Conversation

@paraddise

@paraddise paraddise commented Nov 1, 2025

TODO:

  • Implement for NTLM tds < 8.0
  • Implement for WinSSPI
  • Implement for Kerberos tds < 8.0
  • Implement for tds 8.0

@paraddise
Author

As I understand it, I need to pass tls-unique to gss_init_sec_context as a field in gss_channel_bindings_struct, and it seems I need to patch https://github.com/jcmturner/gokrb5

@paraddise
Author

@paraddise please read the following Contributor License Agreement (CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree

@codecov-commenter

codecov-commenter commented Nov 1, 2025

Codecov Report

❌ Patch coverage is 5.88235% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.04%. Comparing base (e574861) to head (0e339c3).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
tds.go 5.88% 14 Missing and 2 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #295      +/-   ##
==========================================
- Coverage   75.23%   75.04%   -0.19%     
==========================================
  Files          33       33              
  Lines        6501     6517      +16     
==========================================
  Hits         4891     4891              
- Misses       1326     1339      +13     
- Partials      284      287       +3     


@paraddise
Author

#294

@shueybubbles shueybubbles requested a review from Copilot November 6, 2025 14:45

Copilot AI left a comment


Pull Request Overview

This PR implements Extended Protection for Authentication (EPA) through TLS channel binding tokens for integrated authentication methods (NTLM and Kerberos). The implementation generates channel binding tokens from the TLS unique value and passes them to authenticators to enhance security against man-in-the-middle attacks.

  • Adds channel binding token generation from TLS unique values
  • Implements EPA support in NTLM authentication with AV_PAIR structure
  • Adds a DisableEPA connection string parameter to opt out of channel binding
  • Updates all integrated authenticators to support the new SetChannelBinding interface method

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 11 comments.

Show a summary per file
File Description
tds.go Extracts TLS unique value from connection state and generates channel binding token, then passes it to authenticators before login
msdsn/conn_str.go Adds DisableEPA parameter parsing and Config field for disabling Extended Protection for Authentication
integratedauth/integratedauthenticator.go Adds SetChannelBinding method to IntegratedAuthenticator interface
integratedauth/channel_binding.go New file implementing CBT generation from TLS unique value per MS-NLMP specification
integratedauth/ntlm/ntlm.go Implements channel binding in NTLM by adding MsvAvChannelBindings AV_PAIR to target info fields
integratedauth/krb5/krb5.go Adds channelBinding field and SetChannelBinding method to krbAuth struct
integratedauth/winsspi/winsspi.go Adds stub SetChannelBinding implementation for Windows SSPI auth
integratedauth/auth_test.go Updates stub authenticator with SetChannelBinding method
examples/channel_binding/tsql.go New example demonstrating channel binding usage with both NTLM and Kerberos authentication

Comment on lines 255 to 261
channelBinding []byte
}

func (k *krbAuth) SetChannelBinding(channelBinding []byte) {
k.channelBinding = channelBinding
}


Copilot AI Nov 6, 2025


The channelBinding field is stored but never used in the Kerberos authentication flow. The field should either be integrated into the authentication logic (e.g., passed to the SPNEGO client) or removed if channel binding is not supported for Kerberos authentication in this implementation.

Suggested change
channelBinding []byte
}
func (k *krbAuth) SetChannelBinding(channelBinding []byte) {
k.channelBinding = channelBinding
}
}

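The review above describes the pieces this PR wires together: a channel binding token derived from the TLS tls-unique value, carried to the server inside an NTLM MsvAvChannelBindings AV_PAIR, and a Kerberos path that would need the same bytes passed as gss_channel_bindings_struct. The following is an added example, written for this page and not the PR's own channel_binding.go or ntlm.go; the function names are mine, the sample tls-unique values are constructed rather than captured, and the struct layout follows MS-NLMP (MD5 over a gss_channel_bindings_struct whose application_data is "tls-unique:" followed by the tls-unique bytes, with empty address fields). It also shows the acceptor-side check that gives EPA its value: a token computed from one TLS session does not verify against another.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// MsvAvChannelBindings is the AV_PAIR AvId that MS-NLMP assigns to the
// channel binding hash (MsvAvEOL, AvId 0, terminates the list).
const MsvAvChannelBindings uint16 = 0x000A

// tlsUniquePrefix is the RFC 5929 channel-binding type name that precedes the
// tls-unique bytes inside application_data.
const tlsUniquePrefix = "tls-unique:"

// serializeChannelBindings lays out a gss_channel_bindings_struct the way
// Windows hashes it: five little-endian uint32 fields (initiator_addrtype,
// initiator_address length, acceptor_addrtype, acceptor_address length,
// application_data length) followed by application_data. The address fields
// are zero because TLS channel binding uses application_data only.
func serializeChannelBindings(appData []byte) []byte {
	out := make([]byte, 0, 20+len(appData))
	var u32 [4]byte
	for _, v := range []uint32{0, 0, 0, 0, uint32(len(appData))} {
		binary.LittleEndian.PutUint32(u32[:], v)
		out = append(out, u32[:]...)
	}
	return append(out, appData...)
}

// ChannelBindingToken computes the 16-byte MsvAvChannelBindings value for a
// tls-unique value. An empty tls-unique is an error rather than a token over
// empty data: crypto/tls reports a nil TLSUnique for TLS 1.3 sessions and for
// resumed sessions without extended master secret, and hashing that would
// bind the authentication to nothing.
func ChannelBindingToken(tlsUnique []byte) ([]byte, error) {
	if len(tlsUnique) == 0 {
		return nil, errors.New("tls-unique unavailable: cannot build channel binding token")
	}
	appData := append([]byte(tlsUniquePrefix), tlsUnique...)
	sum := md5.Sum(serializeChannelBindings(appData))
	return sum[:], nil
}

// ChannelBindingsAVPair encodes the token as an AV_PAIR:
// AvId (uint16 LE), AvLen (uint16 LE), Value.
func ChannelBindingsAVPair(cbt []byte) []byte {
	pair := make([]byte, 4+len(cbt))
	binary.LittleEndian.PutUint16(pair[0:2], MsvAvChannelBindings)
	binary.LittleEndian.PutUint16(pair[2:4], uint16(len(cbt)))
	copy(pair[4:], cbt)
	return pair
}

// FindChannelBindings walks an AV_PAIR list and returns the
// MsvAvChannelBindings value, or nil if it is absent or the list is truncated.
func FindChannelBindings(avPairs []byte) []byte {
	for len(avPairs) >= 4 {
		id := binary.LittleEndian.Uint16(avPairs[0:2])
		n := int(binary.LittleEndian.Uint16(avPairs[2:4]))
		if id == 0 || len(avPairs) < 4+n { // MsvAvEOL or truncated list
			return nil
		}
		if id == MsvAvChannelBindings {
			return avPairs[4 : 4+n]
		}
		avPairs = avPairs[4+n:]
	}
	return nil
}

// ServerAccepts models the acceptor-side check: the server derives the token
// from the tls-unique of the TLS session it terminated itself and compares it
// with the token the client placed in its target info. Credentials relayed
// through a different TLS session carry a different token and are rejected.
func ServerAccepts(serverTLSUnique, avPairs []byte) bool {
	expected, err := ChannelBindingToken(serverTLSUnique)
	if err != nil {
		return false
	}
	got := FindChannelBindings(avPairs)
	return got != nil && subtle.ConstantTimeCompare(got, expected) == 1
}

func main() {
	// Constructed sample tls-unique values (12 bytes, the size of a TLS 1.2
	// Finished verify_data); not taken from a real connection.
	clientSession := []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
	otherSession := []byte{0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab, 0xac}

	cbt, err := ChannelBindingToken(clientSession)
	if err != nil {
		panic(err)
	}
	// Target info as the client sends it: the CBT pair followed by MsvAvEOL.
	targetInfo := append(ChannelBindingsAVPair(cbt), 0, 0, 0, 0)
	fmt.Printf("CBT: %x\n", cbt)
	fmt.Println("same TLS session accepted:", ServerAccepts(clientSession, targetInfo))
	fmt.Println("other TLS session accepted:", ServerAccepts(otherSession, targetInfo))
}
```

In the driver the tls-unique bytes would come from the connection's `tls.ConnectionState().TLSUnique`, which is exactly where the nil case above matters: on a TLS 1.3 session the token cannot be built from tls-unique, so the driver has to decide between failing closed and falling back to an unbound login, and a DisableEPA-style opt-out should be a deliberate configuration choice rather than a silent default.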
@shueybubbles
Collaborator

thx for opening a PR!
If you have trouble getting EPA plumbed through the jcmturner/gokrb5 project due to lack of engagement, consider adopting that code into this repo, assuming its license allows it. We did that for our named pipe implementation. See #264 too
