X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/accf9211ea33262b8865805a4f61155f26320444..995e599afd3e6468d3396fb351ed0cd0ea212779:/src/src/host.c

diff --git a/src/src/host.c b/src/src/host.c
index 456365c8f..6b9f674b8 100644
--- a/src/src/host.c
+++ b/src/src/host.c
@@ -3,6 +3,7 @@
 *************************************************/
 
 /* Copyright (c) University of Cambridge 1995 - 2018 */
+/* Copyright (c) The Exim Maintainers 2020 */
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* Functions for finding hosts, either by gethostbyname(), gethostbyaddr(), or
@@ -814,7 +815,7 @@ host_find_interfaces(void)
 {
 ip_address_item *running_interfaces = NULL;
 
-if (local_interface_data == NULL)
+if (!local_interface_data)
   {
   void *reset_item = store_mark();
   ip_address_item *dlist = host_build_ifacelist(CUS local_interfaces,
@@ -1231,14 +1232,11 @@ BOOL
 host_is_tls_on_connect_port(int port)
 {
 int sep = 0;
-uschar buffer[32];
-const uschar *list = tls_in.on_connect_ports;
-uschar *s;
-uschar *end;
+const uschar * list = tls_in.on_connect_ports;
 
 if (tls_in.on_connect) return TRUE;
 
-while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
+for (uschar * s, * end; s = string_nextinlist(&list, &sep, NULL, 0); )
   if (Ustrtol(s, &end, 10) == port)
     return TRUE;
 
@@ -1945,8 +1943,13 @@ host_find_byname(host_item *host, const uschar *ignore_target_hosts, int flags,
 int yield, times;
 host_item *last = NULL;
 BOOL temp_error = FALSE;
-#if HAVE_IPV6
 int af;
+
+#ifndef DISABLE_TLS
+/* Copy the host name at this point to the value which is used for
+TLS certificate name checking, before anything modifies it.  */
+
+host->certname = host->name;
 #endif
 
 /* Make sure DNS options are set as required. This appears to be necessary in
@@ -1966,10 +1969,10 @@ lookups here (except when testing standalone). */
   #ifdef STAND_ALONE
   if (disable_ipv6)
   #else
-  if (disable_ipv6 ||
-    (dns_ipv4_lookup != NULL &&
-        match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0, NULL, NULL,
-	  MCL_DOMAIN, TRUE, NULL) == OK))
+  if (  disable_ipv6
+     ||    dns_ipv4_lookup
+	&& match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0,
+	    &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK)
   #endif
 
     { af = AF_INET; times = 1; }
@@ -1979,7 +1982,7 @@ lookups here (except when testing standalone). */
 /* No IPv6 support */
 
 #else   /* HAVE_IPV6 */
-  times = 1;
+  af = AF_INET; times = 1;
 #endif  /* HAVE_IPV6 */
 
 /* Initialize the flag that gets set for DNS syntax check errors, so that the
@@ -2021,7 +2024,7 @@ for (int i = 1; i <= times;
 
   #else    /* not HAVE_IPV6 */
   if (f.running_in_test_harness)
-    hostdata = host_fake_gethostbyname(host->name, AF_INET, &error_num);
+    hostdata = host_fake_gethostbyname(host->name, af, &error_num);
   else
     {
     hostdata = gethostbyname(CS host->name);
@@ -2035,44 +2038,42 @@ for (int i = 1; i <= times;
 
   if (!hostdata)
     {
-    uschar *error;
+    uschar * error;
     switch (error_num)
       {
-      case HOST_NOT_FOUND: error = US"HOST_NOT_FOUND"; break;
-      case TRY_AGAIN:      error = US"TRY_AGAIN"; break;
-      case NO_RECOVERY:    error = US"NO_RECOVERY"; break;
-      case NO_DATA:        error = US"NO_DATA"; break;
+      case HOST_NOT_FOUND: error = US"HOST_NOT_FOUND";	break;
+      case TRY_AGAIN:      error = US"TRY_AGAIN";   temp_error = TRUE; break;
+      case NO_RECOVERY:    error = US"NO_RECOVERY"; temp_error = TRUE; break;
+      case NO_DATA:        error = US"NO_DATA";		break;
     #if NO_DATA != NO_ADDRESS
-      case NO_ADDRESS:     error = US"NO_ADDRESS"; break;
+      case NO_ADDRESS:     error = US"NO_ADDRESS";	break;
     #endif
       default: error = US"?"; break;
       }
 
-    DEBUG(D_host_lookup) debug_printf("%s returned %d (%s)\n",
+    DEBUG(D_host_lookup) debug_printf("%s(af=%s) returned %d (%s)\n",
       f.running_in_test_harness ? "host_fake_gethostbyname" :
-      #if HAVE_IPV6
-        #if HAVE_GETIPNODEBYNAME
-        af == AF_INET6 ? "getipnodebyname(af=inet6)" : "getipnodebyname(af=inet)",
-        #else
-        af == AF_INET6 ? "gethostbyname2(af=inet6)" : "gethostbyname2(af=inet)",
-        #endif
-      #else
-      "gethostbyname",
-      #endif
-      error_num, error);
+#if HAVE_IPV6
+# if HAVE_GETIPNODEBYNAME
+        "getipnodebyname",
+# else
+        "gethostbyname2",
+# endif
+#else
+	"gethostbyname",
+#endif
+      af == AF_INET ? "inet" : "inet6", error_num, error);
 
-    if (error_num == TRY_AGAIN || error_num == NO_RECOVERY) temp_error = TRUE;
     continue;
     }
-  if ((hostdata->h_addr_list)[0] == NULL) continue;
+  if (!(hostdata->h_addr_list)[0]) continue;
 
   /* Replace the name with the fully qualified one if necessary, and fill in
   the fully_qualified_name pointer. */
 
-  if (hostdata->h_name[0] != 0 &&
-      Ustrcmp(host->name, hostdata->h_name) != 0)
+  if (hostdata->h_name[0] && Ustrcmp(host->name, hostdata->h_name) != 0)
     host->name = string_copy_dnsdomain(US hostdata->h_name);
-  if (fully_qualified_name != NULL) *fully_qualified_name = host->name;
+  if (fully_qualified_name) *fully_qualified_name = host->name;
 
   /* Get the list of addresses. IPv4 and IPv6 addresses can be distinguished
   by their different lengths. Scan the list, ignoring any that are to be
@@ -2086,9 +2087,9 @@ for (int i = 1; i <= times;
       host_ntoa(ipv4_addr? AF_INET:AF_INET6, *addrlist, NULL, NULL);
 
     #ifndef STAND_ALONE
-    if (ignore_target_hosts != NULL &&
-        verify_check_this_host(&ignore_target_hosts, NULL, host->name,
-          text_address, NULL) == OK)
+    if (  ignore_target_hosts
+       && verify_check_this_host(&ignore_target_hosts, NULL, host->name,
+	    text_address, NULL) == OK)
       {
       DEBUG(D_host_lookup)
         debug_printf("ignored host %s [%s]\n", host->name, text_address);
@@ -2096,10 +2097,10 @@ for (int i = 1; i <= times;
       }
     #endif
 
-    /* If this is the first address, last == NULL and we put the data in the
+    /* If this is the first address, last is NULL and we put the data in the
     original block. */
 
-    if (last == NULL)
+    if (!last)
       {
       host->address = text_address;
       host->port = PORT_NONE;
@@ -2116,6 +2117,9 @@ for (int i = 1; i <= times;
       {
       host_item *next = store_get(sizeof(host_item), FALSE);
       next->name = host->name;
+#ifndef DISABLE_TLS
+      next->certname = host->certname;
+#endif
       next->mx = host->mx;
       next->address = text_address;
       next->port = PORT_NONE;
@@ -2134,12 +2138,12 @@ for (int i = 1; i <= times;
 NULL. If temp_error is set, at least one of the lookups gave a temporary error,
 so we pass that back. */
 
-if (host->address == NULL)
+if (!host->address)
   {
   uschar *msg =
     #ifndef STAND_ALONE
-    (message_id[0] == 0 && smtp_in != NULL)?
-      string_sprintf("no IP address found for host %s (during %s)", host->name,
+    !message_id[0] && smtp_in
+      ? string_sprintf("no IP address found for host %s (during %s)", host->name,
           smtp_get_connection_info()) :
     #endif
     string_sprintf("no IP address found for host %s", host->name);
@@ -2187,12 +2191,12 @@ dns_again_means_nonexist, return permanent rather than temporary failure. */
 
 RETURN_AGAIN:
   {
-  #ifndef STAND_ALONE
+#ifndef STAND_ALONE
   int rc;
   const uschar *save = deliver_domain;
   deliver_domain = host->name;  /* set $domain */
-  rc = match_isinlist(host->name, CUSS &dns_again_means_nonexist, 0, NULL, NULL,
-    MCL_DOMAIN, TRUE, NULL);
+  rc = match_isinlist(host->name, CUSS &dns_again_means_nonexist, 0,
+    &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
   deliver_domain = save;
   if (rc == OK)
     {
@@ -2200,7 +2204,7 @@ RETURN_AGAIN:
       "returning HOST_FIND_FAILED\n", host->name);
     return HOST_FIND_FAILED;
     }
-  #endif
+#endif
   return HOST_FIND_AGAIN;
   }
 }
@@ -2259,6 +2263,13 @@ BOOL v6_find_again = FALSE;
 BOOL dnssec_fail = FALSE;
 int i;
 
+#ifndef DISABLE_TLS
+/* Copy the host name at this point to the value which is used for
+TLS certificate name checking, before any CNAME-following modifies it.  */
+
+host->certname = host->name;
+#endif
+
 /* If allow_ip is set, a name which is an IP address returns that value
 as its address. This is used for MX records when allow_mx_to_ip is set, for
 those sites that feel they have to flaunt the RFC rules. */
@@ -2285,9 +2296,9 @@ On an IPv4 system, go round the loop once only, looking only for A records. */
   #ifndef STAND_ALONE
     if (  disable_ipv6
        || !(whichrrs & HOST_FIND_BY_AAAA)
-       || (dns_ipv4_lookup
-          && match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0, NULL, NULL,
-	      MCL_DOMAIN, TRUE, NULL) == OK)
+       ||    dns_ipv4_lookup
+          && match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0,
+	      &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK
        )
       i = 0;    /* look up A records only */
     else
@@ -2545,12 +2556,12 @@ int yield;
 dns_answer * dnsa = store_get_dns_answer();
 dns_scan dnss;
 BOOL dnssec_require = dnssec_d
-		    && match_isinlist(host->name, CUSS &dnssec_d->require,
-				    0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK;
+  && match_isinlist(host->name, CUSS &dnssec_d->require,
+		  0, &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK;
 BOOL dnssec_request = dnssec_require
-		    || (  dnssec_d
-		       && match_isinlist(host->name, CUSS &dnssec_d->request,
-				    0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK);
+    || (  dnssec_d
+       && match_isinlist(host->name, CUSS &dnssec_d->request,
+		    0, &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK);
 dnssec_status_t dnssec;
 
 /* Set the default fully qualified name to the incoming name, initialize the
@@ -2615,13 +2626,13 @@ if (whichrrs & HOST_FIND_BY_SRV)
     }
   if (rc == DNS_FAIL || rc == DNS_AGAIN)
     {
-    #ifndef STAND_ALONE
-    if (match_isinlist(host->name, CUSS &srv_fail_domains, 0, NULL, NULL,
-	MCL_DOMAIN, TRUE, NULL) != OK)
-    #endif
+#ifndef STAND_ALONE
+    if (match_isinlist(host->name, CUSS &srv_fail_domains, 0,
+	&domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) != OK)
+#endif
       { yield = HOST_FIND_AGAIN; goto out; }
     DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA "
-      "(domain in srv_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN");
+      "(domain in srv_fail_domains)\n", rc == DNS_FAIL ? "FAIL":"AGAIN");
     }
   }
 
@@ -2667,8 +2678,8 @@ if (rc != DNS_SUCCEED  &&  whichrrs & HOST_FIND_BY_MX)
       DEBUG(D_host_lookup)
 	debug_printf("dnssec fail on MX for %.256s", host->name);
 #ifndef STAND_ALONE
-      if (match_isinlist(host->name, CUSS &mx_fail_domains, 0, NULL, NULL,
-	  MCL_DOMAIN, TRUE, NULL) != OK)
+      if (match_isinlist(host->name, CUSS &mx_fail_domains, 0,
+	  &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) != OK)
 	{ yield = HOST_FIND_SECURITY; goto out; }
 #endif
       rc = DNS_FAIL;
@@ -2677,8 +2688,8 @@ if (rc != DNS_SUCCEED  &&  whichrrs & HOST_FIND_BY_MX)
     case DNS_FAIL:
     case DNS_AGAIN:
 #ifndef STAND_ALONE
-      if (match_isinlist(host->name, CUSS &mx_fail_domains, 0, NULL, NULL,
-	  MCL_DOMAIN, TRUE, NULL) != OK)
+      if (match_isinlist(host->name, CUSS &mx_fail_domains, 0,
+	  &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) != OK)
 #endif
 	{ yield = HOST_FIND_AGAIN; goto out; }
       DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA "
@@ -3179,7 +3190,7 @@ BOOL sec;
 rc = dns_lookup_timerwrap(dnsa, buffer, T_TLSA, &fullname);
 sec = dns_is_secure(dnsa);
 DEBUG(D_transport)
-  debug_printf("TLSA lookup ret %d %sDNSSEC\n", rc, sec ? "" : "not ");
+  debug_printf("TLSA lookup ret %s %sDNSSEC\n", dns_rc_names[rc], sec ? "" : "not ");
 
 switch (rc)
   {