[19237] in Kerberos


Re: ASN.1 failed call to system time library

daemon@ATHENA.MIT.EDU (Ken Raeburn)
Tue May 13 16:56:51 2003

To: Russ Allbery <rra@stanford.edu>
From: Ken Raeburn <raeburn@MIT.EDU>
Date: Tue, 13 May 2003 16:55:56 -0400
In-Reply-To: <ylk7cusqvx.fsf@windlord.stanford.edu> (Russ Allbery's message
 of "Tue, 13 May 2003 10:22:42 -0700")
Message-ID: <tx1of26sh0j.fsf@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: kerberos@MIT.EDU
Errors-To: kerberos-bounces@mit.edu

Russ Allbery <rra@stanford.edu> writes:

> We're seeing a regular trickle of these log messages from our KDCs.  Is
> this anything to worry about, or should we just ignore them?
>
> krb5kdc[3531]: ASN.1 failed call to system time library - while dispatching

How odd.  That indicates an error reported by our gmt_mktime routine,
applied to the parsed ASN.1 time encoding sent by some client.  If the
client in question is using the MIT code, we'd certainly like to know
about it. :-)

Most of the checks are on individual fields -- i.e., the year needs to
be in 1901..2038 inclusive (not all dates in 1901 and 2038 are
representable in 32 bits, but we don't check for that), month must be
in 01..12 (tm_mon in 0..11), day of month 0..31, hour 0..23, minute
0..59, second 0..62.

Perhaps some client without the 2038 limit is using a year like 2099
for something?

It probably is preventing someone from getting a ticket, though for
what it's hard to tell without examining the raw packet.  (Our ASN.1
code doesn't do partial decoding -- if it didn't work, you just lose.)

Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
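
The per-field ranges listed in the message above, as an added example (not part of the original message and not MIT krb5 source): a small C checker that reports which field of a KerberosTime string taken from a captured request falls outside those ranges. The names `digits` and `first_bad_field` and the sample timestamps are constructed for illustration, and the input is assumed to be the 15-character `YYYYMMDDHHMMSSZ` form.

```c
/* Added example, not MIT krb5 code; function names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Convert n ASCII digits starting at s to an int (caller checked isdigit). */
static int digits(const char *s, int n)
{
    int v = 0;
    for (int i = 0; i < n; i++)
        v = v * 10 + (s[i] - '0');
    return v;
}

/*
 * Check a KerberosTime string ("YYYYMMDDHHMMSSZ") against the per-field
 * ranges given in the message. Returns NULL when every field is in range,
 * otherwise the name of the first field that is not. Like the checks
 * described, it does not test 32-bit representability within 1901 or 2038.
 */
const char *first_bad_field(const char *t)
{
    if (strlen(t) != 15 || t[14] != 'Z')
        return "format";
    for (int i = 0; i < 14; i++)
        if (!isdigit((unsigned char)t[i]))
            return "format";

    int year = digits(t, 4), mon = digits(t + 4, 2), day = digits(t + 6, 2);
    int hour = digits(t + 8, 2), min = digits(t + 10, 2), sec = digits(t + 12, 2);

    if (year < 1901 || year > 2038) return "year";
    if (mon < 1 || mon > 12)        return "month";
    if (day > 31)                   return "day";    /* 0..31 as stated */
    if (hour > 23)                  return "hour";
    if (min > 59)                   return "minute";
    if (sec > 62)                   return "second";
    return NULL;
}

int main(void)
{
    /* Constructed sample timestamps, not taken from any real packet. */
    const char *samples[] = { "20030513205556Z", "20990101000000Z", "20031301000000Z" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *bad = first_bad_field(samples[i]);
        printf("%s: %s\n", samples[i], bad ? bad : "ok");
    }
    return 0;
}
```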
