GNU SASL Library - Libgsasl

Table of Contents

• Introduction
• Goals
• Documentation and Status
• Support
• News
• Downloading
• Development
• Dependencies
• Bugs

Introduction

GNU SASL is an implementation of the Simple Authentication and Security Layer framework and a few common SASL mechanisms. SASL is used by network servers (e.g., IMAP, SMTP) to request authentication from clients, and in clients to authenticate against servers.

GNU SASL consists of a library (`libgsasl'), a command line utility (`gsasl') to access the library from the shell, and a manual. The library includes support for the SASL framework (with authentication functions and application data privacy and integrity functions) and at least partial support for the CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID, DIGEST-MD5, LOGIN, NTLM and KERBEROS_V5 mechanisms.

The library is portable because it does not do network communication by itself, but rather leaves it up to the calling application. The library is flexible with regards to the authorization infrastructure used, as it utilizes callbacks into the application to decide whether an user is authorized or not.

GNU SASL is written in pure ANSI C89 to be portable to embedded and otherwise limited platforms. The entire library, with full support for ANONYMOUS, EXTERNAL, PLAIN, LOGIN and CRAM-MD5, and the front-end that support client and server mode, and the IMAP and SMTP protocols, fits in under 60kb on an Intel x86 platform, without any modifications to the code.

GNU SASL is developed for the GNU/Linux system, but runs on over 20 platforms including most major Unix platforms and Windows, and many kind of devices including iPAQ handhelds and S/390 mainframes.

For more information:

• RFC 4422, the core SASL specification
• RFC 4505, the ANONYMOUS mechanism

The core GNU SASL library, and most mechanisms, are licensed under the GNU Lesser General Public License. It is distributed separately, as the "libgsasl" package. The GNU SASL command line application, self test suite and more are licensed under the GNU General Public License. The "gsasl" package distribution includes the library part as well, so you do not need to install two packages.

Goals

Clean room implementation

This means the copyright and license conditions are clear.

Internationalization

It handles non-ASCII username and passwords by using SASLprep. User visible strings used in the library (error messages) can be translated into the users' language.

Thread safe library

This library uses no global state and multiple concurrent SASL sessions are possibly (e.g. in a multithreaded server).

Portable

It should work on all Unix like operating systems, including Windows. The library itself should be portable to any C89 system, not even POSIX is required.

Documentation and Status

Refer to the GNU SASL Manual web page for links to the manual in all formats; however, quick links to the most popular formats:

• Online HTML manual
• PDF manual
• API reference in HTML

Currently the ANONYMOUS, EXTERNAL, PLAIN, LOGIN, SECURID, and CRAM-MD5 mechanisms are fully implemented in both client and server mode. The NTLM mechanism is implemented in client mode only. DIGEST-MD5 and GSSAPI are implemented in client and server mode, but not all features are supported (e.g., no security layers nor fast resumption).

The library has received very little real-world testing and should be considered alpha quality.

Projects using GNU SASL include:

• GNU Emacs, in the Gnus MUA.
• GNU Mailutils.
• GNU Anubis.
• MSMTP.
• MPOP.
• VMIME.
• Vortex Library, a BEEP stack.

Let us know about more projects that use GNU SASL!

Support

A mailing list where GNU SASL users may help each other exists, and you can reach it by sending e-mail to help-gsasl@gnu.org. Archives of the mailing list discussions, and an interface to manage subscriptions, is available through the World Wide Web at http://lists.gnu.org/mailman/listinfo/help-gsasl.

If you are interested in paid support of GNU SASL, or sponsor the development, please contact me. If you provide paid services for GNU SASL, and would like to be mentioned here, also contact me.

If you find GNU SASL useful, please consider making a donation. No amount is too small!

News

• 2006-06-14: Newly released version 0.2.13 works well under Windows.
• 2004-11-07: A new major release, version 0.2.0, has been released.
• 2004-04-16: The license for the core library, and most common mechanisms, is being changed to LGPL. A release candidate of 0.0.15 with this change is available.
• 2004-01-01: Savannah had problems last month, and still isn't operating fully. CVS has been moved to a private machine, a read-only mirror of it will hopefully be available via Savannah in the future.
• 2003-10-11 Version 0.0.8 includes API for SASLprep/trace string preparation, improved portability, and more.
• 2003-06-02 The GSSAPI mechanism now supports GSS and Heimdal, besides MIT Kerberos.
• 2003-03-17 Debian includes libgsasl, thanks to Ryan M. Golbeck.
• 2003-02-02 The KERBEROS_V5 document is updated with examples from our library used in GNU Mailutil's imap4d server.
• 2003-01-30 Implementation of our KERBEROS_V5 mechanism proposal started, using Shishi.
• 2002-12-16 gnu.org web pages opened and development moved to savannah.
• 2002-12-13 Version 0.0.4 renames the package from "libgsasl" to GNU SASL and the license is changed to the GPL.
• 2002-12-09 Official GNU project.
• 2002-10-07 Initial release of version 0.0.0.

Information on what is new in the package itself can be found in the NEWS file (live CVS version).

Downloading

The releases are distributed from ftp://alpha.gnu.org/pub/gnu/gsasl/ and http://josefsson.org/gsasl/releases/.

All official releases are signed with an OpenPGP key with fingerprint 0xB565716F.

Development

GNU SASL is developed in CVS on a private machine. At irregular intervals, it is synchronized against a publicly available machine (just press enter at the password prompt):

$ cvs -d :pserver:anoncvs@yxa.extundo.com:/home/cvs/public-cvs login
Logging in to :pserver:anoncvs@yxa.extundo.com:2401/home/cvs/public-cvs
CVS password:
$ cvs -d :pserver:anoncvs@yxa.extundo.com:/home/cvs/public-cvs co gsasl

See the file README-alpha on how to bootstrap and build the package from CVS.

If you only wish to extract the code covered by LGPL, do as follows:

$ cvs -d :pserver:anoncvs@yxa.extundo.com:/home/cvs/public-cvs co gsasl/lib

This package is simpler to bootstrap, as it only includes a library and no manual or programs, but see lib/README-alpha for the full story.

The online CVS repository is available, and there is also some CVS statistics.

A log of recent CVS activity is also available. If you prefer a mailing list, notifications of each CVS change is also sent to gsasl-commit@gnu.org.

If you have trouble using CVS, you may download a daily snapshot. The snapshots are prepared similar to regular releases, i.e., you simply build them using ./configure && make.

Before each release, the package is built on many platforms. The latest results from the autobuilder are available online.

Dependencies

You need at least a shell, a C compiler and a Make tool to build GNU SASL.

GNU SASL will enable certain features if you have the following optional external libraries installed:

• Non-ASCII support (e.g., username and passwords): GNU Libidn
• NTLM mechanism: libntlm 0.3.1 or later
• GSSAPI mechanism: GNU GSSLib, MIT Kerberos, Heimdal
• KERBEROS_V5 mechanism: GNU Shishi

Bugs

Report all problems to bug-gsasl@gnu.org, but please read the manual on how to report bugs first.

Return to GNU's home page.

Please send FSF & GNU inquiries & questions to gnu@gnu.org. There are also other ways to contact the FSF.

Please send comments on these web pages to webmasters@gnu.org, send other questions to gnu@gnu.org.

Copyright © 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.

Updated: $Date: 2006/11/24 08:37:28 $ $Author: ramprasadb $