
chore(release): prepare for publishing #697

Closed
devolutionsbot wants to merge 3 commits into master from release-plz/2026-06-24T12-55-10Z


Conversation

@devolutionsbot

Contributor

🤖 New release

  • sspi: 0.21.0 -> 0.21.1 (✓ API compatible changes)
Changelog

[0.21.1] - 2026-06-24

Features

  • Add support for SECPKG_ATTR_NAMES (#676) (be6315d475)

  • Generate dotnet bindings with csbindgen (#679) (07f280b930)

  • Add keytab client credentials and standards-compliant SASL/GSSAPI acceptor support (#681) (d95f249622)

    Extends the sspi Kerberos implementation to interoperate with standards-compliant SASL/GSSAPI (RFC 4752 / RFC 4121) peers by adding keytab-backed client credentials, supporting integrity-only (unsealed) GSS_Wrap tokens, and allowing acceptors to validate tickets for multiple configured service principals.

  • Support for Kerberos cross realm referral (#694) (797365417f)

    RDP/NLA via FreeRDP and sspi-rs failed when a parent-domain user
    (richard@rjm.local) authenticated to a host in a child domain
    (TERMSRV/WIN-UE7FOENEK0D.dev.rjm.local) with

    InvalidToken: Asn1 error: "Expected Application number tag 15 but got: 30"

    (Kerberos app tags: 15 = AP-REP, 30 = KRB-ERROR — i.e. we expected
    an AP-REP from the server but got a KRB-ERROR.)

    Root cause

    sspi-rs has no cross-realm referral chasing. A KDC only issues tickets
    for principals in its own realm; for a service in another realm it
    returns a referral TGT (sname = krbtgt/<NEXT_REALM>), and the client
    must re-send the TGS-REQ to that next realm. Instead, sspi-rs:

    1. Sent the TGS-REQ to the home KDC (RJM.LOCAL) → got back a referral
       TGT for krbtgt/DEV.RJM.LOCAL.
    2. Stuffed that referral TGT directly into the AP_REQ as if it were
       the service ticket.
    3. The target (WIN-UE7FOENEK0D) couldn't decrypt a ticket encrypted with
       the trust key; returned KRB-ERROR 41 (KRB_AP_ERR_MODIFIED).
    4. sspi-rs tried to parse that KRB-ERROR as an AP-REP → InvalidToken.

    What we changed

    Referral chasing loop in the TGS exchange
    (src/kerberos/client/mod.rs): after each TGS-REP, if the returned
    ticket sname is krbtgt/<NEXT_REALM>, re-issue the TGS-REQ for the same
    SPN to that realm using the referral TGT, chaining the session key and
    authenticator each hop, until the real service ticket comes back.
    Bounded to 10 hops with a no-progress guard.

    Per-realm KDC routing (src/kerberos/mod.rs): split send into
    send/send_to and added send_for_realm. The pinned kdc_url (KDC
    proxy) stays authoritative for the home realm only; referral hops
    resolve through detect_kdc_url(realm).

    Helper and tests: extracted referral_target_realm(sname) (testable
    predicate) with 5 unit tests.

    Key decisions

    Reuse the existing per-realm resolution chain rather than add new
    config. Referral hops route via the existing SSPI_KDC_URL_<REALM> env
    → krb5.conf → DNS SRV (_kerberos._tcp.) fallback. No new
    FFI/config plumbing; set one env var (or rely on DNS) and it works.

    Pinned KDC = home realm only. A KDC proxy pinned to the home DC can't
    decrypt a krbtgt/<NEXT_REALM> referral ticket, so referral hops must
    reach the target realm's KDC.

    For further discussion

    (Because I'm trying to keep these changes focussed)

    Windows DNS SRV limitations (src/dns.rs): the Windows path forces
    port :88 (ignores the SRV port) and reads only the first SRV record
    (no multi-DC failover).

    Dotted env-var friction: SSPI_KDC_URL_DEV.RJM.LOCAL breaks PowerShell
    $env: parsing. Add underscore-normalized aliasing
    (SSPI_KDC_URL_DEV_RJM_LOCAL)?

    U2U + referral interaction: additional_tickets is only carried on the
    first hop; edge case, likely fine, but worth a sanity check.

Bug Fixes

Build

  • Add arm64 iOS simulator NuGet RID (#693) (ab1c19f4a5)

  • Advance RustCrypto pins to the current rc.18/rc.33/rc.10 cluster (#692) (095e3f341c)


This PR was generated with release-plz.
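The referral chasing loop and no-progress guard described in the #694 changelog entry above, modelled as an added example in Rust. This is not sspi-rs code: `FakeKdc`, `TgsRep`, `ChaseError`, `chase_referrals` and `rjm_scenario` are constructed here for illustration, only `referral_target_realm` and the 10-hop bound follow the entry, and the realm and host names are the ones the entry itself uses.

```rust
// Added example (not sspi-rs code): a self-contained model of the referral
// chasing loop from the #694 changelog entry. FakeKdc, TgsRep, ChaseError,
// chase_referrals and rjm_scenario are constructed here for illustration.
use std::collections::{HashMap, HashSet};

/// Upper bound on referral hops, as stated in the changelog entry.
pub const MAX_REFERRAL_HOPS: usize = 10;

/// Minimal stand-in for a TGS-REP: the sname of the issued ticket and the
/// realm whose KDC issued it.
#[derive(Debug, Clone, PartialEq)]
pub struct TgsRep {
    pub sname: String,
    pub issuing_realm: String,
}

/// Some(next_realm) when `sname` is a referral TGT (krbtgt/<NEXT_REALM>),
/// None when it names a real service. Plays the role of the entry's
/// referral_target_realm(sname) predicate.
pub fn referral_target_realm(sname: &str) -> Option<&str> {
    let (service, realm) = sname.split_once('/')?;
    if service.eq_ignore_ascii_case("krbtgt") && !realm.is_empty() {
        Some(realm)
    } else {
        None
    }
}

/// Simulated realm KDC (constructed): serves SPNs whose host lives directly in
/// `serves_domain` and answers with a referral TGT towards `refers_to` otherwise.
pub struct FakeKdc {
    pub serves_domain: String,
    pub refers_to: Option<String>,
}

impl FakeKdc {
    pub fn tgs_exchange(&self, realm: &str, spn: &str) -> Option<TgsRep> {
        let host = spn.split_once('/').map(|(_, h)| h)?;
        let domain = host.split_once('.').map(|(_, d)| d)?;
        let sname = if domain.eq_ignore_ascii_case(&self.serves_domain) {
            spn.to_string()
        } else {
            format!("krbtgt/{}", self.refers_to.as_ref()?)
        };
        Some(TgsRep { sname, issuing_realm: realm.to_string() })
    }
}

#[derive(Debug, PartialEq)]
pub enum ChaseError {
    TooManyHops,
    NoProgress(String),
    UnknownRealm(String),
}

/// Follow referrals from `home_realm` until a ticket for `spn` itself comes
/// back. Returns the final TgsRep and the number of referral hops taken.
pub fn chase_referrals(
    kdcs: &HashMap<String, FakeKdc>,
    home_realm: &str,
    spn: &str,
) -> Result<(TgsRep, usize), ChaseError> {
    let mut realm = home_realm.to_ascii_uppercase();
    let mut visited: HashSet<String> = HashSet::new();
    for hop in 0..MAX_REFERRAL_HOPS {
        // No-progress guard: a referral back to a realm already asked means
        // the trust path loops and no further hop can produce a service ticket.
        if !visited.insert(realm.clone()) {
            return Err(ChaseError::NoProgress(realm));
        }
        let kdc = kdcs.get(&realm).ok_or_else(|| ChaseError::UnknownRealm(realm.clone()))?;
        let rep = kdc.tgs_exchange(&realm, spn).ok_or_else(|| ChaseError::UnknownRealm(realm.clone()))?;
        match referral_target_realm(&rep.sname) {
            // Referral TGT: re-issue the TGS-REQ for the same SPN to that realm.
            Some(next) => realm = next.to_ascii_uppercase(),
            // Real service ticket: this is the one that belongs in the AP-REQ.
            None => return Ok((rep, hop)),
        }
    }
    Err(ChaseError::TooManyHops)
}

/// The parent/child scenario from the changelog entry, as constructed data.
pub fn rjm_scenario() -> HashMap<String, FakeKdc> {
    let mut kdcs = HashMap::new();
    kdcs.insert("RJM.LOCAL".to_string(), FakeKdc { serves_domain: "rjm.local".into(), refers_to: Some("DEV.RJM.LOCAL".into()) });
    kdcs.insert("DEV.RJM.LOCAL".to_string(), FakeKdc { serves_domain: "dev.rjm.local".into(), refers_to: None });
    kdcs
}

fn main() {
    let spn = "TERMSRV/WIN-UE7FOENEK0D.dev.rjm.local";
    match chase_referrals(&rjm_scenario(), "RJM.LOCAL", spn) {
        Ok((rep, hops)) => println!("service ticket {} from {} after {} hop(s)", rep.sname, rep.issuing_realm, hops),
        Err(e) => println!("referral chasing failed: {e:?}"),
    }
}
```

The pre-fix behaviour the entry describes corresponds to taking the hop-0 `TgsRep` without consulting `referral_target_realm`, so a `krbtgt/DEV.RJM.LOCAL` ticket would be handed to the AP-REQ builder. With the guard in place a looping trust path surfaces as `NoProgress` and an over-long chain as `TooManyHops`, both before any AP-REQ is built, which is the failure mode a caller should log rather than retry.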

@CBenoit

Member

Copilot Address the new clippy lints, and clean up the changelog.

Copilot AI commented Jun 24, 2026

Contributor

Copilot Address the new clippy lints, and clean up the changelog.

Done in the latest commit:

  • Clippy lint (crates/winscard/src/chuid.rs): replaced the deprecated time::format_description::parse(...) with format_description::parse_borrowed::<2>(...) — this was the call failing CI with -D deprecated implied by -D warnings.
  • Changelog: removed the raw PR body (multi-section technical write-up + broken vscode-webview URL) from the "Support for Kerberos cross realm referral" entry, leaving just the one-liner summary consistent with the other entries.
