| sasl.h | sasl.h | |||
|---|---|---|---|---|
| skipping to change at line 245 | skipping to change at line 245 | |||
| /* These are the various security flags apps can specify. */ | /* These are the various security flags apps can specify. */ | |||
| /* NOPLAINTEXT -- don't permit mechanisms susceptible to simple | /* NOPLAINTEXT -- don't permit mechanisms susceptible to simple | |||
| * passive attack (e.g., PLAIN, LOGIN) | * passive attack (e.g., PLAIN, LOGIN) | |||
| * NOACTIVE -- protection from active (non-dictionary) attacks | * NOACTIVE -- protection from active (non-dictionary) attacks | |||
| * during authentication exchange. | * during authentication exchange. | |||
| * Authenticates server. | * Authenticates server. | |||
| * NODICTIONARY -- don't permit mechanisms susceptible to passive | * NODICTIONARY -- don't permit mechanisms susceptible to passive | |||
| * dictionary attack | * dictionary attack | |||
| * FORWARD_SECRECY -- require forward secrecy between sessions | * FORWARD_SECRECY -- require forward secrecy between sessions | |||
| * (breaking one won't help break next) | * (breaking one won't help break next) | |||
| * MAXIMUM -- require all security attributes | * NOANONYMOUS -- don't permit mechanisms that allow anonymous log | |||
| * known by the library at runtime | in | |||
| * PASS_CREDENTIALS -- prefer mechanisms which pass client | * PASS_CREDENTIALS -- require mechanisms which pass client | |||
| * credentials (if available), | * credentials, and allow mechanisms which can pass | |||
| * and allow mechanisms which can pass | ||||
| * credentials to do so | * credentials to do so | |||
| */ | */ | |||
| #define SASL_SEC_NOPLAINTEXT (0x0001) | #define SASL_SEC_NOPLAINTEXT (0x0001) | |||
| #define SASL_SEC_NOACTIVE (0x0002) | #define SASL_SEC_NOACTIVE (0x0002) | |||
| #define SASL_SEC_NODICTIONARY (0x0004) | #define SASL_SEC_NODICTIONARY (0x0004) | |||
| #define SASL_SEC_FORWARD_SECRECY (0x0008) | #define SASL_SEC_FORWARD_SECRECY (0x0008) | |||
| #define SASL_SEC_MAX_DEFINED (0x000F) | #define SASL_SEC_NOANONYMOUS (0x0010) | |||
| #define SASL_SEC_MAXIMUM (0x0100) | ||||
| #define SASL_SEC_PASS_CREDENTIALS (0x0200) | #define SASL_SEC_PASS_CREDENTIALS (0x0200) | |||
| typedef struct sasl_security_properties | typedef struct sasl_security_properties | |||
| { | { | |||
| /* security strength factor | /* security strength factor | |||
| * min_ssf = minimum acceptable final level | * min_ssf = minimum acceptable final level | |||
| * max_ssf = maximum acceptable final level | * max_ssf = maximum acceptable final level | |||
| */ | */ | |||
| sasl_ssf_t min_ssf; | sasl_ssf_t min_ssf; | |||
| sasl_ssf_t max_ssf; | sasl_ssf_t max_ssf; | |||
| skipping to change at line 385 | skipping to change at line 382 | |||
| * library call). | * library call). | |||
| * returns: | * returns: | |||
| * SASL_OK -- no error | * SASL_OK -- no error | |||
| * SASL_FAIL -- error | * SASL_FAIL -- error | |||
| */ | */ | |||
| typedef int sasl_getpath_t(void * context, | typedef int sasl_getpath_t(void * context, | |||
| char ** path); | char ** path); | |||
| #define SASL_CB_GETPATH (3) | #define SASL_CB_GETPATH (3) | |||
| /* verify file callback -- this allows applications to check if they | ||||
| * want SASL to use files, file by file. This is intended to allow | ||||
| * applications to sanity check the environment to make sure plugins | ||||
| * or the configuration file can't be written to, etc. | ||||
| * inputs: | ||||
| * context -- verifypath context from the callback record | ||||
| * file -- full path to file to verify | ||||
| * returns: | ||||
| * SASL_OK -- no error (file can safely be used) | ||||
| * SASL_CONTINUE -- continue WITHOUT using this file | ||||
| * SASL_FAIL -- error | ||||
| */ | ||||
| typedef int sasl_verifyfile_t(void * context, | ||||
| const char * file); | ||||
| #define SASL_CB_VERIFYFILE (4) | ||||
| /* client/user interaction callbacks: | /* client/user interaction callbacks: | |||
| */ | */ | |||
| /* Simple prompt -- result must persist until next call to getsimple or | /* Simple prompt -- result must persist until next call to getsimple or | |||
| * until connection context is disposed | * until connection context is disposed | |||
| * inputs: | * inputs: | |||
| * context -- context from callback structure | * context -- context from callback structure | |||
| * id -- callback id | * id -- callback id | |||
| * outputs: | * outputs: | |||
| * result -- set to NUL terminated string | * result -- set to NUL terminated string | |||
| * NULL = user cancel | * NULL = user cancel | |||
| skipping to change at line 541 | skipping to change at line 556 | |||
| * returns: | * returns: | |||
| * SASL_OK -- value set | * SASL_OK -- value set | |||
| * SASL_BADPARAM -- invalid property or value | * SASL_BADPARAM -- invalid property or value | |||
| */ | */ | |||
| LIBSASL_API int sasl_setprop(sasl_conn_t *conn, | LIBSASL_API int sasl_setprop(sasl_conn_t *conn, | |||
| int propnum, | int propnum, | |||
| const void *value); | const void *value); | |||
| #define SASL_SSF_EXTERNAL 100 /* external SSF active -- | #define SASL_SSF_EXTERNAL 100 /* external SSF active -- | |||
| * sasl_external_properties_t */ | * sasl_external_properties_t */ | |||
| #define SASL_SEC_PROPS 101 /* sasl_security_properties_t */ | #define SASL_SEC_PROPS 101 /* sasl_security_properties_t */ | |||
| /* also allows SASL_IP_LOCAL, SASL_IP_REMOTE */ | ||||
| /* do precalculations during an idle period or network round trip | /* do precalculations during an idle period or network round trip | |||
| * may pass NULL to precompute for some mechanisms prior to connect | * may pass NULL to precompute for some mechanisms prior to connect | |||
| * returns 1 if action taken, 0 if no action taken | * returns 1 if action taken, 0 if no action taken | |||
| */ | */ | |||
| LIBSASL_API int sasl_idle(sasl_conn_t *conn); | LIBSASL_API int sasl_idle(sasl_conn_t *conn); | |||
| /************** | /************** | |||
| * Client API * | * Client API * | |||
| **************/ | **************/ | |||
| skipping to change at line 690 | skipping to change at line 706 | |||
| * SASL_OK -- success | * SASL_OK -- success | |||
| * SASL_BADPARAM -- error in config file | * SASL_BADPARAM -- error in config file | |||
| * SASL_NOMEM -- memory failure | * SASL_NOMEM -- memory failure | |||
| * SASL_BADVERS -- Mechanism version mismatch | * SASL_BADVERS -- Mechanism version mismatch | |||
| */ | */ | |||
| LIBSASL_API int sasl_server_init(const sasl_callback_t *callbacks, | LIBSASL_API int sasl_server_init(const sasl_callback_t *callbacks, | |||
| const char *appname); | const char *appname); | |||
| /* create context for a single SASL connection | /* create context for a single SASL connection | |||
| * service -- registered name of the service using SASL (e.g. "imap ") | * service -- registered name of the service using SASL (e.g. "imap ") | |||
| * local_domain -- Fully qualified local domain name. May be NULL | * serverFQDN -- Fully qualified server domain name. NULL means use | |||
| * for default domain. Useful for multi-homed servers. | * gethostname(). Useful for multi-homed servers. | |||
| * user_domain -- permits multiple user domains on server, NULL = defau | * user_realm -- permits multiple user domains on server, NULL = defau | |||
| lt | lt | |||
| * callbacks -- callbacks (e.g., authorization, lang, new getopt cont ext) | * callbacks -- callbacks (e.g., authorization, lang, new getopt cont ext) | |||
| * secflags -- security flags (see above) | * secflags -- security flags (see above) | |||
| * returns: | * returns: | |||
| * pconn -- new connection context | * pconn -- new connection context | |||
| * | * | |||
| * returns: | * returns: | |||
| * SASL_OK -- success | * SASL_OK -- success | |||
| * SASL_NOMEM -- not enough memory | * SASL_NOMEM -- not enough memory | |||
| */ | */ | |||
| LIBSASL_API int sasl_server_new(const char *service, | LIBSASL_API int sasl_server_new(const char *service, | |||
| const char *local_domain, | const char *serverFQDN, | |||
| const char *user_domain, | const char *user_realm, | |||
| const sasl_callback_t *callbacks, | const sasl_callback_t *callbacks, | |||
| int secflags, | int secflags, | |||
| sasl_conn_t **pconn); | sasl_conn_t **pconn); | |||
| /* This returns a list of mechanisms in a NUL-terminated string | /* This returns a list of mechanisms in a NUL-terminated string | |||
| * user -- restricts mechanisms to those available to that user | * user -- restricts mechanisms to those available to that user | |||
| * (may be NULL) | * (may be NULL) | |||
| * prefix -- appended to beginning of result | * prefix -- appended to beginning of result | |||
| * sep -- appended between mechanisms | * sep -- appended between mechanisms | |||
| * suffix -- appended to end of result | * suffix -- appended to end of result | |||
| skipping to change at line 781 | skipping to change at line 797 | |||
| LIBSASL_API int sasl_server_step(sasl_conn_t *conn, | LIBSASL_API int sasl_server_step(sasl_conn_t *conn, | |||
| const char *clientin, | const char *clientin, | |||
| unsigned clientinlen, | unsigned clientinlen, | |||
| char **serverout, | char **serverout, | |||
| unsigned *serveroutlen, | unsigned *serveroutlen, | |||
| const char **errstr); | const char **errstr); | |||
| /* check if a plaintext password is valid | /* check if a plaintext password is valid | |||
| * if user is NULL, check if plaintext is enabled | * if user is NULL, check if plaintext is enabled | |||
| * inputs: | * inputs: | |||
| * user -- user to query in current user_domain | * user -- user to query in current user_realm | |||
| * userlen -- length of username, 0 = strlen(user) | * userlen -- length of username, 0 = strlen(user) | |||
| * pass -- plaintext password to check | * pass -- plaintext password to check | |||
| * passlen -- length of password, 0 = strlen(pass) | * passlen -- length of password, 0 = strlen(pass) | |||
| * outputs: | * outputs: | |||
| * errstr -- set to error message for use in protocols | * errstr -- set to error message for use in protocols | |||
| * returns | * returns | |||
| * SASL_OK -- success | * SASL_OK -- success | |||
| * SASL_NOMECH -- user found, but no verifier | * SASL_NOMECH -- user found, but no verifier | |||
| * SASL_NOUSER -- user not found | * SASL_NOUSER -- user not found | |||
| */ | */ | |||
| LIBSASL_API int sasl_checkpass(sasl_conn_t *conn, | LIBSASL_API int sasl_checkpass(sasl_conn_t *conn, | |||
| const char *user, | const char *user, | |||
| unsigned userlen, | unsigned userlen, | |||
| const char *pass, | const char *pass, | |||
| unsigned passlen, | unsigned passlen, | |||
| const char **errstr); | const char **errstr); | |||
| /* check if a user exists on server | /* check if a user exists on server | |||
| * service -- registered name of the service using SASL (e.g. "imap" ) | * service -- registered name of the service using SASL (e.g. "imap" ) | |||
| * user_domain -- permits multiple user domains on server, NULL = defaul t | * user_realm -- permits multiple user domains on server, NULL = defaul t | |||
| * user -- NUL terminated user name | * user -- NUL terminated user name | |||
| * | * | |||
| * returns: | * returns: | |||
| * SASL_OK -- success | * SASL_OK -- success | |||
| * SASL_DISABLED -- account disabled | * SASL_DISABLED -- account disabled | |||
| * SASL_NOUSER -- user not found | * SASL_NOUSER -- user not found | |||
| * SASL_NOMECH -- user found, but no usable mechanism | * SASL_NOMECH -- user found, but no usable mechanism | |||
| */ | */ | |||
| LIBSASL_API int sasl_user_exists(const char *service, | LIBSASL_API int sasl_user_exists(const char *service, | |||
| const char *user_domain, | const char *user_realm, | |||
| const char *user); | const char *user); | |||
| /* set the password for a user | /* set the password for a user | |||
| * conn -- SASL connection | * conn -- SASL connection | |||
| * user -- user name | * user -- user name | |||
| * pass -- plaintext password, may be NULL to remove user | * pass -- plaintext password, may be NULL to remove user | |||
| * passlen -- length of password, 0 = strlen(pass) | * passlen -- length of password, 0 = strlen(pass) | |||
| * flags -- see flags below | * flags -- see flags below | |||
| * errstr -- optional more detailed error | * errstr -- optional more detailed error | |||
| * | * | |||
| End of changes. 9 change blocks. | ||||
| 16 lines changed or deleted | 33 lines changed or added | |||
| saslplug.h | saslplug.h | |||
|---|---|---|---|---|
| /* saslplug.h -- API for SASL plug-ins | /* saslplug.h -- API for SASL plug-ins | |||
| */ | */ | |||
| #ifndef SASLPLUG_H | #ifndef SASLPLUG_H | |||
| #define SASLPLUG_H 1 | #define SASLPLUG_H 1 | |||
| #ifndef MD5_H | #ifndef MD5GLOBAL_H | |||
| #include "md5global.h" | #include "md5global.h" | |||
| #define MD5GLOBAL_H 1 | ||||
| #endif | ||||
| #ifndef MD5_H | ||||
| #include "md5.h" | #include "md5.h" | |||
| #endif | #endif | |||
| #ifndef HMAC_MD5_H | #ifndef HMAC_MD5_H | |||
| #include "hmac-md5.h" | #include "hmac-md5.h" | |||
| #endif | #endif | |||
| /* callback to lookup a property from a SASL connection state | /* callback to lookup a property from a SASL connection state | |||
| * input: | * input: | |||
| * conn -- the connection to get a property from | * conn -- the connection to get a property from | |||
| * propnum -- property number | * propnum -- property number | |||
| skipping to change at line 95 | skipping to change at line 98 | |||
| void (*hmac_md5_precalc)(HMAC_MD5_STATE *, const unsigned char *key, | void (*hmac_md5_precalc)(HMAC_MD5_STATE *, const unsigned char *key, | |||
| int len); | int len); | |||
| void (*hmac_md5_import)(HMAC_MD5_CTX *, HMAC_MD5_STATE *); | void (*hmac_md5_import)(HMAC_MD5_CTX *, HMAC_MD5_STATE *); | |||
| /* mechanism utility functions (same as above): */ | /* mechanism utility functions (same as above): */ | |||
| int (*mkchal)(sasl_conn_t *conn, char *buf, unsigned maxlen, int hostfl ag); | int (*mkchal)(sasl_conn_t *conn, char *buf, unsigned maxlen, int hostfl ag); | |||
| int (*utf8verify)(const char *str, unsigned len); | int (*utf8verify)(const char *str, unsigned len); | |||
| void (*rand)(sasl_rand_t *rpool, char *buf, unsigned len); | void (*rand)(sasl_rand_t *rpool, char *buf, unsigned len); | |||
| void (*churn)(sasl_rand_t *rpool, const char *data, unsigned len); | void (*churn)(sasl_rand_t *rpool, const char *data, unsigned len); | |||
| /* current CMU hack. DO NOT USE EXCEPT IN PLAIN */ | ||||
| int (*checkpass)(const char *mech, const char *service, | ||||
| const char *user, const char *pass); | ||||
| /* callback function */ | /* callback function */ | |||
| sasl_getcallback_t *getcallback; | sasl_getcallback_t *getcallback; | |||
| /* logging */ | /* logging */ | |||
| int (*log)(sasl_conn_t *conn, | int (*log)(sasl_conn_t *conn, | |||
| int priority, | int priority, | |||
| const char *plugin_name, | const char *plugin_name, | |||
| int sasl_error, /* %z */ | int sasl_error, /* %z */ | |||
| int errno, /* %m */ | int errno, /* %m */ | |||
| const char *format, | const char *format, | |||
| skipping to change at line 189 | skipping to change at line 196 | |||
| /****************************** | /****************************** | |||
| * Client Mechanism Functions * | * Client Mechanism Functions * | |||
| ******************************/ | ******************************/ | |||
| /* input parameters to client SASL plugin | /* input parameters to client SASL plugin | |||
| */ | */ | |||
| typedef struct sasl_client_params { | typedef struct sasl_client_params { | |||
| const char *service; /* service name */ | const char *service; /* service name */ | |||
| const char *pass; /* plaintext passphrase, if used */ | const char *pass; /* plaintext passphrase, if used */ | |||
| const char *serverFQDN; /* server fully qualified domain name */ | const char *serverFQDN; /* server fully qualified domain name */ | |||
| const char *local_domain; /* client's local domain name */ | const char *clientFQDN; /* client's local domain name */ | |||
| sasl_utils_t *utils; /* SASL API utility routines */ | sasl_utils_t *utils; /* SASL API utility routines */ | |||
| sasl_mech_secret_t *secret; /* mech-specific decrypted secret */ | sasl_mech_secret_t *secret; /* mech-specific decrypted secret */ | |||
| /* application's security requirements & info */ | /* application's security requirements & info */ | |||
| sasl_security_properties_t props; | sasl_security_properties_t props; | |||
| sasl_ssf_t external_ssf; /* external SSF active */ | sasl_ssf_t external_ssf; /* external SSF active */ | |||
| /* set to 0 initially, this allows a plugin with extended parameters | /* set to 0 initially, this allows a plugin with extended parameters | |||
| * to work with an older framework by updating version as parameters | * to work with an older framework by updating version as parameters | |||
| * are added. | * are added. | |||
| skipping to change at line 327 | skipping to change at line 334 | |||
| /******************** | /******************** | |||
| * Server Functions * | * Server Functions * | |||
| ********************/ | ********************/ | |||
| /* input parameters to server SASL plugin | /* input parameters to server SASL plugin | |||
| */ | */ | |||
| typedef struct sasl_server_params { | typedef struct sasl_server_params { | |||
| const char *service; /* NULL = default service for user_exists | const char *service; /* NULL = default service for user_exists | |||
| and setpass */ | and setpass */ | |||
| const char *appname; /* name of calling application */ | const char *appname; /* name of calling application */ | |||
| const char *local_domain; /* local domain name */ | const char *serverFQDN; /* local domain name */ | |||
| const char *user_domain; /* set of users who are active */ | const char *user_realm; /* set of users who are active */ | |||
| sasl_utils_t *utils; /* SASL API utility routines */ | sasl_utils_t *utils; /* SASL API utility routines */ | |||
| /* application's security requirements */ | /* application's security requirements */ | |||
| sasl_security_properties_t props; | sasl_security_properties_t props; | |||
| sasl_ssf_t external_ssf; /* external SSF active */ | sasl_ssf_t external_ssf; /* external SSF active */ | |||
| /* server plug-in calls this when it first has access to the plaintext | /* server plug-in calls this when it first has access to the plaintext | |||
| * passphrase. This is used to transition users via setpass calls. | * passphrase. This is used to transition users via setpass calls. | |||
| * If passlen is 0, it defaults to strlen(pass). | * If passlen is 0, it defaults to strlen(pass). | |||
| * returns 0 if no entry added, 1 if entry added | * returns 0 if no entry added, 1 if entry added | |||
| End of changes. 5 change blocks. | ||||
| 4 lines changed or deleted | 11 lines changed or added | |||