Prepare to release Ximenia tomorrow.

In openpam_subst(3), avoid incrementing past the end of the template.
My thanks to Robert Morris <rtm@lcs.mit.edu> for finding and reporting the bug.
2023-06-26 20:49:39 +02:00 · 2023-06-26 20:49:27 +02:00 · 2023-06-26 20:24:42 +02:00 · 2023-06-26 19:51:48 +02:00 · 2021-10-22 17:21:48 +02:00 · 2021-10-22 17:21:48 +02:00
166 changed files with 7440 additions and 2017 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,30 @@
+/aclocal.m4
+/autom4te.cache
+/compile
+/config.guess
+/config.h.in
+/config.h
+/config.log
+/config.status
+/config.sub
+/configure
+/cov
+/depcomp
+/install-sh
+/libtool
+/ltmain.sh
+/missing
+/stamp-h1
+/test-driver
+*~
+.deps
+.libs
+*.a
+*.la
+*.lo
+*.log
+*.o
+*.pc
+*.profraw
+Makefile
+Makefile.in
--- a/30
+++ b/30
@ -1,30 +0,0 @@
-
-Release checklist
-=================
-
-0) Find a code name for the release
-
-1) Update configure.ac and include/security/openpam_version.h
-
-2) Read through the diffs from the last release, and update the change
-   log.
-
-3) Update the release notes.
-
-4) If any files have been added, update the manifest.
-
-5) Run dist.sh to generate a tarball.
-
-6) Unpack the tarball somewhere safe and build everything.
-
-7) Fix any problems.
-
-8) Submit.
-
-9) Re-run dist.sh to roll the actual release.
-
-A) Publish the tarball on SourceForge.
-
-B) Update the website.
-
-$Id$
--- a/25
+++ b/25
@ -1,4 +1,6 @@

+       _Ἀπόδοτε οὖν τὰ Καίσαρος Καίσαρι καὶ τὰ τοῦ Θεοῦ τῷ Θεῷ_
+
 The OpenPAM library was developed for the FreeBSD Project by ThinkSec AS
 and Network Associates Laboratories, the Security Research Division of
 Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
@ -13,29 +15,42 @@ directly or indirectly, with patches, criticism, suggestions, or
 ideas:

 	Andrew Morgan <morgan@transmeta.com>
+	Ankita Pal <pal.ankita.ankita@gmail.com>
+	Baptiste Daroussin <bapt@freebsd.org>
 	Brian Fundakowski Feldman <green@freebsd.org>
+	Brooks Davis <brooks@freebsd.org>
 	Christos Zoulas <christos@netbsd.org>
 	Daniel Richard G. <skunk@iskunk.org>
-	Darren J. Moffat <Darren.Moffat@sun.com>
+	Darren J. Moffat <darren.moffat@sun.com>
+	Dimitry Andric <dim@freebsd.org>
 	Dmitry V. Levin <ldv@altlinux.org>
+	Don Lewis <truckman@freebsd.org>
 	Emmanuel Dreyfus <manu@netbsd.org>
 	Eric Melville <eric@freebsd.org>
-	Gary Winiger <Gary.Winiger@sun.com>
+	Espen Grøndahl <espegro@usit.uio.no>
+	Gary Winiger <gary.winiger@sun.com>
+	Gavin Atkinson <gavin@freebsd.org>
+	Gleb Smirnoff <glebius@freebsd.org>
 	Hubert Feyrer <hubert@feyrer.de>
+	Jason Evans <jasone@freebsd.org>
 	Joe Marcus Clarke <marcus@freebsd.org>
-	Juli Mallett <jmallett@freebsd.org>
 	Jörg Sonnenberger <joerg@britannica.bec.de>
+	Juli Mallett <jmallett@freebsd.org>
+	Larry Baird <lab@gta.com>
+	Maëlle Lesage <lesage.maelle@gmail.com>
 	Mark Murray <markm@freebsd.org>
+	Matthias Drochner <drochner@netbsd.org>
 	Mike Petullo <mike@flyn.org>
 	Mikhail Teterin <mi@aldan.algebra.com>
 	Mikko Työläjärvi <mbsd@pacbell.net>
 	Nick Hibma <nick@van-laarhoven.org>
+	Patrick Bihan-Faou <patrick-fbsd@mindstep.com>
+	Robert Morris <rtm@lcs.mit.edu>
 	Robert Watson <rwatson@freebsd.org>
 	Ruslan Ermilov <ru@freebsd.org>
 	Sebastian Krahmer <sebastian.krahmer@gmail.com>
 	Solar Designer <solar@openwall.com>
 	Takanori Saneto <sanewo@ba2.so-net.ne.jp>
+	Tim Creech <tcreech@tcreech.com>
 	Wojciech A. Koszek <wkoszek@freebsd.org>
 	Yar Tikhiy <yar@freebsd.org>
-
-$Id$
--- a/165
+++ b/165
@ -1,3 +1,156 @@
+OpenPAM Ximenia							2023-06-27
+
+ - BUGFIX: Fix race condition in openpam_ttyconv(3) when used with
+   expect scripts.
+
+ - BUGFIX: In openpam_set_option(3), when removing an option, properly
+   decrement the option count.
+
+ - BUGFIX: In openpam_subst(3), avoid incrementing past the end of the
+   template.
+============================================================================
+OpenPAM Tabebuia						2019-02-24
+
+ - BUGFIX: Fix off-by-one bug in pam_getenv(3) which was introduced in
+   OpenPAM Radula.
+
+ - ENHANCE: Add unit tests for pam_{get,put,set}env(3).
+============================================================================
+OpenPAM Resedacea						2017-04-30
+
+ - BUGFIX: Reinstore the NULL check in pam_end(3) which was removed in
+   OpenPAM Radula, as it breaks common error-handling constructs.
+
+ - BUGFIX: Return PAM_SYMBOL_ERR instead of PAM_SYSTEM_ERR from the
+   dispatcher when the required service function could not be found.
+
+ - ENHANCE: Introduce the PAM_BAD_HANDLE error code for when pamh is
+   NULL in API functions that have a NULL check.
+
+ - ENHANCE: Introduce the PAM_BAD_ITEM, PAM_BAD_FEATURE and
+   PAM_BAD_CONSTANT error codes for situations where we previously
+   incorrectly used PAM_SYMBOL_ERR to denote that an invalid constant
+   had been passed to an API function.
+
+ - ENHANCE: Improve the RETURN VALUES section in API man pages,
+   especially for functions that cannot fail, which were incorrectly
+   documented as returning -1 on failure.
+============================================================================
+OpenPAM Radula							2017-02-19
+
+ - BUGFIX: Fix an inverted test which prevented pam_get_authtok(3) and
+   pam_get_user(3) from using application-provided custom prompts.
+
+ - BUGFIX: Plug a memory leak in pam_set_item(3).
+
+ - BUGFIX: Plug a potential memory leak in openpam_readlinev(3).
+
+ - BUGFIX: In openpam_readword(3), support line continuations within
+   whitespace.
+
+ - ENHANCE: Add a feature flag to control fallback to "other" policy.
+
+ - ENHANCE: Add a pam_return(8) module which returns an arbitrary
+   code specified in the module options.
+
+ - ENHANCE: More and better unit tests.
+============================================================================
+OpenPAM Ourouparia						2014-09-12
+
+ - ENHANCE: When executing a chain, require at least one service
+   function to succeed.  This mitigates fail-open scenarios caused by
+   misconfigurations or missing modules.
+
+ - ENHANCE: Make sure to overwrite buffers which may have contained an
+   authentication token when they're no longer needed.
+
+ - BUGFIX: Under certain circumstances, specifying a non-existent
+   module (or misspelling the name of a module) in a policy could
+   result in a fail-open scenario.  (CVE-2014-3879)
+
+ - FEATURE: Add a search path for modules.  This was implemented in
+   Nummularia but inadvertently left out of the release notes.
+
+ - BUGFIX: The is_upper() predicate only accepted the letter A as an
+   upper-case character instead of the entire A-Z range.  As a result,
+   service and module names containing upper-case letters other than A
+   would be rejected.
+============================================================================
+OpenPAM Nummularia						2013-09-07
+
+ - ENHANCE: Rewrite the dynamic loader to improve readability and
+   reliability.  Modules can now be listed without the ".so" suffix in
+   the policy file; OpenPAM will automatically add it, just like it
+   will automatically add the version number if required.
+
+ - ENHANCE: Allow openpam_straddch(3) to be called without a character
+   so it can be used to preallocate a string.
+
+ - ENHANCE: Improve portability by adding simple asprintf(3) and
+   vasprintf(3) implementations for platforms that don't have them.
+
+ - ENHANCE: Move the libpam sources into a separate subdirectory.
+
+ - ENHANCE: Substantial documentation improvements.
+
+ - BUGFIX: When openpam_readword(3) encountered an opening quote, it
+   would set the first byte in the buffer to '\0', discarding all
+   existing text and, unless the buffer was empty to begin with, all
+   subsequent text as well.  This went unnoticed because none of the
+   unit tests for quoted strings had any text preceding the opening
+   quote.
+
+ - BUGFIX: make --with-modules-dir work the way it was meant to work
+   (but never did).
+============================================================================
+OpenPAM Micrampelis						2012-05-26
+
+ - FEATURE: Add an openpam_readword(3) function which reads the next
+   word from an input stream, applying shell quoting and escaping
+   rules.  Add numerous unit tests for openpam_readword(3).
+
+ - FEATURE: Add an openpam_readlinev(3) function which uses the
+   openpam_readword(3) function to read words from an input stream one
+   at a time until it reaches an unquoted, unescaped newline, and
+   returns an array of those words.  Add several unit tests for
+   openpam_readlinev(3).
+
+ - FEATURE: Add a PAM_HOST item which pam_start(3) initializes to the
+   machine's hostname.  This was implemented in Lycopsida but
+   inadvertantly left out of the release notes.
+
+ - FEATURE: In pam_get_authtok(3), if neither the application nor the
+   module have specified a prompt and PAM_HOST and PAM_RHOST are both
+   defined but not equal, use a different default prompt that includes
+   PAM_USER and PAM_HOST.
+
+ - ENHANCE: Rewrite the policy parser to used openpam_readlinev(),
+   which greatly simplifies the code.
+
+ - ENHANCE: The previous implementation of the policy parser relied on
+   the openpam_readline(3) function, which (by design) munges
+   whitespace and understands neither quotes nor backslash escapes.
+   As a result of the aforementioned rewrite, whitespace, quotes and
+   backslash escapes in policy files are now handled in a consistent
+   and predictable manner.
+
+ - ENHANCE: On platforms that have it, use fdlopen(3) to load modules.
+   This closes the race between the ownership / permission check and
+   the dlopen(3) call.
+
+ - ENHANCE: Reduce the amount of pointless error messages generated
+   while searching for a module.
+
+ - ENHANCE: Numerous documentation improvements, both in content and
+   formatting.
+
+ - BUGFIX: A patch incorporated in Lycopsida inadvertantly changed
+   OpenPAM's behavior when several policies exist for the same
+   service, from ignoring all but the first to concatenating them all.
+   Revert to the original behavior.
+
+ - BUGFIX: Plug a memory leak in the policy parser.
+============================================================================
 OpenPAM Lycopsida						2011-12-18

 - ENHANCE: removed static build autodetection, which didn't work
@ -22,7 +175,7 @@ OpenPAM Lycopsida						2011-12-18
   module before loading it.

 - ENHANCE: added / improved input validation in many cases, including
-   the policy file and some function arguments.
+   the policy file and some function arguments.  (CVE-2011-4122)
 ============================================================================
 OpenPAM Hydrangea						2007-12-21

@ -269,7 +422,7 @@ OpenPAM Cinchona						2002-04-08
 - ENHANCE: Add openpam_free_data(), a generic cleanup function for
   pam_set_data() consumers.
 ============================================================================
-OpenPAM	Centaury						2002-03-14
+OpenPAM Centaury						2002-03-14

 - BUGFIX: Add missing #include <string.h> to openpam_log.c.

@ -308,7 +461,7 @@ OpenPAM Celandine						2002-03-05
   module with the same version number as the library itself to one
   with no version number at all.
 ============================================================================
-OpenPAM	Cantaloupe						2002-02-22
+OpenPAM Cantaloupe						2002-02-22

 - BUGFIX: The proper use of PAM_SYMBOL_ERR is to indicate an invalid
   argument to pam_[gs]et_item(3), not to indicate dlsym(3) failures.
@ -338,7 +491,7 @@ OpenPAM	Cantaloupe						2002-02-22
 - ENHANCE: openpam_get_authtok() now respects the echo_pass,
   try_first_pass, and use_first_pass options.
 ============================================================================
-OpenPAM	Caliopsis						2002-02-13
+OpenPAM Caliopsis						2002-02-13

 Fixed a number of bugs in the previous release, including:
  - a number of bugs in and related to pam_[gs]et_item(3)
@ -349,8 +502,6 @@ Fixed a number of bugs in the previous release, including:
  - missing 'continue' in openpam_dispatch.c caused successes to be
    counted as failures
 ============================================================================
-OpenPAM	Calamite						2002-02-09
+OpenPAM Calamite						2002-02-09

 First (beta) release.
-============================================================================
-$Id$
--- a/2
+++ b/2
@ -54,5 +54,3 @@
  directory:

  # make install
-
-$Id$
--- a/4
+++ b/4
@ -1,6 +1,6 @@

 Copyright (c) 2002-2003 Networks Associates Technology, Inc.
-Copyright (c) 2004-2011 Dag-Erling Smørgrav
+Copyright (c) 2004-2023 Dag-Erling Smørgrav
 All rights reserved.

 This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,5 +31,3 @@ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 SUCH DAMAGE.
-
-$Id$
--- a/Makefile.am
+++ b/Makefile.am
@ -1,13 +1,13 @@
-# $Id$
-
 ACLOCAL_AMFLAGS = -I m4

-SUBDIRS = lib bin modules include
+SUBDIRS = misc include lib bin modules

 if WITH_DOC
 SUBDIRS += doc
 endif

+SUBDIRS += t
+
 EXTRA_DIST = \
 	CREDITS \
 	HISTORY \
@ -17,3 +17,32 @@ EXTRA_DIST = \
 	RELNOTES \
 	autogen.sh \
 	misc/gendoc.pl
+
+if WITH_CODE_COVERAGE
+covdir = @abs_top_builddir@/cov
+coverage: coverage-clean all coverage-prepare coverage-run coverage-report
+coverage-clean:
+	-rm -rf "${covdir}"
+coverage-prepare:
+	mkdir "${covdir}"
+if CLANG_CODE_COVERAGE
+profdata = ${covdir}/@PACKAGE@.profdata
+# hardcoding libpam.so here is horrible, need to find a better solution
+coverage-run:
+	LLVM_PROFILE_FILE="${covdir}/@PACKAGE@.%p.raw" \
+	    ${MAKE} -C "@abs_top_builddir@" check
+coverage-report:
+	llvm-profdata@clang_ver@ merge \
+	    --sparse "${covdir}/@PACKAGE@".*.raw -o "${profdata}"
+	llvm-cov@clang_ver@ show \
+	    --format=html --tab-size=8 \
+	    --output-dir="${covdir}" \
+	    --instr-profile="${profdata}" \
+	    --object "@abs_top_builddir@/lib/libpam/.libs/libpam.so"
+	@echo "coverage report: file://${covdir}/index.html"
+endif
+else
+coverage:
+	echo "code coverage is not enabled." >&2
+	false
+endif
--- a/17
+++ b/17
@ -7,21 +7,4 @@ implementations disagree, OpenPAM tries to remain compatible with
 Solaris, at the expense of XSSO conformance and Linux-PAM
 compatibility.

-These are some of OpenPAM's features:
-
-   - Implements the complete PAM API as described in the original PAM
-     paper and in OSF-RFC 86.0; this corresponds to the full XSSO API
-     except for mappings and secondary authentication.  Also
-     implements some extensions found in Solaris 9.
-
-   - Extends the API with several useful and time-saving functions.
-
-   - Performs strict checking of return values from service modules.
-
-   - Reads configuration from /etc/pam.d/, /etc/pam.conf,
-     /usr/local/etc/pam.d/ and /usr/local/etc/pam.conf, in that order;
-     this will be made configurable in a future release.
-
 Please direct bug reports and inquiries to <des@des.no>.
-
-$Id$
--- a/33
+++ b/33
@ -1,24 +1,21 @@

-		 Release notes for OpenPAM Lycopsida
-		 ===================================
+		  Release notes for OpenPAM Ximenia
+		  =================================

-This release corresponds to the code used in FreeBSD HEAD as of the
-release date, and is also expected to work on almost any POSIX-like
-platform that has GNU autotools, GNU make and the GNU compiler suite
-installed.
+OpenPAM is developed primarily on FreeBSD, but is expected to work on
+almost any POSIX-like platform that has GNU autotools, GNU make and
+the GNU compiler suite installed.

-The library itself is complete.  Documentation exists in the form of
-man pages for the library functions.  These man pages are generated by
-a Perl script from specially marked-up comments in the source files
-themselves, which minimizes the chance that any of them should be out
-of date.
+The OpenPAM distribution consists of the following components:

-The distribution also includes three sample modules (pam_deny,
-pam_permit and pam_unix) and a sample application (su).  These are not
-intended for actual use, but rather to serve as examples for module or
-application developers.  It also includes a command-line application
-(pamtest) which can be used to test policies and modules.
+ - The PAM library itself, with complete API documentation.
+
+ - Sample modules (pam_permit, pam_deny and pam_unix) and a sample
+   application (su) which demonstrate how to use the PAM library.
+
+ - A test application (pamtest) which can be used to test policies and
+   modules.
+
+ - Unit tests for limited portions of the library.

 Please direct bug reports and inquiries to <des@des.no>.
-
-$Id$
--- a/9
+++ b/9
@ -0,0 +1,9 @@
+- Fix try_first_pass / use_first_pass (pam_get_authtok() code &
+  documentation are slightly incorrect, OpenPAM's pam_unix(8) is
+  incorrect, all FreeBSD modules are broken)
+
+- Add loop detection to openpam_load_chain().
+
+- Complete unit tests for openpam_dispatch().
+
+- Stop using PAM_SYMBOL_ERR incorrectly.
--- a/autogen.des
+++ b/autogen.des
@ -1,7 +1,4 @@
 #!/bin/sh
-#
-# $Id$
-#

 set -ex

@ -15,7 +12,8 @@ export CONFIG_SHELL=/bin/sh
 	--with-pam-unix \
 	--with-pamtest \
 	--with-su \
-	--with-modules-dir=/usr/lib \
+	--enable-debug \
 	--enable-developer-warnings \
 	--enable-werror \
+	--enable-code-coverage \
 	"$@"
--- a/autogen.sh
+++ b/autogen.sh
@ -1,10 +1,7 @@
 #!/bin/sh
-#
-# $Id$
-#

-aclocal
 libtoolize --copy --force
+aclocal -I m4
 autoheader
-automake -a -c --foreign
+automake --add-missing --copy --foreign
 autoconf
--- a/bin/Makefile.am
+++ b/bin/Makefile.am
@ -1,6 +1,4 @@
-# $Id$
-
-SUBDIRS =
+SUBDIRS = openpam_dump_policy

 if WITH_PAMTEST
 SUBDIRS += pamtest
--- a/bin/openpam_dump_policy/.gitignore
+++ b/bin/openpam_dump_policy/.gitignore
@ -0,0 +1 @@
+/openpam_dump_policy
--- a/bin/openpam_dump_policy/Makefile.am
+++ b/bin/openpam_dump_policy/Makefile.am
@ -0,0 +1,9 @@
+AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/lib/libpam
+
+noinst_PROGRAMS = openpam_dump_policy
+openpam_dump_policy_SOURCES = openpam_dump_policy.c
+if WITH_SYSTEM_LIBPAM
+openpam_dump_policy_LDADD = $(SYSTEM_LIBPAM)
+else
+openpam_dump_policy_LDADD = $(top_builddir)/lib/libpam/libpam.la
+endif
--- a/bin/openpam_dump_policy/openpam_dump_policy.c
+++ b/bin/openpam_dump_policy/openpam_dump_policy.c
@ -0,0 +1,200 @@
+/*-
+ * Copyright (c) 2011-2014 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+#include "openpam_asprintf.h"
+
+static char *
+openpam_chain_name(const char *service, pam_facility_t fclt)
+{
+	const char *facility = pam_facility_name[fclt];
+	char *name;
+
+	if (asprintf(&name, "pam_%s_%s", service, facility) == -1)
+		return (NULL);
+	return (name);
+}
+
+static char *
+openpam_facility_index_name(pam_facility_t fclt)
+{
+	const char *facility = pam_facility_name[fclt];
+	char *name, *p;
+
+	if (asprintf(&name, "PAM_%s", facility) == -1)
+		return (NULL);
+	for (p = name + 4; *p; ++p)
+		*p = toupper((unsigned char)*p);
+	return (name);
+}
+
+int
+openpam_dump_chain(const char *name, pam_chain_t *chain)
+{
+	char *modname, **opt, *p;
+	int i;
+
+	for (i = 0; chain != NULL; ++i, chain = chain->next) {
+		/* declare the module's struct pam_module */
+		modname = strrchr(chain->module->path, '/');
+		modname = strdup(modname ? modname : chain->module->path);
+		if (modname == NULL)
+			return (PAM_BUF_ERR);
+		for (p = modname; *p && *p != '.'; ++p)
+			/* nothing */ ;
+		*p = '\0';
+		printf("extern struct pam_module %s_pam_module;\n", modname);
+		/* module arguments */
+		printf("static char *%s_%d_optv[] = {\n", name, i);
+		for (opt = chain->optv; *opt; ++opt) {
+			printf("\t\"");
+			for (p = *opt; *p; ++p) {
+				if (isprint((unsigned char)*p) && *p != '"')
+					printf("%c", *p);
+				else
+					printf("\\x%02x", (unsigned char)*p);
+			}
+			printf("\",\n");
+		}
+		printf("\tNULL,\n");
+		printf("};\n");
+		/* next module in chain */
+		if (chain->next != NULL)
+			printf("static pam_chain_t %s_%d;\n", name, i + 1);
+		/* chain entry */
+		printf("static pam_chain_t %s_%d = {\n", name, i);
+		printf("\t.module = &%s_pam_module,\n", modname);
+		printf("\t.flag = 0x%08x,\n", chain->flag);
+		printf("\t.optc = %d,\n", chain->optc);
+		printf("\t.optv = %s_%d_optv,\n", name, i);
+		if (chain->next)
+			printf("\t.next = &%s_%d,\n", name, i + 1);
+		else
+			printf("\t.next = NULL,\n");
+		printf("};\n");
+		free(modname);
+	}
+	return (PAM_SUCCESS);
+}
+
+int
+openpam_dump_policy(const char *service)
+{
+	pam_handle_t *pamh;
+	char *name;
+	int fclt, ret;
+
+	if ((pamh = calloc(1, sizeof *pamh)) == NULL)
+		return (PAM_BUF_ERR);
+	if ((ret = openpam_configure(pamh, service)) != PAM_SUCCESS)
+		return (ret);
+	for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
+		if (pamh->chains[fclt] != NULL) {
+			if ((name = openpam_chain_name(service, fclt)) == NULL)
+				return (PAM_BUF_ERR);
+			ret = openpam_dump_chain(name, pamh->chains[fclt]);
+			free(name);
+			if (ret != PAM_SUCCESS)
+				return (ret);
+		}
+	}
+	printf("static pam_policy_t pam_%s_policy = {\n", service);
+	printf("\t.service = \"%s\",\n", service);
+	printf("\t.chains = {\n");
+	for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
+		if ((name = openpam_facility_index_name(fclt)) == NULL)
+			return (PAM_BUF_ERR);
+		printf("\t\t[%s] = ", name);
+		free(name);
+		if (pamh->chains[fclt] != NULL) {
+			if ((name = openpam_chain_name(service, fclt)) == NULL)
+				return (PAM_BUF_ERR);
+			printf("&%s_0,\n", name);
+			free(name);
+		} else {
+			printf("NULL,\n");
+		}
+	}
+	printf("\t},\n");
+	printf("};\n");
+	free(pamh);
+	return (PAM_SUCCESS);
+}
+
+static void
+usage(void)
+{
+
+	fprintf(stderr, "usage: openpam_dump_policy [-d] policy ...\n");
+	exit(1);
+}
+
+int
+main(int argc, char *argv[])
+{
+	int i, opt;
+
+	while ((opt = getopt(argc, argv, "d")) != -1)
+		switch (opt) {
+		case 'd':
+			openpam_debug = 1;
+			break;
+		default:
+			usage();
+		}
+
+	argc -= optind;
+	argv += optind;
+
+	if (argc < 1)
+		usage();
+
+	printf("#include <security/pam_appl.h>\n");
+	printf("#include \"openpam_impl.h\"\n");
+	for (i = 0; i < argc; ++i)
+		openpam_dump_policy(argv[i]);
+	printf("pam_policy_t *pam_embedded_policies[] = {\n");
+	for (i = 0; i < argc; ++i)
+		printf("\t&pam_%s_policy,\n", argv[i]);
+	printf("\tNULL,\n");
+	printf("};\n");
+	exit(0);
+}
--- a/bin/pamtest/.gitignore
+++ b/bin/pamtest/.gitignore
@ -0,0 +1 @@
+/pamtest
--- a/bin/pamtest/Makefile.am
+++ b/bin/pamtest/Makefile.am
@ -1,9 +1,11 @@
-# $Id$
-
-INCLUDES = -I$(top_srcdir)/include
+AM_CPPFLAGS = -I$(top_srcdir)/include

 bin_PROGRAMS = pamtest
 pamtest_SOURCES = pamtest.c
-pamtest_LDADD = $(top_builddir)/lib/libpam.la
+if WITH_SYSTEM_LIBPAM
+pamtest_LDADD = $(SYSTEM_LIBPAM)
+else
+pamtest_LDADD = $(top_builddir)/lib/libpam/libpam.la
+endif

 dist_man1_MANS = pamtest.1
--- a/bin/pamtest/pamtest.1
+++ b/bin/pamtest/pamtest.1
@ -1,5 +1,5 @@
 .\"-
-.\" Copyright (c) 2011 Dag-Erling Smørgrav
+.\" Copyright (c) 2011-2017 Dag-Erling Smørgrav
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@ -10,6 +10,9 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -23,19 +26,18 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id$
-.\"
-.Dd November 2, 2011
+.Dd July 11, 2013
 .Dt PAMTEST 1
 .Os
 .Sh NAME
 .Nm pamtest
 .Nd PAM policy tester
-.Sh SYNOPSYS
+.Sh SYNOPSIS
 .Nm
-.Op Fl dksv
+.Op Fl dkMPsv
 .Op Fl H Ar rhost
 .Op Fl h Ar host
+.Op Fl T Ar timeout
 .Op Fl t Ar tty
 .Op Fl U Ar ruser
 .Op Fl u Ar user
@ -116,6 +118,11 @@ The default is to use the result of calling
 .Xr gethostname 3 .
 .It Fl k
 Keep going even if one of the commands fails.
+.It Fl M
+Disable path, ownership and permission checks on module files.
+.It Fl P
+Disable service name validation and path, ownership and permission
+checks on policy files.
 .It Fl s
 Set the
 .Dv PAM_SILENT
@ -128,6 +135,9 @@ flag when calling the
 and
 .Xr pam_close_session 3
 primitives.
+.It Fl T Ar timeout
+Set the conversation timeout (in seconds) for
+.Xr openpam_ttyconv 3 .
 .It Fl t Ar tty
 Specify the name of the tty.
 The default is to use the result of calling
@ -149,14 +159,14 @@ policy:
 pamtest -v system auth account change setcred open close unsetcred
 .Ed
 .Sh SEE ALSO
-.Xr openpam 3
-.Xr pam 3
+.Xr openpam 3 ,
+.Xr pam 3 ,
 .Xr pam.conf 5
 .Sh AUTHORS
 The
 .Nm
 utility and this manual page were written by
-.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
+.An Dag-Erling Sm\(/orgrav Aq Mt des@des.no .
 .Sh BUGS
 The
 .Nm
--- a/bin/pamtest/pamtest.c
+++ b/bin/pamtest/pamtest.c
@ -6,11 +6,13 @@
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer
- *    in this position and unchanged.
+ *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -23,8 +25,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -32,6 +32,7 @@
 #endif

 #include <err.h>
+#include <limits.h>
 #include <pwd.h>
 #include <stdarg.h>
 #include <stdio.h>
@ -113,6 +114,7 @@ pt_authenticate(int flags)
 	int pame;

 	flags |= silent;
+	pt_verbose("pam_authenticate()");
 	if ((pame = pam_authenticate(pamh, flags)) != PAM_SUCCESS)
 		pt_error(pame, "pam_authenticate()");
 	return (pame);
@ -127,6 +129,7 @@ pt_acct_mgmt(int flags)
 	int pame;

 	flags |= silent;
+	pt_verbose("pam_acct_mgmt()");
 	if ((pame = pam_acct_mgmt(pamh, flags)) != PAM_SUCCESS)
 		pt_error(pame, "pam_acct_mgmt()");
 	return (pame);
@ -141,6 +144,7 @@ pt_chauthtok(int flags)
 	int pame;

 	flags |= silent;
+	pt_verbose("pam_chauthtok()");
 	if ((pame = pam_chauthtok(pamh, flags)) != PAM_SUCCESS)
 		pt_error(pame, "pam_chauthtok()");
 	return (pame);
@ -155,6 +159,7 @@ pt_setcred(int flags)
 	int pame;

 	flags |= silent;
+	pt_verbose("pam_setcred()");
 	if ((pame = pam_setcred(pamh, flags)) != PAM_SUCCESS)
 		pt_error(pame, "pam_setcred()");
 	return (pame);
@ -169,6 +174,7 @@ pt_open_session(int flags)
 	int pame;

 	flags |= silent;
+	pt_verbose("pam_open_session()");
 	if ((pame = pam_open_session(pamh, flags)) != PAM_SUCCESS)
 		pt_error(pame, "pam_open_session()");
 	return (pame);
@ -183,6 +189,7 @@ pt_close_session(int flags)
 	int pame;

 	flags |= silent;
+	pt_verbose("pam_close_session()");
 	if ((pame = pam_close_session(pamh, flags)) != PAM_SUCCESS)
 		pt_error(pame, "pam_close_session()");
 	return (pame);
@ -261,11 +268,29 @@ static void
 usage(void)
 {

-	fprintf(stderr, "usage: pamtest [-dksv] %s\n",
-	    "[-H rhost] [-h host] [-t tty] [-U ruser] [-u user] service");
+	fprintf(stderr, "usage: pamtest %s service command ...\n",
+	    "[-dkMPsv] [-H rhost] [-h host] [-t tty] [-U ruser] [-u user]");
 	exit(1);
 }

+/*
+ * Handle an option that takes an int argument and can be used only once
+ */
+static void
+opt_num_once(int opt, long *num, const char *arg)
+{
+	char *end;
+	long l;
+
+	l = strtol(arg, &end, 0);
+	if (end == optarg || *end != '\0') {
+		fprintf(stderr,
+		    "The -%c option expects a numeric argument\n", opt);
+		usage();
+	}
+	*num = l;
+}
+
 /*
 * Handle an option that takes a string argument and can be used only once
 */
@ -293,11 +318,12 @@ main(int argc, char *argv[])
 	const char *user = NULL;
 	const char *service = NULL;
 	const char *tty = NULL;
+	long timeout = 0;
 	int keepatit = 0;
 	int pame;
 	int opt;

-	while ((opt = getopt(argc, argv, "dH:h:kst:U:u:v")) != -1)
+	while ((opt = getopt(argc, argv, "dH:h:kMPsT:t:U:u:v")) != -1)
 		switch (opt) {
 		case 'd':
 			openpam_debug++;
@ -311,9 +337,26 @@ main(int argc, char *argv[])
 		case 'k':
 			keepatit = 1;
 			break;
+		case 'M':
+			openpam_set_feature(OPENPAM_RESTRICT_MODULE_NAME, 0);
+			openpam_set_feature(OPENPAM_VERIFY_MODULE_FILE, 0);
+			break;
+		case 'P':
+			openpam_set_feature(OPENPAM_RESTRICT_SERVICE_NAME, 0);
+			openpam_set_feature(OPENPAM_VERIFY_POLICY_FILE, 0);
+			break;
 		case 's':
 			silent = PAM_SILENT;
 			break;
+		case 'T':
+			opt_num_once(opt, &timeout, optarg);
+			if (timeout < 0 || timeout > INT_MAX) {
+				fprintf(stderr,
+				    "Invalid conversation timeout\n");
+				usage();
+			}
+			openpam_ttyconv_timeout = (int)timeout;
+			break;
 		case 't':
 			opt_str_once(opt, &tty, optarg);
 			break;
@ -341,6 +384,8 @@ main(int argc, char *argv[])
 	++argv;

 	/* defaults */
+	if (service == NULL)
+		service = "pamtest";
 	if (rhost == NULL) {
 		if (gethostname(hostname, sizeof(hostname)) == -1)
 			err(1, "gethostname()");
--- a/bin/su/.gitignore
+++ b/bin/su/.gitignore
@ -0,0 +1 @@
+/su
--- a/bin/su/Makefile.am
+++ b/bin/su/Makefile.am
@ -1,9 +1,11 @@
-# $Id$
-
-INCLUDES = -I$(top_srcdir)/include
+AM_CPPFLAGS = -I$(top_srcdir)/include

 bin_PROGRAMS = su
 su_SOURCES = su.c
-su_LDADD = $(top_builddir)/lib/libpam.la
+if WITH_SYSTEM_LIBPAM
+su_LDADD = $(SYSTEM_LIBPAM)
+else
+su_LDADD = $(top_builddir)/lib/libpam/libpam.la
+endif

 dist_man1_MANS = su.1
--- a/bin/su/su.1
+++ b/bin/su/su.1
@ -1,5 +1,5 @@
 .\"-
-.\" Copyright (c) 2011 Dag-Erling Smørgrav
+.\" Copyright (c) 2011-2017 Dag-Erling Smørgrav
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@ -10,6 +10,9 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -23,15 +26,13 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id$
-.\"
 .Dd November 2, 2011
 .Dt SU 1
 .Os
 .Sh NAME
 .Nm su
 .Nd switch user identity
-.Sh SYNOPSYS
+.Sh SYNOPSIS
 .Nm
 .Op Ar login Op Ar ...
 .Sh DESCRIPTION
@ -53,10 +54,10 @@ The
 utility is provided with the OpenPAM library as a sample application
 and should not be used in production systems.
 .Sh SEE ALSO
-.Xr openpam 3
+.Xr openpam 3 ,
 .Xr pam 3
 .Sh AUTHORS
 The
 .Nm
 utility and this manual page were written by
-.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
+.An Dag-Erling Sm\(/orgrav Aq Mt des@des.no .
--- a/bin/su/su.c
+++ b/bin/su/su.c
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
--- a/configure.ac
+++ b/configure.ac
@ -1,27 +1,29 @@
-dnl $Id$
-
-AC_PREREQ([2.62])
-AC_REVISION([$Id$])
-AC_INIT([OpenPAM], [trunk], [des@des.no])
-AC_CONFIG_SRCDIR([lib/pam_start.c])
+AC_PREREQ([2.69])
+AC_INIT([OpenPAM], [trunk], [des@des.no], [openpam], [https://openpam.org/])
+AC_CONFIG_SRCDIR([lib/libpam/pam_start.c])
 AC_CONFIG_MACRO_DIR([m4])
 AM_INIT_AUTOMAKE([foreign])
 AM_CONFIG_HEADER([config.h])

 # C compiler and features
 AC_LANG(C)
-AC_PROG_CC
+AC_PROG_CC([clang gcc cc])
 AC_PROG_CC_STDC
 AC_PROG_CPP
+AC_PROG_CXX([clang++ g++ c++])
 AC_GNU_SOURCE
 AC_C_CONST
 AC_C_RESTRICT
 AC_C_VOLATILE
+AX_COMPILER_VENDOR

 # libtool
 LT_PREREQ([2.2.6])
 LT_INIT([disable-static dlopen])

+# pkg-config
+AX_PROG_PKG_CONFIG
+
 # other programs
 AC_PROG_INSTALL

@ -31,31 +33,29 @@ AC_DEFINE_UNQUOTED(LIB_MAJ, $LIB_MAJ, [OpenPAM library major number])

 AC_ARG_ENABLE([debug],
    AC_HELP_STRING([--enable-debug],
-	[turn debugging on by default]),
-    AC_DEFINE(OPENPAM_DEBUG, 1, [Turn debugging on by default]))
+        [turn debugging macros on]),
+    AC_DEFINE(OPENPAM_DEBUG, 1, [Turn debugging macros on]))

 AC_ARG_ENABLE([unversioned-modules],
    AC_HELP_STRING([--disable-unversioned-modules],
-	[support loading of unversioned modules]),
+        [support loading of unversioned modules]),
    [AS_IF([test x"$enableval" = x"no"], [
-	AC_DEFINE(DISABLE_UNVERSIONED_MODULES,
-	    1,
-	    [Whether loading unversioned modules support is disabled])
+        AC_DEFINE(DISABLE_UNVERSIONED_MODULES,
+            1,
+            [Whether loading unversioned modules support is disabled])
    ])])

 AC_ARG_WITH([modules-dir],
    AC_HELP_STRING([--with-modules-dir=DIR],
-	[OpenPAM modules directory]),
+        [OpenPAM modules directory]),
    [AS_IF([test x"$withval" != x"no"], [
-	OPENPAM_MODULES_DIR="$withval"
-    ], [
-	OPENPAM_MODULES_DIR="$libdir"
-    ])],
-    [OPENPAM_MODULES_DIR="$libdir"])
-AC_DEFINE_UNQUOTED(OPENPAM_MODULES_DIR,
-    "${OPENPAM_MODULES_DIR%/}/",
-    [OpenPAM modules directory])
+        OPENPAM_MODULES_DIR="$withval"
+        AC_DEFINE_UNQUOTED(OPENPAM_MODULES_DIR,
+            "${OPENPAM_MODULES_DIR%/}",
+            [OpenPAM modules directory])
+    ])])
 AC_SUBST(OPENPAM_MODULES_DIR)
+AM_CONDITIONAL([CUSTOM_MODULES_DIR], [test x"$OPENPAM_MODULES_DIR" != x""])

 AC_ARG_WITH([doc],
    AC_HELP_STRING([--without-doc], [do not build documentation]),
@ -64,26 +64,36 @@ AC_ARG_WITH([doc],
 AM_CONDITIONAL([WITH_DOC], [test x"$with_doc" = x"yes"])

 AC_ARG_WITH([pam-unix],
-    AC_HELP_STRING([--with-pam-unix], [compile sample pam_unix(8) implementation]),
+    AC_HELP_STRING([--with-pam-unix], [build sample pam_unix(8) module]),
    [],
    [with_pam_unix=no])
 AM_CONDITIONAL([WITH_PAM_UNIX], [test x"$with_pam_unix" = x"yes"])

 AC_ARG_WITH(pamtest,
-    AC_HELP_STRING([--with-pamtest], [compile test application]),
+    AC_HELP_STRING([--with-pamtest], [build test application]),
    [],
    [with_pamtest=no])
 AM_CONDITIONAL([WITH_PAMTEST], [test x"$with_pamtest" = x"yes"])

 AC_ARG_WITH(su,
-    AC_HELP_STRING([--with-su], [compile sample su(1) implementation]),
+    AC_HELP_STRING([--with-su], [build sample su(1) implementation]),
    [],
    [with_su=no])
 AM_CONDITIONAL([WITH_SU], [test x"$with_su" = x"yes"])

+AC_ARG_WITH(system-libpam,
+    AC_HELP_STRING([--with-system-libpam], [use system libpam]),
+    [],
+    [with_system_libpam=no])
+AM_CONDITIONAL([WITH_SYSTEM_LIBPAM], [test x"$with_system_libpam" = x"yes"])
+
 AC_CHECK_HEADERS([crypt.h])

-AC_CHECK_FUNCS([fpurge strlcmp strlcpy])
+AC_CHECK_FUNCS([asprintf vasprintf])
+AC_CHECK_FUNCS([dlfunc fdlopen])
+AC_CHECK_FUNCS([fpurge])
+AC_CHECK_FUNCS([setlogmask])
+AC_CHECK_FUNCS([strlcat strlcmp strlcpy strlset])

 saved_LIBS="${LIBS}"
 LIBS=""
@ -94,14 +104,19 @@ AC_SUBST(DL_LIBS)

 saved_LIBS="${LIBS}"
 LIBS=""
-AC_CHECK_LIB([crypt], [crypt])
-CRYPT_LIBS="${LIBS}"
+AC_CHECK_LIB([pam], [pam_start])
+SYSTEM_LIBPAM="${LIBS}"
 LIBS="${saved_LIBS}"
-AC_SUBST(CRYPT_LIBS)
+AC_SUBST(SYSTEM_LIBPAM)
+
+AX_PKG_CONFIG_CHECK([cryb-test],
+  [AC_MSG_NOTICE([Cryb test framework found, unit tests enabled.])],
+  [AC_MSG_WARN([Cryb test framework not found, unit tests disabled.])])
+AM_CONDITIONAL([WITH_TEST], [test x"$CRYB_TEST_LIBS" != x""])

 AC_ARG_ENABLE([developer-warnings],
    AS_HELP_STRING([--enable-developer-warnings], [enable strict warnings (default is NO)]),
-    [CFLAGS="${CFLAGS} -Wall -Wextra"])
+    [CFLAGS="${CFLAGS} -Wall -Wextra -Wcast-qual"])
 AC_ARG_ENABLE([debugging-symbols],
    AS_HELP_STRING([--enable-debugging-symbols], [enable debugging symbols (default is NO)]),
    [CFLAGS="${CFLAGS} -O0 -g -fno-inline"])
@ -109,19 +124,47 @@ AC_ARG_ENABLE([werror],
    AS_HELP_STRING([--enable-werror], [use -Werror (default is NO)]),
    [CFLAGS="${CFLAGS} -Werror"])

+AC_ARG_ENABLE([code-coverage],
+    AS_HELP_STRING([--enable-code-coverage],
+        [enable code coverage]))
+AS_IF([test x"$enable_code_coverage" = x"yes"], [
+    AM_COND_IF([WITH_TEST], [
+        AS_IF([test x"$ax_cv_c_compiler_vendor" = x"clang"], [
+            CFLAGS="${CFLAGS} -fprofile-instr-generate -fcoverage-mapping"
+            clang_code_coverage="yes"
+	    AC_SUBST([clang_ver], [${CC#clang}])
+        ], [
+            AC_MSG_ERROR([code coverage is only supported with clang])
+        ])
+        AC_DEFINE([WITH_CODE_COVERAGE], [1], [Define to 1 if code coverage is enabled])
+        AC_MSG_NOTICE([code coverage enabled])
+    ], [
+        AC_MSG_ERROR([code coverage requires unit tests])
+    ])
+])
+AM_CONDITIONAL([WITH_CODE_COVERAGE], [test x"$enable_code_coverage" = x"yes"])
+AM_CONDITIONAL([CLANG_CODE_COVERAGE], [test x"$clang_code_coverage" = x"yes"])
+
 AC_CONFIG_FILES([
+    Makefile
    bin/Makefile
+    bin/openpam_dump_policy/Makefile
    bin/pamtest/Makefile
    bin/su/Makefile
+    doc/Makefile
+    doc/man/Makefile
+    freebsd/Makefile
    include/Makefile
    include/security/Makefile
    lib/Makefile
+    lib/libpam/Makefile
+    misc/Makefile
    modules/Makefile
-    modules/pam_unix/Makefile
    modules/pam_deny/Makefile
    modules/pam_permit/Makefile
-    doc/Makefile
-    doc/man/Makefile
-    Makefile
+    modules/pam_return/Makefile
+    modules/pam_unix/Makefile
+    t/Makefile
 ])
+AC_CONFIG_FILES([misc/coverity.sh],[chmod +x misc/coverity.sh])
 AC_OUTPUT
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@ -1,3 +1 @@
-# $Id$
-
 SUBDIRS = man
--- a/doc/man/.gitignore
+++ b/doc/man/.gitignore
@ -0,0 +1,2 @@
+/*.3
+!/pam_conv.3
--- a/doc/man/Makefile.am
+++ b/doc/man/Makefile.am
@ -1,9 +1,7 @@
-# $Id$
-
 NULL =

 # Standard PAM API
-PMAN = \
+PAM_MAN = \
 	pam_acct_mgmt.3 \
 	pam_authenticate.3 \
 	pam_chauthtok.3 \
@ -24,7 +22,7 @@ PMAN = \
 	$(NULL)

 # Standard module API
-MMAN = \
+MOD_MAN = \
 	pam_sm_acct_mgmt.3 \
 	pam_sm_authenticate.3 \
 	pam_sm_chauthtok.3 \
@ -34,16 +32,21 @@ MMAN = \
 	$(NULL)

 # OpenPAM extensions
-OMAN = \
+OPENPAM_MAN = \
 	openpam_borrow_cred.3 \
 	openpam_free_data.3 \
 	openpam_free_envlist.3 \
+	openpam_get_feature.3 \
 	openpam_get_option.3 \
 	openpam_log.3 \
 	openpam_nullconv.3 \
 	openpam_readline.3 \
+	openpam_readlinev.3 \
+	openpam_readword.3 \
 	openpam_restore_cred.3 \
+	openpam_set_feature.3 \
 	openpam_set_option.3 \
+	openpam_straddch.3 \
 	openpam_subst.3 \
 	openpam_ttyconv.3 \
 	pam_error.3 \
@ -58,27 +61,35 @@ OMAN = \

 EXTRA_DIST = openpam.man pam.man

-ALLCMAN = $(PMAN) $(MMAN) $(OMAN)
+if !WITH_SYSTEM_LIBPAM
+PAMCMAN = $(PAM_MAN) $(MOD_MAN) $(OPENPAM_MAN)
+PAMXMAN = openpam.3 pam.3
+endif

-dist_man3_MANS = $(ALLCMAN) openpam.3 pam.3 pam_conv.3
+ALLCMAN = $(PAMCMAN)
+GENMAN = $(ALLCMAN) $(PAMXMAN)
+
+dist_man3_MANS = $(GENMAN) pam_conv.3

 dist_man5_MANS = pam.conf.5

-CLEANFILES = $(ALLCMAN) openpam.3 pam.3
+CLEANFILES = $(GENMAN)

 GENDOC = $(top_srcdir)/misc/gendoc.pl

-SRCDIR = $(top_srcdir)/lib
+LIBPAMSRCDIR = $(top_srcdir)/lib/libpam

-VPATH = $(SRCDIR)
+VPATH = $(LIBPAMSRCDIR) $(srcdir)

 SUFFIXES = .3

 .c.3: $(GENDOC)
-	perl -w $(GENDOC) $<
+	perl -w $(GENDOC) $< || rm $@

-openpam.3: $(OMAN) $(GENDOC) openpam.man
-	perl -w $(GENDOC) -o $(abs_srcdir)/$(OMAN) <$(srcdir)/openpam.man
+openpam.3: $(OPENPAM_MAN) $(GENDOC) $(srcdir)/openpam.man
+	perl -w $(GENDOC) -o $(OPENPAM_MAN) <$(srcdir)/openpam.man || rm $@

-pam.3: $(PMAN) $(GENDOC) pam.man
-	perl -w $(GENDOC) -p $(abs_srcdir)/$(PMAN) <$(srcdir)/pam.man
+pam.3: $(PAM_MAN) $(GENDOC) $(srcdir)/pam.man
+	perl -w $(GENDOC) -p $(PAM_MAN) <$(srcdir)/pam.man || rm $@
+
+$(GENMAN): $(GENDOC)
--- a/doc/man/openpam.man
+++ b/doc/man/openpam.man
@ -1,6 +1,3 @@
-.\"
-.\" $Id$
-.\"
 .Sh DESCRIPTION
 These functions are OpenPAM extensions to the PAM API.
 Those named
--- a/doc/man/pam.conf.5
+++ b/doc/man/pam.conf.5
@ -1,5 +1,5 @@
 .\"-
-.\" Copyright (c) 2005-2011 Dag-Erling Smørgrav
+.\" Copyright (c) 2005-2017 Dag-Erling Smørgrav
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@ -26,9 +26,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id$
-.\"
-.Dd November 3, 2011
+.Dd March 17, 2013
 .Dt PAM.CONF 5
 .Os
 .Sh NAME
@ -50,7 +48,7 @@ decreasing order of preference:
 .Pp
 If none of these locations contains a policy for the given service,
 the
-.Dv default
+.Dq Dv other
 policy is used instead, if it exists.
 .Pp
 Entries in per-service policy files must be of one of the two forms
@ -65,15 +63,16 @@ Entries in
 policy files are of the same form, but are prefixed by an additional
 field specifying the name of the service they apply to.
 .Pp
-In both types of policy files, blank lines are ignored, as is anything
-to the right of a
+In both cases, blank lines and comments introduced by a
 .Ql #
-sign.
+sign are ignored, and the normal shell quoting rules apply.
+The precise details of how the file is tokenized are described in
+.Xr openpam_readword 3 .
 .Pp
 The
 .Ar facility
 field specifies the facility the entry applies to, and is one of:
-.Bl -tag -width ".Cm password"
+.Bl -tag -width 12n
 .It Cm auth
 Authentication functions
 .Po
@ -99,7 +98,7 @@ The
 field determines how the result returned by the module affects the
 flow of control through (and the final result of) the rest of the
 chain, and is one of:
-.Bl -tag -width ".Cm sufficient"
+.Bl -tag -width 12n
 .It Cm required
 If this module succeeds, the result of the chain will be success
 unless a later module fails.
@ -141,16 +140,18 @@ phase of
 .Pp
 The
 .Ar module-path
-field specifies the name, or optionally the full path, of the module
-to call.
+field specifies the name or full path of the module to call.
+If only the name is specified, the PAM library will search for it in
+the following locations:
+.Bl -enum
+.It
+.Pa /usr/lib
+.It
+.Pa /usr/local/lib
+.El
 .Pp
-The remaining fields are passed as arguments to the module if and when
-it is invoked.
-As a special case, if an argument is of the form ``name=value'' and
-the right-hand side is surrounded by single or double quotes, any
-whitespace between the quote characters will be considered part of the
-same argument rather than a separator between this argument and the
-next.
+The remaining fields, if any, are passed unmodified to the module if
+and when it is invoked.
 .Pp
 The
 .Cm include
@ -161,6 +162,37 @@ This allows one to define system-wide policies which are then included
 into service-specific policies.
 The system-wide policy can then be modified without having to also
 modify each and every service-specific policy.
+.Pp
+.Bf -symbolic
+Take care not to introduce loops when using
+.Cm include
+rules, as there is currently no loop detection in place.
+.Ef
+.Sh MODULE OPTIONS
+Some PAM library functions may alter their behavior when called by a
+service module if certain module options were specified, regardless of
+whether the module itself accords them any importance.
+One such option is
+.Cm debug ,
+which causes the dispatcher to enable debugging messages before
+calling each service function, and disable them afterwards (unless
+they were already enabled).
+Other special options include:
+.Bl -tag -width 12n
+.It Cm authtok_prompt Ns = Ns Ar prompt , Cm oldauthtok_prompt Ns = Ns Ar prompt , Cm user_prompt Ns = Ns Ar prompt
+These options can be used to override the prompts used by
+.Xr pam_get_authtok 3
+and
+.Xr pam_get_user 3 .
+.It Cm echo_pass
+This option controls whether
+.Xr pam_get_authtok 3
+will allow the user to see what they are typing.
+.It Cm try_first_pass , Cm use_first_pass
+These options control
+.Xr pam_get_authtok 3 Ns 's
+use of cached authentication tokens.
+.El
 .Sh SEE ALSO
 .Xr pam 3
 .Sh STANDARDS
@ -177,5 +209,5 @@ DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
 .Pp
-This manual page was written by
-.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
+The OpenPAM library is maintained by
+.An Dag-Erling Sm\(/orgrav Aq Mt des@des.no .
--- a/doc/man/pam.man
+++ b/doc/man/pam.man
@ -1,6 +1,3 @@
-.\"
-.\" $Id$
-.\"
 .Sh DESCRIPTION
 The Pluggable Authentication Modules (PAM) library abstracts a number
 of common authentication-related operations and provides a framework
--- a/doc/man/pam_conv.3
+++ b/doc/man/pam_conv.3
@ -1,6 +1,6 @@
 .\"-
 .\" Copyright (c) 2002-2003 Networks Associates Technology, Inc.
-.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
+.\" Copyright (c) 2004-2017 Dag-Erling Smørgrav
 .\" All rights reserved.
 .\"
 .\" This software was developed for the FreeBSD Project by ThinkSec AS and
@ -32,8 +32,6 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id$
-.\"
 .Dd June 16, 2005
 .Dt PAM_CONV 3
 .Os
@ -76,7 +74,7 @@ item.
 .Pp
 The conversation function's first argument specifies the number of
 messages (up to
-.Dv PAM_NUM_MSG )
+.Dv PAM_MAX_NUM_MSG )
 to process.
 The second argument is a pointer to an array of pointers to
 .Vt pam_message
@ -181,3 +179,6 @@ the Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
+.Pp
+The OpenPAM library is maintained by
+.An Dag-Erling Sm\(/orgrav Aq Mt des@des.no .
--- a/doc/xsso_errata.txt
+++ b/doc/xsso_errata.txt
@ -1,5 +1,3 @@
-$Id$
-
 Errata in XSSO, chapter 5:

 p. 25:	the first member of struct pam_response is named "resp", not
--- a/freebsd/.gitignore
+++ b/freebsd/.gitignore
@ -0,0 +1,2 @@
+!/Makefile.in
+/work
--- a/freebsd/Makefile.in
+++ b/freebsd/Makefile.in
@ -0,0 +1,33 @@
+# $FreeBSD: portlint$
+
+PORTNAME=	@PACKAGE_TARNAME@
+PORTVERSION=	@PACKAGE_VERSION@
+CATEGORIES=	security devel
+MASTER_SITES=	#
+DISTFILES=	#
+
+MAINTAINER=	@PACKAGE_BUGREPORT@
+COMMENT=	BSD-licensed implementation of Pluggable Authentication Modules
+
+LICENSE=	BSD3CLAUSE
+
+USES=		gmake libtool pkgconfig
+USE_LDCONFIG=	yes
+GNU_CONFIGURE=	yes
+INSTALL_TARGET=	install-strip
+TEST_TARGET=	check
+
+DESCR=		${WRKDIR}/pkg-descr
+
+do-extract:
+	(cd @abs_top_srcdir@ && \
+	    ${GMAKE} distdir && ${MV} ${PKGNAME} ${WRKDIR})
+	(${CAT} ${WRKSRC}/README && ${ECHO} && \
+	    ${ECHO} "WWW: @PACKAGE_URL@") >${DESCR}
+
+post-stage:
+	(cd ${STAGEDIR} && \
+	    ${FIND} -s . -type f -or -type l | cut -c 2- | \
+	    ${SED} -E '/\/man\//s/([0-9])$$/\1.gz/') >>${TMPPLIST}
+
+.include <bsd.port.mk>
--- a/include/Makefile.am
+++ b/include/Makefile.am
@ -1,3 +1 @@
-# $Id$
-
 SUBDIRS = security
--- a/include/security/Makefile.am
+++ b/include/security/Makefile.am
@ -1,8 +1,6 @@
-# $Id$
+securitydir = $(includedir)/security

-openpamdir = $(includedir)/security
-
-openpam_HEADERS = \
+security_HEADERS = \
 	openpam.h \
 	openpam_attr.h \
 	openpam_version.h \
--- a/include/security/openpam.h
+++ b/include/security/openpam.h
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2015 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifndef SECURITY_OPENPAM_H_INCLUDED
@ -157,12 +155,50 @@ openpam_readline(FILE *_f,
 	int *_lineno,
 	size_t *_lenp)
 	OPENPAM_NONNULL((1));
+
+char **
+openpam_readlinev(FILE *_f,
+	int *_lineno,
+	int *_lenp)
+	OPENPAM_NONNULL((1));
+
+char *
+openpam_readword(FILE *_f,
+	int *_lineno,
+	size_t *_lenp)
+	OPENPAM_NONNULL((1));
 #endif

+int
+openpam_straddch(char **_str,
+	size_t *_sizep,
+	size_t *_lenp,
+	int ch)
+	OPENPAM_NONNULL((1));
+
+/*
+ * Enable / disable optional features
+ */
+enum {
+	OPENPAM_RESTRICT_SERVICE_NAME,
+	OPENPAM_VERIFY_POLICY_FILE,
+	OPENPAM_RESTRICT_MODULE_NAME,
+	OPENPAM_VERIFY_MODULE_FILE,
+	OPENPAM_FALLBACK_TO_OTHER,
+	OPENPAM_NUM_FEATURES
+};
+
+int
+openpam_set_feature(int _feature, int _onoff);
+
+int
+openpam_get_feature(int _feature, int *_onoff);
+
 /*
 * Log levels
 */
 enum {
+	PAM_LOG_LIBDEBUG = -1,
 	PAM_LOG_DEBUG,
 	PAM_LOG_VERBOSE,
 	PAM_LOG_NOTICE,
@ -196,8 +232,8 @@ _openpam_log(int _level,
 void
 openpam_log(int _level,
 	const char *_format,
- 	...)
- 	OPENPAM_FORMAT ((__printf__, 2, 3))
+	...)
+	OPENPAM_FORMAT ((__printf__, 2, 3))
 	OPENPAM_NONNULL((2));
 #endif

--- a/include/security/openpam_attr.h
+++ b/include/security/openpam_attr.h
@ -1,9 +1,5 @@
-/*
- * $Id$
- */
-
-#ifndef SECURITY_PAM_ATTRIBUTES_H_INCLUDED
-#define SECURITY_PAM_ATTRIBUTES_H_INCLUDED
+#ifndef SECURITY_OPENPAM_ATTR_H_INCLUDED
+#define SECURITY_OPENPAM_ATTR_H_INCLUDED

 /* GCC attributes */
 #if defined(__GNUC__) && defined(__GNUC_MINOR__) && !defined(__STRICT_ANSI__)
@ -25,4 +21,10 @@
 # define OPENPAM_NONNULL(params)
 #endif

-#endif /* !SECURITY_PAM_ATTRIBUTES_H_INCLUDED */
+#if OPENPAM_GNUC_PREREQ(2,7)
+# define OPENPAM_UNUSED(var) var __attribute__((__unused__))
+#else
+# define OPENPAM_UNUSED(var) var
+#endif
+
+#endif /* !SECURITY_OPENPAM_ATTR_H_INCLUDED */
--- a/include/security/openpam_version.h
+++ b/include/security/openpam_version.h
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2023 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,15 +31,13 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifndef SECURITY_OPENPAM_VERSION_H_INCLUDED
 #define SECURITY_OPENPAM_VERSION_H_INCLUDED

 #define OPENPAM
-#define OPENPAM_VERSION	20111218
-#define OPENPAM_RELEASE	"Lycopsida"
+#define OPENPAM_VERSION	20230627
+#define OPENPAM_RELEASE	"Ximenia"

 #endif /* !SECURITY_OPENPAM_VERSION_H_INCLUDED */
--- a/include/security/pam_appl.h
+++ b/include/security/pam_appl.h
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2017 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifndef SECURITY_PAM_APPL_H_INCLUDED
--- a/include/security/pam_constants.h
+++ b/include/security/pam_constants.h
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2017 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifndef SECURITY_PAM_CONSTANTS_H_INCLUDED
@ -78,6 +76,10 @@ enum {
 	PAM_TRY_AGAIN			=  27,
 	PAM_MODULE_UNKNOWN		=  28,
 	PAM_DOMAIN_UNKNOWN		=  29,
+	PAM_BAD_HANDLE			=  30,		/* OpenPAM extension */
+	PAM_BAD_ITEM			=  31,		/* OpenPAM extension */
+	PAM_BAD_FEATURE			=  32,		/* OpenPAM extension */
+	PAM_BAD_CONSTANT		=  33,		/* OpenPAM extension */
 	PAM_NUM_ERRORS					/* OpenPAM extension */
 };

--- a/include/security/pam_modules.h
+++ b/include/security/pam_modules.h
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifndef SECURITY_PAM_MODULES_H_INCLUDED
--- a/include/security/pam_types.h
+++ b/include/security/pam_types.h
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifndef SECURITY_PAM_TYPES_H_INCLUDED
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@ -1,83 +1,5 @@
-# $Id$
+SUBDIRS =

-NULL =
-
-INCLUDES = -I$(top_srcdir)/include
-
-lib_LTLIBRARIES = libpam.la
-
-noinst_HEADERS = \
-	openpam_constants.h \
-	openpam_debug.h \
-	openpam_impl.h \
-	openpam_strlcmp.h \
-	openpam_strlcpy.h
-
-libpam_la_SOURCES = \
-	openpam_borrow_cred.c \
-	openpam_check_owner_perms.c \
-	openpam_configure.c \
-	openpam_constants.c \
-	openpam_dispatch.c \
-	openpam_dynamic.c \
-	openpam_findenv.c \
-	openpam_free_data.c \
-	openpam_free_envlist.c \
-	openpam_get_option.c \
-	openpam_load.c \
-	openpam_log.c \
-	openpam_nullconv.c \
-	openpam_readline.c \
-	openpam_restore_cred.c \
-	openpam_set_option.c \
-	openpam_static.c \
-	openpam_subst.c \
-	openpam_ttyconv.c \
-	pam_acct_mgmt.c \
-	pam_authenticate.c \
-	pam_chauthtok.c \
-	pam_close_session.c \
-	pam_end.c \
-	pam_error.c \
-	pam_get_authtok.c \
-	pam_get_data.c \
-	pam_get_item.c \
-	pam_get_user.c \
-	pam_getenv.c \
-	pam_getenvlist.c \
-	pam_info.c \
-	pam_open_session.c \
-	pam_prompt.c \
-	pam_putenv.c \
-	pam_set_data.c \
-	pam_set_item.c \
-	pam_setcred.c \
-	pam_setenv.c \
-	pam_start.c \
-	pam_strerror.c \
-	pam_verror.c \
-	pam_vinfo.c \
-	pam_vprompt.c \
-	$(NULL)
-
-libpam_la_LDFLAGS = -no-undefined -version-info @LIB_MAJ@
-libpam_la_LIBADD = @DL_LIBS@
-
-EXTRA_DIST = \
-	pam_authenticate_secondary.c \
-	pam_get_mapped_authtok.c \
-	pam_get_mapped_username.c \
-	pam_set_mapped_authtok.c \
-	pam_set_mapped_username.c \
-	\
-	pam_sm_acct_mgmt.c \
-	pam_sm_authenticate.c \
-	pam_sm_authenticate_secondary.c \
-	pam_sm_chauthtok.c \
-	pam_sm_close_session.c \
-	pam_sm_get_mapped_authtok.c \
-	pam_sm_get_mapped_username.c \
-	pam_sm_open_session.c \
-	pam_sm_set_mapped_authtok.c \
-	pam_sm_set_mapped_username.c \
-	pam_sm_setcred.c
+if !WITH_SYSTEM_LIBPAM
+SUBDIRS += libpam
+endif
--- a/lib/libpam/Makefile.am
+++ b/lib/libpam/Makefile.am
@ -0,0 +1,100 @@
+NULL =
+
+AM_CPPFLAGS = -I$(top_srcdir)/include
+
+lib_LTLIBRARIES = libpam.la
+
+noinst_HEADERS = \
+	openpam_asprintf.h \
+	openpam_constants.h \
+	openpam_cred.h \
+	openpam_ctype.h \
+	openpam_debug.h \
+	openpam_dlfunc.h \
+	openpam_features.h \
+	openpam_impl.h \
+	openpam_strlcat.h \
+	openpam_strlcmp.h \
+	openpam_strlcpy.h \
+	openpam_strlset.h \
+	openpam_vasprintf.h
+
+libpam_la_SOURCES = \
+	openpam_asprintf.c \
+	openpam_borrow_cred.c \
+	openpam_check_owner_perms.c \
+	openpam_configure.c \
+	openpam_constants.c \
+	openpam_dispatch.c \
+	openpam_dynamic.c \
+	openpam_features.c \
+	openpam_findenv.c \
+	openpam_free_data.c \
+	openpam_free_envlist.c \
+	openpam_get_feature.c \
+	openpam_get_option.c \
+	openpam_load.c \
+	openpam_log.c \
+	openpam_nullconv.c \
+	openpam_readline.c \
+	openpam_readlinev.c \
+	openpam_readword.c \
+	openpam_restore_cred.c \
+	openpam_set_option.c \
+	openpam_set_feature.c \
+	openpam_static.c \
+	openpam_straddch.c \
+	openpam_strlcat.c \
+	openpam_strlcpy.c \
+	openpam_strlset.c \
+	openpam_subst.c \
+	openpam_vasprintf.c \
+	openpam_ttyconv.c \
+	pam_acct_mgmt.c \
+	pam_authenticate.c \
+	pam_chauthtok.c \
+	pam_close_session.c \
+	pam_end.c \
+	pam_error.c \
+	pam_get_authtok.c \
+	pam_get_data.c \
+	pam_get_item.c \
+	pam_get_user.c \
+	pam_getenv.c \
+	pam_getenvlist.c \
+	pam_info.c \
+	pam_open_session.c \
+	pam_prompt.c \
+	pam_putenv.c \
+	pam_set_data.c \
+	pam_set_item.c \
+	pam_setcred.c \
+	pam_setenv.c \
+	pam_start.c \
+	pam_strerror.c \
+	pam_verror.c \
+	pam_vinfo.c \
+	pam_vprompt.c \
+	$(NULL)
+
+libpam_la_LDFLAGS = -no-undefined -version-info $(LIB_MAJ)
+libpam_la_LIBADD = $(DL_LIBS)
+
+EXTRA_DIST = \
+	pam_authenticate_secondary.c \
+	pam_get_mapped_authtok.c \
+	pam_get_mapped_username.c \
+	pam_set_mapped_authtok.c \
+	pam_set_mapped_username.c \
+	\
+	pam_sm_acct_mgmt.c \
+	pam_sm_authenticate.c \
+	pam_sm_authenticate_secondary.c \
+	pam_sm_chauthtok.c \
+	pam_sm_close_session.c \
+	pam_sm_get_mapped_authtok.c \
+	pam_sm_get_mapped_username.c \
+	pam_sm_open_session.c \
+	pam_sm_set_mapped_authtok.c \
+	pam_sm_set_mapped_username.c \
+	pam_sm_setcred.c
--- a/lib/libpam/openpam_asprintf.c
+++ b/lib/libpam/openpam_asprintf.c
@ -0,0 +1,55 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#ifndef HAVE_ASPRINTF
+
+#include <stdarg.h>
+#include <stdio.h>
+
+#include "openpam_asprintf.h"
+#include "openpam_vasprintf.h"
+
+/* like sprintf(3), but allocates memory for the result. */
+int
+openpam_asprintf(char **str, const char *fmt, ...)
+{
+        va_list ap;
+        int ret;
+
+        va_start(ap, fmt);
+        ret = vasprintf(str, fmt, ap);
+        va_end(ap);
+        return (ret);
+}
+
+#endif
--- a/lib/libpam/openpam_asprintf.h
+++ b/lib/libpam/openpam_asprintf.h
@ -0,0 +1,39 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef OPENPAM_ASPRINTF_H_INCLUDED
+#define OPENPAM_ASPRINTF_H_INCLUDED
+
+#ifndef HAVE_ASPRINTF
+int openpam_asprintf(char **, const char *, ...);
+#undef asprintf
+#define asprintf(arg, ...) openpam_asprintf(arg, __VA_ARGS__)
+#endif
+
+#endif
--- a/lib/libpam/openpam_borrow_cred.c
+++ b/lib/libpam/openpam_borrow_cred.c
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -50,6 +48,7 @@
 #include <security/pam_appl.h>

 #include "openpam_impl.h"
+#include "openpam_cred.h"

 /*
 * OpenPAM extension
@ -68,12 +67,12 @@ openpam_borrow_cred(pam_handle_t *pamh,
 	ENTERI(pwd->pw_uid);
 	r = pam_get_data(pamh, PAM_SAVED_CRED, &scredp);
 	if (r == PAM_SUCCESS && scredp != NULL) {
-		openpam_log(PAM_LOG_DEBUG,
+		openpam_log(PAM_LOG_LIBDEBUG,
 		    "already operating under borrowed credentials");
 		RETURNC(PAM_SYSTEM_ERR);
 	}
 	if (geteuid() != 0 && geteuid() != pwd->pw_uid) {
-		openpam_log(PAM_LOG_DEBUG, "called with non-zero euid: %d",
+		openpam_log(PAM_LOG_LIBDEBUG, "called with non-zero euid: %d",
 		    (int)geteuid());
 		RETURNC(PAM_PERM_DENIED);
 	}
--- a/lib/libpam/openpam_check_owner_perms.c
+++ b/lib/libpam/openpam_check_owner_perms.c
@ -6,11 +6,13 @@
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer
- *    in this position and unchanged.
+ *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -23,8 +25,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -67,6 +67,12 @@ openpam_check_desc_owner_perms(const char *name, int fd)
 		errno = serrno;
 		return (-1);
 	}
+	if (!S_ISREG(sb.st_mode)) {
+		openpam_log(PAM_LOG_ERROR,
+		    "%s: not a regular file", name);
+		errno = EINVAL;
+		return (-1);
+	}
 	if ((sb.st_uid != root && sb.st_uid != arbitrator) ||
 	    (sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
 		openpam_log(PAM_LOG_ERROR,
@ -84,7 +90,7 @@ openpam_check_desc_owner_perms(const char *name, int fd)
 * up to it are owned by either root or the arbitrator and that they are
 * not writable by group or other.
 *
- * Note that openpam_check_file_owner_perms() should be used instead if
+ * Note that openpam_check_desc_owner_perms() should be used instead if
 * possible to avoid a race between the ownership / permission check and
 * the actual open().
 */
@ -95,8 +101,9 @@ openpam_check_path_owner_perms(const char *path)
 	uid_t root, arbitrator;
 	char pathbuf[PATH_MAX];
 	struct stat sb;
-	int len, serrno;
+	int len, serrno, tip;

+	tip = 1;
 	root = 0;
 	arbitrator = geteuid();
 	if (realpath(path, pathbuf) == NULL)
@ -104,9 +111,17 @@ openpam_check_path_owner_perms(const char *path)
 	len = strlen(pathbuf);
 	while (len > 0) {
 		if (stat(pathbuf, &sb) != 0) {
-			serrno = errno;
-			openpam_log(PAM_LOG_ERROR, "%s: %m", pathbuf);
-			errno = serrno;
+			if (errno != ENOENT) {
+				serrno = errno;
+				openpam_log(PAM_LOG_ERROR, "%s: %m", pathbuf);
+				errno = serrno;
+			}
+			return (-1);
+		}
+		if (tip && !S_ISREG(sb.st_mode)) {
+			openpam_log(PAM_LOG_ERROR,
+			    "%s: not a regular file", pathbuf);
+			errno = EINVAL;
 			return (-1);
 		}
 		if ((sb.st_uid != root && sb.st_uid != arbitrator) ||
@ -118,6 +133,7 @@ openpam_check_path_owner_perms(const char *path)
 		}
 		while (--len > 0 && pathbuf[len] != '/')
 			pathbuf[len] = '\0';
+		tip = 0;
 	}
 	return (0);
 }
--- a/lib/libpam/openpam_configure.c
+++ b/lib/libpam/openpam_configure.c
@ -0,0 +1,486 @@
+/*-
+ * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2004-2015 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * Network Associates Laboratories, the Security Research Division of
+ * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <sys/param.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+#include "openpam_ctype.h"
+#include "openpam_strlcat.h"
+#include "openpam_strlcpy.h"
+
+static int openpam_load_chain(pam_handle_t *, const char *, pam_facility_t);
+
+/*
+ * Validate a service name.
+ *
+ * Returns a non-zero value if the argument points to a NUL-terminated
+ * string consisting entirely of characters in the POSIX portable filename
+ * character set, excluding the path separator character.
+ */
+static int
+valid_service_name(const char *name)
+{
+	const char *p;
+
+	if (OPENPAM_FEATURE(RESTRICT_SERVICE_NAME)) {
+		/* path separator not allowed */
+		for (p = name; *p != '\0'; ++p)
+			if (!is_pfcs(*p))
+				return (0);
+	} else {
+		/* path separator allowed */
+		for (p = name; *p != '\0'; ++p)
+			if (!is_pfcs(*p) && *p != '/')
+				return (0);
+	}
+	return (1);
+}
+
+/*
+ * Parse the facility name.
+ *
+ * Returns the corresponding pam_facility_t value, or -1 if the argument
+ * is not a valid facility name.
+ */
+static pam_facility_t
+parse_facility_name(const char *name)
+{
+	int i;
+
+	for (i = 0; i < PAM_NUM_FACILITIES; ++i)
+		if (strcmp(pam_facility_name[i], name) == 0)
+			return (i);
+	return ((pam_facility_t)-1);
+}
+
+/*
+ * Parse the control flag.
+ *
+ * Returns the corresponding pam_control_t value, or -1 if the argument is
+ * not a valid control flag name.
+ */
+static pam_control_t
+parse_control_flag(const char *name)
+{
+	int i;
+
+	for (i = 0; i < PAM_NUM_CONTROL_FLAGS; ++i)
+		if (strcmp(pam_control_flag_name[i], name) == 0)
+			return (i);
+	return ((pam_control_t)-1);
+}
+
+/*
+ * Validate a file name.
+ *
+ * Returns a non-zero value if the argument points to a NUL-terminated
+ * string consisting entirely of characters in the POSIX portable filename
+ * character set, including the path separator character.
+ */
+static int
+valid_module_name(const char *name)
+{
+	const char *p;
+
+	if (OPENPAM_FEATURE(RESTRICT_MODULE_NAME)) {
+		/* path separator not allowed */
+		for (p = name; *p != '\0'; ++p)
+			if (!is_pfcs(*p))
+				return (0);
+	} else {
+		/* path separator allowed */
+		for (p = name; *p != '\0'; ++p)
+			if (!is_pfcs(*p) && *p != '/')
+				return (0);
+	}
+	return (1);
+}
+
+typedef enum { pam_conf_style, pam_d_style } openpam_style_t;
+
+/*
+ * Extracts given chains from a policy file.
+ *
+ * Returns the number of policy entries which were found for the specified
+ * service and facility, or -1 if a system error occurred or a syntax
+ * error was encountered.
+ */
+static int
+openpam_parse_chain(pam_handle_t *pamh,
+	const char *service,
+	pam_facility_t facility,
+	FILE *f,
+	const char *filename,
+	openpam_style_t style)
+{
+	pam_chain_t *this, **next;
+	pam_facility_t fclt;
+	pam_control_t ctlf;
+	char *name, *servicename, *modulename;
+	int count, lineno, ret, serrno;
+	char **wordv, *word;
+	int i, wordc;
+
+	count = 0;
+	this = NULL;
+	name = NULL;
+	lineno = 0;
+	wordc = 0;
+	wordv = NULL;
+	while ((wordv = openpam_readlinev(f, &lineno, &wordc)) != NULL) {
+		/* blank line? */
+		if (wordc == 0) {
+			FREEV(wordc, wordv);
+			continue;
+		}
+		i = 0;
+
+		/* check service name if necessary */
+		if (style == pam_conf_style &&
+		    strcmp(wordv[i++], service) != 0) {
+			FREEV(wordc, wordv);
+			continue;
+		}
+
+		/* check facility name */
+		if ((word = wordv[i++]) == NULL ||
+		    (fclt = parse_facility_name(word)) == (pam_facility_t)-1) {
+			openpam_log(PAM_LOG_ERROR,
+			    "%s(%d): missing or invalid facility",
+			    filename, lineno);
+			errno = EINVAL;
+			goto fail;
+		}
+		if (facility != fclt && facility != PAM_FACILITY_ANY) {
+			FREEV(wordc, wordv);
+			continue;
+		}
+
+		/* check for "include" */
+		if ((word = wordv[i++]) != NULL &&
+		    strcmp(word, "include") == 0) {
+			if ((servicename = wordv[i++]) == NULL ||
+			    !valid_service_name(servicename)) {
+				openpam_log(PAM_LOG_ERROR,
+				    "%s(%d): missing or invalid service name",
+				    filename, lineno);
+				errno = EINVAL;
+				goto fail;
+			}
+			if (wordv[i] != NULL) {
+				openpam_log(PAM_LOG_ERROR,
+				    "%s(%d): garbage at end of line",
+				    filename, lineno);
+				errno = EINVAL;
+				goto fail;
+			}
+			ret = openpam_load_chain(pamh, servicename, fclt);
+			FREEV(wordc, wordv);
+			if (ret < 0) {
+				/*
+				 * Bogus errno, but this ensures that the
+				 * outer loop does not just ignore the
+				 * error and keep searching.
+				 */
+				if (errno == ENOENT)
+					errno = EINVAL;
+				goto fail;
+			}
+			continue;
+		}
+
+		/* get control flag */
+		if (word == NULL || /* same word we compared to "include" */
+		    (ctlf = parse_control_flag(word)) == (pam_control_t)-1) {
+			openpam_log(PAM_LOG_ERROR,
+			    "%s(%d): missing or invalid control flag",
+			    filename, lineno);
+			errno = EINVAL;
+			goto fail;
+		}
+
+		/* get module name */
+		if ((modulename = wordv[i++]) == NULL ||
+		    !valid_module_name(modulename)) {
+			openpam_log(PAM_LOG_ERROR,
+			    "%s(%d): missing or invalid module name",
+			    filename, lineno);
+			errno = EINVAL;
+			goto fail;
+		}
+
+		/* allocate new entry */
+		if ((this = calloc(1, sizeof *this)) == NULL)
+			goto syserr;
+		this->flag = ctlf;
+
+		/* load module */
+		if ((this->module = openpam_load_module(modulename)) == NULL) {
+			if (errno == ENOENT)
+				errno = ENOEXEC;
+			goto fail;
+		}
+
+		/*
+		 * The remaining items in wordv are the module's
+		 * arguments.  We could set this->optv = wordv + i, but
+		 * then free(this->optv) wouldn't work.  Instead, we free
+		 * the words we've already consumed, shift the rest up,
+		 * and clear the tail end of the array.
+		 */
+		this->optc = wordc - i;
+		for (i = 0; i < wordc - this->optc; ++i) {
+			FREE(wordv[i]);
+		}
+		for (i = 0; i < this->optc; ++i) {
+			wordv[i] = wordv[wordc - this->optc + i];
+			wordv[wordc - this->optc + i] = NULL;
+		}
+		this->optv = wordv;
+		wordv = NULL;
+		wordc = 0;
+
+		/* hook it up */
+		for (next = &pamh->chains[fclt]; *next != NULL;
+		     next = &(*next)->next)
+			/* nothing */ ;
+		*next = this;
+		this = NULL;
+		++count;
+	}
+	/*
+	 * The loop ended because openpam_readword() returned NULL, which
+	 * can happen for four different reasons: an I/O error (ferror(f)
+	 * is true), a memory allocation failure (ferror(f) is false,
+	 * feof(f) is false, errno is non-zero), the file ended with an
+	 * unterminated quote or backslash escape (ferror(f) is false,
+	 * feof(f) is true, errno is non-zero), or the end of the file was
+	 * reached without error (ferror(f) is false, feof(f) is true,
+	 * errno is zero).
+	 */
+	if (ferror(f) || errno != 0)
+		goto syserr;
+	if (!feof(f))
+		goto fail;
+	fclose(f);
+	return (count);
+syserr:
+	serrno = errno;
+	openpam_log(PAM_LOG_ERROR, "%s: %m", filename);
+	errno = serrno;
+	/* fall through */
+fail:
+	serrno = errno;
+	if (this && this->optc && this->optv)
+		FREEV(this->optc, this->optv);
+	FREE(this);
+	FREEV(wordc, wordv);
+	FREE(wordv);
+	FREE(name);
+	fclose(f);
+	errno = serrno;
+	return (-1);
+}
+
+/*
+ * Read the specified chains from the specified file.
+ *
+ * Returns 0 if the file exists but does not contain any matching lines.
+ *
+ * Returns -1 and sets errno to ENOENT if the file does not exist.
+ *
+ * Returns -1 and sets errno to some other non-zero value if the file
+ * exists but is unsafe or unreadable, or an I/O error occurs.
+ */
+static int
+openpam_load_file(pam_handle_t *pamh,
+	const char *service,
+	pam_facility_t facility,
+	const char *filename,
+	openpam_style_t style)
+{
+	FILE *f;
+	int ret, serrno;
+
+	/* attempt to open the file */
+	if ((f = fopen(filename, "r")) == NULL) {
+		serrno = errno;
+		openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_ERROR,
+		    "%s: %m", filename);
+		errno = serrno;
+		RETURNN(-1);
+	} else {
+		openpam_log(PAM_LOG_DEBUG, "found %s", filename);
+	}
+
+	/* verify type, ownership and permissions */
+	if (OPENPAM_FEATURE(VERIFY_POLICY_FILE) &&
+	    openpam_check_desc_owner_perms(filename, fileno(f)) != 0) {
+		/* already logged the cause */
+		serrno = errno;
+		fclose(f);
+		errno = serrno;
+		RETURNN(-1);
+	}
+
+	/* parse the file */
+	ret = openpam_parse_chain(pamh, service, facility,
+	    f, filename, style);
+	RETURNN(ret);
+}
+
+/*
+ * Locates the policy file for a given service and reads the given chains
+ * from it.
+ *
+ * Returns the number of policy entries which were found for the specified
+ * service and facility, or -1 if a system error occurred or a syntax
+ * error was encountered.
+ */
+static int
+openpam_load_chain(pam_handle_t *pamh,
+	const char *service,
+	pam_facility_t facility)
+{
+	const char *p, **path;
+	char filename[PATH_MAX];
+	size_t len;
+	openpam_style_t style;
+	int ret;
+
+	ENTERS(facility < 0 ? "any" : pam_facility_name[facility]);
+
+	/* either absolute or relative to cwd */
+	if (strchr(service, '/') != NULL) {
+		if ((p = strrchr(service, '.')) != NULL && strcmp(p, ".conf") == 0)
+			style = pam_conf_style;
+		else
+			style = pam_d_style;
+		ret = openpam_load_file(pamh, service, facility,
+		    service, style);
+		RETURNN(ret);
+	}
+
+	/* search standard locations */
+	for (path = openpam_policy_path; *path != NULL; ++path) {
+		/* construct filename */
+		len = strlcpy(filename, *path, sizeof filename);
+		if (len >= sizeof filename) {
+			errno = ENAMETOOLONG;
+			RETURNN(-1);
+		}
+		if (filename[len - 1] == '/') {
+			len = strlcat(filename, service, sizeof filename);
+			if (len >= sizeof filename) {
+				errno = ENAMETOOLONG;
+				RETURNN(-1);
+			}
+			style = pam_d_style;
+		} else {
+			style = pam_conf_style;
+		}
+		ret = openpam_load_file(pamh, service, facility,
+		    filename, style);
+		/* success */
+		if (ret > 0)
+			RETURNN(ret);
+		/* the file exists, but an error occurred */
+		if (ret == -1 && errno != ENOENT)
+			RETURNN(ret);
+		/* in pam.d style, an empty file counts as a hit */
+		if (ret == 0 && style == pam_d_style)
+			RETURNN(ret);
+	}
+
+	/* no hit */
+	errno = ENOENT;
+	RETURNN(-1);
+}
+
+/*
+ * OpenPAM internal
+ *
+ * Configure a service
+ */
+
+int
+openpam_configure(pam_handle_t *pamh,
+	const char *service)
+{
+	pam_facility_t fclt;
+	int serrno;
+
+	ENTERS(service);
+	if (!valid_service_name(service)) {
+		openpam_log(PAM_LOG_ERROR, "invalid service name");
+		RETURNC(PAM_SYSTEM_ERR);
+	}
+	if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0) {
+		if (errno != ENOENT)
+			goto load_err;
+	}
+	for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
+		if (pamh->chains[fclt] != NULL)
+			continue;
+		if (OPENPAM_FEATURE(FALLBACK_TO_OTHER)) {
+			if (openpam_load_chain(pamh, PAM_OTHER, fclt) < 0)
+				goto load_err;
+		}
+	}
+	RETURNC(PAM_SUCCESS);
+load_err:
+	serrno = errno;
+	openpam_clear_chains(pamh->chains);
+	errno = serrno;
+	RETURNC(PAM_SYSTEM_ERR);
+}
+
+/*
+ * NODOC
+ *
+ * Error codes:
+ *	PAM_SYSTEM_ERR
+ */
--- a/lib/libpam/openpam_constants.c
+++ b/lib/libpam/openpam_constants.c
@ -0,0 +1,183 @@
+/*-
+ * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2004-2017 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * Network Associates Laboratories, the Security Research Division of
+ * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+const char *pam_err_name[PAM_NUM_ERRORS] = {
+	[PAM_SUCCESS]			 = "PAM_SUCCESS",
+	[PAM_OPEN_ERR]			 = "PAM_OPEN_ERR",
+	[PAM_SYMBOL_ERR]		 = "PAM_SYMBOL_ERR",
+	[PAM_SERVICE_ERR]		 = "PAM_SERVICE_ERR",
+	[PAM_SYSTEM_ERR]		 = "PAM_SYSTEM_ERR",
+	[PAM_BUF_ERR]			 = "PAM_BUF_ERR",
+	[PAM_CONV_ERR]			 = "PAM_CONV_ERR",
+	[PAM_PERM_DENIED]		 = "PAM_PERM_DENIED",
+	[PAM_MAXTRIES]			 = "PAM_MAXTRIES",
+	[PAM_AUTH_ERR]			 = "PAM_AUTH_ERR",
+	[PAM_NEW_AUTHTOK_REQD]		 = "PAM_NEW_AUTHTOK_REQD",
+	[PAM_CRED_INSUFFICIENT]		 = "PAM_CRED_INSUFFICIENT",
+	[PAM_AUTHINFO_UNAVAIL]		 = "PAM_AUTHINFO_UNAVAIL",
+	[PAM_USER_UNKNOWN]		 = "PAM_USER_UNKNOWN",
+	[PAM_CRED_UNAVAIL]		 = "PAM_CRED_UNAVAIL",
+	[PAM_CRED_EXPIRED]		 = "PAM_CRED_EXPIRED",
+	[PAM_CRED_ERR]			 = "PAM_CRED_ERR",
+	[PAM_ACCT_EXPIRED]		 = "PAM_ACCT_EXPIRED",
+	[PAM_AUTHTOK_EXPIRED]		 = "PAM_AUTHTOK_EXPIRED",
+	[PAM_SESSION_ERR]		 = "PAM_SESSION_ERR",
+	[PAM_AUTHTOK_ERR]		 = "PAM_AUTHTOK_ERR",
+	[PAM_AUTHTOK_RECOVERY_ERR]	 = "PAM_AUTHTOK_RECOVERY_ERR",
+	[PAM_AUTHTOK_LOCK_BUSY]		 = "PAM_AUTHTOK_LOCK_BUSY",
+	[PAM_AUTHTOK_DISABLE_AGING]	 = "PAM_AUTHTOK_DISABLE_AGING",
+	[PAM_NO_MODULE_DATA]		 = "PAM_NO_MODULE_DATA",
+	[PAM_IGNORE]			 = "PAM_IGNORE",
+	[PAM_ABORT]			 = "PAM_ABORT",
+	[PAM_TRY_AGAIN]			 = "PAM_TRY_AGAIN",
+	[PAM_MODULE_UNKNOWN]		 = "PAM_MODULE_UNKNOWN",
+	[PAM_DOMAIN_UNKNOWN]		 = "PAM_DOMAIN_UNKNOWN",
+	[PAM_BAD_HANDLE]		 = "PAM_BAD_HANDLE",
+	[PAM_BAD_ITEM]			 = "PAM_BAD_ITEM",
+	[PAM_BAD_FEATURE]		 = "PAM_BAD_FEATURE",
+	[PAM_BAD_CONSTANT]		 = "PAM_BAD_CONSTANT",
+};
+
+const char *pam_err_text[PAM_NUM_ERRORS] = {
+	[PAM_SUCCESS]			 = "Success",
+	[PAM_OPEN_ERR]			 = "Failed to load module",
+	[PAM_SYMBOL_ERR]		 = "Invalid symbol",
+	[PAM_SERVICE_ERR]		 = "Error in service module",
+	[PAM_SYSTEM_ERR]		 = "System error",
+	[PAM_BUF_ERR]			 = "Memory buffer error",
+	[PAM_CONV_ERR]			 = "Conversation failure",
+	[PAM_PERM_DENIED]		 = "Permission denied",
+	[PAM_MAXTRIES]			 = "Maximum number of tries exceeded",
+	[PAM_AUTH_ERR]			 = "Authentication error",
+	[PAM_NEW_AUTHTOK_REQD]		 = "New authentication token required",
+	[PAM_CRED_INSUFFICIENT]		 = "Insufficient credentials",
+	[PAM_AUTHINFO_UNAVAIL]		 = "Authentication information is unavailable",
+	[PAM_USER_UNKNOWN]		 = "Unknown user",
+	[PAM_CRED_UNAVAIL]		 = "Failed to retrieve user credentials",
+	[PAM_CRED_EXPIRED]		 = "User credentials have expired",
+	[PAM_CRED_ERR]			 = "Failed to set user credentials",
+	[PAM_ACCT_EXPIRED]		 = "User account has expired",
+	[PAM_AUTHTOK_EXPIRED]		 = "Password has expired",
+	[PAM_SESSION_ERR]		 = "Session failure",
+	[PAM_AUTHTOK_ERR]		 = "Authentication token failure",
+	[PAM_AUTHTOK_RECOVERY_ERR]	 = "Failed to recover old authentication token",
+	[PAM_AUTHTOK_LOCK_BUSY]		 = "Authentication token lock busy",
+	[PAM_AUTHTOK_DISABLE_AGING]	 = "Authentication token aging disabled",
+	[PAM_NO_MODULE_DATA]		 = "Module data not found",
+	[PAM_IGNORE]			 = "Ignore this module",
+	[PAM_ABORT]			 = "General failure",
+	[PAM_TRY_AGAIN]			 = "Try again",
+	[PAM_MODULE_UNKNOWN]		 = "Unknown module type",
+	[PAM_DOMAIN_UNKNOWN]		 = "Unknown authentication domain",
+	[PAM_BAD_HANDLE]		 = "Invalid PAM handle",
+	[PAM_BAD_ITEM]			 = "Unrecognized or restricted item",
+	[PAM_BAD_FEATURE]		 = "Unrecognized or restricted feature",
+	[PAM_BAD_CONSTANT]		 = "Invalid constant",
+};
+
+const char *pam_item_name[PAM_NUM_ITEMS] = {
+	[PAM_SERVICE]		 = "PAM_SERVICE",
+	[PAM_USER]		 = "PAM_USER",
+	[PAM_TTY]		 = "PAM_TTY",
+	[PAM_RHOST]		 = "PAM_RHOST",
+	[PAM_CONV]		 = "PAM_CONV",
+	[PAM_AUTHTOK]		 = "PAM_AUTHTOK",
+	[PAM_OLDAUTHTOK]	 = "PAM_OLDAUTHTOK",
+	[PAM_RUSER]		 = "PAM_RUSER",
+	[PAM_USER_PROMPT]	 = "PAM_USER_PROMPT",
+	[PAM_REPOSITORY]	 = "PAM_REPOSITORY",
+	[PAM_AUTHTOK_PROMPT]	 = "PAM_AUTHTOK_PROMPT",
+	[PAM_OLDAUTHTOK_PROMPT]	 = "PAM_OLDAUTHTOK_PROMPT",
+	[PAM_HOST]		 = "PAM_HOST",
+};
+
+const char *pam_facility_name[PAM_NUM_FACILITIES] = {
+	[PAM_ACCOUNT]		 = "account",
+	[PAM_AUTH]		 = "auth",
+	[PAM_PASSWORD]		 = "password",
+	[PAM_SESSION]		 = "session",
+};
+
+const char *pam_control_flag_name[PAM_NUM_CONTROL_FLAGS] = {
+	[PAM_BINDING]		 = "binding",
+	[PAM_OPTIONAL]		 = "optional",
+	[PAM_REQUIRED]		 = "required",
+	[PAM_REQUISITE]		 = "requisite",
+	[PAM_SUFFICIENT]	 = "sufficient",
+};
+
+const char *pam_func_name[PAM_NUM_PRIMITIVES] = {
+	[PAM_SM_AUTHENTICATE]	 = "pam_authenticate",
+	[PAM_SM_SETCRED]	 = "pam_setcred",
+	[PAM_SM_ACCT_MGMT]	 = "pam_acct_mgmt",
+	[PAM_SM_OPEN_SESSION]	 = "pam_open_session",
+	[PAM_SM_CLOSE_SESSION]	 = "pam_close_session",
+	[PAM_SM_CHAUTHTOK]	 = "pam_chauthtok"
+};
+
+const char *pam_sm_func_name[PAM_NUM_PRIMITIVES] = {
+	[PAM_SM_AUTHENTICATE]	 = "pam_sm_authenticate",
+	[PAM_SM_SETCRED]	 = "pam_sm_setcred",
+	[PAM_SM_ACCT_MGMT]	 = "pam_sm_acct_mgmt",
+	[PAM_SM_OPEN_SESSION]	 = "pam_sm_open_session",
+	[PAM_SM_CLOSE_SESSION]	 = "pam_sm_close_session",
+	[PAM_SM_CHAUTHTOK]	 = "pam_sm_chauthtok"
+};
+
+const char *openpam_policy_path[] = {
+	"/etc/pam.d/",
+	"/etc/pam.conf",
+	"/usr/local/etc/pam.d/",
+	"/usr/local/etc/pam.conf",
+	NULL
+};
+
+const char *openpam_module_path[] = {
+#ifdef OPENPAM_MODULES_DIRECTORY
+	OPENPAM_MODULES_DIRECTORY,
+#else
+	"/usr/lib",
+	"/usr/local/lib",
+#endif
+	NULL
+};
--- a/lib/libpam/openpam_constants.h
+++ b/lib/libpam/openpam_constants.h
@ -1,16 +1,18 @@
 /*-
- * Copyright (c) 2011 Dag-Erling Smørgrav
+ * Copyright (c) 2011-2017 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer
- *    in this position and unchanged.
+ *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -23,18 +25,20 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

-#ifndef OPENPAM_CONSTANTS_INCLUDED
-#define OPENPAM_CONSTANTS_INCLUDED
+#ifndef OPENPAM_CONSTANTS_H_INCLUDED
+#define OPENPAM_CONSTANTS_H_INCLUDED

 extern const char *pam_err_name[PAM_NUM_ERRORS];
+extern const char *pam_err_text[PAM_NUM_ERRORS];
 extern const char *pam_item_name[PAM_NUM_ITEMS];
 extern const char *pam_facility_name[PAM_NUM_FACILITIES];
 extern const char *pam_control_flag_name[PAM_NUM_CONTROL_FLAGS];
 extern const char *pam_func_name[PAM_NUM_PRIMITIVES];
 extern const char *pam_sm_func_name[PAM_NUM_PRIMITIVES];

+extern const char *openpam_policy_path[];
+extern const char *openpam_module_path[];
+
 #endif
--- a/lib/libpam/openpam_cred.h
+++ b/lib/libpam/openpam_cred.h
@ -31,97 +31,20 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

-#ifdef HAVE_CONFIG_H
-# include "config.h"
+#ifndef OPENPAM_CRED_H_INCLUDED
+#define OPENPAM_CRED_H_INCLUDED
+
+/*
+ * Saved credentials
+ */
+#define PAM_SAVED_CRED "pam_saved_cred"
+struct pam_saved_cred {
+	uid_t	 euid;
+	gid_t	 egid;
+	gid_t	 groups[NGROUPS_MAX];
+	int	 ngroups;
+};
+
 #endif
-
-#include <security/pam_appl.h>
-
-#include "openpam_impl.h"
-
-const char *pam_err_name[PAM_NUM_ERRORS] = {
-	"PAM_SUCCESS",
-	"PAM_OPEN_ERR",
-	"PAM_SYMBOL_ERR",
-	"PAM_SERVICE_ERR",
-	"PAM_SYSTEM_ERR",
-	"PAM_BUF_ERR",
-	"PAM_CONV_ERR",
-	"PAM_PERM_DENIED",
-	"PAM_MAXTRIES",
-	"PAM_AUTH_ERR",
-	"PAM_NEW_AUTHTOK_REQD",
-	"PAM_CRED_INSUFFICIENT",
-	"PAM_AUTHINFO_UNAVAIL",
-	"PAM_USER_UNKNOWN",
-	"PAM_CRED_UNAVAIL",
-	"PAM_CRED_EXPIRED",
-	"PAM_CRED_ERR",
-	"PAM_ACCT_EXPIRED",
-	"PAM_AUTHTOK_EXPIRED",
-	"PAM_SESSION_ERR",
-	"PAM_AUTHTOK_ERR",
-	"PAM_AUTHTOK_RECOVERY_ERR",
-	"PAM_AUTHTOK_LOCK_BUSY",
-	"PAM_AUTHTOK_DISABLE_AGING",
-	"PAM_NO_MODULE_DATA",
-	"PAM_IGNORE",
-	"PAM_ABORT",
-	"PAM_TRY_AGAIN",
-	"PAM_MODULE_UNKNOWN",
-	"PAM_DOMAIN_UNKNOWN"
-};
-
-const char *pam_item_name[PAM_NUM_ITEMS] = {
-	"(NO ITEM)",
-	"PAM_SERVICE",
-	"PAM_USER",
-	"PAM_TTY",
-	"PAM_RHOST",
-	"PAM_CONV",
-	"PAM_AUTHTOK",
-	"PAM_OLDAUTHTOK",
-	"PAM_RUSER",
-	"PAM_USER_PROMPT",
-	"PAM_REPOSITORY",
-	"PAM_AUTHTOK_PROMPT",
-	"PAM_OLDAUTHTOK_PROMPT",
-	"PAM_HOST",
-};
-
-const char *pam_facility_name[PAM_NUM_FACILITIES] = {
-	[PAM_ACCOUNT]		= "account",
-	[PAM_AUTH]		= "auth",
-	[PAM_PASSWORD]		= "password",
-	[PAM_SESSION]		= "session",
-};
-
-const char *pam_control_flag_name[PAM_NUM_CONTROL_FLAGS] = {
-	[PAM_BINDING]		= "binding",
-	[PAM_OPTIONAL]		= "optional",
-	[PAM_REQUIRED]		= "required",
-	[PAM_REQUISITE]		= "requisite",
-	[PAM_SUFFICIENT]	= "sufficient",
-};
-
-const char *pam_func_name[PAM_NUM_PRIMITIVES] = {
-	"pam_authenticate",
-	"pam_setcred",
-	"pam_acct_mgmt",
-	"pam_open_session",
-	"pam_close_session",
-	"pam_chauthtok"
-};
-
-const char *pam_sm_func_name[PAM_NUM_PRIMITIVES] = {
-	"pam_sm_authenticate",
-	"pam_sm_setcred",
-	"pam_sm_acct_mgmt",
-	"pam_sm_open_session",
-	"pam_sm_close_session",
-	"pam_sm_chauthtok"
-};
--- a/lib/libpam/openpam_ctype.h
+++ b/lib/libpam/openpam_ctype.h
@ -0,0 +1,95 @@
+/*-
+ * Copyright (c) 2012-2014 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef OPENPAM_CTYPE_H_INCLUDED
+#define OPENPAM_CTYPE_H_INCLUDED
+
+/*
+ * Evaluates to non-zero if the argument is a digit.
+ */
+#define is_digit(ch)				\
+	(ch >= '0' && ch <= '9')
+
+/*
+ * Evaluates to non-zero if the argument is a hex digit.
+ */
+#define is_xdigit(ch)				\
+	((ch >= '0' && ch <= '9') ||		\
+	 (ch >= 'a' && ch <= 'f') ||		\
+	 (ch >= 'A' && ch <= 'F'))
+
+/*
+ * Evaluates to non-zero if the argument is an uppercase letter.
+ */
+#define is_upper(ch)				\
+	(ch >= 'A' && ch <= 'Z')
+
+/*
+ * Evaluates to non-zero if the argument is a lowercase letter.
+ */
+#define is_lower(ch)				\
+	(ch >= 'a' && ch <= 'z')
+
+/*
+ * Evaluates to non-zero if the argument is a letter.
+ */
+#define is_letter(ch)				\
+	(is_upper(ch) || is_lower(ch))
+
+/*
+ * Evaluates to non-zero if the argument is a linear whitespace character.
+ * For the purposes of this macro, the definition of linear whitespace is
+ * extended to include the form feed and carraige return characters.
+ */
+#define is_lws(ch)				\
+	(ch == ' ' || ch == '\t' || ch == '\f' || ch == '\r')
+
+/*
+ * Evaluates to non-zero if the argument is a whitespace character.
+ */
+#define is_ws(ch)				\
+	(is_lws(ch) || ch == '\n')
+
+/*
+ * Evaluates to non-zero if the argument is a printable ASCII character.
+ * Assumes that the execution character set is a superset of ASCII.
+ */
+#define is_p(ch) \
+	(ch >= '!' && ch <= '~')
+
+/*
+ * Returns non-zero if the argument belongs to the POSIX Portable Filename
+ * Character Set.  Assumes that the execution character set is a superset
+ * of ASCII.
+ */
+#define is_pfcs(ch)				\
+	(is_digit(ch) || is_letter(ch)  ||	\
+	 ch == '.' || ch == '_' || ch == '-')
+
+#endif
--- a/lib/libpam/openpam_debug.h
+++ b/lib/libpam/openpam_debug.h
@ -31,61 +31,67 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

-#ifndef OPENPAM_DEBUG_INCLUDED
-#define OPENPAM_DEBUG_INCLUDED
+#ifndef OPENPAM_DEBUG_H_INCLUDED
+#define OPENPAM_DEBUG_H_INCLUDED

 #ifdef OPENPAM_DEBUG
-#define ENTER() openpam_log(PAM_LOG_DEBUG, "entering")
+#define ENTER() openpam_log(PAM_LOG_LIBDEBUG, "entering")
 #define ENTERI(i) do { \
 	int i_ = (i); \
 	if (i_ > 0 && i_ < PAM_NUM_ITEMS) \
-		openpam_log(PAM_LOG_DEBUG, "entering: %s", pam_item_name[i_]); \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: %s", pam_item_name[i_]); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "entering: %d", i_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", i_); \
 } while (0)
 #define ENTERN(n) do { \
 	int n_ = (n); \
-	openpam_log(PAM_LOG_DEBUG, "entering: %d", n_); \
+	openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", n_); \
 } while (0)
 #define ENTERS(s) do { \
 	const char *s_ = (s); \
 	if (s_ == NULL) \
-		openpam_log(PAM_LOG_DEBUG, "entering: NULL"); \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: NULL"); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "entering: '%s'", s_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: '%s'", s_); \
 } while (0)
-#define	RETURNV() openpam_log(PAM_LOG_DEBUG, "returning")
+#define ENTERF(f) do { \
+	int f_ = (f); \
+	if (f_ >= 0 && f_ <= OPENPAM_NUM_FEATURES) \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: %s", \
+		    openpam_features[f_].name); \
+	else \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", f_); \
+} while (0)
+#define	RETURNV() openpam_log(PAM_LOG_LIBDEBUG, "returning")
 #define RETURNC(c) do { \
 	int c_ = (c); \
 	if (c_ >= 0 && c_ < PAM_NUM_ERRORS) \
-		openpam_log(PAM_LOG_DEBUG, "returning %s", pam_err_name[c_]); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning %s", pam_err_name[c_]); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "returning %d!", c_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning %d!", c_); \
 	return (c_); \
 } while (0)
 #define	RETURNN(n) do { \
 	int n_ = (n); \
-	openpam_log(PAM_LOG_DEBUG, "returning %d", n_); \
+	openpam_log(PAM_LOG_LIBDEBUG, "returning %d", n_); \
 	return (n_); \
 } while (0)
 #define	RETURNP(p) do { \
-	const void *p_ = (p); \
+	void *p_ = (p); \
 	if (p_ == NULL) \
-		openpam_log(PAM_LOG_DEBUG, "returning NULL"); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning NULL"); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "returning %p", p_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning %p", p_); \
 	return (p_); \
 } while (0)
 #define	RETURNS(s) do { \
 	const char *s_ = (s); \
 	if (s_ == NULL) \
-		openpam_log(PAM_LOG_DEBUG, "returning NULL"); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning NULL"); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "returning '%s'", s_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning '%s'", s_); \
 	return (s_); \
 } while (0)
 #else
@ -93,6 +99,7 @@
 #define ENTERI(i)
 #define ENTERN(n)
 #define ENTERS(s)
+#define ENTERF(f)
 #define RETURNV() return
 #define RETURNC(c) return (c)
 #define RETURNN(n) return (n)
--- a/lib/libpam/openpam_dispatch.c
+++ b/lib/libpam/openpam_dispatch.c
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2017 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -41,6 +39,8 @@

 #include <sys/param.h>

+#include <stdint.h>
+
 #include <security/pam_appl.h>

 #include "openpam_impl.h"
@ -63,12 +63,10 @@ openpam_dispatch(pam_handle_t *pamh,
 	int flags)
 {
 	pam_chain_t *chain;
-	int err, fail, r;
+	int err, fail, nsuccess, r;
 	int debug;

 	ENTER();
-	if (pamh == NULL)
-		RETURNC(PAM_SYSTEM_ERR);

 	/* prevent recursion */
 	if (pamh->current != NULL) {
@ -101,23 +99,25 @@ openpam_dispatch(pam_handle_t *pamh,
 	}

 	/* execute */
-	for (err = fail = 0; chain != NULL; chain = chain->next) {
+	err = PAM_SUCCESS;
+	fail = nsuccess = 0;
+	for (; chain != NULL; chain = chain->next) {
 		if (chain->module->func[primitive] == NULL) {
 			openpam_log(PAM_LOG_ERROR, "%s: no %s()",
 			    chain->module->path, pam_sm_func_name[primitive]);
-			r = PAM_SYSTEM_ERR;
+			r = PAM_SYMBOL_ERR;
 		} else {
 			pamh->primitive = primitive;
 			pamh->current = chain;
 			debug = (openpam_get_option(pamh, "debug") != NULL);
 			if (debug)
 				++openpam_debug;
-			openpam_log(PAM_LOG_DEBUG, "calling %s() in %s",
+			openpam_log(PAM_LOG_LIBDEBUG, "calling %s() in %s",
 			    pam_sm_func_name[primitive], chain->module->path);
 			r = (chain->module->func[primitive])(pamh, flags,
-			    chain->optc, (const char **)chain->optv);
+			    chain->optc, (const char **)(intptr_t)chain->optv);
 			pamh->current = NULL;
-			openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
+			openpam_log(PAM_LOG_LIBDEBUG, "%s: %s(): %s",
 			    chain->module->path, pam_sm_func_name[primitive],
 			    pam_strerror(pamh, r));
 			if (debug)
@ -127,6 +127,7 @@ openpam_dispatch(pam_handle_t *pamh,
 		if (r == PAM_IGNORE)
 			continue;
 		if (r == PAM_SUCCESS) {
+			++nsuccess;
 			/*
 			 * For pam_setcred() and pam_chauthtok() with the
 			 * PAM_PRELIM_CHECK flag, treat "sufficient" as
@ -148,11 +149,11 @@ openpam_dispatch(pam_handle_t *pamh,
 		 * fail.  If a required module fails, record the
 		 * return code from the first required module to fail.
 		 */
-		if (err == 0)
+		if (err == PAM_SUCCESS)
 			err = r;
 		if ((chain->flag == PAM_REQUIRED ||
 		    chain->flag == PAM_BINDING) && !fail) {
-			openpam_log(PAM_LOG_DEBUG, "required module failed");
+			openpam_log(PAM_LOG_LIBDEBUG, "required module failed");
 			fail = 1;
 			err = r;
 		}
@ -162,7 +163,7 @@ openpam_dispatch(pam_handle_t *pamh,
 		 * immediately.
 		 */
 		if (chain->flag == PAM_REQUISITE) {
-			openpam_log(PAM_LOG_DEBUG, "requisite module failed");
+			openpam_log(PAM_LOG_LIBDEBUG, "requisite module failed");
 			fail = 1;
 			break;
 		}
@ -170,6 +171,18 @@ openpam_dispatch(pam_handle_t *pamh,

 	if (!fail && err != PAM_NEW_AUTHTOK_REQD)
 		err = PAM_SUCCESS;
+
+	/*
+	 * Require the chain to be non-empty, and at least one module
+	 * in the chain to be successful, so that we don't fail open.
+	 */
+	if (err == PAM_SUCCESS && nsuccess < 1) {
+		openpam_log(PAM_LOG_ERROR,
+		    "all modules were unsuccessful for %s()",
+		    pam_sm_func_name[primitive]);
+		err = PAM_SYSTEM_ERR;
+	}
+
 	RETURNC(err);
 }

@ -179,6 +192,7 @@ openpam_check_error_code(int primitive, int r)
 {
 	/* common error codes */
 	if (r == PAM_SUCCESS ||
+	    r == PAM_SYSTEM_ERR ||
 	    r == PAM_SERVICE_ERR ||
 	    r == PAM_BUF_ERR ||
 	    r == PAM_CONV_ERR ||
--- a/lib/libpam/openpam_dlfunc.h
+++ b/lib/libpam/openpam_dlfunc.h
@ -0,0 +1,44 @@
+/*-
+ * Copyright (c) 2013 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef OPENPAM_DLFCN_H_INCLUDED
+#define OPENPAM_DLFCN_H_INCLUDED
+
+#ifndef HAVE_DLFUNC
+typedef void (*dlfunc_t)();
+
+static inline dlfunc_t
+dlfunc(void *handle, const char *symbol)
+{
+
+	return ((dlfunc_t)dlsym(handle, symbol));
+}
+#endif
+
+#endif
--- a/lib/libpam/openpam_dynamic.c
+++ b/lib/libpam/openpam_dynamic.c
@ -0,0 +1,260 @@
+/*-
+ * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * Network Associates Laboratories, the Security Research Division of
+ * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <sys/param.h>
+
+#include <dlfcn.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+#include "openpam_asprintf.h"
+#include "openpam_ctype.h"
+#include "openpam_dlfunc.h"
+
+#ifndef RTLD_NOW
+#define RTLD_NOW RTLD_LAZY
+#endif
+
+/*
+ * OpenPAM internal
+ *
+ * Perform sanity checks and attempt to load a module
+ */
+
+#ifdef HAVE_FDLOPEN
+static void *
+try_dlopen(const char *modfn)
+{
+	void *dlh;
+	int fd;
+
+	openpam_log(PAM_LOG_LIBDEBUG, "dlopen(%s)", modfn);
+	if ((fd = open(modfn, O_RDONLY)) < 0) {
+		if (errno != ENOENT)
+			openpam_log(PAM_LOG_ERROR, "%s: %m", modfn);
+		return (NULL);
+	}
+	if (OPENPAM_FEATURE(VERIFY_MODULE_FILE) &&
+	    openpam_check_desc_owner_perms(modfn, fd) != 0) {
+		close(fd);
+		return (NULL);
+	}
+	if ((dlh = fdlopen(fd, RTLD_NOW)) == NULL) {
+		openpam_log(PAM_LOG_ERROR, "%s: %s", modfn, dlerror());
+		close(fd);
+		errno = 0;
+		return (NULL);
+	}
+	close(fd);
+	return (dlh);
+}
+#else
+static void *
+try_dlopen(const char *modfn)
+{
+	int check_module_file;
+	void *dlh;
+
+	openpam_log(PAM_LOG_LIBDEBUG, "dlopen(%s)", modfn);
+	openpam_get_feature(OPENPAM_VERIFY_MODULE_FILE,
+	    &check_module_file);
+	if (check_module_file &&
+	    openpam_check_path_owner_perms(modfn) != 0)
+		return (NULL);
+	if ((dlh = dlopen(modfn, RTLD_NOW)) == NULL) {
+		openpam_log(PAM_LOG_ERROR, "%s: %s", modfn, dlerror());
+		errno = 0;
+		return (NULL);
+	}
+	return (dlh);
+}
+#endif
+
+/*
+ * Try to load a module from the suggested location.
+ */
+static pam_module_t *
+try_module(const char *modpath)
+{
+	const pam_module_t *dlmodule;
+	pam_module_t *module;
+	int i, serrno;
+
+	if ((module = calloc(1, sizeof *module)) == NULL ||
+	    (module->path = strdup(modpath)) == NULL ||
+	    (module->dlh = try_dlopen(modpath)) == NULL)
+		goto err;
+	dlmodule = dlsym(module->dlh, "_pam_module");
+	for (i = 0; i < PAM_NUM_PRIMITIVES; ++i) {
+		if (dlmodule) {
+			module->func[i] = dlmodule->func[i];
+		} else {
+			module->func[i] = (pam_func_t)dlfunc(module->dlh,
+			    pam_sm_func_name[i]);
+			/*
+			 * This openpam_log() call is a major source of
+			 * log spam, and the cases that matter are caught
+			 * and logged in openpam_dispatch().  This would
+			 * be less problematic if dlerror() returned an
+			 * error code so we could log an error only when
+			 * dlfunc() failed for a reason other than "no
+			 * such symbol".
+			 */
+#if 0
+			if (module->func[i] == NULL)
+				openpam_log(PAM_LOG_LIBDEBUG, "%s: %s(): %s",
+				    modpath, pam_sm_func_name[i], dlerror());
+#endif
+		}
+	}
+	return (module);
+err:
+	serrno = errno;
+	if (module != NULL) {
+		if (module->dlh != NULL)
+			dlclose(module->dlh);
+		if (module->path != NULL)
+			FREE(module->path);
+		FREE(module);
+	}
+	errno = serrno;
+	if (serrno != 0 && serrno != ENOENT)
+		openpam_log(PAM_LOG_ERROR, "%s: %m", modpath);
+	errno = serrno;
+	return (NULL);
+}
+
+/*
+ * OpenPAM internal
+ *
+ * Locate a dynamically linked module
+ */
+
+pam_module_t *
+openpam_dynamic(const char *modname)
+{
+	pam_module_t *module;
+	char modpath[PATH_MAX];
+	const char **path, *p;
+	int has_so, has_ver;
+	int dot, len;
+
+	/*
+	 * Simple case: module name contains path separator(s)
+	 */
+	if (strchr(modname, '/') != NULL) {
+		/*
+		 * Absolute paths are not allowed if RESTRICT_MODULE_NAME
+		 * is in effect (default off).  Relative paths are never
+		 * allowed.
+		 */
+		if (OPENPAM_FEATURE(RESTRICT_MODULE_NAME) ||
+		    modname[0] != '/') {
+			openpam_log(PAM_LOG_ERROR,
+			    "invalid module name: %s", modname);
+			return (NULL);
+		}
+		return (try_module(modname));
+	}
+
+	/*
+	 * Check for .so and version sufixes
+	 */
+	p = strchr(modname, '\0');
+	has_ver = has_so = 0;
+	while (is_digit(*p))
+		--p;
+	if (*p == '.' && *++p != '\0') {
+		/* found a numeric suffix */
+		has_ver = 1;
+		/* assume that .so is either present or unneeded */
+		has_so = 1;
+	} else if (*p == '\0' && p >= modname + sizeof PAM_SOEXT &&
+	    strcmp(p - sizeof PAM_SOEXT + 1, PAM_SOEXT) == 0) {
+		/* found .so suffix */
+		has_so = 1;
+	}
+
+	/*
+	 * Complicated case: search for the module in the usual places.
+	 */
+	for (path = openpam_module_path; *path != NULL; ++path) {
+		/*
+		 * Assemble the full path, including the version suffix.  Take
+		 * note of where the suffix begins so we can cut it off later.
+		 */
+		if (has_ver)
+			len = snprintf(modpath, sizeof modpath, "%s/%s%n",
+			    *path, modname, &dot);
+		else if (has_so)
+			len = snprintf(modpath, sizeof modpath, "%s/%s%n.%d",
+			    *path, modname, &dot, LIB_MAJ);
+		else
+			len = snprintf(modpath, sizeof modpath, "%s/%s%s%n.%d",
+			    *path, modname, PAM_SOEXT, &dot, LIB_MAJ);
+		/* check for overflow */
+		if (len < 0 || (unsigned int)len >= sizeof modpath) {
+			errno = ENOENT;
+			continue;
+		}
+		/* try the versioned path */
+		if ((module = try_module(modpath)) != NULL)
+			return (module);
+		if (errno == ENOENT && modpath[dot] != '\0') {
+			/* no luck, try the unversioned path */
+			modpath[dot] = '\0';
+			if ((module = try_module(modpath)) != NULL)
+				return (module);
+		}
+	}
+
+	/* :( */
+	return (NULL);
+}
+
+/*
+ * NOPARSE
+ */
--- a/lib/libpam/openpam_features.c
+++ b/lib/libpam/openpam_features.c
@ -0,0 +1,71 @@
+/*-
+ * Copyright (c) 2012-2015 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+#define STRUCT_OPENPAM_FEATURE(name, descr, dflt)	\
+	[OPENPAM_##name] = {				\
+		"OPENPAM_" #name,			\
+		descr,					\
+		dflt					\
+	}
+
+struct openpam_feature openpam_features[OPENPAM_NUM_FEATURES] = {
+	STRUCT_OPENPAM_FEATURE(
+	    RESTRICT_SERVICE_NAME,
+	    "Disallow path separators in service names",
+	    1
+	),
+	STRUCT_OPENPAM_FEATURE(
+	    VERIFY_POLICY_FILE,
+	    "Verify ownership and permissions of policy files",
+	    1
+	),
+	STRUCT_OPENPAM_FEATURE(
+	    RESTRICT_MODULE_NAME,
+	    "Disallow path separators in module names",
+	    0
+	),
+	STRUCT_OPENPAM_FEATURE(
+	    VERIFY_MODULE_FILE,
+	    "Verify ownership and permissions of module files",
+	    1
+	),
+	STRUCT_OPENPAM_FEATURE(
+	    FALLBACK_TO_OTHER,
+	    "Fall back to \"other\" policy for empty chains",
+	    1
+	),
+};
--- a/lib/libpam/openpam_features.h
+++ b/lib/libpam/openpam_features.h
@ -0,0 +1,45 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef OPENPAM_FEATURES_H_INCLUDED
+#define OPENPAM_FEATURES_H_INCLUDED
+
+struct openpam_feature {
+	const char *name;
+	const char *desc;
+	int onoff;
+};
+
+extern struct openpam_feature openpam_features[OPENPAM_NUM_FEATURES];
+
+/* shortcut for internal use */
+#define OPENPAM_FEATURE(f) \
+	openpam_features[OPENPAM_##f].onoff
+
+#endif
--- a/lib/libpam/openpam_findenv.c
+++ b/lib/libpam/openpam_findenv.c
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2017 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,14 +31,13 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif

+#include <errno.h>
 #include <string.h>

 #include <security/pam_appl.h>
@ -59,12 +58,11 @@ openpam_findenv(pam_handle_t *pamh,
 	int i;

 	ENTER();
-	if (pamh == NULL)
-		RETURNN(-1);
 	for (i = 0; i < pamh->env_count; ++i)
 		if (strncmp(pamh->env[i], name, len) == 0 &&
 		    pamh->env[i][len] == '=')
 			RETURNN(i);
+	errno = ENOENT;
 	RETURNN(-1);
 }

--- a/lib/libpam/openpam_free_data.c
+++ b/lib/libpam/openpam_free_data.c
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
--- a/lib/libpam/openpam_free_envlist.c
+++ b/lib/libpam/openpam_free_envlist.c
@ -6,8 +6,7 @@
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer
- *    in this position and unchanged.
+ *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
@ -24,8 +23,6 @@
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
--- a/lib/libpam/openpam_get_feature.c
+++ b/lib/libpam/openpam_get_feature.c
@ -0,0 +1,96 @@
+/*-
+ * Copyright (c) 2012-2017 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+#include "openpam_impl.h"
+
+/*
+ * OpenPAM extension
+ *
+ * Query the state of an optional feature.
+ */
+
+int
+openpam_get_feature(int feature, int *onoff)
+{
+
+	ENTERF(feature);
+	if (feature < 0 || feature >= OPENPAM_NUM_FEATURES)
+		RETURNC(PAM_BAD_FEATURE);
+	*onoff = openpam_features[feature].onoff;
+	RETURNC(PAM_SUCCESS);
+}
+
+/*
+ * Error codes:
+ *
+ *	PAM_BAD_FEATURE
+ */
+
+/**
+ * EXPERIMENTAL
+ *
+ * The =openpam_get_feature function stores the current state of the
+ * specified feature in the variable pointed to by its =onoff argument.
+ *
+ * The following features are recognized:
+ *
+ *	=OPENPAM_RESTRICT_SERVICE_NAME:
+ *		Disallow path separators in service names.
+ *		This feature is enabled by default.
+ *		Disabling it allows the application to specify the path to
+ *		the desired policy file directly.
+ *
+ *	=OPENPAM_VERIFY_POLICY_FILE:
+ *		Verify the ownership and permissions of the policy file
+ *		and the path leading up to it.
+ *		This feature is enabled by default.
+ *
+ *	=OPENPAM_RESTRICT_MODULE_NAME:
+ *		Disallow path separators in module names.
+ *		This feature is disabled by default.
+ *		Enabling it prevents the use of modules in non-standard
+ *		locations.
+ *
+ *	=OPENPAM_VERIFY_MODULE_FILE:
+ *		Verify the ownership and permissions of each loadable
+ *		module and the path leading up to it.
+ *		This feature is enabled by default.
+ *
+ *
+ * >openpam_set_feature
+ *
+ * AUTHOR DES
+ */
--- a/lib/libpam/openpam_get_option.c
+++ b/lib/libpam/openpam_get_option.c
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -44,7 +42,6 @@
 #include <string.h>

 #include <security/pam_appl.h>
-#include <security/openpam.h>

 #include "openpam_impl.h"

--- a/lib/libpam/openpam_impl.h
+++ b/lib/libpam/openpam_impl.h
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2017 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifndef OPENPAM_IMPL_H_INCLUDED
@ -122,19 +120,6 @@ struct pam_handle {
 	int		 env_size;
 };

-#ifdef NGROUPS_MAX
-/*
- * Saved credentials
- */
-#define PAM_SAVED_CRED "pam_saved_cred"
-struct pam_saved_cred {
-	uid_t	 euid;
-	gid_t	 egid;
-	gid_t	 groups[NGROUPS_MAX];
-	int	 ngroups;
-};
-#endif
-
 /*
 * Default policy
 */
@ -143,23 +128,46 @@ struct pam_saved_cred {
 /*
 * Internal functions
 */
-int		 openpam_configure(pam_handle_t *, const char *);
-int		 openpam_dispatch(pam_handle_t *, int, int);
-int		 openpam_findenv(pam_handle_t *, const char *, size_t);
-pam_module_t	*openpam_load_module(const char *);
-void		 openpam_clear_chains(pam_chain_t **);
+int		 openpam_configure(pam_handle_t *, const char *)
+	OPENPAM_NONNULL((1));
+int		 openpam_dispatch(pam_handle_t *, int, int)
+	OPENPAM_NONNULL((1));
+int		 openpam_findenv(pam_handle_t *, const char *, size_t)
+	OPENPAM_NONNULL((1,2));
+pam_module_t	*openpam_load_module(const char *)
+	OPENPAM_NONNULL((1));
+void		 openpam_clear_chains(pam_chain_t **)
+	OPENPAM_NONNULL((1));

-int		 openpam_check_desc_owner_perms(const char *, int);
-int		 openpam_check_path_owner_perms(const char *);
+int		 openpam_check_desc_owner_perms(const char *, int)
+	OPENPAM_NONNULL((1));
+int		 openpam_check_path_owner_perms(const char *)
+	OPENPAM_NONNULL((1));

 #ifdef OPENPAM_STATIC_MODULES
-pam_module_t	*openpam_static(const char *);
+pam_module_t	*openpam_static(const char *)
+	OPENPAM_NONNULL((1));
 #endif
-pam_module_t	*openpam_dynamic(const char *);
+pam_module_t	*openpam_dynamic(const char *)
+	OPENPAM_NONNULL((1));

-#define	FREE(p) do { free((p)); (p) = NULL; } while (0)
+#define	FREE(p)					\
+	do {					\
+		free(p);			\
+		(p) = NULL;			\
+	} while (0)
+
+#define FREEV(c, v)				\
+	do {					\
+		if ((v) != NULL) {		\
+			while ((c)-- > 0)	\
+				FREE((v)[(c)]);	\
+			FREE(v);		\
+		}				\
+	} while (0)

 #include "openpam_constants.h"
 #include "openpam_debug.h"
+#include "openpam_features.h"

 #endif
--- a/lib/libpam/openpam_load.c
+++ b/lib/libpam/openpam_load.c
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2013 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -52,24 +50,24 @@
 */

 pam_module_t *
-openpam_load_module(const char *path)
+openpam_load_module(const char *modulename)
 {
 	pam_module_t *module;

-	module = openpam_dynamic(path);
+	module = openpam_dynamic(modulename);
 	openpam_log(PAM_LOG_DEBUG, "%s dynamic %s",
-	    (module == NULL) ? "no" : "using", path);
+	    (module == NULL) ? "no" : "using", modulename);

 #ifdef OPENPAM_STATIC_MODULES
 	/* look for a static module */
-	if (module == NULL && strchr(path, '/') == NULL) {
-		module = openpam_static(path);
+	if (module == NULL && strchr(modulename, '/') == NULL) {
+		module = openpam_static(modulename);
 		openpam_log(PAM_LOG_DEBUG, "%s static %s",
-		    (module == NULL) ? "no" : "using", path);
+		    (module == NULL) ? "no" : "using", modulename);
 	}
 #endif
 	if (module == NULL) {
-		openpam_log(PAM_LOG_ERROR, "no %s found", path);
+		openpam_log(PAM_LOG_ERROR, "no %s found", modulename);
 		return (NULL);
 	}
 	return (module);
@ -84,6 +82,7 @@ openpam_load_module(const char *path)
 static void
 openpam_release_module(pam_module_t *module)
 {
+
 	if (module == NULL)
 		return;
 	if (module->dlh == NULL)
@ -104,13 +103,12 @@ openpam_release_module(pam_module_t *module)
 static void
 openpam_destroy_chain(pam_chain_t *chain)
 {
+
 	if (chain == NULL)
 		return;
 	openpam_destroy_chain(chain->next);
 	chain->next = NULL;
-	while (chain->optc--)
-		FREE(chain->optv[chain->optc]);
-	FREE(chain->optv);
+	FREEV(chain->optc, chain->optv);
 	openpam_release_module(chain->module);
 	chain->module = NULL;
 	FREE(chain);
--- a/lib/libpam/openpam_log.c
+++ b/lib/libpam/openpam_log.c
@ -31,30 +31,24 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif

-#include <ctype.h>
+#include <errno.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 #include <syslog.h>

 #include <security/pam_appl.h>

 #include "openpam_impl.h"
+#include "openpam_asprintf.h"

-#ifdef OPENPAM_DEBUG
-int openpam_debug = 1;
-#else
 int openpam_debug = 0;
-#endif

 #if !defined(openpam_log)

@ -69,8 +63,10 @@ openpam_log(int level, const char *fmt, ...)
 {
 	va_list ap;
 	int priority;
+	int serrno;

 	switch (level) {
+	case PAM_LOG_LIBDEBUG:
 	case PAM_LOG_DEBUG:
 		if (!openpam_debug)
 			return;
@ -87,9 +83,11 @@ openpam_log(int level, const char *fmt, ...)
 		priority = LOG_ERR;
 		break;
 	}
+	serrno = errno;
 	va_start(ap, fmt);
 	vsyslog(priority, fmt, ap);
 	va_end(ap);
+	errno = serrno;
 }

 #else
@ -100,8 +98,10 @@ _openpam_log(int level, const char *func, const char *fmt, ...)
 	va_list ap;
 	char *format;
 	int priority;
+	int serrno;

 	switch (level) {
+	case PAM_LOG_LIBDEBUG:
 	case PAM_LOG_DEBUG:
 		if (!openpam_debug)
 			return;
@ -118,14 +118,18 @@ _openpam_log(int level, const char *func, const char *fmt, ...)
 		priority = LOG_ERR;
 		break;
 	}
+	serrno = errno;
 	va_start(ap, fmt);
 	if (asprintf(&format, "in %s(): %s", func, fmt) > 0) {
+		errno = serrno;
 		vsyslog(priority, format, ap);
 		FREE(format);
 	} else {
+		errno = serrno;
 		vsyslog(priority, fmt, ap);
 	}
 	va_end(ap);
+	errno = serrno;
 }

 #endif
@ -137,6 +141,9 @@ _openpam_log(int level, const char *func, const char *fmt, ...)
 * The =level argument indicates the importance of the message.
 * The following levels are defined:
 *
+ *	=PAM_LOG_LIBDEBUG:
+ *		Debugging messages.
+ *		For internal use only.
 *	=PAM_LOG_DEBUG:
 *		Debugging messages.
 *		These messages are normally not logged unless the global
@ -159,4 +166,6 @@ _openpam_log(int level, const char *func, const char *fmt, ...)
 *
 * The remaining arguments are a =printf format string and the
 * corresponding arguments.
+ *
+ * The =openpam_log function does not modify the value of :errno.
 */
--- a/lib/libpam/openpam_nullconv.c
+++ b/lib/libpam/openpam_nullconv.c
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
--- a/lib/libpam/openpam_readline.c
+++ b/lib/libpam/openpam_readline.c
@ -31,19 +31,17 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif

-#include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>

 #include <security/pam_appl.h>
+
 #include "openpam_impl.h"

 #define MIN_LINE_LENGTH 128
@ -61,22 +59,9 @@ openpam_readline(FILE *f, int *lineno, size_t *lenp)
 	size_t len, size;
 	int ch;

-	if ((line = malloc(MIN_LINE_LENGTH)) == NULL)
+	line = NULL;
+	if (openpam_straddch(&line, &size, &len, 0) != 0)
 		return (NULL);
-	size = MIN_LINE_LENGTH;
-	len = 0;
-
-#define line_putch(ch) do { \
-	if (len >= size - 1) { \
-		char *tmp = realloc(line, size *= 2); \
-		if (tmp == NULL) \
-			goto fail; \
-		line = tmp; \
-	} \
-	line[len++] = ch; \
-	line[len] = '\0'; \
-} while (0)
-
 	for (;;) {
 		ch = fgetc(f);
 		/* strip comment */
@ -105,22 +90,10 @@ openpam_readline(FILE *f, int *lineno, size_t *lenp)
 			/* done */
 			break;
 		}
-		/* whitespace */
-		if (isspace(ch)) {
-			/* ignore leading whitespace */
-			/* collapse linear whitespace */
-			if (len > 0 && line[len - 1] != ' ')
-				line_putch(' ');
-			continue;
-		}
 		/* anything else */
-		line_putch(ch);
+		if (openpam_straddch(&line, &size, &len, ch) != 0)
+			goto fail;
 	}
-
-	/* remove trailing whitespace */
-	while (len > 0 && isspace((unsigned char)line[len - 1]))
-		--len;
-	line[len] = '\0';
 	if (len == 0)
 		goto fail;
 	if (lenp != NULL)
@ -132,16 +105,18 @@ fail:
 }

 /**
+ * DEPRECATED openpam_readlinev
+ *
 * The =openpam_readline function reads a line from a file, and returns it
- * in a NUL-terminated buffer allocated with =malloc.
+ * in a NUL-terminated buffer allocated with =!malloc.
 *
 * The =openpam_readline function performs a certain amount of processing
 * on the data it reads:
 *
- *  - Comments (introduced by a hash sign) are stripped, as is leading and
- *    trailing whitespace.
- *  - Any amount of linear whitespace is collapsed to a single space.
+ *  - Comments (introduced by a hash sign) are stripped.
+ *
 *  - Blank lines are ignored.
+ *
 *  - If a line ends in a backslash, the backslash is stripped and the
 *    next line is appended.
 *
@ -152,5 +127,8 @@ fail:
 * terminating NUL character) is stored in the variable it points to.
 *
 * The caller is responsible for releasing the returned buffer by passing
- * it to =free.
+ * it to =!free.
+ *
+ * >openpam_readlinev
+ * >openpam_readword
 */
--- a/lib/libpam/openpam_readlinev.c
+++ b/lib/libpam/openpam_readlinev.c
@ -0,0 +1,153 @@
+/*-
+ * Copyright (c) 2012-2016 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+#define MIN_WORDV_SIZE	32
+
+/*
+ * OpenPAM extension
+ *
+ * Read a line from a file and split it into words.
+ */
+
+char **
+openpam_readlinev(FILE *f, int *lineno, int *lenp)
+{
+	char *word, **wordv, **tmp;
+	size_t wordlen, wordvsize;
+	int ch, serrno, wordvlen;
+
+	wordvsize = MIN_WORDV_SIZE;
+	wordvlen = 0;
+	if ((wordv = malloc(wordvsize * sizeof *wordv)) == NULL) {
+		errno = ENOMEM;
+		return (NULL);
+	}
+	wordv[wordvlen] = NULL;
+	while ((word = openpam_readword(f, lineno, &wordlen)) != NULL) {
+		if ((unsigned int)wordvlen + 1 >= wordvsize) {
+			/* need to expand the array */
+			wordvsize *= 2;
+			tmp = realloc(wordv, wordvsize * sizeof *wordv);
+			if (tmp == NULL) {
+				errno = ENOMEM;
+				break;
+			}
+			wordv = tmp;
+		}
+		/* insert our word */
+		wordv[wordvlen++] = word;
+		wordv[wordvlen] = NULL;
+		word = NULL;
+	}
+	if (errno != 0) {
+		/* I/O error or out of memory */
+		serrno = errno;
+		while (wordvlen--)
+			free(wordv[wordvlen]);
+		free(wordv);
+		free(word);
+		errno = serrno;
+		return (NULL);
+	}
+	/* assert(!ferror(f)) */
+	ch = fgetc(f);
+	/* assert(ch == EOF || ch == '\n') */
+	if (ch == EOF && wordvlen == 0) {
+		free(wordv);
+		return (NULL);
+	}
+	if (ch == '\n' && lineno != NULL)
+		++*lineno;
+	if (lenp != NULL)
+		*lenp = wordvlen;
+	return (wordv);
+}
+
+/**
+ * The =openpam_readlinev function reads a line from a file, splits it
+ * into words according to the rules described in the =openpam_readword
+ * manual page, and returns a list of those words.
+ *
+ * If =lineno is not =NULL, the integer variable it points to is
+ * incremented every time a newline character is read.
+ * This includes quoted or escaped newline characters and the newline
+ * character at the end of the line.
+ *
+ * If =lenp is not =NULL, the number of words on the line is stored in the
+ * variable to which it points.
+ *
+ * RETURN VALUES
+ *
+ * If successful, the =openpam_readlinev function returns a pointer to a
+ * dynamically allocated array of pointers to individual dynamically
+ * allocated NUL-terminated strings, each containing a single word, in the
+ * order in which they were encountered on the line.
+ * The array is terminated by a =NULL pointer.
+ *
+ * The caller is responsible for freeing both the array and the individual
+ * strings by passing each of them to =!free.
+ *
+ * If the end of the line was reached before any words were read,
+ * =openpam_readlinev returns a pointer to a dynamically allocated array
+ * containing a single =NULL pointer.
+ *
+ * The =openpam_readlinev function can fail and return =NULL for one of
+ * four reasons:
+ *
+ *  - The end of the file was reached before any words were read; :errno is
+ *    zero, =!ferror returns zero, and =!feof returns a non-zero value.
+ *
+ *  - The end of the file was reached while a quote or backslash escape
+ *    was in effect; :errno is set to =EINVAL, =!ferror returns zero, and
+ *    =!feof returns a non-zero value.
+ *
+ *  - An error occurred while reading from the file; :errno is non-zero,
+ *    =!ferror returns a non-zero value and =!feof returns zero.
+ *
+ *  - A =!malloc or =!realloc call failed; :errno is set to =ENOMEM,
+ *    =!ferror returns a non-zero value, and =!feof may or may not return
+ *    a non-zero value.
+ *
+ * >openpam_readline
+ * >openpam_readword
+ *
+ * AUTHOR DES
+ */
--- a/lib/libpam/openpam_readword.c
+++ b/lib/libpam/openpam_readword.c
@ -0,0 +1,214 @@
+/*-
+ * Copyright (c) 2012-2017 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+#include "openpam_ctype.h"
+
+#define MIN_WORD_SIZE	32
+
+/*
+ * OpenPAM extension
+ *
+ * Read a word from a file, respecting shell quoting rules.
+ */
+
+char *
+openpam_readword(FILE *f, int *lineno, size_t *lenp)
+{
+	char *word;
+	size_t size, len;
+	int ch, escape, quote;
+	int serrno;
+
+	errno = 0;
+
+	/* skip initial whitespace */
+	escape = quote = 0;
+	while ((ch = getc(f)) != EOF) {
+		if (ch == '\n') {
+			/* either EOL or line continuation */
+			if (!escape)
+				break;
+			if (lineno != NULL)
+				++*lineno;
+			escape = 0;
+		} else if (escape) {
+			/* escaped something else */
+			break;
+		} else if (ch == '#') {
+			/* comment: until EOL, no continuation */
+			while ((ch = getc(f)) != EOF)
+				if (ch == '\n')
+					break;
+			break;
+		} else if (ch == '\\') {
+			escape = 1;
+		} else if (!is_ws(ch)) {
+			break;
+		}
+	}
+	if (ch == EOF)
+		return (NULL);
+	ungetc(ch, f);
+	if (ch == '\n')
+		return (NULL);
+
+	word = NULL;
+	size = len = 0;
+	while ((ch = fgetc(f)) != EOF && (!is_ws(ch) || quote || escape)) {
+		if (ch == '\\' && !escape && quote != '\'') {
+			/* escape next character */
+			escape = ch;
+		} else if ((ch == '\'' || ch == '"') && !quote && !escape) {
+			/* begin quote */
+			quote = ch;
+			/* edge case: empty quoted string */
+			if (openpam_straddch(&word, &size, &len, 0) != 0)
+				return (NULL);
+		} else if (ch == quote && !escape) {
+			/* end quote */
+			quote = 0;
+		} else if (ch == '\n' && escape) {
+			/* line continuation */
+			escape = 0;
+		} else {
+			if (escape && quote && ch != '\\' && ch != quote &&
+			    openpam_straddch(&word, &size, &len, '\\') != 0) {
+				free(word);
+				errno = ENOMEM;
+				return (NULL);
+			}
+			if (openpam_straddch(&word, &size, &len, ch) != 0) {
+				free(word);
+				errno = ENOMEM;
+				return (NULL);
+			}
+			escape = 0;
+		}
+		if (lineno != NULL && ch == '\n')
+			++*lineno;
+	}
+	if (ch == EOF && ferror(f)) {
+		serrno = errno;
+		free(word);
+		errno = serrno;
+		return (NULL);
+	}
+	if (ch == EOF && (escape || quote)) {
+		/* Missing escaped character or closing quote. */
+		free(word);
+		errno = EINVAL;
+		return (NULL);
+	}
+	ungetc(ch, f);
+	if (lenp != NULL)
+		*lenp = len;
+	return (word);
+}
+
+/**
+ * The =openpam_readword function reads the next word from a file, and
+ * returns it in a NUL-terminated buffer allocated with =!malloc.
+ *
+ * A word is a sequence of non-whitespace characters.
+ * However, whitespace characters can be included in a word if quoted or
+ * escaped according to the following rules:
+ *
+ *  - An unescaped single or double quote introduces a quoted string,
+ *    which ends when the same quote character is encountered a second
+ *    time.
+ *    The quotes themselves are stripped.
+ *
+ *  - Within a single- or double-quoted string, all whitespace characters,
+ *    including the newline character, are preserved as-is.
+ *
+ *  - Outside a quoted string, a backslash escapes the next character,
+ *    which is preserved as-is, unless that character is a newline, in
+ *    which case it is discarded and reading continues at the beginning of
+ *    the next line as if the backslash and newline had not been there.
+ *    In all cases, the backslash itself is discarded.
+ *
+ *  - Within a single-quoted string, double quotes and backslashes are
+ *    preserved as-is.
+ *
+ *  - Within a double-quoted string, a single quote is preserved as-is,
+ *    and a backslash is preserved as-is unless used to escape a double
+ *    quote.
+ *
+ * In addition, if the first non-whitespace character on the line is a
+ * hash character (#), the rest of the line is discarded.
+ * If a hash character occurs within a word, however, it is preserved
+ * as-is.
+ * A backslash at the end of a comment does cause line continuation.
+ *
+ * If =lineno is not =NULL, the integer variable it points to is
+ * incremented every time a quoted or escaped newline character is read.
+ *
+ * If =lenp is not =NULL, the length of the word (after quotes and
+ * backslashes have been removed) is stored in the variable it points to.
+ *
+ * RETURN VALUES
+ *
+ * If successful, the =openpam_readword function returns a pointer to a
+ * dynamically allocated NUL-terminated string containing the first word
+ * encountered on the line.
+ *
+ * The caller is responsible for releasing the returned buffer by passing
+ * it to =!free.
+ *
+ * If =openpam_readword reaches the end of the line or file before any
+ * characters are copied to the word, it returns =NULL.  In the former
+ * case, the newline is pushed back to the file.
+ *
+ * If =openpam_readword reaches the end of the file while a quote or
+ * backslash escape is in effect, it sets :errno to =EINVAL and returns
+ * =NULL.
+ *
+ * IMPLEMENTATION NOTES
+ *
+ * The parsing rules are intended to be equivalent to the normal POSIX
+ * shell quoting rules.
+ * Any discrepancy is a bug and should be reported to the author along
+ * with sample input that can be used to reproduce the error.
+ *
+ * >openpam_readline
+ * >openpam_readlinev
+ *
+ * AUTHOR DES
+ */
--- a/lib/libpam/openpam_restore_cred.c
+++ b/lib/libpam/openpam_restore_cred.c
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -50,6 +48,7 @@
 #include <security/pam_appl.h>

 #include "openpam_impl.h"
+#include "openpam_cred.h"

 /*
 * OpenPAM extension
--- a/lib/libpam/openpam_set_feature.c
+++ b/lib/libpam/openpam_set_feature.c
@ -0,0 +1,72 @@
+/*-
+ * Copyright (c) 2012-2017 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+#include "openpam_impl.h"
+
+/*
+ * OpenPAM extension
+ *
+ * Enable or disable an optional feature.
+ */
+
+int
+openpam_set_feature(int feature, int onoff)
+{
+
+	ENTERF(feature);
+	if (feature < 0 || feature >= OPENPAM_NUM_FEATURES)
+		RETURNC(PAM_BAD_FEATURE);
+	openpam_features[feature].onoff = onoff;
+	RETURNC(PAM_SUCCESS);
+}
+
+/*
+ * Error codes:
+ *
+ *	PAM_BAD_FEATURE
+ */
+
+/**
+ * EXPERIMENTAL
+ *
+ * The =openpam_set_feature function sets the state of the specified
+ * feature to the value specified by the =onoff argument.
+ * See =openpam_get_feature for a list of recognized features.
+ *
+ * >openpam_get_feature
+ *
+ * AUTHOR DES
+ */
--- a/lib/libpam/openpam_set_option.c
+++ b/lib/libpam/openpam_set_option.c
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2023 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -46,9 +44,9 @@
 #include <string.h>

 #include <security/pam_appl.h>
-#include <security/openpam.h>

 #include "openpam_impl.h"
+#include "openpam_asprintf.h"

 /*
 * OpenPAM extension
@ -85,6 +83,7 @@ openpam_set_option(pam_handle_t *pamh,
 		for (free(cur->optv[i]); i < cur->optc; ++i)
 			cur->optv[i] = cur->optv[i + 1];
 		cur->optv[i] = NULL;
+		--cur->optc;
 		RETURNC(PAM_SUCCESS);
 	}
 	if (asprintf(&opt, "%.*s=%s", (int)len, option, value) < 0)
--- a/lib/libpam/openpam_static.c
+++ b/lib/libpam/openpam_static.c
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
--- a/lib/libpam/openpam_straddch.c
+++ b/lib/libpam/openpam_straddch.c
@ -0,0 +1,113 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <errno.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+#define MIN_STR_SIZE	32
+
+/*
+ * OpenPAM extension
+ *
+ * Add a character to a string, expanding the buffer if needed.
+ */
+
+int
+openpam_straddch(char **str, size_t *size, size_t *len, int ch)
+{
+	size_t tmpsize;
+	char *tmpstr;
+
+	if (*str == NULL) {
+		/* initial allocation */
+		tmpsize = MIN_STR_SIZE;
+		if ((tmpstr = malloc(tmpsize)) == NULL) {
+			errno = ENOMEM;
+			return (-1);
+		}
+		*str = tmpstr;
+		*size = tmpsize;
+		*len = 0;
+	} else if (ch != 0 && *len + 1 >= *size) {
+		/* additional space required */
+		tmpsize = *size * 2;
+		if ((tmpstr = realloc(*str, tmpsize)) == NULL) {
+			errno = ENOMEM;
+			return (-1);
+		}
+		*size = tmpsize;
+		*str = tmpstr;
+	}
+	if (ch != 0) {
+		(*str)[*len] = ch;
+		++*len;
+	}
+	(*str)[*len] = '\0';
+	return (0);
+}
+
+/**
+ * The =openpam_straddch function appends a character to a dynamically
+ * allocated NUL-terminated buffer, reallocating the buffer as needed.
+ *
+ * The =str argument points to a variable containing either a pointer to
+ * an existing buffer or =NULL.
+ * If the value of the variable pointed to by =str is =NULL, a new buffer
+ * is allocated.
+ *
+ * The =size and =len argument point to variables used to hold the size
+ * of the buffer and the length of the string it contains, respectively.
+ *
+ * The final argument, =ch, is the character that should be appended to
+ * the string.  If =ch is 0, nothing is appended, but a new buffer is
+ * still allocated if =str is NULL.  This can be used to "bootstrap" the
+ * string.
+ *
+ * If a new buffer is allocated or an existing buffer is reallocated to
+ * make room for the additional character, =str and =size are updated
+ * accordingly.
+ *
+ * The =openpam_straddch function ensures that the buffer is always
+ * NUL-terminated.
+ *
+ * If the =openpam_straddch function is successful, it increments the
+ * integer variable pointed to by =len (unless =ch was 0) and returns 0.
+ * Otherwise, it leaves the variables pointed to by =str, =size and =len
+ * unmodified, sets :errno to =ENOMEM and returns -1.
+ *
+ * AUTHOR DES
+ */
--- a/lib/libpam/openpam_strlcat.c
+++ b/lib/libpam/openpam_strlcat.c
@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2011-2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#ifndef HAVE_STRLCAT
+
+#include <stddef.h>
+
+#include "openpam_strlcat.h"
+
+/* like strcat(3), but always NUL-terminates; returns strlen(src) */
+size_t
+openpam_strlcat(char *dst, const char *src, size_t size)
+{
+	size_t len;
+
+	for (len = 0; *dst && size > 1; ++len, --size)
+		dst++;
+	for (; *src && size > 1; ++len, --size)
+		*dst++ = *src++;
+	*dst = '\0';
+	while (*src)
+		++len, ++src;
+	return (len);
+}
+
+#endif
--- a/lib/libpam/openpam_strlcat.h
+++ b/lib/libpam/openpam_strlcat.h
@ -0,0 +1,39 @@
+/*-
+ * Copyright (c) 2011 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef OPENPAM_STRLCAT_H_INCLUDED
+#define OPENPAM_STRLCAT_H_INCLUDED
+
+#ifndef HAVE_STRLCAT
+size_t openpam_strlcat(char *, const char *, size_t);
+#undef strlcat
+#define strlcat(arg, ...) openpam_strlcat(arg, __VA_ARGS__)
+#endif
+
+#endif
--- a/lib/libpam/openpam_strlcmp.h
+++ b/lib/libpam/openpam_strlcmp.h
@ -6,11 +6,13 @@
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer
- *    in this position and unchanged.
+ *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -23,8 +25,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifndef OPENPAM_STRLCMP_H_INCLUDED
--- a/lib/libpam/openpam_strlcpy.c
+++ b/lib/libpam/openpam_strlcpy.c
@ -0,0 +1,54 @@
+/*-
+ * Copyright (c) 2011-2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#ifndef HAVE_STRLCPY
+
+#include <stddef.h>
+
+#include "openpam_strlcpy.h"
+
+/* like strcpy(3), but always NUL-terminates; returns strlen(src) */
+size_t
+openpam_strlcpy(char *dst, const char *src, size_t size)
+{
+	size_t len;
+
+	for (len = 0; *src && size > 1; ++len, --size)
+		*dst++ = *src++;
+	*dst = '\0';
+	while (*src)
+		++len, ++src;
+	return (len);
+}
+
+#endif
--- a/lib/libpam/openpam_strlcpy.h
+++ b/lib/libpam/openpam_strlcpy.h
@ -6,11 +6,13 @@
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer
- *    in this position and unchanged.
+ *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -23,27 +25,15 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifndef OPENPAM_STRLCPY_H_INCLUDED
 #define OPENPAM_STRLCPY_H_INCLUDED

 #ifndef HAVE_STRLCPY
-/* like strcpy(3), but always NUL-terminates; returns strlen(src) */
-size_t
-strlcpy(char *dst, const char *src, size_t size)
-{
-	size_t len;
-
-	for (len = 0; *src && size > 1; ++len, --size)
-		*dst++ = *src++;
-	*dst = '\0';
-	while (*src)
-		++len, ++src;
-	return (len);
-}
+size_t openpam_strlcpy(char *, const char *, size_t);
+#undef strlcpy
+#define strlcpy(arg, ...) openpam_strlcpy(arg, __VA_ARGS__)
 #endif

 #endif
--- a/lib/libpam/openpam_strlset.c
+++ b/lib/libpam/openpam_strlset.c
@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2014 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#ifndef HAVE_STRLSET
+
+#include <stddef.h>
+
+#include "openpam_strlset.h"
+
+/*
+ * like memset(3), but stops at the first NUL byte and NUL-terminates the
+ * result.  Returns the number of bytes that were written, not including
+ * the terminating NUL.
+ */
+size_t
+openpam_strlset(char *str, int ch, size_t size)
+{
+	size_t len;
+
+	for (len = 0; *str && size > 1; ++len, --size)
+		*str++ = ch;
+	*str = '\0';
+	return (++len);
+}
+
+#endif
--- a/lib/libpam/openpam_strlset.h
+++ b/lib/libpam/openpam_strlset.h
@ -0,0 +1,39 @@
+/*-
+ * Copyright (c) 2014 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef OPENPAM_STRLSET_H_INCLUDED
+#define OPENPAM_STRLSET_H_INCLUDED
+
+#ifndef HAVE_STRLSET
+size_t openpam_strlset(char *, int, size_t);
+#undef strlset
+#define strlset(arg, ...) openpam_strlset(arg, __VA_ARGS__)
+#endif
+
+#endif
--- a/lib/libpam/openpam_subst.c
+++ b/lib/libpam/openpam_subst.c
@ -1,16 +1,18 @@
 /*-
- * Copyright (c) 2011 Dag-Erling Smørgrav
+ * Copyright (c) 2011-2023 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer
- *    in this position and unchanged.
+ *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -23,8 +25,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -104,7 +104,8 @@ openpam_subst(const pam_handle_t *pamh,
 				subst_char('%');
 				subst_char(*template);
 			}
-			++template;
+			if (*template)
+				++template;
 		} else {
 			subst_char(*template++);
 		}
--- a/lib/libpam/openpam_ttyconv.c
+++ b/lib/libpam/openpam_ttyconv.c
@ -0,0 +1,400 @@
+/*-
+ * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2004-2014 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * Network Associates Laboratories, the Security Research Division of
+ * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <sys/types.h>
+#include <sys/poll.h>
+#include <sys/time.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <termios.h>
+#include <unistd.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+#include "openpam_strlset.h"
+
+int openpam_ttyconv_timeout = 0;
+
+static volatile sig_atomic_t caught_signal;
+
+/*
+ * Handle incoming signals during tty conversation
+ */
+static void
+catch_signal(int signo)
+{
+
+	switch (signo) {
+	case SIGINT:
+	case SIGQUIT:
+	case SIGTERM:
+		caught_signal = signo;
+		break;
+	}
+}
+
+/*
+ * Accept a response from the user on a tty
+ */
+static int
+prompt_tty(int ifd, int ofd, const char *message, char *response, int echo)
+{
+	struct sigaction action;
+	struct sigaction saction_sigint, saction_sigquit, saction_sigterm;
+	struct termios tcattr;
+	struct timeval now, target, remaining;
+	int remaining_ms;
+	tcflag_t slflag;
+	struct pollfd pfd;
+	int serrno;
+	int pos, ret;
+	char ch;
+
+	/* turn echo off if requested */
+	slflag = 0; /* prevent bogus uninitialized variable warning */
+	if (!echo) {
+		if (tcgetattr(ifd, &tcattr) != 0) {
+			openpam_log(PAM_LOG_ERROR, "tcgetattr(): %m");
+			return (-1);
+		}
+		slflag = tcattr.c_lflag;
+		tcattr.c_lflag &= ~ECHO;
+		if (tcsetattr(ifd, TCSAFLUSH, &tcattr) != 0) {
+			openpam_log(PAM_LOG_ERROR, "tcsetattr(): %m");
+			return (-1);
+		}
+	}
+
+	/* write prompt */
+	if (write(ofd, message, strlen(message)) < 0) {
+		openpam_log(PAM_LOG_ERROR, "write(): %m");
+		return (-1);
+	}
+
+	/* install signal handlers */
+	caught_signal = 0;
+	action.sa_handler = &catch_signal;
+	action.sa_flags = 0;
+	sigfillset(&action.sa_mask);
+	sigaction(SIGINT, &action, &saction_sigint);
+	sigaction(SIGQUIT, &action, &saction_sigquit);
+	sigaction(SIGTERM, &action, &saction_sigterm);
+
+	/* compute timeout */
+	if (openpam_ttyconv_timeout > 0) {
+		(void)gettimeofday(&now, NULL);
+		remaining.tv_sec = openpam_ttyconv_timeout;
+		remaining.tv_usec = 0;
+		timeradd(&now, &remaining, &target);
+	} else {
+		/* prevent bogus uninitialized variable warning */
+		now.tv_sec = now.tv_usec = 0;
+		remaining.tv_sec = remaining.tv_usec = 0;
+		target.tv_sec = target.tv_usec = 0;
+	}
+
+	/* input loop */
+	pos = 0;
+	ret = -1;
+	serrno = 0;
+	while (!caught_signal) {
+		pfd.fd = ifd;
+		pfd.events = POLLIN;
+		pfd.revents = 0;
+		if (openpam_ttyconv_timeout > 0) {
+			gettimeofday(&now, NULL);
+			if (timercmp(&now, &target, >))
+				break;
+			timersub(&target, &now, &remaining);
+			remaining_ms = remaining.tv_sec * 1000 +
+			    remaining.tv_usec / 1000;
+		} else {
+			remaining_ms = -1;
+		}
+		if ((ret = poll(&pfd, 1, remaining_ms)) < 0) {
+			serrno = errno;
+			if (errno == EINTR)
+				continue;
+			openpam_log(PAM_LOG_ERROR, "poll(): %m");
+			break;
+		} else if (ret == 0) {
+			/* timeout */
+			write(ofd, " timed out", 10);
+			openpam_log(PAM_LOG_NOTICE, "timed out");
+			break;
+		}
+		if ((ret = read(ifd, &ch, 1)) < 0) {
+			serrno = errno;
+			openpam_log(PAM_LOG_ERROR, "read(): %m");
+			break;
+		} else if (ret == 0 || ch == '\n') {
+			response[pos] = '\0';
+			ret = pos;
+			break;
+		}
+		if (pos + 1 < PAM_MAX_RESP_SIZE)
+			response[pos++] = ch;
+		/* overflow is discarded */
+	}
+
+	/* restore tty state */
+	if (!echo) {
+		tcattr.c_lflag = slflag;
+		if (tcsetattr(ifd, 0, &tcattr) != 0) {
+			/* treat as non-fatal, since we have our answer */
+			openpam_log(PAM_LOG_NOTICE, "tcsetattr(): %m");
+		}
+	}
+
+	/* restore signal handlers and re-post caught signal*/
+	sigaction(SIGINT, &saction_sigint, NULL);
+	sigaction(SIGQUIT, &saction_sigquit, NULL);
+	sigaction(SIGTERM, &saction_sigterm, NULL);
+	if (caught_signal != 0) {
+		openpam_log(PAM_LOG_ERROR, "caught signal %d",
+		    (int)caught_signal);
+		raise((int)caught_signal);
+		/* if raise() had no effect... */
+		serrno = EINTR;
+		ret = -1;
+	}
+
+	/* done */
+	write(ofd, "\n", 1);
+	errno = serrno;
+	return (ret);
+}
+
+/*
+ * Accept a response from the user on a non-tty stdin.
+ */
+static int
+prompt_notty(const char *message, char *response)
+{
+	struct timeval now, target, remaining;
+	int remaining_ms;
+	struct pollfd pfd;
+	int ch, pos, ret;
+
+	/* show prompt */
+	fputs(message, stdout);
+	fflush(stdout);
+
+	/* compute timeout */
+	if (openpam_ttyconv_timeout > 0) {
+		(void)gettimeofday(&now, NULL);
+		remaining.tv_sec = openpam_ttyconv_timeout;
+		remaining.tv_usec = 0;
+		timeradd(&now, &remaining, &target);
+	} else {
+		/* prevent bogus uninitialized variable warning */
+		now.tv_sec = now.tv_usec = 0;
+		remaining.tv_sec = remaining.tv_usec = 0;
+		target.tv_sec = target.tv_usec = 0;
+	}
+
+	/* input loop */
+	pos = 0;
+	for (;;) {
+		pfd.fd = STDIN_FILENO;
+		pfd.events = POLLIN;
+		pfd.revents = 0;
+		if (openpam_ttyconv_timeout > 0) {
+			gettimeofday(&now, NULL);
+			if (timercmp(&now, &target, >))
+				break;
+			timersub(&target, &now, &remaining);
+			remaining_ms = remaining.tv_sec * 1000 +
+			    remaining.tv_usec / 1000;
+		} else {
+			remaining_ms = -1;
+		}
+		if ((ret = poll(&pfd, 1, remaining_ms)) < 0) {
+			/* interrupt is ok, everything else -> bail */
+			if (errno == EINTR)
+				continue;
+			perror("\nopenpam_ttyconv");
+			return (-1);
+		} else if (ret == 0) {
+			/* timeout */
+			break;
+		} else {
+			/* input */
+			if ((ch = getchar()) == EOF && ferror(stdin)) {
+				perror("\nopenpam_ttyconv");
+				return (-1);
+			}
+			if (ch == EOF || ch == '\n') {
+				response[pos] = '\0';
+				return (pos);
+			}
+			if (pos + 1 < PAM_MAX_RESP_SIZE)
+				response[pos++] = ch;
+			/* overflow is discarded */
+		}
+	}
+	fputs("\nopenpam_ttyconv: timeout\n", stderr);
+	return (-1);
+}
+
+/*
+ * Determine whether stdin is a tty; if not, try to open the tty; in
+ * either case, call the appropriate method.
+ */
+static int
+prompt(const char *message, char *response, int echo)
+{
+	int ifd, ofd, ret;
+
+	if (isatty(STDIN_FILENO)) {
+		fflush(stdout);
+#ifdef HAVE_FPURGE
+		fpurge(stdin);
+#endif
+		ifd = STDIN_FILENO;
+		ofd = STDOUT_FILENO;
+	} else {
+		if ((ifd = open("/dev/tty", O_RDWR)) < 0)
+			/* no way to prevent echo */
+			return (prompt_notty(message, response));
+		ofd = ifd;
+	}
+	ret = prompt_tty(ifd, ofd, message, response, echo);
+	if (ifd != STDIN_FILENO)
+		close(ifd);
+	return (ret);
+}
+
+/*
+ * OpenPAM extension
+ *
+ * Simple tty-based conversation function
+ */
+
+int
+openpam_ttyconv(int n,
+	 const struct pam_message **msg,
+	 struct pam_response **resp,
+	 void *data)
+{
+	char respbuf[PAM_MAX_RESP_SIZE];
+	struct pam_response *aresp;
+	int i;
+
+	ENTER();
+	(void)data;
+	if (n <= 0 || n > PAM_MAX_NUM_MSG)
+		RETURNC(PAM_CONV_ERR);
+	if ((aresp = calloc(n, sizeof *aresp)) == NULL)
+		RETURNC(PAM_BUF_ERR);
+	for (i = 0; i < n; ++i) {
+		aresp[i].resp_retcode = 0;
+		aresp[i].resp = NULL;
+		switch (msg[i]->msg_style) {
+		case PAM_PROMPT_ECHO_OFF:
+			if (prompt(msg[i]->msg, respbuf, 0) < 0 ||
+			    (aresp[i].resp = strdup(respbuf)) == NULL)
+				goto fail;
+			break;
+		case PAM_PROMPT_ECHO_ON:
+			if (prompt(msg[i]->msg, respbuf, 1) < 0 ||
+			    (aresp[i].resp = strdup(respbuf)) == NULL)
+				goto fail;
+			break;
+		case PAM_ERROR_MSG:
+			fputs(msg[i]->msg, stderr);
+			if (strlen(msg[i]->msg) > 0 &&
+			    msg[i]->msg[strlen(msg[i]->msg) - 1] != '\n')
+				fputc('\n', stderr);
+			break;
+		case PAM_TEXT_INFO:
+			fputs(msg[i]->msg, stdout);
+			if (strlen(msg[i]->msg) > 0 &&
+			    msg[i]->msg[strlen(msg[i]->msg) - 1] != '\n')
+				fputc('\n', stdout);
+			break;
+		default:
+			goto fail;
+		}
+	}
+	*resp = aresp;
+	memset(respbuf, 0, sizeof respbuf);
+	RETURNC(PAM_SUCCESS);
+fail:
+	for (i = 0; i < n; ++i) {
+		if (aresp[i].resp != NULL) {
+			strlset(aresp[i].resp, 0, PAM_MAX_RESP_SIZE);
+			FREE(aresp[i].resp);
+		}
+	}
+	memset(aresp, 0, n * sizeof *aresp);
+	FREE(aresp);
+	*resp = NULL;
+	memset(respbuf, 0, sizeof respbuf);
+	RETURNC(PAM_CONV_ERR);
+}
+
+/*
+ * Error codes:
+ *
+ *	PAM_SYSTEM_ERR
+ *	PAM_BUF_ERR
+ *	PAM_CONV_ERR
+ */
+
+/**
+ * The =openpam_ttyconv function is a standard conversation function
+ * suitable for use on TTY devices.
+ * It should be adequate for the needs of most text-based interactive
+ * programs.
+ *
+ * The =openpam_ttyconv function allows the application to specify a
+ * timeout for user input by setting the global integer variable
+ * :openpam_ttyconv_timeout to the length of the timeout in seconds.
+ *
+ * >openpam_nullconv
+ * >pam_prompt
+ * >pam_vprompt
+ */
--- a/lib/libpam/openpam_vasprintf.c
+++ b/lib/libpam/openpam_vasprintf.c
@ -0,0 +1,58 @@
+/*-
+ * Copyright (c) 2011-2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#ifndef HAVE_VASPRINTF
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "openpam_vasprintf.h"
+
+/* like vsprintf(3), but allocates memory for the result. */
+int
+openpam_vasprintf(char **str, const char *fmt, va_list ap)
+{
+        va_list apcopy;
+        int len, ret;
+
+        va_copy(apcopy, ap);
+        len = vsnprintf(NULL, 0, fmt, ap);
+        if ((*str = malloc(len + 1)) == NULL)
+                return (-1);
+        ret = vsnprintf(*str, len + 1, fmt, apcopy);
+        va_end(apcopy);
+        return (ret);
+}
+
+#endif
--- a/lib/libpam/openpam_vasprintf.h
+++ b/lib/libpam/openpam_vasprintf.h
@ -0,0 +1,39 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef OPENPAM_VASPRINTF_H_INCLUDED
+#define OPENPAM_VASPRINTF_H_INCLUDED
+
+#ifndef HAVE_VASPRINTF
+int openpam_vasprintf(char **, const char *, va_list);
+#undef vasprintf
+#define vasprintf(arg, ...) openpam_vasprintf(arg, __VA_ARGS__)
+#endif
+
+#endif
--- a/lib/libpam/pam_acct_mgmt.c
+++ b/lib/libpam/pam_acct_mgmt.c
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
--- a/lib/libpam/pam_authenticate.c
+++ b/lib/libpam/pam_authenticate.c
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2017 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -60,7 +58,7 @@ pam_authenticate(pam_handle_t *pamh,

 	ENTER();
 	if (flags & ~(PAM_SILENT|PAM_DISALLOW_NULL_AUTHTOK))
-		RETURNC(PAM_SYMBOL_ERR);
+		RETURNC(PAM_BAD_CONSTANT);
 	r = openpam_dispatch(pamh, PAM_SM_AUTHENTICATE, flags);
 	pam_set_item(pamh, PAM_AUTHTOK, NULL);
 	RETURNC(r);
@ -72,7 +70,7 @@ pam_authenticate(pam_handle_t *pamh,
 *	=openpam_dispatch
 *	=pam_sm_authenticate
 *	!PAM_IGNORE
- *	PAM_SYMBOL_ERR
+ *	PAM_BAD_CONSTANT
 */

 /**
@ -92,5 +90,5 @@ pam_authenticate(pam_handle_t *pamh,
 *		Fail if the user's authentication token is null.
 *
 * If any other bits are set, =pam_authenticate will return
- * =PAM_SYMBOL_ERR.
+ * =PAM_BAD_CONSTANT.
 */
--- a/lib/libpam/pam_authenticate_secondary.c
+++ b/lib/libpam/pam_authenticate_secondary.c
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
--- a/lib/libpam/pam_chauthtok.c
+++ b/lib/libpam/pam_chauthtok.c
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2017 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -60,7 +58,7 @@ pam_chauthtok(pam_handle_t *pamh,

 	ENTER();
 	if (flags & ~(PAM_SILENT|PAM_CHANGE_EXPIRED_AUTHTOK))
-		RETURNC(PAM_SYMBOL_ERR);
+		RETURNC(PAM_BAD_CONSTANT);
 	r = openpam_dispatch(pamh, PAM_SM_CHAUTHTOK,
 	    flags | PAM_PRELIM_CHECK);
 	if (r == PAM_SUCCESS)
@ -77,7 +75,7 @@ pam_chauthtok(pam_handle_t *pamh,
 *	=openpam_dispatch
 *	=pam_sm_chauthtok
 *	!PAM_IGNORE
- *	PAM_SYMBOL_ERR
+ *	PAM_BAD_CONSTANT
 */

 /**
@ -93,5 +91,5 @@ pam_chauthtok(pam_handle_t *pamh,
 *	=PAM_CHANGE_EXPIRED_AUTHTOK:
 *		Change only those authentication tokens that have expired.
 *
- * If any other bits are set, =pam_chauthtok will return =PAM_SYMBOL_ERR.
+ * If any other bits are set, =pam_chauthtok will return =PAM_BAD_CONSTANT.
 */
--- a/lib/libpam/pam_close_session.c
+++ b/lib/libpam/pam_close_session.c
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2017 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -60,7 +58,7 @@ pam_close_session(pam_handle_t *pamh,

 	ENTER();
 	if (flags & ~(PAM_SILENT))
-		RETURNC(PAM_SYMBOL_ERR);
+		RETURNC(PAM_BAD_CONSTANT);
 	r = openpam_dispatch(pamh, PAM_SM_CLOSE_SESSION, flags);
 	RETURNC(r);
 }
@ -71,7 +69,7 @@ pam_close_session(pam_handle_t *pamh,
 *	=openpam_dispatch
 *	=pam_sm_close_session
 *	!PAM_IGNORE
- *	PAM_SYMBOL_ERR
+ *	PAM_BAD_CONSTANT
 */

 /**
@ -85,5 +83,5 @@ pam_close_session(pam_handle_t *pamh,
 *		Do not emit any messages.
 *
 * If any other bits are set, =pam_close_session will return
- * =PAM_SYMBOL_ERR.
+ * =PAM_BAD_CONSTANT.
 */
--- a/lib/libpam/pam_end.c
+++ b/lib/libpam/pam_end.c
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2017 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -61,7 +59,7 @@ pam_end(pam_handle_t *pamh,

 	ENTER();
 	if (pamh == NULL)
-		RETURNC(PAM_SYSTEM_ERR);
+		RETURNC(PAM_BAD_HANDLE);

 	/* clear module data */
 	while ((dp = pamh->module_data) != NULL) {
@ -94,7 +92,7 @@ pam_end(pam_handle_t *pamh,
 /*
 * Error codes:
 *
- *	PAM_SYSTEM_ERR
+ *	PAM_BAD_HANDLE
 */

 /**
--- a/lib/libpam/pam_error.c
+++ b/lib/libpam/pam_error.c
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
--- a/lib/libpam/pam_get_authtok.c
+++ b/lib/libpam/pam_get_authtok.c
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2017 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -48,8 +46,10 @@
 #include <security/openpam.h>

 #include "openpam_impl.h"
+#include "openpam_strlset.h"

 static const char authtok_prompt[] = "Password:";
+static const char authtok_prompt_remote[] = "Password for %u@%h:";
 static const char oldauthtok_prompt[] = "Old Password:";
 static const char newauthtok_prompt[] = "New Password:";

@ -69,12 +69,11 @@ pam_get_authtok(pam_handle_t *pamh,
 	size_t prompt_size;
 	const void *oldauthtok, *prevauthtok, *promptp;
 	const char *prompt_option, *default_prompt;
+	const void *lhost, *rhost;
 	char *resp, *resp2;
 	int pitem, r, style, twice;

 	ENTER();
-	if (pamh == NULL || authtok == NULL)
-		RETURNC(PAM_SYSTEM_ERR);
 	*authtok = NULL;
 	twice = 0;
 	switch (item) {
@ -82,6 +81,14 @@ pam_get_authtok(pam_handle_t *pamh,
 		pitem = PAM_AUTHTOK_PROMPT;
 		prompt_option = "authtok_prompt";
 		default_prompt = authtok_prompt;
+		r = pam_get_item(pamh, PAM_RHOST, &rhost);
+		if (r == PAM_SUCCESS && rhost != NULL) {
+			r = pam_get_item(pamh, PAM_HOST, &lhost);
+			if (r == PAM_SUCCESS && lhost != NULL) {
+				if (strcmp(rhost, lhost) != 0)
+					default_prompt = authtok_prompt_remote;
+			}
+		}
 		r = pam_get_item(pamh, PAM_OLDAUTHTOK, &oldauthtok);
 		if (r == PAM_SUCCESS && oldauthtok != NULL) {
 			default_prompt = newauthtok_prompt;
@ -95,7 +102,7 @@ pam_get_authtok(pam_handle_t *pamh,
 		twice = 0;
 		break;
 	default:
-		RETURNC(PAM_SYMBOL_ERR);
+		RETURNC(PAM_BAD_CONSTANT);
 	}
 	if (openpam_get_option(pamh, "try_first_pass") ||
 	    openpam_get_option(pamh, "use_first_pass")) {
@ -103,17 +110,19 @@ pam_get_authtok(pam_handle_t *pamh,
 		if (r == PAM_SUCCESS && prevauthtok != NULL) {
 			*authtok = prevauthtok;
 			RETURNC(PAM_SUCCESS);
-		}
-		else if (openpam_get_option(pamh, "use_first_pass"))
+		} else if (openpam_get_option(pamh, "use_first_pass")) {
 			RETURNC(r == PAM_SUCCESS ? PAM_AUTH_ERR : r);
+		}
 	}
 	/* pam policy overrides the module's choice */
 	if ((promptp = openpam_get_option(pamh, prompt_option)) != NULL)
 		prompt = promptp;
 	/* no prompt provided, see if there is one tucked away somewhere */
-	if (prompt == NULL)
-		if (pam_get_item(pamh, pitem, &promptp) && promptp != NULL)
+	if (prompt == NULL) {
+		r = pam_get_item(pamh, pitem, &promptp);
+		if (r == PAM_SUCCESS && promptp != NULL)
 			prompt = promptp;
+	}
 	/* fall back to hardcoded default */
 	if (prompt == NULL)
 		prompt = default_prompt;
@ -130,16 +139,21 @@ pam_get_authtok(pam_handle_t *pamh,
 	if (twice) {
 		r = pam_prompt(pamh, style, &resp2, "Retype %s", prompt);
 		if (r != PAM_SUCCESS) {
+			strlset(resp, 0, PAM_MAX_RESP_SIZE);
 			FREE(resp);
 			RETURNC(r);
 		}
-		if (strcmp(resp, resp2) != 0)
+		if (strcmp(resp, resp2) != 0) {
+			strlset(resp, 0, PAM_MAX_RESP_SIZE);
 			FREE(resp);
+		}
+		strlset(resp2, 0, PAM_MAX_RESP_SIZE);
 		FREE(resp2);
 	}
 	if (resp == NULL)
 		RETURNC(PAM_TRY_AGAIN);
 	r = pam_set_item(pamh, item, resp);
+	strlset(resp, 0, PAM_MAX_RESP_SIZE);
 	FREE(resp);
 	if (r != PAM_SUCCESS)
 		RETURNC(r);
@ -154,14 +168,17 @@ pam_get_authtok(pam_handle_t *pamh,
 *	=pam_prompt
 *	=pam_set_item
 *	!PAM_SYMBOL_ERR
+ *	PAM_BAD_CONSTANT
 *	PAM_TRY_AGAIN
 */

 /**
- * The =pam_get_authtok function returns the cached authentication token,
- * or prompts the user if no token is currently cached.
+ * The =pam_get_authtok function either prompts the user for an
+ * authentication token or retrieves a cached authentication token,
+ * depending on circumstances.
 * Either way, a pointer to the authentication token is stored in the
- * location pointed to by the =authtok argument.
+ * location pointed to by the =authtok argument, and the corresponding PAM
+ * item is updated.
 *
 * The =item argument must have one of the following values:
 *
@ -176,20 +193,47 @@ pam_get_authtok(pam_handle_t *pamh,
 * If it is =NULL, the =PAM_AUTHTOK_PROMPT or =PAM_OLDAUTHTOK_PROMPT item,
 * as appropriate, will be used.
 * If that item is also =NULL, a hardcoded default prompt will be used.
- * Either way, the prompt is expanded using =openpam_subst before it is
- * passed to the conversation function.
- *
- * If =pam_get_authtok is called from a module and the ;authtok_prompt /
- * ;oldauthtok_prompt option is set in the policy file, the value of that
- * option takes precedence over both the =prompt argument and the
- * =PAM_AUTHTOK_PROMPT / =PAM_OLDAUTHTOK_PROMPT item.
+ * Additionally, when =pam_get_authtok is called from a service module,
+ * the prompt may be affected by module options as described below.
+ * The prompt is then expanded using =openpam_subst before it is passed to
+ * the conversation function.
 *
 * If =item is set to =PAM_AUTHTOK and there is a non-null =PAM_OLDAUTHTOK
 * item, =pam_get_authtok will ask the user to confirm the new token by
 * retyping it.
 * If there is a mismatch, =pam_get_authtok will return =PAM_TRY_AGAIN.
 *
+ * MODULE OPTIONS
+ *
+ * When called by a service module, =pam_get_authtok will recognize the
+ * following module options:
+ *
+ *	;authtok_prompt:
+ *		Prompt to use when =item is set to =PAM_AUTHTOK.
+ *		This option overrides both the =prompt argument and the
+ *		=PAM_AUTHTOK_PROMPT item.
+ *	;echo_pass:
+ *		If the application's conversation function allows it, this
+ *		lets the user see what they are typing.
+ *		This should only be used for non-reusable authentication
+ *		tokens.
+ *	;oldauthtok_prompt:
+ *		Prompt to use when =item is set to =PAM_OLDAUTHTOK.
+ *		This option overrides both the =prompt argument and the
+ *		=PAM_OLDAUTHTOK_PROMPT item.
+ *	;try_first_pass:
+ *		If the requested item is non-null, return it without
+ *		prompting the user.
+ *		Typically, the service module will verify the token, and
+ *		if it does not match, clear the item before calling
+ *		=pam_get_authtok a second time.
+ *	;use_first_pass:
+ *		Do not prompt the user at all; just return the cached
+ *		value, or =PAM_AUTH_ERR if there is none.
+ *
+ * >pam_conv
 * >pam_get_item
 * >pam_get_user
+ * >openpam_get_option
 * >openpam_subst
 */
--- a/lib/libpam/pam_get_data.c
+++ b/lib/libpam/pam_get_data.c
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2017 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -60,8 +58,6 @@ pam_get_data(const pam_handle_t *pamh,
 	pam_data_t *dp;

 	ENTERS(module_data_name);
-	if (pamh == NULL)
-		RETURNC(PAM_SYSTEM_ERR);
 	for (dp = pamh->module_data; dp != NULL; dp = dp->next) {
 		if (strcmp(dp->name, module_data_name) == 0) {
 			*data = (void *)dp->data;
@ -74,7 +70,6 @@ pam_get_data(const pam_handle_t *pamh,
 /*
 * Error codes:
 *
- *	PAM_SYSTEM_ERR
 *	PAM_NO_MODULE_DATA
 */

--- a/lib/libpam/pam_get_item.c
+++ b/lib/libpam/pam_get_item.c
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2017 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
@ -59,8 +57,6 @@ pam_get_item(const pam_handle_t *pamh,
 {

 	ENTERI(item_type);
-	if (pamh == NULL)
-		RETURNC(PAM_SYSTEM_ERR);
 	switch (item_type) {
 	case PAM_SERVICE:
 	case PAM_USER:
@ -78,15 +74,14 @@ pam_get_item(const pam_handle_t *pamh,
 		*item = pamh->item[item_type];
 		RETURNC(PAM_SUCCESS);
 	default:
-		RETURNC(PAM_SYMBOL_ERR);
+		RETURNC(PAM_BAD_ITEM);
 	}
 }

 /*
 * Error codes:
 *
- *	PAM_SYMBOL_ERR
- *	PAM_SYSTEM_ERR
+ *	PAM_BAD_ITEM
 */

 /**
--- a/lib/libpam/pam_get_mapped_authtok.c
+++ b/lib/libpam/pam_get_mapped_authtok.c
@ -31,8 +31,6 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
- * $Id$
 */

 #ifdef HAVE_CONFIG_H
--- a/Show More
+++ b/Show More