Merge pull request #731 from bbockelm/reverse_dns_gsi_v3
Use DNS lookups to expand non-FQDNs
gganis committed Jun 14, 2018
2 parents caba6ea + 6d714ef commit 9aa9dad
Showing 2 changed files with 53 additions and 4 deletions.
52 changes: 49 additions & 3 deletions src/XrdSecgsi/XrdSecProtocolgsi.cc
Expand Up @@ -41,6 +41,7 @@

#include "XrdVersion.hh"

#include "XrdNet/XrdNetAddr.hh"
#include "XrdSys/XrdSysHeaders.hh"
#include "XrdSys/XrdSysLogger.hh"
#include "XrdSys/XrdSysError.hh"
Expand Down Expand Up @@ -163,6 +164,7 @@ XrdSecgsiAuthz_t XrdSecProtocolgsi::VOMSFun = 0;
int XrdSecProtocolgsi::VOMSCertFmt = -1;
int XrdSecProtocolgsi::MonInfoOpt = 0;
bool XrdSecProtocolgsi::HashCompatibility = 1;
bool XrdSecProtocolgsi::TrustDNS = true;
//
// Crypto related info
int XrdSecProtocolgsi::ncrypt = 0; // Number of factories
Expand Down Expand Up @@ -301,13 +303,43 @@ XrdSecProtocolgsi::XrdSecProtocolgsi(int opts, const char *hname,
// As of time of testing (June 2018), EOS will redirect to an IP address to handle
// metadata commands and rely on the reverse DNS lookup for GSI security to function.
// Hence, this fallback likely needs to be kept for some time.
//
// We provide servers a switch and clients an environment variable to override all
// usage of DNS (processed on XrdSecProtocolgsiInit).
// Default is to fallback to DNS lookups in limited
// cases for backward compatibility.
if (TrustDNS) {
if (!hname || !XrdNetAddrInfo::isHostName(hname)) {
Entity.host = strdup(endPoint.Name(""));
} else {
Entity.host = strdup(hname);
// At this point, hname still may possibly be a non-qualified domain name.
// If there is a '.' character, then we assume it is a qualified domain name --
// otherwise, we use DNS.
//
// NOTE: We can definitively test whether this is a qualified domain name by
// simply appending a '.' to `hname` and performing a lookup. However, this
// causes DNS to be used by every lookup - meaning we rely on the security
// of DNS for all cases; we want to avoid this.
if (strchr(hname, '.')) {
// We have a valid hostname; proceed.
Entity.host = strdup(hname);
} else {
XrdNetAddr xrd_addr;
char canonname[256];
if (!xrd_addr.Set(hname) || (xrd_addr.Format(canonname, 256, XrdNetAddrInfo::fmtName, XrdNetAddrInfo::noPort) <= 0)) {
Entity.host = strdup(hname);
} else {
Entity.host = strdup(canonname);
}
}
}
epAddr = endPoint;
Entity.addrInfo = &epAddr;
} else {
// We have been told via environment variable to not trust DNS; use the exact
// hostname provided by the user.
Entity.host = strdup(hname);
}
epAddr = endPoint;
Entity.addrInfo = &epAddr;

// Init session variables
sessionCF = 0;
Expand Down Expand Up @@ -2251,6 +2283,11 @@ void gsiOptions::Print(XrdOucTrace *t)
POPTS(t, " Crypto modules: "<< (clist ? clist : XrdSecProtocolgsi::DefCrypto));
POPTS(t, " Ciphers: "<< (cipher ? cipher : XrdSecProtocolgsi::DefCipher));
POPTS(t, " MDigests: "<< (md ? md : XrdSecProtocolgsi::DefMD));
if (trustdns) {
POPTS(t, " Trusting DNS for hostname checking");
} else {
POPTS(t, " Untrusting DNS for hostname checking");
}
POPTS(t, "*** ------------------------------------------------------------ ***");
}

Expand Down Expand Up @@ -2424,6 +2461,10 @@ char *XrdSecProtocolgsiInit(const char mode,
if (cenv)
opts.hashcomp = 0;

// DNS trusting control
if ((cenv = getenv("XrdSecGSITRUSTDNS")))
opts.trustdns = (!strcmp(cenv, "0")) ? false : true;

//
// Setup the object with the chosen options
rc = XrdSecProtocolgsi::Init(opts,erp);
Expand Down Expand Up @@ -2490,6 +2531,7 @@ char *XrdSecProtocolgsiInit(const char mode,
// [-vomsfun:<voms_function>]
// [-vomsfunparms:<voms_function_init_parameters>]
// [-defaulthash]
// [-trustdns:<0|1>]
//
int debug = -1;
String clist = "";
Expand Down Expand Up @@ -2519,6 +2561,7 @@ char *XrdSecProtocolgsiInit(const char mode,
int vomsat = 1;
int moninfo = 0;
int hashcomp = 1;
int trustdns = 1;
char *op = 0;
while (inParms.GetLine()) {
while ((op = inParms.GetToken())) {
Expand Down Expand Up @@ -2582,6 +2625,8 @@ char *XrdSecProtocolgsiInit(const char mode,
moninfo = atoi(op+9);
} else if (!strcmp(op, "-defaulthash")) {
hashcomp = 0;
} else if (!strncmp(op, "-trustdns:",10)) {
trustdns = atoi(op+10);
} else {
PRINT("ignoring unknown switch: "<<op);
}
Expand All @@ -2603,6 +2648,7 @@ char *XrdSecProtocolgsiInit(const char mode,
opts.vomsat = vomsat;
opts.moninfo = moninfo;
opts.hashcomp = hashcomp;
opts.trustdns = (trustdns <= 0) ? false : true;
if (clist.length() > 0)
opts.clist = (char *)clist.c_str();
if (certdir.length() > 0)
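Review bot: The untrusted-DNS `else` branch calls `strdup(hname)` without the null guard the trusting path applies at `if (!hname || !XrdNetAddrInfo::isHostName(hname))`, so a caller that constructs the protocol with a null hname while `XrdSecGSITRUSTDNS=0` is set dereferences null inside strdup. Guard it without reintroducing a resolver call (endPoint.Name("") is the DNS fallback this branch exists to avoid), e.g. `Entity.host = hname ? strdup(hname) : 0;`, and confirm that whatever later consumes Entity.host rejects a null host rather than assuming it is set — that consumer is outside this hunk. At `char canonname[256];` a short comment would help the next reader see that this is the one path where DNS integrity is load-bearing: `// canonname is resolver-supplied; the host-name checks that follow presumably trust it.` The enclosing constructor XrdSecProtocolgsi::XrdSecProtocolgsi begins and ends outside the hunk.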
5 changes: 4 additions & 1 deletion src/XrdSecgsi/XrdSecProtocolgsi.hh
Expand Up @@ -200,6 +200,8 @@ public:
int moninfo; // [s] 0 do not look for; 1 use DN as default
int hashcomp; // [cs] 1 send hash names with both algorithms; 0 send only the default [1]

bool trustdns; // [cs] 'true' if DNS is trusted [true]

gsiOptions() { debug = -1; mode = 's'; clist = 0;
certdir = 0; crldir = 0; crlext = 0; cert = 0; key = 0;
cipher = 0; md = 0; ca = 1 ; crl = 1; crlrefresh = 86400;
Expand All @@ -208,7 +210,7 @@ public:
gmapfun = 0; gmapfunparms = 0; authzfun = 0; authzfunparms = 0; authzto = -1;
ogmap = 1; dlgpxy = 0; sigpxy = 1; srvnames = 0;
exppxy = 0; authzpxy = 0;
vomsat = 1; vomsfun = 0; vomsfunparms = 0; moninfo = 0; hashcomp = 1; }
vomsat = 1; vomsfun = 0; vomsfunparms = 0; moninfo = 0; hashcomp = 1; trustdns = true; }
virtual ~gsiOptions() { } // Cleanup inside XrdSecProtocolgsiInit
void Print(XrdOucTrace *t); // Print summary of gsi option status
};
Expand Down Expand Up @@ -341,6 +343,7 @@ private:
static int VOMSCertFmt;
static int MonInfoOpt;
static bool HashCompatibility;
static bool TrustDNS;
//
// Crypto related info
static int ncrypt; // Number of factories
