[exim.git] / src / src / lookups / dnsdb.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */

#include "../exim.h"
#include "lf_functions.h"


/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
header files. */

#ifndef T_TXT
#define T_TXT 16
#endif

/* Many systems do not have T_SPF. */
#ifndef T_SPF
#define T_SPF 99
#endif

/* New TLSA record for DANE */
#ifndef T_TLSA
#define T_TLSA 52
#endif

/* Table of recognized DNS record types and their integer values. */

static const char *type_names[] = {
  "a",
#if HAVE_IPV6
  "a+",
  "aaaa",
#endif
  "cname",
  "csa",
  "mx",
  "mxh",
  "ns",
  "ptr",
  "spf",
  "srv",
  "tlsa",
  "txt",
  "zns"
};

static int type_values[] = {
  T_A,
#if HAVE_IPV6
  T_ADDRESSES,     /* Private type for AAAA + A */
  T_AAAA,
#endif
  T_CNAME,
  T_CSA,     /* Private type for "Client SMTP Authorization". */
  T_MX,
  T_MXH,     /* Private type for "MX hostnames" */
  T_NS,
  T_PTR,
  T_SPF,
  T_SRV,
  T_TLSA,
  T_TXT,
  T_ZNS      /* Private type for "zone nameservers" */
};


/*************************************************
*              Open entry point                  *
*************************************************/

/* See local README for interface description. */

static void *
dnsdb_open(uschar *filename, uschar **errmsg)
{
filename = filename;   /* Keep picky compilers happy */
errmsg = errmsg;       /* Ditto */
return (void *)(-1);   /* Any non-0 value */
}


/*************************************************
*           Find entry point for dnsdb           *
*************************************************/

/* See local README for interface description. The query in the "keystring" may
consist of a number of parts.

(a) If the first significant character is '>' then the next character is the
separator character that is used when multiple records are found. The default
separator is newline.

(b) If the next character is ',' then the next character is the separator
character used for multiple items of text in "TXT" records. Alternatively,
if the next character is ';' then these multiple items are concatenated with
no separator. With neither of these options specified, only the first item
is output.  Similarly for "SPF" records, but the default for joining multiple
items in one SPF record is the empty string, for direct concatenation.

(c) Options, all comma-terminated, in any order.  Any unrecognised option
terminates option processing.  Recognised options are:

- 'defer_FOO':  set the defer behaviour to FOO.  The possible behaviours are:
'strict', where any defer causes the whole lookup to defer; 'lax', where a defer
causes the whole lookup to defer only if none of the DNS queries succeeds; and
'never', where all defers are as if the lookup failed. The default is 'lax'.

- 'dnssec_FOO', with 'strict', 'lax' and 'never' (default).  The meanings are
require, try and don't-try dnssec respectively.

- 'retrans_VAL', set the timeout value.  VAL is an Exim time specification
(eg "5s").  The default is set by the main configuration option 'dns_retrans'.

- 'retry_VAL', set the retry count on timeouts.  VAL is an integer.  The
default is set by the main configuration option "dns_retry".

(d) If the next sequence of characters is a sequence of letters and digits
followed by '=', it is interpreted as the name of the DNS record type. The
default is "TXT".

(e) Then there follows list of domain names. This is a generalized Exim list,
which may start with '<' in order to set a specific separator. The default
separator, as always, is colon. */

static int
dnsdb_find(void *handle, uschar *filename, const uschar *keystring, int length,
  uschar **result, uschar **errmsg, BOOL *do_cache)
{
int rc;
int size = 256;
int ptr = 0;
int sep = 0;
int defer_mode = PASS;
int dnssec_mode = OK;
int save_retrans = dns_retrans;
int save_retry =   dns_retry;
int type;
int failrc = FAIL;
const uschar *outsep = CUS"\n";
const uschar *outsep2 = NULL;
uschar *equals, *domain, *found;

/* Because we're the working in the search pool, we try to reclaim as much
store as possible later, so we preallocate the result here */

uschar *yield = store_get(size);

dns_record *rr;
dns_answer dnsa;
dns_scan dnss;

handle = handle;           /* Keep picky compilers happy */
filename = filename;
length = length;
do_cache = do_cache;

/* If the string starts with '>' we change the output separator.
If it's followed by ';' or ',' we set the TXT output separator. */

while (isspace(*keystring)) keystring++;
if (*keystring == '>')
  {
  outsep = keystring + 1;
  keystring += 2;
  if (*keystring == ',')
    {
    outsep2 = keystring + 1;
    keystring += 2;
    }
  else if (*keystring == ';')
    {
    outsep2 = US"";
    keystring++;
    }
  while (isspace(*keystring)) keystring++;
  }

/* Check for a modifier keyword. */

for (;;)
  {
  if (strncmpic(keystring, US"defer_", 6) == 0)
    {
    keystring += 6;
    if (strncmpic(keystring, US"strict", 6) == 0)
      { defer_mode = DEFER; keystring += 6; }
    else if (strncmpic(keystring, US"lax", 3) == 0)
      { defer_mode = PASS; keystring += 3; }
    else if (strncmpic(keystring, US"never", 5) == 0)
      { defer_mode = OK; keystring += 5; }
    else
      {
      *errmsg = US"unsupported dnsdb defer behaviour";
      return DEFER;
      }
    }
  else if (strncmpic(keystring, US"dnssec_", 7) == 0)
    {
    keystring += 7;
    if (strncmpic(keystring, US"strict", 6) == 0)
      { dnssec_mode = DEFER; keystring += 6; }
    else if (strncmpic(keystring, US"lax", 3) == 0)
      { dnssec_mode = PASS; keystring += 3; }
    else if (strncmpic(keystring, US"never", 5) == 0)
      { dnssec_mode = OK; keystring += 5; }
    else
      {
      *errmsg = US"unsupported dnsdb dnssec behaviour";
      return DEFER;
      }
    }
  else if (strncmpic(keystring, US"retrans_", 8) == 0)
    {
    int timeout_sec;
    if ((timeout_sec = readconf_readtime(keystring += 8, ',', FALSE)) <= 0)
      {
      *errmsg = US"unsupported dnsdb timeout value";
      return DEFER;
      }
    dns_retrans = timeout_sec;
    while (*keystring != ',') keystring++;
    }
  else if (strncmpic(keystring, US"retry_", 6) == 0)
    {
    int retries;
    if ((retries = (int)strtol(keystring + 6, CSS &keystring, 0)) < 0)
      {
      *errmsg = US"unsupported dnsdb retry count";
      return DEFER;
      }
    dns_retry = retries;
    }
  else
    break;

  while (isspace(*keystring)) keystring++;
  if (*keystring++ != ',')
    {
    *errmsg = US"dnsdb modifier syntax error";
    return DEFER;
    }
  while (isspace(*keystring)) keystring++;
  }

/* Figure out the "type" value if it is not T_TXT.
If the keystring contains an = this must be preceded by a valid type name. */

type = T_TXT;
if ((equals = Ustrchr(keystring, '=')) != NULL)
  {
  int i, len;
  uschar *tend = equals;

  while (tend > keystring && isspace(tend[-1])) tend--;
  len = tend - keystring;

  for (i = 0; i < sizeof(type_names)/sizeof(uschar *); i++)
    {
    if (len == Ustrlen(type_names[i]) &&
        strncmpic(keystring, US type_names[i], len) == 0)
      {
      type = type_values[i];
      break;
      }
    }

  if (i >= sizeof(type_names)/sizeof(uschar *))
    {
    *errmsg = US"unsupported DNS record type";
    return DEFER;
    }

  keystring = equals + 1;
  while (isspace(*keystring)) keystring++;
  }

/* Initialize the resolver in case this is the first time it has been used. */

dns_init(FALSE, FALSE, dnssec_mode != OK);

/* The remainder of the string must be a list of domains. As long as the lookup
for at least one of them succeeds, we return success. Failure means that none
of them were found.

The original implementation did not support a list of domains. Adding the list
feature is compatible, except in one case: when PTR records are being looked up
for a single IPv6 address. Fortunately, we can hack in a compatibility feature
here: If the type is PTR and no list separator is specified, and the entire
remaining string is valid as an IP address, set an impossible separator so that
it is treated as one item. */

if (type == T_PTR && keystring[0] != '<' &&
    string_is_ip_address(keystring, NULL) != 0)
  sep = -1;

/* SPF strings should be concatenated without a separator, thus make
it the default if not defined (see RFC 4408 section 3.1.3).
Multiple SPF records are forbidden (section 3.1.2) but are currently
not handled specially, thus they are concatenated with \n by default.
MX priority and value are space-separated by default.
SRV and TLSA record parts are space-separated by default. */

if (!outsep2) switch(type)
  {
  case T_SPF:                         outsep2 = US"";  break;
  case T_SRV: case T_MX: case T_TLSA: outsep2 = US" "; break;
  }

/* Now scan the list and do a lookup for each item */

while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
  {
  uschar rbuffer[256];
  int searchtype = (type == T_CSA)? T_SRV :         /* record type we want */
                   (type == T_MXH)? T_MX :
                   (type == T_ZNS)? T_NS : type;

  /* If the type is PTR or CSA, we have to construct the relevant magic lookup
  key if the original is an IP address (some experimental protocols are using
  PTR records for different purposes where the key string is a host name, and
  Exim's extended CSA can be keyed by domains or IP addresses). This code for
  doing the reversal is now in a separate function. */

  if ((type == T_PTR || type == T_CSA) &&
      string_is_ip_address(domain, NULL) != 0)
    {
    dns_build_reverse(domain, rbuffer);
    domain = rbuffer;
    }

  do
    {
    DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);

    /* Do the lookup and sort out the result. There are four special types that
    are handled specially: T_CSA, T_ZNS, T_ADDRESSES and T_MXH.
    The first two are handled in a special lookup function so that the facility
    could be used from other parts of the Exim code. T_ADDRESSES is handled by looping
    over the types of A lookup.  T_MXH affects only what happens later on in
    this function, but for tidiness it is handled by the "special". If the
    lookup fails, continue with the next domain. In the case of DEFER, adjust
    the final "nothing found" result, but carry on to the next domain. */

    found = domain;
#if HAVE_IPV6
    if (type == T_ADDRESSES)		/* NB cannot happen unless HAVE_IPV6 */
      {
      if (searchtype == T_ADDRESSES) searchtype = T_AAAA;
      else if (searchtype == T_AAAA) searchtype = T_A;
      rc = dns_special_lookup(&dnsa, domain, searchtype, CUSS &found);
      }
    else
#endif
      rc = dns_special_lookup(&dnsa, domain, type, CUSS &found);

    lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
      : dns_is_secure(&dnsa) ? US"yes" : US"no";

    if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
    if (  rc != DNS_SUCCEED
       || (dnssec_mode == DEFER && !dns_is_secure(&dnsa))
       )
      {
      if (defer_mode == DEFER)
	{
	dns_retrans = save_retrans;
	dns_retry = save_retry;
	dns_init(FALSE, FALSE, FALSE);			/* clr dnssec bit */
	return DEFER;					/* always defer */
	}
      if (defer_mode == PASS) failrc = DEFER;         /* defer only if all do */
      continue;                                       /* treat defer as fail */
      }


    /* Search the returned records */

    for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
         rr != NULL;
         rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
      {
      if (rr->type != searchtype) continue;

      /* There may be several addresses from an A6 record. Put the configured
      separator between them, just as for between several records. However, A6
      support is not normally configured these days. */

      if (type == T_A || type == T_AAAA || type == T_ADDRESSES)
        {
        dns_address *da;
        for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
          {
          if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
          yield = string_cat(yield, &size, &ptr, da->address,
            Ustrlen(da->address));
          }
        continue;
        }

      /* Other kinds of record just have one piece of data each, but there may be
      several of them, of course. */

      if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);

      if (type == T_TXT || type == T_SPF)
        {
        if (outsep2 == NULL)
          {
          /* output only the first item of data */
          yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
            (rr->data)[0]);
          }
        else
          {
          /* output all items */
          int data_offset = 0;
          while (data_offset < rr->size)
            {
            uschar chunk_len = (rr->data)[data_offset++];
            if (outsep2[0] != '\0' && data_offset != 1)
              yield = string_cat(yield, &size, &ptr, outsep2, 1);
            yield = string_cat(yield, &size, &ptr,
                             (uschar *)((rr->data)+data_offset), chunk_len);
            data_offset += chunk_len;
            }
          }
        }
      else if (type == T_TLSA)
        {
        uint8_t usage, selector, matching_type;
        uint16_t i, payload_length;
        uschar s[MAX_TLSA_EXPANDED_SIZE];
	uschar * sp = s;
        uschar *p = (uschar *)(rr->data);

        usage = *p++;
        selector = *p++;
        matching_type = *p++;
        /* What's left after removing the first 3 bytes above */
        payload_length = rr->size - 3;
        sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
		selector, *outsep2, matching_type, *outsep2);
        /* Now append the cert/identifier, one hex char at a time */
        for (i=0;
             i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
             i++)
          {
          sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
          }
        yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
        }
      else   /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
        {
        int priority, weight, port;
        uschar s[264];
        uschar *p = (uschar *)(rr->data);

        if (type == T_MXH)
          {
          /* mxh ignores the priority number and includes only the hostnames */
          GETSHORT(priority, p);
          }
        else if (type == T_MX)
          {
          GETSHORT(priority, p);
          sprintf(CS s, "%d%c", priority, *outsep2);
          yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
          }
        else if (type == T_SRV)
          {
          GETSHORT(priority, p);
          GETSHORT(weight, p);
          GETSHORT(port, p);
          sprintf(CS s, "%d%c%d%c%d%c", priority, *outsep2,
					weight, *outsep2, port, *outsep2);
          yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
          }
        else if (type == T_CSA)
          {
          /* See acl_verify_csa() for more comments about CSA. */

          GETSHORT(priority, p);
          GETSHORT(weight, p);
          GETSHORT(port, p);

          if (priority != 1) continue;      /* CSA version must be 1 */

          /* If the CSA record we found is not the one we asked for, analyse
          the subdomain assertions in the port field, else analyse the direct
          authorization status in the weight field. */

          if (Ustrcmp(found, domain) != 0)
            {
            if (port & 1) *s = 'X';         /* explicit authorization required */
            else *s = '?';                  /* no subdomain assertions here */
            }
          else
            {
            if (weight < 2) *s = 'N';       /* not authorized */
            else if (weight == 2) *s = 'Y'; /* authorized */
            else if (weight == 3) *s = '?'; /* unauthorizable */
            else continue;                  /* invalid */
            }

          s[1] = ' ';
          yield = string_cat(yield, &size, &ptr, s, 2);
          }

        /* GETSHORT() has advanced the pointer to the target domain. */

        rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
          (DN_EXPAND_ARG4_TYPE)(s), sizeof(s));

        /* If an overlong response was received, the data will have been
        truncated and dn_expand may fail. */

        if (rc < 0)
          {
          log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
            "domain=%s", dns_text_type(type), domain);
          break;
          }
        else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
        }
      }    /* Loop for list of returned records */

           /* Loop for set of A-lookupu types */
    } while (type == T_ADDRESSES && searchtype != T_A);

  }        /* Loop for list of domains */

/* Reclaim unused memory */

store_reset(yield + ptr + 1);

/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
zero and return the result. */

dns_retrans = save_retrans;
dns_retry = save_retry;
dns_init(FALSE, FALSE, FALSE);	/* clear the dnssec bit for getaddrbyname */

if (ptr == 0) return failrc;
yield[ptr] = 0;
*result = yield;
return OK;
}


/*************************************************
*         Version reporting entry point          *
*************************************************/

/* See local README for interface description. */

#include "../version.h"

void
dnsdb_version_report(FILE *f)
{
#ifdef DYNLOOKUP
fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
#endif
}


static lookup_info _lookup_info = {
  US"dnsdb",                     /* lookup name */
  lookup_querystyle,             /* query style */
  dnsdb_open,                    /* open function */
  NULL,                          /* check function */
  dnsdb_find,                    /* find function */
  NULL,                          /* no close function */
  NULL,                          /* no tidy function */
  NULL,                          /* no quoting function */
  dnsdb_version_report           /* version reporting */
};

#ifdef DYNLOOKUP
#define dnsdb_lookup_module_info _lookup_module_info
#endif

static lookup_info *_lookup_list[] = { &_lookup_info };
lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };

/* vi: aw ai sw=2
*/
/* End of lookups/dnsdb.c */
Commit	Line	Data
0756eb3c PH	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
5a66c31b	5	/* Copyright (c) University of Cambridge 1995 - 2014 */
0756eb3c PH	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	#include "../exim.h"
	9	#include "lf_functions.h"
0756eb3c PH	10
	11
	12
	13	/* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
	14	header files. */
	15
	16	#ifndef T_TXT
	17	#define T_TXT 16
	18	#endif
	19
eae0036b PP	20	/* Many systems do not have T_SPF. */
	21	#ifndef T_SPF
	22	#define T_SPF 99
	23	#endif
	24
1e06383a TL	25	/* New TLSA record for DANE */
	26	#ifndef T_TLSA
	27	#define T_TLSA 52
	28	#endif
	29
0756eb3c PH	30	/* Table of recognized DNS record types and their integer values. */
0756eb3c PH	31
1ba28e2b	32	static const char *type_names[] = {
0756eb3c PH	33	"a",
0756eb3c PH	34	#if HAVE_IPV6
3a796370	35	"a+",
0756eb3c	36	"aaaa",
0756eb3c PH	37	#endif
0756eb3c PH	38	"cname",
e5a9dba6	39	"csa",
0756eb3c	40	"mx",
ea3bc19b	41	"mxh",
0756eb3c PH	42	"ns",
0756eb3c PH	43	"ptr",
eae0036b	44	"spf",
0756eb3c	45	"srv",
1e06383a	46	"tlsa",
33397d19	47	"txt",
8e669ac1	48	"zns"
33397d19	49	};
0756eb3c PH	50
	51	static int type_values[] = {
	52	T_A,
	53	#if HAVE_IPV6
66be95e0	54	T_ADDRESSES, /* Private type for AAAA + A */
0756eb3c	55	T_AAAA,
0756eb3c PH	56	#endif
0756eb3c PH	57	T_CNAME,
e5a9dba6	58	T_CSA, /* Private type for "Client SMTP Authorization". */
0756eb3c	59	T_MX,
ea3bc19b	60	T_MXH, /* Private type for "MX hostnames" */
0756eb3c PH	61	T_NS,
0756eb3c PH	62	T_PTR,
eae0036b	63	T_SPF,
0756eb3c	64	T_SRV,
1e06383a	65	T_TLSA,
33397d19 PH	66	T_TXT,
	67	T_ZNS /* Private type for "zone nameservers" */
	68	};
0756eb3c PH	69
	70
	71	/*************************************************
	72	* Open entry point *
	73	*************************************************/
	74
	75	/* See local README for interface description. */
	76
e6d225ae	77	static void *
0756eb3c PH	78	dnsdb_open(uschar filename, uschar *errmsg)
	79	{
	80	filename = filename; /* Keep picky compilers happy */
	81	errmsg = errmsg; /* Ditto */
	82	return (void )(-1); / Any non-0 value */
	83	}
	84
	85
	86
	87	/*************************************************
	88	* Find entry point for dnsdb *
	89	*************************************************/
	90
7bb56e1f PH	91	/* See local README for interface description. The query in the "keystring" may
	92	consist of a number of parts.
	93
8e669ac1 PH	94	(a) If the first significant character is '>' then the next character is the
8e669ac1 PH	95	separator character that is used when multiple records are found. The default
7bb56e1f PH	96	separator is newline.
7bb56e1f PH	97
0d0c6357 NM	98	(b) If the next character is ',' then the next character is the separator
	99	character used for multiple items of text in "TXT" records. Alternatively,
	100	if the next character is ';' then these multiple items are concatenated with
	101	no separator. With neither of these options specified, only the first item
8ee4b30e PP	102	is output. Similarly for "SPF" records, but the default for joining multiple
8ee4b30e PP	103	items in one SPF record is the empty string, for direct concatenation.
0d0c6357	104
fd7f7910 JH	105	(c) Options, all comma-terminated, in any order. Any unrecognised option
	106	terminates option processing. Recognised options are:
	107
	108	- 'defer_FOO': set the defer behaviour to FOO. The possible behaviours are:
	109	'strict', where any defer causes the whole lookup to defer; 'lax', where a defer
	110	causes the whole lookup to defer only if none of the DNS queries succeeds; and
	111	'never', where all defers are as if the lookup failed. The default is 'lax'.
	112
	113	- 'dnssec_FOO', with 'strict', 'lax' and 'never' (default). The meanings are
fd3b6a4a JH	114	require, try and don't-try dnssec respectively.
fd3b6a4a JH	115
fd7f7910 JH	116	- 'retrans_VAL', set the timeout value. VAL is an Exim time specification
	117	(eg "5s"). The default is set by the main configuration option 'dns_retrans'.
	118
	119	- 'retry_VAL', set the retry count on timeouts. VAL is an integer. The
	120	default is set by the main configuration option "dns_retry".
	121
	122	(d) If the next sequence of characters is a sequence of letters and digits
8e669ac1	123	followed by '=', it is interpreted as the name of the DNS record type. The
ff4dbb19	124	default is "TXT".
7bb56e1f	125
fd7f7910	126	(e) Then there follows list of domain names. This is a generalized Exim list,
8e669ac1	127	which may start with '<' in order to set a specific separator. The default
7bb56e1f	128	separator, as always, is colon. */
0756eb3c	129
e6d225ae	130	static int
55414b25	131	dnsdb_find(void handle, uschar filename, const uschar *keystring, int length,
0756eb3c PH	132	uschar result, uschar errmsg, BOOL *do_cache)
	133	{
	134	int rc;
	135	int size = 256;
	136	int ptr = 0;
7bb56e1f	137	int sep = 0;
ff4dbb19	138	int defer_mode = PASS;
fd3b6a4a	139	int dnssec_mode = OK;
fd7f7910 JH	140	int save_retrans = dns_retrans;
fd7f7910 JH	141	int save_retry = dns_retry;
542bc632	142	int type;
c38d6da9	143	int failrc = FAIL;
55414b25 JH	144	const uschar *outsep = CUS"\n";
55414b25 JH	145	const uschar *outsep2 = NULL;
e5a9dba6	146	uschar equals, domain, *found;
0756eb3c PH	147
	148	/* Because we're the working in the search pool, we try to reclaim as much
	149	store as possible later, so we preallocate the result here */
	150
	151	uschar *yield = store_get(size);
	152
	153	dns_record *rr;
	154	dns_answer dnsa;
	155	dns_scan dnss;
	156
	157	handle = handle; /* Keep picky compilers happy */
	158	filename = filename;
	159	length = length;
	160	do_cache = do_cache;
	161
0d0c6357 NM	162	/* If the string starts with '>' we change the output separator.
0d0c6357 NM	163	If it's followed by ';' or ',' we set the TXT output separator. */
0756eb3c	164
7bb56e1f PH	165	while (isspace(*keystring)) keystring++;
7bb56e1f PH	166	if (*keystring == '>')
0756eb3c	167	{
7bb56e1f	168	outsep = keystring + 1;
8e669ac1	169	keystring += 2;
0d0c6357 NM	170	if (*keystring == ',')
	171	{
	172	outsep2 = keystring + 1;
	173	keystring += 2;
	174	}
	175	else if (*keystring == ';')
	176	{
	177	outsep2 = US"";
	178	keystring++;
	179	}
7bb56e1f	180	while (isspace(*keystring)) keystring++;
8e669ac1	181	}
7bb56e1f	182
fd3b6a4a	183	/* Check for a modifier keyword. */
ff4dbb19	184
fd7f7910	185	for (;;)
ff4dbb19	186	{
fd3b6a4a	187	if (strncmpic(keystring, US"defer_", 6) == 0)
ff4dbb19	188	{
ff4dbb19	189	keystring += 6;
fd3b6a4a	190	if (strncmpic(keystring, US"strict", 6) == 0)
fd7f7910	191	{ defer_mode = DEFER; keystring += 6; }
fd3b6a4a	192	else if (strncmpic(keystring, US"lax", 3) == 0)
fd7f7910	193	{ defer_mode = PASS; keystring += 3; }
fd3b6a4a	194	else if (strncmpic(keystring, US"never", 5) == 0)
fd7f7910	195	{ defer_mode = OK; keystring += 5; }
fd3b6a4a JH	196	else
	197	{
	198	*errmsg = US"unsupported dnsdb defer behaviour";
	199	return DEFER;
	200	}
ff4dbb19	201	}
fd7f7910	202	else if (strncmpic(keystring, US"dnssec_", 7) == 0)
ff4dbb19	203	{
fd3b6a4a JH	204	keystring += 7;
fd3b6a4a JH	205	if (strncmpic(keystring, US"strict", 6) == 0)
fd7f7910	206	{ dnssec_mode = DEFER; keystring += 6; }
fd3b6a4a	207	else if (strncmpic(keystring, US"lax", 3) == 0)
fd7f7910 JH	208	{ dnssec_mode = PASS; keystring += 3; }
	209	else if (strncmpic(keystring, US"never", 5) == 0)
	210	{ dnssec_mode = OK; keystring += 5; }
	211	else
fd3b6a4a	212	{
fd7f7910 JH	213	*errmsg = US"unsupported dnsdb dnssec behaviour";
fd7f7910 JH	214	return DEFER;
fd3b6a4a	215	}
fd7f7910 JH	216	}
	217	else if (strncmpic(keystring, US"retrans_", 8) == 0)
	218	{
	219	int timeout_sec;
	220	if ((timeout_sec = readconf_readtime(keystring += 8, ',', FALSE)) <= 0)
fd3b6a4a	221	{
fd7f7910 JH	222	*errmsg = US"unsupported dnsdb timeout value";
fd7f7910 JH	223	return DEFER;
fd3b6a4a	224	}
fd7f7910 JH	225	dns_retrans = timeout_sec;
	226	while (*keystring != ',') keystring++;
	227	}
	228	else if (strncmpic(keystring, US"retry_", 6) == 0)
	229	{
	230	int retries;
	231	if ((retries = (int)strtol(keystring + 6, CSS &keystring, 0)) < 0)
fd3b6a4a	232	{
fd7f7910	233	*errmsg = US"unsupported dnsdb retry count";
fd3b6a4a JH	234	return DEFER;
fd3b6a4a JH	235	}
fd7f7910	236	dns_retry = retries;
ff4dbb19	237	}
fd7f7910 JH	238	else
	239	break;
	240
ff4dbb19 PH	241	while (isspace(*keystring)) keystring++;
	242	if (*keystring++ != ',')
	243	{
fd3b6a4a	244	*errmsg = US"dnsdb modifier syntax error";
ff4dbb19 PH	245	return DEFER;
	246	}
	247	while (isspace(*keystring)) keystring++;
	248	}
	249
542bc632 PP	250	/* Figure out the "type" value if it is not T_TXT.
542bc632 PP	251	If the keystring contains an = this must be preceded by a valid type name. */
7bb56e1f	252
542bc632	253	type = T_TXT;
7bb56e1f PH	254	if ((equals = Ustrchr(keystring, '=')) != NULL)
	255	{
	256	int i, len;
	257	uschar *tend = equals;
8e669ac1 PH	258
	259	while (tend > keystring && isspace(tend[-1])) tend--;
	260	len = tend - keystring;
	261
0756eb3c PH	262	for (i = 0; i < sizeof(type_names)/sizeof(uschar *); i++)
	263	{
	264	if (len == Ustrlen(type_names[i]) &&
	265	strncmpic(keystring, US type_names[i], len) == 0)
	266	{
	267	type = type_values[i];
	268	break;
	269	}
	270	}
8e669ac1	271
0756eb3c PH	272	if (i >= sizeof(type_names)/sizeof(uschar *))
	273	{
	274	*errmsg = US"unsupported DNS record type";
	275	return DEFER;
	276	}
8e669ac1	277
7bb56e1f PH	278	keystring = equals + 1;
7bb56e1f PH	279	while (isspace(*keystring)) keystring++;
0756eb3c	280	}
8e669ac1	281
7bb56e1f	282	/* Initialize the resolver in case this is the first time it has been used. */
0756eb3c	283
fd3b6a4a	284	dns_init(FALSE, FALSE, dnssec_mode != OK);
0756eb3c	285
8e669ac1 PH	286	/* The remainder of the string must be a list of domains. As long as the lookup
	287	for at least one of them succeeds, we return success. Failure means that none
	288	of them were found.
0756eb3c	289
8e669ac1 PH	290	The original implementation did not support a list of domains. Adding the list
	291	feature is compatible, except in one case: when PTR records are being looked up
	292	for a single IPv6 address. Fortunately, we can hack in a compatibility feature
	293	here: If the type is PTR and no list separator is specified, and the entire
	294	remaining string is valid as an IP address, set an impossible separator so that
7bb56e1f	295	it is treated as one item. */
33397d19	296
7bb56e1f	297	if (type == T_PTR && keystring[0] != '<' &&
7e66e54d	298	string_is_ip_address(keystring, NULL) != 0)
7bb56e1f	299	sep = -1;
0756eb3c	300
542bc632 PP	301	/* SPF strings should be concatenated without a separator, thus make
	302	it the default if not defined (see RFC 4408 section 3.1.3).
	303	Multiple SPF records are forbidden (section 3.1.2) but are currently
be36e572 JH	304	not handled specially, thus they are concatenated with \n by default.
	305	MX priority and value are space-separated by default.
	306	SRV and TLSA record parts are space-separated by default. */
542bc632	307
be36e572 JH	308	if (!outsep2) switch(type)
	309	{
	310	case T_SPF: outsep2 = US""; break;
	311	case T_SRV: case T_MX: case T_TLSA: outsep2 = US" "; break;
	312	}
542bc632	313
7bb56e1f	314	/* Now scan the list and do a lookup for each item */
0756eb3c	315
fd7f7910	316	while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
8e669ac1	317	{
7bb56e1f	318	uschar rbuffer[256];
e5a9dba6 PH	319	int searchtype = (type == T_CSA)? T_SRV : /* record type we want */
	320	(type == T_MXH)? T_MX :
	321	(type == T_ZNS)? T_NS : type;
	322
	323	/* If the type is PTR or CSA, we have to construct the relevant magic lookup
	324	key if the original is an IP address (some experimental protocols are using
	325	PTR records for different purposes where the key string is a host name, and
	326	Exim's extended CSA can be keyed by domains or IP addresses). This code for
	327	doing the reversal is now in a separate function. */
	328
	329	if ((type == T_PTR \|\| type == T_CSA) &&
7e66e54d	330	string_is_ip_address(domain, NULL) != 0)
0756eb3c	331	{
7bb56e1f PH	332	dns_build_reverse(domain, rbuffer);
7bb56e1f PH	333	domain = rbuffer;
0756eb3c	334	}
8e669ac1	335
3a796370	336	do
c38d6da9	337	{
3a796370 JH	338	DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);
	339
	340	/* Do the lookup and sort out the result. There are four special types that
66be95e0	341	are handled specially: T_CSA, T_ZNS, T_ADDRESSES and T_MXH.
3a796370	342	The first two are handled in a special lookup function so that the facility
66be95e0	343	could be used from other parts of the Exim code. T_ADDRESSES is handled by looping
3a796370 JH	344	over the types of A lookup. T_MXH affects only what happens later on in
	345	this function, but for tidiness it is handled by the "special". If the
	346	lookup fails, continue with the next domain. In the case of DEFER, adjust
	347	the final "nothing found" result, but carry on to the next domain. */
	348
	349	found = domain;
6abc190a	350	#if HAVE_IPV6
66be95e0	351	if (type == T_ADDRESSES) /* NB cannot happen unless HAVE_IPV6 */
3a796370	352	{
cc00f4af	353	if (searchtype == T_ADDRESSES) searchtype = T_AAAA;
3a796370	354	else if (searchtype == T_AAAA) searchtype = T_A;
55414b25	355	rc = dns_special_lookup(&dnsa, domain, searchtype, CUSS &found);
3a796370 JH	356	}
3a796370 JH	357	else
6abc190a	358	#endif
55414b25	359	rc = dns_special_lookup(&dnsa, domain, type, CUSS &found);
ea3bc19b	360
4e0983dc JH	361	lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
	362	: dns_is_secure(&dnsa) ? US"yes" : US"no";
	363
3a796370	364	if (rc == DNS_NOMATCH \|\| rc == DNS_NODATA) continue;
91f40ccd	365	if ( rc != DNS_SUCCEED
9852336a	366	\|\| (dnssec_mode == DEFER && !dns_is_secure(&dnsa))
91f40ccd	367	)
3a796370	368	{
fd3b6a4a JH	369	if (defer_mode == DEFER)
fd3b6a4a JH	370	{
fd7f7910 JH	371	dns_retrans = save_retrans;
fd7f7910 JH	372	dns_retry = save_retry;
9d9c3746	373	dns_init(FALSE, FALSE, FALSE); /* clr dnssec bit */
fd3b6a4a JH	374	return DEFER; /* always defer */
fd3b6a4a JH	375	}
3a796370 JH	376	if (defer_mode == PASS) failrc = DEFER; /* defer only if all do */
	377	continue; /* treat defer as fail */
	378	}
fd3b6a4a	379
8e669ac1	380
3a796370	381	/* Search the returned records */
8e669ac1	382
3a796370 JH	383	for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
	384	rr != NULL;
	385	rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
0756eb3c	386	{
3a796370 JH	387	if (rr->type != searchtype) continue;
	388
	389	/* There may be several addresses from an A6 record. Put the configured
	390	separator between them, just as for between several records. However, A6
	391	support is not normally configured these days. */
	392
cc00f4af	393	if (type == T_A \|\| type == T_AAAA \|\| type == T_ADDRESSES)
7bb56e1f	394	{
3a796370 JH	395	dns_address *da;
	396	for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
	397	{
	398	if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
	399	yield = string_cat(yield, &size, &ptr, da->address,
	400	Ustrlen(da->address));
	401	}
	402	continue;
7bb56e1f	403	}
8e669ac1	404
3a796370 JH	405	/* Other kinds of record just have one piece of data each, but there may be
3a796370 JH	406	several of them, of course. */
8e669ac1	407
3a796370	408	if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
8e669ac1	409
3a796370	410	if (type == T_TXT \|\| type == T_SPF)
80a47a2c	411	{
3a796370	412	if (outsep2 == NULL)
0d0c6357	413	{
3a796370 JH	414	/* output only the first item of data */
	415	yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
	416	(rr->data)[0]);
	417	}
	418	else
	419	{
	420	/* output all items */
	421	int data_offset = 0;
	422	while (data_offset < rr->size)
	423	{
	424	uschar chunk_len = (rr->data)[data_offset++];
	425	if (outsep2[0] != '\0' && data_offset != 1)
	426	yield = string_cat(yield, &size, &ptr, outsep2, 1);
	427	yield = string_cat(yield, &size, &ptr,
0d0c6357	428	(uschar *)((rr->data)+data_offset), chunk_len);
3a796370 JH	429	data_offset += chunk_len;
3a796370 JH	430	}
0d0c6357	431	}
80a47a2c	432	}
1e06383a TL	433	else if (type == T_TLSA)
	434	{
	435	uint8_t usage, selector, matching_type;
	436	uint16_t i, payload_length;
	437	uschar s[MAX_TLSA_EXPANDED_SIZE];
	438	uschar * sp = s;
	439	uschar p = (uschar )(rr->data);
	440
	441	usage = *p++;
	442	selector = *p++;
	443	matching_type = *p++;
	444	/* What's left after removing the first 3 bytes above */
	445	payload_length = rr->size - 3;
be36e572 JH	446	sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
be36e572 JH	447	selector, outsep2, matching_type, outsep2);
1e06383a TL	448	/* Now append the cert/identifier, one hex char at a time */
	449	for (i=0;
	450	i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
	451	i++)
	452	{
	453	sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
	454	}
	455	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	456	}
3a796370	457	else /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
e5a9dba6	458	{
3a796370 JH	459	int priority, weight, port;
	460	uschar s[264];
	461	uschar p = (uschar )(rr->data);
e5a9dba6	462
3a796370	463	if (type == T_MXH)
e5a9dba6	464	{
3a796370 JH	465	/* mxh ignores the priority number and includes only the hostnames */
3a796370 JH	466	GETSHORT(priority, p);
e5a9dba6	467	}
3a796370	468	else if (type == T_MX)
e5a9dba6	469	{
3a796370	470	GETSHORT(priority, p);
be36e572	471	sprintf(CS s, "%d%c", priority, *outsep2);
3a796370 JH	472	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	473	}
	474	else if (type == T_SRV)
	475	{
	476	GETSHORT(priority, p);
	477	GETSHORT(weight, p);
	478	GETSHORT(port, p);
be36e572 JH	479	sprintf(CS s, "%d%c%d%c%d%c", priority, *outsep2,
be36e572 JH	480	weight, outsep2, port, outsep2);
3a796370 JH	481	yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
	482	}
	483	else if (type == T_CSA)
	484	{
	485	/* See acl_verify_csa() for more comments about CSA. */
	486
	487	GETSHORT(priority, p);
	488	GETSHORT(weight, p);
	489	GETSHORT(port, p);
	490
	491	if (priority != 1) continue; /* CSA version must be 1 */
	492
	493	/* If the CSA record we found is not the one we asked for, analyse
	494	the subdomain assertions in the port field, else analyse the direct
	495	authorization status in the weight field. */
	496
1dc92d5a	497	if (Ustrcmp(found, domain) != 0)
3a796370 JH	498	{
	499	if (port & 1) s = 'X'; / explicit authorization required */
	500	else s = '?'; / no subdomain assertions here */
	501	}
	502	else
	503	{
	504	if (weight < 2) s = 'N'; / not authorized */
	505	else if (weight == 2) s = 'Y'; / authorized */
	506	else if (weight == 3) s = '?'; / unauthorizable */
	507	else continue; /* invalid */
	508	}
	509
	510	s[1] = ' ';
	511	yield = string_cat(yield, &size, &ptr, s, 2);
e5a9dba6 PH	512	}
e5a9dba6 PH	513
3a796370	514	/* GETSHORT() has advanced the pointer to the target domain. */
8e669ac1	515
3a796370 JH	516	rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
3a796370 JH	517	(DN_EXPAND_ARG4_TYPE)(s), sizeof(s));
8e669ac1	518
3a796370 JH	519	/* If an overlong response was received, the data will have been
3a796370 JH	520	truncated and dn_expand may fail. */
8e669ac1	521
3a796370 JH	522	if (rc < 0)
	523	{
	524	log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
	525	"domain=%s", dns_text_type(type), domain);
	526	break;
	527	}
	528	else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
7bb56e1f	529	}
3a796370 JH	530	} /* Loop for list of returned records */
	531
	532	/* Loop for set of A-lookupu types */
66be95e0	533	} while (type == T_ADDRESSES && searchtype != T_A);
3a796370 JH	534
3a796370 JH	535	} /* Loop for list of domains */
7bb56e1f PH	536
7bb56e1f PH	537	/* Reclaim unused memory */
0756eb3c	538
7bb56e1f PH	539	store_reset(yield + ptr + 1);
7bb56e1f PH	540
8e669ac1	541	/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
7bb56e1f PH	542	zero and return the result. */
7bb56e1f PH	543
fd7f7910 JH	544	dns_retrans = save_retrans;
fd7f7910 JH	545	dns_retry = save_retry;
fd3b6a4a JH	546	dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */
fd3b6a4a JH	547
c38d6da9	548	if (ptr == 0) return failrc;
0756eb3c	549	yield[ptr] = 0;
0756eb3c	550	*result = yield;
0756eb3c PH	551	return OK;
	552	}
	553
6545de78 PP	554
	555
	556	/*************************************************
	557	* Version reporting entry point *
	558	*************************************************/
	559
	560	/* See local README for interface description. */
	561
	562	#include "../version.h"
	563
	564	void
	565	dnsdb_version_report(FILE *f)
	566	{
	567	#ifdef DYNLOOKUP
	568	fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
	569	#endif
	570	}
	571
	572
e6d225ae DW	573	static lookup_info _lookup_info = {
	574	US"dnsdb", /* lookup name */
	575	lookup_querystyle, /* query style */
	576	dnsdb_open, /* open function */
	577	NULL, /* check function */
	578	dnsdb_find, /* find function */
	579	NULL, /* no close function */
	580	NULL, /* no tidy function */
6545de78 PP	581	NULL, /* no quoting function */
6545de78 PP	582	dnsdb_version_report /* version reporting */
e6d225ae DW	583	};
	584
	585	#ifdef DYNLOOKUP
	586	#define dnsdb_lookup_module_info _lookup_module_info
	587	#endif
	588
	589	static lookup_info *_lookup_list[] = { &_lookup_info };
	590	lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
	591
fd3b6a4a JH	592	/* vi: aw ai sw=2
fd3b6a4a JH	593	*/
0756eb3c	594	/* End of lookups/dnsdb.c */