From: Alan T. DeKok Date: Fri, 17 Sep 2021 12:02:29 +0000 (-0400) Subject: correct PAC lifetime calculation X-Git-Tag: release_3_0_24~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0c0c1a87426778447fdf416c8e55ad46820b0710;p=thirdparty%2Ffreeradius-server.git correct PAC lifetime calculation the lifetime is a delta, and the "expires" field is a wall-clock time.
---
diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
index beba44de3c6..37df73072ab 100644
--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
@@ -1220,7 +1220,10 @@ PW_CODE eap_fast_process(eap_handler_t *eap_session, tls_session_t *tls_session)
 t->mode = EAP_FAST_PROVISIONING_AUTH;
 }
- if (!t->pac.expires || t->pac.expired || t->pac.expires - time(NULL) < t->pac_lifetime * 0.6)
+ /*
+ * Send a new pac at ~0.6 times the lifetime.
+ */
+ if (!t->pac.expires || t->pac.expired || t->pac.expires < (time(NULL) + (t->pac_lifetime >> 1) + (t->pac_lifetime >> 3)))
 {
 t->pac.send = true;
 }
diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c
index 528a143d47f..7c91d340507 100644
--- a/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c
@@ -333,8 +333,8 @@ error:
 break;
 case PAC_INFO_PAC_LIFETIME:
 rad_assert(t->pac.expires == 0);
- t->pac.expires = vp->vp_integer;
- t->pac.expired = (vp->vp_integer <= time(NULL));
+ t->pac.expires = vp->vp_integer + time(NULL);
+ t->pac.expired = false;
 break;
 case PAC_INFO_PAC_KEY:
 rad_assert(t->pac.key == NULL);
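Review bot: The added comment in eap_fast_process says a new PAC is sent "at ~0.6 times the lifetime", but the condition below it fires when less than `(t->pac_lifetime >> 1) + (t->pac_lifetime >> 3)`, i.e. 0.625 of the lifetime, remains before `t->pac.expires`. A reader can easily take the comment to mean "after 60% has elapsed", which is the opposite. I would reword it to `/* Issue a fresh PAC once less than 5/8 (1/2 + 1/8) of pac_lifetime remains before expiry. */`. The shift form also assumes `t->pac_lifetime` is an unsigned integer; its declaration is outside the hunk, so that is worth confirming. The function body starts and ends outside the hunk.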
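Review bot: With the new lines the `PAC_INFO_PAC_LIFETIME` case can never mark a PAC as expired: whenever it runs, `t->pac.expires` becomes `vp->vp_integer + time(NULL)` and `t->pac.expired` is hard-coded to `false`. If the attribute is a delta as the commit message says, expiry is measured from when the PAC is presented rather than when it was issued, so unless an issue time is checked elsewhere (not visible here) a stored PAC stays acceptable indefinitely. I would either carry an issue timestamp or absolute expiry inside the protected PAC and compare it with `time(NULL)` here, or add a comment such as `/* delta from now; PAC expiry itself is enforced in <function-name placeholder> */`. The sum is stored without a range check, so confirm that `pac.expires` (declared outside the hunk) is wide enough to hold `vp_integer + time(NULL)`. The enclosing switch starts and ends outside the hunk.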