doc: update NEWS

In the next Linux version the recvmmsg() system call will be probably
fixed to not return socket errors (e.g. due to ICMP) when reading from
the error queue.

The NTP I/O code assumed this was the correct behavior. When the system
call is fixed, a socket error on a client socket will cause chronyd to
enter a busy loop consuming the CPU until the receive timeout is reached
(8 seconds by default).

Use getsockopt(SO_ERROR) to clear the socket error when reading from the
error queue failed.

NEWS

@@ -19,6 +19,8 @@ Bug fixes
 ---------
 * Respond to NTPv1 client requests with zero mode
 * Fix -x option to not require CAP_SYS_TIME under non-root user
+* Fix acquisitionport directive to work with privilege separation
+* Fix handling of socket errors on Linux to avoid high CPU usage
 * Fix chronyc to not get stuck in infinite loop after clock step
 
 New in version 3.2

client.c

@@ -4,7 +4,7 @@
  **********************************************************************
  * Copyright (C) Richard P. Curnow  1997-2003
  * Copyright (C) Lonnie Abelbeck  2016
- * Copyright (C) Miroslav Lichvar  2009-2017
+ * Copyright (C) Miroslav Lichvar  2009-2018
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as
@@ -3106,7 +3106,7 @@ static void
 display_gpl(void)
 {
     printf("chrony version %s\n"
-           "Copyright (C) 1997-2003, 2007, 2009-2017 Richard P. Curnow and others\n"
+           "Copyright (C) 1997-2003, 2007, 2009-2018 Richard P. Curnow and others\n"
            "chrony comes with ABSOLUTELY NO WARRANTY.  This is free software, and\n"
            "you are welcome to redistribute it under certain conditions.  See the\n"
            "GNU General Public License version 2 for details.\n\n",

configure

@@ -5,7 +5,7 @@
 #
 # Copyright (C) Richard P. Curnow  1997-2003
 # Copyright (C) Bryan Christianson  2016
-# Copyright (C) Miroslav Lichvar  2009, 2012-2016
+# Copyright (C) Miroslav Lichvar  2009, 2012-2018
 #
 # =======================================================================
 
@@ -967,9 +967,9 @@ add_def DEFAULT_USER "\"$default_user\""
 add_def DEFAULT_COMMAND_SOCKET "\"$CHRONYRUNDIR/chronyd.sock\""
 add_def MAIL_PROGRAM "\"$mail_program\""
 
-common_features="`get_features IPV6 DEBUG`"
+common_features="`get_features SECHASH IPV6 DEBUG`"
 chronyc_features="`get_features READLINE`"
-chronyd_features="`get_features CMDMON NTP REFCLOCK RTC PRIVDROP SCFILTER SECHASH SIGND ASYNCDNS`"
+chronyd_features="`get_features CMDMON NTP REFCLOCK RTC PRIVDROP SCFILTER SIGND ASYNCDNS`"
 add_def CHRONYC_FEATURES "\"$chronyc_features $common_features\""
 add_def CHRONYD_FEATURES "\"$chronyd_features $common_features\""
 echo "Features : $chronyd_features $chronyc_features $common_features"

doc/chrony.conf.adoc

@@ -91,16 +91,19 @@ to keep the average interval at or above the minimum interval, i.e. the current
 interval needs to be at least two times longer than the minimum interval in
 order to allow a burst with two requests.
 *key* _ID_:::
-The NTP protocol supports the inclusion of checksums in the packets, to prevent
+The NTP protocol supports a message authentication code (MAC) to prevent
 computers having their system time upset by rogue packets being sent to them.
-The checksums are generated as a function of a password, using the
-cryptographic hash function set in the key file, which is specified by the
-<<keyfile,*keyfile*>> directive.
+The MAC is generated as a function of a password specified in the key file,
+which is specified by the <<keyfile,*keyfile*>> directive.
 +
 The *key* option specifies which key (with an ID in the range 1 through 2^32-1)
 should *chronyd* use to authenticate requests sent to the server and verify its
 responses. The server must have the same key for this number configured,
 otherwise no relationship between the computers will be possible.
++
+If the server is running *ntpd* and the output size of the hash function used
+by the key is longer than 160 bits (e.g. SHA256), the *version* option needs to
+be set to 4 for compatibility.
 *maxdelay* _delay_:::
 *chronyd* uses the network round-trip delay to the server to determine how
 accurate a particular measurement is likely to be. Long round-trip delays
@@ -768,9 +771,10 @@ driftfile @CHRONYVARDIR@/drift
 
 [[fallbackdrift]]*fallbackdrift* _min-interval_ _max-interval_::
 Fallback drifts are long-term averages of the system clock drift calculated
-over exponentially increasing intervals. They are used when the clock is no
-longer synchronised to avoid quickly drifting away from true time if there was
-a short-term deviation in the drift before the synchronisation was lost.
+over exponentially increasing intervals. They are used to avoid quickly
+drifting away from true time when the clock was not updated for a longer period
+of time and there was a short-term deviation in the drift before the updates
+stopped.
 +
 The directive specifies the minimum and maximum interval since the last clock
 update to switch between fallback drifts. They are defined as a power of 2 (in
@@ -782,8 +786,10 @@ fallbackdrift 16 19
 +
 In this example, the minimum interval is 16 (18 hours) and the maximum interval is
 19 (6 days). The system clock frequency will be set to the first fallback 18
-hours after last clock update, to the second after 36 hours, etc. This might be
-a good setting to cover daily and weekly temperature fluctuations.
+hours after last clock update, to the second after 36 hours, and so on. This
+might be a good setting to cover frequency changes due to daily and weekly
+temperature fluctuations. When the frequency is set to a fallback, the state of
+the clock will change to '`Not synchronised`'.
 +
 By default (or if the specified maximum or minimum is 0), no fallbacks are used
 and the clock frequency changes only with new measurements from NTP sources,

doc/faq.adoc

@@ -393,16 +393,31 @@ things
 
 Some other program running on the system may be using the device.
 
+=== What if my computer does not have an RTC or backup battery?
+
+In this case you can still use the `-s` option to set the system clock to the
+last modification time of the drift file, which should correspond to the system
+time when `chronyd` was previously stopped. The initial system time will be
+increasing across reboots and applications started after `chronyd` will not
+observe backward steps.
+
 == NTP-specific issues
 
-=== Can `chronyd` be driven from broadcast NTP servers?
+=== Can `chronyd` be driven from broadcast/multicast NTP servers?
 
-No, the broadcast client mode is not supported and there is currently no plan
-to implement it. The broadcast and multicast modes are inherently less
-accurate and less secure (even with authentication) than the ordinary
-server/client mode and they are not as useful as they used to be. Even with
-very modest hardware a single NTP server can serve time to hundreds of
-thousands of clients using the ordinary mode.
+No, the broadcast/multicast client mode is not supported and there is currently
+no plan to implement it. While the mode may be useful to simplify configuration
+of clients in large networks, it is inherently less accurate and less secure
+(even with authentication) than the ordinary client/server mode.
+
+When configuring a large number of clients in a network, it is recommended to
+use the `pool` directive with a DNS name which resolves to addresses of
+multiple NTP servers. The clients will automatically replace the servers when
+they become unreachable, or otherwise unsuitable for synchronisation, with new
+servers from the pool.
+
+Even with very modest hardware, an NTP server can serve time to hundreds of
+thousands of clients using the ordinary client/server mode.
 
 === Can `chronyd` transmit broadcast NTP packets?
 

doc/installation.adoc

@@ -29,8 +29,8 @@ After unpacking the source code, change directory into it, and type
 ----
 
 This is a shell script that automatically determines the system type. There is
-a single optional parameter, `--prefix` which indicates the directory tree
-where the software should be installed. For example,
+an optional parameter `--prefix`, which indicates the directory tree where the
+software should be installed. For example,
 
 ----
 ./configure --prefix=/opt/free
@@ -40,11 +40,11 @@ will install the `chronyd` daemon into `/opt/free/sbin` and the `chronyc`
 control program into `/opt/free/bin`. The default value for the prefix is
 `/usr/local`.
 
-The configure script assumes you want to use gcc as your compiler. If you want
-to use a different compiler, you can configure this way:
+The `configure` script assumes you want to use `gcc` as your compiler. If you
+want to use a different compiler, you can configure this way:
 
 ----
-CC=cc CFLAGS=-O ./configure --prefix=/opt/free
+CC=cc ./configure --prefix=/opt/free
 ----
 
 for Bourne-family shells, or
@@ -63,11 +63,26 @@ shown. Otherwise, `Makefile` will be generated.
 On Linux, if development files for the libcap library are available, `chronyd`
 will be built with support for dropping root privileges. On other systems no
 extra library is needed. The default user which `chronyd` should run as can be
-specified with the `--with-user` option of the configure script.
+specified with the `--with-user` option of the `configure` script.
+
+If development files for the POSIX threads library are available, `chronyd`
+will be built with support for asynchronous resolving of hostnames specified in
+the `server`, `peer`, and `pool` directives. This allows `chronyd` operating as
+a server to respond to client requests when resolving a hostname. If you don't
+want to enable the support, specify the `--disable-asyncdns` flag to
+`configure`.
+
+If development files for the https://www.lysator.liu.se/~nisse/nettle/[Nettle],
+https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS[NSS], or
+http://www.libtom.net/LibTomCrypt/[libtomcrypt] library are available,
+`chronyd` will be built with support for other cryptographic hash functions
+than MD5, which can be used for NTP authentication with a symmetric key. If you
+don't want to enable the support, specify the `--disable-sechash` flag to
+`configure`.
 
 If development files for the editline or readline library are available,
 `chronyc` will be built with line editing support. If you don't want this,
-specify the `--disable-readline` flag to configure.
+specify the `--disable-readline` flag to `configure`.
 
 If a `timepps.h` header is available (e.g. from the
 http://linuxpps.org[LinuxPPS project]), `chronyd` will be built with PPS API
@@ -75,6 +90,9 @@ reference clock driver. If the header is installed in a location that isn't
 normally searched by the compiler, you can add it to the searched locations by
 setting the `CPPFLAGS` variable to `-I/path/to/timepps`.
 
+The `--help` option can be specified to `configure` to print all options
+supported by the script.
+
 Now type
 
 ----
@@ -122,6 +140,16 @@ unprivileged user for `chronyd` and specify it with the `-u` command-line
 option or the `user` directive in the configuration file, or set the default
 user with the `--with-user` configure option before building.
 
+== Support for system call filtering
+
+`chronyd` can be built with support for the Linux secure computing (seccomp)
+facility. This requires development files for the
+https://github.com/seccomp/libseccomp[libseccomp] library and the
+`--enable-scfilter` option specified to `configure`. The `-F` option of
+`chronyd` will enable a system call filter, which should significantly reduce
+the kernel attack surface and possibly prevent kernel exploits from `chronyd`
+if it is compromised.
+
 == Support for line editing libraries
 
 `chronyc` can be built with support for line editing, this allows you to use
@@ -132,12 +160,12 @@ Please note that readline since version 6.0 is licensed under GPLv3+ which is
 incompatible with chrony's license GPLv2. You should use editline instead if
 you don't want to use older readline versions.
 
-The configure script will automatically enable the line editing support if one
-of the supported libraries is available. If they are both available, the
+The `configure` script will automatically enable the line editing support if
+one of the supported libraries is available. If they are both available, the
 editline library will be used.
 
-If you don't want to use it (in which case chronyc will use a minimal command
-line interface), invoke configure like this:
+If you don't want to use it (in which case `chronyc` will use a minimal command
+line interface), invoke `configure` like this:
 
 ----
 ./configure --disable-readline other-options...
@@ -161,12 +189,12 @@ normally searched by the compiler and linker, you need to use extra options:
 
 == Extra options for package builders
 
-The configure and make procedures have some extra options that may be useful if
-you are building a distribution package for chrony.
+The `configure` and `make` procedures have some extra options that may be
+useful if you are building a distribution package for `chrony`.
 
-The `--mandir=DIR` option to configure specifies an install directory for the
-man pages. This overrides the `man` subdirectory of the argument to the
---prefix option.
+The `--mandir=DIR` option to `configure` specifies an installation directory
+for the man pages. This overrides the `man` subdirectory of the argument to the
+`--prefix` option.
 
 ----
 ./configure --prefix=/usr --mandir=/usr/share/man
@@ -174,8 +202,8 @@ man pages. This overrides the `man` subdirectory of the argument to the
 
 to set both options together.
 
-The final option is the `DESTDIR` option to the make command. For example, you
-could use the commands
+The final option is the `DESTDIR` option to the `make` command. For example,
+you could use the commands
 
 ----
 ./configure --prefix=/usr --mandir=/usr/share/man

hash_nss.c

@@ -78,7 +78,7 @@ HSH_Hash(int id, const unsigned char *in1, unsigned int in1_len,
     const unsigned char *in2, unsigned int in2_len,
     unsigned char *out, unsigned int out_len)
 {
-  unsigned int ret;
+  unsigned int ret = 0;
 
   NSSLOWHASH_Begin(hashes[id].context);
   NSSLOWHASH_Update(hashes[id].context, in1, in1_len);

ntp_core.c

@@ -3,7 +3,7 @@
 
  **********************************************************************
  * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2009-2017
+ * Copyright (C) Miroslav Lichvar  2009-2018
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as

ntp_io.c

@@ -717,6 +717,20 @@ read_from_socket(int sock_fd, int event, void *anything)
 #endif
 
   if (status < 0) {
+#ifdef HAVE_LINUX_TIMESTAMPING
+    /* If reading from the error queue failed, the exception should be
+       for a socket error.  Clear the error to avoid a busy loop. */
+    if (flags & MSG_ERRQUEUE) {
+      int error = 0;
+      socklen_t len = sizeof (error);
+
+      if (getsockopt(sock_fd, SOL_SOCKET, SO_ERROR, &error, &len))
+        DEBUG_LOG("Could not get SO_ERROR");
+      if (error)
+        errno = error;
+    }
+#endif
+
     DEBUG_LOG("Could not receive from fd %d : %s", sock_fd,
               strerror(errno));
     return;

ntp_io_linux.c

@@ -2,7 +2,7 @@
   chronyd/chronyc - Programs for keeping computer clocks accurate.
 
  **********************************************************************
- * Copyright (C) Miroslav Lichvar  2016-2017
+ * Copyright (C) Miroslav Lichvar  2016-2018
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as

ntp_sources.c

@@ -207,11 +207,12 @@ find_slot(NTP_Remote_Address *remote_addr, int *slot, int *found)
 
   size = ARR_GetSize(records);
 
+  *slot = 0;
+  *found = 0;
+  
   if (remote_addr->ip_addr.family != IPADDR_INET4 &&
-      remote_addr->ip_addr.family != IPADDR_INET6) {
-    *found = *slot = 0;
+      remote_addr->ip_addr.family != IPADDR_INET6)
     return;
-  }
 
   hash = UTI_IPToHash(&remote_addr->ip_addr);
   port = remote_addr->port;
@@ -230,8 +231,6 @@ find_slot(NTP_Remote_Address *remote_addr, int *slot, int *found)
       return;
     }
   }
-
-  *found = 0;
 }
 
 /* ================================================== */

privops.c

@@ -268,7 +268,7 @@ do_bind_socket(ReqBindSocket *req, PrvResponse *res)
   sock_fd = req->sock;
 
   UTI_SockaddrToIPAndPort(sa, &ip, &port);
-  if (port && port != CNF_GetNTPPort()) {
+  if (port && port != CNF_GetNTPPort() && port != CNF_GetAcquisitionPort()) {
     close(sock_fd);
     res_fatal(res, "Invalid port %d", port);
     return;
@@ -579,7 +579,8 @@ PRV_BindSocket(int sock, struct sockaddr *address, socklen_t address_len)
   unsigned short port;
 
   UTI_SockaddrToIPAndPort(address, &ip, &port);
-  assert(!port || port == CNF_GetNTPPort());
+  if (port && port != CNF_GetNTPPort() && port != CNF_GetAcquisitionPort())
+    assert(0);
 
   if (!have_helper())
     return bind(sock, address, address_len);

sys_linux.c

@@ -497,7 +497,7 @@ SYS_Linux_EnableSystemCallFilter(int level)
     SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat), SCMP_SYS(stat64),
     SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink),
     /* Socket */
-    SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname),
+    SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt),
     SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
     SCMP_SYS(sendmmsg), SCMP_SYS(sendmsg), SCMP_SYS(sendto),
     /* TODO: check socketcall arguments */

test/simulation/126-burst

@@ -26,4 +26,20 @@ check_source_selection || test_fail
 check_packet_interval || test_fail
 check_sync || test_fail
 
+# Add a significant delay to 70% of packets on the 2->1 path after 6th packet
+base_delay=$(cat <<-EOF | tr -d '\n'
+  (+ 1e-4
+     (* 0.15
+        (equal 0.1 from 2)
+        (equal 0.1 to 1)
+        (equal 0.1 (min (sum 1) 7) 7)
+        (equal 0.7 (uniform) 0.0)))
+EOF
+)
+
+run_test || test_fail
+check_chronyd_exit || test_fail
+check_source_selection || test_fail
+check_packet_interval || test_fail
+
 test_pass

test/unit/hash.c

@@ -106,7 +106,7 @@ test_unit(void)
       if (j >= tests[i].length)
         TEST_CHECK(length == tests[i].length);
       else
-        TEST_CHECK(length == 0 || length == j);
+        TEST_CHECK(length == 0 || length == j || length == tests[i].length);
 
       TEST_CHECK(!memcmp(out, tests[i].out, length));
     }

test/unit/hwclock.c

@@ -1,6 +1,6 @@
 /*
  **********************************************************************
- * Copyright (C) Miroslav Lichvar  2016
+ * Copyright (C) Miroslav Lichvar  2016-2017
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as

test/unit/ntp_core.c

@@ -1,6 +1,6 @@
 /*
  **********************************************************************
- * Copyright (C) Miroslav Lichvar  2017
+ * Copyright (C) Miroslav Lichvar  2017-2018
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as