From e7e79028093778d9dd028d8d408af2c75f21f211 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 27 Jul 2021 14:49:58 +1200
Subject: [PATCH] tests/krb5: Check PADATA-FX-ERROR in reply

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit aa2c221f4e1bfc3403de857e62eaeaee1577560c)
---
 python/samba/tests/krb5/raw_testcase.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 4ebab367141..17ef8df5daa 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2316,6 +2316,7 @@ class RawKerberosTest(TestCaseInTempDir):
         pk_as_req = None
         pk_as_rep19 = None
         fast_cookie = None
+        fast_error = None
         fx_fast = None
         pac_options = None
         for pa in rep_padata:
@@ -2355,6 +2356,11 @@ class RawKerberosTest(TestCaseInTempDir):
                 fast_cookie = pavalue
                 self.assertIsNotNone(fast_cookie)
                 continue
+            if patype == PADATA_FX_ERROR:
+                self.assertIsNone(fast_error)
+                fast_error = pavalue
+                self.assertIsNotNone(fast_error)
+                continue
             if patype == PADATA_FX_FAST:
                 self.assertIsNone(fx_fast)
                 fx_fast = pavalue
@@ -2369,6 +2375,14 @@ class RawKerberosTest(TestCaseInTempDir):
         if fast_cookie is not None:
             kdc_exchange_dict['fast_cookie'] = fast_cookie
 
+        if fast_error is not None:
+            fast_error = self.der_decode(fast_error,
+                                         asn1Spec=krb5_asn1.KRB_ERROR())
+            self.generic_check_kdc_error(kdc_exchange_dict,
+                                         callback_dict,
+                                         fast_error,
+                                         inner=True)
+
         if pac_options is not None:
             self.check_pac_options_claims_support(pac_options)
 
-- 
2.11.4.GIT