GNU SASL Library - Libgsasl
GNU SASL is an implementation of the Simple Authentication and
Security Layer framework and a few common SASL mechanisms. SASL is
used by network servers (e.g., IMAP, SMTP) to request authentication
from clients, and in clients to authenticate against servers.
GNU SASL consists of a library (`libgsasl'), a command line utility
(`gsasl') to access the library from the shell, and a manual. The
library includes support for the framework (with authentication
functions and application data privacy and integrity functions) and
at least partial support for the CRAM-MD5, EXTERNAL, GSSAPI,
ANONYMOUS, PLAIN, SECURID, DIGEST-MD5, SCRAM-SHA-1,
SCRAM-SHA-1-PLUS, LOGIN, and NTLM mechanisms.
The library is portable because it does not do network communication
by itself, but rather leaves it up to the calling application. The
library is flexible with regards to the authorization infrastructure
used, as it utilizes callbacks into the application to decide
whether an user is authorized or not.
GNU SASL is written in pure ANSI C89 to be portable to embedded
and otherwise limited platforms. The entire library, with full
support for ANONYMOUS, EXTERNAL, PLAIN, LOGIN and CRAM-MD5, and the
front-end that supports client and server mode, and the IMAP and
SMTP protocols, fits in under 80kb on an Intel x86 platform, without
any modifications to the code. (This figure was accurate as of
GNU SASL is developed for the GNU/Linux system, but runs on over 20
platforms including most major Unix platforms and Windows, and many
kind of devices including iPAQ handhelds and S/390 mainframes.
The core GNU SASL library, and most mechanisms, are licensed under
the GNU Lesser General Public version 2.1 (or later). It is
distributed separately, as the "libgsasl" package. The GNU SASL
command line application, self test suite and more are licensed
under the GNU General Public License version 3 (or later). The
"gsasl" package distribution includes the library part as well, so
you do not need to install two packages.
Some of the goals with this project are:
- Clean room implementation. This means the copyright and
license conditions are clear.
- Internationalization. It handles non-ASCII username and
passwords by using SASLprep. User visible strings used in the
library (error messages) can be translated into the users'
- Thread safe library. This library uses no global state
and multiple concurrent SASL sessions are possibly (e.g. in a
- Portable. It should work on all Unix like operating
systems, including Windows. The library itself should be portable
to any C89 system, not even POSIX is required.
Refer to the GNU SASL Manual web page for
links to the manual in all formats; however, quick links to the most
See also the various standard texts:
Currently the ANONYMOUS, EXTERNAL, CRAM-MD5, DIGEST-MD5, GS2-KRB5,
GSS-API, PLAIN, LOGIN, SCRAM-SHA-1, SCRAM-SHA-1-PLUS, and SECURID
mechanisms are implemented and work both in client and server mode.
The NTLM mechanism is implemented in client mode only.
The library has been used in production for several years and should
be considered mature.
GNU SASL has been ported to Windows and there are some resources
around this effort:
Free software projects using GNU SASL include:
Let us know about more
free software projects that use GNU SASL!
A mailing list where GNU SASL users may help each other exists, and
you can reach it by sending e-mail
Archives of the mailing list discussions, and an interface to manage
subscriptions, is available through the World Wide Web at
If you are interested in paid support of GNU SASL, or sponsor the
development, please contact
me. If you provide paid services for GNU SASL, and would like
to be mentioned here,
also contact me.
If you find GNU SASL useful, please consider making a donation. No
amount is too small!
Note that new releases are only mentioned here if they introduce a
major feature or is significant in some other way. Read
help-gsasl mailing list if you seek more frequent announcements.
Information on what is new in the library itself is found in
the NEWS and
file (live version).
- 2010-12-14: New stable release 1.6.0 with SCRAM-SHA-1(-PLUS) and
- 2010-11-14: SCRAM-SHA-1-PLUS is supported in experimental 1.5.3
- 2010-03-31: GS2-KRB5 is supported in the experimental 1.5.0
- 2009-11-07: SCRAM-SHA-1 is now intended for stable use with the
version 1.4 release.
- 2009-10-08: As of version 1.3 the library experimentally
- 2008-08-19: The library can be built as a native Windows Visual
- 2008-01-12: Instructions
for building GNU SASL
under uClinux have been published.
- 2007-10-08: Git repository moved to Savannah, you
- 2007-07-09: The command line, self tests, examples etc of GNU
SASL are now licensed under the GPL version 3. The library
remains licensed under the LGPL version 2.1.
- 2007-06-01: GNU SASL is now developed in git instead of cvs.
- 2007-04-20: Version 0.2.16, released today, will likely be the
last release on the 0.2.x. branch, next we'll focus on
- 2006-06-14: Newly released version 0.2.13 works well under
- 2004-11-07: A new major release, version 0.2.0, has been
- 2004-04-16: The license for the core library, and most common
mechanisms, is being changed to LGPL. A release candidate of
0.0.15 with this change is available.
- 2004-01-01: Savannah had problems last month, and still isn't
operating fully. CVS has been moved to a private machine, a
read-only mirror of it will hopefully be available via Savannah in
- 2003-10-11 Version 0.0.8 includes API for SASLprep/trace string
preparation, improved portability, and more.
- 2003-06-02 The GSSAPI mechanism now supports
GSS and Heimdal, besides MIT Kerberos.
- 2003-03-17 Debian
libgsasl, thanks to Ryan M. Golbeck.
- 2003-02-02 The
document is updated with examples from our library used in
GNU Mailutil's imap4d server.
- 2003-01-30 Implementation of
mechanism proposal started, using
- 2002-12-16 gnu.org web pages opened and development moved to
- 2002-12-13 Version 0.0.4 renames the package from "libgsasl" to
GNU SASL and the license is changed to the GPL.
- 2002-12-09 Official GNU project.
- 2002-10-07 Initial release of version 0.0.0.
The releases are distributed from
All official releases are signed with
an OpenPGP key with
Unofficial Windows binaries are provided by Francis Brosnan Blazquez
Sourceforge's Vortex project.
There is a
Savannah GNU SASL project page. You can
the sources by using git as
$ git clone git://git.savannah.gnu.org/gsasl.git
git interface is available.
Notifications of each commit is sent
If you have trouble using git, you may download
a daily snapshot.
The snapshots are prepared similar to regular releases, i.e., you
simply build them using
./configure && make.
Build logs from building the package, where you can also contribute
a build system for your own platform, are available from
the GNU SASL
on how to bootstrap and build the package from version controlled
For every release, we publish
cyclomatic code complexity charts for the package. There is
also self-test code coverage charts
You need at least a shell, a C compiler and a Make tool to build GNU
GNU SASL will enable certain features if you have the following
optional external libraries installed:
Report all problems
to email@example.com, but
please read the manual
on how to report bugs