archive-org.com » ORG » J » JOSEFSSON.ORG

Total: 236

  • Libtasn1
    Libtasn1 is a highly portable C library that encodes and decodes DER/BER data following an ASN.1 schema. Libtasn1 is used by Shishi and GnuTLS. Please see the Libtasn1 homepage for more information. Last

    Original URL path: http://www.josefsson.org/libtasn1.html (2016-04-30)


  • LibNTLM
    LibNTLM implements the Microsoft NTLM authentication procedure and is a re-usable library. Please see the LibNTLM homepage for more information. Last updated 2015-03-04 11:33:11

    Original URL path: http://www.josefsson.org/libntlm.html (2016-04-30)

  • OpenWRT Work
    open source GNU/Linux distribution for wireless routers and other small devices. This page collects links to some of our OpenWRT-related work. We have written three articles on OpenWRT configuration: Wireless router with HSDPA dongle; Wireless home network setup

    Original URL path: http://www.josefsson.org/openwrt.html (2016-04-30)

  • Various Stuff
    utility for DNSSEC zones; GNU Privacy Guard DNS keyserver client; DNS-based OpenPGP Keyserver for CryptNET; Gnus MUA; IMAP (RFC 2060) implementation for Emacs and Gnus; Message submission (RFC 2476) implementation for Emacs; Authenticated SMTP (RFC 2554) implementation for Emacs, including a HMAC (RFC 2104) implementation for Emacs; MD5 (RFC 1321) support for Emacs; STARTTLS SMTP (RFC 2595) support for Emacs; Implementation of format=flowed (RFC 2646) for Emacs; Sieve

    Original URL path: http://www.josefsson.org/projects.html (2016-04-30)


  • 54265e8c.txt

    Original URL path: http://www.josefsson.org/54265e8c.txt (2016-04-30)


  • 3 in Base32 RFC4648 Thus the SASL mechanism name for the Kerberos V5 GSS API mechanism would be GS2 QLJHGJLWNPL and because this mechanism supports channel binding GS2 QLJHGJLWNPL PLUS Instead the next section assigns the Kerberos V5 mechanism a non hash derived mechanism name 3 4 Grandfathered Mechanism Names Some older GSS API mechanisms were not specified with a SASL GS2 mechanism name Using a shorter name can be useful nonetheless We specify the names GS2 KRB5 and GS2 KRB5 PLUS for the Kerberos V5 mechanism to be used as if the original specification documented it see Section 15 Josefsson Williams Standards Track Page 7 RFC 5801 SASL GS2 July 2010 4 SASL Authentication Exchange Message Format During the SASL authentication exchange for GS2 a number of messages following the following format are sent between the client and server On success this number is the same as the number of context tokens that the GSS API mechanism would normally require in order to establish a security context On failures the exchange can be terminated early by any party When using a GS2 mechanism the SASL client is always a GSS API initiator and the SASL server is always a GSS API acceptor The client calls GSS Init sec context and the server calls GSS Accept sec context All the SASL authentication messages exchanged are exactly the same as the security context tokens of the GSS API mechanism except for the initial security context token The client and server MAY send GSS API error tokens tokens output by GSS Init sec context or GSS Accept sec context when the major status code is other than GSS S COMPLETE or GSS S CONTINUE NEEDED As this indicates an error condition after sending the token the sending side should fail the authentication The initial security context token is modified as follows o The initial context token header see Section 3 1 of RFC2743 MUST be removed if present If the header is not present the client MUST send a gs2 nonstd flag flag see below On the server side 
this header MUST be recomputed and restored prior to passing the token to GSS Accept sec context except when the gs2 nonstd flag is sent o A GS2 header MUST be prefixed to the resulting initial context token This header has the form gs2 header given below in ABNF RFC5234 The figure below describes the permissible attributes their use and the format of their values All attribute names are single US ASCII letters and are case sensitive Josefsson Williams Standards Track Page 8 RFC 5801 SASL GS2 July 2010 UTF8 1 safe x01 2B x2D 3C x3E 7F As UTF8 1 in RFC 3629 except NUL and UTF8 2 UTF8 3 UTF8 4 UTF8 char safe UTF8 1 safe UTF8 2 UTF8 3 UTF8 4 saslname 1 UTF8 char safe 2C 3D gs2 authzid a saslname GS2 has to transport an authzid since the GSS API has no equivalent gs2 nonstd flag F F means the mechanism is not a standard GSS API mechanism in that the RFC 2743 Section 3 1 header was missing cb name 1 ALPHA DIGIT See RFC 5056 Section 7 gs2 cb flag p cb name n y GS2 channel binding CB flag p client supports and used CB n client does not support CB y client supports CB thinks the server does not gs2 header gs2 nonstd flag gs2 cb flag gs2 authzid The GS2 header is gs2 header When the gs2 nonstd flag flag is present the client did not find remove a token header RFC2743 Section 3 1 from the initial token returned by GSS Init sec context This signals to the server that it MUST NOT re add the data that is normally removed by the client The gs2 cb flag signals the channel binding mode One of p n or y is used A p means the client supports and used a channel binding and the name of the channel binding type is indicated An n means that the client does not support channel binding A y means the client supports channel binding but believes the server does not support it so it did not use a channel binding See the next section for more details The gs2 authzid holds the SASL authorization identity It is encoded using UTF 8 RFC3629 with three exceptions o The NUL character is forbidden as 
required by section 3 4 1 of RFC4422 o The server MUST replace any comma in the string with 2C Josefsson Williams Standards Track Page 9 RFC 5801 SASL GS2 July 2010 o The server MUST replace any equals in the string with 3D Upon receipt of this value the server verifies its correctness according to the used SASL protocol profile Failed verification results in a failed authentication exchange 5 Channel Bindings GS2 supports channel binding to external secure channels such as TLS Clients and servers may or may not support channel binding therefore the use of channel binding is negotiable However GS2 does not provide security layers therefore it is imperative that GS2 provide integrity protection for the negotiation of channel binding Use of channel binding is negotiated as follows o Servers that support the use of channel binding SHOULD advertise both the non PLUS and PLUS variant of each GS2 mechanism name If the server cannot support channel binding it SHOULD advertise only the non PLUS variant If the server would never succeed in the authentication of the non PLUS variant due to policy reasons it MUST advertise only the PLUS variant o If the client supports channel binding and the server does not appear to i e the client did not see the PLUS name advertised by the server then the client MUST NOT use an n gs2 cb flag o Clients that support mechanism negotiation and channel binding MUST use a p gs2 cb flag when the server offers the PLUS variant of the desired GS2 mechanism o If the client does not support channel binding then it MUST use an n gs2 cb flag Conversely if the client requires the use of channel binding then it MUST use a p gs2 cb flag Clients that do not support mechanism negotiation never use a y gs2 cb flag they use either p or n according to whether they require and support the use of channel binding or whether they do not respectively o The client generates the chan bindings input parameter for GSS Init sec context as described below o Upon receipt 
of the initial authentication message the server checks the gs2 cb flag in the GS2 header and constructs a chan bindings parameter for GSS Accept sec context as described below If the client channel binding flag was y and the server did advertise support for channel bindings by advertising the Josefsson Williams Standards Track Page 10 RFC 5801 SASL GS2 July 2010 PLUS variant of the mechanism chosen by the client then the server MUST fail authentication If the client channel binding flag was p and the server does not support the indicated channel binding type then the server MUST fail authentication o If the client used an n gs2 cb flag and the server requires the use of channel binding then the server MUST fail authentication FLAG CLIENT CB SUPPORT SERVER CB SUPPORT DISPOSITION n no support N A If server disallows non channel bound authentication then fail y Yes not required No Authentication may succeed CB not used y Yes not required Yes Authentication must fail p Yes Yes Authentication may succeed with CB used p Yes No Authentication will fail N A Yes required No Client does not even try For more discussion of channel bindings and the syntax of the channel binding data for various security protocols see RFC5056 5 1 Content of GSS CHANNEL BINDINGS Structure The calls to GSS Init sec context and GSS Accept sec context take a chan bindings parameter The value is a GSS CHANNEL BINDINGS structure RFC5554 The initiator address type and acceptor address type fields of the GSS CHANNEL BINDINGS structure MUST be set to 0 The initiator address and acceptor address fields MUST be the empty string The application data field MUST be set to the gs2 header excluding the initial gs2 nonstd flag part concatenated with when a gs2 cb flag of p is used the application s channel binding data Josefsson Williams Standards Track Page 11 RFC 5801 SASL GS2 July 2010 5 2 Default Channel Binding A default channel binding type agreement process for all SASL application protocols that do not 
provide their own channel binding type agreement is provided as follows tls unique is the default channel binding type for any application that doesn t specify one Servers MUST implement the tls unique RFC5929 channel binding type if they implement any channel binding Clients SHOULD implement the tls unique channel binding type if they implement any channel binding Clients and servers SHOULD choose the highest layer innermost end to end TLS channel as the channel to which to bind Servers MUST choose the channel binding type indicated by the client or fail authentication if they don t support it 6 Examples Example 1 a one round trip GSS API context token exchange no channel binding optional authzid given C Request authentication exchange S Empty Challenge C n a someuser S Send reply context token as is C Empty message S Outcome of authentication exchange Example 2 a one and one half round trip GSS API context token exchange no channel binding C Request authentication exchange S Empty Challenge C n S Send reply context token as is C Send reply context token as is S Outcome of authentication exchange Josefsson Williams Standards Track Page 12 RFC 5801 SASL GS2 July 2010 Example 3 a two round trip GSS API context token exchange no channel binding no standard token header C Request authentication exchange S Empty Challenge C F n S Send reply context token as is C Send reply context token as is S Send reply context token as is C Empty message S Outcome of authentication exchange Example 4 using channel binding optional authzid given C Request authentication exchange S Empty Challenge C p tls unique a someuser S Send reply context token as is Example 5 using channel binding C Request authentication exchange S Empty Challenge C p tls unique S Send reply context token as is Example 6 using non standard channel binding requires out of band negotiation C Request authentication exchange S Empty Challenge C p tls server end point S Send reply context token as is Josefsson 
Williams Standards Track Page 13 RFC 5801 SASL GS2 July 2010 Example 7 client supports channel bindings but server does not optional authzid given C Request authentication exchange S Empty Challenge C y a someuser S Send reply context token as is GSS API authentication is always initiated by the client The SASL framework allows either the client or the server to initiate authentication In GS2 the server will send an initial empty challenge zero byte string if it has not yet received a token from the client See Section 3 of RFC4422 7 Authentication Conditions Authentication MUST NOT succeed if any one of the following conditions are true o If GSS Init Accept sec context returns anything other than GSS S CONTINUE NEEDED or GSS S COMPLETE o If the client s initial GS2 header does not match the ABNF o In particular if the initial character of the client message is anything except F p n or y o If the client s GS2 channel binding flag was y and the server supports channel bindings o If the client s GS2 channel binding flag was p and the server does not support the indicated channel binding o If the client requires use of channel binding and the server did not advertise support for channel binding o If authorization of client principal i e src name in GSS Accept sec context to requested authzid failed o If the client is not authorized to the requested authzid or an authzid could not be derived from the client s initiator principal name Josefsson Williams Standards Track Page 14 RFC 5801 SASL GS2 July 2010 8 GSS API Parameters GS2 does not use any GSS API per message tokens Therefore the per message token ret flags from GSS Init sec context and GSS Accept sec context are irrelevant implementations SHOULD NOT set the per message req flags The mutual req flag MUST be set Clients MUST check that the corresponding ret flag is set when the context is fully established else authentication MUST fail Use or non use of deleg req flag and anon req flag is an implementation specific 
detail SASL and GS2 implementors are encouraged to provide programming interfaces by which clients may choose to delegate credentials and by which servers may receive them SASL and GS2 implementors are encouraged to provide programming interfaces that provide a good mapping of GSS API naming options 9 Naming There is no requirement that any particular GSS API name types be used However typically SASL servers will have host based acceptor principal names see RFC2743 Section 4 1 and clients will typically have username initiator principal names see RFC2743 Section 4 2 When a host based acceptor principal name is used service hostname service is the service name specified in the protocol s profile and hostname is the fully qualified host name of the server 10 GSS Inquire SASLname for mech Call We specify a new GSS API utility function to allow SASL implementations to more efficiently identify the GSS API mechanism to which a particular SASL mechanism name refers Inputs o desired mech OBJECT IDENTIFIER Outputs o major status INTEGER o minor status INTEGER o sasl mech name UTF 8 STRING SASL name for this mechanism caller must release with GSS Release buffer Josefsson Williams Standards Track Page 15 RFC 5801 SASL GS2 July 2010 o mech name UTF 8 STRING name of this mechanism possibly localized caller must release with GSS Release buffer o mech description UTF 8 STRING possibly localized description of this mechanism caller must release with GSS Release buffer Return major status codes o GSS S COMPLETE indicates successful completion and that output parameters holds correct information o GSS S BAD MECH indicates that a desired mech was unsupported by the GSS API implementation o GSS S FAILURE indicates that the operation failed for reasons unspecified at the GSS API level The GSS Inquire SASLname for mech call is used to get the SASL mechanism name for a GSS API mechanism It also returns a name and description of the mechanism in user friendly form The output variable 
sasl mech name will hold the IANA registered mechanism name for the GSS API mechanism or if none is registered a mechanism name computed from the OID as described in Section 3 1 of this document 10 1 gss inquire saslname for mech The C binding for the GSS Inquire SASLname for mech call is as follows As mentioned in RFC2744 routines may return GSS S FAILURE indicating an implementation specific or mechanism specific error condition further details of which are reported via the minor status parameter Josefsson Williams Standards Track Page 16 RFC 5801 SASL GS2 July 2010 OM uint32 gss inquire saslname for mech OM uint32 minor status const gss OID desired mech gss buffer t sasl mech name gss buffer t mech name gss buffer t mech description Purpose Output the SASL mechanism name of a GSS API mechanism It also returns a name and description of the mechanism in a user friendly form Parameters minor status Integer modify Mechanism specific status code desired mech OID read Identifies the GSS API mechanism to query sasl mech name buffer character string modify optional Buffer to receive SASL mechanism name The application must free storage associated with this name after use with a call to gss release buffer mech name buffer character string modify optional Buffer to receive human readable mechanism name The application must free storage associated with this name after use with a call to gss release buffer mech description buffer character string modify optional Buffer to receive description of mechanism The application must free storage associated with this name after use with a call to gss release buffer Function value GSS status code GSS S COMPLETE Successful completion GSS S BAD MECH The desired mech OID is unsupported Josefsson Williams Standards Track Page 17 RFC 5801 SASL GS2 July 2010 11 GSS Inquire mech for SASLname Call To allow SASL clients to more efficiently identify to which GSS API mechanism a particular SASL mechanism name refers we specify a new GSS API 
utility function for this purpose Inputs o sasl mech name UTF 8 STRING SASL name of mechanism Outputs o major status INTEGER o minor status INTEGER o mech type OBJECT IDENTIFIER must be explicit mechanism and not default specifier Caller should treat as read only and should not attempt to release Return major status codes o GSS S COMPLETE indicates successful completion and that output parameters holds correct information o GSS S BAD MECH indicates that no supported GSS API mechanism had the indicated sasl mech name o GSS S FAILURE indicates that the operation failed for reasons unspecified at the GSS API level The GSS Inquire mech for SASLname call is used to get the GSS API mechanism OID associated with a SASL mechanism name Josefsson Williams Standards Track Page 18 RFC 5801 SASL GS2 July 2010 11 1 gss inquire mech for saslname The C binding for the GSS Inquire mech for SASLname call is as follows As mentioned in RFC2744 routines may return GSS S FAILURE indicating an implementation specific or mechanism specific error condition further details of which are reported via the minor status parameter OM uint32 gss

    Original URL path: http://www.josefsson.org/sasl-gs2/rfc5801.txt (2016-04-30)

  • Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family
    diff between 05 and 06; diff between 04 and 05; diff between 03 and 04; diff between 02 and 03; diff between 01 and 02; diff between 00 and 01. Implementations: If you know of projects that implement SASL GS2 that you think should be mentioned here, please let me know. GNU SASL: Supported since version 1.3, released on 2009-10-08. GNU Generic Security Services: Plans to support it as a native mechanism, based on GNU SASL code base. History: 2010-07-13: Final RFC 5801 published. Hooray. 2010-01-11: Published 20 WG document to use a new table, should be ready for publication now. 2010-01-08: Published 19 WG document to address GenArt, SecDir and IESG tracker comments. 2009-11-18: IETF-wide last call ends. 2009-11-09: Published 18 WG document. Minor fixes. 2009-10-26: The document is in 4 week IETF-wide last call, you can track IESG discussions. 2009-09-09: Published 17 WG document. Minor fixes. 2009-05-26: Published 13 WG document. Minor fixes. 2009-04-18: Published 12 WG document. Minor fixes. 2009-03-23: Published 11 WG document. New protocol based on SCRAM discussions. 2008-07-13: Published 10 WG document. Refresh expired document. 2007-10-09: Published 09 WG document. Answered AD review comments. 2007-02-06: Published 08 WG document. Fixes WGLC comments. 2007-02-06: Published 07 WG document. Minor editorial fixes before WGLC. 2007-02-06: Published 06 WG document. Minor editorial fixes. 2007-01-09: Published 05 WG document. Adds support for non-integrity capable GSS-API mechanisms. 2006-12-07: Published 04 WG document. Incorporates various suggestions and improvements since 03. 2006-11-07: Wrote presentation for IETF 67 as PDF. 2006-10-23: Published 03 WG document. Solves most

    Original URL path: http://www.josefsson.org/sasl-gs2/ (2016-04-30)


  • that is required by the client If the second 4 octet value is a supported extension the KDC MUST respond by sending a 4 octet zero value i e 0x00000000 The KDC MAY directly send additional data after the zero value as specified by the particular negotiated extension The client and KDC SHOULD wait for the other side to respond according to this protocol and the client and KDC SHOULD NOT close the connection prematurely Resource availability considerations may influence whether and for how long the client and KDC will wait for the other side to respond to a request The KDC MUST NOT support the extension mechanism if it does not support any extensions If no extensions are supported the KDC MUST return a KRB ERROR message with the error KRB ERR FIELD TOOLONG and MUST close the TCP stream similar to what an implementation that does not understand this extension mechanism would do The behaviour when more than one non high bit is set depends on the particular extension mechanisms If a requested extension bit X does not specify how it interacts with another requested extension bit Y the KDC MUST treat the request as a PROBE or unsupported extension and proceed as above Each extension MUST describe the structure of protocol data beyond the length field and the behaviour of the client and KDC In particular the structure may be a protocol with its own message framing If an extension mechanism reserves multiple bits it MUST describe how they interact 4 Interoperability Consideration Implementations with support for TCP that do not claim to conform to RFC 4120 may not handle the high bit correctly The KDC behaviour may include closing the TCP connection without any response and logging an error message in the KDC log When this was written this problem existed in modern versions of popular KDC implementations Implementations experiencing trouble getting the expected responses from a KDC might assume that the KDC does not support this extension mechanism A client might 
remember this semi permanently to avoid Josefsson Standards Track Page 3 RFC 5021 Kerberos V5 TCP Extension August 2007 triggering the same problematic behaviour on the KDC every time Care should be taken to avoid unexpected behaviour for the user when the KDC is eventually upgraded Implementations might also provide a way to enable and disable this extension on a per realm basis How to handle these backwards compatibility quirks are in general left unspecified 5 Security Considerations Because the initial length field is not protected it is possible for an active attacker i e one that is able to modify traffic between the client and the KDC to make it appear to the client that the server does not support this extension mechanism a downgrade attack Further active attackers can also interfere with the negotiation of which extensions are supported which may also result in a downgrade attack This problem can be solved by having a policy in the clients and in the

    Original URL path: http://www.josefsson.org/krb5starttls/rfc5021.txt (2016-04-30)


