-
6e191d52
by Miroslav Lichvar at 2026-06-08T16:26:13+02:00
tls_gnutls: remove trailing dot for certificate verification
Although not documented, gnutls_session_set_verify_cert() doesn't work
correctly with hostnames specified with the trailing dot (FQDN). The
verification fails. Keep an additional copy of the hostname with the dot
removed in the TLS instance for the verification.
This allows NTS sources to be specified with the trailing dot.
-
0ea76073
by Miroslav Lichvar at 2026-06-08T16:26:21+02:00
sys_openbsd: simplify selection of pledge promises
Instead of switching between all needed combinations of promises passed
to pledge(), format the string in a buffer from parts added by
individual conditions. This will make it easier to add more conditions
and promises.
-
f97cee95
by Miroslav Lichvar at 2026-06-08T16:26:21+02:00
sys_openbsd: allow late binding to privileged ports
Binding UDP sockets to ports below 1024 is a privileged operation on
OpenBSD, same as on other supported systems. If chronyd was started
without any allow directives (enabling NTP server sockets) and dropped
root privileges, but some access was allowed later by chronyc, it failed
to bind its server sockets.
Enable the BINDSOCKET privops function and modify the pledge filter to
allow passing of the socket and binding it in the helper.
-
9dca17e0
by Miroslav Lichvar at 2026-06-08T16:26:21+02:00
sys_openbsd: drop unnecessary read after setting frequency
In the OpenBSD set_frequency() function assume the clock frequency was
set exactly as requested instead of reading it back from the kernel.
This avoids an unnecessary privops helper call and system call.
-
d66cbeec
by Miroslav Lichvar at 2026-06-08T16:26:21+02:00
test: verify loaded seccomp/pledge filter in system tests
-
79239410
by Miroslav Lichvar at 2026-06-08T16:26:21+02:00
test: add simple benchmark to clientlog unit test
-
8cd87bdf
by Miroslav Lichvar at 2026-06-08T16:26:21+02:00
clientlog: optimize get_record()
In the clientlog get_record() function use a simplified local version of
UTI_CompareIPs() to be inlined to minimize the overhead of searching in
the slot.
Revert commit 837323d687b9 ("clientlog: simplify code") and unroll the
first assignment in the search for the last hit to help the compiler to
produce faster code.
-
a0842b04
by Miroslav Lichvar at 2026-06-08T16:29:40+02:00
util: switch UTI_IPToHash() to FNV-1a
Use the 32-bit FNV prime and xor operation to improve the quality of
IP address hashing.
-
7e5b9511
by Miroslav Lichvar at 2026-06-08T16:39:31+02:00
clientlog: reduce number of records per slot
Change the number of records per slot from 16 to 8 to reduce the maximum
number of records that need to be inspected in the linear search for an
IP address in the hash table.
This improves the server performance when the clientlog limit is too
small for the expected number of clients (e.g. the default on a public
server).
With the improved IP address hashing this shouldn't have a significant
impact on the quality of rate limiting and client monitoring.
-
f537224d
by Miroslav Lichvar at 2026-06-08T16:39:31+02:00
local: limit maxdrift to 100000 ppm
Change the maximum accepted maxdrift from 500000 ppm to 100000 ppm to
match the Linux kernel and driver. The OpenBSD kernel can work with
larger offsets of up to 50%, but that would likely not be covered well
in testing (e.g. to make sure the loop doesn't become unstable).
This change prevents the drivers from getting larger frequencies from
the local module.