[exim.git] / src / src / lookups / dnsdb.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */

#include "../exim.h"
#include "lf_functions.h"


/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
header files. */

#ifndef T_TXT
#define T_TXT 16
#endif

/* Many systems do not have T_SPF. */
#ifndef T_SPF
#define T_SPF 99
#endif

/* New TLSA record for DANE */
#ifndef T_TLSA
#define T_TLSA 52
#endif

/* Table of recognized DNS record types and their integer values. */

static const char *type_names[] = {
  "a",
#if HAVE_IPV6
  "a+",
  "aaaa",
#endif
  "cname",
  "csa",
  "mx",
  "mxh",
  "ns",
  "ptr",
  "spf",
  "srv",
  "tlsa",
  "txt",
  "zns"
};

static int type_values[] = {
  T_A,
#if HAVE_IPV6
  T_ADDRESSES,     /* Private type for AAAA + A */
  T_AAAA,
#endif
  T_CNAME,
  T_CSA,     /* Private type for "Client SMTP Authorization". */
  T_MX,
  T_MXH,     /* Private type for "MX hostnames" */
  T_NS,
  T_PTR,
  T_SPF,
  T_SRV,
  T_TLSA,
  T_TXT,
  T_ZNS      /* Private type for "zone nameservers" */
};


/*************************************************
*              Open entry point                  *
*************************************************/

/* See local README for interface description. */

static void *
dnsdb_open(uschar *filename, uschar **errmsg)
{
filename = filename;   /* Keep picky compilers happy */
errmsg = errmsg;       /* Ditto */
return (void *)(-1);   /* Any non-0 value */
}


/*************************************************
*           Find entry point for dnsdb           *
*************************************************/

/* See local README for interface description. The query in the "keystring" may
consist of a number of parts.

(a) If the first significant character is '>' then the next character is the
separator character that is used when multiple records are found. The default
separator is newline.

(b) If the next character is ',' then the next character is the separator
character used for multiple items of text in "TXT" records. Alternatively,
if the next character is ';' then these multiple items are concatenated with
no separator. With neither of these options specified, only the first item
is output.  Similarly for "SPF" records, but the default for joining multiple
items in one SPF record is the empty string, for direct concatenation.

(c) If the next sequence of characters is 'defer_FOO' followed by a comma,
the defer behaviour is set to FOO. The possible behaviours are: 'strict', where
any defer causes the whole lookup to defer; 'lax', where a defer causes the
whole lookup to defer only if none of the DNS queries succeeds; and 'never',
where all defers are as if the lookup failed. The default is 'lax'.

(d) Another optional comma-sep field: 'dnssec_FOO', with 'strict', 'lax'
and 'never' (default); can appear before or after (c).  The meanings are
require, try and don't-try dnssec respectively.

(e) If the next sequence of characters is a sequence of letters and digits
followed by '=', it is interpreted as the name of the DNS record type. The
default is "TXT".

(f) Then there follows list of domain names. This is a generalized Exim list,
which may start with '<' in order to set a specific separator. The default
separator, as always, is colon. */

static int
dnsdb_find(void *handle, uschar *filename, const uschar *keystring, int length,
  uschar **result, uschar **errmsg, BOOL *do_cache)
{
int rc;
int size = 256;
int ptr = 0;
int sep = 0;
int defer_mode = PASS;
int dnssec_mode = OK;
int type;
int failrc = FAIL;
const uschar *outsep = CUS"\n";
const uschar *outsep2 = NULL;
uschar *equals, *domain, *found;
uschar buffer[256];

/* Because we're the working in the search pool, we try to reclaim as much
store as possible later, so we preallocate the result here */

uschar *yield = store_get(size);

dns_record *rr;
dns_answer dnsa;
dns_scan dnss;

handle = handle;           /* Keep picky compilers happy */
filename = filename;
length = length;
do_cache = do_cache;

/* If the string starts with '>' we change the output separator.
If it's followed by ';' or ',' we set the TXT output separator. */

while (isspace(*keystring)) keystring++;
if (*keystring == '>')
  {
  outsep = keystring + 1;
  keystring += 2;
  if (*keystring == ',')
    {
    outsep2 = keystring + 1;
    keystring += 2;
    }
  else if (*keystring == ';')
    {
    outsep2 = US"";
    keystring++;
    }
  while (isspace(*keystring)) keystring++;
  }

/* Check for a modifier keyword. */

while (  strncmpic(keystring, US"defer_", 6) == 0
      || strncmpic(keystring, US"dnssec_", 7) == 0
      )
  {
  if (strncmpic(keystring, US"defer_", 6) == 0)
    {
    keystring += 6;
    if (strncmpic(keystring, US"strict", 6) == 0)
      {
      defer_mode = DEFER;
      keystring += 6;
      }
    else if (strncmpic(keystring, US"lax", 3) == 0)
      {
      defer_mode = PASS;
      keystring += 3;
      }
    else if (strncmpic(keystring, US"never", 5) == 0)
      {
      defer_mode = OK;
      keystring += 5;
      }
    else
      {
      *errmsg = US"unsupported dnsdb defer behaviour";
      return DEFER;
      }
    }
  else
    {
    keystring += 7;
    if (strncmpic(keystring, US"strict", 6) == 0)
      {
      dnssec_mode = DEFER;
      keystring += 6;
      }
    else if (strncmpic(keystring, US"lax", 3) == 0)
      {
      dnssec_mode = PASS;
      keystring += 3;
      }
    else if (strncmpic(keystring, US"never", 5) == 0)
      {
      dnssec_mode = OK;
      keystring += 5;
      }
    else
      {
      *errmsg = US"unsupported dnsdb dnssec behaviour";
      return DEFER;
      }
    }
  while (isspace(*keystring)) keystring++;
  if (*keystring++ != ',')
    {
    *errmsg = US"dnsdb modifier syntax error";
    return DEFER;
    }
  while (isspace(*keystring)) keystring++;
  }

/* Figure out the "type" value if it is not T_TXT.
If the keystring contains an = this must be preceded by a valid type name. */

type = T_TXT;
if ((equals = Ustrchr(keystring, '=')) != NULL)
  {
  int i, len;
  uschar *tend = equals;

  while (tend > keystring && isspace(tend[-1])) tend--;
  len = tend - keystring;

  for (i = 0; i < sizeof(type_names)/sizeof(uschar *); i++)
    {
    if (len == Ustrlen(type_names[i]) &&
        strncmpic(keystring, US type_names[i], len) == 0)
      {
      type = type_values[i];
      break;
      }
    }

  if (i >= sizeof(type_names)/sizeof(uschar *))
    {
    *errmsg = US"unsupported DNS record type";
    return DEFER;
    }

  keystring = equals + 1;
  while (isspace(*keystring)) keystring++;
  }

/* Initialize the resolver in case this is the first time it has been used. */

dns_init(FALSE, FALSE, dnssec_mode != OK);

/* The remainder of the string must be a list of domains. As long as the lookup
for at least one of them succeeds, we return success. Failure means that none
of them were found.

The original implementation did not support a list of domains. Adding the list
feature is compatible, except in one case: when PTR records are being looked up
for a single IPv6 address. Fortunately, we can hack in a compatibility feature
here: If the type is PTR and no list separator is specified, and the entire
remaining string is valid as an IP address, set an impossible separator so that
it is treated as one item. */

if (type == T_PTR && keystring[0] != '<' &&
    string_is_ip_address(keystring, NULL) != 0)
  sep = -1;

/* SPF strings should be concatenated without a separator, thus make
it the default if not defined (see RFC 4408 section 3.1.3).
Multiple SPF records are forbidden (section 3.1.2) but are currently
not handled specially, thus they are concatenated with \n by default.
MX priority and value are space-separated by default.
SRV and TLSA record parts are space-separated by default. */

if (!outsep2) switch(type)
  {
  case T_SPF:                         outsep2 = US"";  break;
  case T_SRV: case T_MX: case T_TLSA: outsep2 = US" "; break;
  }

/* Now scan the list and do a lookup for each item */

while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer)))
        != NULL)
  {
  uschar rbuffer[256];
  int searchtype = (type == T_CSA)? T_SRV :         /* record type we want */
                   (type == T_MXH)? T_MX :
                   (type == T_ZNS)? T_NS : type;

  /* If the type is PTR or CSA, we have to construct the relevant magic lookup
  key if the original is an IP address (some experimental protocols are using
  PTR records for different purposes where the key string is a host name, and
  Exim's extended CSA can be keyed by domains or IP addresses). This code for
  doing the reversal is now in a separate function. */

  if ((type == T_PTR || type == T_CSA) &&
      string_is_ip_address(domain, NULL) != 0)
    {
    dns_build_reverse(domain, rbuffer);
    domain = rbuffer;
    }

  do
    {
    DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);

    /* Do the lookup and sort out the result. There are four special types that
    are handled specially: T_CSA, T_ZNS, T_ADDRESSES and T_MXH.
    The first two are handled in a special lookup function so that the facility
    could be used from other parts of the Exim code. T_ADDRESSES is handled by looping
    over the types of A lookup.  T_MXH affects only what happens later on in
    this function, but for tidiness it is handled by the "special". If the
    lookup fails, continue with the next domain. In the case of DEFER, adjust
    the final "nothing found" result, but carry on to the next domain. */

    found = domain;
#if HAVE_IPV6
    if (type == T_ADDRESSES)		/* NB cannot happen unless HAVE_IPV6 */
      {
      if (searchtype == T_ADDRESSES) searchtype = T_AAAA;
      else if (searchtype == T_AAAA) searchtype = T_A;
      rc = dns_special_lookup(&dnsa, domain, searchtype, CUSS &found);
      }
    else
#endif
      rc = dns_special_lookup(&dnsa, domain, type, CUSS &found);

    lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
      : dns_is_secure(&dnsa) ? US"yes" : US"no";

    if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
    if (  rc != DNS_SUCCEED
       || (dnssec_mode == DEFER && !dns_is_secure(&dnsa))
       )
      {
      if (defer_mode == DEFER)
	{
	dns_init(FALSE, FALSE, FALSE);			/* clr dnssec bit */
	return DEFER;					/* always defer */
	}
      if (defer_mode == PASS) failrc = DEFER;         /* defer only if all do */
      continue;                                       /* treat defer as fail */
      }


    /* Search the returned records */

    for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
         rr != NULL;
         rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
      {
      if (rr->type != searchtype) continue;

      /* There may be several addresses from an A6 record. Put the configured
      separator between them, just as for between several records. However, A6
      support is not normally configured these days. */

      if (type == T_A || type == T_AAAA || type == T_ADDRESSES)
        {
        dns_address *da;
        for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
          {
          if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
          yield = string_cat(yield, &size, &ptr, da->address,
            Ustrlen(da->address));
          }
        continue;
        }

      /* Other kinds of record just have one piece of data each, but there may be
      several of them, of course. */

      if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);

      if (type == T_TXT || type == T_SPF)
        {
        if (outsep2 == NULL)
          {
          /* output only the first item of data */
          yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
            (rr->data)[0]);
          }
        else
          {
          /* output all items */
          int data_offset = 0;
          while (data_offset < rr->size)
            {
            uschar chunk_len = (rr->data)[data_offset++];
            if (outsep2[0] != '\0' && data_offset != 1)
              yield = string_cat(yield, &size, &ptr, outsep2, 1);
            yield = string_cat(yield, &size, &ptr,
                             (uschar *)((rr->data)+data_offset), chunk_len);
            data_offset += chunk_len;
            }
          }
        }
      else if (type == T_TLSA)
        {
        uint8_t usage, selector, matching_type;
        uint16_t i, payload_length;
        uschar s[MAX_TLSA_EXPANDED_SIZE];
	uschar * sp = s;
        uschar *p = (uschar *)(rr->data);

        usage = *p++;
        selector = *p++;
        matching_type = *p++;
        /* What's left after removing the first 3 bytes above */
        payload_length = rr->size - 3;
        sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
		selector, *outsep2, matching_type, *outsep2);
        /* Now append the cert/identifier, one hex char at a time */
        for (i=0;
             i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
             i++)
          {
          sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
          }
        yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
        }
      else   /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
        {
        int priority, weight, port;
        uschar s[264];
        uschar *p = (uschar *)(rr->data);

        if (type == T_MXH)
          {
          /* mxh ignores the priority number and includes only the hostnames */
          GETSHORT(priority, p);
          }
        else if (type == T_MX)
          {
          GETSHORT(priority, p);
          sprintf(CS s, "%d%c", priority, *outsep2);
          yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
          }
        else if (type == T_SRV)
          {
          GETSHORT(priority, p);
          GETSHORT(weight, p);
          GETSHORT(port, p);
          sprintf(CS s, "%d%c%d%c%d%c", priority, *outsep2,
					weight, *outsep2, port, *outsep2);
          yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
          }
        else if (type == T_CSA)
          {
          /* See acl_verify_csa() for more comments about CSA. */

          GETSHORT(priority, p);
          GETSHORT(weight, p);
          GETSHORT(port, p);

          if (priority != 1) continue;      /* CSA version must be 1 */

          /* If the CSA record we found is not the one we asked for, analyse
          the subdomain assertions in the port field, else analyse the direct
          authorization status in the weight field. */

          if (Ustrcmp(found, domain) != 0)
            {
            if (port & 1) *s = 'X';         /* explicit authorization required */
            else *s = '?';                  /* no subdomain assertions here */
            }
          else
            {
            if (weight < 2) *s = 'N';       /* not authorized */
            else if (weight == 2) *s = 'Y'; /* authorized */
            else if (weight == 3) *s = '?'; /* unauthorizable */
            else continue;                  /* invalid */
            }

          s[1] = ' ';
          yield = string_cat(yield, &size, &ptr, s, 2);
          }

        /* GETSHORT() has advanced the pointer to the target domain. */

        rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
          (DN_EXPAND_ARG4_TYPE)(s), sizeof(s));

        /* If an overlong response was received, the data will have been
        truncated and dn_expand may fail. */

        if (rc < 0)
          {
          log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
            "domain=%s", dns_text_type(type), domain);
          break;
          }
        else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
        }
      }    /* Loop for list of returned records */

           /* Loop for set of A-lookupu types */
    } while (type == T_ADDRESSES && searchtype != T_A);

  }        /* Loop for list of domains */

/* Reclaim unused memory */

store_reset(yield + ptr + 1);

/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
zero and return the result. */

dns_init(FALSE, FALSE, FALSE);	/* clear the dnssec bit for getaddrbyname */

if (ptr == 0) return failrc;
yield[ptr] = 0;
*result = yield;
return OK;
}


/*************************************************
*         Version reporting entry point          *
*************************************************/

/* See local README for interface description. */

#include "../version.h"

void
dnsdb_version_report(FILE *f)
{
#ifdef DYNLOOKUP
fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
#endif
}


static lookup_info _lookup_info = {
  US"dnsdb",                     /* lookup name */
  lookup_querystyle,             /* query style */
  dnsdb_open,                    /* open function */
  NULL,                          /* check function */
  dnsdb_find,                    /* find function */
  NULL,                          /* no close function */
  NULL,                          /* no tidy function */
  NULL,                          /* no quoting function */
  dnsdb_version_report           /* version reporting */
};

#ifdef DYNLOOKUP
#define dnsdb_lookup_module_info _lookup_module_info
#endif

static lookup_info *_lookup_list[] = { &_lookup_info };
lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };

/* vi: aw ai sw=2
*/
/* End of lookups/dnsdb.c */
Commit	Line	Data
0756eb3c PH	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
5a66c31b	5	/* Copyright (c) University of Cambridge 1995 - 2014 */
0756eb3c PH	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	#include "../exim.h"
	9	#include "lf_functions.h"
0756eb3c PH	10
	11
	12
	13	/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
	14	header files. */
	15
	16	#ifndef T_TXT
	17	#define T_TXT 16
	18	#endif
	19
eae0036b PP	20	/* Many systems do not have T_SPF. */
	21	#ifndef T_SPF
	22	#define T_SPF 99
	23	#endif
	24
1e06383a TL	25	/* New TLSA record for DANE */
	26	#ifndef T_TLSA
	27	#define T_TLSA 52
	28	#endif
	29
0756eb3c PH	30	/* Table of recognized DNS record types and their integer values. */
0756eb3c PH	31
1ba28e2b	32	static const char *type_names[] = {
0756eb3c PH	33	"a",
0756eb3c PH	34	#if HAVE_IPV6
3a796370	35	"a+",
0756eb3c	36	"aaaa",
0756eb3c PH	37	#endif
0756eb3c PH	38	"cname",
e5a9dba6	39	"csa",
0756eb3c	40	"mx",
ea3bc19b	41	"mxh",
0756eb3c PH	42	"ns",
0756eb3c PH	43	"ptr",
eae0036b	44	"spf",
0756eb3c	45	"srv",
1e06383a	46	"tlsa",
33397d19	47	"txt",
8e669ac1	48	"zns"
33397d19	49	};
0756eb3c PH	50
	51	static int type_values[] = {
	52	T_A,
	53	#if HAVE_IPV6
66be95e0	54	T_ADDRESSES, /* Private type for AAAA + A */
0756eb3c	55	T_AAAA,
0756eb3c PH	56	#endif
0756eb3c PH	57	T_CNAME,
e5a9dba6	58	T_CSA, /* Private type for "Client SMTP Authorization". */
0756eb3c	59	T_MX,
ea3bc19b	60	T_MXH, /* Private type for "MX hostnames" */
0756eb3c PH	61	T_NS,
0756eb3c PH	62	T_PTR,
eae0036b	63	T_SPF,
0756eb3c	64	T_SRV,
1e06383a	65	T_TLSA,
33397d19 PH	66	T_TXT,
	67	T_ZNS /* Private type for "zone nameservers" */
	68	};
0756eb3c PH	69
	70
	71	/*************************************************
	72	* Open entry point *
	73	*************************************************/
	74
	75	/* See local README for interface description. */
	76
e6d225ae	77	static void *
0756eb3c PH	78	dnsdb_open(uschar filename, uschar *errmsg)
	79	{
	80	filename = filename; /* Keep picky compilers happy */
	81	errmsg = errmsg; /* Ditto */
	82	return (void )(-1); / Any non-0 value */
	83	}
	84
	85
	86
	87	/*************************************************
	88	* Find entry point for dnsdb *
	89	*************************************************/
	90
7bb56e1f PH	91	/* See local README for interface description. The query in the "keystring" may
	92	consist of a number of parts.
	93
8e669ac1 PH	94	(a) If the first significant character is '>' then the next character is the
8e669ac1 PH	95	separator character that is used when multiple records are found. The default
7bb56e1f PH	96	separator is newline.
7bb56e1f PH	97
0d0c6357 NM	98	(b) If the next character is ',' then the next character is the separator
	99	character used for multiple items of text in "TXT" records. Alternatively,
	100	if the next character is ';' then these multiple items are concatenated with
	101	no separator. With neither of these options specified, only the first item
8ee4b30e PP	102	is output. Similarly for "SPF" records, but the default for joining multiple
8ee4b30e PP	103	items in one SPF record is the empty string, for direct concatenation.
0d0c6357 NM	104
0d0c6357 NM	105	(c) If the next sequence of characters is 'defer_FOO' followed by a comma,
ff4dbb19 PH	106	the defer behaviour is set to FOO. The possible behaviours are: 'strict', where
	107	any defer causes the whole lookup to defer; 'lax', where a defer causes the
	108	whole lookup to defer only if none of the DNS queries succeeds; and 'never',
	109	where all defers are as if the lookup failed. The default is 'lax'.
	110
fd3b6a4a JH	111	(d) Another optional comma-sep field: 'dnssec_FOO', with 'strict', 'lax'
	112	and 'never' (default); can appear before or after (c). The meanings are
	113	require, try and don't-try dnssec respectively.
	114
	115	(e) If the next sequence of characters is a sequence of letters and digits
8e669ac1	116	followed by '=', it is interpreted as the name of the DNS record type. The
ff4dbb19	117	default is "TXT".
7bb56e1f	118
fd3b6a4a	119	(f) Then there follows list of domain names. This is a generalized Exim list,
8e669ac1	120	which may start with '<' in order to set a specific separator. The default
7bb56e1f	121	separator, as always, is colon. */
0756eb3c	122
e6d225ae	123	static int
55414b25	124	dnsdb_find(void handle, uschar filename, const uschar *keystring, int length,
0756eb3c PH	125	uschar result, uschar errmsg, BOOL *do_cache)
	126	{
	127	int rc;
	128	int size = 256;
	129	int ptr = 0;
7bb56e1f	130	int sep = 0;
ff4dbb19	131	int defer_mode = PASS;
fd3b6a4a	132	int dnssec_mode = OK;
542bc632	133	int type;
c38d6da9	134	int failrc = FAIL;
55414b25 JH	135	const uschar *outsep = CUS"\n";
55414b25 JH	136	const uschar *outsep2 = NULL;
e5a9dba6	137	uschar equals, domain, *found;
0756eb3c PH	138	uschar buffer[256];
	139
	140	/* Because we're the working in the search pool, we try to reclaim as much
	141	store as possible later, so we preallocate the result here */
	142
	143	uschar *yield = store_get(size);
	144
	145	dns_record *rr;
	146	dns_answer dnsa;
	147	dns_scan dnss;
	148
	149	handle = handle; /* Keep picky compilers happy */
	150	filename = filename;
	151	length = length;
	152	do_cache = do_cache;
	153
0d0c6357 NM	154	/* If the string starts with '>' we change the output separator.
0d0c6357 NM	155	If it's followed by ';' or ',' we set the TXT output separator. */
0756eb3c	156
7bb56e1f PH	157	while (isspace(*keystring)) keystring++;
7bb56e1f PH	158	if (*keystring == '>')
0756eb3c	159	{
7bb56e1f	160	outsep = keystring + 1;
8e669ac1	161	keystring += 2;
0d0c6357 NM	162	if (*keystring == ',')
	163	{
	164	outsep2 = keystring + 1;
	165	keystring += 2;
	166	}
	167	else if (*keystring == ';')
	168	{
	169	outsep2 = US"";
	170	keystring++;
	171	}
7bb56e1f	172	while (isspace(*keystring)) keystring++;
8e669ac1	173	}
7bb56e1f	174
fd3b6a4a	175	/* Check for a modifier keyword. */
ff4dbb19	176
fd3b6a4a JH	177	while ( strncmpic(keystring, US"defer_", 6) == 0
	178	\|\| strncmpic(keystring, US"dnssec_", 7) == 0
	179	)
ff4dbb19	180	{
fd3b6a4a	181	if (strncmpic(keystring, US"defer_", 6) == 0)
ff4dbb19	182	{
ff4dbb19	183	keystring += 6;
fd3b6a4a JH	184	if (strncmpic(keystring, US"strict", 6) == 0)
	185	{
	186	defer_mode = DEFER;
	187	keystring += 6;
	188	}
	189	else if (strncmpic(keystring, US"lax", 3) == 0)
	190	{
	191	defer_mode = PASS;
	192	keystring += 3;
	193	}
	194	else if (strncmpic(keystring, US"never", 5) == 0)
	195	{
	196	defer_mode = OK;
	197	keystring += 5;
	198	}
	199	else
	200	{
	201	*errmsg = US"unsupported dnsdb defer behaviour";
	202	return DEFER;
	203	}
ff4dbb19 PH	204	}
	205	else
	206	{
fd3b6a4a JH	207	keystring += 7;
	208	if (strncmpic(keystring, US"strict", 6) == 0)
	209	{
	210	dnssec_mode = DEFER;
	211	keystring += 6;
	212	}
	213	else if (strncmpic(keystring, US"lax", 3) == 0)
	214	{
	215	dnssec_mode = PASS;
	216	keystring += 3;
	217	}
	218	else if (strncmpic(keystring, US"never", 5) == 0)
	219	{
	220	dnssec_mode = OK;
	221	keystring += 5;
	222	}
	223	else
	224	{
	225	*errmsg = US"unsupported dnsdb dnssec behaviour";
	226	return DEFER;
	227	}
ff4dbb19 PH	228	}
	229	while (isspace(*keystring)) keystring++;
	230	if (*keystring++ != ',')
	231	{
fd3b6a4a	232	*errmsg = US"dnsdb modifier syntax error";
ff4dbb19 PH	233	return DEFER;
	234	}
	235	while (isspace(*keystring)) keystring++;
	236	}
	237
542bc632 PP	238	/* Figure out the "type" value if it is not T_TXT.
542bc632 PP	239	If the keystring contains an = this must be preceded by a valid type name. */
7bb56e1f	240
542bc632	241	type = T_TXT;
7bb56e1f PH	242	if ((equals = Ustrchr(keystring, '=')) != NULL)
	243	{
	244	int i, len;
	245	uschar *tend = equals;
8e669ac1 PH	246
	247	while (tend > keystring && isspace(tend[-1])) tend--;
	248	len = tend - keystring;
	249
0756eb3c PH	250	for (i = 0; i < sizeof(type_names)/sizeof(uschar *); i++)
	251	{
	252	if (len == Ustrlen(type_names[i]) &&
	253	strncmpic(keystring, US type_names[i], len) == 0)
	254	{
	255	type = type_values[i];
	256	break;
	257	}
	258	}
8e669ac1	259
0756eb3c PH	260	if (i >= sizeof(type_names)/sizeof(uschar *))
	261	{
	262	*errmsg = US"unsupported DNS record type";
	263	return DEFER;
	264	}
8e669ac1	265
7bb56e1f PH	266	keystring = equals + 1;
7bb56e1f PH	267	while (isspace(*keystring)) keystring++;
0756eb3c	268	}
8e669ac1	269
7bb56e1f	270	/* Initialize the resolver in case this is the first time it has been used. */
0756eb3c	271
fd3b6a4a	272	dns_init(FALSE, FALSE, dnssec_mode != OK);
0756eb3c	273
8e669ac1 PH	274	/* The remainder of the string must be a list of domains. As long as the lookup
	275	for at least one of them succeeds, we return success. Failure means that none
	276	of them were found.
0756eb3c	277
8e669ac1 PH	278	The original implementation did not support a list of domains. Adding the list
	279	feature is compatible, except in one case: when PTR records are being looked up
	280	for a single IPv6 address. Fortunately, we can hack in a compatibility feature
	281	here: If the type is PTR and no list separator is specified, and the entire
	282	remaining string is valid as an IP address, set an impossible separator so that
7bb56e1f	283	it is treated as one item. */
33397d19	284
7bb56e1f	285	if (type == T_PTR && keystring[0] != '<' &&
7e66e54d	286	string_is_ip_address(keystring, NULL) != 0)
7bb56e1f	287	sep = -1;
0756eb3c	288
542bc632 PP	289	/* SPF strings should be concatenated without a separator, thus make
	290	it the default if not defined (see RFC 4408 section 3.1.3).
	291	Multiple SPF records are forbidden (section 3.1.2) but are currently
be36e572 JH	292	not handled specially, thus they are concatenated with \n by default.
	293	MX priority and value are space-separated by default.
	294	SRV and TLSA record parts are space-separated by default. */
542bc632	295
be36e572 JH	296	if (!outsep2) switch(type)
	297	{
	298	case T_SPF: outsep2 = US""; break;
	299	case T_SRV: case T_MX: case T_TLSA: outsep2 = US" "; break;
	300	}
542bc632	301
7bb56e1f	302	/* Now scan the list and do a lookup for each item */
0756eb3c	303
8e669ac1	304	while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer)))
7bb56e1f	305	!= NULL)
8e669ac1	306	{
7bb56e1f	307	uschar rbuffer[256];
e5a9dba6 PH	308	int searchtype = (type == T_CSA)? T_SRV : /* record type we want */
	309	(type == T_MXH)? T_MX :
	310	(type == T_ZNS)? T_NS : type;
	311
	312	/* If the type is PTR or CSA, we have to construct the relevant magic lookup
	313	key if the original is an IP address (some experimental protocols are using
	314	PTR records for different purposes where the key string is a host name, and
	315	Exim's extended CSA can be keyed by domains or IP addresses). This code for
	316	doing the reversal is now in a separate function. */
	317
	318	if ((type == T_PTR \|\| type == T_CSA) &&
7e66e54d	319	string_is_ip_address(domain, NULL) != 0)
0756eb3c	320	{
7bb56e1f PH	321	dns_build_reverse(domain, rbuffer);
7bb56e1f PH	322	domain = rbuffer;
0756eb3c	323	}
8e669ac1	324
3a796370	325	do
c38d6da9	326	{
3a796370 JH	327	DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);
	328
	329	/* Do the lookup and sort out the result. There are four special types that
66be95e0	330	are handled specially: T_CSA, T_ZNS, T_ADDRESSES and T_MXH.
3a796370	331	The first two are handled in a special lookup function so that the facility
66be95e0	332	could be used from other parts of the Exim code. T_ADDRESSES is handled by looping
3a796370 JH	333	over the types of A lookup. T_MXH affects only what happens later on in
	334	this function, but for tidiness it is handled by the "special". If the
	335	lookup fails, continue with the next domain. In the case of DEFER, adjust
	336	the final "nothing found" result, but carry on to the next domain. */
	337
	338	found = domain;
6abc190a	339	#if HAVE_IPV6
66be95e0	340	if (type == T_ADDRESSES) /* NB cannot happen unless HAVE_IPV6 */
3a796370	341	{
cc00f4af	342	if (searchtype == T_ADDRESSES) searchtype = T_AAAA;
3a796370	343	else if (searchtype == T_AAAA) searchtype = T_A;
55414b25	344	rc = dns_special_lookup(&dnsa, domain, searchtype, CUSS &found);
3a796370 JH	345	}
3a796370 JH	346	else
6abc190a	347	#endif
55414b25	348	rc = dns_special_lookup(&dnsa, domain, type, CUSS &found);
ea3bc19b	349
4e0983dc JH	350	lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
	351	: dns_is_secure(&dnsa) ? US"yes" : US"no";
	352
3a796370	353	if (rc == DNS_NOMATCH \|\| rc == DNS_NODATA) continue;
91f40ccd	354	if ( rc != DNS_SUCCEED
9852336a	355	\|\| (dnssec_mode == DEFER && !dns_is_secure(&dnsa))
91f40ccd	356	)
3a796370	357	{
fd3b6a4a JH	358	if (defer_mode == DEFER)
fd3b6a4a JH	359	{
9d9c3746	360	dns_init(FALSE, FALSE, FALSE); /* clr dnssec bit */
fd3b6a4a JH	361	return DEFER; /* always defer */
fd3b6a4a JH	362	}
3a796370 JH	363	if (defer_mode == PASS) failrc = DEFER; /* defer only if all do */
	364	continue; /* treat defer as fail */
	365	}
fd3b6a4a	366
8e669ac1	367
3a796370	368	/* Search the returned records */
8e669ac1	369
3a796370 JH	370	for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
	371	rr != NULL;
	372	rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
0756eb3c	373	{
3a796370 JH	374	if (rr->type != searchtype) continue;
	375
	376	/* There may be several addresses from an A6 record. Put the configured
	377	separator between them, just as for between several records. However, A6
	378	support is not normally configured these days. */
	379
cc00f4af	380	if (type == T_A \|\| type == T_AAAA \|\| type == T_ADDRESSES)
7bb56e1f	381	{
3a796370 JH	382	dns_address *da;
	383	for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
	384	{
	385	if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
	386	yield = string_cat(yield, &size, &ptr, da->address,
	387	Ustrlen(da->address));
	388	}
	389	continue;
7bb56e1f	390	}
8e669ac1	391
3a796370 JH	392	/* Other kinds of record just have one piece of data each, but there may be
3a796370 JH	393	several of them, of course. */
8e669ac1	394
3a796370	395	if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
8e669ac1	396
3a796370	397	if (type == T_TXT \|\| type == T_SPF)
80a47a2c	398	{
3a796370	399	if (outsep2 == NULL)
0d0c6357	400	{
3a796370 JH	401	/* output only the first item of data */
	402	yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
	403	(rr->data)[0]);
	404	}
	405	else
	406	{
	407	/* output all items */
	408	int data_offset = 0;
	409	while (data_offset < rr->size)
	410	{
	411	uschar chunk_len = (rr->data)[data_offset++];
	412	if (outsep2[0] != '\0' && data_offset != 1)
	413	yield = string_cat(yield, &size, &ptr, outsep2, 1);
	414	yield = string_cat(yield, &size, &ptr,
0d0c6357	415	(uschar *)((rr->data)+data_offset), chunk_len);
3a796370 JH	416	data_offset += chunk_len;
3a796370 JH	417	}
0d0c6357	418	}
80a47a2c	419	}
1e06383a TL	420	else if (type == T_TLSA)
	421	{
	422	uint8_t usage, selector, matching_type;
	423	uint16_t i, payload_length;
	424	uschar s[MAX_TLSA_EXPANDED_SIZE];
	425	uschar * sp = s;
	426	uschar p = (uschar )(rr->data);
	427
	428	usage = *p++;
	429	selector = *p++;
	430	matching_type = *p++;
	431	/* What's left after removing the first 3 bytes above */
	432	payload_length = rr->size - 3;
be36e572 JH	433	sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
be36e572 JH	434	selector, outsep2, matching_type, outsep2);
1e06383a TL	435	/* Now append the cert/identifier, one hex char at a time */
	436	for (i=0;
	437	i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
	438	i++)
	439	{
	440	sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
	441	}
	442	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	443	}
3a796370	444	else /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
e5a9dba6	445	{
3a796370 JH	446	int priority, weight, port;
	447	uschar s[264];
	448	uschar p = (uschar )(rr->data);
e5a9dba6	449
3a796370	450	if (type == T_MXH)
e5a9dba6	451	{
3a796370 JH	452	/* mxh ignores the priority number and includes only the hostnames */
3a796370 JH	453	GETSHORT(priority, p);
e5a9dba6	454	}
3a796370	455	else if (type == T_MX)
e5a9dba6	456	{
3a796370	457	GETSHORT(priority, p);
be36e572	458	sprintf(CS s, "%d%c", priority, *outsep2);
3a796370 JH	459	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	460	}
	461	else if (type == T_SRV)
	462	{
	463	GETSHORT(priority, p);
	464	GETSHORT(weight, p);
	465	GETSHORT(port, p);
be36e572 JH	466	sprintf(CS s, "%d%c%d%c%d%c", priority, *outsep2,
be36e572 JH	467	weight, outsep2, port, outsep2);
3a796370 JH	468	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	469	}
	470	else if (type == T_CSA)
	471	{
	472	/* See acl_verify_csa() for more comments about CSA. */
	473
	474	GETSHORT(priority, p);
	475	GETSHORT(weight, p);
	476	GETSHORT(port, p);
	477
	478	if (priority != 1) continue; /* CSA version must be 1 */
	479
	480	/* If the CSA record we found is not the one we asked for, analyse
	481	the subdomain assertions in the port field, else analyse the direct
	482	authorization status in the weight field. */
	483
1dc92d5a	484	if (Ustrcmp(found, domain) != 0)
3a796370 JH	485	{
	486	if (port & 1) s = 'X'; / explicit authorization required */
	487	else s = '?'; / no subdomain assertions here */
	488	}
	489	else
	490	{
	491	if (weight < 2) s = 'N'; / not authorized */
	492	else if (weight == 2) s = 'Y'; / authorized */
	493	else if (weight == 3) s = '?'; / unauthorizable */
	494	else continue; /* invalid */
	495	}
	496
	497	s[1] = ' ';
	498	yield = string_cat(yield, &size, &ptr, s, 2);
e5a9dba6 PH	499	}
e5a9dba6 PH	500
3a796370	501	/* GETSHORT() has advanced the pointer to the target domain. */
8e669ac1	502
3a796370 JH	503	rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
3a796370 JH	504	(DN_EXPAND_ARG4_TYPE)(s), sizeof(s));
8e669ac1	505
3a796370 JH	506	/* If an overlong response was received, the data will have been
3a796370 JH	507	truncated and dn_expand may fail. */
8e669ac1	508
3a796370 JH	509	if (rc < 0)
	510	{
	511	log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
	512	"domain=%s", dns_text_type(type), domain);
	513	break;
	514	}
	515	else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
7bb56e1f	516	}
3a796370 JH	517	} /* Loop for list of returned records */
	518
	519	/* Loop for set of A-lookupu types */
66be95e0	520	} while (type == T_ADDRESSES && searchtype != T_A);
3a796370 JH	521
3a796370 JH	522	} /* Loop for list of domains */
7bb56e1f PH	523
7bb56e1f PH	524	/* Reclaim unused memory */
0756eb3c	525
7bb56e1f PH	526	store_reset(yield + ptr + 1);
7bb56e1f PH	527
8e669ac1	528	/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
7bb56e1f PH	529	zero and return the result. */
7bb56e1f PH	530
fd3b6a4a JH	531	dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */
fd3b6a4a JH	532
c38d6da9	533	if (ptr == 0) return failrc;
0756eb3c	534	yield[ptr] = 0;
0756eb3c	535	*result = yield;
0756eb3c PH	536	return OK;
	537	}
	538
6545de78 PP	539
	540
	541	/*************************************************
	542	* Version reporting entry point *
	543	*************************************************/
	544
	545	/* See local README for interface description. */
	546
	547	#include "../version.h"
	548
	549	void
	550	dnsdb_version_report(FILE *f)
	551	{
	552	#ifdef DYNLOOKUP
	553	fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
	554	#endif
	555	}
	556
	557
e6d225ae DW	558	static lookup_info _lookup_info = {
	559	US"dnsdb", /* lookup name */
	560	lookup_querystyle, /* query style */
	561	dnsdb_open, /* open function */
	562	NULL, /* check function */
	563	dnsdb_find, /* find function */
	564	NULL, /* no close function */
	565	NULL, /* no tidy function */
6545de78 PP	566	NULL, /* no quoting function */
6545de78 PP	567	dnsdb_version_report /* version reporting */
e6d225ae DW	568	};
	569
	570	#ifdef DYNLOOKUP
	571	#define dnsdb_lookup_module_info _lookup_module_info
	572	#endif
	573
	574	static lookup_info *_lookup_list[] = { &_lookup_info };
	575	lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
	576
fd3b6a4a JH	577	/* vi: aw ai sw=2
fd3b6a4a JH	578	*/
0756eb3c	579	/* End of lookups/dnsdb.c */