xref: /freebsd-10.1-release/contrib/bsnmp/snmp_vacm/vacm_snmp.c

/*-
 * Copyright (c) 2010 The FreeBSD Foundation
 * All rights reserved.
 *
 * This software was developed by Shteryana Sotirova Shopova under
 * sponsorship from the FreeBSD Foundation.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD$
 */
#include <sys/queue.h>
#include <sys/types.h>

#include <errno.h>
#include <stdarg.h>
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <syslog.h>

#include "asn1.h"
#include "snmp.h"
#include "snmpmod.h"

#include "vacm_tree.h"
#include "vacm_oid.h"

static struct lmodule *vacm_module;
/* For the registration. */
static const struct asn_oid oid_vacm = OIDX_snmpVacmMIB;

static uint reg_vacm;

static int32_t vacm_lock;

/*
 * Internal datastructures and forward declarations.
 */
static void		vacm_append_userindex(struct asn_oid *,
    uint, const struct vacm_user *);
static int		vacm_user_index_decode(const struct asn_oid *,
    uint, int32_t *, char *);
static struct vacm_user *vacm_get_user(const struct asn_oid *,
    uint);
static struct vacm_user *vacm_get_next_user(const struct asn_oid *,
    uint);
static void		vacm_append_access_rule_index(struct asn_oid *,
    uint, const struct vacm_access *);
static int		vacm_access_rule_index_decode(const struct asn_oid *,
    uint, char *, char *, int32_t *, int32_t *);
static struct vacm_access *	vacm_get_access_rule(const struct asn_oid *,
    uint);
static struct vacm_access *	vacm_get_next_access_rule(const struct asn_oid *,
    uint);
static int		vacm_view_index_decode(const struct asn_oid *, uint,
    char *, struct asn_oid *);
static void		vacm_append_viewindex(struct asn_oid *, uint,
    const struct vacm_view *);
static struct vacm_view	*vacm_get_view(const struct asn_oid *, uint);
static struct vacm_view	*vacm_get_next_view(const struct asn_oid *, uint);
static struct vacm_view *vacm_get_view_by_name(u_char *, u_int);
static struct vacm_context	*vacm_get_context(const struct asn_oid *, uint);
static struct vacm_context	*vacm_get_next_context(const struct asn_oid *,
    uint);
static void			vacm_append_ctxindex(struct asn_oid *, uint,
    const struct vacm_context *);

int
op_vacm_context(struct snmp_context *ctx __unused, struct snmp_value *val,
    uint32_t sub, uint32_t iidx __unused, enum snmp_op op)
{
	char cname[SNMP_ADM_STR32_SIZ];
	size_t cnamelen;
	struct vacm_context *vacm_ctx;

	if (val->var.subs[sub - 1] != LEAF_vacmContextName)
		abort();

	switch (op) {
	case SNMP_OP_GET:
		if ((vacm_ctx = vacm_get_context(&val->var, sub)) == NULL)
			return (SNMP_ERR_NOSUCHNAME);
		break;

	case SNMP_OP_GETNEXT:
		if ((vacm_ctx = vacm_get_next_context(&val->var, sub)) == NULL)
			return (SNMP_ERR_NOSUCHNAME);
		vacm_append_ctxindex(&val->var, sub, vacm_ctx);
		break;

	case SNMP_OP_SET:
		if ((vacm_ctx = vacm_get_context(&val->var, sub)) != NULL)
			return (SNMP_ERR_WRONG_VALUE);
		if (community != COMM_INITIALIZE)
			return (SNMP_ERR_NOT_WRITEABLE);
		if (val->var.subs[sub] >= SNMP_ADM_STR32_SIZ)
			return (SNMP_ERR_WRONG_VALUE);
		if (index_decode(&val->var, sub, iidx, &cname, &cnamelen))
			return (SNMP_ERR_GENERR);
		cname[cnamelen] = '\0';
		if ((vacm_ctx = vacm_add_context(cname, reg_vacm)) == NULL)
			return (SNMP_ERR_GENERR);
		return (SNMP_ERR_NOERROR);

	case SNMP_OP_COMMIT:
		/* FALLTHROUGH*/
	case SNMP_OP_ROLLBACK:
		return (SNMP_ERR_NOERROR);
	default:
		abort();
	}

	return (string_get(val, vacm_ctx->ctxname, -1));
}

int
op_vacm_security_to_group(struct snmp_context *ctx, struct snmp_value *val,
    uint32_t sub, uint32_t iidx __unused, enum snmp_op op)
{
	int32_t smodel;
	char uname[SNMP_ADM_STR32_SIZ];
	struct vacm_user *user;

	switch (op) {
	case SNMP_OP_GET:
		if ((user = vacm_get_user(&val->var, sub)) == NULL)
			return (SNMP_ERR_NOSUCHNAME);
		break;

	case SNMP_OP_GETNEXT:
		if ((user = vacm_get_next_user(&val->var, sub)) == NULL)
			return (SNMP_ERR_NOSUCHNAME);
		vacm_append_userindex(&val->var, sub, user);
		break;

	case SNMP_OP_SET:
		if ((user = vacm_get_user(&val->var, sub)) == NULL &&
		    val->var.subs[sub - 1] != LEAF_vacmSecurityToGroupStatus)
			return (SNMP_ERR_NOSUCHNAME);

		if (user != NULL) {
			if (community != COMM_INITIALIZE &&
			    user->type == StorageType_readOnly)
				return (SNMP_ERR_NOT_WRITEABLE);
			if (user->status == RowStatus_active &&
			    val->v.integer != RowStatus_destroy)
				return (SNMP_ERR_INCONS_VALUE);
		}

		switch (val->var.subs[sub - 1]) {
		case LEAF_vacmGroupName:
			ctx->scratch->ptr1 = user->group->groupname;
			ctx->scratch->int1 = strlen(user->group->groupname);
			return (vacm_user_set_group(user,
			    val->v.octetstring.octets,val->v.octetstring.len));

		case LEAF_vacmSecurityToGroupStorageType:
			return (SNMP_ERR_INCONS_VALUE);

		case LEAF_vacmSecurityToGroupStatus:
			if (user == NULL) {
				if (val->v.integer != RowStatus_createAndGo ||
				    vacm_user_index_decode(&val->var, sub,
				    &smodel, uname) < 0)
					return (SNMP_ERR_INCONS_VALUE);
				user = vacm_new_user(smodel, uname);
				if (user == NULL)
					return (SNMP_ERR_GENERR);
				user->status = RowStatus_destroy;
				if (community != COMM_INITIALIZE)
					user->type = StorageType_volatile;
				else
					user->type = StorageType_readOnly;
			} else if (val->v.integer != RowStatus_active &&
			    val->v.integer != RowStatus_destroy)
				return (SNMP_ERR_INCONS_VALUE);
			ctx->scratch->int1 = user->status;
			user->status = val->v.integer;
			break;
		}
		return (SNMP_ERR_NOERROR);

	case SNMP_OP_COMMIT:
		if (val->var.subs[sub - 1] != LEAF_vacmSecurityToGroupStatus)
			return (SNMP_ERR_NOERROR);
		if ((user = vacm_get_user(&val->var, sub)) == NULL)
			return (SNMP_ERR_GENERR);
		switch (val->v.integer) {
		case  RowStatus_destroy:
			return (vacm_delete_user(user));

		case RowStatus_createAndGo:
			user->status = RowStatus_active;
			break;

		default:
			break;
		}
		return (SNMP_ERR_NOERROR);

	case SNMP_OP_ROLLBACK:
		if ((user = vacm_get_user(&val->var, sub)) == NULL)
			return (SNMP_ERR_GENERR);
		switch (val->var.subs[sub - 1]) {
		case LEAF_vacmGroupName:
			return (vacm_user_set_group(user, ctx->scratch->ptr1,
			    ctx->scratch->int1));

		case LEAF_vacmSecurityToGroupStatus:
			if (ctx->scratch->int1 == RowStatus_destroy)
				return (vacm_delete_user(user));
			user->status = ctx->scratch->int1;
			break;

		default:
			break;
		}
		return (SNMP_ERR_NOERROR);

	default:
		abort();
	}

	switch (val->var.subs[sub - 1]) {
	case LEAF_vacmGroupName:
		return (string_get(val, user->group->groupname, -1));
	case LEAF_vacmSecurityToGroupStorageType:
		val->v.integer = user->type;
		break;
	case LEAF_vacmSecurityToGroupStatus:
		val->v.integer = user->status;
		break;
	default:
		abort();
	}

	return (SNMP_ERR_NOERROR);
}

int
op_vacm_access(struct snmp_context *ctx, struct snmp_value *val, uint32_t sub,
    uint32_t iidx __unused, enum snmp_op op)
{
	int32_t smodel, slevel;
	char gname[SNMP_ADM_STR32_SIZ], cprefix[SNMP_ADM_STR32_SIZ];
	struct vacm_access *acl;

	switch (op) {
	case SNMP_OP_GET:
		if ((acl = vacm_get_access_rule(&val->var, sub)) == NULL)
			return (SNMP_ERR_NOSUCHNAME);
		break;

	case SNMP_OP_GETNEXT:
		if ((acl = vacm_get_next_access_rule(&val->var, sub)) == NULL)
			return (SNMP_ERR_NOSUCHNAME);
		vacm_append_access_rule_index(&val->var, sub, acl);
		break;

	case SNMP_OP_SET:
		if ((acl = vacm_get_access_rule(&val->var, sub)) == NULL &&
		    val->var.subs[sub - 1] != LEAF_vacmAccessStatus)
				return (SNMP_ERR_NOSUCHNAME);
		if (acl != NULL && community != COMM_INITIALIZE &&
		    acl->type == StorageType_readOnly)
			return (SNMP_ERR_NOT_WRITEABLE);

		switch (val->var.subs[sub - 1]) {
		case LEAF_vacmAccessContextMatch:
			ctx->scratch->int1 = acl->ctx_match;
			if (val->v.integer == vacmAccessContextMatch_exact)
				acl->ctx_match = 1;
			else if (val->v.integer == vacmAccessContextMatch_prefix)
				acl->ctx_match = 0;
			else
				return (SNMP_ERR_WRONG_VALUE);
			break;

		case LEAF_vacmAccessReadViewName:
			ctx->scratch->ptr1 = acl->read_view;
			acl->read_view = vacm_get_view_by_name(val->v.octetstring.octets, val->v.octetstring.len);
			if (acl->read_view == NULL) {
				acl->read_view = ctx->scratch->ptr1;
				return (SNMP_ERR_INCONS_VALUE);
			}
			return (SNMP_ERR_NOERROR);

		case LEAF_vacmAccessWriteViewName:
			ctx->scratch->ptr1 = acl->write_view;
			if ((acl->write_view =
			    vacm_get_view_by_name(val->v.octetstring.octets,
			    val->v.octetstring.len)) == NULL) {
				acl->write_view = ctx->scratch->ptr1;
				return (SNMP_ERR_INCONS_VALUE);
			}
			break;

		case LEAF_vacmAccessNotifyViewName:
			ctx->scratch->ptr1 = acl->notify_view;
			if ((acl->notify_view =
			    vacm_get_view_by_name(val->v.octetstring.octets,
			    val->v.octetstring.len)) == NULL) {
				acl->notify_view = ctx->scratch->ptr1;
				return (SNMP_ERR_INCONS_VALUE);
			}
			break;

		case LEAF_vacmAccessStorageType:
			return (SNMP_ERR_INCONS_VALUE);

		case LEAF_vacmAccessStatus:
			if (acl == NULL) {
				if (val->v.integer != RowStatus_createAndGo ||
				    vacm_access_rule_index_decode(&val->var,
				    sub, gname, cprefix, &smodel, &slevel) < 0)
					return (SNMP_ERR_INCONS_VALUE);
				if ((acl = vacm_new_access_rule(gname, cprefix,
				    smodel, slevel)) == NULL)
					return (SNMP_ERR_GENERR);
				acl->status = RowStatus_destroy;
				if (community != COMM_INITIALIZE)
					acl->type = StorageType_volatile;
				else
					acl->type = StorageType_readOnly;
			} else if (val->v.integer != RowStatus_active &&
			    val->v.integer != RowStatus_destroy)
				return (SNMP_ERR_INCONS_VALUE);
			ctx->scratch->int1 = acl->status;
			acl->status = val->v.integer;
			break;
		}
		return (SNMP_ERR_NOERROR);

	case SNMP_OP_COMMIT:
		if (val->var.subs[sub - 1] != LEAF_vacmAccessStatus)
			return (SNMP_ERR_NOERROR);
		if ((acl = vacm_get_access_rule(&val->var, sub)) == NULL)
			return (SNMP_ERR_GENERR);
		if (val->v.integer == RowStatus_destroy)
			return (vacm_delete_access_rule(acl));
		else
			acl->status = RowStatus_active;
		return (SNMP_ERR_NOERROR);

	case SNMP_OP_ROLLBACK:
		if ((acl = vacm_get_access_rule(&val->var, sub)) == NULL)
			return (SNMP_ERR_GENERR);
		switch (val->var.subs[sub - 1]) {
		case LEAF_vacmAccessContextMatch:
			acl->ctx_match = ctx->scratch->int1;
			break;
		case LEAF_vacmAccessReadViewName:
			acl->read_view = ctx->scratch->ptr1;
			break;
		case LEAF_vacmAccessWriteViewName:
			acl->write_view = ctx->scratch->ptr1;
			break;
		case LEAF_vacmAccessNotifyViewName:
			acl->notify_view = ctx->scratch->ptr1;
			break;
		case LEAF_vacmAccessStatus:
			if (ctx->scratch->int1 == RowStatus_destroy)
				return (vacm_delete_access_rule(acl));
		default:
			break;
		}
		return (SNMP_ERR_NOERROR);

	default:
		abort();
	}

	switch (val->var.subs[sub - 1]) {
	case LEAF_vacmAccessContextMatch:
		return (string_get(val, acl->ctx_prefix, -1));
	case LEAF_vacmAccessReadViewName:
		if (acl->read_view != NULL)
			return (string_get(val, acl->read_view->viewname, -1));
		else
			return (string_get(val, NULL, 0));
	case LEAF_vacmAccessWriteViewName:
		if (acl->write_view != NULL)
			return (string_get(val, acl->write_view->viewname, -1));
		else
			return (string_get(val, NULL, 0));
	case LEAF_vacmAccessNotifyViewName:
		if (acl->notify_view != NULL)
			return (string_get(val, acl->notify_view->viewname, -1));
		else
			return (string_get(val, NULL, 0));
	case LEAF_vacmAccessStorageType:
		val->v.integer = acl->type;
		break;
	case LEAF_vacmAccessStatus:
		val->v.integer = acl->status;
		break;
	default:
		abort();
	}

	return (SNMP_ERR_NOERROR);
}

int
op_vacm_view_lock(struct snmp_context *ctx __unused, struct snmp_value *val,
    uint32_t sub, uint32_t iidx __unused, enum snmp_op op)
{
	if (val->var.subs[sub - 1] != LEAF_vacmViewSpinLock)
		return (SNMP_ERR_NOSUCHNAME);

	switch (op) {
	case SNMP_OP_GET:
		if (++vacm_lock == INT32_MAX)
			vacm_lock = 0;
		val->v.integer = vacm_lock;
		break;

	case SNMP_OP_GETNEXT:
		abort();

	case SNMP_OP_SET:
		if (val->v.integer != vacm_lock)
			return (SNMP_ERR_INCONS_VALUE);
		break;

	case SNMP_OP_ROLLBACK:
		/* FALLTHROUGH */
	case SNMP_OP_COMMIT:
		break;
	}

	return (SNMP_ERR_NOERROR);
}

int
op_vacm_view(struct snmp_context *ctx, struct snmp_value *val, uint32_t sub,
    uint32_t iidx __unused, enum snmp_op op)
{
	char vname[SNMP_ADM_STR32_SIZ];
	struct asn_oid oid;
	struct vacm_view *view;

	switch (op) {
	case SNMP_OP_GET:
		if ((view = vacm_get_view(&val->var, sub)) == NULL)
			return (SNMP_ERR_NOSUCHNAME);
		break;

	case SNMP_OP_GETNEXT:
		if ((view = vacm_get_next_view(&val->var, sub)) == NULL)
			return (SNMP_ERR_NOSUCHNAME);
		vacm_append_viewindex(&val->var, sub, view);
		break;

	case SNMP_OP_SET:
		if ((view = vacm_get_view(&val->var, sub)) == NULL &&
		    val->var.subs[sub - 1] != LEAF_vacmViewTreeFamilyStatus)
				return (SNMP_ERR_NOSUCHNAME);

		if (view != NULL) {
			if (community != COMM_INITIALIZE &&
			    view->type == StorageType_readOnly)
				return (SNMP_ERR_NOT_WRITEABLE);
			if (view->status == RowStatus_active &&
			    val->v.integer != RowStatus_destroy)
				return (SNMP_ERR_INCONS_VALUE);
		}

		switch (val->var.subs[sub - 1]) {
		case LEAF_vacmViewTreeFamilyMask:
			if (val->v.octetstring.len > sizeof(view->mask))
			ctx->scratch->ptr1 = malloc(sizeof(view->mask));
			if (ctx->scratch->ptr1 == NULL)
				return (SNMP_ERR_GENERR);
			memset(ctx->scratch->ptr1, 0, sizeof(view->mask));
			memcpy(ctx->scratch->ptr1, view->mask,
			    sizeof(view->mask));
			memset(view->mask, 0, sizeof(view->mask));
			memcpy(view->mask, val->v.octetstring.octets,
			    val->v.octetstring.len);
			break;

		case LEAF_vacmViewTreeFamilyType:
			ctx->scratch->int1 = view->exclude;
			if (val->v.integer == vacmViewTreeFamilyType_included)
				view->exclude = 0;
			else if (val->v.integer == vacmViewTreeFamilyType_excluded)
				view->exclude = 1;
			else
				return (SNMP_ERR_WRONG_VALUE);
			break;

		case LEAF_vacmViewTreeFamilyStorageType:
			return (SNMP_ERR_INCONS_VALUE);

		case LEAF_vacmViewTreeFamilyStatus:
			if (view == NULL) {
				if (val->v.integer != RowStatus_createAndGo ||
				    vacm_view_index_decode(&val->var, sub, vname,
				    &oid) < 0)
					return (SNMP_ERR_INCONS_VALUE);
				if ((view = vacm_new_view(vname, &oid)) == NULL)
					return (SNMP_ERR_GENERR);
				view->status = RowStatus_destroy;
				if (community != COMM_INITIALIZE)
					view->type = StorageType_volatile;
				else
					view->type = StorageType_readOnly;
			} else if (val->v.integer != RowStatus_active &&
			    val->v.integer != RowStatus_destroy)
				return (SNMP_ERR_INCONS_VALUE);
			ctx->scratch->int1 = view->status;
			view->status = val->v.integer;
			break;
		}
		return (SNMP_ERR_NOERROR);

	case SNMP_OP_COMMIT:
		switch (val->var.subs[sub - 1]) {
		case LEAF_vacmViewTreeFamilyMask:
			free(ctx->scratch->ptr1);
			break;
		case LEAF_vacmViewTreeFamilyStatus:
			if ((view = vacm_get_view(&val->var, sub)) == NULL)
				return (SNMP_ERR_GENERR);
			switch (val->v.integer) {
			case  RowStatus_destroy:
				return (vacm_delete_view(view));

			case RowStatus_createAndGo:
				view->status = RowStatus_active;
				break;

			default:
				/* NOTREACHED*/
				return (SNMP_ERR_GENERR);
			}
		default:
			break;
		}
		return (SNMP_ERR_NOERROR);

	case SNMP_OP_ROLLBACK:
		if ((view = vacm_get_view(&val->var, sub)) == NULL)
			return (SNMP_ERR_GENERR);
		switch (val->var.subs[sub - 1]) {
		case LEAF_vacmViewTreeFamilyMask:
			memcpy(view->mask, ctx->scratch->ptr1,
			    sizeof(view->mask));
			free(ctx->scratch->ptr1);
			break;
		case LEAF_vacmViewTreeFamilyType:
			view->exclude = ctx->scratch->int1;
			break;
		case LEAF_vacmViewTreeFamilyStatus:
			if (ctx->scratch->int1 == RowStatus_destroy)
				return (vacm_delete_view(view));
			break;
		default:
			break;
		}
		return (SNMP_ERR_NOERROR);

	default:
		abort();
	}

	switch (val->var.subs[sub - 1]) {
	case LEAF_vacmViewTreeFamilyMask:
		return (string_get(val, view->mask, sizeof(view->mask)));
	case LEAF_vacmViewTreeFamilyType:
		if (view->exclude)
			val->v.integer = vacmViewTreeFamilyType_excluded;
		else
			val->v.integer = vacmViewTreeFamilyType_included;
		break;
	case LEAF_vacmViewTreeFamilyStorageType:
		val->v.integer = view->type;
		break;
	case LEAF_vacmViewTreeFamilyStatus:
		val->v.integer = view->status;
		break;
	default:
		abort();
	}

	return (SNMP_ERR_NOERROR);
}

static void
vacm_append_userindex(struct asn_oid *oid, uint sub,
    const struct vacm_user *user)
{
	uint32_t i;

	oid->len = sub + strlen(user->secname) + 2;
	oid->subs[sub++] = user->sec_model;
	oid->subs[sub] = strlen(user->secname);
	for (i = 1; i <= strlen(user->secname); i++)
		oid->subs[sub + i] = user->secname[i - 1];
}

static int
vacm_user_index_decode(const struct asn_oid *oid, uint sub,
    int32_t *smodel, char *uname)
{
	uint32_t i;

	*smodel = oid->subs[sub++];

	if (oid->subs[sub] >= SNMP_ADM_STR32_SIZ)
		return (-1);

	for (i = 0; i < oid->subs[sub]; i++)
		uname[i] = oid->subs[sub + i + 1];
	uname[i] = '\0';

	return (0);
}

static struct vacm_user *
vacm_get_user(const struct asn_oid *oid, uint sub)
{
	int32_t smodel;
	char uname[SNMP_ADM_STR32_SIZ];
	struct vacm_user *user;

	if (vacm_user_index_decode(oid, sub, &smodel, uname) < 0)
		return (NULL);

	for (user = vacm_first_user(); user != NULL; user = vacm_next_user(user))
		if (strcmp(uname, user->secname) == 0 &&
		    user->sec_model == smodel)
			return (user);

	return (NULL);
}

static struct vacm_user *
vacm_get_next_user(const struct asn_oid *oid, uint sub)
{
	int32_t smodel;
	char uname[SNMP_ADM_STR32_SIZ];
	struct vacm_user *user;

	if (oid->len - sub == 0)
		return (vacm_first_user());

	if (vacm_user_index_decode(oid, sub, &smodel, uname) < 0)
		return (NULL);

	for (user = vacm_first_user(); user != NULL; user = vacm_next_user(user))
		if (strcmp(uname, user->secname) == 0 &&
		    user->sec_model == smodel)
			return (vacm_next_user(user));

	return (NULL);
}

static void
vacm_append_access_rule_index(struct asn_oid *oid, uint sub,
    const struct vacm_access *acl)
{
	uint32_t i;

	oid->len = sub + strlen(acl->group->groupname) +
	    strlen(acl->ctx_prefix) + 4;

	oid->subs[sub] = strlen(acl->group->groupname);
	for (i = 1; i <= strlen(acl->group->groupname); i++)
		oid->subs[sub + i] = acl->group->groupname[i - 1];
	sub += strlen(acl->group->groupname) + 1;

	oid->subs[sub] = strlen(acl->ctx_prefix);
	for (i = 1; i <= strlen(acl->ctx_prefix); i++)
		oid->subs[sub + i] = acl->ctx_prefix[i - 1];
	sub += strlen(acl->ctx_prefix) + 1;
	oid->subs[sub++] = acl->sec_model;
	oid->subs[sub] = acl->sec_level;
}

static int
vacm_access_rule_index_decode(const struct asn_oid *oid, uint sub, char *gname,
    char *cprefix, int32_t *smodel, int32_t *slevel)
{
	uint32_t i;

	if (oid->subs[sub] >= SNMP_ADM_STR32_SIZ)
		return (-1);

	for (i = 0; i < oid->subs[sub]; i++)
		gname[i] = oid->subs[sub + i + 1];
	gname[i] = '\0';
	sub += strlen(gname) + 1;

	if (oid->subs[sub] >= SNMP_ADM_STR32_SIZ)
		return (-1);

	for (i = 0; i < oid->subs[sub]; i++)
		cprefix[i] = oid->subs[sub + i + 1];
	cprefix[i] = '\0';
	sub += strlen(cprefix) + 1;

	*smodel = oid->subs[sub++];
	*slevel = oid->subs[sub];

	return (0);
}

struct vacm_access *
vacm_get_access_rule(const struct asn_oid *oid, uint sub)
{
	int32_t smodel, slevel;
	char gname[SNMP_ADM_STR32_SIZ], prefix[SNMP_ADM_STR32_SIZ];
	struct vacm_access *acl;

	if (vacm_access_rule_index_decode(oid, sub, gname, prefix, &smodel,
	    &slevel) < 0)
		return (NULL);

	for (acl = vacm_first_access_rule(); acl != NULL;
	    acl = vacm_next_access_rule(acl))
		if (strcmp(gname, acl->group->groupname) == 0 &&
		    strcmp(prefix, acl->ctx_prefix) == 0 &&
		    smodel == acl->sec_model && slevel == acl->sec_level)
			return (acl);

	return (NULL);
}

struct vacm_access *
vacm_get_next_access_rule(const struct asn_oid *oid __unused, uint sub __unused)
{
	int32_t smodel, slevel;
	char gname[SNMP_ADM_STR32_SIZ], prefix[SNMP_ADM_STR32_SIZ];
	struct vacm_access *acl;

	if (oid->len - sub == 0)
		return (vacm_first_access_rule());

	if (vacm_access_rule_index_decode(oid, sub, gname, prefix, &smodel,
	    &slevel) < 0)
		return (NULL);

	for (acl = vacm_first_access_rule(); acl != NULL;
	    acl = vacm_next_access_rule(acl))
		if (strcmp(gname, acl->group->groupname) == 0 &&
		    strcmp(prefix, acl->ctx_prefix) == 0 &&
		    smodel == acl->sec_model && slevel == acl->sec_model)
			return (vacm_next_access_rule(acl));

	return (NULL);
}

static int
vacm_view_index_decode(const struct asn_oid *oid, uint sub, char *vname,
   struct asn_oid *view_oid)
{
	uint32_t i;
	int viod_off;

	if (oid->subs[sub] >= SNMP_ADM_STR32_SIZ)
		return (-1);

	for (i = 0; i < oid->subs[sub]; i++)
		vname[i] = oid->subs[sub + i + 1];
	vname[i] = '\0';

	viod_off = sub + oid->subs[sub] + 1;
	if ((view_oid->len = oid->subs[viod_off]) > ASN_MAXOIDLEN)
		return (-1);

	memcpy(&view_oid->subs[0], &oid->subs[viod_off + 1],
	    view_oid->len * sizeof(view_oid->subs[0]));

	return (0);
}

static void
vacm_append_viewindex(struct asn_oid *oid, uint sub, const struct vacm_view *view)
{
	uint32_t i;

	oid->len = sub + strlen(view->viewname) + 1;
	oid->subs[sub] = strlen(view->viewname);
	for (i = 1; i <= strlen(view->viewname); i++)
		oid->subs[sub + i] = view->viewname[i - 1];

	sub += strlen(view->viewname) + 1;
	oid->subs[sub] = view->subtree.len;
	oid->len++;
	asn_append_oid(oid, &view->subtree);
}

struct vacm_view *
vacm_get_view(const struct asn_oid *oid, uint sub)
{
	char vname[SNMP_ADM_STR32_SIZ];
	struct asn_oid subtree;
	struct vacm_view *view;

	if (vacm_view_index_decode(oid, sub, vname, &subtree) < 0)
		return (NULL);

	for (view = vacm_first_view(); view != NULL; view = vacm_next_view(view))
		if (strcmp(vname, view->viewname) == 0 &&
		    asn_compare_oid(&subtree, &view->subtree)== 0)
			return (view);

	return (NULL);
}

struct vacm_view *
vacm_get_next_view(const struct asn_oid *oid, uint sub)
{
	char vname[SNMP_ADM_STR32_SIZ];
	struct asn_oid subtree;
	struct vacm_view *view;

	if (oid->len - sub == 0)
		return (vacm_first_view());

	if (vacm_view_index_decode(oid, sub, vname, &subtree) < 0)
		return (NULL);

	for (view = vacm_first_view(); view != NULL; view = vacm_next_view(view))
		if (strcmp(vname, view->viewname) == 0 &&
		    asn_compare_oid(&subtree, &view->subtree)== 0)
			return (vacm_next_view(view));

	return (NULL);
}

static struct vacm_view *
vacm_get_view_by_name(u_char *octets, u_int len)
{
	struct vacm_view *view;

	for (view = vacm_first_view(); view != NULL; view = vacm_next_view(view))
		if (strlen(view->viewname) == len &&
		    memcmp(octets, view->viewname, len) == 0)
			return (view);

	return (NULL);
}

static struct vacm_context *
vacm_get_context(const struct asn_oid *oid, uint sub)
{
	char cname[SNMP_ADM_STR32_SIZ];
	size_t cnamelen;
	u_int index_count;
	struct vacm_context *vacm_ctx;

	if (oid->subs[sub] >= SNMP_ADM_STR32_SIZ)
		return (NULL);

	index_count = 0;
	index_count = SNMP_INDEX(index_count, 1);
	if (index_decode(oid, sub, index_count, &cname, &cnamelen))
		return (NULL);

	for (vacm_ctx = vacm_first_context(); vacm_ctx != NULL;
	    vacm_ctx = vacm_next_context(vacm_ctx))
		if (strcmp(cname, vacm_ctx->ctxname) == 0)
			return (vacm_ctx);

	return (NULL);
}

static struct vacm_context *
vacm_get_next_context(const struct asn_oid *oid, uint sub)
{
	char cname[SNMP_ADM_STR32_SIZ];
	size_t cnamelen;
	u_int index_count;
	struct vacm_context *vacm_ctx;

	if (oid->len - sub == 0)
		return (vacm_first_context());

	if (oid->subs[sub] >= SNMP_ADM_STR32_SIZ)
		return (NULL);

	index_count = 0;
	index_count = SNMP_INDEX(index_count, 1);
	if (index_decode(oid, sub, index_count, &cname, &cnamelen))
		return (NULL);

	for (vacm_ctx = vacm_first_context(); vacm_ctx != NULL;
	    vacm_ctx = vacm_next_context(vacm_ctx))
		if (strcmp(cname, vacm_ctx->ctxname) == 0)
			return (vacm_next_context(vacm_ctx));

	return (NULL);
}

static void
vacm_append_ctxindex(struct asn_oid *oid, uint sub,
    const struct vacm_context *ctx)
{
	uint32_t i;

	oid->len = sub + strlen(ctx->ctxname) + 1;
	oid->subs[sub] = strlen(ctx->ctxname);
	for (i = 1; i <= strlen(ctx->ctxname); i++)
		oid->subs[sub + i] = ctx->ctxname[i - 1];
}

/*
 * VACM snmp module initialization hook.
 * Returns 0 on success, < 0 on error.
 */
static int
vacm_init(struct lmodule *mod, int argc __unused, char *argv[] __unused)
{
	vacm_module = mod;
	vacm_lock = random();
	vacm_groups_init();

	/* XXX: TODO - initialize structures */
	return (0);
}

/*
 * VACM snmp module finalization hook.
 */
static int
vacm_fini(void)
{
	/* XXX: TODO - cleanup */
	vacm_flush_contexts(reg_vacm);
	or_unregister(reg_vacm);

	return (0);
}

/*
 * VACM snmp module start operation.
 */
static void
vacm_start(void)
{
	static char dflt_ctx[] = "";

	reg_vacm = or_register(&oid_vacm,
	    "The MIB module for managing SNMP View-based Access Control Model.",
	    vacm_module);

	(void)vacm_add_context(dflt_ctx, reg_vacm);
}

static void
vacm_dump(void)
{
	struct vacm_context *vacmctx;
	struct vacm_user *vuser;
	struct vacm_access *vacl;
	struct vacm_view *view;
	static char oidbuf[ASN_OIDSTRLEN];

	syslog(LOG_ERR, "\n");
	syslog(LOG_ERR, "Context list:");
	for (vacmctx = vacm_first_context(); vacmctx != NULL;
	    vacmctx = vacm_next_context(vacmctx))
		syslog(LOG_ERR, "Context \"%s\", module id %d",
		    vacmctx->ctxname, vacmctx->regid);

	syslog(LOG_ERR, "VACM users:");
	for (vuser = vacm_first_user(); vuser != NULL;
	    vuser = vacm_next_user(vuser))
		syslog(LOG_ERR, "Uname %s, Group %s, model %d", vuser->secname,
		    vuser->group!= NULL?vuser->group->groupname:"Unknown",
		    vuser->sec_model);

	syslog(LOG_ERR, "VACM Access rules:");
	for (vacl = vacm_first_access_rule(); vacl != NULL;
	    vacl = vacm_next_access_rule(vacl))
		syslog(LOG_ERR, "Group %s, CtxPrefix %s, Model %d, Level %d, "
		    "RV %s, WR %s, NV %s", vacl->group!=NULL?
		    vacl->group->groupname:"Unknown", vacl->ctx_prefix,
		    vacl->sec_model, vacl->sec_level, vacl->read_view!=NULL?
		    vacl->read_view->viewname:"None", vacl->write_view!=NULL?
		    vacl->write_view->viewname:"None", vacl->notify_view!=NULL?
		    vacl->notify_view->viewname:"None");

	syslog(LOG_ERR, "VACM Views:");
	for (view = vacm_first_view(); view != NULL; view = vacm_next_view(view))
		syslog(LOG_ERR, "View %s, Tree %s - %s", view->viewname,
		    asn_oid2str_r(&view->subtree, oidbuf), view->exclude?
		    "excluded":"included");
}

const char vacm_comment[] = \
"This module implements SNMP View-based Access Control Model defined in RFC 3415.";

const struct snmp_module config = {
	.comment =	vacm_comment,
	.init =		vacm_init,
	.fini =		vacm_fini,
	.start =	vacm_start,
	.tree =		vacm_ctree,
	.dump =		vacm_dump,
	.tree_size =	vacm_CTREE_SIZE,
};