Documentation
¶
Overview ¶
Package SASL implements Simple Authentication and Security Layer, RFC 4422.
Index ¶
- type Client
- func NewClientCRAMMD5(username, password string) Client
- func NewClientLogin(username, password string) Client
- func NewClientPlain(username, password string) Client
- func NewClientSCRAMSHA1(username, password string, noServerPlus bool) Client
- func NewClientSCRAMSHA1PLUS(username, password string, cs tls.ConnectionState) Client
- func NewClientSCRAMSHA256(username, password string, noServerPlus bool) Client
- func NewClientSCRAMSHA256PLUS(username, password string, cs tls.ConnectionState) Client
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Client ¶
type Client interface {
// Name as used in SMTP or IMAP authentication, e.g. PLAIN, CRAM-MD5,
// SCRAM-SHA-256. cleartextCredentials indicates if credentials are exchanged in
// clear text, which can be used to decide if the exchange is logged.
Info() (name string, cleartextCredentials bool)
// Next must be called for each step of the SASL transaction. The first call has a
// nil fromServer and serves to get a possible "initial response" from the client
// to the server. When last is true, the message from client to server is the last
// one, and the server must send a verdict. If err is set, the transaction must be
// aborted.
//
// For the first toServer ("initial response"), a nil toServer indicates there is
// no data, which is different from a non-nil zero-length toServer.
Next(fromServer []byte) (toServer []byte, last bool, err error)
}
Client is a SASL client.
A SASL client can be used for authentication in IMAP, SMTP and other protocols. A client and server exchange messages in step lock. In IMAP and SMTP, these messages are encoded with base64. Each SASL mechanism has predefined steps, but the transaction can be aborted by either side at any time. An IMAP or SMTP client must choose a SASL mechanism, instantiate a SASL client, and call Next with a nil parameter. The resulting data must be written to the server, properly encoded. The client must then read the response from the server and feed it to the SASL client, which will return more data to send, or an error.
func NewClientCRAMMD5 ¶
NewClientCRAMMD5 returns a client for SASL CRAM-MD5 authentication.
CRAM-MD5 is specified in RFC 2195, IMAP/POP AUTHorize Extension for Simple Challenge/Response.
func NewClientLogin ¶ added in v0.0.8
NewClientLogin returns a client for the obsolete SASL LOGIN authentication.
See https://datatracker.ietf.org/doc/html/draft-murchison-sasl-login-00
func NewClientPlain ¶
NewClientPlain returns a client for SASL PLAIN authentication.
PLAIN is specified in RFC 4616, The PLAIN Simple Authentication and Security Layer (SASL) Mechanism.
func NewClientSCRAMSHA1 ¶
NewClientSCRAMSHA1 returns a client for SASL SCRAM-SHA-1 authentication.
Clients should prefer using the PLUS-variant with TLS channel binding, if supported by a server. If noServerPlus is set, this mechanism was chosen because the PLUS-variant was not supported by the server. If the server actually does implement the PLUS variant, this can indicate a MitM attempt, which is detected by the server and causes the authentication attempt to be aborted.
SCRAM-SHA-1 is specified in RFC 5802, "Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms".
func NewClientSCRAMSHA1PLUS ¶ added in v0.0.9
func NewClientSCRAMSHA1PLUS(username, password string, cs tls.ConnectionState) Client
NewClientSCRAMSHA1PLUS returns a client for SASL SCRAM-SHA-1-PLUS authentication.
The PLUS-variant binds the authentication exchange to the TLS connection, detecting any MitM attempt.
SCRAM-SHA-1-PLUS is specified in RFC 5802, "Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms".
func NewClientSCRAMSHA256 ¶
NewClientSCRAMSHA256 returns a client for SASL SCRAM-SHA-256 authentication.
Clients should prefer using the PLUS-variant with TLS channel binding, if supported by a server. If noServerPlus is set, this mechanism was chosen because the PLUS-variant was not supported by the server. If the server actually does implement the PLUS variant, this can indicate a MitM attempt, which is detected by the server and causes the authentication attempt to be aborted.
SCRAM-SHA-256 is specified in RFC 7677, "SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms".
func NewClientSCRAMSHA256PLUS ¶ added in v0.0.9
func NewClientSCRAMSHA256PLUS(username, password string, cs tls.ConnectionState) Client
NewClientSCRAMSHA256PLUS returns a client for SASL SCRAM-SHA-256-PLUS authentication.
The PLUS-variant binds the authentication exchange to the TLS connection, detecting any MitM attempt.
SCRAM-SHA-256-PLUS is specified in RFC 7677, "SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms".
Source Files