module Netmech_scram:SCRAM mechanism for authentication (RFC 5802)sig..end
    As we do not implement SASLprep, usernames and passwords are restricted
    to US-ASCII.
typeptype =[ `GSSAPI ]
`GSSAPI is supportedtypemechanism =[ `SHA_1 ]
type |    | ptype :  | |||
|    | mechanism :  | (* | Which mechanism | *) | 
|    | return_unknown_user :  | (* | Whether servers exhibit the fact that the user is unknown | *) | 
|    | iteration_count_limit :  | (* | Largest supported iteration number | *) | 
typeserver_error =[ `Channel_binding_not_supported
| `Channel_bindings_dont_match
| `Extension of string
| `Extensions_not_supported
| `Invalid_encoding
| `Invalid_proof
| `Invalid_username_encoding
| `No_resources
| `Other_error
| `Server_does_support_channel_binding
| `Unknown_user
| `Unsupported_channel_binding_type ]
type 
type 
exception Invalid_encoding of string * string
exception Invalid_username_encoding of string * string
Invalid_encoding.exception Extensions_not_supported of string * string
Invalid_encoding.exception Protocol_error of string
exception Invalid_server_signature
exception Server_error of server_error
val profile : ?return_unknown_user:bool ->
       ?iteration_count_limit:int -> ptype -> profileval string_of_server_error : server_error -> stringval server_error_of_string : string -> server_errors first. The functions
    client_emit_flag and client_recv_flag indicate now whether
    the client needs to emit a new message, or whether it needs to
    receive a message, respectively. Emission is done by client_emit_message,
    reception by client_recv_message. If everything goes well, the
    protocol state advances, and finally client_finish_flag is true.
    This indicates that the client is authenticated and that the server
    knows the client's password. If an error occurs, an exception is
    raised (see above for possibilities), and client_error_flag signals
    true.val create_client_session : profile -> string -> string -> client_sessioncreate_client_session p username password: Creates a new client
      session for profile p so that the client authenticates as user
      username, and proves its identify with the given password.val client_configure_channel_binding : client_session -> string -> unitc parameter (before encoding it via Base64. The function
      needs to be called before sending the second message to the server.
      It fails if called too late.val client_emit_flag : client_session -> boolclient_emit_message can now be calledval client_recv_flag : client_session -> boolclient_recv_message can now be calledval client_finish_flag : client_session -> boolval client_error_flag : client_session -> boolval client_channel_binding : client_session -> stringval client_emit_message : client_session -> stringval client_recv_message : client_session -> string -> unitval client_protocol_key : client_session -> string optionval client_user_name : client_session -> stringval client_export : client_session -> stringval client_import : string -> client_sessionclient_finish_flag is true).
      The export format is just a marshalled Ocaml value.
s first. The functions
    server_emit_flag and server_recv_flag indicate now whether
    the server needs to emit a new message, or whether it needs to
    receive a message, respectively. Emission is done by server_emit_message,
    reception by server_recv_message. If everything goes well, the
    protocol state advances, and finally server_finish_flag is true.
    This indicates that the client could be authenticated.
    If an error occurs, no exception is raised, and the protocol
    advances nevertheless, and finally the server sends an error token
    to the client. After this, server_error_flag returns true.
val create_server_session : profile ->
       (string -> string * string * int) -> server_sessioncreate_server_session p auth: Creates a new server session with
      profile p and authenticator function auth.
      The function is auth is called when the credentials of the
      client have been received to check whether the client can be
      authenticated. It is called as
      let (salted_password, salt, iteration_count) = auth username
      
      where username is the user name. The function can now raise
      Not_found if the user is unknown, or it can return the
      shown triple. Note that the cleartext password needs not to
      be known. salt is a random string, and iteration_count a
      security parameter that should be at least 4096. Whereas salt
      should be different for each user, the iteration_count can be
      chosen as a constant (e.g. 4096). Now salted_password can be
      computed from the cleartext password and these two extra parameters.
      See salt_password below.
val create_salt : unit -> stringval salt_password : string -> string -> int -> stringlet salted_password = salt_password password salt iteration_count
      As we do not implement SASLprep only passwords consisting of
      US-ASCII characters are accepted (Invalid_encoding otherwise).
val server_emit_flag : server_session -> boolserver_emit_message can now be calledval server_recv_flag : server_session -> boolserver_recv_message can now be calledval server_finish_flag : server_session -> boolval server_error_flag : server_session -> boolval server_emit_message : server_session -> stringval server_recv_message : server_session -> string -> unitval server_protocol_key : server_session -> string optionval server_channel_binding : server_session -> string optionval server_user_name : server_session -> string optionval server_export : server_session -> stringval server_import : string -> server_sessionserver_finish_flag is true).
      The export format is just a marshalled Ocaml value.
type |    | kc :  | 
|    | ke :  | 
|    | ki :  | 
module AES_CTS:sig..end
module Cryptosystem:sig..end
module Debug:sig..end
