Upgrade NTP to 4.2.8p4.

Security:	FreeBSD-SA-15:25.ntp
Security:	CVE-2015-7871
Security:	CVE-2015-7855
Security:	CVE-2015-7854
Security:	CVE-2015-7853
Security:	CVE-2015-7852
Security:	CVE-2015-7851
Security:	CVE-2015-7850
Security:	CVE-2015-7849
Security:	CVE-2015-7848
Security:	CVE-2015-7701
Security:	CVE-2015-7703
Security:	CVE-2015-7704, CVE-2015-7705
Security:	CVE-2015-7691, CVE-2015-7692, CVE-2015-7702

1 files changed, 199 insertions, 98 deletions

diff --git a/contrib/ntp/ntpd/ntp_proto.c b/contrib/ntp/ntpd/ntp_proto.c
index 4062406..2a15d72 100644
--- a/contrib/ntp/ntpd/ntp_proto.c
+++ b/contrib/ntp/ntpd/ntp_proto.c
@@ -28,8 +28,8 @@
  * This macro defines the authentication state. If x is 1 authentication
  * is required; othewise it is optional.
  */
-#define	AUTH(x, y)	((x) ? (y) == AUTH_OK : (y) == AUTH_OK || \
-			    (y) == AUTH_NONE)
+#define	AUTH(x, y)	((x) ? (y) == AUTH_OK \
+			     : (y) == AUTH_OK || (y) == AUTH_NONE)
 
 #define	AUTH_NONE	0	/* authentication not required */
 #define	AUTH_OK		1	/* authentication OK */
@@ -37,6 +37,19 @@
 #define	AUTH_CRYPTO	3	/* crypto_NAK */
 
 /*
+ * Set up Kiss Code values
+ */
+
+enum kiss_codes {
+	NOKISS,				/* No Kiss Code */
+	RATEKISS,			/* Rate limit Kiss Code */
+	DENYKISS,			/* Deny Kiss */
+	RSTRKISS,			/* Restricted Kiss */
+	XKISS,				/* Experimental Kiss */
+	UNKNOWNKISS			/* Unknown Kiss Code */
+};
+
+/*
  * traffic shaping parameters
  */
 #define	NTP_IBURST	6	/* packets in iburst */
@@ -139,6 +152,7 @@ u_long	sys_declined;		/* declined */
 u_long	sys_limitrejected;	/* rate exceeded */
 u_long	sys_kodsent;		/* KoD sent */
 
+static int kiss_code_check(u_char hisleap, u_char hisstratum, u_char hismode, u_int32 refid);
 static	double	root_distance	(struct peer *);
 static	void	clock_combine	(peer_select *, int, int);
 static	void	peer_xmit	(struct peer *);
@@ -185,7 +199,34 @@ set_sys_leap(u_char new_sys_leap) {
 	}
 }
 
+/*
+ * Kiss Code check
+ */
+int kiss_code_check(u_char hisleap, u_char hisstratum, u_char hismode, u_int32 refid) {
 
+		if (   hismode == MODE_SERVER
+		    && hisleap == LEAP_NOTINSYNC
+		    && hisstratum == STRATUM_UNSPEC) {
+				if(memcmp(&refid,"RATE", 4) == 0) {
+					return (RATEKISS);	
+				}
+				else if(memcmp(&refid,"DENY", 4) == 0) {
+					return (DENYKISS);	
+				}
+				else if(memcmp(&refid,"RSTR", 4) == 0) {
+					return (RSTRKISS);	
+				}
+				else if(memcmp(&refid,"X", 1) == 0) {
+					return (XKISS);	
+				}
+				else {
+					return (UNKNOWNKISS);
+				}
+		}
+		else {
+			return (NOKISS);
+		}
+}
 /*
  * transmit - transmit procedure called by poll timeout
  */
@@ -235,8 +276,8 @@ transmit(
 			peer->unreach = 0;
 			peer->ttl = 0;
 			peer_xmit(peer);
-		} else if (sys_survivors < sys_minclock ||
-		    peer_associations < sys_maxclock) {
+		} else if (   sys_survivors < sys_minclock
+			   || peer_associations < sys_maxclock) {
 			if (peer->ttl < (u_int32)sys_ttlmax)
 				peer->ttl++;
 			peer_xmit(peer);
@@ -260,9 +301,9 @@ transmit(
 	 */
 	if (peer->cast_flags & MDF_POOL) {
 		peer->outdate = current_time;
-		if ((peer_associations <= 2 * sys_maxclock) &&
-		    (peer_associations < sys_maxclock ||
-		     sys_survivors < sys_minclock))
+		if (   (peer_associations <= 2 * sys_maxclock)
+		    && (   peer_associations < sys_maxclock
+		    	|| sys_survivors < sys_minclock))
 			pool_xmit(peer);
 		poll_update(peer, hpoll);
 		return;
@@ -297,8 +338,8 @@ transmit(
 				peer_unfit(peer);
 				report_event(PEVNT_UNREACH, peer, NULL);
 			}
-			if ((peer->flags & FLAG_IBURST) &&
-			    peer->retry == 0)
+			if (   (peer->flags & FLAG_IBURST)
+			    && peer->retry == 0)
 				peer->retry = NTP_RETRY;
 		} else {
 
@@ -312,8 +353,9 @@ transmit(
 			hpoll = sys_poll;
 			if (!(peer->flags & FLAG_PREEMPT))
 				peer->unreach = 0;
-			if ((peer->flags & FLAG_BURST) && peer->retry ==
-			    0 && !peer_unfit(peer))
+			if (   (peer->flags & FLAG_BURST)
+			    && peer->retry == 0
+			    && !peer_unfit(peer))
 				peer->retry = NTP_RETRY;
 		}
 
@@ -334,9 +376,9 @@ transmit(
 				unpeer(peer);
 				return;
 			}
-			if ((peer->flags & FLAG_PREEMPT) &&
-			    (peer_associations > sys_maxclock) &&
-			    score_all(peer)) {
+			if (   (peer->flags & FLAG_PREEMPT)
+			    && (peer_associations > sys_maxclock)
+			    && score_all(peer)) {
 				report_event(PEVNT_RESTART, peer, "timeout");
 				peer_clear(peer, "TIME");
 				unpeer(peer);
@@ -392,6 +434,7 @@ receive(
 	u_char	hismode;		/* packet mode */
 	u_char	hisstratum;		/* packet stratum */
 	u_short	restrict_mask;		/* restrict bits */
+	int kissCode = NOKISS;	/* Kiss Code */
 	int	has_mac;		/* length of MAC field */
 	int	authlen;		/* offset of MAC field */
 	int	is_authentic = 0;	/* cryptosum ok */
@@ -483,8 +526,8 @@ receive(
 	 */
 	if (hisversion == NTP_VERSION) {
 		sys_newversion++;		/* new version */
-	} else if (!(restrict_mask & RES_VERSION) && hisversion >=
-	    NTP_OLDVERSION) {
+	} else if (   !(restrict_mask & RES_VERSION)
+		   && hisversion >= NTP_OLDVERSION) {
 		sys_oldversion++;		/* previous version */
 	} else {
 		sys_badlength++;
@@ -538,8 +581,9 @@ receive(
 		} else {
 			opcode = ntohl(((u_int32 *)pkt)[authlen / 4]);
 			len = opcode & 0xffff;
-			if (len % 4 != 0 || len < 4 || (int)len +
-			    authlen > rbufp->recv_length) {
+			if (   len % 4 != 0
+			    || len < 4
+			    || (int)len + authlen > rbufp->recv_length) {
 				sys_badlength++;
 				return;		/* bad length */
 			}
@@ -549,13 +593,13 @@ receive(
 			 * sys_groupname is non-NULL, there must be
 			 * a group name provided to elicit a response.
 			 */
-			if ((opcode & 0x3fff0000) == CRYPTO_ASSOC &&
-			    sys_groupname != NULL) {
+			if (   (opcode & 0x3fff0000) == CRYPTO_ASSOC
+			    && sys_groupname != NULL) {
 				ep = (struct exten *)&((u_int32 *)pkt)[authlen / 4];
 				hostlen = ntohl(ep->vallen);
-				if (hostlen >= sizeof(hostname) ||
-				    hostlen > len -
-				    offsetof(struct exten, pkt)) {
+				if (   hostlen >= sizeof(hostname)
+				    || hostlen > len -
+						offsetof(struct exten, pkt)) {
 					sys_badlength++;
 					return;		/* bad length */
 				}
@@ -599,8 +643,9 @@ receive(
 	restrict_mask = ntp_monitor(rbufp, restrict_mask);
 	if (restrict_mask & RES_LIMITED) {
 		sys_limitrejected++;
-		if (!(restrict_mask & RES_KOD) || MODE_BROADCAST ==
-		    hismode || MODE_SERVER == hismode) {
+		if (   !(restrict_mask & RES_KOD)
+		    || MODE_BROADCAST == hismode
+		    || MODE_SERVER == hismode) {
 			if (MODE_SERVER == hismode)
 				DPRINTF(1, ("Possibly self-induced rate limiting of MODE_SERVER from %s\n",
 					stoa(&rbufp->recv_srcadr)));
@@ -698,10 +743,11 @@ receive(
 		 * This is described in Microsoft's WSPP docs, in MS-SNTP:
 		 * http://msdn.microsoft.com/en-us/library/cc212930.aspx
 		 */
-	} else if (has_mac == MAX_MD5_LEN && (restrict_mask & RES_MSSNTP) &&
-	   (retcode == AM_FXMIT || retcode == AM_NEWPASS) &&
-	   (memcmp(zero_key, (char *)pkt + authlen + 4, MAX_MD5_LEN - 4) ==
-	   0)) {
+	} else if (   has_mac == MAX_MD5_LEN
+		   && (restrict_mask & RES_MSSNTP)
+		   && (retcode == AM_FXMIT || retcode == AM_NEWPASS)
+		   && (memcmp(zero_key, (char *)pkt + authlen + 4,
+		   	      MAX_MD5_LEN - 4) == 0)) {
 		is_authentic = AUTH_NONE;
 #endif /* HAVE_NTP_SIGND */
 
@@ -754,8 +800,9 @@ receive(
 				 * mobilized. However, if this is from
 				 * the wildcard interface, game over.
 				 */
-				if (crypto_flags && rbufp->dstadr ==
-				    ANY_INTERFACE_CHOOSE(&rbufp->recv_srcadr)) {
+				if (   crypto_flags
+				    && rbufp->dstadr ==
+				       ANY_INTERFACE_CHOOSE(&rbufp->recv_srcadr)) {
 					sys_restricted++;
 					return;	     /* no wildcard */
 				}
@@ -882,10 +929,10 @@ receive(
 		 * stratum is greater than the manycaster or the
 		 * manycaster has already synchronized to us.
 		 */
-		if (sys_leap == LEAP_NOTINSYNC || sys_stratum >=
-		    hisstratum || (!sys_cohort && sys_stratum ==
-		    hisstratum + 1) || rbufp->dstadr->addr_refid ==
-		    pkt->refid) {
+		if (   sys_leap == LEAP_NOTINSYNC
+		    || sys_stratum >= hisstratum
+		    || (!sys_cohort && sys_stratum == hisstratum + 1)
+		    || rbufp->dstadr->addr_refid == pkt->refid) {
 			sys_declined++;
 			return;			/* no help */
 		}
@@ -933,9 +980,10 @@ receive(
 			sys_restricted++;
 			return;			/* not enabled */
 		}
-		if (!AUTH((!(peer2->cast_flags & MDF_POOL) &&
-		    sys_authenticate) | (restrict_mask & (RES_NOPEER |
-		    RES_DONTTRUST)), is_authentic)) {
+		if (!AUTH(  (!(peer2->cast_flags & MDF_POOL)
+			     && sys_authenticate)
+			  || (restrict_mask & (RES_NOPEER |
+			      RES_DONTTRUST)), is_authentic)) {
 			sys_restricted++;
 			return;			/* access denied */
 		}
@@ -944,8 +992,9 @@ receive(
 		 * Do not respond if unsynchronized or stratum is below
 		 * the floor or at or above the ceiling.
 		 */
-		if (hisleap == LEAP_NOTINSYNC || hisstratum <
-		    sys_floor || hisstratum >= sys_ceiling) {
+		if (   hisleap == LEAP_NOTINSYNC
+		    || hisstratum < sys_floor
+		    || hisstratum >= sys_ceiling) {
 			sys_declined++;
 			return;			/* no help */
 		}
@@ -1007,8 +1056,9 @@ receive(
 		 * Do not respond if unsynchronized or stratum is below
 		 * the floor or at or above the ceiling.
 		 */
-		if (hisleap == LEAP_NOTINSYNC || hisstratum <
-		    sys_floor || hisstratum >= sys_ceiling) {
+		if (   hisleap == LEAP_NOTINSYNC
+		    || hisstratum < sys_floor
+		    || hisstratum >= sys_ceiling) {
 			sys_declined++;
 			return;			/* no help */
 		}
@@ -1018,8 +1068,8 @@ receive(
 		 * Do not respond if Autokey and the opcode is not a
 		 * CRYPTO_ASSOC response with association ID.
 		 */
-		if (crypto_flags && skeyid > NTP_MAXKEY && (opcode &
-		    0xffff0000) != (CRYPTO_ASSOC | CRYPTO_RESP)) {
+		if (   crypto_flags && skeyid > NTP_MAXKEY
+		    && (opcode & 0xffff0000) != (CRYPTO_ASSOC | CRYPTO_RESP)) {
 			sys_declined++;
 			return;			/* protocol error */
 		}
@@ -1133,6 +1183,24 @@ receive(
 				sys_restricted++;
 				return;
 			}
+			/* [Bug 2941]
+			 * If we got here, the packet isn't part of an
+			 * existing association, it isn't correctly
+			 * authenticated, and it didn't meet either of
+			 * the previous two special cases so we should
+			 * just drop it on the floor.  For example,
+			 * crypto-NAKs (is_authentic == AUTH_CRYPTO)
+			 * will make it this far.  This is just
+			 * debug-printed and not logged to avoid log
+			 * flooding.
+			 */
+			DPRINTF(1, ("receive: at %ld refusing to mobilize passive association"
+				    " with unknown peer %s mode %d keyid %08x len %d auth %d\n",
+				    current_time, stoa(&rbufp->recv_srcadr),
+				    hismode, skeyid, (authlen + has_mac),
+				    is_authentic));
+			sys_declined++;
+			return;
 		}
 
 		/*
@@ -1145,8 +1213,8 @@ receive(
 		 * we will spin an ephemeral association in response to
 		 * MODE_ACTIVE KoDs, which will time out eventually.
 		 */
-		if (hisleap != LEAP_NOTINSYNC && (hisstratum <
-		    sys_floor || hisstratum >= sys_ceiling)) {
+		if (   hisleap != LEAP_NOTINSYNC
+		    && (hisstratum < sys_floor || hisstratum >= sys_ceiling)) {
 			sys_declined++;
 			return;			/* no help */
 		}
@@ -1205,9 +1273,9 @@ receive(
 	 * have a public key ID; if not, the packet must have a
 	 * symmetric key ID.
 	 */
-	if (is_authentic != AUTH_CRYPTO && (((peer->flags &
-	    FLAG_SKEY) && skeyid <= NTP_MAXKEY) || (!(peer->flags &
-	    FLAG_SKEY) && skeyid > NTP_MAXKEY))) {
+	if (   is_authentic != AUTH_CRYPTO
+	    && (   ((peer->flags & FLAG_SKEY) && skeyid <= NTP_MAXKEY)
+	        || (!(peer->flags & FLAG_SKEY) && skeyid > NTP_MAXKEY))) {
 		sys_badauth++;
 		return;
 	}
@@ -1256,16 +1324,23 @@ receive(
 	 * Check for bogus packet in basic mode. If found, switch to
 	 * interleaved mode and resynchronize, but only after confirming
 	 * the packet is not bogus in symmetric interleaved mode.
+	 *
+	 * This could also mean somebody is forging packets claiming to
+	 * be from us, attempting to cause our server to KoD us.
 	 */
 	} else if (peer->flip == 0) {
 		if (!L_ISEQU(&p_org, &peer->aorg)) {
 			peer->bogusorg++;
 			peer->flash |= TEST2;	/* bogus */
-			if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org,
-			    &peer->dst)) {
+			msyslog(LOG_INFO,
+				"receive: Unexpected origin timestamp from %s",
+				ntoa(&peer->srcadr));
+			if (  !L_ISZERO(&peer->dst)
+			    && L_ISEQU(&p_org, &peer->dst)) {
 				peer->flip = 1;
 				report_event(PEVNT_XLEAVE, peer, NULL);
 			}
+			return; /* Bogus packet, we are done */
 		} else {
 			L_CLR(&peer->aorg);
 		}
@@ -1282,11 +1357,12 @@ receive(
 	 * can happen if a packet is lost, duplicated or crossed. If
 	 * found, flip and resynchronize.
 	 */
-	} else if (!L_ISZERO(&peer->dst) && !L_ISEQU(&p_org,
-	    &peer->dst)) {
+	} else if (   !L_ISZERO(&peer->dst)
+		   && !L_ISEQU(&p_org, &peer->dst)) {
 		peer->bogusorg++;
 		peer->flags |= FLAG_XBOGUS;
 		peer->flash |= TEST2;		/* bogus */
+		return; /* Bogus packet, we are done */
 	}
 
 	/*
@@ -1321,8 +1397,8 @@ receive(
 		report_event(PEVNT_AUTH, peer, "digest");
 		peer->flash |= TEST5;		/* bad auth */
 		peer->badauth++;
-		if (has_mac &&
-		    (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE))
+		if (   has_mac
+		    && (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE))
 			fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
 		if (peer->flags & FLAG_PREEMPT) {
 			unpeer(peer);
@@ -1351,11 +1427,22 @@ receive(
 	 * this maximum and advance the headway to give the sender some
 	 * headroom. Very intricate.
 	 */
+
+	/*
+	 * Check for any kiss codes. Note this is only used when a server
+	 * responds to a packet request
+	 */
+
+	kissCode = kiss_code_check(hisleap, hisstratum, hismode, pkt->refid);
+
+	/*
+	 * Check to see if this is a RATE Kiss Code
+	 * Currently this kiss code will accept whatever poll
+	 * rate that the server sends
+	 */
 	peer->ppoll = max(peer->minpoll, pkt->ppoll);
-	if (hismode == MODE_SERVER && hisleap == LEAP_NOTINSYNC &&
-	    hisstratum == STRATUM_UNSPEC && memcmp(&pkt->refid,
-	    "RATE", 4) == 0) {
-		peer->selbroken++;
+	if (kissCode == RATEKISS) {
+		peer->selbroken++;	/* Increment the KoD count */
 		report_event(PEVNT_RATE, peer, NULL);
 		if (pkt->ppoll > peer->minpoll)
 			peer->minpoll = peer->ppoll;
@@ -1364,6 +1451,11 @@ receive(
 		poll_update(peer, pkt->ppoll);
 		return;				/* kiss-o'-death */
 	}
+	if (kissCode != NOKISS) {
+		peer->selbroken++;	/* Increment the KoD count */
+		return;		/* Drop any other kiss code packets */
+	}
+
 
 	/*
 	 * That was hard and I am sweaty, but the packet is squeaky
@@ -1455,8 +1547,8 @@ receive(
 			int i;
 
 			for (i = 0; ; i++) {
-				if (tkeyid == peer->pkeyid ||
-				    tkeyid == ap->key) {
+				if (   tkeyid == peer->pkeyid
+				    || tkeyid == ap->key) {
 					peer->flash &= ~TEST8;
 					peer->pkeyid = skeyid;
 					ap->seq -= i;
@@ -1589,8 +1681,8 @@ process_packet(
 	 * Verify the server is synchronized; that is, the leap bits,
 	 * stratum and root distance are valid.
 	 */
-	if (pleap == LEAP_NOTINSYNC ||		/* test 6 */
-	    pstratum < sys_floor || pstratum >= sys_ceiling)
+	if (   pleap == LEAP_NOTINSYNC		/* test 6 */
+	    || pstratum < sys_floor || pstratum >= sys_ceiling)
 		peer->flash |= TEST6;		/* bad synch or strat */
 	if (p_del / 2 + p_disp >= MAXDISPERSE)	/* test 7 */
 		peer->flash |= TEST7;		/* bad header */
@@ -1823,8 +1915,9 @@ process_packet(
 	 * client mode when the client is fit and the autokey dance is
 	 * complete.
 	 */
-	if ((FLAG_BC_VOL & peer->flags) && MODE_CLIENT == peer->hmode &&
-	    !(TEST11 & peer_unfit(peer))) {	/* distance exceeded */
+	if (   (FLAG_BC_VOL & peer->flags)
+	    && MODE_CLIENT == peer->hmode
+	    && !(TEST11 & peer_unfit(peer))) {	/* distance exceeded */
 #ifdef AUTOKEY
 		if (peer->flags & FLAG_SKEY) {
 			if (!(~peer->crypto & CRYPTO_FLAG_ALL))
@@ -1865,8 +1958,8 @@ clock_update(
 		sys_poll = peer->maxpoll;
 	poll_update(peer, sys_poll);
 	sys_stratum = min(peer->stratum + 1, STRATUM_UNSPEC);
-	if (peer->stratum == STRATUM_REFCLOCK ||
-	    peer->stratum == STRATUM_UNSPEC)
+	if (   peer->stratum == STRATUM_REFCLOCK
+	    || peer->stratum == STRATUM_UNSPEC)
 		sys_refid = peer->refid;
 	else
 		sys_refid = addr2refid(&peer->srcadr);
@@ -1992,12 +2085,12 @@ clock_update(
 		 * once is mostly harmless.)
 		 */
 		if (leapsec == LSPROX_NOWARN) {
-			if (leap_vote_ins > leap_vote_del
+			if (   leap_vote_ins > leap_vote_del
 			    && leap_vote_ins > sys_survivors / 2) {
 				get_systime(&now);
 				leapsec_add_dyn(TRUE, now.l_ui, NULL);
 			}
-			if (leap_vote_del > leap_vote_ins
+			if (   leap_vote_del > leap_vote_ins
 			    && leap_vote_del > sys_survivors / 2) {
 				get_systime(&now);
 				leapsec_add_dyn(FALSE, now.l_ui, NULL);
@@ -2320,8 +2413,8 @@ clock_filter(
 	m = 0;
 	for (i = 0; i < NTP_SHIFT; i++) {
 		peer->filter_order[i] = (u_char) ord[i];
-		if (dst[i] >= MAXDISPERSE || (m >= 2 && dst[i] >=
-		    sys_maxdist))
+		if (   dst[i] >= MAXDISPERSE
+		    || (m >= 2 && dst[i] >= sys_maxdist))
 			continue;
 		m++;
 	}
@@ -2367,10 +2460,11 @@ clock_filter(
 	 * than twice the host poll interval, consider the new sample
 	 * a popcorn spike and ignore it.
 	 */
-	if (peer->disp < sys_maxdist && peer->filter_disp[k] <
-	    sys_maxdist && etemp > CLOCK_SGATE * peer->jitter &&
-	    peer->filter_epoch[k] - peer->epoch < 2. *
-	    ULOGTOD(peer->hpoll)) {
+	if (   peer->disp < sys_maxdist
+	    && peer->filter_disp[k] < sys_maxdist
+	    && etemp > CLOCK_SGATE * peer->jitter
+	    && peer->filter_epoch[k] - peer->epoch
+	       < 2. * ULOGTOD(peer->hpoll)) {
 		snprintf(tbuf, sizeof(tbuf), "%.6f s", etemp);
 		report_event(PEVNT_POPCORN, peer, tbuf);
 		return;
@@ -2547,14 +2641,14 @@ clock_select(void)
 		if (!(peer->flags & FLAG_PREFER)) {
 			switch (peer->refclktype) {
 			case REFCLK_LOCALCLOCK:
-				if (current_time > orphwait &&
-				    typelocal == NULL)
+				if (   current_time > orphwait
+				    && typelocal == NULL)
 					typelocal = peer;
 				continue;
 
 			case REFCLK_ACTS:
-				if (current_time > orphwait &&
-				    typeacts == NULL)
+				if (   current_time > orphwait
+				    && typeacts == NULL)
 					typeacts = peer;
 				continue;
 			}
@@ -2684,8 +2778,10 @@ clock_select(void)
 
 		peer = peers[i].peer;
 		h = peers[i].synch;
-		if ((high <= low || peer->offset + h < low ||
-		    peer->offset - h > high) && !(peer->flags & FLAG_TRUE))
+		if ((   high <= low
+		     || peer->offset + h < low
+		     || peer->offset - h > high
+		    ) && !(peer->flags & FLAG_TRUE))
 			continue;
 
 #ifdef REFCLOCK
@@ -2742,7 +2838,7 @@ clock_select(void)
 	}
 
 	/*
-	 * Now, vote outlyers off the island by select jitter weighted
+	 * Now, vote outliers off the island by select jitter weighted
 	 * by root distance. Continue voting as long as there are more
 	 * than sys_minclock survivors and the select jitter of the peer
 	 * with the worst metric is greater than the minimum peer
@@ -2772,8 +2868,9 @@ clock_select(void)
 			}
 		}
 		g = max(g, LOGTOD(sys_precision));
-		if (nlist <= max(1, sys_minclock) || g <= d ||
-		    ((FLAG_TRUE | FLAG_PREFER) & peers[k].peer->flags))
+		if (   nlist <= max(1, sys_minclock)
+		    || g <= d
+		    || ((FLAG_TRUE | FLAG_PREFER) & peers[k].peer->flags))
 			break;
 
 		DPRINTF(3, ("select: drop %s seljit %.6f jit %.6f\n",
@@ -2898,10 +2995,12 @@ clock_select(void)
 	 * if there is a prefer peer or there are no survivors and none
 	 * are required.
 	 */
-	if (typepps != NULL && fabs(sys_offset) < 0.4 &&
-	    (typepps->refclktype != REFCLK_ATOM_PPS ||
-	    (typepps->refclktype == REFCLK_ATOM_PPS && (sys_prefer !=
-	    NULL || (typesystem == NULL && sys_minsane == 0))))) {
+	if (   typepps != NULL
+	    && fabs(sys_offset) < 0.4
+	    && (   typepps->refclktype != REFCLK_ATOM_PPS
+		|| (   typepps->refclktype == REFCLK_ATOM_PPS
+		    && (   sys_prefer != NULL
+			|| (typesystem == NULL && sys_minsane == 0))))) {
 		typesystem = typepps;
 		sys_clockhop = 0;
 		typesystem->new_status = CTL_PST_SEL_PPS;
@@ -3240,16 +3339,16 @@ peer_xmit(
 			 * autokey sequence, the autokey exchange is
 			 * used to retrieve the autokey values.
 			 */
-			else if (sys_leap != LEAP_NOTINSYNC &&
-			    peer->leap != LEAP_NOTINSYNC &&
-			    !(peer->crypto & CRYPTO_FLAG_COOK))
+			else if (   sys_leap != LEAP_NOTINSYNC
+				 && peer->leap != LEAP_NOTINSYNC
+				 && !(peer->crypto & CRYPTO_FLAG_COOK))
 				exten = crypto_args(peer, CRYPTO_COOK,
 				    peer->associd, NULL);
 			else if (!(peer->crypto & CRYPTO_FLAG_AUTO))
 				exten = crypto_args(peer, CRYPTO_AUTO,
 				    peer->associd, NULL);
-			else if (peer->flags & FLAG_ASSOC &&
-			    peer->crypto & CRYPTO_FLAG_SIGN)
+			else if (   peer->flags & FLAG_ASSOC
+				 && peer->crypto & CRYPTO_FLAG_SIGN)
 				exten = crypto_args(peer, CRYPTO_AUTO |
 				    CRYPTO_RESP, peer->assoc, NULL);
 
@@ -3693,7 +3792,7 @@ pool_xmit(
 				pool->hostname));
 		else
 			msyslog(LOG_ERR,
-				"unable to start pool DNS %s %m",
+				"unable to start pool DNS %s: %m",
 				pool->hostname);
 		return;
 	}
@@ -3883,8 +3982,9 @@ peer_unfit(
 	 * synchronized, (2) the server stratum is below the floor or
 	 * greater than or equal to the ceiling.
 	 */
-	if (peer->leap == LEAP_NOTINSYNC || peer->stratum < sys_floor ||
-	    peer->stratum >= sys_ceiling)
+	if (   peer->leap == LEAP_NOTINSYNC
+	    || peer->stratum < sys_floor
+	    || peer->stratum >= sys_ceiling)
 		rval |= TEST10;		/* bad synch or stratum */
 
 	/*
@@ -3892,8 +3992,9 @@ peer_unfit(
 	 * distance is greater than or equal to the distance threshold
 	 * plus the increment due to one host poll interval.
 	 */
-	if (!(peer->flags & FLAG_REFCLOCK) && root_distance(peer) >=
-	    sys_maxdist + clock_phi * ULOGTOD(peer->hpoll))
+	if (   !(peer->flags & FLAG_REFCLOCK)
+	    && root_distance(peer) >= sys_maxdist
+				      + clock_phi * ULOGTOD(peer->hpoll))
 		rval |= TEST11;		/* distance exceeded */
 
 	/*