Skip to content

Draft: Add support for EPA #295

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Draft: Add support for EPA #295

wants to merge 8 commits into from

Conversation

@paraddise
Copy link

@paraddise paraddise commented Nov 1, 2025
edited
Loading

TODO:

  • Implement for NTLM tds < 8.0
  • Implement for WinSSPI
  • Implement for Kerberos tds < 8.0
  • Implement for tds 8.0

@paraddise
Copy link
Author

paraddise commented Nov 1, 2025

As I understand I need to pass tls-unique to gss_init_sec_context as a field in gss_channel_bindings_struct, and it seems I need to patch https://github.com/jcmturner/gokrb5

@paraddise
Copy link
Author

paraddise commented Nov 1, 2025

@paraddise please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree

@codecov-commenter
Copy link

codecov-commenter commented Nov 1, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 5.88235% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.04%. Comparing base (e574861) to head (0e339c3).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
tds.go 5.88% 14 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #295      +/-   ##
==========================================
- Coverage   75.23%   75.04%   -0.19%     
==========================================
  Files          33       33              
  Lines        6501     6517      +16     
==========================================
  Hits         4891     4891              
- Misses       1326     1339      +13     
- Partials      284      287       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@paraddise
Copy link
Author

paraddise commented Nov 6, 2025

#294

@shueybubbles shueybubbles requested a review from Copilot November 6, 2025 14:45
shueybubbles
shueybubbles reviewed Nov 6, 2025
View reviewed changes
Copilot AI reviewed Nov 6, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements Extended Protection for Authentication (EPA) through TLS channel binding tokens for integrated authentication methods (NTLM and Kerberos). The implementation generates channel binding tokens from the TLS unique value and passes them to authenticators to enhance security against man-in-the-middle attacks.

  • Adds channel binding token generation from TLS unique values
  • Implements EPA support in NTLM authentication with AV_PAIR structure
  • Adds a DisableEPA connection string parameter to opt out of channel binding
  • Updates all integrated authenticators to support the new SetChannelBinding interface method

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 11 comments.

Show a summary per file
File Description
tds.go Extracts TLS unique value from connection state and generates channel binding token, then passes it to authenticators before login
msdsn/conn_str.go Adds DisableEPA parameter parsing and Config field for disabling Extended Protection for Authentication
integratedauth/integratedauthenticator.go Adds SetChannelBinding method to IntegratedAuthenticator interface
integratedauth/channel_binding.go New file implementing CBT generation from TLS unique value per MS-NLMP specification
integratedauth/ntlm/ntlm.go Implements channel binding in NTLM by adding MsvAvChannelBindings AV_PAIR to target info fields
integratedauth/krb5/krb5.go Adds channelBinding field and SetChannelBinding method to krbAuth struct
integratedauth/winsspi/winsspi.go Adds stub SetChannelBinding implementation for Windows SSPI auth
integratedauth/auth_test.go Updates stub authenticator with SetChannelBinding method
examples/channel_binding/tsql.go New example demonstrating channel binding usage with both NTLM and Kerberos authentication

integratedauth/krb5/krb5.go Outdated
Comment on lines 255 to 261
channelBinding []byte
}

func (k *krbAuth) SetChannelBinding(channelBinding []byte) {
k.channelBinding = channelBinding
}

Copy link

Copilot AI Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The channelBinding field is stored but never used in the Kerberos authentication flow. The field should either be integrated into the authentication logic (e.g., passed to the SPNEGO client) or removed if channel binding is not supported for Kerberos authentication in this implementation.

Suggested change
channelBinding []byte
}
func (k *krbAuth) SetChannelBinding(channelBinding []byte) {
k.channelBinding = channelBinding
}
}

Copilot uses AI. Check for mistakes.
@shueybubbles
Copy link
Collaborator

shueybubbles commented Nov 6, 2025

thx for opening a PR!
If you have trouble getting EPA plumbed through the jcmturner/gokrb5 project due to lack of engagement, consider adopting that code into this repo, assuming its license allows it. We did that for our named pipe implementation. See #264 too

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shueybubbles shueybubbles shueybubbles left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@paraddise @codecov-commenter @shueybubbles