[exim.git] / src / src / lookups / dnsdb.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */

#include "../exim.h"
#include "lf_functions.h"


/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
header files. */

#ifndef T_TXT
#define T_TXT 16
#endif

/* Many systems do not have T_SPF. */
#ifndef T_SPF
#define T_SPF 99
#endif

/* New TLSA record for DANE */
#ifndef T_TLSA
#define T_TLSA 52
#endif

/* Table of recognized DNS record types and their integer values. */

static const char *type_names[] = {
  "a",
#if HAVE_IPV6
  "a+",
  "aaaa",
  #ifdef SUPPORT_A6
  "a6",
  #endif
#endif
  "cname",
  "csa",
  "mx",
  "mxh",
  "ns",
  "ptr",
  "spf",
  "srv",
  "tlsa",
  "txt",
  "zns"
};

static int type_values[] = {
  T_A,
#if HAVE_IPV6
  T_APL,     /* Private type for AAAA + A */
  T_AAAA,
  #ifdef SUPPORT_A6
  T_A6,
  #endif
#endif
  T_CNAME,
  T_CSA,     /* Private type for "Client SMTP Authorization". */
  T_MX,
  T_MXH,     /* Private type for "MX hostnames" */
  T_NS,
  T_PTR,
  T_SPF,
  T_SRV,
  T_TLSA,
  T_TXT,
  T_ZNS      /* Private type for "zone nameservers" */
};


/*************************************************
*              Open entry point                  *
*************************************************/

/* See local README for interface description. */

static void *
dnsdb_open(uschar *filename, uschar **errmsg)
{
filename = filename;   /* Keep picky compilers happy */
errmsg = errmsg;       /* Ditto */
return (void *)(-1);   /* Any non-0 value */
}


/*************************************************
*           Find entry point for dnsdb           *
*************************************************/

/* See local README for interface description. The query in the "keystring" may
consist of a number of parts.

(a) If the first significant character is '>' then the next character is the
separator character that is used when multiple records are found. The default
separator is newline.

(b) If the next character is ',' then the next character is the separator
character used for multiple items of text in "TXT" records. Alternatively,
if the next character is ';' then these multiple items are concatenated with
no separator. With neither of these options specified, only the first item
is output.  Similarly for "SPF" records, but the default for joining multiple
items in one SPF record is the empty string, for direct concatenation.

(c) If the next sequence of characters is 'defer_FOO' followed by a comma,
the defer behaviour is set to FOO. The possible behaviours are: 'strict', where
any defer causes the whole lookup to defer; 'lax', where a defer causes the
whole lookup to defer only if none of the DNS queries succeeds; and 'never',
where all defers are as if the lookup failed. The default is 'lax'.

(d) If the next sequence of characters is a sequence of letters and digits
followed by '=', it is interpreted as the name of the DNS record type. The
default is "TXT".

(e) Then there follows list of domain names. This is a generalized Exim list,
which may start with '<' in order to set a specific separator. The default
separator, as always, is colon. */

static int
dnsdb_find(void *handle, uschar *filename, uschar *keystring, int length,
  uschar **result, uschar **errmsg, BOOL *do_cache)
{
int rc;
int size = 256;
int ptr = 0;
int sep = 0;
int defer_mode = PASS;
int type;
int failrc = FAIL;
uschar *outsep = US"\n";
uschar *outsep2 = NULL;
uschar *equals, *domain, *found;
uschar buffer[256];

/* Because we're the working in the search pool, we try to reclaim as much
store as possible later, so we preallocate the result here */

uschar *yield = store_get(size);

dns_record *rr;
dns_answer dnsa;
dns_scan dnss;

handle = handle;           /* Keep picky compilers happy */
filename = filename;
length = length;
do_cache = do_cache;

/* If the string starts with '>' we change the output separator.
If it's followed by ';' or ',' we set the TXT output separator. */

while (isspace(*keystring)) keystring++;
if (*keystring == '>')
  {
  outsep = keystring + 1;
  keystring += 2;
  if (*keystring == ',')
    {
    outsep2 = keystring + 1;
    keystring += 2;
    }
  else if (*keystring == ';')
    {
    outsep2 = US"";
    keystring++;
    }
  while (isspace(*keystring)) keystring++;
  }

/* Check for a defer behaviour keyword. */

if (strncmpic(keystring, US"defer_", 6) == 0)
  {
  keystring += 6;
  if (strncmpic(keystring, US"strict", 6) == 0)
    {
    defer_mode = DEFER;
    keystring += 6;
    }
  else if (strncmpic(keystring, US"lax", 3) == 0)
    {
    defer_mode = PASS;
    keystring += 3;
    }
  else if (strncmpic(keystring, US"never", 5) == 0)
    {
    defer_mode = OK;
    keystring += 5;
    }
  else
    {
    *errmsg = US"unsupported dnsdb defer behaviour";
    return DEFER;
    }
  while (isspace(*keystring)) keystring++;
  if (*keystring++ != ',')
    {
    *errmsg = US"dnsdb defer behaviour syntax error";
    return DEFER;
    }
  while (isspace(*keystring)) keystring++;
  }

/* Figure out the "type" value if it is not T_TXT.
If the keystring contains an = this must be preceded by a valid type name. */

type = T_TXT;
if ((equals = Ustrchr(keystring, '=')) != NULL)
  {
  int i, len;
  uschar *tend = equals;

  while (tend > keystring && isspace(tend[-1])) tend--;
  len = tend - keystring;

  for (i = 0; i < sizeof(type_names)/sizeof(uschar *); i++)
    {
    if (len == Ustrlen(type_names[i]) &&
        strncmpic(keystring, US type_names[i], len) == 0)
      {
      type = type_values[i];
      break;
      }
    }

  if (i >= sizeof(type_names)/sizeof(uschar *))
    {
    *errmsg = US"unsupported DNS record type";
    return DEFER;
    }

  keystring = equals + 1;
  while (isspace(*keystring)) keystring++;
  }

/* Initialize the resolver in case this is the first time it has been used. */

dns_init(FALSE, FALSE, FALSE);	/*XXX dnssec? */

/* The remainder of the string must be a list of domains. As long as the lookup
for at least one of them succeeds, we return success. Failure means that none
of them were found.

The original implementation did not support a list of domains. Adding the list
feature is compatible, except in one case: when PTR records are being looked up
for a single IPv6 address. Fortunately, we can hack in a compatibility feature
here: If the type is PTR and no list separator is specified, and the entire
remaining string is valid as an IP address, set an impossible separator so that
it is treated as one item. */

if (type == T_PTR && keystring[0] != '<' &&
    string_is_ip_address(keystring, NULL) != 0)
  sep = -1;

/* SPF strings should be concatenated without a separator, thus make
it the default if not defined (see RFC 4408 section 3.1.3).
Multiple SPF records are forbidden (section 3.1.2) but are currently
not handled specially, thus they are concatenated with \n by default. */

if (type == T_SPF && outsep2 == NULL)
  outsep2 = US"";

/* Now scan the list and do a lookup for each item */

while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer)))
        != NULL)
  {
  uschar rbuffer[256];
  int searchtype = (type == T_CSA)? T_SRV :         /* record type we want */
                   (type == T_MXH)? T_MX :
                   (type == T_ZNS)? T_NS : type;

  /* If the type is PTR or CSA, we have to construct the relevant magic lookup
  key if the original is an IP address (some experimental protocols are using
  PTR records for different purposes where the key string is a host name, and
  Exim's extended CSA can be keyed by domains or IP addresses). This code for
  doing the reversal is now in a separate function. */

  if ((type == T_PTR || type == T_CSA) &&
      string_is_ip_address(domain, NULL) != 0)
    {
    dns_build_reverse(domain, rbuffer);
    domain = rbuffer;
    }

  do
    {
    DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);

    /* Do the lookup and sort out the result. There are four special types that
    are handled specially: T_CSA, T_ZNS, T_APL and T_MXH.
    The first two are handled in a special lookup function so that the facility
    could be used from other parts of the Exim code. T_APL is handled by looping
    over the types of A lookup.  T_MXH affects only what happens later on in
    this function, but for tidiness it is handled by the "special". If the
    lookup fails, continue with the next domain. In the case of DEFER, adjust
    the final "nothing found" result, but carry on to the next domain. */

    found = domain;
#if HAVE_IPV6
    if (type == T_APL)		/* NB cannot happen unless HAVE_IPV6 */
      {
      if (searchtype == T_APL)
# if defined(SUPPORT_A6)
                                     searchtype = T_A6;
# else
                                     searchtype = T_AAAA;
# endif
      else if (searchtype == T_A6)   searchtype = T_AAAA;
      else if (searchtype == T_AAAA) searchtype = T_A;
      rc = dns_special_lookup(&dnsa, domain, searchtype, &found);
      }
    else
#endif
      rc = dns_special_lookup(&dnsa, domain, type, &found);

    if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
    if (rc != DNS_SUCCEED)
      {
      if (defer_mode == DEFER) return DEFER;          /* always defer */
      if (defer_mode == PASS) failrc = DEFER;         /* defer only if all do */
      continue;                                       /* treat defer as fail */
      }

    /* Search the returned records */

    for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
         rr != NULL;
         rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
      {
      if (rr->type != searchtype) continue;

      /* There may be several addresses from an A6 record. Put the configured
      separator between them, just as for between several records. However, A6
      support is not normally configured these days. */

      if (type == T_A ||
          #ifdef SUPPORT_A6
          type == T_A6 ||
          #endif
          type == T_AAAA ||
	  type == T_APL)
        {
        dns_address *da;
        for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
          {
          if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
          yield = string_cat(yield, &size, &ptr, da->address,
            Ustrlen(da->address));
          }
        continue;
        }

      /* Other kinds of record just have one piece of data each, but there may be
      several of them, of course. */

      if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);

      if (type == T_TXT || type == T_SPF)
        {
        if (outsep2 == NULL)
          {
          /* output only the first item of data */
          yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
            (rr->data)[0]);
          }
        else
          {
          /* output all items */
          int data_offset = 0;
          while (data_offset < rr->size)
            {
            uschar chunk_len = (rr->data)[data_offset++];
            if (outsep2[0] != '\0' && data_offset != 1)
              yield = string_cat(yield, &size, &ptr, outsep2, 1);
            yield = string_cat(yield, &size, &ptr,
                             (uschar *)((rr->data)+data_offset), chunk_len);
            data_offset += chunk_len;
            }
          }
        }
      else if (type == T_TLSA)
        {
        uint8_t usage, selector, matching_type;
        uint16_t i, payload_length;
        uschar s[MAX_TLSA_EXPANDED_SIZE];
	uschar * sp = s;
        uschar *p = (uschar *)(rr->data);

        usage = *p++;
        selector = *p++;
        matching_type = *p++;
        /* What's left after removing the first 3 bytes above */
        payload_length = rr->size - 3;
        sp += sprintf(CS s, "%d %d %d ", usage, selector, matching_type);
        /* Now append the cert/identifier, one hex char at a time */
        for (i=0;
             i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
             i++)
          {
          sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
          }
        yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
        }
      else   /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
        {
        int priority, weight, port;
        uschar s[264];
        uschar *p = (uschar *)(rr->data);

        if (type == T_MXH)
          {
          /* mxh ignores the priority number and includes only the hostnames */
          GETSHORT(priority, p);
          }
        else if (type == T_MX)
          {
          GETSHORT(priority, p);
          sprintf(CS s, "%d ", priority);
          yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
          }
        else if (type == T_SRV)
          {
          GETSHORT(priority, p);
          GETSHORT(weight, p);
          GETSHORT(port, p);
          sprintf(CS s, "%d %d %d ", priority, weight, port);
          yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
          }
        else if (type == T_CSA)
          {
          /* See acl_verify_csa() for more comments about CSA. */

          GETSHORT(priority, p);
          GETSHORT(weight, p);
          GETSHORT(port, p);

          if (priority != 1) continue;      /* CSA version must be 1 */

          /* If the CSA record we found is not the one we asked for, analyse
          the subdomain assertions in the port field, else analyse the direct
          authorization status in the weight field. */

          if (found != domain)
            {
            if (port & 1) *s = 'X';         /* explicit authorization required */
            else *s = '?';                  /* no subdomain assertions here */
            }
          else
            {
            if (weight < 2) *s = 'N';       /* not authorized */
            else if (weight == 2) *s = 'Y'; /* authorized */
            else if (weight == 3) *s = '?'; /* unauthorizable */
            else continue;                  /* invalid */
            }

          s[1] = ' ';
          yield = string_cat(yield, &size, &ptr, s, 2);
          }

        /* GETSHORT() has advanced the pointer to the target domain. */

        rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
          (DN_EXPAND_ARG4_TYPE)(s), sizeof(s));

        /* If an overlong response was received, the data will have been
        truncated and dn_expand may fail. */

        if (rc < 0)
          {
          log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
            "domain=%s", dns_text_type(type), domain);
          break;
          }
        else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
        }
      }    /* Loop for list of returned records */

           /* Loop for set of A-lookupu types */
    } while (type == T_APL && searchtype != T_A);

  }        /* Loop for list of domains */

/* Reclaim unused memory */

store_reset(yield + ptr + 1);

/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
zero and return the result. */

if (ptr == 0) return failrc;
yield[ptr] = 0;
*result = yield;
return OK;
}


/*************************************************
*         Version reporting entry point          *
*************************************************/

/* See local README for interface description. */

#include "../version.h"

void
dnsdb_version_report(FILE *f)
{
#ifdef DYNLOOKUP
fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
#endif
}


static lookup_info _lookup_info = {
  US"dnsdb",                     /* lookup name */
  lookup_querystyle,             /* query style */
  dnsdb_open,                    /* open function */
  NULL,                          /* check function */
  dnsdb_find,                    /* find function */
  NULL,                          /* no close function */
  NULL,                          /* no tidy function */
  NULL,                          /* no quoting function */
  dnsdb_version_report           /* version reporting */
};

#ifdef DYNLOOKUP
#define dnsdb_lookup_module_info _lookup_module_info
#endif

static lookup_info *_lookup_list[] = { &_lookup_info };
lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };

/* End of lookups/dnsdb.c */
Commit	Line	Data
0756eb3c PH	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
5a66c31b	5	/* Copyright (c) University of Cambridge 1995 - 2014 */
0756eb3c PH	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	#include "../exim.h"
	9	#include "lf_functions.h"
0756eb3c PH	10
	11
	12
	13	/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
	14	header files. */
	15
	16	#ifndef T_TXT
	17	#define T_TXT 16
	18	#endif
	19
eae0036b PP	20	/* Many systems do not have T_SPF. */
	21	#ifndef T_SPF
	22	#define T_SPF 99
	23	#endif
	24
1e06383a TL	25	/* New TLSA record for DANE */
	26	#ifndef T_TLSA
	27	#define T_TLSA 52
	28	#endif
	29
0756eb3c PH	30	/* Table of recognized DNS record types and their integer values. */
0756eb3c PH	31
1ba28e2b	32	static const char *type_names[] = {
0756eb3c PH	33	"a",
0756eb3c PH	34	#if HAVE_IPV6
3a796370	35	"a+",
0756eb3c PH	36	"aaaa",
	37	#ifdef SUPPORT_A6
	38	"a6",
	39	#endif
	40	#endif
	41	"cname",
e5a9dba6	42	"csa",
0756eb3c	43	"mx",
ea3bc19b	44	"mxh",
0756eb3c PH	45	"ns",
0756eb3c PH	46	"ptr",
eae0036b	47	"spf",
0756eb3c	48	"srv",
1e06383a	49	"tlsa",
33397d19	50	"txt",
8e669ac1	51	"zns"
33397d19	52	};
0756eb3c PH	53
	54	static int type_values[] = {
	55	T_A,
	56	#if HAVE_IPV6
3a796370	57	T_APL, /* Private type for AAAA + A */
0756eb3c PH	58	T_AAAA,
	59	#ifdef SUPPORT_A6
	60	T_A6,
	61	#endif
	62	#endif
	63	T_CNAME,
e5a9dba6	64	T_CSA, /* Private type for "Client SMTP Authorization". */
0756eb3c	65	T_MX,
ea3bc19b	66	T_MXH, /* Private type for "MX hostnames" */
0756eb3c PH	67	T_NS,
0756eb3c PH	68	T_PTR,
eae0036b	69	T_SPF,
0756eb3c	70	T_SRV,
1e06383a	71	T_TLSA,
33397d19 PH	72	T_TXT,
	73	T_ZNS /* Private type for "zone nameservers" */
	74	};
0756eb3c PH	75
	76
	77	/*************************************************
	78	* Open entry point *
	79	*************************************************/
	80
	81	/* See local README for interface description. */
	82
e6d225ae	83	static void *
0756eb3c PH	84	dnsdb_open(uschar filename, uschar *errmsg)
	85	{
	86	filename = filename; /* Keep picky compilers happy */
	87	errmsg = errmsg; /* Ditto */
	88	return (void )(-1); / Any non-0 value */
	89	}
	90
	91
	92
	93	/*************************************************
	94	* Find entry point for dnsdb *
	95	*************************************************/
	96
7bb56e1f PH	97	/* See local README for interface description. The query in the "keystring" may
	98	consist of a number of parts.
	99
8e669ac1 PH	100	(a) If the first significant character is '>' then the next character is the
8e669ac1 PH	101	separator character that is used when multiple records are found. The default
7bb56e1f PH	102	separator is newline.
7bb56e1f PH	103
0d0c6357 NM	104	(b) If the next character is ',' then the next character is the separator
	105	character used for multiple items of text in "TXT" records. Alternatively,
	106	if the next character is ';' then these multiple items are concatenated with
	107	no separator. With neither of these options specified, only the first item
8ee4b30e PP	108	is output. Similarly for "SPF" records, but the default for joining multiple
8ee4b30e PP	109	items in one SPF record is the empty string, for direct concatenation.
0d0c6357 NM	110
0d0c6357 NM	111	(c) If the next sequence of characters is 'defer_FOO' followed by a comma,
ff4dbb19 PH	112	the defer behaviour is set to FOO. The possible behaviours are: 'strict', where
	113	any defer causes the whole lookup to defer; 'lax', where a defer causes the
	114	whole lookup to defer only if none of the DNS queries succeeds; and 'never',
	115	where all defers are as if the lookup failed. The default is 'lax'.
	116
0d0c6357	117	(d) If the next sequence of characters is a sequence of letters and digits
8e669ac1	118	followed by '=', it is interpreted as the name of the DNS record type. The
ff4dbb19	119	default is "TXT".
7bb56e1f	120
0d0c6357	121	(e) Then there follows list of domain names. This is a generalized Exim list,
8e669ac1	122	which may start with '<' in order to set a specific separator. The default
7bb56e1f	123	separator, as always, is colon. */
0756eb3c	124
e6d225ae	125	static int
0756eb3c PH	126	dnsdb_find(void handle, uschar filename, uschar *keystring, int length,
	127	uschar result, uschar errmsg, BOOL *do_cache)
	128	{
	129	int rc;
	130	int size = 256;
	131	int ptr = 0;
7bb56e1f	132	int sep = 0;
ff4dbb19	133	int defer_mode = PASS;
542bc632	134	int type;
c38d6da9	135	int failrc = FAIL;
7bb56e1f	136	uschar *outsep = US"\n";
0d0c6357	137	uschar *outsep2 = NULL;
e5a9dba6	138	uschar equals, domain, *found;
0756eb3c PH	139	uschar buffer[256];
	140
	141	/* Because we're the working in the search pool, we try to reclaim as much
	142	store as possible later, so we preallocate the result here */
	143
	144	uschar *yield = store_get(size);
	145
	146	dns_record *rr;
	147	dns_answer dnsa;
	148	dns_scan dnss;
	149
	150	handle = handle; /* Keep picky compilers happy */
	151	filename = filename;
	152	length = length;
	153	do_cache = do_cache;
	154
0d0c6357 NM	155	/* If the string starts with '>' we change the output separator.
0d0c6357 NM	156	If it's followed by ';' or ',' we set the TXT output separator. */
0756eb3c	157
7bb56e1f PH	158	while (isspace(*keystring)) keystring++;
7bb56e1f PH	159	if (*keystring == '>')
0756eb3c	160	{
7bb56e1f	161	outsep = keystring + 1;
8e669ac1	162	keystring += 2;
0d0c6357 NM	163	if (*keystring == ',')
	164	{
	165	outsep2 = keystring + 1;
	166	keystring += 2;
	167	}
	168	else if (*keystring == ';')
	169	{
	170	outsep2 = US"";
	171	keystring++;
	172	}
7bb56e1f	173	while (isspace(*keystring)) keystring++;
8e669ac1	174	}
7bb56e1f	175
ff4dbb19 PH	176	/* Check for a defer behaviour keyword. */
	177
	178	if (strncmpic(keystring, US"defer_", 6) == 0)
	179	{
	180	keystring += 6;
	181	if (strncmpic(keystring, US"strict", 6) == 0)
	182	{
	183	defer_mode = DEFER;
	184	keystring += 6;
	185	}
	186	else if (strncmpic(keystring, US"lax", 3) == 0)
	187	{
	188	defer_mode = PASS;
	189	keystring += 3;
	190	}
	191	else if (strncmpic(keystring, US"never", 5) == 0)
	192	{
	193	defer_mode = OK;
	194	keystring += 5;
	195	}
	196	else
	197	{
	198	*errmsg = US"unsupported dnsdb defer behaviour";
	199	return DEFER;
	200	}
	201	while (isspace(*keystring)) keystring++;
	202	if (*keystring++ != ',')
	203	{
	204	*errmsg = US"dnsdb defer behaviour syntax error";
	205	return DEFER;
	206	}
	207	while (isspace(*keystring)) keystring++;
	208	}
	209
542bc632 PP	210	/* Figure out the "type" value if it is not T_TXT.
542bc632 PP	211	If the keystring contains an = this must be preceded by a valid type name. */
7bb56e1f	212
542bc632	213	type = T_TXT;
7bb56e1f PH	214	if ((equals = Ustrchr(keystring, '=')) != NULL)
	215	{
	216	int i, len;
	217	uschar *tend = equals;
8e669ac1 PH	218
	219	while (tend > keystring && isspace(tend[-1])) tend--;
	220	len = tend - keystring;
	221
0756eb3c PH	222	for (i = 0; i < sizeof(type_names)/sizeof(uschar *); i++)
	223	{
	224	if (len == Ustrlen(type_names[i]) &&
	225	strncmpic(keystring, US type_names[i], len) == 0)
	226	{
	227	type = type_values[i];
	228	break;
	229	}
	230	}
8e669ac1	231
0756eb3c PH	232	if (i >= sizeof(type_names)/sizeof(uschar *))
	233	{
	234	*errmsg = US"unsupported DNS record type";
	235	return DEFER;
	236	}
8e669ac1	237
7bb56e1f PH	238	keystring = equals + 1;
7bb56e1f PH	239	while (isspace(*keystring)) keystring++;
0756eb3c	240	}
8e669ac1	241
7bb56e1f	242	/* Initialize the resolver in case this is the first time it has been used. */
0756eb3c	243
8c51eead	244	dns_init(FALSE, FALSE, FALSE); /XXX dnssec? /
0756eb3c	245
8e669ac1 PH	246	/* The remainder of the string must be a list of domains. As long as the lookup
	247	for at least one of them succeeds, we return success. Failure means that none
	248	of them were found.
0756eb3c	249
8e669ac1 PH	250	The original implementation did not support a list of domains. Adding the list
	251	feature is compatible, except in one case: when PTR records are being looked up
	252	for a single IPv6 address. Fortunately, we can hack in a compatibility feature
	253	here: If the type is PTR and no list separator is specified, and the entire
	254	remaining string is valid as an IP address, set an impossible separator so that
7bb56e1f	255	it is treated as one item. */
33397d19	256
7bb56e1f	257	if (type == T_PTR && keystring[0] != '<' &&
7e66e54d	258	string_is_ip_address(keystring, NULL) != 0)
7bb56e1f	259	sep = -1;
0756eb3c	260
542bc632 PP	261	/* SPF strings should be concatenated without a separator, thus make
	262	it the default if not defined (see RFC 4408 section 3.1.3).
	263	Multiple SPF records are forbidden (section 3.1.2) but are currently
	264	not handled specially, thus they are concatenated with \n by default. */
	265
	266	if (type == T_SPF && outsep2 == NULL)
	267	outsep2 = US"";
	268
7bb56e1f	269	/* Now scan the list and do a lookup for each item */
0756eb3c	270
8e669ac1	271	while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer)))
7bb56e1f	272	!= NULL)
8e669ac1	273	{
7bb56e1f	274	uschar rbuffer[256];
e5a9dba6 PH	275	int searchtype = (type == T_CSA)? T_SRV : /* record type we want */
	276	(type == T_MXH)? T_MX :
	277	(type == T_ZNS)? T_NS : type;
	278
	279	/* If the type is PTR or CSA, we have to construct the relevant magic lookup
	280	key if the original is an IP address (some experimental protocols are using
	281	PTR records for different purposes where the key string is a host name, and
	282	Exim's extended CSA can be keyed by domains or IP addresses). This code for
	283	doing the reversal is now in a separate function. */
	284
	285	if ((type == T_PTR \|\| type == T_CSA) &&
7e66e54d	286	string_is_ip_address(domain, NULL) != 0)
0756eb3c	287	{
7bb56e1f PH	288	dns_build_reverse(domain, rbuffer);
7bb56e1f PH	289	domain = rbuffer;
0756eb3c	290	}
8e669ac1	291
3a796370	292	do
c38d6da9	293	{
3a796370 JH	294	DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);
	295
	296	/* Do the lookup and sort out the result. There are four special types that
	297	are handled specially: T_CSA, T_ZNS, T_APL and T_MXH.
	298	The first two are handled in a special lookup function so that the facility
	299	could be used from other parts of the Exim code. T_APL is handled by looping
	300	over the types of A lookup. T_MXH affects only what happens later on in
	301	this function, but for tidiness it is handled by the "special". If the
	302	lookup fails, continue with the next domain. In the case of DEFER, adjust
	303	the final "nothing found" result, but carry on to the next domain. */
	304
	305	found = domain;
6abc190a	306	#if HAVE_IPV6
3a796370 JH	307	if (type == T_APL) /* NB cannot happen unless HAVE_IPV6 */
3a796370 JH	308	{
6abc190a JH	309	if (searchtype == T_APL)
	310	# if defined(SUPPORT_A6)
	311	searchtype = T_A6;
	312	# else
	313	searchtype = T_AAAA;
	314	# endif
3a796370 JH	315	else if (searchtype == T_A6) searchtype = T_AAAA;
	316	else if (searchtype == T_AAAA) searchtype = T_A;
	317	rc = dns_special_lookup(&dnsa, domain, searchtype, &found);
	318	}
	319	else
6abc190a	320	#endif
3a796370	321	rc = dns_special_lookup(&dnsa, domain, type, &found);
ea3bc19b	322
3a796370 JH	323	if (rc == DNS_NOMATCH \|\| rc == DNS_NODATA) continue;
	324	if (rc != DNS_SUCCEED)
	325	{
	326	if (defer_mode == DEFER) return DEFER; /* always defer */
	327	if (defer_mode == PASS) failrc = DEFER; /* defer only if all do */
	328	continue; /* treat defer as fail */
	329	}
8e669ac1	330
3a796370	331	/* Search the returned records */
8e669ac1	332
3a796370 JH	333	for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
	334	rr != NULL;
	335	rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
0756eb3c	336	{
3a796370 JH	337	if (rr->type != searchtype) continue;
	338
	339	/* There may be several addresses from an A6 record. Put the configured
	340	separator between them, just as for between several records. However, A6
	341	support is not normally configured these days. */
	342
	343	if (type == T_A \|\|
	344	#ifdef SUPPORT_A6
	345	type == T_A6 \|\|
	346	#endif
	347	type == T_AAAA \|\|
	348	type == T_APL)
7bb56e1f	349	{
3a796370 JH	350	dns_address *da;
	351	for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
	352	{
	353	if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
	354	yield = string_cat(yield, &size, &ptr, da->address,
	355	Ustrlen(da->address));
	356	}
	357	continue;
7bb56e1f	358	}
8e669ac1	359
3a796370 JH	360	/* Other kinds of record just have one piece of data each, but there may be
3a796370 JH	361	several of them, of course. */
8e669ac1	362
3a796370	363	if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
8e669ac1	364
3a796370	365	if (type == T_TXT \|\| type == T_SPF)
80a47a2c	366	{
3a796370	367	if (outsep2 == NULL)
0d0c6357	368	{
3a796370 JH	369	/* output only the first item of data */
	370	yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
	371	(rr->data)[0]);
	372	}
	373	else
	374	{
	375	/* output all items */
	376	int data_offset = 0;
	377	while (data_offset < rr->size)
	378	{
	379	uschar chunk_len = (rr->data)[data_offset++];
	380	if (outsep2[0] != '\0' && data_offset != 1)
	381	yield = string_cat(yield, &size, &ptr, outsep2, 1);
	382	yield = string_cat(yield, &size, &ptr,
0d0c6357	383	(uschar *)((rr->data)+data_offset), chunk_len);
3a796370 JH	384	data_offset += chunk_len;
3a796370 JH	385	}
0d0c6357	386	}
80a47a2c	387	}
1e06383a TL	388	else if (type == T_TLSA)
	389	{
	390	uint8_t usage, selector, matching_type;
	391	uint16_t i, payload_length;
	392	uschar s[MAX_TLSA_EXPANDED_SIZE];
	393	uschar * sp = s;
	394	uschar p = (uschar )(rr->data);
	395
	396	usage = *p++;
	397	selector = *p++;
	398	matching_type = *p++;
	399	/* What's left after removing the first 3 bytes above */
	400	payload_length = rr->size - 3;
	401	sp += sprintf(CS s, "%d %d %d ", usage, selector, matching_type);
	402	/* Now append the cert/identifier, one hex char at a time */
	403	for (i=0;
	404	i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
	405	i++)
	406	{
	407	sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
	408	}
	409	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	410	}
3a796370	411	else /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
e5a9dba6	412	{
3a796370 JH	413	int priority, weight, port;
	414	uschar s[264];
	415	uschar p = (uschar )(rr->data);
e5a9dba6	416
3a796370	417	if (type == T_MXH)
e5a9dba6	418	{
3a796370 JH	419	/* mxh ignores the priority number and includes only the hostnames */
3a796370 JH	420	GETSHORT(priority, p);
e5a9dba6	421	}
3a796370	422	else if (type == T_MX)
e5a9dba6	423	{
3a796370 JH	424	GETSHORT(priority, p);
	425	sprintf(CS s, "%d ", priority);
	426	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	427	}
	428	else if (type == T_SRV)
	429	{
	430	GETSHORT(priority, p);
	431	GETSHORT(weight, p);
	432	GETSHORT(port, p);
	433	sprintf(CS s, "%d %d %d ", priority, weight, port);
	434	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	435	}
	436	else if (type == T_CSA)
	437	{
	438	/* See acl_verify_csa() for more comments about CSA. */
	439
	440	GETSHORT(priority, p);
	441	GETSHORT(weight, p);
	442	GETSHORT(port, p);
	443
	444	if (priority != 1) continue; /* CSA version must be 1 */
	445
	446	/* If the CSA record we found is not the one we asked for, analyse
	447	the subdomain assertions in the port field, else analyse the direct
	448	authorization status in the weight field. */
	449
	450	if (found != domain)
	451	{
	452	if (port & 1) s = 'X'; / explicit authorization required */
	453	else s = '?'; / no subdomain assertions here */
	454	}
	455	else
	456	{
	457	if (weight < 2) s = 'N'; / not authorized */
	458	else if (weight == 2) s = 'Y'; / authorized */
	459	else if (weight == 3) s = '?'; / unauthorizable */
	460	else continue; /* invalid */
	461	}
	462
	463	s[1] = ' ';
	464	yield = string_cat(yield, &size, &ptr, s, 2);
e5a9dba6 PH	465	}
e5a9dba6 PH	466
3a796370	467	/* GETSHORT() has advanced the pointer to the target domain. */
8e669ac1	468
3a796370 JH	469	rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
3a796370 JH	470	(DN_EXPAND_ARG4_TYPE)(s), sizeof(s));
8e669ac1	471
3a796370 JH	472	/* If an overlong response was received, the data will have been
3a796370 JH	473	truncated and dn_expand may fail. */
8e669ac1	474
3a796370 JH	475	if (rc < 0)
	476	{
	477	log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
	478	"domain=%s", dns_text_type(type), domain);
	479	break;
	480	}
	481	else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
7bb56e1f	482	}
3a796370 JH	483	} /* Loop for list of returned records */
	484
	485	/* Loop for set of A-lookupu types */
	486	} while (type == T_APL && searchtype != T_A);
	487
	488	} /* Loop for list of domains */
7bb56e1f PH	489
7bb56e1f PH	490	/* Reclaim unused memory */
0756eb3c	491
7bb56e1f PH	492	store_reset(yield + ptr + 1);
7bb56e1f PH	493
8e669ac1	494	/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
7bb56e1f PH	495	zero and return the result. */
7bb56e1f PH	496
c38d6da9	497	if (ptr == 0) return failrc;
0756eb3c	498	yield[ptr] = 0;
0756eb3c	499	*result = yield;
0756eb3c PH	500	return OK;
	501	}
	502
6545de78 PP	503
	504
	505	/*************************************************
	506	* Version reporting entry point *
	507	*************************************************/
	508
	509	/* See local README for interface description. */
	510
	511	#include "../version.h"
	512
	513	void
	514	dnsdb_version_report(FILE *f)
	515	{
	516	#ifdef DYNLOOKUP
	517	fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
	518	#endif
	519	}
	520
	521
e6d225ae DW	522	static lookup_info _lookup_info = {
	523	US"dnsdb", /* lookup name */
	524	lookup_querystyle, /* query style */
	525	dnsdb_open, /* open function */
	526	NULL, /* check function */
	527	dnsdb_find, /* find function */
	528	NULL, /* no close function */
	529	NULL, /* no tidy function */
6545de78 PP	530	NULL, /* no quoting function */
6545de78 PP	531	dnsdb_version_report /* version reporting */
e6d225ae DW	532	};
	533
	534	#ifdef DYNLOOKUP
	535	#define dnsdb_lookup_module_info _lookup_module_info
	536	#endif
	537
	538	static lookup_info *_lookup_list[] = { &_lookup_info };
	539	lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
	540
0756eb3c	541	/* End of lookups/dnsdb.c */