- Fix up CredSSP acceptor when running with a LibreSSL based Python install (OpenBSD)
- Added official support for Python 3.13
- Import
ARC4
cipher from the newdecrepits
module sub-package, this removes the warning issued in newer versions of thecryptography
library
- Support input password string encoded with the
surrogatepass
error option- This allows the caller to provide a password for a gMSA or machine account that could contain invalid surrogate pairs for both NTLM and Kerberos auth.
- Stop using deprecated
datetime.dateime.utcnow()
for CredSSP acceptor context - Treat an empty string as a valid password,
None
is kept as use the cached credential - Improve the exception shown when no password was provided and no cached credential was available
- Another rename of the
sspi
package dependency tosspilib
- Rename
sspi
package dependency tosspic
to avoid conflicts with pywin32
- Drop support for Python 3.7 - new minimum is 3.8+
- Moved SSPI bindings out into a separate package called
sspi
- This simplifies this project as it doesn't have to worry about SSPI correctness
- The
sspi
package improves performance and memory allocation with a more robust API - Fixes an issue with Cython 3 allowing it to align with more modern versions going forward
- Added Python 3.12 wheel for Windows
- Always set the
NTLMSSP_REQUEST_VERSION
flag on the NTLMNegotiate
message- This aligns the behaviour with how SSPI generates this message
- Added the
spnego.ContextReq.dce_style
flag to enable DCE authentication mode- This is used in protocols like RPC/DCE
- The value for
spnego.iov.BufferType.sign_only
on SSPI has changed from representingSECBUFFER_MECHLIST
toSECBUFFER_READONLY_WITH_CHECKSUM
- This is to better match what
sign_only
means when using it with GSSAPI - It is needed to support RPC encryption and signature headers on SSPI
- The use of
SECBUFFER_MECHLIST
is not seen in any examples in the wild and is most likely an internal flag
- This is to better match what
- Added the IOV buffer type
spnego.iov.BufferType.data_readonly
- For SSPI this corresponds to
SECBUFFER_DATA | SECBUFFER_READONLY
- For GSSAPI this corresponds to
GSS_IOV_BUFFER_TYPE_EMPTY
- As GSSAPI has no actual equivalent to this the empty buffer type is used which in testing results in compatible buffers
- This is used for DCE/RPC wrapping when the PDU header and sec trailer are not signed but are included in the wrap_iov buffers.
- For SSPI this corresponds to
- Added limited support for
wrap_iov
andunwrap_iov
in the Python NTLM context provider.- This currently only supports
spnego.iov.BufferType.header
,spnego.iov.BufferType.data
,spnego.iov.BufferType.sign_only
,spnego.iov.BufferType.data_readonly
, andspnego.iov.BufferType.stream
header
wrap_iov
: Used to place the resulting signature in the bufferunwrap_iov
: Used as the signature source for validation
data
wrap_iov
: Data to be encrypted/sealedunwrap_iov
: Data to be decrypted/unsealed
sign_only
wrap_iov
: Data to be included in the signature/header generationunwrap_iov
: Data to be included in the signature/header verification
data_readonly
is treated the same assign_only
stream
wrap_iov
: Not supportedunwrap_iov
: Contains the full value to decrypt with the headers in the beginning, must be coupled with a subsequent data buffer of the typedata
to place the decrypted value into
- The behaviour used here is modelled as closely as possible to how
SSPI
works but not all the permutations have been tested. - The header/signature will be generated from the
data
,sign_only
,data_readonly
values concat together in the order they are provided.
- This currently only supports
- Added the
query_message_sizes()
function on a context to retrieve the important message sizes- Currently this only contains the size of the message
header
, also known as the signature or security trailer
- Currently this only contains the size of the message
- Added the
spnego.ContextReq.no_integrity
flag to disable integrity/confidentiality on Kerberos/Negotiate contexts- This is used by authentication contexts that need to disable integrity/confidentiality explicitly
- An example would be the LDAP SASL
GSS-SPNEGO
where the context flags control the SSF flags
- Added optional kwargs to
step()
on a security contextchannel_bindings
- This can be used to supply the channel bindings when performing a context step rather than when creating the context
- Added support for decoding the following TLS payloads with
python -m spnego --token ...
- Client Hello
- Server Hello
- Certificate
- Server Key Exchange
- Client Key Exchange
- Certificate Request
- Added the
new_context()
method on the context proxies to provide an easy and efficient way to re-use the context credentials and options for a new context - Removed use of
gssntlmssp
to simplify codebase and ensure a consistent experience across OS versions- Using NTLM on a non-Windows system will use the Python NTLM implementation instead
- Ignore
GSS_S_NO_CONTEXT
errors on GSSAPI after stepping through the token exchange before the context is complete- This is raised by MIT krb5 before 1.14.x and can be ignored
- Fix up sdist and wheels to include
py.typed
type annotation marker
- Added Python 3.11 wheel
- Drop support for Python 3.6 - new minimum is 3.7+
- Moved setuptools config into
pyproject.toml
and madeCython
a build requirement for Windows- For most users this is a hidden change
- If a tool follows the PEP 517 standard, like pip, this build dependency will work automatically
- The pre cythonised files are no longer included in the sdist going forward
- Fix str of enum values when running in Python 3.11 to be consistent with older versions
- Support
gssapi
on 1.5.x which comes with RHEL 8.
- Fix heap allocation errors when running with heap allocation monitoring on Windows
- Added custom MD4 hashing code for NTLM to use.
- Newer Linux distributions ship with OpenSSL 3.x which typically disables MD4 breaking the use of
hashlib.new('md4', b"")
- Using this custom code allows NTLM to continue to work
- While it's bad to continue to use older hashing mechanisms in this case there is no valid alternative available
- Newer Linux distributions ship with OpenSSL 3.x which typically disables MD4 breaking the use of
- Call
gss_inquire_sec_context_by_oid(ctx, spnego_req_mechlistMIC_oid)
when using pure NTLM over GSSAPI to ensure the token contains a MIC
- Added the
auth_stage
extra_info for a CredSSP context to give a human friendly indication of what sub auth stage it is up to. - Added the
protocol_version
extra_info for a CredSSP context to return the negotiated CredSSP protocol version. - Added the
credssp_min_protocol
keyword argument for a CredSSP context to set a minimum version the caller will accept of the peer.- This can be set to
5+
to ensure the peer supports and applies the mitigations for CVE-2018-0886.
- This can be set to
- Added safeguards when trying to retrieve the completed context attributes of
NegotiateProxy
before any contexts have been set up (#33)
- Add
usage
argument fortls.default_tls_context
to control whether the context is for a initiator or acceptor - Add type annotations and include
py.typed
in the package for downstream library use - Expose the
ContextProxy
class for type annotation use - Added
get_extra_info
toContextProxy
to expose a common way to retrieve context specific information, this is currently used by CredSSP to retrieveclient_credential
: The delegated client credential for acceptors once the context is completesslcontext
: The SSL context used to create the TLS objectssl_object
: The TLS object used during the CredSSP exchange
- The
client_credential
property onCredSSP
has been removed in favour of `context.get_extra_info('client_credential') - Added support for custom credential types
- Can be used to for things like NTLM authentication with NT/LM hashes, Kerberos with a keytab or from an explicit CCache, etc
- Support calling SSPI through
pyspnego
's Negotiate proxy context- This allows users on Windows to still use Negotiate auth but with a complex set of credentials
- Also opens up the ability to use Negotiate but only with Kerberos auth
- The
username
andpassword
property on the auth context object are deprecated and will returnNone
until it is removed in a future release
- Do not convert GSSAPI service to lowercase for GSSAPI and uppercase for SSPI
- SPNs are case insensitive on Windows but case sensitive on Linux
- Convering the service portion to upper or lower case could cause problems finding the target server on non-Windows GSSAPI implementations
- Changed project structure to a
src
layout - Include both Cython
pyx/pyd
andC
files for SSPI in the sdist generated - Added Python 3.10 wheel
- Ensure bad SPNEGO token inputs are raised as
InvalidTokenError
rather thanstruct.error
- Drop support for Python 2.7 and 3.5 - new minimum is 3.6+
- Made the
gss
,negotiate
,ntlm
,sspi
exports private, use thespnego.client
andspnego.server
functions instead- A deprecation warning is raised when importing from these package directly and this will be removed in the next major release
- Added support for CredSSP authentication using
protocol='credssp'
- Allow optional keyword arguments to be used with
spnego.client
andspnego.server
to control authentication specific options
- Use Kerberos API to acquire Kerberos credential to get a forwardable token in a thread safe manner
- Fix default credential logic when no username is provided based on GSSAPI rules rather than just the default principal - #15
- Ignore SPNEGO
mechListMIC
if it contains the same value as theresponseToken
due to an old Windows SPNEGO logic bug - https://github.com/krb5/krb5/blob/3f5a348287646d65700854650fe668b9c4249013/src/lib/gssapi/spnego/spnego_mech.c#L3734-L3744 - Do not use SSPI when
auth='ntlm'
and the password is in the form{lm_hash}:{nt_hash}
- This will be the last release that supports Python 2.7 and 3.5
- Change enum type of
iov.BufferType
toIntEnum
to fix load on Python 3.10 - #10 - Make
pyspnego-parse
and entry point which uses__main__.py
in thespnego
package- This allows Windows (and Linux) users to use the parser script by running
python -m spnego --token ...
- This allows Windows (and Linux) users to use the parser script by running
- Respect
NETBIOS_COMPUTER_NAME
when getting the workstation name for NTLM tokens. This matches the behaviour ofgss-ntlmssp
to ensure a consistent approach.
- Only send
negState: request-mic
for the first reply from an acceptor for Negotiate auth.- Strict interpretations of SPNEGO will fail if the initiator sends this state as it is against the RFC.
- Added Python 3.9 to CI and build Windows wheel for this version
- Fix up WinRM wrapping on SSPI
- Include the cython files in the built sdist
Initial release of pyspnego
- Added the
wrap_winrm
andunwrap_winrm
methods to a context to cover the complexity of WinRM wrapping - Re-added
ContextReq.delegate_policy
and just make it optional based on the python-gssapi version installed
- Remove
ContextReq.delegate_policy
because python-gssapi does not support flags that they do not define
- Ensure any explicit Kerberos credentials have the
forwardable
flags set whenContextReq.delegate
is requested - Fix protocol check to use the options passed in by the caller
- Expanded
pyspnego-parse
help messages a bit more - Added the
yaml
extras group to installruamel.yaml
which is an optional feature forpyspengo-parse
- Fix context has been set up check on Windows initiator when running against localhost
- Ensure built wheels are not built with
linetrace=True
which breaks debugging in PyCharm
First beta release of pyspnego.