
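--- a/dnscrypt/dnscrypt.c
+++ b/dnscrypt/dnscrypt.c
@@ -784,9 +784,9 @@ dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg)
         fatal_exit("dnsc_apply_cfg: could not load local data");
     }
     env->shared_secrets_cache = slabhash_create(
-        cfg->msg_cache_slabs,
+        cfg->dnscrypt_shared_secret_cache_slabs,
         HASH_DEFAULT_STARTARRAY,
-        4000000,
+        cfg->dnscrypt_shared_secret_cache_size,
         dnsc_shared_secrets_sizefunc,
         dnsc_shared_secrets_compfunc,
         dnsc_shared_secrets_delkeyfunc,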
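Review bot: Neither `cfg->dnscrypt_shared_secret_cache_slabs` nor `cfg->dnscrypt_shared_secret_cache_size` is range-checked before being passed to `slabhash_create`, so this call now relies entirely on the config layer to reject a zero or oversized slab count. A short comment above the call would make that dependency visible, for example `/* slabs and size are operator-supplied; validated in the config parser, not here */`. The call and whatever checks its return value continue outside the hunk, so allocation-failure handling cannot be confirmed from here. The slab count also no longer follows `msg-cache-slabs`, which changes behaviour for configurations that tuned that option.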
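--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1507,6 +1507,17 @@ times.
 .B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
 Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
 This option may be specified multiple times.
+.TP
+.B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
+Give the size of the data structure in which the shared secret keys are kept
+in.  Default 4m.  In bytes or use m(mega), k(kilo), g(giga).
+The shared secret cache is used when a same client is making multiple queries
+using the same public key. It saves substancial amount of CPU.
+.TP
+.B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>
+Give power of 2 number of slabs, this is used to reduce lock contention
+in the dnscrypt shared secrets cache.  Close to the number of cpus is
+a fairly good setting.
 .SS "EDNS Client Subnet Module Options"
 .LP
 The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache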
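--- a/util/config_file.c
+++ b/util/config_file.c
@@ -282,6 +282,8 @@ config_create(void)
 	cfg->dnscrypt_provider = NULL;
 	cfg->dnscrypt_provider_cert = NULL;
 	cfg->dnscrypt_secret_key = NULL;
+	cfg->dnscrypt_shared_secret_cache_size = 4*1024*1024;
+	cfg->dnscrypt_shared_secret_cache_slabs = 4;
 #ifdef USE_IPSECMOD
 	cfg->ipsecmod_enabled = 1;
 	cfg->ipsecmod_ignore_bogus = 0;
@@ -565,6 +567,10 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_STR("dnscrypt-provider:", dnscrypt_provider)
 	else S_STRLIST("dnscrypt-provider-cert:", dnscrypt_provider_cert)
 	else S_STRLIST("dnscrypt-secret-key:", dnscrypt_secret_key)
+	else S_MEMSIZE("dnscrypt-shared-secret-cache-size:",
+		dnscrypt_shared_secret_cache_size)
+	else S_POW2("dnscrypt-shared-secret-cache-slabs:",
+		dnscrypt_shared_secret_cache_slabs)
 #endif
 	else if(strcmp(opt, "ip-ratelimit:") == 0) {
 	    IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
@@ -926,6 +932,10 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_STR(opt, "dnscrypt-provider", dnscrypt_provider)
 	else O_LST(opt, "dnscrypt-provider-cert", dnscrypt_provider_cert)
 	else O_LST(opt, "dnscrypt-secret-key", dnscrypt_secret_key)
+	else O_MEM(opt, "dnscrypt-shared-secret-cache-size",
+		dnscrypt_shared_secret_cache_size)
+	else O_DEC(opt, "dnscrypt-shared-secret-cache-slabs",
+		dnscrypt_shared_secret_cache_slabs)
 #endif
 	else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
 	else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)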
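Review bot: The two new `config_set_option` entries store into `cfg`, but the only consumer visible on this page, `slabhash_create` in `dnsc_apply_cfg`, sizes the cache once, so a value changed through this path presumably does not resize a live cache. A comment next to the `S_MEMSIZE`/`S_POW2` lines such as `/* read once in dnsc_apply_cfg; takes effect when the dnscrypt env is (re)built */` would document that. Separately, `config_get_option` reports the slab count with `O_DEC` while the field is declared `size_t`; the macro's definition is outside this page, so confirm it does not format through a narrower type. Both functions start and end outside the hunks shown.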
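--- a/util/config_file.h
+++ b/util/config_file.h
@@ -464,6 +464,10 @@ struct config_file {
 	struct config_strlist* dnscrypt_secret_key;
 	/** dnscrypt provider certs 1.cert */
 	struct config_strlist* dnscrypt_provider_cert;
+	/** memory size in bytes for dnscrypt shared secrets cache */
+	size_t dnscrypt_shared_secret_cache_size;
+	/** number of slabs for dnscrypt shared secrets cache */
+	size_t dnscrypt_shared_secret_cache_slabs;
 
 	/** IPsec module */
 #ifdef USE_IPSECMOD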
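--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -417,6 +417,10 @@ dnscrypt-port{COLON} { YDVAR(1, VAR_DNSCRYPT_PORT) }
 dnscrypt-provider{COLON}	{ YDVAR(1, VAR_DNSCRYPT_PROVIDER) }
 dnscrypt-secret-key{COLON}	{ YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) }
 dnscrypt-provider-cert{COLON}	{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) }
+dnscrypt-shared-secret-cache-size{COLON}	{
+		YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE) }
+dnscrypt-shared-secret-cache-slabs{COLON}	{
+		YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) }
 ipsecmod-enabled{COLON}		{ YDVAR(1, VAR_IPSECMOD_ENABLED) }
 ipsecmod-ignore-bogus{COLON}	{ YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
 ipsecmod-hook{COLON}		{ YDVAR(1, VAR_IPSECMOD_HOOK) }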
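--- a/util/configparser.y
+++ b/util/configparser.y
@@ -144,6 +144,8 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
 %token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
 %token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
+%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE
+%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS
 %token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
 %token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
 %token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED
@@ -2323,7 +2325,9 @@ contents_dnsc: contents_dnsc content_dnsc
 	| ;
 content_dnsc:
 	dnsc_dnscrypt_enable | dnsc_dnscrypt_port | dnsc_dnscrypt_provider |
-	dnsc_dnscrypt_secret_key | dnsc_dnscrypt_provider_cert
+	dnsc_dnscrypt_secret_key | dnsc_dnscrypt_provider_cert |
+	dnsc_dnscrypt_shared_secret_cache_size |
+    dnsc_dnscrypt_shared_secret_cache_slabs
 	;
 dnsc_dnscrypt_enable: VAR_DNSCRYPT_ENABLE STRING_ARG
 	{
@@ -2366,7 +2370,27 @@ dnsc_dnscrypt_secret_key: VAR_DNSCRYPT_SECRET_KEY STRING_ARG
 			fatal_exit("out of memory adding dnscrypt-secret-key");
 	}
 	;
-
+dnsc_dnscrypt_shared_secret_cache_size: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE STRING_ARG
+  {
+  	OUTYY(("P(dnscrypt_shared_secret_cache_size:%s)\n", $2));
+  	if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_shared_secret_cache_size))
+  		yyerror("memory size expected");
+  	free($2);
+  }
+  ;
+dnsc_dnscrypt_shared_secret_cache_slabs: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS STRING_ARG
+  {
+  	OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", $2));
+  	if(atoi($2) == 0)
+  		yyerror("number expected");
+  	else {
+  		cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = atoi($2);
+  		if(!is_pow2(cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs))
+  			yyerror("must be a power of 2");
+  	}
+  	free($2);
+  }
+  ;
 cachedbstart: VAR_CACHEDB
 	{
 		OUTYY(("\nP(cachedb:)\n"));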
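Review bot: In the `dnsc_dnscrypt_shared_secret_cache_slabs` action, `atoi($2)` both validates and converts, so a value with trailing characters (a constructed example: `8x`) is accepted as 8, and a negative number becomes a very large `size_t` when assigned to the field. The value is also stored in `cfg` before `is_pow2` runs, so a rejected value stays in the config structure. No upper bound is applied, so any power of two that passes is later handed to `slabhash_create` as the slab count. Parsing once with `strtol`, rejecting trailing characters and non-positive values, and assigning only after the power-of-two check would close these gaps; a project-chosen maximum could be added to the same condition.

```yacc
dnsc_dnscrypt_shared_secret_cache_slabs: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS STRING_ARG
  {
  	char* end = NULL;
  	long slabs = strtol($2, &end, 10);
  	/* … unchanged: OUTYY trace of the option … */
  	if(end == $2 || *end != 0 || slabs <= 0)
  		yyerror("number expected");
  	else if(!is_pow2((size_t)slabs))
  		yyerror("must be a power of 2");
  	else
  		cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = (size_t)slabs;
  	free($2);
  }
```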
