From a730432e59754df97c8985eb3094ca1cdd3e4955 Mon Sep 17 00:00:00 2001
From: georgeok <giorgos.n.oikonomou@gmail.com>
Date: Tue, 29 Jan 2019 18:26:31 +0100
Subject: spnego_sspi: add support for channel binding

Attempt to add support for Secure Channel binding when negotiate
authentication is used. The problem to solve is that by default IIS
accepts channel binding and curl doesn't utilise them. The result was a
401 response. Scope affects only the Schannel(winssl)-SSPI combination.

Fixes https://github.com/curl/curl/issues/3503
Closes https://github.com/curl/curl/pull/3509
---
 lib/http_negotiate.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'lib/http_negotiate.c')

diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index 4713d1bd5..2a97707eb 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -89,6 +89,11 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
     }
   }
 
+  /* Supports SSL channel binding for Windows ISS extended protection */
+#if defined(USE_WINDOWS_SSPI) && defined(SECPKG_ATTR_ENDPOINT_BINDINGS)
+  neg_ctx->sslContext = conn->sslContext;
+#endif
+
   /* Initialize the security context and decode our challenge */
   result = Curl_auth_decode_spnego_message(data, userp, passwdp, service,
                                            host, header, neg_ctx);
-- 
cgit v1.2.3