add the rest of the rebased patches

patches/0003-conditionally-fill-in-sin_len-sin6_len-if-they-exist.patch

@@ -0,0 +1,53 @@
+From d75fce3c40a9e24d8af8a568581e1882d21eb520 Mon Sep 17 00:00:00 2001
+From: Brent Cook <busterb@gmail.com>
+Date: Tue, 30 Dec 2014 09:02:50 -0600
+Subject: [PATCH 03/11] conditionally fill in sin_len/sin6_len if they exist
+
+---
+ src/usr.sbin/ntpd/config.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
+index c0a99b1..87de17a 100644
+--- a/src/usr.sbin/ntpd/config.c
++++ b/src/usr.sbin/ntpd/config.c
+@@ -72,7 +72,9 @@ host_v4(const char *s)
+ 	if ((h = calloc(1, sizeof(struct ntp_addr))) == NULL)
+ 		fatal(NULL);
+ 	sa_in = (struct sockaddr_in *)&h->ss;
++#ifdef HAVE_STRUCT_SOCKADDR_IN_SIN_LEN
+ 	sa_in->sin_len = sizeof(struct sockaddr_in);
++#endif
+ 	sa_in->sin_family = AF_INET;
+ 	sa_in->sin_addr.s_addr = ina.s_addr;
+ 
+@@ -94,7 +96,9 @@ host_v6(const char *s)
+ 		if ((h = calloc(1, sizeof(struct ntp_addr))) == NULL)
+ 			fatal(NULL);
+ 		sa_in6 = (struct sockaddr_in6 *)&h->ss;
++#ifdef SIN6_LEN
+ 		sa_in6->sin6_len = sizeof(struct sockaddr_in6);
++#endif
+ 		sa_in6->sin6_family = AF_INET6;
+ 		memcpy(&sa_in6->sin6_addr,
+ 		    &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr,
+@@ -156,12 +160,16 @@ host_dns(const char *s, struct ntp_addr **hn)
+ 		h->ss.ss_family = res->ai_family;
+ 		if (res->ai_family == AF_INET) {
+ 			sa_in = (struct sockaddr_in *)&h->ss;
++#ifdef HAVE_STRUCT_SOCKADDR_IN_SIN_LEN
+ 			sa_in->sin_len = sizeof(struct sockaddr_in);
++#endif
+ 			sa_in->sin_addr.s_addr = ((struct sockaddr_in *)
+ 			    res->ai_addr)->sin_addr.s_addr;
+ 		} else {
+ 			sa_in6 = (struct sockaddr_in6 *)&h->ss;
++#ifdef SIN6_LEN
+ 			sa_in6->sin6_len = sizeof(struct sockaddr_in6);
++#endif
+ 			memcpy(&sa_in6->sin6_addr, &((struct sockaddr_in6 *)
+ 			    res->ai_addr)->sin6_addr, sizeof(struct in6_addr));
+ 		}
+-- 
+2.6.4
+

patches/0004-check-if-rdomain-support-is-available.patch

@@ -0,0 +1,116 @@
+From 222700a524b3466607b84c9a896aa8278c4d1aa9 Mon Sep 17 00:00:00 2001
+From: Brent Cook <busterb@gmail.com>
+Date: Tue, 30 Dec 2014 09:05:46 -0600
+Subject: [PATCH 04/11] check if rdomain support is available.
+
+Handle FreeBSD's calling rdomain 'FIB'.
+ - from naddy@openbsd.org
+---
+ src/usr.sbin/ntpd/ntpd.h   |  6 ++++++
+ src/usr.sbin/ntpd/parse.y  |  2 ++
+ src/usr.sbin/ntpd/server.c | 15 ++++++++++++++-
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/usr.sbin/ntpd/ntpd.h b/src/usr.sbin/ntpd/ntpd.h
+index c93ca20..b007da3 100644
+--- a/src/usr.sbin/ntpd/ntpd.h
++++ b/src/usr.sbin/ntpd/ntpd.h
+@@ -40,6 +40,12 @@
+ #define DRIFTFILE	"/var/db/ntpd.drift"
+ #define	CTLSOCKET	"/var/run/ntpd.sock"
+ 
++#if defined(SO_SETFIB)
++#define	SO_RTABLE	SO_SETFIB
++#define	SIOCGIFRDOMAIN	SIOCGIFFIB
++#define	ifr_rdomainid	ifr_fib
++#endif
++
+ #define	INTERVAL_QUERY_NORMAL		30	/* sync to peers every n secs */
+ #define	INTERVAL_QUERY_PATHETIC		60
+ #define	INTERVAL_QUERY_AGGRESSIVE	5
+diff --git a/src/usr.sbin/ntpd/parse.y b/src/usr.sbin/ntpd/parse.y
+index 6d50795..33fe13d 100644
+--- a/src/usr.sbin/ntpd/parse.y
++++ b/src/usr.sbin/ntpd/parse.y
+@@ -404,11 +404,13 @@ weight		: WEIGHT NUMBER	{
+ 			opts.weight = $2;
+ 		}
+ rtable		: RTABLE NUMBER {
++#ifdef RT_TABLEID_MAX
+ 			if ($2 < 0 || $2 > RT_TABLEID_MAX) {
+ 				yyerror("rtable must be between 1"
+ 				    " and RT_TABLEID_MAX");
+ 				YYERROR;
+ 			}
++#endif
+ 			opts.rtable = $2;
+ 		}
+ 		;
+diff --git a/src/usr.sbin/ntpd/server.c b/src/usr.sbin/ntpd/server.c
+index fb297d7..2e28b9b 100644
+--- a/src/usr.sbin/ntpd/server.c
++++ b/src/usr.sbin/ntpd/server.c
+@@ -35,11 +35,16 @@ setup_listeners(struct servent *se, struct ntpd_conf *lconf, u_int *cnt)
+ 	struct listen_addr	*la, *nla, *lap;
+ 	struct ifaddrs		*ifa, *ifap;
+ 	struct sockaddr		*sa;
++#ifdef SO_RTABLE
+ 	struct if_data		*ifd;
++#endif
+ 	u_int8_t		*a6;
+ 	size_t			 sa6len = sizeof(struct in6_addr);
+ 	u_int			 new_cnt = 0;
+-	int			 tos = IPTOS_LOWDELAY, rdomain = 0;
++	int			 tos = IPTOS_LOWDELAY;
++#ifdef SO_RTABLE
++	int			 rdomain = 0;
++#endif
+ 
+ 	TAILQ_FOREACH(lap, &lconf->listen_addrs, entry) {
+ 		switch (lap->sa.ss_family) {
+@@ -51,15 +56,19 @@ setup_listeners(struct servent *se, struct ntpd_conf *lconf, u_int *cnt)
+ 				sa = ifap->ifa_addr;
+ 				if (sa == NULL || SA_LEN(sa) == 0)
+ 					continue;
++#ifdef SO_RTABLE
+ 				if (sa->sa_family == AF_LINK) {
+ 					ifd = ifap->ifa_data;
+ 					rdomain = ifd->ifi_rdomain;
+ 				}
++#endif
+ 				if (sa->sa_family != AF_INET &&
+ 				    sa->sa_family != AF_INET6)
+ 					continue;
++#ifdef SO_RTABLE
+ 				if (lap->rtable != -1 && rdomain != lap->rtable)
+ 					continue;
++#endif
+ 
+ 				if (sa->sa_family == AF_INET &&
+ 				    ((struct sockaddr_in *)sa)->sin_addr.s_addr ==
+@@ -78,7 +87,9 @@ setup_listeners(struct servent *se, struct ntpd_conf *lconf, u_int *cnt)
+ 					fatal("setup_listeners calloc");
+ 
+ 				memcpy(&la->sa, sa, SA_LEN(sa));
++#ifdef SO_RTABLE
+ 				la->rtable = rdomain;
++#endif
+ 
+ 				TAILQ_INSERT_TAIL(&lconf->listen_addrs, la, entry);
+ 			}
+@@ -123,10 +134,12 @@ setup_listeners(struct servent *se, struct ntpd_conf *lconf, u_int *cnt)
+ 		    IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) == -1)
+ 			log_warn("setsockopt IPTOS_LOWDELAY");
+ 
++#ifdef SO_RTABLE
+ 		if (la->rtable != -1 &&
+ 		    setsockopt(la->fd, SOL_SOCKET, SO_RTABLE, &la->rtable,
+ 		    sizeof(la->rtable)) == -1)
+ 			fatal("setup_listeners setsockopt SO_RTABLE");
++#endif
+ 
+ 		if (bind(la->fd, (struct sockaddr *)&la->sa,
+ 		    SA_LEN((struct sockaddr *)&la->sa)) == -1) {
+-- 
+2.6.4
+

patches/0005-update-ntpd.conf-to-indicate-OS-dependent-options.patch

@@ -0,0 +1,53 @@
+From f1e8552352638f4214768df629e9020507e4af05 Mon Sep 17 00:00:00 2001
+From: Brent Cook <busterb@gmail.com>
+Date: Tue, 30 Dec 2014 09:20:03 -0600
+Subject: [PATCH 05/11] update ntpd.conf to indicate OS-dependent options
+
+Also, clarify listening behavior based on a patch from
+Dererk <dererk@debian.org>
+Debian bug ID: 575705
+---
+ src/usr.sbin/ntpd/ntpd.conf.5 | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
+index af11a7e..87f94e8 100644
+--- a/src/usr.sbin/ntpd/ntpd.conf.5
++++ b/src/usr.sbin/ntpd/ntpd.conf.5
+@@ -38,9 +38,14 @@ The basic configuration options are as follows:
+ .It Xo Ic listen on Ar address
+ .Op Ic rtable Ar table-id
+ .Xc
++.Xr ntpd 8
++has the ability to sync the local clock to remote NTP servers and, if
++this directive is specified, can act as NTP server itself, redistributing the
++local clock.
++.Pp
+ Specify a local IP address or a hostname the
+ .Xr ntpd 8
+-daemon should listen on.
++daemon should listen on to enable remote clients synchronization.
+ If it appears multiple times,
+ .Xr ntpd 8
+ will listen on each given address.
+@@ -53,7 +58,7 @@ will listen on all local addresses using the specified routing table.
+ does not listen on any address by default.
+ The optional
+ .Ic rtable
+-keyword will specify which routing table to listen on.
++keyword will specify which routing table to listen on, if the operating system supports rdomains.
+ By default
+ .Xr ntpd 8
+ will listen using the current routing table.
+@@ -76,7 +81,7 @@ listen on 127.0.0.1 rtable 4
+ .Xc
+ Specify a timedelta sensor device
+ .Xr ntpd 8
+-should use.
++should use, if the operating system supports sensors.
+ The sensor can be specified multiple times:
+ .Xr ntpd 8
+ will use each given sensor that actually exists.
+-- 
+2.6.4
+

patches/0006-allow-overriding-default-user-and-file-locations.patch

@@ -0,0 +1,52 @@
+From fdb958c8a66e32287aa5292200d0777f9f96784a Mon Sep 17 00:00:00 2001
+From: Brent Cook <busterb@gmail.com>
+Date: Thu, 1 Jan 2015 07:18:11 -0600
+Subject: [PATCH 06/11] allow overriding default user and file locations
+
+Allow the build process to override the default ntpd file paths and
+default user.
+---
+ src/usr.sbin/ntpd/ntpd.h | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/usr.sbin/ntpd/ntpd.h b/src/usr.sbin/ntpd/ntpd.h
+index b007da3..7e739c4 100644
+--- a/src/usr.sbin/ntpd/ntpd.h
++++ b/src/usr.sbin/ntpd/ntpd.h
+@@ -35,10 +35,20 @@
+ 
+ #define MAXIMUM(a, b)	((a) > (b) ? (a) : (b))
+ 
++#ifndef NTPD_USER
+ #define	NTPD_USER	"_ntp"
+-#define	CONFFILE	"/etc/ntpd.conf"
+-#define DRIFTFILE	"/var/db/ntpd.drift"
+-#define	CTLSOCKET	"/var/run/ntpd.sock"
++#endif
++
++#ifndef	SYSCONFDIR
++#define	SYSCONFDIR	"/etc"
++#endif
++#define	CONFFILE	SYSCONFDIR "/ntpd.conf"
++
++#ifndef	LOCALSTATEDIR
++#define	LOCALSTATEDIR	"/var"
++#endif
++#define	DRIFTFILE	LOCALSTATEDIR "/db/ntpd.drift"
++#define	CTLSOCKET	LOCALSTATEDIR "/run/ntpd.sock"
+ 
+ #if defined(SO_SETFIB)
+ #define	SO_RTABLE	SO_SETFIB
+@@ -86,7 +96,9 @@
+ #define CONSTRAINT_PORT			"443"	/* HTTPS port */
+ #define	CONSTRAINT_MAXHEADERLENGTH	8192
+ #define CONSTRAINT_PASSFD		(STDERR_FILENO + 1)
++#ifndef CONSTRAINT_CA
+ #define CONSTRAINT_CA			"/etc/ssl/cert.pem"
++#endif
+ 
+ enum client_state {
+ 	STATE_NONE,
+-- 
+2.6.4
+

patches/0007-add-p-option-to-create-a-pid-file.patch

@@ -0,0 +1,159 @@
+From b4f723b7fd4c3a56f8b0e08da5998fa31bac5673 Mon Sep 17 00:00:00 2001
+From: Brent Cook <busterb@gmail.com>
+Date: Wed, 31 Dec 2014 08:26:41 -0600
+Subject: [PATCH 07/11] add -p option to create a pid file
+
+This is used in both the Gentoo and Debian ports.
+
+Origin: https://bugs.gentoo.org/show_bug.cgi?id=493082
+---
+ src/usr.sbin/ntpd/ntpd.8 |  4 ++++
+ src/usr.sbin/ntpd/ntpd.c | 35 +++++++++++++++++++++++++++++------
+ src/usr.sbin/ntpd/ntpd.h |  1 +
+ 3 files changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/usr.sbin/ntpd/ntpd.8 b/src/usr.sbin/ntpd/ntpd.8
+index dcfb6d2..1b885a1 100644
+--- a/src/usr.sbin/ntpd/ntpd.8
++++ b/src/usr.sbin/ntpd/ntpd.8
+@@ -25,6 +25,7 @@
+ .Bk -words
+ .Op Fl dnSsv
+ .Op Fl f Ar file
++.Op Fl p Ar file
+ .Ek
+ .Sh DESCRIPTION
+ The
+@@ -59,6 +60,9 @@ instead of the default
+ .It Fl n
+ Configtest mode.
+ Only check the configuration file for validity.
++.It Fl p Ar file
++Write pid to
++.Ar file
+ .It Fl S
+ Do not set the time immediately at startup.
+ This is the default.
+diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c
+index 0f43b1f..e31db98 100644
+--- a/src/usr.sbin/ntpd/ntpd.c
++++ b/src/usr.sbin/ntpd/ntpd.c
+@@ -87,6 +87,18 @@ sighdlr(int sig)
+ 	}
+ }
+ 
++void
++writepid(struct ntpd_conf *lconf)
++{
++	if (lconf->pid_file != NULL) {
++		FILE *f = fopen(lconf->pid_file, "w");
++		if (f == NULL)
++			fatal("couldn't open pid file");
++		fprintf(f, "%ld\n", (long) getpid());
++		fclose(f);
++	}
++}
++
+ __dead void
+ usage(void)
+ {
+@@ -96,7 +108,7 @@ usage(void)
+ 		fprintf(stderr,
+ 		    "usage: ntpctl -s all | peers | Sensors | status\n");
+ 	else
+-		fprintf(stderr, "usage: %s [-dnSsv] [-f file]\n",
++		fprintf(stderr, "usage: %s [-dnSsv] [-f file] [-p file]\n",
+ 		    __progname);
+ 	exit(1);
+ }
+@@ -134,7 +146,7 @@ main(int argc, char *argv[])
+ 
+ 	log_init(1, LOG_DAEMON);	/* log to stderr until daemonized */
+ 
+-	while ((ch = getopt(argc, argv, "df:nsSv")) != -1) {
++	while ((ch = getopt(argc, argv, "df:np:sSv")) != -1) {
+ 		switch (ch) {
+ 		case 'd':
+ 			lconf.debug = 1;
+@@ -146,6 +158,9 @@ main(int argc, char *argv[])
+ 		case 'n':
+ 			lconf.noaction = 1;
+ 			break;
++		case 'p':
++			lconf.pid_file = optarg;
++			break;
+ 		case 's':
+ 			lconf.settime = 1;
+ 			break;
+@@ -190,9 +205,11 @@ main(int argc, char *argv[])
+ 	reset_adjtime();
+ 	if (!lconf.settime) {
+ 		log_init(lconf.debug, LOG_DAEMON);
+-		if (!lconf.debug)
++		if (!lconf.debug) {
+ 			if (daemon(1, 0))
+ 				fatal("daemon");
++			writepid(&lconf);
++		}
+ 	} else
+ 		timeout = SETTIME_TIMEOUT * 1000;
+ 
+@@ -271,9 +288,11 @@ main(int argc, char *argv[])
+ 			log_init(lconf.debug, LOG_DAEMON);
+ 			log_warnx("no reply received in time, skipping initial "
+ 			    "time setting");
+-			if (!lconf.debug)
++			if (!lconf.debug) {
+ 				if (daemon(1, 0))
+ 					fatal("daemon");
++				writepid(&lconf);
++			}
+ 		}
+ 
+ 		if (nfds > 0 && (pfd[PFD_PIPE].revents & POLLOUT))
+@@ -316,6 +335,8 @@ main(int argc, char *argv[])
+ 	msgbuf_clear(&ibuf->w);
+ 	free(ibuf);
+ 	log_info("Terminating");
++	if (lconf.pid_file != NULL)
++		unlink(lconf.pid_file);
+ 	return (0);
+ }
+ 
+@@ -398,9 +419,11 @@ dispatch_imsg(struct ntpd_conf *lconf, const char *pw_dir,
+ 			memcpy(&d, imsg.data, sizeof(d));
+ 			ntpd_settime(d);
+ 			/* daemonize now */
+-			if (!lconf->debug)
++			if (!lconf->debug) {
+ 				if (daemon(1, 0))
+ 					fatal("daemon");
++				writepid(lconf);
++			}
+ 			lconf->settime = 0;
+ 			timeout = INFTIM;
+ 			break;
+@@ -528,7 +551,7 @@ readfreq(void)
+ 		freqfp = fopen(DRIFTFILE, "w");
+ 		return;
+ 	}
+-	
++
+ 	freqfp = fdopen(fd, "r+");
+ 
+ 	/* if we're adjusting frequency already, don't override */
+diff --git a/src/usr.sbin/ntpd/ntpd.h b/src/usr.sbin/ntpd/ntpd.h
+index 7e739c4..864d4c4 100644
+--- a/src/usr.sbin/ntpd/ntpd.h
++++ b/src/usr.sbin/ntpd/ntpd.h
+@@ -241,6 +241,7 @@ struct ntpd_conf {
+ 	u_int						constraint_errors;
+ 	u_int8_t					*ca;
+ 	size_t						ca_len;
++	char						*pid_file;
+ };
+ 
+ struct ctl_show_status {
+-- 
+2.6.4
+

patches/0008-initialize-setproctitle-where-needed.patch

@@ -0,0 +1,58 @@
+From f86daab4bb1d41bcdcbdaeb6370c500962a09675 Mon Sep 17 00:00:00 2001
+From: Brent Cook <busterb@gmail.com>
+Date: Mon, 12 Jan 2015 06:18:31 -0600
+Subject: [PATCH 08/11] initialize setproctitle where needed
+
+We need to save a copy of argv and __progname to avoid setproctitle
+clobbering them.
+---
+ src/usr.sbin/ntpd/ntpd.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c
+index e31db98..19720b3 100644
+--- a/src/usr.sbin/ntpd/ntpd.c
++++ b/src/usr.sbin/ntpd/ntpd.c
+@@ -117,6 +117,13 @@ usage(void)
+ #define PFD_PIPE		0
+ #define PFD_MAX			1
+ 
++/* Saves a copy of argv for setproctitle emulation */
++#ifndef HAVE_SETPROCTITLE
++static char **saved_argv;
++#endif
++
++char *get_progname(char *argv0);
++
+ int
+ main(int argc, char *argv[])
+ {
+@@ -135,6 +142,8 @@ main(int argc, char *argv[])
+ 	gid_t			pw_gid;
+ 	void			*newp;
+ 
++	__progname = get_progname(argv[0]);
++
+ 	if (strcmp(__progname, "ntpctl") == 0) {
+ 		ctl_main(argc, argv);
+ 		/* NOTREACHED */
+@@ -146,6 +155,16 @@ main(int argc, char *argv[])
+ 
+ 	log_init(1, LOG_DAEMON);	/* log to stderr until daemonized */
+ 
++#ifndef HAVE_SETPROCTITLE
++	/* Prepare for later setproctitle emulation */
++	saved_argv = calloc(argc + 1, sizeof(*saved_argv));
++	for (i = 0; i < argc; i++)
++		saved_argv[i] = strdup(argv[i]);
++	saved_argv[i] = NULL;
++	compat_init_setproctitle(argc, argv);
++	argv = saved_argv;
++#endif
++
+ 	while ((ch = getopt(argc, argv, "df:np:sSv")) != -1) {
+ 		switch (ch) {
+ 		case 'd':
+-- 
+2.6.4
+

patches/0009-Notify-the-user-when-constraint-support-is-disabled.patch

@@ -0,0 +1,68 @@
+From 93555bfc44a0eb2039f625ab6a5badde63fa5215 Mon Sep 17 00:00:00 2001
+From: Brent Cook <busterb@gmail.com>
+Date: Fri, 27 Mar 2015 23:14:15 -0500
+Subject: [PATCH 09/11] Notify the user when constraint support is disabled.
+
+Update the manpage and make a constraint line a fatal error if it is
+configured but ntpd is built without libtls present.
+From Paul B. Henson.
+---
+ src/usr.sbin/ntpd/config.c     | 3 +++
+ src/usr.sbin/ntpd/constraint.c | 2 ++
+ src/usr.sbin/ntpd/ntpd.conf.5  | 7 +++++--
+ 3 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
+index 87de17a..5a75030 100644
+--- a/src/usr.sbin/ntpd/config.c
++++ b/src/usr.sbin/ntpd/config.c
+@@ -219,6 +219,9 @@ new_constraint(void)
+ 	p->id = ++constraint_maxid;
+ 	p->fd = -1;
+ 
++#ifndef HAVE_LIBTLS
++	fatal("constraint configured without libtls support");
++#endif
+ 	return (p);
+ }
+ 
+diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c
+index 84d21a9..97f0cd5 100644
+--- a/src/usr.sbin/ntpd/constraint.c
++++ b/src/usr.sbin/ntpd/constraint.c
+@@ -289,12 +289,14 @@ priv_constraint_child(struct constraint *cstr, struct ntp_addr_msg *am,
+ 	if (setpriority(PRIO_PROCESS, 0, 0) == -1)
+ 		log_warn("could not set priority");
+ 
++#ifdef HAVE_LIBTLS
+ 	/* Init TLS and load cert before chroot() */
+ 	if (tls_init() == -1)
+ 		fatalx("tls_init");
+ 	if ((conf->ca = tls_load_file(CONSTRAINT_CA,
+ 	    &conf->ca_len, NULL)) == NULL)
+ 		log_warnx("constraint certificate verification turned off");
++#endif
+ 
+ 	if (chroot(pw_dir) == -1)
+ 		fatal("chroot");
+diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
+index 87f94e8..7f729d2 100644
+--- a/src/usr.sbin/ntpd/ntpd.conf.5
++++ b/src/usr.sbin/ntpd/ntpd.conf.5
+@@ -185,8 +185,11 @@ authenticated constraint,
+ thereby reducing the impact of unauthenticated NTP
+ man-in-the-middle attacks.
+ Received NTP packets with time information falling outside of a range
+-near the constraint will be discarded and such NTP servers
+-will be marked as invalid.
++near the constraint will be discarded and such NTP servers will be marked as
++invalid. Contraints are only available if
++.Xr ntpd 8
++has been compiled with libtls support. Configuring a constraint without libtls
++support will result in a fatal error.
+ .Bl -tag -width Ds
+ .It Ic constraint from Ar url
+ Specify the URL, IP address or the hostname of an HTTPS server to
+-- 
+2.6.4
+

patches/0010-add-a-method-for-updating-the-realtime-clock-on-sync.patch

@@ -0,0 +1,33 @@
+From 340f04a6e14b05803e376c22b0c9170407b6b77d Mon Sep 17 00:00:00 2001
+From: Brent Cook <busterb@gmail.com>
+Date: Mon, 4 May 2015 04:27:29 -0500
+Subject: [PATCH 10/11] add a method for updating the realtime clock on sync
+
+from Christian Weisgerber
+---
+ src/usr.sbin/ntpd/ntpd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c
+index 19720b3..d7281c1 100644
+--- a/src/usr.sbin/ntpd/ntpd.c
++++ b/src/usr.sbin/ntpd/ntpd.c
+@@ -55,6 +55,7 @@ const char     *ctl_lookup_option(char *, const char **);
+ void		show_status_msg(struct imsg *);
+ void		show_peer_msg(struct imsg *, int);
+ void		show_sensor_msg(struct imsg *, int);
++void		update_time_sync_status(int);
+ 
+ volatile sig_atomic_t	 quit = 0;
+ volatile sig_atomic_t	 reconfig = 0;
+@@ -488,6 +489,7 @@ ntpd_adjtime(double d)
+ 	else if (!firstadj && olddelta.tv_sec == 0 && olddelta.tv_usec == 0)
+ 		synced = 1;
+ 	firstadj = 0;
++	update_time_sync_status(synced);
+ 	return (synced);
+ }
+ 
+-- 
+2.6.4
+

patches/0011-Deal-with-missing-SO_TIMESTAMP.patch

@@ -0,0 +1,69 @@
+From 93d09a37b9a3eb129c2d61db505082ca23ca12f1 Mon Sep 17 00:00:00 2001
+From: Brent Cook <bcook@openbsd.org>
+Date: Sun, 6 Dec 2015 22:35:38 -0600
+Subject: [PATCH 11/11] Deal with missing SO_TIMESTAMP
+
+from Paul B. Henson" <henson@acm.org>
+
+Fall back to the previous client.c implementation when it is not found.
+---
+ src/usr.sbin/ntpd/client.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/usr.sbin/ntpd/client.c b/src/usr.sbin/ntpd/client.c
+index 7ce3b38..edca87c 100644
+--- a/src/usr.sbin/ntpd/client.c
++++ b/src/usr.sbin/ntpd/client.c
+@@ -163,10 +163,12 @@ client_query(struct ntp_peer *p)
+ 		if (p->addr->ss.ss_family == AF_INET && setsockopt(p->query->fd,
+ 		    IPPROTO_IP, IP_TOS, &val, sizeof(val)) == -1)
+ 			log_warn("setsockopt IPTOS_LOWDELAY");
++#ifdef SO_TIMESTAMP
+ 		val = 1;
+ 		if (setsockopt(p->query->fd, SOL_SOCKET, SO_TIMESTAMP,
+ 		    &val, sizeof(val)) == -1)
+ 			fatal("setsockopt SO_TIMESTAMP");
++#endif
+ 	}
+ 
+ 	/*
+@@ -213,7 +215,9 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime)
+ 		struct cmsghdr	hdr;
+ 		char		buf[CMSG_SPACE(sizeof(tv))];
+ 	} cmsgbuf;
++#ifdef SO_TIMESTAMP
+ 	struct cmsghdr		*cmsg;
++#endif
+ 	ssize_t			 size;
+ 	double			 T1, T2, T3, T4;
+ 	time_t			 interval;
+@@ -226,7 +230,6 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime)
+ 	somsg.msg_control = cmsgbuf.buf;
+ 	somsg.msg_controllen = sizeof(cmsgbuf.buf);
+ 
+-	T4 = getoffset();
+ 	if ((size = recvmsg(p->query->fd, &somsg, 0)) == -1) {
+ 		if (errno == EHOSTUNREACH || errno == EHOSTDOWN ||
+ 		    errno == ENETUNREACH || errno == ENETDOWN ||
+@@ -251,6 +254,8 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime)
+ 		return (0);
+ 	}
+ 
++#ifdef SO_TIMESTAMP
++	T4 = getoffset();
+ 	for (cmsg = CMSG_FIRSTHDR(&somsg); cmsg != NULL;
+ 	    cmsg = CMSG_NXTHDR(&somsg, cmsg)) {
+ 		if (cmsg->cmsg_level == SOL_SOCKET &&
+@@ -260,6 +265,9 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime)
+ 			break;
+ 		}
+ 	}
++#else
++	T4 = gettime_corrected();
++#endif
+ 
+ 	if (T4 < JAN_1970) {
+ 		client_log_error(p, "recvmsg control format", EBADF);
+-- 
+2.6.4
+