From 29b6e8b053d21f0a1e722e1c3be38371e7efaf10 Mon Sep 17 00:00:00 2001 From: manuel Date: Thu, 10 Aug 2023 01:10:02 +0200 Subject: add support for querying DNSSEC ad (validated) flag also migrate from deprecated resolver functions --- dns.c | 44 ++++++++++++++++++++++++++------------------ dns.h | 12 +++++++----- dnscname.c | 1 - dnsfq.c | 2 +- dnsip.c | 1 - dnsmxip.c | 4 +++- dnsptr.c | 1 - dnstlsa.c | 3 ++- ipalloc.h | 13 ++++++------- qmail-smtpd.c | 1 - 10 files changed, 45 insertions(+), 37 deletions(-) diff --git a/dns.c b/dns.c index b4d106c..d43e946 100644 --- a/dns.c +++ b/dns.c @@ -5,8 +5,6 @@ #include #include #include -extern int res_query(); -extern int res_search(); #include "ip.h" #include "ipalloc.h" #include "fmt.h" @@ -24,7 +22,6 @@ static int responsebuflen = 0; static int responselen; static unsigned char *responseend; static unsigned char *responsepos; -static u_long saveresoptions; static int numanswers; static char name[MAXDNAME]; @@ -33,16 +30,21 @@ unsigned short pref; static stralloc glue = {0}; -static int (*lookup)() = res_query; +static struct __res_state dns_res_state; +static unsigned short dns_res_ad_flag = 0; -static int resolve(domain,type) -stralloc *domain; -int type; +static int (*lookup)(res_state statep, const char *dname, int class, int type, unsigned char *answer, int anslen) = res_nquery; + +static int resolve(stralloc *domain, int type) { int n; int i; errno = 0; + + if ((dns_res_state.options & RES_INIT) == 0 && res_ninit(&dns_res_state) < 0) + return DNS_MEM; + if (!stralloc_copy(&glue,domain)) return DNS_MEM; if (!stralloc_0(&glue)) return DNS_MEM; if (!responsebuflen) @@ -50,7 +52,8 @@ int type; responsebuflen = PACKETSZ+1; else return DNS_MEM; - responselen = lookup(glue.s,C_IN,type,response.buf,responsebuflen); + dns_res_ad_flag = 0; + responselen = lookup(&dns_res_state, glue.s, C_IN, type, response.buf, responsebuflen); if ((responselen >= responsebuflen) || (responselen > 0 && (((HEADER *)response.buf)->tc))) { 
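Review bot: The lazily initialised resolver state in resolve() never asks the upstream for DNSSEC, so the `ad` bit read from the response header later in this file will normally be absent: per RFC 6840 §5.7 a validating resolver only sets AD in an answer when the query carried the DO or AD bit, and res_nquery sends neither unless the corresponding options are set. After the `res_ninit` success path add `dns_res_state.options |= RES_USE_EDNS0 | RES_USE_DNSSEC;` so the DO bit goes out with every query; as far as I recall, glibc 2.31 and later additionally clear AD from answers unless `options trust-ad` (RES_TRUSTAD) is configured in resolv.conf, which deserves a comment above `static struct __res_state dns_res_state;`. EDNS0 also raises the advertised UDP payload size, so the existing truncation-then-RES_USEVC retry remains the right fallback. resolve() continues past this hunk.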
@@ -58,10 +61,10 @@ int type; if (alloc_re(&response.buf, responsebuflen, 65536)) responsebuflen = 65536; else return DNS_MEM; - saveresoptions = _res.options; - _res.options |= RES_USEVC; - responselen = lookup(glue.s,C_IN,type,response.buf,responsebuflen); - _res.options = saveresoptions; + u_long saveresoptions = dns_res_state.options; + dns_res_state.options |= RES_USEVC; + responselen = lookup(&dns_res_state, glue.s, C_IN, type, response.buf, responsebuflen); + dns_res_state.options = saveresoptions; } if (responselen <= 0) { @@ -82,9 +85,15 @@ int type; responsepos += QFIXEDSZ; } numanswers = ntohs(((HEADER *)response.buf)->ancount); + dns_res_ad_flag = ((HEADER *)response.buf)->ad; return 0; } +short dns_last_query_validated() +{ + return dns_res_ad_flag; +} + static int findname(wanttype) int wanttype; { @@ -194,11 +203,9 @@ int wanttype; return 0; } -void dns_init(flagsearch) -int flagsearch; +void dns_use_search(int use_search) { - res_init(); - if (flagsearch) lookup = res_search; + lookup = (use_search) ? res_nsearch : res_nquery; } int dns_cname(sa) @@ -308,13 +315,14 @@ int pref; ix.pref = pref; if (r == DNS_SOFT) return DNS_SOFT; if (r == 1) { -#ifdef IX_FQDN +#ifdef TLS ix.fqdn = glue.s; + ix.validated = dns_last_query_validated(); #endif if (!ipalloc_append(ia,&ix)) return DNS_MEM; } } -#ifdef IX_FQDN +#ifdef TLS glue.s = 0; #endif return 0; diff --git a/dns.h b/dns.h index 08534a2..615162d 100644 --- a/dns.h +++ b/dns.h @@ -2,16 +2,18 @@ #define DNS_H #include "stralloc.h" +#include "ipalloc.h" #define DNS_SOFT -1 #define DNS_HARD -2 #define DNS_MEM -3 -void dns_init(); -int dns_cname(); -int dns_mxip(); -int dns_ip(); -int dns_ptr(); +short dns_last_query_validated(); +void dns_use_search(int use_search); +int dns_cname(stralloc *sa); +int dns_mxip(ipalloc *ia, stralloc *sa, unsigned long random); +int dns_ip(ipalloc *ia, stralloc *sa); +int dns_ptr(stralloc *sa, struct ip_address *ip); int dns_tlsa(stralloc *out, const stralloc *fqdn); #endif 
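Review bot: `dns_res_ad_flag = ((HEADER *)response.buf)->ad;` copies the AD bit straight from the wire, but that bit is only an assertion by whichever server answered: a recursive resolver reached over plain UDP can have it forged by an on-path party, and a non-validating resolver never sets it, so the flag is trustworthy only when the nameserver in resolv.conf validates and is local or reached over an authenticated channel. `dns_last_query_validated()` needs a header comment stating that precondition, e.g. `/* AD bit of the last response; meaningful only if the configured resolver validates DNSSEC and is reached over a trusted path. */`. In dns_mxip the assignment `ix.validated = dns_last_query_validated();` sits after the per-host address lookup inside the loop (the loop start is outside the hunk), so as far as I can tell it records the status of the address query rather than of the MX RRset; for DANE (RFC 7672) the MX lookup itself must also be secure, so the MX response's AD bit should be captured before the loop and combined with the per-host result. The new prototype `short dns_last_query_validated();` in dns.h should be `short dns_last_query_validated(void);` to match the other prototypes this commit introduces there.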
diff --git a/dnscname.c b/dnscname.c index 37a95c5..16e6553 100644 --- a/dnscname.c +++ b/dnscname.c @@ -17,7 +17,6 @@ char **argv; if (!stralloc_copys(&sa,argv[1])) { substdio_putsflush(subfderr,"out of memory\n"); _exit(111); } - dns_init(0); dnsdoe(dns_cname(&sa)); substdio_putflush(subfdout,sa.s,sa.len); substdio_putsflush(subfdout,"\n"); diff --git a/dnsfq.c b/dnsfq.c index b7619b9..e93a9c6 100644 --- a/dnsfq.c +++ b/dnsfq.c @@ -19,7 +19,7 @@ char **argv; if (!stralloc_copys(&sa,argv[1])) { substdio_putsflush(subfderr,"out of memory\n"); _exit(111); } - dns_init(1); + dns_use_search(1); dnsdoe(dns_ip(&ia,&sa)); if (ia.len <= 0) { diff --git a/dnsip.c b/dnsip.c index e7b671c..81f02f7 100644 --- a/dnsip.c +++ b/dnsip.c @@ -23,7 +23,6 @@ char **argv; if (!stralloc_copys(&sa,argv[1])) { substdio_putsflush(subfderr,"out of memory\n"); _exit(111); } - dns_init(0); dnsdoe(dns_ip(&ia,&sa)); for (j = 0;j < ia.len;++j) { diff --git a/dnsmxip.c b/dnsmxip.c index de40aa5..a58d6b3 100644 --- a/dnsmxip.c +++ b/dnsmxip.c @@ -28,13 +28,15 @@ char **argv; { substdio_putsflush(subfderr,"out of memory\n"); _exit(111); } r = now() + getpid(); - dns_init(0); dnsdoe(dns_mxip(&ia,&sa,r)); for (j = 0;j < ia.len;++j) { substdio_put(subfdout,temp,ip_fmt(temp,&ia.ix[j].ip)); substdio_puts(subfdout," "); substdio_put(subfdout,temp,fmt_ulong(temp,(unsigned long) ia.ix[j].pref)); +#ifdef TLS + substdio_puts(subfdout,ia.ix[j].validated ? " validated" : ""); +#endif substdio_putsflush(subfdout,"\n"); } _exit(0); diff --git a/dnsptr.c b/dnsptr.c index 6a92fe0..d23bf3a 100644 --- a/dnsptr.c +++ b/dnsptr.c @@ -19,7 +19,6 @@ char **argv; ip_scan(argv[1],&ip); - dns_init(0); dnsdoe(dns_ptr(&sa,&ip)); substdio_putflush(subfdout,sa.s,sa.len); substdio_putsflush(subfdout,"\n"); diff --git a/dnstlsa.c b/dnstlsa.c index ef4235e..2ea99e4 100644 --- a/dnstlsa.c +++ b/dnstlsa.c 
@@ -58,7 +58,6 @@ void main(int argc, char **argv) substdio_putsflush(subfdout, "\n"); } - dns_init(0); dnsdoe(dns_tlsa(&out, &sa)); int pos = 0; @@ -90,6 +89,8 @@ void main(int argc, char **argv) substdio_put(subfdout, "0123456789abcdef" + (ch >> 4), 1); substdio_put(subfdout, "0123456789abcdef" + (ch & 0x0F), 1); } + + substdio_puts(subfdout, dns_last_query_validated() ? " [dnssec validated]" : " [no dnssec validated]"); substdio_putsflush(subfdout, "\n"); pos += rrlen; } diff --git a/ipalloc.h b/ipalloc.h index bf9d060..641c3db 100644 --- a/ipalloc.h +++ b/ipalloc.h @@ -3,15 +3,14 @@ #include "ip.h" +struct ip_mx { + struct ip_address ip; + int pref; #ifdef TLS -# define IX_FQDN 1 -#endif - -#ifdef IX_FQDN -struct ip_mx { struct ip_address ip; int pref; char *fqdn; } ; -#else -struct ip_mx { struct ip_address ip; int pref; } ; + char *fqdn; + unsigned short validated; #endif +}; #include "gen_alloc.h" diff --git a/qmail-smtpd.c b/qmail-smtpd.c index 0d3b16d..c4b498e 100644 --- a/qmail-smtpd.c +++ b/qmail-smtpd.c @@ -522,7 +522,6 @@ int mfcheck() j = byte_rchr(addr.s,addr.len,'@') + 1; if (j < addr.len) { stralloc_copys(&sa, addr.s + j); - dns_init(0); j = dns_mxip(&ia,&sa,random); if (j < 0) return j; } -- cgit v1.2.3
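Review bot: The new `unsigned short validated;` member of `struct ip_mx` in ipalloc.h is only assigned by the dns_mxip path in dns.c; any other code that fills a `struct ip_mx` (not visible here) leaves it uninitialised, and because `ix` is populated member by member rather than from a zeroed struct, a consumer could read a stale or garbage value as "validated". Initialise it explicitly wherever `ix` is built, or document the contract in ipalloc.h: `unsigned short validated; /* nonzero only when the lookup that produced this entry returned AD set; 0 = not validated or unknown */`. In dnstlsa.c the call `dns_last_query_validated()` inside the per-record loop re-reads the same global for every record, so the label describes the last resolve() call rather than each RR; hoist it above the loop, and if dns_tlsa issues more than one query (cannot be seen from here) make sure the flag reflects the TLSA query specifically. The literal " [no dnssec validated]" would read better as " [not dnssec validated]".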