Change the maximum accepted maxdrift from 500000 ppm to 100000 ppm to
match the Linux kernel and driver. The OpenBSD kernel can work with
larger offsets of up to 50%, but that would likely not be covered well
in testing (e.g. to make sure the loop doesn't become unstable).
This change prevents the drivers from getting larger frequencies from
the local module.
Change the number of records per slot from 16 to 8 to reduce the maximum
number of records that need to be inspected in the linear search for an
IP address in the hash table.
This improves the server performance when the clientlog limit is too
small for the expected number of clients (e.g. the default on a public
server).
With the improved IP address hashing this shouldn't have a significant
impact on the quality of rate limiting and client monitoring.
In the clientlog get_record() function use a simplified local version of
UTI_CompareIPs() to be inlined to minimize the overhead of searching in
the slot.
Revert commit 837323d687b9 ("clientlog: simplify code") and unroll the
first assignment in the search for the last hit to help the compiler to
produce faster code.
sys_openbsd: drop unnecessary read after setting frequency
In the OpenBSD set_frequency() function assume the clock frequency was
set exactly as requested instead of reading it back from the kernel.
This avoids an unnecessary privops helper call and system call.
sys_openbsd: allow late binding to privileged ports
Binding UDP sockets to ports below 1024 is a privileged operation on
OpenBSD, same as on other supported systems. If chronyd was started
without any allow directives (enabling NTP server sockets) and dropped
root privileges, but some access was allowed later by chronyc, it failed
to bind its server sockets.
Enable the BINDSOCKET privops function and modify the pledge filter to
allow passing of the socket and binding it in the helper.
sys_openbsd: simplify selection of pledge promises
Instead of switching between all needed combinations of promises passed
to pledge(), format the string in a buffer from parts added by
individual conditions. This will make it easier to add more conditions
and promises.
tls_gnutls: remove trailing dot for certificate verification
Although not documented, gnutls_session_set_verify_cert() doesn't work
correctly with hostnames specified with the trailing dot (FQDN). The
verification fails. Keep an additional copy of the hostname with the dot
removed in the TLS instance for the verification.
This allows NTS sources to be specified with the trailing dot.
main: add -N option for s6-style service readiness notification
In this notification scheme a service supervisor creates a pipe
and passes the write file descriptor to chronyd. When chronyd is
initialised it writes a newline to the descriptor and the
supervisor is informed that chronyd has successfully started and
is in a ready state.
Support for truncated digests was removed in Nettle 4.0. The digest
functions no longer accept the output length. Provide a full-length
buffer and copy the requested length of the digest, same as with the
other crypto providers.
Thomas Kupper [Sat, 14 Feb 2026 11:24:32 +0000 (12:24 +0100)]
chronyc: add wider output option
Add option '-w' which set the output width from 80 to 94. This allows
for all table-outputting operations to display IPv4 and IPv6 addresses
aligned with the headers.
Extend test/simulation/110-chronyc to test for the five commands which
support wide mode.
To set wide display, call `chronyc` with option `-w`.
Example of a `clients` list before and after:
chronyc -n clients -p 5
Hostname NTP Drop Int IntL Last Cmd Drop Int Last
===============================================================================
2001:db8:1234:5678:90ab:cdef:1234:5678 952 0 7 - 75 0 0 - -
192.168.1.1 0 0 - - - 0 0 - -
chronyc -n -w clients -p 5
Hostname NTP Drop Int IntL Last Cmd Drop Int Last
=============================================================================================
2001:db8:1234:5678:90ab:cdef:1234:5678 952 0 7 - 75 0 0 - -
192.168.1.1 0 0 - - - 0 0 - -
Thomas Kupper [Wed, 4 Feb 2026 21:09:09 +0000 (22:09 +0100)]
sys: add OpenBSD support
Add OpenBSD support, including pledge(2) support by implementing
SYS_EnableSystemCallFilter().
This commit depends on the addition of AdjustFreq() privops and the
addtion of invoking SYS_EnableSystemCallFilter() from PRV_StartHelper().
Only system call filter levels on/off' are supported. Setting level
to 0 disables the filter and setting it to 1 enables it.
Update the documentation to reflect that OpenBSD supports:
- the SCHED_FIFO real-time scheduler (option -P)
- locking chronyd into memory (option -m)
- reload sample history of servers and ref clocks (option -r)
- forking into two process when run as non-root user (option -u)
- maxdrift/maxslewrate of 100000.
Thomas Kupper [Wed, 4 Feb 2026 20:53:52 +0000 (21:53 +0100)]
privops: add method PRV_AdjustFreq()
In preparation of adding OpenBSD support:
OpenBSD doesn't support timex but adjusting frequency using the
adjfreq(2) system call. Add a privops method PRV_AdjustFreq() to allow
unprivileged processes to set the time.
Thomas Kupper [Wed, 11 Feb 2026 06:53:41 +0000 (07:53 +0100)]
privops: enable system call filter
In preparation of OpenBSD support, add SYS_EnableSystemCallFilter() call
to PRV_StartHelper().
In OpenBSD the privops helper will use a system call filter (pledge(2)),
whereas in Linux the privops helper doesn't use any system call filter
at the moment.
Modify Unit test ntp_sources call to PRV_Initialise() with parameter
scfilter_level set to 0.
Ingmar Stein [Sat, 7 Feb 2026 11:57:33 +0000 (12:57 +0100)]
doc: fix list of open commands enabled by default
`DEFAULT_OPEN_COMMANDS` is defined as `activity manual rtcdata smoothing
sourcename sources sourcestats tracking`, so it looks like `sourcestats`
and `serverstats` were swapped in the documentation.
Miroslav Lichvar [Thu, 29 Jan 2026 08:29:30 +0000 (09:29 +0100)]
privops: switch from settimeofday() to clock_settime()
Following the removal of gettimeofday() calls, change PRV_SetTime() to
use clock_settime() instead of settimeofday(). Only CLOCK_REALTIME is
supported for now.
Miroslav Lichvar [Wed, 26 Nov 2025 11:14:08 +0000 (12:14 +0100)]
ntp: update NTP-over-PTP support
Update the support for NTP over PTP to the latest specification
(currently in the RFC editor queue). Switch the NTP TLV to the
organization-specific TLV using the IANA OUI and assigned TLV
subtype 0x1. The Network Correction extension field has been
assigned type 0x10A. The extfield option accepts F324 as an alias
for 10A to not break existing configurations. Drop the experimental
status.
Miroslav Lichvar [Thu, 20 Nov 2025 08:53:49 +0000 (09:53 +0100)]
sys_linux: stop sticking ticks as workaround for old kernels
Drop the old workaround avoiding small changes in ticks needed to avoid
frequency steps due to inexact scaling of frequency vs ticks in kernels
before 2.6.18. chrony doesn't support such old kernels anymore.
Miroslav Lichvar [Wed, 19 Nov 2025 13:12:09 +0000 (14:12 +0100)]
cmdmon: refactor handling of sources report
The NSR_ReportSource() and RCL_ReportSource() functions assume that the
provided report already has some data prefilled by SRC_ReportSource()
and it's assumed these functions cannot fail.
Change them to accept the required data (refid and IP address) as
a parameter, remove unneeded parameters, and return an error status
(if the refid/address doesn't exist) to be handled in cmdmon
handle_source_data(). Also, catch unexpected values of the source state
and mode to make chronyc report an error instead of incorrect data.
Miroslav Lichvar [Thu, 13 Nov 2025 15:02:17 +0000 (16:02 +0100)]
ntp: add alternative method of retrieving transmitted messages
When chronyd gets a kernel or hardware transmit timestamp after sending
an NTP message to a server, peer, or client (using interleaved mode), it
needs the address and content of the message to be able to correctly
assign the timestamp to the server, peer, or client. The timestamps are
processed asynchronously. The kernel provides with each timestamp the
data-link frame that was timestamped, but chronyd can extract the
necessary data only from plain IPv4 and IPv6 packets in Ethernet frames,
possibly including VLAN tags. If the NTP packets are transmitted by a
non-Ethernet device, or they are encapsulated in another layer (e.g. a
WireGuard tunnel), chronyd is not able to extract the data and use the
kernel or hardware transmit timestamps, having to fall back to less
accurate daemon timestamps.
Add an alternative method using transmit IDs assigned to each message
(supported since Linux 6.13), which are provided by the kernel with the
timestamp in the error queue, and map them to messages, addresses and
ports saved in a ring buffer, whose size can be configured by the new
maxtxbuffers directive.
Fow now, set the default maxtxbuffers to 0 (disabled). If set to a
non-zero value, allocate the ring buffer to the maximum size on start.
As a future improvement, it could be allocated only when the extraction
of the UDP payload fails, or the extracted message is not the expected
NTP message. The size could grow dynamically when a transmit ID is
missed.
Miroslav Lichvar [Thu, 13 Nov 2025 10:14:35 +0000 (11:14 +0100)]
socket: add support for Linux timestamping transmit IDs
Add a new field to the SCK_Message structure to enable setting and
getting of the Linux timestamping transmit IDs enabled by the
SOF_TIMESTAMPING_OPT_ID socket option. The ID can be set for each packet
individually by the SCM_TS_OPT_ID control message (supported on Linux
6.13 and newer).
This will allow procesing of transmit timestamps without extracting data
from the data-link frames.
Add minstratum and maxstratum directives to specify the minimum and
maximum allowed stratum of sources to be selected. The default values
are 0 and 15 respectively, allowing all NTP sources and refclocks.
Sources that are rejected due to having too large or too small stratum
are marked with 'r' in the selection log and selectdata report.
This is similar to the "tos floor" and "tos ceiling" settings of ntpd,
except that maxstratum is interpreted as one below the ceiling.
There is no need to save the SST_GetSelectionData() "select_ok" status
as the source is immediately marked as SRC_BAD_STATS if it is not ok.
Nothing else is using this information.
Miroslav Lichvar [Wed, 22 Oct 2025 08:53:11 +0000 (10:53 +0200)]
sys_linux: fix building with older compilers and some archs
The recent replacement of <termios.h> with <linux/termios.h> to get
TCGETS2 seems to work only with compilers (or C standards) that allow
the same structure to be defined multiple times. There is a conflict
between <sys/ioctl.h> and <linux/termios.h>.
Another problem is that TCGETS2 is not used on some archs like ppc64.
Switch back to <termios.h> and move TCGETS2 to a list in a separate
file where it can be compiled without <sys/ioctl.h>.
Fixes: 03875f1ea5c4 ("sys_linux: allow ioctl(TCGETS2) in seccomp filter")
Miroslav Lichvar [Tue, 21 Oct 2025 12:06:38 +0000 (14:06 +0200)]
sys_linux: allow ioctl(TCGETS2) in seccomp filter
Add TCGETS2 to the list of allowed ioctls. It seems to be called by the
latest glibc version from isatty(), which is called from libpcsclite
used by gnutls in an NTS-KE session.
Include the linux termios header instead of glibc header to get a usable
definition of TCGETS2.
By default, the clock precision is set to the minimum measured time
needed to read the clock. This value is typically larger than the actual
resolution, which causes the NTP server to add more noise to NTP
timestamps than necessary. With HW timestamping and PTP corrections
enabled by the NTP-over-PTP transport that can be the limiting factor in
the stability of NTP measurements.
Try to determine the actual resolution of the clock. On non-Linux
systems use the clock_getres() function. On FreeBSD and NetBSD it seems
to provide expected values. On illumos it returns a large value (kernel
tick length?). On Linux it seems to be the internal timer resolution,
which is 1 ns with hrtimers, even when using a lower-resolution
clocksource like hpet or acpi_pm.
On Linux, try to measure the resolution as the minimum observed change
in differences between consecutive readings of the CLOCK_MONOTONIC_RAW
clock with a varying amount of busy work. Ignore 1ns changes due to
the kernel converting readings to timespec. This seems to work reliably.
In a test with the acpi_pm clocksource, differences of 3073, 3352, and
3631 ns were measured, which gives a resolution of 279 ns, matching the
clocksource frequency of ~3.58 MHz. With a tsc clocksource it gives
the minimum accepted resolution of 2 ns and with kvm-clock 10 ns.
As the final value of the precision, use the minimum value from the
measured or clock_getres() resolution and the original minimum time
needed to read the clock.
Miroslav Lichvar [Thu, 28 Aug 2025 07:33:34 +0000 (09:33 +0200)]
test: fix socket unit test to use non-blocking accepted sockets
SCK_AcceptConnection() always returns a non-blocking socket. Clear the
O_NONBLOCK flag in the socket unit test, which relies on blocking, to
avoid failures.
Miroslav Lichvar [Wed, 27 Aug 2025 10:22:48 +0000 (12:22 +0200)]
sys_linux: improve error message for failed PHC open
If the specified PHC device cannot be opened directly, an attempt is
made to open it as a network interface. When that fails, the error
"Could not open PHC of iface" is misleading the user that it was handled
only as an interface. Change the message to "Could not open PHC (of)" to
better cover both possibilities. Also remove the errno as it's not set
in all code paths.
Miroslav Lichvar [Tue, 26 Aug 2025 06:38:07 +0000 (08:38 +0200)]
util: switch create_dir() from chown() to lchown()
Use lchown(), the safer variant of chown() that does not follow
symlinks, when changing the ownership of a created directory (logdir,
dumpdir, ntsdumpdir, and the directory of bindcmdaddress) to the chrony
user.
Miroslav Lichvar [Mon, 11 Aug 2025 14:13:20 +0000 (16:13 +0200)]
refclock: rework update of reachability again
The recent rework of refclock reachability to better work with
driver-specific filtering (PHC driver dropping samples with unexpected
delay) introduced an issue that a PPS refclock is indicated as reachable
even when its "lock" refclock is permanently unreachable, or its samples
constistently fail in other sample checks, and no actual samples can be
accumulated. This breaks the new maxunreach option.
Rework the refclock code to provide samples from drivers together with
their quality level (all drivers except PHC provide samples with
constant quality of 1) and drop samples with quality 0 after passing
all checks, right before the actual accumulation in the median sample
filter. Increment the reachability counter only for samples that would
be accumulated.
This fixes the problem with refclocks indicated as reachable when their
samples would be dropped for other reasons than the PHC-specific delay
filter, and the maxunreach option can work as expected.
Fixes: b9b338a8df23 ("refclock: rework update of reachability")
Miroslav Lichvar [Mon, 11 Aug 2025 14:00:38 +0000 (16:00 +0200)]
hwclock: don't drop valid samples in HCL_ProcessReadings()
Modify the HCL_ProcessReadings() function to try to always provide
a valid sample. Instead of dropping a sample outside of the expected
delay, provide its assumed quality level as a small integer (relative to
already accumulated samples), and let the caller decide what quality is
acceptable.
refclock_phc: open device for writing with extpps option
In version 6.15 the Linux kernel started checking write access on the
PHC file descriptor in the PTP_PIN_SETFUNC and PTP_EXTTS_REQUEST ioctls.
chronyd opened the PHC device as readonly, which caused the PHC refclock
driver configured with the extpps option to fail with the
"Could not enable external PHC timestamping" error message.
To ensure compatibility with new kernel versions, add flags to the
SYS_Linux_OpenPHC() function and open the device with the O_RDWR flag
when the extpps option is enabled.
tls: don't accept NULL ALPN name in TLS_CreateInstance()
The TLS_CreateInstance() function handles a NULL alpn_name, but the
other session functions would crash if it was NULL. Change the function
to not handle the NULL for consistency and avoid potential confusion.
Fixes: 3e32e7e69412 ("tls: move gnutls code into tls_gnutls.c")
tls: fix server log messages to have client IP address
Add an additional parameter to TLS_CreateInstance() to save the label of
the connection (server name on the client side and client IP
address:port on the server side) instead of the server name (which is
NULL on the server side) to fix the log messages.
Fixes: 3e32e7e69412 ("tls: move gnutls code into tls_gnutls.c")
tls: don't call gnutls_deinit() after failed gnutls_init()
Don't assume gnutls_init() leaves the session pointer at NULL when it
returns with an error status. It might be a session that was already
allocated and then freed without resetting it to NULL after an error.
Fixes: 3e32e7e69412 ("tls: move gnutls code into tls_gnutls.c")
sources: add option to limit selection of unreachable sources
Add maxunreach option to NTP sources and refclocks to specify the
maximum number of polls that the source can stay selected for
synchronization when it is unreachable (i.e. no valid sample was
received in the last 8 polls).
It is an additional requirement to having at least one sample more
recent than the oldest sample of reachable sources.
The default value is 100000. Setting the option to 0 disables selection
of unreachable sources, which matches RFC 5905.
To minimize the impact of potential attacks targeting chronyc started
under root (e.g. performed by a local chronyd process running without
root privileges, a remote chronyd process, or a MITM attacker on the
network), add support for changing the effective UID/GID in chronyc
after start.
The user can be specified by the -u option, similarly to chronyd. The
default chronyc user can be changed by the --with-chronyc-user
configure option. The default value of the default chronyc user is
"root", i.e. chronyc doesn't try to change the identity by default.
The default chronyc user does not follow the default chronyd user
set by the configure --with-user option to avoid errors on systems where
chronyc is not allowed to change its UID/GID (e.g. by a SELinux policy).
Miroslav Lichvar [Wed, 16 Jul 2025 14:19:18 +0000 (16:19 +0200)]
socket: remove unused chmod() call
Drop the SCK_FLAG_ALL_PERMISSIONS support from the socket code.
chronyc is now calling chmod() on its socket itself in a hidden
directory to mitigate the unsafe operation.
Miroslav Lichvar [Wed, 16 Jul 2025 13:55:05 +0000 (15:55 +0200)]
client: mitigate unsafe permissions change on chronyc socket
When chronyc running under root binds its Unix domain socket, it needs
to change the socket permissions in order for chronyd running without
root privileges to be able to send a response to the socket.
There is a race condition between the bind() and chmod() calls. If an
attacker was able to execute arbitrary code in the chronyd process, it
might be able to wait for chronyc to be executed under root, replace the
socket with a symlink between the two calls, and cause the privileged
chronyc process to change permissions of something else, possibly
leading to a privilege escalation.
There doesn't seem to be a safe and portable way to change the socket
permissions directly. Changing the process umask could be problematic in
future with threads.
Hide the socket in two levels of subdirectories (the lower one having
a randomly generated name and not visible to the chronyd process) to
make the socket path unpredictable, and force the bind() or chmod() call
to fail if the visible upper directory is replaced.
When UTI_OpenFile() is removing an existing file to be replaced by a new
file, it could potentially get stuck in an infinite loop if something
was able to consistently win the race and create a new file before
chronyd.
Log a warning message after 100 failed attempts and repeat on each 10x
increase to make it more obvious to the admin, if it ever happens.
Reported-by: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
After (re)loading symmetric NTP keys from the key file, there is an
attempt to erase the strings from the stack by calling memset() on the
buffer. However, compilers are free (and have been shown to do) optimize
this call out.
Remove the memset() call to not pretend the stack cannot not contain any
sensitive information. There is no such attempt made for the server and
client NTS keys.
Reported-by: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
Ahmad Fatoum [Fri, 27 Jun 2025 11:58:35 +0000 (13:58 +0200)]
leapdb: fix ordered comparison against NULL pointer
fgets returns either a valid pointer with the same value as its first
argument or NULL on error or EOF.
GCC 12.2.0 -Wextra warns against relational comparison of the return
value:
leapdb.c:127:38: warning: ordered comparison of pointer with integer zero [-Wextra]
For clarity, and because the C standard doesn't mandate that valid pointers
have to compare greater than the null pointer constant, replace the
relational expression with an equality expression
Anthony Brandon [Fri, 30 May 2025 14:47:21 +0000 (16:47 +0200)]
tls: move gnutls code into tls_gnutls.c
Currently nts_ke_session.c directly calls into gnutls.
This patch moves the calls to gnutls into tls_gnutls.c with an API
defined in tls.h. This way it becomes possible to use different TLS
implementations in future patches.
Signed-off-by: Anthony Brandon <anthony@amarulasolutions.com>
Miroslav Lichvar [Tue, 24 Jun 2025 12:55:02 +0000 (14:55 +0200)]
sys_linux: drop support for kernels before 2.6.39
Linux 2.6.39 was released in 2011.
Refuse to start if a kernel version before 2.6.39 is detected. Assume
the ADJ_SETOFFSET adjtimex mode is always supported. Its verification
briefly reset the timex maxerror value to 0, which possibly confused
applications checking the value at that moment.
Drop the unneeded workaround for slow frequency updates in versions
2.6.27-2.6.32.
Miroslav Lichvar [Wed, 11 Jun 2025 12:53:47 +0000 (14:53 +0200)]
examples: improve chrony.conf examples
Add a note that three servers is the generally recommended minimum for
an NTP client to be able to detect a falseticker. Mention that the pool
directive uses four servers. Update the links to the pool join page and
list of public servers.
Miroslav Lichvar [Wed, 11 Jun 2025 11:30:57 +0000 (13:30 +0200)]
refclock_rtc: fix finalization with closed descriptor
If the RTC file descriptor was closed and removed after a read error,
don't try to close and remove it again in the driver finalization to
avoid an assertion failure on the negative descriptor.
Fixes: 4f22883f4e71 ("refclock: add new refclock for RTCs")
Miroslav Lichvar [Wed, 11 Jun 2025 07:03:48 +0000 (09:03 +0200)]
logging: don't close stderr in finalization
When logging to stderr, don't close it in finalization in case something
else still wanted to write to it. Leave it as it is together with stdin
and stdout.
conf: fix sourcedir reloading to not multiply sources
The sourcedir reload triggered by the chronyc "reload sources"
command incorrectly assumed that NSR_AddSourceByName() can return
only the NSR_Success status when a source is added. It ignored the
NSR_UnresolvedName status returned for a source whose name needs to
be resolved after the call (i.e. not specified with an IP address)
and added the source again, effectively multiplying it if the name
can be resolved to a different IP address.
Fix the code to check for the NSR_UnresolvedName status to correctly
determine whether the source was already added before and should not be
added again.
Reported-by: MichaelR <MichaelR42@runbox.com> Fixes: 916ed70c4a81 ("conf: save source status in sourcedir reload")
Miroslav Lichvar [Thu, 22 May 2025 07:17:42 +0000 (09:17 +0200)]
main: improve error message about failed notification
Mention the NOTIFY_SOCKET variable to make it more obvious what is
preventing chronyd from starting in case it's unexpectedly inherited in
a chroot etc.
projects / thirdparty / chrony.git / log
