doc: update NEWS and README

FreeBSD allows switching the receive timestamp format to struct timespec by
setting the SO_TS_CLOCK socket option to SO_TS_REALTIME after enabling
SO_TIMESTAMP.  If successful, the kernel then starts adding SCM_REALTIME
control messages instead of SCM_TIMESTAMP.

Makefile.in

@@ -33,6 +33,8 @@ CFLAGS = @CFLAGS@
 CPPFLAGS = @CPPFLAGS@
 LDFLAGS = @LDFLAGS@
 
+GETDATE_CFLAGS = @GETDATE_CFLAGS@
+
 EXTRA_OBJS = @EXTRA_OBJS@
 
 OBJS = array.o cmdparse.o conf.o local.o logging.o main.o memory.o quantiles.o \
@@ -61,6 +63,8 @@ chronyd : $(OBJS)
 chronyc : $(CLI_OBJS)
 	$(CC) $(CFLAGS) -o chronyc $(CLI_OBJS) $(LDFLAGS) $(LIBS) $(EXTRA_CLI_LIBS)
 
+getdate.o: CFLAGS += $(GETDATE_CFLAGS)
+
 distclean : clean
 	$(MAKE) -C doc distclean
 	$(MAKE) -C test/unit distclean

NEWS

@@ -11,9 +11,13 @@ Enhancements
 * Add hwtstimeout directive to configure timeout for late timestamps
 * Handle late hardware transmit timestamps of NTP requests on all sockets
 * Handle mismatched 32/64-bit time_t in SOCK refclock samples
+* Improve source replacement
 * Log important changes made by command requests (chronyc)
+* Refresh address of NTP sources periodically
+* Request nanosecond kernel RX timestamping on FreeBSD
 * Set DSCP for IPv6 packets
 * Shorten NTS-KE retry interval when network is down
+* Update seccomp filter for musl
 * Warn if loading keys from file with unexpected permissions
 * Warn if source selection fails or falseticker is detected
 * Add selectopts command to modify source-specific selection options

README

@@ -47,32 +47,7 @@ Frequently Asked Questions (FAQ).
 The documentation is also available on the chrony web pages, accessible
 through the URL 
 
-    https://chrony.tuxfamily.org/
-
-Where are new versions announced?
-=================================
-
-There is a low volume mailing list where new versions and other
-important news relating to chrony are announced.  You can join this list
-by sending mail with the subject "subscribe" to
-
-chrony-announce-request@chrony.tuxfamily.org
-
-How can I get support for chrony?
-=================================
-
-There are two other mailing lists relating to chrony.  chrony-users is a
-discussion list for users, e.g. for questions about chrony configuration
-and bug reports.  chrony-dev is a more technical list for developers,
-e.g. for submitting patches and discussing how new features should be
-implemented.  To subscribe to either of these lists, send a message with
-the subject "subscribe" to
-
-chrony-users-request@chrony.tuxfamily.org
-or
-chrony-dev-request@chrony.tuxfamily.org
-
-as applicable.
+    https://chrony-project.org/
 
 License
 =======
@@ -144,6 +119,7 @@ Gautier PHILIPPON <gautier.philippon@ensimag.grenoble-inp.fr>
 Andreas Piesk <apiesk@virbus.de>
 Mike Ryan <msr@hsilop.net>
 Baruch Siach <baruch@tkos.co.il>
+Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
 Foster Snowhill <forst@forstwoof.ru>
 Andreas Steinmetz <ast@domdv.de>
 NAKAMURA Takumi <takumi@ps.sakura.ne.jp>

client.c

@@ -4,7 +4,7 @@
  **********************************************************************
  * Copyright (C) Richard P. Curnow  1997-2003
  * Copyright (C) Lonnie Abelbeck  2016, 2018
- * Copyright (C) Miroslav Lichvar  2009-2021
+ * Copyright (C) Miroslav Lichvar  2009-2023
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as
@@ -1167,7 +1167,7 @@ command_name_generator(const char *text, int state)
 
   while ((name = names[tab_complete_index][list_index++])) {
     if (strncmp(name, text, len) == 0) {
-      return strdup(name);
+      return Strdup(name);
     }
   }
 
@@ -1979,7 +1979,7 @@ process_cmd_sources(char *line)
   IPAddr ip_addr;
   uint32_t i, mode, n_sources;
   char name[256], mode_ch, state_ch;
-  int all, verbose;
+  int all, verbose, ref;
 
   parse_sources_options(line, &all, &verbose);
   
@@ -2016,9 +2016,8 @@ process_cmd_sources(char *line)
     if (!all && ip_addr.family == IPADDR_ID)
       continue;
 
-    format_name(name, sizeof (name), 25,
-                mode == RPY_SD_MD_REF && ip_addr.family == IPADDR_INET4,
-                ip_addr.addr.in4, 1, &ip_addr);
+    ref = mode == RPY_SD_MD_REF && ip_addr.family == IPADDR_INET4;
+    format_name(name, sizeof (name), 25, ref, ref ? ip_addr.addr.in4 : 0, 1, &ip_addr);
 
     switch (mode) {
       case RPY_SD_MD_CLIENT:
@@ -3381,7 +3380,7 @@ static void
 display_gpl(void)
 {
     printf("chrony version %s\n"
-           "Copyright (C) 1997-2003, 2007, 2009-2022 Richard P. Curnow and others\n"
+           "Copyright (C) 1997-2003, 2007, 2009-2023 Richard P. Curnow and others\n"
            "chrony comes with ABSOLUTELY NO WARRANTY.  This is free software, and\n"
            "you are welcome to redistribute it under certain conditions.  See the\n"
            "GNU General Public License version 2 for details.\n\n",

cmdmon.c

@@ -3,7 +3,7 @@
 
  **********************************************************************
  * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2009-2016, 2018-2021
+ * Copyright (C) Miroslav Lichvar  2009-2016, 2018-2023
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as

conf.c

@@ -252,6 +252,9 @@ static char *leapsec_tz = NULL;
 /* Name of the user to which will be dropped root privileges. */
 static char *user;
 
+/* Address refresh interval */
+static int refresh = 1209600; /* 2 weeks */
+
 /* NTS server and client configuration */
 static char *nts_dump_dir = NULL;
 static char *nts_ntp_server = NULL;
@@ -702,6 +705,8 @@ CNF_ParseLine(const char *filename, int number, char *line)
                     &ntp_ratelimit_burst, &ntp_ratelimit_leak);
   } else if (!strcasecmp(command, "refclock")) {
     parse_refclock(p);
+  } else if (!strcasecmp(command, "refresh")) {
+    parse_int(p, &refresh);
   } else if (!strcasecmp(command, "reselectdist")) {
     parse_double(p, &reselect_distance);
   } else if (!strcasecmp(command, "rtcautotrim")) {
@@ -2533,6 +2538,14 @@ CNF_GetPtpPort(void)
 
 /* ================================================== */
 
+int
+CNF_GetRefresh(void)
+{
+  return refresh;
+}
+
+/* ================================================== */
+
 char *
 CNF_GetNtsDumpDir(void)
 {

conf.h

@@ -159,6 +159,8 @@ extern double CNF_GetHwTsTimeout(void);
 
 extern int CNF_GetPtpPort(void);
 
+extern int CNF_GetRefresh(void);
+
 extern char *CNF_GetNtsDumpDir(void);
 extern char *CNF_GetNtsNtpServer(void);
 extern int CNF_GetNtsServerCertAndKeyFiles(const char ***certs, const char ***keys);

configure

@@ -5,7 +5,7 @@
 #
 # Copyright (C) Richard P. Curnow  1997-2003
 # Copyright (C) Bryan Christianson  2016
-# Copyright (C) Miroslav Lichvar  2009, 2012-2021
+# Copyright (C) Miroslav Lichvar  2009, 2012-2022
 # Copyright (C) Stefan R. Filipek  2019
 #
 # =======================================================================
@@ -128,6 +128,7 @@ For better control, use the options below.
   --without-seccomp      Don't use seccomp even if it is available
   --disable-asyncdns     Disable asynchronous name resolving
   --disable-forcednsretry Don't retry on permanent DNS error
+  --without-aes-gcm-siv  Don't use AES-GCM-SIV for NTS even if it is available
   --without-clock-gettime Don't use clock_gettime() even if it is available
   --disable-timestamping Disable support for SW/HW timestamping
   --enable-ntp-signd     Enable support for MS-SNTP authentication in Samba
@@ -244,6 +245,7 @@ try_setsched=0
 try_lockmem=0
 feat_asyncdns=1
 feat_forcednsretry=1
+try_aes_gcm_siv=1
 try_clock_gettime=1
 try_arc4random=1
 try_recvmmsg=1
@@ -345,6 +347,9 @@ do
     --disable-forcednsretry)
       feat_forcednsretry=0
     ;;
+    --without-aes-gcm-siv)
+      try_aes_gcm_siv=0
+    ;;
     --without-clock-gettime)
       try_clock_gettime=0
     ;;
@@ -565,6 +570,13 @@ if [ "x$MYCFLAGS" = "x" ]; then
   fi
 fi
 
+TESTCFLAGS="-fwrapv"
+if test_code '-fwrapv' '' "$TESTCFLAGS" '' ''; then
+  GETDATE_CFLAGS="-fwrapv"
+else
+  GETDATE_CFLAGS=""
+fi
+
 if [ "x$MYCC" = "xgcc" ] || [ "x$MYCC" = "xclang" ]; then
   MYCFLAGS="$MYCFLAGS -Wmissing-prototypes -Wall"
 fi
@@ -986,7 +998,7 @@ if [ $feat_ntp = "1" ] && [ $feat_nts = "1" ] && [ $try_gnutls = "1" ]; then
       EXTRA_OBJECTS="$EXTRA_OBJECTS siv_nettle.o"
       add_def HAVE_SIV
       add_def HAVE_NETTLE_SIV_CMAC
-      if test_code 'AES-GCM-SIV in nettle' \
+      if [ $try_aes_gcm_siv = "1" ] && test_code 'AES-GCM-SIV in nettle' \
         'nettle/siv-gcm.h' "" "$LIBS" \
         'siv_gcm_aes128_encrypt_message((void *)1, 0, NULL, 0, (void *)2, 16, (void *)3,
                                         (void *)4);'
@@ -1117,6 +1129,7 @@ do
           s%@CFLAGS@%${MYCFLAGS}%;\
           s%@CPPFLAGS@%${MYCPPFLAGS}%;\
           s%@LDFLAGS@%${MYLDFLAGS}%;\
+          s%@GETDATE_CFLAGS@%${GETDATE_CFLAGS}%;\
           s%@LIBS@%${LIBS}%;\
           s%@EXTRA_LIBS@%${EXTRA_LIBS}%;\
           s%@EXTRA_CLI_LIBS@%${EXTRA_CLI_LIBS}%;\

contrib/bryan_christianson_1/README.txt

@@ -60,8 +60,8 @@ Support files
 Dates and sizes may differ
 -rw-r--r--  1 yourname  staff  2084  4 Aug 22:54 README.txt
 -rwxr-xr-x  1 yourname  staff   676  4 Aug 21:18 chronylogrotate.sh
--rw-r--r--  1 yourname  staff   543 18 Jul 20:10 org.tuxfamily.chronyc.plist
--rw-r--r--  1 yourname  staff   511 19 Jun 18:30 org.tuxfamily.chronyd.plist
+-rw-r--r--  1 yourname  staff   543 18 Jul 20:10 org.chrony-project.chronyc.plist
+-rw-r--r--  1 yourname  staff   511 19 Jun 18:30 org.chrony-project.chronyd.plist
 
 If you have used chrony support directories other than those suggested, you
 will need to edit each file and make the appropriate changes.
@@ -83,21 +83,21 @@ sudo chmod +x /usr/local/bin/chronylogrotate.sh
 sudo chown root:wheel /usr/local/bin/chronylogrotate.sh
 
 
-2. org.tuxfamily.chronyc.plist
+2. org.chrony-project.chronyc.plist
 This file is the launchd plist that runs logrotation each day. You may
 wish to edit this file to change the time of day at which the rotation
 will run, currently 04:05 am
 
-sudo cp org.tuxfamily.chronyc.plist /Library/LaunchDaemons
-sudo chown root:wheel /Library/LaunchDaemons/org.tuxfamily.chronyc.plist
-sudo chmod 0644 /Library/LaunchDaemons/org.tuxfamily.chronyc.plist
-sudo launchctl load -w /Library/LaunchDaemons/org.tuxfamily.chronyc.plist
+sudo cp org.chrony-project.chronyc.plist /Library/LaunchDaemons
+sudo chown root:wheel /Library/LaunchDaemons/org.chrony-project.chronyc.plist
+sudo chmod 0644 /Library/LaunchDaemons/org.chrony-project.chronyc.plist
+sudo launchctl load -w /Library/LaunchDaemons/org.chrony-project.chronyc.plist
 
 
-3. org.tuxfamily.chronyd.plist
+3. org.chrony-project.chronyd.plist
 This file is the launchd plist that runs chronyd when the Macintosh starts.
 
-sudo cp org.tuxfamily.chronyd.plist /Library/LaunchDaemons
-sudo chown root:wheel /Library/LaunchDaemons/org.tuxfamily.chronyd.plist
-sudo chmod 0644 /Library/LaunchDaemons/org.tuxfamily.chronyd.plist
-sudo launchctl load -w /Library/LaunchDaemons/org.tuxfamily.chronyd.plist
+sudo cp org.chrony-project.chronyd.plist /Library/LaunchDaemons
+sudo chown root:wheel /Library/LaunchDaemons/org.chrony-project.chronyd.plist
+sudo chmod 0644 /Library/LaunchDaemons/org.chrony-project.chronyd.plist
+sudo launchctl load -w /Library/LaunchDaemons/org.chrony-project.chronyd.plist

contrib/bryan_christianson_1/org.chrony-project.chronyc.plist

@@ -3,7 +3,7 @@
 <plist version="1.0">
 <dict>
 	<key>Label</key>
-	<string>org.tuxfamily.logrotate</string>
+	<string>org.chrony-project.logrotate</string>
 	<key>KeepAlive</key>
 	<false/>
 	<key>ProgramArguments</key>

contrib/bryan_christianson_1/org.chrony-project.chronyd.plist

@@ -3,7 +3,7 @@
 <plist version="1.0">
 <dict>
 	<key>Label</key>
-	<string>org.tuxfamily.chronyd</string>
+	<string>org.chrony-project.chronyd</string>
 	<key>Program</key>
 	<string>/usr/local/sbin/chronyd</string>
 	<key>ProgramArguments</key>

doc/chrony.conf.adoc

@@ -3,7 +3,7 @@
 // Copyright (C) Richard P. Curnow  1997-2003
 // Copyright (C) Stephen Wadeley  2016
 // Copyright (C) Bryan Christianson  2017
-// Copyright (C) Miroslav Lichvar  2009-2022
+// Copyright (C) Miroslav Lichvar  2009-2023
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of version 2 of the GNU General Public License as
@@ -72,9 +72,7 @@ newly resolved address when the server becomes unreachable (i.e. no valid
 response to last 8 requests), unsynchronised, a falseticker (i.e. does not
 agree with a majority of other sources), or the root distance is too large (the
 limit can be configured by the <<maxdistance,*maxdistance*>> directive). The
-automatic replacement happens at most once per 30 minutes. It can also be
-triggered manually for all sources by the <<chronyc.adoc#refresh,*refresh*>>
-command in *chronyc*.
+automatic replacement happens at most once per 30 minutes.
 +
 This directive can be used multiple times to specify multiple servers.
 +
@@ -886,6 +884,19 @@ This would disable the time checks until the clock is updated for the first
 time, assuming the first update corrects the clock and later checks can work
 with correct time.
 
+[[refresh]]*refresh* _interval_::
+This directive specifies the interval (in seconds) between refreshing IP
+addresses of NTP sources specified by hostname. If the hostname no longer
+resolves to the currently used address, it will be replaced with one of the new
+addresses to avoid using a server which is no longer intended for service, even
+if it is still responding correctly and would not be replaced as unreachable.
+Only one source is refreshed at a time. The default value is 1209600 (2 weeks)
+and the maximum value is 2^31-1 (68 years). A value of 0 disables the periodic
+refreshment.
++
+The <<chronyc.adoc#refresh,*refresh*>> command can be used to refresh all
+sources immediately.
+
 === Source selection
 
 [[authselectmode]]*authselectmode* _mode_::
@@ -3126,7 +3137,7 @@ dumpdir @CHRONYRUNDIR@
 == BUGS
 
 For instructions on how to report bugs, please visit
-https://chrony.tuxfamily.org/.
+https://chrony-project.org/.
 
 == AUTHORS
 

doc/chronyc.adoc

@@ -2,7 +2,7 @@
 //
 // Copyright (C) Richard P. Curnow  1997-2003
 // Copyright (C) Stephen Wadeley  2016
-// Copyright (C) Miroslav Lichvar  2009-2017, 2019-2022
+// Copyright (C) Miroslav Lichvar  2009-2017, 2019-2023
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of version 2 of the GNU General Public License as
@@ -379,9 +379,9 @@ offset. This can be suffixed by _ns_ (indicating nanoseconds), _us_
 (indicating microseconds), _ms_ (indicating milliseconds), or _s_ (indicating
 seconds). The number to the left of the square brackets shows the original
 measurement, adjusted to allow for any slews applied to the local clock
-since. The number following the _+/-_ indicator shows the margin of error in
-the measurement. Positive offsets indicate that the local clock is ahead of
-the source.
+since. Positive offsets indicate that the local clock is ahead of the source.
+The number following the _+/-_ indicator shows the margin of error in the
+measurement (NTP root distance).
 
 [[sourcestats]]*sourcestats* [*-a*] [*-v*]::
 The *sourcestats* command displays information about the drift rate and offset
@@ -970,12 +970,17 @@ current set of sources. It is equivalent to the *polltarget* option in the
 
 [[refresh]]*refresh*::
 The *refresh* command can be used to force *chronyd* to resolve the names of
-configured sources to IP addresses again, e.g. after suspending and resuming
-the machine in a different network.
+configured NTP sources to IP addresses again and replace any addresses missing
+in the list of resolved addresses.
 +
-Sources that stop responding will be replaced with newly resolved addresses
-automatically after 8 polling intervals, but this command can still be useful
-to replace them immediately and not wait until they are marked as unreachable.
+Sources that stop responding are replaced with newly resolved addresses
+automatically after 8 polling intervals. This command can be used to replace
+them immediately, e.g. after suspending and resuming the machine in a different
+network.
++
+Note that with pools which have more than 16 addresses, or not all IPv4 or IPv6
+addresses are included in a single DNS response (e.g. pool.ntp.org), this
+command might replace the addresses even if they are still in the pool.
 
 [[reload]]*reload* *sources*::
 The *reload sources* command causes *chronyd* to re-read all _*.sources_ files
@@ -1543,7 +1548,7 @@ The *help* command displays a summary of the commands and their arguments.
 == BUGS
 
 For instructions on how to report bugs, please visit
-https://chrony.tuxfamily.org/.
+https://chrony-project.org/.
 
 == AUTHORS
 

doc/chronyd.adoc

@@ -217,7 +217,7 @@ _@SYSCONFDIR@/chrony.conf_
 == BUGS
 
 For instructions on how to report bugs, please visit
-https://chrony.tuxfamily.org/.
+https://chrony-project.org/.
 
 == AUTHORS
 

doc/faq.adoc

@@ -1,7 +1,7 @@
 // This file is part of chrony
 //
 // Copyright (C) Richard P. Curnow  1997-2003
-// Copyright (C) Miroslav Lichvar  2014-2016, 2020-2022
+// Copyright (C) Miroslav Lichvar  2014-2016, 2020-2023
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of version 2 of the GNU General Public License as
@@ -40,9 +40,36 @@ on an isolated network with no hardware reference clocks in sight, `chrony`
 will probably work better for you.
 
 For a more detailed comparison of features and performance, see the
-https://chrony.tuxfamily.org/comparison.html[comparison page] on the `chrony`
+https://chrony-project.org/comparison.html[comparison page] on the `chrony`
 website.
 
+=== Should I prefer `chrony` over `timesyncd` if I do not need to run a server?
+
+Generally, yes.
+
+`systemd-timesyncd` is a very simple NTP client included in the `systemd`
+suite. It lacks almost all features of `chrony` and other advanced client
+implementations listed on the
+https://chrony-project.org/comparison.html[comparison page]. One of its main
+limitations is that it cannot poll multiple servers at the same time and detect
+servers having incorrect time (falsetickers in the NTP terminology). It should
+be used only with trusted reliable servers, ideally in local network.
+
+Using `timesyncd` with `pool.ntp.org` is problematic. The pool is very
+robust as a whole, but the individual servers run by volunteers cannot be
+relied on. Occasionally, servers drift away or make a step to distant past or
+future due to misconfiguration, problematic implementation, and other bugs
+(e.g. in firmware of a GPS receiver). The pool monitoring system detects such
+servers and quickly removes them from the pool DNS, but clients like
+`timesyncd` cannot recover from that. They follow the server as long as it
+claims to be synchronised. They need to be restarted in order to get a new
+address from the pool DNS.
+
+Note that the complexity of NTP and clock synchronisation is on the client
+side. The amount of code in `chrony` specific to NTP server is very small and
+it is disabled by default. If it was removed, it would not significantly reduce
+the amount of memory or storage needed.
+
 == Configuration issues
 
 === What is the minimum recommended configuration for an NTP client?
@@ -484,7 +511,7 @@ identically configured leap-smearing servers. Note that some clients can get
 leap seconds from other sources (e.g. with the `leapsectz` directive in
 `chrony`) and they will not work correctly with a leap smearing server.
 
-=== How should `chronyd` be configuration with `gpsd`?
+=== How should `chronyd` be configured with `gpsd`?
 
 A GPS or other GNSS receiver can be used as a reference clock with `gpsd`. It
 can work as one or two separate time sources for each connected receiver. The
@@ -573,6 +600,24 @@ transport for NTP messages (NTP over PTP) to enable hardware timestamping on
 hardware which can timestamp PTP packets only. It can be enabled by the
 `ptpport` directive.
 
+=== How can I avoid using wrong PHC refclock?
+
+If your system has multiple PHC devices, normally named by `udev` as
+_/dev/ptp0_, _/dev/ptp1_, and so on, their order can change randomly across
+reboots depending on the order of initialisation of their drivers. If a PHC
+refclock is specified by this name, `chronyd` could be using a wrong refclock
+after reboot. To prevent that, you can configure `udev` to create a stable
+symlink for `chronyd` with a rule like this (e.g. written to
+_/etc/udev/rules.d/80-phc.rules_):
+
+----
+KERNEL=="ptp[0-9]*", DEVPATH=="/devices/pci0000:00/0000:00:01.2/0000:02:00.0/ptp/*", SYMLINK+="ptp-i350-1"
+----
+
+You can get the full _DEVPATH_ of an existing PHC device with the `udevadm
+info` command. You will need to execute the `udevadm trigger` command, or
+reboot the system, for these changes to take effect.
+
 === Why are client log records dropped before reaching `clientloglimit`?
 
 The number of dropped client log records reported by the `serverstats` command

examples/chrony-wait.service

@@ -25,7 +25,6 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 PrivateDevices=yes
 PrivateUsers=yes
-ProcSubset=pid
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes

examples/chronyd-restricted.service

@@ -36,7 +36,6 @@ PrivateDevices=yes
 PrivateTmp=yes
 # This breaks adjtimex()
 #PrivateUsers=yes
-ProcSubset=pid
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes

examples/chronyd.service

@@ -24,7 +24,6 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
-ProcSubset=pid
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes

main.c

@@ -331,6 +331,9 @@ go_daemon(void)
     char message[1024];
     int r;
 
+    /* Don't exit before the 'parent' */
+    waitpid(pid, NULL, 0);
+
     close(pipefd[1]);
     r = read(pipefd[0], message, sizeof (message));
     if (r) {
@@ -353,7 +356,9 @@ go_daemon(void)
     if (pid < 0) {
       LOG_FATAL("fork() failed : %s", strerror(errno));
     } else if (pid > 0) {
-      exit(0); /* In the 'parent' */
+      /* In the 'parent' */
+      close(pipefd[1]);
+      exit(0);
     } else {
       /* In the child we want to leave running as the daemon */
 

memory.c

@@ -47,8 +47,13 @@ Realloc(void *ptr, size_t size)
 {
   void *r;
 
+  if (size == 0) {
+    Free(ptr);
+    return NULL;
+  }
+
   r = realloc(ptr, size);
-  if (!r && size)
+  if (!r)
     LOG_FATAL("Could not allocate memory");
 
   return r;

ntp_core.c

@@ -3,7 +3,7 @@
 
  **********************************************************************
  * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2009-2022
+ * Copyright (C) Miroslav Lichvar  2009-2023
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as
@@ -215,9 +215,6 @@ struct NCR_Instance_Record {
   SPF_Instance filter;
   int filter_count;
 
-  /* Flag indicating HW transmit timestamps are expected */
-  int had_hw_tx_timestamp;
-
   /* Response waiting for a HW transmit timestamp of the request */
   struct SavedResponse *saved_response;
 
@@ -647,7 +644,7 @@ NCR_CreateInstance(NTP_Remote_Address *remote_addr, NTP_Source_Type type,
   result->auto_burst = params->burst;
   result->auto_offline = params->auto_offline;
   result->copy = params->copy && result->mode == MODE_CLIENT;
-  result->poll_target = params->poll_target;
+  result->poll_target = MAX(1, params->poll_target);
   result->ext_field_flags = params->ext_fields;
 
   if (params->nts) {
@@ -794,8 +791,6 @@ NCR_ResetInstance(NCR_Instance instance)
   if (instance->filter)
     SPF_DropSamples(instance->filter);
   instance->filter_count = 0;
-
-  instance->had_hw_tx_timestamp = 0;
 }
 
 /* ================================================== */
@@ -803,6 +798,8 @@ NCR_ResetInstance(NCR_Instance instance)
 void
 NCR_ResetPoll(NCR_Instance instance)
 {
+  instance->poll_score = 0.0;
+
   if (instance->local_poll != instance->minpoll) {
     instance->local_poll = instance->minpoll;
 
@@ -833,6 +830,12 @@ NCR_ChangeRemoteAddress(NCR_Instance inst, NTP_Remote_Address *remote_addr, int
     inst->local_addr.sock_fd = NIO_OpenServerSocket(remote_addr);
   }
 
+  /* Reset the polling interval only if the source wasn't unreachable to
+     avoid increasing server/network load in case that is what caused
+     the source to be unreachable */
+  if (SRC_IsReachable(inst->source))
+    NCR_ResetPoll(inst);
+
   /* Update the reference ID and reset the source/sourcestats instances */
   SRC_SetRefid(inst->source, UTI_IPToRefid(&remote_addr->ip_addr),
                &inst->remote_addr.ip_addr);
@@ -1958,7 +1961,7 @@ process_response(NCR_Instance inst, int saved, NTP_Local_Address *local_addr,
      response to the request, when at least one good response has already been
      accepted to avoid incorrectly confirming a tentative source. */
   if (valid_packet && synced_packet && !saved && !inst->valid_rx &&
-      inst->had_hw_tx_timestamp && inst->local_tx.source != NTP_TS_HARDWARE &&
+      NIO_IsHwTsEnabled() && inst->local_tx.source != NTP_TS_HARDWARE &&
       inst->report.total_good_count > 0) {
     if (save_response(inst, local_addr, rx_ts, message, info))
       return 1;
@@ -2684,8 +2687,6 @@ NCR_ProcessTxKnown(NCR_Instance inst, NTP_Local_Address *local_addr,
                       message);
 
   if (tx_ts->source == NTP_TS_HARDWARE) {
-    inst->had_hw_tx_timestamp = 1;
-
     if (has_saved_response(inst))
       process_saved_response(inst);
   }
@@ -2894,7 +2895,7 @@ NCR_ModifyMinstratum(NCR_Instance inst, int new_min_stratum)
 void
 NCR_ModifyPolltarget(NCR_Instance inst, int new_poll_target)
 {
-  inst->poll_target = new_poll_target;
+  inst->poll_target = MAX(1, new_poll_target);
   LOG(LOGS_INFO, "Source %s new polltarget %d",
       UTI_IPToString(&inst->remote_addr.ip_addr), new_poll_target);
 }

ntp_io.c

@@ -278,6 +278,18 @@ NIO_Finalise(void)
 
 /* ================================================== */
 
+int
+NIO_IsHwTsEnabled(void)
+{
+#ifdef HAVE_LINUX_TIMESTAMPING
+  return NIO_Linux_IsHwTsEnabled();
+#else
+  return 0;
+#endif
+}
+
+/* ================================================== */
+
 int
 NIO_OpenClientSocket(NTP_Remote_Address *remote_addr)
 {

ntp_io.h

@@ -39,6 +39,9 @@ extern void NIO_Initialise(void);
 /* Function to finalise the module */
 extern void NIO_Finalise(void);
 
+/* Function to check if HW timestamping is enabled on any interface */
+extern int NIO_IsHwTsEnabled(void);
+
 /* Function to obtain a socket for sending client packets */
 extern int NIO_OpenClientSocket(NTP_Remote_Address *remote_addr);
 

ntp_io_linux.c

@@ -2,7 +2,7 @@
   chronyd/chronyc - Programs for keeping computer clocks accurate.
 
  **********************************************************************
- * Copyright (C) Miroslav Lichvar  2016-2019, 2021-2022
+ * Copyright (C) Miroslav Lichvar  2016-2019, 2021-2023
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as
@@ -439,6 +439,14 @@ NIO_Linux_Finalise(void)
 
 /* ================================================== */
 
+int
+NIO_Linux_IsHwTsEnabled(void)
+{
+  return ARR_GetSize(interfaces) > 0;
+}
+
+/* ================================================== */
+
 int
 NIO_Linux_SetTimestampSocketOptions(int sock_fd, int client_only, int *events)
 {

ntp_io_linux.h

@@ -33,6 +33,8 @@ extern void NIO_Linux_Initialise(void);
 
 extern void NIO_Linux_Finalise(void);
 
+extern int NIO_Linux_IsHwTsEnabled(void);
+
 extern int NIO_Linux_SetTimestampSocketOptions(int sock_fd, int client_only, int *events);
 
 extern int NIO_Linux_ProcessMessage(SCK_Message *message, NTP_Local_Address *local_addr,

ntp_sources.c

@@ -3,7 +3,7 @@
 
  **********************************************************************
  * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2011-2012, 2014, 2016, 2020-2021
+ * Copyright (C) Miroslav Lichvar  2011-2012, 2014, 2016, 2020-2023
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as
@@ -32,6 +32,7 @@
 #include "sysincl.h"
 
 #include "array.h"
+#include "conf.h"
 #include "ntp_sources.h"
 #include "ntp_core.h"
 #include "ntp_io.h"
@@ -58,12 +59,15 @@ typedef struct {
   NCR_Instance data;            /* Data for the protocol engine for this source */
   char *name;                   /* Name of the source as it was specified
                                    (may be an IP address) */
+  IPAddr resolved_addr;         /* Address resolved from the name, which can be
+                                   different from remote_addr (e.g. NTS-KE) */
   int pool_id;                  /* ID of the pool from which was this source
                                    added or INVALID_POOL */
   int tentative;                /* Flag indicating there was no valid response
                                    received from the source yet */
   uint32_t conf_id;             /* Configuration ID, which can be shared with
                                    different sources in case of a pool */
+  double last_resolving;        /* Time of last name resolving (monotonic) */
 } SourceRecord;
 
 /* Hash table of SourceRecord, its size is a power of two and it's never
@@ -96,6 +100,9 @@ struct UnresolvedSource {
   char *name;
   /* Flag indicating addresses should be used in a random order */
   int random_order;
+  /* Flag indicating current address should be replaced only if it is
+     no longer returned by the resolver */
+  int refreshment;
   /* Next unresolved source in the list */
   struct UnresolvedSource *next;
 };
@@ -103,7 +110,7 @@ struct UnresolvedSource {
 #define RESOLVE_INTERVAL_UNIT 7
 #define MIN_RESOLVE_INTERVAL 2
 #define MAX_RESOLVE_INTERVAL 9
-#define MIN_REPLACEMENT_INTERVAL 8
+#define MAX_REPLACEMENT_INTERVAL 9
 
 static struct UnresolvedSource *unresolved_sources = NULL;
 static int resolving_interval = 0;
@@ -184,6 +191,7 @@ void
 NSR_Initialise(void)
 {
   n_sources = 0;
+  resolving_id = 0;
   initialised = 1;
 
   records = ARR_CreateInstance(sizeof (SourceRecord));
@@ -206,6 +214,7 @@ NSR_Finalise(void)
   ARR_DestroyInstance(records);
   ARR_DestroyInstance(pools);
 
+  SCH_RemoveTimeout(resolving_id);
   while (unresolved_sources)
     remove_unresolved_source(unresolved_sources);
 
@@ -381,9 +390,11 @@ add_source(NTP_Remote_Address *remote_addr, char *name, NTP_Source_Type type,
       record->name = Strdup(name ? name : UTI_IPToString(&remote_addr->ip_addr));
       record->data = NCR_CreateInstance(remote_addr, type, params, record->name);
       record->remote_addr = NCR_GetRemoteAddress(record->data);
+      record->resolved_addr = remote_addr->ip_addr;
       record->pool_id = pool_id;
       record->tentative = 1;
       record->conf_id = conf_id;
+      record->last_resolving = SCH_GetLastEventMonoTime();
 
       record_lock = 0;
 
@@ -432,6 +443,8 @@ change_source_address(NTP_Remote_Address *old_addr, NTP_Remote_Address *new_addr
 
   record = get_record(slot1);
   NCR_ChangeRemoteAddress(record->data, new_addr, !replacement);
+  if (replacement)
+    record->resolved_addr = new_addr->ip_addr;
 
   if (record->remote_addr != NCR_GetRemoteAddress(record->data) ||
       UTI_CompareIPs(&record->remote_addr->ip_addr, &new_addr->ip_addr, NULL) != 0)
@@ -515,7 +528,21 @@ process_resolved_name(struct UnresolvedSource *us, IPAddr *ip_addrs, int n_addrs
   NTP_Remote_Address old_addr, new_addr;
   SourceRecord *record;
   unsigned short first = 0;
-  int i, j;
+  int i, j, slot;
+
+  /* Keep using the current address if it is being refreshed and it is
+     still included in the resolved addresses */
+  if (us->refreshment) {
+    assert(us->pool_id == INVALID_POOL);
+
+    for (i = 0; i < n_addrs; i++) {
+      if (find_slot2(&us->address, &slot) == 2 &&
+          UTI_CompareIPs(&get_record(slot)->resolved_addr, &ip_addrs[i], NULL) == 0) {
+        DEBUG_LOG("%s still fresh", UTI_IPToString(&us->address.ip_addr));
+        return;
+      }
+    }
+  }
 
   if (us->random_order)
     UTI_GetRandomBytes(&first, sizeof (first));
@@ -773,6 +800,7 @@ NSR_AddSourceByName(char *name, int port, int pool, NTP_Source_Type type,
   us = MallocNew(struct UnresolvedSource);
   us->name = Strdup(name);
   us->random_order = 0;
+  us->refreshment = 0;
 
   remote_addr.ip_addr.family = IPADDR_ID;
   remote_addr.ip_addr.addr.id = ++last_address_id;
@@ -962,20 +990,23 @@ NSR_RemoveAllSources(void)
 /* ================================================== */
 
 static void
-resolve_source_replacement(SourceRecord *record)
+resolve_source_replacement(SourceRecord *record, int refreshment)
 {
   struct UnresolvedSource *us;
 
-  DEBUG_LOG("trying to replace %s (%s)",
+  DEBUG_LOG("%s %s (%s)", refreshment ? "refreshing" : "trying to replace",
             UTI_IPToString(&record->remote_addr->ip_addr), record->name);
 
+  record->last_resolving = SCH_GetLastEventMonoTime();
+
   us = MallocNew(struct UnresolvedSource);
   us->name = Strdup(record->name);
-  /* If there never was a valid reply from this source (e.g. it was a bad
-     replacement), ignore the order of addresses from the resolver to not get
-     stuck to a pair of addresses if the order doesn't change, or a group of
-     IPv4/IPv6 addresses if the resolver prefers inaccessible IP family */
-  us->random_order = record->tentative;
+  /* Ignore the order of addresses from the resolver to not get
+     stuck with a pair of unreachable or otherwise unusable servers
+     (e.g. falsetickers) in case the order doesn't change, or a group
+     of servers if they are ordered by IP family */
+  us->random_order = 1;
+  us->refreshment = refreshment;
   us->pool_id = INVALID_POOL;
   us->address = *record->remote_addr;
 
@@ -988,11 +1019,11 @@ resolve_source_replacement(SourceRecord *record)
 void
 NSR_HandleBadSource(IPAddr *address)
 {
-  static struct timespec last_replacement;
-  struct timespec now;
+  static double next_replacement = 0.0;
   SourceRecord *record;
   IPAddr ip_addr;
-  double diff;
+  uint32_t rnd;
+  double now;
   int slot;
 
   if (!find_slot(address, &slot))
@@ -1007,15 +1038,56 @@ NSR_HandleBadSource(IPAddr *address)
     return;
 
   /* Don't resolve names too frequently */
-  SCH_GetLastEventTime(NULL, NULL, &now);
-  diff = UTI_DiffTimespecsToDouble(&now, &last_replacement);
-  if (fabs(diff) < RESOLVE_INTERVAL_UNIT * (1 << MIN_REPLACEMENT_INTERVAL)) {
+  now = SCH_GetLastEventMonoTime();
+  if (now < next_replacement) {
     DEBUG_LOG("replacement postponed");
     return;
   }
-  last_replacement = now;
 
-  resolve_source_replacement(record);
+  UTI_GetRandomBytes(&rnd, sizeof (rnd));
+  next_replacement = now + ((double)rnd / (uint32_t)-1) *
+                     (RESOLVE_INTERVAL_UNIT * (1 << MAX_REPLACEMENT_INTERVAL));
+
+  resolve_source_replacement(record, 0);
+}
+
+/* ================================================== */
+
+static void
+maybe_refresh_source(void)
+{
+  static double last_refreshment = 0.0;
+  SourceRecord *record, *oldest_record;
+  int i, min_interval;
+  double now;
+
+  min_interval = CNF_GetRefresh();
+
+  now = SCH_GetLastEventMonoTime();
+  if (min_interval <= 0 || now < last_refreshment + min_interval)
+    return;
+
+  last_refreshment = now;
+
+  for (i = 0, oldest_record = NULL; i < ARR_GetSize(records); i++) {
+    record = get_record(i);
+    if (!record->remote_addr || UTI_IsStringIP(record->name))
+      continue;
+
+    if (!oldest_record || oldest_record->last_resolving > record->last_resolving)
+      oldest_record = record;
+  }
+
+  if (!oldest_record)
+    return;
+
+  /* Check if the name wasn't already resolved in the last interval */
+  if (now < oldest_record->last_resolving + min_interval) {
+    last_refreshment = oldest_record->last_resolving;
+    return;
+  }
+
+  resolve_source_replacement(oldest_record, 1);
 }
 
 /* ================================================== */
@@ -1031,7 +1103,7 @@ NSR_RefreshAddresses(void)
     if (!record->remote_addr)
       continue;
 
-    resolve_source_replacement(record);
+    resolve_source_replacement(record, 1);
   }
 }
 
@@ -1157,6 +1229,8 @@ NSR_ProcessRx(NTP_Remote_Address *remote_addr, NTP_Local_Address *local_addr,
           remove_pool_sources(record->pool_id, 1, 0);
       }
     }
+
+    maybe_refresh_source();
   } else {
     NCR_ProcessRxUnknown(remote_addr, local_addr, rx_ts, message, length);
   }

nts_ke_server.c

@@ -2,7 +2,7 @@
   chronyd/chronyc - Programs for keeping computer clocks accurate.
 
  **********************************************************************
- * Copyright (C) Miroslav Lichvar  2020
+ * Copyright (C) Miroslav Lichvar  2020, 2022
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as
@@ -448,7 +448,7 @@ process_request(NKSN_Instance session)
           aead_algorithm_values++;
           /* Use the first supported algorithm */
           if (aead_algorithm < 0 && SIV_GetKeyLength(ntohs(data[i])) > 0)
-            aead_algorithm = ntohs(data[i]);;
+            aead_algorithm = ntohs(data[i]);
         }
         break;
       case NKE_RECORD_ERROR:
@@ -512,6 +512,7 @@ generate_key(int index)
     assert(0);
 
   UTI_GetRandomBytesUrandom(key->key, key_length);
+  memset(key->key + key_length, 0, sizeof (key->key) - key_length);
   UTI_GetRandomBytes(&key->id, sizeof (key->id));
 
   /* Encode the index in the lowest bits of the ID */
@@ -628,6 +629,7 @@ load_keys(void)
         key_length <= 0 ||
         UTI_HexToBytes(words[1], new_keys[i].key, sizeof (new_keys[i].key)) != key_length)
       goto error;
+    memset(new_keys[i].key + key_length, 0, sizeof (new_keys[i].key) - key_length);
   }
 
   if (i < MAX_SERVER_KEYS)
@@ -649,7 +651,7 @@ load_keys(void)
 
   fclose(f);
 
-  LOG(LOGS_ERR, "Loaded %s", "server NTS keys");
+  LOG(LOGS_INFO, "Loaded %s", "server NTS keys");
   return 1;
 
 error:

nts_ntp_client.c

@@ -650,6 +650,7 @@ load_cookies(NNC_Instance inst)
                                             sizeof (inst->context.c2s.key));
 
   if (inst->context.s2c.length != SIV_GetKeyLength(algorithm) ||
+      inst->context.s2c.length <= 0 ||
       inst->context.c2s.length != inst->context.s2c.length)
     goto error;
 

nts_ntp_server.c

@@ -2,7 +2,7 @@
   chronyd/chronyc - Programs for keeping computer clocks accurate.
 
  **********************************************************************
- * Copyright (C) Miroslav Lichvar  2020
+ * Copyright (C) Miroslav Lichvar  2020, 2022
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as

refclock_phc.c

@@ -2,7 +2,7 @@
   chronyd/chronyc - Programs for keeping computer clocks accurate.
 
  **********************************************************************
- * Copyright (C) Miroslav Lichvar  2013, 2017
+ * Copyright (C) Miroslav Lichvar  2013, 2017, 2023
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as

sched.c

@@ -163,6 +163,8 @@ SCH_Finalise(void) {
 
   ARR_DestroyInstance(file_handlers);
 
+  timer_queue.next = &timer_queue;
+  timer_queue.prev = &timer_queue;
   for (i = 0; i < ARR_GetSize(tqe_blocks); i++)
     Free(*(TimerQueueEntry **)ARR_GetElement(tqe_blocks, i));
   ARR_DestroyInstance(tqe_blocks);

siv_nettle.c

@@ -2,7 +2,7 @@
   chronyd/chronyc - Programs for keeping computer clocks accurate.
 
  **********************************************************************
- * Copyright (C) Miroslav Lichvar  2019
+ * Copyright (C) Miroslav Lichvar  2019, 2022
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as

socket.c

@@ -869,6 +869,11 @@ process_header(struct msghdr *msg, int msg_length, int sock_fd, int flags,
       memcpy(&message->timestamp.kernel, CMSG_DATA(cmsg), sizeof (message->timestamp.kernel));
     }
 #endif
+#ifdef SCM_REALTIME
+    else if (match_cmsg(cmsg, SOL_SOCKET, SCM_REALTIME, sizeof (message->timestamp.kernel))) {
+      memcpy(&message->timestamp.kernel, CMSG_DATA(cmsg), sizeof (message->timestamp.kernel));
+    }
+#endif
 #ifdef HAVE_LINUX_TIMESTAMPING
 #ifdef HAVE_LINUX_TIMESTAMPING_OPT_PKTINFO
     else if (match_cmsg(cmsg, SOL_SOCKET, SCM_TIMESTAMPING_PKTINFO,
@@ -1386,8 +1391,15 @@ SCK_EnableKernelRxTimestamping(int sock_fd)
     return 1;
 #endif
 #ifdef SO_TIMESTAMP
-  if (SCK_SetIntOption(sock_fd, SOL_SOCKET, SO_TIMESTAMP, 1))
+  if (SCK_SetIntOption(sock_fd, SOL_SOCKET, SO_TIMESTAMP, 1)) {
+#if defined(SO_TS_CLOCK) && defined(SO_TS_REALTIME)
+    /* We don't care about the return value - we'll get either a
+       SCM_REALTIME (if we succeded) or a SCM_TIMESTAMP (if we failed) */
+    if (!SCK_SetIntOption(sock_fd, SOL_SOCKET, SO_TS_CLOCK, SO_TS_REALTIME))
+      ;
+#endif
     return 1;
+  }
 #endif
 
   return 0;

sources.c

@@ -3,7 +3,7 @@
 
  **********************************************************************
  * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2011-2016, 2018, 2020-2021
+ * Copyright (C) Miroslav Lichvar  2011-2016, 2018, 2020-2023
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as
@@ -112,6 +112,9 @@ struct SRC_Instance_Record {
   /* Updates left before allowing combining */
   int distant;
 
+  /* Updates with a status requiring source replacement */
+  int bad;
+
   /* Flag indicating the status of the source */
   SRC_Status status;
 
@@ -178,12 +181,17 @@ static int reported_no_majority;  /* Flag to avoid repeated log message
 /* Number of updates needed to reset the distant status */
 #define DISTANT_PENALTY 32
 
+/* Number of updates needed to trigger handling of bad sources */
+#define BAD_HANDLE_THRESHOLD 4
+
 static double max_distance;
 static double max_jitter;
 static double reselect_distance;
 static double stratum_weight;
 static double combine_limit;
 
+static SRC_Instance last_updated_inst;
+
 static LOG_FileID logfileid;
 
 /* Identifier of the dump file */
@@ -218,6 +226,8 @@ void SRC_Initialise(void) {
   LCL_AddParameterChangeHandler(slew_sources, NULL);
   LCL_AddDispersionNotifyHandler(add_dispersion, NULL);
 
+  last_updated_inst = NULL;
+
   logfileid = CNF_GetLogSelection() ? LOG_FileOpen("selection",
               "   Date (UTC) Time     IP Address   S EOpts Reach Score Last sample  Low end   High end")
               : -1;
@@ -301,6 +311,9 @@ void SRC_DestroyInstance(SRC_Instance instance)
 {
   int dead_index, i;
 
+  if (last_updated_inst == instance)
+    last_updated_inst = NULL;
+
   assert(initialised);
   if (instance->index < 0 || instance->index >= n_sources ||
       instance != sources[instance->index])
@@ -333,6 +346,7 @@ SRC_ResetInstance(SRC_Instance instance)
   instance->reachability = 0;
   instance->reachability_size = 0;
   instance->distant = 0;
+  instance->bad = 0;
   instance->status = SRC_BAD_STATS;
   instance->sel_score = 1.0;
   instance->stratum = 0;
@@ -478,6 +492,19 @@ special_mode_end(void)
     return 1;
 }
 
+/* ================================================== */
+
+static void
+handle_bad_source(SRC_Instance inst)
+{
+  if (inst->type == SRC_NTP) {
+    DEBUG_LOG("Bad source status=%c", get_status_char(inst->status));
+    NSR_HandleBadSource(inst->ip_addr);
+  }
+}
+
+/* ================================================== */
+
 void
 SRC_UpdateReachability(SRC_Instance inst, int reachable)
 {
@@ -498,14 +525,9 @@ SRC_UpdateReachability(SRC_Instance inst, int reachable)
     REF_SetUnsynchronised();
   }
 
-  /* Try to replace NTP sources that are unreachable, falsetickers, or
-     have root distance or jitter larger than the allowed maximums */
-  if (inst->type == SRC_NTP &&
-      ((!inst->reachability && inst->reachability_size == SOURCE_REACH_BITS) ||
-       inst->status == SRC_BAD_DISTANCE || inst->status == SRC_JITTERY ||
-       inst->status == SRC_FALSETICKER)) {
-    NSR_HandleBadSource(inst->ip_addr);
-  }
+  /* Try to replace unreachable NTP sources */
+  if (inst->reachability == 0 && inst->reachability_size == SOURCE_REACH_BITS)
+    handle_bad_source(inst);
 }
 
 /* ================================================== */
@@ -565,18 +587,17 @@ update_sel_options(void)
   for (i = 0; i < n_sources; i++) {
     options = sources[i]->conf_sel_options;
 
-    if (options & SRC_SELECT_NOSELECT)
-      continue;
-
-    switch (sources[i]->type) {
-      case SRC_NTP:
-        options |= sources[i]->authenticated ? auth_ntp_options : unauth_ntp_options;
-        break;
-      case SRC_REFCLOCK:
-        options |= refclk_options;
-        break;
-      default:
-        assert(0);
+    if (!(options & SRC_SELECT_NOSELECT)) {
+      switch (sources[i]->type) {
+        case SRC_NTP:
+          options |= sources[i]->authenticated ? auth_ntp_options : unauth_ntp_options;
+          break;
+        case SRC_REFCLOCK:
+          options |= refclk_options;
+          break;
+        default:
+          assert(0);
+      }
     }
 
     if (sources[i]->sel_options != options) {
@@ -661,11 +682,23 @@ mark_source(SRC_Instance inst, SRC_Status status)
 
   inst->status = status;
 
-  DEBUG_LOG("%s status=%c options=%x reach=%o/%d updates=%d distant=%d leap=%d vote=%d lo=%f hi=%f",
+  /* Try to replace NTP sources that are falsetickers, or have a root
+     distance or jitter larger than the allowed maximums */
+  if (inst == last_updated_inst) {
+    if (inst->bad < INT_MAX &&
+        (status == SRC_FALSETICKER || status == SRC_BAD_DISTANCE || status == SRC_JITTERY))
+      inst->bad++;
+    else
+      inst->bad = 0;
+    if (inst->bad >= BAD_HANDLE_THRESHOLD)
+      handle_bad_source(inst);
+  }
+
+  DEBUG_LOG("%s status=%c options=%x reach=%o/%d updates=%d distant=%d bad=%d leap=%d vote=%d lo=%f hi=%f",
             source_to_string(inst), get_status_char(inst->status),
             (unsigned int)inst->sel_options, (unsigned int)inst->reachability,
             inst->reachability_size, inst->updates,
-            inst->distant, (int)inst->leap, inst->leap_vote,
+            inst->distant, inst->bad, (int)inst->leap, inst->leap_vote,
             inst->sel_info.lo_limit, inst->sel_info.hi_limit);
 
   if (logfileid == -1)
@@ -811,8 +844,10 @@ SRC_SelectSource(SRC_Instance updated_inst)
   double first_sample_ago, max_reach_sample_ago;
   NTP_Leap leap_status;
 
-  if (updated_inst)
+  if (updated_inst) {
     updated_inst->updates++;
+    last_updated_inst = updated_inst;
+  }
 
   if (n_sources == 0) {
     /* In this case, we clearly cannot synchronise to anything */

sys_linux.c

@@ -498,6 +498,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
     SCMP_SYS(getrlimit),
     SCMP_SYS(getuid),
     SCMP_SYS(getuid32),
+#ifdef __NR_membarrier
+    SCMP_SYS(membarrier),
+#endif
 #ifdef __NR_rseq
     SCMP_SYS(rseq),
 #endif
@@ -600,6 +603,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
     SCMP_SYS(select),
     SCMP_SYS(set_robust_list),
     SCMP_SYS(write),
+    SCMP_SYS(writev),
 
     /* Miscellaneous */
     SCMP_SYS(getrandom),
@@ -654,7 +658,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
   const static int fcntls[] = { F_GETFD, F_SETFD, F_GETFL, F_SETFL };
 
   const static unsigned long ioctls[] = {
-    FIONREAD, TCGETS,
+    FIONREAD, TCGETS, TIOCGWINSZ,
 #if defined(FEAT_PHC) || defined(HAVE_LINUX_TIMESTAMPING)
     PTP_EXTTS_REQUEST, PTP_SYS_OFFSET,
 #ifdef PTP_PIN_SETFUNC

test/compilation/003-sanitizers

@@ -26,6 +26,7 @@ for extra_config_opts in \
   "--all-privops" \
   "--disable-ipv6" \
   "--disable-scfilter" \
+  "--without-aes-gcm-siv" \
   "--without-gnutls" \
   "--without-nettle" \
   "--without-nettle --without-nss" \

test/simulation/110-chronyc

@@ -350,6 +350,8 @@ minstratum 192.168.123.1 1
 polltarget 192.168.123.1 10
 selectopts 192.168.123.1 +trust +prefer -require
 selectdata
+selectopts 192.168.123.1 +noselect -prefer -trust +require
+selectdata
 delete 192.168.123.1"
 
 run_test || test_fail
@@ -372,6 +374,10 @@ check_chronyc_output "^200 OK
 S Name/IP Address        Auth COpts EOpts Last Score     Interval  Leap
 =======================================================================
 M node1\.net1\.clk            N \-PT\-\- \-PT\-\-    0   1\.0    \+0ns    \+0ns  \?
+200 OK
+S Name/IP Address        Auth COpts EOpts Last Score     Interval  Leap
+=======================================================================
+M node1\.net1\.clk            N N\-\-R\- N\-\-R\-    0   1\.0    \+0ns    \+0ns  \?
 200 OK$" || test_fail
 
 chronyc_conf="

test/simulation/114-presend

@@ -3,6 +3,7 @@
 . ./test.common
 test_start "presend option"
 
+limit=9900
 min_sync_time=136
 max_sync_time=260
 client_server_options="presend 6 maxdelay 16"

test/simulation/132-logchange

@@ -16,6 +16,6 @@ check_chronyd_exit || test_fail
 check_source_selection || test_fail
 check_packet_interval || test_fail
 check_sync || test_fail
-check_log_messages "clock wrong by" 4 8 || test_fail
+check_log_messages "clock wrong by" 3 8 || test_fail
 
 test_pass

test/simulation/139-nts

@@ -158,10 +158,10 @@ for dns in 1 0; do
 	check_source_selection && test_fail
 	check_sync && test_fail
 
-	check_file_messages "	2	1	.*	4460	" 50 100 log.packets || test_fail
+	check_file_messages "	2	1	.*	4460	" 45 100 log.packets || test_fail
 	check_file_messages "	2	2	.*	4460	" 0 0 log.packets || test_fail
-	check_log_messages "Source 192.168.123.1 changed to 192.168.123.2" 6 8 || test_fail
-	check_log_messages "Source 192.168.123.2 replaced with 192.168.123.1" 6 8 || test_fail
+	check_log_messages "Source 192.168.123.1 changed to 192.168.123.2" 4 10 || test_fail
+	check_log_messages "Source 192.168.123.2 replaced with 192.168.123.1" 3 10 || test_fail
 
 	servers=2
 
@@ -225,6 +225,8 @@ for dns in 1 0; do
 	check_file_messages "	3	2	.*	4460	" 0 0 log.packets || test_fail
 done
 
+min_sync_time=$[default_min_sync_time + 200]
+max_sync_time=600
 server_conf="
 ntsserverkey tmp/server1.key
 ntsservercert tmp/server1.crt
@@ -248,6 +250,8 @@ check_file_messages "	3	2	.*	123	" 0 0 log.packets || test_fail
 check_file_messages "	3	2	.*	11123	" 3 3 log.packets || test_fail
 
 dns=1
+min_sync_time=$default_min_sync_time
+max_sync_time=400
 server_conf="
 ntsserverkey tmp/server1.key
 ntsservercert tmp/server1.crt

test/simulation/147-refresh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+. ./test.common
+
+test_start "address refreshment"
+
+limit=1000
+servers=5
+client_conf="logdir tmp
+log measurements"
+client_server_conf="server nodes-1-2.net1.clk maxpoll 6
+pool nodes-3-4-5.net1.clk maxpoll 6 maxsources 2"
+client_chronyd_options="-d"
+chronyc_conf="refresh"
+chronyc_start=500
+
+run_test || test_fail
+check_chronyd_exit || test_fail
+check_source_selection || test_fail
+check_packet_interval || test_fail
+check_sync || test_fail
+
+check_file_messages "20.*192.168.123.1" 0 0 measurements.log || test_fail
+check_file_messages "20.*192.168.123.2" 15 17 measurements.log || test_fail
+check_file_messages "20.*192.168.123.[345]" 31 33 measurements.log || test_fail
+rm -f tmp/measurements.log
+if check_config_h 'FEAT_DEBUG 1'; then
+	check_log_messages "refreshing 192.168.123" 3 3 || test_fail
+	check_log_messages "resolved_name.*still fresh" 3 3 || test_fail
+fi
+
+limit=1100
+client_server_conf="
+server nodes-1-2.net1.clk maxpoll 6
+pool nodes-3-4-5.net1.clk maxpoll 6 maxsources 3"
+client_conf+="
+refresh 128"
+chronyc_conf=""
+
+run_test || test_fail
+check_chronyd_exit || test_fail
+check_source_selection || test_fail
+check_packet_interval || test_fail
+check_sync || test_fail
+
+check_file_messages "20.*192.168.123.1" 0 0 measurements.log || test_fail
+check_file_messages "20.*192.168.123.2" 16 18 measurements.log || test_fail
+check_file_messages "20.*192.168.123.[345]" 50 55 measurements.log || test_fail
+rm -f tmp/measurements.log
+if check_config_h 'FEAT_DEBUG 1'; then
+	check_log_messages "refreshing 192.168.123" 8 8 || test_fail
+	check_log_messages "resolved_name.*still fresh" 8 8 || test_fail
+	check_log_messages "refreshing 192.168.123.2" 2 2 || test_fail
+	check_log_messages "refreshing 192.168.123.3" 2 2 || test_fail
+	check_log_messages "refreshing 192.168.123.4" 2 2 || test_fail
+	check_log_messages "refreshing 192.168.123.5" 2 2 || test_fail
+fi
+
+test_pass

test/simulation/148-replacement

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+. ./test.common
+
+test_start "source replacement"
+
+limit=5000
+client_conf="logdir tmp
+log measurements"
+
+servers=6
+falsetickers=2
+client_server_conf="pool nodes-1-2-3-4-5-6.net1.clk maxsources 5 polltarget 1 iburst"
+wander=1e-12
+jitter=1e-6
+min_sync_time=7
+
+run_test || test_fail
+check_chronyd_exit || test_fail
+check_source_selection || test_fail
+check_packet_interval || test_fail
+check_sync || test_fail
+
+check_log_messages "Detected falseticker" 2 10 || test_fail
+check_log_messages "Source 192.168.123.. replaced with" 1 3 || test_fail
+check_file_messages "20.*192.168.123.* 11.1   6  6 " 15 18 measurements.log || test_fail
+check_file_messages "20.*00:[1-5].:.. 192.168.123.* 11.1   6  6 " 1 4 measurements.log || test_fail
+rm -f tmp/measurements.log
+
+# 1 unreplaceable falseticker against 2 replaceable unreachable servers
+servers=5
+falsetickers=1
+limit=200000
+base_delay="(+ 1e-4 (* -1 (equal 0.6 to 4.5)))"
+client_conf+="
+minsources 2"
+client_server_conf="
+server 192.168.123.1
+server nodes-2-4.net1.clk
+server nodes-3-5.net1.clk"
+max_sync_time=150000
+
+run_test || test_fail
+check_chronyd_exit || test_fail
+check_source_selection && test_fail
+check_packet_interval || test_fail
+check_sync || test_fail
+
+check_log_messages "Detected falseticker" 2 10 || test_fail
+check_log_messages "Source 192.168.123.. replaced with" 2 70 || test_fail
+check_log_messages "2010-01-01T0[0-4]:.*Source 192.168.123.. replaced with" 2 15 || test_fail
+check_log_messages "2010-01-01T0[5-9]:.*Source 192.168.123.. replaced with" 0 15 || test_fail
+check_file_messages "20.*192.168.123.* 11.1   6  6 " 20 500 measurements.log || test_fail
+rm -f tmp/measurements.log
+
+test_pass

test/system/010-nts

@@ -43,7 +43,7 @@ wait_for_sync || test_fail
 run_chronyc "authdata" || test_fail
 check_chronyc_output "^Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
 =========================================================================
-127\.0\.0\.1                    NTS     1   15  256    [0-9]    0    0    [78]  100$" || test_fail
+127\.0\.0\.1                    NTS     1   (30|15)  (128|256)    [0-9]    0    0    [78]  ( 64|100)$" || test_fail
 
 stop_chronyd || test_fail
 check_chronyd_messages || test_fail
@@ -57,7 +57,7 @@ wait_for_sync || test_fail
 run_chronyc "authdata" || test_fail
 check_chronyc_output "^Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
 =========================================================================
-127\.0\.0\.1                    NTS     1   15  256    [0-9]    0    0    [78]  100$" || test_fail
+127\.0\.0\.1                    NTS     1   (30|15)  (128|256)    [0-9]    0    0    [78]  ( 64|100)$" || test_fail
 
 stop_chronyd || test_fail
 check_chronyd_messages || test_fail

test/system/099-scfilter

@@ -6,7 +6,7 @@ check_chronyd_features SCFILTER || test_skip "SCFILTER support disabled"
 
 test_start "system call filter in non-destructive tests"
 
-for level in "-1" "1" "-2" "2"; do
+for level in 1 2 -1 -2; do
 	test_message 1 1 "level $level:"
 	for test in 0[0-8][0-9]-*[^_]; do
 		test_message 2 0 "$test"

test/system/199-scfilter

@@ -6,7 +6,7 @@ check_chronyd_features SCFILTER || test_skip "SCFILTER support disabled"
 
 test_start "system call filter in destructive tests"
 
-for level in "-1" "1" "-2" "2"; do
+for level in 1 2 -1 -2; do
 	test_message 1 1 "level $level:"
 	for test in 1[0-8][0-9]-*[^_]; do
 		test_message 2 0 "$test"

test/system/test.common

@@ -42,6 +42,8 @@ test_start() {
 		su "$user" -s /bin/sh -c "touch $TEST_DIR/test" 2> /dev/null || \
 			test_skip "$user cannot access $TEST_DIR"
 		rm "$TEST_DIR/test"
+	else
+		chown 0:0 "$TEST_DIR" || test_skip "could not chown $TEST_DIR"
 	fi
 
 	echo "Testing $*:"

test/unit/ntp_core.c

@@ -1,6 +1,6 @@
 /*
  **********************************************************************
- * Copyright (C) Miroslav Lichvar  2017-2018
+ * Copyright (C) Miroslav Lichvar  2017-2018, 2023
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as
@@ -35,6 +35,7 @@ static struct timespec current_time;
 static NTP_Packet req_buffer, res_buffer;
 static int req_length, res_length;
 
+#define NIO_IsHwTsEnabled() 1
 #define NIO_OpenServerSocket(addr) ((addr)->ip_addr.family != IPADDR_UNSPEC ? 100 : 0)
 #define NIO_CloseServerSocket(fd) assert(fd == 100)
 #define NIO_OpenClientSocket(addr) ((addr)->ip_addr.family != IPADDR_UNSPEC ? 101 : 0)
@@ -106,13 +107,9 @@ send_request(NCR_Instance inst, int late_hwts)
   }
 
   if (late_hwts) {
-    inst->had_hw_tx_timestamp = 1;
     inst->report.total_good_count++;
   } else {
-    if (random() % 2)
-      inst->had_hw_tx_timestamp = 0;
-    else
-      inst->report.total_good_count = 0;
+    inst->report.total_good_count = 0;
   }
 }
 

test/unit/ntp_sources.c

@@ -28,6 +28,7 @@
 #include <nameserv_async.h>
 #include <ntp_core.h>
 #include <ntp_io.h>
+#include <sched.h>
 
 static char *requested_name = NULL;
 static DNS_NameResolveHandler resolve_handler = NULL;
@@ -41,9 +42,11 @@ static void *resolve_handler_arg = NULL;
   change_remote_address(inst, remote_addr, ntp_only)
 #define NCR_ProcessRxKnown(remote_addr, local_addr, ts, msg, len) (random() % 2)
 #define NIO_IsServerConnectable(addr) (random() % 2)
+#define SCH_GetLastEventMonoTime() get_mono_time()
 
 static void change_remote_address(NCR_Instance inst, NTP_Remote_Address *remote_addr,
                                   int ntp_only);
+static double get_mono_time(void);
 
 #include <ntp_sources.c>
 
@@ -96,17 +99,26 @@ change_remote_address(NCR_Instance inst, NTP_Remote_Address *remote_addr, int nt
   TEST_CHECK(record_lock);
 
   if (update && update_pos == 0)
-    r = update_random_address(remote_addr, 4);
+    r = update_random_address(random() % 2 ? remote_addr : NCR_GetRemoteAddress(inst), 4);
 
   NCR_ChangeRemoteAddress(inst, remote_addr, ntp_only);
 
   if (update && update_pos == 1)
-    r = update_random_address(remote_addr, 4);
+    r = update_random_address(random() % 2 ? remote_addr : NCR_GetRemoteAddress(inst), 4);
 
   if (r)
     TEST_CHECK(UTI_IsIPReal(&saved_address_update.old_address.ip_addr));
 }
 
+static double get_mono_time(void) {
+  static double t = 0.0;
+
+  if (random() % 2)
+    t += TST_GetRandomDouble(0.0, 100.0);
+
+  return t;
+}
+
 void
 test_unit(void)
 {

test/unit/nts_ke_server.c

@@ -139,7 +139,7 @@ test_unit(void)
   NKSN_Instance session;
   NKE_Context context, context2;
   NKE_Cookie cookie;
-  int i, valid, l;
+  int i, j, valid, l;
   uint32_t sum, sum2;
 
   char conf[][100] = {
@@ -200,7 +200,9 @@ test_unit(void)
   save_keys();
 
   for (i = 0, sum = 0; i < MAX_SERVER_KEYS; i++) {
-    sum += server_keys[i].id + server_keys[i].key[0];
+    sum += server_keys[i].id;
+    for (j = 0; j < sizeof (server_keys[i].key); j++)
+      sum += server_keys[i].key[j];
     generate_key(i);
   }
 
@@ -208,7 +210,9 @@ test_unit(void)
   TEST_CHECK(unlink("ntskeys") == 0);
 
   for (i = 0, sum2 = 0; i < MAX_SERVER_KEYS; i++) {
-    sum2 += server_keys[i].id + server_keys[i].key[0];
+    sum2 += server_keys[i].id;
+    for (j = 0; j < sizeof (server_keys[i].key); j++)
+      sum2 += server_keys[i].key[j];
   }
 
   TEST_CHECK(sum == sum2);

util.c

@@ -3,7 +3,7 @@
 
  **********************************************************************
  * Copyright (C) Richard P. Curnow  1997-2003
- * Copyright (C) Miroslav Lichvar  2009, 2012-2021
+ * Copyright (C) Miroslav Lichvar  2009, 2012-2023
  * 
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of version 2 of the GNU General Public License as