1 /* 2 * systime -- routines to fiddle a UNIX clock. 3 * 4 * ATTENTION: Get approval from Dave Mills on all changes to this file! 5 * 6 */ 7 #include <config.h> 8 9 #include "ntp.h" 10 #include "ntp_syslog.h" 11 #include "ntp_stdlib.h" 12 #include "ntp_random.h" 13 #include "iosignal.h" 14 #include "timevalops.h" 15 #include "timespecops.h" 16 #include "ntp_calendar.h" 17 18 #ifdef HAVE_SYS_PARAM_H 19 # include <sys/param.h> 20 #endif 21 #ifdef HAVE_UTMP_H 22 # include <utmp.h> 23 #endif /* HAVE_UTMP_H */ 24 #ifdef HAVE_UTMPX_H 25 # include <utmpx.h> 26 #endif /* HAVE_UTMPX_H */ 27 28 int allow_panic = FALSE; /* allow panic correction (-g) */ 29 int enable_panic_check = TRUE; /* Can we check allow_panic's state? */ 30 31 #ifndef USE_COMPILETIME_PIVOT 32 # define USE_COMPILETIME_PIVOT 1 33 #endif 34 35 /* 36 * These routines (get_systime, step_systime, adj_systime) implement an 37 * interface between the system independent NTP clock and the Unix 38 * system clock in various architectures and operating systems. Time is 39 * a precious quantity in these routines and every effort is made to 40 * minimize errors by unbiased rounding and amortizing adjustment 41 * residues. 42 * 43 * In order to improve the apparent resolution, provide unbiased 44 * rounding and most importantly ensure that the readings cannot be 45 * predicted, the low-order unused portion of the time below the minimum 46 * time to read the clock is filled with an unbiased random fuzz. 47 * 48 * The sys_tick variable specifies the system clock tick interval in 49 * seconds, for stepping clocks, defined as those which return times 50 * less than MINSTEP greater than the previous reading. For systems that 51 * use a high-resolution counter such that each clock reading is always 52 * at least MINSTEP greater than the prior, sys_tick is the time to read 53 * the system clock. 54 * 55 * The sys_fuzz variable measures the minimum time to read the system 56 * clock, regardless of its precision. When reading the system clock 57 * using get_systime() after sys_tick and sys_fuzz have been determined, 58 * ntpd ensures each unprocessed clock reading is no less than sys_fuzz 59 * later than the prior unprocessed reading, and then fuzzes the bits 60 * below sys_fuzz in the timestamp returned, ensuring each of its 61 * resulting readings is strictly later than the previous. 62 * 63 * When slewing the system clock using adj_systime() (with the kernel 64 * loop discipline unavailable or disabled), adjtime() offsets are 65 * quantized to sys_tick, if sys_tick is greater than sys_fuzz, which 66 * is to say if the OS presents a stepping clock. Otherwise, offsets 67 * are quantized to the microsecond resolution of adjtime()'s timeval 68 * input. The remaining correction sys_residual is carried into the 69 * next adjtime() and meanwhile is also factored into get_systime() 70 * readings. 71 */ 72 double sys_tick = 0; /* tick size or time to read (s) */ 73 double sys_fuzz = 0; /* min. time to read the clock (s) */ 74 long sys_fuzz_nsec = 0; /* min. time to read the clock (ns) */ 75 double measured_tick; /* non-overridable sys_tick (s) */ 76 double sys_residual = 0; /* adjustment residue (s) */ 77 int trunc_os_clock; /* sys_tick > measured_tick */ 78 time_stepped_callback step_callback; 79 80 #ifndef SIM 81 /* perlinger@ntp.org: As 'get_sysime()' does it's own check for clock 82 * backstepping, this could probably become a local variable in 83 * 'get_systime()' and the cruft associated with communicating via a 84 * static value could be removed after the v4.2.8 release. 85 */ 86 static int lamport_violated; /* clock was stepped back */ 87 #endif /* !SIM */ 88 89 #ifdef DEBUG 90 static int systime_init_done; 91 # define DONE_SYSTIME_INIT() systime_init_done = TRUE 92 #else 93 # define DONE_SYSTIME_INIT() do {} while (FALSE) 94 #endif 95 96 #ifdef HAVE_SIGNALED_IO 97 int using_sigio; 98 #endif 99 100 #ifdef SYS_WINNT 101 CRITICAL_SECTION get_systime_cs; 102 #endif 103 104 105 void 106 set_sys_fuzz( 107 double fuzz_val 108 ) 109 { 110 sys_fuzz = fuzz_val; 111 INSIST(sys_fuzz >= 0); 112 INSIST(sys_fuzz <= 1.0); 113 sys_fuzz_nsec = (long)(sys_fuzz * 1e9 + 0.5); 114 } 115 116 117 void 118 init_systime(void) 119 { 120 INIT_GET_SYSTIME_CRITSEC(); 121 INIT_WIN_PRECISE_TIME(); 122 DONE_SYSTIME_INIT(); 123 } 124 125 126 #ifndef SIM /* ntpsim.c has get_systime() and friends for sim */ 127 128 static inline void 129 get_ostime( 130 struct timespec * tsp 131 ) 132 { 133 int rc; 134 long ticks; 135 136 #if defined(HAVE_CLOCK_GETTIME) 137 rc = clock_gettime(CLOCK_REALTIME, tsp); 138 #elif defined(HAVE_GETCLOCK) 139 rc = getclock(TIMEOFDAY, tsp); 140 #else 141 struct timeval tv; 142 143 rc = GETTIMEOFDAY(&tv, NULL); 144 tsp->tv_sec = tv.tv_sec; 145 tsp->tv_nsec = tv.tv_usec * 1000; 146 #endif 147 if (rc < 0) { 148 msyslog(LOG_ERR, "read system clock failed: %m (%d)", 149 errno); 150 exit(1); 151 } 152 153 if (trunc_os_clock) { 154 ticks = (long)((tsp->tv_nsec * 1e-9) / sys_tick); 155 tsp->tv_nsec = (long)(ticks * 1e9 * sys_tick); 156 } 157 } 158 159 160 /* 161 * get_systime - return system time in NTP timestamp format. 162 */ 163 void 164 get_systime( 165 l_fp *now /* system time */ 166 ) 167 { 168 static struct timespec ts_last; /* last sampled os time */ 169 static struct timespec ts_prev; /* prior os time */ 170 static l_fp lfp_prev; /* prior result */ 171 static double dfuzz_prev; /* prior fuzz */ 172 struct timespec ts; /* seconds and nanoseconds */ 173 struct timespec ts_min; /* earliest permissible */ 174 struct timespec ts_lam; /* lamport fictional increment */ 175 struct timespec ts_prev_log; /* for msyslog only */ 176 double dfuzz; 177 double ddelta; 178 l_fp result; 179 l_fp lfpfuzz; 180 l_fp lfpdelta; 181 182 get_ostime(&ts); 183 DEBUG_REQUIRE(systime_init_done); 184 ENTER_GET_SYSTIME_CRITSEC(); 185 186 /* First check if here was a Lamport violation, that is, two 187 * successive calls to 'get_ostime()' resulted in negative 188 * time difference. Use a few milliseconds of permissible 189 * tolerance -- being too sharp can hurt here. (This is intented 190 * for the Win32 target, where the HPC interpolation might 191 * introduce small steps backward. It should not be an issue on 192 * systems where get_ostime() results in a true syscall.) 193 */ 194 if (cmp_tspec(add_tspec_ns(ts, 50000000), ts_last) < 0) 195 lamport_violated = 1; 196 ts_last = ts; 197 198 /* 199 * After default_get_precision() has set a nonzero sys_fuzz, 200 * ensure every reading of the OS clock advances by at least 201 * sys_fuzz over the prior reading, thereby assuring each 202 * fuzzed result is strictly later than the prior. Limit the 203 * necessary fiction to 1 second. 204 */ 205 if (!USING_SIGIO()) { 206 ts_min = add_tspec_ns(ts_prev, sys_fuzz_nsec); 207 if (cmp_tspec(ts, ts_min) < 0) { 208 ts_lam = sub_tspec(ts_min, ts); 209 if (ts_lam.tv_sec > 0 && !lamport_violated) { 210 msyslog(LOG_ERR, 211 "get_systime Lamport advance exceeds one second (%.9f)", 212 ts_lam.tv_sec + 213 1e-9 * ts_lam.tv_nsec); 214 exit(1); 215 } 216 if (!lamport_violated) 217 ts = ts_min; 218 } 219 ts_prev_log = ts_prev; 220 ts_prev = ts; 221 } else { 222 /* 223 * Quiet "ts_prev_log.tv_sec may be used uninitialized" 224 * warning from x86 gcc 4.5.2. 225 */ 226 ZERO(ts_prev_log); 227 } 228 229 /* convert from timespec to l_fp fixed-point */ 230 result = tspec_stamp_to_lfp(ts); 231 232 /* 233 * Add in the fuzz. 234 */ 235 dfuzz = ntp_random() * 2. / FRAC * sys_fuzz; 236 DTOLFP(dfuzz, &lfpfuzz); 237 L_ADD(&result, &lfpfuzz); 238 239 /* 240 * Ensure result is strictly greater than prior result (ignoring 241 * sys_residual's effect for now) once sys_fuzz has been 242 * determined. 243 */ 244 if (!USING_SIGIO()) { 245 if (!L_ISZERO(&lfp_prev) && !lamport_violated) { 246 if (!L_ISGTU(&result, &lfp_prev) && 247 sys_fuzz > 0.) { 248 msyslog(LOG_ERR, "ts_prev %s ts_min %s", 249 tspectoa(ts_prev_log), 250 tspectoa(ts_min)); 251 msyslog(LOG_ERR, "ts %s", tspectoa(ts)); 252 msyslog(LOG_ERR, "sys_fuzz %ld nsec, prior fuzz %.9f", 253 sys_fuzz_nsec, dfuzz_prev); 254 msyslog(LOG_ERR, "this fuzz %.9f", 255 dfuzz); 256 lfpdelta = lfp_prev; 257 L_SUB(&lfpdelta, &result); 258 LFPTOD(&lfpdelta, ddelta); 259 msyslog(LOG_ERR, 260 "prev get_systime 0x%x.%08x is %.9f later than 0x%x.%08x", 261 lfp_prev.l_ui, lfp_prev.l_uf, 262 ddelta, result.l_ui, result.l_uf); 263 } 264 } 265 lfp_prev = result; 266 dfuzz_prev = dfuzz; 267 if (lamport_violated) 268 lamport_violated = FALSE; 269 } 270 LEAVE_GET_SYSTIME_CRITSEC(); 271 *now = result; 272 } 273 274 275 /* 276 * adj_systime - adjust system time by the argument. 277 */ 278 #if !defined SYS_WINNT 279 int /* 0 okay, 1 error */ 280 adj_systime( 281 double now /* adjustment (s) */ 282 ) 283 { 284 struct timeval adjtv; /* new adjustment */ 285 struct timeval oadjtv; /* residual adjustment */ 286 double quant; /* quantize to multiples of */ 287 double dtemp; 288 long ticks; 289 int isneg = 0; 290 291 /* 292 * The Windows port adj_systime() depends on being called each 293 * second even when there's no additional correction, to allow 294 * emulation of adjtime() behavior on top of an API that simply 295 * sets the current rate. This POSIX implementation needs to 296 * ignore invocations with zero correction, otherwise ongoing 297 * EVNT_NSET adjtime() can be aborted by a tiny adjtime() 298 * triggered by sys_residual. 299 */ 300 if (0. == now) { 301 if (enable_panic_check && allow_panic) { 302 msyslog(LOG_ERR, "adj_systime: allow_panic is TRUE!"); 303 INSIST(!allow_panic); 304 } 305 return TRUE; 306 } 307 308 /* 309 * Most Unix adjtime() implementations adjust the system clock 310 * in microsecond quanta, but some adjust in 10-ms quanta. We 311 * carefully round the adjustment to the nearest quantum, then 312 * adjust in quanta and keep the residue for later. 313 */ 314 dtemp = now + sys_residual; 315 if (dtemp < 0) { 316 isneg = 1; 317 dtemp = -dtemp; 318 } 319 adjtv.tv_sec = (long)dtemp; 320 dtemp -= adjtv.tv_sec; 321 if (sys_tick > sys_fuzz) 322 quant = sys_tick; 323 else 324 quant = 1e-6; 325 ticks = (long)(dtemp / quant + .5); 326 adjtv.tv_usec = (long)(ticks * quant * 1.e6 + .5); 327 /* The rounding in the conversions could us push over the 328 * limits: make sure the result is properly normalised! 329 * note: sign comes later, all numbers non-negative here. 330 */ 331 if (adjtv.tv_usec >= 1000000) { 332 adjtv.tv_sec += 1; 333 adjtv.tv_usec -= 1000000; 334 dtemp -= 1.; 335 } 336 /* set the new residual with leftover from correction */ 337 sys_residual = dtemp - adjtv.tv_usec * 1.e-6; 338 339 /* 340 * Convert to signed seconds and microseconds for the Unix 341 * adjtime() system call. Note we purposely lose the adjtime() 342 * leftover. 343 */ 344 if (isneg) { 345 adjtv.tv_sec = -adjtv.tv_sec; 346 adjtv.tv_usec = -adjtv.tv_usec; 347 sys_residual = -sys_residual; 348 } 349 if (adjtv.tv_sec != 0 || adjtv.tv_usec != 0) { 350 if (adjtime(&adjtv, &oadjtv) < 0) { 351 msyslog(LOG_ERR, "adj_systime: %m"); 352 if (enable_panic_check && allow_panic) { 353 msyslog(LOG_ERR, "adj_systime: allow_panic is TRUE!"); 354 } 355 return FALSE; 356 } 357 } 358 if (enable_panic_check && allow_panic) { 359 msyslog(LOG_ERR, "adj_systime: allow_panic is TRUE!"); 360 } 361 return TRUE; 362 } 363 #endif 364 365 366 /* 367 * step_systime - step the system clock. 368 */ 369 370 int 371 step_systime( 372 double step 373 ) 374 { 375 time_t pivot; /* for ntp era unfolding */ 376 struct timeval timetv, tvlast, tvdiff; 377 struct timespec timets; 378 struct calendar jd; 379 l_fp fp_ofs, fp_sys; /* offset and target system time in FP */ 380 381 /* 382 * Get pivot time for NTP era unfolding. Since we don't step 383 * very often, we can afford to do the whole calculation from 384 * scratch. And we're not in the time-critical path yet. 385 */ 386 #if SIZEOF_TIME_T > 4 387 /* 388 * This code makes sure the resulting time stamp for the new 389 * system time is in the 2^32 seconds starting at 1970-01-01, 390 * 00:00:00 UTC. 391 */ 392 pivot = 0x80000000; 393 #if USE_COMPILETIME_PIVOT 394 /* 395 * Add the compile time minus 10 years to get a possible target 396 * area of (compile time - 10 years) to (compile time + 126 397 * years). This should be sufficient for a given binary of 398 * NTPD. 399 */ 400 if (ntpcal_get_build_date(&jd)) { 401 jd.year -= 10; 402 pivot += ntpcal_date_to_time(&jd); 403 } else { 404 msyslog(LOG_ERR, 405 "step-systime: assume 1970-01-01 as build date"); 406 } 407 #else 408 UNUSED_LOCAL(jd); 409 #endif /* USE_COMPILETIME_PIVOT */ 410 #else 411 UNUSED_LOCAL(jd); 412 /* This makes sure the resulting time stamp is on or after 413 * 1969-12-31/23:59:59 UTC and gives us additional two years, 414 * from the change of NTP era in 2036 to the UNIX rollover in 415 * 2038. (Minus one second, but that won't hurt.) We *really* 416 * need a longer 'time_t' after that! Or a different baseline, 417 * but that would cause other serious trouble, too. 418 */ 419 pivot = 0x7FFFFFFF; 420 #endif 421 422 /* get the complete jump distance as l_fp */ 423 DTOLFP(sys_residual, &fp_sys); 424 DTOLFP(step, &fp_ofs); 425 L_ADD(&fp_ofs, &fp_sys); 426 427 /* ---> time-critical path starts ---> */ 428 429 /* get the current time as l_fp (without fuzz) and as struct timeval */ 430 get_ostime(&timets); 431 fp_sys = tspec_stamp_to_lfp(timets); 432 tvlast.tv_sec = timets.tv_sec; 433 tvlast.tv_usec = (timets.tv_nsec + 500) / 1000; 434 435 /* get the target time as l_fp */ 436 L_ADD(&fp_sys, &fp_ofs); 437 438 /* unfold the new system time */ 439 timetv = lfp_stamp_to_tval(fp_sys, &pivot); 440 441 /* now set new system time */ 442 if (ntp_set_tod(&timetv, NULL) != 0) { 443 msyslog(LOG_ERR, "step-systime: %m"); 444 if (enable_panic_check && allow_panic) { 445 msyslog(LOG_ERR, "step_systime: allow_panic is TRUE!"); 446 } 447 return FALSE; 448 } 449 450 /* <--- time-critical path ended with 'ntp_set_tod()' <--- */ 451 452 sys_residual = 0; 453 lamport_violated = (step < 0); 454 if (step_callback) 455 (*step_callback)(); 456 457 #ifdef NEED_HPUX_ADJTIME 458 /* 459 * CHECKME: is this correct when called by ntpdate????? 460 */ 461 _clear_adjtime(); 462 #endif 463 464 /* 465 * FreeBSD, for example, has: 466 * struct utmp { 467 * char ut_line[UT_LINESIZE]; 468 * char ut_name[UT_NAMESIZE]; 469 * char ut_host[UT_HOSTSIZE]; 470 * long ut_time; 471 * }; 472 * and appends line="|", name="date", host="", time for the OLD 473 * and appends line="{", name="date", host="", time for the NEW // } 474 * to _PATH_WTMP . 475 * 476 * Some OSes have utmp, some have utmpx. 477 */ 478 479 /* 480 * Write old and new time entries in utmp and wtmp if step 481 * adjustment is greater than one second. 482 * 483 * This might become even Uglier... 484 */ 485 tvdiff = abs_tval(sub_tval(timetv, tvlast)); 486 if (tvdiff.tv_sec > 0) { 487 #ifdef HAVE_UTMP_H 488 struct utmp ut; 489 #endif 490 #ifdef HAVE_UTMPX_H 491 struct utmpx utx; 492 #endif 493 494 #ifdef HAVE_UTMP_H 495 ZERO(ut); 496 #endif 497 #ifdef HAVE_UTMPX_H 498 ZERO(utx); 499 #endif 500 501 /* UTMP */ 502 503 #ifdef UPDATE_UTMP 504 # ifdef HAVE_PUTUTLINE 505 # ifndef _PATH_UTMP 506 # define _PATH_UTMP UTMP_FILE 507 # endif 508 utmpname(_PATH_UTMP); 509 ut.ut_type = OLD_TIME; 510 strlcpy(ut.ut_line, OTIME_MSG, sizeof(ut.ut_line)); 511 ut.ut_time = tvlast.tv_sec; 512 setutent(); 513 pututline(&ut); 514 ut.ut_type = NEW_TIME; 515 strlcpy(ut.ut_line, NTIME_MSG, sizeof(ut.ut_line)); 516 ut.ut_time = timetv.tv_sec; 517 setutent(); 518 pututline(&ut); 519 endutent(); 520 # else /* not HAVE_PUTUTLINE */ 521 # endif /* not HAVE_PUTUTLINE */ 522 #endif /* UPDATE_UTMP */ 523 524 /* UTMPX */ 525 526 #ifdef UPDATE_UTMPX 527 # ifdef HAVE_PUTUTXLINE 528 utx.ut_type = OLD_TIME; 529 strlcpy(utx.ut_line, OTIME_MSG, sizeof(utx.ut_line)); 530 utx.ut_tv = tvlast; 531 setutxent(); 532 pututxline(&utx); 533 utx.ut_type = NEW_TIME; 534 strlcpy(utx.ut_line, NTIME_MSG, sizeof(utx.ut_line)); 535 utx.ut_tv = timetv; 536 setutxent(); 537 pututxline(&utx); 538 endutxent(); 539 # else /* not HAVE_PUTUTXLINE */ 540 # endif /* not HAVE_PUTUTXLINE */ 541 #endif /* UPDATE_UTMPX */ 542 543 /* WTMP */ 544 545 #ifdef UPDATE_WTMP 546 # ifdef HAVE_PUTUTLINE 547 # ifndef _PATH_WTMP 548 # define _PATH_WTMP WTMP_FILE 549 # endif 550 utmpname(_PATH_WTMP); 551 ut.ut_type = OLD_TIME; 552 strlcpy(ut.ut_line, OTIME_MSG, sizeof(ut.ut_line)); 553 ut.ut_time = tvlast.tv_sec; 554 setutent(); 555 pututline(&ut); 556 ut.ut_type = NEW_TIME; 557 strlcpy(ut.ut_line, NTIME_MSG, sizeof(ut.ut_line)); 558 ut.ut_time = timetv.tv_sec; 559 setutent(); 560 pututline(&ut); 561 endutent(); 562 # else /* not HAVE_PUTUTLINE */ 563 # endif /* not HAVE_PUTUTLINE */ 564 #endif /* UPDATE_WTMP */ 565 566 /* WTMPX */ 567 568 #ifdef UPDATE_WTMPX 569 # ifdef HAVE_PUTUTXLINE 570 utx.ut_type = OLD_TIME; 571 utx.ut_tv = tvlast; 572 strlcpy(utx.ut_line, OTIME_MSG, sizeof(utx.ut_line)); 573 # ifdef HAVE_UPDWTMPX 574 updwtmpx(WTMPX_FILE, &utx); 575 # else /* not HAVE_UPDWTMPX */ 576 # endif /* not HAVE_UPDWTMPX */ 577 # else /* not HAVE_PUTUTXLINE */ 578 # endif /* not HAVE_PUTUTXLINE */ 579 # ifdef HAVE_PUTUTXLINE 580 utx.ut_type = NEW_TIME; 581 utx.ut_tv = timetv; 582 strlcpy(utx.ut_line, NTIME_MSG, sizeof(utx.ut_line)); 583 # ifdef HAVE_UPDWTMPX 584 updwtmpx(WTMPX_FILE, &utx); 585 # else /* not HAVE_UPDWTMPX */ 586 # endif /* not HAVE_UPDWTMPX */ 587 # else /* not HAVE_PUTUTXLINE */ 588 # endif /* not HAVE_PUTUTXLINE */ 589 #endif /* UPDATE_WTMPX */ 590 591 } 592 if (enable_panic_check && allow_panic) { 593 msyslog(LOG_ERR, "step_systime: allow_panic is TRUE!"); 594 INSIST(!allow_panic); 595 } 596 return TRUE; 597 } 598 599 #endif /* !SIM */ 600