From: Nick Porter
Date: Fri, 13 Jun 2025 07:44:49 +0000 (+0100)
Subject: Capture Module-Failure-Message from verify certificate subrequest
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5f697806da40e9f2c950ff7a1fa0f01881728925;p=thirdparty%2Ffreeradius-server.git

Capture Module-Failure-Message from verify certificate subrequest
---
diff --git a/src/lib/tls/attrs.h b/src/lib/tls/attrs.h
index bac5d1aee48..f651e32187a 100644
--- a/src/lib/tls/attrs.h
+++ b/src/lib/tls/attrs.h
@@ -64,6 +64,8 @@ extern HIDDEN fr_dict_attr_t const *attr_tls_session_cipher_suite;
 extern HIDDEN fr_dict_attr_t const *attr_tls_session_version;
 extern HIDDEN fr_dict_attr_t const *attr_tls_session_resume_type;
+extern HIDDEN fr_dict_attr_t const *attr_module_failure_message;
+
 extern HIDDEN fr_dict_attr_t const *attr_tls_packet_type;
 extern HIDDEN fr_dict_attr_t const *attr_tls_session_data;
 extern HIDDEN fr_dict_attr_t const *attr_tls_session_id;
diff --git a/src/lib/tls/base.c b/src/lib/tls/base.c
index 3afcbbd08cf..db8168a2bd9 100644
--- a/src/lib/tls/base.c
+++ b/src/lib/tls/base.c
@@ -124,6 +124,8 @@ fr_dict_attr_t const *attr_tls_session_cipher_suite;
 fr_dict_attr_t const *attr_tls_session_version;
 fr_dict_attr_t const *attr_tls_session_resume_type;
+fr_dict_attr_t const *attr_module_failure_message;
+
 fr_dict_attr_t const *attr_tls_packet_type;
 fr_dict_attr_t const *attr_tls_session_data;
 fr_dict_attr_t const *attr_tls_session_id;
@@ -169,6 +171,8 @@ fr_dict_attr_autoload_t tls_dict_attr[] = {
 { .out = &attr_tls_session_version, .name = "TLS-Session-Version", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
 { .out = &attr_tls_session_resume_type, .name = "TLS-Session-Resume-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
+ { .out = &attr_module_failure_message, .name = "Module-Failure-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+
 /*
 * Eventually all TLS attributes will be in the TLS dictionary
 */
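Review bot: `attr_module_failure_message` is the only non-TLS attribute in the `tls_dict_attr[]` autoload table, and the new entry sits directly above the comment about moving TLS attributes into the TLS dictionary with nothing saying why a generic module attribute is loaded by libfreeradius-tls; the same applies to the attrs.h hunk and the first base.c hunk. A one-line comment above the new table entry, e.g. `/* Not a TLS attribute: moved from verify subrequests to the parent so failures can be logged there */`, would stop a later "TLS attributes only" cleanup from sweeping it up. The reason is visible in the verify.c hunk of this commit, which relocates instances of this attribute to the parent request on validation failure, so the comment only records what the commit already does.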
diff --git a/src/lib/tls/verify.c b/src/lib/tls/verify.c
index 13cc0fff957..06dde306c99 100644
--- a/src/lib/tls/verify.c
+++ b/src/lib/tls/verify.c
@@ -415,13 +415,26 @@ static unlang_action_t tls_verify_client_cert_result(UNUSED rlm_rcode_t *p_resul
 request_t *request, void *uctx)
 {
 fr_tls_session_t *tls_session = talloc_get_type_abort(uctx, fr_tls_session_t);
- fr_pair_t *vp;
+ fr_pair_t *vp, *next;
 fr_assert(tls_session->validate.state == FR_TLS_VALIDATION_REQUESTED);
 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_tls_packet_type);
 if (!vp || (vp->vp_uint32 != enum_tls_packet_type_success->vb_uint32)) {
 REDEBUG("Failed (re-)validating certificates");
+
+ /*
+ * Hoist any instances of Module-Failure-Message from the subrequest
+ * so they can be used for logging failures.
+ */
+ vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_module_failure_message);
+ while (vp && request->parent) {
+ next = fr_pair_find_by_da(&request->request_pairs, vp, attr_module_failure_message);
+ fr_pair_remove(&request->request_pairs, vp);
+ fr_pair_steal_append(request->parent->request_ctx, &request->parent->request_pairs, vp);
+ vp = next;
+ }
+
 tls_session->validate.state = FR_TLS_VALIDATION_FAILED;
 return UNLANG_ACTION_CALCULATE_RESULT;
 }
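Review bot: The result of `fr_pair_steal_append()` in the new hoisting loop is discarded after `fr_pair_remove()` has already unlinked the pair, so if the steal/append can fail (it appears to return an int) the Module-Failure-Message is silently lost instead of reaching the parent; if it cannot fail here, a comment on that line saying so would settle it. `request->parent` is loop-invariant but is re-tested on every iteration of `while (vp && request->parent)`; a guard around the loop reads as the intent ("only when there is a parent to hoist into") and lets `next` be scoped to the loop rather than widening the function's `vp` declaration. Reusing `vp` for both the TLS-Packet-Type lookup and the hoisted messages also makes the failure path harder to follow; a dedicated local is clearer. The body of tls_verify_client_cert_result continues past the end of the hunk.
```c
	REDEBUG("Failed (re-)validating certificates");

	/*
	 *	Hoist any instances of Module-Failure-Message from the subrequest
	 *	so they can be used for logging failures.
	 */
	if (request->parent) {
		fr_pair_t *msg, *next;

		for (msg = fr_pair_find_by_da(&request->request_pairs, NULL, attr_module_failure_message);
		     msg; msg = next) {
			next = fr_pair_find_by_da(&request->request_pairs, msg, attr_module_failure_message);
			fr_pair_remove(&request->request_pairs, msg);
			if (fr_pair_steal_append(request->parent->request_ctx,
						 &request->parent->request_pairs, msg) < 0) {
				REDEBUG("Failed moving Module-Failure-Message to parent request");
			}
		}
	}
	/* … unchanged: validation state update and return … */
```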