From: Alan T. DeKok Date: Fri, 17 Sep 2021 12:11:40 +0000 (-0400) Subject: correct PAC lifetime calculation X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df05228d0027854dd0964a032a1c8ff5e3aceccc;p=thirdparty%2Ffreeradius-server.git correct PAC lifetime calculation the lifetime is a delta, and the "expires" field is a wall-clock time.
---
diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
index ccc3ac29fa..3b7421b435 100644
--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
@@ -856,7 +856,7 @@ static fr_radius_packet_code_t eap_fast_process_tlvs(request_t *request, eap_ses
 if (vp->da == attr_eap_fast_pac_acknowledge) {
 if (vp->vp_uint32 == EAP_FAST_TLV_RESULT_SUCCESS) {
 code = FR_RADIUS_CODE_ACCESS_ACCEPT;
- t->pac.expires = UINT32_MAX;
+ t->pac.expires = ~((fr_time_t) 0);
 t->pac.expired = false;
 t->stage = EAP_FAST_COMPLETE;
 }
@@ -937,7 +937,11 @@ fr_radius_packet_code_t eap_fast_process(request_t *request, eap_session_t *eap_
 t->mode = EAP_FAST_PROVISIONING_AUTH;
 }
- if (!t->pac.expires || t->pac.expired || (t->pac.expires - fr_time_to_sec(request->packet->timestamp)) < (t->pac_lifetime * 6) / 10) {
+ /*
+ * Send a new pac at ~0.6 times the lifetime.
+ */
+ if (!t->pac.expires || t->pac.expired ||
+ t->pac.expires <= (request->packet->timestamp + fr_time_delta_from_sec((t->pac_lifetime >> 1) + (t->pac_lifetime >> 3)))) {
 t->pac.send = true;
 }
 }
diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h
index cef09c1eb0..1c83b1979c 100644
--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.h
@@ -191,7 +191,7 @@ typedef struct {
 struct {
 uint8_t *key;
 eap_fast_pac_type_t type;
- uint32_t expires;
+ fr_time_t expires;
 bool expired;
 bool send;
 } pac;
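Review bot: The "never expires" sentinel `t->pac.expires = ~((fr_time_t) 0);` in eap_fast_process_tlvs only behaves like the old `UINT32_MAX` if `fr_time_t` is unsigned, and its definition is not visible in this diff. If it is a signed 64-bit type, the value is -1: non-zero, so `!t->pac.expires` stays false, but ordered before every real timestamp, so the renewal test added in eap_fast_process (`t->pac.expires <= (request->packet->timestamp + ...)`) would treat an acknowledged PAC as already due for replacement. Making the intent independent of signedness, for example `t->pac.expires = INT64_MAX;` if the type is `int64_t`, or an explicit "no expiry" flag next to `expired` in the `pac` struct, avoids that. The enclosing function starts and ends outside this hunk.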
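Review bot: The new comment `Send a new pac at ~0.6 times the lifetime` in eap_fast_process does not say whether 0.6 refers to time elapsed or time remaining, and the shifts compute 5/8 (0.625) rather than 0.6. As written, the condition fires once the time left before `t->pac.expires` is at most 5/8 of `t->pac_lifetime`, i.e. after roughly 3/8 of the lifetime has elapsed. I would reword the comment to `* Issue a new PAC once no more than 5/8 of pac_lifetime remains.` and add that the shift form is used instead of the old `(t->pac_lifetime * 6) / 10`, presumably to avoid overflow in the multiplication, so nobody simplifies it back. The function continues outside the hunk.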
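Review bot: The `expires` field in eap_fast.h now carries three kinds of value and none is documented on the declaration. Zero means "not set" (see `!t->pac.expires` and `fr_assert(t->pac.expires == 0)`), all-ones is the post-acknowledge sentinel, and anything else is an absolute `fr_time_t`. A field comment such as `//!< Absolute expiry on the request-timestamp clock; 0 = unset, ~0 = no expiry.` would record that contract. Any reader or writer of this field outside these hunks, for instance where the PAC is encoded for the peer, still needs checking for the change from 32-bit seconds to `fr_time_t`; none is visible in this diff.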
diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c
index 98175ab209..f78b641c78 100644
--- a/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c
@@ -334,8 +334,8 @@ error:
 t->pac.type = vp->vp_uint32;
 } else if (vp->da == attr_eap_fast_pac_info_pac_lifetime) {
 fr_assert(t->pac.expires == 0);
- t->pac.expires = vp->vp_uint32;
- t->pac.expired = (vp->vp_uint32 <= fr_time_to_sec(request->packet->timestamp));
+ t->pac.expires = request->packet->timestamp + fr_time_delta_from_sec(vp->vp_uint32);
+ t->pac.expired = false;
 /*
 * Not sure if this is the correct attr
 * The original enum didn't match a specific TLV nesting level
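Review bot: `t->pac.expired = false;` removes the only expiry test in this branch, so a PAC whose lifetime attribute lies in the past is no longer flagged as expired here. The removed lines compared `vp->vp_uint32` with the current time, treating it as an absolute expiry, whereas the new line adds the same value to `request->packet->timestamp`, which is only correct if the attribute carries seconds remaining. If the issuing side writes an absolute time (the encoder is not visible in this diff), every presented PAC is given a fresh, very long lifetime and stale credentials continue to be accepted. I would confirm what the encoder stores, convert rather than add if it is absolute, and keep the check as `t->pac.expired = (t->pac.expires <= request->packet->timestamp);`. The enclosing function starts and ends outside the hunk.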