#ifdef ENABLE_GSS_TSIG
::arg().setSwitch("enable-gss-tsig", "Enable GSS TSIG processing") = "no";
+ ::arg().set("gss-max-contexts", "The maximum number of simultaneous GSS contexts allowed") = "1000";
#endif
::arg().setSwitch("views", "Enable views (variants) of zones, for backends which support them") = "no";
#endif
#ifdef ENABLE_GSS_TSIG
g_doGssTSIG = ::arg().mustDo("enable-gss-tsig");
+ if (g_doGssTSIG) {
+ GssContext::s_maxGssContexts = ::arg().asNum("gss-max-contexts");
+ }
#endif
g_views = ::arg().mustDo("views");
g_memberCatalogGroup = ::arg()["member-catalog-group"];
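Review bot: The value of `gss-max-contexts` is stored in the unsigned `GssContext::s_maxGssContexts` with no range check. As far as I know `asNum()` returns a signed int, so a negative setting would wrap to a huge limit and silently disable the cap. A setting of `0` would make every new context hit the `lock->size() == s_maxGssContexts` test and be refused. Since the cap presumably exists to bound the state held for GSS negotiations, I would validate at startup and fail loudly, e.g. `auto maxCtx = ::arg().asNum("gss-max-contexts");` followed by `if (maxCtx < 1) { throw std::runtime_error("gss-max-contexts must be at least 1"); }`. The enclosing function starts and ends outside the hunk.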
#define TSIG_GSS_EXPIRE_INTERVAL 60
+unsigned int GssContext::s_maxGssContexts{1000};
+
class GssCredential : boost::noncopyable
{
public:
else {
// make context
auto lock = s_gss_sec_context.lock();
+ if (lock->size() == s_maxGssContexts) {
+ d_error = GSS_CONTEXT_LIMIT_REACHED;
+ d_gss_errors.push_back("Limit of concurrent GSS contexts reached");
+ return false;
+ }
d_secctx = std::make_shared<LockGuarded<GssSecContext>>(cred);
{
auto ctx = d_secctx->lock();
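Review bot: The cap is tested with `==`, so it only fires when the table holds exactly `s_maxGssContexts` entries. `if (lock->size() >= s_maxGssContexts) {` still holds if the table ever grows past the limit through another insertion path or a limit that is lowered later. The hunk does not show whether expired contexts are purged before this check. If they are not, the table can stay full of stale entries and legitimate peers are refused until those age out (see `TSIG_GSS_EXPIRE_INTERVAL`), so it is worth confirming that expiry runs before the refusal. The rejection is only recorded in `d_gss_errors`; a rate-limited log line or counter at this point would let operators see when the limit is being hit. The enclosing function starts and ends outside the hunk.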
GSS_CONTEXT_NOT_INITIALIZED,
GSS_CONTEXT_INVALID,
GSS_CONTEXT_EXPIRED,
- GSS_CONTEXT_ALREADY_INITIALIZED
+ GSS_CONTEXT_ALREADY_INITIALIZED,
+ GSS_CONTEXT_LIMIT_REACHED,
};
//! GSS context types
GssContextError getError(); //<! Get error
const std::vector<std::string> getErrorStrings() { return d_gss_errors; } //<! Get native error texts
+
+ static unsigned int s_maxGssContexts; //<! Maximum number of simultaneous Gss contexts allowed
+
private:
void release(); //<! Release context
void initialize(); //<! Initialize context