This file is indexed.

/usr/lib/ocaml/netsys/netsys_sasl.mli is in libocamlnet-ocaml-dev 4.1.2-3.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
(* $Id$ *)

(** User interface for SASL mechanisms *)

type sasl_mechanism = (module Netsys_sasl_types.SASL_MECHANISM)

type credentials =
    (string * string * (string * string) list) list
  (** Credentials are given as list
      [(type,value,params)]. The mechanism may pick any element
      of this list which are considered as equivalent.

      Types are defined per mechanism. All mechanisms understand the
      "password" type, which is just the cleartext password, e.g.

      {[
        [ "password", "ThE sEcReT", [] ]
      ]}
   *)


module Info : sig
  val mechanism_name : sasl_mechanism -> string
  val client_first : sasl_mechanism -> [`Required | `Optional | `No]
      (** Whether the client sends the first message:
           - [`Required]: always
           - [`Optional]: the client may choose to do so if the protocol
             permits this
           - [`No]: the server sends the first message
       *)
  val server_sends_final_data : sasl_mechanism -> bool
      (** Whether final data from the server must be interpreted by the
          mechanism
       *)
  val supports_authz : sasl_mechanism -> bool
      (** whether the authorization name can be transmitted *)
end


module Client : sig

  type session

  val create_session : 
          mech:sasl_mechanism ->
          user:string ->
          authz:string ->
          creds:credentials ->
          params:(string * string * bool) list -> 
          unit ->
            session
      (** The new client session authenticate as [user] and authorizes as
          [authz] (empty string if not applicable). The credentials are
          [creds].

          [user] and [authz] must be encoded in UTF-8.

          The parameters are given as list [(name,value,critical)]. 
          Critical parameters must be interpreted by the mechanism, and
          unknown critical parameters must be rejected by a [Failure]
          exception. Non-critical parameters are ignored if they are unknown
          to the mechanism.
       *)

  val state : session -> Netsys_sasl_types.client_state
    (** report the state (whether expecting challenges or responding) *)

  val configure_channel_binding : session -> Netsys_sasl_types.cb -> session
    (** Configure GS2-style channel binding *)

  val restart : session -> session
      (** Restart the session for another authentication round. The session
          must be in state [`OK].
       *)

  val process_challenge :
        session -> string -> session
    (** Process the challenge from the server. The state must be [`Wait].
        As an exception, this function can also be called for the initial
        challenge from the server, even if the state is [`Emit].
     *)

  val emit_response :
        session -> session * string
    (** Emit a new response. The state must be [`Emit]. *)

  val channel_binding : session -> Netsys_sasl_types.cb
    (** Whether the client suggests or demands channel binding *)

  val user_name : session -> string
    (** The user name *)

  val authz_name : session -> string
    (** The authorization name *)

  val stash_session :
        session -> string
    (** Serializes the session as string *)

  val resume_session :
        sasl_mechanism -> string -> 
           session
    (** Unserializes the session *)

  val session_id : session -> string option
    (** Optionally return a string that can be used to identify the
        client session. Not all mechanisms support this.
     *)

  val prop : session -> string -> string
    (** Get a mechanism-specific property of the session. E.g. this can
        be the "realm" sent by the server.
     *)

  val gssapi_props : session -> Netsys_gssapi.client_props
    (** Get the GSSAPI props, or raise [Not_found] *)

end


module Server : sig
  type session

  type 'credentials init_credentials =
      (string * string * (string * string) list) list -> 'credentials
    (** A function for preparing credentials, provided by the mechanism.
        The credentials are given as list
        [(type,value,params)]. The mechanism may pick any element
        of this list which are considered as equivalent.

        Types are defined per mechanism. All mechanisms understand the
        "password" type, which is just the cleartext password, e.g.

        {[
          [ "password", "ThE sEcReT", [] ]
        ]}
       *)

  type lookup =
      { lookup : 'c . sasl_mechanism -> 'c init_credentials -> string ->
                 string -> 'c option
      }
    (** see [create_session] *)


  val create_session :
        mech:sasl_mechanism ->
        lookup:lookup ->
        params:(string * string * bool) list -> 
        unit ->
            session
      (** Create a new server session. The [lookup] function is used to
          get the credentials for a given user name and a given authorization
          name (which is the empty string if not applicable). If the [lookup]
          function returns [None], the user can either not be found, or the
          user does not have the privileges for the authorization name.

          [lookup] is called as [lookup.lookup mech init_creds user authz]. You
          need to call [init_creds] back in order to prepare the credentials,
          e.g.

          {[
  let f_lookup : 'c . sasl_mechanism -> 'c init_credentials -> string ->
                string -> 'c option =
    fun mech init_creds user authz =
      try
        let password = ... in
        let creds = init_creds [ ("password", password, []) ] in
        Some creds
      with Not_found -> None

  let lookup = {lookup = f_lookup }
          ]}

          User name and authorization name are passed in UTF-8 encoding.

          The parameters are given as list [(name,value,critical)]. 
          Critical parameters must be interpreted by the mechanism, and
          unknown critical parameters must be rejected by a [Failure]
          exception. Non-critical parameters are ignored if they are unknown
          to the mechanism.
       *)

  val process_response :
        session -> string -> session
    (** Process the response from the client. This function must generally
        only be called when the session state is [`Wait]. As an exception,
        however, this function may also be invoked with the initial client
        response, even if the session state is [`Emit], so far the mechanism
        permits at least optionally that the client starts the protocol.
     *)

  val process_response_restart :
        session -> string -> bool -> session * bool
    (** Process the response from the client when another session can be
        continued. The string argument is the initial client response.
        This function must only be called when the state reaches
        [`Restart id] after [process_response], and in this case
        the old session with [id] can be restarted. This function
        should be called with the same message string as
        [process_repsonse] was just called with.

        If the bool arg is true, a stale response is created. This is
        a special restart which forces the client to run through the
        authentication process again, although everything else was
        successful. (If the protocol does not support the stale flag, it
        is silently ignored.)

        Returns true if the restart is successful. If not, false is
        returned. In this case, the [session] object can (and
        should) still be used, but the caller must treat it as new
        session. In particular, the session ID may change.

        All in all, the idea of this function is best illustrated by
        this authentication snippet how to process responses
        (the session cache functions need to be written by the user
        of this module):

        {[
let update_cache() =
  match session_id session with
    | None -> ()
    | Some id ->
        replace_in_session_cache id (stash_session session) in

let rec check_state_after_response() =
  match state session with
    | `Restart id ->
         let old_session_s, time = find_in_session_cache id in
         let old_session = resume_session ~lookup old_session_s in
         let set_stale = current_time - time > limit in
         let cont = process_response_restart session msg set_stale in
         if not cont then 
           delete_in_session_cache id;
         (* Now check state again, should be `Emit now *)
         check_state_after_response()
    | `Emit ->
         let out_msg = emit_challenge session in
         update_cache();
         ...
    | ... ->
in
process_response session msg;

        ]}
     *)

  val emit_challenge :
        session -> session * string
    (** Emit a server challenge. This function must only be called when the
        session state is [`Emit].
     *)

  val stash_session :
        session -> string
    (** Serializes the session as string *)

  val resume_session :
        mech:sasl_mechanism ->
        lookup:lookup ->
        string -> 
           session
    (** Unserializes the session, and connect with the [lookup] function. *)

  val session_id : session -> string option
    (** Optionally return a string that can be used to identify the
        server session. Not all mechanisms support this.
     *)

  val prop : session -> string -> string
    (** Get a mechanism-specific property of the session. E.g. this can
        be the "digest-uri" sent by the client.
     *)

  val gssapi_props : session -> Netsys_gssapi.server_props
    (** Get the GSSAPI props, or raise [Not_found] *)

  val user_name : session -> string
    (** The name the client has authenticated as (or [Not_found]) *)

  val authz_name : session -> string
    (** The name the client authorizes as (or [Not_found]) *)

  val channel_binding : session -> Netsys_sasl_types.cb
    (** Whether the client suggests or demands channel binding *)

end