kdc: allow audit plugins to influence return code

Honor the return code of _kdc_audit_request(), propagating if non-zero. Note that this is principally intended to allow the audit plugin to return HDB_ERR_NOT_FOUND_HERE, which influences whether the KDC sends an error reply or not. If the audit plugin also wishes to rewrite r->error_code, it must do so separately. Closes: #964
2022-03-03 09:44:53 +11:00
parent 8495f63bc3
commit df655cecd1
2 changed files with 14 additions and 2 deletions
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2733,7 +2733,13 @@ _kdc_as_rep(astgs_request_t r)

 out:
    r->error_code = ret;
-    _kdc_audit_request(r);
+    {
+	krb5_error_code ret2 = _kdc_audit_request(r);
+	if (ret2) {
+	    krb5_data_free(r->reply);
+	    ret = ret2;
+	}
+    }

    /*
     * In case of a non proxy error, build an error message.