Backport fixes for timesync with keyring caches

add patch to always retrieve the KDC time offsets from keyring caches,
so that we don't mistakenly interpret creds as expired before their
time when our clock is ahead of the KDC's (RT#7820, #1030607)

krb5-master-keyring-kdcsync.patch

@@ -0,0 +1,108 @@
+commit 2ac550e648ff88f84cc2da3c573202845f14e655
+Author: Greg Hudson <ghudson@mit.edu>
+Date:   Thu Jan 16 17:48:54 2014 -0500
+
+    Get time offsets for all keyring ccaches
+    
+    Move the time offset lookup from krb5_krcc_resolve to make_cache, so
+    that we fetch time offsets for caches created by
+    krb5_krcc_ptcursor_next.
+    
+    ticket: 7820
+    target_version: 1.12.2
+    tags: pullup
+
+diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
+index a0c8035..27bad9d 100644
+--- a/src/lib/krb5/ccache/cc_keyring.c
++++ b/src/lib/krb5/ccache/cc_keyring.c
+@@ -1077,11 +1077,13 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id)
+ 
+ /* Create a cache handle for a cache ID. */
+ static krb5_error_code
+-make_cache(key_serial_t collection_id, key_serial_t cache_id,
+-           const char *anchor_name, const char *collection_name,
+-           const char *subsidiary_name, krb5_ccache *cache_out)
++make_cache(krb5_context context, key_serial_t collection_id,
++           key_serial_t cache_id, const char *anchor_name,
++           const char *collection_name, const char *subsidiary_name,
++           krb5_ccache *cache_out)
+ {
+     krb5_error_code ret;
++    krb5_os_context os_ctx = &context->os_context;
+     krb5_ccache ccache = NULL;
+     krb5_krcc_data *d;
+     key_serial_t pkey = 0;
+@@ -1108,6 +1110,18 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
+     ccache->data = d;
+     ccache->magic = KV5M_CCACHE;
+     *cache_out = ccache;
++
++    /* Lookup time offsets if necessary. */
++    if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
++        !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
++        if (krb5_krcc_get_time_offsets(context, ccache,
++                                       &os_ctx->time_offset,
++                                       &os_ctx->usec_offset) == 0) {
++            os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
++            os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
++        }
++    }
++
+     return 0;
+ }
+ 
+@@ -1134,7 +1148,6 @@ make_cache(key_serial_t collection_id, key_serial_t cache_id,
+ static krb5_error_code KRB5_CALLCONV
+ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
+ {
+-    krb5_os_context os_ctx = &context->os_context;
+     krb5_error_code ret;
+     key_serial_t collection_id, cache_id;
+     char *anchor_name = NULL, *collection_name = NULL, *subsidiary_name = NULL;
+@@ -1161,22 +1174,11 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache *id, const char *residual)
+     if (cache_id < 0)
+         cache_id = 0;
+ 
+-    ret = make_cache(collection_id, cache_id, anchor_name, collection_name,
+-                     subsidiary_name, id);
++    ret = make_cache(context, collection_id, cache_id, anchor_name,
++                     collection_name, subsidiary_name, id);
+     if (ret)
+         goto cleanup;
+ 
+-    /* Lookup time offsets if necessary. */
+-    if ((context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) &&
+-        !(os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)) {
+-        if (krb5_krcc_get_time_offsets(context, *id,
+-                                       &os_ctx->time_offset,
+-                                       &os_ctx->usec_offset) == 0) {
+-            os_ctx->os_flags &= ~KRB5_OS_TOFFSET_TIME;
+-            os_ctx->os_flags |= KRB5_OS_TOFFSET_VALID;
+-        }
+-    }
+-
+ cleanup:
+     free(anchor_name);
+     free(collection_name);
+@@ -1928,8 +1930,9 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
+         cache_id = keyctl_search(data->collection_id, KRCC_KEY_TYPE_KEYRING,
+                                  first_name, 0);
+         if (cache_id != -1) {
+-            return make_cache(data->collection_id, cache_id, data->anchor_name,
+-                              data->collection_name, first_name, cache_out);
++            return make_cache(context, data->collection_id, cache_id,
++                              data->anchor_name, data->collection_name,
++                              first_name, cache_out);
+         }
+     }
+ 
+@@ -1967,7 +1970,7 @@ krb5_krcc_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor,
+ 
+         /* We found a valid key */
+         data->next_key++;
+-        ret = make_cache(data->collection_id, key, data->anchor_name,
++        ret = make_cache(context, data->collection_id, key, data->anchor_name,
+                          data->collection_name, subsidiary_name, cache_out);
+         free(description);
+         return ret;

krb5.spec

@@ -90,6 +90,7 @@ Patch86: krb5-1.9-debuginfo.patch
 Patch105: krb5-kvno-230379.patch
 Patch129: krb5-1.11-run_user_0.patch
 Patch134: krb5-1.11-kpasswdtest.patch
+Patch135: krb5-master-keyring-kdcsync.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -315,6 +316,8 @@ ln -s NOTICE LICENSE
 
 %patch134 -p1 -b .kpasswdtest
 
+%patch135 -p1 -b .keyring-kdcsync
+
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt
 
@@ -971,6 +974,9 @@ exit 0
   - drop patch for RT#7807, included now
   - drop patch for RT#7045, included now
   - drop patches for RT#7813 and RT#7815, included now
+  - add patch to always retrieve the KDC time offsets from keyring caches,
+    so that we don't mistakenly interpret creds as expired before their
+    time when our clock is ahead of the KDC's (RT#7820, #1030607)
 
 * Mon Jan 13 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-11
 - update the PIC patch for iaesx86.s to not use ELF relocations to the version