Tcl Library Source Code

Bounty program for improvements to Tcl and certain Tcl packages.

[ Main Table Of Contents | Table Of Contents | Keyword Index | Categories | Modules | Applications ]


SASL - Implementation of SASL mechanisms for Tcl

Table Of Contents


package require Tcl 8.2
package require SASL ?1.3.3?

::SASL::new option value ?...?
::SASL::configure option value ?...?
::SASL::step context challenge ?...?
::SASL::response context
::SASL::reset context
::SASL::cleanup context
::SASL::mechanisms ?type? ?minimum?
::SASL::register mechanism preference clientproc ?serverproc?


The Simple Authentication and Security Layer (SASL) is a framework for providing authentication and authorization to comunications protocols. The SASL framework is structured to permit negotiation among a number of authentication mechanisms. SASL may be used in SMTP, IMAP and HTTP authentication. It is also in use in XMPP, LDAP and BEEP. See MECHANISMS for the set of available SASL mechanisms provided with tcllib.

The SASL framework operates using a simple multi-step challenge response mechanism. All the mechanisms work the same way although the number of steps may vary. In this implementation a callback procedure must be provided from which the SASL framework will obtain users details. See CALLBACK PROCEDURE for details of this procedure.




When the SASL framework requires any user details it will call the procedure provided when the context was created with an argument that specfies the item of information required.

In all cases a single response string should be returned.



See the examples subdirectory for more complete samples using SASL with network protocols. The following should give an idea how the SASL commands are to be used. In reality this should be event driven. Each time the step command is called, the last server response should be provided as the command argument so that the SASL mechanism can take appropriate action.

proc ClientCallback {context command args} {
    switch -exact -- $command {
        login    { return "" }
        username { return $::tcl_platform(user) }
        password { return "SecRet" }
        realm    { return "" }
        hostname { return [info host] }
        default  { return -code error unxpected }

proc Demo {{mech PLAIN}} {
    set ctx [SASL::new -mechanism $mech -callback ClientCallback]
    set challenge ""
    while {1} {
        set more_steps [SASL::step $ctx challenge]
        puts "Send '[SASL::response $ctx]'"
        puts "Read server response into challenge var"
        if {!$more_steps} {break}
    SASL::cleanup $ctx


  1. Myers, J. "Simple Authentication and Security Layer (SASL)", RFC 2222, October 1997. (

  2. Newman, C. "Anonymous SASL Mechanism", RFC 2245, November 1997. (

  3. Leach, P., Newman, C. "Using Digest Authentication as a SASL Mechanism", RFC 2831, May 2000, (

  4. Klensin, J., Catoe, R. and Krumviede, P., "IMAP/POP AUTHorize Extension for Simple Challenge/Response" RFC 2195, September 1997. (

  5. No official specification is available. However, provides a good description.

  6. Haller, N. et al., "A One-Time Password System", RFC 2289, February 1998, (

  7. Newman, C. et al., "Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, July 2010, (


Pat Thoyts

Bugs, Ideas, Feedback

This document, and the package it describes, will undoubtedly contain bugs and other problems. Please report such in the category sasl of the Tcllib Trackers. Please also report any ideas for enhancements you may have for either package and/or documentation.

When proposing code changes, please provide unified diffs, i.e the output of diff -u.

Note further that attachments are strongly preferred over inlined patches. Attachments can be made by going to the Edit form of the ticket immediately after its creation, and then using the left-most button in the secondary navigation bar.


SASL, authentication




Copyright © 2005-2006, Pat Thoyts