v0.11.2

What's Changed

• Fix CredSSP acceptor with LibreSSL by @jborean93 in #92
• Bump dev deps and add 3.13 support by @jborean93 in #93
• Update integration tests for 3.13 by @jborean93 in #94

0.11.2 - 2024-11-12

• Fix up CredSSP acceptor when running with a LibreSSL based Python install (OpenBSD)
• Added official support for Python 3.13

Full Changelog: v0.11.1...v0.11.2

v0.11.1

What's Changed

• Fix deprecation warning for Cryptography 44.0.0 or newer by @hamarituc in #87

0.11.1 - 2024-07-24

• Import ARC4 cipher from the new decrepits module sub-package, this removes the warning issued in newer versions of the cryptography library

New Contributors

• @hamarituc made their first contribution in #87

Full Changelog: v0.11.0...v0.11.1

v0.11.0

What's Changed

• Add support for gMSA/machine passwords by @jborean93 in #77
• Move away from dep datetime call by @jborean93 in #79
• Update CI action versions by @jborean93 in #80
• Bump dev dependencies by @jborean93 in #82
• Fix handling of empty passwords by @psfrolov in #73
• Update CI matrix and dev deps by @jborean93 in #83
• Tidy up NTLM error messages and update changelog by @jborean93 in #84
• Prepare for v0.11.0 release by @jborean93 in #85

0.11.0 - 2024-06-12

• Support input password string encoded with the surrogatepass error option
  • This allows the caller to provide a password for a gMSA or machine account that could contain invalid surrogate pairs for both NTLM and Kerberos auth.
• Stop using deprecated datetime.dateime.utcnow() for CredSSP acceptor context
• Treat an empty string as a valid password, None is kept as use the cached credential
• Improve the exception shown when no password was provided and no cached credential was available

New Contributors

• @psfrolov made their first contribution in #73

Full Changelog: v0.10.2...v0.11.0

v0.10.2

What's Changed

• Rename sspic to sspilib by @jborean93 in #72

Full Changelog: v0.10.1...v0.10.2

v0.10.1

What's Changed

• Rename sspi dep to sspic by @jborean93 in #70

Full Changelog: v0.10.0...v0.10.1

v0.10.0

What's Changed

• Migrate SSPI to external library by @jborean93 in #69

0.10.0 - 2023-09-27

• Drop support for Python 3.7 - new minimum is 3.8+
• Moved SSPI bindings out into a separate package called sspi
  • This simplifies this project as it doesn't have to worry about SSPI correctness
  • The sspi package improves performance and memory allocation with a more robust API
  • Fixes an issue with Cython 3 allowing it to align with more modern versions going forward

Full Changelog: v0.9.2...v0.10.0

v0.9.2

What's Changed

• Added Python 3.12 win wheels and test in CI by @jborean93 in #67

0.9.2 - 2023-08-29

• Added Python 3.12 wheel for Windows

Full Changelog: v0.9.1...v0.9.2

v0.9.1

What's Changed

• Set NTLM Negotiate Version field by @jborean93 in #65

0.9.1 - 2023-06-14

• Always set the NTLMSSP_REQUEST_VERSION flag on the NTLM Negotiate message
  • This aligns the behaviour with how SSPI generates this message

Full Changelog: v0.9.0...v0.9.1

v0.9.0

What's Changed

• Fix up try/import checks by @jborean93 in #62
• Add support for DCE style authentication. by @jborean93 in #63
• Prepare for v0.9.0 release by @jborean93 in #64

0.9.0 - 2023-04-29

• Added the spnego.ContextReq.dce_style flag to enable DCE authentication mode
  • This is used in protocols like RPC/DCE
• The value for spnego.iov.BufferType.sign_only on SSPI has changed from representing SECBUFFER_MECHLIST to SECBUFFER_READONLY_WITH_CHECKSUM
  • This is to better match what sign_only means when using it with GSSAPI
  • It is needed to support RPC encryption and signature headers on SSPI
  • The use of SECBUFFER_MECHLIST is not seen in any examples in the wild and is most likely an internal flag
• Added the IOV buffer type spnego.iov.BufferType.data_readonly
  • For SSPI this corresponds to SECBUFFER_DATA | SECBUFFER_READONLY
  • For GSSAPI this corresponds to GSS_IOV_BUFFER_TYPE_EMPTY
  • As GSSAPI has no actual equivalent to this the empty buffer type is used which in testing results in compatible buffers
  • This is used for DCE/RPC wrapping when the PDU header and sec trailer are not signed but are included in the wrap_iov buffers.
• Added limited support for wrap_iov and unwrap_iov in the Python NTLM context provider.
  • This currently only supports spnego.iov.BufferType.header, spnego.iov.BufferType.data, spnego.iov.BufferType.sign_only, spnego.iov.BufferType.data_readonly, and spnego.iov.BufferType.stream
  • header
    • wrap_iov: Used to place the resulting signature in the buffer
    • unwrap_iov: Used as the signature source for validation
  • data
    • wrap_iov: Data to be encrypted/sealed
    • unwrap_iov: Data to be decrypted/unsealed
  • sign_only
    • wrap_iov: Data to be included in the signature/header generation
    • unwrap_iov: Data to be included in the signature/header verification
  • data_readonly is treated the same as sign_only
  • stream
    • wrap_iov: Not supported
    • unwrap_iov: Contains the full value to decrypt with the headers in the beginning, must be coupled with a subsequent data buffer of the type data to place the decrypted value into
  • The behaviour used here is modelled as closely as possible to how SSPI works but not all the permutations have been tested.
  • The header/signature will be generated from the data, sign_only, data_readonly values concat together in the order they are provided.
• Added the query_message_sizes() function on a context to retrieve the important message sizes
  • Currently this only contains the size of the message header, also known as the signature or security trailer

Full Changelog: v0.8.0...v0.9.0

v0.8.0

0.8.0 - 2023-02-17

• Added the spnego.ContextReq.no_integrity flag to disable integrity/confidentiality on Kerberos/Negotiate contexts
  • This is used by authentication contexts that need to disable integrity/confidentiality explicitly
  • An example would be the LDAP SASL GSS-SPNEGO where the context flags control the SSF flags
• Added optional kwargs to step() on a security context channel_bindings
  • This can be used to supply the channel bindings when performing a context step rather than when creating the context

Full Changelog: v0.7.0...v0.8.0