auth/gensec: fix non-AES schannel seal

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14134

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 709d54d68a9c2cb3cda91d9ab63228a7adbaceb4)

2 files changed, 9 insertions, 1 deletions

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 8ba1eafc76d..74a3eb5c690 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -296,6 +296,15 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state,
 			ZERO_ARRAY(_sealing_key);
 			return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
 		}
+		gnutls_cipher_deinit(cipher_hnd);
+		rc = gnutls_cipher_init(&cipher_hnd,
+					GNUTLS_CIPHER_ARCFOUR_128,
+					&sealing_key,
+					NULL);
+		if (rc < 0) {
+			ZERO_ARRAY(_sealing_key);
+			return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+		}
 		rc = gnutls_cipher_encrypt(cipher_hnd,
 					   data,
 					   length);
diff --git a/selftest/knownfail b/selftest/knownfail
index 94b0f014749..7b54b77a708 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -374,4 +374,3 @@
 ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
-^samba.unittests.schannel.torture_schannel_seal_rc4