path: root/src/ap/accounting.c
Commit message | Author | Age | Files | Lines
* Extra RADIUS request attributes from SQLite | Terry Burton | 2019-07-30 | 1 | -0/+3
  Add an SQLite table for defining per station MAC address version of radius_auth_req_attr/radius_acct_req_attr information. Create the necessary table and index where this doesn't exist. Select attributes from the table keyed by station MAC address and request type (auth or acct), parse and apply to a RADIUS message. Add radius_req_attr_sqlite hostapd config option for SQLite database file. Open/close RADIUS attribute database for a lifetime of a BSS and invoke functions to add extra attributes during RADIUS auth and accounting request generation.
  Signed-off-by: Terry Burton <tez@terryburton.co.uk>
* Remove unused generation of Request Authenticator in Account-Request | Nick Lowe | 2016-09-21 | 1 | -5/+0
  Do not generate an unused and invalid Request Authenticator (random value) when constructing Accounting-Request packets. The correct Request Authenticator is calculated subsequently in radius_msg_finish_acct() using MD5(msg + shared secret).
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* RADIUS: Add Acct-Delay-Time into accounting messages | Jouni Malinen | 2016-02-29 | 1 | -0/+9
  This tells to the server how long we have been trying to transmit the message so that the actual time of the message generation can be determined from receive time (ignoring network delays and only at accuracy of one second). For interim updates, only value 0 is used since there are no retransmissions of the same message. For other accounting messages, the initial attempt goes out with value 0 and the retransmissions, if needed, show the number of seconds the message has been waiting in the queue. Update the Identifier and Authenticator in the messages whenever updating the Acct-Delay-Time per RFC 2866, 4.1 requirements.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS: Update full message for interim accounting updates | Jouni Malinen | 2016-02-29 | 1 | -0/+59
  Instead of using the RADIUS client retransmission design with the old RADIUS message contents for each retry, trigger a completely new interim accounting update instance more quickly (using the same schedule as RADIUS message retransmissions) to improve accounting updates in cases where RADIUS message delivery fails. This allows the server to get up to date information from the time the "retry" message was sent instead of the old information from the time the first failed attempt was sent.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Use 64-bit TX/RX byte counters for statistics | Nick Lowe | 2016-02-20 | 1 | -32/+40
  If the driver supports 64-bit TX/RX byte counters, use them directly. The old 32-bit counter extension is maintained for backwards compatibility with older drivers. For nl80211 driver interface, the newer NL80211_STA_INFO_RX_BYTES64 and NL80211_STA_INFO_TX_BYTES64 attributes are used when available. This resolves the race vulnerable 32-bit value wrap/overflow. Rework RADIUS accounting to use these for Acct-Input-Octets, Acct-Input-Gigawords, Acct-Output-Octets, and Acct-Output-Gigawords, these values are often used for billing purposes.
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* Print Acct-Session-Id and Acct-Multi-Session-Id 64-bit values | Nick Lowe | 2016-02-18 | 1 | -6/+6
  These are now 64-bit variables and the printf formats and type casts need to be updated to match.
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* RADIUS: Share a single function for generating session IDs | Jouni Malinen | 2016-02-06 | 1 | -14/+4
  There is no need to maintain three copies of this functionality even if it is currently implemented as a single function call.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS: Redesign Request Authenticator generation | Nick Lowe | 2016-02-06 | 1 | -4/+3
  Simplify and make properly random the generation of the Request Authenticator.
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* Send an Acct-Multi-Session-Id attribute in Access-Request packets | Nick Lowe | 2016-02-06 | 1 | -15/+0
  Previously, this was included only in Accounting-Request packets.
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* Add Acct-Session-Id to Accounting-On/Off | Nick Lowe | 2016-02-06 | 1 | -0/+19
  An Acct-Session-Id is required on Accounting-On and Accounting-Off forms of Accounting-Request.
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* RADIUS: Use more likely unique accounting Acct-{,Multi-}Session-Id | Nick Lowe | 2016-02-06 | 1 | -27/+16
  Rework the Acct-Session-Id and Acct-Multi-Session-Id implementation to give better global and temporal uniqueness. Previously, only 32-bits of the Acct-Session-Id would contain random data, the other 32-bits would be incremented. Previously, the Acct-Multi-Session-Id would not use random data. Switch from two u32 variables to a single u64 for the Acct-Session-Id and Acct-Multi-Session-Id. Do not increment, this serves no legitimate purpose. Exclusively use os_get_random() to get quality random numbers, do not use or mix in the time. Inherently take a dependency on /dev/urandom working properly therefore. Remove the global Acct-Session-Id and Acct-Multi-Session-Id values that serve no legitimate purpose.
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* Add Event-Timestamp to all Accounting-Request packets | Nick Lowe | 2016-02-05 | 1 | -8/+9
  Event-Timestamp should be sent for all Accounting-Request packets and only after the system clock has a sane value, not where there's a value close to the Unix time epoch.
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* Do not send Acct-Authentic in Accounting-On/Off | Nick Lowe | 2016-02-05 | 1 | -10/+11
  Acct-Authentic is used to indicate how the user was authenticated and as such, should not be sent in Accounting-On and Accounting-Off.
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* RADIUS: Do not include Acct-Terminate-Cause in Accounting-On/Off | Nick Lowe | 2016-02-05 | 1 | -8/+0
  Per RFC 2866, 5.10, it is invalid to send Acct-Terminate-Cause in Accounting-On and Accounting-Off (this is included only when Acct-Status-Type is set to Stop).
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* Add Framed-IP-Address to Accounting-Request if STA address is known | Jouni Malinen | 2015-10-17 | 1 | -1/+10
  The recently added ProxyARP support (proxy_arp=1) in hostapd allows a STA IPv4 address to be learned from DHCP or ARP messages. If that information is available, add it to Account-Request messages in Framed-IP-Address attribute.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix spelling of initialize in a comment and an error message | Jouni Malinen | 2015-06-10 | 1 | -1/+1
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Set Acct-Session-Id from os_get_random() instead of os_get_time() | Alan T. DeKok | 2015-06-06 | 1 | -3/+7
  So that systems with bad clocks will send random session IDs, instead of always ones starting at the same second. If os_get_random() isn't available, use os_get_time(). But also mix in now.tv_usec, so that the accounting session ID is more likely to be globally and temporally unique.
  Signed-off-by: Alan DeKok <aland@freeradius.org>
* Add Acct-Multi-Session-Id into RADIUS Accounting messages | Jouni Malinen | 2014-10-18 | 1 | -0/+17
  This allows multiple sessions using the same PMKSA cache entry to be combined more easily at the server side. Acct-Session-Id is still a unique identifier for each association, while Acct-Multi-Session-Id will maintain its value for all associations that use the same PMKSA.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove duplicated Acct-Session-Id from Accounting-Request | Jouni Malinen | 2014-10-18 | 1 | -8/+0
  Commit 8b2486115479582b2ab164a4508f22ed23a9a4cb ('Add Acct-Session-Id into Access-Request messages') added Acct-Session-Id building into the helper function shared between authentication and accounting messages. However, it forgot to remove the same code from the generation of accounting messages and as such, ended up with Accounting-Request messages containing two copies of this attribute. Fix this by removing the addition of this attribute from the accounting specific function.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Include driver.h in hostapd.h | Andrei Otcheretianski | 2013-12-24 | 1 | -1/+0
  This allows use of structs (and not only pointers) defined in drivers.h. Remove also some not needed forward declarations and redundant includes.
  Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* AP: Use monotonic time for STA accounting | Johannes Berg | 2013-12-24 | 1 | -4/+5
  For type-safety, make sta->acct_session_start a struct os_reltime and then use monotonic time for accounting. For RADIUS reporting, continue to use wall clock time as specified by RFC 2869, but for the session time use monotonic time. Interestingly, RFC 2869 doesn't specify a timezone, so the value is somewhat arbitrary.
  Signed-hostap: Johannes Berg <johannes.berg@intel.com>
* Convert perror/printf calls to wpa_printf | Jouni Malinen | 2013-11-02 | 1 | -20/+19
  This makes debug and error logging more consistent and allows them to be directed to a file more easily.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Add Acct-Session-Id into Access-Request messages | Jouni Malinen | 2012-12-18 | 1 | -4/+1
  This optional attribute may make it easier to bind together the Access-Request and Accounting-Request messages. The accounting session identifier is now generated when the STA associates instead of waiting for the actual session to start after successful authentication.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Add User-Name/CUI from RADIUS ACL in Accounting messages | Michael Braun | 2012-08-19 | 1 | -0/+19
  This allows User-Name and Chargeable-User-Identity attributes to be passed from Access-Accept into Accounting messages even when IEEE 802.1X is not used.
  Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
* Use shared function for adding common RADIUS attributes | Jouni Malinen | 2012-08-07 | 1 | -91/+2
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Convert remaining SSID routines from char* to u8* | Jouni Malinen | 2012-08-07 | 1 | -1/+3
  This makes it more explicit that the SSID is not a null terminated C string.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* accounting: Staticise accounting_sta_interim | Baruch Siach | 2012-08-05 | 1 | -1/+4
  This routine is not used anywhere else.
  Signed-hostap: Baruch Siach <baruch@tkos.co.il>
* hostapd: Allow addition of arbitrary RADIUS attributes | Jouni Malinen | 2012-05-05 | 1 | -8/+38
  New configuration parameters radius_auth_req_attr and radius_acct_req_attr can now be used to add (or override) RADIUS attributes in Access-Request and Accounting-Request packets.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* hostapd: Copy Chargeable-User-Identity into accounting (RFC 4372) | Jouni Malinen | 2012-05-05 | 1 | -1/+11
  If Access-Accept packet includes the Chargeable-User-Identity attribute, copy this attribute as-is into accounting messages.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Fix memory leaks on radius_client_send error paths | Jouni Malinen | 2012-04-01 | 1 | -6/+9
  In case this function returns an error, the RADIUS message needs to be freed in the caller.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Remove the GPL notification from files contributed by Jouni Malinen | Jouni Malinen | 2012-02-11 | 1 | -8/+2
  Remove the GPL notification text from the files that were initially contributed by myself.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Remove references to time_t/time() | Per Ekman | 2011-09-12 | 1 | -1/+3
  Use os_time() in AP mode instead of direct time() calls.
* Remove references to time_t/time()/random() | Per Ekman | 2011-04-11 | 1 | -3/+8
  Replace direct calls in AP mode code with os_*() wrappers.
* hostapd_driver_ops reduction | Jouni Malinen | 2010-11-24 | 1 | -2/+3
  send_eapol, set_key, read_sta_data, sta_clear_stats, set_radius_acl_auth, set_radius_acl_expire, and set_beacon to use inline functions instead of extra abstraction.
* Rename some src/ap files to avoid duplicate file names | Jouni Malinen | 2009-12-25 | 1 | -6/+6
  Doxygen and some build tools may get a bit confused about same file name being used in different directories. Clean this up a bit by renaming some of the duplicated file names in src/ap.
* Move generic AP functionality implementation into src/ap | Jouni Malinen | 2009-12-24 | 1 | -0/+499
  This code can be shared by both hostapd and wpa_supplicant and this is an initial step in getting the generic code moved to be under the src directories. Couple of generic files still remain under the hostapd directory due to direct dependencies to files there. Once the dependencies have been removed, they will also be moved to the src/ap directory to allow wpa_supplicant to be built without requiring anything from the hostapd directory.