feat: Add SASL security layer support for GSSAPI

[vrlo]

What this does

Implements SASL security layers (RFC 4752) for GSSAPI/Kerberos authentication
providing message integrity protection and confidentiality after authentication.

Follows RFC 4121 (GSS-API v2 WrapToken format), RFC 4752 (GSSAPI SASL mechanism),
and RFC 4422 (SASL framing with 4-byte length prefix).

Tested against Windows Active Directory (LDAP on port 389).

Fixes #567

Impact

This adds new APIs -- requires a minor version bump

Implementation

Three new components in v8/gssapi:

SecurityLayerSession - Session management for message wrapping/unwrapping:

session, err := gssapi.NewSecurityLayerSession(sessionKey, gssapi.SecurityLayerIntegrity, true, 65536)
wrapped, err := session.Wrap(message)
unwrapped, err := session.Unwrap(wrapped)

SASL Framing - RFC 4422 framing with 4-byte length prefix:

framedMessage, err := session.WrapWithSASLFraming(message)
unwrapped, err := session.UnwrapFromSASLFraming(data)

SecureConn - Transparent net.Conn wrapper:

secureConn := gssapi.NewSecureConn(conn, session)
// All Read/Write operations automatically protected

Testing

Production tested against Windows Active Directory:

• Integrity layer (RRC=12) ✅
• Confidentiality layer (RRC=28) ✅
• LDAP search operations ✅

Compatibility

No breaking changes - all new exports:

• SecurityLayer (type)
• SecurityLayerSession (type)
• SecureConn (type)
• NewSecurityLayerSession() (function)
• NewSecureConn() (function)

Platform agnostic, zero external dependencies, targets v8 only.

Related issues

• GSSAPI Bind Support ”Strong Auth“ security layer go-ldap/ldap#552
• Using gokrb5 with go-ldap #247

Builds on:

• Implement support for GSSAPI Wrap Tokens #87 (this adds the high-level API)

Note: This implements RFC 4121 (modern GSS-API v2). For RFC 1964 (legacy), see #460.

[Neustradamus]

@vrlo: Thanks for your PR!

If you can look for Channel Binding too, it will be nice :)