xref: /titanic_52/usr/src/cmd/cmd-inet/usr.sbin/in.routed/input.c (revision 2a9459bdd821c1cf59590a7a9069ac9c591e8a6b)
1 /*
2  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  *
5  * Copyright (c) 1983, 1988, 1993
6  *	The Regents of the University of California.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  * 3. All advertising materials mentioning features or use of this software
17  *    must display the following acknowledgment:
18  *	This product includes software developed by the University of
19  *	California, Berkeley and its contributors.
20  * 4. Neither the name of the University nor the names of its contributors
21  *    may be used to endorse or promote products derived from this software
22  *    without specific prior written permission.
23  *
24  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
25  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
28  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34  * SUCH DAMAGE.
35  *
36  * $FreeBSD: src/sbin/routed/input.c,v 1.9 2001/06/06 20:52:30 phk Exp $
37  */
38 
39 #pragma ident	"%Z%%M%	%I%	%E% SMI"
40 
41 #include "defs.h"
42 #include <md5.h>
43 
44 /*
45  * The size of the control buffer passed to recvmsg() used to receive
46  * ancillary data.
47  */
48 #define	CONTROL_BUFSIZE	1024
49 
50 static void input(struct sockaddr_in *, struct interface *, struct rip *, int);
51 static boolean_t ck_passwd(struct interface *, struct rip *, uint8_t *,
52     in_addr_t, struct msg_limit *);
53 
54 
55 /*
56  * Find the interface which received the given message.
57  */
58 struct interface *
59 receiving_interface(struct msghdr *msg, boolean_t findremote)
60 {
61 	struct interface *ifp, *ifp1, *ifp2;
62 	struct sockaddr_in *from;
63 	void *opt;
64 	uint_t ifindex;
65 
66 	from = (struct sockaddr_in *)msg->msg_name;
67 
68 	/* First see if this packet came from a remote gateway. */
69 	if (findremote && ((ifp = findremoteif(from->sin_addr.s_addr)) != NULL))
70 		return (ifp);
71 
72 	/*
73 	 * It did not come from a remote gateway.  Determine which
74 	 * physical interface this packet was received on by
75 	 * processing the message's ancillary data to find the
76 	 * IP_RECVIF option we requested.
77 	 */
78 	if ((opt = find_ancillary(msg, IP_RECVIF)) == NULL) {
79 		msglog("unable to retrieve IP_RECVIF");
80 	} else {
81 		ifindex = *(uint_t *)opt;
82 		if ((ifp = ifwithindex(ifindex, _B_TRUE)) != NULL) {
83 			/* Find the best match of the aliases */
84 			ifp2 = NULL;
85 			for (ifp1 = ifp; ifp1 != NULL;
86 			    ifp1 = ifp1->int_ilist.hl_next) {
87 				if (ifp1->int_addr == from->sin_addr.s_addr)
88 					return (ifp1);
89 				if ((ifp2 == NULL ||
90 				    (ifp2->int_state & IS_ALIAS)) &&
91 				    on_net(from->sin_addr.s_addr, ifp1->int_net,
92 				    ifp1->int_mask)) {
93 					ifp2 = ifp1;
94 				}
95 			}
96 			if (ifp2 != NULL)
97 				ifp = ifp2;
98 			return (ifp);
99 		}
100 	}
101 
102 	/*
103 	 * As a last resort (for some reason, ip didn't give us the
104 	 * IP_RECVIF index we requested), try to deduce the receiving
105 	 * interface based on the source address of the packet.
106 	 */
107 	ifp = iflookup(from->sin_addr.s_addr);
108 	if (ifp != NULL && ifp->int_phys != NULL) {
109 		ifp = ifwithname(ifp->int_phys->phyi_name);
110 	}
111 	return (ifp);
112 }
113 
114 /*
115  * Process RIP input on rip_sock.  Returns 0 for success, -1 for failure.
116  */
117 int
118 read_rip()
119 {
120 	struct sockaddr_in from;
121 	struct interface *ifp;
122 	int cc;
123 	union pkt_buf inbuf;
124 	struct msghdr msg;
125 	struct iovec iov;
126 	uint8_t ancillary_data[CONTROL_BUFSIZE];
127 
128 	iov.iov_base = &inbuf;
129 	iov.iov_len = sizeof (inbuf);
130 	msg.msg_iov = &iov;
131 	msg.msg_iovlen = 1;
132 	msg.msg_name = &from;
133 	msg.msg_control = &ancillary_data;
134 
135 	for (;;) {
136 		msg.msg_namelen = sizeof (from);
137 		msg.msg_controllen = sizeof (ancillary_data);
138 		cc = recvmsg(rip_sock, &msg, 0);
139 		if (cc == 0)
140 			return (-1);
141 		if (cc < 0) {
142 			if (errno == EWOULDBLOCK || errno == EINTR)
143 				return (0);
144 			LOGERR("recvmsg(rip_sock)");
145 			return (-1);
146 		}
147 
148 		/*
149 		 * ifp is the interface via which the packet arrived.
150 		 */
151 		ifp = receiving_interface(&msg, _B_TRUE);
152 
153 		input(&from, ifp, &inbuf.rip, cc);
154 	}
155 }
156 
157 
158 /* Process a RIP packet */
159 static void
160 input(struct sockaddr_in *from,		/* received from this IP address */
161     struct interface *ifp,		/* interface of incoming socket */
162     struct rip *rip,
163     int cc)
164 {
165 #define	FROM_NADDR from->sin_addr.s_addr
166 	static struct msg_limit use_auth, bad_len, bad_mask;
167 	static struct msg_limit unk_router, bad_router, bad_nhop;
168 
169 	struct rt_entry *rt;
170 	struct rt_spare new;
171 	struct netinfo *n, *lim;
172 	struct interface *ifp1;
173 	in_addr_t gate, mask, v1_mask, dst, ddst_h = 0;
174 	struct auth *ap;
175 	struct tgate *tg = NULL;
176 	struct tgate_net *tn;
177 	int i, j;
178 	boolean_t poll_answer = _B_FALSE; /* Set to _B_TRUE if RIPCMD_POLL */
179 	uint16_t rt_state = 0;	/* Extra route state to pass to input_route() */
180 	uint8_t metric;
181 
182 	(void) memset(&new, 0, sizeof (new));
183 	/* Notice when we hear from a remote gateway */
184 	if (ifp != NULL && (ifp->int_state & IS_REMOTE))
185 		ifp->int_act_time = now.tv_sec;
186 
187 	trace_rip("Recv", "from", from, ifp, rip, cc);
188 
189 	if (ifp != NULL && (ifp->int_if_flags & IFF_NORTEXCH)) {
190 		trace_misc("discard RIP packet received over %s (IFF_NORTEXCH)",
191 		    ifp->int_name);
192 		return;
193 	}
194 
195 	gate = ntohl(FROM_NADDR);
196 	if (IN_CLASSD(gate) || (gate >> IN_CLASSA_NSHIFT) == 0) {
197 		msglim(&bad_router, FROM_NADDR, "source address %s unusable",
198 		    naddr_ntoa(FROM_NADDR));
199 		return;
200 	}
201 
202 	if (rip->rip_vers == 0) {
203 		msglim(&bad_router, FROM_NADDR,
204 		    "RIP version 0, cmd %d, packet received from %s",
205 		    rip->rip_cmd, naddr_ntoa(FROM_NADDR));
206 		return;
207 	}
208 
209 	if (rip->rip_vers > RIPv2) {
210 		msglim(&bad_router, FROM_NADDR,
211 		    "Treating RIP version %d packet received from %s as "
212 		    "version %d", rip->rip_vers, naddr_ntoa(FROM_NADDR),
213 		    RIPv2);
214 		rip->rip_vers = RIPv2;
215 	}
216 
217 	if (cc > (int)OVER_MAXPACKETSIZE) {
218 		msglim(&bad_router, FROM_NADDR,
219 		    "packet at least %d bytes too long received from %s",
220 		    cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR));
221 	}
222 
223 	n = rip->rip_nets;
224 	lim = n + (cc - 4) / sizeof (struct netinfo);
225 
226 	/*
227 	 * Notice authentication.
228 	 * As required by section 5.2 of RFC 2453, discard authenticated
229 	 * RIPv2 messages, but only if configured for that silliness.
230 	 *
231 	 * RIPv2 authentication is lame.  Why authenticate queries?
232 	 * Why should a RIPv2 implementation with authentication disabled
233 	 * not be able to listen to RIPv2 packets with authentication, while
234 	 * RIPv1 systems will listen?  Crazy!
235 	 */
236 	if (!auth_ok && rip->rip_vers == RIPv2 && n < lim &&
237 	    n->n_family == RIP_AF_AUTH) {
238 		msglim(&use_auth, FROM_NADDR,
239 		    "RIPv2 message with authentication from %s discarded",
240 		    naddr_ntoa(FROM_NADDR));
241 		return;
242 	}
243 
244 	switch (rip->rip_cmd) {
245 	case RIPCMD_POLL:
246 		/*
247 		 * Similar to RIPCMD_REQUEST, this command is used to
248 		 * request either a full-table or a set of entries.  Both
249 		 * silent processes and routers can respond to this
250 		 * command.
251 		 */
252 		poll_answer = _B_TRUE;
253 		/* FALLTHRU */
254 	case RIPCMD_REQUEST:
255 		/* Are we talking to ourself or a remote gateway? */
256 		ifp1 = ifwithaddr(FROM_NADDR, _B_FALSE, _B_TRUE);
257 		if (ifp1 != NULL) {
258 			if (ifp1->int_state & IS_REMOTE) {
259 				/* remote gateway */
260 				ifp = ifp1;
261 				if (check_remote(ifp)) {
262 					ifp->int_act_time = now.tv_sec;
263 					if_ok(ifp, "remote ", _B_FALSE);
264 				}
265 			} else if (from->sin_port == htons(RIP_PORT)) {
266 				trace_pkt("    discard our own RIP request");
267 				return;
268 			}
269 		}
270 
271 		/* did the request come from a router? */
272 		if (!poll_answer && (from->sin_port == htons(RIP_PORT))) {
273 			/*
274 			 * yes, ignore the request if RIP is off so that
275 			 * the router does not depend on us.
276 			 */
277 			if (ripout_interfaces == 0 ||
278 			    (ifp != NULL && (IS_RIP_OUT_OFF(ifp->int_state) ||
279 			    !IS_IFF_ROUTING(ifp->int_if_flags)))) {
280 				trace_pkt("    discard request while RIP off");
281 				return;
282 			}
283 		}
284 
285 		/*
286 		 * According to RFC 2453 section 5.2, we should ignore
287 		 * unauthenticated queries when authentication is
288 		 * configured.  That is too silly to bother with.  Sheesh!
289 		 * Are forwarding tables supposed to be secret even though
290 		 * a bad guy can infer them with test traffic?  RIP is
291 		 * still the most common router-discovery protocol, so
292 		 * hosts need to send queries that will be answered.  What
293 		 * about `rtquery`?  Maybe on firewalls you'd care, but not
294 		 * enough to give up the diagnostic facilities of remote
295 		 * probing.
296 		 */
297 
298 		if (n >= lim) {
299 			msglim(&bad_len, FROM_NADDR, "empty request from %s",
300 			    naddr_ntoa(FROM_NADDR));
301 			return;
302 		}
303 		if (cc%sizeof (*n) != sizeof (struct rip)%sizeof (*n)) {
304 			msglim(&bad_len, FROM_NADDR,
305 			    "request of bad length (%d) from %s",
306 			    cc, naddr_ntoa(FROM_NADDR));
307 		}
308 
309 		if (rip->rip_vers == RIPv2 && (ifp == NULL ||
310 		    (ifp->int_state & IS_NO_RIPV1_OUT))) {
311 			v12buf.buf->rip_vers = RIPv2;
312 			/*
313 			 * If we have a secret but it is a cleartext secret,
314 			 * do not disclose our secret unless the other guy
315 			 * already knows it.
316 			 */
317 			ap = find_auth(ifp);
318 			if (ap != NULL &&
319 			    (ulong_t)ap->end < (ulong_t)clk.tv_sec) {
320 				/*
321 				 * Don't authenticate incoming packets
322 				 * using an expired key.
323 				 */
324 				msglim(&use_auth, FROM_NADDR,
325 				    "%s attempting to authenticate using "
326 				    "an expired password.",
327 				    naddr_ntoa(FROM_NADDR));
328 				ap = NULL;
329 			}
330 			if (ap != NULL && ap->type == RIP_AUTH_PW &&
331 			    (n->n_family != RIP_AF_AUTH ||
332 			    !ck_passwd(ifp, rip, (uint8_t *)lim, FROM_NADDR,
333 			    &use_auth)))
334 				ap = NULL;
335 		} else {
336 			v12buf.buf->rip_vers = RIPv1;
337 			ap = NULL;
338 		}
339 		clr_ws_buf(&v12buf, ap);
340 
341 		do {
342 			n->n_metric = ntohl(n->n_metric);
343 
344 			/*
345 			 * A single entry with family RIP_AF_UNSPEC and
346 			 * metric HOPCNT_INFINITY means "all routes".
347 			 * We respond to routers only if we are acting
348 			 * as a supplier, or to anyone other than a router
349 			 * (i.e. a query).
350 			 */
351 			if (n->n_family == RIP_AF_UNSPEC &&
352 			    n->n_metric == HOPCNT_INFINITY) {
353 				/*
354 				 * Answer a full-table query from a utility
355 				 * program with all we know.
356 				 */
357 				if (poll_answer ||
358 				    (from->sin_port != htons(RIP_PORT))) {
359 					supply(from, ifp, OUT_QUERY, 0,
360 					    rip->rip_vers, ap != NULL);
361 					return;
362 				}
363 
364 				/*
365 				 * A router is trying to prime its tables.
366 				 * Filter the answer in the same way
367 				 * broadcasts are filtered.
368 				 *
369 				 * Only answer a router if we are a supplier
370 				 * to keep an unwary host that is just starting
371 				 * from picking us as a router.
372 				 */
373 				if (ifp == NULL) {
374 					trace_pkt("ignore distant router");
375 					return;
376 				}
377 				if (IS_RIP_OFF(ifp->int_state) ||
378 				    !should_supply(ifp)) {
379 					trace_pkt("ignore; not supplying");
380 					return;
381 				}
382 
383 				/*
384 				 * Do not answer a RIPv1 router if
385 				 * we are sending RIPv2.  But do offer
386 				 * poor man's router discovery.
387 				 */
388 				if ((ifp->int_state & IS_NO_RIPV1_OUT) &&
389 				    rip->rip_vers == RIPv1) {
390 					if (!(ifp->int_state & IS_PM_RDISC)) {
391 						trace_pkt("ignore; sending "
392 						    "RIPv2");
393 						return;
394 					}
395 
396 					v12buf.n->n_family = RIP_AF_INET;
397 					v12buf.n->n_dst = RIP_DEFAULT;
398 					metric = ifp->int_d_metric;
399 					if (NULL !=
400 					    (rt = rtget(RIP_DEFAULT, 0)))
401 						metric = MIN(metric,
402 						    (rt->rt_metric + 1));
403 					v12buf.n->n_metric = htonl(metric);
404 					v12buf.n++;
405 					break;
406 				}
407 
408 				/*
409 				 * Respond with RIPv1 instead of RIPv2 if
410 				 * that is what we are broadcasting on the
411 				 * interface to keep the remote router from
412 				 * getting the wrong initial idea of the
413 				 * routes we send.
414 				 */
415 				supply(from, ifp, OUT_UNICAST, 0,
416 				    (ifp->int_state & IS_NO_RIPV1_OUT)
417 				    ? RIPv2 : RIPv1,
418 				    ap != NULL);
419 				return;
420 			}
421 
422 			/* Ignore authentication */
423 			if (n->n_family == RIP_AF_AUTH)
424 				continue;
425 
426 			if (n->n_family != RIP_AF_INET) {
427 				msglim(&bad_router, FROM_NADDR,
428 				    "request from %s for unsupported"
429 				    " (af %d) %s",
430 				    naddr_ntoa(FROM_NADDR),
431 				    ntohs(n->n_family),
432 				    naddr_ntoa(n->n_dst));
433 				return;
434 			}
435 
436 			/* We are being asked about a specific destination. */
437 			v12buf.n->n_dst = dst = n->n_dst;
438 			v12buf.n->n_family = RIP_AF_INET;
439 			if (!check_dst(dst)) {
440 				msglim(&bad_router, FROM_NADDR,
441 				    "bad queried destination %s from %s",
442 				    naddr_ntoa(dst),
443 				    naddr_ntoa(FROM_NADDR));
444 				v12buf.n->n_metric = HOPCNT_INFINITY;
445 				goto rte_done;
446 			}
447 
448 			/* decide what mask was intended */
449 			if (rip->rip_vers == RIPv1 ||
450 			    0 == (mask = ntohl(n->n_mask)) ||
451 			    0 != (ntohl(dst) & ~mask))
452 				mask = ripv1_mask_host(dst, ifp);
453 
454 			/*
455 			 * Try to find the answer.  If we don't have an
456 			 * explicit route for the destination, use the best
457 			 * route to the destination.
458 			 */
459 			rt = rtget(dst, mask);
460 			if (rt == NULL && dst != RIP_DEFAULT)
461 				rt = rtfind(n->n_dst);
462 
463 			if (v12buf.buf->rip_vers != RIPv1)
464 				v12buf.n->n_mask = htonl(mask);
465 			if (rt == NULL) {
466 				/* we do not have the answer */
467 				v12buf.n->n_metric = HOPCNT_INFINITY;
468 				goto rte_done;
469 			}
470 
471 			/*
472 			 * we have the answer, so compute the right metric
473 			 * and next hop.
474 			 */
475 			v12buf.n->n_metric = rt->rt_metric + 1;
476 			if (v12buf.n->n_metric > HOPCNT_INFINITY)
477 				v12buf.n->n_metric = HOPCNT_INFINITY;
478 			if (v12buf.buf->rip_vers != RIPv1) {
479 				v12buf.n->n_tag = rt->rt_tag;
480 				if (ifp != NULL &&
481 				    on_net(rt->rt_gate, ifp->int_net,
482 				    ifp->int_mask) &&
483 				    rt->rt_gate != ifp->int_addr)
484 					v12buf.n->n_nhop = rt->rt_gate;
485 			}
486 rte_done:
487 			v12buf.n->n_metric = htonl(v12buf.n->n_metric);
488 
489 			/*
490 			 * Stop paying attention if we fill the output buffer.
491 			 */
492 			if (++v12buf.n >= v12buf.lim)
493 				break;
494 		} while (++n < lim);
495 
496 		/*
497 		 * If our response is authenticated with md5, complete the
498 		 * md5 computation.
499 		 */
500 		if (ap != NULL && ap->type == RIP_AUTH_MD5)
501 			end_md5_auth(&v12buf, ap);
502 
503 		/*
504 		 * Diagnostic programs make specific requests
505 		 * from ports other than 520.  Log other types
506 		 * of specific requests as suspicious.
507 		 */
508 		if (!poll_answer && (from->sin_port == htons(RIP_PORT))) {
509 			writelog(LOG_WARNING,
510 			    "Received suspicious request from %s port %d",
511 			    naddr_ntoa(FROM_NADDR), RIP_PORT);
512 		}
513 		if (poll_answer || (from->sin_port != htons(RIP_PORT))) {
514 			/* query */
515 			(void) output(OUT_QUERY, from, ifp, v12buf.buf,
516 			    ((char *)v12buf.n - (char *)v12buf.buf));
517 		} else {
518 			(void) output(OUT_UNICAST, from, ifp,
519 			    v12buf.buf, ((char *)v12buf.n -
520 			    (char *)v12buf.buf));
521 		}
522 		return;
523 
524 	case RIPCMD_TRACEON:
525 	case RIPCMD_TRACEOFF:
526 		/*
527 		 * Notice that trace messages are turned off for all possible
528 		 * abuse if PATH_TRACE is undefined in pathnames.h.
529 		 * Notice also that because of the way the trace file is
530 		 * handled in trace.c, no abuse is plausible even if
531 		 * PATH_TRACE is defined.
532 		 *
533 		 * First verify message came from a privileged port.
534 		 */
535 		if (ntohs(from->sin_port) > IPPORT_RESERVED) {
536 			trace_pkt("trace command from untrusted port %d on %s",
537 			    ntohs(from->sin_port), naddr_ntoa(FROM_NADDR));
538 			return;
539 		}
540 		if (ifp == NULL || !remote_address_ok(ifp, FROM_NADDR)) {
541 			/*
542 			 * Use a message here to warn about strange
543 			 * messages from remote systems.
544 			 */
545 			msglim(&bad_router, FROM_NADDR,
546 			    "trace command from non-local host %s",
547 			    naddr_ntoa(FROM_NADDR));
548 			return;
549 		}
550 		if (ifp->int_state & IS_DISTRUST) {
551 			tg = tgates;
552 			while (tg->tgate_addr != FROM_NADDR) {
553 				tg = tg->tgate_next;
554 				if (tg == NULL) {
555 					trace_pkt("trace command from "
556 					    "untrusted host %s",
557 					    naddr_ntoa(FROM_NADDR));
558 					return;
559 				}
560 			}
561 		}
562 		if (ifp->int_auth[0].type != RIP_AUTH_NONE) {
563 			/*
564 			 * Technically, it would be fairly easy to add
565 			 * standard authentication to the existing
566 			 * trace commands -- just bracket the payload
567 			 * with the authentication information.
568 			 * However, the tracing message behavior
569 			 * itself is marginal enough that we don't
570 			 * actually care.  Just discard if
571 			 * authentication is needed.
572 			 */
573 			trace_pkt("trace command unauthenticated from %s",
574 			    naddr_ntoa(FROM_NADDR));
575 			return;
576 		}
577 		if (rip->rip_cmd == RIPCMD_TRACEON) {
578 			rip->rip_tracefile[cc-4] = '\0';
579 			set_tracefile(rip->rip_tracefile,
580 			    "trace command: %s\n", 0);
581 		} else {
582 			trace_off("tracing turned off by %s",
583 			    naddr_ntoa(FROM_NADDR));
584 		}
585 		return;
586 
587 	case RIPCMD_RESPONSE:
588 		if (ifp != NULL && (ifp->int_if_flags & IFF_NOXMIT)) {
589 			trace_misc("discard RIP response received over %s "
590 			    "(IFF_NOXMIT)", ifp->int_name);
591 			return;
592 		}
593 
594 		if (cc%sizeof (*n) != sizeof (struct rip)%sizeof (*n)) {
595 			msglim(&bad_len, FROM_NADDR,
596 			    "response of bad length (%d) from %s",
597 			    cc, naddr_ntoa(FROM_NADDR));
598 		}
599 
600 		if ((gate >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
601 		    IN_LINKLOCAL(gate)) {
602 			msglim(&bad_router, FROM_NADDR,
603 			    "discard RIP response from bad source address %s",
604 			    naddr_ntoa(FROM_NADDR));
605 			return;
606 		}
607 
608 		/* verify message came from a router */
609 		if (from->sin_port != htons(RIP_PORT)) {
610 			msglim(&bad_router, FROM_NADDR,
611 			    "    discard RIP response from unknown port"
612 			    " %d on host %s", ntohs(from->sin_port),
613 			    naddr_ntoa(FROM_NADDR));
614 			return;
615 		}
616 
617 		if (!rip_enabled) {
618 			trace_pkt("    discard response while RIP off");
619 			return;
620 		}
621 
622 		/* Are we talking to ourself or a remote gateway? */
623 		ifp1 = ifwithaddr(FROM_NADDR, _B_FALSE, _B_TRUE);
624 		if (ifp1 != NULL) {
625 			if (ifp1->int_state & IS_REMOTE) {
626 				/* remote gateway */
627 				ifp = ifp1;
628 				if (check_remote(ifp)) {
629 					ifp->int_act_time = now.tv_sec;
630 					if_ok(ifp, "remote ", _B_FALSE);
631 				}
632 			} else {
633 				trace_pkt("    discard our own RIP response");
634 				return;
635 			}
636 		} else {
637 			/*
638 			 * If it's not a remote gateway, then the
639 			 * remote address *must* be directly
640 			 * connected.  Make sure that it is.
641 			 */
642 			if (ifp != NULL &&
643 			    !remote_address_ok(ifp, FROM_NADDR)) {
644 				msglim(&bad_router, FROM_NADDR,
645 				    "discard RIP response; source %s not on "
646 				    "interface %s", naddr_ntoa(FROM_NADDR),
647 				    ifp->int_name);
648 				return;
649 			}
650 		}
651 
652 		/*
653 		 * Accept routing packets from routers directly connected
654 		 * via broadcast or point-to-point networks, and from
655 		 * those listed in /etc/gateways.
656 		 */
657 		if (ifp == NULL) {
658 			msglim(&unk_router, FROM_NADDR,
659 			    "   discard response from %s"
660 			    " via unexpected interface",
661 			    naddr_ntoa(FROM_NADDR));
662 			return;
663 		}
664 
665 		if (IS_RIP_IN_OFF(ifp->int_state)) {
666 			trace_pkt("    discard RIPv%d response"
667 			    " via disabled interface %s",
668 			    rip->rip_vers, ifp->int_name);
669 			return;
670 		}
671 
672 		if (n >= lim) {
673 			msglim(&bad_len, FROM_NADDR, "empty response from %s",
674 			    naddr_ntoa(FROM_NADDR));
675 			return;
676 		}
677 
678 		if (((ifp->int_state & IS_NO_RIPV1_IN) &&
679 		    rip->rip_vers == RIPv1) ||
680 		    ((ifp->int_state & IS_NO_RIPV2_IN) &&
681 		    rip->rip_vers != RIPv1)) {
682 			trace_pkt("    discard RIPv%d response",
683 			    rip->rip_vers);
684 			return;
685 		}
686 
687 		/*
688 		 * Continue to listen to routes via broken interfaces
689 		 * which might be declared IS_BROKE because of
690 		 * device-driver idiosyncracies, but might otherwise
691 		 * be perfectly healthy.
692 		 */
693 		if (ifp->int_state & IS_BROKE) {
694 			trace_pkt("response via broken interface %s",
695 			    ifp->int_name);
696 		}
697 
698 		/*
699 		 * If the interface cares, ignore bad routers.
700 		 * Trace but do not log this problem, because where it
701 		 * happens, it happens frequently.
702 		 */
703 		if (ifp->int_state & IS_DISTRUST) {
704 			tg = tgates;
705 			while (tg->tgate_addr != FROM_NADDR) {
706 				tg = tg->tgate_next;
707 				if (tg == NULL) {
708 					trace_pkt("    discard RIP response"
709 					    " from untrusted router %s",
710 					    naddr_ntoa(FROM_NADDR));
711 					return;
712 				}
713 			}
714 		}
715 
716 		/*
717 		 * Authenticate the packet if we have a secret.
718 		 * If we do not have any secrets, ignore the error in
719 		 * RFC 1723 and accept it regardless.
720 		 */
721 		if (ifp->int_auth[0].type != RIP_AUTH_NONE &&
722 		    rip->rip_vers != RIPv1 &&
723 		    !ck_passwd(ifp, rip, (uint8_t *)lim, FROM_NADDR, &use_auth))
724 			return;
725 
726 		/*
727 		 * Do this only if we're supplying routes to *nobody*.
728 		 */
729 		if (!should_supply(NULL) && save_space) {
730 			/*
731 			 * "-S" option.  Instead of entering all routes,
732 			 * only enter a default route for the sender of
733 			 * this RESPONSE message
734 			 */
735 
736 			/* Should we trust this route from this router? */
737 			if (tg != NULL && tg->tgate_nets->mask != 0) {
738 				trace_pkt("   ignored unauthorized %s",
739 				    addrname(RIP_DEFAULT, 0, 0));
740 				break;
741 			}
742 
743 			new.rts_gate = FROM_NADDR;
744 			new.rts_router = FROM_NADDR;
745 			new.rts_metric = HOPCNT_INFINITY-1;
746 			new.rts_tag = n->n_tag;
747 			new.rts_time = now.tv_sec;
748 			new.rts_ifp = ifp;
749 			new.rts_de_ag = 0;
750 			new.rts_origin = RO_RIP;
751 			/*
752 			 * Add the newly generated default route, but don't
753 			 * propagate the madness.  Treat it the same way as
754 			 * default routes learned from Router Discovery.
755 			 */
756 			input_route(RIP_DEFAULT, 0, &new, n, RS_NOPROPAGATE);
757 			return;
758 		}
759 
760 		if (!IS_IFF_ROUTING(ifp->int_if_flags)) {
761 			/*
762 			 * We don't want to propagate routes which would
763 			 * result in a black-hole.
764 			 */
765 			rt_state = RS_NOPROPAGATE;
766 		}
767 
768 		do {
769 			if (n->n_family == RIP_AF_AUTH)
770 				continue;
771 
772 			n->n_metric = ntohl(n->n_metric);
773 			dst = n->n_dst;
774 			if (n->n_family != RIP_AF_INET &&
775 			    (n->n_family != RIP_AF_UNSPEC ||
776 			    dst != RIP_DEFAULT)) {
777 				msglim(&bad_router, FROM_NADDR,
778 				    "route from %s to unsupported"
779 				    " address family=%d destination=%s",
780 				    naddr_ntoa(FROM_NADDR), n->n_family,
781 				    naddr_ntoa(dst));
782 				continue;
783 			}
784 			if (!check_dst(dst)) {
785 				msglim(&bad_router, FROM_NADDR,
786 				    "bad destination %s from %s",
787 				    naddr_ntoa(dst),
788 				    naddr_ntoa(FROM_NADDR));
789 				continue;
790 			}
791 			if (n->n_metric == 0 || n->n_metric > HOPCNT_INFINITY) {
792 				msglim(&bad_router, FROM_NADDR,
793 				    "bad metric %d from %s"
794 				    " for destination %s",
795 				    n->n_metric, naddr_ntoa(FROM_NADDR),
796 				    naddr_ntoa(dst));
797 				continue;
798 			}
799 
800 			/*
801 			 * Notice the next-hop.
802 			 */
803 			gate = FROM_NADDR;
804 			if (n->n_nhop != 0) {
805 				if (rip->rip_vers == RIPv1) {
806 					n->n_nhop = 0;
807 				} else {
808 					/* Use it only if it is valid. */
809 					if (on_net(n->n_nhop,
810 					    ifp->int_net, ifp->int_mask) &&
811 					    check_dst(n->n_nhop)) {
812 						gate = n->n_nhop;
813 					} else {
814 						msglim(&bad_nhop,
815 						    FROM_NADDR,
816 						    "router %s to %s"
817 						    " has bad next hop %s",
818 						    naddr_ntoa(FROM_NADDR),
819 						    naddr_ntoa(dst),
820 						    naddr_ntoa(n->n_nhop));
821 						n->n_nhop = 0;
822 					}
823 				}
824 			}
825 
826 			if (rip->rip_vers == RIPv1 ||
827 			    0 == (mask = ntohl(n->n_mask))) {
828 				mask = ripv1_mask_host(dst, ifp);
829 			} else if ((ntohl(dst) & ~mask) != 0) {
830 				msglim(&bad_mask, FROM_NADDR,
831 				    "router %s sent bad netmask %s with %s",
832 				    naddr_ntoa(FROM_NADDR),
833 				    naddr_ntoa(htonl(mask)),
834 				    naddr_ntoa(dst));
835 				continue;
836 			}
837 
838 			if (mask == HOST_MASK &&
839 			    (ifp->int_state & IS_NO_HOST)) {
840 				trace_pkt("   ignored host route %s",
841 				    addrname(dst, mask, 0));
842 				continue;
843 			}
844 
845 			if (rip->rip_vers == RIPv1)
846 				n->n_tag = 0;
847 
848 			/*
849 			 * Adjust metric according to incoming interface cost.
850 			 * We intentionally don't drop incoming routes with
851 			 * metric 15 on the floor even though they will
852 			 * not be advertised to other routers.  We can use
853 			 * such routes locally, resulting in a network with
854 			 * a maximum width of 15 hops rather than 14.
855 			 */
856 			n->n_metric += ifp->int_metric;
857 			if (n->n_metric > HOPCNT_INFINITY)
858 				n->n_metric = HOPCNT_INFINITY;
859 
860 			/*
861 			 * Should we trust this route from this router?
862 			 */
863 			if (tg != NULL && (tn = tg->tgate_nets)->mask != 0) {
864 				for (i = 0; i < MAX_TGATE_NETS; i++, tn++) {
865 					if (on_net(dst, tn->net, tn->mask) &&
866 					    tn->mask <= mask)
867 						break;
868 				}
869 				if (i >= MAX_TGATE_NETS || tn->mask == 0) {
870 					trace_pkt("   ignored unauthorized %s",
871 					    addrname(dst, mask, 0));
872 					continue;
873 				}
874 			}
875 
876 			/*
877 			 * Recognize and ignore a default route we faked
878 			 * which is being sent back to us by a machine with
879 			 * broken split-horizon. Be a little more paranoid
880 			 * than that, and reject default routes with the
881 			 * same metric we advertised.
882 			 */
883 			if (ifp->int_d_metric != 0 && dst == RIP_DEFAULT &&
884 			    n->n_metric >= ifp->int_d_metric)
885 				continue;
886 
887 			/*
888 			 * We can receive aggregated RIPv2 routes that must
889 			 * be broken down before they are transmitted by
890 			 * RIPv1 via an interface on a subnet. We might
891 			 * also receive the same routes aggregated via
892 			 * other RIPv2 interfaces.  This could cause
893 			 * duplicate routes to be sent on the RIPv1
894 			 * interfaces. "Longest matching variable length
895 			 * netmasks" lets RIPv2 listeners understand, but
896 			 * breaking down the aggregated routes for RIPv1
897 			 * listeners can produce duplicate routes.
898 			 *
899 			 * Breaking down aggregated routes here bloats the
900 			 * daemon table, but does not hurt the kernel
901 			 * table, since routes are always aggregated for
902 			 * the kernel.
903 			 *
904 			 * Notice that this does not break down network
905 			 * routes corresponding to subnets. This is part of
906 			 * the defense against RS_NET_SYN.
907 			 */
908 			if (have_ripv1_out &&
909 			    (((rt = rtget(dst, mask)) == NULL ||
910 			    !(rt->rt_state & RS_NET_SYN))) &&
911 			    (v1_mask = ripv1_mask_net(dst, 0)) > mask) {
912 				/* Get least significant set bit */
913 				ddst_h = v1_mask & -v1_mask;
914 				i = (v1_mask & ~mask)/ddst_h;
915 				/*
916 				 * If you're going to make 512 or more
917 				 * routes, then that's just too many.  The
918 				 * reason here is that breaking an old
919 				 * class B into /24 allocations is common
920 				 * enough that allowing for the creation of
921 				 * at least 256 deaggregated routes is
922 				 * good.  The next power of 2 is 512.
923 				 */
924 				if (i >= 511) {
925 					/*
926 					 * Punt if we would have to
927 					 * generate an unreasonable number
928 					 * of routes.
929 					 */
930 					if (TRACECONTENTS)
931 						trace_misc("accept %s-->%s as 1"
932 						    " instead of %d routes",
933 						    addrname(dst, mask, 0),
934 						    naddr_ntoa(FROM_NADDR),
935 						    i + 1);
936 					i = 0;
937 				} else {
938 					mask = v1_mask;
939 				}
940 			} else {
941 				i = 0;
942 			}
943 
944 			new.rts_gate = gate;
945 			new.rts_router = FROM_NADDR;
946 			new.rts_metric = n->n_metric;
947 			new.rts_tag = n->n_tag;
948 			new.rts_time = now.tv_sec;
949 			new.rts_ifp = ifp;
950 			new.rts_de_ag = i;
951 			new.rts_origin = RO_RIP;
952 			j = 0;
953 			for (;;) {
954 				input_route(dst, mask, &new, n, rt_state);
955 				if (++j > i)
956 					break;
957 				dst = htonl(ntohl(dst) + ddst_h);
958 			}
959 		} while (++n < lim);
960 		return;
961 	case RIPCMD_POLLENTRY:
962 		/*
963 		 * With this command one can request a single entry.
964 		 * Both silent processes and routers can respond to this
965 		 * command
966 		 */
967 
968 		if (n >= lim) {
969 			msglim(&bad_len, FROM_NADDR, "empty request from %s",
970 			    naddr_ntoa(FROM_NADDR));
971 			return;
972 		}
973 		if (cc%sizeof (*n) != sizeof (struct rip)%sizeof (*n)) {
974 			msglim(&bad_len, FROM_NADDR,
975 			    "request of bad length (%d) from %s",
976 			    cc, naddr_ntoa(FROM_NADDR));
977 		}
978 
979 		if (rip->rip_vers == RIPv2 && (ifp == NULL ||
980 		    (ifp->int_state & IS_NO_RIPV1_OUT))) {
981 			v12buf.buf->rip_vers = RIPv2;
982 		} else {
983 			v12buf.buf->rip_vers = RIPv1;
984 		}
985 		/* Dont bother with md5 authentication with POLLENTRY */
986 		ap = NULL;
987 		clr_ws_buf(&v12buf, ap);
988 
989 		n->n_metric = ntohl(n->n_metric);
990 
991 		if (n->n_family != RIP_AF_INET) {
992 			msglim(&bad_router, FROM_NADDR,
993 			    "POLLENTRY request from %s for unsupported"
994 			    " (af %d) %s",
995 			    naddr_ntoa(FROM_NADDR),
996 			    ntohs(n->n_family),
997 			    naddr_ntoa(n->n_dst));
998 			return;
999 		}
1000 
1001 		/* We are being asked about a specific destination. */
1002 		v12buf.n->n_dst = dst = n->n_dst;
1003 		v12buf.n->n_family = RIP_AF_INET;
1004 		if (!check_dst(dst)) {
1005 			msglim(&bad_router, FROM_NADDR,
1006 			    "bad queried destination %s from %s",
1007 			    naddr_ntoa(dst),
1008 			    naddr_ntoa(FROM_NADDR));
1009 			v12buf.n->n_metric = HOPCNT_INFINITY;
1010 			goto pollentry_done;
1011 		}
1012 
1013 		/* decide what mask was intended */
1014 		if (rip->rip_vers == RIPv1 ||
1015 		    0 == (mask = ntohl(n->n_mask)) ||
1016 		    0 != (ntohl(dst) & ~mask))
1017 			mask = ripv1_mask_host(dst, ifp);
1018 
1019 		/* try to find the answer */
1020 		rt = rtget(dst, mask);
1021 		if (rt == NULL && dst != RIP_DEFAULT)
1022 			rt = rtfind(n->n_dst);
1023 
1024 		if (v12buf.buf->rip_vers != RIPv1)
1025 			v12buf.n->n_mask = htonl(mask);
1026 		if (rt == NULL) {
1027 			/* we do not have the answer */
1028 			v12buf.n->n_metric = HOPCNT_INFINITY;
1029 			goto pollentry_done;
1030 		}
1031 
1032 
1033 		/*
1034 		 * we have the answer, so compute the right metric and next
1035 		 * hop.
1036 		 */
1037 		v12buf.n->n_metric = rt->rt_metric + 1;
1038 		if (v12buf.n->n_metric > HOPCNT_INFINITY)
1039 			v12buf.n->n_metric = HOPCNT_INFINITY;
1040 		if (v12buf.buf->rip_vers != RIPv1) {
1041 			v12buf.n->n_tag = rt->rt_tag;
1042 			if (ifp != NULL &&
1043 			    on_net(rt->rt_gate, ifp->int_net, ifp->int_mask) &&
1044 			    rt->rt_gate != ifp->int_addr)
1045 				v12buf.n->n_nhop = rt->rt_gate;
1046 		}
1047 pollentry_done:
1048 		v12buf.n->n_metric = htonl(v12buf.n->n_metric);
1049 
1050 		/*
1051 		 * Send the answer about specific routes.
1052 		 */
1053 		(void) output(OUT_QUERY, from, ifp, v12buf.buf,
1054 		    ((char *)v12buf.n - (char *)v12buf.buf));
1055 		break;
1056 	}
1057 #undef FROM_NADDR
1058 }
1059 
1060 
1061 /*
1062  * Process a single input route.
1063  */
1064 void
1065 input_route(in_addr_t dst,			/* network order */
1066     in_addr_t mask,
1067     struct rt_spare *new,
1068     struct netinfo *n,
1069     uint16_t rt_state)
1070 {
1071 	int i;
1072 	struct rt_entry *rt;
1073 	struct rt_spare *rts, *rts0;
1074 	struct interface *ifp1;
1075 	struct rt_spare *ptr;
1076 	size_t ptrsize;
1077 
1078 	/*
1079 	 * See if we can already get there by a working interface.  Ignore
1080 	 * if so.
1081 	 */
1082 	ifp1 = ifwithaddr(dst, _B_TRUE, _B_FALSE);
1083 	if (ifp1 != NULL && (ifp1->int_state & IS_PASSIVE))
1084 		return;
1085 
1086 	/*
1087 	 * Look for the route in our table.
1088 	 */
1089 	rt = rtget(dst, mask);
1090 
1091 	/* Consider adding the route if we do not already have it. */
1092 	if (rt == NULL) {
1093 		/* Ignore unknown routes being poisoned. */
1094 		if (new->rts_metric == HOPCNT_INFINITY)
1095 			return;
1096 
1097 		/* Ignore the route if it points to us */
1098 		if (n != NULL && n->n_nhop != 0 &&
1099 		    NULL != ifwithaddr(n->n_nhop, _B_TRUE, _B_FALSE))
1100 			return;
1101 
1102 		/*
1103 		 * If something has not gone crazy and tried to fill
1104 		 * our memory, accept the new route.
1105 		 */
1106 		rtadd(dst, mask, rt_state, new);
1107 		return;
1108 	}
1109 
1110 	/*
1111 	 * We already know about the route.  Consider this update.
1112 	 *
1113 	 * If (rt->rt_state & RS_NET_SYN), then this route
1114 	 * is the same as a network route we have inferred
1115 	 * for subnets we know, in order to tell RIPv1 routers
1116 	 * about the subnets.
1117 	 *
1118 	 * It is impossible to tell if the route is coming
1119 	 * from a distant RIPv2 router with the standard
1120 	 * netmask because that router knows about the entire
1121 	 * network, or if it is a round-about echo of a
1122 	 * synthetic, RIPv1 network route of our own.
1123 	 * The worst is that both kinds of routes might be
1124 	 * received, and the bad one might have the smaller
1125 	 * metric.  Partly solve this problem by never
1126 	 * aggregating into such a route.  Also keep it
1127 	 * around as long as the interface exists.
1128 	 */
1129 
1130 	rts0 = rt->rt_spares;
1131 	for (rts = rts0, i = rt->rt_num_spares; i != 0; i--, rts++) {
1132 		if (rts->rts_router == new->rts_router)
1133 			break;
1134 		/*
1135 		 * Note the worst slot to reuse,
1136 		 * other than the current slot.
1137 		 */
1138 		if (BETTER_LINK(rt, rts0, rts))
1139 			rts0 = rts;
1140 	}
1141 	if (i != 0) {
1142 		/*
1143 		 * Found a route from the router already in the table.
1144 		 */
1145 
1146 		/*
1147 		 * If the new route is a route broken down from an
1148 		 * aggregated route, and if the previous route is either
1149 		 * not a broken down route or was broken down from a finer
1150 		 * netmask, and if the previous route is current,
1151 		 * then forget this one.
1152 		 */
1153 		if (new->rts_de_ag > rts->rts_de_ag &&
1154 		    now_stale <= rts->rts_time)
1155 			return;
1156 
1157 		/*
1158 		 * Keep poisoned routes around only long enough to pass
1159 		 * the poison on.  Use a new timestamp for good routes.
1160 		 */
1161 		if (rts->rts_metric == HOPCNT_INFINITY &&
1162 		    new->rts_metric == HOPCNT_INFINITY)
1163 			new->rts_time = rts->rts_time;
1164 
1165 		/*
1166 		 * If this is an update for the router we currently prefer,
1167 		 * then note it.
1168 		 */
1169 		if (i == rt->rt_num_spares) {
1170 			uint8_t old_metric = rts->rts_metric;
1171 
1172 			rtchange(rt, rt->rt_state | rt_state, new, 0);
1173 			/*
1174 			 * If the route got worse, check for something better.
1175 			 */
1176 			if (new->rts_metric != old_metric)
1177 				rtswitch(rt, 0);
1178 			return;
1179 		}
1180 
1181 		/*
1182 		 * This is an update for a spare route.
1183 		 * Finished if the route is unchanged.
1184 		 */
1185 		if (rts->rts_gate == new->rts_gate &&
1186 		    rts->rts_metric == new->rts_metric &&
1187 		    rts->rts_tag == new->rts_tag) {
1188 			if ((rt->rt_dst == RIP_DEFAULT) &&
1189 			    (rts->rts_ifp != new->rts_ifp))
1190 				trace_misc("input_route update for spare");
1191 			trace_upslot(rt, rts, new);
1192 			*rts = *new;
1193 			return;
1194 		}
1195 
1196 		/*
1197 		 * Forget it if it has gone bad.
1198 		 */
1199 		if (new->rts_metric == HOPCNT_INFINITY) {
1200 			rts_delete(rt, rts);
1201 			return;
1202 		}
1203 
1204 	} else {
1205 		/*
1206 		 * The update is for a route we know about,
1207 		 * but not from a familiar router.
1208 		 *
1209 		 * Ignore the route if it points to us.
1210 		 */
1211 		if (n != NULL && n->n_nhop != 0 &&
1212 		    NULL != ifwithaddr(n->n_nhop, _B_TRUE, _B_FALSE))
1213 			return;
1214 
1215 		/* the loop above set rts0=worst spare */
1216 		if (rts0->rts_metric < HOPCNT_INFINITY) {
1217 			ptrsize = (rt->rt_num_spares + SPARE_INC) *
1218 			    sizeof (struct rt_spare);
1219 			ptr = realloc(rt->rt_spares, ptrsize);
1220 			if (ptr != NULL) {
1221 
1222 				rt->rt_spares = ptr;
1223 				rts0 = &rt->rt_spares[rt->rt_num_spares];
1224 				(void) memset(rts0, 0,
1225 				    SPARE_INC * sizeof (struct rt_spare));
1226 				rt->rt_num_spares += SPARE_INC;
1227 				for (rts = rts0, i = SPARE_INC;
1228 				    i != 0; i--, rts++)
1229 					rts->rts_metric = HOPCNT_INFINITY;
1230 			}
1231 		}
1232 		rts = rts0;
1233 
1234 		/*
1235 		 * Save the route as a spare only if it has
1236 		 * a better metric than our worst spare.
1237 		 * This also ignores poisoned routes (those
1238 		 * received with metric HOPCNT_INFINITY).
1239 		 */
1240 		if (new->rts_metric >= rts->rts_metric)
1241 			return;
1242 	}
1243 	trace_upslot(rt, rts, new);
1244 	*rts = *new;
1245 
1246 	/* try to switch to a better route */
1247 	rtswitch(rt, rts);
1248 }
1249 
1250 /*
1251  * Recorded information about peer's MD5 sequence numbers.  This is
1252  * used to validate that received sequence numbers are in
1253  * non-decreasing order as per the RFC.
1254  */
1255 struct peer_hash {
1256 	struct peer_hash *ph_next;
1257 	in_addr_t ph_addr;
1258 	time_t ph_heard;
1259 	uint32_t ph_seqno;
1260 };
1261 
1262 static struct peer_hash **peer_hashes;
1263 static int ph_index;
1264 static int ph_num_peers;
1265 
1266 /*
1267  * Get a peer_hash structure from the hash of known peers.  Create a
1268  * new one if not found.  Returns NULL on unrecoverable allocation
1269  * failure.
1270  */
1271 static struct peer_hash *
1272 get_peer_info(in_addr_t from)
1273 {
1274 	struct peer_hash *php;
1275 	struct peer_hash *pnhp;
1276 	struct peer_hash **ph_pp;
1277 	struct peer_hash **ph2_pp;
1278 	struct peer_hash **ph3_pp;
1279 	int i;
1280 	static uint_t failed_count;
1281 
1282 	if (peer_hashes == NULL) {
1283 		peer_hashes = calloc(hash_table_sizes[0],
1284 		    sizeof (peer_hashes[0]));
1285 		if (peer_hashes == NULL) {
1286 			if (++failed_count % 100 == 1)
1287 				msglog("no memory for peer hash");
1288 			return (NULL);
1289 		}
1290 	}
1291 	/* Search for peer in existing hash table */
1292 	ph_pp = peer_hashes + (from % hash_table_sizes[ph_index]);
1293 	for (php = ph_pp[0]; php != NULL; php = php->ph_next) {
1294 		if (php->ph_addr == from)
1295 			return (php);
1296 	}
1297 	/*
1298 	 * Not found; we need to add this peer to the table.  If there
1299 	 * are already too many peers, then try to expand the table
1300 	 * first.  It's not a big deal if we can't expand the table
1301 	 * right now due to memory constraints.  We'll try again
1302 	 * later.
1303 	 */
1304 	if (ph_num_peers >= hash_table_sizes[ph_index] * 5 &&
1305 	    hash_table_sizes[ph_index + 1] != 0 &&
1306 	    (ph_pp = calloc(hash_table_sizes[ph_index + 1],
1307 	    sizeof (peer_hashes[0]))) != NULL) {
1308 		ph2_pp = peer_hashes;
1309 		for (i = hash_table_sizes[ph_index] - 1; i >= 0; i--) {
1310 			for (php = ph2_pp[i]; php != NULL; php = pnhp) {
1311 				pnhp = php->ph_next;
1312 				ph3_pp = ph_pp + (php->ph_addr %
1313 				    hash_table_sizes[ph_index + 1]);
1314 				php->ph_next = ph3_pp[0];
1315 				ph3_pp[0] = php;
1316 			}
1317 		}
1318 		ph_index++;
1319 		free(peer_hashes);
1320 		peer_hashes = ph_pp;
1321 		ph_pp += from % hash_table_sizes[ph_index];
1322 	}
1323 	php = calloc(sizeof (*php), 1);
1324 	if (php == NULL) {
1325 		if (++failed_count % 100 == 1)
1326 			msglog("no memory for peer hash entry");
1327 	} else {
1328 		php->ph_addr = from;
1329 		php->ph_heard = now.tv_sec;
1330 		php->ph_next = ph_pp[0];
1331 		ph_pp[0] = php;
1332 		ph_num_peers++;
1333 	}
1334 	return (php);
1335 }
1336 
1337 /*
1338  * Age out entries in the peer table.  This is called every time we do
1339  * a normal 30 second broadcast.
1340  */
1341 void
1342 age_peer_info(void)
1343 {
1344 	struct peer_hash *php;
1345 	struct peer_hash *next_ph;
1346 	struct peer_hash *prev_ph;
1347 	struct peer_hash **ph_pp;
1348 	int i;
1349 
1350 	/*
1351 	 * Scan through the list and remove peers that should not
1352 	 * still have valid authenticated entries in the routing
1353 	 * table.
1354 	 */
1355 	if ((ph_pp = peer_hashes) == NULL || ph_num_peers == 0)
1356 		return;
1357 	for (i = hash_table_sizes[ph_index] - 1; i >= 0; i--) {
1358 		prev_ph = NULL;
1359 		for (php = ph_pp[i]; php != NULL; php = next_ph) {
1360 			next_ph = php->ph_next;
1361 			if (php->ph_heard <= now_expire) {
1362 				if (prev_ph == NULL)
1363 					ph_pp[i] = next_ph;
1364 				else
1365 					prev_ph->ph_next = next_ph;
1366 				free(php);
1367 				if (--ph_num_peers == 0)
1368 					return;
1369 			} else {
1370 				prev_ph = php;
1371 			}
1372 		}
1373 	}
1374 }
1375 
1376 static boolean_t		/* _B_FALSE if bad, _B_TRUE if good */
1377 ck_passwd(struct interface *aifp,
1378     struct rip *rip,
1379     uint8_t *lim,
1380     in_addr_t from,
1381     struct msg_limit *use_authp)
1382 {
1383 #define	NA (rip->rip_auths)
1384 	struct netauth *na2;
1385 	struct auth *ap;
1386 	MD5_CTX md5_ctx;
1387 	uchar_t hash[RIP_AUTH_PW_LEN];
1388 	int i, len;
1389 	struct peer_hash *php;
1390 	uint32_t seqno;
1391 
1392 	if ((uint8_t *)NA >= lim || NA->a_family != RIP_AF_AUTH) {
1393 		msglim(use_authp, from, "missing auth data from %s",
1394 		    naddr_ntoa(from));
1395 		return (_B_FALSE);
1396 	}
1397 
1398 	/*
1399 	 * Validate sequence number on RIPv2 responses using keyed MD5
1400 	 * authentication per RFC 2082 section 3.2.2.  Note that if we
1401 	 * can't locate the peer information (due to transient
1402 	 * allocation problems), then we don't do the test.  Also note
1403 	 * that we assume that all sequence numbers 0x80000000 or more
1404 	 * away are "less than."
1405 	 *
1406 	 * We intentionally violate RFC 2082 with respect to one case:
1407 	 * restablishing contact.  The RFC says that you should
1408 	 * continue to ignore old sequence numbers in this case but
1409 	 * make a special allowance for 0.  This is extremely foolish.
1410 	 * The problem is that if the router has crashed, it's
1411 	 * entirely possible that either we'll miss sequence zero (or
1412 	 * that it might not even send it!) or that the peer doesn't
1413 	 * remember what it last used for a sequence number.  In
1414 	 * either case, we'll create a failure state that persists
1415 	 * until the sequence number happens to advance past the last
1416 	 * one we saw.  This is bad because it means that we may have
1417 	 * to wait until the router has been up for at least as long
1418 	 * as it was last time before we even pay attention to it.
1419 	 * Meanwhile, other routers may listen to it if they hadn't
1420 	 * seen it before (i.e., if they crashed in the meantime).
1421 	 * This means -- perversely -- that stable systems that stay
1422 	 * "up" for a long time pay a penalty for doing so.
1423 	 */
1424 	if (rip->rip_cmd == RIPCMD_RESPONSE && NA->a_type == RIP_AUTH_MD5 &&
1425 	    (php = get_peer_info(from)) != NULL) {
1426 		/*
1427 		 * If the entry that we find has been updated
1428 		 * recently enough that the routes are known
1429 		 * to still be good, but the sequence number
1430 		 * looks bad, then discard the packet.
1431 		 */
1432 		seqno = ntohl(NA->au.a_md5.md5_seqno);
1433 		if (php->ph_heard > now_expire && php->ph_seqno != 0 &&
1434 		    (seqno == 0 || ((seqno - php->ph_seqno) & 0x80000000ul))) {
1435 			msglim(use_authp, from,
1436 			    "discarding sequence %x (older than %x)",
1437 			    (unsigned)seqno, (unsigned)php->ph_seqno);
1438 			return (_B_FALSE);
1439 		}
1440 		php->ph_heard = now.tv_sec;
1441 		php->ph_seqno = seqno;
1442 	}
1443 
1444 	/*
1445 	 * accept any current (+/- 24 hours) password
1446 	 */
1447 	for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) {
1448 		if (ap->type != NA->a_type ||
1449 		    (ulong_t)ap->start > (ulong_t)clk.tv_sec+DAY ||
1450 		    (ulong_t)ap->end+DAY < (ulong_t)clk.tv_sec)
1451 			continue;
1452 
1453 		if (NA->a_type == RIP_AUTH_PW) {
1454 			if (0 == memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN))
1455 				return (_B_TRUE);
1456 
1457 		} else {
1458 			/*
1459 			 * accept MD5 secret with the right key ID
1460 			 */
1461 			if (NA->au.a_md5.md5_keyid != ap->keyid)
1462 				continue;
1463 
1464 			len = ntohs(NA->au.a_md5.md5_pkt_len);
1465 			if ((len - sizeof (*rip)) % sizeof (*NA) != 0 ||
1466 			    len > (lim - (uint8_t *)rip - sizeof (*NA))) {
1467 				msglim(use_authp, from,
1468 				    "wrong MD5 RIPv2 packet length of %d"
1469 				    " instead of %d from %s",
1470 				    len, lim - (uint8_t *)rip - sizeof (*NA),
1471 				    naddr_ntoa(from));
1472 				return (_B_FALSE);
1473 			}
1474 			na2 = (struct netauth *)(rip->rip_nets +
1475 			    (len - 4) / sizeof (struct netinfo));
1476 
1477 			/*
1478 			 * Given a good hash value, these are not security
1479 			 * problems so be generous and accept the routes,
1480 			 * after complaining.
1481 			 */
1482 			if (TRACEPACKETS) {
1483 				if (NA->au.a_md5.md5_auth_len !=
1484 				    RIP_AUTH_MD5_LEN)
1485 					msglim(use_authp, from,
1486 					    "unknown MD5 RIPv2 auth len %#x"
1487 					    " instead of %#x from %s",
1488 					    NA->au.a_md5.md5_auth_len,
1489 					    RIP_AUTH_MD5_LEN,
1490 					    naddr_ntoa(from));
1491 				if (na2->a_family != RIP_AF_AUTH)
1492 					msglim(use_authp, from,
1493 					    "unknown MD5 RIPv2 family %#x"
1494 					    " instead of %#x from %s",
1495 					    na2->a_family, RIP_AF_AUTH,
1496 					    naddr_ntoa(from));
1497 				if (na2->a_type != RIP_AUTH_TRAILER)
1498 					msglim(use_authp, from,
1499 					    "MD5 RIPv2 hash has %#x"
1500 					    " instead of %#x from %s",
1501 					    ntohs(na2->a_type),
1502 					    ntohs(RIP_AUTH_TRAILER),
1503 					    naddr_ntoa(from));
1504 			}
1505 
1506 			MD5Init(&md5_ctx);
1507 			/*
1508 			 * len+4 to include auth trailer's family/type in
1509 			 * MD5 sum
1510 			 */
1511 			MD5Update(&md5_ctx, (uchar_t *)rip, len + 4);
1512 			MD5Update(&md5_ctx, ap->key, RIP_AUTH_MD5_LEN);
1513 			MD5Final(hash, &md5_ctx);
1514 			if (0 == memcmp(hash, na2->au.au_pw, sizeof (hash)))
1515 				return (_B_TRUE);
1516 		}
1517 	}
1518 
1519 	msglim(use_authp, from, "bad auth data from %s",
1520 	    naddr_ntoa(from));
1521 	return (_B_FALSE);
1522 #undef NA
1523 }
1524