Releases: jborean93/pyspnego

v0.10.2

03 Oct 16:38
cba319d

What's Changed

Full Changelog: v0.10.1...v0.10.2

v0.10.1

29 Sep 11:20
7324d44

What's Changed

Full Changelog: v0.10.0...v0.10.1

v0.10.0

26 Sep 22:08
f202da9

What's Changed

0.10.0 - 2023-09-27

  • Drop support for Python 3.7 - new minimum is 3.8+
  • Moved SSPI bindings out into a separate package called sspi
    • This simplifies this project as it doesn't have to worry about SSPI correctness
    • The sspi package improves performance and memory allocation with a more robust API
    • Fixes an issue with Cython 3, allowing the project to align with more modern versions going forward

Full Changelog: v0.9.2...v0.10.0

v0.9.2

28 Aug 23:31
fe2019e

What's Changed

  • Added Python 3.12 win wheels and test in CI by @jborean93 in #67

0.9.2 - 2023-08-29

  • Added Python 3.12 wheel for Windows

Full Changelog: v0.9.1...v0.9.2

v0.9.1

14 Jun 04:23
3c1d1a8

What's Changed

0.9.1 - 2023-06-14

  • Always set the NTLMSSP_REQUEST_VERSION flag on the NTLM Negotiate message
    • This aligns the behaviour with how SSPI generates this message

Full Changelog: v0.9.0...v0.9.1

v0.9.0

28 Apr 22:32
c3db058

What's Changed

0.9.0 - 2023-04-29

  • Added the spnego.ContextReq.dce_style flag to enable DCE authentication mode
    • This is used in protocols like RPC/DCE
  • The value for spnego.iov.BufferType.sign_only on SSPI has changed from representing SECBUFFER_MECHLIST to SECBUFFER_READONLY_WITH_CHECKSUM
    • This is to better match what sign_only means when using it with GSSAPI
    • It is needed to support RPC encryption and signature headers on SSPI
    • SECBUFFER_MECHLIST is not seen in any examples in the wild and is most likely an internal flag
  • Added the IOV buffer type spnego.iov.BufferType.data_readonly
    • For SSPI this corresponds to SECBUFFER_DATA | SECBUFFER_READONLY
    • For GSSAPI this corresponds to GSS_IOV_BUFFER_TYPE_EMPTY
    • As GSSAPI has no actual equivalent to this, the empty buffer type is used, which in testing results in compatible buffers
    • This is used for DCE/RPC wrapping when the PDU header and sec trailer are not signed but are included in the wrap_iov buffers.
  • Added limited support for wrap_iov and unwrap_iov in the Python NTLM context provider.
    • This currently only supports spnego.iov.BufferType.header, spnego.iov.BufferType.data, spnego.iov.BufferType.sign_only, spnego.iov.BufferType.data_readonly, and spnego.iov.BufferType.stream
    • header
      • wrap_iov: Used to place the resulting signature in the buffer
      • unwrap_iov: Used as the signature source for validation
    • data
      • wrap_iov: Data to be encrypted/sealed
      • unwrap_iov: Data to be decrypted/unsealed
    • sign_only
      • wrap_iov: Data to be included in the signature/header generation
      • unwrap_iov: Data to be included in the signature/header verification
    • data_readonly is treated the same as sign_only
    • stream
      • wrap_iov: Not supported
      • unwrap_iov: Contains the full value to decrypt, with the headers at the beginning; it must be coupled with a subsequent buffer of the type data to place the decrypted value into
    • The behaviour used here is modelled as closely as possible on how SSPI works, but not all the permutations have been tested.
    • The header/signature will be generated from the data, sign_only, and data_readonly values concatenated together in the order they are provided.
  • Added the query_message_sizes() function on a context to retrieve the important message sizes
    • Currently this only contains the size of the message header, also known as the signature or security trailer
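
The buffer roles listed above for the Python NTLM provider, shown as an added example that is not pyspnego's code: a simplified stdlib model of NTLM sealing in which data buffers are RC4-encrypted and the 16-byte header carries an HMAC-MD5 checksum over the data, sign_only and data_readonly values in the order given. The keys, buffer contents and function names are constructed for illustration, and the order in which the RC4 stream is consumed across buffers is an assumption of this model.

```python
import hashlib, hmac, struct

SIGNED = ("data", "sign_only", "data_readonly")  # buffer types covered by the signature

def rc4(key):
    """Stateful RC4 stream, standing in for the NTLM sealing handle."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    pos = [0, 0]
    def crypt(data):
        i, j = pos
        out = bytearray()
        for b in data:
            i = (i + 1) % 256
            j = (j + s[i]) % 256
            s[i], s[j] = s[j], s[i]
            out.append(b ^ s[(s[i] + s[j]) % 256])
        pos[:] = i, j
        return bytes(out)
    return crypt

def _header(sign_key, stream, seq_no, plain):
    # Signature input: plaintext of the signed buffers, in the caller's order.
    msg = b"".join(v for t, v in plain if t in SIGNED)
    seq = struct.pack("<I", seq_no)
    mac = hmac.new(sign_key, seq + msg, hashlib.md5).digest()[:8]
    return struct.pack("<I", 1) + stream(mac) + seq  # version, checksum, seq

def wrap_iov(sign_key, stream, seq_no, iov):
    """Seal only 'data' buffers and place the signature in the 'header' buffer."""
    sealed = [(t, stream(v) if t == "data" else v) for t, v in iov]
    hdr = _header(sign_key, stream, seq_no, iov)
    return [(t, hdr if t == "header" else v) for t, v in sealed]

def unwrap_iov(sign_key, stream, seq_no, iov):
    """Unseal 'data' buffers, then verify the 'header' buffer over all signed buffers."""
    plain = [(t, stream(v) if t == "data" else v) for t, v in iov]
    expected = _header(sign_key, stream, seq_no, plain)
    got = next(v for t, v in iov if t == "header")
    if not hmac.compare_digest(got, expected):
        raise ValueError("signature mismatch")
    return plain

# Constructed keys and DCE/RPC-shaped buffers (not real session keys).
SIGN_KEY, SEAL_KEY = b"S" * 16, b"K" * 16
SAMPLE = [("sign_only", b"PDU-HEADER"), ("data", b"stub data"),
          ("data_readonly", b"SEC-TRAILER"), ("header", b"")]
```

Changing a sign_only or data_readonly buffer, or passing the buffers to `unwrap_iov` in a different order than they were wrapped, makes verification fail even though those buffers travel in the clear.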

Full Changelog: v0.8.0...v0.9.0

v0.8.0

16 Feb 20:18
e3c1d10

0.8.0 - 2023-02-17

  • Added the spnego.ContextReq.no_integrity flag to disable integrity/confidentiality on Kerberos/Negotiate contexts
    • This is used by authentication contexts that need to disable integrity/confidentiality explicitly
    • An example is the LDAP SASL GSS-SPNEGO mechanism, where the context flags control the SSF flags
  • Added the optional channel_bindings kwarg to step() on a security context
    • This can be used to supply the channel bindings when performing a context step rather than when creating the context

Full Changelog: v0.7.0...v0.8.0

v0.7.0

18 Dec 21:58
a6089fb

What's Changed

  • Added support for decoding the following TLS payloads with python -m spnego --token ...
    • Client Hello
    • Server Hello
    • Certificate
    • Server Key Exchange
    • Client Key Exchange
    • Certificate Request
  • Added the new_context() method on the context proxies to provide an easy and efficient way to re-use the context credentials and options for a new context
  • Removed use of gssntlmssp to simplify codebase and ensure a consistent experience across OS versions
    • Using NTLM on a non-Windows system will use the Python NTLM implementation instead

Full Changelog: v0.6.3...v0.7.0

v0.6.3

04 Nov 00:09
4e2f314

0.6.3 - 2022-11-04

  • Ignore GSS_S_NO_CONTEXT errors on GSSAPI after stepping through the token exchange before the context is complete
    • This is raised by MIT krb5 before 1.14.x and can be ignored

v0.6.2

26 Oct 14:16
4753669

0.6.2 - 2022-10-27

  • Fix up sdist and wheels to include py.typed type annotation marker