correct PAC lifetime calculation
authorAlan T. DeKok <aland@freeradius.org>
Fri, 17 Sep 2021 12:11:40 +0000 (08:11 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Fri, 17 Sep 2021 12:20:08 +0000 (08:20 -0400)
the lifetime is a delta, and the "expires" field is a wall-clock
time.

src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h
src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c

index ccc3ac29faeb4a0d3bd1adecf0bb1eb61f525ac2..3b7421b435ebfecb355298bd0c87176a58fa6f8e 100644 (file)
@@ -856,7 +856,7 @@ static fr_radius_packet_code_t eap_fast_process_tlvs(request_t *request, eap_ses
                        if (vp->da == attr_eap_fast_pac_acknowledge) {
                                if (vp->vp_uint32 == EAP_FAST_TLV_RESULT_SUCCESS) {
                                        code = FR_RADIUS_CODE_ACCESS_ACCEPT;
-                                       t->pac.expires = UINT32_MAX;
+                                       t->pac.expires = ~((fr_time_t) 0);
                                        t->pac.expired = false;
                                        t->stage = EAP_FAST_COMPLETE;
                                }
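Review bot: The new sentinel `~((fr_time_t) 0)` only means "never expires" if fr_time_t is an unsigned type; its definition is not in this diff, and if it is a signed 64-bit integer the expression evaluates to -1. A value of -1 is non-zero, so it passes the `!t->pac.expires` test in eap_fast_process(), but it then compares as earlier than every packet timestamp in the `t->pac.expires <= ...` check there, which is the opposite of what UINT32_MAX expressed. Assigning the type's maximum explicitly, for example `t->pac.expires = INT64_MAX;` for an int64_t-based fr_time_t, keeps the intent independent of signedness. The enclosing function starts and ends outside the hunk.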
@@ -937,7 +937,11 @@ fr_radius_packet_code_t eap_fast_process(request_t *request, eap_session_t *eap_
                                t->mode = EAP_FAST_PROVISIONING_AUTH;
                        }
 
-                       if (!t->pac.expires || t->pac.expired || (t->pac.expires - fr_time_to_sec(request->packet->timestamp)) < (t->pac_lifetime * 6) / 10) {
+                       /*
+                        *      Send a new pac at ~0.6 times the lifetime.
+                        */
+                       if (!t->pac.expires || t->pac.expired ||
+                           t->pac.expires <= (request->packet->timestamp + fr_time_delta_from_sec((t->pac_lifetime >> 1) + (t->pac_lifetime >> 3)))) {
                                t->pac.send = true;
                        }
                }
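Review bot: The added comment "Send a new pac at ~0.6 times the lifetime" reads as "once 60% of the lifetime has elapsed", but the condition fires when the time remaining is at most 1/2 + 1/8 = 0.625 of `t->pac_lifetime`, that is, after roughly 37.5% has elapsed. I would reword it to `Send a new PAC once no more than ~5/8 (1/2 + 1/8) of the lifetime remains.` so that the threshold and the shift arithmetic are explained together. The enclosing function continues outside the hunk.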
index cef09c1eb0c3e073316c54a8019a1fad19db4ed7..1c83b1979c66f1d085670e73596c3e2db5110396 100644 (file)
@@ -191,7 +191,7 @@ typedef struct {
        struct {
                uint8_t                 *key;
                eap_fast_pac_type_t     type;
-               uint32_t                expires;
+               fr_time_t               expires;
                bool                    expired;
                bool                    send;
        }                       pac;
index 98175ab2096b9bbe0a9cc8adc3060054fd787279..f78b641c7851aec3a99b6ee3d1c20db27d6c57eb 100644 (file)
@@ -334,8 +334,8 @@ error:
                        t->pac.type = vp->vp_uint32;
                } else if (vp->da == attr_eap_fast_pac_info_pac_lifetime) {
                        fr_assert(t->pac.expires == 0);
-                       t->pac.expires = vp->vp_uint32;
-                       t->pac.expired = (vp->vp_uint32 <= fr_time_to_sec(request->packet->timestamp));
+                       t->pac.expires = request->packet->timestamp + fr_time_delta_from_sec(vp->vp_uint32);
+                       t->pac.expired = false;
                /*
                 *      Not sure if this is the correct attr
                 *      The original enum didn't match a specific TLV nesting level
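Review bot: After this change nothing in this branch can mark a PAC as expired: `t->pac.expired` is set to `false` unconditionally, and `t->pac.expires` is recomputed as the current packet timestamp plus the decoded value, so the expiry moves forward every time the same PAC is presented. The code that encodes this attribute is not in the diff; if it writes an absolute expiry in seconds since the epoch (which is how RFC 5422 describes the credential lifetime field in PAC-Info), the decoded value needs to be converted to an fr_time_t and checked, along the lines of `t->pac.expired = (t->pac.expires <= request->packet->timestamp);`, rather than added to the timestamp. If the stored value really is a delta, the issue time has to come from inside the protected PAC as well, otherwise the refresh test in eap_fast_process() (second hunk of eap_fast.c) never sees an aging credential either. The if/else chain this branch belongs to starts and ends outside the hunk.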