📄 vacm_vars.c
/*
 * NOTE(review): this excerpt opens inside a function whose signature and
 * first statements are not shown.  The visible tail builds a view mask,
 * creates a view entry with vacm_createViewEntry() and marks it permanent
 * and active.  Everything up to the closing brace is reproduced unchanged.
 */
        return;
    }
    if (mask) {
        int val;
        i = 0;
        /* MASK is a list of hex octets separated by '.' or ':' */
        for (mask = strtok(mask, ".:"); mask; mask = strtok(NULL, ".:")) {
            /* bound the write index before storing into viewMask[] */
            if (i >= sizeof(viewMask)) {
                config_perror("MASK too long");
                return;
            }
            /*
             * NOTE(review): only a return of 0 is rejected.  sscanf() can
             * also return EOF (e.g. a whitespace-only token), in which case
             * val is stored uninitialized; "!= 1" would cover both.  val is
             * an int read with %x and is narrowed on the store below.
             */
            if (sscanf(mask, "%x", &val) == 0) {
                config_perror("invalid MASK");
                return;
            }
            viewMask[i] = val;
            i++;
        }
    } else {
        /* no MASK given: every mask byte is set to 0xff */
        for (i = 0; i < sizeof(viewMask); i++)
            viewMask[i] = 0xff;
    }
    vp = vacm_createViewEntry(name, suboid, suboid_len);
    if (!vp) {
        config_perror("failed to create view entry");
        return;
    }
    memcpy(vp->viewMask, viewMask, sizeof(viewMask));
    vp->viewType = inclexcl;
    vp->viewStorageType = SNMP_STORAGE_PERMANENT;
    vp->viewStatus = SNMP_ROW_ACTIVE;
    /* release the entry's reserved buffer and clear the pointer so it cannot be freed twice */
    free (vp->reserved);
    vp->reserved = NULL;
}

/* Drop every configured view entry. */
void vacm_free_view (void)
{
    vacm_destroyAllViewEntries();
}

/*
 * Expand one of the shorthand directives (rouser, rwuser, rocommunity,
 * rwcommunity) into the equivalent com2sec / group / view / access lines
 * and feed each generated line to the matching vacm_parse_* handler.
 *
 * token     directive name; selects community vs. USM handling and
 *           read-only vs. read-write access
 * confline  remainder of the configuration line
 *
 * A function-static counter (num) gives each invocation its own
 * anonymousSecNameNNN / anonymousGroupNameNNN / anonymousViewNNN names.
 *
 * NOTE(review): every buffer here is a fixed-size stack array and all
 * writes are unbounded (copy_word, strcpy, sprintf).  copy_word() takes
 * no destination size in these calls, so whether it truncates cannot be
 * told from this excerpt -- confirm.  `line` is SPRINT_MAX_LEN bytes but
 * is formatted from several words that may each be close to that size,
 * so an over-long configuration line can write past the end of `line`.
 * A hardened version would use snprintf() with a truncation check and
 * report the error through config_perror().
 */
void vacm_parse_simple(const char *token, char *confline) {
    char line[SPRINT_MAX_LEN];
    char community[COMMUNITY_MAX_LEN];
    char theoid[SPRINT_MAX_LEN];
    char viewname[SPRINT_MAX_LEN];
    char addressname[SPRINT_MAX_LEN];
    const char *rw = "none";
    const char *model = "any";
    char *cp;
    static int num = 0;
    char secname[SPRINT_MAX_LEN];
    char authtype[SPRINT_MAX_LEN];

    /* community name or user name */
    /* NOTE(review): community[] is COMMUNITY_MAX_LEN, the other buffers are
       SPRINT_MAX_LEN; the first word is copied with no visible length limit */
    cp = copy_word(confline, community);

    if (strcmp(token,"rouser") == 0 || strcmp(token,"rwuser") == 0) {
        /* authentication type */
        if (cp && *cp)
            cp = copy_word(cp, authtype);
        else
            strcpy(authtype, "auth");
        DEBUGMSGTL((token, "setting auth type: \"%s\"\n",authtype));
        model = "usm";
    } else {
        /* source address */
        if (cp && *cp) {
            cp = copy_word(cp, addressname);
        } else {
            strcpy(addressname, "default");
        }
        /* authtype has to be noauth */
        strcpy(authtype, "noauth");
    }

    /* oid they can touch */
    if (cp && *cp) {
        cp = copy_word(cp, theoid);
    } else {
        /* no OID given: the view covers the subtree ".1" */
        strcpy(theoid, ".1");
    }

    /* read-write directives use the generated view for write/notify too;
       viewname is filled in further down, before rw is dereferenced */
    if (strcmp(token,"rwcommunity") == 0 || strcmp(token,"rwuser") == 0)
        rw = viewname;

    if (strcmp(token,"rwcommunity") == 0 || strcmp(token,"rocommunity") == 0) {
        /* com2sec mapping */
        /* com2sec anonymousSecNameNUM ADDRESS COMMUNITY */
        sprintf(secname, "anonymousSecName%03d", num);
        /* NOTE(review): unbounded sprintf of three words into line[] */
        sprintf(line,"%s %s %s", secname, addressname, community);
        DEBUGMSGTL((token,"passing: %s %s\n", "com2sec", line));
        vacm_parse_security("com2sec",line);

        /* sec->group mapping */
        /* group anonymousGroupNameNUM any anonymousSecNameNUM */
        /* the community is registered for both v1 and v2c */
        sprintf(line,"anonymousGroupName%03d v1 %s", num, secname);
        DEBUGMSGTL((token,"passing: %s %s\n", "group", line));
        vacm_parse_group("group",line);
        sprintf(line,"anonymousGroupName%03d v2c %s", num, secname);
        DEBUGMSGTL((token,"passing: %s %s\n", "group", line));
        vacm_parse_group("group",line);
    } else {
        /* user directives: the first word is used directly as the security name */
        strcpy(secname, community);

        /* sec->group mapping */
        /* group anonymousGroupNameNUM any anonymousSecNameNUM */
        sprintf(line,"anonymousGroupName%03d usm %s", num, secname);
        DEBUGMSGTL((token,"passing: %s %s\n", "group", line));
        vacm_parse_group("group",line);
    }

    /* view definition */
    /* view anonymousViewNUM included OID */
    sprintf(viewname,"anonymousView%03d",num);
    sprintf(line,"%s included %s", viewname, theoid);
    DEBUGMSGTL((token,"passing: %s %s\n", "view", line));
    vacm_parse_view("view",line);

    /* map everything together */
    /* access anonymousGroupNameNUM "" MODEL AUTHTYPE exact anonymousViewNUM [none/anonymousViewNUM] [none/anonymousViewNUM] */
    /* NOTE(review): authtype comes straight from the config line for
       rouser/rwuser; presumably vacm_parse_access validates it -- confirm */
    sprintf(line, "anonymousGroupName%03d \"\" %s %s exact %s %s %s", num, model, authtype, viewname, rw, rw);
    DEBUGMSGTL((token,"passing: %s %s\n", "access", line));
    vacm_parse_access("access",line);
    num++;
}

/*
 * Callback wrapper around vacm_in_view().
 *
 * serverarg is treated as a struct view_parameters; majorID, minorID and
 * clientarg are not used in this body.  Returns 1 when serverarg is NULL,
 * otherwise the vacm_in_view() result.  On a non-zero result the code is
 * stored in view_parms->errorcode, and for SNMPv1/v2c requests a
 * statistic is incremented: STAT_SNMPINBADCOMMUNITYNAMES for result 1,
 * STAT_SNMPINBADCOMMUNITYUSES for any other failure.
 */
int
vacm_in_view_callback(int majorID, int minorID, void *serverarg,
                      void *clientarg) {
    struct view_parameters *view_parms = (struct view_parameters *) serverarg;
    int retval;

    if (view_parms == NULL)
        return 1;
    retval = vacm_in_view(view_parms->pdu, view_parms->name,
                          view_parms->namelen);
    if (retval != 0) {
        if (view_parms->pdu->version == SNMP_VERSION_1 ||
            view_parms->pdu->version == SNMP_VERSION_2c) {
            snmp_increment_statistic(
                retval == 1 ? STAT_SNMPINBADCOMMUNITYNAMES:
                              STAT_SNMPINBADCOMMUNITYUSES);
        }
        view_parms->errorcode = retval;
    }
    return retval;
}

/*******************************************************************-o-******
 * vacm_in_view
 *
 * Access-control decision for one request: maps the PDU to a security
 * name, then to a group, an access entry and finally a view, and checks
 * whether the OID lies in that view.
 *
 * Parameters:
 *	*pdu      request being checked
 *	*name     OID to test; 0 means "only check that the VACM setup
 *	          exists for this request" (returns after the access lookup)
 *	 namelen  number of sub-identifiers in name
 *
 * Returns:
 *	0	On success.
 *	1	Missing security name.
 *	2	Missing group
 *	3	Missing access
 *	4	Missing view
 *	5	Not in view
 *
 * Debug output listed as follows:
 *	<securityName> <groupName> <viewName> <viewType>
 *
 * NOTE(review), security-relevant behaviour visible in this body:
 *   - With no com2sec entries and vacm_is_configured() false, every
 *     SNMPv1/v2c GET, GETNEXT and GETBULK is accepted without looking at
 *     the community or the source address (fail-open for reads).
 *   - With debugging on, the received community string is written to the
 *     debug output in clear text.
 *   - An unrecognised pdu->command is logged and then evaluated against
 *     the read view rather than being refused.
 */
int vacm_in_view (struct snmp_pdu *pdu,
                  oid *name,
                  size_t namelen)
{
    struct vacm_securityEntry *sp = securityFirst;
    struct vacm_accessEntry *ap;
    struct vacm_groupEntry *gp;
    struct vacm_viewEntry *vp;
    /* NOTE(review): the address is read as a sockaddr_in; presumably only
       IPv4 transports reach this code -- confirm */
    struct sockaddr_in *pduIp = (struct sockaddr_in*)&(pdu->address);
    struct sockaddr_in *srcIp, *srcMask;
    char *vn;
    char *sn;

    if (pdu->version == SNMP_VERSION_1 || pdu->version == SNMP_VERSION_2c) {
        if (snmp_get_do_debugging()) {
            char *buf;
            if (pdu->community) {
                /* NUL-terminated copy of the community for the debug line */
                /* NOTE(review): malloc() result is not checked before memcpy() */
                buf = (char *)malloc(1+ pdu->community_len);
                memcpy(buf, pdu->community, pdu->community_len);
                buf[pdu->community_len] = '\0';
            } else {
                DEBUGMSGTL(("mibII/vacm_vars", "NULL community"));
                buf = strdup("NULL");
            }

            /* NOTE(review): logs the community (a shared secret) verbatim */
            DEBUGMSGTL(("mibII/vacm_vars", "vacm_in_view: ver=%d, source=%.8x, community=%s\n", pdu->version, pduIp->sin_addr.s_addr, buf));
            free (buf);
        }

        /* allow running without snmpd.conf */
        /* read-class requests are accepted, everything else gets code 1 */
        if (sp == NULL && !vacm_is_configured()) {
            DEBUGMSGTL(("mibII/vacm_vars", "vacm_in_view: accepted with no com2sec entries\n"));
            switch (pdu->command) {
            case SNMP_MSG_GET:
            case SNMP_MSG_GETNEXT:
            case SNMP_MSG_GETBULK:
                return 0;
            default:
                return 1;
            }
        }
        /* first entry whose masked source address and community both match */
        while (sp) {
            srcIp   = (struct sockaddr_in *)&(sp->sourceIp);
            srcMask = (struct sockaddr_in *)&(sp->sourceMask);
            /* the length is compared first, so strncmp never reads past
               either string's pdu->community_len bytes */
            if ((pduIp->sin_addr.s_addr & srcMask->sin_addr.s_addr)
                    == srcIp->sin_addr.s_addr
                && strlen(sp->community) == pdu->community_len
                && !strncmp(sp->community, (char *)pdu->community, pdu->community_len))
                break;
            sp = sp->next;
        }
        if (sp == NULL) return 1;
        sn = sp->securityName;
    } else if (pdu->securityModel == SNMP_SEC_MODEL_USM)
    {
        /* NOTE(review): securityName is passed to %s before the NULL test
           further down */
        DEBUGMSG (("mibII/vacm_vars",
                   "vacm_in_view: ver=%d, model=%d, secName=%s\n",
                   pdu->version, pdu->securityModel,
                   pdu->securityName));
        sn = pdu->securityName;
    } else {
        /* any other security model has no security name and is refused */
        sn = NULL;
    }

    if (sn == NULL) return 1;
    DEBUGMSGTL(("mibII/vacm_vars", "vacm_in_view: sn=%s", sn));

    gp = vacm_getGroupEntry(pdu->securityModel, sn);
    if (gp == NULL) { DEBUGMSG(("mibII/vacm_vars", "\n")); return 2; }
    DEBUGMSG (("mibII/vacm_vars", ", gn=%s", gp->groupName));

    /* the access lookup always uses the empty context prefix "" */
    ap = vacm_getAccessEntry(gp->groupName, "", pdu->securityModel,
                             pdu->securityLevel);
    if (ap == NULL) { DEBUGMSG(("mibII/vacm_vars", "\n")); return 3; }

    if (name == 0) { /* only check the setup of the vacm for the request */
        DEBUGMSG(("mibII/vacm_vars", ", Done checking setup\n"));
        return 0;
    }

    /* pick the view name that applies to this kind of request */
    switch (pdu->command) {
    case SNMP_MSG_GET:
    case SNMP_MSG_GETNEXT:
    case SNMP_MSG_GETBULK:
        vn = ap->readView;
        break;
    case SNMP_MSG_SET:
        vn = ap->writeView;
        break;
    case SNMP_MSG_TRAP:
    case SNMP_MSG_TRAP2:
    case SNMP_MSG_INFORM:
        vn = ap->notifyView;
        break;
    default:
        /* unknown command: logged, then checked against the read view */
        snmp_log(LOG_ERR, "bad msg type in vacm_in_view: %d\n", pdu->command);
        vn = ap->readView;
    }
    DEBUGMSG (("mibII/vacm_vars", ", vn=%s", vn));

    vp = vacm_getViewEntry (vn, name, namelen, 0);
    if (vp == NULL) { DEBUGMSG(("mibII/vacm_vars", "\n")); return 4; }
    DEBUGMSG(("mibII/vacm_vars", ", vt=%d\n", vp->viewType));
    /* a matching entry of type "excluded" denies the OID */
    if (vp->viewType == SNMP_VIEW_EXCLUDED) return 5;

    return 0;

} /* end vacm_in_view() */

/*
 * Variable handler for the security-to-group table.
 *
 * The index is taken from the request OID: name[11] is the security model
 * and the following sub-identifiers are copied, one byte each, into a
 * local security-name buffer.  With exact set the entry is fetched with
 * vacm_getGroupEntry(); otherwise the group list is scanned for the first
 * entry ordered after the requested index, and name / *length are
 * rewritten to that entry's index.
 *
 * *write_method is set from vp->magic before any early return, *var_len
 * receives the value length, and the return value points at the value
 * (long_return or a string inside the entry), or is NULL when nothing
 * matches.
 *
 * NOTE(review): the copy loops let cp reach secname + VACM_MAX_STRING + 1
 * before the terminating NUL is written, so secname must hold at least
 * VACM_MAX_STRING + 2 bytes.  The relation between VACMSTRINGLEN and
 * VACM_MAX_STRING is not visible here -- confirm.
 */
u_char *var_vacm_sec2group(struct variable *vp,
                           oid *name,
                           size_t *length,
                           int exact,
                           size_t *var_len,
                           WriteMethod **write_method)
{
    struct vacm_groupEntry *gp;
    oid *groupSubtree;
    int groupSubtreeLen;
    unsigned long secmodel;
    char secname[VACMSTRINGLEN], *cp;

    /* Set up write_method first, in case we return NULL before getting to
       the switch (vp->magic) below. In some of these cases, we still want
       to call the appropriate write_method, if only to have it return the
       appropriate error.
    */
    switch (vp->magic) {
    case SECURITYGROUP:
        *write_method = write_vacmGroupName;
        break;
    case SECURITYSTORAGE:
        *write_method = write_vacmSecurityToGroupStorageType;
        break;
    case SECURITYSTATUS:
        *write_method = write_vacmSecurityToGroupStatus;
        break;
    default:
        *write_method = NULL;
    }

    /* request OID does not start with this variable's prefix: reset it to
       the bare prefix */
    if (memcmp(name, vp->name, sizeof(oid)*vp->namelen) != 0) {
        memcpy(name, vp->name, sizeof(oid)*vp->namelen);
        *length = vp->namelen;
    }
    if (exact) {
        if (*length < 13) return NULL;

        secmodel = name[11];
        /* name[12] is skipped here (presumably the length sub-identifier) */
        groupSubtree = name+13;
        groupSubtreeLen = *length - 13;
        cp = secname;
        while (groupSubtreeLen-- > 0) {
            if (*groupSubtree > 255)
                return 0; /* illegal value */
            /* stop before the local buffer overflows (see header note) */
            if (cp - secname > VACM_MAX_STRING)
                return 0;
            *cp++ = (char) *groupSubtree++;
        }
        *cp = 0;

        gp = vacm_getGroupEntry(secmodel, secname);
    } else {
        secmodel = *length > 11 ? name[11] : 0;
        /* unlike the exact branch, copying starts at name[12] */
        groupSubtree = name+12;
        /* for *length < 12 the unsigned subtraction wraps; the loop below
           only runs when the converted int is positive */
        groupSubtreeLen = *length - 12;
        cp = secname;
        while (groupSubtreeLen-- > 0) {
            if (*groupSubtree > 255)
                return 0; /* illegal value */
            if (cp - secname > VACM_MAX_STRING)
                return 0;
            *cp++ = (char) *groupSubtree++;
        }
        *cp = 0;
        /* first entry that sorts after (secmodel, secname) */
        vacm_scanGroupInit();
        while ((gp = vacm_scanGroupNext()) != NULL) {
            if (gp->securityModel > (int)secmodel ||
                (gp->securityModel == (int)secmodel && strcmp(gp->securityName, secname) > 0))
                break;
        }
        if (gp) {
            /* rewrite the caller's OID with the found entry's index */
            /* NOTE(review): writes into name[] until the NUL in
               securityName; the capacity of name[] is not checked here */
            name[11] = gp->securityModel;
            *length = 12;
            cp = gp->securityName;
            while (*cp) {
                name[(*length)++] = *cp++;
            }
        }
    }

    if (gp == NULL) {
        return NULL;
    }

    *var_len = sizeof(long_return);
    switch (vp->magic) {
    case SECURITYMODEL:
        long_return = gp->securityModel;
        return (u_char *)&long_return;
    case SECURITYNAME:
        /* securityName[0] is used as the length, the text starts at [1] */
        *var_len = gp->securityName[0];
        return (u_char *)&gp->securityName[1];
    case SECURITYGROUP:
        *var_len = strlen(gp->groupName);
        return (u_char *)gp->groupName;
    case SECURITYSTORAGE:
        long_return = gp->storageType;
        return (u_char *)&long_return;
    case SECURITYSTATUS:
        long_return = gp->status;
        return (u_char *)&long_return;
    default:
        break;
    }
    return NULL;
}

/*
 * Variable handler for the access table.  Only the beginning of this
 * function is present in the excerpt: the write_method selection and the
 * exact-match index decoding (group name, context prefix, security model
 * and security level, read from name[11] onward).
 *
 * NOTE(review): in the exact branch each embedded length is limited to
 * VACM_MAX_STRING but is not compared with *length before the copy loop
 * reads *op; the "op != name + *length" test runs only after both strings
 * and two more sub-identifiers have been read.  Whether those reads stay
 * inside the caller's name[] buffer depends on its capacity, which is not
 * visible here -- confirm.
 */
u_char *var_vacm_access(struct variable *vp,
                        oid *name,
                        size_t *length,
                        int exact,
                        size_t *var_len,
                        WriteMethod **write_method)
{
    struct vacm_accessEntry *gp;
    unsigned long secmodel, seclevel;
    char groupName[VACMSTRINGLEN]= { 0 };
    char contextPrefix[VACMSTRINGLEN] = { 0 };
    oid *op;
    unsigned long len, i = 0;
    char *cp;
    int cmp;

    /* Set up write_method first, in case we return NULL before getting to
       the switch (vp->magic) below. In some of these cases, we still want
       to call the appropriate write_method, if only to have it return the
       appropriate error.
    */
    switch (vp->magic) {
    case ACCESSMATCH:
        *write_method = write_vacmAccessContextMatch;
        break;
    case ACCESSREAD:
        *write_method = write_vacmAccessReadViewName;
        break;
    case ACCESSWRITE:
        *write_method = write_vacmAccessWriteViewName;
        break;
    case ACCESSNOTIFY:
        *write_method = write_vacmAccessNotifyViewName;
        break;
    case ACCESSSTORAGE:
        *write_method = write_vacmAccessStorageType;
        break;
    case ACCESSSTATUS:
        *write_method = write_vacmAccessStatus;
        break;
    default:
        *write_method = NULL;
    }

    /* request OID does not start with this variable's prefix: reset it to
       the bare prefix */
    if (memcmp(name, vp->name, sizeof(oid)*vp->namelen) != 0) {
        memcpy(name, vp->name, sizeof(oid)*vp->namelen);
        *length = vp->namelen;
    }
    if (exact) {
        if (*length < 15) return NULL;

        /* index layout as read below: length-prefixed group name,
           length-prefixed context prefix, security model, security level */
        op = name+11;
        len = *op++;
        if (len > VACM_MAX_STRING)
            return 0;
        cp = groupName;
        while (len-- > 0) {
            if (*op > 255)
                return 0; /* illegal value */
            *cp++ = (char) *op++;
        }
        *cp = 0;
        len = *op++;
        if (len > VACM_MAX_STRING)
            return 0;
        cp = contextPrefix;
        while (len-- > 0) {
            if (*op > 255)
                return 0; /* illegal value */
            *cp++ = (char) *op++;
        }
        *cp = 0;
        secmodel = *op++;
        seclevel = *op++;
        /* the decoded index must consume the OID exactly */
        if (op != name + *length) {
            return NULL;
        }
        gp = vacm_getAccessEntry(groupName, contextPrefix, secmodel, seclevel);
    } else {
        secmodel = seclevel = 0;
        /* NOTE(review): the excerpt ends here; the rest of this branch and
           of the function is not shown. */