aboutsummaryrefslogtreecommitdiff
path: root/external/unbound/daemon
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--external/unbound/daemon/daemon.c8
-rw-r--r--external/unbound/daemon/remote.c22
-rw-r--r--external/unbound/daemon/worker.c2
3 files changed, 28 insertions, 4 deletions
diff --git a/external/unbound/daemon/daemon.c b/external/unbound/daemon/daemon.c
index 0cd37ae82..e763f724e 100644
--- a/external/unbound/daemon/daemon.c
+++ b/external/unbound/daemon/daemon.c
@@ -399,6 +399,12 @@ daemon_create_workers(struct daemon* daemon)
verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
+ if(daemon->reuseport && (int)daemon->num < (int)daemon->num_ports) {
+ log_warn("cannot reduce num-threads to %d because so-reuseport "
+ "so continuing with %d threads.", (int)daemon->num,
+ (int)daemon->num_ports);
+ daemon->num = (int)daemon->num_ports;
+ }
daemon->workers = (struct worker**)calloc((size_t)daemon->num,
sizeof(struct worker*));
if(daemon->cfg->dnstap) {
@@ -464,7 +470,7 @@ thread_start(void* arg)
#endif
#ifdef SO_REUSEPORT
if(worker->daemon->cfg->so_reuseport)
- port_num = worker->thread_num;
+ port_num = worker->thread_num % worker->daemon->num_ports;
else
port_num = 0;
#endif
diff --git a/external/unbound/daemon/remote.c b/external/unbound/daemon/remote.c
index 93d0eda28..300948b32 100644
--- a/external/unbound/daemon/remote.c
+++ b/external/unbound/daemon/remote.c
@@ -243,9 +243,9 @@ daemon_remote_create(struct config_file* cfg)
goto setup_error;
}
verbose(VERB_ALGO, "setup SSL certificates");
- if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) {
+ if (!SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)) {
log_err("Error for server-cert-file: %s", s_cert);
- log_crypto_err("Error in SSL_CTX use_certificate_file");
+ log_crypto_err("Error in SSL_CTX use_certificate_chain_file");
goto setup_error;
}
if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
@@ -258,6 +258,23 @@ daemon_remote_create(struct config_file* cfg)
log_crypto_err("Error in SSL_CTX check_private_key");
goto setup_error;
}
+#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
+ if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) {
+ log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
+ }
+#elif defined(USE_ECDSA)
+ if(1) {
+ EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
+ if (!ecdh) {
+ log_crypto_err("could not find p256, not enabling ECDHE");
+ } else {
+ if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) {
+ log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
+ }
+ EC_KEY_free (ecdh);
+ }
+ }
+#endif
if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
log_crypto_err("Error setting up SSL_CTX verify locations");
setup_error:
@@ -1683,6 +1700,7 @@ parse_delegpt(SSL* ssl, char* args, uint8_t* nm, int allow_names)
}
}
}
+ dp->has_parent_side_NS = 1;
return dp;
}
diff --git a/external/unbound/daemon/worker.c b/external/unbound/daemon/worker.c
index f4e87289a..79aec4d3a 100644
--- a/external/unbound/daemon/worker.c
+++ b/external/unbound/daemon/worker.c
@@ -568,7 +568,7 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
if(rep->an_numrrsets > 0 && (rep->rrsets[0]->rk.type ==
htons(LDNS_RR_TYPE_CNAME) || rep->rrsets[0]->rk.type ==
htons(LDNS_RR_TYPE_DNAME))) {
- if(!reply_check_cname_chain(rep)) {
+ if(!reply_check_cname_chain(qinfo, rep)) {
/* cname chain invalid, redo iterator steps */
verbose(VERB_ALGO, "Cache reply: cname chain broken");
bail_out: