1 /*
2 * hostapd / RADIUS Accounting
3 * Copyright (c) 2002-2009, 2012-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "eapol_auth/eapol_auth_sm.h"
14 #include "eapol_auth/eapol_auth_sm_i.h"
15 #include "radius/radius.h"
16 #include "radius/radius_client.h"
17 #include "hostapd.h"
18 #include "ieee802_1x.h"
19 #include "ap_config.h"
20 #include "sta_info.h"
21 #include "ap_drv_ops.h"
22 #include "accounting.h"
23
24
25 /* Default interval in seconds for polling TX/RX octets from the driver if
26 * STA is not using interim accounting. This detects wrap arounds for
27 * input/output octets and updates Acct-{Input,Output}-Gigawords. */
28 #define ACCT_DEFAULT_UPDATE_INTERVAL 300
29
30 static void accounting_sta_interim(struct hostapd_data *hapd,
31 struct sta_info *sta);
32
33
accounting_msg(struct hostapd_data * hapd,struct sta_info * sta,int status_type)34 static struct radius_msg * accounting_msg(struct hostapd_data *hapd,
35 struct sta_info *sta,
36 int status_type)
37 {
38 struct radius_msg *msg;
39 char buf[128];
40 u8 *val;
41 size_t len;
42 int i;
43 struct wpabuf *b;
44 struct os_time now;
45
46 msg = radius_msg_new(RADIUS_CODE_ACCOUNTING_REQUEST,
47 radius_client_get_id(hapd->radius));
48 if (msg == NULL) {
49 wpa_printf(MSG_INFO, "Could not create new RADIUS packet");
50 return NULL;
51 }
52
53 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_ACCT_STATUS_TYPE,
54 status_type)) {
55 wpa_printf(MSG_INFO, "Could not add Acct-Status-Type");
56 goto fail;
57 }
58
59 if (sta) {
60 if (!hostapd_config_get_radius_attr(
61 hapd->conf->radius_acct_req_attr,
62 RADIUS_ATTR_ACCT_AUTHENTIC) &&
63 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_ACCT_AUTHENTIC,
64 hapd->conf->ieee802_1x ?
65 RADIUS_ACCT_AUTHENTIC_RADIUS :
66 RADIUS_ACCT_AUTHENTIC_LOCAL)) {
67 wpa_printf(MSG_INFO, "Could not add Acct-Authentic");
68 goto fail;
69 }
70
71 /* Use 802.1X identity if available */
72 val = ieee802_1x_get_identity(sta->eapol_sm, &len);
73
74 /* Use RADIUS ACL identity if 802.1X provides no identity */
75 if (!val && sta->identity) {
76 val = (u8 *) sta->identity;
77 len = os_strlen(sta->identity);
78 }
79
80 /* Use STA MAC if neither 802.1X nor RADIUS ACL provided
81 * identity */
82 if (!val) {
83 os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT,
84 MAC2STR(sta->addr));
85 val = (u8 *) buf;
86 len = os_strlen(buf);
87 }
88
89 if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, val,
90 len)) {
91 wpa_printf(MSG_INFO, "Could not add User-Name");
92 goto fail;
93 }
94 }
95
96 if (add_common_radius_attr(hapd, hapd->conf->radius_acct_req_attr, sta,
97 msg) < 0)
98 goto fail;
99
100 if (sta && add_sqlite_radius_attr(hapd, sta, msg, 1) < 0)
101 goto fail;
102
103 if (sta) {
104 for (i = 0; ; i++) {
105 val = ieee802_1x_get_radius_class(sta->eapol_sm, &len,
106 i);
107 if (val == NULL)
108 break;
109
110 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CLASS,
111 val, len)) {
112 wpa_printf(MSG_INFO, "Could not add Class");
113 goto fail;
114 }
115 }
116
117 b = ieee802_1x_get_radius_cui(sta->eapol_sm);
118 if (b &&
119 !radius_msg_add_attr(msg,
120 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
121 wpabuf_head(b), wpabuf_len(b))) {
122 wpa_printf(MSG_ERROR, "Could not add CUI");
123 goto fail;
124 }
125
126 if (!b && sta->radius_cui &&
127 !radius_msg_add_attr(msg,
128 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
129 (u8 *) sta->radius_cui,
130 os_strlen(sta->radius_cui))) {
131 wpa_printf(MSG_ERROR, "Could not add CUI from ACL");
132 goto fail;
133 }
134
135 if (sta->ipaddr &&
136 !radius_msg_add_attr_int32(msg,
137 RADIUS_ATTR_FRAMED_IP_ADDRESS,
138 be_to_host32(sta->ipaddr))) {
139 wpa_printf(MSG_ERROR,
140 "Could not add Framed-IP-Address");
141 goto fail;
142 }
143 }
144
145 os_get_time(&now);
146 if (now.sec > 1000000000 &&
147 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_EVENT_TIMESTAMP,
148 now.sec)) {
149 wpa_printf(MSG_INFO, "Could not add Event-Timestamp");
150 goto fail;
151 }
152
153 /*
154 * Add Acct-Delay-Time with zero value for the first transmission. This
155 * will be updated within radius_client.c when retransmitting the frame.
156 */
157 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_ACCT_DELAY_TIME, 0)) {
158 wpa_printf(MSG_INFO, "Could not add Acct-Delay-Time");
159 goto fail;
160 }
161
162 return msg;
163
164 fail:
165 radius_msg_free(msg);
166 return NULL;
167 }
168
169
accounting_sta_update_stats(struct hostapd_data * hapd,struct sta_info * sta,struct hostap_sta_driver_data * data)170 static int accounting_sta_update_stats(struct hostapd_data *hapd,
171 struct sta_info *sta,
172 struct hostap_sta_driver_data *data)
173 {
174 if (hostapd_drv_read_sta_data(hapd, data, sta->addr))
175 return -1;
176
177 if (!data->bytes_64bit) {
178 /* Extend 32-bit counters from the driver to 64-bit counters */
179 if (sta->last_rx_bytes_lo > data->rx_bytes)
180 sta->last_rx_bytes_hi++;
181 sta->last_rx_bytes_lo = data->rx_bytes;
182
183 if (sta->last_tx_bytes_lo > data->tx_bytes)
184 sta->last_tx_bytes_hi++;
185 sta->last_tx_bytes_lo = data->tx_bytes;
186 }
187
188 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
189 HOSTAPD_LEVEL_DEBUG,
190 "updated TX/RX stats: rx_bytes=%llu [%u:%u] tx_bytes=%llu [%u:%u] bytes_64bit=%d",
191 data->rx_bytes, sta->last_rx_bytes_hi,
192 sta->last_rx_bytes_lo,
193 data->tx_bytes, sta->last_tx_bytes_hi,
194 sta->last_tx_bytes_lo,
195 data->bytes_64bit);
196
197 return 0;
198 }
199
200
accounting_interim_update(void * eloop_ctx,void * timeout_ctx)201 static void accounting_interim_update(void *eloop_ctx, void *timeout_ctx)
202 {
203 struct hostapd_data *hapd = eloop_ctx;
204 struct sta_info *sta = timeout_ctx;
205 int interval;
206
207 if (sta->acct_interim_interval) {
208 accounting_sta_interim(hapd, sta);
209 interval = sta->acct_interim_interval;
210 } else {
211 struct hostap_sta_driver_data data;
212 accounting_sta_update_stats(hapd, sta, &data);
213 interval = ACCT_DEFAULT_UPDATE_INTERVAL;
214 }
215
216 eloop_register_timeout(interval, 0, accounting_interim_update,
217 hapd, sta);
218 }
219
220
221 /**
222 * accounting_sta_start - Start STA accounting
223 * @hapd: hostapd BSS data
224 * @sta: The station
225 */
accounting_sta_start(struct hostapd_data * hapd,struct sta_info * sta)226 void accounting_sta_start(struct hostapd_data *hapd, struct sta_info *sta)
227 {
228 struct radius_msg *msg;
229 int interval;
230
231 if (sta->acct_session_started)
232 return;
233
234 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
235 HOSTAPD_LEVEL_INFO,
236 "starting accounting session %016llX",
237 (unsigned long long) sta->acct_session_id);
238
239 os_get_reltime(&sta->acct_session_start);
240 sta->last_rx_bytes_hi = 0;
241 sta->last_rx_bytes_lo = 0;
242 sta->last_tx_bytes_hi = 0;
243 sta->last_tx_bytes_lo = 0;
244 hostapd_drv_sta_clear_stats(hapd, sta->addr);
245
246 if (!hapd->conf->radius->acct_server)
247 return;
248
249 if (sta->acct_interim_interval)
250 interval = sta->acct_interim_interval;
251 else
252 interval = ACCT_DEFAULT_UPDATE_INTERVAL;
253 eloop_register_timeout(interval, 0, accounting_interim_update,
254 hapd, sta);
255
256 msg = accounting_msg(hapd, sta, RADIUS_ACCT_STATUS_TYPE_START);
257 if (msg &&
258 radius_client_send(hapd->radius, msg, RADIUS_ACCT, sta->addr) < 0)
259 radius_msg_free(msg);
260
261 sta->acct_session_started = 1;
262 }
263
264
accounting_sta_report(struct hostapd_data * hapd,struct sta_info * sta,int stop)265 static void accounting_sta_report(struct hostapd_data *hapd,
266 struct sta_info *sta, int stop)
267 {
268 struct radius_msg *msg;
269 int cause = sta->acct_terminate_cause;
270 struct hostap_sta_driver_data data;
271 struct os_reltime now_r, diff;
272 u64 bytes;
273
274 if (!hapd->conf->radius->acct_server)
275 return;
276
277 msg = accounting_msg(hapd, sta,
278 stop ? RADIUS_ACCT_STATUS_TYPE_STOP :
279 RADIUS_ACCT_STATUS_TYPE_INTERIM_UPDATE);
280 if (!msg) {
281 wpa_printf(MSG_INFO, "Could not create RADIUS Accounting message");
282 return;
283 }
284
285 os_get_reltime(&now_r);
286 os_reltime_sub(&now_r, &sta->acct_session_start, &diff);
287 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_ACCT_SESSION_TIME,
288 diff.sec)) {
289 wpa_printf(MSG_INFO, "Could not add Acct-Session-Time");
290 goto fail;
291 }
292
293 if (accounting_sta_update_stats(hapd, sta, &data) == 0) {
294 if (!radius_msg_add_attr_int32(msg,
295 RADIUS_ATTR_ACCT_INPUT_PACKETS,
296 data.rx_packets)) {
297 wpa_printf(MSG_INFO, "Could not add Acct-Input-Packets");
298 goto fail;
299 }
300 if (!radius_msg_add_attr_int32(msg,
301 RADIUS_ATTR_ACCT_OUTPUT_PACKETS,
302 data.tx_packets)) {
303 wpa_printf(MSG_INFO, "Could not add Acct-Output-Packets");
304 goto fail;
305 }
306 if (data.bytes_64bit)
307 bytes = data.rx_bytes;
308 else
309 bytes = ((u64) sta->last_rx_bytes_hi << 32) |
310 sta->last_rx_bytes_lo;
311 if (!radius_msg_add_attr_int32(msg,
312 RADIUS_ATTR_ACCT_INPUT_OCTETS,
313 (u32) bytes)) {
314 wpa_printf(MSG_INFO, "Could not add Acct-Input-Octets");
315 goto fail;
316 }
317 if (!radius_msg_add_attr_int32(msg,
318 RADIUS_ATTR_ACCT_INPUT_GIGAWORDS,
319 (u32) (bytes >> 32))) {
320 wpa_printf(MSG_INFO, "Could not add Acct-Input-Gigawords");
321 goto fail;
322 }
323 if (data.bytes_64bit)
324 bytes = data.tx_bytes;
325 else
326 bytes = ((u64) sta->last_tx_bytes_hi << 32) |
327 sta->last_tx_bytes_lo;
328 if (!radius_msg_add_attr_int32(msg,
329 RADIUS_ATTR_ACCT_OUTPUT_OCTETS,
330 (u32) bytes)) {
331 wpa_printf(MSG_INFO, "Could not add Acct-Output-Octets");
332 goto fail;
333 }
334 if (!radius_msg_add_attr_int32(msg,
335 RADIUS_ATTR_ACCT_OUTPUT_GIGAWORDS,
336 (u32) (bytes >> 32))) {
337 wpa_printf(MSG_INFO, "Could not add Acct-Output-Gigawords");
338 goto fail;
339 }
340 }
341
342 if (eloop_terminated())
343 cause = RADIUS_ACCT_TERMINATE_CAUSE_ADMIN_REBOOT;
344
345 if (stop && cause &&
346 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_ACCT_TERMINATE_CAUSE,
347 cause)) {
348 wpa_printf(MSG_INFO, "Could not add Acct-Terminate-Cause");
349 goto fail;
350 }
351
352 if (radius_client_send(hapd->radius, msg,
353 stop ? RADIUS_ACCT : RADIUS_ACCT_INTERIM,
354 sta->addr) < 0)
355 goto fail;
356 return;
357
358 fail:
359 radius_msg_free(msg);
360 }
361
362
363 /**
364 * accounting_sta_interim - Send a interim STA accounting report
365 * @hapd: hostapd BSS data
366 * @sta: The station
367 */
accounting_sta_interim(struct hostapd_data * hapd,struct sta_info * sta)368 static void accounting_sta_interim(struct hostapd_data *hapd,
369 struct sta_info *sta)
370 {
371 if (sta->acct_session_started)
372 accounting_sta_report(hapd, sta, 0);
373 }
374
375
376 /**
377 * accounting_sta_stop - Stop STA accounting
378 * @hapd: hostapd BSS data
379 * @sta: The station
380 */
accounting_sta_stop(struct hostapd_data * hapd,struct sta_info * sta)381 void accounting_sta_stop(struct hostapd_data *hapd, struct sta_info *sta)
382 {
383 if (sta->acct_session_started) {
384 accounting_sta_report(hapd, sta, 1);
385 eloop_cancel_timeout(accounting_interim_update, hapd, sta);
386 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
387 HOSTAPD_LEVEL_INFO,
388 "stopped accounting session %016llX",
389 (unsigned long long) sta->acct_session_id);
390 sta->acct_session_started = 0;
391 }
392 }
393
394
accounting_sta_get_id(struct hostapd_data * hapd,struct sta_info * sta)395 int accounting_sta_get_id(struct hostapd_data *hapd, struct sta_info *sta)
396 {
397 return radius_gen_session_id((u8 *) &sta->acct_session_id,
398 sizeof(sta->acct_session_id));
399 }
400
401
402 /**
403 * accounting_receive - Process the RADIUS frames from Accounting Server
404 * @msg: RADIUS response message
405 * @req: RADIUS request message
406 * @shared_secret: RADIUS shared secret
407 * @shared_secret_len: Length of shared_secret in octets
408 * @data: Context data (struct hostapd_data *)
409 * Returns: Processing status
410 */
411 static RadiusRxResult
accounting_receive(struct radius_msg * msg,struct radius_msg * req,const u8 * shared_secret,size_t shared_secret_len,void * data)412 accounting_receive(struct radius_msg *msg, struct radius_msg *req,
413 const u8 *shared_secret, size_t shared_secret_len,
414 void *data)
415 {
416 if (radius_msg_get_hdr(msg)->code != RADIUS_CODE_ACCOUNTING_RESPONSE) {
417 wpa_printf(MSG_INFO, "Unknown RADIUS message code");
418 return RADIUS_RX_UNKNOWN;
419 }
420
421 if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) {
422 wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have correct Authenticator - dropped");
423 return RADIUS_RX_INVALID_AUTHENTICATOR;
424 }
425
426 return RADIUS_RX_PROCESSED;
427 }
428
429
accounting_report_state(struct hostapd_data * hapd,int on)430 static void accounting_report_state(struct hostapd_data *hapd, int on)
431 {
432 struct radius_msg *msg;
433
434 if (!hapd->conf->radius->acct_server || hapd->radius == NULL)
435 return;
436
437 /* Inform RADIUS server that accounting will start/stop so that the
438 * server can close old accounting sessions. */
439 msg = accounting_msg(hapd, NULL,
440 on ? RADIUS_ACCT_STATUS_TYPE_ACCOUNTING_ON :
441 RADIUS_ACCT_STATUS_TYPE_ACCOUNTING_OFF);
442 if (!msg)
443 return;
444
445 if (hapd->acct_session_id) {
446 char buf[20];
447
448 os_snprintf(buf, sizeof(buf), "%016llX",
449 (unsigned long long) hapd->acct_session_id);
450 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID,
451 (u8 *) buf, os_strlen(buf)))
452 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id");
453 }
454
455 if (radius_client_send(hapd->radius, msg, RADIUS_ACCT, NULL) < 0)
456 radius_msg_free(msg);
457 }
458
459
accounting_interim_error_cb(const u8 * addr,void * ctx)460 static void accounting_interim_error_cb(const u8 *addr, void *ctx)
461 {
462 struct hostapd_data *hapd = ctx;
463 struct sta_info *sta;
464 unsigned int i, wait_time;
465 int res;
466
467 sta = ap_get_sta(hapd, addr);
468 if (!sta)
469 return;
470 sta->acct_interim_errors++;
471 if (sta->acct_interim_errors > 10 /* RADIUS_CLIENT_MAX_RETRIES */) {
472 wpa_printf(MSG_DEBUG,
473 "Interim RADIUS accounting update failed for " MACSTR_SEC
474 " - too many errors, abandon this interim accounting update",
475 MAC2STR_SEC(addr));
476 sta->acct_interim_errors = 0;
477 /* Next update will be tried after normal update interval */
478 return;
479 }
480
481 /*
482 * Use a shorter update interval as an improved retransmission mechanism
483 * for failed interim accounting updates. This allows the statistics to
484 * be updated for each retransmission.
485 *
486 * RADIUS client code has already waited RADIUS_CLIENT_FIRST_WAIT.
487 * Schedule the first retry attempt immediately and every following one
488 * with exponential backoff.
489 */
490 if (sta->acct_interim_errors == 1) {
491 wait_time = 0;
492 } else {
493 wait_time = 3; /* RADIUS_CLIENT_FIRST_WAIT */
494 for (i = 1; i < sta->acct_interim_errors; i++)
495 wait_time *= 2;
496 }
497 res = eloop_deplete_timeout(wait_time, 0, accounting_interim_update,
498 hapd, sta);
499 if (res == 1)
500 wpa_printf(MSG_DEBUG,
501 "Interim RADIUS accounting update failed for " MACSTR_SEC
502 " (error count: %u) - schedule next update in %u seconds",
503 MAC2STR_SEC(addr), sta->acct_interim_errors, wait_time);
504 else if (res == 0)
505 wpa_printf(MSG_DEBUG,
506 "Interim RADIUS accounting update failed for " MACSTR_SEC
507 " (error count: %u)", MAC2STR_SEC(addr),
508 sta->acct_interim_errors);
509 else
510 wpa_printf(MSG_DEBUG,
511 "Interim RADIUS accounting update failed for " MACSTR_SEC
512 " (error count: %u) - no timer found", MAC2STR_SEC(addr),
513 sta->acct_interim_errors);
514 }
515
516
517 /**
518 * accounting_init: Initialize accounting
519 * @hapd: hostapd BSS data
520 * Returns: 0 on success, -1 on failure
521 */
accounting_init(struct hostapd_data * hapd)522 int accounting_init(struct hostapd_data *hapd)
523 {
524 if (radius_gen_session_id((u8 *) &hapd->acct_session_id,
525 sizeof(hapd->acct_session_id)) < 0)
526 return -1;
527
528 if (radius_client_register(hapd->radius, RADIUS_ACCT,
529 accounting_receive, hapd))
530 return -1;
531 radius_client_set_interim_error_cb(hapd->radius,
532 accounting_interim_error_cb, hapd);
533
534 accounting_report_state(hapd, 1);
535
536 return 0;
537 }
538
539
540 /**
541 * accounting_deinit: Deinitialize accounting
542 * @hapd: hostapd BSS data
543 */
accounting_deinit(struct hostapd_data * hapd)544 void accounting_deinit(struct hostapd_data *hapd)
545 {
546 accounting_report_state(hapd, 0);
547 }
548