 * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
 *
 * *******************************IMPORTANT******************************
 * send email to chris.newman@sun.com and cyrus-bugs@andrew.cmu.edu
 * if you need to add new error codes, callback types, property values,
 * etc. It is important to keep the multiple implementations of this
 * API from diverging.
 * *******************************IMPORTANT******************************
 *
 * Basic Type Summary:
 *  sasl_conn_t                 Context for a SASL connection negotiation
 *  sasl_ssf_t                  Security layer Strength Factor
 *  sasl_interact_t             A client interaction descriptor
 *  sasl_secret_t               A client password
 *  sasl_rand_t                 Random data context structure
 *  sasl_security_properties_t  An application's required security level
 *
 * Client only Callbacks:
 *  sasl_getrealm_t             client: Get available realms
 *  sasl_getsecret_t            client: Get authentication secret
 *  sasl_chalprompt_t           client: Display challenge and prompt for response
 *
 * Server only Callbacks:
 *  sasl_authorize_t                user authorization policy callback
 *  sasl_server_userdb_checkpass_t  check password and auxprops in userdb
 *  sasl_server_userdb_setpass_t    set password in userdb
 *
 *  sasl_done          Release all SASL global state
 *  sasl_dispose       Connection done: Dispose of sasl_conn_t
 *  sasl_getprop       Get property (e.g., user name, security layer info)
 *  sasl_setprop       Set property (e.g., external ssf)
 *  sasl_errdetail     Generate string from last error on connection
 *  sasl_errstring     Translate sasl error code to a string
 *  sasl_encode        Encode data to send using security layer
 *  sasl_decode        Decode data received using security layer
 *
 * Utility functions:
 *  sasl_encode64      Encode data to send using MIME base64 encoding
 *  sasl_decode64      Decode data received using MIME base64 encoding
 *  sasl_erasebuffer   Erase a buffer
 *
 * Client Function Summary:
 *  sasl_client_init   Load and initialize client plug-ins (call once)
 *  sasl_client_new    Initialize client connection context: sasl_conn_t
 *  sasl_client_start  Select mechanism for connection
 *  sasl_client_step   Perform one authentication step
 *
 * Server Function Summary
 *  sasl_server_init   Load and initialize server plug-ins (call once)
 *  sasl_server_new    Initialize server connection context: sasl_conn_t
 *  sasl_listmech      Create list of available mechanisms
 *  sasl_server_start  Begin an authentication exchange
 *  sasl_server_step   Perform one authentication exchange step
 *  sasl_checkpass     Check a plaintext passphrase
 *                     mechanism similar to CRAM-MD5 mechanism; optional)
 *  sasl_user_exists   Check if user exists
 *  sasl_setpass       Change a password or add a user entry
 *  sasl_auxprop_request  Request auxiliary properties
 *  sasl_auxprop_getctx   Get auxiliary property context for connection
 *
 * Basic client model:
 *  1. client calls sasl_client_init() at startup to load plug-ins
 *  2. when connection formed, call sasl_client_new()
 *  3. once list of supported mechanisms received from server, client
 *     calls sasl_client_start().  goto 4a
 *  4. client calls sasl_client_step()
 *  [4a. If SASL_INTERACT, fill in prompts and goto 4
 *       -- doesn't happen if callbacks provided]
 *  4b. If SASL error, goto 7 or 3
 *  4c. If SASL_OK, continue or goto 6 if last server response was success
 *  5. send message to server, wait for response
 *  5a. On data or success with server response, goto 4
 *  5b. On failure goto 7 or 3
 *  5c. On success with no server response continue
 *  6. continue with application protocol until connection closes
 *  7. call sasl_dispose(), may return to step 2
 *  8. call sasl_done() when program terminates
 *
 * Basic Server model:
 *  1. call sasl_server_init() at startup to load plug-ins
 *  2. On connection, call sasl_server_new()
 *  3. call sasl_listmech() and send list to client
 *  4. after client AUTH command, call sasl_server_start(), goto 5a
 *  5. call sasl_server_step()
 *  5a. If SASL_CONTINUE, output to client, wait response, repeat 5
 *  5b. If SASL error, then goto 7
 *  5c. If SASL_OK, move on
 *  6. continue with application protocol until connection closes
 *     call sasl_getprop to get username
 *  7. call sasl_dispose(), may return to step 2
 *  8. call sasl_done() when program terminates
 *
 * ***********************************************
 * IMPORTANT NOTE: server realms / username syntax
 *
 * If a user name contains a "@", then the rightmost "@" in the user name
 * separates the account name from the realm in which this account is
 * located.  A single server may support multiple realms.  If the
 * server knows the realm at connection creation time (e.g., a server
 * with multiple IP addresses tightly binds one address to a specific
 * realm) then that realm must be passed in the user_realm field of
 * the sasl_server_new call.  If user_realm is non-empty and an
 * unqualified user name is supplied, then the canon_user facility is
 * expected to append "@" and user_realm to the user name.  The canon_user
 * facility may treat other characters such as "%" as equivalent to "@".
 *
 * If the server forbids the use of "@" in user names for other
 * purposes, this simplifies security validation.
 *
 * The following ifdef block is the standard way of creating macros
 * which make exporting from a DLL simpler.  All files within this DLL
 * are compiled with the LIBSASL_EXPORTS symbol defined on the command
 * line.  This symbol should not be defined on any project that uses
 * this DLL.  This way any other project whose source files include
 * this file see LIBSASL_API functions as being imported from a DLL,
 * whereas this DLL sees symbols defined with this macro as being
 *
 * Under Unix, life is simpler: we just need to mark library functions
 * as extern.  (Technically, we don't even have to do that.)

#else /* LIBSASL_EXPORTS */
#endif /* LIBSASL_EXPORTS */

 * Same as above, but used during a variable declaration.  Only Unix definition
 * is different, as we can't assign an initial value to an extern variable

#else /* LIBSASL_EXPORTS */
#endif /* LIBSASL_EXPORTS */

/* SASL result codes: */
/* -- client only codes -- */
/* -- server only codes -- */
#define SASL_TRANS      -17  /* One time use of a plaintext password will */
                             /* enable requested mechanism for user */
/* -- codes for password setting -- */

/* max size of a sasl mechanism name */

/* Define to have the same layout as a WSABUF */
struct iovec;                /* Defined in OS headers */

/* per-connection SASL negotiation state for client or server */

 * Plain text password structure.
 *  len is the length of the password, data is the text.
    unsigned char data[1];   /* variable sized */

/* random data context structure */

 * Configure Basic Services
 * the following functions are used to adjust how allocation and mutexes work
 * they must be called before all other SASL functions:
/* The following function is obsolete */
 * memory allocation functions which may optionally be replaced:
/* The following function is obsolete */
 * mutex functions which may optionally be replaced:
 *  sasl_mutex_alloc  allocates a mutex structure
 *  sasl_mutex_lock   blocks until mutex locked
 *    returns -1 on deadlock or parameter error
 *    returns 0 on success
 *  sasl_mutex_unlock unlocks mutex if it's locked
 *    returns -1 if not locked or parameter error
 *    returns 0 on success
 *  sasl_mutex_free   frees a mutex structure
 *
 * Security preference types
 *
 * security layer strength factor -- an unsigned integer usable by the caller
 * to specify approximate security layer strength desired.  Roughly
 * correlated to effective key length for encryption.
 *  1   = integrity protection only
 *  256 = baseline AES
 *
/* usage flags provided to sasl_server_new and sasl_client_new: */

 * Security Property Types
 *
 * Structure specifying the client or server's security policy
 * and optional additional properties.
/* These are the various security flags apps can specify. */
 * NOPLAINTEXT      -- don't permit mechanisms susceptible to simple
 *                     passive attack (e.g., PLAIN, LOGIN)
 * NOACTIVE         -- protection from active (non-dictionary) attacks
 *                     during authentication exchange.
 *                     Authenticates server.
 * NODICTIONARY     -- don't permit mechanisms susceptible to passive
 * FORWARD_SECRECY  -- require forward secrecy between sessions
 *                     (breaking one won't help break next)
 * NOANONYMOUS      -- don't permit mechanisms that allow anonymous login
 * PASS_CREDENTIALS -- require mechanisms which pass client
 *                     credentials, and allow mechanisms which can pass
 *                     credentials to do so
 * MUTUAL_AUTH      -- require mechanisms which provide mutual
 *
 * security strength factor
 *  min_ssf = minimum acceptable final level
 *  max_ssf = maximum acceptable final level
 *
 * Maximum security layer receive buffer size.
 *  0=security layer not supported
 *
/* bitfield for attacks to protect against */
/* NULL terminated array of additional property names, values */

 * id      -- identifies callback type
 * proc    -- procedure call arguments vary based on id
 * context -- context passed to procedure
 *
 * Note that any memory that is allocated by the callback needs to be
 * freed by the application, be it via function call or interaction.
 *
 * It may be freed after sasl_*_step returns SASL_OK.  If the mechanism
 * requires this information to persist (for a security layer, for example)
 * it must maintain a private copy.
 *
 * Identifies the type of the callback function.
 * Mechanisms must ignore callbacks with id's they don't recognize.
    int (*proc)();           /* Callback function.  Types of arguments vary by 'id' */

 * callback ids & functions:
 *
 * option reading callback -- this allows a SASL configuration to be
 * encapsulated in the caller's configuration system.  Some implementations
 * may use default config file(s) if this is omitted.  Configuration items
 * may be plugin-specific and are arbitrary strings.
 *  context     -- option context from callback record
 *  plugin_name -- name of plugin (NULL = general SASL option)
 *  option      -- name of option
 *  result      -- set to result which persists until next getopt in
 *                 same thread, unchanged if option not found
 *  len         -- length of result (may be NULL)
 *  SASL_OK     -- no error
 *  SASL_FAIL   -- error
 *
/* Logging levels for use with the logging callback function. */
 * logging callback -- this allows plugins and the middleware to
 * log operations they perform.
 *  context -- logging context from the callback record
 *  level   -- logging level; see above
 *  message -- message to log
 *  SASL_OK   -- no error
 *  SASL_FAIL -- error
 *
 * getpath callback -- this allows applications to specify the
 * colon-separated path to search for plugins (by default,
 * taken from an implementation-specific location).
 *  context -- getpath context from the callback record
 *  path    -- colon separated path
 *  SASL_OK   -- no error
 *  SASL_FAIL -- error
 *
/* Callback to get the location of the sasl config */
 * verify file callback -- this allows applications to check if they
 * want SASL to use files, file by file.  This is intended to allow
 * applications to sanity check the environment to make sure plugins
 * or the configuration file can't be written to, etc.
 *  context -- verifypath context from the callback record
 *  file    -- full path to file to verify
 *  type    -- type of file to verify (see below)
 *  SASL_OK       -- no error (file can safely be used)
 *  SASL_CONTINUE -- continue WITHOUT using this file
 *  SASL_FAIL     -- error
/* these are the types of files libsasl will ask about */
 *
 * Simple prompt -- result must persist until next call to getsimple on
 * same connection or until connection context is disposed
 *  context -- context from callback structure
 *  result  -- set to NUL terminated string
 *             NULL = user cancel
 *  len     -- length of result
 *
 * comma separated list of RFC 1766
 * language codes in order of preference
 * to be used to localize client prompts
 * or server error codes
 *
/* caller supplies client-nonce primarily for testing purposes */
 *
 * get a sasl_secret_t (plaintext password with length)
 *  conn    -- connection context
 *  context -- context from callback structure
 *  psecret -- set to NULL to cancel
 *             set to password structure which must persist until
 *             next call to getsecret in same connection, but middleware
 *             will erase password data when it's done with it.
 *
 * prompt for input in response to a challenge.
 *  context   -- context from callback structure
 *  challenge -- server challenge
 *  result    -- NUL terminated result, NULL = user cancel
 *  len       -- length of result
 *
 * prompt (or autoselect) the realm to do authentication in.
 * may get a list of valid realms.
 *  context     -- context from callback structure
 *  availrealms -- available realms; string list; NULL terminated
 *                 list may be empty.
 *  result      -- NUL terminated realm; NULL is equivalent to ""
 *                 result must persist until the next callback
 *
/* server callbacks: */
 * improved callback to verify authorization;
 * canonicalization now handled elsewhere
 *  conn          -- connection context
 *  rlen          -- length of requested_user
 *  auth_identity -- the identity associated with the secret (NUL terminated)
 *  alen          -- length of auth_identity
 *  default_realm -- default user realm, as passed to sasl_server_new if
 *  urlen         -- length of default realm
 *  propctx       -- auxiliary properties
 * returns SASL_OK on success,
 *  SASL_NOAUTHZ or other SASL response on failure
 *
 * functions for "userdb" based plugins to call to get/set passwords.
 * the location for the passwords is determined by the caller or middleware.
 * plug-ins may get passwords from other locations.
 *
 * callback to verify a plaintext password against the caller-supplied
 * user database.  This is necessary to allow additional <method>s for
 * encoding of the userPassword property.
 *  user    -- NUL terminated user name with user@realm syntax
 *  pass    -- password to check (may not be NUL terminated)
 *  passlen -- length of password to check
 *  propctx -- auxiliary properties for user
 *
 *  user    -- NUL terminated user name with user@realm syntax
 *  pass    -- password to store (may not be NUL terminated)
 *  passlen -- length of password to store
 *  propctx -- auxiliary properties (not stored)
 *  flags   -- see SASL_SET_* flags below (SASL_SET_CREATE optional)
 *
 * callback for a server-supplied user canonicalization function.
 * This function is called directly after the mechanism has the
 * authentication and authorization IDs.  It is called before any
 * User Canonicalization plugin is called.  It has the responsibility
 * of copying its output into the provided output buffers.
 *  in, inlen  -- user name to canonicalize, may not be NUL terminated
 *                may be same buffer as out
 *  flags      -- not currently used, supplied by auth mechanism
 *  user_realm -- the user realm (may be NULL in case of client)
 *  out        -- buffer to copy user name
 *  out_max    -- max length of user name
 *  out_len    -- set to length of user name
 *  SASL_OK      on success
 *  SASL_BADPROT username contains invalid character
 *
/* User Canonicalization Function Flags */
/* One of the following two is required */
 *
 * get sasl library version information
 *  implementation is a vendor-defined string
 *  version is a vendor-defined representation of the version #
 *
 * dispose of all SASL plugins.  Connection
 * states have to be disposed of before calling this.
 *
 * dispose connection state, sets it to NULL
 * checks for pointer to NULL
 *
 * translate an error number into a string
 *  saslerr  -- the error number
 *  langlist -- comma separated list of RFC 1766 languages (may be NULL)
 *  outlang  -- the language actually used (may be NULL if don't care)
 *  the error message in UTF-8 (only the US-ASCII subset if langlist is NULL)
 *
 * get detail about the last error that occurred on a connection
 * text is sanitized so it's suitable to send over the wire
 * (e.g., no distinction between SASL_BADAUTH and SASL_NOUSER)
 *  conn -- mandatory connection context
 *  the error message in UTF-8 (only the US-ASCII subset permitted if no
 *  SASL_CB_LANGUAGE callback is present)
 *
 * set the error string which will be returned by sasl_errdetail() using
 * syslog()-style formatting (e.g. printf-style with %m as most recent
 *
 * primarily for use by server callbacks such as the sasl_authorize_t
 * callback and internally to plug-ins
 *
 * This will also trigger a call to the SASL logging callback (if any)
 * with a level of SASL_LOG_FAIL unless the SASL_NOLOG flag is set.
 *
 * Messages should be sensitive to the current language setting.  If there
 * is no SASL_CB_LANGUAGE callback messages MUST be US-ASCII otherwise UTF-8
 * is used and use of RFC 2482 for mixed-language text is encouraged.
 *
 * if conn is NULL, function does nothing
 *
 * get property from SASL connection state
 *  propnum -- property number
 *  pvalue  -- pointer to value
 *  SASL_OK       -- no error
 *  SASL_NOTDONE  -- property not available yet
 *  SASL_BADPARAM -- bad property number
#define SASL_SSF        1    /* security layer security strength factor, */
                             /* if 0, call to sasl_encode, sasl_decode */
                             /* or set with setprop */
                             /* for failed authentication tracking */
 *
 * This returns a string which is either empty or has an error message
 * from sasl_seterror (e.g., from a plug-in or callback).  It differs
 * from the result of sasl_errdetail() which also takes into account the
 * last return status code.
 *
 * set property in SASL connection state
 *  SASL_OK       -- value set
 *  SASL_BADPARAM -- invalid property or value
 *
 * If the SASL_AUTH_EXTERNAL value is non-NULL, then a special version of the
 * EXTERNAL mechanism is enabled (one for server-embedded EXTERNAL mechanisms).
 * Otherwise, the EXTERNAL mechanism will be absent unless a plug-in
 * including EXTERNAL is present.
 *
 * do precalculations during an idle period or network round trip
 * may pass NULL to precompute for some mechanisms prior to connect
 * returns 1 if action taken, 0 if no action taken
 *
 * list of client interactions with user for caller to fill in
    const char *challenge;   /* presented to user (e.g. OTP challenge) */
    const char *prompt;      /* presented to user (e.g. "Username: ") */
    const void *result;      /* set to point to result */
    unsigned len;            /* set to length of result */
 *
 * initialize the SASL client drivers
 *  callbacks -- base callbacks for all client connections;
 *               must include getopt callback
 *  SASL_OK       -- Success
 *  SASL_NOMEM    -- Not enough memory
 *  SASL_BADVERS  -- Mechanism version mismatch
 *  SASL_BADPARAM -- missing getopt callback or error in config file
 *  SASL_NOMECH   -- No mechanisms available
 *
 * initialize a client exchange based on the specified mechanism
 *  service      -- registered name of the service using SASL (e.g. "imap")
 *  serverFQDN   -- the fully qualified domain name of the server
 *  iplocalport  -- client IPv4/IPv6 domain literal string with port
 *                  (if NULL, then mechanisms requiring IPaddr are disabled)
 *  ipremoteport -- server IPv4/IPv6 domain literal string with port
 *                  (if NULL, then mechanisms requiring IPaddr are disabled)
 *  prompt_supp  -- list of client interactions supported
 *                  may also include sasl_getopt_t context & call
 *                  NULL proc = interaction supported via SASL_INTERACT
 *  flags        -- server usage flags (see above)
 *  pconn        -- sasl connection
 *  SASL_OK     -- success
 *  SASL_NOMECH -- no mechanism meets requested properties
 *  SASL_NOMEM  -- not enough memory
 *
 * select a mechanism for a connection
 *  mechlist    -- list of mechanisms to use (punctuation ignored)
 *  prompt_need -- on SASL_INTERACT, list of prompts needed to continue
 *                 may be NULL if callbacks provided
 *  clientout   -- the initial client response to send to the server
 *                 NULL if mech doesn't include initial client challenge
 *  mech        -- set to mechanism name of selected mechanism (may be NULL)
 *  SASL_OK       -- success
 *  SASL_NOMEM    -- not enough memory
 *  SASL_NOMECH   -- no mechanism meets requested properties
 *  SASL_INTERACT -- user interaction needed to fill in prompt_need list
 *
 * do a single authentication step.
 *  serverin    -- the server message received by the client, MUST have a NUL
 *                 sentinel, not counted by serverinlen
 *  prompt_need -- on SASL_INTERACT, list of prompts needed to continue
 *  clientout   -- the client response to send to the server
 *  SASL_OK       -- success
 *  SASL_INTERACT -- user interaction needed to fill in prompt_need list
 *  SASL_BADSERV  -- server failed mutual auth
 *
 * initialize server drivers, done once per process
 *  callbacks -- callbacks for all server connections; must include
 *  appname   -- name of calling application (for lower level logging)
 *  state     -- server state
 *  SASL_OK       -- success
 *  SASL_BADPARAM -- error in config file
 *  SASL_NOMEM    -- memory failure
 *  SASL_BADVERS  -- Mechanism version mismatch
 *
 *  a.b.c.d:p                where a-d are 0-255 and p is 0-65535 port number.
 *  [e:f:g:h:i:j:k:l]:p      where e-l are 0000-ffff lower-case hexadecimal
 *  [e:f:g:h:i:j:a.b.c.d]:p  alternate syntax for previous
 *
 * Note that one or more "0" fields in f-k can be replaced with "::"
 * Thus:               [e:f:0000:0000:0000:j:k:l]:p
 * can be abbreviated: [e:f::j:k:l]:p
 *
 * A buffer of size 52 is adequate for the longest format with NUL terminator.
 *
 * create context for a single SASL connection
 *  service      -- registered name of the service using SASL (e.g. "imap")
 *  serverFQDN   -- Fully qualified domain name of server.  NULL means use
 *                  gethostname() or equivalent.
 *                  Useful for multi-homed servers.
 *  user_realm   -- permits multiple user realms on server, NULL = default
 *  iplocalport  -- server IPv4/IPv6 domain literal string with port
 *                  (if NULL, then mechanisms requiring IPaddr are disabled)
 *  ipremoteport -- client IPv4/IPv6 domain literal string with port
 *                  (if NULL, then mechanisms requiring IPaddr are disabled)
 *  callbacks    -- callbacks (e.g., authorization, lang, new getopt context)
 *  flags        -- usage flags (see above)
 *  pconn        -- new connection context
 *  SASL_OK    -- success
 *  SASL_NOMEM -- not enough memory
 *
/* The following function is obsolete */
 * Return an array of NUL-terminated strings, terminated by a NULL pointer,
 * which lists all possible mechanisms that the library can supply
 * Returns NULL on failure.
 *
 * This returns a list of mechanisms in a NUL-terminated string
 *  conn   -- the connection to list mechanisms for (either client
 *  user   -- restricts mechanisms to those available to that user
 *            (may be NULL, not used for client case)
 *  prefix -- appended to beginning of result
 *  sep    -- appended between mechanisms
 *  suffix -- appended to end of result
 *  result -- NUL terminated result which persists until next
 *            call to sasl_listmech for this sasl_conn_t
 *  plen   -- gets length of result (excluding NUL), may be NULL
 *  pcount -- gets number of mechanisms, may be NULL
 *  SASL_OK     -- success
 *  SASL_NOMEM  -- not enough memory
 *  SASL_NOMECH -- no enabled mechanisms
 *
 * start a mechanism exchange within a connection context
 *  mech         -- the mechanism name client requested
 *  clientin     -- client initial response (NUL terminated), NULL if empty
 *  clientinlen  -- length of initial response
 *  serverout    -- initial server challenge, NULL if done
 *                  (library handles freeing this string)
 *  serveroutlen -- length of initial server challenge
 *  pconn        -- the connection negotiation state on success
 * Same returns as sasl_server_step() or
 *  SASL_NOMECH if mechanism not available.
 *
 * perform one step of the SASL exchange
 *  inputlen & input   -- client data
 *                        NULL on first step if no optional client step
 *  outputlen & output -- set to the server data to transmit
 *                        to the client in the next step
 *                        (library handles freeing this)
 *  SASL_OK       -- exchange is complete.
 *  SASL_CONTINUE -- indicates another step is necessary.
 *  SASL_TRANS    -- entry for user exists, but not for mechanism
 *                   and transition is possible
 *  SASL_BADPARAM -- service name needed
 *  SASL_BADPROT  -- invalid input from client
 *
/* The following function is obsolete */
 * check if an apop exchange is valid
 * (note this is an optional part of the SASL API)
 * if challenge is NULL, just check if APOP is enabled
 *  challenge -- challenge which was sent to client
 *  challen   -- length of challenge, 0 = strlen(challenge)
 *  response  -- client response, "<user> <digest>" (RFC 1939)
 *  resplen   -- length of response, 0 = strlen(response)
 *  SASL_OK       -- success
 *  SASL_BADAUTH  -- authentication failed
 *  SASL_BADPARAM -- missing challenge
 *  SASL_BADPROT  -- protocol error (e.g., response in wrong format)
 *  SASL_NOVERIFY -- user found, but no verifier
 *  SASL_NOMECH   -- mechanism not supported
 *  SASL_NOUSER   -- user not found
 *
 * check if a plaintext password is valid
 * if user is NULL, check if plaintext passwords are enabled
 *  user    -- user to query in current user_domain
 *  userlen -- length of username, 0 = strlen(user)
 *  pass    -- plaintext password to check
 *  passlen -- length of password, 0 = strlen(pass)
 *  SASL_OK       -- success
 *  SASL_NOMECH   -- mechanism not supported
 *  SASL_NOVERIFY -- user found, but no verifier
 *  SASL_NOUSER   -- user not found
 *
 * check if a user exists on server
 *  conn       -- connection context
 *  service    -- registered name of the service using SASL (e.g. "imap")
 *  user_realm -- permits multiple user realms on server, NULL = default
 *  user       -- NUL terminated user name
 *  SASL_OK       -- success
 *  SASL_DISABLED -- account disabled
 *  SASL_NOUSER   -- user not found
 *  SASL_NOVERIFY -- user found, but no usable mechanism
 *  SASL_NOMECH   -- no mechanisms enabled
 *
 * set the password for a user
 *  conn       -- SASL connection
 *  pass       -- plaintext password, may be NULL to remove user
 *  passlen    -- length of password, 0 = strlen(pass)
 *  oldpass    -- NULL will sometimes work
 *  oldpasslen -- length of password, 0 = strlen(oldpass)
 *  flags      -- see flags below
 *  SASL_NOCHANGE   -- proper entry already exists
 *  SASL_NOMECH     -- no authdb supports password setting as configured
 *  SASL_NOVERIFY   -- user exists, but no settable password present
 *  SASL_DISABLED   -- account disabled
 *  SASL_PWLOCK     -- password locked
 *  SASL_WEAKPASS   -- password too weak for security policy
 *  SASL_NOUSERPASS -- user-supplied passwords not permitted
 *  SASL_FAIL       -- OS error
 *  SASL_BADPARAM   -- password too long
 *  SASL_OK         -- successful
 *
 * Auxiliary Property Support -- added by cjn 1999-09-29
/* traditional Posix items (should be implemented on Posix systems) */
/* optional additional items (not necessarily implemented) */
 * single preferred mail address for user canonically-quoted
/* path to unix-style mailbox for user */
/* SMTP mail channel name to use if user authenticates successfully */
 *
 * Request a set of auxiliary properties
 *  conn      connection context
 *  propnames list of auxiliary property names to request ending with
 * Subsequent calls will add items to the request list.  Call with NULL
 * to clear the request list.
 *  SASL_OK    -- success
 *  SASL_NOMEM -- out of memory
 *
 * Returns current auxiliary property context.
 * if authentication hasn't completed, property values may be empty/NULL
 * properties not recognized by active plug-ins will be left empty/NULL
 * returns NULL if conn is invalid.
 *
 * security layer API
 *
 * encode a block of data for transmission using security layer,
 * returning the input buffer if there is no security layer.
 * output is only valid until next call to sasl_encode or sasl_encodev
 *  SASL_OK       -- success (returns input if no layer negotiated)
 *  SASL_NOTDONE  -- security layer negotiation not finished
 *  SASL_BADPARAM -- inputlen is greater than the SASL_MAXOUTBUF
 *
 * encode a block of data for transmission using security layer
 * output is only valid until next call to sasl_encode or sasl_encodev
 *  SASL_OK       -- success (returns input if no layer negotiated)
 *  SASL_NOTDONE  -- security layer negotiation not finished
 *  SASL_BADPARAM -- input length is greater than the SASL_MAXOUTBUF
 *                   or no security layer
 *
 * decode a block of data received using security layer
 * returning the input buffer if there is no security layer.
 * output is only valid until next call to sasl_decode
 * if outputlen is 0 on return, then the value of output is undefined.
 *  SASL_OK      -- success (returns input if no layer negotiated)
 *  SASL_NOTDONE -- security layer negotiation not finished
 *  SASL_BADMAC  -- bad message integrity check

#endif /* _SASL_SASL_H */
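The realm rule in the IMPORTANT NOTE near the top of this header (rightmost "@" splits account from realm, "%" may be treated as "@", an unqualified name gets "@" + user_realm appended) and the sasl_canon_user_t callback contract (in/inlen not NUL terminated, in may alias out, SASL_BADPROT for an invalid character) are worked through below. This is an added, stand-alone example, not code from libsasl or this header; the function names canon_user_realm, realm_of, account_len, canon_rc and canon_equals are hypothetical, and the three result-code macros are local copies with the same values libsasl uses.

```c
#include <stddef.h>
#include <string.h>

/* Local copies of the libsasl result codes used here (same values as sasl.h). */
#define SASL_OK       0
#define SASL_BUFOVER -3
#define SASL_BADPROT -5

/*
 * canon_user-style helper following the header's realm rule.  The rightmost
 * "@" (or "%", treated as equivalent here) separates the account from its
 * realm; any earlier "@" stays part of the account name; an unqualified name
 * gets "@" + user_realm appended when user_realm is non-empty.  Control
 * characters are rejected with SASL_BADPROT.  in/inlen need not be NUL
 * terminated and `in` may be the same buffer as `out`, hence the staging copy.
 */
static int canon_user_realm(const char *in, unsigned inlen,
                            const char *user_realm,
                            char *out, unsigned out_max, unsigned *out_len)
{
    char tmp[256];
    unsigned i, need, sep = inlen;        /* sep == inlen means "no separator" */

    if (in == NULL || out == NULL || out_len == NULL || inlen == 0 || inlen >= sizeof tmp)
        return SASL_BADPROT;

    for (i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c < 0x20 || c == 0x7f)        /* control character: invalid */
            return SASL_BADPROT;
        if (c == '@' || c == '%')
            sep = i;                      /* keep the rightmost one */
    }
    if (sep == 0 || (sep != inlen && sep == inlen - 1))
        return SASL_BADPROT;              /* empty account or empty realm */

    memcpy(tmp, in, inlen);
    if (sep != inlen) {
        tmp[sep] = '@';                   /* normalise "%" to "@" */
        need = inlen;
    } else if (user_realm != NULL && user_realm[0] != '\0') {
        size_t rlen = strlen(user_realm);
        if (inlen + 1 + rlen >= sizeof tmp)
            return SASL_BUFOVER;
        tmp[inlen] = '@';
        memcpy(tmp + inlen + 1, user_realm, rlen);
        need = inlen + 1 + (unsigned)rlen;
    } else {
        need = inlen;                     /* no realm known: leave unqualified */
    }
    if (need + 1 > out_max)
        return SASL_BUFOVER;
    memcpy(out, tmp, need);
    out[need] = '\0';
    *out_len = need;
    return SASL_OK;
}

/* Realm of a canonical name: the text after the rightmost "@", or NULL if none. */
static const char *realm_of(const char *canon)
{
    const char *at = strrchr(canon, '@');
    return at ? at + 1 : NULL;
}

/* Length of the account part: everything before the rightmost "@". */
static size_t account_len(const char *canon)
{
    const char *at = strrchr(canon, '@');
    return at ? (size_t)(at - canon) : strlen(canon);
}

/* Convenience wrappers over NUL-terminated input for quick checks. */
static int canon_rc(const char *in, const char *user_realm, unsigned out_max)
{
    char buf[256];
    unsigned n, cap = out_max < sizeof buf ? out_max : (unsigned)sizeof buf;
    return canon_user_realm(in, (unsigned)strlen(in), user_realm, buf, cap, &n);
}

static int canon_equals(const char *in, const char *user_realm, const char *expect)
{
    char buf[256];
    unsigned n;
    if (canon_user_realm(in, (unsigned)strlen(in), user_realm, buf, sizeof buf, &n) != SASL_OK)
        return 0;
    return n == strlen(expect) && strcmp(buf, expect) == 0;
}
```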
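The variable-sized sasl_secret_t (len plus data[1]) and the getsecret callback contract described above (the structure must persist until the next getsecret call on the same connection, and the middleware erases the password data when done) are shown together below. This is an added example, not code from libsasl or this header: the struct is a local copy of the header's layout, secret_new, erase_buffer, secret_free, struct secret_ctx, getsecret_cb and secret_selfcheck are hypothetical names, the result-code macros are local copies with libsasl's values, and the password "hunter2" is a constructed sample.

```c
#include <stdlib.h>
#include <string.h>

/* Local copies of the result codes used here (same values as sasl.h). */
#define SASL_OK     0
#define SASL_NOMEM -2

/* Local copy of the header's plaintext password structure: len is the
 * length of the password and data is the text, declared variable sized. */
typedef struct sasl_secret {
    unsigned long len;
    unsigned char data[1];
} sasl_secret_t;

/* Allocate a sasl_secret_t holding len bytes plus a trailing NUL.  data[1]
 * already reserves one byte, so sizeof(sasl_secret_t) + len covers both. */
static sasl_secret_t *secret_new(const unsigned char *pass, unsigned long len)
{
    sasl_secret_t *s = malloc(sizeof(sasl_secret_t) + len);
    if (s == NULL)
        return NULL;
    s->len = len;
    memcpy(s->data, pass, len);
    s->data[len] = '\0';            /* convenience terminator, not counted in len */
    return s;
}

/* Erase a buffer the way the header's sasl_erasebuffer is meant to be used:
 * through a volatile pointer, so the stores survive dead-store elimination. */
static void erase_buffer(unsigned char *buf, unsigned long len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Release a secret: wipe the text before the memory goes back to the heap. */
static void secret_free(sasl_secret_t *s)
{
    if (s == NULL)
        return;
    erase_buffer(s->data, s->len + 1);
    s->len = 0;
    free(s);
}

/* Per-connection state for a getsecret-style callback.  The header requires
 * the returned structure to persist until the next getsecret call on the
 * same connection, so the previous one is released only on the next call. */
struct secret_ctx {
    const char    *password;     /* wherever the application obtains it from */
    sasl_secret_t *current;      /* secret currently lent to the middleware */
};

static int getsecret_cb(struct secret_ctx *ctx, sasl_secret_t **psecret)
{
    secret_free(ctx->current);   /* previous secret no longer has to persist */
    ctx->current = NULL;
    if (ctx->password == NULL) { /* NULL = user cancelled */
        *psecret = NULL;
        return SASL_OK;
    }
    ctx->current = secret_new((const unsigned char *)ctx->password,
                              (unsigned long)strlen(ctx->password));
    if (ctx->current == NULL)
        return SASL_NOMEM;
    *psecret = ctx->current;
    return SASL_OK;
}

/* Self-check: returns 1 if the allocation is sized and terminated correctly,
 * erase_buffer zeroes every byte of the text, and cancel yields NULL. */
static int secret_selfcheck(void)
{
    struct secret_ctx ctx = { "hunter2", NULL };   /* constructed sample */
    sasl_secret_t *s;
    unsigned long i;
    int ok = 1;

    if (getsecret_cb(&ctx, &s) != SASL_OK || s == NULL || s->len != 7)
        return 0;
    ok = ok && memcmp(s->data, "hunter2", 7) == 0 && s->data[7] == '\0';
    erase_buffer(s->data, s->len);  /* what the middleware does when finished */
    for (i = 0; i < s->len; i++)
        ok = ok && s->data[i] == 0;
    ctx.password = NULL;            /* next call: cancel, which frees the old one */
    ok = ok && getsecret_cb(&ctx, &s) == SASL_OK && s == NULL && ctx.current == NULL;
    return ok;
}
```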