chore: ⬆️ updated deps

vendor/github.com/microsoft/go-mssqldb/integratedauth/ntlm/ntlm.go

@@ -57,11 +57,24 @@ const _NEGOTIATE_FLAGS = _NEGOTIATE_UNICODE |
 	_NEGOTIATE_ALWAYS_SIGN |
 	_NEGOTIATE_EXTENDED_SESSIONSECURITY
 
+const (
+	AV_PAIR_MsvAvChannelBindings = 0x000A
+)
+
 type Auth struct {
-	Domain      string
-	UserName    string
-	Password    string
-	Workstation string
+	Domain         string
+	UserName       string
+	Password       string
+	Workstation    string
+	ChannelBinding []byte
+}
+
+func (auth *Auth) SetChannelBinding(channelBinding *integratedauth.ChannelBindings) {
+	if channelBinding.Type == integratedauth.ChannelBindingsTypeTLSExporter {
+		auth.ChannelBinding = channelBinding.ApplicationData
+	} else {
+		auth.ChannelBinding = channelBinding.Md5Hash()
+	}
 }
 
 // getAuth returns an authentication handle Auth to provide authentication content
@@ -72,10 +85,11 @@ func getAuth(config msdsn.Config) (integratedauth.IntegratedAuthenticator, error
 	}
 	domainUser := strings.SplitN(config.User, "\\", 2)
 	return &Auth{
-		Domain:      domainUser[0],
-		UserName:    domainUser[1],
-		Password:    config.Password,
-		Workstation: config.Workstation,
+		Domain:         domainUser[0],
+		UserName:       domainUser[1],
+		Password:       config.Password,
+		Workstation:    config.Workstation,
+		ChannelBinding: []byte{},
 	}, nil
 }
 
@@ -243,7 +257,7 @@ func getNTLMv2AndLMv2ResponsePayloads(userDomain, username, password string, cha
 	return
 }
 
-func negotiateExtendedSessionSecurity(flags uint32, message []byte, challenge [8]byte, username, password, userDom string) (lm, nt []byte, err error) {
+func negotiateExtendedSessionSecurity(flags uint32, message []byte, challenge [8]byte, username, password, userDom string, channelBinding []byte) (lm, nt []byte, err error) {
 	nonce := clientChallenge()
 
 	// Official specification: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b38c36ed-2804-4868-a9ff-8dd3182128e4
@@ -254,6 +268,19 @@ func negotiateExtendedSessionSecurity(flags uint32, message []byte, challenge [8
 			return lm, nt, err
 		}
 
+		if len(channelBinding) > 0 {
+			av_pair_cb := make([]byte, 4)
+			// Create the AV_PAIR structure for channel bindings as specified in MS-NLMP.
+			// Set AvId to MsvAvChannelBindings and AvLen to the length of the channel binding data.
+			// See: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/83f5e789-660d-4781-8491-5f8c6641f75e
+			binary.LittleEndian.PutUint16(av_pair_cb[0:2], AV_PAIR_MsvAvChannelBindings)
+			binary.LittleEndian.PutUint16(av_pair_cb[2:4], uint16(len(channelBinding)))
+			av_pair_cb = append(av_pair_cb, channelBinding...)
+
+			targetInfoFields = append(targetInfoFields[:len(targetInfoFields)-4], av_pair_cb...)
+			targetInfoFields = append(targetInfoFields, 0, 0, 0, 0)
+		}
+
 		nt, lm = getNTLMv2AndLMv2ResponsePayloads(userDom, username, password, challenge, nonce, targetInfoFields, time.Now())
 
 		return lm, nt, nil
@@ -376,7 +403,7 @@ func (auth *Auth) NextBytes(bytes []byte) ([]byte, error) {
 	copy(challenge[:], bytes[24:32])
 	flags := binary.LittleEndian.Uint32(bytes[20:24])
 	if (flags & _NEGOTIATE_EXTENDED_SESSIONSECURITY) != 0 {
-		lm, nt, err := negotiateExtendedSessionSecurity(flags, bytes, challenge, auth.UserName, auth.Password, auth.Domain)
+		lm, nt, err := negotiateExtendedSessionSecurity(flags, bytes, challenge, auth.UserName, auth.Password, auth.Domain, auth.ChannelBinding)
 		if err != nil {
 			return nil, err
 		}