Use hostname, not reverse DNS, for address comparison.

This changes XrdSecgsi to prefer to use the hostname for the purpose of matching a certificate to a hostname (as opposed to the prior behavior of a reverse DNS lookup). Relying on reverse DNS is considered insecure; note that all the other security mechanisms use the hostname. With the SAN changes allowing multiple potential patterns in the certificate, admins should be able to handle all the potential use cases.
xrootd · Jun 3, 2018 · 47eb688 · 47eb688
1 parent cd8762f
commit 47eb688
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.cc b/src/XrdSecgsi/XrdSecProtocolgsi.cc
@@ -48,6 +48,7 @@
 #include "XrdOuc/XrdOucStream.hh"
 #include "XrdOuc/XrdOucEnv.hh"
 
+#include "XrdNet/XrdNetAddr.hh"
 #include "XrdSut/XrdSutAux.hh"
 
 #include "XrdCrypto/XrdCryptoMsgDigest.hh"
@@ -293,7 +294,15 @@ XrdSecProtocolgsi::XrdSecProtocolgsi(int opts, const char *hname,
    }
 
    // Set host name and address
-      Entity.host = strdup(endPoint.Name("*unknown*"));
+   // The hostname is critical for the GSI protocol; it must match the potential
+   // names on the remote EEC.  However, as we may have been redirected to an IP
+   // address instead of an actual hostname, we must fallback to a reverse DNS lookup.
+      XrdNetAddr testAddr;
+      if (!hname || testAddr.Set(hname) == NULL) {
+         Entity.host = strdup(endPoint.Name(""));
+      } else {
+         Entity.host = strdup(hname);
+      }
       epAddr = endPoint;
       Entity.addrInfo = &epAddr;