secgsi: improve control of new option 'Trust DNS'
For consistency the environment variable should be called XrdSecGSITRUSTDNS and,
server side, the new option should be controlled by the switch
 -trustdns:[0|1] (default 1).
The switch and the environment variable are both processed in XrdSecProtocolgsiInit().

Signed-off-by: Brian Bockelman <bbockelm@cse.unl.edu>
gganis authored and bbockelm committed Jun 14, 2018
1 parent ef67724 commit 6d714ef
Showing 2 changed files with 24 additions and 5 deletions.
24 changes: 20 additions & 4 deletions src/XrdSecgsi/XrdSecProtocolgsi.cc
Expand Up @@ -163,6 +163,7 @@ XrdSecgsiAuthz_t XrdSecProtocolgsi::VOMSFun = 0;
int XrdSecProtocolgsi::VOMSCertFmt = -1;
int XrdSecProtocolgsi::MonInfoOpt = 0;
bool XrdSecProtocolgsi::HashCompatibility = 1;
bool XrdSecProtocolgsi::TrustDNS = true;
//
// Crypto related info
int XrdSecProtocolgsi::ncrypt = 0; // Number of factories
Expand Down Expand Up @@ -302,10 +303,11 @@ XrdSecProtocolgsi::XrdSecProtocolgsi(int opts, const char *hname,
// metadata commands and rely on the reverse DNS lookup for GSI security to function.
// Hence, this fallback likely needs to be kept for some time.
//
// We allow an environment variable to override all usage of DNS; default is to fallback
// to DNS lookups in limited cases for backward compatibility.
const char *trust_dns = getenv("XrdSecGSITrustDNS");
if (trust_dns == NULL || !strcmp(trust_dns, "1")) {
// We provide servers a switch and clients an environment variable to override all
// usage of DNS (processed on XrdSecProtocolgsiInit).
// Default is to fallback to DNS lookups in limited
// cases for backward compatibility.
if (TrustDNS) {
if (!hname || !XrdNetAddrInfo::isHostName(hname)) {
Entity.host = strdup(endPoint.Name(""));
} else {
Expand Down Expand Up @@ -2280,6 +2282,11 @@ void gsiOptions::Print(XrdOucTrace *t)
POPTS(t, " Crypto modules: "<< (clist ? clist : XrdSecProtocolgsi::DefCrypto));
POPTS(t, " Ciphers: "<< (cipher ? cipher : XrdSecProtocolgsi::DefCipher));
POPTS(t, " MDigests: "<< (md ? md : XrdSecProtocolgsi::DefMD));
if (trustdns) {
POPTS(t, " Trusting DNS for hostname checking");
} else {
POPTS(t, " Untrusting DNS for hostname checking");
}
POPTS(t, "*** ------------------------------------------------------------ ***");
}

Expand Down Expand Up @@ -2453,6 +2460,10 @@ char *XrdSecProtocolgsiInit(const char mode,
if (cenv)
opts.hashcomp = 0;

// DNS trusting control
if ((cenv = getenv("XrdSecGSITRUSTDNS")))
opts.trustdns = (!strcmp(cenv, "0")) ? false : true;

//
// Setup the object with the chosen options
rc = XrdSecProtocolgsi::Init(opts,erp);
Expand Down Expand Up @@ -2519,6 +2530,7 @@ char *XrdSecProtocolgsiInit(const char mode,
// [-vomsfun:<voms_function>]
// [-vomsfunparms:<voms_function_init_parameters>]
// [-defaulthash]
// [-trustdns:<0|1>]
//
int debug = -1;
String clist = "";
Expand Down Expand Up @@ -2548,6 +2560,7 @@ char *XrdSecProtocolgsiInit(const char mode,
int vomsat = 1;
int moninfo = 0;
int hashcomp = 1;
int trustdns = 1;
char *op = 0;
while (inParms.GetLine()) {
while ((op = inParms.GetToken())) {
Expand Down Expand Up @@ -2611,6 +2624,8 @@ char *XrdSecProtocolgsiInit(const char mode,
moninfo = atoi(op+9);
} else if (!strcmp(op, "-defaulthash")) {
hashcomp = 0;
} else if (!strncmp(op, "-trustdns:",10)) {
trustdns = atoi(op+10);
} else {
PRINT("ignoring unknown switch: "<<op);
}
Expand All @@ -2632,6 +2647,7 @@ char *XrdSecProtocolgsiInit(const char mode,
opts.vomsat = vomsat;
opts.moninfo = moninfo;
opts.hashcomp = hashcomp;
opts.trustdns = (trustdns <= 0) ? false : true;
if (clist.length() > 0)
opts.clist = (char *)clist.c_str();
if (certdir.length() > 0)
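Review bot: The parsed `opts.trustdns` never reaches the static `XrdSecProtocolgsi::TrustDNS` that the constructor actually tests at `if (TrustDNS) {`: the diffstat's 20 additions for this file are all visible in these hunks and none of them copies the option over, so unless `XrdSecProtocolgsi::Init` is changed in a hunk not shown, `-trustdns:0` and `XrdSecGSITRUSTDNS=0` are parsed and echoed by `Print()` but DNS stays trusted. The fix is one line in `Init`, next to where `hashcomp` is presumably consumed, `TrustDNS = opts.trustdns;` (using whatever that function names its gsiOptions parameter). The two parsers also disagree on what counts as false: the env path treats anything but the literal `"0"` (including `false` or an empty string) as trusted, while the switch path uses `atoi` and fails closed on garbage, so `opts.trustdns = (atoi(cenv) > 0);` would make both behave the same and err toward not trusting DNS. Because the previous spelling `XrdSecGSITrustDNS` is no longer read, any deployment that had already hardened with it silently reverts to trusting DNS; reading the old name as a fallback for a release would avoid that regression. `XrdSecProtocolgsiInit` begins before and continues past these hunks.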
5 changes: 4 additions & 1 deletion src/XrdSecgsi/XrdSecProtocolgsi.hh
Expand Up @@ -200,6 +200,8 @@ public:
int moninfo; // [s] 0 do not look for; 1 use DN as default
int hashcomp; // [cs] 1 send hash names with both algorithms; 0 send only the default [1]

bool trustdns; // [cs] 'true' if DNS is trusted [true]

gsiOptions() { debug = -1; mode = 's'; clist = 0;
certdir = 0; crldir = 0; crlext = 0; cert = 0; key = 0;
cipher = 0; md = 0; ca = 1 ; crl = 1; crlrefresh = 86400;
Expand All @@ -208,7 +210,7 @@ public:
gmapfun = 0; gmapfunparms = 0; authzfun = 0; authzfunparms = 0; authzto = -1;
ogmap = 1; dlgpxy = 0; sigpxy = 1; srvnames = 0;
exppxy = 0; authzpxy = 0;
vomsat = 1; vomsfun = 0; vomsfunparms = 0; moninfo = 0; hashcomp = 1; }
vomsat = 1; vomsfun = 0; vomsfunparms = 0; moninfo = 0; hashcomp = 1; trustdns = true; }
virtual ~gsiOptions() { } // Cleanup inside XrdSecProtocolgsiInit
void Print(XrdOucTrace *t); // Print summary of gsi option status
};
Expand Down Expand Up @@ -341,6 +343,7 @@ private:
static int VOMSCertFmt;
static int MonInfoOpt;
static bool HashCompatibility;
static bool TrustDNS;
//
// Crypto related info
static int ncrypt; // Number of factories
