X-Git-Url: https://diplodocus.org/git/nmh/blobdiff_plain/c2655c2b98253e03c42eeeee1e5c60fe7107c5a4..94187a80bd60baab4b9c4b949ad820d730578123:/h/netsec.h
diff --git a/h/netsec.h b/h/netsec.h
index b115ed7c..3e7975b4 100644
--- a/h/netsec.h
+++ b/h/netsec.h
@@ -285,10 +285,12 @@ enum sasl_message_type {
 * this point SASL exchange should have completed
 * and we should get a message back from the server
 * telling us whether or not authentication is
- * successful. All buffer parameters are NULL.
+ * successful; the plugin should return OK/NOTOK
+ * to indicate whether or not the authentication
+ * was successful. All buffer parameters are NULL.
 * NETSEC_SASL_CANCEL - Generate a protocol message that cancels the
- * SASL protocol exchange; outdata/outdatasize
- * should contain this message.
+ * SASL protocol exchange; the plugin should
+ * send this message. All buffer parameters are NULL.
 *
 * The callback should return OK on success, NOTOK on failure. Depending
 * at the point of the authentication exchange, the callback may be asked
@@ -358,6 +360,24 @@ int netsec_negotiate_sasl(netsec_context *ns_context, const char *mechlist,
 char *netsec_get_sasl_mechanism(netsec_context *ns_context) PURE;
+/*
+ * Returns the SASL strength security factor (SSF) for the negotiated
+ * authentication mechanism.
+ *
+ * The exact meaning of the SSF depends on the mechanism chosen, but in
+ * general:
+ *
+ * 0 - No encryption or integrity protection via SASL.
+ * 1 - Integrity protection only.
+ * >1 - Encryption
+ *
+ * The SSF is distinct from any encryption that is negotiated by TLS;
+ * if TLS is negotiated then the netsec SASL code will automatically disable
+ * any attempt to negotiate a security layer and thus the SSF will be 0.
+ */
+
+int netsec_get_sasl_ssf(netsec_context *ns_context) PURE;
+
 /*
 * Set the OAuth service name used to retrieve the OAuth parameters from
 * user's profile. Just calling this function is not enough to guarantee
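Review bot: The revised NETSEC_SASL_FINISH entry makes the callback's return value carry the authentication verdict, but the unchanged sentence below it still says only "OK on success, NOTOK on failure", so a plugin author cannot tell whether NOTOK at FINISH covers a server rejection, a transport error, or both. Callers presumably proceed on OK, so I would state the fail-closed rule in the comment, for example `* At FINISH, return OK only on an explicit success reply from the server.` The NETSEC_SASL_CANCEL entry also moves responsibility for sending the cancel message into the plugin. A plugin written against the old text that still fills outdata/outdatasize would, as far as this hunk shows, send nothing, so it is worth saying that those parameters are no longer read. The comment block starts and ends outside the hunk.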
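Review bot: The new comment on netsec_get_sasl_ssf() does not say what is returned when no SASL mechanism has been negotiated yet or SASL support is not available, and a caller that uses the SSF to decide whether the channel is protected needs that case spelled out. I would add a line such as `* Returns 0 if SASL has not been negotiated.`, adjusted to what the implementation actually does, which is not visible in this hunk. Because the SSF is forced to 0 whenever TLS is active, the comment could also state outright that a zero SSF alone must not be read as an unprotected connection. Minor wording: SSF is normally expanded as "security strength factor".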