ASN.1 failed call to system time library

Ken Raeburn raeburn at MIT.EDU
Tue May 13 16:55:56 EDT 2003


Russ Allbery <rra at stanford.edu> writes:

> We're seeing a regular trickle of these log messages from our KDCs.  Is
> this anything to worry about, or should we just ignore them?
>
> krb5kdc[3531]: ASN.1 failed call to system time library - while dispatching

How odd.  That indicates an error reported by our gmt_mktime routine,
applied to the parsed ASN.1 time encoding sent by some client.  If the
client in question is using the MIT code, we'd certainly like to know
about it. :-)

Most of the checks are on individual fields -- i.e., the year needs to
be in 1901..2038 inclusive (not all dates in 1901 and 2038 are
representable in 32 bits, but we don't check for that), month must be
in 01..12 (tm_mon in 0..11), day of month 0..31, hour 0..23, minute
0..59, second 0..62.

Perhaps some client without the 2038 limit is using a year like 2099
for something?

It probably is preventing someone from getting a ticket, though for
what it's hard to tell without examining the raw packet.  (Our ASN.1
code doesn't do partial decoding -- if it didn't work, you just lose.)

Ken
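
The per-field range checks described in the message above, as an added example (not part of the original message and not the MIT krb5 source). It assumes the timestamp has already been extracted from the packet as a KerberosTime string of the form YYYYMMDDHHMMSSZ; the function name check_kerberos_time and the table layout are hypothetical, and the limits are the ones listed in the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Field limits as listed in the message above (assumed, not copied from krb5). */
struct range { const char *name; int off, len, lo, hi; };
static const struct range fields[] = {
    { "year",   0, 4, 1901, 2038 },
    { "month",  4, 2, 1, 12 },
    { "day",    6, 2, 0, 31 },
    { "hour",   8, 2, 0, 23 },
    { "minute", 10, 2, 0, 59 },
    { "second", 12, 2, 0, 62 },
};

/* Returns NULL if every field is in range, otherwise the name of the first
 * offending field ("format" if the string is not YYYYMMDDHHMMSSZ). */
const char *check_kerberos_time(const char *s)
{
    size_t i;
    int j;

    if (strlen(s) != 15 || s[14] != 'Z')
        return "format";
    for (i = 0; i < 14; i++)
        if (!isdigit((unsigned char)s[i]))
            return "format";
    for (i = 0; i < sizeof(fields) / sizeof(fields[0]); i++) {
        int v = 0;
        for (j = 0; j < fields[i].len; j++)
            v = v * 10 + (s[fields[i].off + j] - '0');
        if (v < fields[i].lo || v > fields[i].hi)
            return fields[i].name;
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample values, not taken from any real packet. */
    const char *samples[] = { "20030513205556Z", "20990101000000Z",
                              "20031301000000Z", "2003051320555Z" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *bad = check_kerberos_time(samples[i]);
        printf("%s: %s\n", samples[i], bad ? bad : "ok");
    }
    return 0;
}
```

Run against a timestamp pulled from a captured request, it names the first field that would be rejected, such as the year in the 2099 case.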

