Capture Module-Failure-Message from verify certificate subrequest
authorNick Porter <nick@portercomputing.co.uk>
Fri, 13 Jun 2025 07:44:49 +0000 (08:44 +0100)
committerNick Porter <nick@portercomputing.co.uk>
Fri, 13 Jun 2025 07:44:49 +0000 (08:44 +0100)
src/lib/tls/attrs.h
src/lib/tls/base.c
src/lib/tls/verify.c

index bac5d1aee482224ef092790a242796194d4ba7e9..f651e32187acd921aea49b4a676b180d54ed6588 100644 (file)
@@ -64,6 +64,8 @@ extern HIDDEN fr_dict_attr_t const *attr_tls_session_cipher_suite;
 extern HIDDEN fr_dict_attr_t const *attr_tls_session_version;
 extern HIDDEN fr_dict_attr_t const *attr_tls_session_resume_type;
 
+extern HIDDEN fr_dict_attr_t const *attr_module_failure_message;
+
 extern HIDDEN fr_dict_attr_t const *attr_tls_packet_type;
 extern HIDDEN fr_dict_attr_t const *attr_tls_session_data;
 extern HIDDEN fr_dict_attr_t const *attr_tls_session_id;
index 3afcbbd08cf4964b6257f55b401875ff989669dc..db8168a2bd97e71fe506ed2868772f3ab4d8abd4 100644 (file)
@@ -124,6 +124,8 @@ fr_dict_attr_t const *attr_tls_session_cipher_suite;
 fr_dict_attr_t const *attr_tls_session_version;
 fr_dict_attr_t const *attr_tls_session_resume_type;
 
+fr_dict_attr_t const *attr_module_failure_message;
+
 fr_dict_attr_t const *attr_tls_packet_type;
 fr_dict_attr_t const *attr_tls_session_data;
 fr_dict_attr_t const *attr_tls_session_id;
@@ -169,6 +171,8 @@ fr_dict_attr_autoload_t tls_dict_attr[] = {
        { .out = &attr_tls_session_version, .name = "TLS-Session-Version", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
        { .out = &attr_tls_session_resume_type, .name = "TLS-Session-Resume-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
 
+       { .out = &attr_module_failure_message, .name = "Module-Failure-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+
        /*
         *      Eventually all TLS attributes will be in the TLS dictionary
         */
index 13cc0fff9571752b54aab6de323f2195c4295514..06dde306c9959c3aad0aee19b6db78519c0762c8 100644 (file)
@@ -415,13 +415,26 @@ static unlang_action_t tls_verify_client_cert_result(UNUSED rlm_rcode_t *p_resul
                                                     request_t *request, void *uctx)
 {
        fr_tls_session_t        *tls_session = talloc_get_type_abort(uctx, fr_tls_session_t);
-       fr_pair_t               *vp;
+       fr_pair_t               *vp, *next;
 
        fr_assert(tls_session->validate.state == FR_TLS_VALIDATION_REQUESTED);
 
        vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_tls_packet_type);
        if (!vp || (vp->vp_uint32 != enum_tls_packet_type_success->vb_uint32)) {
                REDEBUG("Failed (re-)validating certificates");
+
+               /*
+                *      Hoist any instances of Module-Failure-Message from the subrequest
+                *      so they can be used for logging failures.
+                */
+               vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_module_failure_message);
+               while (vp && request->parent) {
+                       next = fr_pair_find_by_da(&request->request_pairs, vp, attr_module_failure_message);
+                       fr_pair_remove(&request->request_pairs, vp);
+                       fr_pair_steal_append(request->parent->request_ctx, &request->parent->request_pairs, vp);
+                       vp = next;
+               }
+
                tls_session->validate.state = FR_TLS_VALIDATION_FAILED;
                return UNLANG_ACTION_CALCULATE_RESULT;
        }
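Review bot: The `request->parent` test inside the new while condition on the failure path is loop-invariant, so it is re-evaluated every iteration, and when there is no parent the Module-Failure-Message pairs are silently left in the subrequest where the caller never sees them. A guard before the loop states the intent more plainly and lets `next` live in that scope instead of being widened at the top of the function: `if (request->parent) for (vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_module_failure_message); vp; vp = next) {`. If `fr_pair_steal_append()` signals failure through its return value, the loop ignores it; either log it with `REDEBUG` as the surrounding code does, or add a comment such as `/* failure to hoist is not fatal: the original REDEBUG above still records the outcome */` so the next reader knows the loss is accepted. The body of tls_verify_client_cert_result continues past the end of this hunk.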