From 5a0575ee4eb7b5380bf08b17e3861c2dcbc2989f Mon Sep 17 00:00:00 2001
From: Arran Cudbard-Bell
Date: Fri, 2 Mar 2018 14:15:31 +0600
Subject: [PATCH] Compile AKA sections

---
 .../rlm_eap/types/rlm_eap_aka/eap_aka.h | 13 +--
 .../rlm_eap/types/rlm_eap_aka/rlm_eap_aka.c | 89 +++++++++++++++++++
 2 files changed, 97 insertions(+), 5 deletions(-)

diff --git a/src/modules/rlm_eap/types/rlm_eap_aka/eap_aka.h b/src/modules/rlm_eap/types/rlm_eap_aka/eap_aka.h
index 0328dbe27431..68ccd8d2b480 100644
--- a/src/modules/rlm_eap/types/rlm_eap_aka/eap_aka.h
+++ b/src/modules/rlm_eap/types/rlm_eap_aka/eap_aka.h
@@ -61,14 +61,15 @@ typedef struct {
 CONF_SECTION *send_identity_request; //!< Called when we're about to request a
 ///< different identity.
+ CONF_SECTION *recv_identity_response; //!< Called when we receive a new identity.
+
 CONF_SECTION *send_challenge_request; //!< Called when we're about to send a
 ///< a challenge.
- CONF_SECTION *send_fast_reauth_request; //!< Called when we're about to send a
- ///< Fast-Reauth-Request.
-
- CONF_SECTION *recv_identity_response; //!< Called when we receive a new identity.
 CONF_SECTION *recv_challenge_response; //!< Called when we receive a response
 ///< to a previous challenge.
+
+ CONF_SECTION *send_fast_reauth_request; //!< Called when we're about to send a
+ ///< Fast-Reauth-Request.
 CONF_SECTION *recv_fast_reauth_response; //!< Called when we receive a response
 ///< to a previous Fast-Reauth-Request.
@@ -95,7 +96,7 @@ typedef struct {
 CONF_SECTION *load_session; //!< Load cached authentication vectors.
 CONF_SECTION *store_session; //!< Store authentication vectors.
 CONF_SECTION *clear_session; //!< Clear authentication vectors.
-} eap_aka_sections_t;
+} eap_aka_actions_t;
 typedef struct {
 eap_aka_server_state_t state; //!< Current session state.
@@ -142,4 +143,6 @@ typedef struct {
 ///< the subscriber.
 char const *virtual_server; //!< Virtual server for HLR integration.
 bool protected_success;
+
+ eap_aka_actions_t actions; //!< Pre-compiled virtual server sections.
 } rlm_eap_aka_t;
diff --git a/src/modules/rlm_eap/types/rlm_eap_aka/rlm_eap_aka.c b/src/modules/rlm_eap/types/rlm_eap_aka/rlm_eap_aka.c
index ee59cd0fe54e..101ba41b7b51 100644
--- a/src/modules/rlm_eap/types/rlm_eap_aka/rlm_eap_aka.c
+++ b/src/modules/rlm_eap/types/rlm_eap_aka/rlm_eap_aka.c
@@ -1173,6 +1173,95 @@ static rlm_rcode_t mod_session_init(void *instance, eap_session_t *eap_session)
 return RLM_MODULE_HANDLED;
 }
+#define ACTION_SECTION(_out, _verb, _name) \
+do { \
+ CONF_SECTION *_tmp; \
+ _tmp = cf_section_find(server_cs, _verb, _name); \
+ if (_tmp) { \
+ if (unlang_compile(_tmp, MOD_AUTHORIZE) < 0) return -1; \
+ found = true; \
+ } \
+ if (actions) _out = _tmp; \
+} while (0)
+
+static int mod_section_compile(eap_aka_actions_t *actions, CONF_SECTION *server_cs)
+{
+ bool found = false;
+
+ if (!fr_cond_assert(server_cs)) return -1;
+
+ /*
+ * Initial Identity-Response
+ *
+ * We then either:
+ * - Request a new identity
+ * - Start full authentication
+ * - Start fast re-authentication
+ * - Fail...
+ */
+ ACTION_SECTION(actions->recv_eap_identity_response, "recv", "EAP-Identity-Response");
+
+ /*
+ * Identity negotiation
+ */
+ ACTION_SECTION(actions->send_identity_request, "send", "Identity-Request");
+ ACTION_SECTION(actions->recv_identity_response, "recv", "Identity-Response");
+
+ /*
+ * Full-Authentication
+ */
+ ACTION_SECTION(actions->send_challenge_request, "send", "Challenge-Request");
+ ACTION_SECTION(actions->recv_challenge_response, "recv", "Challenge-Response");
+
+ /*
+ * Fast-Re-Authentication
+ */
+ ACTION_SECTION(actions->send_fast_reauth_request, "send", "Fast-Reauth-Request");
+ ACTION_SECTION(actions->recv_fast_reauth_response, "recv", "Fast-Reauth-Response");
+
+ /*
+ * Failures originating from the supplicant
+ */
+ ACTION_SECTION(actions->recv_client_error, "recv", "Client-Error");
+ ACTION_SECTION(actions->recv_authentication_reject, "recv", "Authentication-Reject");
+ ACTION_SECTION(actions->recv_syncronization_failure, "recv", "Syncronization-Failure");
+
+ /*
+ * Failure originating from the server
+ */
+ ACTION_SECTION(actions->send_failure_notification, "send", "Failure-Notification");
+ ACTION_SECTION(actions->recv_failure_notification_ack, "recv", "Failure-Notification-ACK");
+
+ /*
+ * Protected success indication
+ */
+ ACTION_SECTION(actions->send_success_notification, "send", "Success-Notification");
+ ACTION_SECTION(actions->recv_success_notification_ack, "recv", "Success-Notification-ACK");
+
+ /*
+ * Final EAP-Success and EAP-Failure messages
+ */
+ ACTION_SECTION(actions->send_eap_success, "send", "EAP-Success");
+ ACTION_SECTION(actions->send_eap_failure, "send", "EAP-Failure");
+
+ /*
+ * Fast-Reauth vectors
+ */
+ ACTION_SECTION(actions->load_session, "load", "session");
+ ACTION_SECTION(actions->store_session, "store", "session");
+ ACTION_SECTION(actions->clear_session, "clear", "session");
+
+ /*
+ * Warn if we couldn't find any actions.
+ */
+ if (!found) {
+ cf_log_warn(server_cs, "No ocsp-state cache actions found in virtual server \"%s\"",
+ cf_section_name2(server_cs));
+ }
+
+ return 0;
+}
+
 static int mod_load(void)
 {
 dict_aka_root = fr_dict_attr_child_by_num(fr_dict_root(fr_dict_internal), FR_EAP_AKA_ROOT);
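Review bot: The warning at the end of mod_section_compile reads "No ocsp-state cache actions found in virtual server", which appears to be carried over from another module and will mislead an operator debugging an EAP-AKA virtual server; change it to `cf_log_warn(server_cs, "No EAP-AKA actions found in virtual server \"%s\"", cf_section_name2(server_cs));`. The `ACTION_SECTION` macro hides a `return -1` inside its expansion, so a failed `unlang_compile` returns from the enclosing function with the sections compiled so far already assigned and the rest skipped; a one-line comment above the macro stating that it returns from the caller on compile failure, plus an `#undef ACTION_SECTION` after the function, would make that visible and keep the helper local. The section name "Syncronization-Failure" (missing "h") becomes the user-facing name operators must write in the virtual server, so if that spelling is not intentional it is cheaper to correct before configurations depend on it. If `cf_section_name2(server_cs)` can return NULL for a virtual server without a second name, passing it to the `%s` conversion is undefined behaviour — worth confirming against the logging helper's contract.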