[exim.git] / src / src / lookups / dnsdb.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */

#include "../exim.h"
#include "lf_functions.h"


/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
header files. */

#ifndef T_TXT
#define T_TXT 16
#endif

/* Many systems do not have T_SPF. */
#ifndef T_SPF
#define T_SPF 99
#endif

/* New TLSA record for DANE */
#ifndef T_TLSA
#define T_TLSA 52
#endif

/* Table of recognized DNS record types and their integer values. */

static const char *type_names[] = {
  "a",
#if HAVE_IPV6
  "a+",
  "aaaa",
  #ifdef SUPPORT_A6
  "a6",
  #endif
#endif
  "cname",
  "csa",
  "mx",
  "mxh",
  "ns",
  "ptr",
  "spf",
  "srv",
  "tlsa",
  "txt",
  "zns"
};

static int type_values[] = {
  T_A,
#if HAVE_IPV6
  T_APL,     /* Private type for AAAA + A */
  T_AAAA,
  #ifdef SUPPORT_A6
  T_A6,
  #endif
#endif
  T_CNAME,
  T_CSA,     /* Private type for "Client SMTP Authorization". */
  T_MX,
  T_MXH,     /* Private type for "MX hostnames" */
  T_NS,
  T_PTR,
  T_SPF,
  T_SRV,
  T_TLSA,
  T_TXT,
  T_ZNS      /* Private type for "zone nameservers" */
};


/*************************************************
*              Open entry point                  *
*************************************************/

/* See local README for interface description. */

static void *
dnsdb_open(uschar *filename, uschar **errmsg)
{
filename = filename;   /* Keep picky compilers happy */
errmsg = errmsg;       /* Ditto */
return (void *)(-1);   /* Any non-0 value */
}


/*************************************************
*           Find entry point for dnsdb           *
*************************************************/

/* See local README for interface description. The query in the "keystring" may
consist of a number of parts.

(a) If the first significant character is '>' then the next character is the
separator character that is used when multiple records are found. The default
separator is newline.

(b) If the next character is ',' then the next character is the separator
character used for multiple items of text in "TXT" records. Alternatively,
if the next character is ';' then these multiple items are concatenated with
no separator. With neither of these options specified, only the first item
is output.  Similarly for "SPF" records, but the default for joining multiple
items in one SPF record is the empty string, for direct concatenation.

(c) If the next sequence of characters is 'defer_FOO' followed by a comma,
the defer behaviour is set to FOO. The possible behaviours are: 'strict', where
any defer causes the whole lookup to defer; 'lax', where a defer causes the
whole lookup to defer only if none of the DNS queries succeeds; and 'never',
where all defers are as if the lookup failed. The default is 'lax'.

(d) Another optional comma-sep field: 'dnssec_FOO', with 'strict', 'lax'
and 'never' (default); can appear before or after (c).  The meanings are
require, try and don't-try dnssec respectively.

(e) If the next sequence of characters is a sequence of letters and digits
followed by '=', it is interpreted as the name of the DNS record type. The
default is "TXT".

(f) Then there follows list of domain names. This is a generalized Exim list,
which may start with '<' in order to set a specific separator. The default
separator, as always, is colon. */

static int
dnsdb_find(void *handle, uschar *filename, uschar *keystring, int length,
  uschar **result, uschar **errmsg, BOOL *do_cache)
{
int rc;
int size = 256;
int ptr = 0;
int sep = 0;
int defer_mode = PASS;
int dnssec_mode = OK;
int type;
int failrc = FAIL;
uschar *outsep = US"\n";
uschar *outsep2 = NULL;
uschar *equals, *domain, *found;
uschar buffer[256];

/* Because we're the working in the search pool, we try to reclaim as much
store as possible later, so we preallocate the result here */

uschar *yield = store_get(size);

dns_record *rr;
dns_answer dnsa;
dns_scan dnss;

handle = handle;           /* Keep picky compilers happy */
filename = filename;
length = length;
do_cache = do_cache;

/* If the string starts with '>' we change the output separator.
If it's followed by ';' or ',' we set the TXT output separator. */

while (isspace(*keystring)) keystring++;
if (*keystring == '>')
  {
  outsep = keystring + 1;
  keystring += 2;
  if (*keystring == ',')
    {
    outsep2 = keystring + 1;
    keystring += 2;
    }
  else if (*keystring == ';')
    {
    outsep2 = US"";
    keystring++;
    }
  while (isspace(*keystring)) keystring++;
  }

/* Check for a modifier keyword. */

while (  strncmpic(keystring, US"defer_", 6) == 0
      || strncmpic(keystring, US"dnssec_", 7) == 0
      )
  {
  if (strncmpic(keystring, US"defer_", 6) == 0)
    {
    keystring += 6;
    if (strncmpic(keystring, US"strict", 6) == 0)
      {
      defer_mode = DEFER;
      keystring += 6;
      }
    else if (strncmpic(keystring, US"lax", 3) == 0)
      {
      defer_mode = PASS;
      keystring += 3;
      }
    else if (strncmpic(keystring, US"never", 5) == 0)
      {
      defer_mode = OK;
      keystring += 5;
      }
    else
      {
      *errmsg = US"unsupported dnsdb defer behaviour";
      return DEFER;
      }
    }
  else
    {
    keystring += 7;
    if (strncmpic(keystring, US"strict", 6) == 0)
      {
      dnssec_mode = DEFER;
      keystring += 6;
      }
    else if (strncmpic(keystring, US"lax", 3) == 0)
      {
      dnssec_mode = PASS;
      keystring += 3;
      }
    else if (strncmpic(keystring, US"never", 5) == 0)
      {
      dnssec_mode = OK;
      keystring += 5;
      }
    else
      {
      *errmsg = US"unsupported dnsdb dnssec behaviour";
      return DEFER;
      }
    }
  while (isspace(*keystring)) keystring++;
  if (*keystring++ != ',')
    {
    *errmsg = US"dnsdb modifier syntax error";
    return DEFER;
    }
  while (isspace(*keystring)) keystring++;
  }

/* Figure out the "type" value if it is not T_TXT.
If the keystring contains an = this must be preceded by a valid type name. */

type = T_TXT;
if ((equals = Ustrchr(keystring, '=')) != NULL)
  {
  int i, len;
  uschar *tend = equals;

  while (tend > keystring && isspace(tend[-1])) tend--;
  len = tend - keystring;

  for (i = 0; i < sizeof(type_names)/sizeof(uschar *); i++)
    {
    if (len == Ustrlen(type_names[i]) &&
        strncmpic(keystring, US type_names[i], len) == 0)
      {
      type = type_values[i];
      break;
      }
    }

  if (i >= sizeof(type_names)/sizeof(uschar *))
    {
    *errmsg = US"unsupported DNS record type";
    return DEFER;
    }

  keystring = equals + 1;
  while (isspace(*keystring)) keystring++;
  }

/* Initialize the resolver in case this is the first time it has been used. */

dns_init(FALSE, FALSE, dnssec_mode != OK);

/* The remainder of the string must be a list of domains. As long as the lookup
for at least one of them succeeds, we return success. Failure means that none
of them were found.

The original implementation did not support a list of domains. Adding the list
feature is compatible, except in one case: when PTR records are being looked up
for a single IPv6 address. Fortunately, we can hack in a compatibility feature
here: If the type is PTR and no list separator is specified, and the entire
remaining string is valid as an IP address, set an impossible separator so that
it is treated as one item. */

if (type == T_PTR && keystring[0] != '<' &&
    string_is_ip_address(keystring, NULL) != 0)
  sep = -1;

/* SPF strings should be concatenated without a separator, thus make
it the default if not defined (see RFC 4408 section 3.1.3).
Multiple SPF records are forbidden (section 3.1.2) but are currently
not handled specially, thus they are concatenated with \n by default. */

if (type == T_SPF && outsep2 == NULL)
  outsep2 = US"";

/* Now scan the list and do a lookup for each item */

while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer)))
        != NULL)
  {
  uschar rbuffer[256];
  int searchtype = (type == T_CSA)? T_SRV :         /* record type we want */
                   (type == T_MXH)? T_MX :
                   (type == T_ZNS)? T_NS : type;

  /* If the type is PTR or CSA, we have to construct the relevant magic lookup
  key if the original is an IP address (some experimental protocols are using
  PTR records for different purposes where the key string is a host name, and
  Exim's extended CSA can be keyed by domains or IP addresses). This code for
  doing the reversal is now in a separate function. */

  if ((type == T_PTR || type == T_CSA) &&
      string_is_ip_address(domain, NULL) != 0)
    {
    dns_build_reverse(domain, rbuffer);
    domain = rbuffer;
    }

  do
    {
    DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);

    /* Do the lookup and sort out the result. There are four special types that
    are handled specially: T_CSA, T_ZNS, T_APL and T_MXH.
    The first two are handled in a special lookup function so that the facility
    could be used from other parts of the Exim code. T_APL is handled by looping
    over the types of A lookup.  T_MXH affects only what happens later on in
    this function, but for tidiness it is handled by the "special". If the
    lookup fails, continue with the next domain. In the case of DEFER, adjust
    the final "nothing found" result, but carry on to the next domain. */

    found = domain;
#if HAVE_IPV6
    if (type == T_APL)		/* NB cannot happen unless HAVE_IPV6 */
      {
      if (searchtype == T_APL)
# if defined(SUPPORT_A6)
                                     searchtype = T_A6;
# else
                                     searchtype = T_AAAA;
# endif
      else if (searchtype == T_A6)   searchtype = T_AAAA;
      else if (searchtype == T_AAAA) searchtype = T_A;
      rc = dns_special_lookup(&dnsa, domain, searchtype, &found);
      }
    else
#endif
      rc = dns_special_lookup(&dnsa, domain, type, &found);

    lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
      : dns_is_secure(&dnsa) ? US"yes" : US"no";

    if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
    if (rc != DNS_SUCCEED)
      {
      if (defer_mode == DEFER)
	{
	dns_init(FALSE, FALSE, FALSE);
	return DEFER;					/* always defer */
	}
      if (defer_mode == PASS) failrc = DEFER;         /* defer only if all do */
      continue;                                       /* treat defer as fail */
      }
    if (dnssec_mode == DEFER && !dns_is_secure(&dnsa))
      {
      failrc = DEFER;
      continue;
      }


    /* Search the returned records */

    for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
         rr != NULL;
         rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
      {
      if (rr->type != searchtype) continue;

      /* There may be several addresses from an A6 record. Put the configured
      separator between them, just as for between several records. However, A6
      support is not normally configured these days. */

      if (type == T_A ||
          #ifdef SUPPORT_A6
          type == T_A6 ||
          #endif
          type == T_AAAA ||
	  type == T_APL)
        {
        dns_address *da;
        for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
          {
          if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
          yield = string_cat(yield, &size, &ptr, da->address,
            Ustrlen(da->address));
          }
        continue;
        }

      /* Other kinds of record just have one piece of data each, but there may be
      several of them, of course. */

      if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);

      if (type == T_TXT || type == T_SPF)
        {
        if (outsep2 == NULL)
          {
          /* output only the first item of data */
          yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
            (rr->data)[0]);
          }
        else
          {
          /* output all items */
          int data_offset = 0;
          while (data_offset < rr->size)
            {
            uschar chunk_len = (rr->data)[data_offset++];
            if (outsep2[0] != '\0' && data_offset != 1)
              yield = string_cat(yield, &size, &ptr, outsep2, 1);
            yield = string_cat(yield, &size, &ptr,
                             (uschar *)((rr->data)+data_offset), chunk_len);
            data_offset += chunk_len;
            }
          }
        }
      else if (type == T_TLSA)
        {
        uint8_t usage, selector, matching_type;
        uint16_t i, payload_length;
        uschar s[MAX_TLSA_EXPANDED_SIZE];
	uschar * sp = s;
        uschar *p = (uschar *)(rr->data);

        usage = *p++;
        selector = *p++;
        matching_type = *p++;
        /* What's left after removing the first 3 bytes above */
        payload_length = rr->size - 3;
        sp += sprintf(CS s, "%d %d %d ", usage, selector, matching_type);
        /* Now append the cert/identifier, one hex char at a time */
        for (i=0;
             i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
             i++)
          {
          sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
          }
        yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
        }
      else   /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
        {
        int priority, weight, port;
        uschar s[264];
        uschar *p = (uschar *)(rr->data);

        if (type == T_MXH)
          {
          /* mxh ignores the priority number and includes only the hostnames */
          GETSHORT(priority, p);
          }
        else if (type == T_MX)
          {
          GETSHORT(priority, p);
          sprintf(CS s, "%d ", priority);
          yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
          }
        else if (type == T_SRV)
          {
          GETSHORT(priority, p);
          GETSHORT(weight, p);
          GETSHORT(port, p);
          sprintf(CS s, "%d %d %d ", priority, weight, port);
          yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
          }
        else if (type == T_CSA)
          {
          /* See acl_verify_csa() for more comments about CSA. */

          GETSHORT(priority, p);
          GETSHORT(weight, p);
          GETSHORT(port, p);

          if (priority != 1) continue;      /* CSA version must be 1 */

          /* If the CSA record we found is not the one we asked for, analyse
          the subdomain assertions in the port field, else analyse the direct
          authorization status in the weight field. */

          if (found != domain)
            {
            if (port & 1) *s = 'X';         /* explicit authorization required */
            else *s = '?';                  /* no subdomain assertions here */
            }
          else
            {
            if (weight < 2) *s = 'N';       /* not authorized */
            else if (weight == 2) *s = 'Y'; /* authorized */
            else if (weight == 3) *s = '?'; /* unauthorizable */
            else continue;                  /* invalid */
            }

          s[1] = ' ';
          yield = string_cat(yield, &size, &ptr, s, 2);
          }

        /* GETSHORT() has advanced the pointer to the target domain. */

        rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
          (DN_EXPAND_ARG4_TYPE)(s), sizeof(s));

        /* If an overlong response was received, the data will have been
        truncated and dn_expand may fail. */

        if (rc < 0)
          {
          log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
            "domain=%s", dns_text_type(type), domain);
          break;
          }
        else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
        }
      }    /* Loop for list of returned records */

           /* Loop for set of A-lookupu types */
    } while (type == T_APL && searchtype != T_A);

  }        /* Loop for list of domains */

/* Reclaim unused memory */

store_reset(yield + ptr + 1);

/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
zero and return the result. */

dns_init(FALSE, FALSE, FALSE);	/* clear the dnssec bit for getaddrbyname */

if (ptr == 0) return failrc;
yield[ptr] = 0;
*result = yield;
return OK;
}


/*************************************************
*         Version reporting entry point          *
*************************************************/

/* See local README for interface description. */

#include "../version.h"

void
dnsdb_version_report(FILE *f)
{
#ifdef DYNLOOKUP
fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
#endif
}


static lookup_info _lookup_info = {
  US"dnsdb",                     /* lookup name */
  lookup_querystyle,             /* query style */
  dnsdb_open,                    /* open function */
  NULL,                          /* check function */
  dnsdb_find,                    /* find function */
  NULL,                          /* no close function */
  NULL,                          /* no tidy function */
  NULL,                          /* no quoting function */
  dnsdb_version_report           /* version reporting */
};

#ifdef DYNLOOKUP
#define dnsdb_lookup_module_info _lookup_module_info
#endif

static lookup_info *_lookup_list[] = { &_lookup_info };
lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };

/* vi: aw ai sw=2
*/
/* End of lookups/dnsdb.c */
Commit	Line	Data
0756eb3c PH	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
5a66c31b	5	/* Copyright (c) University of Cambridge 1995 - 2014 */
0756eb3c PH	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	#include "../exim.h"
	9	#include "lf_functions.h"
0756eb3c PH	10
	11
	12
	13	/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
	14	header files. */
	15
	16	#ifndef T_TXT
	17	#define T_TXT 16
	18	#endif
	19
eae0036b PP	20	/* Many systems do not have T_SPF. */
	21	#ifndef T_SPF
	22	#define T_SPF 99
	23	#endif
	24
1e06383a TL	25	/* New TLSA record for DANE */
	26	#ifndef T_TLSA
	27	#define T_TLSA 52
	28	#endif
	29
0756eb3c PH	30	/* Table of recognized DNS record types and their integer values. */
0756eb3c PH	31
1ba28e2b	32	static const char *type_names[] = {
0756eb3c PH	33	"a",
0756eb3c PH	34	#if HAVE_IPV6
3a796370	35	"a+",
0756eb3c PH	36	"aaaa",
	37	#ifdef SUPPORT_A6
	38	"a6",
	39	#endif
	40	#endif
	41	"cname",
e5a9dba6	42	"csa",
0756eb3c	43	"mx",
ea3bc19b	44	"mxh",
0756eb3c PH	45	"ns",
0756eb3c PH	46	"ptr",
eae0036b	47	"spf",
0756eb3c	48	"srv",
1e06383a	49	"tlsa",
33397d19	50	"txt",
8e669ac1	51	"zns"
33397d19	52	};
0756eb3c PH	53
	54	static int type_values[] = {
	55	T_A,
	56	#if HAVE_IPV6
3a796370	57	T_APL, /* Private type for AAAA + A */
0756eb3c PH	58	T_AAAA,
	59	#ifdef SUPPORT_A6
	60	T_A6,
	61	#endif
	62	#endif
	63	T_CNAME,
e5a9dba6	64	T_CSA, /* Private type for "Client SMTP Authorization". */
0756eb3c	65	T_MX,
ea3bc19b	66	T_MXH, /* Private type for "MX hostnames" */
0756eb3c PH	67	T_NS,
0756eb3c PH	68	T_PTR,
eae0036b	69	T_SPF,
0756eb3c	70	T_SRV,
1e06383a	71	T_TLSA,
33397d19 PH	72	T_TXT,
	73	T_ZNS /* Private type for "zone nameservers" */
	74	};
0756eb3c PH	75
	76
	77	/*************************************************
	78	* Open entry point *
	79	*************************************************/
	80
	81	/* See local README for interface description. */
	82
e6d225ae	83	static void *
0756eb3c PH	84	dnsdb_open(uschar filename, uschar *errmsg)
	85	{
	86	filename = filename; /* Keep picky compilers happy */
	87	errmsg = errmsg; /* Ditto */
	88	return (void )(-1); / Any non-0 value */
	89	}
	90
	91
	92
	93	/*************************************************
	94	* Find entry point for dnsdb *
	95	*************************************************/
	96
7bb56e1f PH	97	/* See local README for interface description. The query in the "keystring" may
	98	consist of a number of parts.
	99
8e669ac1 PH	100	(a) If the first significant character is '>' then the next character is the
8e669ac1 PH	101	separator character that is used when multiple records are found. The default
7bb56e1f PH	102	separator is newline.
7bb56e1f PH	103
0d0c6357 NM	104	(b) If the next character is ',' then the next character is the separator
	105	character used for multiple items of text in "TXT" records. Alternatively,
	106	if the next character is ';' then these multiple items are concatenated with
	107	no separator. With neither of these options specified, only the first item
8ee4b30e PP	108	is output. Similarly for "SPF" records, but the default for joining multiple
8ee4b30e PP	109	items in one SPF record is the empty string, for direct concatenation.
0d0c6357 NM	110
0d0c6357 NM	111	(c) If the next sequence of characters is 'defer_FOO' followed by a comma,
ff4dbb19 PH	112	the defer behaviour is set to FOO. The possible behaviours are: 'strict', where
	113	any defer causes the whole lookup to defer; 'lax', where a defer causes the
	114	whole lookup to defer only if none of the DNS queries succeeds; and 'never',
	115	where all defers are as if the lookup failed. The default is 'lax'.
	116
fd3b6a4a JH	117	(d) Another optional comma-sep field: 'dnssec_FOO', with 'strict', 'lax'
	118	and 'never' (default); can appear before or after (c). The meanings are
	119	require, try and don't-try dnssec respectively.
	120
	121	(e) If the next sequence of characters is a sequence of letters and digits
8e669ac1	122	followed by '=', it is interpreted as the name of the DNS record type. The
ff4dbb19	123	default is "TXT".
7bb56e1f	124
fd3b6a4a	125	(f) Then there follows list of domain names. This is a generalized Exim list,
8e669ac1	126	which may start with '<' in order to set a specific separator. The default
7bb56e1f	127	separator, as always, is colon. */
0756eb3c	128
e6d225ae	129	static int
0756eb3c PH	130	dnsdb_find(void handle, uschar filename, uschar *keystring, int length,
	131	uschar result, uschar errmsg, BOOL *do_cache)
	132	{
	133	int rc;
	134	int size = 256;
	135	int ptr = 0;
7bb56e1f	136	int sep = 0;
ff4dbb19	137	int defer_mode = PASS;
fd3b6a4a	138	int dnssec_mode = OK;
542bc632	139	int type;
c38d6da9	140	int failrc = FAIL;
7bb56e1f	141	uschar *outsep = US"\n";
0d0c6357	142	uschar *outsep2 = NULL;
e5a9dba6	143	uschar equals, domain, *found;
0756eb3c PH	144	uschar buffer[256];
	145
	146	/* Because we're the working in the search pool, we try to reclaim as much
	147	store as possible later, so we preallocate the result here */
	148
	149	uschar *yield = store_get(size);
	150
	151	dns_record *rr;
	152	dns_answer dnsa;
	153	dns_scan dnss;
	154
	155	handle = handle; /* Keep picky compilers happy */
	156	filename = filename;
	157	length = length;
	158	do_cache = do_cache;
	159
0d0c6357 NM	160	/* If the string starts with '>' we change the output separator.
0d0c6357 NM	161	If it's followed by ';' or ',' we set the TXT output separator. */
0756eb3c	162
7bb56e1f PH	163	while (isspace(*keystring)) keystring++;
7bb56e1f PH	164	if (*keystring == '>')
0756eb3c	165	{
7bb56e1f	166	outsep = keystring + 1;
8e669ac1	167	keystring += 2;
0d0c6357 NM	168	if (*keystring == ',')
	169	{
	170	outsep2 = keystring + 1;
	171	keystring += 2;
	172	}
	173	else if (*keystring == ';')
	174	{
	175	outsep2 = US"";
	176	keystring++;
	177	}
7bb56e1f	178	while (isspace(*keystring)) keystring++;
8e669ac1	179	}
7bb56e1f	180
fd3b6a4a	181	/* Check for a modifier keyword. */
ff4dbb19	182
fd3b6a4a JH	183	while ( strncmpic(keystring, US"defer_", 6) == 0
	184	\|\| strncmpic(keystring, US"dnssec_", 7) == 0
	185	)
ff4dbb19	186	{
fd3b6a4a	187	if (strncmpic(keystring, US"defer_", 6) == 0)
ff4dbb19	188	{
ff4dbb19	189	keystring += 6;
fd3b6a4a JH	190	if (strncmpic(keystring, US"strict", 6) == 0)
	191	{
	192	defer_mode = DEFER;
	193	keystring += 6;
	194	}
	195	else if (strncmpic(keystring, US"lax", 3) == 0)
	196	{
	197	defer_mode = PASS;
	198	keystring += 3;
	199	}
	200	else if (strncmpic(keystring, US"never", 5) == 0)
	201	{
	202	defer_mode = OK;
	203	keystring += 5;
	204	}
	205	else
	206	{
	207	*errmsg = US"unsupported dnsdb defer behaviour";
	208	return DEFER;
	209	}
ff4dbb19 PH	210	}
	211	else
	212	{
fd3b6a4a JH	213	keystring += 7;
	214	if (strncmpic(keystring, US"strict", 6) == 0)
	215	{
	216	dnssec_mode = DEFER;
	217	keystring += 6;
	218	}
	219	else if (strncmpic(keystring, US"lax", 3) == 0)
	220	{
	221	dnssec_mode = PASS;
	222	keystring += 3;
	223	}
	224	else if (strncmpic(keystring, US"never", 5) == 0)
	225	{
	226	dnssec_mode = OK;
	227	keystring += 5;
	228	}
	229	else
	230	{
	231	*errmsg = US"unsupported dnsdb dnssec behaviour";
	232	return DEFER;
	233	}
ff4dbb19 PH	234	}
	235	while (isspace(*keystring)) keystring++;
	236	if (*keystring++ != ',')
	237	{
fd3b6a4a	238	*errmsg = US"dnsdb modifier syntax error";
ff4dbb19 PH	239	return DEFER;
	240	}
	241	while (isspace(*keystring)) keystring++;
	242	}
	243
542bc632 PP	244	/* Figure out the "type" value if it is not T_TXT.
542bc632 PP	245	If the keystring contains an = this must be preceded by a valid type name. */
7bb56e1f	246
542bc632	247	type = T_TXT;
7bb56e1f PH	248	if ((equals = Ustrchr(keystring, '=')) != NULL)
	249	{
	250	int i, len;
	251	uschar *tend = equals;
8e669ac1 PH	252
	253	while (tend > keystring && isspace(tend[-1])) tend--;
	254	len = tend - keystring;
	255
0756eb3c PH	256	for (i = 0; i < sizeof(type_names)/sizeof(uschar *); i++)
	257	{
	258	if (len == Ustrlen(type_names[i]) &&
	259	strncmpic(keystring, US type_names[i], len) == 0)
	260	{
	261	type = type_values[i];
	262	break;
	263	}
	264	}
8e669ac1	265
0756eb3c PH	266	if (i >= sizeof(type_names)/sizeof(uschar *))
	267	{
	268	*errmsg = US"unsupported DNS record type";
	269	return DEFER;
	270	}
8e669ac1	271
7bb56e1f PH	272	keystring = equals + 1;
7bb56e1f PH	273	while (isspace(*keystring)) keystring++;
0756eb3c	274	}
8e669ac1	275
7bb56e1f	276	/* Initialize the resolver in case this is the first time it has been used. */
0756eb3c	277
fd3b6a4a	278	dns_init(FALSE, FALSE, dnssec_mode != OK);
0756eb3c	279
8e669ac1 PH	280	/* The remainder of the string must be a list of domains. As long as the lookup
	281	for at least one of them succeeds, we return success. Failure means that none
	282	of them were found.
0756eb3c	283
8e669ac1 PH	284	The original implementation did not support a list of domains. Adding the list
	285	feature is compatible, except in one case: when PTR records are being looked up
	286	for a single IPv6 address. Fortunately, we can hack in a compatibility feature
	287	here: If the type is PTR and no list separator is specified, and the entire
	288	remaining string is valid as an IP address, set an impossible separator so that
7bb56e1f	289	it is treated as one item. */
33397d19	290
7bb56e1f	291	if (type == T_PTR && keystring[0] != '<' &&
7e66e54d	292	string_is_ip_address(keystring, NULL) != 0)
7bb56e1f	293	sep = -1;
0756eb3c	294
542bc632 PP	295	/* SPF strings should be concatenated without a separator, thus make
	296	it the default if not defined (see RFC 4408 section 3.1.3).
	297	Multiple SPF records are forbidden (section 3.1.2) but are currently
	298	not handled specially, thus they are concatenated with \n by default. */
	299
	300	if (type == T_SPF && outsep2 == NULL)
	301	outsep2 = US"";
	302
7bb56e1f	303	/* Now scan the list and do a lookup for each item */
0756eb3c	304
8e669ac1	305	while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer)))
7bb56e1f	306	!= NULL)
8e669ac1	307	{
7bb56e1f	308	uschar rbuffer[256];
e5a9dba6 PH	309	int searchtype = (type == T_CSA)? T_SRV : /* record type we want */
	310	(type == T_MXH)? T_MX :
	311	(type == T_ZNS)? T_NS : type;
	312
	313	/* If the type is PTR or CSA, we have to construct the relevant magic lookup
	314	key if the original is an IP address (some experimental protocols are using
	315	PTR records for different purposes where the key string is a host name, and
	316	Exim's extended CSA can be keyed by domains or IP addresses). This code for
	317	doing the reversal is now in a separate function. */
	318
	319	if ((type == T_PTR \|\| type == T_CSA) &&
7e66e54d	320	string_is_ip_address(domain, NULL) != 0)
0756eb3c	321	{
7bb56e1f PH	322	dns_build_reverse(domain, rbuffer);
7bb56e1f PH	323	domain = rbuffer;
0756eb3c	324	}
8e669ac1	325
3a796370	326	do
c38d6da9	327	{
3a796370 JH	328	DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);
	329
	330	/* Do the lookup and sort out the result. There are four special types that
	331	are handled specially: T_CSA, T_ZNS, T_APL and T_MXH.
	332	The first two are handled in a special lookup function so that the facility
	333	could be used from other parts of the Exim code. T_APL is handled by looping
	334	over the types of A lookup. T_MXH affects only what happens later on in
	335	this function, but for tidiness it is handled by the "special". If the
	336	lookup fails, continue with the next domain. In the case of DEFER, adjust
	337	the final "nothing found" result, but carry on to the next domain. */
	338
	339	found = domain;
6abc190a	340	#if HAVE_IPV6
3a796370 JH	341	if (type == T_APL) /* NB cannot happen unless HAVE_IPV6 */
3a796370 JH	342	{
6abc190a JH	343	if (searchtype == T_APL)
	344	# if defined(SUPPORT_A6)
	345	searchtype = T_A6;
	346	# else
	347	searchtype = T_AAAA;
	348	# endif
3a796370 JH	349	else if (searchtype == T_A6) searchtype = T_AAAA;
	350	else if (searchtype == T_AAAA) searchtype = T_A;
	351	rc = dns_special_lookup(&dnsa, domain, searchtype, &found);
	352	}
	353	else
6abc190a	354	#endif
3a796370	355	rc = dns_special_lookup(&dnsa, domain, type, &found);
ea3bc19b	356
4e0983dc JH	357	lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
	358	: dns_is_secure(&dnsa) ? US"yes" : US"no";
	359
3a796370 JH	360	if (rc == DNS_NOMATCH \|\| rc == DNS_NODATA) continue;
	361	if (rc != DNS_SUCCEED)
	362	{
fd3b6a4a JH	363	if (defer_mode == DEFER)
	364	{
	365	dns_init(FALSE, FALSE, FALSE);
	366	return DEFER; /* always defer */
	367	}
3a796370 JH	368	if (defer_mode == PASS) failrc = DEFER; /* defer only if all do */
	369	continue; /* treat defer as fail */
	370	}
fd3b6a4a JH	371	if (dnssec_mode == DEFER && !dns_is_secure(&dnsa))
	372	{
	373	failrc = DEFER;
	374	continue;
	375	}
	376
8e669ac1	377
3a796370	378	/* Search the returned records */
8e669ac1	379
3a796370 JH	380	for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
	381	rr != NULL;
	382	rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
0756eb3c	383	{
3a796370 JH	384	if (rr->type != searchtype) continue;
	385
	386	/* There may be several addresses from an A6 record. Put the configured
	387	separator between them, just as for between several records. However, A6
	388	support is not normally configured these days. */
	389
	390	if (type == T_A \|\|
	391	#ifdef SUPPORT_A6
	392	type == T_A6 \|\|
	393	#endif
	394	type == T_AAAA \|\|
	395	type == T_APL)
7bb56e1f	396	{
3a796370 JH	397	dns_address *da;
	398	for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
	399	{
	400	if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
	401	yield = string_cat(yield, &size, &ptr, da->address,
	402	Ustrlen(da->address));
	403	}
	404	continue;
7bb56e1f	405	}
8e669ac1	406
3a796370 JH	407	/* Other kinds of record just have one piece of data each, but there may be
3a796370 JH	408	several of them, of course. */
8e669ac1	409
3a796370	410	if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
8e669ac1	411
3a796370	412	if (type == T_TXT \|\| type == T_SPF)
80a47a2c	413	{
3a796370	414	if (outsep2 == NULL)
0d0c6357	415	{
3a796370 JH	416	/* output only the first item of data */
	417	yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
	418	(rr->data)[0]);
	419	}
	420	else
	421	{
	422	/* output all items */
	423	int data_offset = 0;
	424	while (data_offset < rr->size)
	425	{
	426	uschar chunk_len = (rr->data)[data_offset++];
	427	if (outsep2[0] != '\0' && data_offset != 1)
	428	yield = string_cat(yield, &size, &ptr, outsep2, 1);
	429	yield = string_cat(yield, &size, &ptr,
0d0c6357	430	(uschar *)((rr->data)+data_offset), chunk_len);
3a796370 JH	431	data_offset += chunk_len;
3a796370 JH	432	}
0d0c6357	433	}
80a47a2c	434	}
1e06383a TL	435	else if (type == T_TLSA)
	436	{
	437	uint8_t usage, selector, matching_type;
	438	uint16_t i, payload_length;
	439	uschar s[MAX_TLSA_EXPANDED_SIZE];
	440	uschar * sp = s;
	441	uschar p = (uschar )(rr->data);
	442
	443	usage = *p++;
	444	selector = *p++;
	445	matching_type = *p++;
	446	/* What's left after removing the first 3 bytes above */
	447	payload_length = rr->size - 3;
	448	sp += sprintf(CS s, "%d %d %d ", usage, selector, matching_type);
	449	/* Now append the cert/identifier, one hex char at a time */
	450	for (i=0;
	451	i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
	452	i++)
	453	{
	454	sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
	455	}
	456	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	457	}
3a796370	458	else /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
e5a9dba6	459	{
3a796370 JH	460	int priority, weight, port;
	461	uschar s[264];
	462	uschar p = (uschar )(rr->data);
e5a9dba6	463
3a796370	464	if (type == T_MXH)
e5a9dba6	465	{
3a796370 JH	466	/* mxh ignores the priority number and includes only the hostnames */
3a796370 JH	467	GETSHORT(priority, p);
e5a9dba6	468	}
3a796370	469	else if (type == T_MX)
e5a9dba6	470	{
3a796370 JH	471	GETSHORT(priority, p);
	472	sprintf(CS s, "%d ", priority);
	473	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	474	}
	475	else if (type == T_SRV)
	476	{
	477	GETSHORT(priority, p);
	478	GETSHORT(weight, p);
	479	GETSHORT(port, p);
	480	sprintf(CS s, "%d %d %d ", priority, weight, port);
	481	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	482	}
	483	else if (type == T_CSA)
	484	{
	485	/* See acl_verify_csa() for more comments about CSA. */
	486
	487	GETSHORT(priority, p);
	488	GETSHORT(weight, p);
	489	GETSHORT(port, p);
	490
	491	if (priority != 1) continue; /* CSA version must be 1 */
	492
	493	/* If the CSA record we found is not the one we asked for, analyse
	494	the subdomain assertions in the port field, else analyse the direct
	495	authorization status in the weight field. */
	496
	497	if (found != domain)
	498	{
	499	if (port & 1) s = 'X'; / explicit authorization required */
	500	else s = '?'; / no subdomain assertions here */
	501	}
	502	else
	503	{
	504	if (weight < 2) s = 'N'; / not authorized */
	505	else if (weight == 2) s = 'Y'; / authorized */
	506	else if (weight == 3) s = '?'; / unauthorizable */
	507	else continue; /* invalid */
	508	}
	509
	510	s[1] = ' ';
	511	yield = string_cat(yield, &size, &ptr, s, 2);
e5a9dba6 PH	512	}
e5a9dba6 PH	513
3a796370	514	/* GETSHORT() has advanced the pointer to the target domain. */
8e669ac1	515
3a796370 JH	516	rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
3a796370 JH	517	(DN_EXPAND_ARG4_TYPE)(s), sizeof(s));
8e669ac1	518
3a796370 JH	519	/* If an overlong response was received, the data will have been
3a796370 JH	520	truncated and dn_expand may fail. */
8e669ac1	521
3a796370 JH	522	if (rc < 0)
	523	{
	524	log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
	525	"domain=%s", dns_text_type(type), domain);
	526	break;
	527	}
	528	else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
7bb56e1f	529	}
3a796370 JH	530	} /* Loop for list of returned records */
	531
	532	/* Loop for set of A-lookupu types */
	533	} while (type == T_APL && searchtype != T_A);
	534
	535	} /* Loop for list of domains */
7bb56e1f PH	536
7bb56e1f PH	537	/* Reclaim unused memory */
0756eb3c	538
7bb56e1f PH	539	store_reset(yield + ptr + 1);
7bb56e1f PH	540
8e669ac1	541	/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
7bb56e1f PH	542	zero and return the result. */
7bb56e1f PH	543
fd3b6a4a JH	544	dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */
fd3b6a4a JH	545
c38d6da9	546	if (ptr == 0) return failrc;
0756eb3c	547	yield[ptr] = 0;
0756eb3c	548	*result = yield;
0756eb3c PH	549	return OK;
	550	}
	551
6545de78 PP	552
	553
	554	/*************************************************
	555	* Version reporting entry point *
	556	*************************************************/
	557
	558	/* See local README for interface description. */
	559
	560	#include "../version.h"
	561
	562	void
	563	dnsdb_version_report(FILE *f)
	564	{
	565	#ifdef DYNLOOKUP
	566	fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
	567	#endif
	568	}
	569
	570
e6d225ae DW	571	static lookup_info _lookup_info = {
	572	US"dnsdb", /* lookup name */
	573	lookup_querystyle, /* query style */
	574	dnsdb_open, /* open function */
	575	NULL, /* check function */
	576	dnsdb_find, /* find function */
	577	NULL, /* no close function */
	578	NULL, /* no tidy function */
6545de78 PP	579	NULL, /* no quoting function */
6545de78 PP	580	dnsdb_version_report /* version reporting */
e6d225ae DW	581	};
	582
	583	#ifdef DYNLOOKUP
	584	#define dnsdb_lookup_module_info _lookup_module_info
	585	#endif
	586
	587	static lookup_info *_lookup_list[] = { &_lookup_info };
	588	lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
	589
fd3b6a4a JH	590	/* vi: aw ai sw=2
fd3b6a4a JH	591	*/
0756eb3c	592	/* End of lookups/dnsdb.c */