unpack the archive as described in the generic installation instructions (see Downloading and Installing). Don't run ./configure. Instead, start Visual Studio and open the project file lib/win32/libgsasl.sln inside the GNU SASL directory. You should be able to build the project using Build Project.

Output libraries will be written into the lib/win32/lib (or lib/win32/lib/debug for Debug versions) folder.

Warning! Unless you build GNU SASL linked with libgcrypt, GNU SASL uses the Windows function CryptGenRandom for generating cryptographic random data. The function is known to have some security weaknesses. See http://eprint.iacr.org/2007/419 for more information. The code will attempt to use the Intel RND crypto provider if it is installed, see lib/gl/gc-gnulib.c.


Previous: Installing under Windows, Up: Downloading and Installing

1.8.2 Kerberos on Windows

Building GNU SASL with support for Kerberos via GSS-API on Windows is straight forward if you use GNU GSS and GNU Shishi as the Kerberos implementation.

If you are using MIT Kerberos for Windows (KfW), getting GNU SASL to build with Kerberos support is not straightforward because KfW does not follow the GNU coding style and it has bugs that needs to be worked around. We provide instructions for this environment as well, in the hope that it will be useful for GNU SASL users.

Our instructions assumes you are building the software on a dpkg-based GNU/Linux systems (e.g., gNewSense) using the MinGW cross-compiler suite. These instructions were compiled for KfW version 3.2.2 which were the latest as of 2010-09-25.

We assume that you have installed a normal build environment including the MinGW cross-compiler. Download and unpack the KfW SDK like this:

     $ mkdir ~/kfw
     $ cd ~/kfw
     $ wget -q http://web.mit.edu/kerberos/dist/kfw/3.2/kfw-3.2.2/kfw-3-2-2-sdk.zip
     $ unzip kfw-3-2-2-sdk.zip

Fix a bug in the "win-mac.h" header inside KfW by replacing #include <sys\foo.h> with #include <sys/foo.h>:

     perl -pi -e 's,sys\\,sys/,' ~/kfw/kfw-3-2-2-final/inc/krb5/win-mac.h

Unpack your copy of GNU SASL:

     $ wget -q ftp://alpha.gnu.org/gnu/gsasl/gsasl-1.7.0.tar.gz
     $ tar xfz gsasl-1.7.0.tar.gz
     $ cd gsasl-1.7.0

Configure GNU SASL like this:

     $ lt_cv_deplibs_check_method=pass_all ./configure --host=i586-mingw32msvc --build=i686-pc-linux-gnu --with-gssapi-impl=kfw LDFLAGS="-L$HOME/kfw/kfw-3-2-2-final/lib/i386" CPPFLAGS="-I$HOME/kfw/kfw-3-2-2-final/inc/krb5 -DSSIZE_T_DEFINED"

The 'lt_cv_deplibs_check_method=pass_all' setting is required because the KfW SDK does not ship with Libtool *.la files and is using non-standard DLL names. The -DSSIZE_T_DEFINED is necessary because the win-mac.h file would provide an incorrect duplicate definitions of ssize_t otherwise. By passing --with-gssapi-impl=kfw you activate other bug workarounds, such as providing a GSS_C_NT_HOSTBASED_SERVICE symbol.

Build the software using:

     $ make

If you have Wine installed and your kernel is able to invoke it automatically for Windows programs, you can run the self tests. This is recommended to make sure the build is sane.

     $ make

You may get error messages about missing DLLs, like this error:

     err:module:import_dll Library gssapi32.dll (which is needed by L"Z:\\home\\jas\\src\\gsasl-1.5.2\\lib\\src\\.libs\\libgsasl-7.dll") not found

If that happens, you need to make sure that Wine can find the appropriate DLL. The simplest solution is to copy the necessary DLLs to ~/.wine/drive_c/windows/system32/.

You may now copy the following files onto the Windows machine (e.g., through a USB memory device):

     lib/src/.libs/libgsasl-7.dll
     src/.libs/gsasl.exe

The remaining steps are done on the Windows XP machine. Install KfW and configure it for your realm. To make sure KfW is working properly, acquire a user ticket and then remove it. For testing purposes, you may use the realm 'interop.josefsson.org' with KDC 'interop.josefsson.org' and username 'user' and password 'pass'.

Change to the directory where you placed the files above, and invoke a command like this:

     gsasl.exe -d interop.josefsson.org

KfW should query you for a password, and the tool should negotiate authentication against the server using GS2-KRB5.


Next: , Previous: Downloading and Installing, Up: Introduction

1.9 Bug Reports

If you think you have found a bug in GNU SASL, please investigate it and report it.

Please make an effort to produce a self-contained report, with something definite that can be tested or debugged. Vague queries or piecemeal messages are difficult to act on and don't help the development effort.

If your bug report is good, we will do our best to help you to get a corrected version of the software; if the bug report is poor, we won't do anything about it (apart from asking you to send better bug reports).

If you think something in this manual is unclear, or downright incorrect, or if the language needs to be improved, please also send a note.

Send your bug report to:

bug-gsasl@gnu.org


Previous: Bug Reports, Up: Introduction

1.10 Contributing

If you want to submit a patch for inclusion – from solve a typo you discovered, up to adding support for a new feature – you should submit it as a bug report (see Bug Reports). There are some things that you can do to increase the chances for it to be included in the official package.

Unless your patch is very small (say, under 10 lines) we require that you assign the copyright of your work to the Free Software Foundation. This is to protect the freedom of the project. If you have not already signed papers, we will send you the necessary information when you submit your contribution.

For contributions that doesn't consist of actual programming code, the only guidelines are common sense. Use it.

For code contributions, a number of style guides will help you:


Next: , Previous: Introduction, Up: Top

2 Preparation

To use GNU SASL, you have to perform some changes to your sources and the build system. The necessary changes are small and explained in the following sections. At the end of this chapter, it is described how the library is initialized, and how the requirements of the library are verified.

A faster way to find out how to adapt your application for use with GNU SASL may be to look at the examples at the end of this manual (see Examples).


Next: , Up: Preparation

2.1 Header

All interfaces (data types and functions) of the library are defined in the header file gsasl.h. You must include this in all programs using the library, either directly or through some other header file, like this:

     #include <gsasl.h>

The name space is gsasl_* for function names, Gsasl* for data types and GSASL_* for other symbols. In addition the same name prefixes with one prepended underscore are reserved for internal use and should never be used by an application.


Next: , Previous: Header, Up: Preparation

2.2 Initialization

The library must be initialized before it can be used. The library is initialized by calling gsasl_init (see Global Functions). The resources allocated by the initialization process can be released if the application no longer has a need to call `Libgsasl' functions, this is done by calling gsasl_done. For example:

     int
     main (int argc, char *argv[])
     {
       Gsasl *ctx = NULL;
       int rc;
     ...
       rc = gsasl_init (&ctx);
       if (rc != GSASL_OK)
         {
           printf ("SASL initialization failure (%d): %s\n",
                   rc, gsasl_strerror (rc));
           return 1;
         }
     ...

In order to make error messages from gsasl_strerror be translated (see Top) the application must set the current locale using setlocale before calling gsasl_init. For example:

     int
     main (int argc, char *argv[])
     {
       Gsasl *ctx = NULL;
       int rc;
     ...
       setlocale (LC_ALL, "");
     ...
       rc = gsasl_init (&ctx);
       if (rc != GSASL_OK)
         {
           printf (gettext ("SASL initialization failure (%d): %s\n"),
                   rc, gsasl_strerror (rc));
           return 1;
         }
     ...

In order to take advantage of the secure memory features in Libgcrypt1, you need to initialize secure memory in your application, and for some platforms even make your application setuid root. See the Libgcrypt documentation for more information. Here is example code to initialize secure memory in your code:

     #include <gcrypt.h>
     ...
     int
     main (int argc, char *argv[])
     {
       Gsasl *ctx = NULL;
       int rc;
     ...
       /* Check version of libgcrypt. */
       if (!gcry_check_version (GCRYPT_VERSION))
         die ("version mismatch\n");
     
       /* Allocate a pool of 16k secure memory.  This also drops priviliges
          on some systems. */
       gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
     
       /* Tell Libgcrypt that initialization has completed. */
       gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
     ...
       rc = gsasl_init (&ctx);
       if (rc != GSASL_OK)
         {
           printf ("SASL initialization failure (%d): %s\n",
                   rc, gsasl_strerror (rc));
           return 1;
         }
     ...

If you do not do this, keying material will not be allocated in secure memory (which, for most applications, is not the biggest secure problem anyway). Note that the GNU SASL Library has not been audited to make sure it stores passwords or keys in secure memory.


Next: , Previous: Initialization, Up: Preparation

2.3 Version Check

It is often desirable to check that the version of the library used is indeed one which fits all requirements. Even with binary compatibility, new features may have been introduced but, due to problem with the dynamic linker, an old version may actually be used. So you may want to check that the version is okay right after program startup.

gsasl_check_version

— Function: const char * gsasl_check_version (const char * req_version)

req_version: version string to compare with, or NULL.

Check GNU SASL Library version.

See GSASL_VERSION for a suitable req_version string.

This function is one of few in the library that can be used without a successful call to gsasl_init().

Return value: Check that the version of the library is at minimum the one given as a string in req_version and return the actual version string of the library; return NULL if the condition is not met. If NULL is passed to this function no check is done and only the version string is returned.

The normal way to use the function is to put something similar to the following early in your main:

       if (!gsasl_check_version (GSASL_VERSION))
         {
           printf ("gsasl_check_version failed:\n"
                   "Header file incompatible with shared library.\n");
           exit(1);
         }


Next: , Previous: Version Check, Up: Preparation

2.4 Building the source

If you want to compile a source file including the gsasl.h header file, you must make sure that the compiler can find it in the directory hierarchy. This is accomplished by adding the path to the directory in which the header file is located to the compilers include file search path (via the -I option).

However, the path to the include file is determined at the time the source is configured. To solve this problem, the library uses the external package pkg-config that knows the path to the include file and other configuration options. The options that need to be added to the compiler invocation at compile time are output by the --cflags option to pkg-config libgsasl. The following example shows how it can be used at the command line:

     gcc -c foo.c `pkg-config libgsasl --cflags`

Adding the output of ‘pkg-config libgsasl --cflags’ to the compiler command line will ensure that the compiler can find the gsasl.h header file.

A similar problem occurs when linking the program with the library. Again, the compiler has to find the library files. For this to work, the path to the library files has to be added to the library search path (via the -L option). For this, the option --libs to pkg-config libgsasl can be used. For convenience, this option also outputs all other options that are required to link the program with the library (for instance, the ‘-lidn’ option). The example shows how to link foo.o with the library to a program foo.

     gcc -o foo foo.o `pkg-config libgsasl --libs`

Of course you can also combine both examples to a single command by specifying both options to pkg-config:

     gcc -o foo foo.c `pkg-config libgsasl --cflags --libs`


Previous: Building the source, Up: Preparation

2.5 Autoconf tests

If you work on a project that uses Autoconf (see GNU Autoconf) to help find installed libraries, the suggestions in the previous section are not the entire story. There are a few methods to detect and incorporate the GNU SASL Library into your Autoconf based package. The preferred approach, is to use Libtool in your project, and use the normal Autoconf header file and library tests.

2.5.1 Autoconf test via ‘pkg-config

If your audience is a typical GNU/Linux desktop, you can often assume they have the ‘pkg-config’ tool installed, in which you can use its Autoconf M4 macro to find and set up your package for use with Libgsasl. The following example illustrates this scenario.

     AC_ARG_ENABLE(gsasl,
       AC_HELP_STRING([--disable-gsasl], [don't use GNU SASL]),
       gsasl=$enableval)
     if test "$gsal" != "no" ; then
       PKG_CHECK_MODULES(GSASL, libgsasl >= 1.7.0,
         [gsasl=yes],
         [gsasl=no])
       if test "$gsasl" != "yes" ; then
         gsasl=no
         AC_MSG_WARN([Cannot find GNU SASL, disabling])
       else
         gsasl=yes
         AC_DEFINE(USE_GSASL, 1, [Define to 1 if you want GNU SASL.])
       fi
     fi
     AC_MSG_CHECKING([if GNU SASL should be used])
     AC_MSG_RESULT($gsasl)

2.5.2 Standalone Autoconf test using Libtool

If your package uses Libtool (see GNU Libtool), you can use the normal Autoconf tests to find Libgsasl and rely on the Libtool dependency tracking to include the proper dependency libraries (e.g., Libidn). The following example illustrates this scenario.

     AC_CHECK_HEADER(gsasl.h,
       AC_CHECK_LIB(gsasl, gsasl_check_version,
         [gsasl=yes AC_SUBST(GSASL_LIBS, -lgsasl)],
         gsasl=no),
       gsasl=no)
     AC_ARG_ENABLE(gsasl,
       AC_HELP_STRING([--disable-gsasl], [don't use GNU SASL]),
       gsasl=$enableval)
     if test "$gsasl" != "no" ; then
       AC_DEFINE(USE_SASL, 1, [Define to 1 if you want GNU SASL.])
     else
       AC_MSG_WARN([Cannot find GNU SASL, diabling])
     fi
     AC_MSG_CHECKING([if GNU SASL should be used])
     AC_MSG_RESULT($gsasl)


Next: , Previous: Preparation, Up: Top

3 Using the Library

Your application's use of the library can be roughly modeled into the following steps: initialize the library, optionally specify the callback, perform the authentication, and finally clean up. The following image illustrates this.

controlflow.png

The third step may look complex, but for a simple client it will actually not involve any code. If your application needs to handle several concurrent clients, or if it is a server that needs to serve many clients simultaneous, things do get a bit more complicated.

For illustration, we will write a simple client. Writing a server would be similar, the only difference is that, later on, instead of supplying a username and password, you need to decide whether someone should be allowed to log in or not. The code for what we have discussed so far make up the main function in our client (see Example 1):

     int main (int argc, char *argv[])
     {
       Gsasl *ctx = NULL;
       int rc;
     
       if ((rc = gsasl_init (&ctx)) != GSASL_OK)
         {
           printf ("Cannot initialize libgsasl (%d): %s",
                   rc, gsasl_strerror (rc));
           return 1;
         }
     
       client (ctx);
     
       gsasl_done (ctx);
     
       return 0;
     }

Here, the call to the function client correspond to the third step in the image above.

For a more complicated application, having several clients running simultaneous, instead of a simple call to client, it may have created new threads for each session, and call client within each thread. The library is thread safe.

An actual authentication session is more complicated than what we have seen so far. These are the steps: decide which mechanism to use, start the session, optionally specify the callback, optionally set any properties, perform the authentication loop, and clean up. Naturally, your application will start to talk its own protocol (e.g., SMTP or IMAP) after these steps have concluded.

The authentication loop is based on sending tokens (typically short messages encoded in base 64) back and forth between the client and server. It continues until authentication succeeds or an error occurs. The format of the data to be transferred, the number of iterations in the loop, and other details are specified by each mechanism. The goal of the library is to isolate your application from the details of all different mechanisms.

Note that the library does not send data to the server itself, but returns it in an buffer. You must send it to the server, following an application protocol profile. For example, the SASL application protocol profile for SMTP is described in RFC 2554.

The following image illustrates the steps we have been talking about.

controlflow2.png

We will now show the implementation of the client function used before.

     void client (Gsasl *ctx)
     {
       Gsasl_session *session;
       const char *mech = "PLAIN";
       int rc;
     
       /* Create new authentication session. */
       if ((rc = gsasl_client_start (ctx, mech, &session)) != GSASL_OK)
         {
           printf ("Cannot initialize client (%d): %s\n",
                   rc, gsasl_strerror (rc));
           return;
         }
     
       /* Set username and password in session handle.  This info will be
          lost when this session is deallocated below.  */
       gsasl_property_set (session, GSASL_AUTHID, "jas");
       gsasl_property_set (session, GSASL_PASSWORD, "secret");
     
       /* Do it. */
       client_authenticate (session);
     
       /* Cleanup. */
       gsasl_finish (session);
     }

This function is responsible for deciding which mechanism to use. In this case, the ‘PLAIN’ mechanism is hard coded, but you will see later how this can be made more flexible. The function creates a new session, then it stores the username and password in the session handle, then it calls another function client_authenticate to handle the authentication loop, and finally it cleans up up. Let's continue with the implementation of client_authenticate.

     void client_authenticate (Gsasl_session * session)
     {
       char buf[BUFSIZ] = "";
       char *p;
       int rc;
     
       /* This loop mimics a protocol where the server sends data
          first. */
     
       do
         {
           printf ("Input base64 encoded data from server:\n");
           fgets (buf, sizeof (buf) - 1, stdin);
           if (buf[strlen (buf) - 1] == '\n')
             buf[strlen (buf) - 1] = '\0';
     
           rc = gsasl_step64 (session, buf, &p);
     
           if (rc == GSASL_NEEDS_MORE || rc == GSASL_OK)
             {
               printf ("Output:\n%s\n", p);
               free (p);
             }
         }
       while (rc == GSASL_NEEDS_MORE);
     
       printf ("\n");
     
       if (rc != GSASL_OK)
         {
           printf ("Authentication error (%d): %s\n",
                   rc, gsasl_strerror (rc));
           return;
         }
     
       /* The client is done.  Here you would typically check if the
          server let the client in.  If not, you could try again. */
     
       printf ("If server accepted us, we're done.\n");
     }

This last function needs to be discussed in some detail. First, you should be aware that there are two versions of this function, that differ in a subtle way. The version above (see Example 2) is used for application profiles where the server sends data first. For some mechanisms, this may waste a roundtrip, because the server needs input from the client to proceed. Therefor, today the recommended approach is to permit client to send data first (see Example 1). Which version you should use depends on which application protocol you are implementing.

Further, you should realize that it is bad programming style to use a fixed size buffer. On GNU systems, you may use the getline functions instead of fgets. However, in practice, there are few mechanisms that use very large tokens. In typical configurations, the mechanism with the largest tokens (GSSAPI) can use at least 500 bytes. A fixed buffer size of 8192 bytes may thus be sufficient for now. But don't say I didn't warn you, when a future mechanism doesn't work in your application, because of a fixed size buffer.

The function gsasl_step64 (and of course also gasl_step) returns two non-error return codes. GSASL_OK is used for success, indicating that the library considers the authentication finished. That may include a successful server authentication, depending on the mechanism. You must not let the client continue to the application protocol part unless you receive GSASL_OK from these functions. In particular, don't be fooled into believing authentication were successful if the server replies “OK” but these functions have failed with an error. The server may have been hacked, and could be tricking you into sending confidential data, without having successfully authenticated the server.

The non-error return code GSASL_NEEDS_MORE is used to signal to your application that you should send the output token to the peer, and wait for a new token, and do another iteration. If the server concludes the authentication process, with no data, you should call gsasl_step64 (or gsasl_step) specifying a zero-length token.

If the functions (gsasl_step and gsasl_step64) return any non-error code, the content of the output buffer is undefined. Otherwise, it is the callers responsibility to deallocate the buffer, by calling free. Note that in some situations, where the buffer is empty, NULL is returned as the buffer value. You should treat this as an empty buffer.

3.1 Choosing a mechanism

Our earlier code was hard coded to use a specific mechanism. This is rarely a good idea. Instead, it is recommended to select the best mechanism available from the list of mechanisms supported by the server. Note that without TLS or similar, the list may have been maliciously altered, by an attacker. This means that you should abort if you cannot find any mechanism that exceeds your minimum security level. There is a function gsasl_client_suggest_mechanism (see Global Functions) that will try to pick the “best” available mechanism from a list of mechanisms. Our simple interactive example client (see Example 3) includes the following function to decide which mechanism to use. Note that the code doesn't blindly use what is returned from gsasl_client_suggest_mechanism, rather it lets some logic (in this case the user, through an interactive query) decide which mechanism is acceptable.

     const char *client_mechanism (Gsasl *ctx)
     {
       static char mech[GSASL_MAX_MECHANISM_SIZE + 1] = "";
       char mechlist[BUFSIZ] = "";
       const char *suggestion;
     
       printf ("Enter list of server supported mechanisms, separate by SPC:\n");
       fgets (mechlist, sizeof (mechlist) - 1, stdin);
     
       suggestion = gsasl_client_suggest_mechanism (ctx, mechlist);
       if (suggestion)
         printf ("Library suggests use of `%s'.\n", suggestion);
     
       printf ("Enter mechanism to use:\n");
       fgets (mech, sizeof (mech) - 1, stdin);
       mech[strlen (mech) - 1] = '\0';
     
       return mech;
     }

When running this example code, it might look like in the following output.

     Enter list server supported mechanisms, separate by SPC:
     CRAM-MD5 DIGEST-MD5 GSSAPI FOO BAR
     Library suggests use of `GSSAPI'.
     Enter mechanism to use:
     CRAM-MD5
     Input base64 encoded data from server:
     Zm5vcmQ=
     Output:
     amFzIDkyY2U1NWE5MTM2ZTY4NzEyMTUyZTFjYmFmNjVkZjgx
     
     If server accepted us, we're done.

3.2 Using a callback

Our earlier code specified the username and password before the authentication loop, as in:

     gsasl_property_set (ctx, GSASL_AUTHID, "jas");
     gsasl_property_set (ctx, GSASL_PASSWORD, "secret");

This may work for simple mechanisms, that need only a username and a password. But some mechanism requires more information, such as an authorization identity, a special PIN or passcode, a realm, a hostname, a service name, or an anonymous identifier. Querying the user for all that information, without knowing exactly which of it is really needed will result in a poor user interface. The user should not have to input private information, if it isn't required.

The approach is a bad idea for another reason. What if the server aborts the authentication process? Then your application has already queried the user for a username and password. It would be better if you only asked the user for this information, annoying to input, when it is known to be needed.

A better approach to this problem is to use a callback. Then the mechanism may query your application whenever it needs some information, like the username and password. It will only do this at the precise step in the authentication when the information is actually needed. Further, if the user aborts, e.g., a password prompt, the mechanism is directly informed of this (because it invoked the callback), and could recover somehow.

Our final example (see Example 4) specifies a callback function, inside main as below.

     /* Set the callback handler for the library. */
     gsasl_callback_set (ctx, callback);

The function itself is implemented as follows.

     int callback (Gsasl * ctx, Gsasl_session * sctx, Gsasl_property prop)
     {
       char buf[BUFSIZ] = "";
       int rc = GSASL_NO_CALLBACK;
     
       /* Get user info from user. */
     
       printf ("Callback invoked, for property %d.\n", prop);
     
       switch (prop)
         {
         case GSASL_PASSCODE:
           printf ("Enter passcode:\n");
           fgets (buf, sizeof (buf) - 1, stdin);
           buf[strlen (buf) - 1] = '\0';
     
           gsasl_property_set (sctx, GSASL_PASSCODE, buf);
           rc = GSASL_OK;
           break;
     
         case GSASL_AUTHID:
           printf ("Enter username:\n");
           fgets (buf, sizeof (buf) - 1, stdin);
           buf[strlen (buf) - 1] = '\0';
     
           gsasl_property_set (sctx, GSASL_AUTHID, buf);
           rc = GSASL_OK;
           break;
     
         default:
           printf ("Unknown property!  Don't worry.\n");
           break;
         }
     
       return rc;
     }

Again, it is bad style to use a fixed size buffer. Mmm'kay.

Which properties you should handle is up to you. If you don't know how to respond to a certain property, simply return GSASL_NO_CALLBACK. The basic properties to support are authentication identity (GSASL_AUTHID), authorization identity (GSASL_AUTHZID), and password (GSASL_PASSWORD). See See Properties, for the list of all properties, and what your callback should (ideally) do for them, and which properties each mechanism require in order to work.


Next: , Previous: Using the Library, Up: Top

4 Properties

The library uses a concept called “properties” to request and pass data between the application and the individual authentication mechanisms. The application can set property values using the gsasl_property_set function. If a mechanism needs a property value the application has not yet provided, this is handled through a callback. The application provides a callback, using gsasl_callback_set, which will be invoked with a property parameter. The callback should set the property before returning, or fail. For more information, see See Callback Functions.

There are two kind of properties. The first, a “data property” is the simplest to understand because it normally refers to short strings. For example, the property called GSASL_AUTHID correspond to the username string, e.g., simon.

The latter properties, called “logical properties”, are used by the server to make a authentication decision, and is used as a way to get the application callback invoked. For example, the property GSASL_VALIDATE_SIMPLE is used by the server-side part of mechanisms like PLAIN. The purpose is to ask the server application to decide whether the user should be authenticated successfully or not. The callback typically look at other property fields, such as GSASL_AUTHID and GSASL_PASSWORD, and compare those values with external information (for example data stored in a database or on a LDAP server) and then return OK or not.

Warning: Don't expect that all mechanisms invoke one of the logical properties in the server mode. For example, the CRAM-MD5 and SCRAM-SHA-1 mechanisms will use the data properties (i.e., username and password) provided by the application to internally decide whether to successfully authenticate the user. User authorization decisions needs to be made by the application outside of the SASL mechanism negotiation.

The logical properties are currently only used by servers, but data properties are used by both client and servers. It makes sense to think about the latter category as ‘server properties’ but the reverse is not valid nor useful.

The semantics associated with a data property is different when it is used in client context and in the server context. For example, in the client context, the application is expected to set the property GSASL_AUTHID to signal to the mechanism the username to use, but in the server context, the GSASL_AUTHID property is set by the mechanism and can be used by the application (in the callback) to find out what username the client provided.

Below is a list of all properties and an explanation for each. First is the list of data properties:

Next follows a list of data properties used to trigger the callback, typically used in servers to validate client credentials:


Next: , Previous: Properties, Up: Top

5 Mechanisms

Different SASL mechanisms have different requirements on the application using it. To handle these differences the library can use a callback function into your application in several different ways. Some mechanisms, such as ‘PLAIN’, are simple to explain and use. The client callback queries the user for a username and password. The server callback hands the username and password into any local policy deciding authentication system (such as /etc/passwd via PAM).

Mechanism such as ‘CRAM-MD5’ and ‘SCRAM-SHA-1’ uses hashed passwords. The client callback behaviour is the same as for PLAIN. However, the server does not receive the plain text password over the network but rather a hash of it. Existing policy deciding systems like PAM cannot handle this, so the server callback for these mechanisms are more complicated.

Further, mechanisms like GSSAPI/GS2-KRB5 (Kerberos 5) assume a specific authentication system. In theory this means that the SASL library would not need to interact with the application, but rather call this specific authentication system directly. However, some callbacks are supported anyway, to modify the behaviour of how the specific authentication system is used (i.e., to handle “super-user” login as some other user).

Some mechanisms, like ‘EXTERNAL’ and ‘ANONYMOUS’ are entirely dependent on callbacks.


Next: , Up: Mechanisms

5.1 The EXTERNAL mechanism

The EXTERNAL mechanism is used to authenticate a user to a server based on out-of-band authentication. EXTERNAL is typically used over TLS authenticated channels. Note that in the server, you need to make sure that TLS actually authenticated the client successfully. It is normally not sufficient to use TLS, since it also supports anonymous modes.

In the client, this mechanism is always enabled, and it will send the GSASL_AUTHZID property as the authorization name to the server, if the property is set. If the property is not set, the empty authorization name is sent. You need not implement a callback.

In the server, this mechanism will request the GSASL_VALIDATE_EXTERNAL callback property to decide whether the client is authenticated and authorized to log in. Your callback can retrieve the GSASL_AUTHZID property to inspect the requested authorization name from the client.


Next: , Previous: EXTERNAL, Up: Mechanisms

5.2 The ANONYMOUS mechanism

The ANONYMOUS mechanism is used to “authenticate” clients to anonymous services; or rather, just indicate that the client wishes to use the service anonymously. The client sends a token, usually her email address, which serve the purpose of some trace information suitable for log files. The token is not permitted to be empty.

In the client, this mechanism is always enabled, and will send the GSASL_ANONYMOUS_TOKEN property as the trace information to the server.

In the server, this mechanism will invoke the GSASL_VALIDATE_ANONYMOUS callback to decide whether the client should be permitted to log in. Your callback can retrieve the GSASL_ANONYMOUS_TOKEN property to, for example, save it in a log file. The token is normally not used to decide whether the client should be permitted to log in or not.


Next: , Previous: ANONYMOUS, Up: Mechanisms

5.3 The PLAIN mechanism

The PLAIN mechanism uses username and password to authenticate users. Two user names are relevant. The first, the authentication identity, indicates the credential holder, i.e., whom the provided password belongs to. The second, the authorization identity, is typically empty, to indicate that the user requests to log on to the server as herself. However, if the authorization identity is not empty, the server should decide whether the authenticated user may log on as the authorization identity. Normally, only “super-user” accounts such as ‘admin’ or similar should be allowed this.

In the client, this mechanism is always enabled, and require the GSASL_AUTHID and GSASL_PASSWORD properties. If set, GSASL_AUTHZID will also be used.

In the server, the mechanism is always enabled. Two approaches to authenticate and authorize the client are provided.

In the first approach, the server side of the mechanism will request the GSASL_VALIDATE_SIMPLE callback property to decide whether the client should be accepted or not. The callback may inspect the GSASL_AUTHID, GSASL_AUTHID, and GSASL_PASSWORD properties. These property values will be normalized.

If the first approach fails (because, e.g., your callback returns ‘GSASL_NO_CALLBACK’ to signal that it does not implement GSASL_VALIDATE_SIMPLE) the mechanism will continue to query the application for a password, via the GSASL_PASSWORD property. Your callback may use the GSASL_AUTHID and GSASL_AUTHZID properties to select the proper password. The password is then normalized and compared to the client credential.

Which approach to use? If your database stores hashed passwords, you have no option, but must use the first approach. If passwords in your user database are stored in prepared (SASLprep) form, the first approach will be faster. If you do not have prepared passwords available, you can use the second approach to make sure the password is prepared properly before comparison.


Next: , Previous: PLAIN, Up: Mechanisms

5.4 The LOGIN mechanism

The LOGIN mechanism is a non-standard mechanism, and is similar to the PLAIN mechanism except that LOGIN lacks the support for authorization identities. Always use PLAIN instead of LOGIN in new applications.

The callback behaviour is the same as for PLAIN, except that GSASL_AUTHZID is neither used nor required, and that the server does not normalize the password using SASLprep.

See Use of SASLprep in LOGIN, for a proposed clarification of the interpretation of a hypothetical LOGIN specification.


Next: , Previous: LOGIN, Up: Mechanisms

5.5 The CRAM-MD5 mechanism

The CRAM-MD5 is a widely used, but officially deprecated (apparently in favor of DIGEST-MD5), challenge-response mechanism that transfers hashed passwords instead of clear text passwords. For insecure channels (e.g., when TLS is not used), it is safer than PLAIN. The CRAM-MD5 mechanism does not support authorization identities; making the relationship between CRAM-MD5 and DIGEST-MD5 similar to the relationship between LOGIN and PLAIN.

The disadvantage with hashed passwords is that the server cannot use normal authentication infrastructures such as PAM, because the server must have access to the correct password in order to validate an authentication attempt.

In the client, this mechanism is always enabled, and it requires the GSASL_AUTHID and GSASL_PASSWORD properties.

In the server, the mechanism will require the GSASL_PASSWORD callback property, which may use the GSASL_AUTHID property to determine which users' password should be used. The GSASL_AUTHID will be in normalized form. The server will then normalize the returned password, and compare the client response with the computed correct response, and accept the user accordingly.

See Use of SASLprep in CRAM-MD5, for a clarification on the interpretation of the CRAM-MD5 specification that this implementation rely on.


Next: , Previous: CRAM-MD5, Up: Mechanisms

5.6 The DIGEST-MD5 mechanism

The DIGEST-MD5 mechanism is based on repeated hashing using MD5, which after the MD5 break may be argued to be weaker than HMAC-MD5, but supports more features. For example, authorization identities and data integrity and privacy protection are supported. Like CRAM-MD5, only a hashed password is transferred. Consequently, DIGEST-MD5 needs access to the correct password (although it may be hashed, another improvement compared to CRAM-MD5) to verify the client response. Alas, this makes it impossible to use, e.g., PAM on the server side.

In the client, this mechanism is always enabled, and it requires the GSASL_AUTHID, GSASL_PASSWORD, GSASL_SERVICE, and GSASL_HOSTNAME properties. If set, GSASL_AUTHZID and GSASL_REALM will also be used.

In the server, the mechanism will first request the GSASL_DIGEST_MD5_HASHED_PASSWORD callback property to get the user's hashed password. If the callback doesn't supply a hashed password, the GSASL_PASSWORD callback property will be requested. Both callbacks may use the GSASL_AUTHID, GSASL_AUTHZID and GSASL_REALM properties to determine which users' password should be used. The server will then compare the client response with a computed correct response, and accept the user accordingly.

The server uses the GSASL_QOPS callback to get the set of quality of protection values to use. By default, it advertises support for authentication (qop-auth) only. You can use the callback, for example, to make the server advertise support for authentication with integrity layers.

The client uses the GSASL_QOP callback to get the quality of protection value to request. The client must choose one of the QOP values offered by the server (which may be inspected through the GSASL_QOPS property). If the client does not return a value, qop-auth is used by default.


Next: , Previous: DIGEST-MD5, Up: Mechanisms

5.7 The SCRAM-SHA-1 mechanism

The SCRAM-SHA-1 mechanism is designed to provide (almost) the same capabilities as CRAM-MD5 and DIGEST-MD5 but use modern cryptographic techniques such as HMAC-SHA-1 hashing and PKCS#5 PBKDF2 key derivation. SCRAM-SHA-1 supports authorization identities. Like CRAM-MD5 and DIGEST-MD5, only a hashed password is transferred. Consequently, SCRAM-SHA-1 needs access to the correct password to verify the client response.

In the client, this mechanism is always enabled, and it requires the GSASL_AUTHID property, and either GSASL_PASSWORD or GSASL_SCRAM_SALTED_PASSWORD. If set, GSASL_AUTHZID will be used by the client. To be able to return the proper GSASL_SCRAM_SALTED_PASSWORD value, the client needs to check the GSASL_SCRAM_ITER and GSASL_SCRAM_SALT values which are available when the GSASL_SCRAM_SALTED_PASSWORD property is queried for.

In the server, the mechanism will require the GSASL_PASSWORD callback property, which may use the GSASL_AUTHID property to determine which users' password should be used. The GSASL_AUTHID will be in normalized form. The server will then normalize the returned password, and compare the client response with the computed correct response, and accept the user accordingly. The server may also set the GSASL_SCRAM_ITER and GSASL_SCRAM_SALT properties to influence the values to be used by clients to derive a key from a password.

Currently channel bindings are not supported, so there is no support for SCRAM-SHA-1-PLUS.


Next: , Previous: SCRAM-SHA-1, Up: Mechanisms

5.8 The NTLM mechanism

The NTLM is a non-standard mechanism. Do not use it in new applications, and do not expect it to be secure. Currently only the client side is supported.

In the client, this mechanism is always enabled, and it requires the GSASL_AUTHID and GSASL_PASSWORD properties. It will set the ‘domain’ field in the NTLM request to the value of GSASL_REALM. Some servers reportedly need non-empty but arbitrary values in that field.


Next: , Previous: NTLM, Up: Mechanisms

5.9 The SECURID mechanism

The SECURID mechanism uses authentication and authorization identity together with a passcode from a hardware token to authenticate users.

In the client, this mechanism is always enabled, and it requires the GSASL_AUTHID and GSASL_PASSCODE properties. If set, GSASL_AUTHZID will also be used. If the server requests it, the GSASL_PIN property is also required, and its callback may inspect the GSASL_SUGGESTED_PIN property to discover a server-provided PIN to use.

In the server, this mechanism will invoke the GSASL_VALIDATE_SECURID callback. The callback may inspect the GSASL_AUTHID, GSASL_AUTHZID, and GSASL_PASSCODE properties. The callback can return GSASL_SECURID_SERVER_NEED_ADDITIONAL_PASSCODE to ask for another additional passcode from the client. The callback can return GSASL_SECURID_SERVER_NEED_NEW_PIN to ask for a new PIN code from the client, in which case it may also set the GSASL_SUGGESTED_PIN property to indicate a recommended new PIN. If the callbacks is invoked again, after having returned GSASL_SECURID_SERVER_NEED_NEW_PIN, it may also inspect the GSASL_PIN property, in addition to the other properties, to find out the client selected PIN code.


Next: , Previous: SECURID, Up: Mechanisms

5.10 The GSSAPI mechanism

The GSSAPI mechanism allows you to authenticate using Kerberos V5. The mechanism was originally designed to allow for any GSS-API mechanism to be used, but problems with the protocol made it unpractical and it is today restricted for use with Kerberos V5. See the GS2 mechanism (see GS2-KRB5) for a general solution.

In the client, the mechanism is enabled only if the user has acquired credentials (i.e., a ticket granting ticket), and it requires the GSASL_AUTHID, GSASL_SERVICE, and GSASL_HOSTNAME properties.

In the server, the mechanism requires the GSASL_SERVICE and GSASL_HOSTNAME properties, and it will invoke the GSASL_VALIDATE_GSSAPI callback property in order to validate the user. The callback may inspect the GSASL_AUTHZID and GSASL_GSSAPI_DISPLAY_NAME properties to decide whether to authorize the user. Note that authentication is performed by the GSS-API library.

XXX: explain more about quality of service, maximum buffer size, etc.


Next: , Previous: GSSAPI, Up: Mechanisms

5.11 The GS2-KRB5 mechanism

GS2 is a protocol bridge between GSS-API and SASL, and allows every GSS-API mechanism that supports mutual authentication and channel bindings to be used as a SASL mechanism. Currently we support the GS2-KRB5 mechanism, for Kerberos V5 authentication, however our GS2 implementation is flexible enough to easily support other GSS-API mechanism if any gains popularity.

In the client, the mechanism is enabled only if the user has acquired credentials (i.e., a ticket granting ticket), and it requires the GSASL_AUTHID, GSASL_SERVICE, and GSASL_HOSTNAME properties.

In the server, the mechanism requires the GSASL_SERVICE and GSASL_HOSTNAME properties, and it will invoke the GSASL_VALIDATE_GSSAPI callback property in order to validate the user. The callback may inspect the GSASL_AUTHZID and GSASL_GSSAPI_DISPLAY_NAME properties to decide whether to authorize the user. Note that authentication is performed by the GSS-API library.

The GS2 framework supports a variant of each mechanism, called the PLUS variant, which can also bind the authentication to a secure channel through channel bindings. Currently this is not supported by GNU SASL.


Next: , Previous: GS2-KRB5, Up: Mechanisms

5.12 The KERBEROS_V5 mechanism

The KERBEROS_V5 is an experimental mechanism, the protocol specification is available on the GNU SASL homepage. It can operate in three modes, non-infrastructure mode, infrastructure mode and proxied infrastructure mode. Currently only non-infrastructure mode is supported.

In the non-infrastructure mode, it works as a superset of most features provided by PLAIN, CRAM-MD5, DIGEST-MD5 and GSSAPI while at the same time building on what is believed to be proven technology (the RFC 1510 network security system). In the non-infrastructure mode, the client must specify (via callbacks) the name of the user, and optionally the server name and realm. The server must be able to retrieve passwords given the name of the user.

In the infrastructure mode (proxied or otherwise), it allows clients and servers to authenticate via SASL in an RFC 1510 environment, using a trusted third party, a “Key Distribution Central”. In the normal mode, clients acquire tickets out of band and then invokes a one roundtrip AP-REQ and AP-REP exchange. In the proxied mode, which can be used by clients without IP addresses or without connectivity to the KDC (e.g., when the KDC is IPv4 and the client is IPV6-only), the client uses the server to proxy ticket requests and finishes with the AP-REQ/AP-REP exchange. In infrastructure mode (proxied or otherwise), neither the client nor server need to implement any callbacks (this will likely change later, to allow a server to authorize users, similar to the GSSAPI callback).

XXX: update when implementation has matured


Previous: KERBEROS_V5, Up: Mechanisms

5.13 The SAML20 mechanism

The SAML20 mechanism makes it possible to use SAML in SASL, in a way that offloads the authentication exchange to an external browser.

The mechanism makes use of the following properties: GSASL_AUTHZID, GSASL_SAML20_IDP_IDENTIFIER, GSASL_SAML20_REDIRECT_URL, GSASL_SAML20_AUTHENTICATE_IN_BROWSER and GSASL_VALIDATE_SAML20.

In client mode, the mechanism will retrieve the GSASL_AUTHZID and GSASL_SAML20_IDP_IDENTIFIER properties and form a request to the server. The server will respond with a redirect URL stored in the GSASL_SAML20_REDIRECT_URL property, which the client can retrieve from the GSASL_SAML20_AUTHENTICATE_IN_BROWSER callback. The intention is that the client launches a browser to the given URL, and then proceeds with authentication. The server responds whether authentication was successful or not.

In server mode, the mechanism will invoke the GSASL_SAML20_REDIRECT_URL callback and the application can inspect the GSASL_AUTHZID and GSASL_SAML20_IDP_IDENTIFIER properties when forming the redirect URL. The URL is passed to the client which will hopefully complete authentication in the browser. The server callback GSASL_VALIDATE_SAML20 should check whether the authentication attempt was successful.


Next: , Previous: Mechanisms, Up: Top

6 Global Functions

gsasl_init

— Function: int gsasl_init (Gsasl ** ctx)

ctx: pointer to libgsasl handle.

This functions initializes libgsasl. The handle pointed to by ctx is valid for use with other libgsasl functions iff this function is successful. It also register all builtin SASL mechanisms, using gsasl_register().

Return value: GSASL_OK iff successful, otherwise GSASL_MALLOC_ERROR.

gsasl_done

— Function: void gsasl_done (Gsasl * ctx)

ctx: libgsasl handle.

This function destroys a libgsasl handle. The handle must not be used with other libgsasl functions after this call.

gsasl_client_mechlist

— Function: int gsasl_client_mechlist (Gsasl * ctx, char ** out)

ctx: libgsasl handle.

out: newly allocated output character array.

Return a newly allocated string containing SASL names, separated by space, of mechanisms supported by the libgsasl client. out is allocated by this function, and it is the responsibility of caller to deallocate it.

Return value: Returns GSASL_OK if successful, or error code.

gsasl_server_mechlist

— Function: int gsasl_server_mechlist (Gsasl * ctx, char ** out)

ctx: libgsasl handle.

out: newly allocated output character array.

Return a newly allocated string containing SASL names, separated by space, of mechanisms supported by the libgsasl server. out is allocated by this function, and it is the responsibility of caller to deallocate it.

Return value: Returns GSASL_OK if successful, or error code.

gsasl_client_support_p

— Function: int gsasl_client_support_p (Gsasl * ctx, const char * name)

ctx: libgsasl handle.

name: name of SASL mechanism.

Decide whether there is client-side support for a specified mechanism.

Return value: Returns 1 if the libgsasl client supports the named mechanism, otherwise 0.

gsasl_server_support_p

— Function: int gsasl_server_support_p (Gsasl * ctx, const char * name)

ctx: libgsasl handle.

name: name of SASL mechanism.

Decide whether there is server-side support for a specified mechanism.

Return value: Returns 1 if the libgsasl server supports the named mechanism, otherwise 0.

gsasl_client_suggest_mechanism

— Function: const char * gsasl_client_suggest_mechanism (Gsasl * ctx, const char * mechlist)

ctx: libgsasl handle.

mechlist: input character array with SASL mechanism names, separated by invalid characters (e.g. SPC).

Given a list of mechanisms, suggest which to use.

Return value: Returns name of "best" SASL mechanism supported by the libgsasl client which is present in the input string, or NULL if no supported mechanism is found.

gsasl_register

— Function: int gsasl_register (Gsasl * ctx, const Gsasl_mechanism * mech)

ctx: pointer to libgsasl handle.

mech: plugin structure with information about plugin.

This function initialize given mechanism, and if successful, add it to the list of plugins that is used by the library.

Return value: GSASL_OK iff successful, otherwise GSASL_MALLOC_ERROR.

Since: 0.2.0


Next: , Previous: Global Functions, Up: Top

7 Callback Functions

The callback is used by mechanisms to retrieve information, such as username and password, from the application. In a server, the callback is used to decide whether a user is permitted to log in or not. You tell the library of your callback function by calling gsasl_callback_set.

Since your callback may need access to data from other parts of your application, there are hooks to store and retrieve application specific pointers. This avoids the use of global variables, which wouldn't be thread safe. You store a pointer to some information (opaque from the point of view of the library) by calling gsasl_callback_hook_set and can later retrieve this data in your callback by calling gsasl_callback_hook_get.

gsasl_callback_set

— Function: void gsasl_callback_set (Gsasl * ctx, Gsasl_callback_function cb)

ctx: handle received from gsasl_init().

cb: pointer to function implemented by application.

Store the pointer to the application provided callback in the library handle. The callback will be used, via gsasl_callback(), by mechanisms to discover various parameters (such as username and passwords). The callback function will be called with a Gsasl_property value indicating the requested behaviour. For example, for GSASL_ANONYMOUS_TOKEN, the function is expected to invoke gsasl_property_set(CTX, GSASL_ANONYMOUS_TOKEN, "token") where "token" is the anonymous token the application wishes the SASL mechanism to use. See the manual for the meaning of all parameters.

Since: 0.2.0

gsasl_callback

— Function: int gsasl_callback (Gsasl * ctx, Gsasl_session * sctx, Gsasl_property prop)

ctx: handle received from gsasl_init(), may be NULL to derive it from sctx.

sctx: session handle.

prop: enumerated value of Gsasl_property type.

Invoke the application callback. The prop value indicate what the callback is expected to do. For example, for GSASL_ANONYMOUS_TOKEN, the function is expected to invoke gsasl_property_set(SCTX, GSASL_ANONYMOUS_TOKEN, "token") where "token" is the anonymous token the application wishes the SASL mechanism to use. See the manual for the meaning of all parameters.

Note that if no callback has been set by the application, but the obsolete callback interface has been used, this function will translate the old callback interface into the new. This interface should be sufficient to invoke all callbacks, both new and old.

Return value: Returns whatever the application callback return, or GSASL_NO_CALLBACK if no application was known.

Since: 0.2.0

gsasl_callback_hook_set

— Function: void gsasl_callback_hook_set (Gsasl * ctx, void * hook)

ctx: libgsasl handle.

hook: opaque pointer to application specific data.

Store application specific data in the libgsasl handle.

The application data can be later (for instance, inside a callback) be retrieved by calling gsasl_callback_hook_get(). This is normally used by the application to maintain a global state between the main program and callbacks.

Since: 0.2.0

gsasl_callback_hook_get

— Function: void * gsasl_callback_hook_get (Gsasl * ctx)

ctx: libgsasl handle.

Retrieve application specific data from libgsasl handle.

The application data is set using gsasl_callback_hook_set(). This is normally used by the application to maintain a global state between the main program and callbacks.

Return value: Returns the application specific data, or NULL.

Since: 0.2.0

gsasl_session_hook_set

— Function: void gsasl_session_hook_set (Gsasl_session * sctx, void * hook)

sctx: libgsasl session handle.

hook: opaque pointer to application specific data.

Store application specific data in the libgsasl session handle.

The application data can be later (for instance, inside a callback) be retrieved by calling gsasl_session_hook_get(). This is normally used by the application to maintain a per-session state between the main program and callbacks.

Since: 0.2.14

gsasl_session_hook_get

— Function: void * gsasl_session_hook_get (Gsasl_session * sctx)

sctx: libgsasl session handle.

Retrieve application specific data from libgsasl session handle.

The application data is set using gsasl_callback_hook_set(). This is normally used by the application to maintain a per-session state between the main program and callbacks.

Return value: Returns the application specific data, or NULL.

Since: 0.2.14


Next: , Previous: Callback Functions, Up: Top

8 Property Functions

gsasl_property_set

— Function: void gsasl_property_set (Gsasl_session * sctx, Gsasl_property prop, const char * data)

sctx: session handle.

prop: enumerated value of Gsasl_property type, indicating the type of data in data.

data: zero terminated character string to store.

Make a copy of data and store it in the session handle for the indicated property prop.

You can immediately deallocate data after calling this function, without affecting the data stored in the session handle.

Since: 0.2.0

gsasl_property_set_raw

— Function: void gsasl_property_set_raw (Gsasl_session * sctx, Gsasl_property prop, const char * data, size_t len)

sctx: session handle.

prop: enumerated value of Gsasl_property type, indicating the type of data in data.

data: character string to store.

len: length of character string to store.

Make a copy of len sized data and store a zero terminated version of it in the session handle for the indicated property prop.

You can immediately deallocate data after calling this function, without affecting the data stored in the session handle.

Except for the length indicator, this function is identical to gsasl_property_set.

Since: 0.2.0

gsasl_property_fast

— Function: const char * gsasl_property_fast (Gsasl_session * sctx, Gsasl_property prop)

sctx: session handle.

prop: enumerated value of Gsasl_property type, indicating the type of data in data.

Retrieve the data stored in the session handle for given property prop.

The pointer is to live data, and must not be deallocated or modified in any way.

This function will not invoke the application callback.

Return value: Return property value, if known, or NULL if no value known.

Since: 0.2.0

gsasl_property_get

— Function: const char * gsasl_property_get (Gsasl_session * sctx, Gsasl_property prop)

sctx: session handle.

prop: enumerated value of Gsasl_property type, indicating the type of data in data.

Retrieve the data stored in the session handle for given property prop, possibly invoking the application callback to get the value.

The pointer is to live data, and must not be deallocated or modified in any way.

This function will invoke the application callback, using gsasl_callback(), when a property value is not known.

If no value is known, and no callback is specified or if the callback fail to return data, and if any obsolete callback functions has been set by the application, this function will try to call these obsolete callbacks, and store the returned data as the corresponding property. This behaviour of this function will be removed when the obsolete callback interfaces are removed.

Return value: Return data for property, or NULL if no value known.

Since: 0.2.0


Next: , Previous: Property Functions, Up: Top

9 Session Functions

gsasl_client_start

— Function: int gsasl_client_start (Gsasl * ctx, const char * mech, Gsasl_session ** sctx)

ctx: libgsasl handle.

mech: name of SASL mechanism.

sctx: pointer to client handle.

This functions initiates a client SASL authentication. This function must be called before any other gsasl_client_*() function is called.

Return value: Returns GSASL_OK if successful, or error code.

gsasl_server_start

— Function: int gsasl_server_start (Gsasl * ctx, const char * mech, Gsasl_session ** sctx)

ctx: libgsasl handle.

mech: name of SASL mechanism.

sctx: pointer to server handle.

This functions initiates a server SASL authentication. This function must be called before any other gsasl_server_*() function is called.

Return value: Returns GSASL_OK if successful, or error code.

gsasl_step

— Function: int gsasl_step (Gsasl_session * sctx, const char * input, size_t input_len, char ** output, size_t * output_len)

sctx: libgsasl session handle.

input: input byte array.

input_len: size of input byte array.

output: newly allocated output byte array.

output_len: pointer to output variable with size of output byte array.

Perform one step of SASL authentication. This reads data from the other end (from input and input_len), processes it (potentially invoking callbacks to the application), and writes data to server (into newly allocated variable output and output_len that indicate the length of output).

The contents of the output buffer is unspecified if this functions returns anything other than GSASL_OK or GSASL_NEEDS_MORE. If this function return GSASL_OK or GSASL_NEEDS_MORE, however, the output buffer is allocated by this function, and it is the responsibility of caller to deallocate it by calling free (output).

Return value: Returns GSASL_OK if authenticated terminated successfully, GSASL_NEEDS_MORE if more data is needed, or error code.

gsasl_step64

— Function: int gsasl_step64 (Gsasl_session * sctx, const char * b64input, char ** b64output)

sctx: libgsasl client handle.

b64input: input base64 encoded byte array.

b64output: newly allocated output base64 encoded byte array.

This is a simple wrapper around gsasl_step() that base64 decodes the input and base64 encodes the output.

The contents of the b64output buffer is unspecified if this functions returns anything other than GSASL_OK or GSASL_NEEDS_MORE. If this function return GSASL_OK or GSASL_NEEDS_MORE, however, the b64output buffer is allocated by this function, and it is the responsibility of caller to deallocate it by calling free (b64output).

Return value: Returns GSASL_OK if authenticated terminated successfully, GSASL_NEEDS_MORE if more data is needed, or error code.

gsasl_finish

— Function: void gsasl_finish (Gsasl_session * sctx)

sctx: libgsasl session handle.

Destroy a libgsasl client or server handle. The handle must not be used with other libgsasl functions after this call.

gsasl_encode

— Function: int gsasl_encode (Gsasl_session * sctx, const char * input, size_t input_len, char ** output, size_t * output_len)

sctx: libgsasl session handle.

input: input byte array.

input_len: size of input byte array.

output: newly allocated output byte array.

output_len: size of output byte array.

Encode data according to negotiated SASL mechanism. This might mean that data is integrity or privacy protected.

The output buffer is allocated by this function, and it is the responsibility of caller to deallocate it by calling free(output).

Return value: Returns GSASL_OK if encoding was successful, otherwise an error code.

gsasl_decode

— Function: int gsasl_decode (Gsasl_session * sctx, const char * input, size_t input_len, char ** output, size_t * output_len)

sctx: libgsasl session handle.

input: input byte array.

input_len: size of input byte array.

output: newly allocated output byte array.

output_len: size of output byte array.

Decode data according to negotiated SASL mechanism. This might mean that data is integrity or privacy protected.

The output buffer is allocated by this function, and it is the responsibility of caller to deallocate it by calling free(output).

Return value: Returns GSASL_OK if encoding was successful, otherwise an error code.

gsasl_mechanism_name

— Function: const char * gsasl_mechanism_name (Gsasl_session * sctx)

sctx: libgsasl session handle.

This function returns the name of the SASL mechanism used in the session.

Return value: Returns a zero terminated character array with the name of the SASL mechanism, or NULL if not known.

Since: 0.2.28


Next: , Previous: Session Functions, Up: Top

10 Utilities

gsasl_saslprep

— Function: int gsasl_saslprep (const char * in, Gsasl_saslprep_flags flags, char ** out, int * stringpreprc)

in: a UTF-8 encoded string.

flags: any SASLprep flag, e.g., GSASL_ALLOW_UNASSIGNED.

out: on exit, contains newly allocated output string.

stringpreprc: if non-NULL, will hold precise stringprep return code.

Prepare string using SASLprep. On success, the out variable must be deallocated by the caller.

Return value: Returns GSASL_OK on success, or GSASL_SASLPREP_ERROR on error.

Since: 0.2.3

gsasl_base64_to

— Function: int gsasl_base64_to (const char * in, size_t inlen, char ** out, size_t * outlen)

in: input byte array

inlen: size of input byte array

out: pointer to newly allocated output byte array

outlen: pointer to size of newly allocated output byte array

Encode data as base64. The string is zero terminated, and outlen holds the length excluding the terminating zero. The out buffer must be deallocated by the caller.

Return value: Returns GSASL_OK on success, or GSASL_MALLOC_ERROR if input was too large or memory allocation fail.

Since: 0.2.2

gsasl_base64_from

— Function: int gsasl_base64_from (const char * in, size_t inlen, char ** out, size_t * outlen)

in: input byte array

inlen: size of input byte array

out: pointer to newly allocated output byte array

outlen: pointer to size of newly allocated output byte array

Decode Base64 data. The out buffer must be deallocated by the caller.

Return value: Returns GSASL_OK on success, GSASL_BASE64_ERROR if input was invalid, and GSASL_MALLOC_ERROR on memory allocation errors.

Since: 0.2.2

gsasl_simple_getpass

— Function: int gsasl_simple_getpass (const char * filename, const char * username, char ** key)

filename: filename of file containing passwords.

username: username string.

key: newly allocated output character array.

Retrieve password for user from specified file. The buffer key contain the password if this function is successful. The caller is responsible for deallocating it.

The file should be on the UoW "MD5 Based Authentication" format, which means it is in text format with comments denoted by # first on the line, with user entries looking as "usernameTABpassword". This function removes CR and LF at the end of lines before processing. TAB, CR, and LF denote ASCII values 9, 13, and 10, respectively.

Return value: Return GSASL_OK if output buffer contains the password, GSASL_AUTHENTICATION_ERROR if the user could not be found, or other error code.

gsasl_nonce

— Function: int gsasl_nonce (char * data, size_t datalen)

data: output array to be filled with unpredictable random data.

datalen: size of output array.

Store unpredictable data of given size in the provided buffer.

Return value: Returns GSASL_OK iff successful.

gsasl_random

— Function: int gsasl_random (char * data, size_t datalen)

data: output array to be filled with strong random data.

datalen: size of output array.

Store cryptographically strong random data of given size in the provided buffer.

Return value: Returns GSASL_OK iff successful.

gsasl_md5

— Function: int gsasl_md5 (const char * in, size_t inlen, char * out[16])

in: input character array of data to hash.

inlen: length of input character array of data to hash.

Compute hash of data using MD5. The out buffer must be deallocated by the caller.

Return value: Returns GSASL_OK iff successful.

gsasl_hmac_md5

— Function: int gsasl_hmac_md5 (const char * key, size_t keylen, const char * in, size_t inlen, char * outhash[16])

key: input character array with key to use.

keylen: length of input character array with key to use.

in: input character array of data to hash.

inlen: length of input character array of data to hash.

Compute keyed checksum of data using HMAC-MD5. The outhash buffer must be deallocated by the caller.

Return value: Returns GSASL_OK iff successful.

gsasl_sha1

— Function: int gsasl_sha1 (const char * in, size_t inlen, char * out[20])

in: input character array of data to hash.

inlen: length of input character array of data to hash.

Compute hash of data using SHA1. The out buffer must be deallocated by the caller.

Return value: Returns GSASL_OK iff successful.

Since: 1.3

gsasl_hmac_sha1

— Function: int gsasl_hmac_sha1 (const char * key, size_t keylen, const char * in, size_t inlen, char * outhash[20])

key: input character array with key to use.

keylen: length of input character array with key to use.

in: input character array of data to hash.

inlen: length of input character array of data to hash.

Compute keyed checksum of data using HMAC-SHA1. The outhash buffer must be deallocated by the caller.

Return value: Returns GSASL_OK iff successful.

Since: 1.3


Next: , Previous: Utilities, Up: Top

11 Memory Handling

gsasl_free

— Function: void gsasl_free (void * ptr)

ptr: memory pointer

Invoke free(ptr) to de-allocate memory pointer. Typically used on strings allocated by other libgsasl functions.

This is useful on Windows where libgsasl is linked to one CRT and the application is linked to another CRT. Then malloc/free will not use the same heap. This happens if you build libgsasl using mingw32 and the application with Visual Studio.

Since: 0.2.19


Next: , Previous: Memory Handling, Up: Top

12 Error Handling

Most functions in the GNU SASL Library return an error if they fail. For this reason, the application should always catch the error condition and take appropriate measures, for example by releasing the resources and passing the error up to the caller, or by displaying a descriptive message to the user and cancelling the operation.

Some error values do not indicate a system error or an error in the operation, but the result of an operation that failed properly.


Next: , Up: Error Handling

12.1 Error values

Errors are returned as int values.

The value of the symbol GSASL_OK is guaranteed to always be 0, and all other error codes are guaranteed to be non-0, so you may use that information to build boolean expressions involving return codes. Otherwise, an application should not depend on the particular value for error codes, and are encouraged to use the constants even for GSASL_OK to improve readability. Possible values are:

GSASL_OK
Libgsasl success
GSASL_NEEDS_MORE
SASL mechanism needs more data
GSASL_UNKNOWN_MECHANISM
Unknown SASL mechanism
GSASL_MECHANISM_CALLED_TOO_MANY_TIMES
SASL mechanism called too many times
GSASL_TOO_SMALL_BUFFER
SASL function needs larger buffer (internal error)
GSASL_FOPEN_ERROR
Could not open file in SASL library
GSASL_FCLOSE_ERROR
Could not close file in SASL library
GSASL_MALLOC_ERROR
Memory allocation error in SASL library
GSASL_BASE64_ERROR
Base 64 coding error in SASL library
GSASL_CRYPTO_ERROR
Low-level crypto error in SASL library
GSASL_NEED_CLIENT_ANONYMOUS_CALLBACK
SASL mechanism needs gsasl_client_callback_anonymous() callback (application error)
GSASL_NEED_CLIENT_PASSWORD_CALLBACK
SASL mechanism needs gsasl_client_callback_password() callback (application error)
GSASL_NEED_CLIENT_PASSCODE_CALLBACK
SASL mechanism needs gsasl_client_callback_passcode() callback (application error)
GSASL_NEED_CLIENT_PIN_CALLBACK
SASL mechanism needs gsasl_client_callback_pin() callback (application error)
GSASL_NEED_CLIENT_AUTHORIZATION_ID_CALLBACK
SASL mechanism needs gsasl_client_callback_authorization_id() callback (application error)
GSASL_NEED_CLIENT_AUTHENTICATION_ID_CALLBACK
SASL mechanism needs gsasl_client_callback_authentication_id() callback (application error)
GSASL_NEED_CLIENT_SERVICE_CALLBACK
SASL mechanism needs gsasl_client_callback_service() callback (application error)
GSASL_NEED_SERVER_VALIDATE_CALLBACK
SASL mechanism needs gsasl_server_callback_validate() callback (application error)
GSASL_NEED_SERVER_CRAM_MD5_CALLBACK
SASL mechanism needs gsasl_server_callback_cram_md5() callback (application error)
GSASL_NEED_SERVER_DIGEST_MD5_CALLBACK
SASL mechanism needs gsasl_server_callback_digest_md5() callback (application error)
GSASL_NEED_SERVER_EXTERNAL_CALLBACK
SASL mechanism needs gsasl_server_callback_external() callback (application error)
GSASL_NEED_SERVER_ANONYMOUS_CALLBACK
SASL mechanism needs gsasl_server_callback_anonymous() callback (application error)
GSASL_NEED_SERVER_REALM_CALLBACK
SASL mechanism needs gsasl_server_callback_realm() callback (application error)
GSASL_NEED_SERVER_SECURID_CALLBACK
SASL mechanism needs gsasl_server_callback_securid() callback (application error)
GSASL_NEED_SERVER_SERVICE_CALLBACK
SASL mechanism needs gsasl_server_callback_service() callback (application error)
GSASL_NEED_SERVER_GSSAPI_CALLBACK
SASL mechanism needs gsasl_server_callback_gssapi() callback (application error)
GSASL_NEED_SERVER_RETRIEVE_CALLBACK
SASL mechanism needs gsasl_server_callback_retrieve() callback (application error)
GSASL_UNICODE_NORMALIZATION_ERROR
Failed to perform Unicode Normalization on string.
GSASL_SASLPREP_ERROR
Could not prepare internationalized (non-ASCII) string.
GSASL_MECHANISM_PARSE_ERROR
SASL mechanism could not parse input
GSASL_AUTHENTICATION_ERROR
Error authenticating user
GSASL_CANNOT_GET_CTX
Cannot get internal library handle (library error)
GSASL_INTEGRITY_ERROR
Integrity error in application payload
GSASL_NO_MORE_REALMS
No more realms available (non-fatal)
GSASL_NO_CLIENT_CODE
Client-side functionality not available in library (application error)
GSASL_NO_SERVER_CODE
Server-side functionality not available in library (application error)
GSASL_GSSAPI_RELEASE_BUFFER_ERROR
GSSAPI library could not deallocate memory in gss_release_buffer() in SASL library. This is a serious internal error.
GSASL_GSSAPI_IMPORT_NAME_ERROR
GSSAPI library could not understand a peer name in gss_import_name() in SASL library. This is most likely due to incorrect service and/or hostnames.
GSASL_GSSAPI_INIT_SEC_CONTEXT_ERROR
GSSAPI error in client while negotiating security context in gss_init_sec_context() in SASL library. This is most likely due insufficient credentials or malicious interactions.
GSASL_GSSAPI_ACCEPT_SEC_CONTEXT_ERROR
GSSAPI error in server while negotiating security context in gss_accept_sec_context() in SASL library. This is most likely due insufficient credentials or malicious interactions.
GSASL_GSSAPI_UNWRAP_ERROR
GSSAPI error while decrypting or decoding data in gss_unwrap() in SASL library. This is most likely due to data corruption.
GSASL_GSSAPI_WRAP_ERROR
GSSAPI error while encrypting or encoding data in gss_wrap() in SASL library.
GSASL_GSSAPI_ACQUIRE_CRED_ERROR
GSSAPI error acquiring credentials in gss_acquire_cred() in SASL library. This is most likely due to not having the proper Kerberos key available in /etc/krb5.keytab on the server.
GSASL_GSSAPI_DISPLAY_NAME_ERROR
GSSAPI error creating a display name denoting the client in gss_display_name() in SASL library. This is probably because the client supplied bad data.
GSASL_GSSAPI_UNSUPPORTED_PROTECTION_ERROR
Other entity requested integrity or confidentiality protection in GSSAPI mechanism but this is currently not implemented.
GSASL_KERBEROS_V5_INIT_ERROR
Kerberos V5 initialization failure.
GSASL_KERBEROS_V5_INTERNAL_ERROR
Kerberos V5 internal error.
GSASL_SECURID_SERVER_NEED_ADDITIONAL_PASSCODE
SecurID needs additional passcode.
GSASL_SECURID_SERVER_NEED_NEW_PIN
SecurID needs new pin.
GSASL_INVALID_HANDLE
The provided library handle was invalid (application error)
GSASL_NO_CALLBACK
No callback specified by caller (application error).
GSASL_NO_ANONYMOUS_TOKEN
Authentication failed because the anonymous token was not provided.
GSASL_NO_AUTHID
Authentication failed because the authentication identity was not provided.
GSASL_NO_AUTHZID
Authentication failed because the authorization identity was not provided.
GSASL_NO_PASSWORD
Authentication failed because the password was not provided.
GSASL_NO_PASSCODE
Authentication failed because the passcode was not provided.
GSASL_NO_PIN
Authentication failed because the pin code was not provided.
GSASL_NO_SERVICE
Authentication failed because the service name was not provided.
GSASL_NO_HOSTNAME
Authentication failed because the host name was not provided.
GSASL_GSSAPI_ENCAPSULATE_TOKEN_ERROR
GSSAPI error encapsulating token.
GSASL_GSSAPI_DECAPSULATE_TOKEN_ERROR
GSSAPI error decapsulating token.
GSASL_GSSAPI_INQUIRE_MECH_FOR_SASLNAME_ERROR
GSSAPI error getting OID for SASL mechanism name.
GSASL_GSSAPI_TEST_OID_SET_MEMBER_ERROR
GSSAPI error testing for OID in OID set.
GSASL_GSSAPI_RELEASE_OID_SET_ERROR
GSSAPI error releasing OID set.
GSASL_NO_SAML20_IDP_IDENTIFIER
Callback failed to provide SAML20 user identifier.
GSASL_NO_SAML20_REDIRECT_URL
Callback failed to provide SAML20 redirect URL.


Previous: Error values, Up: Error Handling

12.2 Error strings

gsasl_strerror

— Function: const char * gsasl_strerror (int err)

err: libgsasl error code

Convert return code to human readable string explanation of the reason for the particular error code.

This string can be used to output a diagnostic message to the user.

This function is one of few in the library that can be used without a successful call to gsasl_init().

Return value: Returns a pointer to a statically allocated string containing an explanation of the error code err.

gsasl_strerror_name

— Function: const char * gsasl_strerror_name (int err)

err: libgsasl error code

Convert return code to human readable string representing the error code symbol itself. For example, gsasl_strerror_name(GSASL_OK) returns the string "GSASL_OK".

This string can be used to output a diagnostic message to the user.

This function is one of few in the library that can be used without a successful call to gsasl_init().

Return value: Returns a pointer to a statically allocated string containing a string version of the error code err, or NULL if the error code is not known.

Since: 0.2.29


Next: , Previous: Error Handling, Up: Top

13 Examples

This chapter contains example code which illustrates how the GNU SASL Library can be used when writing your own application.


Next: , Up: Examples

13.1 Example 1

     /* client.c --- Example SASL client.
      * Copyright (C) 2004, 2005, 2007, 2009  Simon Josefsson
      *
      * This file is part of GNU SASL.
      *
      * This program is free software: you can redistribute it and/or modify
      * it under the terms of the GNU General Public License as published by
      * the Free Software Foundation, either version 3 of the License, or
      * (at your option) any later version.
      *
      * This program is distributed in the hope that it will be useful,
      * but WITHOUT ANY WARRANTY; without even the implied warranty of
      * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      * GNU General Public License for more details.
      *
      * You should have received a copy of the GNU General Public License
      * along with this program.  If not, see <http://www.gnu.org/licenses/>.
      *
      */
     
     #include <stdarg.h>
     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>
     
     #include <gsasl.h>
     
     static void
     client_authenticate (Gsasl_session * session)
     {
       char buf[BUFSIZ] = "";
       char *p;
       int rc;
     
       /* This loop mimics a protocol where the client send data first. */
     
       do
         {
           /* Generate client output. */
           rc = gsasl_step64 (session, buf, &p);
     
           if (rc == GSASL_NEEDS_MORE || rc == GSASL_OK)
             {
               /* If sucessful, print it. */
               printf ("Output:\n%s\n", p);
               free (p);
             }
     
           if (rc == GSASL_NEEDS_MORE)
             {
               /* If the client need more data from server, get it here. */
               printf ("Input base64 encoded data from server:\n");
               fgets (buf, sizeof (buf) - 1, stdin);
               if (buf[strlen (buf) - 1] == '\n')
                 buf[strlen (buf) - 1] = '\0';
             }
         }
       while (rc == GSASL_NEEDS_MORE);
     
       printf ("\n");
     
       if (rc != GSASL_OK)
         {
           printf ("Authentication error (%d): %s\n", rc, gsasl_strerror (rc));
           return;
         }
     
       /* The client is done.  Here you would typically check if the server
          let the client in.  If not, you could try again. */
     
       printf ("If server accepted us, we're done.\n");
     }
     
     static void
     client (Gsasl * ctx)
     {
       Gsasl_session *session;
       const char *mech = "PLAIN";
       int rc;
     
       /* Create new authentication session. */
       if ((rc = gsasl_client_start (ctx, mech, &session)) != GSASL_OK)
         {
           printf ("Cannot initialize client (%d): %s\n", rc, gsasl_strerror (rc));
           return;
         }
     
       /* Set username and password in session handle.  This info will be
          lost when this session is deallocated below.  */
       gsasl_property_set (session, GSASL_AUTHID, "jas");
       gsasl_property_set (session, GSASL_PASSWORD, "secret");
     
       /* Do it. */
       client_authenticate (session);
     
       /* Cleanup. */
       gsasl_finish (session);
     }
     
     int
     main (int argc, char *argv[])
     {
       Gsasl *ctx = NULL;
       int rc;
     
       /* Initialize library. */
       if ((rc = gsasl_init (&ctx)) != GSASL_OK)
         {
           printf ("Cannot initialize libgsasl (%d): %s", rc, gsasl_strerror (rc));
           return 1;
         }
     
       /* Do it. */
       client (ctx);
     
       /* Cleanup. */
       gsasl_done (ctx);
     
       return 0;
     }


Next: , Previous: Example 1, Up: Examples

13.2 Example 2

     /* client-serverfirst.c --- Example SASL client, where server send data first.
      * Copyright (C) 2004, 2005, 2007, 2009  Simon Josefsson
      *
      * This file is part of GNU SASL.
      *
      * This program is free software: you can redistribute it and/or modify
      * it under the terms of the GNU General Public License as published by
      * the Free Software Foundation, either version 3 of the License, or
      * (at your option) any later version.
      *
      * This program is distributed in the hope that it will be useful,
      * but WITHOUT ANY WARRANTY; without even the implied warranty of
      * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      * GNU General Public License for more details.
      *
      * You should have received a copy of the GNU General Public License
      * along with this program.  If not, see <http://www.gnu.org/licenses/>.
      *
      */
     
     #include <stdarg.h>
     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>
     
     #include <gsasl.h>
     
     static void
     client_authenticate (Gsasl_session * session)
     {
       char buf[BUFSIZ] = "";
       char *p;
       int rc;
     
       /* This loop mimics a protocol where the server send data first. */
     
       do
         {
           printf ("Input base64 encoded data from server:\n");
           fgets (buf, sizeof (buf) - 1, stdin);
           if (buf[strlen (buf) - 1] == '\n')
             buf[strlen (buf) - 1] = '\0';
     
           rc = gsasl_step64 (session, buf, &p);
     
           if (rc == GSASL_NEEDS_MORE || rc == GSASL_OK)
             {
               printf ("Output:\n%s\n", p);
               free (p);
             }
         }
       while (rc == GSASL_NEEDS_MORE);
     
       printf ("\n");
     
       if (rc != GSASL_OK)
         {
           printf ("Authentication error (%d): %s\n", rc, gsasl_strerror (rc));
           return;
         }
     
       /* The client is done.  Here you would typically check if the server
          let the client in.  If not, you could try again. */
     
       printf ("If server accepted us, we're done.\n");
     }
     
     static void
     client (Gsasl * ctx)
     {
       Gsasl_session *session;
       const char *mech = "CRAM-MD5";
       int rc;
     
       /* Create new authentication session. */
       if ((rc = gsasl_client_start (ctx, mech, &session)) != GSASL_OK)
         {
           printf ("Cannot initialize client (%d): %s\n", rc, gsasl_strerror (rc));
           return;
         }
     
       /* Set username and password in session handle.  This info will be
          lost when this session is deallocated below.  */
       gsasl_property_set (session, GSASL_AUTHID, "jas");
       gsasl_property_set (session, GSASL_PASSWORD, "secret");
     
       /* Do it. */
       client_authenticate (session);
     
       /* Cleanup. */
       gsasl_finish (session);
     }
     
     int
     main (int argc, char *argv[])
     {
       Gsasl *ctx = NULL;
       int rc;
     
       /* Initialize library. */
       if ((rc = gsasl_init (&ctx)) != GSASL_OK)
         {
           printf ("Cannot initialize libgsasl (%d): %s", rc, gsasl_strerror (rc));
           return 1;
         }
     
       /* Do it. */
       client (ctx);
     
       /* Cleanup. */
       gsasl_done (ctx);
     
       return 0;
     }


Next: , Previous: Example 2, Up: Examples

13.3 Example 3

     /* client-mech.c --- Example SASL client, with a choice of mechanism to use.
      * Copyright (C) 2004, 2005, 2007, 2009  Simon Josefsson
      *
      * This file is part of GNU SASL.
      *
      * This program is free software: you can redistribute it and/or modify
      * it under the terms of the GNU General Public License as published by
      * the Free Software Foundation, either version 3 of the License, or
      * (at your option) any later version.
      *
      * This program is distributed in the hope that it will be useful,
      * but WITHOUT ANY WARRANTY; without even the implied warranty of
      * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      * GNU General Public License for more details.
      *
      * You should have received a copy of the GNU General Public License
      * along with this program.  If not, see <http://www.gnu.org/licenses/>.
      *
      */
     
     #include <stdarg.h>
     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>
     
     #include <gsasl.h>
     
     static void
     client_authenticate (Gsasl_session * session)
     {
       char buf[BUFSIZ] = "";
       char *p;
       int rc;
     
       /* This loop mimics a protocol where the server send data first. */
     
       do
         {
           printf ("Input base64 encoded data from server:\n");
           fgets (buf, sizeof (buf) - 1, stdin);
           if (buf[strlen (buf) - 1] == '\n')
             buf[strlen (buf) - 1] = '\0';
     
           rc = gsasl_step64 (session, buf, &p);
     
           if (rc == GSASL_NEEDS_MORE || rc == GSASL_OK)
             {
               printf ("Output:\n%s\n", p);
               free (p);
             }
         }
       while (rc == GSASL_NEEDS_MORE);
     
       printf ("\n");
     
       if (rc != GSASL_OK)
         {
           printf ("Authentication error (%d): %s\n", rc, gsasl_strerror (rc));
           return;
         }
     
       /* The client is done.  Here you would typically check if the server
          let the client in.  If not, you could try again. */
     
       printf ("If server accepted us, we're done.\n");
     }
     
     static const char *
     client_mechanism (Gsasl * ctx)
     {
       static char mech[GSASL_MAX_MECHANISM_SIZE + 1] = "";
       char mechlist[BUFSIZ] = "";
       const char *suggestion;
     
       printf ("Enter list of server supported mechanisms, separate by SPC:\n");
       fgets (mechlist, sizeof (mechlist) - 1, stdin);
     
       suggestion = gsasl_client_suggest_mechanism (ctx, mechlist);
       if (suggestion)
         printf ("Library suggests use of `%s'.\n", suggestion);
     
       printf ("Enter mechanism to use:\n");
       fgets (mech, sizeof (mech) - 1, stdin);
       mech[strlen (mech) - 1] = '\0';
     
       return mech;
     }
     
     static void
     client (Gsasl * ctx)
     {
       Gsasl_session *session;
       const char *mech;
       int rc;
     
       /* Find out which mechanism to use. */
       mech = client_mechanism (ctx);
     
       /* Create new authentication session. */
       if ((rc = gsasl_client_start (ctx, mech, &session)) != GSASL_OK)
         {
           printf ("Cannot initialize client (%d): %s\n", rc, gsasl_strerror (rc));
           return;
         }
     
       /* Set username and password in session handle.  This info will be
          lost when this session is deallocated below.  */
       gsasl_property_set (session, GSASL_AUTHID, "jas");
       gsasl_property_set (session, GSASL_PASSWORD, "secret");
     
       /* Do it. */
       client_authenticate (session);
     
       /* Cleanup. */
       gsasl_finish (session);
     }
     
     int
     main (int argc, char *argv[])
     {
       Gsasl *ctx = NULL;
       int rc;
     
       /* Initialize library. */
       if ((rc = gsasl_init (&ctx)) != GSASL_OK)
         {
           printf ("Cannot initialize libgsasl (%d): %s", rc, gsasl_strerror (rc));
           return 1;
         }
     
       /* Do it. */
       client (ctx);
     
       /* Cleanup. */
       gsasl_done (ctx);
     
       return 0;
     }


Previous: Example 3, Up: Examples

13.4 Example 4

     /* client-callback.c --- Example SASL client, with callback for user info.
      * Copyright (C) 2004, 2005, 2007, 2009  Simon Josefsson
      *
      * This file is part of GNU SASL.
      *
      * This program is free software: you can redistribute it and/or modify
      * it under the terms of the GNU General Public License as published by
      * the Free Software Foundation, either version 3 of the License, or
      * (at your option) any later version.
      *
      * This program is distributed in the hope that it will be useful,
      * but WITHOUT ANY WARRANTY; without even the implied warranty of
      * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      * GNU General Public License for more details.
      *
      * You should have received a copy of the GNU General Public License
      * along with this program.  If not, see <http://www.gnu.org/licenses/>.
      *
      */
     
     #include <stdarg.h>
     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>
     
     #include <gsasl.h>
     
     static void
     client_authenticate (Gsasl_session * session)
     {
       char buf[BUFSIZ] = "";
       char *p;
       int rc;
     
       /* This loop mimics a protocol where the server send data first. */
     
       do
         {
           printf ("Input base64 encoded data from server:\n");
           fgets (buf, sizeof (buf) - 1, stdin);
           if (buf[strlen (buf) - 1] == '\n')
             buf[strlen (buf) - 1] = '\0';
     
           rc = gsasl_step64 (session, buf, &p);
     
           if (rc == GSASL_NEEDS_MORE || rc == GSASL_OK)
             {
               printf ("Output:\n%s\n", p);
               free (p);
             }
         }
       while (rc == GSASL_NEEDS_MORE);
     
       printf ("\n");
     
       if (rc != GSASL_OK)
         {
           printf ("Authentication error (%d): %s\n", rc, gsasl_strerror (rc));
           return;
         }
     
       /* The client is done.  Here you would typically check if the server
          let the client in.  If not, you could try again. */
     
       printf ("If server accepted us, we're done.\n");
     }
     
     static void
     client (Gsasl * ctx)
     {
       Gsasl_session *session;
       const char *mech = "SECURID";
       int rc;
     
       /* Create new authentication session. */
       if ((rc = gsasl_client_start (ctx, mech, &session)) != GSASL_OK)
         {
           printf ("Cannot initialize client (%d): %s\n", rc, gsasl_strerror (rc));
           return;
         }
     
       /* Do it. */
       client_authenticate (session);
     
       /* Cleanup. */
       gsasl_finish (session);
     }
     
     static int
     callback (Gsasl * ctx, Gsasl_session * sctx, Gsasl_property prop)
     {
       char buf[BUFSIZ] = "";
       int rc = GSASL_NO_CALLBACK;
     
       /* Get user info from user. */
     
       printf ("Callback invoked, for property %d.\n", prop);
     
       switch (prop)
         {
         case GSASL_PASSCODE:
           printf ("Enter passcode:\n");
           fgets (buf, sizeof (buf) - 1, stdin);
           buf[strlen (buf) - 1] = '\0';
     
           gsasl_property_set (sctx, GSASL_PASSCODE, buf);
           rc = GSASL_OK;
           break;
     
         case GSASL_AUTHID:
           printf ("Enter username:\n");
           fgets (buf, sizeof (buf) - 1, stdin);
           buf[strlen (buf) - 1] = '\0';
     
           gsasl_property_set (sctx, GSASL_AUTHID, buf);
           rc = GSASL_OK;
           break;
     
         default:
           printf ("Unknown property!  Don't worry.\n");
           break;
         }
     
       return rc;
     }
     
     int
     main (int argc, char *argv[])
     {
       Gsasl *ctx = NULL;
       int rc;
     
       /* Initialize library. */
       if ((rc = gsasl_init (&ctx)) != GSASL_OK)
         {
           printf ("Cannot initialize libgsasl (%d): %s", rc, gsasl_strerror (rc));
           return 1;
         }
     
       /* Set the callback handler for the library. */
       gsasl_callback_set (ctx, callback);
     
       /* Do it. */
       client (ctx);
     
       /* Cleanup. */
       gsasl_done (ctx);
     
       return 0;
     }


Next: , Previous: Examples, Up: Top

14 Acknowledgements

The makefiles, manuals, etc borrowed much from Libgcrypt written by Werner Koch.

Cryptographic functions for some SASL mechanisms uses Libgcrypt by Werner Koch et al. The NTLM mechanism uses Libntlm by Grant Edwards et al, using code from Samba written by Andrew Tridgell, and now maintained by Simon Josefsson. The KERBEROS_V5 mechanism uses Shishi by Simon Josefsson. The GSSAPI and GS2-KRB5 mechanism uses a GSS-API implementation, such as GNU GSS by Simon Josefsson.

Gnulib is used to simplify portability.

This manual borrows text from the SASL specification.


Next: , Previous: Acknowledgements, Up: Top

15 Invoking gsasl

Name

GNU SASL (gsasl) – Command line interface to libgsasl.

Description

gsasl is the main program of GNU SASL.

This section only lists the commands and options available.

Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.

Commands

gsasl recognizes these commands:

  -c, --client               Act as client (the default).
      --client-mechanisms    Write name of supported client mechanisms
                             separated by space to stdout.
  -s, --server               Act as server.
      --server-mechanisms    Write name of supported server mechanisms
                             separated by space to stdout.

Network Options

Normally the SASL negotiation is performed on the terminal, with reading from stdin and writing to stdout. It is also possible to perform the negotiation with a server over a TCP network connection.

      --connect=HOSTNAME[:SERVICE]
                             Connect to TCP server and negotiate on stream
                             instead of stdin/stdout. SERVICE is the protocol
                             service, or an integer denoting the port, and
                             defaults to 143 (imap) if not specified. Also sets
                             the --hostname default.

Miscellaneous Options:

These parameters affect overall behaviour.

  -d, --application-data     After authentication, read data from stdin and run
                             it through the mechanism's security layer and
                             print it base64 encoded to stdout. The default is
                             to terminate after authentication.
      --imap                 Use a IMAP-like logon procedure (client only).
                             Also sets the --service default to "imap".
  -m, --mechanism=STRING     Mechanism to use.
      --no-client-first      Disallow client to send data first (client only).

SASL Mechanism Options

These options modify the behaviour of the callbacks (see Callback Functions) in the library. The default is to query the user on the terminal.

  -n, --anonymous-token=STRING    Token for anonymous authentication, usually
                                  mail address (ANONYMOUS only).
  -a, --authentication-id=STRING  Identity of credential owner.
  -z, --authorization-id=STRING   Identity to request service for.
      --disable-cleartext-validate
                             Disable cleartext validate hook, forcing server to
                             prompt for password.
      --enable-cram-md5-validate  Validate CRAM-MD5 challenge and response
                                  interactively.
      --hostname=STRING      Set the name of the server with the requested
                             service.
  -p, --password=STRING      Password for authentication (insecure for
                             non-testing purposes).
      --passcode=NUMBER      Passcode for authentication (SECURID only).
      --quality-of-protection=<qop-auth | qop-int | qop-conf>
                             How application payload will be protected.
                             "qop-auth" means no protection,
                             "qop-int" means integrity protection,
                             "qop-conf" means confidentiality.
                             Currently only used by DIGEST-MD5, where the
                             default is "qop-int".
  -r, --realm=STRING         Realm. Defaults to hostname.
      --service=STRING       Set the requested service name (should be a
                             registered GSSAPI host based service name).
      --service-name=STRING  Set the generic server name in case of a
                             replicated server (DIGEST-MD5 only).
  -x, --maxbuf=NUMBER        Indicate maximum buffer size (DIGEST-MD5 only).

STARTTLS options

      --starttls                Force use of STARTTLS.  The default is to use
                                  STARTTLS when available.  (default=off)
      --no-starttls             Unconditionally disable STARTTLS.
                                  (default=off)
      --x509-ca-file=FILE       File containing one or more X.509 Certificate
                                  Authorities certificates in PEM format, used
                                  to verify the certificate received from the
                                  server.  If not specified, no verification of
                                  the remote server certificate will be done.
      --x509-cert-file=FILE     File containing client X.509 certificate in PEM
                                  format.  Used together with --x509-key-file
                                  to specify the certificate/key pair.
      --x509-key-file=FILE      Private key for the client X.509 certificate in
                                  PEM format.  Used together with
                                  --x509-key-file to specify the
                                  certificate/key pair.
      --priority                Cipher priority string.

Other Options

These are some standard parameters.

  -q, --quiet, --silent      Don't produce any diagnostic output.
  -v, --verbose              Produce verbose output.

  -?, --help                 Give this help list
      --usage                Give a short usage message
  -V, --version              Print program version


Next: , Previous: Invoking gsasl, Up: Top

Appendix A Protocol Clarifications

This appendix contains clarifications to various SASL specification that we felt were necessary to include, if for nothing else it may serve as a guide for other implementers that worry about the same issues.


Next: , Up: Protocol Clarifications

A.1 Use of SASLprep in CRAM-MD5

The specification, as of draft-ietf-sasl-crammd5-04.txt, is silent on whether a SASL server implementation applying SASLprep on a password received from an external, non-SASL specific database (i.e., the passwords are not stored in SASLprep form in the database), should set or clear the AllowUnassigned bit. The motivation for the AU-bit in StringPrep/SASLprep is for stored vs query strings. It could be argued that in this situation the server can treat the external password either as a stored string (from a database) or as a query (the server uses the string as a query into the fixed HMAC-MD5 hash).

The specification is also unclear on whether clients should set or clear the AllowUnassigned flag.

In the server, GNU SASL applies SASLprep to the password with the AllowUnassigned bit cleared.


Previous: Use of SASLprep in CRAM-MD5, Up: Protocol Clarifications

A.2 Use of SASLprep in LOGIN

The non-standard mechanism LOGIN presumably does not support non-ASCII. We suggest that the client should send unprepared UTF-8 and that the server apply SASLprep with the AllowUnassigned bit cleared on the received username and password.


Next: , Previous: Protocol Clarifications, Up: Top

Appendix B Old Functions

As GNU SASL is still under heavy development, some API functions have been found to be less useful. Those old API functions will be supported during a transition period. Refer to the NEWS file to find out since when a function has been deprecated.

gsasl_client_listmech

— Function: int gsasl_client_listmech (Gsasl * ctx, char * out, size_t * outlen)

ctx: libgsasl handle.

out: output character array.

outlen: input maximum size of output character array, on output contains actual length of output array.

Write SASL names, separated by space, of mechanisms supported by the libgsasl client to the output array. To find out how large the output array must be, call this function with a NULL out parameter.

Return value: Returns GSASL_OK if successful, or error code.

Deprecated: Use gsasl_client_mechlist() instead.

gsasl_server_listmech

— Function: int gsasl_server_listmech (Gsasl * ctx, char * out, size_t * outlen)

ctx: libgsasl handle.

out: output character array.

outlen: input maximum size of output character array, on output contains actual length of output array.

Write SASL names, separated by space, of mechanisms supported by the libgsasl server to the output array. To find out how large the output array must be, call this function with a NULL out parameter.

Return value: Returns GSASL_OK if successful, or error code.

Deprecated: Use gsasl_server_mechlist() instead.

gsasl_client_step

— Function: int gsasl_client_step (Gsasl_session * sctx, const char * input, size_t input_len, char * output, size_t * output_len)

sctx: libgsasl client handle.

input: input byte array.

input_len: size of input byte array.

output: output byte array.

output_len: size of output byte array.

Perform one step of SASL authentication in client. This reads data from server (specified with input and input_len), processes it (potentially invoking callbacks to the application), and writes data to server (into variables output and output_len).

The contents of the output buffer is unspecified if this functions returns anything other than GSASL_NEEDS_MORE.

Return value: Returns GSASL_OK if authenticated terminated successfully, GSASL_NEEDS_MORE if more data is needed, or error code.

Deprecated: Use gsasl_step() instead.

gsasl_server_step

— Function: int gsasl_server_step (Gsasl_session * sctx, const char * input, size_t input_len, char * output, size_t * output_len)

sctx: libgsasl server handle.

input: input byte array.

input_len: size of input byte array.

output: output byte array.

output_len: size of output byte array.

Perform one step of SASL authentication in server. This reads data from client (specified with input and input_len), processes it (potentially invoking callbacks to the application), and writes data to client (into variables output and output_len).

The contents of the output buffer is unspecified if this functions returns anything other than GSASL_NEEDS_MORE.

Return value: Returns GSASL_OK if authenticated terminated successfully, GSASL_NEEDS_MORE if more data is needed, or error code.

Deprecated: Use gsasl_step() instead.

gsasl_client_step_base64

— Function: int gsasl_client_step_base64 (Gsasl_session * sctx, const char * b64input, char * b64output, size_t b64output_len)

sctx: libgsasl client handle.

b64input: input base64 encoded byte array.

b64output: output base64 encoded byte array.

b64output_len: size of output base64 encoded byte array.

This is a simple wrapper around gsasl_client_step() that base64 decodes the input and base64 encodes the output.

Return value: See gsasl_client_step().

Deprecated: Use gsasl_step64() instead.

gsasl_server_step_base64

— Function: int gsasl_server_step_base64 (Gsasl_session * sctx, const char * b64input, char * b64output, size_t b64output_len)

sctx: libgsasl server handle.

b64input: input base64 encoded byte array.

b64output: output base64 encoded byte array.

b64output_len: size of output base64 encoded byte array.

This is a simple wrapper around gsasl_server_step() that base64 decodes the input and base64 encodes the output.

Return value: See gsasl_server_step().

Deprecated: Use gsasl_step64() instead.

gsasl_client_finish

— Function: void gsasl_client_finish (Gsasl_session * sctx)

sctx: libgsasl client handle.

Destroy a libgsasl client handle. The handle must not be used with other libgsasl functions after this call.

Deprecated: Use gsasl_finish() instead.

gsasl_server_finish

— Function: void gsasl_server_finish (Gsasl_session * sctx)

sctx: libgsasl server handle.

Destroy a libgsasl server handle. The handle must not be used with other libgsasl functions after this call.

Deprecated: Use gsasl_finish() instead.

gsasl_client_ctx_get

— Function: Gsasl * gsasl_client_ctx_get (Gsasl_session * sctx)

sctx: libgsasl client handle

Get the libgsasl handle given a libgsasl client handle.

Return value: Returns the libgsasl handle given a libgsasl client handle.

Deprecated: This function is not useful with the new 0.2.0 API.

gsasl_client_application_data_set

— Function: void gsasl_client_application_data_set (Gsasl_session * sctx, void * application_data)

sctx: libgsasl client handle.

application_data: opaque pointer to application specific data.

Store application specific data in the libgsasl client handle. The application data can be later (for instance, inside a callback) be retrieved by calling gsasl_client_application_data_get(). It is normally used by the application to maintain state between the main program and the callback.

Deprecated: Use gsasl_callback_hook_set() or gsasl_session_hook_set() instead.

gsasl_client_application_data_get

— Function: void * gsasl_client_application_data_get (Gsasl_session * sctx)

sctx: libgsasl client handle.

Retrieve application specific data from libgsasl client handle. The application data is set using gsasl_client_application_data_set(). It is normally used by the application to maintain state between the main program and the callback.

Return value: Returns the application specific data, or NULL.

Deprecated: Use gsasl_callback_hook_get() or gsasl_session_hook_get() instead.

gsasl_server_ctx_get

— Function: Gsasl * gsasl_server_ctx_get (Gsasl_session * sctx)

sctx: libgsasl server handle

Get the libgsasl handle given a libgsasl server handle.

Return value: Returns the libgsasl handle given a libgsasl server handle.

Deprecated: This function is not useful with the new 0.2.0 API.

gsasl_server_application_data_set

— Function: void gsasl_server_application_data_set (Gsasl_session * sctx, void * application_data)

sctx: libgsasl server handle.

application_data: opaque pointer to application specific data.

Store application specific data in the libgsasl server handle. The application data can be later (for instance, inside a callback) be retrieved by calling gsasl_server_application_data_get(). It is normally used by the application to maintain state between the main program and the callback.

Deprecated: Use gsasl_callback_hook_set() or gsasl_session_hook_set() instead.

gsasl_server_application_data_get

— Function: void * gsasl_server_application_data_get (Gsasl_session * sctx)

sctx: libgsasl server handle.

Retrieve application specific data from libgsasl server handle. The application data is set using gsasl_server_application_data_set(). It is normally used by the application to maintain state between the main program and the callback.

Return value: Returns the application specific data, or NULL.

Deprecated: Use gsasl_callback_hook_get() or gsasl_session_hook_get() instead.

gsasl_randomize

— Function: int gsasl_randomize (int strong, char * data, size_t datalen)

strong: 0 iff operation should not block, non-0 for very strong randomness.

data: output array to be filled with random data.

datalen: size of output array.

Store cryptographically random data of given size in the provided buffer.

Return value: Returns GSASL_OK iff successful.

Deprecated: Use gsasl_random() or gsasl_nonce() instead.

gsasl_ctx_get

— Function: Gsasl * gsasl_ctx_get (Gsasl_session * sctx)

sctx: libgsasl session handle

Get the libgsasl handle given a libgsasl session handle.

Return value: Returns the libgsasl handle given a libgsasl session handle.

Deprecated: This function is not useful with the new 0.2.0 API.

gsasl_encode_inline

— Function: int gsasl_encode_inline (Gsasl_session * sctx, const char * input, size_t input_len, char * output, size_t * output_len)

sctx: libgsasl session handle.

input: input byte array.

input_len: size of input byte array.

output: output byte array.

output_len: size of output byte array.

Encode data according to negotiated SASL mechanism. This might mean that data is integrity or privacy protected.

Return value: Returns GSASL_OK if encoding was successful, otherwise an error code.

Deprecated: Use gsasl_encode() instead.

Since: 0.2.0

gsasl_decode_inline

— Function: int gsasl_decode_inline (Gsasl_session * sctx, const char * input, size_t input_len, char * output, size_t * output_len)

sctx: libgsasl session handle.

input: input byte array.

input_len: size of input byte array.

output: output byte array.

output_len: size of output byte array.

Decode data according to negotiated SASL mechanism. This might mean that data is integrity or privacy protected.

Return value: Returns GSASL_OK if encoding was successful, otherwise an error code.

Deprecated: Use gsasl_decode() instead.

Since: 0.2.0

gsasl_application_data_set

— Function: void gsasl_application_data_set (Gsasl * ctx, void * appdata)

ctx: libgsasl handle.

appdata: opaque pointer to application specific data.

Store application specific data in the libgsasl handle. The application data can be later (for instance, inside a callback) be retrieved by calling gsasl_application_data_get(). It is normally used by the application to maintain state between the main program and the callback.

Deprecated: Use gsasl_callback_hook_set() instead.

gsasl_application_data_get

— Function: void * gsasl_application_data_get (Gsasl * ctx)

ctx: libgsasl handle.

Retrieve application specific data from libgsasl handle. The application data is set using gsasl_application_data_set(). It is normally used by the application to maintain state between the main program and the callback.

Return value: Returns the application specific data, or NULL.

Deprecated: Use gsasl_callback_hook_get() instead.

gsasl_appinfo_set

— Function: void gsasl_appinfo_set (Gsasl_session * sctx, void * appdata)

sctx: libgsasl session handle.

appdata: opaque pointer to application specific data.

Store application specific data in the libgsasl session handle. The application data can be later (for instance, inside a callback) be retrieved by calling gsasl_appinfo_get(). It is normally used by the application to maintain state between the main program and the callback.

Deprecated: Use gsasl_callback_hook_set() instead.

gsasl_appinfo_get

— Function: void * gsasl_appinfo_get (Gsasl_session * sctx)

sctx: libgsasl session handle.

Retrieve application specific data from libgsasl session handle. The application data is set using gsasl_appinfo_set(). It is normally used by the application to maintain state between the main program and the callback.

Return value: Returns the application specific data, or NULL.

Deprecated: Use gsasl_callback_hook_get() instead.

gsasl_server_suggest_mechanism

— Function: const char * gsasl_server_suggest_mechanism (Gsasl * ctx, const char * mechlist)

ctx: libgsasl handle.

mechlist: input character array with SASL mechanism names, separated by invalid characters (e.g. SPC).

Get name of "best" SASL mechanism supported by the libgsasl server which is present in the input string.

Return value: Returns name of "best" SASL mechanism supported by the libgsasl server which is present in the input string.

Deprecated: This function was never useful, since it is the client that chose which mechanism to use.

gsasl_client_callback_authentication_id_set

— Function: void gsasl_client_callback_authentication_id_set (Gsasl * ctx, Gsasl_client_callback_authentication_id cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the client to set the authentication identity. The function can be later retrieved using gsasl_client_callback_authentication_id_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_authentication_id_get

— Function: Gsasl_client_callback_authentication_id gsasl_client_callback_authentication_id_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_client_callback_authentication_id_set().

Return value: Returns the callback earlier set by calling gsasl_client_callback_authentication_id_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_authorization_id_set

— Function: void gsasl_client_callback_authorization_id_set (Gsasl * ctx, Gsasl_client_callback_authorization_id cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the client to set the authorization identity. The function can be later retrieved using gsasl_client_callback_authorization_id_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_authorization_id_get

— Function: Gsasl_client_callback_authorization_id gsasl_client_callback_authorization_id_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_client_callback_authorization_id_set().

Return value: Returns the callback earlier set by calling gsasl_client_callback_authorization_id_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_password_set

— Function: void gsasl_client_callback_password_set (Gsasl * ctx, Gsasl_client_callback_password cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the client to set the password. The function can be later retrieved using gsasl_client_callback_password_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_password_get

— Function: Gsasl_client_callback_password gsasl_client_callback_password_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_client_callback_password_set().

Return value: Returns the callback earlier set by calling gsasl_client_callback_password_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_passcode_set

— Function: void gsasl_client_callback_passcode_set (Gsasl * ctx, Gsasl_client_callback_passcode cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the client to set the passcode. The function can be later retrieved using gsasl_client_callback_passcode_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_passcode_get

— Function: Gsasl_client_callback_passcode gsasl_client_callback_passcode_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_client_callback_passcode_set().

Return value: Returns the callback earlier set by calling gsasl_client_callback_passcode_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_pin_set

— Function: void gsasl_client_callback_pin_set (Gsasl * ctx, Gsasl_client_callback_pin cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the client to chose a new pin, possibly suggested by the server, for the SECURID mechanism. This is not normally invoked, but only when the server requests it. The function can be later retrieved using gsasl_client_callback_pin_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_pin_get

— Function: Gsasl_client_callback_pin gsasl_client_callback_pin_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_client_callback_pin_set().

Return value: Returns the callback earlier set by calling gsasl_client_callback_pin_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_service_set

— Function: void gsasl_client_callback_service_set (Gsasl * ctx, Gsasl_client_callback_service cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the client to set the name of the service. The service buffer should be a registered GSSAPI host-based service name, hostname the name of the server. Servicename is used by DIGEST-MD5 and should be the name of generic server in case of a replicated service. The function can be later retrieved using gsasl_client_callback_service_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_service_get

— Function: Gsasl_client_callback_service gsasl_client_callback_service_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_client_callback_service_set().

Return value: Returns the callback earlier set by calling gsasl_client_callback_service_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_anonymous_set

— Function: void gsasl_client_callback_anonymous_set (Gsasl * ctx, Gsasl_client_callback_anonymous cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the client to set the anonymous token, which usually is the users email address. The function can be later retrieved using gsasl_client_callback_anonymous_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_anonymous_get

— Function: Gsasl_client_callback_anonymous gsasl_client_callback_anonymous_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_client_callback_anonymous_set().

Return value: Returns the callback earlier set by calling gsasl_client_callback_anonymous_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_qop_set

— Function: void gsasl_client_callback_qop_set (Gsasl * ctx, Gsasl_client_callback_qop cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the client to determine the qop to use after looking at what the server offered. The function can be later retrieved using gsasl_client_callback_qop_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_qop_get

— Function: Gsasl_client_callback_qop gsasl_client_callback_qop_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_client_callback_qop_set().

Return value: Returns the callback earlier set by calling gsasl_client_callback_qop_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_maxbuf_set

— Function: void gsasl_client_callback_maxbuf_set (Gsasl * ctx, Gsasl_client_callback_maxbuf cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the client to inform the server of the largest buffer the client is able to receive when using the DIGEST-MD5 "auth-int" or "auth-conf" Quality of Protection (qop). If this directive is missing, the default value 65536 will be assumed. The function can be later retrieved using gsasl_client_callback_maxbuf_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_maxbuf_get

— Function: Gsasl_client_callback_maxbuf gsasl_client_callback_maxbuf_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_client_callback_maxbuf_set().

Return value: Returns the callback earlier set by calling gsasl_client_callback_maxbuf_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_realm_set

— Function: void gsasl_client_callback_realm_set (Gsasl * ctx, Gsasl_client_callback_realm cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the client to know which realm it belongs to. The realm is used by the server to determine which username and password to use. The function can be later retrieved using gsasl_client_callback_realm_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_client_callback_realm_get

— Function: Gsasl_client_callback_realm gsasl_client_callback_realm_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_client_callback_realm_set().

Return value: Returns the callback earlier set by calling gsasl_client_callback_realm_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_validate_set

— Function: void gsasl_server_callback_validate_set (Gsasl * ctx, Gsasl_server_callback_validate cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the server for deciding if user is authenticated using authentication identity, authorization identity and password. The function can be later retrieved using gsasl_server_callback_validate_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_validate_get

— Function: Gsasl_server_callback_validate gsasl_server_callback_validate_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_server_callback_validate_set().

Return value: Returns the callback earlier set by calling gsasl_server_callback_validate_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_retrieve_set

— Function: void gsasl_server_callback_retrieve_set (Gsasl * ctx, Gsasl_server_callback_retrieve cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the server for deciding if user is authenticated using authentication identity, authorization identity and password. The function can be later retrieved using gsasl_server_callback_retrieve_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_retrieve_get

— Function: Gsasl_server_callback_retrieve gsasl_server_callback_retrieve_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_server_callback_retrieve_set().

Return value: Returns the callback earlier set by calling gsasl_server_callback_retrieve_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_cram_md5_set

— Function: void gsasl_server_callback_cram_md5_set (Gsasl * ctx, Gsasl_server_callback_cram_md5 cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the server for deciding if user is authenticated using CRAM-MD5 challenge and response. The function can be later retrieved using gsasl_server_callback_cram_md5_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_cram_md5_get

— Function: Gsasl_server_callback_cram_md5 gsasl_server_callback_cram_md5_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_server_callback_cram_md5_set().

Return value: Returns the callback earlier set by calling gsasl_server_callback_cram_md5_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_digest_md5_set

— Function: void gsasl_server_callback_digest_md5_set (Gsasl * ctx, Gsasl_server_callback_digest_md5 cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the server for retrieving the secret hash of the username, realm and password for use in the DIGEST-MD5 mechanism. The function can be later retrieved using gsasl_server_callback_digest_md5_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_digest_md5_get

— Function: Gsasl_server_callback_digest_md5 gsasl_server_callback_digest_md5_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_server_callback_digest_md5_set().

Return value: Return the callback earlier set by calling gsasl_server_callback_digest_md5_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_external_set

— Function: void gsasl_server_callback_external_set (Gsasl * ctx, Gsasl_server_callback_external cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the server for deciding if user is authenticated out of band. The function can be later retrieved using gsasl_server_callback_external_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_external_get

— Function: Gsasl_server_callback_external gsasl_server_callback_external_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_server_callback_external_set().

Return value: Returns the callback earlier set by calling gsasl_server_callback_external_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_anonymous_set

— Function: void gsasl_server_callback_anonymous_set (Gsasl * ctx, Gsasl_server_callback_anonymous cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the server for deciding if user is permitted anonymous access. The function can be later retrieved using gsasl_server_callback_anonymous_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_anonymous_get

— Function: Gsasl_server_callback_anonymous gsasl_server_callback_anonymous_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_server_callback_anonymous_set().

Return value: Returns the callback earlier set by calling gsasl_server_callback_anonymous_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_realm_set

— Function: void gsasl_server_callback_realm_set (Gsasl * ctx, Gsasl_server_callback_realm cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the server to know which realm it serves. The realm is used by the user to determine which username and password to use. The function can be later retrieved using gsasl_server_callback_realm_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_realm_get

— Function: Gsasl_server_callback_realm gsasl_server_callback_realm_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_server_callback_realm_set().

Return value: Returns the callback earlier set by calling gsasl_server_callback_realm_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_qop_set

— Function: void gsasl_server_callback_qop_set (Gsasl * ctx, Gsasl_server_callback_qop cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the server to know which quality of protection it accepts. The quality of protection eventually used is selected by the client though. It is currently used by the DIGEST-MD5 mechanism. The function can be later retrieved using gsasl_server_callback_qop_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_qop_get

— Function: Gsasl_server_callback_qop gsasl_server_callback_qop_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_server_callback_qop_set().

Return value: Returns the callback earlier set by calling gsasl_server_callback_qop_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_maxbuf_set

— Function: void gsasl_server_callback_maxbuf_set (Gsasl * ctx, Gsasl_server_callback_maxbuf cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the server to inform the client of the largest buffer the server is able to receive when using the DIGEST-MD5 "auth-int" or "auth-conf" Quality of Protection (qop). If this directive is missing, the default value 65536 will be assumed. The function can be later retrieved using gsasl_server_callback_maxbuf_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_maxbuf_get

— Function: Gsasl_server_callback_maxbuf gsasl_server_callback_maxbuf_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_server_callback_maxbuf_set().

Return value: Returns the callback earlier set by calling gsasl_server_callback_maxbuf_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_cipher_set

— Function: void gsasl_server_callback_cipher_set (Gsasl * ctx, Gsasl_server_callback_cipher cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the server to inform the client of the cipher suites supported. The DES and 3DES ciphers must be supported for interoperability. It is currently used by the DIGEST-MD5 mechanism. The function can be later retrieved using gsasl_server_callback_cipher_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_cipher_get

— Function: Gsasl_server_callback_cipher gsasl_server_callback_cipher_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_server_callback_cipher_set().

Return value: Returns the callback earlier set by calling gsasl_server_callback_cipher_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_securid_set

— Function: void gsasl_server_callback_securid_set (Gsasl * ctx, Gsasl_server_callback_securid cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the server for validating a user via the SECURID mechanism. The function should return GSASL_OK if user authenticated successfully, GSASL_SECURID_SERVER_NEED_ADDITIONAL_PASSCODE if it wants another passcode, GSASL_SECURID_SERVER_NEED_NEW_PIN if it wants a PIN change, or an error. When (and only when) GSASL_SECURID_SERVER_NEED_NEW_PIN is returned, suggestpin can be populated with a PIN code the server suggests, and suggestpinlen set to the length of the PIN. The function can be later retrieved using gsasl_server_callback_securid_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_securid_get

— Function: Gsasl_server_callback_securid gsasl_server_callback_securid_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_server_callback_securid_set().

Return value: Returns the callback earlier set by calling gsasl_server_callback_securid_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_gssapi_set

— Function: void gsasl_server_callback_gssapi_set (Gsasl * ctx, Gsasl_server_callback_gssapi cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the server for checking if a GSSAPI user is authorized for username (by, e.g., calling krb5_userok()). The function should return GSASL_OK if the user should be permitted access, or an error code such as GSASL_AUTHENTICATION_ERROR on failure. The function can be later retrieved using gsasl_server_callback_gssapi_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_gssapi_get

— Function: Gsasl_server_callback_gssapi gsasl_server_callback_gssapi_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_server_callback_gssapi_set().

Return value: Returns the callback earlier set by calling gsasl_server_callback_gssapi_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_service_set

— Function: void gsasl_server_callback_service_set (Gsasl * ctx, Gsasl_server_callback_service cb)

ctx: libgsasl handle.

cb: callback function

Specify the callback function to use in the server to set the name of the service. The service buffer should be a registered GSSAPI host-based service name, hostname the name of the server. The function can be later retrieved using gsasl_server_callback_service_get().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_server_callback_service_get

— Function: Gsasl_server_callback_service gsasl_server_callback_service_get (Gsasl * ctx)

ctx: libgsasl handle.

Get the callback earlier set by calling gsasl_server_callback_service_set().

Return value: Returns the callback earlier set by calling gsasl_server_callback_service_set().

Deprecated: This function is part of the old callback interface. The new interface uses gsasl_callback_set() to set the application callback, and uses gsasl_callback() or gsasl_property_get() to invoke the callback for certain properties.

gsasl_stringprep_nfkc

— Function: char * gsasl_stringprep_nfkc (const char * in, ssize_t len)

in: a UTF-8 encoded string.

len: length of str, in bytes, or -1 if str is nul-terminated.

Converts a string into canonical form, standardizing such issues as whether a character with an accent is represented as a base character and combining accent or as a single precomposed character.

The normalization mode is NFKC (ALL COMPOSE). It standardizes differences that do not affect the text content, such as the above-mentioned accent representation. It standardizes the "compatibility" characters in Unicode, such as SUPERSCRIPT THREE to the standard forms (in this case DIGIT THREE). Formatting information may be lost but for most text operations such characters should be considered the same. It returns a result with composed forms rather than a maximally decomposed form.

Return value: Return a newly allocated string, that is the NFKC normalized form of str, o NULL on error.

Deprecated: No replacement functionality in GNU SASL, use GNU Libidn instead. Note that in SASL, you most likely want to use SASLprep and not bare NFKC, see gsasl_saslprep().

gsasl_stringprep_saslprep

— Function: char * gsasl_stringprep_saslprep (const char * in, int * stringprep_rc)

in: input ASCII or UTF-8 string with data to prepare according to SASLprep.

stringprep_rc: pointer to output variable with stringprep error code, or NULL to indicate that you don't care about it.

Process a Unicode string for comparison, according to the "SASLprep" stringprep profile. This function is intended to be used by Simple Authentication and Security Layer (SASL) mechanisms (such as PLAIN, CRAM-MD5, and DIGEST-MD5) as well as other protocols exchanging user names and/or passwords.

Return value: Return a newly allocated string that is the "SASLprep" processed form of the input string, or NULL on error, in which case stringprep_rc contain the stringprep library error code.

Deprecated: Use gsasl_saslprep() instead.

gsasl_stringprep_trace

— Function: char * gsasl_stringprep_trace (const char * in, int * stringprep_rc)

in: input ASCII or UTF-8 string with data to prepare according to "trace".

stringprep_rc: pointer to output variable with stringprep error code, or NULL to indicate that you don't care about it.

Process a Unicode string for use as trace information, according to the "trace" stringprep profile. The profile is designed for use with the SASL ANONYMOUS Mechanism.

Return value: Return a newly allocated string that is the "trace" processed form of the input string, or NULL on error, in which case stringprep_rc contain the stringprep library error code.

Deprecated: No replacement functionality in GNU SASL, use GNU Libidn instead.

gsasl_md5pwd_get_password

— Function: int gsasl_md5pwd_get_password (const char * filename, const char * username, char * key, size_t * keylen)

filename: filename of file containing passwords.

username: username string.

key: output character array.

keylen: input maximum size of output character array, on output contains actual length of output array.

Retrieve password for user from specified file. To find out how large the output array must be, call this function with out=NULL.

The file should be on the UoW "MD5 Based Authentication" format, which means it is in text format with comments denoted by # first on the line, with user entries looking as "usernameTABpassword". This function removes CR and LF at the end of lines before processing. TAB, CR, and LF denote ASCII values 9, 13, and 10, respectively.

Return value: Return GSASL_OK if output buffer contains the password, GSASL_AUTHENTICATION_ERROR if the user could not be found, or other error code.

Deprecated: Use gsasl_simple_getpass() instead.

gsasl_base64_encode

— Function: int gsasl_base64_encode (char const * src, size_t srclength, char * target, size_t targsize)

src: input byte array

srclength: size of input byte array

target: output byte array

targsize: size of output byte array

Encode data as base64. Converts characters, three at a time, starting at src into four base64 characters in the target area until the entire input buffer is encoded.

Return value: Returns the number of data bytes stored at the target, or -1 on error.

Deprecated: Use gsasl_base64_to() instead.

gsasl_base64_decode

— Function: int gsasl_base64_decode (char const * src, char * target, size_t targsize)

src: input byte array

target: output byte array

targsize: size of output byte array

Decode Base64 data. Skips all whitespace anywhere. Converts characters, four at a time, starting at (or after) src from Base64 numbers into three 8 bit bytes in the target area.

Return value: Returns the number of data bytes stored at the target, or -1 on error.

Deprecated: Use gsasl_base64_from() instead.

B.1 Obsolete callback function prototypes

— Prototype: int (*Gsasl_client_callback_anonymous) (Gsasl_session_ctx * ctx, char * out, size_t * outlen)

ctx: libgsasl handle.

out: output array with client token.

outlen: on input the maximum size of the output array, on output contains the actual size of the output array.

Type of callback function the application implements. It should populate the output array with some input from the user and set the output array length, and return GSASL_OK, or fail with an error code.

If OUT is NULL, the function should only populate the output length field with the length, and return GSASL_OK. This usage may be used by the caller to allocate the proper buffer size.

— Prototype: int (*Gsasl_server_callback_anonymous) (Gsasl_session_ctx * ctx, const char * token)

ctx: libgsasl handle.

ctx: output array with client token.

ctx: on input the maximum size of the output array, on output contains the actual size of the output array. If OUT is

Type of callback function the application implements. It should return GSASL_OK if user should be permitted anonymous access, otherwise GSASL_AUTHENTICATION_ERROR.

— Prototype: int (*Gsasl_client_callback_authentication_id) (Gsasl_session_ctx * ctx, char * out, size_t * outlen)

ctx: libgsasl handle.

out: output array with authentication identity.

outlen: on input the maximum size of the output array, on output contains the actual size of the output array.

Type of callback function the application implements. It should populate the output array with authentiction identity of user and set the output array length, and return GSASL_OK, or fail with an error code. The authentication identity must be encoded in UTF-8, but need not be normalized in any way.

If OUT is NULL, the function should only populate the output length field with the length, and return GSASL_OK. This usage may be used by the caller to allocate the proper buffer size.

— Prototype: int (*Gsasl_client_callback_authorization_id) (Gsasl_session_ctx * ctx, char * out, size_t * outlen)

ctx: libgsasl handle.

out: output array with authorization identity.

outlen: on input the maximum size of the output array, on output contains the actual size of the output array.

Type of callback function the application implements. It should populate the output array with authorization identity of user and set the output array length, and return GSASL_OK, or fail with an error code. The authorization identity must be encoded in UTF-8, but need not be normalized in any way.

If OUT is NULL, the function should only populate the output length field with the length, and return GSASL_OK. This usage may be used by the caller to allocate the proper buffer size.

— Prototype: int (*Gsasl_client_callback_service) (Gsasl_session_ctx * ctx, char * service, size_t * servicelen, char * hostname, size_t * hostnamelen, char * servicename, size_t * servicenamelen)

ctx: libgsasl handle.

service: output array with name of service.

servicelen: on input the maximum size of the service output array, on output contains the actual size of the service output array.

hostname: output array with hostname of server.

hostnamelen: on input the maximum size of the hostname output array, on output contains the actual size of the hostname output array.

servicename: output array with generic name of server in case of replication (DIGEST-MD5 only).

servicenamelen: on input the maximum size of the servicename output array, on output contains the actual size of the servicename output array.

Type of callback function the application implements. It should retrieve the service (which should be a registered GSSAPI host based service name, such as “imap”) on the server, hostname of server (usually canoncial DNS hostname) and optionally generic service name of server in case of replication (e.g. “mail.example.org” when the hostname is “mx42.example.org”, see the RFC 2831 for more information). It should return GSASL_OK, or an error such as GSASL_AUTHENTICATION_ERROR if it fails.

If SERVICE, HOSTNAME or SERVICENAME is NULL, the function should only populate SERVICELEN, HOSTNAMELEN or SERVICENAMELEN with the output length of the respective field, and return GSASL_OK. This usage may be used by the caller to allocate the proper buffer size. Furthermore, SERVICENAMELEN may also be NULL, indicating that the mechanism is not interested in this field.

— Prototype: int (*Gsasl_server_callback_cram_md5) (Gsasl_session_ctx * ctx, char * username, char * challenge, char * response)

ctx: libgsasl handle.

username: input array with username.

challenge: input array with CRAM-MD5 challenge.

response: input array with CRAM-MD5 response.

Type of callback function the application implements. It should return GSASL_OK if and only if the validation of the provided credential was succesful. GSASL_AUTHENTICATION_ERROR is a good failure if authentication failed, but any available return code may be used.

— Prototype: int (*Gsasl_server_callback_digest_md5) (Gsasl_session_ctx * ctx, char * username, char * realm, char * secrethash)

ctx: libgsasl handle.

username: input array with authentication identity of user.

realm: input array with realm of user.

secrethash: output array that should contain hash of username, realm and password as described for the DIGEST-MD5 mechanism.

Type of callback function the application implements. It should retrieve the secret hash for the given user in given realm and return GSASL_OK, or an error such as GSASL_AUTHENTICATION_ERROR if it fails. The secrethash buffer is guaranteed to have size for the fixed length MD5 hash.

— Prototype: int (*Gsasl_server_callback_external) (Gsasl_session_ctx * ctx)

ctx: libgsasl handle.

Type of callback function the application implements. It should return GSASL_OK if user is authenticated by out of band means, otherwise GSASL_AUTHENTICATION_ERROR.

— Prototype: int (*Gsasl_server_callback_gssapi) (Gsasl_session_ctx * ctx, char * clientname, char * authentication_id)

ctx: libgsasl handle.

clientname: input array with GSSAPI client name.

authentication_id: input array with authentication identity.

Type of callback function the application implements. It should return GSASL_OK if and only if the GSSAPI user is authorized to log on as the given authentication_id. GSASL_AUTHENTICATION_ERROR is a good failure if authentication failed, but any available return code may be used. This callback is usually implemented in the application as a call to krb5_kuserok(), such as:

          int
          callback_gssapi (Gsasl_session_ctx *ctx,
          		 char *clientname,
          		 char *authentication_id)
          {
            int rc = GSASL_AUTHENTICATION_ERROR;
          
            krb5_principal p;
            krb5_context kcontext;
          
            krb5_init_context (&kcontext);
          
            if (krb5_parse_name (kcontext, clientname, &p) != 0)
              return -1;
            if (krb5_kuserok (kcontext, p, authentication_id))
              rc = GSASL_OK;
            krb5_free_principal (kcontext, p);
          
            return rc;
          }
— Prototype: int (*Gsasl_client_callback_passcode) (Gsasl_session_ctx * ctx, char * out, size_t * outlen)

ctx: libgsasl handle.

out: output array with passcode.

outlen: on input the maximum size of the output array, on output contains the actual size of the output array.

Type of callback function the application implements. It should populate the output array with passcode of user and set the output array length, and return GSASL_OK, or fail with an error code.

If OUT is NULL, the function should only populate the output length field with the length, and return GSASL_OK. This usage may be used by the caller to allocate the proper buffer size.

— Prototype: int (*Gsasl_client_callback_password) (Gsasl_session_ctx * ctx, char * out, size_t * outlen)

ctx: libgsasl handle.

out: output array with password.

outlen: on input the maximum size of the output array, on output contains the actual size of the output array.

Type of callback function the application implements. It should populate the output array with password of user and set the output array length, and return GSASL_OK, or fail with an error code. The password must be encoded in UTF-8, but need not be normalized in any way.

If OUT is NULL, the function should only populate the output length field with the length, and return GSASL_OK. This usage may be used by the caller to allocate the proper buffer size.

— Prototype: int (*Gsasl_server_callback_retrieve) (Gsasl_session_ctx * ctx, char * authentication_id, char * authorization_id, char * realm, char * key, size_t * keylen)

ctx: libgsasl handle.

authentication_id: input array with authentication identity.

authorization_id: input array with authorization identity, or NULL.

realm: input array with realm of user, or NULL.

key: output array with key for authentication identity.

keylen: on input the maximum size of the key output array, on output contains the actual size of the key output array.

Type of callback function the application implements. It should retrieve the password for the indicated user and return GSASL_OK, or an error code such as GSASL_AUTHENTICATION_ERROR. The key must be encoded in UTF-8, but need not be normalized in any way.

If KEY is NULL, the function should only populate the KEYLEN output length field with the length, and return GSASL_OK. This usage may be used by the caller to allocate the proper buffer size.

— Prototype: int (*Gsasl_server_callback_validate) (Gsasl_session_ctx * ctx, char * authentication_id, char * authorization_id, char * passcode, char * pin, char * suggestpin, size_t * suggestpinlen)

ctx: libgsasl handle.

authorization_id: input array with authorization identity.

authentication_id: input array with authentication identity.

passcode: input array with passcode.

pin: input array with new pin (this may be NULL).

suggestpin: output array with new suggested PIN.

suggestpinlen: on input the maximum size of the output array, on output contains the actual size of the output array.

Type of callback function the application implements. It should return GSASL_OK if and only if the validation of the provided credential was succesful. GSASL_AUTHENTICATION_ERROR is a good failure if authentication failed, but any available return code may be used.

Two SECURID specific error codes also exists. The function can return GSASL_SECURID_SERVER_NEED_ADDITIONAL_PASSCODE to request that the client generate a new passcode. It can also return GSASL_SECURID_SERVER_NEED_NEW_PIN to request that the client generate a new PIN. If the server wishes to suggest a new PIN it can populate the SUGGESTPIN field.

If SUGGESTPIN is NULL, the function should only populate the output length field with the length, and return GSASL_OK. This usage may be used by the caller to allocate the proper buffer size.

— Prototype: int (*Gsasl_server_callback_service) (Gsasl_session_ctx * ctx, char * service, size_t * servicelen, char * hostname, size_t * hostnamelen)

ctx: libgsasl handle.

service: output array with name of service.

servicelen: on input the maximum size of the service output array, on output contains the actual size of the service output array.

hostname: output array with hostname of server.

hostnamelen: on input the maximum size of the hostname output array, on output contains the actual size of the hostname output array.

Type of callback function the application implements. It should retrieve the service (which should be a registered GSSAPI host based service name, such as “imap”) the server provides and hostname of server (usually canoncial DNS hostname). It should return GSASL_OK, or an error such as GSASL_AUTHENTICATION_ERROR if it fails.

If SERVICE or HOSTNAME is NULL, the function should only populate SERVICELEN or HOSTNAMELEN with the output length of the respective field, and return GSASL_OK. This usage may be used by the caller to allocate the proper buffer size.

— Prototype: int (*Gsasl_server_callback_validate) (Gsasl_session_ctx * ctx, char * authorization_id, char * authentication_id, char * password)

ctx: libgsasl handle.

authorization_id: input array with authorization identity.

authentication_id: input array with authentication identity.

password: input array with password.

Type of callback function the application implements. It should return GSASL_OK if and only if the validation of the provided credential was succesful. GSASL_AUTHENTICATION_ERROR is a good failure if authentication failed, but any available return code may be used.


Next: , Previous: Old Functions, Up: Top

Appendix C Copying Information


Next: , Up: Copying Information

C.1 GNU Free Documentation License

Version 1.3, 3 November 2008
     Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc.
     http://fsf.org/
     
     Everyone is permitted to copy and distribute verbatim copies
     of this license document, but changing it is not allowed.
  1. PREAMBLE

    The purpose of this License is to make a manual, textbook, or other functional and useful document free in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

    This License is a kind of “copyleft”, which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

    We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

  2. APPLICABILITY AND DEFINITIONS

    This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The “Document”, below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as “you”. You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

    A “Modified Version” of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

    A “Secondary Section” is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

    The “Invariant Sections” are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

    The “Cover Texts” are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

    A “Transparent” copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not “Transparent” is called “Opaque”.

    Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

    The “Title Page” means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, “Title Page” means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

    The “publisher” means any person or entity that distributes copies of the Document to the public.

    A section “Entitled XYZ” means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as “Acknowledgements”, “Dedications”, “Endorsements”, or “History”.) To “Preserve the Title” of such a section when you modify the Document means that it remains a section “Entitled XYZ” according to this definition.

    The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

  3. VERBATIM COPYING

    You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

    You may also lend copies, under the same conditions stated above, and you may publicly display copies.

  4. COPYING IN QUANTITY

    If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

    If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

    If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

    It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

  5. MODIFICATIONS

    You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

    1. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.
    2. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.
    3. State on the Title page the name of the publisher of the Modified Version, as the publisher.
    4. Preserve all the copyright notices of the Document.
    5. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.
    6. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.
    7. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.
    8. Include an unaltered copy of this License.
    9. Preserve the section Entitled “History”, Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled “History” in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.
    10. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the “History” section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.
    11. For any section Entitled “Acknowledgements” or “Dedications”, Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.
    12. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.
    13. Delete any section Entitled “Endorsements”. Such a section may not be included in the Modified Version.
    14. Do not retitle any existing section to be Entitled “Endorsements” or to conflict in title with any Invariant Section.
    15. Preserve any Warranty Disclaimers.

    If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

    You may add a section Entitled “Endorsements”, provided it contains nothing but endorsements of your Modified Version by various parties—for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

    You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

    The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

  6. COMBINING DOCUMENTS

    You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

    The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

    In the combination, you must combine any sections Entitled “History” in the various original documents, forming one section Entitled “History”; likewise combine any sections Entitled “Acknowledgements”, and any sections Entitled “Dedications”. You must delete all sections Entitled “Endorsements.”

  7. COLLECTIONS OF DOCUMENTS

    You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

    You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

  8. AGGREGATION WITH INDEPENDENT WORKS

    A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an “aggregate” if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

    If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

  9. TRANSLATION

    Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

    If a section in the Document is Entitled “Acknowledgements”, “Dedications”, or “History”, the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

  10. TERMINATION

    You may not copy, modify, sublicense, or distribute the Document except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, or distribute it is void, and will automatically terminate your rights under this License.

    However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

    Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.

    Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, receipt of a copy of some or all of the same material does not give you any rights to use it.

  11. FUTURE REVISIONS OF THIS LICENSE

    The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

    Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License “or any later version” applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation. If the Document specifies that a proxy can decide which future versions of this License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Document.

  12. RELICENSING

    “Massive Multiauthor Collaboration Site” (or “MMC Site”) means any World Wide Web server that publishes copyrightable works and also provides prominent facilities for anybody to edit those works. A public wiki that anybody can edit is an example of such a server. A “Massive Multiauthor Collaboration” (or “MMC”) contained in the site means any set of copyrightable works thus published on the MMC site.

    “CC-BY-SA” means the Creative Commons Attribution-Share Alike 3.0 license published by Creative Commons Corporation, a not-for-profit corporation with a principal place of business in San Francisco, California, as well as future copyleft versions of that license published by that same organization.

    “Incorporate” means to publish or republish a Document, in whole or in part, as part of another Document.

    An MMC is “eligible for relicensing” if it is licensed under this License, and if all works that were first published under this License somewhere other than this MMC, and subsequently incorporated in whole or in part into the MMC, (1) had no cover texts or invariant sections, and (2) were thus incorporated prior to November 1, 2008.

    The operator of an MMC Site may republish an MMC contained in the site under CC-BY-SA on the same site at any time before August 1, 2009, provided the MMC is eligible for relicensing.

ADDENDUM: How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:

       Copyright (C)  year  your name.
       Permission is granted to copy, distribute and/or modify this document
       under the terms of the GNU Free Documentation License, Version 1.3
       or any later version published by the Free Software Foundation;
       with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts.  A copy of the license is included in the section entitled ``GNU
       Free Documentation License''.

If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the “with...Texts.” line with this:

         with the Invariant Sections being list their titles, with
         the Front-Cover Texts being list, and with the Back-Cover Texts
         being list.

If you have Invariant Sections without Cover Texts, or some other combination of the three, merge those two alternatives to suit the situation.

If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.


Next: , Previous: GNU Free Documentation License, Up: Copying Information

C.2 GNU Lesser General Public License

Version 2.1, February 1999
     Copyright © 1991, 1999 Free Software Foundation, Inc.
     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
     
     Everyone is permitted to copy and distribute verbatim copies
     of this license document, but changing it is not allowed.
     
     [This is the first released version of the Lesser GPL.  It also counts
     as the successor of the GNU Library Public License, version 2, hence the
     version number 2.1.]

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software—to make sure the software is free for all its users.

This license, the Lesser General Public License, applies to some specially designated software—typically libraries—of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.

When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.

To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.

For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.

We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.

To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.

Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.

Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.

When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.

We call this license the Lesser General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.

For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.

In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.

Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.

The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a “work based on the library” and a “work that uses the library”. The former contains code derived from the library, whereas the latter must be combined with the library in order to run.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  1. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called “this License”). Each licensee is addressed as “you”.

    A “library” means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.

    The “Library”, below, refers to any such software library or work which has been distributed under these terms. A “work based on the Library” means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term “modification”.)

    “Source code” for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.

    Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.

  2. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.

    You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

  3. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
    1. The modified work must itself be a software library.
    2. You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
    3. You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
    4. If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.

      (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)

    These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

    Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.

    In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

  4. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.

    Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.

    This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

  5. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

    If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

  6. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a “work that uses the Library”. Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.

    However, linking a “work that uses the Library” with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a “work that uses the library”. The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.

    When a “work that uses the Library” uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.

    If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)

    Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.

  7. As an exception to the Sections above, you may also combine or link a “work that uses the Library” with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.

    You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:

    1. Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable “work that uses the Library”, as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
    2. Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.
    3. Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
    4. If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
    5. Verify that the user has already received a copy of these materials or that you have already sent this user a copy.

    For an executable, the required form of the “work that uses the Library” must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

    It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.

  8. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
    1. Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
    2. Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.
  9. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
  10. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.
  11. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.
  12. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.

    If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.

    It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

    This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

  13. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
  14. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

    Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and “any later version”, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.

  15. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
  16. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
  17. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

How to Apply These Terms to Your New Libraries

If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License).

To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to where the full notice is found.

     one line to give the library's name and an idea of what it does.
     Copyright (C) year  name of author
     
     This library is free software; you can redistribute it and/or modify it
     under the terms of the GNU Lesser General Public License as published by
     the Free Software Foundation; either version 2.1 of the License, or (at
     your option) any later version.
     
     This library is distributed in the hope that it will be useful, but
     WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     Lesser General Public License for more details.
     
     You should have received a copy of the GNU Lesser General Public
     License along with this library; if not, write to the Free Software
     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
     USA.

Also add information on how to contact you by electronic and paper mail.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a “copyright disclaimer” for the library, if necessary. Here is a sample; alter the names:

     Yoyodyne, Inc., hereby disclaims all copyright interest in the library
     `Frob' (a library for tweaking knobs) written by James Random Hacker.
     
     signature of Ty Coon, 1 April 1990
     Ty Coon, President of Vice

That's all there is to it!


Previous: GNU LGPL, Up: Copying Information

C.3 GNU General Public License

Version 3, 29 June 2007
     Copyright © 2007 Free Software Foundation, Inc. http://fsf.org/
     
     Everyone is permitted to copy and distribute verbatim copies of this
     license document, but changing it is not allowed.

Preamble

The GNU General Public License is a free, copyleft license for software and other kinds of works.

The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program—to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.

To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it.

For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions.

Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users.

Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS

  1. Definitions.

    “This License” refers to version 3 of the GNU General Public License.

    “Copyright” also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.

    “The Program” refers to any copyrightable work licensed under this License. Each licensee is addressed as “you”. “Licensees” and “recipients” may be individuals or organizations.

    To “modify” a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a “modified version” of the earlier work or a work “based on” the earlier work.

    A “covered work” means either the unmodified Program or a work based on the Program.

    To “propagate” a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.

    To “convey” a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.

    An interactive user interface displays “Appropriate Legal Notices” to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.

  2. Source Code.

    The “source code” for a work means the preferred form of the work for making modifications to it. “Object code” means any non-source form of a work.

    A “Standard Interface” means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language.

    The “System Libraries” of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A “Major Component”, in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.

    The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.

    The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source.

    The Corresponding Source for a work in source code form is that same work.

  3. Basic Permissions.

    All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law.

    You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.

    Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.

  4. Protecting Users' Legal Rights From Anti-Circumvention Law.

    No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.

    When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.

  5. Conveying Verbatim Copies.

    You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.

    You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.

  6. Conveying Modified Source Versions.

    You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:

    1. The work must carry prominent notices stating that you modified it, and giving a relevant date.
    2. The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to “keep intact all notices”.
    3. You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.
    4. If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.

    A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an “aggregate” if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.

  7. Conveying Non-Source Forms.

    You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:

    1. Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.
    2. Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.
    3. Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.
    4. Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.
    5. Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.

    A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.

    A “User Product” is either (1) a “consumer product”, which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, “normally used” refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.

    “Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.

    If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).

    The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.

    Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.

  8. Additional Terms.

    “Additional permissions” are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.

    When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.

    Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:

    1. Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or
    2. Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or
    3. Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or
    4. Limiting the use for publicity purposes of names of licensors or authors of the material; or
    5. Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or
    6. Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.

    All other non-permissive additional terms are considered “further restrictions” within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.

    If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.

    Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.

  9. Termination.

    You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).

    However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

    Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.

    Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.

  10. Acceptance Not Required for Having Copies.

    You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.

  11. Automatic Licensing of Downstream Recipients.

    Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.

    An “entity transaction” is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.

    You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.

  12. Patents.

    A “contributor” is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's “contributor version”.

    A contributor's “essential patent claims” are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, “control” includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.

    Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.

    In the following three paragraphs, a “patent license” is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To “grant” such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.

    If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. “Knowingly relying” means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.

    If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.

    A patent license is “discriminatory” if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.

    Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.

  13. No Surrender of Others' Freedom.

    If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.

  14. Use with the GNU Affero General Public License.

    Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.

  15. Revised Versions of this License.

    The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

    Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License “or any later version” applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation.

    If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.

    Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.

  16. Disclaimer of Warranty.

    THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

  17. Limitation of Liability.

    IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

  18. Interpretation of Sections 15 and 16.

    If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to where the full notice is found.

     one line to give the program's name and a brief idea of what it does.
     Copyright (C) year name of author
     
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
     the Free Software Foundation, either version 3 of the License, or (at
     your option) any later version.
     
     This program is distributed in the hope that it will be useful, but
     WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     General Public License for more details.
     
     You should have received a copy of the GNU General Public License
     along with this program.  If not, see http://www.gnu.org/licenses/.

Also add information on how to contact you by electronic and paper mail.

If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode:

     program Copyright (C) year name of author
     This program comes with ABSOLUTELY NO WARRANTY; for details type ‘show w’.
     This is free software, and you are welcome to redistribute it
     under certain conditions; type ‘show c’ for details.

The hypothetical commands ‘show w’ and ‘show c’ should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an “about box”.

You should also get your employer (if you work as a programmer) or school, if any, to sign a “copyright disclaimer” for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see http://www.gnu.org/licenses/.

The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read http://www.gnu.org/philosophy/why-not-lgpl.html.


Previous: Concept Index, Up: Top

Function and Data Index


Next: , Previous: Copying Information, Up: Top

Concept Index


Footnotes

[1] Note that GNU SASL normally use its own internal implementation of the cryptographic functions. Take care to verify that GNU SASL really use Libgcrypt, if this is what you want.