update to unbound 1.6.8, testing millert, OK sthen

1 files changed, 32 insertions, 0 deletions

diff --git a/usr.sbin/unbound/dnscrypt/dnscrypt.h b/usr.sbin/unbound/dnscrypt/dnscrypt.h
index dde36d6675d..666f54e62aa 100644
--- a/usr.sbin/unbound/dnscrypt/dnscrypt.h
+++ b/usr.sbin/unbound/dnscrypt/dnscrypt.h
@@ -54,8 +54,10 @@ typedef struct cert_ {
 
 struct dnsc_env {
 	struct SignedCert *signed_certs;
+	struct SignedCert **rotated_certs;
 	dnsccert *certs;
 	size_t signed_certs_count;
+	size_t rotated_certs_count;
 	uint8_t provider_publickey[crypto_sign_ed25519_PUBLICKEYBYTES];
 	uint8_t provider_secretkey[crypto_sign_ed25519_SECRETKEYBYTES];
 	KeyPair *keypairs;
@@ -63,11 +65,20 @@ struct dnsc_env {
 	uint64_t nonce_ts_last;
 	unsigned char hash_key[crypto_shorthash_KEYBYTES];
 	char * provider_name;
+
+    /** Caches */
 	struct slabhash *shared_secrets_cache;
 	/** lock on shared secret cache counters */
 	lock_basic_type shared_secrets_cache_lock;
 	/** number of misses from shared_secrets_cache */
 	size_t num_query_dnscrypt_secret_missed_cache;
+
+	/** slabhash keeping track of nonce/cient pk/server sk pairs. */
+	struct slabhash *nonces_cache;
+	/** lock on nonces_cache, used to avoid race condition in updating the hash */
+	lock_basic_type nonces_cache_lock;
+	/** number of replayed queries */
+	size_t num_query_dnscrypt_replay;
 };
 
 struct dnscrypt_query_header {
@@ -139,5 +150,26 @@ void dnsc_shared_secrets_delkeyfunc(void *k, void* arg);
  */
 void dnsc_shared_secrets_deldatafunc(void* d, void* arg);
 
+/**
+ * Computes the size of the nonce cache entry.
+ */
+size_t dnsc_nonces_sizefunc(void *k, void *d);
+
+/**
+ * Compares two nonce cache keys.
+ */
+int dnsc_nonces_compfunc(void *m1, void *m2);
+
+/**
+ * Function to delete a nonce cache key.
+ */
+void dnsc_nonces_delkeyfunc(void *k, void* arg);
+
+/**
+ * Function to delete a nonce cache value.
+ */
+void dnsc_nonces_deldatafunc(void* d, void* arg);
+
+
 #endif /* USE_DNSCRYPT */
 #endif