hdb: consolidate preauth audit event types

Instead of having distinct preauth success/failure events for different
mechanisms, have a single event; the mechanism can be disambiguated by querying
the HDB_REQUEST_KV_PA_NAME key.

Note: there is still an explicit event for long-term key-based success/failure
in order to help the backend implement lockout.

Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
than in each mechanism. Success is still audited in the mechanism to allow
client pre-authentication success to be noted even if something subsequent
(e.g. encoding a reply, memory allocation) fails. The generic catch-all for
success remains.

kdc/kerberos5.c

@@ -488,8 +488,6 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
 	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 	_kdc_r_log(r, 4, "Failed to decode PKINIT PA-DATA -- %s",
 		   r->cname);
-	_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-				HDB_AUTH_EVENT_PKINIT_FAILED);
 	goto out;
     }
 
@@ -501,7 +499,7 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
 	_kdc_set_e_text(r, "PKINIT certificate not allowed to "
 			"impersonate principal");
 	_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-				HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED);
+				HDB_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED);
 	goto out;
     }
 
@@ -521,7 +519,7 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
 					pkp, &r->et);
 
     _kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-			    HDB_AUTH_EVENT_PKINIT_SUCCEEDED);
+			    HDB_AUTH_EVENT_PREAUTH_SUCCEEDED);
 
  out:
     if (pkp)
@@ -554,7 +552,7 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
 	    _kdc_set_e_text(r, "GSS-API client not allowed to "
 			    "impersonate principal");
 	    _kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-				    HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED);
+				    HDB_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED);
 	    goto out;
 	}
 
@@ -563,7 +561,7 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
 	_kdc_r_log(r, 4, "GSS pre-authentication succeeded -- %s using %s",
 		   r->cname, client_name);
 	_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-				HDB_AUTH_EVENT_GSS_PA_SUCCEEDED);
+				HDB_AUTH_EVENT_PREAUTH_SUCCEEDED);
 
 	ret = _kdc_gss_mk_composite_name_ad(r, gcp);
 	if (ret) {
@@ -574,12 +572,8 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
 
     ret = _kdc_gss_mk_pa_reply(r, gcp);
     if (ret) {
-	if (ret != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED) {
+	if (ret != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED)
 	    _kdc_set_e_text(r, "Failed to build GSS pre-authentication reply");
-	    _kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-				    HDB_AUTH_EVENT_GSS_PA_FAILED);
-	}
-
 	goto out;
     }
 
@@ -759,13 +753,13 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
 	 * Success
 	 */
 	_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-				HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED);
+				HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY);
 	goto out;
     }
 
     if (invalidPassword) {
 	_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-				HDB_AUTH_EVENT_LTK_PREAUTH_FAILED);
+				HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY);
 	ret = KRB5KDC_ERR_PREAUTH_FAILED;
     } else {
 	ret = KRB5KDC_ERR_ETYPE_NOSUPP;
@@ -876,7 +870,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
 	_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_PA_ETYPE,
 				pa_key->key.keytype);
 	_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-				HDB_AUTH_EVENT_LTK_PREAUTH_FAILED);
+				HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY);
 	if(hdb_next_enctype2key(r->context, &r->client->entry, NULL,
 				enc_data.etype, &pa_key) == 0)
 	    goto try_next_key;
@@ -939,7 +933,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
     _kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_PA_ETYPE,
 			    pa_key->key.keytype);
     _kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-			    HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED);
+			    HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY);
 
     ret = 0;
 
@@ -2256,7 +2250,7 @@ _kdc_as_rep(astgs_request_t r)
 		    if (ret != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED &&
 			!_kdc_audit_getkv((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT))
 			_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-						HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED);
+						HDB_AUTH_EVENT_PREAUTH_FAILED);
 
 		    /*
 		     * If there is a client key, send ETYPE_INFO{,2}
@@ -2274,7 +2268,7 @@ _kdc_as_rep(astgs_request_t r)
 		}
 		if (!_kdc_audit_getkv((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT))
 		    _kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
-					    HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED);
+					    HDB_AUTH_EVENT_PREAUTH_SUCCEEDED);
 		kdc_log(r->context, config, 4,
 			"%s pre-authentication succeeded -- %s",
 			pat[n].name, r->cname);

lib/hdb/hdb.h

@@ -91,16 +91,11 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_AUTH_EVENT_CLIENT_UNKNOWN	        2   /* client unknown */
 #define HDB_AUTH_EVENT_CLIENT_LOCKED_OUT	3   /* client locked out */
 #define HDB_AUTH_EVENT_CLIENT_TIME_SKEW		4   /* client time skew */
-#define HDB_AUTH_EVENT_LTK_PREAUTH_FAILED	5   /* long term key preauth failed */
-#define HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED	6   /* long term key preauth succeeded */
-#define HDB_AUTH_EVENT_PKINIT_SUCCEEDED	        7   /* PKINIT preauth succeeded */
-#define HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED	8   /* PKINIT cert not authorized */
-#define HDB_AUTH_EVENT_PKINIT_FAILED	        9   /* PKINIT preauth succeeded */
-#define HDB_AUTH_EVENT_GSS_PA_SUCCEEDED		10  /* GSS preauth succeeded */
-#define HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED	11  /* GSS preauth mapping failed */
-#define HDB_AUTH_EVENT_GSS_PA_FAILED		12  /* GSS preauth failed */
-#define HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED   	13  /* unknown preauth failed */
-#define HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED	14  /* unknown preauth succeeded */
+#define HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY	5   /* PA failed to validate long term key */
+#define HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY	6   /* PA validated long term key */
+#define HDB_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED	7   /* couldn't map GSS/PKINIT name to principal */
+#define HDB_AUTH_EVENT_PREAUTH_FAILED		8   /* generic PA failure */
+#define HDB_AUTH_EVENT_PREAUTH_SUCCEEDED	9   /* generic (non-long term key) PA success */
 
 /*
  * Audit keys to be queried using heim_audit_getkv(). There are other keys