From 09662337441c40c23da7b557c4cceacd7cc3b76e Mon Sep 17 00:00:00 2001
From: georgeok
Date: Tue, 27 Nov 2018 18:39:45 +0100
Subject: ntlm_sspi: add support for channel binding

Windows extended potection (aka ssl channel binding) is required to login to ntlm IIS endpoint, otherwise the server returns 401 responses.
Fixes #3280
Closes #3321
---
 lib/vtls/schannel.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'lib/vtls/schannel.c')
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index ab7f83f46..af22ecbb6 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -1414,6 +1414,16 @@ schannel_connect_common(struct connectdata *conn, int sockindex,
 connssl->state = ssl_connection_complete;
 conn->recv[sockindex] = schannel_recv;
 conn->send[sockindex] = schannel_send;
+
+#ifdef SECPKG_ATTR_ENDPOINT_BINDINGS
+ /* When SSPI is used in combination with Schannel
+ * we need the Schannel context to create the Schannel
+ * binding to pass the IIS extended protection checks.
+ * Available on Windows 7 or later.
+ */
+ conn->ntlm.sslContext = &BACKEND->ctxt->ctxt_handle;
+#endif
+
 *done = TRUE;
 }
 else
--
cgit v1.2.3
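Review bot: The added assignment `conn->ntlm.sslContext = &BACKEND->ctxt->ctxt_handle;` stores a borrowed pointer into the Schannel backend's context and nothing in this hunk clears it, so the NTLM code could later read a stale handle if the TLS context is freed or replaced while `conn->ntlm` still refers to it. The teardown path is outside this hunk, so this should be confirmed there and `conn->ntlm.sslContext = NULL;` added where the context is released. The assignment also runs for every `sockindex`, so a handshake on a secondary socket would overwrite the binding source for the primary channel; guarding it with `if(sockindex == FIRSTSOCKET)` would keep the channel binding tied to the TLS channel that carries the NTLM exchange. The comment could also say that the pointer is not owned by `conn->ntlm` and is only valid while the Schannel context lives. schannel_connect_common starts and ends outside the hunk.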