From df655cecd12712e7f7df5128b123eee0066a8216 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Thu, 3 Mar 2022 09:44:53 +1100
Subject: [PATCH] kdc: allow audit plugins to influence return code

Honor the return code of _kdc_audit_request(), propagating if non-zero. Note that this is principally intended to allow the audit plugin to return HDB_ERR_NOT_FOUND_HERE, which influences whether the KDC sends an error reply or not. If the audit plugin also wishes to rewrite r->error_code, it must do so separately.

Closes: #964
---
 kdc/kerberos5.c | 8 +++++++-
 kdc/krb5tgs.c | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index a7e92c785..241d0eac6 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2733,7 +2733,13 @@ _kdc_as_rep(astgs_request_t r)

 out:
 r->error_code = ret;
- _kdc_audit_request(r);
+ {
+ krb5_error_code ret2 = _kdc_audit_request(r);
+ if (ret2) {
+ krb5_data_free(r->reply);
+ ret = ret2;
+ }
+ }

 /*
 * In case of a non proxy error, build an error message.
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index a12191a66..871484e29 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -2157,7 +2157,13 @@ _kdc_tgs_rep(astgs_request_t r)

 out:
 r->error_code = ret;
- _kdc_audit_request(r);
+ {
+ krb5_error_code ret2 = _kdc_audit_request(r);
+ if (ret2) {
+ krb5_data_free(data);
+ ret = ret2;
+ }
+ }

 if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
 METHOD_DATA error_method = { 0, NULL };
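Review bot: After `ret = ret2` in the added block, `ret` and `r->error_code` can disagree, and the plugin was called with the pre-override value in `r->error_code`. A request that succeeded may therefore be recorded as a success and then answered with an error, or with no reply at all for HDB_ERR_NOT_FOUND_HERE. The commit message states this contract but the code does not, so a comment above the block would keep it visible to maintainers: `/* A non-zero audit result replaces ret and discards any reply already built; r->error_code is left as the plugin set it. */`. Logging `ret2` at the override point would also let the KDC log explain why the outcome changed when the audit record and the client-visible result differ. The same applies to the identical block in _kdc_tgs_rep (kdc/krb5tgs.c); _kdc_as_rep starts and ends outside the hunk.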
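Review bot: The `if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL)` test just below the added block now sees the plugin's value whenever `ret2` is non-zero, including when the request had already failed. A plugin error that is not a policy decision (for instance a failure while writing its record) would then replace the Kerberos error the client would otherwise have been sent. If that is not intended, the override could be limited to the cases the commit message has in mind, e.g. `if (ret2 && (ret == 0 || ret2 == HDB_ERR_NOT_FOUND_HERE)) {`; otherwise the plugin interface should document which return values are expected. The error-reply path after a veto also appears to rely on krb5_data_free() leaving `data->data` NULL. _kdc_tgs_rep continues outside the hunk.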