From 527906c821b9df90929eef36d04731d1d9a1b5f7 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 6 Dec 2021 14:32:49 +1300 Subject: [PATCH] heimdal:kdc: Properly check for unsupported critical FAST options Decoding a FAST request will only give us the FastOptions flags that are explicitly declared in the ASN1 source. This meant that the check for unsupported mandatory options would never succeed, and an unsupported option would go undetected. Signed-off-by: Joseph Sutton --- lib/asn1/krb5.asn1 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/lib/asn1/krb5.asn1 b/lib/asn1/krb5.asn1 index 4780f8ce2..17969624a 100644 --- a/lib/asn1/krb5.asn1 +++ b/lib/asn1/krb5.asn1 @@ -774,6 +774,20 @@ PA-ServerReferralData ::= SEQUENCE { FastOptions ::= BIT STRING { reserved(0), hide-client-names(1), + critical2(2), + critical3(3), + critical4(4), + critical5(5), + critical6(6), + critical7(7), + critical8(8), + critical9(9), + critical10(10), + critical11(11), + critical12(12), + critical13(13), + critical14(14), + critical15(15), kdc-follow-referrals(16) }
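Review bot: the fourteen placeholder names critical2(2) through critical15(15), added between hide-client-names(1) and kdc-follow-referrals(16), carry no comment saying they are declared only so the decoder keeps those bits, which is the reason the commit message gives. Add an ASN.1 comment above critical2(2) stating that these are unassigned critical bits, named so the KDC can detect and reject a request that sets any of them, so that a later reader does not mistake them for supported options. The diffstat lists only lib/asn1/krb5.asn1, so the check for unsupported mandatory options that the message refers to is not visible here; please confirm that it tests every one of the new fields, and add a test that sends a FAST request with one of bits 2 to 15 set and expects it to be refused.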