Written by hannes
Published: 2016-08-24 (last updated: 2018-02-15)

SASL is used widely for authentication of users - we need it for MirageOS. Its purpose is to authenticate a user with their credentials (password, certificate, ..). SASL is protocol-agnostic and used in a variety of Internet protocols (POP3, IMAP, XMPP, SMTP, ...), always with a slightly different wire encodings.

SASL is also agnostic about its authentication mechanism, ranging from MD5 digests, CRAM/SCRAM hashing, external (used with X.509 client certificates over a TLS connection).

The SASL library itself should be agnostic over the wire encoding and over the mechanism, but implement a solid base of each. At the moment there is the ocaml-gsasl library, which is an interface to the GNU SASL library (written in C). The erm-xmpp contains some ad-hoc SASL client code (here.

SASL nowadays also deals with Unicode in usernames and passwords by using the PRECIS framework (earlier SASLprep etc.). I started an implementation of the PRECIS framework in OCaml using the available Unicode libaries, which will soon be published.

The SASL library should be lightweight (effect-free, minimal dependencies) developed purely in OCaml with a reasonably sized test suite, and fuzz-based testing. An initial prototype can be integrated into existing libaries that use SASL.

If you're interested in starting this project, please drop a mail to or mail hannes directly.