/*
 * Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * saslplug.h -- API for SASL plug-ins
 *
 * Declares the function tables exchanged between the SASL glue code and
 * mechanism plug-ins: the utility set handed to a plug-in (sasl_utils_t),
 * the parameter and result structures of an authentication exchange, and
 * the plug-in object itself. Plug-ins run inside the calling process, so
 * every buffer a plug-in receives from the wire must be treated as
 * untrusted and every length argument respected as a hard bound.
 */

#ifndef _SASL_SASLPLUG_H
#define _SASL_SASLPLUG_H

#ifndef _SASL_SASL_H
#include <sasl/sasl.h>
#endif

#ifndef _MD5_H
#include <md5.h>
#endif /* _MD5_H */

#ifdef __cplusplus
extern "C" {
#endif

/*
 * intermediate MD5 context
 *
 * Inner and outer MD5 contexts of an HMAC-MD5 computation; both are
 * derived from the key by hmac_md5_init (see sasl_utils_t below), so a
 * plug-in should scrub them once the key's lifetime ends.
 */
typedef struct HMAC_MD5_CTX_s {
    MD5_CTX ictx, octx;
} HMAC_MD5_CTX;

/*
 * intermediate HMAC state
 * values stored in network byte order (Big Endian)
 *
 * Precomputed from a key by hmac_md5_precalc and re-imported by
 * hmac_md5_import. Whoever holds this state can produce valid HMACs for
 * the key, so it must be protected exactly like the key itself.
 */
typedef struct HMAC_MD5_STATE_s {
    uint32_t istate[4];
    uint32_t ostate[4];
} HMAC_MD5_STATE;

/*
 * callback to lookup a sasl_callback_t for a connection
 * input:
 *  conn        -- the connection to lookup a callback for
 *  callbackid  -- the number of the callback
 * output:
 *  pproc       -- pointer to the callback function (set to NULL on failure)
 *  pcontext    -- pointer to the callback context (set to NULL on failure)
 * returns:
 *  SASL_OK       -- no error
 *  SASL_FAIL     -- unable to find a callback of the requested type
 *  SASL_INTERACT -- caller must use interaction to get data
 *
 * pproc is an old-style "()" function pointer: the argument list is
 * unspecified here, so the caller must know the prototype that belongs
 * to callbackid before invoking it.
 */
typedef int sasl_getcallback_t(sasl_conn_t *conn,
                               unsigned long callbackid,
                               int (**pproc)(),
                               void **pcontext);

/*
 * The sasl_utils structure will remain backwards compatible unless
 * the SASL_*_PLUG_VERSION is changed incompatibly
 * higher SASL_UTILS_VERSION numbers indicate more functions are available
 */
#define SASL_UTILS_VERSION 4

/*
 * utility function set for plug-ins
 *
 * Filled in by the glue code and handed to a plug-in. All pointers are
 * owned by the glue code; a plug-in only calls through them.
 */
typedef struct sasl_utils {
    /*
     * Version of this table. Members are appended in later versions, so a
     * plug-in should compare this against SASL_UTILS_VERSION before using
     * a member that was not present in the version it was built against.
     */
    int version;

    /* contexts */
    sasl_conn_t *conn;
    sasl_rand_t *rpool;
    void *getopt_context;

    /* option function */
    sasl_getopt_t *getopt;

    /* allocation functions: */
    sasl_malloc_t *malloc;
    sasl_calloc_t *calloc;
    sasl_realloc_t *realloc;
    sasl_free_t *free;

    /* mutex functions: */
    sasl_mutex_alloc_t *mutex_alloc;
    sasl_mutex_lock_t *mutex_lock;
    sasl_mutex_unlock_t *mutex_unlock;
    sasl_mutex_free_t *mutex_free;

    /*
     * MD5 hash and HMAC functions
     *
     * Provided for mechanisms whose specifications require MD5 / HMAC-MD5.
     * MD5 is not collision resistant and is not a building block for new
     * designs. Note the signed "int" length parameters on the hmac_md5
     * family: callers must never pass a negative or otherwise unchecked
     * length, as the signature itself does not reject one.
     */
    void (*MD5Init)(MD5_CTX *);
    void (*MD5Update)(MD5_CTX *, const unsigned char *text, unsigned int len);
    void (*MD5Final)(unsigned char [16], MD5_CTX *);
    void (*hmac_md5)(const unsigned char *text, int text_len,
                     const unsigned char *key, int key_len,
                     unsigned char [16]);
    void (*hmac_md5_init)(HMAC_MD5_CTX *, const unsigned char *key, int len);
    /* hmac_md5_update() is just a call to MD5Update on inner context (ictx) */
    void (*hmac_md5_final)(unsigned char [16], HMAC_MD5_CTX *);
    void (*hmac_md5_precalc)(HMAC_MD5_STATE *,
                             const unsigned char *key, int len);
    void (*hmac_md5_import)(HMAC_MD5_CTX *, HMAC_MD5_STATE *);

    /*
     * mechanism utility functions (same as above):
     *
     *  mkchal     -- writes a challenge into buf, bounded by maxlen
     *  utf8verify -- checks that str[0..len) is well-formed UTF-8; use it
     *                on peer-supplied strings before treating them as text
     *                (return convention not shown here; presumably a
     *                SASL_* code -- confirm against the implementation)
     *  rand       -- fills buf with len bytes drawn from rpool
     *  churn      -- mixes len bytes of data into rpool
     */
    int (*mkchal)(sasl_conn_t *conn, char *buf, unsigned maxlen,
                  unsigned hostflag);
    int (*utf8verify)(const char *str, unsigned len);
    void (*rand)(sasl_rand_t *rpool, char *buf, unsigned len);
    void (*churn)(sasl_rand_t *rpool, const char *data, unsigned len);

    /*
     * This allows recursive calls to the sasl_checkpass() routine from
     * within a SASL plug-in. This MUST NOT be used in the PLAIN mechanism
     * as sasl_checkpass MAY be a front-end for the PLAIN mechanism.
     * This is intended for use by the non-standard LOGIN mechanism and
     * potentially by a future mechanism which uses public-key technology
     * to set up a lightweight encryption layer just for sending a
     * password.
     */
    int (*checkpass)(sasl_conn_t *conn,
                     const char *user, unsigned userlen,
                     const char *pass, unsigned passlen);

    /*
     * Access to base64 encode/decode routines
     *
     * out receives at most outmax bytes and *outlen the number written.
     * Base64 text from the wire is peer-controlled; always check the
     * return value rather than assuming out was filled.
     */
    int (*decode64)(const char *in, unsigned inlen,
                    char *out, unsigned outmax, unsigned *outlen);
    int (*encode64)(const char *in, unsigned inlen,
                    char *out, unsigned outmax, unsigned *outlen);

    /*
     * erase a buffer
     *
     * Use this, not a plain memset, to scrub passwords and key material
     * before freeing them: a memset followed by free may be removed by
     * the compiler. Whether this implementation resists that elimination
     * is not visible here -- NOTE(review): confirm.
     */
    void (*erasebuffer)(char *buf, unsigned len);

    /* callback to sasl_getprop() and sasl_setprop() */
    int (*getprop)(sasl_conn_t *conn, int propnum, const void **pvalue);
    int (*setprop)(sasl_conn_t *conn, int propnum, const void *value);

    /* callback function */
    sasl_getcallback_t *getcallback;

    /*
     * format a message and then pass it to the SASL_CB_LOG callback
     *
     * use syslog()-style formatting (printf with %m as most recent errno
     * error). The implementation may use a fixed size buffer not smaller
     * than 512 octets if it securely truncates the message.
     *
     * level is a SASL_LOG_* level (see sasl.h)
     *
     * fmt is interpreted as a format string: pass a literal and supply
     * peer-derived text as a "%s" argument, never as fmt itself.
     */
    void (*log)(sasl_conn_t *conn, int level, const char *fmt, ...);

    /*
     * callback to sasl_seterror()
     *
     * Same format-string rule as log(): fmt must be trusted.
     */
    void (*seterror)(sasl_conn_t *conn, unsigned flags, const char *fmt, ...);

    /* spare function pointer */
    int *(*spare_fptr)();

    /*
     * auxiliary property utilities
     *
     * Wrap the propctx API from sasl.h. Output buffers (prop_format) are
     * bounded by outmax; prop_set takes an explicit vallen.
     */
    struct propctx *(*prop_new)(unsigned estimate);
    int (*prop_dup)(struct propctx *src_ctx, struct propctx **dst_ctx);
    int (*prop_request)(struct propctx *ctx, const char **names);
    const struct propval *(*prop_get)(struct propctx *ctx);
    int (*prop_getnames)(struct propctx *ctx, const char **names,
                         struct propval *vals);
    void (*prop_clear)(struct propctx *ctx, int requests);
    void (*prop_dispose)(struct propctx **ctx);
    int (*prop_format)(struct propctx *ctx, const char *sep, int seplen,
                       char *outbuf, unsigned outmax, unsigned *outlen);
    int (*prop_set)(struct propctx *ctx, const char *name,
                    const char *value, int vallen);
    int (*prop_setvals)(struct propctx *ctx, const char *name,
                        const char **values);
    void (*prop_erase)(struct propctx *ctx, const char *name);

    /* for additions which don't require a version upgrade; set to 0 */
    int (*spare_fptr1)();
    int (*spare_fptr2)();
    int (*spare_fptr3)();
} sasl_utils_t;

/*
 * output parameters from SASL API
 *
 * created / destroyed by the glue code, though probably filled in
 * by a combination of the plugin, the glue code, and the canon_user callback.
 *
 */
typedef struct sasl_out_params {
    unsigned doneflag;          /* exchange complete */

    const char *user;           /* canonicalized user name */
    const char *authid;         /* canonicalized authentication id */

    unsigned ulen;              /* length of canonicalized user name */
    unsigned alen;              /* length of canonicalized authid */

    /* security layer information */
    unsigned maxoutbuf;         /* NOTE(review): presumably the largest
                                 * buffer the layer will produce/accept;
                                 * not specified here -- confirm */
    sasl_ssf_t mech_ssf;        /* Should be set non-zero if negotiation of a */
                                /* security layer was *attempted*, even if */
                                /* the negotiation failed */
    /*
     * encode: protect outgoing data (invec, numiov entries) and return it
     *         in *output/*outputlen.
     * decode: unprotect data received from the peer. input is untrusted
     *         wire data bounded only by inputlen; integrity must be
     *         verified before any of it is acted upon.
     */
    void *encode_context;
    int (*encode)(void *context, const struct iovec *invec, unsigned numiov,
                  const char **output, unsigned *outputlen);
    void *decode_context;
    int (*decode)(void *context, const char *input, unsigned inputlen,
                  const char **output, unsigned *outputlen);

    /* for additions which don't require a version upgrade; set to 0 */
    void *spare_ptr1;
    void *spare_ptr2;
    void *spare_ptr3;
    void *spare_ptr4;
    int (*spare_fptr1)();
    int (*spare_fptr2)();
    int spare_int1;
    int spare_int2;
    int spare_int3;
    int spare_int4;

    /*
     * set to 0 initially, this allows a plugin with extended parameters
     * to work with an older framework by updating version as parameters
     * are added.
     */
    int param_version;
} sasl_out_params_t;

/*
 * Client Mechanism Functions
 */

/*
 * input parameters to client SASL plugin
 *
 * created / destroyed by the glue code
 *
 * String members carry an explicit length member below; a plug-in should
 * use those lengths rather than assuming NUL termination.
 */
typedef struct sasl_client_params {
    const char *service;        /* service name */
    const char *serverFQDN;     /* server fully qualified domain name */
    const char *clientFQDN;     /* client's fully qualified domain name */
    const sasl_utils_t *utils;  /* SASL API utility routines -- */
                                /* for a particular sasl_conn_t, */
                                /* MUST remain valid until mech_free is */
                                /* called */
    const sasl_callback_t *prompt_supp; /* client callback list */
    const char *iplocalport;    /* server IP domain literal & port */
    const char *ipremoteport;   /* client IP domain literal & port */

    unsigned servicelen;        /* length of service */
    unsigned slen;              /* length of serverFQDN */
    unsigned clen;              /* length of clientFQDN */
    unsigned iploclen;          /* length of iplocalport */
    unsigned ipremlen;          /* length of ipremoteport */

    /* application's security requirements & info */
    sasl_security_properties_t props;
    sasl_ssf_t external_ssf;    /* external SSF active */

    /* for additions which don't require a version upgrade; set to 0 */
    void *spare_ptr1;
    void *spare_ptr2;
    void *spare_ptr3;
    void *spare_ptr4;

    /*
     * Canonicalize a user name from on-wire to internal format
     * added rjs3 2001-05-23
     * Must be called once user name acquired if canon_user is non-NULL.
     *  conn        connection context
     *  in          user name from wire protocol (need not be NUL terminated)
     *  len         length of user name from wire protocol (0 = strlen(user));
     *              when passing 0 the caller must guarantee in is NUL
     *              terminated, otherwise the read runs past the buffer
     *  flags       for SASL_CU_* flags
     *  oparams     the user, authid, ulen, alen, fields are
     *              set appropriately after canonicalization/copying and
     *              authorization of arguments
     *
     * responsible for setting user, ulen, authid, and alen in the oparams
     * structure
     *
     * default behavior is to strip leading and trailing whitespace, as
     * well as allocating space for and copying the parameters.
     *
     * results:
     *  SASL_OK       -- success
     *  SASL_NOMEM    -- out of memory
     *  SASL_BADPARAM -- invalid conn
     *  SASL_BADPROT  -- invalid user/authid
     */
    int (*canon_user)(sasl_conn_t *conn,
                      const char *in, unsigned len,
                      unsigned flags,
                      sasl_out_params_t *oparams);

    int (*spare_fptr1)();

    int spare_int1;
    int spare_int2;
    int spare_int3;

    /* flags field as passed to sasl_client_new */
    unsigned flags;

    /*
     * set to 0 initially, this allows a plugin with extended parameters
     * to work with an older framework by updating version as parameters
     * are added.
     */
    int param_version;
} sasl_client_params_t;

/* features shared between client and server */
/* These allow the glue code to handle client-first and server-last issues */

/*
 * This indicates that the mechanism prefers to do client-send-first
 * if the protocol allows it.
 */
#define SASL_FEAT_WANT_CLIENT_FIRST 0x0002

/*
 * This feature is deprecated, instead, plugins should set *serverout to
 * non-NULL and return SASL_OK intelligently to allow flexible use of
 * server-last semantics
 * (kept as a comment so the bit value 0x0004 is not reused)
 */
/* #define SASL_FEAT_WANT_SERVER_LAST 0x0004 */

/*
 * This feature is deprecated, instead plugins should correctly set
 * SASL_FEAT_SERVER_FIRST as needed
 * (kept as a comment so the bit value 0x0008 is not reused)
 */
/* #define SASL_FEAT_INTERNAL_CLIENT_FIRST 0x0008 */

/*
 * This indicates that the plugin is server-first only.
 * Not defining either of SASL_FEAT_SERVER_FIRST or
 * SASL_FEAT_WANT_CLIENT_FIRST indicates that the mechanism will take care
 * of the client-first situation internally.
 */
#define SASL_FEAT_SERVER_FIRST 0x0010

/* This plugin allows proxying */
#define SASL_FEAT_ALLOWS_PROXY 0x0020

/* client plug-in features */
#define SASL_FEAT_NEEDSERVERFQDN 0x0001

/* a C object for a client mechanism */
typedef struct sasl_client_plug {
    /* mechanism name */
    const char *mech_name;

    /* best mech additional security layer strength factor */
    sasl_ssf_t max_ssf;

    /* best security flags, as defined in sasl_security_properties_t */
    unsigned security_flags;

    /* features of plugin (SASL_FEAT_* bits above) */
    unsigned features;

    /* required prompt ids, NULL = user/pass only */
    const unsigned long *required_prompts;

    /* global state for mechanism */
    void *glob_context;

    /*
     * create context for mechanism, using params supplied
     *  glob_context   -- from above
     *  cparams        -- params from sasl_client_new
     *  conn_context   -- context for one connection
     * returns:
     *  SASL_OK        -- success
     *  SASL_NOMEM     -- not enough memory
     *  SASL_WRONGMECH -- mech doesn't support security params
     */
    int (*mech_new)(void *glob_context,
                    sasl_client_params_t *cparams,
                    void **conn_context);

    /*
     * perform one step of exchange. NULL is passed for serverin on
     * first step.
     * returns:
     *  SASL_OK       -- success
     *  SASL_INTERACT -- user interaction needed to fill in prompts
     *  SASL_BADPROT  -- server protocol incorrect/cancelled
     *  SASL_BADSERV  -- server failed mutual auth
     *
     * serverin is data received from the server: treat it as untrusted,
     * bounded by serverinlen, and (not stated here -- assume the worst)
     * not NUL terminated. Ownership of *clientout is not specified in
     * this header; confirm with the glue code before relying on it.
     */
    int (*mech_step)(void *conn_context,
                     sasl_client_params_t *cparams,
                     const char *serverin,
                     unsigned serverinlen,
                     sasl_interact_t **prompt_need,
                     const char **clientout,
                     unsigned *clientoutlen,
                     sasl_out_params_t *oparams);

    /* dispose of connection context from mech_new */
    void (*mech_dispose)(void *conn_context, const sasl_utils_t *utils);

    /*
     * free all global space used by mechanism
     * mech_dispose must be called on all mechanisms first
     */
    void (*mech_free)(void *glob_context, const sasl_utils_t *utils);

    /*
     * perform precalculations during a network round-trip
     * or idle period. conn_context may be NULL
     * returns 1 if action taken, 0 if no action taken
     */
    int (*idle)(void *glob_context,
                void *conn_context,
                sasl_client_params_t *cparams);

    /* for additions which don't require a version upgrade; set to 0 */
    int (*spare_fptr1)();
    int (*spare_fptr2)();
} sasl_client_plug_t;

#define SASL_CLIENT_PLUG_VERSION 4

/*
 * plug-in entry point:
 *  utils       -- utility callback functions
 *  max_version -- highest client plug version supported
 * returns:
 *  out_version -- client plug version of result
 *  pluglist    -- list of mechanism plug-ins
 *  plugcount   -- number of mechanism plug-ins
 * results:
 *  SASL_OK       -- success
 *  SASL_NOMEM    -- failure
 *  SASL_BADVERS  -- max_version too small
 *  SASL_BADPARAM -- bad config string
 *  ...
 */
typedef int sasl_client_plug_init_t(const sasl_utils_t *utils,
                                    int max_version,
                                    int *out_version,
                                    sasl_client_plug_t **pluglist,
                                    int *plugcount);

/* add a client plug-in */
LIBSASL_API int sasl_client_add_plugin(const char *plugname,
                                       sasl_client_plug_init_t *cplugfunc);

/*
 * Server Functions
 */

/*
 * input parameters to server SASL plugin
 *
 * created / destroyed by the glue code
 *
 * Each string field below has a companion length field (servicelen,
 * applen, slen, urlen, iploclen, ipremlen) further down in the struct.
 */
typedef struct sasl_server_params {
    const char *service;        /* NULL = default service for user_exists */
                                /* and setpass */
    const char *appname;        /* name of calling application */
    const char *serverFQDN;     /* server default fully qualified domain name */
                                /* (e.g., gethostname) */
    const char *user_realm;     /* realm for user (NULL = client supplied) */
    const char *iplocalport;    /* server IP domain literal & port */
    const char *ipremoteport;   /* client IP domain literal & port */

    unsigned servicelen;        /* length of service */
    unsigned applen;            /* length of appname */
    unsigned slen;              /* length of serverFQDN */
    unsigned urlen;             /* length of user_realm */
    unsigned iploclen;          /* length of iplocalport */
    unsigned ipremlen;          /* length of ipremoteport */

    /*
     * This indicates the level of logging desired. See SASL_LOG_*
     * in sasl.h
     *
     * Plug-ins can ignore this and just pass their desired level to
     * the log callback. This is primarily used to eliminate logging which
     * might be a performance problem (e.g., full protocol trace) and
     * to select between SASL_LOG_TRACE and SASL_LOG_PASS alternatives
     */
    int log_level;

    const sasl_utils_t *utils;  /* SASL API utility routines -- */
                                /* for a particular sasl_conn_t, */
                                /* MUST remain valid until mech_free is */
                                /* called */

    const sasl_callback_t *callbacks;   /* Callbacks from application */

    /* application's security requirements */
    sasl_security_properties_t props;
    sasl_ssf_t external_ssf;    /* external SSF active */

    /*
     * server plug-in calls this when it first has access to the plaintext
     * passphrase. This is used to transition users via setpass calls.
     * If passlen is 0, it defaults to strlen(pass) -- so pass must be
     * NUL terminated in that case; with a non-zero passlen it need not be.
     * returns 0 if no entry added, 1 if entry added
     */
    int (*transition)(sasl_conn_t *conn, const char *pass, unsigned passlen);

    /*
     * Canonicalize a user name from on-wire to internal format
     * added cjn 1999-09-21
     * Must be called once user name acquired if canon_user is non-NULL.
     *  conn     connection context
     *  user     user name from wire protocol (need not be NUL terminated)
     *  ulen     length of user name from wire protocol (0 = strlen(user),
     *           which requires user to be NUL terminated)
     *  flags    for SASL_CU_* flags
     *  oparams  the user, authid, ulen, alen, fields are
     *           set appropriately after canonicalization/copying and
     *           authorization of arguments
     *
     * responsible for setting user, ulen, authid, and alen in the oparams
     * structure
     *
     * default behavior is to strip leading and trailing whitespace, as
     * well as allocating space for and copying the parameters.
     *
     * results:
     *  SASL_OK       -- success
     *  SASL_NOMEM    -- out of memory
     *  SASL_BADPARAM -- invalid conn
     *  SASL_BADPROT  -- invalid user/authid
     */
    int (*canon_user)(sasl_conn_t *conn,
                      const char *user, unsigned ulen,
                      unsigned flags,
                      sasl_out_params_t *oparams);

    /*
     * auxiliary property context (see definitions in prop.h)
     * added cjn 2000-01-30
     *
     * NOTE: these properties are the ones associated with the
     * canonicalized "user" (user to login as / authorization id), not
     * the "authid" (user whose credentials are used / authentication id)
     * Prefix the property name with a "*" if a property associated with
     * the "authid" is interesting.
     */
    struct propctx *propctx;

    /* for additions which don't require a version upgrade; set to 0 */
    /* (the spare function pointers are declared with an unspecified */
    /* parameter list) */
    void *spare_ptr1;
    void *spare_ptr2;
    void *spare_ptr3;
    void *spare_ptr4;
    int (*spare_fptr1)();
    int (*spare_fptr2)();
    int spare_int1;
    int spare_int2;
    int spare_int3;

    /* flags field as passed to sasl_server_new */
    unsigned flags;

    /*
     * set to 0 initially, this allows a plugin with extended parameters
     * to work with an older framework by updating version as parameters
     * are added.
     */
    int param_version;
} sasl_server_params_t;

/* features for server plug-in */
#define SASL_FEAT_SERVICE   0x0200  /* service-specific passwords supported */
#define SASL_FEAT_GETSECRET 0x0400  /* sasl_server_{get,put}secret_t */
                                    /* callbacks required by plug-in */

/* a C object for a server mechanism */
typedef struct sasl_server_plug {
    /* mechanism name */
    const char *mech_name;

    /* best mech additional security layer strength factor */
    sasl_ssf_t max_ssf;

    /* best security flags, as defined in sasl_security_properties_t */
    unsigned security_flags;

    /* features of plugin (SASL_FEAT_* above) */
    unsigned features;

    /* global state for mechanism */
    void *glob_context;

    /*
     * create a new mechanism handler
     *  glob_context  -- global context
     *  sparams       -- server config params
     *  challenge     -- server challenge from previous instance or NULL
     *  challen       -- length of challenge from previous instance or 0
     * out:
     *  conn_context  -- connection context
     *  errinfo       -- error information (documented historically, but
     *                   not a parameter of the signature below)
     *
     * returns:
     *  SASL_OK       -- successfully created mech instance
     *  SASL_*        -- any other server error code
     */
    int (*mech_new)(void *glob_context,
                    sasl_server_params_t *sparams,
                    const char *challenge,
                    unsigned challen,
                    void **conn_context);

    /*
     * perform one step in exchange
     *  conn_context  -- context returned by mech_new (or mech_avail)
     *  clientin      -- data received from the client, clientinlen bytes
     *  serverout     -- set to the data to send back, serveroutlen bytes
     *
     * NOTE(review): nothing here states that clientin is NUL terminated;
     * plug-ins should treat clientinlen as the bound -- confirm against
     * the glue code. The ownership/lifetime of the *serverout buffer is
     * also not stated here -- confirm before relying on it.
     *
     * returns:
     *  SASL_OK       -- success, all done
     *  SASL_CONTINUE -- success, one more round trip
     *  SASL_*        -- any other server error code
     */
    int (*mech_step)(void *conn_context,
                     sasl_server_params_t *sparams,
                     const char *clientin,
                     unsigned clientinlen,
                     const char **serverout,
                     unsigned *serveroutlen,
                     sasl_out_params_t *oparams);

    /* dispose of a connection state */
    void (*mech_dispose)(void *conn_context, const sasl_utils_t *utils);

    /*
     * free global state for mechanism
     * mech_dispose must be called on all mechanisms first
     */
    void (*mech_free)(void *glob_context, const sasl_utils_t *utils);

    /*
     * set a password (optional)
     *  glob_context  -- global context
     *  sparams       -- service, middleware utilities, etc. props ignored
     *  user          -- user name
     *  pass          -- password/passphrase (NULL = disable/remove/delete)
     *  passlen       -- length of password/passphrase
     *  oldpass       -- old password/passphrase (NULL = transition)
     *  oldpasslen    -- length of old password/passphrase
     *  flags         -- see above
     *
     * returns:
     *  SASL_NOCHANGE -- no change was needed
     *  SASL_NOUSER   -- no entry for user
     *  SASL_NOVERIFY -- no mechanism compatible entry for user
     *  SASL_PWLOCK   -- password locked
     *  SASL_DISABLED -- account disabled
     *  etc.
     */
    int (*setpass)(void *glob_context,
                   sasl_server_params_t *sparams,
                   const char *user,
                   const char *pass, unsigned passlen,
                   const char *oldpass, unsigned oldpasslen,
                   unsigned flags);

    /*
     * query which mechanisms are available for user
     *  glob_context  -- context
     *  sparams       -- service, middleware utilities, etc. props ignored
     *  user          -- NUL terminated user name
     *  maxmech       -- max number of strings in mechlist (0 = no output);
     *                   the caller's mechlist array must have room for
     *                   this many pointers
     * output:
     *  mechlist      -- an array of C string pointers, filled in with
     *                   mechanism names available to the user
     *
     * returns:
     *  SASL_OK       -- success
     *  SASL_NOMEM    -- not enough memory
     *  SASL_FAIL     -- lower level failure
     *  SASL_DISABLED -- account disabled
     *  SASL_NOUSER   -- user not found
     *  SASL_BUFOVER  -- maxmech is too small
     *  SASL_NOVERIFY -- user found, but no mechanisms available
     */
    int (*user_query)(void *glob_context,
                      sasl_server_params_t *sparams,
                      const char *user,
                      int maxmech,
                      const char **mechlist);

    /*
     * perform precalculations during a network round-trip
     * or idle period. conn_context may be NULL (optional)
     * returns 1 if action taken, 0 if no action taken
     */
    int (*idle)(void *glob_context,
                void *conn_context,
                sasl_server_params_t *sparams);

    /*
     * check if mechanism is available
     * TODO - Is this correct?
     * optional--if NULL, mechanism is available based on ENABLE=
     * in config
     *
     * If this routine sets conn_context to a non-NULL value, then the call
     * to mech_new will be skipped. This should not be done unless
     * there's a significant performance benefit, since it can cause
     * additional memory allocation in SASL core code to keep track of
     * contexts potentially for multiple mechanisms.
     *
     * This is called by the first call to sasl_listmech() for a
     * given connection context, thus for a given protocol it may
     * never be called. Note that if mech_avail returns SASL_NOMECH,
     * then that mechanism is considered disabled for the remainder
     * of the session.
     *
     * returns SASL_OK on success,
     *  SASL_NOMECH if mech disabled
     */
    int (*mech_avail)(void *glob_context,
                      sasl_server_params_t *sparams,
                      void **conn_context);

    /* for additions which don't require a version upgrade; set to 0 */
    int (*spare_fptr2)();
} sasl_server_plug_t;

#define SASL_SERVER_PLUG_VERSION 4

/*
 * plug-in entry point:
 *  utils         -- utility callback functions
 *  plugname      -- name of plug-in (may be NULL)
 *  max_version   -- highest server plug version supported
 * returns:
 *  out_version   -- server plug-in version of result
 *  pluglist      -- list of mechanism plug-ins
 *  plugcount     -- number of mechanism plug-ins
 * results:
 *  SASL_OK       -- success
 *  SASL_NOMEM    -- failure
 *  SASL_BADVERS  -- max_version too small
 *  SASL_BADPARAM -- bad config string
 *  ...
 *
 * Note that plugname is listed above but is not a parameter of this
 * typedef; it is passed to sasl_server_add_plugin below.
 */
typedef int sasl_server_plug_init_t(const sasl_utils_t *utils,
                                    int max_version,
                                    int *out_version,
                                    sasl_server_plug_t **pluglist,
                                    int *plugcount);

/*
 * add a server plug-in
 */
LIBSASL_API int sasl_server_add_plugin(const char *plugname,
                                       sasl_server_plug_init_t *splugfunc);

/*
 * user canonicalization plug-in -- added cjn 1999-09-29
 */

typedef struct sasl_canonuser {
    /* optional features of plugin (set to 0) */
    int features;

    /* spare integer (set to 0) */
    int spare_int1;

    /* global state for plugin */
    void *glob_context;

    /* name of plugin */
    char *name;

    /* free global state for plugin */
    void (*canon_user_free)(void *glob_context, const sasl_utils_t *utils);

    /*
     * canonicalize a username (server side and client side variants)
     *  glob_context  -- global context from this structure
     *  sparams       -- server params, note user_realm&propctx elements
     *                   (cparams for the client variant)
     *  user          -- user to login as (may not be NUL terminated)
     *  len           -- length of user name (0 = strlen(user), which
     *                   requires user to be NUL terminated)
     *  flags         -- for SASL_CU_* flags
     *  out           -- buffer to copy user name
     *  out_max       -- max length of user name (named out_umax in the
     *                   server variant below)
     *  out_len       -- set to length of user name (named out_ulen in the
     *                   server variant below)
     *
     * note that the output buffers MAY be the same as the input buffers,
     * so implementations must tolerate user and out overlapping.
     *
     * returns
     *  SASL_OK on success
     *  SASL_BADPROT username contains invalid character
     */
    int (*canon_user_server)(void *glob_context,
                             sasl_server_params_t *sparams,
                             const char *user, unsigned len,
                             unsigned flags,
                             char *out,
                             unsigned out_umax, unsigned *out_ulen);

    int (*canon_user_client)(void *glob_context,
                             sasl_client_params_t *cparams,
                             const char *user, unsigned len,
                             unsigned flags,
                             char *out,
                             unsigned out_max, unsigned *out_len);

    /* for additions which don't require a version upgrade; set to 0 */
    int (*spare_fptr1)();
    int (*spare_fptr2)();
    int (*spare_fptr3)();
} sasl_canonuser_plug_t;

#define SASL_CANONUSER_PLUG_VERSION 5

/*
 * default name for canonuser plug-in entry point is "sasl_canonuser_init"
 * similar to sasl_server_plug_init model, except only returns one
 * sasl_canonuser_plug_t structure;
 *  utils       -- utility callback functions
 *  max_version -- highest canonuser plug version supported
 *  out_version -- set to the version of the returned plug-in
 *  plug        -- set to the single sasl_canonuser_plug_t
 *  plugname    -- name of plug-in
 */
typedef int sasl_canonuser_init_t(const sasl_utils_t *utils,
                                  int max_version,
                                  int *out_version,
                                  sasl_canonuser_plug_t **plug,
                                  const char *plugname);

/* add a canonuser plugin */
LIBSASL_API int sasl_canonuser_add_plugin(const char *plugname,
                                          sasl_canonuser_init_t *canonuserfunc);

/*
 * auxiliary property plug-in -- added cjn 1999-09-29
 */

typedef struct sasl_auxprop_plug {
    /* optional features of plugin (none defined yet, set to 0) */
    int features;

    /* spare integer, must be set to 0 */
    int spare_int1;

    /* global state for plugin */
    void *glob_context;

    /* free global state for plugin (OPTIONAL) */
    void (*auxprop_free)(void *glob_context, const sasl_utils_t *utils);

    /*
     * fill in fields of an auxiliary property context
     * last element in array has id of SASL_AUX_END
     * elements with non-0 len should be ignored (unless SASL_AUXPROP_OVERRIDE
     * is set in flags; see the SASL_AUXPROP_* flags below).
     *  glob_context -- global context from this structure
     *  sparams      -- server params (propctx is the context to fill)
     *  flags        -- SASL_AUXPROP_* lookup flags
     *  user         -- user name, ulen bytes
     */
    void (*auxprop_lookup)(void *glob_context,
                           sasl_server_params_t *sparams,
                           unsigned flags,
                           const char *user, unsigned ulen);

    /* name of the auxprop plugin */
    char *name;

    /* for additions which don't require a version upgrade; set to 0 */
    void (*spare_fptr1)();
} sasl_auxprop_plug_t;

/* auxprop lookup flags */
#define SASL_AUXPROP_OVERRIDE 0x01  /* if clear, ignore auxiliary properties */
                                    /* with non-zero len field. If set, */
                                    /* override value of those properties */
#define SASL_AUXPROP_AUTHZID  0x02  /* if clear, we are looking up the */
                                    /* authid flags (prefixed with *), */
                                    /* otherwise we are looking up the */
                                    /* authzid flags (no prefix) */

#define SASL_AUXPROP_PLUG_VERSION 4

/*
 * default name for auxprop plug-in entry point is "sasl_auxprop_init"
 * similar to sasl_server_plug_init model, except only returns one
 * sasl_auxprop_plug_t structure;
 *  utils       -- utility callback functions
 *  max_version -- highest auxprop plug version supported
 *  out_version -- set to the version of the returned plug-in
 *  plug        -- set to the single sasl_auxprop_plug_t
 *  plugname    -- name of plug-in
 */
typedef int sasl_auxprop_init_t(const sasl_utils_t *utils,
                                int max_version,
                                int *out_version,
                                sasl_auxprop_plug_t **plug,
                                const char *plugname);

/* add an auxiliary property plug-in */
LIBSASL_API int sasl_auxprop_add_plugin(const char *plugname,
                                        sasl_auxprop_init_t *auxpropfunc);

#ifdef __cplusplus
}
#endif

#endif /* _SASL_SASLPLUG_H */