renew at 60% of PAC lifetime

diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
index 7c0214f3020ce15b502ce9e5d430142cd0fda8a4..fec2b4f303aa2d5e08bb4d3af6494c8ffd0dd87c 100644 (file)
--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
@@ -930,6 +930,8 @@ fr_radius_packet_code_t eap_fast_process(request_t *request, eap_session_t *eap_
                        t->mode = EAP_FAST_PROVISIONING_ANON;
                        t->pac.send = true;
                } else {
+                       fr_time_t renew;
+
                        if (SSL_session_reused(tls_session->ssl)) {
                                RDEBUG2("Session Resumed from PAC");
                                t->mode = EAP_FAST_NORMAL_AUTH;
@@ -939,11 +941,13 @@ fr_radius_packet_code_t eap_fast_process(request_t *request, eap_session_t *eap_
                        }
 
                        /*
-                        *      Send a new pac at ~0.6 times the lifetime.
+                        *      Send a new pac at 60% of the lifetime,
+                        *      or if the PAC has expired, or if no lifetime was set.
                         */
-                       if (fr_time_eq(t->pac.expires, fr_time_wrap(0)) || t->pac.expired ||
-                           fr_time_lteq(t->pac.expires,
-                                        fr_time_add(request->packet->timestamp, t->pac_lifetime))) {
+                       renew = fr_time_add(request->packet->timestamp, ((t->pac_lifetime * 3) / 5));
+
+                       if (t->pac.expired || fr_time_eq(t->pac.expires, fr_time_wrap(0)) ||
+                            fr_time_lteq(t->pac.expires, renew)) {
                                t->pac.send = true;
                        }
                }