GNU SASL Library - Libgsasl
GNU SASL is an implementation of the Simple Authentication and Security Layer framework and a few common SASL mechanisms. SASL is used by network servers (e.g., IMAP, SMTP) to request authentication from clients, and in clients to authenticate against servers.
GNU SASL consists of a library (`libgsasl'), a command line utility (`gsasl') to access the library from the shell, and a manual. The library includes support for the framework (with authentication functions and application data privacy and integrity functions) and at least partial support for the CRAM-MD5, EXTERNAL, GSSAPI, ANONYMOUS, PLAIN, SECURID, DIGEST-MD5, SCRAM-SHA-1, SCRAM-SHA-1-PLUS, LOGIN, and NTLM mechanisms.
The library is portable because it does not do network communication by itself, but rather leaves it up to the calling application. The library is flexible with regards to the authorization infrastructure used, as it utilizes callbacks into the application to decide whether an user is authorized or not.
GNU SASL is written in pure ANSI C89 to be portable to embedded and otherwise limited platforms. The entire library, with full support for ANONYMOUS, EXTERNAL, PLAIN, LOGIN and CRAM-MD5, and the front-end that supports client and server mode, and the IMAP and SMTP protocols, fits in under 80kb on an Intel x86 platform, without any modifications to the code. (This figure was accurate as of version 1.1.)
GNU SASL is developed for the GNU/Linux system, but runs on over 20 platforms including most major Unix platforms and Windows, and many kind of devices including iPAQ handhelds and S/390 mainframes.
The core GNU SASL library, and most mechanisms, are licensed under the GNU Lesser General Public version 2.1 (or later). It is distributed separately, as the "libgsasl" package. The GNU SASL command line application, self test suite and more are licensed under the GNU General Public License version 3 (or later). The "gsasl" package distribution includes the library part as well, so you do not need to install two packages.
Some of the goals with this project are:
- Clean room implementation. This means the copyright and license conditions are clear.
- Internationalization. It handles non-ASCII username and passwords by using SASLprep. User visible strings used in the library (error messages) can be translated into the users' language.
- Thread safe library. This library uses no global state and multiple concurrent SASL sessions are possibly (e.g. in a multithreaded server).
- Portable. It should work on all Unix like operating systems, including Windows. The library itself should be portable to any C89 system, not even POSIX is required.
Refer to the GNU SASL Manual web page for links to the manual in all formats; however, quick links to the most popular formats:
See also the various standard texts:
- RFC 4422, the core SASL specification
- RFC 2831, the DIGEST-MD5 mechanism
- RFC 4505, the ANONYMOUS mechanism
- RFC 4616, the PLAIN mechanism
- RFC 4752, the Kerberos V5 GSSAPI mechanism
- RFC 5801, the GS2 mechanism (GS2-KRB5)
- RFC 5802, the SCRAM mechanism
- RFC 6595, the SAML20 mechanism
- RFC 6616, the OPENID20 mechanism
Currently the ANONYMOUS, EXTERNAL, CRAM-MD5, DIGEST-MD5, GS2-KRB5, GSS-API, PLAIN, LOGIN, SCRAM-SHA-1, SCRAM-SHA-1-PLUS, and SECURID mechanisms are implemented and work both in client and server mode. The NTLM mechanism is implemented in client mode only.
The library has been used in production for several years and should be considered mature.
GNU SASL has been ported to Windows and there are some resources around this effort:
Free software projects using GNU SASL include:
- GNU Emacs, in the Gnus MUA.
- GNU Mailutils.
- GNU Anubis.
- Vortex Library, a BEEP stack.
- Jabberd2, a XMPP server.
Let us know about more free software projects that use GNU SASL!
A mailing list where GNU SASL users may help each other exists, and you can reach it by sending e-mail to email@example.com. Archives of the mailing list discussions, and an interface to manage subscriptions, is available through the World Wide Web at http://lists.gnu.org/mailman/listinfo/help-gsasl.
If you find GNU SASL useful, please consider making a donation. No amount is too small!
Note that new releases are only mentioned here if they introduce a major feature or is significant in some other way. Read the help-gsasl mailing list if you seek more frequent announcements.
- 2010-12-14: New stable release 1.6.0 with SCRAM-SHA-1(-PLUS) and GS2-KRB5 support.
- 2010-11-14: SCRAM-SHA-1-PLUS is supported in experimental 1.5.3 release.
- 2010-03-31: GS2-KRB5 is supported in the experimental 1.5.0 release.
- 2009-11-07: SCRAM-SHA-1 is now intended for stable use with the version 1.4 release.
- 2009-10-08: As of version 1.3 the library experimentally supports SCRAM-SHA-1.
- 2008-08-19: The library can be built as a native Windows Visual Studio project.
- 2008-01-12: Instructions for building GNU SASL under uClinux have been published.
- 2007-10-08: Git repository moved to Savannah, you can browse it.
- 2007-07-09: The command line, self tests, examples etc of GNU SASL are now licensed under the GPL version 3. The library remains licensed under the LGPL version 2.1.
- 2007-06-01: GNU SASL is now developed in git instead of cvs.
- 2007-04-20: Version 0.2.16, released today, will likely be the last release on the 0.2.x. branch, next we'll focus on implementing GS2.
- 2006-06-14: Newly released version 0.2.13 works well under Windows.
- 2004-11-07: A new major release, version 0.2.0, has been released.
- 2004-04-16: The license for the core library, and most common mechanisms, is being changed to LGPL. A release candidate of 0.0.15 with this change is available.
- 2004-01-01: Savannah had problems last month, and still isn't operating fully. CVS has been moved to a private machine, a read-only mirror of it will hopefully be available via Savannah in the future.
- 2003-10-11 Version 0.0.8 includes API for SASLprep/trace string preparation, improved portability, and more.
- 2003-06-02 The GSSAPI mechanism now supports GSS and Heimdal, besides MIT Kerberos.
- 2003-03-17 Debian includes libgsasl, thanks to Ryan M. Golbeck.
- 2003-02-02 The KERBEROS_V5 document is updated with examples from our library used in GNU Mailutil's imap4d server.
- 2003-01-30 Implementation of our KERBEROS_V5 mechanism proposal started, using Shishi.
- 2002-12-16 gnu.org web pages opened and development moved to savannah.
- 2002-12-13 Version 0.0.4 renames the package from "libgsasl" to GNU SASL and the license is changed to the GPL.
- 2002-12-09 Official GNU project.
- 2002-10-07 Initial release of version 0.0.0.
The releases are distributed from ftp://ftp.gnu.org/gnu/gsasl/.
All official releases are signed with an OpenPGP key with fingerprint 0xB565716F.
Unofficial Windows binaries are provided by Francis Brosnan Blazquez at Sourceforge's Vortex project.
$ git clone git://git.savannah.gnu.org/gsasl.git
The online git interface is available.
Notifications of each commit is sent to firstname.lastname@example.org.
If you have trouble using git, you may download
a daily snapshot.
The snapshots are prepared similar to regular releases, i.e., you
simply build them using
./configure && make.
Build logs from building the package, where you can also contribute a build system for your own platform, are available from the GNU SASL autobuild page.
See the file README-alpha on how to bootstrap and build the package from version controlled sources.
You need at least a shell, a C compiler and a Make tool to build GNU SASL.
GNU SASL will enable certain features if you have the following optional external libraries installed:
- Non-ASCII support (e.g., username and passwords): GNU Libidn.
- NTLM mechanism: libntlm 0.3.1 or later.
- GSSAPI mechanism: GNU GSS, MIT Kerberos, Heimdal.