From: martijn <martijn@openbsd.org>
Date: Wed, 8 Nov 2023 20:09:18 +0000 (+0000)
Subject: Don't do the time window check if we're noAuthNoPriv. It's only needed
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=a7074fd3f7431bf941dfe947c189620395c9f71b;p=openbsd

Don't do the time window check if we're noAuthNoPriv. It's only needed
if we're authenticating according to RFC3414 section 2.3.

OK tb@
---

diff --git a/usr.sbin/snmpd/usm.c b/usr.sbin/snmpd/usm.c
index 586925c0eee..1e37dcb8c0a 100644
--- a/usr.sbin/snmpd/usm.c
+++ b/usr.sbin/snmpd/usm.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: usm.c,v 1.27 2023/11/08 20:07:14 martijn Exp $	*/
+/*	$OpenBSD: usm.c,v 1.28 2023/11/08 20:09:18 martijn Exp $	*/
 
 /*
  * Copyright (c) 2012 GeNUA mbH
@@ -399,14 +399,16 @@ usm_decode(struct snmp_message *msg, struct ber_element *elm, const char **errp)
 		ober_replace_elements(elm, decr);
 	}
 
-	now = snmpd_engine_time();
-	if (engine_boots != snmpd_env->sc_engine_boots ||
-	    engine_time < (long long)(now - SNMP_MAX_TIMEWINDOW) ||
-	    engine_time > (long long)(now + SNMP_MAX_TIMEWINDOW)) {
-		*errp = "out of time window";
-		msg->sm_usmerr = OIDVAL_usmErrTimeWindow;
-		stats->snmp_usmtimewindow++;
-		goto done;
+	if (MSG_HAS_AUTH(msg)) {
+		now = snmpd_engine_time();
+		if (engine_boots != snmpd_env->sc_engine_boots ||
+		    engine_time < (long long)(now - SNMP_MAX_TIMEWINDOW) ||
+		    engine_time > (long long)(now + SNMP_MAX_TIMEWINDOW)) {
+			*errp = "out of time window";
+			msg->sm_usmerr = OIDVAL_usmErrTimeWindow;
+			stats->snmp_usmtimewindow++;
+			goto done;
+		}
 	}
 
 	next = elm->be_next;