/usr/lib/ocaml/netsys/netsys_sasl.mli is in libocamlnet-ocaml-dev 4.1.2-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 | (* $Id$ *)
(** User interface for SASL mechanisms *)
type sasl_mechanism = (module Netsys_sasl_types.SASL_MECHANISM)
type credentials =
(string * string * (string * string) list) list
(** Credentials are given as list
[(type,value,params)]. The mechanism may pick any element
of this list which are considered as equivalent.
Types are defined per mechanism. All mechanisms understand the
"password" type, which is just the cleartext password, e.g.
{[
[ "password", "ThE sEcReT", [] ]
]}
*)
module Info : sig
val mechanism_name : sasl_mechanism -> string
val client_first : sasl_mechanism -> [`Required | `Optional | `No]
(** Whether the client sends the first message:
- [`Required]: always
- [`Optional]: the client may choose to do so if the protocol
permits this
- [`No]: the server sends the first message
*)
val server_sends_final_data : sasl_mechanism -> bool
(** Whether final data from the server must be interpreted by the
mechanism
*)
val supports_authz : sasl_mechanism -> bool
(** whether the authorization name can be transmitted *)
end
module Client : sig
type session
val create_session :
mech:sasl_mechanism ->
user:string ->
authz:string ->
creds:credentials ->
params:(string * string * bool) list ->
unit ->
session
(** The new client session authenticate as [user] and authorizes as
[authz] (empty string if not applicable). The credentials are
[creds].
[user] and [authz] must be encoded in UTF-8.
The parameters are given as list [(name,value,critical)].
Critical parameters must be interpreted by the mechanism, and
unknown critical parameters must be rejected by a [Failure]
exception. Non-critical parameters are ignored if they are unknown
to the mechanism.
*)
val state : session -> Netsys_sasl_types.client_state
(** report the state (whether expecting challenges or responding) *)
val configure_channel_binding : session -> Netsys_sasl_types.cb -> session
(** Configure GS2-style channel binding *)
val restart : session -> session
(** Restart the session for another authentication round. The session
must be in state [`OK].
*)
val process_challenge :
session -> string -> session
(** Process the challenge from the server. The state must be [`Wait].
As an exception, this function can also be called for the initial
challenge from the server, even if the state is [`Emit].
*)
val emit_response :
session -> session * string
(** Emit a new response. The state must be [`Emit]. *)
val channel_binding : session -> Netsys_sasl_types.cb
(** Whether the client suggests or demands channel binding *)
val user_name : session -> string
(** The user name *)
val authz_name : session -> string
(** The authorization name *)
val stash_session :
session -> string
(** Serializes the session as string *)
val resume_session :
sasl_mechanism -> string ->
session
(** Unserializes the session *)
val session_id : session -> string option
(** Optionally return a string that can be used to identify the
client session. Not all mechanisms support this.
*)
val prop : session -> string -> string
(** Get a mechanism-specific property of the session. E.g. this can
be the "realm" sent by the server.
*)
val gssapi_props : session -> Netsys_gssapi.client_props
(** Get the GSSAPI props, or raise [Not_found] *)
end
module Server : sig
type session
type 'credentials init_credentials =
(string * string * (string * string) list) list -> 'credentials
(** A function for preparing credentials, provided by the mechanism.
The credentials are given as list
[(type,value,params)]. The mechanism may pick any element
of this list which are considered as equivalent.
Types are defined per mechanism. All mechanisms understand the
"password" type, which is just the cleartext password, e.g.
{[
[ "password", "ThE sEcReT", [] ]
]}
*)
type lookup =
{ lookup : 'c . sasl_mechanism -> 'c init_credentials -> string ->
string -> 'c option
}
(** see [create_session] *)
val create_session :
mech:sasl_mechanism ->
lookup:lookup ->
params:(string * string * bool) list ->
unit ->
session
(** Create a new server session. The [lookup] function is used to
get the credentials for a given user name and a given authorization
name (which is the empty string if not applicable). If the [lookup]
function returns [None], the user can either not be found, or the
user does not have the privileges for the authorization name.
[lookup] is called as [lookup.lookup mech init_creds user authz]. You
need to call [init_creds] back in order to prepare the credentials,
e.g.
{[
let f_lookup : 'c . sasl_mechanism -> 'c init_credentials -> string ->
string -> 'c option =
fun mech init_creds user authz =
try
let password = ... in
let creds = init_creds [ ("password", password, []) ] in
Some creds
with Not_found -> None
let lookup = {lookup = f_lookup }
]}
User name and authorization name are passed in UTF-8 encoding.
The parameters are given as list [(name,value,critical)].
Critical parameters must be interpreted by the mechanism, and
unknown critical parameters must be rejected by a [Failure]
exception. Non-critical parameters are ignored if they are unknown
to the mechanism.
*)
val process_response :
session -> string -> session
(** Process the response from the client. This function must generally
only be called when the session state is [`Wait]. As an exception,
however, this function may also be invoked with the initial client
response, even if the session state is [`Emit], so far the mechanism
permits at least optionally that the client starts the protocol.
*)
val process_response_restart :
session -> string -> bool -> session * bool
(** Process the response from the client when another session can be
continued. The string argument is the initial client response.
This function must only be called when the state reaches
[`Restart id] after [process_response], and in this case
the old session with [id] can be restarted. This function
should be called with the same message string as
[process_repsonse] was just called with.
If the bool arg is true, a stale response is created. This is
a special restart which forces the client to run through the
authentication process again, although everything else was
successful. (If the protocol does not support the stale flag, it
is silently ignored.)
Returns true if the restart is successful. If not, false is
returned. In this case, the [session] object can (and
should) still be used, but the caller must treat it as new
session. In particular, the session ID may change.
All in all, the idea of this function is best illustrated by
this authentication snippet how to process responses
(the session cache functions need to be written by the user
of this module):
{[
let update_cache() =
match session_id session with
| None -> ()
| Some id ->
replace_in_session_cache id (stash_session session) in
let rec check_state_after_response() =
match state session with
| `Restart id ->
let old_session_s, time = find_in_session_cache id in
let old_session = resume_session ~lookup old_session_s in
let set_stale = current_time - time > limit in
let cont = process_response_restart session msg set_stale in
if not cont then
delete_in_session_cache id;
(* Now check state again, should be `Emit now *)
check_state_after_response()
| `Emit ->
let out_msg = emit_challenge session in
update_cache();
...
| ... ->
in
process_response session msg;
]}
*)
val emit_challenge :
session -> session * string
(** Emit a server challenge. This function must only be called when the
session state is [`Emit].
*)
val stash_session :
session -> string
(** Serializes the session as string *)
val resume_session :
mech:sasl_mechanism ->
lookup:lookup ->
string ->
session
(** Unserializes the session, and connect with the [lookup] function. *)
val session_id : session -> string option
(** Optionally return a string that can be used to identify the
server session. Not all mechanisms support this.
*)
val prop : session -> string -> string
(** Get a mechanism-specific property of the session. E.g. this can
be the "digest-uri" sent by the client.
*)
val gssapi_props : session -> Netsys_gssapi.server_props
(** Get the GSSAPI props, or raise [Not_found] *)
val user_name : session -> string
(** The name the client has authenticated as (or [Not_found]) *)
val authz_name : session -> string
(** The name the client authorizes as (or [Not_found]) *)
val channel_binding : session -> Netsys_sasl_types.cb
(** Whether the client suggests or demands channel binding *)
end
|