From f4604a86fe1251b86b6f08a7fb3843a65092724d Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 4 Jul 2024 18:00:52 +0200
Subject: [PATCH] third_party/heimdal: Import lorikeet-heimdal-202407041740
 (commit 42ba2a6e5dd1bc14a8b5ada8c9b8ace85956f6a0)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix clock skew error message and memory cache clock skew recovery

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15676

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jul  5 10:02:26 UTC 2024 on atb-devel-224

(cherry picked from commit e4d6a19e49260af22bffd2a417119489719ba364)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Jul 10 09:14:10 UTC 2024 on atb-devel-224
---
 third_party/heimdal/lib/krb5/fast.c   | 12 ++++++++----
 third_party/heimdal/lib/krb5/mcache.c |  2 +-
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/third_party/heimdal/lib/krb5/fast.c b/third_party/heimdal/lib/krb5/fast.c
index 90133a7abc0..4026ed62327 100644
--- a/third_party/heimdal/lib/krb5/fast.c
+++ b/third_party/heimdal/lib/krb5/fast.c
@@ -691,10 +691,14 @@ _krb5_fast_unwrap_error(krb5_context context,
     idx = 0;
     pa = krb5_find_padata(md->val, md->len, KRB5_PADATA_FX_FAST, &idx);
     if (pa == NULL) {
-	ret = KRB5_KDCREP_MODIFIED;
-	krb5_set_error_message(context, ret,
-			       N_("FAST fast response is missing FX-FAST", ""));
-	goto out;
+	/*
+	 * Typically _krb5_fast_wrap_req() has set KRB5_FAST_EXPECTED, which
+	 * means check_fast() will complain and return KRB5KRB_AP_ERR_MODIFIED.
+	 *
+	 * But for TGS-REP init_tgs_req() clears KRB5_FAST_EXPECTED and we'll
+	 * ignore a missing KRB5_PADATA_FX_FAST.
+	 */
+	return check_fast(context, state);
     }
 
     ret = unwrap_fast_rep(context, state, pa, &fastrep);
diff --git a/third_party/heimdal/lib/krb5/mcache.c b/third_party/heimdal/lib/krb5/mcache.c
index fdd5674c3b8..e916bf4e6be 100644
--- a/third_party/heimdal/lib/krb5/mcache.c
+++ b/third_party/heimdal/lib/krb5/mcache.c
@@ -225,7 +225,7 @@ mcc_initialize(krb5_context context,
      */
     mcc_destroy_internal(context, m);
     m->dead = 0;
-    m->kdc_offset = 0;
+    m->kdc_offset = context->kdc_sec_offset;
     m->mtime = time(NULL);
     ret = krb5_copy_principal (context,
 			       primary_principal,