(* $Id: netmech_scram_gssapi.mli 1546 2011-02-12 17:24:41Z gerd $ *)
(** The SCRAM security mechanism for GSS-API *)
(** The OID of SCRAM *)
(** A [client_key_ring] identifies the user on the client side *)
class type client_key_ring =
method password_of_user_name : string -> string
(** Returns the cleartext password for a user name, or
raises [Not_found] if the user is unknown
method default_user_name : string option
(** This method may return a default user name *)
(** A [server_key_verifier] verifies on the server side that the users
exist and have the right authentication credentials
class type server_key_verifier =
method scram_credentials : string -> string * string * int
(** Returns the triple
{[ (salted_password, salt, iteration_count) ]}
for a user, or raises [Not_found]. See
{!Netmech_scram.create_server_session} for the meaning of this
?client_key_ring:client_key_ring ->
?server_key_verifier:server_key_verifier ->
Netmech_scram.profile ->
(** Returns a standard-compliant GSS-API object for the passed SCRAM
profile. The object can be used on the client side for all
users whose passwords are available via [client_key_ring].
By default, the key ring is empty. On the server side, the object
authenticates all users whose credentials are available via
[server_key_verifier]. By default, no user can be verified.
SCRAM only allows usernames of type [NT_USER_NAME] for identifying
For principals (servers), this SCRAM implementation allows identifiers
of type [NT_HOSTBASED_SERVICE] and [NT_USER_NAME]. Any such name
can be used, because the SCRAM protocol does not use principal
names. The contexts will always return the hostbased service "@" as the
name of the principals.
This implementation checks whether the messages are verified and
unwrapped in the same order as generated, and reports this via the
[`Unseq_token] and [`Gap_token] flags. Support for true replay
detection ([`Duplicate_token]) is not implemented, though.
Replayed tokens are thus only reported as [`Unseq_token], not as [`Duplicate_token].