GNU SASL Library - Libgsasl

---

Introduction

GNU SASL is an implementation of the Simple Authentication and Security Layer framework and a few common SASL mechanisms. SASL is used by network servers (e.g., IMAP, SMTP, XMPP) to request authentication from clients, and in clients to authenticate against servers.

GNU SASL consists of a C library (libgsasl), a command-line application (gsasl), and a manual. The library supports the ANONYMOUS, CRAM-MD5, DIGEST-MD5, EXTERNAL, GS2-KRB5, GSSAPI, LOGIN, NTLM, OPENID20, PLAIN, SCRAM-SHA-1, SCRAM-SHA-1-PLUS, SCRAM-SHA-256, SCRAM-SHA-256-PLUS, SAML20, and SECURID mechanisms.

The library is portable because it does not do network communication by itself, but rather leaves it up to the calling application. The library is flexible with regards to the authorization infrastructure used, as it utilizes callbacks into the application to decide whether an user is authorized or not.

The GNU SASL Library (lib/) is licensed under the GNU Lesser General Public License (LGPL) version 2.1 (or later). The GNU project typically uses the GNU General Public License (GPL) for libraries, and not the LGPL, but for this project we decided that we would get more help from the community if we used the LGPLv2.1+, as other free SASL implementations exists. See also Why you shouldn't use the Lesser GPL for your next library.

The command-line application and test suite (src/ and tests/) are licensed under the GNU General Public License license version 3.0 (or later). The documentation (doc/) is licensed under the GNU Free Documentation License version 1.3 (or later). See the file doc/fdl-1.3.texi.

Some of the goals with this project are:

• Clean room implementation. This means the copyright and license conditions are clear.
• Internationalization. It handles non-ASCII username and passwords by using SASLprep. User visible strings used in the library (error messages) can be translated into the users' language.
• Thread safe library. This library uses no global state and multiple concurrent SASL sessions are possibly (e.g. in a multithreaded server).
• Portable. It should work on all Unix like operating systems, including Windows. The library itself should be portable to any C89 system, not even POSIX is required.

Table of Contents

• Introduction
• Documentation and Status
• Support
• News
• Downloading
• Development
• Dependencies
• Bugs

Documentation and Status

Refer to the GNU SASL Manual web page for links to the manual in all formats; however, quick links to the most popular formats:

• Online HTML manual
• PDF manual
• API reference in HTML

See also the various standard texts:

• RFC 4422, the core SASL specification
• RFC 2831, the DIGEST-MD5 mechanism
• RFC 4505, the ANONYMOUS mechanism
• RFC 4616, the PLAIN mechanism
• RFC 4752, the Kerberos V5 GSSAPI mechanism
• RFC 5801, the GS2 mechanism (GS2-KRB5)
• RFC 5802, the SCRAM-SHA-1/SCRAM-SHA-1-PLUS mechanisms
• RFC 6595, the SAML20 mechanism
• RFC 6616, the OPENID20 mechanism
• RFC 7677, the SCRAM-SHA-256/SCRAM-SHA-256-PLUS mechanisms

GNU SASL has been ported to Windows and there are some resources around this effort:

• Installing under Windows
• Kerberos on Windows
• Pre-built Windows binaries

Free software projects using GNU SASL include:

• Exim
• Mutt
• GNU Mailutils
• MSMTP and MPOP
• VMIME
• Curl
• Jabberd2, an XMPP server
• GNU Anubis

Let us know about more free software projects that use GNU SASL!

Support

A mailing list where GNU SASL users may help each other exists, and you can reach it by sending e-mail to help-gsasl@gnu.org. Archives of the mailing list discussions, and an interface to manage subscriptions, is available through the World Wide Web at https://lists.gnu.org/mailman/listinfo/help-gsasl.

Downloading

The releases are distributed from https://ftp.gnu.org/gnu/gsasl/.

The latest release is signed with OpenPGP key with fingerprint F8C4 D73C F638 C53C 06BE. Earlier releases were signed with an OpenPGP key with fingerprint B565716F or OpenPGP key with fingerprint 5A33 0664 A769 5426 5E8C.

Development

There are Savannah GNU SASL and GitLab GNU SASL project pages. You can check out the sources as follows:

$ git clone https://gitlab.com/gsasl/gsasl.git

See the file README-hacking for complete information on how to bootstrap and build the package from version controlled sources.

We publish cyclomatic code complexity charts, self-test code coverage charts, and Clang code analysis

Dependencies

You need at least a shell, a C compiler and a Make tool to build GNU SASL.

GNU SASL will enable certain features if you have the following optional external libraries installed:

• Non-ASCII support (e.g., username and passwords): GNU Libidn.
• NTLM mechanism: libntlm 0.3.1 or later.
• GSSAPI mechanism: GNU GSS, MIT Kerberos, Heimdal.

Bugs

Report all problems to help-gsasl@gnu.org, but please read the manual on how to report bugs first.

News

Note that new releases are only mentioned here if they introduce a major feature or is significant in some other way. Read the help-gsasl mailing list if you seek more frequent announcements.

Information on what is new in the software is found in the NEWS and lib/NEWS file (live version).

• 2022-06-20: New stable release 2.0.0 dropping all obsolete APIs.
• 2021-01-01: New stable release 1.10.0 with SCRAM-SHA-256 (RFC 7677).
• 2012-05-28: New stable release 1.8.0 with SAML20 (RFC 6595) and OPENID20 (RFC 6616).
• 2010-12-14: New stable release 1.6.0 with SCRAM-SHA-1(-PLUS) and GS2-KRB5 support.
• 2010-11-14: SCRAM-SHA-1-PLUS is supported in experimental 1.5.3 release.
• 2010-03-31: GS2-KRB5 is supported in the experimental 1.5.0 release.
• 2009-11-07: SCRAM-SHA-1 is now intended for stable use with the version 1.4 release.
• 2009-10-08: As of version 1.3 the library experimentally supports SCRAM-SHA-1.
• 2008-08-19: The library can be built as a native Windows Visual Studio project.
• 2008-01-12: Instructions for building GNU SASL under uClinux have been published.
• 2007-10-08: Git repository moved to Savannah, you can browse it.
• 2007-07-09: The command line, self tests, examples etc of GNU SASL are now licensed under the GPL version 3. The library remains licensed under the LGPL version 2.1.
• 2007-06-01: GNU SASL is now developed in git instead of cvs.
• 2007-04-20: Version 0.2.16, released today, will likely be the last release on the 0.2.x. branch, next we'll focus on implementing GS2.
• 2006-06-14: Newly released version 0.2.13 works well under Windows.
• 2004-11-07: A new major release, version 0.2.0, has been released.
• 2004-04-16: The license for the core library, and most common mechanisms, is being changed to LGPL. A release candidate of 0.0.15 with this change is available.
• 2004-01-01: Savannah had problems last month, and still isn't operating fully. CVS has been moved to a private machine, a read-only mirror of it will hopefully be available via Savannah in the future.
• 2003-10-11 Version 0.0.8 includes API for SASLprep/trace string preparation, improved portability, and more.
• 2003-06-02 The GSSAPI mechanism now supports GSS and Heimdal, besides MIT Kerberos.
• 2003-03-17 Debian includes libgsasl, thanks to Ryan M. Golbeck.
• 2003-02-02 The KERBEROS_V5 document is updated with examples from our library used in GNU Mailutil's imap4d server.
• 2003-01-30 Implementation of our KERBEROS_V5 mechanism proposal started, using Shishi.
• 2002-12-16 gnu.org web pages opened and development moved to savannah.
• 2002-12-13 Version 0.0.4 renames the package from "libgsasl" to GNU SASL and the license is changed to the GPL.
• 2002-12-09 Official GNU project.
• 2002-10-07 Initial release of version 0.0.0.