openntpd-openssl/patches/3-patch_unhardcode-ports.patch

From: Pekka Helenius <fincer89@hotmail.com>
Date: Tue, 04 Aug 2020 01:52:11 +0300
Subject: Unhardcode NTP server, client and constraint UDP & TCP port numbers


--- a/src/client.c	2020-08-02 02:03:13.840286484 +0300
+++ b/src/client.c	2020-08-02 02:04:23.993619892 +0300
@@ -76,13 +76,13 @@ client_addr_init(struct ntp_peer *p)
 		case AF_INET:
 			sa_in = (struct sockaddr_in *)&h->ss;
 			if (ntohs(sa_in->sin_port) == 0)
-				sa_in->sin_port = htons(123);
+				sa_in->sin_port = htons(p->addr_head.port);
 			p->state = STATE_DNS_DONE;
 			break;
 		case AF_INET6:
 			sa_in6 = (struct sockaddr_in6 *)&h->ss;
 			if (ntohs(sa_in6->sin6_port) == 0)
-				sa_in6->sin6_port = htons(123);
+				sa_in6->sin6_port = htons(p->addr_head.port);
 			p->state = STATE_DNS_DONE;
 			break;
 		default:
@@ -122,9 +122,10 @@ client_nextaddr(struct ntp_peer *p)
 	p->shift = 0;
 	p->trustlevel = TRUSTLEVEL_PATHETIC;
 
-	if (p->addr == NULL)
+	if (p->addr == NULL) {
 		p->addr = p->addr_head.a;
-	else if ((p->addr = p->addr->next) == NULL)
+		p->port = p->addr_head.port;
+	} else if ((p->addr = p->addr->next) == NULL)
 		return (1);
 
 	return (0);
--- a/src/ntp.c	2020-07-31 23:34:32.000000000 +0300
+++ b/src/ntp.c	2020-08-01 00:56:09.608057581 +0300
@@ -603,6 +603,8 @@ ntp_dispatch_imsg_dns(void)
 					    peer->addr_head.name;
 					npeer->addr_head.pool =
 					    peer->addr_head.pool;
+					npeer->addr_head.port =
+						peer->addr_head.port;
 					client_peer_init(npeer);
 					npeer->state = STATE_DNS_DONE;
 					peer_add(npeer);
@@ -611,6 +613,7 @@ ntp_dispatch_imsg_dns(void)
 					h->next = peer->addr;
 					peer->addr = h;
 					peer->addr_head.a = peer->addr;
+					peer->addr_head.port = peer->port;
 					peer->state = STATE_DNS_DONE;
 				}
 			}
--- a/src/config.c	2020-07-31 23:11:30.000000000 +0300
+++ b/src/config.c	2020-08-01 01:02:14.468057965 +0300
@@ -196,3 +196,10 @@ new_constraint(void)
 	return (p);
 }
 
+int
+intdup(int in)
+{
+	int *out;
+	out = &in;
+	return *out;
+}
--- a/src/ntpd.h	2020-07-31 23:00:51.000000000 +0300
+++ b/src/ntpd.h	2020-08-01 01:27:06.418059534 +0300
@@ -95,7 +95,7 @@
 #define CONSTRAINT_SCAN_INTERVAL	(15*60)
 #define CONSTRAINT_SCAN_TIMEOUT		(10)
 #define CONSTRAINT_MARGIN		(2.0*60)
-#define CONSTRAINT_PORT			"443"	/* HTTPS port */
+
 #define	CONSTRAINT_MAXHEADERLENGTH	8192
 #define CONSTRAINT_PASSFD		(STDERR_FILENO + 1)
 
@@ -121,6 +121,7 @@ struct listen_addr {
 	struct sockaddr_storage		 sa;
 	int				 fd;
 	int				 rtable;
+	int				port;
 };
 
 struct ntp_addr {
@@ -132,14 +133,17 @@ struct ntp_addr {
 struct ntp_addr_wrap {
 	char			*name;
 	char			*path;
+	int				port;
 	struct ntp_addr		*a;
 	u_int8_t		 pool;
 };
 
 struct ntp_addr_msg {
 	struct ntp_addr		 a;
+	int		port;
 	size_t			 namelen;
 	size_t			 pathlen;
+	size_t			portlen;
 };
 
 struct ntp_status {
@@ -184,6 +188,7 @@ struct ntp_peer {
 	u_int8_t			 trusted;
 	int				 lasterror;
 	int				 senderrors;
+	int				port;
 };
 
 struct ntp_sensor {
@@ -206,6 +211,7 @@ struct constraint {
 	TAILQ_ENTRY(constraint)		 entry;
 	struct ntp_addr_wrap		 addr_head;
 	struct ntp_addr			*addr;
+	int				port;
 	int				 senderrors;
 	enum client_state		 state;
 	u_int32_t			 id;
@@ -365,6 +371,7 @@ void			 host_dns_free(struct ntp_addr *)
 struct ntp_peer		*new_peer(void);
 struct ntp_conf_sensor	*new_sensor(char *);
 struct constraint	*new_constraint(void);
+int 	intdup(int);
 
 /* ntp_msg.c */
 int	ntp_getmsg(struct sockaddr *, char *, ssize_t, struct ntp_msg *);
@@ -401,6 +408,7 @@ void	 priv_constraint_kill(u_int32_t);
 int	 priv_constraint_dispatch(struct pollfd *);
 void	 priv_constraint_check_child(pid_t, int);
 char	*get_string(u_int8_t *, size_t);
+int	intlen(int);
 
 /* util.c */
 double			 gettime_corrected(void);
--- a/src/constraint.c	2020-08-02 01:56:09.060286035 +0300
+++ b/src/constraint.c	2020-08-02 01:56:47.110286075 +0300
@@ -66,11 +66,11 @@ void	 priv_constraint_readquery(struct c
 	    uint8_t **);
 
 struct httpsdate *
-	 httpsdate_init(const char *, const char *, const char *,
+	 httpsdate_init(const char *, const int *, const char *,
 	    const char *, const u_int8_t *, size_t);
 void	 httpsdate_free(void *);
 int	 httpsdate_request(struct httpsdate *, struct timeval *);
-void	*httpsdate_query(const char *, const char *, const char *,
+void	*httpsdate_query(const char *, const int *, const char *,
 	    const char *, const u_int8_t *, size_t,
 	    struct timeval *, struct timeval *);
 
@@ -125,13 +125,13 @@ constraint_addr_init(struct constraint *
 	case AF_INET:
 		sa_in = (struct sockaddr_in *)&h->ss;
 		if (ntohs(sa_in->sin_port) == 0)
-			sa_in->sin_port = htons(443);
+			sa_in->sin_port = htons(cstr->addr_head.port);
 		cstr->state = STATE_DNS_DONE;
 		break;
 	case AF_INET6:
 		sa_in6 = (struct sockaddr_in6 *)&h->ss;
 		if (ntohs(sa_in6->sin6_port) == 0)
-			sa_in6->sin6_port = htons(443);
+			sa_in6->sin6_port = htons(cstr->addr_head.port);
 		cstr->state = STATE_DNS_DONE;
 		break;
 	default:
@@ -206,6 +206,7 @@ constraint_query(struct constraint *cstr
 
 	memset(&am, 0, sizeof(am));
 	memcpy(&am.a, cstr->addr, sizeof(am.a));
+	memcpy(&am.port, &cstr->addr_head.port, sizeof(am.port));
 
 	iov[iov_cnt].iov_base = &am;
 	iov[iov_cnt++].iov_len = sizeof(am);
@@ -219,6 +220,11 @@ constraint_query(struct constraint *cstr
 		iov[iov_cnt].iov_base = cstr->addr_head.path;
 		iov[iov_cnt++].iov_len = am.pathlen;
 	}
+	if (cstr->addr_head.port) {
+		am.portlen = intlen(cstr->addr_head.port) + 1;
+		iov[iov_cnt].iov_base = &cstr->addr_head.port;
+		iov[iov_cnt++].iov_len = am.portlen;
+	}
 
 	imsg_composev(ibuf_main, IMSG_CONSTRAINT_QUERY,
 	    cstr->id, 0, -1, iov, iov_cnt);
@@ -246,7 +252,7 @@ priv_constraint_msg(u_int32_t id, u_int8
 		return;
 	}
 	memcpy(&am, data, sizeof(am));
-	if (len != (sizeof(am) + am.namelen + am.pathlen)) {
+    if (len != (sizeof(am) + am.namelen + am.pathlen + am.portlen)) {
 		log_warnx("constraint id %d: invalid query received", id);
 		return;
 	}
@@ -301,6 +307,7 @@ priv_constraint_readquery(struct constra
 	int			 n;
 	struct imsg		 imsg;
 	size_t			 mlen;
+	int			port;
 
 	/* Read the message our parent left us. */
 	if (((n = imsg_read(&cstr->ibuf)) == -1 && errno != EAGAIN) || n == 0)
@@ -324,7 +331,7 @@ priv_constraint_readquery(struct constra
 		);
 
 	memcpy(am, imsg.data, sizeof(*am));
-	if (mlen != (sizeof(*am) + am->namelen + am->pathlen))
+	if (mlen != (sizeof(*am) + am->namelen + am->pathlen + am->portlen))
 		fatalx("constraint: invalid message length received from parent process (%s)",
 			   __func__
 			  );
@@ -334,12 +341,15 @@ priv_constraint_readquery(struct constra
 		fatal("constraint: can't allocate memory (%s)", __func__);
 
 	memcpy(h, &am->a, sizeof(*h));
+	memcpy(&port, &am->port, sizeof(port));
 	h->next = NULL;
-
+	
 	cstr->id = imsg.hdr.peerid;
 	cstr->addr = h;
 	cstr->addr_head.a = h;
-
+	cstr->port = port;
+	cstr->addr_head.port = port;
+	
 	dptr = imsg.data;
 	memcpy(*data, dptr + sizeof(*am), mlen - sizeof(*am));
 	imsg_free(&imsg);
@@ -434,10 +444,14 @@ priv_constraint_child(const char *pw_dir
 		    get_string(data, am.pathlen)) == NULL)
 			fatalx("constraint %s: invalid path", addr);
 	}
+	if (am.portlen) {
+		if (cstr.addr_head.port == 0)
+			fatalx("constraint %s: invalid port", addr);
+	}
 
 	/* Run! */
 	if ((ctx = httpsdate_query(addr,
-	    CONSTRAINT_PORT, cstr.addr_head.name, cstr.addr_head.path,
+	    &cstr.addr_head.port, cstr.addr_head.name, cstr.addr_head.path,
 	    conf->ca, conf->ca_len, &rectv, &xmttv)) == NULL) {
 		log_debug("constraint %s: failed to get proper time results", addr);
 		/* Abort with failure but without warning */
@@ -800,8 +814,14 @@ constraint_msg_dns(u_int32_t id, u_int8_
 			ncstr->addr_head.a = h;
 			ncstr->addr_head.name = strdup(cstr->addr_head.name);
 			ncstr->addr_head.path = strdup(cstr->addr_head.path);
+			ncstr->addr_head.port = intdup(cstr->addr_head.port);
+
+			// Unless we do this, we have value 0 in ncstr->port
+			ncstr->port = intdup(cstr->port);
+
 			if (ncstr->addr_head.name == NULL ||
-			    ncstr->addr_head.path == NULL)
+			    ncstr->addr_head.path == NULL ||
+			    ncstr->addr_head.port == 0 || ncstr->port == 0)
                 fatal("constraint id %d: DNS dispatching failed: invalid data", id);
 			ncstr->addr_head.pool = cstr->addr_head.pool;
 			ncstr->state = STATE_DNS_DONE;
@@ -811,6 +831,7 @@ constraint_msg_dns(u_int32_t id, u_int8_
 			h->next = ncstr->addr;
 			ncstr->addr = h;
 			ncstr->addr_head.a = h;
+			// TODO missing port?
 		}
 	} while (len);
 
@@ -912,10 +933,11 @@ constraint_check(double val)
 }
 
 struct httpsdate *
-httpsdate_init(const char *addr, const char *port, const char *hostname,
+httpsdate_init(const char *addr, const int *port, const char *hostname,
     const char *path, const u_int8_t *ca, size_t ca_len)
 {
 	struct httpsdate	*httpsdate = NULL;
+	char	port_s[sizeof(port)];
 
 	if ((httpsdate = calloc(1, sizeof(*httpsdate))) == NULL)
 		goto fail;
@@ -923,8 +945,10 @@ httpsdate_init(const char *addr, const c
 	if (hostname == NULL)
 		hostname = addr;
 
+	sprintf(port_s, "%d", *port);
+
 	if ((httpsdate->tls_addr = strdup(addr)) == NULL ||
-	    (httpsdate->tls_port = strdup(port)) == NULL ||
+	    (httpsdate->tls_port = strdup(port_s)) == NULL ||
 	    (httpsdate->tls_hostname = strdup(hostname)) == NULL ||
 	    (httpsdate->tls_path = strdup(path)) == NULL)
 		goto fail;
@@ -1098,7 +1122,7 @@ httpsdate_request(struct httpsdate *http
 }
 
 void *
-httpsdate_query(const char *addr, const char *port, const char *hostname,
+httpsdate_query(const char *addr, const int *port, const char *hostname,
     const char *path, const u_int8_t *ca, size_t ca_len,
     struct timeval *rectv, struct timeval *xmttv)
 {
@@ -1183,3 +1207,17 @@ get_string(u_int8_t *ptr, size_t len)
 
 	return strndup(ptr, i);
 }
+
+int
+intlen(int val)
+{
+	int n = 1;
+	if (val < 0)
+		return 0;
+	while(val > 9) {
+		n++;
+		val /= 10;
+	}
+
+	return val;
+}
--- a/src/parse.y	2020-07-31 23:57:08.000000000 +0300
+++ b/src/parse.y	2020-08-01 01:51:28.041394057 +0300
@@ -60,6 +60,7 @@ int		 findeol(void);
 struct sockaddr_in		 query_addr4;
 struct sockaddr_in6		 query_addr6;
 int				 poolseqnum;
+struct servent		*se;
 
 struct opts {
 	int		weight;
@@ -68,6 +69,7 @@ struct opts {
 	int		rtable;
 	int		trusted;
 	char		*refstr;
+	int		port;
 } opts;
 void		opts_default(void);
 
@@ -86,18 +88,21 @@ typedef struct {
 %token	LISTEN ON CONSTRAINT CONSTRAINTS FROM QUERY TRUSTED
 %token	SERVER SERVERS SENSOR CORRECTION RTABLE REFID STRATUM WEIGHT
 %token	ERROR
+%token	PORT
 %token	<v.string>		STRING
 %token	<v.number>		NUMBER
 %type	<v.addr>		address url urllist
 %type	<v.opts>		listen_opts listen_opts_l listen_opt
 %type	<v.opts>		server_opts server_opts_l server_opt
 %type	<v.opts>		sensor_opts sensor_opts_l sensor_opt
+%type	<v.opts>		constraint_opts constraint_opts_l constraint_opt
 %type	<v.opts>		correction
 %type	<v.opts>		rtable
 %type	<v.opts>		refid
 %type	<v.opts>		stratum
 %type	<v.opts>		weight
 %type	<v.opts>		trusted
+%type	<v.opts>		port
 %%
 
 grammar		: /* empty */
@@ -125,6 +130,10 @@ main		: LISTEN ON address listen_opts	{
 					fatal("can't allocate memory for listening address");
 				la->fd = -1;
 				la->rtable = $4.rtable;
+
+				if ($4.port != 0)
+					la->port = $4.port;
+
 				memcpy(&la->sa, &h->ss,
 				    sizeof(struct sockaddr_storage));
 				TAILQ_INSERT_TAIL(&conf->listen_addrs, la,
@@ -186,10 +195,22 @@ main		: LISTEN ON address listen_opts	{
 				p->trusted = $3.trusted;
 				conf->trusted_peers = conf->trusted_peers ||
 				    $3.trusted;
+
+				if ($3.port == 0) {
+					if ((se = getservbyname("ntp", "udp")) == NULL) {
+						fatal("new server: can't find default system information for NTP protocol (getservbyname)");
+					} else {
+						$3.port = ntohs(se->s_port);
+					}
+				}
+				p->port = $3.port;
+				$2->port = p->port;
+
 				p->query_addr4 = query_addr4;
 				p->query_addr6 = query_addr6;
 				p->addr = h;
 				p->addr_head.a = h;
+				p->addr_head.port = intdup($2->port);
 				p->addr_head.pool = ++poolseqnum;
 				p->addr_head.name = strdup($2->name);
 				if (p->addr_head.name == NULL)
@@ -228,9 +249,21 @@ main		: LISTEN ON address listen_opts	{
 			p->trusted = $3.trusted;
 			conf->trusted_peers = conf->trusted_peers ||
 			    $3.trusted;
+
+			if ($3.port == 0) {
+				if ((se = getservbyname("ntp", "udp")) == NULL) {
+					fatal("new server: can't find default system information for NTP protocol (getservbyname)");
+				} else {
+					$3.port = ntohs(se->s_port);
+				}
+			}
+			p->port = $3.port;
+			$2->port = p->port;
+
 			p->query_addr4 = query_addr4;
 			p->query_addr6 = query_addr6;
 			p->addr_head.a = p->addr;
+			p->addr_head.port = intdup($2->port);
 			p->addr_head.pool = 0;
 			p->addr_head.name = strdup($2->name);
 			if (p->addr_head.name == NULL)
@@ -241,7 +274,7 @@ main		: LISTEN ON address listen_opts	{
 			free($2->name);
 			free($2);
 		}
-		| CONSTRAINTS FROM url		{
+		| CONSTRAINTS FROM url constraint_opts		{
 			struct constraint	*p;
 			struct ntp_addr		*h, *next;
 
@@ -266,6 +299,17 @@ main		: LISTEN ON address listen_opts	{
 				p = new_constraint();
 				p->addr = h;
 				p->addr_head.a = h;
+
+				if ($4.port == 0) {
+					if ((se = getservbyname("https", "tcp")) == NULL) {
+						fatal("new constraint: can't find default system information for HTTPS protocol (getservbyname)");
+					} else {
+						$4.port = ntohs(se->s_port);
+					}
+				}
+				p->port = $4.port;
+				p->addr_head.port = intdup($4.port);
+
 				p->addr_head.pool = ++poolseqnum;
 				p->addr_head.name = strdup($3->name);
 				p->addr_head.path = strdup($3->path);
@@ -281,7 +325,7 @@ main		: LISTEN ON address listen_opts	{
 			free($3->name);
 			free($3);
 		}
-		| CONSTRAINT FROM urllist		{
+		| CONSTRAINT FROM urllist constraint_opts		{
 			struct constraint	*p;
 			struct ntp_addr		*h, *next;
 
@@ -304,6 +348,17 @@ main		: LISTEN ON address listen_opts	{
 			}
 
 			p->addr_head.a = p->addr;
+
+			if ($4.port == 0) {
+				if ((se = getservbyname("https", "tcp")) == NULL) {
+						fatal("new constraint: can't find default system information for HTTPS protocol (getservbyname)");
+				} else {
+					$4.port = ntohs(se->s_port);
+				}
+			}
+			p->port = $4.port;
+			p->addr_head.port = intdup($4.port);
+
 			p->addr_head.pool = 0;
 			p->addr_head.name = strdup($3->name);
 			p->addr_head.path = strdup($3->path);
@@ -410,6 +465,7 @@ listen_opts_l	: listen_opts_l listen_opt
 		| listen_opt
 		;
 listen_opt	: rtable
+		| port
 		;
 
 server_opts	:	{ opts_default(); }
@@ -422,6 +478,18 @@ server_opts_l	: server_opts_l server_opt
 		;
 server_opt	: weight
 		| trusted
+		| port
+		;
+
+constraint_opts	:	{ opts_default(); }
+		  constraint_opts_l
+			{ $$ = opts; }
+		|	{ opts_default(); $$ = opts; }
+		;
+constraint_opts_l	: constraint_opts_l constraint_opt
+		| constraint_opt
+		;
+constraint_opt	: port
 		;
 
 sensor_opts	:	{ opts_default(); }
@@ -478,6 +546,17 @@ weight		: WEIGHT NUMBER	{
 			}
 			opts.weight = $2;
 		}
+		;
+
+port		: PORT NUMBER	{
+			if ($2 < 1 || $2 > 65535) {
+				yyerror("port must be between 1 and 65535");
+				YYERROR;
+			}
+			opts.port = $2;
+		}
+		;
+
 rtable		: RTABLE NUMBER {
 #ifdef RT_TABLEID_MAX
 			if ($2 < 0 || $2 > RT_TABLEID_MAX) {
@@ -502,6 +581,7 @@ opts_default(void)
 	memset(&opts, 0, sizeof opts);
 	opts.weight = 1;
 	opts.stratum = 1;
+	opts.port = 0;
 }
 
 struct keywords {
@@ -542,6 +622,7 @@ lookup(char *s)
 		{ "from",		FROM},
 		{ "listen",		LISTEN},
 		{ "on",			ON},
+		{ "port",		PORT},
 		{ "query",		QUERY},
 		{ "refid",		REFID},
 		{ "rtable",		RTABLE},
--- a/src/server.c	2020-08-01 00:04:05.000000000 +0300
+++ b/src/server.c	2020-08-01 01:14:42.328058753 +0300
@@ -107,14 +107,18 @@ setup_listeners(struct servent *se, stru
 	for (la = TAILQ_FIRST(&lconf->listen_addrs); la; ) {
 		switch (la->sa.ss_family) {
 		case AF_INET:
-			if (((struct sockaddr_in *)&la->sa)->sin_port == 0)
-				((struct sockaddr_in *)&la->sa)->sin_port =
-				    se->s_port;
+			if ((la->port == 0) && \
+			(((struct sockaddr_in *)&la->sa)->sin_port == 0))
+				((struct sockaddr_in *)&la->sa)->sin_port = se->s_port;
+			else
+				((struct sockaddr_in *)&la->sa)->sin_port = ntohs(la->port);
 			break;
 		case AF_INET6:
-			if (((struct sockaddr_in6 *)&la->sa)->sin6_port == 0)
-				((struct sockaddr_in6 *)&la->sa)->sin6_port =
-				    se->s_port;
+			if ((la->port == 0) && \
+			(((struct sockaddr_in6 *)&la->sa)->sin6_port == 0))
+				((struct sockaddr_in6 *)&la->sa)->sin6_port = se->s_port;
+			else
+				((struct sockaddr_in6 *)&la->sa)->sin6_port = ntohs(la->port);
 			break;
 		case AF_UNSPEC:
 			nla = TAILQ_NEXT(la, entry);
--- a/src/ntpd.conf.5	2020-07-31 23:00:51.000000000 +0300
+++ b/src/ntpd.conf.5	2020-08-01 01:22:25.424725907 +0300
@@ -14,7 +14,7 @@
 .\" AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 .\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 16 2020 $
+.Dd $Mdocdate: August 01 2020 $
 .Dt NTPD.CONF 5
 .Os
 .Sh NAME
@@ -37,6 +37,7 @@ The basic configuration options are as f
 .Bl -tag -width Ds
 .It Xo Ic listen on Ar address
 .Op Ic rtable Ar table-id
+.Op Ic port Ar port-number
 .Xc
 .Xr ntpd 8
 has the ability to sync the local clock to remote NTP servers and, if
@@ -62,6 +63,12 @@ keyword will specify which routing table
 By default
 .Xr ntpd 8
 will listen using the current routing table.
+The optional
+.Ic port
+keyword will specify which local UDP port the NTP server process should use for inbound connections.
+By default
+.Xr ntpd 8
+will listen to UDP port 123 for new client connections.
 For example:
 .Bd -literal -offset indent
 listen on *
@@ -72,6 +79,7 @@ or
 listen on 127.0.0.1
 listen on ::1
 listen on 127.0.0.1 rtable 4
+listen on 127.0.0.1 port 1230
 .Ed
 .It Ic query from Ar sourceaddr
 Specify a local IP address the
@@ -165,6 +173,7 @@ than a server with a weight of 1.
 .It Xo Ic server Ar address
 .Op Ic trusted
 .Op Ic weight Ar weight-value
+.Op Ic port Ar port-number
 .Xc
 Specify the IP address or the hostname of an NTP
 server to synchronize to.
@@ -182,6 +191,7 @@ For example:
 .Bd -literal -offset indent
 server 10.0.0.2 weight 5
 server ntp.example.org weight 1
+server ntp.foo.org port 123
 .Ed
 .Pp
 To provide redundancy, it is good practice to configure multiple servers.
@@ -190,6 +200,7 @@ network latency.
 .It Xo Ic servers Ar address
 .Op Ic trusted
 .Op Ic weight Ar weight-value
+.Op Ic port Ar port-number
 .Xc
 As with
 .Cm server ,
@@ -204,6 +215,7 @@ For example:
 .Bd -literal -offset indent
 servers pool.ntp.org
 servers pool.ntp.org weight 5
+servers pool.ntp.org weight 6 port 123
 .Ed
 .El
 .Sh CONSTRAINTS
@@ -227,8 +239,13 @@ without libtls causes
 to log a warning message on startup.
 .Bl -tag -width Ds
 .It Ic constraint from Ar url [ip...]
+.Op Ic port Ar port-number
 Specify the URL, IP address or the hostname of an HTTPS server to
-provide a constraint.
+provide a constraint. The optional
+.Ic port
+number is an HTTPS server port to connect to. By default
+.Xr ntpd 8
+will connect to remote TCP port 443.
 If the url is followed by one or more addresses the url and addresses will be
 tried until a working one is found.
 The url path and expected certificate name is always taken from the
@@ -242,8 +259,10 @@ will calculate a median constraint from
 server ntp.example.org
 constraint from www.example.com
 constraint from "https://9.9.9.9" "2620:fe::9"
+constraint from www.google.com port 443
 .Ed
 .It Ic constraints from Ar url
+.Op Ic port Ar port-number
 As with
 .Ic constraint from ,
 specify the URL, IP address or the hostname of an HTTPS server to
@@ -251,10 +270,16 @@ provide a constraint.
 Should the hostname resolve to multiple IP addresses,
 .Xr ntpd 8
 will calculate a median constraint from all of them.
+The optional
+.Ic port
+number is an HTTPS server port to connect to. By default
+.Xr ntpd 8
+will connect to remote TCP port 443.
 For example:
 .Bd -literal -offset indent
 servers pool.ntp.org
 constraints from "https://www.google.com/"
+constraints from "https://duckduckgo.com/" port 443
 .Ed
 .El
 .Sh FILES