NAME
Authen::SASL - SASL Authentication framework
VERSION
version 2.2000
SYNOPSIS
use Authen::SASL;
$sasl = Authen::SASL->new(
mechanism => 'CRAM-MD5 PLAIN ANONYMOUS',
callback => {
pass => \&fetch_password,
user => $user,
}
);DESCRIPTION
SASL is a generic mechanism for authentication used by several network protocols. Authen::SASL provides an implementation framework that all protocols should be able to share.
The framework allows different implementations of the connection class to be plugged in. At the time of writing there were two such plugins.
- Authen::SASL::Perl
-
This module implements several mechanisms and is implemented entirely in Perl.
- Authen::SASL::XS
-
This module uses the Cyrus SASL C-library (both version 1 and 2 are supported).
- Authen::SASL::Cyrus
-
This module is the predecessor to Authen::SASL::XS.
Until version 2.16, Authen::SASL::Cyrus was loaded as an alternative to Authen::SASL::XS.
By default Authen::SASL tries to load Authen::SASL::XS first, followed by Authen::SASL::Perl on failure. If you want to change the order or want to specifically use one implementation only simply do
use Authen::SASL qw(Perl);or if you have another plugin module that supports the Authen::SASL API
use Authen::SASL qw(My::SASL::Plugin);CONTRUCTOR
- new ( OPTIONS )
-
The constructor may be called with or without arguments. Passing arguments is just a short cut to calling the
mechanismandcallbackmethods.- callback => { NAME => VALUE, NAME => VALUE, ... }
-
Set the callbacks. See the callback method for details.
- mechanism => NAMES
- mech => NAMES
-
Set the list of mechanisms to choose from. See the mechanism method for details.
- debug => VALUE
-
Set the debug level bit-value to
VALUEDebug output will be sent to
STDERR. The bits of this value are:1 Show debug messages in the Perl modules for the mechanisms. (Currently only used in GSSAPI) 4 With security layers in place show information on packages read. 8 With security layers in place show information on packages written.The default value is 0.
METHODS
- mechanism ( )
-
Returns the current list of mechanisms
- mechanism ( NAMES )
-
Set the list of mechanisms to choose from.
NAMESshould be a space separated string of the names. - callback ( NAME )
-
Returns the current callback associated with
NAME. - callback ( NAME => VALUE, NAME => VALUE, ... )
-
Sets the given callbacks to the given values
- client_new ( SERVICE, HOST, SECURITY )
-
Creates and returns a new connection object for a client-side connection.
- server_new ( SERVICE, HOST, OPTIONS )
-
Creates and returns a new connection object for a server-side connection.
- error ( )
-
Returns any error from the last connection
The Connection Class
The connection class matches the capabilities of the client with those of the server; eg., for a client:
my $sasl->mechanisms( $mechlist );
my $conn = $sasl->client_new( 'smtp', 'smtp.examlpe.com', 'noplaintext noanonymous' );
my $challenge = $conn->client_start
or die "Authentication failure:" . $conn->error;
# optionally set connection properties
while ($conn->need_step) {
$sock->send( $challenge )
or die "I/O error: $!";
my $response = $sock->read()
or die "I/O error: $!";
$challenge = $conn->client_step( $response );
die $conn->error if $conn->error;
}
if (not $conn->success()) {
die "Authentication failed";
}- server_start ( CHALLENGE )
-
server_start begins the authentication using the chosen mechanism. If the mechanism is not supported by the installed SASL it fails. Because for some mechanisms the client has to start the negotiation, you can give the client challenge as a parameter.
- server_step ( CHALLENGE )
-
server_step performs the next step in the negotiation process. The first parameter you give is the clients challenge/response.
- client_start ( )
-
The initial step to be performed. Returns the initial value to pass to the server or an empty list on error.
- client_step ( CHALLENGE )
-
This method is called when a response from the server requires it. CHALLENGE is the value from the server. Returns the next value to pass to the server or an empty list on error.
- need_step ( )
-
Returns true if the selected mechanism requires another step before completion (error or success).
- answer ( NAME )
-
The method will return the value returned from the last call to the callback NAME
- property ( NAME )
-
Returns the property value associated with
NAME. - property ( NAME => VALUE, NAME => VALUE, ... )
-
Sets the named properties to their associated values.
- service ( )
-
Returns the service argument that was passed to *_new-methods.
- host ( )
-
Returns the host argument that was passed to *_new-methods.
- mechanism ( )
-
Returns the name of the chosen mechanism.
- is_success ( )
-
Once need_step() returns false, then you can check if the authentication succeeded by calling this method which returns a boolean value.
Callbacks
There are three different ways in which a callback may be passed
- CODEREF
-
If the value passed is a code reference then, when needed, it will be called and the connection object will be passed as the first argument. In addition some callbacks may be passed additional arguments.
- ARRAYREF
-
If the value passed is an array reference, the first element in the array must be a code reference. When the callback is called the code reference will be called with the connection object passed as the first argument and all other values from the array passed after.
- SCALAR
-
All other values passed will be used directly. ie it is the same as passing an code reference that, when called, returns the value.
The Security Layer
In addition to negotiating authentication, SASL is also capable of negotiating a security layer: encryption for connections that do not use eg. TLS for encryption. This is supported by the DIGEST-MD5 and GSSAPI mechanisms, of which only GSSAPI isn't deprecated.
# optionally set connection parameters
$conn->property( minssf => 56 );
$conn->property( maxssf => 0xFFFF );
$conn->property( maxbuf => 0x10000 );
# in case of TLS:
$conn->property( externalssf => $tls_key_strength_in_bits );When authentication completes, the ssf property indicates whether a security layer has been negotiated or not:
my $with_sec_layer = defined $conn->property( 'ssf' )
and $conn->property( 'ssf' ) > 0;- encode
-
my $len = length( $payload ); my $idx = 0; my $bufsize = $conn->property( 'maxbuf' ); while ($len > 0) { my $encrypted = $conn->encode( substr( $payload, $idx, $bufsize ), $len ); my $output = pack('N', length($encrypted)) . $encrypted; $fh->write( $output, length( $output ) ); $idx += $bufsize; $len -= $bufsize; }Encodes
$payload. The maximum size of the data being encoded should be taken from$conn->property( 'maxbuf' ). Payloads longer thanmaxbufneed to be split across multiple encoded blocks. - decode
-
my $buf = ''; $fh->read( $buf, 4 ); my $encrypted = ''; my $len = unpack('N', $buf ); $fh->read( $encrypted, $len ); my $payload = $conn->decode( $encrypted, $len );Decodes
$encrypted. The encrypted block is preseded by a 4-byte unsigned integer in network byte order ('N'). A block of that many bytes must be read from the stream and fed to thedecodefunction. - securesocket
-
my $sec_sock_handle = $conn->securesocket( $sock );Wraps the
$sockhandle creating a file handle which encrypts written data and decrypts data being read. Wrapping a non-blocking file handle will fail to work correctly.
SEE ALSO
Authen::SASL::Perl, Authen::SASL::XS, Authen::SASL::Cyrus, Authen::SASL::SCRAM, Authen::SASL::Perl::NTLM
MAINTAINER
Erik Huelsmann <ehuels@gmail.com>
AUTHOR
Graham Barr <gbarr@pobox.com>
BUGS
Please report any bugs, or any suggestions, in the GitHub project at https://github.com/perl-authen-sasl/perl-authen-sasl/issues.
COPYRIGHT
Copyright (c) 2023-2025 Erik Huelsmann
Copyright (c) 1998-2005 Graham Barr.All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.