correct PAC lifetime calculation

the lifetime is a delta, and the "expires" field is a wall-clock
time.

diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
index beba44de3c68e9717b4cf80a455a0ddcf304188e..37df73072ab5765082b30fd076e0939af6d2c616 100644 (file)
--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
@@ -1220,7 +1220,10 @@ PW_CODE eap_fast_process(eap_handler_t *eap_session, tls_session_t *tls_session)
                                t->mode = EAP_FAST_PROVISIONING_AUTH;
                        }
 
-                       if (!t->pac.expires || t->pac.expired || t->pac.expires - time(NULL) < t->pac_lifetime * 0.6)
+                       /*
+                        *      Send a new pac at ~0.6 times the lifetime.
+                        */
+                       if (!t->pac.expires || t->pac.expired || t->pac.expires < (time(NULL) + (t->pac_lifetime >> 1) + (t->pac_lifetime >> 3))) {
                                t->pac.send = true;
                }
 

diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c
index 528a143d47f9b63e1669eac79abb7a6c18280c40..7c91d340507993cd1f68216b37d6640fb460e143 100644 (file)
--- a/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c
@@ -333,8 +333,8 @@ error:
                        break;
                case PAC_INFO_PAC_LIFETIME:
                        rad_assert(t->pac.expires == 0);
-                       t->pac.expires = vp->vp_integer;
-                       t->pac.expired = (vp->vp_integer <= time(NULL));
+                       t->pac.expires = vp->vp_integer + time(NULL);
+                       t->pac.expired = false;
                        break;
                case PAC_INFO_PAC_KEY:
                        rad_assert(t->pac.key == NULL);