From a17400b45eb156e62cb36615e21756c738841cc3 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Thu, 31 Aug 2017 11:58:29 +0000
Subject: [PATCH] dnscrypt cache size configuration option.

git-svn-id: file:///svn/unbound/trunk@4328 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 dnscrypt/dnscrypt.c | 4 ++--
 doc/Changelog | 2 +-
 doc/unbound.conf.5.in | 11 +++++++++++
 util/config_file.c | 10 ++++++++++
 util/config_file.h | 4 ++++
 util/configlexer.lex | 4 ++++
 util/configparser.y | 28 ++++++++++++++++++++++++++--
 7 files changed, 58 insertions(+), 5 deletions(-)

diff --git a/dnscrypt/dnscrypt.c b/dnscrypt/dnscrypt.c
index bc4a70bd7..db054df9d 100644
--- a/dnscrypt/dnscrypt.c
+++ b/dnscrypt/dnscrypt.c
@@ -791,9 +791,9 @@ dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg)
 fatal_exit("dnsc_apply_cfg: could not load local data");
 }
 env->shared_secrets_cache = slabhash_create(
- cfg->msg_cache_slabs,
+ cfg->dnscrypt_shared_secret_cache_slabs,
 HASH_DEFAULT_STARTARRAY,
- 4000000,
+ cfg->dnscrypt_shared_secret_cache_size,
 dnsc_shared_secrets_sizefunc,
 dnsc_shared_secrets_compfunc,
 dnsc_shared_secrets_delkeyfunc,
diff --git a/doc/Changelog b/doc/Changelog
index 939c39d7a..1019c2c36 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -3,7 +3,7 @@
 - For #1417: escape ; in dnscrypt tests. - but reverted that, tests fails with that escape. - Fix #1417: [dnscrypt] shared secret cache counters, and works when - dnscrypt is not enabled. + dnscrypt is not enabled. And cache size configuration option. - make depend 30 August 2017: Wouter
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 0a3350bf0..02b9f8b63 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
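Review bot: The value assigned to `env->shared_secrets_cache` is not checked anywhere in this hunk, and both the `slabhash_create` call and the rest of dnsc_apply_cfg continue past the hunk's last line. slabhash_create returns NULL when it cannot allocate, and with this change the slab count and byte budget behind that allocation come from operator configuration rather than fixed literals, so the failure path is now reachable by configuration alone. If no check follows, `if(!env->shared_secrets_cache) fatal_exit("dnsc_apply_cfg: could not create shared secrets cache");` would match the fatal_exit style used for the local-data failure at the top of the hunk; if one already exists further down, nothing more is needed here.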
@@ -1507,6 +1507,17 @@ times.
 .B dnscrypt\-provider\-cert: \fI\fR
 Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
 This option may be specified multiple times.
+.TP
+.B dnscrypt\-shared\-secret\-cache\-size: \fI
+Give the size of the data structure in which the shared secret keys are kept
+in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
+The shared secret cache is used when a same client is making multiple queries
+using the same public key. It saves a substantial amount of CPU.
+.TP
+.B dnscrypt\-shared\-secret\-cache\-slabs: \fI
+Give power of 2 number of slabs, this is used to reduce lock contention
+in the dnscrypt shared secrets cache. Close to the number of cpus is
+a fairly good setting.
 .SS "EDNS Client Subnet Module Options"
 .LP
 The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
diff --git a/util/config_file.c b/util/config_file.c
index 225cb75e5..796c1a61f 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -282,6 +282,8 @@ config_create(void)
 cfg->dnscrypt_provider = NULL;
 cfg->dnscrypt_provider_cert = NULL;
 cfg->dnscrypt_secret_key = NULL;
+ cfg->dnscrypt_shared_secret_cache_size = 4*1024*1024;
+ cfg->dnscrypt_shared_secret_cache_slabs = 4;
 #ifdef USE_IPSECMOD
 cfg->ipsecmod_enabled = 1;
 cfg->ipsecmod_ignore_bogus = 0;
@@ -565,6 +567,10 @@ int config_set_option(struct config_file* cfg, const char* opt,
 else S_STR("dnscrypt-provider:", dnscrypt_provider)
 else S_STRLIST("dnscrypt-provider-cert:", dnscrypt_provider_cert)
 else S_STRLIST("dnscrypt-secret-key:", dnscrypt_secret_key)
+ else S_MEMSIZE("dnscrypt-shared-secret-cache-size:",
+ dnscrypt_shared_secret_cache_size)
+ else S_POW2("dnscrypt-shared-secret-cache-slabs:",
+ dnscrypt_shared_secret_cache_slabs)
 #endif
 else if(strcmp(opt, "ip-ratelimit:") == 0) {
 IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
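Review bot: The runtime set_option path for `dnscrypt-shared-secret-cache-slabs:` relies on `S_POW2` alone, whereas the grammar action for the same option in configparser.y first rejects a value of 0 with "number expected" and only then applies is_pow2; whether `S_POW2` itself refuses 0 is not visible in this hunk. If it does not, a zero slab count set over the control channel reaches `slabhash_create` in dnsc_apply_cfg with no equivalent guard, so either confirm the macro rejects it or add `else if(strcmp(opt, "dnscrypt-shared-secret-cache-slabs:") == 0 && atoi(val) == 0) return 0;` ahead of the S_POW2 line so both entry points agree. config_set_option begins and ends outside the hunk.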
@@ -926,6 +932,10 @@ config_get_option(struct config_file* cfg, const char* opt,
 else O_STR(opt, "dnscrypt-provider", dnscrypt_provider)
 else O_LST(opt, "dnscrypt-provider-cert", dnscrypt_provider_cert)
 else O_LST(opt, "dnscrypt-secret-key", dnscrypt_secret_key)
+ else O_MEM(opt, "dnscrypt-shared-secret-cache-size",
+ dnscrypt_shared_secret_cache_size)
+ else O_DEC(opt, "dnscrypt-shared-secret-cache-slabs",
+ dnscrypt_shared_secret_cache_slabs)
 #endif
 else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
 else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
diff --git a/util/config_file.h b/util/config_file.h
index a36d0582c..fdc48111e 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -464,6 +464,10 @@ struct config_file {
 struct config_strlist* dnscrypt_secret_key;
 /** dnscrypt provider certs 1.cert */
 struct config_strlist* dnscrypt_provider_cert;
+ /** memory size in bytes for dnscrypt shared secrets cache */
+ size_t dnscrypt_shared_secret_cache_size;
+ /** number of slabs for dnscrypt shared secrets cache */
+ size_t dnscrypt_shared_secret_cache_slabs;
 
 /** IPsec module */
 #ifdef USE_IPSECMOD
diff --git a/util/configlexer.lex b/util/configlexer.lex
index 44b5d168b..0c9a4df04 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -417,6 +417,10 @@ dnscrypt-port{COLON} { YDVAR(1, VAR_DNSCRYPT_PORT) }
 dnscrypt-provider{COLON} { YDVAR(1, VAR_DNSCRYPT_PROVIDER) }
 dnscrypt-secret-key{COLON} { YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) }
 dnscrypt-provider-cert{COLON} { YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) }
+dnscrypt-shared-secret-cache-size{COLON} {
+ YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE) }
+dnscrypt-shared-secret-cache-slabs{COLON} {
+ YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) }
 ipsecmod-enabled{COLON} { YDVAR(1, VAR_IPSECMOD_ENABLED) }
 ipsecmod-ignore-bogus{COLON} { YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
 ipsecmod-hook{COLON} { YDVAR(1, VAR_IPSECMOD_HOOK) }
diff --git a/util/configparser.y b/util/configparser.y
index a95d6e070..7b41b1d76 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -144,6 +144,8 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
 %token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
 %token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
+%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE
+%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS
 %token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
 %token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
 %token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED
@@ -2323,7 +2325,9 @@ contents_dnsc: contents_dnsc content_dnsc
 | ;
 content_dnsc: dnsc_dnscrypt_enable | dnsc_dnscrypt_port |
 dnsc_dnscrypt_provider |
- dnsc_dnscrypt_secret_key | dnsc_dnscrypt_provider_cert
+ dnsc_dnscrypt_secret_key | dnsc_dnscrypt_provider_cert |
+ dnsc_dnscrypt_shared_secret_cache_size |
+ dnsc_dnscrypt_shared_secret_cache_slabs
 ;
 dnsc_dnscrypt_enable: VAR_DNSCRYPT_ENABLE STRING_ARG
 {
@@ -2366,7 +2370,27 @@ dnsc_dnscrypt_secret_key: VAR_DNSCRYPT_SECRET_KEY STRING_ARG
 fatal_exit("out of memory adding dnscrypt-secret-key");
 }
 ;
-
+dnsc_dnscrypt_shared_secret_cache_size: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE STRING_ARG
+ {
+ OUTYY(("P(dnscrypt_shared_secret_cache_size:%s)\n", $2));
+ if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_shared_secret_cache_size))
+ yyerror("memory size expected");
+ free($2);
+ }
+ ;
+dnsc_dnscrypt_shared_secret_cache_slabs: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS STRING_ARG
+ {
+ OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", $2));
+ if(atoi($2) == 0)
+ yyerror("number expected");
+ else {
+ cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = atoi($2);
+ if(!is_pow2(cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs))
+ yyerror("must be a power of 2");
+ }
+ free($2);
+ }
+ ;
 cachedbstart: VAR_CACHEDB
 {
 OUTYY(("\nP(cachedb:)\n"));
-- 
2.47.3
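Review bot: The slabs action parses `$2` with atoi, which accepts trailing characters (a value such as `4x` passes as 4), gives an unspecified result on overflow, and is evaluated twice, once for the zero test and once for the assignment. Parsing once with strtol and an end-pointer check rejects empty, malformed and non-positive input in a single pass and still feeds the existing is_pow2 test; any overflow is then caught by that test, since LONG_MAX cast to size_t is not a power of two. This may simply mirror how the older slab options in this file are parsed, which lies outside the hunk, so if atoi is kept for consistency, at least parse into a local once rather than calling it twice. The size action above it is fine as written because cfg_parse_memsize reports failure.
```c
dnsc_dnscrypt_shared_secret_cache_slabs: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS STRING_ARG
	{
		char* end = NULL;
		long slabs = strtol($2, &end, 10);
		OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", $2));
		/* one parse: reject empty input, trailing garbage and values <= 0 */
		if(end == $2 || *end != '\0' || slabs <= 0)
			yyerror("number expected");
		else {
			cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = (size_t)slabs;
			/* … unchanged: is_pow2 check and its yyerror … */
		}
		/* … unchanged: free($2) … */
	}
```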