FreshBSD

   bktr(4): tsleep(9) -> tsleep_nsec(9)

   ok deraadt@

   sort sk-* methods behind their plain key methods cousins for now

   test security key host keys in addition to user keys

   don't treat HostKeyAgent=none as a path either; avoids spurious
   warnings from the cfgparse regress test

   do not attempt to find an absolute path for sshd_config
   SecurityKeyProvider=internal - unbreaks cfgparse regress test

   Clear r_list if the interface is passive. Additionaly move the check
   for passive interface a bit further up so that the function can return
   earlier.

   Memory leak observed and reported by Jason Tubnor.

   OK benno@

   allow ssh-keyscan to find security key hostkeys

   adapt to ssh-sk-client change

   allow security keys to act as host keys as well as user keys.

   Previously we didn't do this because we didn't want to expose
   the attack surface presented by USB and FIDO protocol handling,
   but now that this is insulated behind ssh-sk-helper there is
   less risk.

   ok markus@

   Make this fit in 80 cols.

   semarie diagnosed a what appeared to be a 'large backwards memcpy' of an
   ipv6 address, but was actually oversize (a large union).  correct access
   to the right subfield.
   ok florian semarie

   Explicitly print root user in status OWNER column

   With "owner root:wheel" (any group) the status output prints ":wheel" only,
   presumably to emphasize that only group membership matters.

   Always print whatever is configured to be explicit and less confusing.

   OK jasper

   Allow more outgoing ports, the default 16 is pretty tight for the
   recursor. Also change strategy to not fetch addresses of nameservers
   pro-actively, it does not help a lot in typical unwind setups and
   consumes resources we would like to spend on actual resolving user
   queries.  ok florian@

   Add a missing unlock.

   Spotted by Hrvoje Popovski using witness(4)
   OK dlg@

   Be less aggressive pre-allocating memory; ok florian@

   whitespace from go fmt + update a comment

   rkpcie: Add support for gen2 negotiation
   * Enable gen2 link training when the dtb is configured with
     max-link-speed = <2>;
   * Workaround a rockchip bug where Target Link Speed is not set when
     PCIE_CLIENT_PCIE_GEN_SEL_2 is configured
   * Wait for LTSSM L0 state after initial link training to ensure gen2
     link training does not start too early

   okay kettenis@

   Simplify resolve_done.
   - check if this is an answer to a still running query up front,
     if not there is nothing more to do
   - get rid of the retry case, we can now just inline it
   - reduce indent by always calculating elapsed time for DOUBT_NXDOMAIN_SEC
   Triggered by, input and OK otto

   failing fsync() with EINVAL should not cause a TempFail in mboxfile,
   it means the file was most likely a device not supporting fsync() so
   we can't do much and retrying isn't going to help.

   introduce a bypass keyword so that builtin filters can bypass processing of
   a phase when a condition is met

   suggested by several people including jung@, ok jung@

   Strip out the optional login style before looking up user in passwd.
   Reported by Dennis Lindroos.  OK tb@

   Return BI_SILENT not BI_AUTH if the challenge service is requested.
   This bug was introduced in the login_passwd rewrite back in 2001.
   From Tom Longshine.

   Add sizes for free() in eso(4).

   OK tedu@

   Add sizes for free() in eap(4).

   OK tedu@

   Add sizes for free() in auixp(4).

   OK tedu@

   Add sizes for free() in auglx(4).

   OK tedu@

   Add sizes for free() in auacer(4).

   OK tedu@

   No use to create resolvers we know are going to be dead; ok florian@

   Revert previous.  When we get an ACPI notification we already have the
   ACPI lock and when we call our own ws_[gs]et_param functions we cannot
   take the lock again, because it's non-recursive.  Thus we need to find
   another way, like not taking the lock if we already have it.  But the
   solutions need to be discussed first, so back it out in the meantime.

   Fix comment: vmctl command options come before arguments

   Run Wycheproof HMAC test vectors against libcrypto.

   Fix documented signatures of HMAC(3) and HMAC_Update(3). The n and len
   arguments were changed from int to size_t with the import of OpenSSL 0.9.8h
   in 2008.

   sync

   usb devices nodes have been excesively permissive.
   repair that.

   sync

   sync

   gpr(4) goes away

   noone has gpr(4) devices.

   actually commit the ssh-sk-helper client code; ok markus

   fix DKIM example

   mistake spotted by jmc@

   perform security key enrollment via ssh-sk-helper too. This means
   that ssh-keygen no longer needs to link against ssh-sk-helper,
   and only ssh-sk-helper needs libfido2 and /dev/uhid* access;

   feedback & ok markus@

   allow sshbuf_put_stringb(buf, NULL); ok markus@

   use ssh-sk-helper for all security key signing operations

   This extracts and refactors the client interface for ssh-sk-helper
   from ssh-agent and generalises it for use by the other programs.
   This means that most OpenSSH tools no longer need to link against
   libfido2 or directly interact with /dev/uhid*

   requested by, feedback and ok markus@

   occuring -> occurring

   spotted by jmc@

   trim previous; ok gilles

   Don't try dead resolvers; ok florian@

   print type as type and not as rcode

   Revert two files committed by accident

   Avoid leaks by using the _buf versions of sldns_wire2str_* functions.
   Also add some consistentcy checking to detect logic errors. ok @florian

   In rde_dispatch_imsg_session() reorder the case blocks a bit so they
   group better together.