From 93c8d57091fa9fbb0987dc84b802c58f37131b67 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Sat, 1 Jan 2022 17:15:37 +1100
Subject: [PATCH] kdc: call HDB audit function in both AS and TGS

Call the HDB audit method, if present, in both AS and TGS, immediately prior to generating an error response to send to the clinet.
---
 kdc/kerberos5.c | 19 +------------------
 kdc/krb5tgs.c   |  1 +
 kdc/misc.c      | 17 +++++++++++++++++
 lib/hdb/hdb.h   |  4 +++-
 4 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 83e55a6c4..030dd0f54 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -77,23 +77,6 @@ audited_auth_event_p(astgs_request_t r)
     return !!_kdc_audit_getkv((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT_TYPE);
 }
 
-/*
- * Notify the HDB backend of the audited event.
- */
-
-static krb5_error_code
-notify_hdb_audit(astgs_request_t r)
-{
-    struct HDB *hdb;
-
-    hdb = r->clientdb ? r->clientdb : r->config->db[0];
-
-    if (hdb && hdb->hdb_audit && audited_auth_event_p(r))
-	return hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);
-
-    return 0;
-}
-
 void
 _kdc_fix_time(time_t **t)
 {
@@ -2770,7 +2753,7 @@ _kdc_as_rep(astgs_request_t r)
 
 out:
     r->ret = ret;
-    notify_hdb_audit(r);
+    _kdc_hdb_audit(r);
 
     /*
      * In case of a non proxy error, build an error message.
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index e0e4102c7..b7673eb15 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -2575,6 +2575,7 @@ _kdc_tgs_rep(astgs_request_t r)
 
 out:
     r->ret = ret;
+    _kdc_hdb_audit(r);
 
     if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
 	METHOD_DATA error_method = { 0, NULL };
diff --git a/kdc/misc.c b/kdc/misc.c
index 61296ffa0..ee73b4a3e 100644
--- a/kdc/misc.c
+++ b/kdc/misc.c
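Review bot: The krb5_error_code returned by `_kdc_hdb_audit(r)` is discarded here and at the matching call in the kdc/kerberos5.c hunk, so a failing backend audit hook leaves no trace; if that is intended, make it explicit with `(void)_kdc_hdb_audit(r); /* audit failures never alter the reply */`, otherwise log the code before falling through to the error-reply code. Because the call sits at `out:` ahead of the `if(ret && ...)` test it runs on every exit path of _kdc_tgs_rep, including early failures where r->client has presumably not been looked up yet, so the backend would receive a NULL entry pointer; the hdb_audit contract in lib/hdb/hdb.h should say whether that is allowed. _kdc_tgs_rep's body starts and ends outside this hunk.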
@@ -341,3 +341,20 @@ _kdc_include_pac_p(astgs_request_t r)
     return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY));
 }
 
+
+/*
+ * Notify the HDB backend of the audited event.
+ */
+
+krb5_error_code
+_kdc_hdb_audit(astgs_request_t r)
+{
+    struct HDB *hdb;
+
+    hdb = r->clientdb ? r->clientdb : r->config->db[0];
+
+    if (hdb && hdb->hdb_audit)
+	return hdb->hdb_audit(r->context, hdb, r->client, (hdb_request_t)r);
+
+    return 0;
+}
diff --git a/lib/hdb/hdb.h b/lib/hdb/hdb.h
index 899881307..bb9d6497d 100644
--- a/lib/hdb/hdb.h
+++ b/lib/hdb/hdb.h
@@ -305,7 +305,9 @@ typedef struct HDB {
     krb5_error_code (*hdb_password)(krb5_context, struct HDB*, hdb_entry_ex*, const char *, int);
 
     /**
-     * Authentication auditing
+     * Authentication auditing. Note that this function is called by
+     * both the AS and TGS, but currently only the AS sets the auth
+     * event type and details. This may change in a future version.
      *
      * Event details are available by querying the request using
      * heim_audit_getkv(HDB_REQUEST_KV_...).
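Review bot: `_kdc_hdb_audit` drops the `audited_auth_event_p(r)` guard that the removed notify_hdb_audit in kdc/kerberos5.c had, so hdb_audit callbacks are now invoked with no HDB_REQUEST_KV_AUTH_EVENT_TYPE set — always for the TGS, as the lib/hdb/hdb.h hunk notes — and a backend that dereferenced that key unconditionally would now fault. State the new contract in the function's header comment, e.g. `/* Called on every AS/TGS exit path; the auth event type and r->client may be absent, and the backend must tolerate both. */`, and extend the hdb.h comment the same way. Two follow-ups look worth checking: if notify_hdb_audit was the only caller of the static audited_auth_event_p, kerberos5.c now carries an unused function, and since no kdc header appears in the diffstat the new external symbol presumably relies on generated prototypes. The fallback to `r->config->db[0]` when r->clientdb is NULL routes the audit to the first configured backend regardless of which one would have held the client; a one-line comment confirming that is intentional would help the next reader.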