[PATCH] Switch from os_get_time(...) to os_get_reltime(...) to avoid malfunction if-and-when the system clock shifts.

Jouni Malinen j at w1.fi
Fri Feb 19 08:29:12 PST 2016


On Wed, Feb 10, 2016 at 11:26:14AM +0000, Nick Lowe wrote:
> Switch from os_get_time(...) to os_get_reltime(...) to avoid
> malfunction if-and-when the system clock shifts.

>  src/eap_server/eap_server_fast.c | 8 ++++----
> diff --git a/src/eap_server/eap_server_fast.c b/src/eap_server/eap_server_fast.c
> @@ -127,7 +127,7 @@ static int eap_fast_session_ticket_cb(void *ctx,
> - struct os_time now;
> + struct os_reltime now;

> - if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) {
> + if (os_get_reltime(&now) < 0 || lifetime <= 0 || now.sec > lifetime) {
>   wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key not valid anymore "

This does not look appropriate. The lifetime is stored at the client
side and this needs to work after the server boot (which would clear
reltime) and this also needs to work with multiple servers (it is
possible to share the same PAC encryption key between multiple
authentication servers). In other words, this really needs to be the
correct calendar time and system clocks needs to be synced correctly for
this to work.
 
-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list