277 lines (145 loc) · 13.5 KB

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[0.18.8] - 2026-02-26

Features

Improve domain->realm mapping in kerberos backend (#604) (50cff70f0e)

Bug Fixes

Correct Negotiate (SPNEGO) implementation (#600) (c016e18863)

Build

Update dependencies

[0.18.7] - 2026-01-16

Features

NT Hash Authentication (#585) (21b45e16dc)

Adds support for NT hash (pass-the-hash) authentication, allowing authentication using pre-computed NT hashes instead of plaintext passwords.

[0.18.6] - 2026-01-05

Bug Fixes

Accept variable-length MsvAvSingleHost AvPair (#580) (28f8d74b8c)

Windows 11 Build 26200+ sends an 80-byte MsvAvSingleHost structure instead of the traditional 48 bytes. Per MS-NLMP specification, fields after MachineID MUST be ignored on receipt.

This change:
- Changes SingleHost from fixed [u8; 48] to Vec
- Relaxes validation from == 48 to >= 48 bytes
- Preserves full data for round-trip serialization
Fixes RDP credential injection failures when clients use Windows 11 Build 26200 or later.

[0.18.5] - 2025-12-11

Bug Fixes

Don't use eprintln on unknown packages (#558) (df6181291c)
Use String::from_utf16_lossy over String::from_utf16 to avoid changing the meaning of some buffers in case of invalid UTF-16 input (#568) (a4889f5b1e)

Build

Update dependencies

[0.18.4] - 2025-11-18

Build

Exclude cryptoki for WASM (#545) (9e4a84a9ee)

This fixes builds for the wasm32 target.

[0.18.3] - 2025-11-07

Features

Add NT_ENTERPRISE support in server-side Kerberos (#535) (40785e3123)

This is needed when want to connect using FQDN instead of down-level logon name.

Revert

Implement Default for SmartCardType (#534) (7280f7a67b)

It actually does not make sense to implement Default for SmartCardType. A user-provided PIN must be set.

Release 0.18.2 was yanked.

Bug Fixes

TLS 1.3 support in TSSSP module (#536) (0605cf01f8)
- Adds CipherSuite::TLS13_AES_256_GCM_SHA384 support.
- Fixes TLS packet header validation: TLS 1.3 uses TLS 1.2 version in the packet header.
Pin leftover pre-release crypto crates (#538) (6fc91fa977)

The patch version upgrade is not allowed to bring breaking changes, but this rule doesn't work for an rc version. So we should pin the rc versions, to not allow cargo update to a new rc automatically.

[0.18.2] - 2025-11-04 (Yanked)

Features

Implement Default for SmartCardType (#532) (3555b377e8)

[0.18.1] - 2025-10-29

Build

Bump hickory-resolver from 0.24.4 to 0.25.2 (#426) (59857e66c2)

[0.18.0] - 2025-10-14

Bug Fixes

DH client default parameters: remove leading zero (#514) (8114b570bc)
[breaking] Async network client returns !Send future (#513) (218ddf3e79)

Build

Bump picky to the latest version (#516) (972e04b153)
Bump the patch group across 1 directory with 2 updates (#519) (aaa6e78617)

[0.17.0] - 2025-10-06

Features

Data sigining using scard (#491) (6728fb525c)

Bug Fixes

[breaking] Move cert_utils from sspi crate to ffi (#507) (c9337c8f64)
[breaking] Fix lifetimes in initialize_security_context_impl (#495) (370951c1b0)

Build

Bump the windows crates
Bump the crypto dependencies (#489) (1ecba764ec)

[0.16.1] - 2025-08-19

Features

Add method to set the channel bindings for a session (#479) (0c0e225fe7)

Setting and sending the CBs is described in Sec. 3.1.5.2.1 of the NTLM spec, admittedly in a slightly confusing way, which may seem to suggest that the bindings are somehow part of the CHALLENGE message, but they are not: knowledge of CBs is strictly local to the client, therefore the client should send them in AUTHENTICATE.

[0.16.0] - 2025-07-07

Features

Server-side Kerberos implementation (#440) (943a297edd)

Bug Fixes

Server-side Kerberos fixes (#457) (27ce28dad5)
Kerberos server MIC token generation and validation (#464) (12fbd706a8)
Kerberos server WRAP token generation and validation (#463) (4bbe4071c8)

[0.15.14] - 2025-07-01

Build

Update picky-krb to 0.11 (#460) (5157bee02b)

[0.15.13] - 2025-06-23

Build

Bump windows-sys from 0.59.0 to 0.60.2 in the windows group across 1 directory (#455) (5744c8b4b3)

[0.15.12] - 2025-06-20

Bug Fixes

Invalid Kerberos token DER encoding (#453) (0ec3e687dd)

The default behavior of serializing a KrbMessage was accidentally changed.

[0.15.11] - 2025-06-11

Bug Fixes

Negotiate attempts KDC detection even when Kerberos is disabled (#447) (c56132c3f8)

[0.15.10] - 2025-06-10

Build

Update picky-krb to 0.10 (#448) (b8b983d7ae)

[0.15.9] - 2025-06-05

Build

Bump windows-registry from 0.4.0 to 0.5.2 in the windows group across 1 directory (#444) (9a349f7bdc)

[0.15.8] - 2025-06-05

Build

Migrate from winreg to windows-registry crate (#441) (8631235c8a)

[0.15.7] - 2025-05-29

Bug Fixes

Do not log at info-level return values (#438) (68d02e410d)

[0.15.6] - 2025-05-27

Bug Fixes

Lower info-level logs to debug-level (#436) (665cb1e1dc)

[0.15.5] - 2025-04-25

Features

Add query_context_session_key (#417) (862657a57c)

This addition is an implementation for the SSP API QueryContextAttributesEx(SECPKG_ATTR_SESSION_KEY). It is required for protocols such as SMB, and adding it to the Sspi trait, enables access to it across all the SSP packages implemented.

This adds the option for using Kerberos and Negotiate session keys.

[0.15.4] - 2025-03-24

Build

Update dependencies

[0.15.3] - 2025-03-12

Bug Fixes

Set correct seq number in MIC token (#390) (69f03c2933)

Fixes Kerberos LDAP auth. The problem was in the invalid sequence number in MIC token.
NTLM RPC auth (#395) (34d896c9ce)

[0.15.2] - 2025-02-27

Features

Support SECBUFFER_READONLY_WITH_CHECKSUM flag (#357) (397fd9502d)
Add USE_DCE_STYLE flag support (#358) (0f78bccaea)

Bug Fixes

Kerberos authentication and encryption for RPC and RDP (#372) (442dfc1382)

[0.15.1] - 2025-02-04

Features

Add make_signature and verify_signature to Sspi trait (#343) (040188a34d)

Bug Fixes

Store session key when using server-side NTLM implementation (#354) (41d1ca7fed)