[exim.git] / src / src / lookups / dnsdb.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */

#include "../exim.h"
#include "lf_functions.h"


/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
header files. */

#ifndef T_TXT
#define T_TXT 16
#endif

/* Many systems do not have T_SPF. */
#ifndef T_SPF
#define T_SPF 99
#endif

/* New TLSA record for DANE */
#ifndef T_TLSA
#define T_TLSA 52
#endif

/* Table of recognized DNS record types and their integer values. */

static const char *type_names[] = {
  "a",
#if HAVE_IPV6
  "a+",
  "aaaa",
  #ifdef SUPPORT_A6
  "a6",
  #endif
#endif
  "cname",
  "csa",
  "mx",
  "mxh",
  "ns",
  "ptr",
  "spf",
  "srv",
  "tlsa",
  "txt",
  "zns"
};

static int type_values[] = {
  T_A,
#if HAVE_IPV6
  T_ADDRESSES,     /* Private type for AAAA + A */
  T_AAAA,
  #ifdef SUPPORT_A6
  T_A6,
  #endif
#endif
  T_CNAME,
  T_CSA,     /* Private type for "Client SMTP Authorization". */
  T_MX,
  T_MXH,     /* Private type for "MX hostnames" */
  T_NS,
  T_PTR,
  T_SPF,
  T_SRV,
  T_TLSA,
  T_TXT,
  T_ZNS      /* Private type for "zone nameservers" */
};


/*************************************************
*              Open entry point                  *
*************************************************/

/* See local README for interface description. */

static void *
dnsdb_open(uschar *filename, uschar **errmsg)
{
filename = filename;   /* Keep picky compilers happy */
errmsg = errmsg;       /* Ditto */
return (void *)(-1);   /* Any non-0 value */
}


/*************************************************
*           Find entry point for dnsdb           *
*************************************************/

/* See local README for interface description. The query in the "keystring" may
consist of a number of parts.

(a) If the first significant character is '>' then the next character is the
separator character that is used when multiple records are found. The default
separator is newline.

(b) If the next character is ',' then the next character is the separator
character used for multiple items of text in "TXT" records. Alternatively,
if the next character is ';' then these multiple items are concatenated with
no separator. With neither of these options specified, only the first item
is output.  Similarly for "SPF" records, but the default for joining multiple
items in one SPF record is the empty string, for direct concatenation.

(c) If the next sequence of characters is 'defer_FOO' followed by a comma,
the defer behaviour is set to FOO. The possible behaviours are: 'strict', where
any defer causes the whole lookup to defer; 'lax', where a defer causes the
whole lookup to defer only if none of the DNS queries succeeds; and 'never',
where all defers are as if the lookup failed. The default is 'lax'.

(d) Another optional comma-sep field: 'dnssec_FOO', with 'strict', 'lax'
and 'never' (default); can appear before or after (c).  The meanings are
require, try and don't-try dnssec respectively.

(e) If the next sequence of characters is a sequence of letters and digits
followed by '=', it is interpreted as the name of the DNS record type. The
default is "TXT".

(f) Then there follows list of domain names. This is a generalized Exim list,
which may start with '<' in order to set a specific separator. The default
separator, as always, is colon. */

static int
dnsdb_find(void *handle, uschar *filename, const uschar *keystring, int length,
  uschar **result, uschar **errmsg, BOOL *do_cache)
{
int rc;
int size = 256;
int ptr = 0;
int sep = 0;
int defer_mode = PASS;
int dnssec_mode = OK;
int type;
int failrc = FAIL;
const uschar *outsep = CUS"\n";
const uschar *outsep2 = NULL;
uschar *equals, *domain, *found;
uschar buffer[256];

/* Because we're the working in the search pool, we try to reclaim as much
store as possible later, so we preallocate the result here */

uschar *yield = store_get(size);

dns_record *rr;
dns_answer dnsa;
dns_scan dnss;

handle = handle;           /* Keep picky compilers happy */
filename = filename;
length = length;
do_cache = do_cache;

/* If the string starts with '>' we change the output separator.
If it's followed by ';' or ',' we set the TXT output separator. */

while (isspace(*keystring)) keystring++;
if (*keystring == '>')
  {
  outsep = keystring + 1;
  keystring += 2;
  if (*keystring == ',')
    {
    outsep2 = keystring + 1;
    keystring += 2;
    }
  else if (*keystring == ';')
    {
    outsep2 = US"";
    keystring++;
    }
  while (isspace(*keystring)) keystring++;
  }

/* Check for a modifier keyword. */

while (  strncmpic(keystring, US"defer_", 6) == 0
      || strncmpic(keystring, US"dnssec_", 7) == 0
      )
  {
  if (strncmpic(keystring, US"defer_", 6) == 0)
    {
    keystring += 6;
    if (strncmpic(keystring, US"strict", 6) == 0)
      {
      defer_mode = DEFER;
      keystring += 6;
      }
    else if (strncmpic(keystring, US"lax", 3) == 0)
      {
      defer_mode = PASS;
      keystring += 3;
      }
    else if (strncmpic(keystring, US"never", 5) == 0)
      {
      defer_mode = OK;
      keystring += 5;
      }
    else
      {
      *errmsg = US"unsupported dnsdb defer behaviour";
      return DEFER;
      }
    }
  else
    {
    keystring += 7;
    if (strncmpic(keystring, US"strict", 6) == 0)
      {
      dnssec_mode = DEFER;
      keystring += 6;
      }
    else if (strncmpic(keystring, US"lax", 3) == 0)
      {
      dnssec_mode = PASS;
      keystring += 3;
      }
    else if (strncmpic(keystring, US"never", 5) == 0)
      {
      dnssec_mode = OK;
      keystring += 5;
      }
    else
      {
      *errmsg = US"unsupported dnsdb dnssec behaviour";
      return DEFER;
      }
    }
  while (isspace(*keystring)) keystring++;
  if (*keystring++ != ',')
    {
    *errmsg = US"dnsdb modifier syntax error";
    return DEFER;
    }
  while (isspace(*keystring)) keystring++;
  }

/* Figure out the "type" value if it is not T_TXT.
If the keystring contains an = this must be preceded by a valid type name. */

type = T_TXT;
if ((equals = Ustrchr(keystring, '=')) != NULL)
  {
  int i, len;
  uschar *tend = equals;

  while (tend > keystring && isspace(tend[-1])) tend--;
  len = tend - keystring;

  for (i = 0; i < sizeof(type_names)/sizeof(uschar *); i++)
    {
    if (len == Ustrlen(type_names[i]) &&
        strncmpic(keystring, US type_names[i], len) == 0)
      {
      type = type_values[i];
      break;
      }
    }

  if (i >= sizeof(type_names)/sizeof(uschar *))
    {
    *errmsg = US"unsupported DNS record type";
    return DEFER;
    }

  keystring = equals + 1;
  while (isspace(*keystring)) keystring++;
  }

/* Initialize the resolver in case this is the first time it has been used. */

dns_init(FALSE, FALSE, dnssec_mode != OK);

/* The remainder of the string must be a list of domains. As long as the lookup
for at least one of them succeeds, we return success. Failure means that none
of them were found.

The original implementation did not support a list of domains. Adding the list
feature is compatible, except in one case: when PTR records are being looked up
for a single IPv6 address. Fortunately, we can hack in a compatibility feature
here: If the type is PTR and no list separator is specified, and the entire
remaining string is valid as an IP address, set an impossible separator so that
it is treated as one item. */

if (type == T_PTR && keystring[0] != '<' &&
    string_is_ip_address(keystring, NULL) != 0)
  sep = -1;

/* SPF strings should be concatenated without a separator, thus make
it the default if not defined (see RFC 4408 section 3.1.3).
Multiple SPF records are forbidden (section 3.1.2) but are currently
not handled specially, thus they are concatenated with \n by default.
MX priority and value are space-separated by default.
SRV and TLSA record parts are space-separated by default. */

if (!outsep2) switch(type)
  {
  case T_SPF:                         outsep2 = US"";  break;
  case T_SRV: case T_MX: case T_TLSA: outsep2 = US" "; break;
  }

/* Now scan the list and do a lookup for each item */

while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer)))
        != NULL)
  {
  uschar rbuffer[256];
  int searchtype = (type == T_CSA)? T_SRV :         /* record type we want */
                   (type == T_MXH)? T_MX :
                   (type == T_ZNS)? T_NS : type;

  /* If the type is PTR or CSA, we have to construct the relevant magic lookup
  key if the original is an IP address (some experimental protocols are using
  PTR records for different purposes where the key string is a host name, and
  Exim's extended CSA can be keyed by domains or IP addresses). This code for
  doing the reversal is now in a separate function. */

  if ((type == T_PTR || type == T_CSA) &&
      string_is_ip_address(domain, NULL) != 0)
    {
    dns_build_reverse(domain, rbuffer);
    domain = rbuffer;
    }

  do
    {
    DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);

    /* Do the lookup and sort out the result. There are four special types that
    are handled specially: T_CSA, T_ZNS, T_ADDRESSES and T_MXH.
    The first two are handled in a special lookup function so that the facility
    could be used from other parts of the Exim code. T_ADDRESSES is handled by looping
    over the types of A lookup.  T_MXH affects only what happens later on in
    this function, but for tidiness it is handled by the "special". If the
    lookup fails, continue with the next domain. In the case of DEFER, adjust
    the final "nothing found" result, but carry on to the next domain. */

    found = domain;
#if HAVE_IPV6
    if (type == T_ADDRESSES)		/* NB cannot happen unless HAVE_IPV6 */
      {
      if (searchtype == T_ADDRESSES)
# if defined(SUPPORT_A6)
                                     searchtype = T_A6;
# else
                                     searchtype = T_AAAA;
# endif
      else if (searchtype == T_A6)   searchtype = T_AAAA;
      else if (searchtype == T_AAAA) searchtype = T_A;
      rc = dns_special_lookup(&dnsa, domain, searchtype, CUSS &found);
      }
    else
#endif
      rc = dns_special_lookup(&dnsa, domain, type, CUSS &found);

    lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
      : dns_is_secure(&dnsa) ? US"yes" : US"no";

    if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
    if (  rc != DNS_SUCCEED
       || (dnssec_mode == DEFER && !dns_is_secure(&dnsa))
       )
      {
      if (defer_mode == DEFER)
	{
	dns_init(FALSE, FALSE, FALSE);			/* clr dnssec bit */
	return DEFER;					/* always defer */
	}
      if (defer_mode == PASS) failrc = DEFER;         /* defer only if all do */
      continue;                                       /* treat defer as fail */
      }


    /* Search the returned records */

    for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
         rr != NULL;
         rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
      {
      if (rr->type != searchtype) continue;

      /* There may be several addresses from an A6 record. Put the configured
      separator between them, just as for between several records. However, A6
      support is not normally configured these days. */

      if (type == T_A ||
          #ifdef SUPPORT_A6
          type == T_A6 ||
          #endif
          type == T_AAAA ||
          type == T_ADDRESSES)
        {
        dns_address *da;
        for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
          {
          if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
          yield = string_cat(yield, &size, &ptr, da->address,
            Ustrlen(da->address));
          }
        continue;
        }

      /* Other kinds of record just have one piece of data each, but there may be
      several of them, of course. */

      if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);

      if (type == T_TXT || type == T_SPF)
        {
        if (outsep2 == NULL)
          {
          /* output only the first item of data */
          yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
            (rr->data)[0]);
          }
        else
          {
          /* output all items */
          int data_offset = 0;
          while (data_offset < rr->size)
            {
            uschar chunk_len = (rr->data)[data_offset++];
            if (outsep2[0] != '\0' && data_offset != 1)
              yield = string_cat(yield, &size, &ptr, outsep2, 1);
            yield = string_cat(yield, &size, &ptr,
                             (uschar *)((rr->data)+data_offset), chunk_len);
            data_offset += chunk_len;
            }
          }
        }
      else if (type == T_TLSA)
        {
        uint8_t usage, selector, matching_type;
        uint16_t i, payload_length;
        uschar s[MAX_TLSA_EXPANDED_SIZE];
	uschar * sp = s;
        uschar *p = (uschar *)(rr->data);

        usage = *p++;
        selector = *p++;
        matching_type = *p++;
        /* What's left after removing the first 3 bytes above */
        payload_length = rr->size - 3;
        sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
		selector, *outsep2, matching_type, *outsep2);
        /* Now append the cert/identifier, one hex char at a time */
        for (i=0;
             i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
             i++)
          {
          sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
          }
        yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
        }
      else   /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
        {
        int priority, weight, port;
        uschar s[264];
        uschar *p = (uschar *)(rr->data);

        if (type == T_MXH)
          {
          /* mxh ignores the priority number and includes only the hostnames */
          GETSHORT(priority, p);
          }
        else if (type == T_MX)
          {
          GETSHORT(priority, p);
          sprintf(CS s, "%d%c", priority, *outsep2);
          yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
          }
        else if (type == T_SRV)
          {
          GETSHORT(priority, p);
          GETSHORT(weight, p);
          GETSHORT(port, p);
          sprintf(CS s, "%d%c%d%c%d%c", priority, *outsep2,
					weight, *outsep2, port, *outsep2);
          yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
          }
        else if (type == T_CSA)
          {
          /* See acl_verify_csa() for more comments about CSA. */

          GETSHORT(priority, p);
          GETSHORT(weight, p);
          GETSHORT(port, p);

          if (priority != 1) continue;      /* CSA version must be 1 */

          /* If the CSA record we found is not the one we asked for, analyse
          the subdomain assertions in the port field, else analyse the direct
          authorization status in the weight field. */

          if (Ustrcmp(found, domain) != 0)
            {
            if (port & 1) *s = 'X';         /* explicit authorization required */
            else *s = '?';                  /* no subdomain assertions here */
            }
          else
            {
            if (weight < 2) *s = 'N';       /* not authorized */
            else if (weight == 2) *s = 'Y'; /* authorized */
            else if (weight == 3) *s = '?'; /* unauthorizable */
            else continue;                  /* invalid */
            }

          s[1] = ' ';
          yield = string_cat(yield, &size, &ptr, s, 2);
          }

        /* GETSHORT() has advanced the pointer to the target domain. */

        rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
          (DN_EXPAND_ARG4_TYPE)(s), sizeof(s));

        /* If an overlong response was received, the data will have been
        truncated and dn_expand may fail. */

        if (rc < 0)
          {
          log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
            "domain=%s", dns_text_type(type), domain);
          break;
          }
        else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
        }
      }    /* Loop for list of returned records */

           /* Loop for set of A-lookupu types */
    } while (type == T_ADDRESSES && searchtype != T_A);

  }        /* Loop for list of domains */

/* Reclaim unused memory */

store_reset(yield + ptr + 1);

/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
zero and return the result. */

dns_init(FALSE, FALSE, FALSE);	/* clear the dnssec bit for getaddrbyname */

if (ptr == 0) return failrc;
yield[ptr] = 0;
*result = yield;
return OK;
}


/*************************************************
*         Version reporting entry point          *
*************************************************/

/* See local README for interface description. */

#include "../version.h"

void
dnsdb_version_report(FILE *f)
{
#ifdef DYNLOOKUP
fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
#endif
}


static lookup_info _lookup_info = {
  US"dnsdb",                     /* lookup name */
  lookup_querystyle,             /* query style */
  dnsdb_open,                    /* open function */
  NULL,                          /* check function */
  dnsdb_find,                    /* find function */
  NULL,                          /* no close function */
  NULL,                          /* no tidy function */
  NULL,                          /* no quoting function */
  dnsdb_version_report           /* version reporting */
};

#ifdef DYNLOOKUP
#define dnsdb_lookup_module_info _lookup_module_info
#endif

static lookup_info *_lookup_list[] = { &_lookup_info };
lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };

/* vi: aw ai sw=2
*/
/* End of lookups/dnsdb.c */
Commit	Line	Data
0756eb3c PH	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
5a66c31b	5	/* Copyright (c) University of Cambridge 1995 - 2014 */
0756eb3c PH	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	#include "../exim.h"
	9	#include "lf_functions.h"
0756eb3c PH	10
	11
	12
	13	/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
	14	header files. */
	15
	16	#ifndef T_TXT
	17	#define T_TXT 16
	18	#endif
	19
eae0036b PP	20	/* Many systems do not have T_SPF. */
	21	#ifndef T_SPF
	22	#define T_SPF 99
	23	#endif
	24
1e06383a TL	25	/* New TLSA record for DANE */
	26	#ifndef T_TLSA
	27	#define T_TLSA 52
	28	#endif
	29
0756eb3c PH	30	/* Table of recognized DNS record types and their integer values. */
0756eb3c PH	31
1ba28e2b	32	static const char *type_names[] = {
0756eb3c PH	33	"a",
0756eb3c PH	34	#if HAVE_IPV6
3a796370	35	"a+",
0756eb3c PH	36	"aaaa",
	37	#ifdef SUPPORT_A6
	38	"a6",
	39	#endif
	40	#endif
	41	"cname",
e5a9dba6	42	"csa",
0756eb3c	43	"mx",
ea3bc19b	44	"mxh",
0756eb3c PH	45	"ns",
0756eb3c PH	46	"ptr",
eae0036b	47	"spf",
0756eb3c	48	"srv",
1e06383a	49	"tlsa",
33397d19	50	"txt",
8e669ac1	51	"zns"
33397d19	52	};
0756eb3c PH	53
	54	static int type_values[] = {
	55	T_A,
	56	#if HAVE_IPV6
66be95e0	57	T_ADDRESSES, /* Private type for AAAA + A */
0756eb3c PH	58	T_AAAA,
	59	#ifdef SUPPORT_A6
	60	T_A6,
	61	#endif
	62	#endif
	63	T_CNAME,
e5a9dba6	64	T_CSA, /* Private type for "Client SMTP Authorization". */
0756eb3c	65	T_MX,
ea3bc19b	66	T_MXH, /* Private type for "MX hostnames" */
0756eb3c PH	67	T_NS,
0756eb3c PH	68	T_PTR,
eae0036b	69	T_SPF,
0756eb3c	70	T_SRV,
1e06383a	71	T_TLSA,
33397d19 PH	72	T_TXT,
	73	T_ZNS /* Private type for "zone nameservers" */
	74	};
0756eb3c PH	75
	76
	77	/*************************************************
	78	* Open entry point *
	79	*************************************************/
	80
	81	/* See local README for interface description. */
	82
e6d225ae	83	static void *
0756eb3c PH	84	dnsdb_open(uschar filename, uschar *errmsg)
	85	{
	86	filename = filename; /* Keep picky compilers happy */
	87	errmsg = errmsg; /* Ditto */
	88	return (void )(-1); / Any non-0 value */
	89	}
	90
	91
	92
	93	/*************************************************
	94	* Find entry point for dnsdb *
	95	*************************************************/
	96
7bb56e1f PH	97	/* See local README for interface description. The query in the "keystring" may
	98	consist of a number of parts.
	99
8e669ac1 PH	100	(a) If the first significant character is '>' then the next character is the
8e669ac1 PH	101	separator character that is used when multiple records are found. The default
7bb56e1f PH	102	separator is newline.
7bb56e1f PH	103
0d0c6357 NM	104	(b) If the next character is ',' then the next character is the separator
	105	character used for multiple items of text in "TXT" records. Alternatively,
	106	if the next character is ';' then these multiple items are concatenated with
	107	no separator. With neither of these options specified, only the first item
8ee4b30e PP	108	is output. Similarly for "SPF" records, but the default for joining multiple
8ee4b30e PP	109	items in one SPF record is the empty string, for direct concatenation.
0d0c6357 NM	110
0d0c6357 NM	111	(c) If the next sequence of characters is 'defer_FOO' followed by a comma,
ff4dbb19 PH	112	the defer behaviour is set to FOO. The possible behaviours are: 'strict', where
	113	any defer causes the whole lookup to defer; 'lax', where a defer causes the
	114	whole lookup to defer only if none of the DNS queries succeeds; and 'never',
	115	where all defers are as if the lookup failed. The default is 'lax'.
	116
fd3b6a4a JH	117	(d) Another optional comma-sep field: 'dnssec_FOO', with 'strict', 'lax'
	118	and 'never' (default); can appear before or after (c). The meanings are
	119	require, try and don't-try dnssec respectively.
	120
	121	(e) If the next sequence of characters is a sequence of letters and digits
8e669ac1	122	followed by '=', it is interpreted as the name of the DNS record type. The
ff4dbb19	123	default is "TXT".
7bb56e1f	124
fd3b6a4a	125	(f) Then there follows list of domain names. This is a generalized Exim list,
8e669ac1	126	which may start with '<' in order to set a specific separator. The default
7bb56e1f	127	separator, as always, is colon. */
0756eb3c	128
e6d225ae	129	static int
55414b25	130	dnsdb_find(void handle, uschar filename, const uschar *keystring, int length,
0756eb3c PH	131	uschar result, uschar errmsg, BOOL *do_cache)
	132	{
	133	int rc;
	134	int size = 256;
	135	int ptr = 0;
7bb56e1f	136	int sep = 0;
ff4dbb19	137	int defer_mode = PASS;
fd3b6a4a	138	int dnssec_mode = OK;
542bc632	139	int type;
c38d6da9	140	int failrc = FAIL;
55414b25 JH	141	const uschar *outsep = CUS"\n";
55414b25 JH	142	const uschar *outsep2 = NULL;
e5a9dba6	143	uschar equals, domain, *found;
0756eb3c PH	144	uschar buffer[256];
	145
	146	/* Because we're the working in the search pool, we try to reclaim as much
	147	store as possible later, so we preallocate the result here */
	148
	149	uschar *yield = store_get(size);
	150
	151	dns_record *rr;
	152	dns_answer dnsa;
	153	dns_scan dnss;
	154
	155	handle = handle; /* Keep picky compilers happy */
	156	filename = filename;
	157	length = length;
	158	do_cache = do_cache;
	159
0d0c6357 NM	160	/* If the string starts with '>' we change the output separator.
0d0c6357 NM	161	If it's followed by ';' or ',' we set the TXT output separator. */
0756eb3c	162
7bb56e1f PH	163	while (isspace(*keystring)) keystring++;
7bb56e1f PH	164	if (*keystring == '>')
0756eb3c	165	{
7bb56e1f	166	outsep = keystring + 1;
8e669ac1	167	keystring += 2;
0d0c6357 NM	168	if (*keystring == ',')
	169	{
	170	outsep2 = keystring + 1;
	171	keystring += 2;
	172	}
	173	else if (*keystring == ';')
	174	{
	175	outsep2 = US"";
	176	keystring++;
	177	}
7bb56e1f	178	while (isspace(*keystring)) keystring++;
8e669ac1	179	}
7bb56e1f	180
fd3b6a4a	181	/* Check for a modifier keyword. */
ff4dbb19	182
fd3b6a4a JH	183	while ( strncmpic(keystring, US"defer_", 6) == 0
	184	\|\| strncmpic(keystring, US"dnssec_", 7) == 0
	185	)
ff4dbb19	186	{
fd3b6a4a	187	if (strncmpic(keystring, US"defer_", 6) == 0)
ff4dbb19	188	{
ff4dbb19	189	keystring += 6;
fd3b6a4a JH	190	if (strncmpic(keystring, US"strict", 6) == 0)
	191	{
	192	defer_mode = DEFER;
	193	keystring += 6;
	194	}
	195	else if (strncmpic(keystring, US"lax", 3) == 0)
	196	{
	197	defer_mode = PASS;
	198	keystring += 3;
	199	}
	200	else if (strncmpic(keystring, US"never", 5) == 0)
	201	{
	202	defer_mode = OK;
	203	keystring += 5;
	204	}
	205	else
	206	{
	207	*errmsg = US"unsupported dnsdb defer behaviour";
	208	return DEFER;
	209	}
ff4dbb19 PH	210	}
	211	else
	212	{
fd3b6a4a JH	213	keystring += 7;
	214	if (strncmpic(keystring, US"strict", 6) == 0)
	215	{
	216	dnssec_mode = DEFER;
	217	keystring += 6;
	218	}
	219	else if (strncmpic(keystring, US"lax", 3) == 0)
	220	{
	221	dnssec_mode = PASS;
	222	keystring += 3;
	223	}
	224	else if (strncmpic(keystring, US"never", 5) == 0)
	225	{
	226	dnssec_mode = OK;
	227	keystring += 5;
	228	}
	229	else
	230	{
	231	*errmsg = US"unsupported dnsdb dnssec behaviour";
	232	return DEFER;
	233	}
ff4dbb19 PH	234	}
	235	while (isspace(*keystring)) keystring++;
	236	if (*keystring++ != ',')
	237	{
fd3b6a4a	238	*errmsg = US"dnsdb modifier syntax error";
ff4dbb19 PH	239	return DEFER;
	240	}
	241	while (isspace(*keystring)) keystring++;
	242	}
	243
542bc632 PP	244	/* Figure out the "type" value if it is not T_TXT.
542bc632 PP	245	If the keystring contains an = this must be preceded by a valid type name. */
7bb56e1f	246
542bc632	247	type = T_TXT;
7bb56e1f PH	248	if ((equals = Ustrchr(keystring, '=')) != NULL)
	249	{
	250	int i, len;
	251	uschar *tend = equals;
8e669ac1 PH	252
	253	while (tend > keystring && isspace(tend[-1])) tend--;
	254	len = tend - keystring;
	255
0756eb3c PH	256	for (i = 0; i < sizeof(type_names)/sizeof(uschar *); i++)
	257	{
	258	if (len == Ustrlen(type_names[i]) &&
	259	strncmpic(keystring, US type_names[i], len) == 0)
	260	{
	261	type = type_values[i];
	262	break;
	263	}
	264	}
8e669ac1	265
0756eb3c PH	266	if (i >= sizeof(type_names)/sizeof(uschar *))
	267	{
	268	*errmsg = US"unsupported DNS record type";
	269	return DEFER;
	270	}
8e669ac1	271
7bb56e1f PH	272	keystring = equals + 1;
7bb56e1f PH	273	while (isspace(*keystring)) keystring++;
0756eb3c	274	}
8e669ac1	275
7bb56e1f	276	/* Initialize the resolver in case this is the first time it has been used. */
0756eb3c	277
fd3b6a4a	278	dns_init(FALSE, FALSE, dnssec_mode != OK);
0756eb3c	279
8e669ac1 PH	280	/* The remainder of the string must be a list of domains. As long as the lookup
	281	for at least one of them succeeds, we return success. Failure means that none
	282	of them were found.
0756eb3c	283
8e669ac1 PH	284	The original implementation did not support a list of domains. Adding the list
	285	feature is compatible, except in one case: when PTR records are being looked up
	286	for a single IPv6 address. Fortunately, we can hack in a compatibility feature
	287	here: If the type is PTR and no list separator is specified, and the entire
	288	remaining string is valid as an IP address, set an impossible separator so that
7bb56e1f	289	it is treated as one item. */
33397d19	290
7bb56e1f	291	if (type == T_PTR && keystring[0] != '<' &&
7e66e54d	292	string_is_ip_address(keystring, NULL) != 0)
7bb56e1f	293	sep = -1;
0756eb3c	294
542bc632 PP	295	/* SPF strings should be concatenated without a separator, thus make
	296	it the default if not defined (see RFC 4408 section 3.1.3).
	297	Multiple SPF records are forbidden (section 3.1.2) but are currently
be36e572 JH	298	not handled specially, thus they are concatenated with \n by default.
	299	MX priority and value are space-separated by default.
	300	SRV and TLSA record parts are space-separated by default. */
542bc632	301
be36e572 JH	302	if (!outsep2) switch(type)
	303	{
	304	case T_SPF: outsep2 = US""; break;
	305	case T_SRV: case T_MX: case T_TLSA: outsep2 = US" "; break;
	306	}
542bc632	307
7bb56e1f	308	/* Now scan the list and do a lookup for each item */
0756eb3c	309
8e669ac1	310	while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer)))
7bb56e1f	311	!= NULL)
8e669ac1	312	{
7bb56e1f	313	uschar rbuffer[256];
e5a9dba6 PH	314	int searchtype = (type == T_CSA)? T_SRV : /* record type we want */
	315	(type == T_MXH)? T_MX :
	316	(type == T_ZNS)? T_NS : type;
	317
	318	/* If the type is PTR or CSA, we have to construct the relevant magic lookup
	319	key if the original is an IP address (some experimental protocols are using
	320	PTR records for different purposes where the key string is a host name, and
	321	Exim's extended CSA can be keyed by domains or IP addresses). This code for
	322	doing the reversal is now in a separate function. */
	323
	324	if ((type == T_PTR \|\| type == T_CSA) &&
7e66e54d	325	string_is_ip_address(domain, NULL) != 0)
0756eb3c	326	{
7bb56e1f PH	327	dns_build_reverse(domain, rbuffer);
7bb56e1f PH	328	domain = rbuffer;
0756eb3c	329	}
8e669ac1	330
3a796370	331	do
c38d6da9	332	{
3a796370 JH	333	DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);
	334
	335	/* Do the lookup and sort out the result. There are four special types that
66be95e0	336	are handled specially: T_CSA, T_ZNS, T_ADDRESSES and T_MXH.
3a796370	337	The first two are handled in a special lookup function so that the facility
66be95e0	338	could be used from other parts of the Exim code. T_ADDRESSES is handled by looping
3a796370 JH	339	over the types of A lookup. T_MXH affects only what happens later on in
	340	this function, but for tidiness it is handled by the "special". If the
	341	lookup fails, continue with the next domain. In the case of DEFER, adjust
	342	the final "nothing found" result, but carry on to the next domain. */
	343
	344	found = domain;
6abc190a	345	#if HAVE_IPV6
66be95e0	346	if (type == T_ADDRESSES) /* NB cannot happen unless HAVE_IPV6 */
3a796370	347	{
66be95e0	348	if (searchtype == T_ADDRESSES)
6abc190a JH	349	# if defined(SUPPORT_A6)
	350	searchtype = T_A6;
	351	# else
	352	searchtype = T_AAAA;
	353	# endif
3a796370 JH	354	else if (searchtype == T_A6) searchtype = T_AAAA;
3a796370 JH	355	else if (searchtype == T_AAAA) searchtype = T_A;
55414b25	356	rc = dns_special_lookup(&dnsa, domain, searchtype, CUSS &found);
3a796370 JH	357	}
3a796370 JH	358	else
6abc190a	359	#endif
55414b25	360	rc = dns_special_lookup(&dnsa, domain, type, CUSS &found);
ea3bc19b	361
4e0983dc JH	362	lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
	363	: dns_is_secure(&dnsa) ? US"yes" : US"no";
	364
3a796370	365	if (rc == DNS_NOMATCH \|\| rc == DNS_NODATA) continue;
91f40ccd	366	if ( rc != DNS_SUCCEED
9852336a	367	\|\| (dnssec_mode == DEFER && !dns_is_secure(&dnsa))
91f40ccd	368	)
3a796370	369	{
fd3b6a4a JH	370	if (defer_mode == DEFER)
fd3b6a4a JH	371	{
9d9c3746	372	dns_init(FALSE, FALSE, FALSE); /* clr dnssec bit */
fd3b6a4a JH	373	return DEFER; /* always defer */
fd3b6a4a JH	374	}
3a796370 JH	375	if (defer_mode == PASS) failrc = DEFER; /* defer only if all do */
	376	continue; /* treat defer as fail */
	377	}
fd3b6a4a	378
8e669ac1	379
3a796370	380	/* Search the returned records */
8e669ac1	381
3a796370 JH	382	for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
	383	rr != NULL;
	384	rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
0756eb3c	385	{
3a796370 JH	386	if (rr->type != searchtype) continue;
	387
	388	/* There may be several addresses from an A6 record. Put the configured
	389	separator between them, just as for between several records. However, A6
	390	support is not normally configured these days. */
	391
	392	if (type == T_A \|\|
	393	#ifdef SUPPORT_A6
	394	type == T_A6 \|\|
	395	#endif
	396	type == T_AAAA \|\|
66be95e0	397	type == T_ADDRESSES)
7bb56e1f	398	{
3a796370 JH	399	dns_address *da;
	400	for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
	401	{
	402	if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
	403	yield = string_cat(yield, &size, &ptr, da->address,
	404	Ustrlen(da->address));
	405	}
	406	continue;
7bb56e1f	407	}
8e669ac1	408
3a796370 JH	409	/* Other kinds of record just have one piece of data each, but there may be
3a796370 JH	410	several of them, of course. */
8e669ac1	411
3a796370	412	if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
8e669ac1	413
3a796370	414	if (type == T_TXT \|\| type == T_SPF)
80a47a2c	415	{
3a796370	416	if (outsep2 == NULL)
0d0c6357	417	{
3a796370 JH	418	/* output only the first item of data */
	419	yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
	420	(rr->data)[0]);
	421	}
	422	else
	423	{
	424	/* output all items */
	425	int data_offset = 0;
	426	while (data_offset < rr->size)
	427	{
	428	uschar chunk_len = (rr->data)[data_offset++];
	429	if (outsep2[0] != '\0' && data_offset != 1)
	430	yield = string_cat(yield, &size, &ptr, outsep2, 1);
	431	yield = string_cat(yield, &size, &ptr,
0d0c6357	432	(uschar *)((rr->data)+data_offset), chunk_len);
3a796370 JH	433	data_offset += chunk_len;
3a796370 JH	434	}
0d0c6357	435	}
80a47a2c	436	}
1e06383a TL	437	else if (type == T_TLSA)
	438	{
	439	uint8_t usage, selector, matching_type;
	440	uint16_t i, payload_length;
	441	uschar s[MAX_TLSA_EXPANDED_SIZE];
	442	uschar * sp = s;
	443	uschar p = (uschar )(rr->data);
	444
	445	usage = *p++;
	446	selector = *p++;
	447	matching_type = *p++;
	448	/* What's left after removing the first 3 bytes above */
	449	payload_length = rr->size - 3;
be36e572 JH	450	sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
be36e572 JH	451	selector, outsep2, matching_type, outsep2);
1e06383a TL	452	/* Now append the cert/identifier, one hex char at a time */
	453	for (i=0;
	454	i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
	455	i++)
	456	{
	457	sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
	458	}
	459	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	460	}
3a796370	461	else /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
e5a9dba6	462	{
3a796370 JH	463	int priority, weight, port;
	464	uschar s[264];
	465	uschar p = (uschar )(rr->data);
e5a9dba6	466
3a796370	467	if (type == T_MXH)
e5a9dba6	468	{
3a796370 JH	469	/* mxh ignores the priority number and includes only the hostnames */
3a796370 JH	470	GETSHORT(priority, p);
e5a9dba6	471	}
3a796370	472	else if (type == T_MX)
e5a9dba6	473	{
3a796370	474	GETSHORT(priority, p);
be36e572	475	sprintf(CS s, "%d%c", priority, *outsep2);
3a796370 JH	476	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	477	}
	478	else if (type == T_SRV)
	479	{
	480	GETSHORT(priority, p);
	481	GETSHORT(weight, p);
	482	GETSHORT(port, p);
be36e572 JH	483	sprintf(CS s, "%d%c%d%c%d%c", priority, *outsep2,
be36e572 JH	484	weight, outsep2, port, outsep2);
3a796370 JH	485	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	486	}
	487	else if (type == T_CSA)
	488	{
	489	/* See acl_verify_csa() for more comments about CSA. */
	490
	491	GETSHORT(priority, p);
	492	GETSHORT(weight, p);
	493	GETSHORT(port, p);
	494
	495	if (priority != 1) continue; /* CSA version must be 1 */
	496
	497	/* If the CSA record we found is not the one we asked for, analyse
	498	the subdomain assertions in the port field, else analyse the direct
	499	authorization status in the weight field. */
	500
1dc92d5a	501	if (Ustrcmp(found, domain) != 0)
3a796370 JH	502	{
	503	if (port & 1) s = 'X'; / explicit authorization required */
	504	else s = '?'; / no subdomain assertions here */
	505	}
	506	else
	507	{
	508	if (weight < 2) s = 'N'; / not authorized */
	509	else if (weight == 2) s = 'Y'; / authorized */
	510	else if (weight == 3) s = '?'; / unauthorizable */
	511	else continue; /* invalid */
	512	}
	513
	514	s[1] = ' ';
	515	yield = string_cat(yield, &size, &ptr, s, 2);
e5a9dba6 PH	516	}
e5a9dba6 PH	517
3a796370	518	/* GETSHORT() has advanced the pointer to the target domain. */
8e669ac1	519
3a796370 JH	520	rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
3a796370 JH	521	(DN_EXPAND_ARG4_TYPE)(s), sizeof(s));
8e669ac1	522
3a796370 JH	523	/* If an overlong response was received, the data will have been
3a796370 JH	524	truncated and dn_expand may fail. */
8e669ac1	525
3a796370 JH	526	if (rc < 0)
	527	{
	528	log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
	529	"domain=%s", dns_text_type(type), domain);
	530	break;
	531	}
	532	else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
7bb56e1f	533	}
3a796370 JH	534	} /* Loop for list of returned records */
	535
	536	/* Loop for set of A-lookupu types */
66be95e0	537	} while (type == T_ADDRESSES && searchtype != T_A);
3a796370 JH	538
3a796370 JH	539	} /* Loop for list of domains */
7bb56e1f PH	540
7bb56e1f PH	541	/* Reclaim unused memory */
0756eb3c	542
7bb56e1f PH	543	store_reset(yield + ptr + 1);
7bb56e1f PH	544
8e669ac1	545	/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
7bb56e1f PH	546	zero and return the result. */
7bb56e1f PH	547
fd3b6a4a JH	548	dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */
fd3b6a4a JH	549
c38d6da9	550	if (ptr == 0) return failrc;
0756eb3c	551	yield[ptr] = 0;
0756eb3c	552	*result = yield;
0756eb3c PH	553	return OK;
	554	}
	555
6545de78 PP	556
	557
	558	/*************************************************
	559	* Version reporting entry point *
	560	*************************************************/
	561
	562	/* See local README for interface description. */
	563
	564	#include "../version.h"
	565
	566	void
	567	dnsdb_version_report(FILE *f)
	568	{
	569	#ifdef DYNLOOKUP
	570	fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
	571	#endif
	572	}
	573
	574
e6d225ae DW	575	static lookup_info _lookup_info = {
	576	US"dnsdb", /* lookup name */
	577	lookup_querystyle, /* query style */
	578	dnsdb_open, /* open function */
	579	NULL, /* check function */
	580	dnsdb_find, /* find function */
	581	NULL, /* no close function */
	582	NULL, /* no tidy function */
6545de78 PP	583	NULL, /* no quoting function */
6545de78 PP	584	dnsdb_version_report /* version reporting */
e6d225ae DW	585	};
	586
	587	#ifdef DYNLOOKUP
	588	#define dnsdb_lookup_module_info _lookup_module_info
	589	#endif
	590
	591	static lookup_info *_lookup_list[] = { &_lookup_info };
	592	lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
	593
fd3b6a4a JH	594	/* vi: aw ai sw=2
fd3b6a4a JH	595	*/
0756eb3c	596	/* End of lookups/dnsdb.c */