X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Fhost.c;h=03d944334d563a074062ac46b43076c43f579dc1;hb=1f4a55daf88541563ceaa66959acb9127604b15a;hp=18821035c5e73a7cd268b3f1e307d3b5530a3c80;hpb=8ad076b280659245702f943b00188589820aafeb;p=user%2Fhenk%2Fcode%2Fexim.git

diff --git a/src/src/host.c b/src/src/host.c
index 18821035c..03d944334 100644
--- a/src/src/host.c
+++ b/src/src/host.c
@@ -1,10 +1,8 @@
-/* $Cambridge: exim/src/src/host.c,v 1.29 2007/10/18 12:01:00 nm4 Exp $ */
-
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
-/* Copyright (c) University of Cambridge 1995 - 2007 */
+/* Copyright (c) University of Cambridge 1995 - 2012 */
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* Functions for finding hosts, either by gethostbyname(), gethostbyaddr(), or
@@ -70,6 +68,9 @@ sprintf(addr, "%d.%d.%d.%d",
 very good for the uses to which it is put. When running the regression tests,
 start with a fixed seed.
 
+If you need better, see vaguely_random_number() which is potentially stronger,
+if a crypto library is available, but might end up just calling this instead.
+
 Arguments:
   limit:    one more than the largest number required
 
@@ -79,6 +80,8 @@ Returns:    a pseudo-random number in the range 0 to limit-1
 int
 random_number(int limit)
 {
+if (limit < 1)
+  return 0;
 if (random_seed == 0)
   {
   if (running_in_test_harness) random_seed = 42; else
@@ -1594,7 +1597,7 @@ dns_record *rr;
 dns_answer dnsa;
 dns_scan dnss;
 
-host_lookup_deferred = host_lookup_failed = FALSE;
+sender_host_dnssec = host_lookup_deferred = host_lookup_failed = FALSE;
 
 HDEBUG(D_host_lookup)
   debug_printf("looking up host name for %s\n", sender_host_address);
@@ -1636,6 +1639,13 @@ while ((ordername = string_nextinlist(&list, &sep, buffer, sizeof(buffer)))
       int count = 0;
       int old_pool = store_pool;
 
+      /* Ideally we'd check DNSSEC both forward and reverse, but we use the
+      gethost* routines for forward, so can't do that unless/until we rewrite. */
+      sender_host_dnssec = dns_is_secure(&dnsa);
+      DEBUG(D_dns)
+        debug_printf("Reverse DNS security status: %s\n",
+            sender_host_dnssec ? "DNSSEC verified (AD)" : "unverified");
+
       store_pool = POOL_PERM;        /* Save names in permanent storage */
 
       for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);