1 /*
2 * systime -- routines to fiddle a UNIX clock.
3 *
4 * ATTENTION: Get approval from Dave Mills on all changes to this file!
5 *
6 */
7 #include <config.h>
8
9 #include "ntp.h"
10 #include "ntp_syslog.h"
11 #include "ntp_stdlib.h"
12 #include "ntp_random.h"
13 #include "iosignal.h"
14 #include "timevalops.h"
15 #include "timespecops.h"
16 #include "ntp_calendar.h"
17
18 #ifdef HAVE_SYS_PARAM_H
19 # include <sys/param.h>
20 #endif
21 #ifdef HAVE_UTMP_H
22 # include <utmp.h>
23 #endif /* HAVE_UTMP_H */
24 #ifdef HAVE_UTMPX_H
25 # include <utmpx.h>
26 #endif /* HAVE_UTMPX_H */
27
28 int allow_panic = FALSE; /* allow panic correction (-g) */
29 int enable_panic_check = TRUE; /* Can we check allow_panic's state? */
30
31 #ifndef USE_COMPILETIME_PIVOT
32 # define USE_COMPILETIME_PIVOT 1
33 #endif
34
35 /*
36 * These routines (get_systime, step_systime, adj_systime) implement an
37 * interface between the system independent NTP clock and the Unix
38 * system clock in various architectures and operating systems. Time is
39 * a precious quantity in these routines and every effort is made to
40 * minimize errors by unbiased rounding and amortizing adjustment
41 * residues.
42 *
43 * In order to improve the apparent resolution, provide unbiased
44 * rounding and most importantly ensure that the readings cannot be
45 * predicted, the low-order unused portion of the time below the minimum
46 * time to read the clock is filled with an unbiased random fuzz.
47 *
48 * The sys_tick variable specifies the system clock tick interval in
49 * seconds, for stepping clocks, defined as those which return times
50 * less than MINSTEP greater than the previous reading. For systems that
51 * use a high-resolution counter such that each clock reading is always
52 * at least MINSTEP greater than the prior, sys_tick is the time to read
53 * the system clock.
54 *
55 * The sys_fuzz variable measures the minimum time to read the system
56 * clock, regardless of its precision. When reading the system clock
57 * using get_systime() after sys_tick and sys_fuzz have been determined,
58 * ntpd ensures each unprocessed clock reading is no less than sys_fuzz
59 * later than the prior unprocessed reading, and then fuzzes the bits
60 * below sys_fuzz in the timestamp returned, ensuring each of its
61 * resulting readings is strictly later than the previous.
62 *
63 * When slewing the system clock using adj_systime() (with the kernel
64 * loop discipline unavailable or disabled), adjtime() offsets are
65 * quantized to sys_tick, if sys_tick is greater than sys_fuzz, which
66 * is to say if the OS presents a stepping clock. Otherwise, offsets
67 * are quantized to the microsecond resolution of adjtime()'s timeval
68 * input. The remaining correction sys_residual is carried into the
69 * next adjtime() and meanwhile is also factored into get_systime()
70 * readings.
71 */
72 double sys_tick = 0; /* tick size or time to read (s) */
73 double sys_fuzz = 0; /* min. time to read the clock (s) */
74 long sys_fuzz_nsec = 0; /* min. time to read the clock (ns) */
75 double measured_tick; /* non-overridable sys_tick (s) */
76 double sys_residual = 0; /* adjustment residue (s) */
77 int trunc_os_clock; /* sys_tick > measured_tick */
78 time_stepped_callback step_callback;
79
80 #ifndef SIM
81 /* perlinger@ntp.org: As 'get_sysime()' does it's own check for clock
82 * backstepping, this could probably become a local variable in
83 * 'get_systime()' and the cruft associated with communicating via a
84 * static value could be removed after the v4.2.8 release.
85 */
86 static int lamport_violated; /* clock was stepped back */
87 #endif /* !SIM */
88
89 #ifdef DEBUG
90 static int systime_init_done;
91 # define DONE_SYSTIME_INIT() systime_init_done = TRUE
92 #else
93 # define DONE_SYSTIME_INIT() do {} while (FALSE)
94 #endif
95
96 #ifdef HAVE_SIGNALED_IO
97 int using_sigio;
98 #endif
99
100 #ifdef SYS_WINNT
101 CRITICAL_SECTION get_systime_cs;
102 #endif
103
104
105 void
set_sys_fuzz(double fuzz_val)106 set_sys_fuzz(
107 double fuzz_val
108 )
109 {
110 sys_fuzz = fuzz_val;
111 INSIST(sys_fuzz >= 0);
112 INSIST(sys_fuzz <= 1.0);
113 sys_fuzz_nsec = (long)(sys_fuzz * 1e9 + 0.5);
114 }
115
116
117 void
init_systime(void)118 init_systime(void)
119 {
120 INIT_GET_SYSTIME_CRITSEC();
121 INIT_WIN_PRECISE_TIME();
122 DONE_SYSTIME_INIT();
123 }
124
125
126 #ifndef SIM /* ntpsim.c has get_systime() and friends for sim */
127
128 static inline void
get_ostime(struct timespec * tsp)129 get_ostime(
130 struct timespec * tsp
131 )
132 {
133 int rc;
134 long ticks;
135
136 #if defined(HAVE_CLOCK_GETTIME)
137 rc = clock_gettime(CLOCK_REALTIME, tsp);
138 #elif defined(HAVE_GETCLOCK)
139 rc = getclock(TIMEOFDAY, tsp);
140 #else
141 struct timeval tv;
142
143 rc = GETTIMEOFDAY(&tv, NULL);
144 tsp->tv_sec = tv.tv_sec;
145 tsp->tv_nsec = tv.tv_usec * 1000;
146 #endif
147 if (rc < 0) {
148 msyslog(LOG_ERR, "read system clock failed: %m (%d)",
149 errno);
150 exit(1);
151 }
152
153 if (trunc_os_clock) {
154 ticks = (long)((tsp->tv_nsec * 1e-9) / sys_tick);
155 tsp->tv_nsec = (long)(ticks * 1e9 * sys_tick);
156 }
157 }
158
159
160 /*
161 * get_systime - return system time in NTP timestamp format.
162 */
163 void
get_systime(l_fp * now)164 get_systime(
165 l_fp *now /* system time */
166 )
167 {
168 static struct timespec ts_last; /* last sampled os time */
169 static struct timespec ts_prev; /* prior os time */
170 static l_fp lfp_prev; /* prior result */
171 static double dfuzz_prev; /* prior fuzz */
172 struct timespec ts; /* seconds and nanoseconds */
173 struct timespec ts_min; /* earliest permissible */
174 struct timespec ts_lam; /* lamport fictional increment */
175 struct timespec ts_prev_log; /* for msyslog only */
176 double dfuzz;
177 double ddelta;
178 l_fp result;
179 l_fp lfpfuzz;
180 l_fp lfpdelta;
181
182 get_ostime(&ts);
183 DEBUG_REQUIRE(systime_init_done);
184 ENTER_GET_SYSTIME_CRITSEC();
185
186 /* First check if here was a Lamport violation, that is, two
187 * successive calls to 'get_ostime()' resulted in negative
188 * time difference. Use a few milliseconds of permissible
189 * tolerance -- being too sharp can hurt here. (This is intented
190 * for the Win32 target, where the HPC interpolation might
191 * introduce small steps backward. It should not be an issue on
192 * systems where get_ostime() results in a true syscall.)
193 */
194 if (cmp_tspec(add_tspec_ns(ts, 50000000), ts_last) < 0)
195 lamport_violated = 1;
196 ts_last = ts;
197
198 /*
199 * After default_get_precision() has set a nonzero sys_fuzz,
200 * ensure every reading of the OS clock advances by at least
201 * sys_fuzz over the prior reading, thereby assuring each
202 * fuzzed result is strictly later than the prior. Limit the
203 * necessary fiction to 1 second.
204 */
205 if (!USING_SIGIO()) {
206 ts_min = add_tspec_ns(ts_prev, sys_fuzz_nsec);
207 if (cmp_tspec(ts, ts_min) < 0) {
208 ts_lam = sub_tspec(ts_min, ts);
209 if (ts_lam.tv_sec > 0 && !lamport_violated) {
210 msyslog(LOG_ERR,
211 "get_systime Lamport advance exceeds one second (%.9f)",
212 ts_lam.tv_sec +
213 1e-9 * ts_lam.tv_nsec);
214 exit(1);
215 }
216 if (!lamport_violated)
217 ts = ts_min;
218 }
219 ts_prev_log = ts_prev;
220 ts_prev = ts;
221 } else {
222 /*
223 * Quiet "ts_prev_log.tv_sec may be used uninitialized"
224 * warning from x86 gcc 4.5.2.
225 */
226 ZERO(ts_prev_log);
227 }
228
229 /* convert from timespec to l_fp fixed-point */
230 result = tspec_stamp_to_lfp(ts);
231
232 /*
233 * Add in the fuzz.
234 */
235 dfuzz = ntp_random() * 2. / FRAC * sys_fuzz;
236 DTOLFP(dfuzz, &lfpfuzz);
237 L_ADD(&result, &lfpfuzz);
238
239 /*
240 * Ensure result is strictly greater than prior result (ignoring
241 * sys_residual's effect for now) once sys_fuzz has been
242 * determined.
243 */
244 if (!USING_SIGIO()) {
245 if (!L_ISZERO(&lfp_prev) && !lamport_violated) {
246 if (!L_ISGTU(&result, &lfp_prev) &&
247 sys_fuzz > 0.) {
248 msyslog(LOG_ERR, "ts_prev %s ts_min %s",
249 tspectoa(ts_prev_log),
250 tspectoa(ts_min));
251 msyslog(LOG_ERR, "ts %s", tspectoa(ts));
252 msyslog(LOG_ERR, "sys_fuzz %ld nsec, prior fuzz %.9f",
253 sys_fuzz_nsec, dfuzz_prev);
254 msyslog(LOG_ERR, "this fuzz %.9f",
255 dfuzz);
256 lfpdelta = lfp_prev;
257 L_SUB(&lfpdelta, &result);
258 LFPTOD(&lfpdelta, ddelta);
259 msyslog(LOG_ERR,
260 "prev get_systime 0x%x.%08x is %.9f later than 0x%x.%08x",
261 lfp_prev.l_ui, lfp_prev.l_uf,
262 ddelta, result.l_ui, result.l_uf);
263 }
264 }
265 lfp_prev = result;
266 dfuzz_prev = dfuzz;
267 if (lamport_violated)
268 lamport_violated = FALSE;
269 }
270 LEAVE_GET_SYSTIME_CRITSEC();
271 *now = result;
272 }
273
274
275 /*
276 * adj_systime - adjust system time by the argument.
277 */
278 #if !defined SYS_WINNT
279 int /* 0 okay, 1 error */
adj_systime(double now)280 adj_systime(
281 double now /* adjustment (s) */
282 )
283 {
284 struct timeval adjtv; /* new adjustment */
285 struct timeval oadjtv; /* residual adjustment */
286 double quant; /* quantize to multiples of */
287 double dtemp;
288 long ticks;
289 int isneg = 0;
290
291 /*
292 * The Windows port adj_systime() depends on being called each
293 * second even when there's no additional correction, to allow
294 * emulation of adjtime() behavior on top of an API that simply
295 * sets the current rate. This POSIX implementation needs to
296 * ignore invocations with zero correction, otherwise ongoing
297 * EVNT_NSET adjtime() can be aborted by a tiny adjtime()
298 * triggered by sys_residual.
299 */
300 if (0. == now) {
301 if (enable_panic_check && allow_panic) {
302 msyslog(LOG_ERR, "adj_systime: allow_panic is TRUE!");
303 INSIST(!allow_panic);
304 }
305 return TRUE;
306 }
307
308 /*
309 * Most Unix adjtime() implementations adjust the system clock
310 * in microsecond quanta, but some adjust in 10-ms quanta. We
311 * carefully round the adjustment to the nearest quantum, then
312 * adjust in quanta and keep the residue for later.
313 */
314 dtemp = now + sys_residual;
315 if (dtemp < 0) {
316 isneg = 1;
317 dtemp = -dtemp;
318 }
319 adjtv.tv_sec = (long)dtemp;
320 dtemp -= adjtv.tv_sec;
321 if (sys_tick > sys_fuzz)
322 quant = sys_tick;
323 else
324 quant = 1e-6;
325 ticks = (long)(dtemp / quant + .5);
326 adjtv.tv_usec = (long)(ticks * quant * 1.e6 + .5);
327 /* The rounding in the conversions could us push over the
328 * limits: make sure the result is properly normalised!
329 * note: sign comes later, all numbers non-negative here.
330 */
331 if (adjtv.tv_usec >= 1000000) {
332 adjtv.tv_sec += 1;
333 adjtv.tv_usec -= 1000000;
334 dtemp -= 1.;
335 }
336 /* set the new residual with leftover from correction */
337 sys_residual = dtemp - adjtv.tv_usec * 1.e-6;
338
339 /*
340 * Convert to signed seconds and microseconds for the Unix
341 * adjtime() system call. Note we purposely lose the adjtime()
342 * leftover.
343 */
344 if (isneg) {
345 adjtv.tv_sec = -adjtv.tv_sec;
346 adjtv.tv_usec = -adjtv.tv_usec;
347 sys_residual = -sys_residual;
348 }
349 if (adjtv.tv_sec != 0 || adjtv.tv_usec != 0) {
350 if (adjtime(&adjtv, &oadjtv) < 0) {
351 msyslog(LOG_ERR, "adj_systime: %m");
352 if (enable_panic_check && allow_panic) {
353 msyslog(LOG_ERR, "adj_systime: allow_panic is TRUE!");
354 }
355 return FALSE;
356 }
357 }
358 if (enable_panic_check && allow_panic) {
359 msyslog(LOG_ERR, "adj_systime: allow_panic is TRUE!");
360 }
361 return TRUE;
362 }
363 #endif
364
365
366 /*
367 * step_systime - step the system clock.
368 */
369
370 int
step_systime(double step)371 step_systime(
372 double step
373 )
374 {
375 time_t pivot; /* for ntp era unfolding */
376 struct timeval timetv, tvlast, tvdiff;
377 struct timespec timets;
378 struct calendar jd;
379 l_fp fp_ofs, fp_sys; /* offset and target system time in FP */
380
381 /*
382 * Get pivot time for NTP era unfolding. Since we don't step
383 * very often, we can afford to do the whole calculation from
384 * scratch. And we're not in the time-critical path yet.
385 */
386 #if SIZEOF_TIME_T > 4
387 /*
388 * This code makes sure the resulting time stamp for the new
389 * system time is in the 2^32 seconds starting at 1970-01-01,
390 * 00:00:00 UTC.
391 */
392 pivot = 0x80000000;
393 #if USE_COMPILETIME_PIVOT
394 /*
395 * Add the compile time minus 10 years to get a possible target
396 * area of (compile time - 10 years) to (compile time + 126
397 * years). This should be sufficient for a given binary of
398 * NTPD.
399 */
400 if (ntpcal_get_build_date(&jd)) {
401 jd.year -= 10;
402 pivot += ntpcal_date_to_time(&jd);
403 } else {
404 msyslog(LOG_ERR,
405 "step-systime: assume 1970-01-01 as build date");
406 }
407 #else
408 UNUSED_LOCAL(jd);
409 #endif /* USE_COMPILETIME_PIVOT */
410 #else
411 UNUSED_LOCAL(jd);
412 /* This makes sure the resulting time stamp is on or after
413 * 1969-12-31/23:59:59 UTC and gives us additional two years,
414 * from the change of NTP era in 2036 to the UNIX rollover in
415 * 2038. (Minus one second, but that won't hurt.) We *really*
416 * need a longer 'time_t' after that! Or a different baseline,
417 * but that would cause other serious trouble, too.
418 */
419 pivot = 0x7FFFFFFF;
420 #endif
421
422 /* get the complete jump distance as l_fp */
423 DTOLFP(sys_residual, &fp_sys);
424 DTOLFP(step, &fp_ofs);
425 L_ADD(&fp_ofs, &fp_sys);
426
427 /* ---> time-critical path starts ---> */
428
429 /* get the current time as l_fp (without fuzz) and as struct timeval */
430 get_ostime(&timets);
431 fp_sys = tspec_stamp_to_lfp(timets);
432 tvlast.tv_sec = timets.tv_sec;
433 tvlast.tv_usec = (timets.tv_nsec + 500) / 1000;
434
435 /* get the target time as l_fp */
436 L_ADD(&fp_sys, &fp_ofs);
437
438 /* unfold the new system time */
439 timetv = lfp_stamp_to_tval(fp_sys, &pivot);
440
441 /* now set new system time */
442 if (ntp_set_tod(&timetv, NULL) != 0) {
443 msyslog(LOG_ERR, "step-systime: %m");
444 if (enable_panic_check && allow_panic) {
445 msyslog(LOG_ERR, "step_systime: allow_panic is TRUE!");
446 }
447 return FALSE;
448 }
449
450 /* <--- time-critical path ended with 'ntp_set_tod()' <--- */
451
452 sys_residual = 0;
453 lamport_violated = (step < 0);
454 if (step_callback)
455 (*step_callback)();
456
457 #ifdef NEED_HPUX_ADJTIME
458 /*
459 * CHECKME: is this correct when called by ntpdate?????
460 */
461 _clear_adjtime();
462 #endif
463
464 /*
465 * FreeBSD, for example, has:
466 * struct utmp {
467 * char ut_line[UT_LINESIZE];
468 * char ut_name[UT_NAMESIZE];
469 * char ut_host[UT_HOSTSIZE];
470 * long ut_time;
471 * };
472 * and appends line="|", name="date", host="", time for the OLD
473 * and appends line="{", name="date", host="", time for the NEW // }
474 * to _PATH_WTMP .
475 *
476 * Some OSes have utmp, some have utmpx.
477 */
478
479 /*
480 * Write old and new time entries in utmp and wtmp if step
481 * adjustment is greater than one second.
482 *
483 * This might become even Uglier...
484 */
485 tvdiff = abs_tval(sub_tval(timetv, tvlast));
486 if (tvdiff.tv_sec > 0) {
487 #ifdef HAVE_UTMP_H
488 struct utmp ut;
489 #endif
490 #ifdef HAVE_UTMPX_H
491 struct utmpx utx;
492 #endif
493
494 #ifdef HAVE_UTMP_H
495 ZERO(ut);
496 #endif
497 #ifdef HAVE_UTMPX_H
498 ZERO(utx);
499 #endif
500
501 /* UTMP */
502
503 #ifdef UPDATE_UTMP
504 # ifdef HAVE_PUTUTLINE
505 # ifndef _PATH_UTMP
506 # define _PATH_UTMP UTMP_FILE
507 # endif
508 utmpname(_PATH_UTMP);
509 ut.ut_type = OLD_TIME;
510 strlcpy(ut.ut_line, OTIME_MSG, sizeof(ut.ut_line));
511 ut.ut_time = tvlast.tv_sec;
512 setutent();
513 pututline(&ut);
514 ut.ut_type = NEW_TIME;
515 strlcpy(ut.ut_line, NTIME_MSG, sizeof(ut.ut_line));
516 ut.ut_time = timetv.tv_sec;
517 setutent();
518 pututline(&ut);
519 endutent();
520 # else /* not HAVE_PUTUTLINE */
521 # endif /* not HAVE_PUTUTLINE */
522 #endif /* UPDATE_UTMP */
523
524 /* UTMPX */
525
526 #ifdef UPDATE_UTMPX
527 # ifdef HAVE_PUTUTXLINE
528 utx.ut_type = OLD_TIME;
529 strlcpy(utx.ut_line, OTIME_MSG, sizeof(utx.ut_line));
530 utx.ut_tv = tvlast;
531 setutxent();
532 pututxline(&utx);
533 utx.ut_type = NEW_TIME;
534 strlcpy(utx.ut_line, NTIME_MSG, sizeof(utx.ut_line));
535 utx.ut_tv = timetv;
536 setutxent();
537 pututxline(&utx);
538 endutxent();
539 # else /* not HAVE_PUTUTXLINE */
540 # endif /* not HAVE_PUTUTXLINE */
541 #endif /* UPDATE_UTMPX */
542
543 /* WTMP */
544
545 #ifdef UPDATE_WTMP
546 # ifdef HAVE_PUTUTLINE
547 # ifndef _PATH_WTMP
548 # define _PATH_WTMP WTMP_FILE
549 # endif
550 utmpname(_PATH_WTMP);
551 ut.ut_type = OLD_TIME;
552 strlcpy(ut.ut_line, OTIME_MSG, sizeof(ut.ut_line));
553 ut.ut_time = tvlast.tv_sec;
554 setutent();
555 pututline(&ut);
556 ut.ut_type = NEW_TIME;
557 strlcpy(ut.ut_line, NTIME_MSG, sizeof(ut.ut_line));
558 ut.ut_time = timetv.tv_sec;
559 setutent();
560 pututline(&ut);
561 endutent();
562 # else /* not HAVE_PUTUTLINE */
563 # endif /* not HAVE_PUTUTLINE */
564 #endif /* UPDATE_WTMP */
565
566 /* WTMPX */
567
568 #ifdef UPDATE_WTMPX
569 # ifdef HAVE_PUTUTXLINE
570 utx.ut_type = OLD_TIME;
571 utx.ut_tv = tvlast;
572 strlcpy(utx.ut_line, OTIME_MSG, sizeof(utx.ut_line));
573 # ifdef HAVE_UPDWTMPX
574 updwtmpx(WTMPX_FILE, &utx);
575 # else /* not HAVE_UPDWTMPX */
576 # endif /* not HAVE_UPDWTMPX */
577 # else /* not HAVE_PUTUTXLINE */
578 # endif /* not HAVE_PUTUTXLINE */
579 # ifdef HAVE_PUTUTXLINE
580 utx.ut_type = NEW_TIME;
581 utx.ut_tv = timetv;
582 strlcpy(utx.ut_line, NTIME_MSG, sizeof(utx.ut_line));
583 # ifdef HAVE_UPDWTMPX
584 updwtmpx(WTMPX_FILE, &utx);
585 # else /* not HAVE_UPDWTMPX */
586 # endif /* not HAVE_UPDWTMPX */
587 # else /* not HAVE_PUTUTXLINE */
588 # endif /* not HAVE_PUTUTXLINE */
589 #endif /* UPDATE_WTMPX */
590
591 }
592 if (enable_panic_check && allow_panic) {
593 msyslog(LOG_ERR, "step_systime: allow_panic is TRUE!");
594 INSIST(!allow_panic);
595 }
596 return TRUE;
597 }
598
599 #endif /* !SIM */
600