Update to OpenPAM Micrampelis.

2012-05-26 17:10:16 +00:00 · 2012-05-26 17:10:16 +00:00 · e591108b4f
commit e591108b4f
parent 14a6c41ca7 4d990f74cc
114 changed files with 5799 additions and 1070 deletions
--- a/contrib/openpam/CREDITS
+++ b/contrib/openpam/CREDITS
@ -16,16 +16,21 @@ ideas:
 	Brian Fundakowski Feldman <green@freebsd.org>
 	Christos Zoulas <christos@netbsd.org>
 	Daniel Richard G. <skunk@iskunk.org>
-	Darren J. Moffat <Darren.Moffat@sun.com>
+	Darren J. Moffat <darren.moffat@sun.com>
 	Dmitry V. Levin <ldv@altlinux.org>
 	Don Lewis <truckman@freebsd.org>
 	Emmanuel Dreyfus <manu@netbsd.org>
 	Eric Melville <eric@freebsd.org>
-	Gary Winiger <Gary.Winiger@sun.com>
+	Gary Winiger <gary.winiger@sun.com>
 	Gleb Smirnoff <glebius@freebsd.org>
 	Hubert Feyrer <hubert@feyrer.de>
 	Jason Evans <jasone@freebsd.org>
 	Joe Marcus Clarke <marcus@freebsd.org>
 	Juli Mallett <jmallett@freebsd.org>
 	Jörg Sonnenberger <joerg@britannica.bec.de>
 	Maëlle Lesage <lesage.maelle@gmail.com>
 	Mark Murray <markm@freebsd.org>
 	Matthias Drochner <drochner@netbsd.org>
 	Mike Petullo <mike@flyn.org>
 	Mikhail Teterin <mi@aldan.algebra.com>
 	Mikko Työläjärvi <mbsd@pacbell.net>
@ -38,4 +43,4 @@ ideas:
 	Wojciech A. Koszek <wkoszek@freebsd.org>
 	Yar Tikhiy <yar@freebsd.org>
-$Id: CREDITS 498 2011-11-21 16:27:04Z des $
+$Id: CREDITS 587 2012-04-08 11:12:10Z des $
--- a/contrib/openpam/HISTORY
+++ b/contrib/openpam/HISTORY
@ -1,3 +1,51 @@
 OpenPAM Micrampelis						2012-05-26
 - FEATURE: Add an openpam_readword(3) function which reads the next
   word from an input stream, applying shell quoting and escaping
   rules.  Add numerous unit tests for openpam_readword(3).
 - FEATURE: Add an openpam_readlinev(3) function which uses the
   openpam_readword(3) function to read words from an input stream one
   at a time until it reaches an unquoted, unescaped newline, and
   returns an array of those words.  Add several unit tests for
   openpam_readlinev(3).
 - FEATURE: Add a PAM_HOST item which pam_start(3) initializes to the
   machine's hostname.  This was implemented in Lycopsida but
   inadvertantly left out of the release notes.
 - FEATURE: In pam_get_authtok(3), if neither the application nor the
   module have specified a prompt and PAM_HOST and PAM_RHOST are both
   defined but not equal, use a different default prompt that includes
   PAM_USER and PAM_HOST.
 - ENHANCE: Rewrite the policy parser to used openpam_readlinev(),
   which greatly simplifies the code.
 - ENHANCE: The previous implementation of the policy parser relied on
   the openpam_readline(3) function, which (by design) munges
   whitespace and understands neither quotes nor backslash escapes.
   As a result of the aforementioned rewrite, whitespace, quotes and
   backslash escapes in policy files are now handled in a consistent
   and predictable manner.
 - ENHANCE: On platforms that have it, use fdlopen(3) to load modules.
   This closes the race between the ownership / permission check and
   the dlopen(3) call.
 - ENHANCE: Reduce the amount of pointless error messages generated
   while searching for a module.
 - ENHANCE: Numerous documentation improvements, both in content and
   formatting.
 - BUGFIX: A patch incorporated in Lycopsida inadvertantly changed
   OpenPAM's behavior when several policies exist for the same
   service, from ignoring all but the first to concatenating them all.
   Revert to the original behavior.
 - BUGFIX: Plug a memory leak in the policy parser.
 ============================================================================
 OpenPAM Lycopsida						2011-12-18
 - ENHANCE: removed static build autodetection, which didn't work
@ -269,7 +317,7 @@ OpenPAM Cinchona						2002-04-08
 - ENHANCE: Add openpam_free_data(), a generic cleanup function for
   pam_set_data() consumers.
 ============================================================================
-OpenPAM	Centaury						2002-03-14
+OpenPAM Centaury						2002-03-14
 - BUGFIX: Add missing #include <string.h> to openpam_log.c.
@ -308,7 +356,7 @@ OpenPAM Celandine						2002-03-05
   module with the same version number as the library itself to one
   with no version number at all.
 ============================================================================
-OpenPAM	Cantaloupe						2002-02-22
+OpenPAM Cantaloupe						2002-02-22
 - BUGFIX: The proper use of PAM_SYMBOL_ERR is to indicate an invalid
   argument to pam_[gs]et_item(3), not to indicate dlsym(3) failures.
@ -338,7 +386,7 @@ OpenPAM	Cantaloupe						2002-02-22
 - ENHANCE: openpam_get_authtok() now respects the echo_pass,
   try_first_pass, and use_first_pass options.
 ============================================================================
-OpenPAM	Caliopsis						2002-02-13
+OpenPAM Caliopsis						2002-02-13
 Fixed a number of bugs in the previous release, including:
  - a number of bugs in and related to pam_[gs]et_item(3)
@ -349,8 +397,8 @@ Fixed a number of bugs in the previous release, including:
  - missing 'continue' in openpam_dispatch.c caused successes to be
    counted as failures
 ============================================================================
-OpenPAM	Calamite						2002-02-09
+OpenPAM Calamite						2002-02-09
 First (beta) release.
 ============================================================================
-$Id: HISTORY 504 2011-12-18 14:11:12Z des $
+$Id: HISTORY 609 2012-05-26 13:57:45Z des $
--- a/contrib/openpam/LICENSE
+++ b/contrib/openpam/LICENSE
@ -1,6 +1,6 @@
 Copyright (c) 2002-2003 Networks Associates Technology, Inc.
-Copyright (c) 2004-2011 Dag-Erling Smørgrav
+Copyright (c) 2004-2012 Dag-Erling Smørgrav
 All rights reserved.
 This software was developed for the FreeBSD Project by ThinkSec AS and
@ -32,4 +32,4 @@ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 SUCH DAMAGE.
-$Id: LICENSE 437 2011-09-13 12:00:13Z des $
+$Id: LICENSE 546 2012-03-31 23:13:20Z des $
--- a/contrib/openpam/Makefile.am
+++ b/contrib/openpam/Makefile.am
@ -1,4 +1,4 @@
-# $Id: Makefile.am 428 2010-03-09 17:32:17Z des $
+# $Id: Makefile.am 549 2012-04-01 20:38:30Z des $
 ACLOCAL_AMFLAGS = -I m4
@ -8,6 +8,8 @@ if WITH_DOC
 SUBDIRS += doc
 endif
 SUBDIRS += t
 EXTRA_DIST = \
 	CREDITS \
 	HISTORY \
--- a/contrib/openpam/Makefile.in
+++ b/contrib/openpam/Makefile.in
@ -15,7 +15,7 @@
@SET_MAKE@
-# $Id: Makefile.am 428 2010-03-09 17:32:17Z des $
+# $Id: Makefile.am 549 2012-04-01 20:38:30Z des $
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@ -39,8 +39,8 @@ host_triplet = @host@
 subdir = .
 DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(srcdir)/config.h.in \
-	$(top_srcdir)/configure INSTALL config.guess config.sub \
+	$(srcdir)/pamgdb.in $(top_srcdir)/configure INSTALL TODO \
-	depcomp install-sh ltmain.sh missing
+	config.guess config.sub depcomp install-sh ltmain.sh missing
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
@ -49,7 +49,7 @@ am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
 configure.lineno config.status.lineno
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = config.h
-CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_FILES = pamgdb
 CONFIG_CLEAN_VPATH_FILES =
 SOURCES =
 DIST_SOURCES =
@ -67,7 +67,7 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir dist dist-all distcheck
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = lib bin modules include doc
+DIST_SUBDIRS = lib bin modules include doc t
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
@ -222,7 +222,7 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 ACLOCAL_AMFLAGS = -I m4
-SUBDIRS = lib bin modules include $(am__append_1)
+SUBDIRS = lib bin modules include $(am__append_1) t
 EXTRA_DIST = \
 	CREDITS \
 	HISTORY \
@ -288,6 +288,8 @@ $(srcdir)/config.h.in:  $(am__configure_deps)
 distclean-hdr:
 	-rm -f config.h stamp-h1
 pamgdb: $(top_builddir)/config.status $(srcdir)/pamgdb.in
 	cd $(top_builddir) && $(SHELL) ./config.status $@
 mostlyclean-libtool:
 	-rm -f *.lo
--- a/contrib/openpam/RELNOTES
+++ b/contrib/openpam/RELNOTES
@ -1,6 +1,6 @@
-		 Release notes for OpenPAM Lycopsida
+		Release notes for OpenPAM Micrampelis
-		 ===================================
+		=====================================
 This release corresponds to the code used in FreeBSD HEAD as of the
 release date, and is also expected to work on almost any POSIX-like
@ -19,6 +19,9 @@ intended for actual use, but rather to serve as examples for module or
 application developers.  It also includes a command-line application
 (pamtest) which can be used to test policies and modules.
 Unit tests for limited portions of the library can be found in the t
 subdirectory.
 Please direct bug reports and inquiries to <des@des.no>.
-$Id: RELNOTES 506 2011-12-18 14:25:12Z des $
+$Id: RELNOTES 609 2012-05-26 13:57:45Z des $
--- a/contrib/openpam/TODO
+++ b/contrib/openpam/TODO
@ -0,0 +1,13 @@
 Before the next release:
 - Complete the transition from PAM_LOG_DEBUG to PAM_LOG_LIBDEBUG.
 Whenever:
 - Implement mechanism to enable / disable optional features.  Use it
   to disable strict error checking so pamtest and unit tests can do
   things that we don't allow in production.
 - Rewrite the module-loading code.
 $Id: TODO 592 2012-04-08 13:19:51Z des $
--- a/contrib/openpam/aclocal.m4
+++ b/contrib/openpam/aclocal.m4
@ -22,8 +22,8 @@ To do so, use the procedure documented by the package, typically `autoreconf'.])
 # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
 #
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008, 2009, 2010 Free Software Foundation,
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
-#                 Inc.
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 # This file is free software; the Free Software Foundation gives
@ -32,8 +32,8 @@ To do so, use the procedure documented by the package, typically `autoreconf'.])
 m4_define([_LT_COPYING], [dnl
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008, 2009, 2010 Free Software Foundation,
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
-#                 Inc.
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 #   This file is part of GNU Libtool.
@ -167,6 +167,8 @@ AC_REQUIRE([AC_CANONICAL_BUILD])dnl
 AC_REQUIRE([_LT_PREPARE_SED_QUOTE_VARS])dnl
 AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])dnl
 _LT_DECL([], [PATH_SEPARATOR], [1], [The PATH separator for the build system])dnl
 dnl
 _LT_DECL([], [host_alias], [0], [The host system])dnl
 _LT_DECL([], [host], [0])dnl
 _LT_DECL([], [host_os], [0])dnl
@ -652,7 +654,7 @@ m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl
 m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION])
 configured by $[0], generated by m4_PACKAGE_STRING.
-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2011 Free Software Foundation, Inc.
 This config.lt script is free software; the Free Software Foundation
 gives unlimited permision to copy, distribute and modify it."
@ -816,6 +818,7 @@ AC_DEFUN([LT_LANG],
 m4_case([$1],
  [C],			[_LT_LANG(C)],
  [C++],		[_LT_LANG(CXX)],
  [Go],			[_LT_LANG(GO)],
  [Java],		[_LT_LANG(GCJ)],
  [Fortran 77],		[_LT_LANG(F77)],
  [Fortran],		[_LT_LANG(FC)],
@ -837,6 +840,29 @@ m4_defun([_LT_LANG],
 ])# _LT_LANG
 m4_ifndef([AC_PROG_GO], [
 # NOTE: This macro has been submitted for inclusion into   #
 #  GNU Autoconf as AC_PROG_GO.  When it is available in    #
 #  a released version of Autoconf we should remove this    #
 #  macro and use it instead.                               #
 m4_defun([AC_PROG_GO],
 [AC_LANG_PUSH(Go)dnl
 AC_ARG_VAR([GOC],     [Go compiler command])dnl
 AC_ARG_VAR([GOFLAGS], [Go compiler flags])dnl
 _AC_ARG_VAR_LDFLAGS()dnl
 AC_CHECK_TOOL(GOC, gccgo)
 if test -z "$GOC"; then
  if test -n "$ac_tool_prefix"; then
    AC_CHECK_PROG(GOC, [${ac_tool_prefix}gccgo], [${ac_tool_prefix}gccgo])
  fi
 fi
 if test -z "$GOC"; then
  AC_CHECK_PROG(GOC, gccgo, gccgo, false)
 fi
 ])#m4_defun
 ])#m4_ifndef
 # _LT_LANG_DEFAULT_CONFIG
 # -----------------------
 m4_defun([_LT_LANG_DEFAULT_CONFIG],
@ -867,6 +893,10 @@ AC_PROVIDE_IFELSE([AC_PROG_GCJ],
       m4_ifdef([LT_PROG_GCJ],
 	[m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])])
 AC_PROVIDE_IFELSE([AC_PROG_GO],
  [LT_LANG(GO)],
  [m4_define([AC_PROG_GO], defn([AC_PROG_GO])[LT_LANG(GO)])])
 AC_PROVIDE_IFELSE([LT_PROG_RC],
  [LT_LANG(RC)],
  [m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])])
@ -969,7 +999,13 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
 	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
        _lt_result=$?
-	if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+	# If there is a non-empty error log, and "single_module"
 	# appears in it, assume the flag caused a linker warning
        if test -s conftest.err && $GREP single_module conftest.err; then
 	  cat conftest.err >&AS_MESSAGE_LOG_FD
 	# Otherwise, if the output was created with a 0 exit code from
 	# the compiler, it worked.
 	elif test -f libconftest.dylib && test $_lt_result -eq 0; then
 	  lt_cv_apple_cc_single_mod=yes
 	else
 	  cat conftest.err >&AS_MESSAGE_LOG_FD
@ -977,6 +1013,7 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	rm -rf libconftest.dylib*
 	rm -f conftest.*
      fi])
    AC_CACHE_CHECK([for -exported_symbols_list linker flag],
      [lt_cv_ld_exported_symbols_list],
      [lt_cv_ld_exported_symbols_list=no
@ -988,6 +1025,7 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	[lt_cv_ld_exported_symbols_list=no])
 	LDFLAGS="$save_LDFLAGS"
    ])
    AC_CACHE_CHECK([for -force_load linker flag],[lt_cv_ld_force_load],
      [lt_cv_ld_force_load=no
      cat > conftest.c << _LT_EOF
@ -1005,7 +1043,9 @@ _LT_EOF
      echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&AS_MESSAGE_LOG_FD
      $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
      _lt_result=$?
-      if test -f conftest && test ! -s conftest.err && test $_lt_result = 0 && $GREP forced_load conftest 2>&1 >/dev/null; then
+      if test -s conftest.err && $GREP force_load conftest.err; then
 	cat conftest.err >&AS_MESSAGE_LOG_FD
      elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then
 	lt_cv_ld_force_load=yes
      else
 	cat conftest.err >&AS_MESSAGE_LOG_FD
@ -1050,8 +1090,8 @@ _LT_EOF
 ])
-# _LT_DARWIN_LINKER_FEATURES
+# _LT_DARWIN_LINKER_FEATURES([TAG])
-# --------------------------
+# ---------------------------------
 # Checks for linker and compiler features on darwin
 m4_defun([_LT_DARWIN_LINKER_FEATURES],
 [
@ -1062,6 +1102,8 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES],
  _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
  if test "$lt_cv_ld_force_load" = "yes"; then
    _LT_TAGVAR(whole_archive_flag_spec, $1)='`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
    m4_case([$1], [F77], [_LT_TAGVAR(compiler_needs_object, $1)=yes],
                  [FC],  [_LT_TAGVAR(compiler_needs_object, $1)=yes])
  else
    _LT_TAGVAR(whole_archive_flag_spec, $1)=''
  fi
@ -1345,14 +1387,27 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
    CFLAGS="$SAVE_CFLAGS"
  fi
  ;;
-sparc*-*solaris*)
+*-*solaris*)
  # Find out which ABI we are using.
  echo 'int i;' > conftest.$ac_ext
  if AC_TRY_EVAL(ac_compile); then
    case `/usr/bin/file conftest.o` in
    *64-bit*)
      case $lt_cv_prog_gnu_ld in
-      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      yes*)
        case $host in
        i?86-*-solaris*)
          LD="${LD-ld} -m elf_x86_64"
          ;;
        sparc*-*-solaris*)
          LD="${LD-ld} -m elf64_sparc"
          ;;
        esac
        # GNU ld 2.21 introduced _sol2 emulations.  Use them if available.
        if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
          LD="${LD-ld}_sol2"
        fi
        ;;
      *)
 	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
 	  LD="${LD-ld} -64"
@ -1429,13 +1484,13 @@ old_postuninstall_cmds=
 if test -n "$RANLIB"; then
  case $host_os in
  openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
    ;;
  *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
    ;;
  esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
 fi
 case $host_os in
@ -1615,6 +1670,11 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
    lt_cv_sys_max_cmd_len=196608
    ;;
  os2*)
    # The test takes a long time on OS/2.
    lt_cv_sys_max_cmd_len=8192
    ;;
  osf*)
    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
@ -1654,7 +1714,7 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
      # If test is not a shell built-in, we'll probably end up computing a
      # maximum length that is only half of the actual maximum length, but
      # we can't tell.
-      while { test "X"`func_fallback_echo "$teststring$teststring" 2>/dev/null` \
+      while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \
 	         = "X$teststring$teststring"; } >/dev/null 2>&1 &&
 	      test $i != 17 # 1/2 MB should be enough
      do
@ -2200,7 +2260,7 @@ need_version=unknown
 case $host_os in
 aix3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
  shlibpath_var=LIBPATH
@ -2209,7 +2269,7 @@ aix3*)
  ;;
 aix[[4-9]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  hardcode_into_libs=yes
@ -2274,7 +2334,7 @@ beos*)
  ;;
 bsdi[[45]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
  soname_spec='${libname}${release}${shared_ext}$major'
@ -2413,7 +2473,7 @@ m4_if([$1], [],[
  ;;
 dgux*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
@ -2466,17 +2526,18 @@ freebsd* | dragonfly*)
  ;;
 gnu*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
  soname_spec='${libname}${release}${shared_ext}$major'
  shlibpath_var=LD_LIBRARY_PATH
  shlibpath_overrides_runpath=no
  hardcode_into_libs=yes
  ;;
 haiku*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  dynamic_linker="$host_os runtime_loader"
@ -2537,7 +2598,7 @@ hpux9* | hpux10* | hpux11*)
  ;;
 interix[[3-9]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
@ -2553,7 +2614,7 @@ irix5* | irix6* | nonstopux*)
    nonstopux*) version_type=nonstopux ;;
    *)
 	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
+		version_type=linux # correct to gnu/linux during the next big refactor
 	else
 		version_type=irix
 	fi ;;
@ -2590,9 +2651,9 @@ linux*oldld* | linux*aout* | linux*coff*)
  dynamic_linker=no
  ;;
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@ -2655,7 +2716,7 @@ netbsd*)
  ;;
 newsos6)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
  shlibpath_var=LD_LIBRARY_PATH
  shlibpath_overrides_runpath=yes
@ -2724,7 +2785,7 @@ rdos*)
  ;;
 solaris*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@ -2749,7 +2810,7 @@ sunos4*)
  ;;
 sysv4 | sysv4.3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
  soname_spec='${libname}${release}${shared_ext}$major'
  shlibpath_var=LD_LIBRARY_PATH
@ -2773,7 +2834,7 @@ sysv4 | sysv4.3*)
 sysv4*MP*)
  if test -d /usr/nec ;then
-    version_type=linux
+    version_type=linux # correct to gnu/linux during the next big refactor
    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
    soname_spec='$libname${shared_ext}.$major'
    shlibpath_var=LD_LIBRARY_PATH
@ -2804,7 +2865,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
 tpf*)
  # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@ -2814,7 +2875,7 @@ tpf*)
  ;;
 uts4*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
  soname_spec='${libname}${release}${shared_ext}$major'
  shlibpath_var=LD_LIBRARY_PATH
@ -3236,7 +3297,7 @@ irix5* | irix6* | nonstopux*)
  lt_cv_deplibs_check_method=pass_all
  ;;
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
  lt_cv_deplibs_check_method=pass_all
  ;;
@ -3656,6 +3717,7 @@ for ac_symprfx in "" "_"; do
    # which start with @ or ?.
    lt_cv_sys_global_symbol_pipe="$AWK ['"\
 "     {last_section=section; section=\$ 3};"\
 "     /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
 "     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
 "     \$ 0!~/External *\|/{next};"\
 "     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
@ -4240,7 +4302,9 @@ m4_if([$1], [CXX], [
    case $cc_basename in
    nvcc*) # Cuda Compiler Driver 2.2
      _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Xlinker '
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-Xcompiler -fPIC'
+      if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then
        _LT_TAGVAR(lt_prog_compiler_pic, $1)="-Xcompiler $_LT_TAGVAR(lt_prog_compiler_pic, $1)"
      fi
      ;;
    esac
  else
@ -4332,18 +4396,33 @@ m4_if([$1], [CXX], [
 	;;
      *)
 	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ F* | *Sun*Fortran*)
+	*Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [[1-7]].* | *Sun*Fortran*\ 8.[[0-3]]*)
 	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
 	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
 	  _LT_TAGVAR(lt_prog_compiler_wl, $1)=''
 	  ;;
 	*Sun\ F* | *Sun*Fortran*)
 	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
 	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
 	  ;;
 	*Sun\ C*)
 	  # Sun C 5.9
 	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
 	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	  ;;
        *Intel*\ [[CF]]*Compiler*)
 	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
 	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
 	  ;;
 	*Portland\ Group*)
 	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
 	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
 	  ;;
 	esac
 	;;
      esac
@ -4503,7 +4582,9 @@ m4_if([$1], [CXX], [
    ;;
  cygwin* | mingw* | cegcc*)
    case $cc_basename in
-    cl*) ;;
+    cl*)
      _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
      ;;
    *)
      _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
      _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname']
@ -4528,7 +4609,6 @@ m4_if([$1], [CXX], [
  _LT_TAGVAR(hardcode_direct, $1)=no
  _LT_TAGVAR(hardcode_direct_absolute, $1)=no
  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
  _LT_TAGVAR(hardcode_libdir_separator, $1)=
  _LT_TAGVAR(hardcode_minus_L, $1)=no
  _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
@ -4779,8 +4859,7 @@ _LT_EOF
 	xlf* | bgf* | bgxlf* | mpixlf*)
 	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
 	  _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive'
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 	  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
 	  _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
 	  if test "x$supports_anon_versioning" = xyes; then
 	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
@ -5075,6 +5154,7 @@ _LT_EOF
 	# The linker will not automatically build a static lib if we build a DLL.
 	# _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
 	_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
 	_LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
 	_LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1,DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
 	# Don't use ranlib
 	_LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib'
@ -5172,7 +5252,6 @@ _LT_EOF
      fi
      if test "$with_gnu_ld" = no; then
 	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
 	_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
 	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
 	_LT_TAGVAR(hardcode_direct, $1)=yes
 	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
@ -5614,9 +5693,6 @@ _LT_TAGDECL([], [no_undefined_flag], [1],
 _LT_TAGDECL([], [hardcode_libdir_flag_spec], [1],
    [Flag to hardcode $libdir into a binary during linking.
    This must work even if $libdir does not exist])
 _LT_TAGDECL([], [hardcode_libdir_flag_spec_ld], [1],
    [[If ld is used when linking, flag to hardcode $libdir into a binary
    during linking.  This must work even if $libdir does not exist]])
 _LT_TAGDECL([], [hardcode_libdir_separator], [1],
    [Whether we need a single "-rpath" flag with a separated argument])
 _LT_TAGDECL([], [hardcode_direct], [0],
@ -5770,7 +5846,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
 _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
@ -6901,12 +6976,18 @@ public class foo {
  }
 };
 _LT_EOF
 ], [$1], [GO], [cat > conftest.$ac_ext <<_LT_EOF
 package foo
 func foo() {
 }
 _LT_EOF
 ])
 _lt_libdeps_save_CFLAGS=$CFLAGS
 case "$CC $CFLAGS " in #(
 *\ -flto*\ *) CFLAGS="$CFLAGS -fno-lto" ;;
 *\ -fwhopr*\ *) CFLAGS="$CFLAGS -fno-whopr" ;;
 *\ -fuse-linker-plugin*\ *) CFLAGS="$CFLAGS -fno-use-linker-plugin" ;;
 esac
 dnl Parse the compiler output and extract the necessary
@ -7103,7 +7184,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
 _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_automatic, $1)=no
@ -7236,7 +7316,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
 _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_automatic, $1)=no
@ -7419,6 +7498,73 @@ CFLAGS=$lt_save_CFLAGS
 ])# _LT_LANG_GCJ_CONFIG
 # _LT_LANG_GO_CONFIG([TAG])
 # --------------------------
 # Ensure that the configuration variables for the GNU Go compiler
 # are suitably defined.  These variables are subsequently used by _LT_CONFIG
 # to write the compiler configuration to `libtool'.
 m4_defun([_LT_LANG_GO_CONFIG],
 [AC_REQUIRE([LT_PROG_GO])dnl
 AC_LANG_SAVE
 # Source file extension for Go test sources.
 ac_ext=go
 # Object file extension for compiled Go test sources.
 objext=o
 _LT_TAGVAR(objext, $1)=$objext
 # Code to be used in simple compile tests
 lt_simple_compile_test_code="package main; func main() { }"
 # Code to be used in simple link tests
 lt_simple_link_test_code='package main; func main() { }'
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 _LT_TAG_COMPILER
 # save warnings/boilerplate of simple test code
 _LT_COMPILER_BOILERPLATE
 _LT_LINKER_BOILERPLATE
 # Allow CC to be a program name with arguments.
 lt_save_CC=$CC
 lt_save_CFLAGS=$CFLAGS
 lt_save_GCC=$GCC
 GCC=yes
 CC=${GOC-"gccgo"}
 CFLAGS=$GOFLAGS
 compiler=$CC
 _LT_TAGVAR(compiler, $1)=$CC
 _LT_TAGVAR(LD, $1)="$LD"
 _LT_CC_BASENAME([$compiler])
 # Go did not exist at the time GCC didn't implicitly link libc in.
 _LT_TAGVAR(archive_cmds_need_lc, $1)=no
 _LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
 _LT_TAGVAR(reload_flag, $1)=$reload_flag
 _LT_TAGVAR(reload_cmds, $1)=$reload_cmds
 if test -n "$compiler"; then
  _LT_COMPILER_NO_RTTI($1)
  _LT_COMPILER_PIC($1)
  _LT_COMPILER_C_O($1)
  _LT_COMPILER_FILE_LOCKS($1)
  _LT_LINKER_SHLIBS($1)
  _LT_LINKER_HARDCODE_LIBPATH($1)
  _LT_CONFIG($1)
 fi
 AC_LANG_RESTORE
 GCC=$lt_save_GCC
 CC=$lt_save_CC
 CFLAGS=$lt_save_CFLAGS
 ])# _LT_LANG_GO_CONFIG
 # _LT_LANG_RC_CONFIG([TAG])
 # -------------------------
 # Ensure that the configuration variables for the Windows resource compiler
@ -7488,6 +7634,13 @@ dnl aclocal-1.4 backwards compatibility:
 dnl AC_DEFUN([LT_AC_PROG_GCJ], [])
 # LT_PROG_GO
 # ----------
 AC_DEFUN([LT_PROG_GO],
 [AC_CHECK_TOOL(GOC, gccgo,)
 ])
 # LT_PROG_RC
 # ----------
 AC_DEFUN([LT_PROG_RC],
@ -8152,9 +8305,24 @@ dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
 # MODE is either `yes' or `no'.  If omitted, it defaults to `both'.
 m4_define([_LT_WITH_PIC],
 [AC_ARG_WITH([pic],
-    [AS_HELP_STRING([--with-pic],
+    [AS_HELP_STRING([--with-pic@<:@=PKGS@:>@],
 	[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
-    [pic_mode="$withval"],
+    [lt_p=${PACKAGE-default}
    case $withval in
    yes|no) pic_mode=$withval ;;
    *)
      pic_mode=default
      # Look at the argument we got.  We use all the common list separators.
      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
      for lt_pkg in $withval; do
 	IFS="$lt_save_ifs"
 	if test "X$lt_pkg" = "X$lt_p"; then
 	  pic_mode=yes
 	fi
      done
      IFS="$lt_save_ifs"
      ;;
    esac],
    [pic_mode=default])
 test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
@ -8326,15 +8494,15 @@ m4_define([lt_dict_filter],
 # @configure_input@
-# serial 3293 ltversion.m4
+# serial 3337 ltversion.m4
 # This file is part of GNU Libtool
-m4_define([LT_PACKAGE_VERSION], [2.4])
+m4_define([LT_PACKAGE_VERSION], [2.4.2])
-m4_define([LT_PACKAGE_REVISION], [1.3293])
+m4_define([LT_PACKAGE_REVISION], [1.3337])
 AC_DEFUN([LTVERSION_VERSION],
-[macro_version='2.4'
+[macro_version='2.4.2'
-macro_revision='1.3293'
+macro_revision='1.3337'
 _LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
 _LT_DECL(, macro_revision, 0)
 ])
--- a/contrib/openpam/bin/Makefile.am
+++ b/contrib/openpam/bin/Makefile.am
@ -1,6 +1,6 @@
-# $Id: Makefile.am 467 2011-11-02 23:42:21Z des $
+# $Id: Makefile.am 538 2012-03-31 17:04:29Z des $
-SUBDIRS =
+SUBDIRS = openpam_dump_policy
 if WITH_PAMTEST
 SUBDIRS += pamtest
--- a/contrib/openpam/bin/Makefile.in
+++ b/contrib/openpam/bin/Makefile.in
@ -15,7 +15,7 @@
@SET_MAKE@
-# $Id: Makefile.am 467 2011-11-02 23:42:21Z des $
+# $Id: Makefile.am 538 2012-03-31 17:04:29Z des $
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@ -63,7 +63,7 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = pamtest su
+DIST_SUBDIRS = openpam_dump_policy pamtest su
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
  dir0=`pwd`; \
@ -207,7 +207,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-SUBDIRS = $(am__append_1) $(am__append_2)
+SUBDIRS = openpam_dump_policy $(am__append_1) $(am__append_2)
 all: all-recursive
 .SUFFIXES:
--- a/contrib/openpam/bin/openpam_dump_policy/Makefile.am
+++ b/contrib/openpam/bin/openpam_dump_policy/Makefile.am
@ -0,0 +1,7 @@
 # $Id: Makefile.am 538 2012-03-31 17:04:29Z des $
 INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/lib
 noinst_PROGRAMS = openpam_dump_policy
 openpam_dump_policy_SOURCES = openpam_dump_policy.c
 openpam_dump_policy_LDADD = $(top_builddir)/lib/libpam.la
--- a/contrib/openpam/bin/openpam_dump_policy/Makefile.in
+++ b/contrib/openpam/bin/openpam_dump_policy/Makefile.in
@ -0,0 +1,474 @@
 # Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
 # 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
 # Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY, to the extent permitted by law; without
 # even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 # PARTICULAR PURPOSE.
@SET_MAKE@
 # $Id: Makefile.am 538 2012-03-31 17:04:29Z des $
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
 INSTALL_HEADER = $(INSTALL_DATA)
 transform = $(program_transform_name)
 NORMAL_INSTALL = :
 PRE_INSTALL = :
 POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 noinst_PROGRAMS = openpam_dump_policy$(EXEEXT)
 subdir = bin/openpam_dump_policy
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
 PROGRAMS = $(noinst_PROGRAMS)
 am_openpam_dump_policy_OBJECTS = openpam_dump_policy.$(OBJEXT)
 openpam_dump_policy_OBJECTS = $(am_openpam_dump_policy_OBJECTS)
 openpam_dump_policy_DEPENDENCIES = $(top_builddir)/lib/libpam.la
 DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
 	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
 LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(openpam_dump_policy_SOURCES)
 DIST_SOURCES = $(openpam_dump_policy_SOURCES)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CRYPT_LIBS = @CRYPT_LIBS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DLLTOOL = @DLLTOOL@
 DL_LIBS = @DL_LIBS@
 DSYMUTIL = @DSYMUTIL@
 DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LIB_MAJ = @LIB_MAJ@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
 NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
 OPENPAM_MODULES_DIR = @OPENPAM_MODULES_DIR@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
 RANLIB = @RANLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
 VERSION = @VERSION@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 datadir = @datadir@
 datarootdir = @datarootdir@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
 htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 libdir = @libdir@
 libexecdir = @libexecdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
 mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/lib
 openpam_dump_policy_SOURCES = openpam_dump_policy.c
 openpam_dump_policy_LDADD = $(top_builddir)/lib/libpam.la
 all: all-am
 .SUFFIXES:
 .SUFFIXES: .c .lo .o .obj
 $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
 	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
 	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
 	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign bin/openpam_dump_policy/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
 	  $(AUTOMAKE) --foreign bin/openpam_dump_policy/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
 	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
 	  *) \
 	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
 	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
 	esac;
 $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(top_srcdir)/configure:  $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
 clean-noinstPROGRAMS:
 	@list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
 	echo " rm -f" $$list; \
 	rm -f $$list || exit $$?; \
 	test -n "$(EXEEXT)" || exit 0; \
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
 openpam_dump_policy$(EXEEXT): $(openpam_dump_policy_OBJECTS) $(openpam_dump_policy_DEPENDENCIES) 
 	@rm -f openpam_dump_policy$(EXEEXT)
 	$(LINK) $(openpam_dump_policy_OBJECTS) $(openpam_dump_policy_LDADD) $(LIBS)
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
 distclean-compile:
 	-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_dump_policy.Po@am__quote@
 .c.o:
@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@	$(COMPILE) -c $<
 .c.obj:
@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 .c.lo:
@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
 mostlyclean-libtool:
 	-rm -f *.lo
 clean-libtool:
 	-rm -rf .libs _libs
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	shift; \
 	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
 	  if test $$# -gt 0; then \
 	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
 	      "$$@" $$unique; \
 	  else \
 	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
 	      $$unique; \
 	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
 	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
 	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
 	     $$unique
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
 	  && $(am__cd) $(top_srcdir) \
 	  && gtags -i $(GTAGS_ARGS) "$$here"
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 distdir: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
 	  dist_files=`for file in $$list; do echo $$file; done | \
 	  sed -e "s|^$$srcdirstrip/||;t" \
 	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
 	case $$dist_files in \
 	  */*) $(MKDIR_P) `echo "$$dist_files" | \
 			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
 			   sort -u` ;; \
 	esac; \
 	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d "$(distdir)/$$file"; then \
 	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
 	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
 	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
 	    test -f "$(distdir)/$$file" \
 	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
 check-am: all-am
 check: check-am
 all-am: Makefile $(PROGRAMS)
 installdirs:
 install: install-am
 install-exec: install-exec-am
 install-data: install-data-am
 uninstall: uninstall-am
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 installcheck: installcheck-am
 install-strip:
 	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
 	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
 	  `test -z '$(STRIP)' || \
 	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
 mostlyclean-generic:
 clean-generic:
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
 clean: clean-am
 clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
 	mostlyclean-am
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
 dvi: dvi-am
 dvi-am:
 html: html-am
 html-am:
 info: info-am
 info-am:
 install-data-am:
 install-dvi: install-dvi-am
 install-dvi-am:
 install-exec-am:
 install-html: install-html-am
 install-html-am:
 install-info: install-info-am
 install-info-am:
 install-man:
 install-pdf: install-pdf-am
 install-pdf-am:
 install-ps: install-ps-am
 install-ps-am:
 installcheck-am:
 maintainer-clean: maintainer-clean-am
 	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 mostlyclean: mostlyclean-am
 mostlyclean-am: mostlyclean-compile mostlyclean-generic \
 	mostlyclean-libtool
 pdf: pdf-am
 pdf-am:
 ps: ps-am
 ps-am:
 uninstall-am:
 .MAKE: install-am install-strip
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
 	clean-libtool clean-noinstPROGRAMS ctags distclean \
 	distclean-compile distclean-generic distclean-libtool \
 	distclean-tags distdir dvi dvi-am html html-am info info-am \
 	install install-am install-data install-data-am install-dvi \
 	install-dvi-am install-exec install-exec-am install-html \
 	install-html-am install-info install-info-am install-man \
 	install-pdf install-pdf-am install-ps install-ps-am \
 	install-strip installcheck installcheck-am installdirs \
 	maintainer-clean maintainer-clean-generic mostlyclean \
 	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
 	pdf pdf-am ps ps-am tags uninstall uninstall-am
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
--- a/contrib/openpam/bin/openpam_dump_policy/openpam_dump_policy.c
+++ b/contrib/openpam/bin/openpam_dump_policy/openpam_dump_policy.c
@ -0,0 +1,202 @@
 /*-
 * Copyright (c) 2011 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Id: openpam_dump_policy.c 582 2012-04-06 23:23:35Z des $
 */
 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif
 #include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <security/pam_appl.h>
 #include "openpam_impl.h"
 static char *
 openpam_chain_name(const char *service, pam_facility_t fclt)
 {
 	const char *facility = pam_facility_name[fclt];
 	char *name;
 	if (asprintf(&name, "pam_%s_%s", service, facility) == -1)
 		return (NULL);
 	return (name);
 }
 static char *
 openpam_facility_index_name(pam_facility_t fclt)
 {
 	const char *facility = pam_facility_name[fclt];
 	char *name, *p;
 	if (asprintf(&name, "PAM_%s", facility) == -1)
 		return (NULL);
 	for (p = name + 4; *p; ++p)
 		*p = toupper(*p);
 	return (name);
 }
 int
 openpam_dump_chain(const char *name, pam_chain_t *chain)
 {
 	char *modname, **opt, *p;
 	int i;
 	for (i = 0; chain != NULL; ++i, chain = chain->next) {
 		/* declare the module's struct pam_module */
 		modname = strrchr(chain->module->path, '/');
 		modname = strdup(modname ? modname : chain->module->path);
 		if (modname == NULL)
 			return (PAM_BUF_ERR);
 		for (p = modname; *p && *p != '.'; ++p)
 			/* nothing */ ;
 		*p = '\0';
 		printf("extern struct pam_module %s_pam_module;\n", modname);
 		/* module arguments */
 		printf("static char *%s_%d_optv[] = {\n", name, i);
 		for (opt = chain->optv; *opt; ++opt) {
 			printf("\t\"");
 			for (p = *opt; *p; ++p) {
 				if (isprint((unsigned char)*p) && *p != '"')
 					printf("%c", *p);
 				else
 					printf("\\x%02x", (unsigned char)*p);
 			}
 			printf("\",\n");
 		}
 		printf("\tNULL,\n");
 		printf("};\n");
 		/* next module in chain */
 		if (chain->next != NULL)
 			printf("static pam_chain_t %s_%d;\n", name, i + 1);
 		/* chain entry */
 		printf("static pam_chain_t %s_%d = {\n", name, i);
 		printf("\t.module = &%s_pam_module,\n", modname);
 		printf("\t.flag = 0x%08x,\n", chain->flag);
 		printf("\t.optc = %d,\n", chain->optc);
 		printf("\t.optv = %s_%d_optv,\n", name, i);
 		if (chain->next)
 			printf("\t.next = &%s_%d,\n", name, i + 1);
 		else
 			printf("\t.next = NULL,\n");
 		printf("};\n");
 		free(modname);
 	}
 	return (PAM_SUCCESS);
 }
 int
 openpam_dump_policy(const char *service)
 {
 	pam_handle_t *pamh;
 	char *name;
 	int fclt, ret;
 	if ((pamh = calloc(1, sizeof *pamh)) == NULL)
 		return (PAM_BUF_ERR);
 	if ((ret = openpam_configure(pamh, service)) != PAM_SUCCESS)
 		return (ret);
 	for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
 		if (pamh->chains[fclt] != NULL) {
 			if ((name = openpam_chain_name(service, fclt)) == NULL)
 				return (PAM_BUF_ERR);
 			ret = openpam_dump_chain(name, pamh->chains[fclt]);
 			free(name);
 			if (ret != PAM_SUCCESS)
 				return (ret);
 		}
 	}
 	printf("static pam_policy_t pam_%s_policy = {\n", service);
 	printf("\t.service = \"%s\",\n", service);
 	printf("\t.chains = {\n");
 	for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
 		if ((name = openpam_facility_index_name(fclt)) == NULL)
 			return (PAM_BUF_ERR);
 		printf("\t\t[%s] = ", name);
 		free(name);
 		if (pamh->chains[fclt] != NULL) {
 			if ((name = openpam_chain_name(service, fclt)) == NULL)
 				return (PAM_BUF_ERR);
 			printf("&%s_0,\n", name);
 			free(name);
 		} else {
 			printf("NULL,\n");
 		}
 	}
 	printf("\t},\n");
 	printf("};\n");
 	free(pamh);
 	return (PAM_SUCCESS);
 }
 static void
 usage(void)
 {
 	fprintf(stderr, "usage: openpam_dump_policy [-d] policy ...\n");
 	exit(1);
 }
 int
 main(int argc, char *argv[])
 {
 	int i, opt;
 	while ((opt = getopt(argc, argv, "d")) != -1)
 		switch (opt) {
 		case 'd':
 			openpam_debug = 1;
 			break;
 		default:
 			usage();
 		}
 	argc -= optind;
 	argv += optind;
 	if (argc < 1)
 		usage();
 	printf("#include <security/pam_appl.h>\n");
 	printf("#include \"openpam_impl.h\"\n");
 	for (i = 0; i < argc; ++i)
 		openpam_dump_policy(argv[i]);
 	printf("pam_policy_t *pam_embedded_policies[] = {\n");
 	for (i = 0; i < argc; ++i)
 		printf("\t&pam_%s_policy,\n", argv[i]);
 	printf("\tNULL,\n");
 	printf("};\n");
 	exit(0);
 }
--- a/contrib/openpam/bin/pamtest/pamtest.1
+++ b/contrib/openpam/bin/pamtest/pamtest.1
@ -10,6 +10,9 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\" 3. The name of the author may not be used to endorse or promote
 .\"    products derived from this software without specific prior written
 .\"    permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -23,9 +26,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id: pamtest.1 471 2011-11-03 09:44:40Z des $
+.\" $Id: pamtest.1 610 2012-05-26 14:03:45Z des $
 .\"
-.Dd November 2, 2011
+.Dd May 26, 2012
 .Dt PAMTEST 1
 .Os
 .Sh NAME
@ -33,7 +36,7 @@
 .Nd PAM policy tester
 .Sh SYNOPSYS
 .Nm
-.Op Fl dksv
+.Op Fl dkMPsv
 .Op Fl H Ar rhost
 .Op Fl h Ar host
 .Op Fl t Ar tty
@ -116,6 +119,11 @@ The default is to use the result of calling
 .Xr gethostname 3 .
 .It Fl k
 Keep going even if one of the commands fails.
 .It Fl M
 Disable path, ownership and permission checks on module files.
 .It Fl P
 Disable service name validation and path, ownership and permission
 checks on policy files.
 .It Fl s
 Set the
 .Dv PAM_SILENT
@ -149,14 +157,14 @@ policy:
 pamtest -v system auth account change setcred open close unsetcred
 .Ed
 .Sh SEE ALSO
-.Xr openpam 3
+.Xr openpam 3 ,
-.Xr pam 3
+.Xr pam 3 ,
 .Xr pam.conf 5
 .Sh AUTHORS
 The
 .Nm
 utility and this manual page were written by
-.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
 .Sh BUGS
 The
 .Nm
--- a/contrib/openpam/bin/pamtest/pamtest.c
+++ b/contrib/openpam/bin/pamtest/pamtest.c
@ -11,6 +11,9 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -24,7 +27,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: pamtest.c 472 2011-11-03 09:46:52Z des $
+ * $Id: pamtest.c 595 2012-04-14 14:28:35Z des $
 */
 #ifdef HAVE_CONFIG_H
@ -261,8 +264,8 @@ static void
 usage(void)
 {
-	fprintf(stderr, "usage: pamtest [-dksv] %s\n",
+	fprintf(stderr, "usage: pamtest %s service command ...\n",
-	    "[-H rhost] [-h host] [-t tty] [-U ruser] [-u user] service");
+	    "[-dkMPsv] [-H rhost] [-h host] [-t tty] [-U ruser] [-u user]");
 	exit(1);
 }
@ -297,7 +300,7 @@ main(int argc, char *argv[])
 	int pame;
 	int opt;
-	while ((opt = getopt(argc, argv, "dH:h:kst:U:u:v")) != -1)
+	while ((opt = getopt(argc, argv, "dH:h:kMPst:U:u:v")) != -1)
 		switch (opt) {
 		case 'd':
 			openpam_debug++;
@ -311,6 +314,14 @@ main(int argc, char *argv[])
 		case 'k':
 			keepatit = 1;
 			break;
 		case 'M':
 			openpam_set_feature(OPENPAM_RESTRICT_MODULE_NAME, 0);
 			openpam_set_feature(OPENPAM_VERIFY_MODULE_FILE, 0);
 			break;
 		case 'P':
 			openpam_set_feature(OPENPAM_RESTRICT_SERVICE_NAME, 0);
 			openpam_set_feature(OPENPAM_VERIFY_POLICY_FILE, 0);
 			break;
 		case 's':
 			silent = PAM_SILENT;
 			break;
--- a/contrib/openpam/bin/su/su.1
+++ b/contrib/openpam/bin/su/su.1
@ -10,6 +10,9 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\" 3. The name of the author may not be used to endorse or promote
 .\"    products derived from this software without specific prior written
 .\"    permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -23,9 +26,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id: su.1 458 2011-11-02 13:10:25Z des $
+.\" $Id: su.1 610 2012-05-26 14:03:45Z des $
 .\"
-.Dd November 2, 2011
+.Dd May 26, 2012
 .Dt SU 1
 .Os
 .Sh NAME
@ -53,10 +56,10 @@ The
 utility is provided with the OpenPAM library as a sample application
 and should not be used in production systems.
 .Sh SEE ALSO
-.Xr openpam 3
+.Xr openpam 3 ,
 .Xr pam 3
 .Sh AUTHORS
 The
 .Nm
 utility and this manual page were written by
-.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
--- a/contrib/openpam/config.h.in
+++ b/contrib/openpam/config.h.in
@ -9,6 +9,9 @@
 /* Define to 1 if you have the <dlfcn.h> header file. */
 #undef HAVE_DLFCN_H
 /* Define to 1 if you have the `fdlopen' function. */
 #undef HAVE_FDLOPEN
 /* Define to 1 if you have the `fpurge' function. */
 #undef HAVE_FPURGE
@ -36,6 +39,9 @@
 /* Define to 1 if you have the <string.h> header file. */
 #undef HAVE_STRING_H
 /* Define to 1 if you have the `strlcat' function. */
 #undef HAVE_STRLCAT
 /* Define to 1 if you have the `strlcmp' function. */
 #undef HAVE_STRLCMP
--- a/contrib/openpam/configure
+++ b/contrib/openpam/configure
@ -1,7 +1,7 @@
 #! /bin/sh
-# From configure.ac Id: configure.ac 507 2011-12-18 14:43:40Z des .
+# From configure.ac Id: configure.ac 610 2012-05-26 14:03:45Z des .
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for OpenPAM 20111218.
+# Generated by GNU Autoconf 2.68 for OpenPAM 20120526.
 #
 # Report bugs to <des@des.no>.
 #
@ -570,8 +570,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='OpenPAM'
 PACKAGE_TARNAME='openpam'
-PACKAGE_VERSION='20111218'
+PACKAGE_VERSION='20120526'
-PACKAGE_STRING='OpenPAM 20111218'
+PACKAGE_STRING='OpenPAM 20120526'
 PACKAGE_BUGREPORT='des@des.no'
 PACKAGE_URL=''
@ -1308,7 +1308,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures OpenPAM 20111218 to adapt to many kinds of systems.
+\`configure' configures OpenPAM 20120526 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1378,7 +1378,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of OpenPAM 20111218:";;
+     short | recursive ) echo "Configuration of OpenPAM 20120526:";;
   esac
  cat <<\_ACEOF
@ -1405,7 +1405,7 @@ Optional Features:
 Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
-  --with-pic              try to use only PIC/non-PIC objects [default=use
+  --with-pic[=PKGS]       try to use only PIC/non-PIC objects [default=use
                          both]
  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
  --with-sysroot=DIR Search for dependent libraries within DIR
@ -1492,7 +1492,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-OpenPAM configure 20111218
+OpenPAM configure 20120526
 generated by GNU Autoconf 2.68
 Copyright (C) 2010 Free Software Foundation, Inc.
@ -1861,7 +1861,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by OpenPAM $as_me 20111218, which was
+It was created by OpenPAM $as_me 20120526, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
  $ $0 $@
@ -2678,7 +2678,7 @@ fi
 # Define the identity of the package.
 PACKAGE='openpam'
- VERSION='20111218'
+ VERSION='20120526'
 cat >>confdefs.h <<_ACEOF
@ -4631,8 +4631,8 @@ esac
-macro_version='2.4'
+macro_version='2.4.2'
-macro_revision='1.3293'
+macro_revision='1.3337'
@ -5347,6 +5347,11 @@ else
    lt_cv_sys_max_cmd_len=196608
    ;;
  os2*)
    # The test takes a long time on OS/2.
    lt_cv_sys_max_cmd_len=8192
    ;;
  osf*)
    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
@ -5386,7 +5391,7 @@ else
      # If test is not a shell built-in, we'll probably end up computing a
      # maximum length that is only half of the actual maximum length, but
      # we can't tell.
-      while { test "X"`func_fallback_echo "$teststring$teststring" 2>/dev/null` \
+      while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \
 	         = "X$teststring$teststring"; } >/dev/null 2>&1 &&
 	      test $i != 17 # 1/2 MB should be enough
      do
@ -5815,7 +5820,7 @@ irix5* | irix6* | nonstopux*)
  lt_cv_deplibs_check_method=pass_all
  ;;
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
  lt_cv_deplibs_check_method=pass_all
  ;;
@ -6455,13 +6460,13 @@ old_postuninstall_cmds=
 if test -n "$RANLIB"; then
  case $host_os in
  openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
    ;;
  *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
    ;;
  esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
 fi
 case $host_os in
@ -6608,6 +6613,7 @@ for ac_symprfx in "" "_"; do
    # which start with @ or ?.
    lt_cv_sys_global_symbol_pipe="$AWK '"\
 "     {last_section=section; section=\$ 3};"\
 "     /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
 "     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
 "     \$ 0!~/External *\|/{next};"\
 "     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
@ -6996,7 +7002,7 @@ $as_echo "$lt_cv_cc_needs_belf" >&6; }
    CFLAGS="$SAVE_CFLAGS"
  fi
  ;;
-sparc*-*solaris*)
+*-*solaris*)
  # Find out which ABI we are using.
  echo 'int i;' > conftest.$ac_ext
  if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
@ -7007,7 +7013,20 @@ sparc*-*solaris*)
    case `/usr/bin/file conftest.o` in
    *64-bit*)
      case $lt_cv_prog_gnu_ld in
-      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      yes*)
        case $host in
        i?86-*-solaris*)
          LD="${LD-ld} -m elf_x86_64"
          ;;
        sparc*-*-solaris*)
          LD="${LD-ld} -m elf64_sparc"
          ;;
        esac
        # GNU ld 2.21 introduced _sol2 emulations.  Use them if available.
        if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
          LD="${LD-ld}_sol2"
        fi
        ;;
      *)
 	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
 	  LD="${LD-ld} -64"
@ -7647,7 +7666,13 @@ else
 	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
 	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
        _lt_result=$?
-	if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+	# If there is a non-empty error log, and "single_module"
 	# appears in it, assume the flag caused a linker warning
        if test -s conftest.err && $GREP single_module conftest.err; then
 	  cat conftest.err >&5
 	# Otherwise, if the output was created with a 0 exit code from
 	# the compiler, it worked.
 	elif test -f libconftest.dylib && test $_lt_result -eq 0; then
 	  lt_cv_apple_cc_single_mod=yes
 	else
 	  cat conftest.err >&5
@ -7658,6 +7683,7 @@ else
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_apple_cc_single_mod" >&5
 $as_echo "$lt_cv_apple_cc_single_mod" >&6; }
    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5
 $as_echo_n "checking for -exported_symbols_list linker flag... " >&6; }
 if ${lt_cv_ld_exported_symbols_list+:} false; then :
@ -7690,6 +7716,7 @@ rm -f core conftest.err conftest.$ac_objext \
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_exported_symbols_list" >&5
 $as_echo "$lt_cv_ld_exported_symbols_list" >&6; }
    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -force_load linker flag" >&5
 $as_echo_n "checking for -force_load linker flag... " >&6; }
 if ${lt_cv_ld_force_load+:} false; then :
@ -7711,7 +7738,9 @@ _LT_EOF
      echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&5
      $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
      _lt_result=$?
-      if test -f conftest && test ! -s conftest.err && test $_lt_result = 0 && $GREP forced_load conftest 2>&1 >/dev/null; then
+      if test -s conftest.err && $GREP force_load conftest.err; then
 	cat conftest.err >&5
      elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then
 	lt_cv_ld_force_load=yes
      else
 	cat conftest.err >&5
@ -7847,7 +7876,22 @@ fi
 # Check whether --with-pic was given.
 if test "${with_pic+set}" = set; then :
-  withval=$with_pic; pic_mode="$withval"
+  withval=$with_pic; lt_p=${PACKAGE-default}
    case $withval in
    yes|no) pic_mode=$withval ;;
    *)
      pic_mode=default
      # Look at the argument we got.  We use all the common list separators.
      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
      for lt_pkg in $withval; do
 	IFS="$lt_save_ifs"
 	if test "X$lt_pkg" = "X$lt_p"; then
 	  pic_mode=yes
 	fi
      done
      IFS="$lt_save_ifs"
      ;;
    esac
 else
  pic_mode=default
 fi
@ -7920,6 +7964,10 @@ LIBTOOL='$(SHELL) $(top_builddir)/libtool'
@ -8380,7 +8428,9 @@ lt_prog_compiler_static=
    case $cc_basename in
    nvcc*) # Cuda Compiler Driver 2.2
      lt_prog_compiler_wl='-Xlinker '
-      lt_prog_compiler_pic='-Xcompiler -fPIC'
+      if test -n "$lt_prog_compiler_pic"; then
        lt_prog_compiler_pic="-Xcompiler $lt_prog_compiler_pic"
      fi
      ;;
    esac
  else
@ -8471,18 +8521,33 @@ lt_prog_compiler_static=
 	;;
      *)
 	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ F* | *Sun*Fortran*)
+	*Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [1-7].* | *Sun*Fortran*\ 8.[0-3]*)
 	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
 	  lt_prog_compiler_pic='-KPIC'
 	  lt_prog_compiler_static='-Bstatic'
 	  lt_prog_compiler_wl=''
 	  ;;
 	*Sun\ F* | *Sun*Fortran*)
 	  lt_prog_compiler_pic='-KPIC'
 	  lt_prog_compiler_static='-Bstatic'
 	  lt_prog_compiler_wl='-Qoption ld '
 	  ;;
 	*Sun\ C*)
 	  # Sun C 5.9
 	  lt_prog_compiler_pic='-KPIC'
 	  lt_prog_compiler_static='-Bstatic'
 	  lt_prog_compiler_wl='-Wl,'
 	  ;;
        *Intel*\ [CF]*Compiler*)
 	  lt_prog_compiler_wl='-Wl,'
 	  lt_prog_compiler_pic='-fPIC'
 	  lt_prog_compiler_static='-static'
 	  ;;
 	*Portland\ Group*)
 	  lt_prog_compiler_wl='-Wl,'
 	  lt_prog_compiler_pic='-fpic'
 	  lt_prog_compiler_static='-Bstatic'
 	  ;;
 	esac
 	;;
      esac
@ -8844,7 +8909,6 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
  hardcode_direct=no
  hardcode_direct_absolute=no
  hardcode_libdir_flag_spec=
  hardcode_libdir_flag_spec_ld=
  hardcode_libdir_separator=
  hardcode_minus_L=no
  hardcode_shlibpath_var=unsupported
@ -9094,8 +9158,7 @@ _LT_EOF
 	xlf* | bgf* | bgxlf* | mpixlf*)
 	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
 	  whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive'
-	  hardcode_libdir_flag_spec=
+	  hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
 	  hardcode_libdir_flag_spec_ld='-rpath $libdir'
 	  archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
 	  if test "x$supports_anon_versioning" = xyes; then
 	    archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~
@ -9474,6 +9537,7 @@ fi
 	# The linker will not automatically build a static lib if we build a DLL.
 	# _LT_TAGVAR(old_archive_from_new_cmds, )='true'
 	enable_shared_with_static_runtimes=yes
 	exclude_expsyms='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
 	export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1,DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
 	# Don't use ranlib
 	old_postinstall_cmds='chmod 644 $oldlib'
@ -9519,6 +9583,7 @@ fi
  hardcode_shlibpath_var=unsupported
  if test "$lt_cv_ld_force_load" = "yes"; then
    whole_archive_flag_spec='`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
  else
    whole_archive_flag_spec=''
  fi
@ -9598,7 +9663,6 @@ fi
      fi
      if test "$with_gnu_ld" = no; then
 	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
 	hardcode_libdir_flag_spec_ld='+b $libdir'
 	hardcode_libdir_separator=:
 	hardcode_direct=yes
 	hardcode_direct_absolute=yes
@ -10216,11 +10280,6 @@ esac
@ -10316,7 +10375,7 @@ need_version=unknown
 case $host_os in
 aix3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
  shlibpath_var=LIBPATH
@ -10325,7 +10384,7 @@ aix3*)
  ;;
 aix[4-9]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  hardcode_into_libs=yes
@ -10390,7 +10449,7 @@ beos*)
  ;;
 bsdi[45]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
  soname_spec='${libname}${release}${shared_ext}$major'
@ -10529,7 +10588,7 @@ darwin* | rhapsody*)
  ;;
 dgux*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
@ -10582,17 +10641,18 @@ freebsd* | dragonfly*)
  ;;
 gnu*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
  soname_spec='${libname}${release}${shared_ext}$major'
  shlibpath_var=LD_LIBRARY_PATH
  shlibpath_overrides_runpath=no
  hardcode_into_libs=yes
  ;;
 haiku*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  dynamic_linker="$host_os runtime_loader"
@ -10653,7 +10713,7 @@ hpux9* | hpux10* | hpux11*)
  ;;
 interix[3-9]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
@ -10669,7 +10729,7 @@ irix5* | irix6* | nonstopux*)
    nonstopux*) version_type=nonstopux ;;
    *)
 	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
+		version_type=linux # correct to gnu/linux during the next big refactor
 	else
 		version_type=irix
 	fi ;;
@ -10706,9 +10766,9 @@ linux*oldld* | linux*aout* | linux*coff*)
  dynamic_linker=no
  ;;
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@ -10790,7 +10850,7 @@ netbsd*)
  ;;
 newsos6)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
  shlibpath_var=LD_LIBRARY_PATH
  shlibpath_overrides_runpath=yes
@ -10859,7 +10919,7 @@ rdos*)
  ;;
 solaris*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@ -10884,7 +10944,7 @@ sunos4*)
  ;;
 sysv4 | sysv4.3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
  soname_spec='${libname}${release}${shared_ext}$major'
  shlibpath_var=LD_LIBRARY_PATH
@ -10908,7 +10968,7 @@ sysv4 | sysv4.3*)
 sysv4*MP*)
  if test -d /usr/nec ;then
-    version_type=linux
+    version_type=linux # correct to gnu/linux during the next big refactor
    library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
    soname_spec='$libname${shared_ext}.$major'
    shlibpath_var=LD_LIBRARY_PATH
@ -10939,7 +10999,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
 tpf*)
  # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  need_lib_prefix=no
  need_version=no
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@ -10949,7 +11009,7 @@ tpf*)
  ;;
 uts4*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
  soname_spec='${libname}${release}${shared_ext}$major'
  shlibpath_var=LD_LIBRARY_PATH
@ -11731,6 +11791,8 @@ CC="$lt_save_CC"
        ac_config_commands="$ac_config_commands libtool"
@ -11875,7 +11937,7 @@ fi
 done
-for ac_func in fpurge strlcmp strlcpy
+for ac_func in fdlopen fpurge strlcat strlcmp strlcpy
 do :
  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@ -12006,7 +12068,9 @@ if test "${enable_werror+set}" = set; then :
 fi
-ac_config_files="$ac_config_files bin/Makefile bin/pamtest/Makefile bin/su/Makefile include/Makefile include/security/Makefile lib/Makefile modules/Makefile modules/pam_unix/Makefile modules/pam_deny/Makefile modules/pam_permit/Makefile doc/Makefile doc/man/Makefile Makefile"
+ac_config_files="$ac_config_files Makefile bin/Makefile bin/openpam_dump_policy/Makefile bin/pamtest/Makefile bin/su/Makefile doc/Makefile doc/man/Makefile include/Makefile include/security/Makefile lib/Makefile modules/Makefile modules/pam_deny/Makefile modules/pam_permit/Makefile modules/pam_unix/Makefile t/Makefile"
 ac_config_files="$ac_config_files pamgdb"
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@ -12558,7 +12622,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by OpenPAM $as_me 20111218, which was
+This file was extended by OpenPAM $as_me 20120526, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@ -12624,7 +12688,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-OpenPAM config.status 20111218
+OpenPAM config.status 20120526
 configured by $0, generated by GNU Autoconf 2.68,
  with options \\"\$ac_cs_config\\"
@ -12761,6 +12825,7 @@ pic_mode='`$ECHO "$pic_mode" | $SED "$delay_single_quote_subst"`'
 enable_fast_install='`$ECHO "$enable_fast_install" | $SED "$delay_single_quote_subst"`'
 SHELL='`$ECHO "$SHELL" | $SED "$delay_single_quote_subst"`'
 ECHO='`$ECHO "$ECHO" | $SED "$delay_single_quote_subst"`'
 PATH_SEPARATOR='`$ECHO "$PATH_SEPARATOR" | $SED "$delay_single_quote_subst"`'
 host_alias='`$ECHO "$host_alias" | $SED "$delay_single_quote_subst"`'
 host='`$ECHO "$host" | $SED "$delay_single_quote_subst"`'
 host_os='`$ECHO "$host_os" | $SED "$delay_single_quote_subst"`'
@ -12843,7 +12908,6 @@ with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`'
 allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`'
 no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`'
 hardcode_libdir_flag_spec='`$ECHO "$hardcode_libdir_flag_spec" | $SED "$delay_single_quote_subst"`'
 hardcode_libdir_flag_spec_ld='`$ECHO "$hardcode_libdir_flag_spec_ld" | $SED "$delay_single_quote_subst"`'
 hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`'
 hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`'
 hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`'
@ -12899,6 +12963,7 @@ _LTECHO_EOF'
 # Quote evaled strings.
 for var in SHELL \
 ECHO \
 PATH_SEPARATOR \
 SED \
 GREP \
 EGREP \
@ -12949,7 +13014,6 @@ with_gnu_ld \
 allow_undefined_flag \
 no_undefined_flag \
 hardcode_libdir_flag_spec \
 hardcode_libdir_flag_spec_ld \
 hardcode_libdir_separator \
 exclude_expsyms \
 include_expsyms \
@ -13033,19 +13097,22 @@ do
    "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
    "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
    "libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;;
    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
    "bin/Makefile") CONFIG_FILES="$CONFIG_FILES bin/Makefile" ;;
    "bin/openpam_dump_policy/Makefile") CONFIG_FILES="$CONFIG_FILES bin/openpam_dump_policy/Makefile" ;;
    "bin/pamtest/Makefile") CONFIG_FILES="$CONFIG_FILES bin/pamtest/Makefile" ;;
    "bin/su/Makefile") CONFIG_FILES="$CONFIG_FILES bin/su/Makefile" ;;
    "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;;
    "doc/man/Makefile") CONFIG_FILES="$CONFIG_FILES doc/man/Makefile" ;;
    "include/Makefile") CONFIG_FILES="$CONFIG_FILES include/Makefile" ;;
    "include/security/Makefile") CONFIG_FILES="$CONFIG_FILES include/security/Makefile" ;;
    "lib/Makefile") CONFIG_FILES="$CONFIG_FILES lib/Makefile" ;;
    "modules/Makefile") CONFIG_FILES="$CONFIG_FILES modules/Makefile" ;;
    "modules/pam_unix/Makefile") CONFIG_FILES="$CONFIG_FILES modules/pam_unix/Makefile" ;;
    "modules/pam_deny/Makefile") CONFIG_FILES="$CONFIG_FILES modules/pam_deny/Makefile" ;;
    "modules/pam_permit/Makefile") CONFIG_FILES="$CONFIG_FILES modules/pam_permit/Makefile" ;;
-    "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;;
+    "modules/pam_unix/Makefile") CONFIG_FILES="$CONFIG_FILES modules/pam_unix/Makefile" ;;
-    "doc/man/Makefile") CONFIG_FILES="$CONFIG_FILES doc/man/Makefile" ;;
+    "t/Makefile") CONFIG_FILES="$CONFIG_FILES t/Makefile" ;;
-    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+    "pamgdb") CONFIG_FILES="$CONFIG_FILES pamgdb" ;;
  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac
@ -13757,8 +13824,8 @@ $as_echo X"$file" |
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 #
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008, 2009, 2010 Free Software Foundation,
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
-#                 Inc.
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 #   This file is part of GNU Libtool.
@ -13812,6 +13879,9 @@ SHELL=$lt_SHELL
 # An echo program that protects backslashes.
 ECHO=$lt_ECHO
 # The PATH separator for the build system.
 PATH_SEPARATOR=$lt_PATH_SEPARATOR
 # The host system.
 host_alias=$host_alias
 host=$host
@ -14113,10 +14183,6 @@ no_undefined_flag=$lt_no_undefined_flag
 # This must work even if \$libdir does not exist
 hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec
 # If ld is used when linking, flag to hardcode \$libdir into a binary
 # during linking.  This must work even if \$libdir does not exist.
 hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld
 # Whether we need a single "-rpath" flag with a separated argument.
 hardcode_libdir_separator=$lt_hardcode_libdir_separator
@ -14367,6 +14433,7 @@ fi
  chmod +x "$ofile"
 ;;
    "pamgdb":F) chmod +x pamgdb ;;
  esac
 done # for ac_tag
--- a/contrib/openpam/configure.ac
+++ b/contrib/openpam/configure.ac
@ -1,8 +1,8 @@
-dnl $Id: configure.ac 507 2011-12-18 14:43:40Z des $
+dnl $Id: configure.ac 610 2012-05-26 14:03:45Z des $
 AC_PREREQ([2.62])
-AC_REVISION([$Id: configure.ac 507 2011-12-18 14:43:40Z des $])
+AC_REVISION([$Id: configure.ac 610 2012-05-26 14:03:45Z des $])
-AC_INIT([OpenPAM], [20111218], [des@des.no])
+AC_INIT([OpenPAM], [20120526], [des@des.no])
 AC_CONFIG_SRCDIR([lib/pam_start.c])
 AC_CONFIG_MACRO_DIR([m4])
 AM_INIT_AUTOMAKE([foreign])
@ -83,7 +83,7 @@ AM_CONDITIONAL([WITH_SU], [test x"$with_su" = x"yes"])
 AC_CHECK_HEADERS([crypt.h])
-AC_CHECK_FUNCS([fpurge strlcmp strlcpy])
+AC_CHECK_FUNCS([fdlopen fpurge strlcat strlcmp strlcpy])
 saved_LIBS="${LIBS}"
 LIBS=""
@ -110,18 +110,21 @@ AC_ARG_ENABLE([werror],
    [CFLAGS="${CFLAGS} -Werror"])
 AC_CONFIG_FILES([
    Makefile
    bin/Makefile
    bin/openpam_dump_policy/Makefile
    bin/pamtest/Makefile
    bin/su/Makefile
    doc/Makefile
    doc/man/Makefile
    include/Makefile
    include/security/Makefile
    lib/Makefile
    modules/Makefile
    modules/pam_unix/Makefile
    modules/pam_deny/Makefile
    modules/pam_permit/Makefile
-    doc/Makefile
+    modules/pam_unix/Makefile
-    doc/man/Makefile
+    t/Makefile
    Makefile
 ])
 AC_CONFIG_FILES([pamgdb],[chmod +x pamgdb])
 AC_OUTPUT
--- a/contrib/openpam/doc/man/Makefile.am
+++ b/contrib/openpam/doc/man/Makefile.am
@ -1,4 +1,4 @@
-# $Id: Makefile.am 455 2011-10-29 18:31:11Z des $
+# $Id: Makefile.am 594 2012-04-14 14:18:41Z des $
 NULL =
@ -38,12 +38,17 @@ OMAN = \
 	openpam_borrow_cred.3 \
 	openpam_free_data.3 \
 	openpam_free_envlist.3 \
 	openpam_get_feature.3 \
 	openpam_get_option.3 \
 	openpam_log.3 \
 	openpam_nullconv.3 \
 	openpam_readline.3 \
 	openpam_readlinev.3 \
 	openpam_readword.3 \
 	openpam_restore_cred.3 \
 	openpam_set_feature.3 \
 	openpam_set_option.3 \
 	openpam_straddch.3 \
 	openpam_subst.3 \
 	openpam_ttyconv.3 \
 	pam_error.3 \
@ -68,17 +73,17 @@ CLEANFILES = $(ALLCMAN) openpam.3 pam.3
 GENDOC = $(top_srcdir)/misc/gendoc.pl
-SRCDIR = $(top_srcdir)/lib
+LIBSRCDIR = $(top_srcdir)/lib
-VPATH = $(SRCDIR)
+VPATH = $(LIBSRCDIR) $(srcdir)
 SUFFIXES = .3
 .c.3: $(GENDOC)
 	perl -w $(GENDOC) $<
-openpam.3: $(OMAN) $(GENDOC) openpam.man
+openpam.3: $(OMAN) $(GENDOC) $(srcdir)/openpam.man
 	perl -w $(GENDOC) -o $(abs_srcdir)/$(OMAN) <$(srcdir)/openpam.man
-pam.3: $(PMAN) $(GENDOC) pam.man
+pam.3: $(PMAN) $(GENDOC) $(srcdir)/pam.man
 	perl -w $(GENDOC) -p $(abs_srcdir)/$(PMAN) <$(srcdir)/pam.man
--- a/contrib/openpam/doc/man/Makefile.in
+++ b/contrib/openpam/doc/man/Makefile.in
@ -15,7 +15,7 @@
@SET_MAKE@
-# $Id: Makefile.am 455 2011-10-29 18:31:11Z des $
+# $Id: Makefile.am 594 2012-04-14 14:18:41Z des $
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@ -74,7 +74,7 @@ man5dir = $(mandir)/man5
 NROFF = nroff
 MANS = $(dist_man3_MANS) $(dist_man5_MANS)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-VPATH = $(SRCDIR)
+VPATH = $(LIBSRCDIR) $(srcdir)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
 AR = @AR@
@ -232,12 +232,17 @@ OMAN = \
 	openpam_borrow_cred.3 \
 	openpam_free_data.3 \
 	openpam_free_envlist.3 \
 	openpam_get_feature.3 \
 	openpam_get_option.3 \
 	openpam_log.3 \
 	openpam_nullconv.3 \
 	openpam_readline.3 \
 	openpam_readlinev.3 \
 	openpam_readword.3 \
 	openpam_restore_cred.3 \
 	openpam_set_feature.3 \
 	openpam_set_option.3 \
 	openpam_straddch.3 \
 	openpam_subst.3 \
 	openpam_ttyconv.3 \
 	pam_error.3 \
@ -256,7 +261,7 @@ dist_man3_MANS = $(ALLCMAN) openpam.3 pam.3 pam_conv.3
 dist_man5_MANS = pam.conf.5
 CLEANFILES = $(ALLCMAN) openpam.3 pam.3
 GENDOC = $(top_srcdir)/misc/gendoc.pl
-SRCDIR = $(top_srcdir)/lib
+LIBSRCDIR = $(top_srcdir)/lib
 SUFFIXES = .3
 all: all-am
@ -536,10 +541,10 @@ uninstall-man: uninstall-man3 uninstall-man5
 .c.3: $(GENDOC)
 	perl -w $(GENDOC) $<
-openpam.3: $(OMAN) $(GENDOC) openpam.man
+openpam.3: $(OMAN) $(GENDOC) $(srcdir)/openpam.man
 	perl -w $(GENDOC) -o $(abs_srcdir)/$(OMAN) <$(srcdir)/openpam.man
-pam.3: $(PMAN) $(GENDOC) pam.man
+pam.3: $(PMAN) $(GENDOC) $(srcdir)/pam.man
 	perl -w $(GENDOC) -p $(abs_srcdir)/$(PMAN) <$(srcdir)/pam.man
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
--- a/contrib/openpam/doc/man/openpam.3
+++ b/contrib/openpam/doc/man/openpam.3
@ -34,19 +34,24 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM 3
 .Os
 .Sh NAME
 .Nm openpam_borrow_cred ,
 .Nm openpam_free_data ,
 .Nm openpam_free_envlist ,
 .Nm openpam_get_feature ,
 .Nm openpam_get_option ,
 .Nm openpam_log ,
 .Nm openpam_nullconv ,
 .Nm openpam_readline ,
 .Nm openpam_readlinev ,
 .Nm openpam_readword ,
 .Nm openpam_restore_cred ,
 .Nm openpam_set_feature ,
 .Nm openpam_set_option ,
 .Nm openpam_straddch ,
 .Nm openpam_subst ,
 .Nm openpam_ttyconv ,
 .Nm pam_error ,
@ -68,6 +73,8 @@
 .Fn openpam_free_data "pam_handle_t *pamh" "void *data" "int status"
 .Ft "void"
 .Fn openpam_free_envlist "char **envlist"
 .Ft "int"
 .Fn openpam_get_feature "int feature" "int *onoff"
 .Ft "const char *"
 .Fn openpam_get_option "pam_handle_t *pamh" "const char *option"
 .Ft "void"
@ -76,11 +83,19 @@
 .Fn openpam_nullconv "int n" "const struct pam_message **msg" "struct pam_response **resp" "void *data"
 .Ft "char *"
 .Fn openpam_readline "FILE *f" "int *lineno" "size_t *lenp"
 .Ft "char **"
 .Fn openpam_readlinev "FILE *f" "int *lineno" "int *lenp"
 .Ft "char *"
 .Fn openpam_readword "FILE *f" "int *lineno" "size_t *lenp"
 .Ft "int"
 .Fn openpam_restore_cred "pam_handle_t *pamh"
 .Ft "int"
 .Fn openpam_set_feature "int feature" "int onoff"
 .Ft "int"
 .Fn openpam_set_option "pam_handle_t *pamh" "const char *option" "const char *value"
 .Ft "int"
 .Fn openpam_straddch "char **str" "size_t *size" "size_t *len" "int ch"
 .Ft "int"
 .Fn openpam_subst "const pam_handle_t *pamh" "char *buf" "size_t *bufsize" "const char *template"
 .Ft "int"
 .Fn openpam_ttyconv "int n" "const struct pam_message **msg" "struct pam_response **resp" "void *data"
@ -117,12 +132,17 @@ standardization.
 .Xr openpam_borrow_cred 3 ,
 .Xr openpam_free_data 3 ,
 .Xr openpam_free_envlist 3 ,
 .Xr openpam_get_feature 3 ,
 .Xr openpam_get_option 3 ,
 .Xr openpam_log 3 ,
 .Xr openpam_nullconv 3 ,
 .Xr openpam_readline 3 ,
 .Xr openpam_readlinev 3 ,
 .Xr openpam_readword 3 ,
 .Xr openpam_restore_cred 3 ,
 .Xr openpam_set_feature 3 ,
 .Xr openpam_set_option 3 ,
 .Xr openpam_straddch 3 ,
 .Xr openpam_subst 3 ,
 .Xr openpam_ttyconv 3 ,
 .Xr pam_error 3 ,
@ -146,3 +166,6 @@ Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
 .Pp
 The OpenPAM library is maintained by
 .An Dag-Erling Sm\(/orgrav Aq des@des.no .
--- a/contrib/openpam/doc/man/openpam_borrow_cred.3
+++ b/contrib/openpam/doc/man/openpam_borrow_cred.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_BORROW_CRED 3
 .Os
 .Sh NAME
@ -50,7 +50,7 @@
 .Fn openpam_borrow_cred "pam_handle_t *pamh" "const struct passwd *pwd"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_borrow_cred
 function saves the current credentials and
 switches to those of the user specified by its
 .Fa pwd
@ -62,7 +62,7 @@ The original credentials can be restored using
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_borrow_cred
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -81,15 +81,15 @@ System error.
 .Xr pam_strerror 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_borrow_cred
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn openpam_borrow_cred
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/openpam_free_data.3
+++ b/contrib/openpam/doc/man/openpam_free_data.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_FREE_DATA 3
 .Os
 .Sh NAME
@ -50,7 +50,7 @@
 .Fn openpam_free_data "pam_handle_t *pamh" "void *data" "int status"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_free_data
 function is a cleanup function suitable for
 passing to
 .Xr pam_set_data 3 .
@ -64,15 +64,15 @@ argument to
 .Xr pam_set_data 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_free_data
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn openpam_free_data
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/openpam_free_envlist.3
+++ b/contrib/openpam/doc/man/openpam_free_envlist.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_FREE_ENVLIST 3
 .Os
 .Sh NAME
@ -50,7 +50,7 @@
 .Fn openpam_free_envlist "char **envlist"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_free_envlist
 function is a convenience function which
 frees all the environment variables in an environment list, and the
 list itself.
@ -62,12 +62,11 @@ It is suitable for freeing the return value from
 .Xr pam_getenvlist 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_free_envlist
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn openpam_free_envlist
-function and this manual page were developed for the
+function and this manual page were
-.Fx
+developed by
-Project by
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
 .An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
--- a/contrib/openpam/doc/man/openpam_get_feature.3
+++ b/contrib/openpam/doc/man/openpam_get_feature.3
@ -0,0 +1,105 @@
 .\"-
 .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc.
 .\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
 .\" All rights reserved.
 .\"
 .\" This software was developed for the FreeBSD Project by ThinkSec AS and
 .\" Network Associates Laboratories, the Security Research Division of
 .\" Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .\" ("CBOSS"), as part of the DARPA CHATS research program.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\" 3. The name of the author may not be used to endorse or promote
 .\"    products derived from this software without specific prior written
 .\"    permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .\" $Id$
 .\"
 .Dd May 26, 2012
 .Dt OPENPAM_GET_FEATURE 3
 .Os
 .Sh NAME
 .Nm openpam_get_feature
 .Nd query the state of an optional feature
 .Sh LIBRARY
 .Lb libpam
 .Sh SYNOPSIS
 .In sys/types.h
 .In security/pam_appl.h
 .In security/openpam.h
 .Ft "int"
 .Fn openpam_get_feature "int feature" "int *onoff"
 .Sh DESCRIPTION
 .Bf Sy
 This function is experimental and may be modified or removed in a future release without further warning.
 .Ef
 .Pp
 The
 .Fn openpam_get_feature
 function stores the current state of the
 specified feature in the variable pointed to by its
 .Fa onoff
 argument.
 .Pp
 The following features are recognized:
 .Bl -tag -width 18n
 .It Dv OPENPAM_RESTRICT_SERVICE_NAME
 Disallow path separators in service names.
 This feature is enabled by default.
 Disabling it allows the application to specify the path to
 the desired policy file directly.
 .It Dv OPENPAM_VERIFY_POLICY_FILE
 Verify the ownership and permissions of the policy file
 and the path leading up to it.
 This feature is enabled by default.
 .It Dv OPENPAM_RESTRICT_MODULE_NAME
 Disallow path separators in module names.
 This feature is disabled by default.
 Enabling it prevents the use of modules in non-standard
 locations.
 .It Dv OPENPAM_VERIFY_MODULE_FILE
 Verify the ownership and permissions of each loadable
 module and the path leading up to it.
 This feature is enabled by default.
 .El
 .Sh RETURN VALUES
 The
 .Fn openpam_get_feature
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_SYMBOL_ERR
 Invalid symbol.
 .El
 .Sh SEE ALSO
 .Xr openpam_set_feature 3 ,
 .Xr pam 3 ,
 .Xr pam_strerror 3
 .Sh STANDARDS
 The
 .Fn openpam_get_feature
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
 .Fn openpam_get_feature
 function and this manual page were
 developed by
 .An Dag-Erling Sm\(/orgrav Aq des@des.no .
--- a/contrib/openpam/doc/man/openpam_get_option.3
+++ b/contrib/openpam/doc/man/openpam_get_option.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_GET_OPTION 3
 .Os
 .Sh NAME
@ -50,7 +50,7 @@
 .Fn openpam_get_option "pam_handle_t *pamh" "const char *option"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_get_option
 function returns the value of the specified
 option in the context of the currently executing service module, or
 .Dv NULL
@ -58,7 +58,7 @@ if the option is not set or no module is currently executing.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_get_option
 function returns
 .Dv NULL
 on failure.
@ -67,15 +67,15 @@ on failure.
 .Xr pam 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_get_option
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn openpam_get_option
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/openpam_log.3
+++ b/contrib/openpam/doc/man/openpam_log.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_LOG 3
 .Os
 .Sh NAME
@ -50,7 +50,7 @@
 .Fn openpam_log "int level" "const char *fmt" "..."
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_log
 function logs messages using
 .Xr syslog 3 .
 It is primarily intended for internal use by the library and modules.
@ -60,6 +60,9 @@ The
 argument indicates the importance of the message.
 The following levels are defined:
 .Bl -tag -width 18n
 .It Dv PAM_LOG_LIBDEBUG
 Debugging messages.
 For internal use only.
 .It Dv PAM_LOG_DEBUG
 Debugging messages.
 These messages are normally not logged unless the global
@ -101,15 +104,15 @@ corresponding arguments.
 .Xr syslog 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_log
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn openpam_log
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/openpam_nullconv.3
+++ b/contrib/openpam/doc/man/openpam_nullconv.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_NULLCONV 3
 .Os
 .Sh NAME
@ -50,7 +50,7 @@
 .Fn openpam_nullconv "int n" "const struct pam_message **msg" "struct pam_response **resp" "void *data"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_nullconv
 function is a null conversation function suitable
 for applications that want to use PAM but don't support interactive
 dialog with the user.
@ -71,7 +71,7 @@ try to query the user.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_nullconv
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_CONV_ERR
@ -88,15 +88,15 @@ Conversation failure.
 .Xr pam_vprompt 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_nullconv
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn openpam_nullconv
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/openpam_readline.3
+++ b/contrib/openpam/doc/man/openpam_readline.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_READLINE 3
 .Os
 .Sh NAME
@ -44,27 +44,32 @@
 .Lb libpam
 .Sh SYNOPSIS
 .In sys/types.h
 .In stdio.h
 .In security/pam_appl.h
 .In security/openpam.h
 .Ft "char *"
 .Fn openpam_readline "FILE *f" "int *lineno" "size_t *lenp"
 .Sh DESCRIPTION
 .Bf Sy
 This function is deprecated and may be removed in a future release without further warning.
 The
-.Nm
+.Fn openpam_readlinev
 function may be used to achieve similar results.
 .Ef
 .Pp
 The
 .Fn openpam_readline
 function reads a line from a file, and returns it
 in a NUL-terminated buffer allocated with
 .Xr malloc 3 .
 .Pp
 The
-.Nm
+.Fn openpam_readline
 function performs a certain amount of processing
 on the data it reads:
 .Bl -bullet
 .It
-Comments (introduced by a hash sign) are stripped, as is leading and
+Comments (introduced by a hash sign) are stripped.
 trailing whitespace.
 .It
 Any amount of linear whitespace is collapsed to a single space.
 .It
 Blank lines are ignored.
 .It
@ -89,27 +94,28 @@ terminating NUL character) is stored in the variable it points to.
 The caller is responsible for releasing the returned buffer by passing
 it to
 .Xr free 3 .
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_readline
 function returns
 .Dv NULL
 on failure.
 .Sh SEE ALSO
-.Xr free 3 ,
+.Xr openpam_readlinev 3 ,
-.Xr malloc 3 ,
+.Xr openpam_readword 3 ,
 .Xr pam 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_readline
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn openpam_readline
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/openpam_readlinev.3
+++ b/contrib/openpam/doc/man/openpam_readlinev.3
@ -0,0 +1,159 @@
 .\"-
 .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc.
 .\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
 .\" All rights reserved.
 .\"
 .\" This software was developed for the FreeBSD Project by ThinkSec AS and
 .\" Network Associates Laboratories, the Security Research Division of
 .\" Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .\" ("CBOSS"), as part of the DARPA CHATS research program.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\" 3. The name of the author may not be used to endorse or promote
 .\"    products derived from this software without specific prior written
 .\"    permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .\" $Id$
 .\"
 .Dd May 26, 2012
 .Dt OPENPAM_READLINEV 3
 .Os
 .Sh NAME
 .Nm openpam_readlinev
 .Nd read a line from a file and split it into words
 .Sh LIBRARY
 .Lb libpam
 .Sh SYNOPSIS
 .In sys/types.h
 .In stdio.h
 .In security/pam_appl.h
 .In security/openpam.h
 .Ft "char **"
 .Fn openpam_readlinev "FILE *f" "int *lineno" "int *lenp"
 .Sh DESCRIPTION
 The
 .Fn openpam_readlinev
 function reads a line from a file, splits it
 into words according to the rules described in the
 .Xr openpam_readword 3
 manual page, and returns a list of those words.
 .Pp
 If
 .Fa lineno
 is not
 .Dv NULL ,
 the integer variable it points to is
 incremented every time a newline character is read.
 This includes quoted or escaped newline characters and the newline
 character at the end of the line.
 .Pp
 If
 .Fa lenp
 is not
 .Dv NULL ,
 the number of words on the line is stored in the
 variable to which it points.
 .Sh RETURN VALUES
 If successful, the
 .Fn openpam_readlinev
 function returns a pointer to a
 dynamically allocated array of pointers to individual dynamically
 allocated NUL-terminated strings, each containing a single word, in the
 order in which they were encountered on the line.
 The array is terminated by a
 .Dv NULL
 pointer.
 .Pp
 The caller is responsible for freeing both the array and the individual
 strings by passing each of them to
 .Xr free 3 .
 .Pp
 If the end of the line was reached before any words were read,
 .Fn openpam_readlinev
 returns a pointer to a dynamically allocated array
 containing a single
 .Dv NULL
 pointer.
 .Pp
 The
 .Fn openpam_readlinev
 function can fail and return
 .Dv NULL
 for one of
 four reasons:
 .Bl -bullet
 .It
 The end of the file was reached before any words were read;
 .Va errno
 is
 zero,
 .Xr ferror 3
 returns zero, and
 .Xr feof 3
 returns a non-zero value.
 .It
 The end of the file was reached while a quote or backslash escape
 was in effect;
 .Va errno
 is set to
 .Dv EINVAL ,
 .Xr ferror 3
 returns zero, and
 .Xr feof 3
 returns a non-zero value.
 .It
 An error occurred while reading from the file;
 .Va errno
 is non-zero,
 .Xr ferror 3
 returns a non-zero value and
 .Xr feof 3
 returns zero.
 .It
 A
 .Xr malloc 3
 or
 .Xr realloc 3
 call failed;
 .Va errno
 is set to
 .Dv ENOMEM ,
 .Xr ferror 3
 returns a non-zero value, and
 .Xr feof 3
 may or may not return
 a non-zero value.
 .El
 .Sh SEE ALSO
 .Xr openpam_readline 3 ,
 .Xr openpam_readword 3 ,
 .Xr pam 3
 .Sh STANDARDS
 The
 .Fn openpam_readlinev
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
 .Fn openpam_readlinev
 function and this manual page were
 developed by
 .An Dag-Erling Sm\(/orgrav Aq des@des.no .
--- a/contrib/openpam/doc/man/openpam_readword.3
+++ b/contrib/openpam/doc/man/openpam_readword.3
@ -0,0 +1,152 @@
 .\"-
 .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc.
 .\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
 .\" All rights reserved.
 .\"
 .\" This software was developed for the FreeBSD Project by ThinkSec AS and
 .\" Network Associates Laboratories, the Security Research Division of
 .\" Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .\" ("CBOSS"), as part of the DARPA CHATS research program.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\" 3. The name of the author may not be used to endorse or promote
 .\"    products derived from this software without specific prior written
 .\"    permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .\" $Id$
 .\"
 .Dd May 26, 2012
 .Dt OPENPAM_READWORD 3
 .Os
 .Sh NAME
 .Nm openpam_readword
 .Nd read a word from a file, respecting shell quoting rules
 .Sh LIBRARY
 .Lb libpam
 .Sh SYNOPSIS
 .In sys/types.h
 .In stdio.h
 .In security/pam_appl.h
 .In security/openpam.h
 .Ft "char *"
 .Fn openpam_readword "FILE *f" "int *lineno" "size_t *lenp"
 .Sh DESCRIPTION
 The
 .Fn openpam_readword
 function reads the next word from a file, and
 returns it in a NUL-terminated buffer allocated with
 .Xr malloc 3 .
 .Pp
 A word is a sequence of non-whitespace characters.
 However, whitespace characters can be included in a word if quoted or
 escaped according to the following rules:
 .Bl -bullet
 .It
 An unescaped single or double quote introduces a quoted string,
 which ends when the same quote character is encountered a second
 time.
 The quotes themselves are stripped.
 .It
 Within a single- or double-quoted string, all whitespace characters,
 including the newline character, are preserved as-is.
 .It
 Outside a quoted string, a backslash escapes the next character,
 which is preserved as-is, unless that character is a newline, in
 which case it is discarded and reading continues at the beginning of
 the next line as if the backslash and newline had not been there.
 In all cases, the backslash itself is discarded.
 .It
 Within a single-quoted string, double quotes and backslashes are
 preserved as-is.
 .It
 Within a double-quoted string, a single quote is preserved as-is,
 and a backslash is preserved as-is unless used to escape a double
 quote.
 .El
 .Pp
 In addition, if the first non-whitespace character on the line is a
 hash character (#), the rest of the line is discarded.
 If a hash character occurs within a word, however, it is preserved
 as-is.
 A backslash at the end of a comment does cause line continuation.
 .Pp
 If
 .Fa lineno
 is not
 .Dv NULL ,
 the integer variable it points to is
 incremented every time a quoted or escaped newline character is read.
 .Pp
 If
 .Fa lenp
 is not
 .Dv NULL ,
 the length of the word (after quotes and
 backslashes have been removed) is stored in the variable it points to.
 .Sh RETURN VALUES
 If successful, the
 .Fn openpam_readword
 function returns a pointer to a
 dynamically allocated NUL-terminated string containing the first word
 encountered on the line.
 .Pp
 The caller is responsible for releasing the returned buffer by passing
 it to
 .Xr free 3 .
 .Pp
 If
 .Fn openpam_readword
 reaches the end of the line or file before any
 characters are copied to the word, it returns
 .Dv NULL .
 In the former
 case, the newline is pushed back to the file.
 .Pp
 If
 .Fn openpam_readword
 reaches the end of the file while a quote or
 backslash escape is in effect, it sets
 .Va errno
 to
 .Dv EINVAL
 and returns
 .Dv NULL .
 .Sh IMPLEMENTATION NOTES
 The parsing rules are intended to be equivalent to the normal POSIX
 shell quoting rules.
 Any discrepancy is a bug and should be reported to the author along
 with sample input that can be used to reproduce the error.
 .Pp
 .Sh SEE ALSO
 .Xr openpam_readline 3 ,
 .Xr openpam_readlinev 3 ,
 .Xr pam 3
 .Sh STANDARDS
 The
 .Fn openpam_readword
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
 .Fn openpam_readword
 function and this manual page were
 developed by
 .An Dag-Erling Sm\(/orgrav Aq des@des.no .
--- a/contrib/openpam/doc/man/openpam_restore_cred.3
+++ b/contrib/openpam/doc/man/openpam_restore_cred.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_RESTORE_CRED 3
 .Os
 .Sh NAME
@ -50,13 +50,13 @@
 .Fn openpam_restore_cred "pam_handle_t *pamh"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_restore_cred
 function restores the credentials saved by
 .Xr openpam_borrow_cred 3 .
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_restore_cred
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_NO_MODULE_DATA
@ -73,15 +73,15 @@ System error.
 .Xr pam_strerror 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_restore_cred
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn openpam_restore_cred
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/openpam_set_feature.3
+++ b/contrib/openpam/doc/man/openpam_set_feature.3
@ -0,0 +1,87 @@
 .\"-
 .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc.
 .\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
 .\" All rights reserved.
 .\"
 .\" This software was developed for the FreeBSD Project by ThinkSec AS and
 .\" Network Associates Laboratories, the Security Research Division of
 .\" Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .\" ("CBOSS"), as part of the DARPA CHATS research program.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\" 3. The name of the author may not be used to endorse or promote
 .\"    products derived from this software without specific prior written
 .\"    permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .\" $Id$
 .\"
 .Dd May 26, 2012
 .Dt OPENPAM_SET_FEATURE 3
 .Os
 .Sh NAME
 .Nm openpam_set_feature
 .Nd enable or disable an optional feature
 .Sh LIBRARY
 .Lb libpam
 .Sh SYNOPSIS
 .In sys/types.h
 .In security/pam_appl.h
 .In security/openpam.h
 .Ft "int"
 .Fn openpam_set_feature "int feature" "int onoff"
 .Sh DESCRIPTION
 .Bf Sy
 This function is experimental and may be modified or removed in a future release without further warning.
 .Ef
 .Pp
 The
 .Fn openpam_set_feature
 function sets the state of the specified
 feature to the value specified by the
 .Fa onoff
 argument.
 See
 .Xr openpam_get_feature 3
 for a list of recognized features.
 .Pp
 .Sh RETURN VALUES
 The
 .Fn openpam_set_feature
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_SYMBOL_ERR
 Invalid symbol.
 .El
 .Sh SEE ALSO
 .Xr openpam_get_feature 3 ,
 .Xr pam 3 ,
 .Xr pam_strerror 3
 .Sh STANDARDS
 The
 .Fn openpam_set_feature
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
 .Fn openpam_set_feature
 function and this manual page were
 developed by
 .An Dag-Erling Sm\(/orgrav Aq des@des.no .
--- a/contrib/openpam/doc/man/openpam_set_option.3
+++ b/contrib/openpam/doc/man/openpam_set_option.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_SET_OPTION 3
 .Os
 .Sh NAME
@ -50,13 +50,13 @@
 .Fn openpam_set_option "pam_handle_t *pamh" "const char *option" "const char *value"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_set_option
 function sets the specified option in the
 context of the currently executing service module.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_set_option
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -70,15 +70,15 @@ System error.
 .Xr pam_strerror 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_set_option
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn openpam_set_option
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/openpam_straddch.3
+++ b/contrib/openpam/doc/man/openpam_straddch.3
@ -0,0 +1,122 @@
 .\"-
 .\" Copyright (c) 2001-2003 Networks Associates Technology, Inc.
 .\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
 .\" All rights reserved.
 .\"
 .\" This software was developed for the FreeBSD Project by ThinkSec AS and
 .\" Network Associates Laboratories, the Security Research Division of
 .\" Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .\" ("CBOSS"), as part of the DARPA CHATS research program.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\" 3. The name of the author may not be used to endorse or promote
 .\"    products derived from this software without specific prior written
 .\"    permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .\" $Id$
 .\"
 .Dd May 26, 2012
 .Dt OPENPAM_STRADDCH 3
 .Os
 .Sh NAME
 .Nm openpam_straddch
 .Nd add a character to a string, expanding the buffer if needed
 .Sh LIBRARY
 .Lb libpam
 .Sh SYNOPSIS
 .In sys/types.h
 .In security/pam_appl.h
 .In security/openpam.h
 .Ft "int"
 .Fn openpam_straddch "char **str" "size_t *size" "size_t *len" "int ch"
 .Sh DESCRIPTION
 The
 .Fn openpam_straddch
 function appends a character to a dynamically
 allocated NUL-terminated buffer, reallocating the buffer as needed.
 .Pp
 The
 .Fa str
 argument points to a variable containing either a pointer to
 an existing buffer or
 .Dv NULL .
 If the value of the variable pointed to by
 .Fa str
 is
 .Dv NULL ,
 a new buffer
 is allocated.
 .Pp
 The
 .Fa size
 and
 .Fa len
 argument point to variables used to hold the size
 of the buffer and the length of the string it contains, respectively.
 .Pp
 If a new buffer is allocated or an existing buffer is reallocated to
 make room for the additional character,
 .Fa str
 and
 .Fa size
 are updated
 accordingly.
 .Pp
 The
 .Fn openpam_straddch
 function ensures that the buffer is always
 NUL-terminated.
 .Pp
 If the
 .Fn openpam_straddch
 function is successful, it increments the
 integer variable pointed to by
 .Fa len
 and returns 0.
 Otherwise, it leaves the variables pointed to by
 .Fa str ,
 .Fa size
 and
 .Fa len
 unmodified, sets
 .Va errno
 to
 .Dv ENOMEM
 and returns -1.
 .Pp
 .Sh RETURN VALUES
 The
 .Fn openpam_straddch
 function returns 0 on success and -1 on failure.
 .Sh SEE ALSO
 .Xr pam 3 ,
 .Xr pam_strerror 3
 .Sh STANDARDS
 The
 .Fn openpam_straddch
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
 .Fn openpam_straddch
 function and this manual page were
 developed by
 .An Dag-Erling Sm\(/orgrav Aq des@des.no .
--- a/contrib/openpam/doc/man/openpam_subst.3
+++ b/contrib/openpam/doc/man/openpam_subst.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_SUBST 3
 .Os
 .Sh NAME
@ -50,7 +50,7 @@
 .Fn openpam_subst "const pam_handle_t *pamh" "char *buf" "size_t *bufsize" "const char *template"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_subst
 function expands a string, substituting PAM item
 values for all occurrences of specific substitution codes.
 The
@ -73,12 +73,12 @@ string,
 .Fa bufsize
 is updated to reflect the amount of space required to
 hold the entire string, and
-.Nm
+.Fn openpam_subst
 returns
 .Dv PAM_TRY_AGAIN .
 .Pp
 If
-.Nm
+.Fn openpam_subst
 fails for any other reason, the
 .Fa bufsize
 argument is
@ -112,10 +112,9 @@ Replaced by the current value of the
 .Dv PAM_USER
 item.
 .El
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_subst
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_SYSTEM_ERR
@ -131,12 +130,11 @@ Try again.
 .Xr pam_strerror 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_subst
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn openpam_subst
-function and this manual page were developed for the
+function and this manual page were
-.Fx
+developed by
-Project by
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
 .An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
--- a/contrib/openpam/doc/man/openpam_ttyconv.3
+++ b/contrib/openpam/doc/man/openpam_ttyconv.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_TTYCONV 3
 .Os
 .Sh NAME
@ -50,14 +50,14 @@
 .Fn openpam_ttyconv "int n" "const struct pam_message **msg" "struct pam_response **resp" "void *data"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_ttyconv
 function is a standard conversation function
 suitable for use on TTY devices.
 It should be adequate for the needs of most text-based interactive
 programs.
 .Pp
 The
-.Nm
+.Fn openpam_ttyconv
 function allows the application to specify a
 timeout for user input by setting the global integer variable
 .Va openpam_ttyconv_timeout
@ -65,7 +65,7 @@ to the length of the timeout in seconds.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_ttyconv
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -83,15 +83,15 @@ System error.
 .Xr pam_vprompt 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_ttyconv
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn openpam_ttyconv
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam.3
+++ b/contrib/openpam/doc/man/pam.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM 3
 .Os
 .Sh NAME
@ -291,3 +291,6 @@ Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
 .Pp
 The OpenPAM library is maintained by
 .An Dag-Erling Sm\(/orgrav Aq des@des.no .
--- a/contrib/openpam/doc/man/pam.conf.5
+++ b/contrib/openpam/doc/man/pam.conf.5
@ -26,9 +26,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id: pam.conf.5 485 2011-11-03 16:57:37Z des $
+.\" $Id: pam.conf.5 610 2012-05-26 14:03:45Z des $
 .\"
-.Dd November 3, 2011
+.Dd May 26, 2012
 .Dt PAM.CONF 5
 .Os
 .Sh NAME
@ -50,7 +50,7 @@ decreasing order of preference:
 .Pp
 If none of these locations contains a policy for the given service,
 the
-.Dv default
+.Dq Dv other
 policy is used instead, if it exists.
 .Pp
 Entries in per-service policy files must be of one of the two forms
@ -177,5 +177,5 @@ DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
 .Pp
-This manual page was written by
+The OpenPAM library is maintained by
-.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
--- a/contrib/openpam/doc/man/pam_acct_mgmt.3
+++ b/contrib/openpam/doc/man/pam_acct_mgmt.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_ACCT_MGMT 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_acct_mgmt "pam_handle_t *pamh" "int flags"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_acct_mgmt
 function verifies and enforces account restrictions
 after the user has been authenticated.
 .Pp
@ -65,12 +65,12 @@ Fail if the user's authentication token is null.
 .El
 .Pp
 If any other bits are set,
-.Nm
+.Fn pam_acct_mgmt
 will return
 .Dv PAM_SYMBOL_ERR .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_acct_mgmt
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@ -104,11 +104,11 @@ Unknown user.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_acct_mgmt
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_authenticate.3
+++ b/contrib/openpam/doc/man/pam_authenticate.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_AUTHENTICATE 3
 .Os
 .Sh NAME
@ -49,14 +49,14 @@
 .Fn pam_authenticate "pam_handle_t *pamh" "int flags"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_authenticate
 function attempts to authenticate the user
 associated with the pam context specified by the
 .Fa pamh
 argument.
 .Pp
 The application is free to call
-.Nm
+.Fn pam_authenticate
 as many times as it
 wishes, but some modules may maintain an internal retry counter and
 return
@ -75,12 +75,12 @@ Fail if the user's authentication token is null.
 .El
 .Pp
 If any other bits are set,
-.Nm
+.Fn pam_authenticate
 will return
 .Dv PAM_SYMBOL_ERR .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_authenticate
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@ -118,11 +118,11 @@ Unknown user.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_authenticate
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_chauthtok.3
+++ b/contrib/openpam/doc/man/pam_chauthtok.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_CHAUTHTOK 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_chauthtok "pam_handle_t *pamh" "int flags"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_chauthtok
 function attempts to change the authentication token
 for the user associated with the pam context specified by the
 .Fa pamh
@ -67,12 +67,12 @@ Change only those authentication tokens that have expired.
 .El
 .Pp
 If any other bits are set,
-.Nm
+.Fn pam_chauthtok
 will return
 .Dv PAM_SYMBOL_ERR .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_chauthtok
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@ -110,11 +110,11 @@ Try again.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_chauthtok
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_close_session.3
+++ b/contrib/openpam/doc/man/pam_close_session.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_CLOSE_SESSION 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_close_session "pam_handle_t *pamh" "int flags"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_close_session
 function tears down the user session previously
 set up by
 .Xr pam_open_session 3 .
@ -64,12 +64,12 @@ Do not emit any messages.
 .El
 .Pp
 If any other bits are set,
-.Nm
+.Fn pam_close_session
 will return
 .Dv PAM_SYMBOL_ERR .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_close_session
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@ -100,11 +100,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_close_session
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_conv.3
+++ b/contrib/openpam/doc/man/pam_conv.3
@ -32,9 +32,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id: pam_conv.3 437 2011-09-13 12:00:13Z des $
+.\" $Id: pam_conv.3 610 2012-05-26 14:03:45Z des $
 .\"
-.Dd June 16, 2005
+.Dd May 26, 2012
 .Dt PAM_CONV 3
 .Os
 .Sh NAME
@ -181,3 +181,6 @@ the Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
 .Pp
 The OpenPAM library is maintained by
 .An Dag-Erling Sm\(/orgrav Aq des@des.no .
--- a/contrib/openpam/doc/man/pam_end.3
+++ b/contrib/openpam/doc/man/pam_end.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_END 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_end "pam_handle_t *pamh" "int status"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_end
 function terminates a PAM transaction and destroys the
 corresponding PAM context, releasing all resources allocated to it.
 .Pp
@ -57,11 +57,10 @@ The
 .Fa status
 argument should be set to the error code returned by the
 last API call before the call to
-.Nm
+.Fn pam_end .
 .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_end
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_SYSTEM_ERR
@ -77,11 +76,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_end
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_error.3
+++ b/contrib/openpam/doc/man/pam_error.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_ERROR 3
 .Os
 .Sh NAME
@ -49,13 +49,13 @@
 .Fn pam_error "const pam_handle_t *pamh" "const char *fmt" "..."
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_error
 function displays an error message through the
 intermediary of the given PAM context's conversation function.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_error
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -73,15 +73,15 @@ System error.
 .Xr pam_verror 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_error
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_error
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_get_authtok.3
+++ b/contrib/openpam/doc/man/pam_get_authtok.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_GET_AUTHTOK 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_get_authtok "pam_handle_t *pamh" "int item" "const char **authtok" "const char *prompt"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_get_authtok
 function returns the cached authentication token,
 or prompts the user if no token is currently cached.
 Either way, a pointer to the authentication token is stored in the
@ -89,7 +89,7 @@ before it is
 passed to the conversation function.
 .Pp
 If
-.Nm
+.Fn pam_get_authtok
 is called from a module and the
 .Dv authtok_prompt
 /
@ -110,17 +110,17 @@ is set to
 and there is a non-null
 .Dv PAM_OLDAUTHTOK
 item,
-.Nm
+.Fn pam_get_authtok
 will ask the user to confirm the new token by
 retyping it.
 If there is a mismatch,
-.Nm
+.Fn pam_get_authtok
 will return
 .Dv PAM_TRY_AGAIN .
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_get_authtok
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -140,15 +140,15 @@ Try again.
 .Xr pam_strerror 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_get_authtok
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_get_authtok
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_get_data.3
+++ b/contrib/openpam/doc/man/pam_get_data.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_GET_DATA 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_get_data "const pam_handle_t *pamh" "const char *module_data_name" "const void **data"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_get_data
 function looks up the opaque object associated with
 the string specified by the
 .Fa module_data_name
@ -61,7 +61,7 @@ A pointer to the object is stored in the location pointed to by the
 .Fa data
 argument.
 If
-.Nm
+.Fn pam_get_data
 fails, the
 .Fa data
 argument is untouched.
@ -72,7 +72,7 @@ are useful for managing
 data that are meaningful only to a particular service module.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_get_data
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_NO_MODULE_DATA
@ -91,11 +91,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_get_data
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_get_item.3
+++ b/contrib/openpam/doc/man/pam_get_item.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_GET_ITEM 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_get_item "const pam_handle_t *pamh" "int item_type" "const void **item"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_get_item
 function stores a pointer to the item specified by
 the
 .Fa item_type
@ -60,7 +60,7 @@ The item is retrieved from the PAM context specified by the
 .Fa pamh
 argument.
 If
-.Nm
+.Fn pam_get_item
 fails, the
 .Fa item
 argument is untouched.
@ -107,7 +107,7 @@ for a description of
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_get_item
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_SYMBOL_ERR
@ -127,11 +127,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_get_item
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_get_user.3
+++ b/contrib/openpam/doc/man/pam_get_user.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_GET_USER 3
 .Os
 .Sh NAME
@ -49,13 +49,13 @@
 .Fn pam_get_user "pam_handle_t *pamh" "const char **user" "const char *prompt"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_get_user
 function returns the name of the target user, as
 specified to
 .Xr pam_start 3 .
 If no user was specified, nor set using
 .Xr pam_set_item 3 ,
-.Nm
+.Fn pam_get_user
 will prompt for a user name.
 Either way, a pointer to the user name is stored in the location
 pointed to by the
@ -80,7 +80,7 @@ before it is
 passed to the conversation function.
 .Pp
 If
-.Nm
+.Fn pam_get_user
 is called from a module and the
 .Dv user_prompt
 option is
@ -93,7 +93,7 @@ item.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_get_user
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -118,11 +118,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_get_user
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_getenv.3
+++ b/contrib/openpam/doc/man/pam_getenv.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_GETENV 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_getenv "pam_handle_t *pamh" "const char *name"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_getenv
 function returns the value of an environment variable.
 Its semantics are similar to those of
 .Xr getenv 3 ,
@ -58,7 +58,7 @@ context's environment list instead of the application's.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_getenv
 function returns
 .Dv NULL
 on failure.
@ -75,11 +75,11 @@ on failure.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_getenv
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_getenvlist.3
+++ b/contrib/openpam/doc/man/pam_getenvlist.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_GETENVLIST 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_getenvlist "pam_handle_t *pamh"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_getenvlist
 function returns a copy of the given PAM context's
 environment list as a pointer to an array of strings.
 The last element in the array is
@ -77,7 +77,7 @@ after use:
 .Ed
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_getenvlist
 function returns
 .Dv NULL
 on failure.
@ -96,11 +96,11 @@ on failure.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_getenvlist
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_info.3
+++ b/contrib/openpam/doc/man/pam_info.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_INFO 3
 .Os
 .Sh NAME
@ -49,13 +49,13 @@
 .Fn pam_info "const pam_handle_t *pamh" "const char *fmt" "..."
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_info
 function displays an informational message through the
 intermediary of the given PAM context's conversation function.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_info
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -73,15 +73,15 @@ System error.
 .Xr pam_vinfo 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_info
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_info
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_open_session.3
+++ b/contrib/openpam/doc/man/pam_open_session.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_OPEN_SESSION 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_open_session "pam_handle_t *pamh" "int flags"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_open_session
 sets up a user session for a previously
 authenticated user.
 The session should later be torn down by a call to
@ -65,12 +65,12 @@ Do not emit any messages.
 .El
 .Pp
 If any other bits are set,
-.Nm
+.Fn pam_open_session
 will return
 .Dv PAM_SYMBOL_ERR .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_open_session
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@ -101,11 +101,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_open_session
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_prompt.3
+++ b/contrib/openpam/doc/man/pam_prompt.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_PROMPT 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_prompt "const pam_handle_t *pamh" "int style" "char **resp" "const char *fmt" "..."
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_prompt
 function constructs a message from the specified format
 string and arguments and passes it to the given PAM context's
 conversation function.
@ -67,7 +67,7 @@ for further details.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_prompt
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -85,15 +85,15 @@ System error.
 .Xr pam_vprompt 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_prompt
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_prompt
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_putenv.3
+++ b/contrib/openpam/doc/man/pam_putenv.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_PUTENV 3
 .Os
 .Sh NAME
@ -49,8 +49,8 @@
 .Fn pam_putenv "pam_handle_t *pamh" "const char *namevalue"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_putenv
-function sets a environment variable.
+function sets an environment variable.
 Its semantics are similar to those of
 .Xr putenv 3 ,
 but it modifies the PAM
@ -58,7 +58,7 @@ context's environment list instead of the application's.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_putenv
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -80,11 +80,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_putenv
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_set_data.3
+++ b/contrib/openpam/doc/man/pam_set_data.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SET_DATA 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_set_data "pam_handle_t *pamh" "const char *module_data_name" "void *data" "void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status)"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_set_data
 function associates a pointer to an opaque object
 with an arbitrary string specified by the
 .Fa module_data_name
@ -71,7 +71,7 @@ are useful for managing
 data that are meaningful only to a particular service module.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_set_data
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -90,11 +90,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_set_data
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_set_item.3
+++ b/contrib/openpam/doc/man/pam_set_item.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SET_ITEM 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_set_item "pam_handle_t *pamh" "int item_type" "const void *item"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_set_item
 function sets the item specified by the
 .Fa item_type
 argument to a copy of the object pointed to by the
@ -63,7 +63,7 @@ See
 for a list of recognized item types.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_set_item
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -84,11 +84,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_set_item
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_setcred.3
+++ b/contrib/openpam/doc/man/pam_setcred.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SETCRED 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_setcred "pam_handle_t *pamh" "int flags"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_setcred
 function manages the application's credentials.
 .Pp
 The
@ -72,12 +72,12 @@ Refresh credentials.
 The latter four are mutually exclusive.
 .Pp
 If any other bits are set,
-.Nm
+.Fn pam_setcred
 will return
 .Dv PAM_SYMBOL_ERR .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_setcred
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@ -113,11 +113,11 @@ Unknown user.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_setcred
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_setenv.3
+++ b/contrib/openpam/doc/man/pam_setenv.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SETENV 3
 .Os
 .Sh NAME
@ -49,8 +49,8 @@
 .Fn pam_setenv "pam_handle_t *pamh" "const char *name" "const char *value" "int overwrite"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_setenv
-function sets a environment variable.
+function sets an environment variable.
 Its semantics are similar to those of
 .Xr setenv 3 ,
 but it modifies the PAM
@ -58,7 +58,7 @@ context's environment list instead of the application's.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_setenv
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -75,15 +75,15 @@ System error.
 .Xr setenv 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_setenv
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_setenv
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_sm_acct_mgmt.3
+++ b/contrib/openpam/doc/man/pam_sm_acct_mgmt.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SM_ACCT_MGMT 3
 .Os
 .Sh NAME
@ -50,14 +50,14 @@
 .Fn pam_sm_acct_mgmt "pam_handle_t *pamh" "int flags" "int argc" "const char **argv"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_sm_acct_mgmt
 function is the service module's implementation
 of the
 .Xr pam_acct_mgmt 3
 API function.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_sm_acct_mgmt
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@ -94,11 +94,11 @@ Unknown user.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_sm_acct_mgmt
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_sm_authenticate.3
+++ b/contrib/openpam/doc/man/pam_sm_authenticate.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SM_AUTHENTICATE 3
 .Os
 .Sh NAME
@ -50,14 +50,14 @@
 .Fn pam_sm_authenticate "pam_handle_t *pamh" "int flags" "int argc" "const char **argv"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_sm_authenticate
 function is the service module's
 implementation of the
 .Xr pam_authenticate 3
 API function.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_sm_authenticate
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@ -96,11 +96,11 @@ Unknown user.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_sm_authenticate
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_sm_chauthtok.3
+++ b/contrib/openpam/doc/man/pam_sm_chauthtok.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SM_CHAUTHTOK 3
 .Os
 .Sh NAME
@ -50,7 +50,7 @@
 .Fn pam_sm_chauthtok "pam_handle_t *pamh" "int flags" "int argc" "const char **argv"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_sm_chauthtok
 function is the service module's implementation
 of the
 .Xr pam_chauthtok 3
@ -67,7 +67,7 @@ with the
 flag set.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_sm_chauthtok
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@ -106,11 +106,11 @@ Try again.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_sm_chauthtok
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_sm_close_session.3
+++ b/contrib/openpam/doc/man/pam_sm_close_session.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SM_CLOSE_SESSION 3
 .Os
 .Sh NAME
@ -50,14 +50,14 @@
 .Fn pam_sm_close_session "pam_handle_t *pamh" "int flags" "int args" "const char **argv"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_sm_close_session
 function is the service module's
 implementation of the
 .Xr pam_close_session 3
 API function.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_sm_close_session
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@ -88,11 +88,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_sm_close_session
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_sm_open_session.3
+++ b/contrib/openpam/doc/man/pam_sm_open_session.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SM_OPEN_SESSION 3
 .Os
 .Sh NAME
@ -50,14 +50,14 @@
 .Fn pam_sm_open_session "pam_handle_t *pamh" "int flags" "int argc" "const char **argv"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_sm_open_session
 function is the service module's
 implementation of the
 .Xr pam_open_session 3
 API function.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_sm_open_session
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@ -88,11 +88,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_sm_open_session
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_sm_setcred.3
+++ b/contrib/openpam/doc/man/pam_sm_setcred.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SM_SETCRED 3
 .Os
 .Sh NAME
@ -50,14 +50,14 @@
 .Fn pam_sm_setcred "pam_handle_t *pamh" "int flags" "int argc" "const char **argv"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_sm_setcred
 function is the service module's implementation of
 the
 .Xr pam_setcred 3
 API function.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_sm_setcred
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@ -94,11 +94,11 @@ Unknown user.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_sm_setcred
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_start.3
+++ b/contrib/openpam/doc/man/pam_start.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_START 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_start "const char *service" "const char *user" "const struct pam_conv *pam_conv" "pam_handle_t **pamh"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_start
 function creates and initializes a PAM context.
 .Pp
 The
@ -78,7 +78,7 @@ for details.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_start
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -99,11 +99,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_start
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_strerror.3
+++ b/contrib/openpam/doc/man/pam_strerror.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_STRERROR 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_strerror "const pam_handle_t *pamh" "int error_number"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_strerror
 function returns a pointer to a string containing a
 textual description of the error indicated by the
 .Fa error_number
@ -64,7 +64,7 @@ or
 .Dv NULL .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_strerror
 function returns
 .Dv NULL
 on failure.
@ -78,11 +78,11 @@ on failure.
 .Re
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_strerror
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_verror.3
+++ b/contrib/openpam/doc/man/pam_verror.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_VERROR 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_verror "const pam_handle_t *pamh" "const char *fmt" "va_list ap"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_verror
 function passes its arguments to
 .Xr pam_vprompt 3
 with a
@ -59,7 +59,7 @@ and discards the response.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_verror
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -77,15 +77,15 @@ System error.
 .Xr pam_vprompt 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_verror
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_verror
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_vinfo.3
+++ b/contrib/openpam/doc/man/pam_vinfo.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_VINFO 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_vinfo "const pam_handle_t *pamh" "const char *fmt" "va_list ap"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_vinfo
 function passes its arguments to
 .Xr pam_vprompt 3
 with a
@ -59,7 +59,7 @@ and discards the response.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_vinfo
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -77,15 +77,15 @@ System error.
 .Xr pam_vprompt 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_vinfo
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_vinfo
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/doc/man/pam_vprompt.3
+++ b/contrib/openpam/doc/man/pam_vprompt.3
@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_VPROMPT 3
 .Os
 .Sh NAME
@ -49,7 +49,7 @@
 .Fn pam_vprompt "const pam_handle_t *pamh" "int style" "char **resp" "const char *fmt" "va_list ap"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_vprompt
 function constructs a string from the
 .Fa fmt
 and
@ -93,7 +93,7 @@ If they do, they may be truncated.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_vprompt
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@ -114,15 +114,15 @@ System error.
 .Xr vsnprintf 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_vprompt
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
+.Fn pam_vprompt
-function and this manual page were developed for the
+function and this manual page were
 developed for the
 .Fx
-Project by
+Project by ThinkSec AS and Network Associates Laboratories, the
 ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
--- a/contrib/openpam/include/security/openpam.h
+++ b/contrib/openpam/include/security/openpam.h
@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam.h 455 2011-10-29 18:31:11Z des $
+ * $Id: openpam.h 605 2012-04-20 11:05:10Z des $
 */
 #ifndef SECURITY_OPENPAM_H_INCLUDED
@ -157,12 +157,49 @@ openpam_readline(FILE *_f,
 	int *_lineno,
 	size_t *_lenp)
 	OPENPAM_NONNULL((1));
 char **
 openpam_readlinev(FILE *_f,
 	int *_lineno,
 	int *_lenp)
 	OPENPAM_NONNULL((1));
 char *
 openpam_readword(FILE *_f,
 	int *_lineno,
 	size_t *_lenp)
 	OPENPAM_NONNULL((1));
 #endif
 int
 openpam_straddch(char **_str,
 	size_t *_sizep,
 	size_t *_lenp,
 	int ch)
 	OPENPAM_NONNULL((1));
 /*
 * Enable / disable optional features
 */
 enum {
 	OPENPAM_RESTRICT_SERVICE_NAME,
 	OPENPAM_VERIFY_POLICY_FILE,
 	OPENPAM_RESTRICT_MODULE_NAME,
 	OPENPAM_VERIFY_MODULE_FILE,
 	OPENPAM_NUM_FEATURES
 };
 int
 openpam_set_feature(int _feature, int _onoff);
 int
 openpam_get_feature(int _feature, int *_onoff);
 /*
 * Log levels
 */
 enum {
 	PAM_LOG_LIBDEBUG = -1,
 	PAM_LOG_DEBUG,
 	PAM_LOG_VERBOSE,
 	PAM_LOG_NOTICE,
@ -196,8 +233,8 @@ _openpam_log(int _level,
 void
 openpam_log(int _level,
 	const char *_format,
- 	...)
+	...)
- 	OPENPAM_FORMAT ((__printf__, 2, 3))
+	OPENPAM_FORMAT ((__printf__, 2, 3))
 	OPENPAM_NONNULL((2));
 #endif
--- a/contrib/openpam/include/security/openpam_version.h
+++ b/contrib/openpam/include/security/openpam_version.h
@ -32,14 +32,14 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_version.h 505 2011-12-18 14:13:08Z des $
+ * $Id: openpam_version.h 609 2012-05-26 13:57:45Z des $
 */
 #ifndef SECURITY_OPENPAM_VERSION_H_INCLUDED
 #define SECURITY_OPENPAM_VERSION_H_INCLUDED
 #define OPENPAM
-#define OPENPAM_VERSION	20111218
+#define OPENPAM_VERSION	20120526
-#define OPENPAM_RELEASE	"Lycopsida"
+#define OPENPAM_RELEASE	"Micrampelis"
 #endif /* !SECURITY_OPENPAM_VERSION_H_INCLUDED */
--- a/contrib/openpam/lib/Makefile.am
+++ b/contrib/openpam/lib/Makefile.am
@ -1,4 +1,4 @@
-# $Id: Makefile.am 499 2011-11-22 11:51:50Z des $
+# $Id: Makefile.am 602 2012-04-15 17:31:15Z des $
 NULL =
@ -8,8 +8,11 @@ lib_LTLIBRARIES = libpam.la
 noinst_HEADERS = \
 	openpam_constants.h \
 	openpam_ctype.h \
 	openpam_debug.h \
 	openpam_features.h \
 	openpam_impl.h \
 	openpam_strlcat.h \
 	openpam_strlcmp.h \
 	openpam_strlcpy.h
@ -20,17 +23,23 @@ libpam_la_SOURCES = \
 	openpam_constants.c \
 	openpam_dispatch.c \
 	openpam_dynamic.c \
 	openpam_features.c \
 	openpam_findenv.c \
 	openpam_free_data.c \
 	openpam_free_envlist.c \
 	openpam_get_feature.c \
 	openpam_get_option.c \
 	openpam_load.c \
 	openpam_log.c \
 	openpam_nullconv.c \
 	openpam_readline.c \
 	openpam_readlinev.c \
 	openpam_readword.c \
 	openpam_restore_cred.c \
 	openpam_set_option.c \
 	openpam_set_feature.c \
 	openpam_static.c \
 	openpam_straddch.c \
 	openpam_subst.c \
 	openpam_ttyconv.c \
 	pam_acct_mgmt.c \
--- a/contrib/openpam/lib/Makefile.in
+++ b/contrib/openpam/lib/Makefile.in
@ -15,7 +15,7 @@
@SET_MAKE@
-# $Id: Makefile.am 499 2011-11-22 11:51:50Z des $
+# $Id: Makefile.am 602 2012-04-15 17:31:15Z des $
 VPATH = @srcdir@
@ -76,11 +76,13 @@ am__objects_1 =
 am_libpam_la_OBJECTS = openpam_borrow_cred.lo \
 	openpam_check_owner_perms.lo openpam_configure.lo \
 	openpam_constants.lo openpam_dispatch.lo openpam_dynamic.lo \
-	openpam_findenv.lo openpam_free_data.lo \
+	openpam_features.lo openpam_findenv.lo openpam_free_data.lo \
-	openpam_free_envlist.lo openpam_get_option.lo openpam_load.lo \
+	openpam_free_envlist.lo openpam_get_feature.lo \
-	openpam_log.lo openpam_nullconv.lo openpam_readline.lo \
+	openpam_get_option.lo openpam_load.lo openpam_log.lo \
-	openpam_restore_cred.lo openpam_set_option.lo \
+	openpam_nullconv.lo openpam_readline.lo openpam_readlinev.lo \
-	openpam_static.lo openpam_subst.lo openpam_ttyconv.lo \
+	openpam_readword.lo openpam_restore_cred.lo \
 	openpam_set_option.lo openpam_set_feature.lo openpam_static.lo \
 	openpam_straddch.lo openpam_subst.lo openpam_ttyconv.lo \
 	pam_acct_mgmt.lo pam_authenticate.lo pam_chauthtok.lo \
 	pam_close_session.lo pam_end.lo pam_error.lo \
 	pam_get_authtok.lo pam_get_data.lo pam_get_item.lo \
@ -234,8 +236,11 @@ INCLUDES = -I$(top_srcdir)/include
 lib_LTLIBRARIES = libpam.la
 noinst_HEADERS = \
 	openpam_constants.h \
 	openpam_ctype.h \
 	openpam_debug.h \
 	openpam_features.h \
 	openpam_impl.h \
 	openpam_strlcat.h \
 	openpam_strlcmp.h \
 	openpam_strlcpy.h
@ -246,17 +251,23 @@ libpam_la_SOURCES = \
 	openpam_constants.c \
 	openpam_dispatch.c \
 	openpam_dynamic.c \
 	openpam_features.c \
 	openpam_findenv.c \
 	openpam_free_data.c \
 	openpam_free_envlist.c \
 	openpam_get_feature.c \
 	openpam_get_option.c \
 	openpam_load.c \
 	openpam_log.c \
 	openpam_nullconv.c \
 	openpam_readline.c \
 	openpam_readlinev.c \
 	openpam_readword.c \
 	openpam_restore_cred.c \
 	openpam_set_option.c \
 	openpam_set_feature.c \
 	openpam_static.c \
 	openpam_straddch.c \
 	openpam_subst.c \
 	openpam_ttyconv.c \
 	pam_acct_mgmt.c \
@ -387,17 +398,23 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_constants.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_dispatch.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_dynamic.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_features.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_findenv.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_free_data.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_free_envlist.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_get_feature.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_get_option.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_load.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_log.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_nullconv.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_readline.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_readlinev.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_readword.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_restore_cred.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_set_feature.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_set_option.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_static.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_straddch.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_subst.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_ttyconv.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_acct_mgmt.Plo@am__quote@
--- a/contrib/openpam/lib/openpam_check_owner_perms.c
+++ b/contrib/openpam/lib/openpam_check_owner_perms.c
@ -11,6 +11,9 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -24,7 +27,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_check_owner_perms.c 499 2011-11-22 11:51:50Z des $
+ * $Id: openpam_check_owner_perms.c 543 2012-03-31 22:11:34Z des $
 */
 #ifdef HAVE_CONFIG_H
@ -67,6 +70,12 @@ openpam_check_desc_owner_perms(const char *name, int fd)
 		errno = serrno;
 		return (-1);
 	}
 	if (!S_ISREG(sb.st_mode)) {
 		openpam_log(PAM_LOG_ERROR,
 		    "%s: not a regular file", name);
 		errno = EINVAL;
 		return (-1);
 	}
 	if ((sb.st_uid != root && sb.st_uid != arbitrator) ||
 	    (sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
 		openpam_log(PAM_LOG_ERROR,
@ -84,7 +93,7 @@ openpam_check_desc_owner_perms(const char *name, int fd)
 * up to it are owned by either root or the arbitrator and that they are
 * not writable by group or other.
 *
- * Note that openpam_check_file_owner_perms() should be used instead if
+ * Note that openpam_check_desc_owner_perms() should be used instead if
 * possible to avoid a race between the ownership / permission check and
 * the actual open().
 */
@ -95,8 +104,9 @@ openpam_check_path_owner_perms(const char *path)
 	uid_t root, arbitrator;
 	char pathbuf[PATH_MAX];
 	struct stat sb;
-	int len, serrno;
+	int len, serrno, tip;
 	tip = 1;
 	root = 0;
 	arbitrator = geteuid();
 	if (realpath(path, pathbuf) == NULL)
@ -111,6 +121,12 @@ openpam_check_path_owner_perms(const char *path)
 			}
 			return (-1);
 		}
 		if (tip && !S_ISREG(sb.st_mode)) {
 			openpam_log(PAM_LOG_ERROR,
 			    "%s: not a regular file", pathbuf);
 			errno = EINVAL;
 			return (-1);
 		}
 		if ((sb.st_uid != root && sb.st_uid != arbitrator) ||
 		    (sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
 			openpam_log(PAM_LOG_ERROR,
@ -120,6 +136,7 @@ openpam_check_path_owner_perms(const char *path)
 		}
 		while (--len > 0 && pathbuf[len] != '/')
 			pathbuf[len] = '\0';
 		tip = 0;
 	}
 	return (0);
 }
--- a/contrib/openpam/lib/openpam_configure.c
+++ b/contrib/openpam/lib/openpam_configure.c
@ -1,6 +1,6 @@
 /*-
 * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2012 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
@ -32,13 +32,15 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_configure.c 500 2011-11-22 12:07:03Z des $
+ * $Id: openpam_configure.c 601 2012-04-14 20:37:45Z des $
 */
 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif
 #include <sys/param.h>
 #include <ctype.h>
 #include <errno.h>
 #include <stdio.h>
@ -48,389 +50,183 @@
 #include <security/pam_appl.h>
 #include "openpam_impl.h"
-#include "openpam_strlcmp.h"
+#include "openpam_ctype.h"
 #include "openpam_strlcat.h"
 #include "openpam_strlcpy.h"
 static int openpam_load_chain(pam_handle_t *, const char *, pam_facility_t);
 /*
- * Evaluates to non-zero if the argument is a linear whitespace character.
+ * Validate a service name.
 */
 #define is_lws(ch)				\
 	(ch == ' ' || ch == '\t')
 /*
 * Evaluates to non-zero if the argument is a printable ASCII character.
 * Assumes that the execution character set is a superset of ASCII.
 */
 #define is_p(ch) \
 	(ch >= '!' && ch <= '~')
 /*
 * Returns non-zero if the argument belongs to the POSIX Portable Filename
 * Character Set.  Assumes that the execution character set is a superset
 * of ASCII.
 */
 #define is_pfcs(ch)				\
 	((ch >= '0' && ch <= '9') ||		\
 	 (ch >= 'A' && ch <= 'Z') ||		\
 	 (ch >= 'a' && ch <= 'z') ||		\
 	 ch == '.' || ch == '_' || ch == '-')
 /*
 * Parse the service name.
 *
- * Returns the length of the service name, or 0 if the end of the string
+ * Returns a non-zero value if the argument points to a NUL-terminated
- * was reached or a disallowed non-whitespace character was encountered.
+ * string consisting entirely of characters in the POSIX portable filename
- *
+ * character set, excluding the path separator character.
 * If parse_service_name() is successful, it updates *service to point to
 * the first character of the service name and *line to point one
 * character past the end.  If it reaches the end of the string, it
 * updates *line to point to the terminating NUL character and leaves
 * *service unmodified.  In all other cases, it leaves both *line and
 * *service unmodified.
 *
 * Allowed characters are all characters in the POSIX portable filename
 * character set.
 */
 static int
-parse_service_name(char **line, char **service)
+valid_service_name(const char *name)
 {
-	char *b, *e;
+	const char *p;
-	for (b = *line; *b && is_lws(*b); ++b)
+	if (OPENPAM_FEATURE(RESTRICT_SERVICE_NAME)) {
-		/* nothing */ ;
+		/* path separator not allowed */
-	if (!*b) {
+		for (p = name; *p != '\0'; ++p)
-		*line = b;
+			if (!is_pfcs(*p))
-		return (0);
+				return (0);
 	} else {
 		/* path separator allowed */
 		for (p = name; *p != '\0'; ++p)
 			if (!is_pfcs(*p) && *p != '/')
 				return (0);
 	}
-	for (e = b; *e && !is_lws(*e); ++e)
+	return (1);
 		if (!is_pfcs(*e))
 			return (0);
 	if (e == b)
 		return (0);
 	*line = e;
 	*service = b;
 	return (e - b);
 }
 /*
 * Parse the facility name.
 *
- * Returns the corresponding pam_facility_t value, or -1 if the end of the
+ * Returns the corresponding pam_facility_t value, or -1 if the argument
- * string was reached, a disallowed non-whitespace character was
+ * is not a valid facility name.
 * encountered, or the first word was not a recognized facility name.
 *
 * If parse_facility_name() is successful, it updates *line to point one
 * character past the end of the facility name.  If it reaches the end of
 * the string, it updates *line to point to the terminating NUL character.
 * In all other cases, it leaves *line unmodified.
 */
 static pam_facility_t
-parse_facility_name(char **line)
+parse_facility_name(const char *name)
 {
 	char *b, *e;
 	int i;
 	for (b = *line; *b && is_lws(*b); ++b)
 		/* nothing */ ;
 	if (!*b) {
 		*line = b;
 		return ((pam_facility_t)-1);
 	}
 	for (e = b; *e && !is_lws(*e); ++e)
 		/* nothing */ ;
 	if (e == b)
 		return ((pam_facility_t)-1);
 	for (i = 0; i < PAM_NUM_FACILITIES; ++i)
-		if (strlcmp(pam_facility_name[i], b, e - b) == 0)
+		if (strcmp(pam_facility_name[i], name) == 0)
-			break;
+			return (i);
-	if (i == PAM_NUM_FACILITIES)
+	return ((pam_facility_t)-1);
 		return ((pam_facility_t)-1);
 	*line = e;
 	return (i);
 }
 /*
 * Parse the word "include".
 *
 * If the next word on the line is "include", parse_include() updates
 * *line to point one character past "include" and returns 1.  Otherwise,
 * it leaves *line unmodified and returns 0.
 */
 static int
 parse_include(char **line)
 {
 	char *b, *e;
 	for (b = *line; *b && is_lws(*b); ++b)
 		/* nothing */ ;
 	if (!*b) {
 		*line = b;
 		return (-1);
 	}
 	for (e = b; *e && !is_lws(*e); ++e)
 		/* nothing */ ;
 	if (e == b)
 		return (0);
 	if (strlcmp("include", b, e - b) != 0)
 		return (0);
 	*line = e;
 	return (1);
 }
 /*
 * Parse the control flag.
 *
- * Returns the corresponding pam_control_t value, or -1 if the end of the
+ * Returns the corresponding pam_control_t value, or -1 if the argument is
- * string was reached, a disallowed non-whitespace character was
+ * not a valid control flag name.
 * encountered, or the first word was not a recognized control flag.
 *
 * If parse_control_flag() is successful, it updates *line to point one
 * character past the end of the control flag.  If it reaches the end of
 * the string, it updates *line to point to the terminating NUL character.
 * In all other cases, it leaves *line unmodified.
 */
 static pam_control_t
-parse_control_flag(char **line)
+parse_control_flag(const char *name)
 {
 	char *b, *e;
 	int i;
 	for (b = *line; *b && is_lws(*b); ++b)
 		/* nothing */ ;
 	if (!*b) {
 		*line = b;
 		return ((pam_control_t)-1);
 	}
 	for (e = b; *e && !is_lws(*e); ++e)
 		/* nothing */ ;
 	if (e == b)
 		return ((pam_control_t)-1);
 	for (i = 0; i < PAM_NUM_CONTROL_FLAGS; ++i)
-		if (strlcmp(pam_control_flag_name[i], b, e - b) == 0)
+		if (strcmp(pam_control_flag_name[i], name) == 0)
-			break;
+			return (i);
-	if (i == PAM_NUM_CONTROL_FLAGS)
+	return ((pam_control_t)-1);
 		return ((pam_control_t)-1);
 	*line = e;
 	return (i);
 }
 /*
- * Parse a file name.
+ * Validate a file name.
 *
- * Returns the length of the file name, or 0 if the end of the string was
+ * Returns a non-zero value if the argument points to a NUL-terminated
- * reached or a disallowed non-whitespace character was encountered.
+ * string consisting entirely of characters in the POSIX portable filename
- *
+ * character set, including the path separator character.
 * If parse_filename() is successful, it updates *filename to point to the
 * first character of the filename and *line to point one character past
 * the end.  If it reaches the end of the string, it updates *line to
 * point to the terminating NUL character and leaves *filename unmodified.
 * In all other cases, it leaves both *line and *filename unmodified.
 *
 * Allowed characters are all characters in the POSIX portable filename
 * character set, plus the path separator (forward slash).
 */
 static int
-parse_filename(char **line, char **filename)
+valid_module_name(const char *name)
 {
-	char *b, *e;
+	const char *p;
-	for (b = *line; *b && is_lws(*b); ++b)
+	if (OPENPAM_FEATURE(RESTRICT_MODULE_NAME)) {
-		/* nothing */ ;
+		/* path separator not allowed */
-	if (!*b) {
+		for (p = name; *p != '\0'; ++p)
-		*line = b;
+			if (!is_pfcs(*p))
-		return (0);
+				return (0);
 	}
 	for (e = b; *e && !is_lws(*e); ++e)
 		if (!is_pfcs(*e) && *e != '/')
 			return (0);
 	if (e == b)
 		return (0);
 	*line = e;
 	*filename = b;
 	return (e - b);
 }
 /*
 * Parse an option.
 *
 * Returns a dynamically allocated string containing the next module
 * option, or NULL if the end of the string was reached or a disallowed
 * non-whitespace character was encountered.
 *
 * If parse_option() is successful, it updates *line to point one
 * character past the end of the option.  If it reaches the end of the
 * string, it updates *line to point to the terminating NUL character.  In
 * all other cases, it leaves *line unmodified.
 *
 * If parse_option() fails to allocate memory, it will return NULL and set
 * errno to a non-zero value.
 *
 * Allowed characters for option names are all characters in the POSIX
 * portable filename character set.  Allowed characters for option values
 * are any printable non-whitespace characters.  The option value may be
 * quoted in either single or double quotes, in which case space
 * characters and whichever quote character was not used are allowed.
 * Note that the entire value must be quoted, not just part of it.
 */
 static char *
 parse_option(char **line)
 {
 	char *nb, *ne, *vb, *ve;
 	unsigned char q = 0;
 	char *option;
 	size_t size;
 	errno = 0;
 	for (nb = *line; *nb && is_lws(*nb); ++nb)
 		/* nothing */ ;
 	if (!*nb) {
 		*line = nb;
 		return (NULL);
 	}
 	for (ne = nb; *ne && !is_lws(*ne) && *ne != '='; ++ne)
 		if (!is_pfcs(*ne))
 			return (NULL);
 	if (ne == nb)
 		return (NULL);
 	if (*ne == '=') {
 		vb = ne + 1;
 		if (*vb == '"' || *vb == '\'')
 			q = *vb++;
 		for (ve = vb;
 		     *ve && *ve != q && (is_p(*ve) || (q && is_lws(*ve)));
 		     ++ve)
 			/* nothing */ ;
 		if (q && *ve != q)
 			/* non-printable character or missing endquote */
 			return (NULL);
 		if (q && *(ve + 1) && !is_lws(*(ve + 1)))
 			/* garbage after value */
 			return (NULL);
 	} else {
-		vb = ve = ne;
+		/* path separator allowed */
 		for (p = name; *p != '\0'; ++p)
 			if (!is_pfcs(*p) && *p != '/')
 				return (0);
 	}
-	size = (ne - nb) + 1;
+	return (1);
 	if (ve > vb)
 		size += (ve - vb) + 1;
 	if ((option = malloc(size)) == NULL)
 		return (NULL);
 	strncpy(option, nb, ne - nb);
 	if (ve > vb) {
 		option[ne - nb] = '=';
 		strncpy(option + (ne - nb) + 1, vb, ve - vb);
 	}
 	option[size - 1] = '\0';
 	*line = q ? ve + 1 : ve;
 	return (option);
 }
 /*
 * Consume trailing whitespace.
 *
 * If there are no non-whitespace characters left on the line, parse_eol()
 * updates *line to point at the terminating NUL character and returns 0.
 * Otherwise, it leaves *line unmodified and returns a non-zero value.
 */
 static int
 parse_eol(char **line)
 {
 	char *p;
 	for (p = *line; *p && is_lws(*p); ++p)
 		/* nothing */ ;
 	if (*p)
 		return ((unsigned char)*p);
 	*line = p;
 	return (0);
 }
 typedef enum { pam_conf_style, pam_d_style } openpam_style_t;
 /*
 * Extracts given chains from a policy file.
 *
 * Returns the number of policy entries which were found for the specified
 * service and facility, or -1 if a system error occurred or a syntax
 * error was encountered.
 */
 static int
 openpam_parse_chain(pam_handle_t *pamh,
 	const char *service,
 	pam_facility_t facility,
 	FILE *f,
 	const char *filename,
 	openpam_style_t style)
 {
 	pam_chain_t *this, **next;
 	pam_facility_t fclt;
 	pam_control_t ctlf;
-	char *line0, *line, *str, *name;
+	char *name, *servicename, *modulename;
-	char *option, **optv;
+	int count, lineno, ret, serrno;
-	int len, lineno, ret;
+	char **wordv, *word;
-	FILE *f;
+	int i, wordc;
-	if ((f = fopen(filename, "r")) == NULL) {
+	count = 0;
 		openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_NOTICE,
 		    "%s: %m", filename);
 		return (PAM_SUCCESS);
 	}
 	if (openpam_check_desc_owner_perms(filename, fileno(f)) != 0) {
 		fclose(f);
 		return (PAM_SYSTEM_ERR);
 	}
 	this = NULL;
 	name = NULL;
 	lineno = 0;
-	while ((line0 = line = openpam_readline(f, &lineno, NULL)) != NULL) {
+	wordc = 0;
-		/* get service name if necessary */
+	wordv = NULL;
-		if (style == pam_conf_style) {
+	while ((wordv = openpam_readlinev(f, &lineno, &wordc)) != NULL) {
-			if ((len = parse_service_name(&line, &str)) == 0) {
+		/* blank line? */
-				openpam_log(PAM_LOG_NOTICE,
+		if (wordc == 0) {
-				    "%s(%d): invalid service name (ignored)",
+			FREEV(wordc, wordv);
-				    filename, lineno);
+			continue;
-				FREE(line0);
+		}
-				continue;
+		i = 0;
-			}
+
-			if (strlcmp(service, str, len) != 0) {
+		/* check service name if necessary */
-				FREE(line0);
+		if (style == pam_conf_style &&
-				continue;
+		    strcmp(wordv[i++], service) != 0) {
-			}
+			FREEV(wordc, wordv);
 			continue;
 		}
-		/* get facility name */
+		/* check facility name */
-		if ((fclt = parse_facility_name(&line)) == (pam_facility_t)-1) {
+		if ((word = wordv[i++]) == NULL ||
 		    (fclt = parse_facility_name(word)) == (pam_facility_t)-1) {
 			openpam_log(PAM_LOG_ERROR,
 			    "%s(%d): missing or invalid facility",
 			    filename, lineno);
 			goto fail;
 		}
 		if (facility != fclt && facility != PAM_FACILITY_ANY) {
-			FREE(line0);
+			FREEV(wordc, wordv);
 			continue;
 		}
 		/* check for "include" */
-		if (parse_include(&line)) {
+		if ((word = wordv[i++]) != NULL &&
-			if ((len = parse_service_name(&line, &str)) == 0) {
+		    strcmp(word, "include") == 0) {
 			if ((servicename = wordv[i++]) == NULL ||
 			    !valid_service_name(servicename)) {
 				openpam_log(PAM_LOG_ERROR,
-				    "%s(%d): missing or invalid filename",
+				    "%s(%d): missing or invalid service name",
 				    filename, lineno);
 				goto fail;
 			}
-			if ((name = strndup(str, len)) == NULL)
+			if (wordv[i] != NULL) {
 				goto syserr;
 			if (parse_eol(&line) != 0) {
 				openpam_log(PAM_LOG_ERROR,
 				    "%s(%d): garbage at end of line",
 				    filename, lineno);
 				goto fail;
 			}
-			ret = openpam_load_chain(pamh, name, fclt);
+			ret = openpam_load_chain(pamh, servicename, fclt);
-			FREE(name);
+			FREEV(wordc, wordv);
-			if (ret != PAM_SUCCESS)
+			if (ret < 0)
 				goto fail;
 			FREE(line0);
 			continue;
 		}
 		/* get control flag */
-		if ((ctlf = parse_control_flag(&line)) == (pam_control_t)-1) {
+		if (word == NULL || /* same word we compared to "include" */
 		    (ctlf = parse_control_flag(word)) == (pam_control_t)-1) {
 			openpam_log(PAM_LOG_ERROR,
 			    "%s(%d): missing or invalid control flag",
 			    filename, lineno);
@ -438,73 +234,76 @@ openpam_parse_chain(pam_handle_t *pamh,
 		}
 		/* get module name */
-		if ((len = parse_filename(&line, &str)) == 0) {
+		if ((modulename = wordv[i++]) == NULL ||
 		    !valid_module_name(modulename)) {
 			openpam_log(PAM_LOG_ERROR,
 			    "%s(%d): missing or invalid module name",
 			    filename, lineno);
 			goto fail;
 		}
 		if ((name = strndup(str, len)) == NULL)
 			goto syserr;
 		/* allocate new entry */
 		if ((this = calloc(1, sizeof *this)) == NULL)
 			goto syserr;
 		this->flag = ctlf;
 		/* get module options */
 		if ((this->optv = malloc(sizeof *optv)) == NULL)
 			goto syserr;
 		this->optc = 0;
 		while ((option = parse_option(&line)) != NULL) {
 			optv = realloc(this->optv,
 			    (this->optc + 2) * sizeof *optv);
 			if (optv == NULL)
 				goto syserr;
 			this->optv = optv;
 			this->optv[this->optc++] = option;
 		}
 		this->optv[this->optc] = NULL;
 		if (*line != '\0') {
 			openpam_log(PAM_LOG_ERROR,
 			    "%s(%d): syntax error in module options",
 			    filename, lineno);
 			goto fail;
 		}
 		/* load module */
-		this->module = openpam_load_module(name);
+		if ((this->module = openpam_load_module(modulename)) == NULL)
 		FREE(name);
 		if (this->module == NULL)
 			goto fail;
 		/*
 		 * The remaining items in wordv are the module's
 		 * arguments.  We could set this->optv = wordv + i, but
 		 * then free(this->optv) wouldn't work.  Instead, we free
 		 * the words we've already consumed, shift the rest up,
 		 * and clear the tail end of the array.
 		 */
 		this->optc = wordc - i;
 		for (i = 0; i < wordc - this->optc; ++i) {
 			FREE(wordv[i]);
 			wordv[i] = wordv[wordc - this->optc + i];
 			wordv[wordc - this->optc + i] = NULL;
 		}
 		this->optv = wordv;
 		wordv = NULL;
 		wordc = 0;
 		/* hook it up */
 		for (next = &pamh->chains[fclt]; *next != NULL;
 		     next = &(*next)->next)
 			/* nothing */ ;
 		*next = this;
 		this = NULL;
-
+		++count;
 		/* next please... */
 		FREE(line0);
 	}
-	if (!feof(f))
+	/*
 	 * The loop ended because openpam_readword() returned NULL, which
 	 * can happen for four different reasons: an I/O error (ferror(f)
 	 * is true), a memory allocation failure (ferror(f) is false,
 	 * errno is non-zero)
 	 */
 	if (ferror(f) || errno != 0)
 		goto syserr;
 	if (!feof(f))
 		goto fail;
 	fclose(f);
-	return (PAM_SUCCESS);
+	return (count);
 syserr:
 	serrno = errno;
 	openpam_log(PAM_LOG_ERROR, "%s: %m", filename);
 	errno = serrno;
 	/* fall through */
 fail:
-	if (this && this->optc) {
+	serrno = errno;
-		while (this->optc--)
+	if (this && this->optc && this->optv)
-			FREE(this->optv[this->optc]);
+		FREEV(this->optc, this->optv);
 		FREE(this->optv);
 	}
 	FREE(this);
-	FREE(line0);
+	FREEV(wordc, wordv);
 	FREE(wordv);
 	FREE(name);
 	fclose(f);
-	return (PAM_SYSTEM_ERR);
+	errno = serrno;
 	return (-1);
 }
 static const char *openpam_policy_path[] = {
@ -515,45 +314,111 @@ static const char *openpam_policy_path[] = {
 	NULL
 };
 /*
 * Read the specified chains from the specified file.
 *
 * Returns 0 if the file exists but does not contain any matching lines.
 *
 * Returns -1 and sets errno to ENOENT if the file does not exist.
 *
 * Returns -1 and sets errno to some other non-zero value if the file
 * exists but is unsafe or unreadable, or an I/O error occurs.
 */
 static int
 openpam_load_file(pam_handle_t *pamh,
 	const char *service,
 	pam_facility_t facility,
 	const char *filename,
 	openpam_style_t style)
 {
 	FILE *f;
 	int ret, serrno;
 	/* attempt to open the file */
 	if ((f = fopen(filename, "r")) == NULL) {
 		serrno = errno;
 		openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_ERROR,
 		    "%s: %m", filename);
 		errno = serrno;
 		RETURNN(-1);
 	} else {
 		openpam_log(PAM_LOG_DEBUG, "found %s", filename);
 	}
 	/* verify type, ownership and permissions */
 	if (OPENPAM_FEATURE(VERIFY_POLICY_FILE) &&
 	    openpam_check_desc_owner_perms(filename, fileno(f)) != 0) {
 		/* already logged the cause */
 		serrno = errno;
 		fclose(f);
 		errno = serrno;
 		RETURNN(-1);
 	}
 	/* parse the file */
 	ret = openpam_parse_chain(pamh, service, facility,
 	    f, filename, style);
 	RETURNN(ret);
 }
 /*
 * Locates the policy file for a given service and reads the given chains
 * from it.
 *
 * Returns the number of policy entries which were found for the specified
 * service and facility, or -1 if a system error occurred or a syntax
 * error was encountered.
 */
 static int
 openpam_load_chain(pam_handle_t *pamh,
 	const char *service,
 	pam_facility_t facility)
 {
-	const char **path;
+	const char *p, **path;
-	char *filename;
+	char filename[PATH_MAX];
 	size_t len;
 	openpam_style_t style;
 	int ret;
-	/* don't allow to escape from policy_path */
+	ENTERS(facility < 0 ? "any" : pam_facility_name[facility]);
-	if (strchr(service, '/')) {
+
-		openpam_log(PAM_LOG_ERROR, "invalid service name: %s",
+	/* either absolute or relative to cwd */
-		    service);
+	if (strchr(service, '/') != NULL) {
-		return (-PAM_SYSTEM_ERR);
+		if ((p = strrchr(service, '.')) != NULL && strcmp(p, ".conf") == 0)
 			style = pam_conf_style;
 		else
 			style = pam_d_style;
 		ret = openpam_load_file(pamh, service, facility,
 		    service, style);
 		RETURNN(ret);
 	}
 	/* search standard locations */
 	for (path = openpam_policy_path; *path != NULL; ++path) {
-		len = strlen(*path);
+		/* construct filename */
-		if ((*path)[len - 1] == '/') {
+		len = strlcpy(filename, *path, sizeof filename);
-			if (asprintf(&filename, "%s%s", *path, service) < 0) {
+		if (filename[len - 1] == '/') {
-				openpam_log(PAM_LOG_ERROR, "asprintf(): %m");
+			len = strlcat(filename, service, sizeof filename);
-				return (PAM_BUF_ERR);
+			if (len >= sizeof filename) {
 				errno = ENAMETOOLONG;
 				RETURNN(-1);
 			}
-			ret = openpam_parse_chain(pamh, service, facility,
+			style = pam_d_style;
 			    filename, pam_d_style);
 			FREE(filename);
 		} else {
-			ret = openpam_parse_chain(pamh, service, facility,
+			style = pam_conf_style;
 			    *path, pam_conf_style);
 		}
-		if (ret != PAM_SUCCESS)
+		ret = openpam_load_file(pamh, service, facility,
-			return (ret);
+		    filename, style);
 		/* the file exists, but an error occurred */
 		if (ret == -1 && errno != ENOENT)
 			RETURNN(ret);
 		/* in pam.d style, an empty file counts as a hit */
 		if (ret == 0 && style == pam_d_style)
 			RETURNN(ret);
 	}
-	return (PAM_SUCCESS);
+
 	/* no hit */
 	RETURNN(0);
 }
 /*
@ -567,25 +432,27 @@ openpam_configure(pam_handle_t *pamh,
 	const char *service)
 {
 	pam_facility_t fclt;
-	const char *p;
+	int serrno;
-	for (p = service; *p; ++p)
+	ENTERS(service);
-		if (!is_pfcs(*p))
+	if (!valid_service_name(service)) {
-			return (PAM_SYSTEM_ERR);
+		openpam_log(PAM_LOG_ERROR, "invalid service name");
-
+		RETURNC(PAM_SYSTEM_ERR);
-	if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) != PAM_SUCCESS)
+	}
 	if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0)
 		goto load_err;
 	for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
 		if (pamh->chains[fclt] != NULL)
 			continue;
-		if (openpam_load_chain(pamh, PAM_OTHER, fclt) != PAM_SUCCESS)
+		if (openpam_load_chain(pamh, PAM_OTHER, fclt) < 0)
 			goto load_err;
 	}
-	return (PAM_SUCCESS);
+	RETURNC(PAM_SUCCESS);
 load_err:
 	serrno = errno;
 	openpam_clear_chains(pamh->chains);
-	return (PAM_SYSTEM_ERR);
+	errno = serrno;
 	RETURNC(PAM_SYSTEM_ERR);
 }
 /*
--- a/contrib/openpam/lib/openpam_constants.h
+++ b/contrib/openpam/lib/openpam_constants.h
@ -11,6 +11,9 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -24,11 +27,11 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_constants.h 491 2011-11-12 00:12:32Z des $
+ * $Id: openpam_constants.h 606 2012-04-20 11:06:38Z des $
 */
-#ifndef OPENPAM_CONSTANTS_INCLUDED
+#ifndef OPENPAM_CONSTANTS_H_INCLUDED
-#define OPENPAM_CONSTANTS_INCLUDED
+#define OPENPAM_CONSTANTS_H_INCLUDED
 extern const char *pam_err_name[PAM_NUM_ERRORS];
 extern const char *pam_item_name[PAM_NUM_ITEMS];
--- a/contrib/openpam/lib/openpam_ctype.h
+++ b/contrib/openpam/lib/openpam_ctype.h
@ -0,0 +1,68 @@
 /*-
 * Copyright (c) 2012 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Id: openpam_ctype.h 578 2012-04-06 00:45:59Z des $
 */
 #ifndef OPENPAM_CTYPE_H_INCLUDED
 #define OPENPAM_CTYPE_H_INCLUDED
 /*
 * Evaluates to non-zero if the argument is a linear whitespace character.
 * For the purposes of this macro, the definition of linear whitespace is
 * extended to include the form feed and carraige return characters.
 */
 #define is_lws(ch)				\
 	(ch == ' ' || ch == '\t' || ch == '\f' || ch == '\r')
 /*
 * Evaluates to non-zero if the argument is a whitespace character.
 */
 #define is_ws(ch)				\
 	(is_lws(ch) || ch == '\n')
 /*
 * Evaluates to non-zero if the argument is a printable ASCII character.
 * Assumes that the execution character set is a superset of ASCII.
 */
 #define is_p(ch) \
 	(ch >= '!' && ch <= '~')
 /*
 * Returns non-zero if the argument belongs to the POSIX Portable Filename
 * Character Set.  Assumes that the execution character set is a superset
 * of ASCII.
 */
 #define is_pfcs(ch)				\
 	((ch >= '0' && ch <= '9') ||		\
 	 (ch >= 'A' && ch <= 'Z') ||		\
 	 (ch >= 'a' && ch <= 'z') ||		\
 	 ch == '.' || ch == '_' || ch == '-')
 #endif
--- a/contrib/openpam/lib/openpam_debug.h
+++ b/contrib/openpam/lib/openpam_debug.h
@ -32,60 +32,68 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_debug.h 491 2011-11-12 00:12:32Z des $
+ * $Id: openpam_debug.h 606 2012-04-20 11:06:38Z des $
 */
-#ifndef OPENPAM_DEBUG_INCLUDED
+#ifndef OPENPAM_DEBUG_H_INCLUDED
-#define OPENPAM_DEBUG_INCLUDED
+#define OPENPAM_DEBUG_H_INCLUDED
 #ifdef OPENPAM_DEBUG
-#define ENTER() openpam_log(PAM_LOG_DEBUG, "entering")
+#define ENTER() openpam_log(PAM_LOG_LIBDEBUG, "entering")
 #define ENTERI(i) do { \
 	int i_ = (i); \
 	if (i_ > 0 && i_ < PAM_NUM_ITEMS) \
-		openpam_log(PAM_LOG_DEBUG, "entering: %s", pam_item_name[i_]); \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: %s", pam_item_name[i_]); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "entering: %d", i_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", i_); \
 } while (0)
 #define ENTERN(n) do { \
 	int n_ = (n); \
-	openpam_log(PAM_LOG_DEBUG, "entering: %d", n_); \
+	openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", n_); \
 } while (0)
 #define ENTERS(s) do { \
 	const char *s_ = (s); \
 	if (s_ == NULL) \
-		openpam_log(PAM_LOG_DEBUG, "entering: NULL"); \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: NULL"); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "entering: '%s'", s_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: '%s'", s_); \
 } while (0)
-#define	RETURNV() openpam_log(PAM_LOG_DEBUG, "returning")
+#define ENTERF(f) do { \
 	int f_ = (f); \
 	if (f_ >= 0 && f_ <= OPENPAM_NUM_FEATURES) \
 		openpam_log(PAM_LOG_LIBDEBUG, "entering: %s", \
 		    openpam_features[f_].name); \
 	else \
 		openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", f_); \
 } while (0)
 #define	RETURNV() openpam_log(PAM_LOG_LIBDEBUG, "returning")
 #define RETURNC(c) do { \
 	int c_ = (c); \
 	if (c_ >= 0 && c_ < PAM_NUM_ERRORS) \
-		openpam_log(PAM_LOG_DEBUG, "returning %s", pam_err_name[c_]); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning %s", pam_err_name[c_]); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "returning %d!", c_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning %d!", c_); \
 	return (c_); \
 } while (0)
 #define	RETURNN(n) do { \
 	int n_ = (n); \
-	openpam_log(PAM_LOG_DEBUG, "returning %d", n_); \
+	openpam_log(PAM_LOG_LIBDEBUG, "returning %d", n_); \
 	return (n_); \
 } while (0)
 #define	RETURNP(p) do { \
-	const void *p_ = (p); \
+	void *p_ = (p); \
 	if (p_ == NULL) \
-		openpam_log(PAM_LOG_DEBUG, "returning NULL"); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning NULL"); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "returning %p", p_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning %p", p_); \
 	return (p_); \
 } while (0)
 #define	RETURNS(s) do { \
 	const char *s_ = (s); \
 	if (s_ == NULL) \
-		openpam_log(PAM_LOG_DEBUG, "returning NULL"); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning NULL"); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "returning '%s'", s_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning '%s'", s_); \
 	return (s_); \
 } while (0)
 #else
@ -93,6 +101,7 @@
 #define ENTERI(i)
 #define ENTERN(n)
 #define ENTERS(s)
 #define ENTERF(f)
 #define RETURNV() return
 #define RETURNC(c) return (c)
 #define RETURNN(n) return (n)
--- a/contrib/openpam/lib/openpam_dynamic.c
+++ b/contrib/openpam/lib/openpam_dynamic.c
@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_dynamic.c 502 2011-12-18 13:59:22Z des $
+ * $Id: openpam_dynamic.c 607 2012-04-20 11:09:37Z des $
 */
 #ifdef HAVE_CONFIG_H
@ -40,6 +40,7 @@
 #endif
 #include <dlfcn.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
@ -60,15 +61,50 @@
 * Perform sanity checks and attempt to load a module
 */
 #ifdef HAVE_FDLOPEN
 static void *
 try_dlopen(const char *modfn)
 {
 	void *dlh;
 	int fd;
-	if (openpam_check_path_owner_perms(modfn) != 0)
+	if ((fd = open(modfn, O_RDONLY)) < 0)
 		return (NULL);
-	return (dlopen(modfn, RTLD_NOW));
+	if (OPENPAM_FEATURE(VERIFY_MODULE_FILE) &&
 	    openpam_check_desc_owner_perms(modfn, fd) != 0) {
 		close(fd);
 		return (NULL);
 	}
 	if ((dlh = fdlopen(fd, RTLD_NOW)) == NULL) {
 		openpam_log(PAM_LOG_ERROR, "%s: %s", modfn, dlerror());
 		close(fd);
 		errno = 0;
 		return (NULL);
 	}
 	close(fd);
 	return (dlh);
 }
-    
+#else
 static void *
 try_dlopen(const char *modfn)
 {
 	int check_module_file;
 	void *dlh;
 	openpam_get_feature(OPENPAM_VERIFY_MODULE_FILE,
 	    &check_module_file);
 	if (check_module_file &&
 	    openpam_check_path_owner_perms(modfn) != 0)
 		return (NULL);
 	if ((dlh = dlopen(modfn, RTLD_NOW)) == NULL) {
 		openpam_log(PAM_LOG_ERROR, "%s: %s", modfn, dlerror());
 		errno = 0;
 		return (NULL);
 	}
 	return (dlh);
 }
 #endif
 /*
 * OpenPAM internal
 *
@ -100,9 +136,6 @@ openpam_dynamic(const char *path)
 		*strrchr(vpath, '.') = '\0';
 		dlh = try_dlopen(vpath);
 	}
 	serrno = errno;
 	FREE(vpath);
 	errno = serrno;
 	if (dlh == NULL)
 		goto err;
 	if ((module = calloc(1, sizeof *module)) == NULL)
@ -112,19 +145,41 @@ openpam_dynamic(const char *path)
 	module->dlh = dlh;
 	dlmodule = dlsym(dlh, "_pam_module");
 	for (i = 0; i < PAM_NUM_PRIMITIVES; ++i) {
-		module->func[i] = dlmodule ? dlmodule->func[i] :
+		if (dlmodule) {
-		    (pam_func_t)dlsym(dlh, pam_sm_func_name[i]);
+			module->func[i] = dlmodule->func[i];
-		if (module->func[i] == NULL)
+		} else {
-			openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
+			module->func[i] =
-			    path, pam_sm_func_name[i], dlerror());
+			    (pam_func_t)dlsym(dlh, pam_sm_func_name[i]);
 			/*
 			 * This openpam_log() call is a major source of
 			 * log spam, and the cases that matter are caught
 			 * and logged in openpam_dispatch().  This would
 			 * be less problematic if dlerror() returned an
 			 * error code so we could log an error only when
 			 * dlsym() failed for a reason other than "no such
 			 * symbol".
 			 */
 #if 0
 			if (module->func[i] == NULL)
 				openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
 				    path, pam_sm_func_name[i], dlerror());
 #endif
 		}
 	}
 	FREE(vpath);
 	return (module);
 buf_err:
 	serrno = errno;
 	if (dlh != NULL)
 		dlclose(dlh);
 	FREE(module);
 	errno = serrno;
 err:
-	openpam_log(PAM_LOG_ERROR, "%m");
+	serrno = errno;
 	if (errno != 0)
 		openpam_log(PAM_LOG_ERROR, "%s: %m", vpath);
 	FREE(vpath);
 	errno = serrno;
 	return (NULL);
 }
--- a/contrib/openpam/lib/openpam_features.c
+++ b/contrib/openpam/lib/openpam_features.c
@ -0,0 +1,69 @@
 /*-
 * Copyright (c) 2012 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Id: openpam_features.c 608 2012-05-17 16:00:13Z des $
 */
 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif
 #include <security/pam_appl.h>
 #include "openpam_impl.h"
 #define STRUCT_OPENPAM_FEATURE(name, descr, dflt)	\
 	[OPENPAM_##name] = {				\
 		"OPENPAM_" #name,			\
 		descr,					\
 		dflt					\
 	}
 struct openpam_feature openpam_features[OPENPAM_NUM_FEATURES] = {
 	STRUCT_OPENPAM_FEATURE(
 	    RESTRICT_SERVICE_NAME,
 	    "Disallow path separators in service names",
 	    1
 	),
 	STRUCT_OPENPAM_FEATURE(
 	    VERIFY_POLICY_FILE,
 	    "Verify ownership and permissions of policy files",
 	    1
 	),
 	STRUCT_OPENPAM_FEATURE(
 	    RESTRICT_MODULE_NAME,
 	    "Disallow path separators in module names",
 	    0
 	),
 	STRUCT_OPENPAM_FEATURE(
 	    VERIFY_MODULE_FILE,
 	    "Verify ownership and permissions of module files",
 	    1
 	),
 };
--- a/contrib/openpam/lib/openpam_features.h
+++ b/contrib/openpam/lib/openpam_features.h
@ -0,0 +1,48 @@
 /*-
 * Copyright (c) 2012 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Id$
 */
 #ifndef OPENPAM_FEATURES_H_INCLUDED
 #define OPENPAM_FEATURES_H_INCLUDED
 struct openpam_feature {
 	const char *name;
 	const char *desc;
 	int onoff;
 };
 extern struct openpam_feature openpam_features[OPENPAM_NUM_FEATURES];
 /* shortcut for internal use */
 #define OPENPAM_FEATURE(f) \
 	openpam_features[OPENPAM_##f].onoff
 #endif
--- a/contrib/openpam/lib/openpam_get_feature.c
+++ b/contrib/openpam/lib/openpam_get_feature.c
@ -0,0 +1,99 @@
 /*-
 * Copyright (c) 2012 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Id: openpam_get_feature.c 608 2012-05-17 16:00:13Z des $
 */
 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif
 #include <security/pam_appl.h>
 #include <security/openpam.h>
 #include "openpam_impl.h"
 /*
 * OpenPAM extension
 *
 * Query the state of an optional feature.
 */
 int
 openpam_get_feature(int feature, int *onoff)
 {
 	ENTERF(feature);
 	if (feature < 0 || feature >= OPENPAM_NUM_FEATURES)
 		RETURNC(PAM_SYMBOL_ERR);
 	*onoff = openpam_features[feature].onoff;
 	RETURNC(PAM_SUCCESS);
 }
 /*
 * Error codes:
 *
 *	PAM_SYMBOL_ERR
 */
 /**
 * EXPERIMENTAL
 *
 * The =openpam_get_feature function stores the current state of the
 * specified feature in the variable pointed to by its =onoff argument.
 *
 * The following features are recognized:
 *
 *	=OPENPAM_RESTRICT_SERVICE_NAME:
 *		Disallow path separators in service names.
 *		This feature is enabled by default.
 *		Disabling it allows the application to specify the path to
 *		the desired policy file directly.
 *
 *	=OPENPAM_VERIFY_POLICY_FILE:
 *		Verify the ownership and permissions of the policy file
 *		and the path leading up to it.
 *		This feature is enabled by default.
 *
 *	=OPENPAM_RESTRICT_MODULE_NAME:
 *		Disallow path separators in module names.
 *		This feature is disabled by default.
 *		Enabling it prevents the use of modules in non-standard
 *		locations.
 *
 *	=OPENPAM_VERIFY_MODULE_FILE:
 *		Verify the ownership and permissions of each loadable
 *		module and the path leading up to it.
 *		This feature is enabled by default.
 *
 *
 * >openpam_set_feature
 *
 * AUTHOR DES
 */
--- a/contrib/openpam/lib/openpam_get_option.c
+++ b/contrib/openpam/lib/openpam_get_option.c
@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_get_option.c 482 2011-11-03 16:33:02Z des $
+ * $Id: openpam_get_option.c 531 2012-03-31 14:24:37Z des $
 */
 #ifdef HAVE_CONFIG_H
@ -44,7 +44,6 @@
 #include <string.h>
 #include <security/pam_appl.h>
 #include <security/openpam.h>
 #include "openpam_impl.h"
--- a/contrib/openpam/lib/openpam_impl.h
+++ b/contrib/openpam/lib/openpam_impl.h
@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_impl.h 499 2011-11-22 11:51:50Z des $
+ * $Id: openpam_impl.h 594 2012-04-14 14:18:41Z des $
 */
 #ifndef OPENPAM_IMPL_H_INCLUDED
@ -157,9 +157,23 @@ pam_module_t	*openpam_static(const char *);
 #endif
 pam_module_t	*openpam_dynamic(const char *);
-#define	FREE(p) do { free((p)); (p) = NULL; } while (0)
+#define	FREE(p)					\
 	do {					\
 		free(p);			\
 		(p) = NULL;			\
 	} while (0)
 #define FREEV(c, v)				\
 	do {					\
 		while (c) {			\
 			--(c);			\
 			FREE((v)[(c)]);		\
 		}				\
 		FREE(v);			\
 	} while (0)
 #include "openpam_constants.h"
 #include "openpam_debug.h"
 #include "openpam_features.h"
 #endif
--- a/contrib/openpam/lib/openpam_load.c
+++ b/contrib/openpam/lib/openpam_load.c
@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_load.c 491 2011-11-12 00:12:32Z des $
+ * $Id: openpam_load.c 547 2012-04-01 15:01:21Z des $
 */
 #ifdef HAVE_CONFIG_H
@ -108,9 +108,7 @@ openpam_destroy_chain(pam_chain_t *chain)
 		return;
 	openpam_destroy_chain(chain->next);
 	chain->next = NULL;
-	while (chain->optc--)
+	FREEV(chain->optc, chain->optv);
 		FREE(chain->optv[chain->optc]);
 	FREE(chain->optv);
 	openpam_release_module(chain->module);
 	chain->module = NULL;
 	FREE(chain);
--- a/contrib/openpam/lib/openpam_log.c
+++ b/contrib/openpam/lib/openpam_log.c
@ -32,18 +32,17 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_log.c 437 2011-09-13 12:00:13Z des $
+ * $Id: openpam_log.c 544 2012-03-31 22:47:15Z des $
 */
 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif
-#include <ctype.h>
+#include <errno.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <syslog.h>
 #include <security/pam_appl.h>
@ -71,6 +70,7 @@ openpam_log(int level, const char *fmt, ...)
 	int priority;
 	switch (level) {
 	case PAM_LOG_LIBDEBUG:
 	case PAM_LOG_DEBUG:
 		if (!openpam_debug)
 			return;
@ -100,8 +100,10 @@ _openpam_log(int level, const char *func, const char *fmt, ...)
 	va_list ap;
 	char *format;
 	int priority;
 	int serrno;
 	switch (level) {
 	case PAM_LOG_LIBDEBUG:
 	case PAM_LOG_DEBUG:
 		if (!openpam_debug)
 			return;
@ -119,10 +121,13 @@ _openpam_log(int level, const char *func, const char *fmt, ...)
 		break;
 	}
 	va_start(ap, fmt);
 	serrno = errno;
 	if (asprintf(&format, "in %s(): %s", func, fmt) > 0) {
 		errno = serrno;
 		vsyslog(priority, format, ap);
 		FREE(format);
 	} else {
 		errno = serrno;
 		vsyslog(priority, fmt, ap);
 	}
 	va_end(ap);
@ -137,6 +142,9 @@ _openpam_log(int level, const char *func, const char *fmt, ...)
 * The =level argument indicates the importance of the message.
 * The following levels are defined:
 *
 *	=PAM_LOG_LIBDEBUG:
 *		Debugging messages.
 *		For internal use only.
 *	=PAM_LOG_DEBUG:
 *		Debugging messages.
 *		These messages are normally not logged unless the global
--- a/contrib/openpam/lib/openpam_readline.c
+++ b/contrib/openpam/lib/openpam_readline.c
@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_readline.c 473 2011-11-03 10:48:25Z des $
+ * $Id: openpam_readline.c 596 2012-04-14 14:52:40Z des $
 */
 #ifdef HAVE_CONFIG_H
@ -44,6 +44,7 @@
 #include <stdlib.h>
 #include <security/pam_appl.h>
 #include "openpam_impl.h"
 #define MIN_LINE_LENGTH 128
@ -61,22 +62,11 @@ openpam_readline(FILE *f, int *lineno, size_t *lenp)
 	size_t len, size;
 	int ch;
-	if ((line = malloc(MIN_LINE_LENGTH)) == NULL)
+	if ((line = malloc(size = MIN_LINE_LENGTH)) == NULL) {
 		openpam_log(PAM_LOG_ERROR, "malloc(): %m");
 		return (NULL);
-	size = MIN_LINE_LENGTH;
+	}
 	len = 0;
 #define line_putch(ch) do { \
 	if (len >= size - 1) { \
 		char *tmp = realloc(line, size *= 2); \
 		if (tmp == NULL) \
 			goto fail; \
 		line = tmp; \
 	} \
 	line[len++] = ch; \
 	line[len] = '\0'; \
 } while (0)
 	for (;;) {
 		ch = fgetc(f);
 		/* strip comment */
@ -105,26 +95,15 @@ openpam_readline(FILE *f, int *lineno, size_t *lenp)
 			/* done */
 			break;
 		}
 		/* whitespace */
 		if (isspace(ch)) {
 			/* ignore leading whitespace */
 			/* collapse linear whitespace */
 			if (len > 0 && line[len - 1] != ' ')
 				line_putch(' ');
 			continue;
 		}
 		/* anything else */
-		line_putch(ch);
+		if (openpam_straddch(&line, &size, &len, ch) != 0)
 			goto fail;
 	}
 	/* remove trailing whitespace */
 	while (len > 0 && isspace((unsigned char)line[len - 1]))
 		--len;
 	line[len] = '\0';
 	if (len == 0)
 		goto fail;
 	if (lenp != NULL)
 		*lenp = len;
 	openpam_log(PAM_LOG_LIBDEBUG, "returning '%s'", line);
 	return (line);
 fail:
 	FREE(line);
@ -132,16 +111,18 @@ fail:
 }
 /**
 * DEPRECATED openpam_readlinev
 *
 * The =openpam_readline function reads a line from a file, and returns it
- * in a NUL-terminated buffer allocated with =malloc.
+ * in a NUL-terminated buffer allocated with =!malloc.
 *
 * The =openpam_readline function performs a certain amount of processing
 * on the data it reads:
 *
- *  - Comments (introduced by a hash sign) are stripped, as is leading and
+ *  - Comments (introduced by a hash sign) are stripped.
- *    trailing whitespace.
+ *
 *  - Any amount of linear whitespace is collapsed to a single space.
 *  - Blank lines are ignored.
 *
 *  - If a line ends in a backslash, the backslash is stripped and the
 *    next line is appended.
 *
@ -152,5 +133,8 @@ fail:
 * terminating NUL character) is stored in the variable it points to.
 *
 * The caller is responsible for releasing the returned buffer by passing
- * it to =free.
+ * it to =!free.
 *
 * >openpam_readlinev
 * >openpam_readword
 */
--- a/contrib/openpam/lib/openpam_readlinev.c
+++ b/contrib/openpam/lib/openpam_readlinev.c
@ -0,0 +1,156 @@
 /*-
 * Copyright (c) 2012 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Id: openpam_readlinev.c 588 2012-04-08 11:52:25Z des $
 */
 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <security/pam_appl.h>
 #include "openpam_impl.h"
 #define MIN_WORDV_SIZE	32
 /*
 * OpenPAM extension
 *
 * Read a line from a file and split it into words.
 */
 char **
 openpam_readlinev(FILE *f, int *lineno, int *lenp)
 {
 	char *word, **wordv, **tmp;
 	size_t wordlen, wordvsize;
 	int ch, serrno, wordvlen;
 	wordvsize = MIN_WORDV_SIZE;
 	wordvlen = 0;
 	if ((wordv = malloc(wordvsize * sizeof *wordv)) == NULL) {
 		openpam_log(PAM_LOG_ERROR, "malloc(): %m");
 		errno = ENOMEM;
 		return (NULL);
 	}
 	wordv[wordvlen] = NULL;
 	while ((word = openpam_readword(f, lineno, &wordlen)) != NULL) {
 		if ((unsigned int)wordvlen + 1 >= wordvsize) {
 			/* need to expand the array */
 			wordvsize *= 2;
 			tmp = realloc(wordv, wordvsize * sizeof *wordv);
 			if (tmp == NULL) {
 				openpam_log(PAM_LOG_ERROR, "malloc(): %m");
 				errno = ENOMEM;
 				break;
 			}
 			wordv = tmp;
 		}
 		/* insert our word */
 		wordv[wordvlen++] = word;
 		wordv[wordvlen] = NULL;
 	}
 	if (errno != 0) {
 		/* I/O error or out of memory */
 		serrno = errno;
 		while (wordvlen--)
 			free(wordv[wordvlen]);
 		free(wordv);
 		errno = serrno;
 		return (NULL);
 	}
 	/* assert(!ferror(f)) */
 	ch = fgetc(f);
 	/* assert(ch == EOF || ch == '\n') */
 	if (ch == EOF && wordvlen == 0) {
 		free(wordv);
 		return (NULL);
 	}
 	if (ch == '\n' && lineno != NULL)
 		++*lineno;
 	if (lenp != NULL)
 		*lenp = wordvlen;
 	return (wordv);
 }
 /**
 * The =openpam_readlinev function reads a line from a file, splits it
 * into words according to the rules described in the =openpam_readword
 * manual page, and returns a list of those words.
 *
 * If =lineno is not =NULL, the integer variable it points to is
 * incremented every time a newline character is read.
 * This includes quoted or escaped newline characters and the newline
 * character at the end of the line.
 *
 * If =lenp is not =NULL, the number of words on the line is stored in the
 * variable to which it points.
 *
 * RETURN VALUES
 *
 * If successful, the =openpam_readlinev function returns a pointer to a
 * dynamically allocated array of pointers to individual dynamically
 * allocated NUL-terminated strings, each containing a single word, in the
 * order in which they were encountered on the line.
 * The array is terminated by a =NULL pointer.
 *
 * The caller is responsible for freeing both the array and the individual
 * strings by passing each of them to =!free.
 *
 * If the end of the line was reached before any words were read,
 * =openpam_readlinev returns a pointer to a dynamically allocated array
 * containing a single =NULL pointer.
 *
 * The =openpam_readlinev function can fail and return =NULL for one of
 * four reasons:
 *
 *  - The end of the file was reached before any words were read; :errno is
 *    zero, =!ferror returns zero, and =!feof returns a non-zero value.
 *
 *  - The end of the file was reached while a quote or backslash escape
 *    was in effect; :errno is set to =EINVAL, =!ferror returns zero, and
 *    =!feof returns a non-zero value.
 *
 *  - An error occurred while reading from the file; :errno is non-zero,
 *    =!ferror returns a non-zero value and =!feof returns zero.
 *
 *  - A =!malloc or =!realloc call failed; :errno is set to =ENOMEM,
 *    =!ferror returns a non-zero value, and =!feof may or may not return
 *    a non-zero value.
 *
 * >openpam_readline
 * >openpam_readword
 *
 * AUTHOR DES
 */
--- a/contrib/openpam/lib/openpam_readword.c
+++ b/contrib/openpam/lib/openpam_readword.c
@ -0,0 +1,207 @@
 /*-
 * Copyright (c) 2012 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Id: openpam_readword.c 588 2012-04-08 11:52:25Z des $
 */
 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <security/pam_appl.h>
 #include "openpam_impl.h"
 #include "openpam_ctype.h"
 #define MIN_WORD_SIZE	32
 /*
 * OpenPAM extension
 *
 * Read a word from a file, respecting shell quoting rules.
 */
 char *
 openpam_readword(FILE *f, int *lineno, size_t *lenp)
 {
 	char *word;
 	size_t size, len;
 	int ch, comment, escape, quote;
 	int serrno;
 	errno = 0;
 	/* skip initial whitespace */
 	comment = 0;
 	while ((ch = getc(f)) != EOF && ch != '\n') {
 		if (ch == '#')
 			comment = 1;
 		if (!is_lws(ch) && !comment)
 			break;
 	}
 	if (ch == EOF)
 		return (NULL);
 	ungetc(ch, f);
 	if (ch == '\n')
 		return (NULL);
 	word = NULL;
 	size = len = 0;
 	escape = quote = 0;
 	while ((ch = fgetc(f)) != EOF && (!is_ws(ch) || quote || escape)) {
 		if (ch == '\\' && !escape && quote != '\'') {
 			/* escape next character */
 			escape = ch;
 		} else if ((ch == '\'' || ch == '"') && !quote && !escape) {
 			/* begin quote */
 			quote = ch;
 			/* edge case: empty quoted string */
 			if (word == NULL && (word = malloc(1)) == NULL) {
 				openpam_log(PAM_LOG_ERROR, "malloc(): %m");
 				errno = ENOMEM;
 				return (NULL);
 			}
 			*word = '\0';
 			size = 1;
 		} else if (ch == quote && !escape) {
 			/* end quote */
 			quote = 0;
 		} else if (ch == '\n' && escape && quote != '\'') {
 			/* line continuation */
 			escape = 0;
 		} else {
 			if (escape && quote && ch != '\\' && ch != quote &&
 			    openpam_straddch(&word, &size, &len, '\\') != 0) {
 				free(word);
 				errno = ENOMEM;
 				return (NULL);
 			}
 			if (openpam_straddch(&word, &size, &len, ch) != 0) {
 				free(word);
 				errno = ENOMEM;
 				return (NULL);
 			}
 			escape = 0;
 		}
 		if (lineno != NULL && ch == '\n')
 			++*lineno;
 	}
 	if (ch == EOF && ferror(f)) {
 		serrno = errno;
 		free(word);
 		errno = serrno;
 		return (NULL);
 	}
 	if (ch == EOF && (escape || quote)) {
 		/* Missing escaped character or closing quote. */
 		openpam_log(PAM_LOG_ERROR, "unexpected end of file");
 		free(word);
 		errno = EINVAL;
 		return (NULL);
 	}
 	ungetc(ch, f);
 	if (lenp != NULL)
 		*lenp = len;
 	return (word);
 }
 /**
 * The =openpam_readword function reads the next word from a file, and
 * returns it in a NUL-terminated buffer allocated with =!malloc.
 *
 * A word is a sequence of non-whitespace characters.
 * However, whitespace characters can be included in a word if quoted or
 * escaped according to the following rules:
 *
 *  - An unescaped single or double quote introduces a quoted string,
 *    which ends when the same quote character is encountered a second
 *    time.
 *    The quotes themselves are stripped.
 *
 *  - Within a single- or double-quoted string, all whitespace characters,
 *    including the newline character, are preserved as-is.
 *
 *  - Outside a quoted string, a backslash escapes the next character,
 *    which is preserved as-is, unless that character is a newline, in
 *    which case it is discarded and reading continues at the beginning of
 *    the next line as if the backslash and newline had not been there.
 *    In all cases, the backslash itself is discarded.
 *
 *  - Within a single-quoted string, double quotes and backslashes are
 *    preserved as-is.
 *
 *  - Within a double-quoted string, a single quote is preserved as-is,
 *    and a backslash is preserved as-is unless used to escape a double
 *    quote.
 *
 * In addition, if the first non-whitespace character on the line is a
 * hash character (#), the rest of the line is discarded.
 * If a hash character occurs within a word, however, it is preserved
 * as-is.
 * A backslash at the end of a comment does cause line continuation.
 *
 * If =lineno is not =NULL, the integer variable it points to is
 * incremented every time a quoted or escaped newline character is read.
 *
 * If =lenp is not =NULL, the length of the word (after quotes and
 * backslashes have been removed) is stored in the variable it points to.
 *
 * RETURN VALUES
 *
 * If successful, the =openpam_readword function returns a pointer to a
 * dynamically allocated NUL-terminated string containing the first word
 * encountered on the line.
 *
 * The caller is responsible for releasing the returned buffer by passing
 * it to =!free.
 *
 * If =openpam_readword reaches the end of the line or file before any
 * characters are copied to the word, it returns =NULL.  In the former
 * case, the newline is pushed back to the file.
 *
 * If =openpam_readword reaches the end of the file while a quote or
 * backslash escape is in effect, it sets :errno to =EINVAL and returns
 * =NULL.
 *
 * IMPLEMENTATION NOTES
 *
 * The parsing rules are intended to be equivalent to the normal POSIX
 * shell quoting rules.
 * Any discrepancy is a bug and should be reported to the author along
 * with sample input that can be used to reproduce the error.
 *
 * >openpam_readline
 * >openpam_readlinev
 *
 * AUTHOR DES
 */
--- a/contrib/openpam/lib/openpam_set_feature.c
+++ b/contrib/openpam/lib/openpam_set_feature.c
@ -0,0 +1,75 @@
 /*-
 * Copyright (c) 2012 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Id: openpam_set_feature.c 608 2012-05-17 16:00:13Z des $
 */
 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif
 #include <security/pam_appl.h>
 #include <security/openpam.h>
 #include "openpam_impl.h"
 /*
 * OpenPAM extension
 *
 * Enable or disable an optional feature.
 */
 int
 openpam_set_feature(int feature, int onoff)
 {
 	ENTERF(feature);
 	if (feature < 0 || feature >= OPENPAM_NUM_FEATURES)
 		RETURNC(PAM_SYMBOL_ERR);
 	openpam_features[feature].onoff = onoff;
 	RETURNC(PAM_SUCCESS);
 }
 /*
 * Error codes:
 *
 *	PAM_SYMBOL_ERR
 */
 /**
 * EXPERIMENTAL
 *
 * The =openpam_set_feature function sets the state of the specified
 * feature to the value specified by the =onoff argument.
 * See =openpam_get_feature for a list of recognized features.
 *
 * >openpam_get_feature
 *
 * AUTHOR DES
 */
--- a/contrib/openpam/lib/openpam_set_option.c
+++ b/contrib/openpam/lib/openpam_set_option.c
@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_set_option.c 482 2011-11-03 16:33:02Z des $
+ * $Id: openpam_set_option.c 532 2012-03-31 14:24:53Z des $
 */
 #ifdef HAVE_CONFIG_H
@ -46,7 +46,6 @@
 #include <string.h>
 #include <security/pam_appl.h>
 #include <security/openpam.h>
 #include "openpam_impl.h"
--- a/contrib/openpam/lib/openpam_straddch.c
+++ b/contrib/openpam/lib/openpam_straddch.c
@ -0,0 +1,111 @@
 /*-
 * Copyright (c) 2012 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Id: openpam_straddch.c 568 2012-04-05 14:35:53Z des $
 */
 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif
 #include <errno.h>
 #include <stdlib.h>
 #include <security/pam_appl.h>
 #include "openpam_impl.h"
 #define MIN_STR_SIZE	32
 /*
 * OpenPAM extension
 *
 * Add a character to a string, expanding the buffer if needed.
 */
 int
 openpam_straddch(char **str, size_t *size, size_t *len, int ch)
 {
 	size_t tmpsize;
 	char *tmpstr;
 	if (*str == NULL) {
 		/* initial allocation */
 		tmpsize = MIN_STR_SIZE;
 		if ((tmpstr = malloc(tmpsize)) == NULL) {
 			openpam_log(PAM_LOG_ERROR, "malloc(): %m");
 			errno = ENOMEM;
 			return (-1);
 		}
 		*str = tmpstr;
 		*size = tmpsize;
 		*len = 0;
 	} else if (*len + 1 >= *size) {
 		/* additional space required */
 		tmpsize = *size * 2;
 		if ((tmpstr = realloc(*str, tmpsize)) == NULL) {
 			openpam_log(PAM_LOG_ERROR, "realloc(): %m");
 			errno = ENOMEM;
 			return (-1);
 		}
 		*size = tmpsize;
 		*str = tmpstr;
 	}
 	(*str)[*len] = ch;
 	++*len;
 	(*str)[*len] = '\0';
 	return (0);
 }
 /**
 * The =openpam_straddch function appends a character to a dynamically
 * allocated NUL-terminated buffer, reallocating the buffer as needed.
 *
 * The =str argument points to a variable containing either a pointer to
 * an existing buffer or =NULL.
 * If the value of the variable pointed to by =str is =NULL, a new buffer
 * is allocated.
 *
 * The =size and =len argument point to variables used to hold the size
 * of the buffer and the length of the string it contains, respectively.
 *
 * If a new buffer is allocated or an existing buffer is reallocated to
 * make room for the additional character, =str and =size are updated
 * accordingly.
 *
 * The =openpam_straddch function ensures that the buffer is always
 * NUL-terminated.
 *
 * If the =openpam_straddch function is successful, it increments the
 * integer variable pointed to by =len and returns 0.
 * Otherwise, it leaves the variables pointed to by =str, =size and =len
 * unmodified, sets :errno to =ENOMEM and returns -1.
 *
 * AUTHOR DES
 */
--- a/contrib/openpam/lib/openpam_strlcat.h
+++ b/contrib/openpam/lib/openpam_strlcat.h
@ -0,0 +1,54 @@
 /*-
 * Copyright (c) 2011 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Id: openpam_strlcat.h 578 2012-04-06 00:45:59Z des $
 */
 #ifndef OPENPAM_STRLCAT_H_INCLUDED
 #define OPENPAM_STRLCAT_H_INCLUDED
 #ifndef HAVE_STRLCAT
 /* like strcat(3), but always NUL-terminates; returns strlen(src) */
 static size_t
 strlcat(char *dst, const char *src, size_t size)
 {
 	size_t len;
 	for (len = 0; *dst && size > 1; ++len, --size)
 		dst++;
 	for (; *src && size > 1; ++len, --size)
 		*dst++ = *src++;
 	*dst = '\0';
 	while (*src)
 		++len, ++src;
 	return (len);
 }
 #endif
 #endif
--- a/contrib/openpam/lib/openpam_strlcmp.h
+++ b/contrib/openpam/lib/openpam_strlcmp.h
@ -11,6 +11,9 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -24,7 +27,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_strlcmp.h 475 2011-11-03 15:29:24Z des $
+ * $Id: openpam_strlcmp.h 578 2012-04-06 00:45:59Z des $
 */
 #ifndef OPENPAM_STRLCMP_H_INCLUDED
--- a/contrib/openpam/lib/openpam_strlcpy.h
+++ b/contrib/openpam/lib/openpam_strlcpy.h
@ -11,6 +11,9 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -24,7 +27,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_strlcpy.h 492 2011-11-20 02:04:17Z des $
+ * $Id: openpam_strlcpy.h 578 2012-04-06 00:45:59Z des $
 */
 #ifndef OPENPAM_STRLCPY_H_INCLUDED
@ -32,7 +35,7 @@
 #ifndef HAVE_STRLCPY
 /* like strcpy(3), but always NUL-terminates; returns strlen(src) */
-size_t
+static size_t
 strlcpy(char *dst, const char *src, size_t size)
 {
 	size_t len;
--- a/contrib/openpam/lib/openpam_subst.c
+++ b/contrib/openpam/lib/openpam_subst.c
@ -11,6 +11,9 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -24,7 +27,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_subst.c 461 2011-11-02 14:00:38Z des $
+ * $Id: openpam_subst.c 543 2012-03-31 22:11:34Z des $
 */
 #ifdef HAVE_CONFIG_H
--- a/contrib/openpam/lib/openpam_ttyconv.c
+++ b/contrib/openpam/lib/openpam_ttyconv.c
@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: openpam_ttyconv.c 437 2011-09-13 12:00:13Z des $
+ * $Id: openpam_ttyconv.c 527 2012-02-26 03:23:59Z des $
 */
 #ifdef HAVE_CONFIG_H
@ -69,17 +69,17 @@ prompt(const char *msg)
 {
 	char buf[PAM_MAX_RESP_SIZE];
 	struct sigaction action, saved_action;
-	sigset_t saved_sigset, sigset;
+	sigset_t saved_sigset, the_sigset;
 	unsigned int saved_alarm;
 	int eof, error, fd;
 	size_t len;
 	char *retval;
 	char ch;
-	sigemptyset(&sigset);
+	sigemptyset(&the_sigset);
-	sigaddset(&sigset, SIGINT);
+	sigaddset(&the_sigset, SIGINT);
-	sigaddset(&sigset, SIGTSTP);
+	sigaddset(&the_sigset, SIGTSTP);
-	sigprocmask(SIG_SETMASK, &sigset, &saved_sigset);
+	sigprocmask(SIG_SETMASK, &the_sigset, &saved_sigset);
 	action.sa_handler = &timeout;
 	action.sa_flags = 0;
 	sigemptyset(&action.sa_mask);
--- a/Show More
+++ b/Show More