Use DNS lookups to expand non-FQDNs

src/XrdSecgsi/XrdSecProtocolgsi.cc

@@ -41,6 +41,7 @@
 
 #include "XrdVersion.hh"
 
+#include "XrdNet/XrdNetAddr.hh"
 #include "XrdSys/XrdSysHeaders.hh"
 #include "XrdSys/XrdSysLogger.hh"
 #include "XrdSys/XrdSysError.hh"
@@ -162,6 +163,7 @@ XrdSecgsiAuthz_t XrdSecProtocolgsi::VOMSFun = 0;
 int    XrdSecProtocolgsi::VOMSCertFmt = -1;
 int    XrdSecProtocolgsi::MonInfoOpt = 0;
 bool   XrdSecProtocolgsi::HashCompatibility = 1;
+bool   XrdSecProtocolgsi::TrustDNS = true;
 //
 // Crypto related info
 int  XrdSecProtocolgsi::ncrypt    = 0;                 // Number of factories
@@ -300,13 +302,43 @@ XrdSecProtocolgsi::XrdSecProtocolgsi(int opts, const char *hname,
    // As of time of testing (June 2018), EOS will redirect to an IP address to handle
    // metadata commands and rely on the reverse DNS lookup for GSI security to function.
    // Hence, this fallback likely needs to be kept for some time.
+   //
+   // We provide servers a switch and clients an environment variable to override all
+   // usage of DNS (processed on XrdSecProtocolgsiInit).
+   // Default is to fallback to DNS lookups in limited
+   // cases for backward compatibility.
+   if (TrustDNS) {
       if (!hname || !XrdNetAddrInfo::isHostName(hname)) {
          Entity.host = strdup(endPoint.Name(""));
       } else {
-         Entity.host = strdup(hname);
+         // At this point, hname still may possibly be a non-qualified domain name.
+         // If there is a '.' character, then we assume it is a qualified domain name --
+         // otherwise, we use DNS.
+         //
+         // NOTE: We can definitively test whether this is a qualified domain name by
+         // simply appending a '.' to `hname` and performing a lookup.  However, this
+         // causes DNS to be used by every lookup - meaning we rely on the security
+         // of DNS for all cases; we want to avoid this.
+         if (strchr(hname, '.')) {
+             // We have a valid hostname; proceed.
+             Entity.host = strdup(hname);
+         } else {
+             XrdNetAddr xrd_addr;
+             char canonname[256];
+             if (!xrd_addr.Set(hname) || (xrd_addr.Format(canonname, 256, XrdNetAddrInfo::fmtName, XrdNetAddrInfo::noPort) <= 0)) {
+                 Entity.host = strdup(hname);
+             } else {
+                 Entity.host = strdup(canonname);
+             }
+         }
       }
-      epAddr = endPoint;
-      Entity.addrInfo = &epAddr;
+   } else {
+      // We have been told via environment variable to not trust DNS; use the exact
+      // hostname provided by the user.
+      Entity.host = strdup(hname);
+   }
+   epAddr = endPoint;
+   Entity.addrInfo = &epAddr;
 
    // Init session variables
    sessionCF = 0;
@@ -2250,6 +2282,11 @@ void gsiOptions::Print(XrdOucTrace *t)
    POPTS(t, " Crypto modules: "<< (clist ? clist : XrdSecProtocolgsi::DefCrypto));
    POPTS(t, " Ciphers: "<< (cipher ? cipher : XrdSecProtocolgsi::DefCipher));
    POPTS(t, " MDigests: "<< (md ? md : XrdSecProtocolgsi::DefMD));
+   if (trustdns) {
+      POPTS(t, " Trusting DNS for hostname checking");
+   } else {
+      POPTS(t, " Untrusting DNS for hostname checking");
+   }
    POPTS(t, "*** ------------------------------------------------------------ ***");
 }
 
@@ -2423,6 +2460,10 @@ char *XrdSecProtocolgsiInit(const char mode,
       if (cenv)
          opts.hashcomp = 0;
 
+      // DNS trusting control
+      if ((cenv = getenv("XrdSecGSITRUSTDNS")))
+         opts.trustdns = (!strcmp(cenv, "0")) ? false : true;
+
       //
       // Setup the object with the chosen options
       rc = XrdSecProtocolgsi::Init(opts,erp);
@@ -2489,6 +2530,7 @@ char *XrdSecProtocolgsiInit(const char mode,
       //              [-vomsfun:<voms_function>]
       //              [-vomsfunparms:<voms_function_init_parameters>]
       //              [-defaulthash]
+      //              [-trustdns:<0|1>]
       //
       int debug = -1;
       String clist = "";
@@ -2518,6 +2560,7 @@ char *XrdSecProtocolgsiInit(const char mode,
       int vomsat = 1;
       int moninfo = 0;
       int hashcomp = 1;
+      int trustdns = 1;
       char *op = 0;
       while (inParms.GetLine()) { 
          while ((op = inParms.GetToken())) {
@@ -2581,6 +2624,8 @@ char *XrdSecProtocolgsiInit(const char mode,
                moninfo = atoi(op+9);
             } else if (!strcmp(op, "-defaulthash")) {
                hashcomp = 0;
+            } else if (!strncmp(op, "-trustdns:",10)) {
+               trustdns = atoi(op+10);
             } else {
                PRINT("ignoring unknown switch: "<<op);
             }
@@ -2602,6 +2647,7 @@ char *XrdSecProtocolgsiInit(const char mode,
       opts.vomsat = vomsat;
       opts.moninfo = moninfo;
       opts.hashcomp = hashcomp;
+      opts.trustdns = (trustdns <= 0) ? false : true;
       if (clist.length() > 0)
          opts.clist = (char *)clist.c_str();
       if (certdir.length() > 0)

src/XrdSecgsi/XrdSecProtocolgsi.hh

@@ -200,6 +200,8 @@ public:
    int    moninfo; // [s] 0 do not look for; 1 use DN as default
    int    hashcomp; // [cs] 1 send hash names with both algorithms; 0 send only the default [1]
 
+   bool   trustdns; // [cs] 'true' if DNS is trusted [true]
+
    gsiOptions() { debug = -1; mode = 's'; clist = 0; 
                   certdir = 0; crldir = 0; crlext = 0; cert = 0; key = 0;
                   cipher = 0; md = 0; ca = 1 ; crl = 1; crlrefresh = 86400;
@@ -208,7 +210,7 @@ public:
                   gmapfun = 0; gmapfunparms = 0; authzfun = 0; authzfunparms = 0; authzto = -1;
                   ogmap = 1; dlgpxy = 0; sigpxy = 1; srvnames = 0;
                   exppxy = 0; authzpxy = 0;
-                  vomsat = 1; vomsfun = 0; vomsfunparms = 0; moninfo = 0; hashcomp = 1; }
+                  vomsat = 1; vomsfun = 0; vomsfunparms = 0; moninfo = 0; hashcomp = 1; trustdns = true; }
    virtual ~gsiOptions() { } // Cleanup inside XrdSecProtocolgsiInit
    void Print(XrdOucTrace *t); // Print summary of gsi option status
 };
@@ -341,6 +343,7 @@ private:
    static int              VOMSCertFmt; 
    static int              MonInfoOpt;
    static bool             HashCompatibility;
+   static bool             TrustDNS;
    //
    // Crypto related info
    static int              ncrypt;                  // Number of factories