projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
dnsdb tlsa lookup
[exim.git] / src / src / lookups / dnsdb.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2012 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 #include "../exim.h"
9 #include "lf_functions.h"
10
11
12
13 /* Ancient systems (e.g. SunOS4) don't appear to have T_TXT defined in their
14 header files. */
15
16 #ifndef T_TXT
17 #define T_TXT 16
18 #endif
19
20 /* Many systems do not have T_SPF. */
21 #ifndef T_SPF
22 #define T_SPF 99
23 #endif
24
25 /* New TLSA record for DANE */
26 #ifndef T_TLSA
27 #define T_TLSA 52
28 #endif
29
30 /* Table of recognized DNS record types and their integer values. */
31
32 static const char *type_names[] = {
33 "a",
34 #if HAVE_IPV6
35 "a+",
36 "aaaa",
37 #ifdef SUPPORT_A6
38 "a6",
39 #endif
40 #endif
41 "cname",
42 "csa",
43 "mx",
44 "mxh",
45 "ns",
46 "ptr",
47 "spf",
48 "srv",
49 "tlsa",
50 "txt",
51 "zns"
52 };
53
54 static int type_values[] = {
55 T_A,
56 #if HAVE_IPV6
57 T_APL, /* Private type for AAAA + A */
58 T_AAAA,
59 #ifdef SUPPORT_A6
60 T_A6,
61 #endif
62 #endif
63 T_CNAME,
64 T_CSA, /* Private type for "Client SMTP Authorization". */
65 T_MX,
66 T_MXH, /* Private type for "MX hostnames" */
67 T_NS,
68 T_PTR,
69 T_SPF,
70 T_SRV,
71 T_TLSA,
72 T_TXT,
73 T_ZNS /* Private type for "zone nameservers" */
74 };
75
76
77 /*************************************************
78 * Open entry point *
79 *************************************************/
80
81 /* See local README for interface description. */
82
83 static void *
84 dnsdb_open(uschar *filename, uschar **errmsg)
85 {
86 filename = filename; /* Keep picky compilers happy */
87 errmsg = errmsg; /* Ditto */
88 return (void *)(-1); /* Any non-0 value */
89 }
90
91
92
93 /*************************************************
94 * Find entry point for dnsdb *
95 *************************************************/
96
97 /* See local README for interface description. The query in the "keystring" may
98 consist of a number of parts.
99
100 (a) If the first significant character is '>' then the next character is the
101 separator character that is used when multiple records are found. The default
102 separator is newline.
103
104 (b) If the next character is ',' then the next character is the separator
105 character used for multiple items of text in "TXT" records. Alternatively,
106 if the next character is ';' then these multiple items are concatenated with
107 no separator. With neither of these options specified, only the first item
108 is output. Similarly for "SPF" records, but the default for joining multiple
109 items in one SPF record is the empty string, for direct concatenation.
110
111 (c) If the next sequence of characters is 'defer_FOO' followed by a comma,
112 the defer behaviour is set to FOO. The possible behaviours are: 'strict', where
113 any defer causes the whole lookup to defer; 'lax', where a defer causes the
114 whole lookup to defer only if none of the DNS queries succeeds; and 'never',
115 where all defers are as if the lookup failed. The default is 'lax'.
116
117 (d) If the next sequence of characters is a sequence of letters and digits
118 followed by '=', it is interpreted as the name of the DNS record type. The
119 default is "TXT".
120
121 (e) Then there follows list of domain names. This is a generalized Exim list,
122 which may start with '<' in order to set a specific separator. The default
123 separator, as always, is colon. */
124
125 static int
126 dnsdb_find(void *handle, uschar *filename, uschar *keystring, int length,
127 uschar **result, uschar **errmsg, BOOL *do_cache)
128 {
129 int rc;
130 int size = 256;
131 int ptr = 0;
132 int sep = 0;
133 int defer_mode = PASS;
134 int type;
135 int failrc = FAIL;
136 uschar *outsep = US"\n";
137 uschar *outsep2 = NULL;
138 uschar *equals, *domain, *found;
139 uschar buffer[256];
140
141 /* Because we're the working in the search pool, we try to reclaim as much
142 store as possible later, so we preallocate the result here */
143
144 uschar *yield = store_get(size);
145
146 dns_record *rr;
147 dns_answer dnsa;
148 dns_scan dnss;
149
150 handle = handle; /* Keep picky compilers happy */
151 filename = filename;
152 length = length;
153 do_cache = do_cache;
154
155 /* If the string starts with '>' we change the output separator.
156 If it's followed by ';' or ',' we set the TXT output separator. */
157
158 while (isspace(*keystring)) keystring++;
159 if (*keystring == '>')
160 {
161 outsep = keystring + 1;
162 keystring += 2;
163 if (*keystring == ',')
164 {
165 outsep2 = keystring + 1;
166 keystring += 2;
167 }
168 else if (*keystring == ';')
169 {
170 outsep2 = US"";
171 keystring++;
172 }
173 while (isspace(*keystring)) keystring++;
174 }
175
176 /* Check for a defer behaviour keyword. */
177
178 if (strncmpic(keystring, US"defer_", 6) == 0)
179 {
180 keystring += 6;
181 if (strncmpic(keystring, US"strict", 6) == 0)
182 {
183 defer_mode = DEFER;
184 keystring += 6;
185 }
186 else if (strncmpic(keystring, US"lax", 3) == 0)
187 {
188 defer_mode = PASS;
189 keystring += 3;
190 }
191 else if (strncmpic(keystring, US"never", 5) == 0)
192 {
193 defer_mode = OK;
194 keystring += 5;
195 }
196 else
197 {
198 *errmsg = US"unsupported dnsdb defer behaviour";
199 return DEFER;
200 }
201 while (isspace(*keystring)) keystring++;
202 if (*keystring++ != ',')
203 {
204 *errmsg = US"dnsdb defer behaviour syntax error";
205 return DEFER;
206 }
207 while (isspace(*keystring)) keystring++;
208 }
209
210 /* Figure out the "type" value if it is not T_TXT.
211 If the keystring contains an = this must be preceded by a valid type name. */
212
213 type = T_TXT;
214 if ((equals = Ustrchr(keystring, '=')) != NULL)
215 {
216 int i, len;
217 uschar *tend = equals;
218
219 while (tend > keystring && isspace(tend[-1])) tend--;
220 len = tend - keystring;
221
222 for (i = 0; i < sizeof(type_names)/sizeof(uschar *); i++)
223 {
224 if (len == Ustrlen(type_names[i]) &&
225 strncmpic(keystring, US type_names[i], len) == 0)
226 {
227 type = type_values[i];
228 break;
229 }
230 }
231
232 if (i >= sizeof(type_names)/sizeof(uschar *))
233 {
234 *errmsg = US"unsupported DNS record type";
235 return DEFER;
236 }
237
238 keystring = equals + 1;
239 while (isspace(*keystring)) keystring++;
240 }
241
242 /* Initialize the resolver in case this is the first time it has been used. */
243
244 dns_init(FALSE, FALSE);
245
246 /* The remainder of the string must be a list of domains. As long as the lookup
247 for at least one of them succeeds, we return success. Failure means that none
248 of them were found.
249
250 The original implementation did not support a list of domains. Adding the list
251 feature is compatible, except in one case: when PTR records are being looked up
252 for a single IPv6 address. Fortunately, we can hack in a compatibility feature
253 here: If the type is PTR and no list separator is specified, and the entire
254 remaining string is valid as an IP address, set an impossible separator so that
255 it is treated as one item. */
256
257 if (type == T_PTR && keystring[0] != '<' &&
258 string_is_ip_address(keystring, NULL) != 0)
259 sep = -1;
260
261 /* SPF strings should be concatenated without a separator, thus make
262 it the default if not defined (see RFC 4408 section 3.1.3).
263 Multiple SPF records are forbidden (section 3.1.2) but are currently
264 not handled specially, thus they are concatenated with \n by default. */
265
266 if (type == T_SPF && outsep2 == NULL)
267 outsep2 = US"";
268
269 /* Now scan the list and do a lookup for each item */
270
271 while ((domain = string_nextinlist(&keystring, &sep, buffer, sizeof(buffer)))
272 != NULL)
273 {
274 uschar rbuffer[256];
275 int searchtype = (type == T_CSA)? T_SRV : /* record type we want */
276 (type == T_MXH)? T_MX :
277 (type == T_ZNS)? T_NS : type;
278
279 /* If the type is PTR or CSA, we have to construct the relevant magic lookup
280 key if the original is an IP address (some experimental protocols are using
281 PTR records for different purposes where the key string is a host name, and
282 Exim's extended CSA can be keyed by domains or IP addresses). This code for
283 doing the reversal is now in a separate function. */
284
285 if ((type == T_PTR || type == T_CSA) &&
286 string_is_ip_address(domain, NULL) != 0)
287 {
288 dns_build_reverse(domain, rbuffer);
289 domain = rbuffer;
290 }
291
292 do
293 {
294 DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);
295
296 /* Do the lookup and sort out the result. There are four special types that
297 are handled specially: T_CSA, T_ZNS, T_APL and T_MXH.
298 The first two are handled in a special lookup function so that the facility
299 could be used from other parts of the Exim code. T_APL is handled by looping
300 over the types of A lookup. T_MXH affects only what happens later on in
301 this function, but for tidiness it is handled by the "special". If the
302 lookup fails, continue with the next domain. In the case of DEFER, adjust
303 the final "nothing found" result, but carry on to the next domain. */
304
305 found = domain;
306 #if HAVE_IPV6
307 if (type == T_APL) /* NB cannot happen unless HAVE_IPV6 */
308 {
309 if (searchtype == T_APL)
310 # if defined(SUPPORT_A6)
311 searchtype = T_A6;
312 # else
313 searchtype = T_AAAA;
314 # endif
315 else if (searchtype == T_A6) searchtype = T_AAAA;
316 else if (searchtype == T_AAAA) searchtype = T_A;
317 rc = dns_special_lookup(&dnsa, domain, searchtype, &found);
318 }
319 else
320 #endif
321 rc = dns_special_lookup(&dnsa, domain, type, &found);
322
323 if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
324 if (rc != DNS_SUCCEED)
325 {
326 if (defer_mode == DEFER) return DEFER; /* always defer */
327 if (defer_mode == PASS) failrc = DEFER; /* defer only if all do */
328 continue; /* treat defer as fail */
329 }
330
331 /* Search the returned records */
332
333 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
334 rr != NULL;
335 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
336 {
337 if (rr->type != searchtype) continue;
338
339 /* There may be several addresses from an A6 record. Put the configured
340 separator between them, just as for between several records. However, A6
341 support is not normally configured these days. */
342
343 if (type == T_A ||
344 #ifdef SUPPORT_A6
345 type == T_A6 ||
346 #endif
347 type == T_AAAA ||
348 type == T_APL)
349 {
350 dns_address *da;
351 for (da = dns_address_from_rr(&dnsa, rr); da != NULL; da = da->next)
352 {
353 if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
354 yield = string_cat(yield, &size, &ptr, da->address,
355 Ustrlen(da->address));
356 }
357 continue;
358 }
359
360 /* Other kinds of record just have one piece of data each, but there may be
361 several of them, of course. */
362
363 if (ptr != 0) yield = string_cat(yield, &size, &ptr, outsep, 1);
364
365 if (type == T_TXT || type == T_SPF)
366 {
367 if (outsep2 == NULL)
368 {
369 /* output only the first item of data */
370 yield = string_cat(yield, &size, &ptr, (uschar *)(rr->data+1),
371 (rr->data)[0]);
372 }
373 else
374 {
375 /* output all items */
376 int data_offset = 0;
377 while (data_offset < rr->size)
378 {
379 uschar chunk_len = (rr->data)[data_offset++];
380 if (outsep2[0] != '\0' && data_offset != 1)
381 yield = string_cat(yield, &size, &ptr, outsep2, 1);
382 yield = string_cat(yield, &size, &ptr,
383 (uschar *)((rr->data)+data_offset), chunk_len);
384 data_offset += chunk_len;
385 }
386 }
387 }
388 else if (type == T_TLSA)
389 {
390 uint8_t usage, selector, matching_type;
391 uint16_t i, payload_length;
392 uschar s[MAX_TLSA_EXPANDED_SIZE];
393 uschar * sp = s;
394 uschar *p = (uschar *)(rr->data);
395
396 usage = *p++;
397 selector = *p++;
398 matching_type = *p++;
399 /* What's left after removing the first 3 bytes above */
400 payload_length = rr->size - 3;
401 sp += sprintf(CS s, "%d %d %d ", usage, selector, matching_type);
402 /* Now append the cert/identifier, one hex char at a time */
403 for (i=0;
404 i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
405 i++)
406 {
407 sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
408 }
409 yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
410 }
411 else /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SRV */
412 {
413 int priority, weight, port;
414 uschar s[264];
415 uschar *p = (uschar *)(rr->data);
416
417 if (type == T_MXH)
418 {
419 /* mxh ignores the priority number and includes only the hostnames */
420 GETSHORT(priority, p);
421 }
422 else if (type == T_MX)
423 {
424 GETSHORT(priority, p);
425 sprintf(CS s, "%d ", priority);
426 yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
427 }
428 else if (type == T_SRV)
429 {
430 GETSHORT(priority, p);
431 GETSHORT(weight, p);
432 GETSHORT(port, p);
433 sprintf(CS s, "%d %d %d ", priority, weight, port);
434 yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
435 }
436 else if (type == T_CSA)
437 {
438 /* See acl_verify_csa() for more comments about CSA. */
439
440 GETSHORT(priority, p);
441 GETSHORT(weight, p);
442 GETSHORT(port, p);
443
444 if (priority != 1) continue; /* CSA version must be 1 */
445
446 /* If the CSA record we found is not the one we asked for, analyse
447 the subdomain assertions in the port field, else analyse the direct
448 authorization status in the weight field. */
449
450 if (found != domain)
451 {
452 if (port & 1) *s = 'X'; /* explicit authorization required */
453 else *s = '?'; /* no subdomain assertions here */
454 }
455 else
456 {
457 if (weight < 2) *s = 'N'; /* not authorized */
458 else if (weight == 2) *s = 'Y'; /* authorized */
459 else if (weight == 3) *s = '?'; /* unauthorizable */
460 else continue; /* invalid */
461 }
462
463 s[1] = ' ';
464 yield = string_cat(yield, &size, &ptr, s, 2);
465 }
466
467 /* GETSHORT() has advanced the pointer to the target domain. */
468
469 rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
470 (DN_EXPAND_ARG4_TYPE)(s), sizeof(s));
471
472 /* If an overlong response was received, the data will have been
473 truncated and dn_expand may fail. */
474
475 if (rc < 0)
476 {
477 log_write(0, LOG_MAIN, "host name alias list truncated: type=%s "
478 "domain=%s", dns_text_type(type), domain);
479 break;
480 }
481 else yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
482 }
483 } /* Loop for list of returned records */
484
485 /* Loop for set of A-lookupu types */
486 } while (type == T_APL && searchtype != T_A);
487
488 } /* Loop for list of domains */
489
490 /* Reclaim unused memory */
491
492 store_reset(yield + ptr + 1);
493
494 /* If ptr == 0 we have not found anything. Otherwise, insert the terminating
495 zero and return the result. */
496
497 if (ptr == 0) return failrc;
498 yield[ptr] = 0;
499 *result = yield;
500 return OK;
501 }
502
503
504
505 /*************************************************
506 * Version reporting entry point *
507 *************************************************/
508
509 /* See local README for interface description. */
510
511 #include "../version.h"
512
513 void
514 dnsdb_version_report(FILE *f)
515 {
516 #ifdef DYNLOOKUP
517 fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
518 #endif
519 }
520
521
522 static lookup_info _lookup_info = {
523 US"dnsdb", /* lookup name */
524 lookup_querystyle, /* query style */
525 dnsdb_open, /* open function */
526 NULL, /* check function */
527 dnsdb_find, /* find function */
528 NULL, /* no close function */
529 NULL, /* no tidy function */
530 NULL, /* no quoting function */
531 dnsdb_version_report /* version reporting */
532 };
533
534 #ifdef DYNLOOKUP
535 #define dnsdb_lookup_module_info _lookup_module_info
536 #endif
537
538 static lookup_info *_lookup_list[] = { &_lookup_info };
539 lookup_module_info dnsdb_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
540
541 /* End of lookups/dnsdb.c */
Unnamed repository; edit this file 'description' to name the repository.