the truncation check immediately following it was not updated to
match.  Not an issue in practice since the buffers are the same
size.  OK deraadt@

This helps the ntp process to a) give a better pledge(2) and to b)
keep the promise of "saving the world again... on time" by removing
the delays that have been introduced by expensive constraint forks.
The new design offers better privsep but introduces a few more imsgs
and runs a little bit more code in the privileged parent.  The
privileged code is minimal, carefully checked, and does not attempt to
"parse" any contents; the forked constraints instantly drop all
privileges and pledge to "stdio inet".
OK beck@ deraadt@

types of functions (perhaps required by 'stdio' or 'libevent' will not
become available unless DNS suceeds.  Replace it with "stdio dns".

ok gilles@

including fork/exec cost, it would be better if constraints were
forked from the master process, which would then tell the ntp
engine.  That would increase accuracy and security.
Lots of conversations with reyk and bcook

"stdio inet".  It took weeks to get to this point...

ok deraadt@

that's the case after kernel code got fixed to handle inet6 for dns...

since that is all it will do till termination.

in asn1 and x509 code, all dealing with an ASN1_TIME. This brings the parsing
together in one function that converts into a struct tm. While we are at it this
also brings us into conformance with RFC 5280 for times allowed in an X509 cert,
as OpenSSL is very liberal with what it allows.
input and fixes from deraadt@ jsing@ guethther@ and others.
ok krw@, guenther@, jsing@

case, by deleting some useless '& of an array' we also eliminate the need
for the casts which prompted the original lint warnings
ok deraadt@

- verify that kbd is executable and kbdtype is not empty
- use safer 'print --' to pipe the initial pf ruleset to pfctl
- simplify the ipsecctl if-block
Feedback and OK halex@
OK krw@

ok florian@ rpe@

Userland should get these from /usr/X11R6/include/libdrm.
ok deraadt@ (and suggested by jsg@)

ok millert@

OK semarie@

on arm and m88k
problems with optind observed by jsg@

development of a cargo cult in case people look at existing files
for examples.  This achieves a consistent .Fo and .Fn quoting style
across the whole tree.

MD4 should have been removed a long time ago.  Also, RFC 6150 moved it to
historic in 2011.  Rides the major crank from removing SHA-0.
Discussed with many including beck@, millert@, djm@, sthen@
ok jsing@, input + ok bcook@

SHA-0 was withdrawn shortly after publication 20 years ago and replaced
with SHA-1.  This will require a major crank.
ok bcook@, jsing@

necessary
ok deraadt@ jsing@

Hide __xprt_register() and _authenticate(); truncate <rpc/svc_auth.h>
ok deraadt@

Hide bcrypt_autorounds(), prefixing with an underbar for static builds.

feedback/ok rpe

- run domainname only with a non-empty /etc/defaultdomain file
- Make single-user if-block more intuitive, which also matches
better what the comment actually says
OK halex@, krw@ on a similar diff

verified that they are there via isdigit() so we can convert from
ASCII to an int without using atoi().  OK guenther@ deraadt@

four line function and a tonne of license text.
ok beck@

ok deraadt@ "hurray!  finally!" miod@ "Yay!" sthen@

cpu's specific hardware capabilities users of libcrypto might be interested
in, as an integer value. This deprecates the existing OPENSSL_ia32cap()
macro and the OPENSSL_ia32cap_loc() function (which returns the pointer so
that you can mess with stuff you shouldn't mess with).
Interpreting the value returned by OPENSSL_cpu_caps() is, of course,
machine-dependent.
Minor version bump for libcrypto.
ok beck@ jsing@

The creation of Unix sockets directories in /tmp for X happens right
after pruning /tmp. So the whole dance of checking for their
existence, ownership or permissions is not necessary. It's safe to
just create them with the right permissions if X is installed.
Changes to do_fsck():
Remove the _flags variable and pass flags to fsck directly with "$@".
Feedback and OK halex@
OK krw@ on a similar diff