/*
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/* saslplug.h -- API for SASL plug-ins */

#ifndef _SASL_SASLPLUG_H
#define _SASL_SASLPLUG_H

#pragma ident "%Z%%M% %I% %E% SMI"

#ifndef _SASL_SASL_H
#include <sasl/sasl.h>
#endif

#ifndef _MD5_H
#include <md5.h>
#endif /* _MD5_H */

#ifdef __cplusplus
extern "C" {
#endif

/*
 * intermediate MD5 context
 *
 * The inner (ictx) and outer (octx) MD5 contexts of an HMAC-MD5
 * computation in progress.  This is the context type taken by the
 * hmac_md5_init(), hmac_md5_import() and hmac_md5_final() entries of
 * sasl_utils_t below.  Because it holds key-derived state, a plug-in
 * should erase it (see erasebuffer in sasl_utils_t) rather than just
 * free it once the key it was derived from is considered sensitive.
 */
typedef struct HMAC_MD5_CTX_s {
	MD5_CTX ictx, octx;
} HMAC_MD5_CTX;

/*
 * intermediate HMAC state
 * values stored in network byte order (Big Endian)
 *
 * istate/ostate are four 32-bit words each, i.e. one MD5 chaining state
 * for the inner and one for the outer hash; see hmac_md5_precalc() and
 * hmac_md5_import() in sasl_utils_t.  Presumably this is the state after
 * the keyed inner/outer pad blocks have been processed (not stated in
 * this header).  Anyone holding this state can compute HMAC-MD5 tags
 * without knowing the original key, so it must be stored, transmitted and
 * erased with the same care as the key itself.
 */
typedef struct HMAC_MD5_STATE_s {
	uint32_t istate[4];
	uint32_t ostate[4];
} HMAC_MD5_STATE;

/*
 * callback to lookup a sasl_callback_t for a connection
 * input:
 *  conn -- the connection to lookup a callback for
 *  callbackid -- the id (SASL_CB_*) of the callback to look up
 * output:
 *  pproc -- pointer to the callback function (set to NULL on failure)
 *  pcontext -- pointer to the callback context (set to NULL on failure)
 * returns:
 *  SASL_OK -- no error
 *  SASL_FAIL -- unable to find a callback of the requested type
 *  SASL_INTERACT -- caller must use interaction to get data
 *
 * Note: *pproc is an unprototyped function pointer; the caller must cast
 * it to the signature sasl.h gives for the requested callbackid before
 * calling it, and must not call it while it is NULL.
 */
typedef int sasl_getcallback_t(sasl_conn_t *conn,
    unsigned long callbackid,
    int (**pproc)(),
    void **pcontext);

/*
 * The sasl_utils structure will remain backwards compatible unless
 * the SASL_*_PLUG_VERSION is changed incompatibly
 * higher SASL_UTILS_VERSION numbers indicate more functions are available
 */
#define SASL_UTILS_VERSION 4

/*
 * utility function set for plug-ins
 *
 * Filled in by the SASL glue code and handed to every plug-in entry point
 * (see sasl_client_plug_init_t below and the utils member of the params
 * structures).  A plug-in should use these entries instead of calling the
 * C library or its own helpers directly, so that allocation, locking,
 * randomness, logging and error reporting stay under the framework's
 * control.
 */
typedef struct sasl_utils {
	/*
	 * SASL_UTILS_VERSION of the framework that filled this structure in.
	 * Per the comment above, entries added in later versions are only
	 * present when version is high enough -- check before using them.
	 */
	int version;

	/* contexts */
	sasl_conn_t *conn;		/* the connection this set belongs to */
	sasl_rand_t *rpool;		/* randomness pool for rand/churn below */
	void *getopt_context;		/* opaque context passed to getopt */

	/* option function */
	sasl_getopt_t *getopt;

	/*
	 * allocation functions:
	 * Plug-ins must pair these (memory from malloc/calloc/realloc is
	 * released with free from the same table), never with the C library's.
	 */
	sasl_malloc_t *malloc;
	sasl_calloc_t *calloc;
	sasl_realloc_t *realloc;
	sasl_free_t *free;

	/* mutex functions: */
	sasl_mutex_alloc_t *mutex_alloc;
	sasl_mutex_lock_t *mutex_lock;
	sasl_mutex_unlock_t *mutex_unlock;
	sasl_mutex_free_t *mutex_free;

	/*
	 * MD5 hash and HMAC functions
	 *
	 * Provided for the mechanisms that are specified in terms of MD5 and
	 * HMAC-MD5.  MD5 is not collision resistant; a plug-in should not
	 * reach for these entries as a general-purpose hash in new designs.
	 */
	void (*MD5Init)(MD5_CTX *);
	void (*MD5Update)(MD5_CTX *, const unsigned char *text, unsigned int len);
	void (*MD5Final)(unsigned char [16], MD5_CTX *);
	/* one-shot HMAC-MD5 over text with key; 16-byte digest is written out */
	void (*hmac_md5)(const unsigned char *text, int text_len,
	    const unsigned char *key, int key_len,
	    unsigned char [16]);
	void (*hmac_md5_init)(HMAC_MD5_CTX *, const unsigned char *key, int len);
	/* hmac_md5_update() is just a call to MD5Update on inner context */
	void (*hmac_md5_final)(unsigned char [16], HMAC_MD5_CTX *);
	/* derive a reusable HMAC_MD5_STATE from key (see its note above) */
	void (*hmac_md5_precalc)(HMAC_MD5_STATE *,
	    const unsigned char *key, int len);
	/* restore a context from a precalculated state */
	void (*hmac_md5_import)(HMAC_MD5_CTX *, HMAC_MD5_STATE *);

	/* mechanism utility functions (same as above): */
	/*
	 * mkchal: build a challenge into buf, which holds maxlen bytes;
	 * hostflag semantics are not described in this header.
	 */
	int (*mkchal)(sasl_conn_t *conn, char *buf, unsigned maxlen,
	    unsigned hostflag);
	/*
	 * utf8verify: check that the len bytes at str are valid UTF-8;
	 * use it on peer-supplied identities before treating them as text.
	 */
	int (*utf8verify)(const char *str, unsigned len);
	/* rand: fill buf with len bytes drawn from rpool */
	void (*rand)(sasl_rand_t *rpool, char *buf, unsigned len);
	/* churn: mix len bytes of data into rpool */
	void (*churn)(sasl_rand_t *rpool, const char *data, unsigned len);

	/*
	 * This allows recursive calls to the sasl_checkpass() routine from
	 * within a SASL plug-in. This MUST NOT be used in the PLAIN mechanism
	 * as sasl_checkpass MAY be a front-end for the PLAIN mechanism.
	 * This is intended for use by the non-standard LOGIN mechanism and
	 * potentially by a future mechanism which uses public-key technology
	 * to set up a lightweight encryption layer just for sending a
	 * password.
	 */
	int (*checkpass)(sasl_conn_t *conn,
	    const char *user, unsigned userlen,
	    const char *pass, unsigned passlen);

	/*
	 * Access to base64 encode/decode routines
	 *
	 * outmax is the size of out; *outlen receives the length produced.
	 * NOTE(review): whether out is NUL-terminated and whether outlen may
	 * be NULL is not stated here -- confirm against the implementation
	 * before relying on either.
	 */
	int (*decode64)(const char *in, unsigned inlen,
	    char *out, unsigned outmax, unsigned *outlen);
	int (*encode64)(const char *in, unsigned inlen,
	    char *out, unsigned outmax, unsigned *outlen);

	/*
	 * erase a buffer
	 *
	 * Intended for passwords, keys and HMAC state before they are freed;
	 * a plain memset() immediately before free() may be optimized away,
	 * so prefer this entry for anything secret.
	 */
	void (*erasebuffer)(char *buf, unsigned len);

	/* callback to sasl_getprop() and sasl_setprop() */
	int (*getprop)(sasl_conn_t *conn, int propnum, const void **pvalue);
	int (*setprop)(sasl_conn_t *conn, int propnum, const void *value);

	/* callback function */
	sasl_getcallback_t *getcallback;

	/*
	 * format a message and then pass it to the SASL_CB_LOG callback
	 *
	 * use syslog()-style formatting (printf with %m as most recent errno
	 * error). The implementation may use a fixed size buffer not smaller
	 * than 512 octets if it securely truncates the message.
	 *
	 * level is a SASL_LOG_* level (see sasl.h)
	 *
	 * fmt must always be a string the plug-in itself controls; data
	 * received from the peer or the user goes in as a "%s" argument,
	 * never as the format string.
	 */
	void (*log)(sasl_conn_t *conn, int level, const char *fmt, ...);

	/*
	 * callback to sasl_seterror()
	 * Same rule as log: fmt is never peer- or user-supplied text.
	 */
	void (*seterror)(sasl_conn_t *conn, unsigned flags, const char *fmt, ...);

	/* spare function pointer */
	int *(*spare_fptr)();

	/* auxiliary property utilities */
	struct propctx *(*prop_new)(unsigned estimate);
	int (*prop_dup)(struct propctx *src_ctx, struct propctx **dst_ctx);
	int (*prop_request)(struct propctx *ctx, const char **names);
	const struct propval *(*prop_get)(struct propctx *ctx);
	int (*prop_getnames)(struct propctx *ctx, const char **names,
	    struct propval *vals);
	void (*prop_clear)(struct propctx *ctx, int requests);
	void (*prop_dispose)(struct propctx **ctx);
	/* prop_format: outbuf holds outmax bytes; *outlen receives the length */
	int (*prop_format)(struct propctx *ctx, const char *sep, int seplen,
	    char *outbuf, unsigned outmax, unsigned *outlen);
	int (*prop_set)(struct propctx *ctx, const char *name,
	    const char *value, int vallen);
	int (*prop_setvals)(struct propctx *ctx, const char *name,
	    const char **values);
	void (*prop_erase)(struct propctx *ctx, const char *name);

	/* for additions which don't require a version upgrade; set to 0 */
	int (*spare_fptr1)();
	int (*spare_fptr2)();
	int (*spare_fptr3)();
} sasl_utils_t;

/*
 * output parameters from SASL API
 *
 * created / destroyed by the glue code, though probably filled in
 * by a combination of the plugin, the glue code, and the canon_user callback.
 *
 */
typedef struct sasl_out_params {
	unsigned doneflag;		/* exchange complete */

	const char *user;		/* canonicalized user name */
	const char *authid;		/* canonicalized authentication id */

	unsigned ulen;			/* length of canonicalized user name */
	unsigned alen;			/* length of canonicalized authid */

	/* security layer information */
	unsigned maxoutbuf;		/* largest buffer encode will accept (NOTE(review): inferred from the name; confirm) */
	sasl_ssf_t mech_ssf;		/* Should be set non-zero if negotiation of a */
					/* security layer was *attempted*, even if */
					/* the negotiation failed */
	/*
	 * encode/decode implement the negotiated security layer.
	 * invec/numiov describe the plaintext to protect; input/inputlen is
	 * protected data from the peer and must be bounds-checked against
	 * inputlen before any parsing.  Ownership of *output is not stated in
	 * this header -- check the glue code before freeing or retaining it.
	 */
	void *encode_context;
	int (*encode)(void *context, const struct iovec *invec, unsigned numiov,
	    const char **output, unsigned *outputlen);
	void *decode_context;
	int (*decode)(void *context, const char *input, unsigned inputlen,
	    const char **output, unsigned *outputlen);

	/* for additions which don't require a version upgrade; set to 0 */
	void *spare_ptr1;
	void *spare_ptr2;
	void *spare_ptr3;
	void *spare_ptr4;
	int (*spare_fptr1)();
	int (*spare_fptr2)();
	int spare_int1;
	int spare_int2;
	int spare_int3;
	int spare_int4;

	/*
	 * set to 0 initially, this allows a plugin with extended parameters
	 * to work with an older framework by updating version as parameters
	 * are added.
	 */
	int param_version;
} sasl_out_params_t;

/*
 * Client Mechanism Functions
 */

/*
 * input parameters to client SASL plugin
 *
 * created / destroyed by the glue code
 *
 */
typedef struct sasl_client_params {
	const char *service;		/* service name */
	const char *serverFQDN;		/* server fully qualified domain name */
	const char *clientFQDN;		/* client's fully qualified domain name */
	const sasl_utils_t *utils;	/* SASL API utility routines -- */
					/* for a particular sasl_conn_t, */
					/* MUST remain valid until mech_free is */
					/* called */
	const sasl_callback_t *prompt_supp; /* client callback list */
	const char *iplocalport;	/* server IP domain literal & port */
	const char *ipremoteport;	/* client IP domain literal & port */

	/* the strings above need not be NUL-terminated; use these lengths */
	unsigned servicelen;		/* length of service */
	unsigned slen;			/* length of serverFQDN */
	unsigned clen;			/* length of clientFQDN */
	unsigned iploclen;		/* length of iplocalport */
	unsigned ipremlen;		/* length of ipremoteport */

	/* application's security requirements & info */
	sasl_security_properties_t props;
	sasl_ssf_t external_ssf;	/* external SSF active */

	/* for additions which don't require a version upgrade; set to 0 */
	void *spare_ptr1;
	void *spare_ptr2;
	void *spare_ptr3;
	void *spare_ptr4;

	/*
	 * Canonicalize a user name from on-wire to internal format
	 * added rjs3 2001-05-23
	 * Must be called once user name acquired if canon_user is non-NULL.
	 *  conn        connection context
	 *  in          user name from wire protocol (need not be NUL terminated)
	 *  len         length of user name from wire protocol (0 = strlen(user))
	 *  flags       for SASL_CU_* flags
	 *  oparams     the user, authid, ulen, alen, fields are
	 *              set appropriately after canonicalization/copying and
	 *              authorization of arguments
	 *
	 * responsible for setting user, ulen, authid, and alen in the oparams
	 * structure
	 *
	 * default behavior is to strip leading and trailing whitespace, as
	 * well as allocating space for and copying the parameters.
	 *
	 * results:
	 *  SASL_OK -- success
	 *  SASL_NOMEM -- out of memory
	 *  SASL_BADPARAM -- invalid conn
	 *  SASL_BADPROT -- invalid user/authid
	 */
	int (*canon_user)(sasl_conn_t *conn,
	    const char *in, unsigned len,
	    unsigned flags,
	    sasl_out_params_t *oparams);

	int (*spare_fptr1)();

	int spare_int1;
	int spare_int2;
	int spare_int3;

	/* flags field as passed to sasl_client_new */
	unsigned flags;

	/*
	 * set to 0 initially, this allows a plugin with extended parameters
	 * to work with an older framework by updating version as parameters
	 * are added.
	 */
	int param_version;
} sasl_client_params_t;

/* features shared between client and server */
/* These allow the glue code to handle client-first and server-last issues */

/*
 * This indicates that the mechanism prefers to do client-send-first
 * if the protocol allows it.
 */
#define SASL_FEAT_WANT_CLIENT_FIRST 0x0002

/*
 * This feature is deprecated, instead, plugins should set *serverout to
 * non-NULL and return SASL_OK intelligently to allow flexible use of
 * server-last semantics
 */
/* #define SASL_FEAT_WANT_SERVER_LAST 0x0004 */

/*
 * This feature is deprecated, instead plugins should correctly set
 * SASL_FEAT_SERVER_FIRST as needed
 */
/* #define SASL_FEAT_INTERNAL_CLIENT_FIRST 0x0008 */

/*
 * This indicates that the plugin is server-first only.
 * Not defining either of SASL_FEAT_SERVER_FIRST or
 * SASL_FEAT_WANT_CLIENT_FIRST indicates that the mechanism will take care
 * of the client-first situation internally.
 */
#define SASL_FEAT_SERVER_FIRST 0x0010

/* This plugin allows proxying */
#define SASL_FEAT_ALLOWS_PROXY 0x0020

/* client plug-in features */
#define SASL_FEAT_NEEDSERVERFQDN 0x0001

/*
 * a C object for a client mechanism
 *
 * One of these is returned per mechanism by sasl_client_plug_init_t.
 * The entries marked "set to 0" must really be zeroed: the glue code
 * distinguishes missing from present entries by NULL.
 */
typedef struct sasl_client_plug {
	/* mechanism name */
	const char *mech_name;

	/* best mech additional security layer strength factor */
	sasl_ssf_t max_ssf;

	/* best security flags, as defined in sasl_security_properties_t */
	unsigned security_flags;

	/* features of plugin */
	unsigned features;		/* bitwise OR of the SASL_FEAT_* values above */

	/* required prompt ids, NULL = user/pass only */
	const unsigned long *required_prompts;

	/* global state for mechanism */
	void *glob_context;

	/*
	 * create context for mechanism, using params supplied
	 *  glob_context   -- from above
	 *  params         -- params from sasl_client_new
	 *  conn_context   -- context for one connection
	 * returns:
	 *  SASL_OK        -- success
	 *  SASL_NOMEM     -- not enough memory
	 *  SASL_WRONGMECH -- mech doesn't support security params
	 */
	int (*mech_new)(void *glob_context,
	    sasl_client_params_t *cparams,
	    void **conn_context);

	/*
	 * perform one step of exchange. NULL is passed for serverin on
	 * first step.
	 * returns:
	 *  SASL_OK       -- success
	 *  SASL_INTERACT -- user interaction needed to fill in prompts
	 *  SASL_BADPROT  -- server protocol incorrect/cancelled
	 *  SASL_BADSERV  -- server failed mutual auth
	 *
	 * serverin is data from the peer: every read of it must be bounded by
	 * serverinlen (the separate length argument implies it need not be
	 * NUL-terminated), and malformed input is reported as SASL_BADPROT
	 * rather than parsed optimistically.  Ownership of *clientout is not
	 * stated here -- NOTE(review): confirm who frees it.
	 */
	int (*mech_step)(void *conn_context,
	    sasl_client_params_t *cparams,
	    const char *serverin,
	    unsigned serverinlen,
	    sasl_interact_t **prompt_need,
	    const char **clientout,
	    unsigned *clientoutlen,
	    sasl_out_params_t *oparams);

	/* dispose of connection context from mech_new */
	void (*mech_dispose)(void *conn_context, const sasl_utils_t *utils);

	/*
	 * free all global space used by mechanism
	 * mech_dispose must be called on all mechanisms first
	 */
	void (*mech_free)(void *glob_context, const sasl_utils_t *utils);

	/*
	 * perform precalculations during a network round-trip
	 * or idle period. conn_context may be NULL
	 * returns 1 if action taken, 0 if no action taken
	 */
	int (*idle)(void *glob_context,
	    void *conn_context,
	    sasl_client_params_t *cparams);

	/* for additions which don't require a version upgrade; set to 0 */
	int (*spare_fptr1)();
	int (*spare_fptr2)();
} sasl_client_plug_t;

#define SASL_CLIENT_PLUG_VERSION 4

/*
 * plug-in entry point:
 *  utils         -- utility callback functions
 *  max_version   -- highest client plug version supported
 * returns:
 *  out_version   -- client plug version of result
 *  pluglist      -- list of mechanism plug-ins
 *  plugcount     -- number of mechanism plug-ins
 * results:
 *  SASL_OK       -- success
 *  SASL_NOMEM    -- failure
 *  SASL_BADVERS  -- max_version too small
 *  SASL_BADPARAM -- bad config string
 *  ...
 */
typedef int sasl_client_plug_init_t(const sasl_utils_t *utils,
    int max_version,
    int *out_version,
    sasl_client_plug_t **pluglist,
    int *plugcount);

/*
 * add a client plug-in
 * Registers cplugfunc under plugname with the library (LIBSASL_API is the
 * library's export decoration, defined in sasl.h).
 */
LIBSASL_API int sasl_client_add_plugin(const char *plugname,
    sasl_client_plug_init_t *cplugfunc);

/*
 * Server Functions
 */

/*
 * input parameters to server SASL plugin
 *
 * created / destroyed by the glue code
 *
 */
typedef struct sasl_server_params {
	const char *service;		/* NULL = default service for user_exists */
					/* and setpass */
	const char *appname;		/* name of calling application */
	const char *serverFQDN;		/* server default fully qualified domain name */
					/* (e.g., gethostname) */
	const char *user_realm;		/* realm for user (NULL = client supplied) */
	const char *iplocalport;	/* server IP domain literal & port */
	const char *ipremoteport;	/* client IP domain literal & port */

	/* the strings above need not be NUL-terminated; use these lengths */
	unsigned servicelen;		/* length of service */
	unsigned applen;		/* length of appname */
	unsigned slen;			/* length of serverFQDN */
	unsigned urlen;			/* length of user_realm */
	unsigned iploclen;		/* length of iplocalport */
	unsigned ipremlen;		/* length of ipremoteport */

	/*
	 * This indicates the level of logging desired. See SASL_LOG_*
	 * in sasl.h
	 *
	 * Plug-ins can ignore this and just pass their desired level to
	 * the log callback. This is primarily used to eliminate logging which
	 * might be a performance problem (e.g., full protocol trace) and
	 * to select between SASL_LOG_TRACE and SASL_LOG_PASS alternatives
	 */
	int log_level;

	const sasl_utils_t *utils;	/* SASL API utility routines -- */
					/* for a particular sasl_conn_t, */
					/* MUST remain valid until mech_free is */
					/* called */

	const sasl_callback_t *callbacks; /* Callbacks from application */

	/* application's security requirements */
	sasl_security_properties_t props;
	sasl_ssf_t external_ssf;	/* external SSF active */

	/*
	 * server plug-in calls this when it first has access to the plaintext
	 * passphrase. This is used to transition users via setpass calls.
	 * If passlen is 0, it defaults to strlen(pass).
	 * returns 0 if no entry added, 1 if entry added
	 *
	 * pass is a live secret: the plug-in should erase its own copy (see
	 * erasebuffer in sasl_utils_t) as soon as the call returns.
	 */
	int (*transition)(sasl_conn_t *conn, const char *pass, unsigned passlen);

	/*
	 * Canonicalize a user name from on-wire to internal format
	 * added cjn 1999-09-21
	 * Must be called once user name acquired if canon_user is non-NULL.
	 *  conn        connection context
	 *  user        user name from wire protocol (need not be NUL terminated)
	 *  ulen        length of user name from wire protocol (0 = strlen(user))
	 *  flags       for SASL_CU_* flags
	 *  oparams     the user, authid, ulen, alen, fields are
	 *              set appropriately after canonicalization/copying and
	 *              authorization of arguments
	 *
	 * responsible for setting user, ulen, authid, and alen in the oparams
	 * structure
	 *
	 * default behavior is to strip leading and trailing whitespace, as
	 * well as allocating space for and copying the parameters.
522*7c478bd9Sstevel@tonic-gate * 523*7c478bd9Sstevel@tonic-gate * results: 524*7c478bd9Sstevel@tonic-gate * SASL_OK -- success 525*7c478bd9Sstevel@tonic-gate * SASL_NOMEM -- out of memory 526*7c478bd9Sstevel@tonic-gate * SASL_BADPARAM -- invalid conn 527*7c478bd9Sstevel@tonic-gate * SASL_BADPROT -- invalid user/authid 528*7c478bd9Sstevel@tonic-gate */ 529*7c478bd9Sstevel@tonic-gate int (*canon_user)(sasl_conn_t *conn, 530*7c478bd9Sstevel@tonic-gate const char *user, unsigned ulen, 531*7c478bd9Sstevel@tonic-gate unsigned flags, 532*7c478bd9Sstevel@tonic-gate sasl_out_params_t *oparams); 533*7c478bd9Sstevel@tonic-gate 534*7c478bd9Sstevel@tonic-gate /* 535*7c478bd9Sstevel@tonic-gate * auxiliary property context (see definitions in prop.h) 536*7c478bd9Sstevel@tonic-gate * added cjn 2000-01-30 537*7c478bd9Sstevel@tonic-gate * 538*7c478bd9Sstevel@tonic-gate * NOTE: these properties are the ones associated with the 539*7c478bd9Sstevel@tonic-gate * canonicalized "user" (user to login as / authorization id), not 540*7c478bd9Sstevel@tonic-gate * the "authid" (user whose credentials are used / authentication id) 541*7c478bd9Sstevel@tonic-gate * Prefix the property name with a "*" if a property associated with 542*7c478bd9Sstevel@tonic-gate * the "authid" is interesting. 
543*7c478bd9Sstevel@tonic-gate */ 544*7c478bd9Sstevel@tonic-gate struct propctx *propctx; 545*7c478bd9Sstevel@tonic-gate 546*7c478bd9Sstevel@tonic-gate /* for additions which don't require a version upgrade; set to 0 */ 547*7c478bd9Sstevel@tonic-gate void *spare_ptr1; 548*7c478bd9Sstevel@tonic-gate void *spare_ptr2; 549*7c478bd9Sstevel@tonic-gate void *spare_ptr3; 550*7c478bd9Sstevel@tonic-gate void *spare_ptr4; 551*7c478bd9Sstevel@tonic-gate int (*spare_fptr1)(); 552*7c478bd9Sstevel@tonic-gate int (*spare_fptr2)(); 553*7c478bd9Sstevel@tonic-gate int spare_int1; 554*7c478bd9Sstevel@tonic-gate int spare_int2; 555*7c478bd9Sstevel@tonic-gate int spare_int3; 556*7c478bd9Sstevel@tonic-gate 557*7c478bd9Sstevel@tonic-gate /* flags field as passed to sasl_server_new */ 558*7c478bd9Sstevel@tonic-gate unsigned flags; 559*7c478bd9Sstevel@tonic-gate 560*7c478bd9Sstevel@tonic-gate /* 561*7c478bd9Sstevel@tonic-gate * set to 0 initially, this allows a plugin with extended parameters 562*7c478bd9Sstevel@tonic-gate * to work with an older framework by updating version as parameters 563*7c478bd9Sstevel@tonic-gate * are added. 
564*7c478bd9Sstevel@tonic-gate */ 565*7c478bd9Sstevel@tonic-gate int param_version; 566*7c478bd9Sstevel@tonic-gate } sasl_server_params_t; 567*7c478bd9Sstevel@tonic-gate 568*7c478bd9Sstevel@tonic-gate /* features for server plug-in */ 569*7c478bd9Sstevel@tonic-gate #define SASL_FEAT_SERVICE 0x0200 /* service-specific passwords supported */ 570*7c478bd9Sstevel@tonic-gate #define SASL_FEAT_GETSECRET 0x0400 /* sasl_server_{get,put}secret_t */ 571*7c478bd9Sstevel@tonic-gate /* callbacks required by plug-in */ 572*7c478bd9Sstevel@tonic-gate 573*7c478bd9Sstevel@tonic-gate /* a C object for a server mechanism */ 574*7c478bd9Sstevel@tonic-gate typedef struct sasl_server_plug { 575*7c478bd9Sstevel@tonic-gate /* mechanism name */ 576*7c478bd9Sstevel@tonic-gate const char *mech_name; 577*7c478bd9Sstevel@tonic-gate 578*7c478bd9Sstevel@tonic-gate /* best mech additional security layer strength factor */ 579*7c478bd9Sstevel@tonic-gate sasl_ssf_t max_ssf; 580*7c478bd9Sstevel@tonic-gate 581*7c478bd9Sstevel@tonic-gate /* best security flags, as defined in sasl_security_properties_t */ 582*7c478bd9Sstevel@tonic-gate unsigned security_flags; 583*7c478bd9Sstevel@tonic-gate 584*7c478bd9Sstevel@tonic-gate /* features of plugin */ 585*7c478bd9Sstevel@tonic-gate unsigned features; 586*7c478bd9Sstevel@tonic-gate 587*7c478bd9Sstevel@tonic-gate /* global state for mechanism */ 588*7c478bd9Sstevel@tonic-gate void *glob_context; 589*7c478bd9Sstevel@tonic-gate 590*7c478bd9Sstevel@tonic-gate /* 591*7c478bd9Sstevel@tonic-gate * create a new mechanism handler 592*7c478bd9Sstevel@tonic-gate * glob_context -- global context 593*7c478bd9Sstevel@tonic-gate * sparams -- server config params 594*7c478bd9Sstevel@tonic-gate * challenge -- server challenge from previous instance or NULL 595*7c478bd9Sstevel@tonic-gate * challen -- length of challenge from previous instance or 0 596*7c478bd9Sstevel@tonic-gate * out: 597*7c478bd9Sstevel@tonic-gate * conn_context -- connection context 
598*7c478bd9Sstevel@tonic-gate * errinfo -- error information 599*7c478bd9Sstevel@tonic-gate * 600*7c478bd9Sstevel@tonic-gate * returns: 601*7c478bd9Sstevel@tonic-gate * SASL_OK -- successfully created mech instance 602*7c478bd9Sstevel@tonic-gate * SASL_* -- any other server error code 603*7c478bd9Sstevel@tonic-gate */ 604*7c478bd9Sstevel@tonic-gate int (*mech_new)(void *glob_context, 605*7c478bd9Sstevel@tonic-gate sasl_server_params_t *sparams, 606*7c478bd9Sstevel@tonic-gate const char *challenge, 607*7c478bd9Sstevel@tonic-gate unsigned challen, 608*7c478bd9Sstevel@tonic-gate void **conn_context); 609*7c478bd9Sstevel@tonic-gate 610*7c478bd9Sstevel@tonic-gate /* 611*7c478bd9Sstevel@tonic-gate * perform one step in exchange 612*7c478bd9Sstevel@tonic-gate * 613*7c478bd9Sstevel@tonic-gate * returns: 614*7c478bd9Sstevel@tonic-gate * SASL_OK -- success, all done 615*7c478bd9Sstevel@tonic-gate * SASL_CONTINUE -- success, one more round trip 616*7c478bd9Sstevel@tonic-gate * SASL_* -- any other server error code 617*7c478bd9Sstevel@tonic-gate */ 618*7c478bd9Sstevel@tonic-gate int (*mech_step)(void *conn_context, 619*7c478bd9Sstevel@tonic-gate sasl_server_params_t *sparams, 620*7c478bd9Sstevel@tonic-gate const char *clientin, 621*7c478bd9Sstevel@tonic-gate unsigned clientinlen, 622*7c478bd9Sstevel@tonic-gate const char **serverout, 623*7c478bd9Sstevel@tonic-gate unsigned *serveroutlen, 624*7c478bd9Sstevel@tonic-gate sasl_out_params_t *oparams); 625*7c478bd9Sstevel@tonic-gate 626*7c478bd9Sstevel@tonic-gate /* dispose of a connection state */ 627*7c478bd9Sstevel@tonic-gate void (*mech_dispose)(void *conn_context, const sasl_utils_t *utils); 628*7c478bd9Sstevel@tonic-gate 629*7c478bd9Sstevel@tonic-gate /* 630*7c478bd9Sstevel@tonic-gate * free global state for mechanism 631*7c478bd9Sstevel@tonic-gate * mech_dispose must be called on all mechanisms first 632*7c478bd9Sstevel@tonic-gate */ 633*7c478bd9Sstevel@tonic-gate void (*mech_free)(void *glob_context, const sasl_utils_t 
*utils); 634*7c478bd9Sstevel@tonic-gate 635*7c478bd9Sstevel@tonic-gate /* 636*7c478bd9Sstevel@tonic-gate * set a password (optional) 637*7c478bd9Sstevel@tonic-gate * glob_context -- global context 638*7c478bd9Sstevel@tonic-gate * sparams -- service, middleware utilities, etc. props ignored 639*7c478bd9Sstevel@tonic-gate * user -- user name 640*7c478bd9Sstevel@tonic-gate * pass -- password/passphrase (NULL = disable/remove/delete) 641*7c478bd9Sstevel@tonic-gate * passlen -- length of password/passphrase 642*7c478bd9Sstevel@tonic-gate * oldpass -- old password/passphrase (NULL = transition) 643*7c478bd9Sstevel@tonic-gate * oldpasslen -- length of password/passphrase 644*7c478bd9Sstevel@tonic-gate * flags -- see above 645*7c478bd9Sstevel@tonic-gate * 646*7c478bd9Sstevel@tonic-gate * returns: 647*7c478bd9Sstevel@tonic-gate * SASL_NOCHANGE -- no change was needed 648*7c478bd9Sstevel@tonic-gate * SASL_NOUSER -- no entry for user 649*7c478bd9Sstevel@tonic-gate * SASL_NOVERIFY -- no mechanism compatible entry for user 650*7c478bd9Sstevel@tonic-gate * SASL_PWLOCK -- password locked 651*7c478bd9Sstevel@tonic-gate * SASL_DIABLED -- account disabled 652*7c478bd9Sstevel@tonic-gate * etc. 653*7c478bd9Sstevel@tonic-gate */ 654*7c478bd9Sstevel@tonic-gate int (*setpass)(void *glob_context, 655*7c478bd9Sstevel@tonic-gate sasl_server_params_t *sparams, 656*7c478bd9Sstevel@tonic-gate const char *user, 657*7c478bd9Sstevel@tonic-gate const char *pass, unsigned passlen, 658*7c478bd9Sstevel@tonic-gate const char *oldpass, unsigned oldpasslen, 659*7c478bd9Sstevel@tonic-gate unsigned flags); 660*7c478bd9Sstevel@tonic-gate 661*7c478bd9Sstevel@tonic-gate /* 662*7c478bd9Sstevel@tonic-gate * query which mechanisms are available for user 663*7c478bd9Sstevel@tonic-gate * glob_context -- context 664*7c478bd9Sstevel@tonic-gate * sparams -- service, middleware utilities, etc. 
props ignored 665*7c478bd9Sstevel@tonic-gate * user -- NUL terminated user name 666*7c478bd9Sstevel@tonic-gate * maxmech -- max number of strings in mechlist (0 = no output) 667*7c478bd9Sstevel@tonic-gate * output: 668*7c478bd9Sstevel@tonic-gate * mechlist -- an array of C string pointers, filled in with 669*7c478bd9Sstevel@tonic-gate * mechanism names available to the user 670*7c478bd9Sstevel@tonic-gate * 671*7c478bd9Sstevel@tonic-gate * returns: 672*7c478bd9Sstevel@tonic-gate * SASL_OK -- success 673*7c478bd9Sstevel@tonic-gate * SASL_NOMEM -- not enough memory 674*7c478bd9Sstevel@tonic-gate * SASL_FAIL -- lower level failure 675*7c478bd9Sstevel@tonic-gate * SASL_DISABLED -- account disabled 676*7c478bd9Sstevel@tonic-gate * SASL_NOUSER -- user not found 677*7c478bd9Sstevel@tonic-gate * SASL_BUFOVER -- maxmech is too small 678*7c478bd9Sstevel@tonic-gate * SASL_NOVERIFY -- user found, but no mechanisms available 679*7c478bd9Sstevel@tonic-gate */ 680*7c478bd9Sstevel@tonic-gate int (*user_query)(void *glob_context, 681*7c478bd9Sstevel@tonic-gate sasl_server_params_t *sparams, 682*7c478bd9Sstevel@tonic-gate const char *user, 683*7c478bd9Sstevel@tonic-gate int maxmech, 684*7c478bd9Sstevel@tonic-gate const char **mechlist); 685*7c478bd9Sstevel@tonic-gate 686*7c478bd9Sstevel@tonic-gate /* 687*7c478bd9Sstevel@tonic-gate * perform precalculations during a network round-trip 688*7c478bd9Sstevel@tonic-gate * or idle period. conn_context may be NULL (optional) 689*7c478bd9Sstevel@tonic-gate * returns 1 if action taken, 0 if no action taken 690*7c478bd9Sstevel@tonic-gate */ 691*7c478bd9Sstevel@tonic-gate int (*idle)(void *glob_context, 692*7c478bd9Sstevel@tonic-gate void *conn_context, 693*7c478bd9Sstevel@tonic-gate sasl_server_params_t *sparams); 694*7c478bd9Sstevel@tonic-gate 695*7c478bd9Sstevel@tonic-gate /* 696*7c478bd9Sstevel@tonic-gate * check if mechanism is available 697*7c478bd9Sstevel@tonic-gate * TODO - Is this correct? 
698*7c478bd9Sstevel@tonic-gate * optional--if NULL, mechanism is available based on ENABLE= 699*7c478bd9Sstevel@tonic-gate * in config 700*7c478bd9Sstevel@tonic-gate * 701*7c478bd9Sstevel@tonic-gate * If this routine sets conn_context to a non-NULL value, then the call 702*7c478bd9Sstevel@tonic-gate * to mech_new will be skipped. This should not be done unless 703*7c478bd9Sstevel@tonic-gate * there's a significant performance benefit, since it can cause 704*7c478bd9Sstevel@tonic-gate * additional memory allocation in SASL core code to keep track of 705*7c478bd9Sstevel@tonic-gate * contexts potentially for multiple mechanisms. 706*7c478bd9Sstevel@tonic-gate * 707*7c478bd9Sstevel@tonic-gate * This is called by the first call to sasl_listmech() for a 708*7c478bd9Sstevel@tonic-gate * given connection context, thus for a given protocol it may 709*7c478bd9Sstevel@tonic-gate * never be called. Note that if mech_avail returns SASL_NOMECH, 710*7c478bd9Sstevel@tonic-gate * then that mechanism is considered disabled for the remainder 711*7c478bd9Sstevel@tonic-gate * of the session. 
712*7c478bd9Sstevel@tonic-gate * 713*7c478bd9Sstevel@tonic-gate * returns SASL_OK on success, 714*7c478bd9Sstevel@tonic-gate * SASL_NOMECH if mech disabled 715*7c478bd9Sstevel@tonic-gate */ 716*7c478bd9Sstevel@tonic-gate int (*mech_avail)(void *glob_context, 717*7c478bd9Sstevel@tonic-gate sasl_server_params_t *sparams, 718*7c478bd9Sstevel@tonic-gate void **conn_context); 719*7c478bd9Sstevel@tonic-gate 720*7c478bd9Sstevel@tonic-gate /* for additions which don't require a version upgrade; set to 0 */ 721*7c478bd9Sstevel@tonic-gate int (*spare_fptr2)(); 722*7c478bd9Sstevel@tonic-gate } sasl_server_plug_t; 723*7c478bd9Sstevel@tonic-gate 724*7c478bd9Sstevel@tonic-gate #define SASL_SERVER_PLUG_VERSION 4 725*7c478bd9Sstevel@tonic-gate 726*7c478bd9Sstevel@tonic-gate /* 727*7c478bd9Sstevel@tonic-gate * plug-in entry point: 728*7c478bd9Sstevel@tonic-gate * utils -- utility callback functions 729*7c478bd9Sstevel@tonic-gate * plugname -- name of plug-in (may be NULL) 730*7c478bd9Sstevel@tonic-gate * max_version -- highest server plug version supported 731*7c478bd9Sstevel@tonic-gate * returns: 732*7c478bd9Sstevel@tonic-gate * out_version -- server plug-in version of result 733*7c478bd9Sstevel@tonic-gate * pluglist -- list of mechanism plug-ins 734*7c478bd9Sstevel@tonic-gate * plugcount -- number of mechanism plug-ins 735*7c478bd9Sstevel@tonic-gate * results: 736*7c478bd9Sstevel@tonic-gate * SASL_OK -- success 737*7c478bd9Sstevel@tonic-gate * SASL_NOMEM -- failure 738*7c478bd9Sstevel@tonic-gate * SASL_BADVERS -- max_version too small 739*7c478bd9Sstevel@tonic-gate * SASL_BADPARAM -- bad config string 740*7c478bd9Sstevel@tonic-gate * ... 
741*7c478bd9Sstevel@tonic-gate */ 742*7c478bd9Sstevel@tonic-gate typedef int sasl_server_plug_init_t(const sasl_utils_t *utils, 743*7c478bd9Sstevel@tonic-gate int max_version, 744*7c478bd9Sstevel@tonic-gate int *out_version, 745*7c478bd9Sstevel@tonic-gate sasl_server_plug_t **pluglist, 746*7c478bd9Sstevel@tonic-gate int *plugcount); 747*7c478bd9Sstevel@tonic-gate 748*7c478bd9Sstevel@tonic-gate /* 749*7c478bd9Sstevel@tonic-gate * add a server plug-in 750*7c478bd9Sstevel@tonic-gate */ 751*7c478bd9Sstevel@tonic-gate LIBSASL_API int sasl_server_add_plugin(const char *plugname, 752*7c478bd9Sstevel@tonic-gate sasl_server_plug_init_t *splugfunc); 753*7c478bd9Sstevel@tonic-gate 754*7c478bd9Sstevel@tonic-gate /* 755*7c478bd9Sstevel@tonic-gate * user canonicalization plug-in -- added cjn 1999-09-29 756*7c478bd9Sstevel@tonic-gate */ 757*7c478bd9Sstevel@tonic-gate 758*7c478bd9Sstevel@tonic-gate typedef struct sasl_canonuser { 759*7c478bd9Sstevel@tonic-gate /* optional features of plugin (set to 0) */ 760*7c478bd9Sstevel@tonic-gate int features; 761*7c478bd9Sstevel@tonic-gate 762*7c478bd9Sstevel@tonic-gate /* spare integer (set to 0) */ 763*7c478bd9Sstevel@tonic-gate int spare_int1; 764*7c478bd9Sstevel@tonic-gate 765*7c478bd9Sstevel@tonic-gate /* global state for plugin */ 766*7c478bd9Sstevel@tonic-gate void *glob_context; 767*7c478bd9Sstevel@tonic-gate 768*7c478bd9Sstevel@tonic-gate /* name of plugin */ 769*7c478bd9Sstevel@tonic-gate char *name; 770*7c478bd9Sstevel@tonic-gate 771*7c478bd9Sstevel@tonic-gate /* free global state for plugin */ 772*7c478bd9Sstevel@tonic-gate void (*canon_user_free)(void *glob_context, const sasl_utils_t *utils); 773*7c478bd9Sstevel@tonic-gate 774*7c478bd9Sstevel@tonic-gate /* 775*7c478bd9Sstevel@tonic-gate * canonicalize a username 776*7c478bd9Sstevel@tonic-gate * glob_context -- global context from this structure 777*7c478bd9Sstevel@tonic-gate * sparams -- server params, note user_realm&propctx elements 778*7c478bd9Sstevel@tonic-gate * user -- 
user to login as (may not be NUL terminated) 779*7c478bd9Sstevel@tonic-gate * len -- length of user name (0 = strlen(user)) 780*7c478bd9Sstevel@tonic-gate * flags -- for SASL_CU_* flags 781*7c478bd9Sstevel@tonic-gate * out -- buffer to copy user name 782*7c478bd9Sstevel@tonic-gate * out_max -- max length of user name 783*7c478bd9Sstevel@tonic-gate * out_len -- set to length of user name 784*7c478bd9Sstevel@tonic-gate * 785*7c478bd9Sstevel@tonic-gate * note that the output buffers MAY be the same as the input buffers. 786*7c478bd9Sstevel@tonic-gate * 787*7c478bd9Sstevel@tonic-gate * returns 788*7c478bd9Sstevel@tonic-gate * SASL_OK on success 789*7c478bd9Sstevel@tonic-gate * SASL_BADPROT username contains invalid character 790*7c478bd9Sstevel@tonic-gate */ 791*7c478bd9Sstevel@tonic-gate int (*canon_user_server)(void *glob_context, 792*7c478bd9Sstevel@tonic-gate sasl_server_params_t *sparams, 793*7c478bd9Sstevel@tonic-gate const char *user, unsigned len, 794*7c478bd9Sstevel@tonic-gate unsigned flags, 795*7c478bd9Sstevel@tonic-gate char *out, 796*7c478bd9Sstevel@tonic-gate unsigned out_umax, unsigned *out_ulen); 797*7c478bd9Sstevel@tonic-gate 798*7c478bd9Sstevel@tonic-gate int (*canon_user_client)(void *glob_context, 799*7c478bd9Sstevel@tonic-gate sasl_client_params_t *cparams, 800*7c478bd9Sstevel@tonic-gate const char *user, unsigned len, 801*7c478bd9Sstevel@tonic-gate unsigned flags, 802*7c478bd9Sstevel@tonic-gate char *out, 803*7c478bd9Sstevel@tonic-gate unsigned out_max, unsigned *out_len); 804*7c478bd9Sstevel@tonic-gate 805*7c478bd9Sstevel@tonic-gate /* for additions which don't require a version upgrade; set to 0 */ 806*7c478bd9Sstevel@tonic-gate int (*spare_fptr1)(); 807*7c478bd9Sstevel@tonic-gate int (*spare_fptr2)(); 808*7c478bd9Sstevel@tonic-gate int (*spare_fptr3)(); 809*7c478bd9Sstevel@tonic-gate } sasl_canonuser_plug_t; 810*7c478bd9Sstevel@tonic-gate 811*7c478bd9Sstevel@tonic-gate #define SASL_CANONUSER_PLUG_VERSION 5 812*7c478bd9Sstevel@tonic-gate 
813*7c478bd9Sstevel@tonic-gate /* 814*7c478bd9Sstevel@tonic-gate * default name for canonuser plug-in entry point is "sasl_canonuser_init" 815*7c478bd9Sstevel@tonic-gate * similar to sasl_server_plug_init model, except only returns one 816*7c478bd9Sstevel@tonic-gate * sasl_canonuser_plug_t structure; 817*7c478bd9Sstevel@tonic-gate */ 818*7c478bd9Sstevel@tonic-gate typedef int sasl_canonuser_init_t(const sasl_utils_t *utils, 819*7c478bd9Sstevel@tonic-gate int max_version, 820*7c478bd9Sstevel@tonic-gate int *out_version, 821*7c478bd9Sstevel@tonic-gate sasl_canonuser_plug_t **plug, 822*7c478bd9Sstevel@tonic-gate const char *plugname); 823*7c478bd9Sstevel@tonic-gate 824*7c478bd9Sstevel@tonic-gate /* add a canonuser plugin */ 825*7c478bd9Sstevel@tonic-gate LIBSASL_API int sasl_canonuser_add_plugin(const char *plugname, 826*7c478bd9Sstevel@tonic-gate sasl_canonuser_init_t *canonuserfunc); 827*7c478bd9Sstevel@tonic-gate 828*7c478bd9Sstevel@tonic-gate /* 829*7c478bd9Sstevel@tonic-gate * auxiliary property plug-in -- added cjn 1999-09-29 830*7c478bd9Sstevel@tonic-gate */ 831*7c478bd9Sstevel@tonic-gate 832*7c478bd9Sstevel@tonic-gate typedef struct sasl_auxprop_plug { 833*7c478bd9Sstevel@tonic-gate /* optional features of plugin (none defined yet, set to 0) */ 834*7c478bd9Sstevel@tonic-gate int features; 835*7c478bd9Sstevel@tonic-gate 836*7c478bd9Sstevel@tonic-gate /* spare integer, must be set to 0 */ 837*7c478bd9Sstevel@tonic-gate int spare_int1; 838*7c478bd9Sstevel@tonic-gate 839*7c478bd9Sstevel@tonic-gate /* global state for plugin */ 840*7c478bd9Sstevel@tonic-gate void *glob_context; 841*7c478bd9Sstevel@tonic-gate 842*7c478bd9Sstevel@tonic-gate /* free global state for plugin (OPTIONAL) */ 843*7c478bd9Sstevel@tonic-gate void (*auxprop_free)(void *glob_context, const sasl_utils_t *utils); 844*7c478bd9Sstevel@tonic-gate 845*7c478bd9Sstevel@tonic-gate /* 846*7c478bd9Sstevel@tonic-gate * fill in fields of an auxiliary property context 847*7c478bd9Sstevel@tonic-gate * last 
element in array has id of SASL_AUX_END 848*7c478bd9Sstevel@tonic-gate * elements with non-0 len should be ignored. 849*7c478bd9Sstevel@tonic-gate */ 850*7c478bd9Sstevel@tonic-gate void (*auxprop_lookup)(void *glob_context, 851*7c478bd9Sstevel@tonic-gate sasl_server_params_t *sparams, 852*7c478bd9Sstevel@tonic-gate unsigned flags, 853*7c478bd9Sstevel@tonic-gate const char *user, unsigned ulen); 854*7c478bd9Sstevel@tonic-gate 855*7c478bd9Sstevel@tonic-gate /* name of the auxprop plugin */ 856*7c478bd9Sstevel@tonic-gate char *name; 857*7c478bd9Sstevel@tonic-gate 858*7c478bd9Sstevel@tonic-gate /* for additions which don't require a version upgrade; set to 0 */ 859*7c478bd9Sstevel@tonic-gate void (*spare_fptr1)(); 860*7c478bd9Sstevel@tonic-gate } sasl_auxprop_plug_t; 861*7c478bd9Sstevel@tonic-gate 862*7c478bd9Sstevel@tonic-gate /* auxprop lookup flags */ 863*7c478bd9Sstevel@tonic-gate #define SASL_AUXPROP_OVERRIDE 0x01 /* if clear, ignore auxiliary properties */ 864*7c478bd9Sstevel@tonic-gate /* with non-zero len field. 
If set, */ 865*7c478bd9Sstevel@tonic-gate /* override value of those properties */ 866*7c478bd9Sstevel@tonic-gate #define SASL_AUXPROP_AUTHZID 0x02 /* if clear, we are looking up the */ 867*7c478bd9Sstevel@tonic-gate /* authid flags (prefixed with *), */ 868*7c478bd9Sstevel@tonic-gate /* otherwise we are looking up the */ 869*7c478bd9Sstevel@tonic-gate /* authzid flags (no prefix) */ 870*7c478bd9Sstevel@tonic-gate 871*7c478bd9Sstevel@tonic-gate #define SASL_AUXPROP_PLUG_VERSION 4 872*7c478bd9Sstevel@tonic-gate 873*7c478bd9Sstevel@tonic-gate /* 874*7c478bd9Sstevel@tonic-gate * default name for auxprop plug-in entry point is "sasl_auxprop_init" 875*7c478bd9Sstevel@tonic-gate * similar to sasl_server_plug_init model, except only returns one 876*7c478bd9Sstevel@tonic-gate * sasl_auxprop_plug_t structure; 877*7c478bd9Sstevel@tonic-gate */ 878*7c478bd9Sstevel@tonic-gate typedef int sasl_auxprop_init_t(const sasl_utils_t *utils, 879*7c478bd9Sstevel@tonic-gate int max_version, 880*7c478bd9Sstevel@tonic-gate int *out_version, 881*7c478bd9Sstevel@tonic-gate sasl_auxprop_plug_t **plug, 882*7c478bd9Sstevel@tonic-gate const char *plugname); 883*7c478bd9Sstevel@tonic-gate 884*7c478bd9Sstevel@tonic-gate /* add an auxiliary property plug-in */ 885*7c478bd9Sstevel@tonic-gate LIBSASL_API int sasl_auxprop_add_plugin(const char *plugname, 886*7c478bd9Sstevel@tonic-gate sasl_auxprop_init_t *auxpropfunc); 887*7c478bd9Sstevel@tonic-gate 888*7c478bd9Sstevel@tonic-gate #ifdef __cplusplus 889*7c478bd9Sstevel@tonic-gate } 890*7c478bd9Sstevel@tonic-gate #endif 891*7c478bd9Sstevel@tonic-gate 892*7c478bd9Sstevel@tonic-gate #endif /* _SASL_SASLPLUG_H */ 893