Update to OpenPAM Micrampelis.

112 files changed, 5773 insertions, 1068 deletions

diff --git a/contrib/openpam/CREDITS b/contrib/openpam/CREDITS
index a003ac0..2725d88 100644
--- a/contrib/openpam/CREDITS
+++ b/contrib/openpam/CREDITS
@@ -16,16 +16,21 @@ ideas:
 	Brian Fundakowski Feldman <green@freebsd.org>
 	Christos Zoulas <christos@netbsd.org>
 	Daniel Richard G. <skunk@iskunk.org>
-	Darren J. Moffat <Darren.Moffat@sun.com>
+	Darren J. Moffat <darren.moffat@sun.com>
 	Dmitry V. Levin <ldv@altlinux.org>
+	Don Lewis <truckman@freebsd.org>
 	Emmanuel Dreyfus <manu@netbsd.org>
 	Eric Melville <eric@freebsd.org>
-	Gary Winiger <Gary.Winiger@sun.com>
+	Gary Winiger <gary.winiger@sun.com>
+	Gleb Smirnoff <glebius@freebsd.org>
 	Hubert Feyrer <hubert@feyrer.de>
+	Jason Evans <jasone@freebsd.org>
 	Joe Marcus Clarke <marcus@freebsd.org>
 	Juli Mallett <jmallett@freebsd.org>
 	Jörg Sonnenberger <joerg@britannica.bec.de>
+	Maëlle Lesage <lesage.maelle@gmail.com>
 	Mark Murray <markm@freebsd.org>
+	Matthias Drochner <drochner@netbsd.org>
 	Mike Petullo <mike@flyn.org>
 	Mikhail Teterin <mi@aldan.algebra.com>
 	Mikko Työläjärvi <mbsd@pacbell.net>
@@ -38,4 +43,4 @@ ideas:
 	Wojciech A. Koszek <wkoszek@freebsd.org>
 	Yar Tikhiy <yar@freebsd.org>
 
-$Id: CREDITS 498 2011-11-21 16:27:04Z des $
+$Id: CREDITS 587 2012-04-08 11:12:10Z des $
diff --git a/contrib/openpam/HISTORY b/contrib/openpam/HISTORY
index 81af9ea..3cc4c96 100644
--- a/contrib/openpam/HISTORY
+++ b/contrib/openpam/HISTORY
@@ -1,3 +1,51 @@
+OpenPAM Micrampelis						2012-05-26
+
+ - FEATURE: Add an openpam_readword(3) function which reads the next
+   word from an input stream, applying shell quoting and escaping
+   rules.  Add numerous unit tests for openpam_readword(3).
+
+ - FEATURE: Add an openpam_readlinev(3) function which uses the
+   openpam_readword(3) function to read words from an input stream one
+   at a time until it reaches an unquoted, unescaped newline, and
+   returns an array of those words.  Add several unit tests for
+   openpam_readlinev(3).
+
+ - FEATURE: Add a PAM_HOST item which pam_start(3) initializes to the
+   machine's hostname.  This was implemented in Lycopsida but
+   inadvertantly left out of the release notes.
+
+ - FEATURE: In pam_get_authtok(3), if neither the application nor the
+   module have specified a prompt and PAM_HOST and PAM_RHOST are both
+   defined but not equal, use a different default prompt that includes
+   PAM_USER and PAM_HOST.
+
+ - ENHANCE: Rewrite the policy parser to used openpam_readlinev(),
+   which greatly simplifies the code.
+
+ - ENHANCE: The previous implementation of the policy parser relied on
+   the openpam_readline(3) function, which (by design) munges
+   whitespace and understands neither quotes nor backslash escapes.
+   As a result of the aforementioned rewrite, whitespace, quotes and
+   backslash escapes in policy files are now handled in a consistent
+   and predictable manner.
+
+ - ENHANCE: On platforms that have it, use fdlopen(3) to load modules.
+   This closes the race between the ownership / permission check and
+   the dlopen(3) call.
+
+ - ENHANCE: Reduce the amount of pointless error messages generated
+   while searching for a module.
+
+ - ENHANCE: Numerous documentation improvements, both in content and
+   formatting.
+
+ - BUGFIX: A patch incorporated in Lycopsida inadvertantly changed
+   OpenPAM's behavior when several policies exist for the same
+   service, from ignoring all but the first to concatenating them all.
+   Revert to the original behavior.
+
+ - BUGFIX: Plug a memory leak in the policy parser.
+============================================================================
 OpenPAM Lycopsida						2011-12-18
 
  - ENHANCE: removed static build autodetection, which didn't work
@@ -269,7 +317,7 @@ OpenPAM Cinchona						2002-04-08
  - ENHANCE: Add openpam_free_data(), a generic cleanup function for
    pam_set_data() consumers.
 ============================================================================
-OpenPAM	Centaury						2002-03-14
+OpenPAM Centaury						2002-03-14
 
  - BUGFIX: Add missing #include <string.h> to openpam_log.c.
 
@@ -308,7 +356,7 @@ OpenPAM Celandine						2002-03-05
    module with the same version number as the library itself to one
    with no version number at all.
 ============================================================================
-OpenPAM	Cantaloupe						2002-02-22
+OpenPAM Cantaloupe						2002-02-22
 
  - BUGFIX: The proper use of PAM_SYMBOL_ERR is to indicate an invalid
    argument to pam_[gs]et_item(3), not to indicate dlsym(3) failures.
@@ -338,7 +386,7 @@ OpenPAM	Cantaloupe						2002-02-22
  - ENHANCE: openpam_get_authtok() now respects the echo_pass,
    try_first_pass, and use_first_pass options.
 ============================================================================
-OpenPAM	Caliopsis						2002-02-13
+OpenPAM Caliopsis						2002-02-13
 
 Fixed a number of bugs in the previous release, including:
   - a number of bugs in and related to pam_[gs]et_item(3)
@@ -349,8 +397,8 @@ Fixed a number of bugs in the previous release, including:
   - missing 'continue' in openpam_dispatch.c caused successes to be
     counted as failures
 ============================================================================
-OpenPAM	Calamite						2002-02-09
+OpenPAM Calamite						2002-02-09
 
 First (beta) release.
 ============================================================================
-$Id: HISTORY 504 2011-12-18 14:11:12Z des $
+$Id: HISTORY 609 2012-05-26 13:57:45Z des $
diff --git a/contrib/openpam/LICENSE b/contrib/openpam/LICENSE
index e6d4325..5119794 100644
--- a/contrib/openpam/LICENSE
+++ b/contrib/openpam/LICENSE
@@ -1,6 +1,6 @@
 
 Copyright (c) 2002-2003 Networks Associates Technology, Inc.
-Copyright (c) 2004-2011 Dag-Erling Smørgrav
+Copyright (c) 2004-2012 Dag-Erling Smørgrav
 All rights reserved.
 
 This software was developed for the FreeBSD Project by ThinkSec AS and
@@ -32,4 +32,4 @@ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 SUCH DAMAGE.
 
-$Id: LICENSE 437 2011-09-13 12:00:13Z des $
+$Id: LICENSE 546 2012-03-31 23:13:20Z des $
diff --git a/contrib/openpam/Makefile.am b/contrib/openpam/Makefile.am
index 96ed4ea..5c4fbf3 100644
--- a/contrib/openpam/Makefile.am
+++ b/contrib/openpam/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am 428 2010-03-09 17:32:17Z des $
+# $Id: Makefile.am 549 2012-04-01 20:38:30Z des $
 
 ACLOCAL_AMFLAGS = -I m4
 
@@ -8,6 +8,8 @@ if WITH_DOC
 SUBDIRS += doc
 endif
 
+SUBDIRS += t
+
 EXTRA_DIST = \
 	CREDITS \
 	HISTORY \
diff --git a/contrib/openpam/Makefile.in b/contrib/openpam/Makefile.in
index 44624b8..3c0c783 100644
--- a/contrib/openpam/Makefile.in
+++ b/contrib/openpam/Makefile.in
@@ -15,7 +15,7 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am 428 2010-03-09 17:32:17Z des $
+# $Id: Makefile.am 549 2012-04-01 20:38:30Z des $
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -39,8 +39,8 @@ host_triplet = @host@
 subdir = .
 DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(srcdir)/config.h.in \
-	$(top_srcdir)/configure INSTALL config.guess config.sub \
-	depcomp install-sh ltmain.sh missing
+	$(srcdir)/pamgdb.in $(top_srcdir)/configure INSTALL TODO \
+	config.guess config.sub depcomp install-sh ltmain.sh missing
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
@@ -49,7 +49,7 @@ am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
  configure.lineno config.status.lineno
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = config.h
-CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_FILES = pamgdb
 CONFIG_CLEAN_VPATH_FILES =
 SOURCES =
 DIST_SOURCES =
@@ -67,7 +67,7 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir dist dist-all distcheck
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = lib bin modules include doc
+DIST_SUBDIRS = lib bin modules include doc t
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
@@ -222,7 +222,7 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 ACLOCAL_AMFLAGS = -I m4
-SUBDIRS = lib bin modules include $(am__append_1)
+SUBDIRS = lib bin modules include $(am__append_1) t
 EXTRA_DIST = \
 	CREDITS \
 	HISTORY \
@@ -288,6 +288,8 @@ $(srcdir)/config.h.in:  $(am__configure_deps)
 
 distclean-hdr:
 	-rm -f config.h stamp-h1
+pamgdb: $(top_builddir)/config.status $(srcdir)/pamgdb.in
+	cd $(top_builddir) && $(SHELL) ./config.status $@
 
 mostlyclean-libtool:
 	-rm -f *.lo
diff --git a/contrib/openpam/RELNOTES b/contrib/openpam/RELNOTES
index 71f7eb9..5364601 100644
--- a/contrib/openpam/RELNOTES
+++ b/contrib/openpam/RELNOTES
@@ -1,6 +1,6 @@
 
-		 Release notes for OpenPAM Lycopsida
-		 ===================================
+		Release notes for OpenPAM Micrampelis
+		=====================================
 
 This release corresponds to the code used in FreeBSD HEAD as of the
 release date, and is also expected to work on almost any POSIX-like
@@ -19,6 +19,9 @@ intended for actual use, but rather to serve as examples for module or
 application developers.  It also includes a command-line application
 (pamtest) which can be used to test policies and modules.
 
+Unit tests for limited portions of the library can be found in the t
+subdirectory.
+
 Please direct bug reports and inquiries to <des@des.no>.
 
-$Id: RELNOTES 506 2011-12-18 14:25:12Z des $
+$Id: RELNOTES 609 2012-05-26 13:57:45Z des $
diff --git a/contrib/openpam/TODO b/contrib/openpam/TODO
new file mode 100644
index 0000000..2d0af16
--- /dev/null
+++ b/contrib/openpam/TODO
@@ -0,0 +1,13 @@
+Before the next release:
+
+ - Complete the transition from PAM_LOG_DEBUG to PAM_LOG_LIBDEBUG.
+
+Whenever:
+
+ - Implement mechanism to enable / disable optional features.  Use it
+   to disable strict error checking so pamtest and unit tests can do
+   things that we don't allow in production.
+
+ - Rewrite the module-loading code.
+
+$Id: TODO 592 2012-04-08 13:19:51Z des $
diff --git a/contrib/openpam/aclocal.m4 b/contrib/openpam/aclocal.m4
index c3aa435..99ed44a 100644
--- a/contrib/openpam/aclocal.m4
+++ b/contrib/openpam/aclocal.m4
@@ -22,8 +22,8 @@ To do so, use the procedure documented by the package, typically `autoreconf'.])
 # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
 #
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008, 2009, 2010 Free Software Foundation,
-#                 Inc.
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 # This file is free software; the Free Software Foundation gives
@@ -32,8 +32,8 @@ To do so, use the procedure documented by the package, typically `autoreconf'.])
 
 m4_define([_LT_COPYING], [dnl
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008, 2009, 2010 Free Software Foundation,
-#                 Inc.
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 #   This file is part of GNU Libtool.
@@ -167,6 +167,8 @@ AC_REQUIRE([AC_CANONICAL_BUILD])dnl
 AC_REQUIRE([_LT_PREPARE_SED_QUOTE_VARS])dnl
 AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])dnl
 
+_LT_DECL([], [PATH_SEPARATOR], [1], [The PATH separator for the build system])dnl
+dnl
 _LT_DECL([], [host_alias], [0], [The host system])dnl
 _LT_DECL([], [host], [0])dnl
 _LT_DECL([], [host_os], [0])dnl
@@ -652,7 +654,7 @@ m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl
 m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION])
 configured by $[0], generated by m4_PACKAGE_STRING.
 
-Copyright (C) 2010 Free Software Foundation, Inc.
+Copyright (C) 2011 Free Software Foundation, Inc.
 This config.lt script is free software; the Free Software Foundation
 gives unlimited permision to copy, distribute and modify it."
 
@@ -816,6 +818,7 @@ AC_DEFUN([LT_LANG],
 m4_case([$1],
   [C],			[_LT_LANG(C)],
   [C++],		[_LT_LANG(CXX)],
+  [Go],			[_LT_LANG(GO)],
   [Java],		[_LT_LANG(GCJ)],
   [Fortran 77],		[_LT_LANG(F77)],
   [Fortran],		[_LT_LANG(FC)],
@@ -837,6 +840,29 @@ m4_defun([_LT_LANG],
 ])# _LT_LANG
 
 
+m4_ifndef([AC_PROG_GO], [
+# NOTE: This macro has been submitted for inclusion into   #
+#  GNU Autoconf as AC_PROG_GO.  When it is available in    #
+#  a released version of Autoconf we should remove this    #
+#  macro and use it instead.                               #
+m4_defun([AC_PROG_GO],
+[AC_LANG_PUSH(Go)dnl
+AC_ARG_VAR([GOC],     [Go compiler command])dnl
+AC_ARG_VAR([GOFLAGS], [Go compiler flags])dnl
+_AC_ARG_VAR_LDFLAGS()dnl
+AC_CHECK_TOOL(GOC, gccgo)
+if test -z "$GOC"; then
+  if test -n "$ac_tool_prefix"; then
+    AC_CHECK_PROG(GOC, [${ac_tool_prefix}gccgo], [${ac_tool_prefix}gccgo])
+  fi
+fi
+if test -z "$GOC"; then
+  AC_CHECK_PROG(GOC, gccgo, gccgo, false)
+fi
+])#m4_defun
+])#m4_ifndef
+
+
 # _LT_LANG_DEFAULT_CONFIG
 # -----------------------
 m4_defun([_LT_LANG_DEFAULT_CONFIG],
@@ -867,6 +893,10 @@ AC_PROVIDE_IFELSE([AC_PROG_GCJ],
        m4_ifdef([LT_PROG_GCJ],
 	[m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])])
 
+AC_PROVIDE_IFELSE([AC_PROG_GO],
+  [LT_LANG(GO)],
+  [m4_define([AC_PROG_GO], defn([AC_PROG_GO])[LT_LANG(GO)])])
+
 AC_PROVIDE_IFELSE([LT_PROG_RC],
   [LT_LANG(RC)],
   [m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])])
@@ -969,7 +999,13 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
 	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
         _lt_result=$?
-	if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+	# If there is a non-empty error log, and "single_module"
+	# appears in it, assume the flag caused a linker warning
+        if test -s conftest.err && $GREP single_module conftest.err; then
+	  cat conftest.err >&AS_MESSAGE_LOG_FD
+	# Otherwise, if the output was created with a 0 exit code from
+	# the compiler, it worked.
+	elif test -f libconftest.dylib && test $_lt_result -eq 0; then
 	  lt_cv_apple_cc_single_mod=yes
 	else
 	  cat conftest.err >&AS_MESSAGE_LOG_FD
@@ -977,6 +1013,7 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	rm -rf libconftest.dylib*
 	rm -f conftest.*
       fi])
+
     AC_CACHE_CHECK([for -exported_symbols_list linker flag],
       [lt_cv_ld_exported_symbols_list],
       [lt_cv_ld_exported_symbols_list=no
@@ -988,6 +1025,7 @@ m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[
 	[lt_cv_ld_exported_symbols_list=no])
 	LDFLAGS="$save_LDFLAGS"
     ])
+
     AC_CACHE_CHECK([for -force_load linker flag],[lt_cv_ld_force_load],
       [lt_cv_ld_force_load=no
       cat > conftest.c << _LT_EOF
@@ -1005,7 +1043,9 @@ _LT_EOF
       echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&AS_MESSAGE_LOG_FD
       $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
       _lt_result=$?
-      if test -f conftest && test ! -s conftest.err && test $_lt_result = 0 && $GREP forced_load conftest 2>&1 >/dev/null; then
+      if test -s conftest.err && $GREP force_load conftest.err; then
+	cat conftest.err >&AS_MESSAGE_LOG_FD
+      elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then
 	lt_cv_ld_force_load=yes
       else
 	cat conftest.err >&AS_MESSAGE_LOG_FD
@@ -1050,8 +1090,8 @@ _LT_EOF
 ])
 
 
-# _LT_DARWIN_LINKER_FEATURES
-# --------------------------
+# _LT_DARWIN_LINKER_FEATURES([TAG])
+# ---------------------------------
 # Checks for linker and compiler features on darwin
 m4_defun([_LT_DARWIN_LINKER_FEATURES],
 [
@@ -1062,6 +1102,8 @@ m4_defun([_LT_DARWIN_LINKER_FEATURES],
   _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
   if test "$lt_cv_ld_force_load" = "yes"; then
     _LT_TAGVAR(whole_archive_flag_spec, $1)='`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
+    m4_case([$1], [F77], [_LT_TAGVAR(compiler_needs_object, $1)=yes],
+                  [FC],  [_LT_TAGVAR(compiler_needs_object, $1)=yes])
   else
     _LT_TAGVAR(whole_archive_flag_spec, $1)=''
   fi
@@ -1345,14 +1387,27 @@ s390*-*linux*|s390*-*tpf*|sparc*-*linux*)
     CFLAGS="$SAVE_CFLAGS"
   fi
   ;;
-sparc*-*solaris*)
+*-*solaris*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
   if AC_TRY_EVAL(ac_compile); then
     case `/usr/bin/file conftest.o` in
     *64-bit*)
       case $lt_cv_prog_gnu_ld in
-      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      yes*)
+        case $host in
+        i?86-*-solaris*)
+          LD="${LD-ld} -m elf_x86_64"
+          ;;
+        sparc*-*-solaris*)
+          LD="${LD-ld} -m elf64_sparc"
+          ;;
+        esac
+        # GNU ld 2.21 introduced _sol2 emulations.  Use them if available.
+        if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
+          LD="${LD-ld}_sol2"
+        fi
+        ;;
       *)
 	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
 	  LD="${LD-ld} -64"
@@ -1429,13 +1484,13 @@ old_postuninstall_cmds=
 if test -n "$RANLIB"; then
   case $host_os in
   openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
     ;;
   *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
     ;;
   esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
 fi
 
 case $host_os in
@@ -1615,6 +1670,11 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
     lt_cv_sys_max_cmd_len=196608
     ;;
 
+  os2*)
+    # The test takes a long time on OS/2.
+    lt_cv_sys_max_cmd_len=8192
+    ;;
+
   osf*)
     # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
     # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
@@ -1654,7 +1714,7 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
       # If test is not a shell built-in, we'll probably end up computing a
       # maximum length that is only half of the actual maximum length, but
       # we can't tell.
-      while { test "X"`func_fallback_echo "$teststring$teststring" 2>/dev/null` \
+      while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \
 	         = "X$teststring$teststring"; } >/dev/null 2>&1 &&
 	      test $i != 17 # 1/2 MB should be enough
       do
@@ -2200,7 +2260,7 @@ need_version=unknown
 
 case $host_os in
 aix3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
   shlibpath_var=LIBPATH
 
@@ -2209,7 +2269,7 @@ aix3*)
   ;;
 
 aix[[4-9]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   hardcode_into_libs=yes
@@ -2274,7 +2334,7 @@ beos*)
   ;;
 
 bsdi[[45]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
@@ -2413,7 +2473,7 @@ m4_if([$1], [],[
   ;;
 
 dgux*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
@@ -2466,17 +2526,18 @@ freebsd* | dragonfly*)
   ;;
 
 gnu*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
   hardcode_into_libs=yes
   ;;
 
 haiku*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   dynamic_linker="$host_os runtime_loader"
@@ -2537,7 +2598,7 @@ hpux9* | hpux10* | hpux11*)
   ;;
 
 interix[[3-9]]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
@@ -2553,7 +2614,7 @@ irix5* | irix6* | nonstopux*)
     nonstopux*) version_type=nonstopux ;;
     *)
 	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
+		version_type=linux # correct to gnu/linux during the next big refactor
 	else
 		version_type=irix
 	fi ;;
@@ -2590,9 +2651,9 @@ linux*oldld* | linux*aout* | linux*coff*)
   dynamic_linker=no
   ;;
 
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2655,7 +2716,7 @@ netbsd*)
   ;;
 
 newsos6)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=yes
@@ -2724,7 +2785,7 @@ rdos*)
   ;;
 
 solaris*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2749,7 +2810,7 @@ sunos4*)
   ;;
 
 sysv4 | sysv4.3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -2773,7 +2834,7 @@ sysv4 | sysv4.3*)
 
 sysv4*MP*)
   if test -d /usr/nec ;then
-    version_type=linux
+    version_type=linux # correct to gnu/linux during the next big refactor
     library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
     soname_spec='$libname${shared_ext}.$major'
     shlibpath_var=LD_LIBRARY_PATH
@@ -2804,7 +2865,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
 
 tpf*)
   # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -2814,7 +2875,7 @@ tpf*)
   ;;
 
 uts4*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -3236,7 +3297,7 @@ irix5* | irix6* | nonstopux*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
   lt_cv_deplibs_check_method=pass_all
   ;;
@@ -3656,6 +3717,7 @@ for ac_symprfx in "" "_"; do
     # which start with @ or ?.
     lt_cv_sys_global_symbol_pipe="$AWK ['"\
 "     {last_section=section; section=\$ 3};"\
+"     /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
 "     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
 "     \$ 0!~/External *\|/{next};"\
 "     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
@@ -4240,7 +4302,9 @@ m4_if([$1], [CXX], [
     case $cc_basename in
     nvcc*) # Cuda Compiler Driver 2.2
       _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Xlinker '
-      _LT_TAGVAR(lt_prog_compiler_pic, $1)='-Xcompiler -fPIC'
+      if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then
+        _LT_TAGVAR(lt_prog_compiler_pic, $1)="-Xcompiler $_LT_TAGVAR(lt_prog_compiler_pic, $1)"
+      fi
       ;;
     esac
   else
@@ -4332,18 +4396,33 @@ m4_if([$1], [CXX], [
 	;;
       *)
 	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ F* | *Sun*Fortran*)
+	*Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [[1-7]].* | *Sun*Fortran*\ 8.[[0-3]]*)
 	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
 	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
 	  _LT_TAGVAR(lt_prog_compiler_wl, $1)=''
 	  ;;
+	*Sun\ F* | *Sun*Fortran*)
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	  ;;
 	*Sun\ C*)
 	  # Sun C 5.9
 	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
 	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	  ;;
+        *Intel*\ [[CF]]*Compiler*)
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-static'
+	  ;;
+	*Portland\ Group*)
+	  _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	  _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  ;;
 	esac
 	;;
       esac
@@ -4503,7 +4582,9 @@ m4_if([$1], [CXX], [
     ;;
   cygwin* | mingw* | cegcc*)
     case $cc_basename in
-    cl*) ;;
+    cl*)
+      _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
+      ;;
     *)
       _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols'
       _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname']
@@ -4528,7 +4609,6 @@ m4_if([$1], [CXX], [
   _LT_TAGVAR(hardcode_direct, $1)=no
   _LT_TAGVAR(hardcode_direct_absolute, $1)=no
   _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
   _LT_TAGVAR(hardcode_libdir_separator, $1)=
   _LT_TAGVAR(hardcode_minus_L, $1)=no
   _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
@@ -4779,8 +4859,7 @@ _LT_EOF
 	xlf* | bgf* | bgxlf* | mpixlf*)
 	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
 	  _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive'
-	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-	  _LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
+	  _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 	  _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
 	  if test "x$supports_anon_versioning" = xyes; then
 	    _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~
@@ -5075,6 +5154,7 @@ _LT_EOF
 	# The linker will not automatically build a static lib if we build a DLL.
 	# _LT_TAGVAR(old_archive_from_new_cmds, $1)='true'
 	_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+	_LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
 	_LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1,DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
 	# Don't use ranlib
 	_LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib'
@@ -5172,7 +5252,6 @@ _LT_EOF
       fi
       if test "$with_gnu_ld" = no; then
 	_LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
 	_LT_TAGVAR(hardcode_libdir_separator, $1)=:
 	_LT_TAGVAR(hardcode_direct, $1)=yes
 	_LT_TAGVAR(hardcode_direct_absolute, $1)=yes
@@ -5614,9 +5693,6 @@ _LT_TAGDECL([], [no_undefined_flag], [1],
 _LT_TAGDECL([], [hardcode_libdir_flag_spec], [1],
     [Flag to hardcode $libdir into a binary during linking.
     This must work even if $libdir does not exist])
-_LT_TAGDECL([], [hardcode_libdir_flag_spec_ld], [1],
-    [[If ld is used when linking, flag to hardcode $libdir into a binary
-    during linking.  This must work even if $libdir does not exist]])
 _LT_TAGDECL([], [hardcode_libdir_separator], [1],
     [Whether we need a single "-rpath" flag with a separated argument])
 _LT_TAGDECL([], [hardcode_direct], [0],
@@ -5770,7 +5846,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
@@ -6901,12 +6976,18 @@ public class foo {
   }
 };
 _LT_EOF
+], [$1], [GO], [cat > conftest.$ac_ext <<_LT_EOF
+package foo
+func foo() {
+}
+_LT_EOF
 ])
 
 _lt_libdeps_save_CFLAGS=$CFLAGS
 case "$CC $CFLAGS " in #(
 *\ -flto*\ *) CFLAGS="$CFLAGS -fno-lto" ;;
 *\ -fwhopr*\ *) CFLAGS="$CFLAGS -fno-whopr" ;;
+*\ -fuse-linker-plugin*\ *) CFLAGS="$CFLAGS -fno-use-linker-plugin" ;;
 esac
 
 dnl Parse the compiler output and extract the necessary
@@ -7103,7 +7184,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_automatic, $1)=no
@@ -7236,7 +7316,6 @@ _LT_TAGVAR(export_dynamic_flag_spec, $1)=
 _LT_TAGVAR(hardcode_direct, $1)=no
 _LT_TAGVAR(hardcode_direct_absolute, $1)=no
 _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_TAGVAR(hardcode_minus_L, $1)=no
 _LT_TAGVAR(hardcode_automatic, $1)=no
@@ -7419,6 +7498,73 @@ CFLAGS=$lt_save_CFLAGS
 ])# _LT_LANG_GCJ_CONFIG
 
 
+# _LT_LANG_GO_CONFIG([TAG])
+# --------------------------
+# Ensure that the configuration variables for the GNU Go compiler
+# are suitably defined.  These variables are subsequently used by _LT_CONFIG
+# to write the compiler configuration to `libtool'.
+m4_defun([_LT_LANG_GO_CONFIG],
+[AC_REQUIRE([LT_PROG_GO])dnl
+AC_LANG_SAVE
+
+# Source file extension for Go test sources.
+ac_ext=go
+
+# Object file extension for compiled Go test sources.
+objext=o
+_LT_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="package main; func main() { }"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='package main; func main() { }'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_TAG_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_CFLAGS=$CFLAGS
+lt_save_GCC=$GCC
+GCC=yes
+CC=${GOC-"gccgo"}
+CFLAGS=$GOFLAGS
+compiler=$CC
+_LT_TAGVAR(compiler, $1)=$CC
+_LT_TAGVAR(LD, $1)="$LD"
+_LT_CC_BASENAME([$compiler])
+
+# Go did not exist at the time GCC didn't implicitly link libc in.
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no
+
+_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_TAGVAR(reload_flag, $1)=$reload_flag
+_LT_TAGVAR(reload_cmds, $1)=$reload_cmds
+
+if test -n "$compiler"; then
+  _LT_COMPILER_NO_RTTI($1)
+  _LT_COMPILER_PIC($1)
+  _LT_COMPILER_C_O($1)
+  _LT_COMPILER_FILE_LOCKS($1)
+  _LT_LINKER_SHLIBS($1)
+  _LT_LINKER_HARDCODE_LIBPATH($1)
+
+  _LT_CONFIG($1)
+fi
+
+AC_LANG_RESTORE
+
+GCC=$lt_save_GCC
+CC=$lt_save_CC
+CFLAGS=$lt_save_CFLAGS
+])# _LT_LANG_GO_CONFIG
+
+
 # _LT_LANG_RC_CONFIG([TAG])
 # -------------------------
 # Ensure that the configuration variables for the Windows resource compiler
@@ -7488,6 +7634,13 @@ dnl aclocal-1.4 backwards compatibility:
 dnl AC_DEFUN([LT_AC_PROG_GCJ], [])
 
 
+# LT_PROG_GO
+# ----------
+AC_DEFUN([LT_PROG_GO],
+[AC_CHECK_TOOL(GOC, gccgo,)
+])
+
+
 # LT_PROG_RC
 # ----------
 AC_DEFUN([LT_PROG_RC],
@@ -8152,9 +8305,24 @@ dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], [])
 # MODE is either `yes' or `no'.  If omitted, it defaults to `both'.
 m4_define([_LT_WITH_PIC],
 [AC_ARG_WITH([pic],
-    [AS_HELP_STRING([--with-pic],
+    [AS_HELP_STRING([--with-pic@<:@=PKGS@:>@],
 	[try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
-    [pic_mode="$withval"],
+    [lt_p=${PACKAGE-default}
+    case $withval in
+    yes|no) pic_mode=$withval ;;
+    *)
+      pic_mode=default
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for lt_pkg in $withval; do
+	IFS="$lt_save_ifs"
+	if test "X$lt_pkg" = "X$lt_p"; then
+	  pic_mode=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac],
     [pic_mode=default])
 
 test -z "$pic_mode" && pic_mode=m4_default([$1], [default])
@@ -8326,15 +8494,15 @@ m4_define([lt_dict_filter],
 
 # @configure_input@
 
-# serial 3293 ltversion.m4
+# serial 3337 ltversion.m4
 # This file is part of GNU Libtool
 
-m4_define([LT_PACKAGE_VERSION], [2.4])
-m4_define([LT_PACKAGE_REVISION], [1.3293])
+m4_define([LT_PACKAGE_VERSION], [2.4.2])
+m4_define([LT_PACKAGE_REVISION], [1.3337])
 
 AC_DEFUN([LTVERSION_VERSION],
-[macro_version='2.4'
-macro_revision='1.3293'
+[macro_version='2.4.2'
+macro_revision='1.3337'
 _LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?])
 _LT_DECL(, macro_revision, 0)
 ])
diff --git a/contrib/openpam/bin/Makefile.am b/contrib/openpam/bin/Makefile.am
index 78ebeaa..ec7a99e 100644
--- a/contrib/openpam/bin/Makefile.am
+++ b/contrib/openpam/bin/Makefile.am
@@ -1,6 +1,6 @@
-# $Id: Makefile.am 467 2011-11-02 23:42:21Z des $
+# $Id: Makefile.am 538 2012-03-31 17:04:29Z des $
 
-SUBDIRS =
+SUBDIRS = openpam_dump_policy
 
 if WITH_PAMTEST
 SUBDIRS += pamtest
diff --git a/contrib/openpam/bin/Makefile.in b/contrib/openpam/bin/Makefile.in
index 4f6089d..3c11bbf 100644
--- a/contrib/openpam/bin/Makefile.in
+++ b/contrib/openpam/bin/Makefile.in
@@ -15,7 +15,7 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am 467 2011-11-02 23:42:21Z des $
+# $Id: Makefile.am 538 2012-03-31 17:04:29Z des $
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
@@ -63,7 +63,7 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
 	distdir
 ETAGS = etags
 CTAGS = ctags
-DIST_SUBDIRS = pamtest su
+DIST_SUBDIRS = openpam_dump_policy pamtest su
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
   dir0=`pwd`; \
@@ -207,7 +207,7 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-SUBDIRS = $(am__append_1) $(am__append_2)
+SUBDIRS = openpam_dump_policy $(am__append_1) $(am__append_2)
 all: all-recursive
 
 .SUFFIXES:
diff --git a/contrib/openpam/bin/openpam_dump_policy/Makefile.am b/contrib/openpam/bin/openpam_dump_policy/Makefile.am
new file mode 100644
index 0000000..a5fda16
--- /dev/null
+++ b/contrib/openpam/bin/openpam_dump_policy/Makefile.am
@@ -0,0 +1,7 @@
+# $Id: Makefile.am 538 2012-03-31 17:04:29Z des $
+
+INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/lib
+
+noinst_PROGRAMS = openpam_dump_policy
+openpam_dump_policy_SOURCES = openpam_dump_policy.c
+openpam_dump_policy_LDADD = $(top_builddir)/lib/libpam.la
diff --git a/contrib/openpam/bin/openpam_dump_policy/Makefile.in b/contrib/openpam/bin/openpam_dump_policy/Makefile.in
new file mode 100644
index 0000000..54f09a4
--- /dev/null
+++ b/contrib/openpam/bin/openpam_dump_policy/Makefile.in
@@ -0,0 +1,474 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 538 2012-03-31 17:04:29Z des $
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+noinst_PROGRAMS = openpam_dump_policy$(EXEEXT)
+subdir = bin/openpam_dump_policy
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+PROGRAMS = $(noinst_PROGRAMS)
+am_openpam_dump_policy_OBJECTS = openpam_dump_policy.$(OBJEXT)
+openpam_dump_policy_OBJECTS = $(am_openpam_dump_policy_OBJECTS)
+openpam_dump_policy_DEPENDENCIES = $(top_builddir)/lib/libpam.la
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(openpam_dump_policy_SOURCES)
+DIST_SOURCES = $(openpam_dump_policy_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CRYPT_LIBS = @CRYPT_LIBS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLTOOL = @DLLTOOL@
+DL_LIBS = @DL_LIBS@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_MAJ = @LIB_MAJ@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENPAM_MODULES_DIR = @OPENPAM_MODULES_DIR@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/lib
+openpam_dump_policy_SOURCES = openpam_dump_policy.c
+openpam_dump_policy_LDADD = $(top_builddir)/lib/libpam.la
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign bin/openpam_dump_policy/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign bin/openpam_dump_policy/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstPROGRAMS:
+	@list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+openpam_dump_policy$(EXEEXT): $(openpam_dump_policy_OBJECTS) $(openpam_dump_policy_DEPENDENCIES) 
+	@rm -f openpam_dump_policy$(EXEEXT)
+	$(LINK) $(openpam_dump_policy_OBJECTS) $(openpam_dump_policy_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_dump_policy.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS)
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstPROGRAMS ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+	pdf pdf-am ps ps-am tags uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/contrib/openpam/bin/openpam_dump_policy/openpam_dump_policy.c b/contrib/openpam/bin/openpam_dump_policy/openpam_dump_policy.c
new file mode 100644
index 0000000..b65dbbd
--- /dev/null
+++ b/contrib/openpam/bin/openpam_dump_policy/openpam_dump_policy.c
@@ -0,0 +1,202 @@
+/*-
+ * Copyright (c) 2011 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: openpam_dump_policy.c 582 2012-04-06 23:23:35Z des $
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+static char *
+openpam_chain_name(const char *service, pam_facility_t fclt)
+{
+	const char *facility = pam_facility_name[fclt];
+	char *name;
+
+	if (asprintf(&name, "pam_%s_%s", service, facility) == -1)
+		return (NULL);
+	return (name);
+}
+
+static char *
+openpam_facility_index_name(pam_facility_t fclt)
+{
+	const char *facility = pam_facility_name[fclt];
+	char *name, *p;
+
+	if (asprintf(&name, "PAM_%s", facility) == -1)
+		return (NULL);
+	for (p = name + 4; *p; ++p)
+		*p = toupper(*p);
+	return (name);
+}
+
+int
+openpam_dump_chain(const char *name, pam_chain_t *chain)
+{
+	char *modname, **opt, *p;
+	int i;
+
+	for (i = 0; chain != NULL; ++i, chain = chain->next) {
+		/* declare the module's struct pam_module */
+		modname = strrchr(chain->module->path, '/');
+		modname = strdup(modname ? modname : chain->module->path);
+		if (modname == NULL)
+			return (PAM_BUF_ERR);
+		for (p = modname; *p && *p != '.'; ++p)
+			/* nothing */ ;
+		*p = '\0';
+		printf("extern struct pam_module %s_pam_module;\n", modname);
+		/* module arguments */
+		printf("static char *%s_%d_optv[] = {\n", name, i);
+		for (opt = chain->optv; *opt; ++opt) {
+			printf("\t\"");
+			for (p = *opt; *p; ++p) {
+				if (isprint((unsigned char)*p) && *p != '"')
+					printf("%c", *p);
+				else
+					printf("\\x%02x", (unsigned char)*p);
+			}
+			printf("\",\n");
+		}
+		printf("\tNULL,\n");
+		printf("};\n");
+		/* next module in chain */
+		if (chain->next != NULL)
+			printf("static pam_chain_t %s_%d;\n", name, i + 1);
+		/* chain entry */
+		printf("static pam_chain_t %s_%d = {\n", name, i);
+		printf("\t.module = &%s_pam_module,\n", modname);
+		printf("\t.flag = 0x%08x,\n", chain->flag);
+		printf("\t.optc = %d,\n", chain->optc);
+		printf("\t.optv = %s_%d_optv,\n", name, i);
+		if (chain->next)
+			printf("\t.next = &%s_%d,\n", name, i + 1);
+		else
+			printf("\t.next = NULL,\n");
+		printf("};\n");
+		free(modname);
+	}
+	return (PAM_SUCCESS);
+}
+
+int
+openpam_dump_policy(const char *service)
+{
+	pam_handle_t *pamh;
+	char *name;
+	int fclt, ret;
+
+	if ((pamh = calloc(1, sizeof *pamh)) == NULL)
+		return (PAM_BUF_ERR);
+	if ((ret = openpam_configure(pamh, service)) != PAM_SUCCESS)
+		return (ret);
+	for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
+		if (pamh->chains[fclt] != NULL) {
+			if ((name = openpam_chain_name(service, fclt)) == NULL)
+				return (PAM_BUF_ERR);
+			ret = openpam_dump_chain(name, pamh->chains[fclt]);
+			free(name);
+			if (ret != PAM_SUCCESS)
+				return (ret);
+		}
+	}
+	printf("static pam_policy_t pam_%s_policy = {\n", service);
+	printf("\t.service = \"%s\",\n", service);
+	printf("\t.chains = {\n");
+	for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
+		if ((name = openpam_facility_index_name(fclt)) == NULL)
+			return (PAM_BUF_ERR);
+		printf("\t\t[%s] = ", name);
+		free(name);
+		if (pamh->chains[fclt] != NULL) {
+			if ((name = openpam_chain_name(service, fclt)) == NULL)
+				return (PAM_BUF_ERR);
+			printf("&%s_0,\n", name);
+			free(name);
+		} else {
+			printf("NULL,\n");
+		}
+	}
+	printf("\t},\n");
+	printf("};\n");
+	free(pamh);
+	return (PAM_SUCCESS);
+}
+
+static void
+usage(void)
+{
+
+	fprintf(stderr, "usage: openpam_dump_policy [-d] policy ...\n");
+	exit(1);
+}
+
+int
+main(int argc, char *argv[])
+{
+	int i, opt;
+
+	while ((opt = getopt(argc, argv, "d")) != -1)
+		switch (opt) {
+		case 'd':
+			openpam_debug = 1;
+			break;
+		default:
+			usage();
+		}
+
+	argc -= optind;
+	argv += optind;
+
+	if (argc < 1)
+		usage();
+
+	printf("#include <security/pam_appl.h>\n");
+	printf("#include \"openpam_impl.h\"\n");
+	for (i = 0; i < argc; ++i)
+		openpam_dump_policy(argv[i]);
+	printf("pam_policy_t *pam_embedded_policies[] = {\n");
+	for (i = 0; i < argc; ++i)
+		printf("\t&pam_%s_policy,\n", argv[i]);
+	printf("\tNULL,\n");
+	printf("};\n");
+	exit(0);
+}
diff --git a/contrib/openpam/bin/pamtest/pamtest.1 b/contrib/openpam/bin/pamtest/pamtest.1
index 78e8353..5cf2e0c 100644
--- a/contrib/openpam/bin/pamtest/pamtest.1
+++ b/contrib/openpam/bin/pamtest/pamtest.1
@@ -10,6 +10,9 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -23,9 +26,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id: pamtest.1 471 2011-11-03 09:44:40Z des $
+.\" $Id: pamtest.1 610 2012-05-26 14:03:45Z des $
 .\"
-.Dd November 2, 2011
+.Dd May 26, 2012
 .Dt PAMTEST 1
 .Os
 .Sh NAME
@@ -33,7 +36,7 @@
 .Nd PAM policy tester
 .Sh SYNOPSYS
 .Nm
-.Op Fl dksv
+.Op Fl dkMPsv
 .Op Fl H Ar rhost
 .Op Fl h Ar host
 .Op Fl t Ar tty
@@ -116,6 +119,11 @@ The default is to use the result of calling
 .Xr gethostname 3 .
 .It Fl k
 Keep going even if one of the commands fails.
+.It Fl M
+Disable path, ownership and permission checks on module files.
+.It Fl P
+Disable service name validation and path, ownership and permission
+checks on policy files.
 .It Fl s
 Set the
 .Dv PAM_SILENT
@@ -149,14 +157,14 @@ policy:
 pamtest -v system auth account change setcred open close unsetcred
 .Ed
 .Sh SEE ALSO
-.Xr openpam 3
-.Xr pam 3
+.Xr openpam 3 ,
+.Xr pam 3 ,
 .Xr pam.conf 5
 .Sh AUTHORS
 The
 .Nm
 utility and this manual page were written by
-.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
 .Sh BUGS
 The
 .Nm
diff --git a/contrib/openpam/bin/pamtest/pamtest.c b/contrib/openpam/bin/pamtest/pamtest.c
index 0addfad..bfc612e 100644
--- a/contrib/openpam/bin/pamtest/pamtest.c
+++ b/contrib/openpam/bin/pamtest/pamtest.c
@@ -11,6 +11,9 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -24,7 +27,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: pamtest.c 472 2011-11-03 09:46:52Z des $
+ * $Id: pamtest.c 595 2012-04-14 14:28:35Z des $
  */
 
 #ifdef HAVE_CONFIG_H
@@ -261,8 +264,8 @@ static void
 usage(void)
 {
 
-	fprintf(stderr, "usage: pamtest [-dksv] %s\n",
-	    "[-H rhost] [-h host] [-t tty] [-U ruser] [-u user] service");
+	fprintf(stderr, "usage: pamtest %s service command ...\n",
+	    "[-dkMPsv] [-H rhost] [-h host] [-t tty] [-U ruser] [-u user]");
 	exit(1);
 }
 
@@ -297,7 +300,7 @@ main(int argc, char *argv[])
 	int pame;
 	int opt;
 
-	while ((opt = getopt(argc, argv, "dH:h:kst:U:u:v")) != -1)
+	while ((opt = getopt(argc, argv, "dH:h:kMPst:U:u:v")) != -1)
 		switch (opt) {
 		case 'd':
 			openpam_debug++;
@@ -311,6 +314,14 @@ main(int argc, char *argv[])
 		case 'k':
 			keepatit = 1;
 			break;
+		case 'M':
+			openpam_set_feature(OPENPAM_RESTRICT_MODULE_NAME, 0);
+			openpam_set_feature(OPENPAM_VERIFY_MODULE_FILE, 0);
+			break;
+		case 'P':
+			openpam_set_feature(OPENPAM_RESTRICT_SERVICE_NAME, 0);
+			openpam_set_feature(OPENPAM_VERIFY_POLICY_FILE, 0);
+			break;
 		case 's':
 			silent = PAM_SILENT;
 			break;
diff --git a/contrib/openpam/bin/su/su.1 b/contrib/openpam/bin/su/su.1
index 9a67ea3..2dc11bb 100644
--- a/contrib/openpam/bin/su/su.1
+++ b/contrib/openpam/bin/su/su.1
@@ -10,6 +10,9 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -23,9 +26,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id: su.1 458 2011-11-02 13:10:25Z des $
+.\" $Id: su.1 610 2012-05-26 14:03:45Z des $
 .\"
-.Dd November 2, 2011
+.Dd May 26, 2012
 .Dt SU 1
 .Os
 .Sh NAME
@@ -53,10 +56,10 @@ The
 utility is provided with the OpenPAM library as a sample application
 and should not be used in production systems.
 .Sh SEE ALSO
-.Xr openpam 3
+.Xr openpam 3 ,
 .Xr pam 3
 .Sh AUTHORS
 The
 .Nm
 utility and this manual page were written by
-.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
diff --git a/contrib/openpam/config.h.in b/contrib/openpam/config.h.in
index 3d16ce8..69f703c 100644
--- a/contrib/openpam/config.h.in
+++ b/contrib/openpam/config.h.in
@@ -9,6 +9,9 @@
 /* Define to 1 if you have the <dlfcn.h> header file. */
 #undef HAVE_DLFCN_H
 
+/* Define to 1 if you have the `fdlopen' function. */
+#undef HAVE_FDLOPEN
+
 /* Define to 1 if you have the `fpurge' function. */
 #undef HAVE_FPURGE
 
@@ -36,6 +39,9 @@
 /* Define to 1 if you have the <string.h> header file. */
 #undef HAVE_STRING_H
 
+/* Define to 1 if you have the `strlcat' function. */
+#undef HAVE_STRLCAT
+
 /* Define to 1 if you have the `strlcmp' function. */
 #undef HAVE_STRLCMP
 
diff --git a/contrib/openpam/configure b/contrib/openpam/configure
index fe13a93..5348d3f 100755
--- a/contrib/openpam/configure
+++ b/contrib/openpam/configure
@@ -1,7 +1,7 @@
 #! /bin/sh
-# From configure.ac Id: configure.ac 507 2011-12-18 14:43:40Z des .
+# From configure.ac Id: configure.ac 610 2012-05-26 14:03:45Z des .
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for OpenPAM 20111218.
+# Generated by GNU Autoconf 2.68 for OpenPAM 20120526.
 #
 # Report bugs to <des@des.no>.
 #
@@ -570,8 +570,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='OpenPAM'
 PACKAGE_TARNAME='openpam'
-PACKAGE_VERSION='20111218'
-PACKAGE_STRING='OpenPAM 20111218'
+PACKAGE_VERSION='20120526'
+PACKAGE_STRING='OpenPAM 20120526'
 PACKAGE_BUGREPORT='des@des.no'
 PACKAGE_URL=''
 
@@ -1308,7 +1308,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures OpenPAM 20111218 to adapt to many kinds of systems.
+\`configure' configures OpenPAM 20120526 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1378,7 +1378,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of OpenPAM 20111218:";;
+     short | recursive ) echo "Configuration of OpenPAM 20120526:";;
    esac
   cat <<\_ACEOF
 
@@ -1405,7 +1405,7 @@ Optional Features:
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
   --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
-  --with-pic              try to use only PIC/non-PIC objects [default=use
+  --with-pic[=PKGS]       try to use only PIC/non-PIC objects [default=use
                           both]
   --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
   --with-sysroot=DIR Search for dependent libraries within DIR
@@ -1492,7 +1492,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-OpenPAM configure 20111218
+OpenPAM configure 20120526
 generated by GNU Autoconf 2.68
 
 Copyright (C) 2010 Free Software Foundation, Inc.
@@ -1861,7 +1861,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by OpenPAM $as_me 20111218, which was
+It was created by OpenPAM $as_me 20120526, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
 
   $ $0 $@
@@ -2678,7 +2678,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='openpam'
- VERSION='20111218'
+ VERSION='20120526'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -4631,8 +4631,8 @@ esac
 
 
 
-macro_version='2.4'
-macro_revision='1.3293'
+macro_version='2.4.2'
+macro_revision='1.3337'
 
 
 
@@ -5347,6 +5347,11 @@ else
     lt_cv_sys_max_cmd_len=196608
     ;;
 
+  os2*)
+    # The test takes a long time on OS/2.
+    lt_cv_sys_max_cmd_len=8192
+    ;;
+
   osf*)
     # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
     # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
@@ -5386,7 +5391,7 @@ else
       # If test is not a shell built-in, we'll probably end up computing a
       # maximum length that is only half of the actual maximum length, but
       # we can't tell.
-      while { test "X"`func_fallback_echo "$teststring$teststring" 2>/dev/null` \
+      while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \
 	         = "X$teststring$teststring"; } >/dev/null 2>&1 &&
 	      test $i != 17 # 1/2 MB should be enough
       do
@@ -5815,7 +5820,7 @@ irix5* | irix6* | nonstopux*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
   lt_cv_deplibs_check_method=pass_all
   ;;
@@ -6455,13 +6460,13 @@ old_postuninstall_cmds=
 if test -n "$RANLIB"; then
   case $host_os in
   openbsd*)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib"
     ;;
   *)
-    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib"
     ;;
   esac
-  old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+  old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib"
 fi
 
 case $host_os in
@@ -6608,6 +6613,7 @@ for ac_symprfx in "" "_"; do
     # which start with @ or ?.
     lt_cv_sys_global_symbol_pipe="$AWK '"\
 "     {last_section=section; section=\$ 3};"\
+"     /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\
 "     /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\
 "     \$ 0!~/External *\|/{next};"\
 "     / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\
@@ -6996,7 +7002,7 @@ $as_echo "$lt_cv_cc_needs_belf" >&6; }
     CFLAGS="$SAVE_CFLAGS"
   fi
   ;;
-sparc*-*solaris*)
+*-*solaris*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
@@ -7007,7 +7013,20 @@ sparc*-*solaris*)
     case `/usr/bin/file conftest.o` in
     *64-bit*)
       case $lt_cv_prog_gnu_ld in
-      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      yes*)
+        case $host in
+        i?86-*-solaris*)
+          LD="${LD-ld} -m elf_x86_64"
+          ;;
+        sparc*-*-solaris*)
+          LD="${LD-ld} -m elf64_sparc"
+          ;;
+        esac
+        # GNU ld 2.21 introduced _sol2 emulations.  Use them if available.
+        if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then
+          LD="${LD-ld}_sol2"
+        fi
+        ;;
       *)
 	if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
 	  LD="${LD-ld} -64"
@@ -7647,7 +7666,13 @@ else
 	$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
 	  -dynamiclib -Wl,-single_module conftest.c 2>conftest.err
         _lt_result=$?
-	if test -f libconftest.dylib && test ! -s conftest.err && test $_lt_result = 0; then
+	# If there is a non-empty error log, and "single_module"
+	# appears in it, assume the flag caused a linker warning
+        if test -s conftest.err && $GREP single_module conftest.err; then
+	  cat conftest.err >&5
+	# Otherwise, if the output was created with a 0 exit code from
+	# the compiler, it worked.
+	elif test -f libconftest.dylib && test $_lt_result -eq 0; then
 	  lt_cv_apple_cc_single_mod=yes
 	else
 	  cat conftest.err >&5
@@ -7658,6 +7683,7 @@ else
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_apple_cc_single_mod" >&5
 $as_echo "$lt_cv_apple_cc_single_mod" >&6; }
+
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5
 $as_echo_n "checking for -exported_symbols_list linker flag... " >&6; }
 if ${lt_cv_ld_exported_symbols_list+:} false; then :
@@ -7690,6 +7716,7 @@ rm -f core conftest.err conftest.$ac_objext \
 fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_exported_symbols_list" >&5
 $as_echo "$lt_cv_ld_exported_symbols_list" >&6; }
+
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -force_load linker flag" >&5
 $as_echo_n "checking for -force_load linker flag... " >&6; }
 if ${lt_cv_ld_force_load+:} false; then :
@@ -7711,7 +7738,9 @@ _LT_EOF
       echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&5
       $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err
       _lt_result=$?
-      if test -f conftest && test ! -s conftest.err && test $_lt_result = 0 && $GREP forced_load conftest 2>&1 >/dev/null; then
+      if test -s conftest.err && $GREP force_load conftest.err; then
+	cat conftest.err >&5
+      elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then
 	lt_cv_ld_force_load=yes
       else
 	cat conftest.err >&5
@@ -7847,7 +7876,22 @@ fi
 
 # Check whether --with-pic was given.
 if test "${with_pic+set}" = set; then :
-  withval=$with_pic; pic_mode="$withval"
+  withval=$with_pic; lt_p=${PACKAGE-default}
+    case $withval in
+    yes|no) pic_mode=$withval ;;
+    *)
+      pic_mode=default
+      # Look at the argument we got.  We use all the common list separators.
+      lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+      for lt_pkg in $withval; do
+	IFS="$lt_save_ifs"
+	if test "X$lt_pkg" = "X$lt_p"; then
+	  pic_mode=yes
+	fi
+      done
+      IFS="$lt_save_ifs"
+      ;;
+    esac
 else
   pic_mode=default
 fi
@@ -7925,6 +7969,10 @@ LIBTOOL='$(SHELL) $(top_builddir)/libtool'
 
 
 
+
+
+
+
 test -z "$LN_S" && LN_S="ln -s"
 
 
@@ -8380,7 +8428,9 @@ lt_prog_compiler_static=
     case $cc_basename in
     nvcc*) # Cuda Compiler Driver 2.2
       lt_prog_compiler_wl='-Xlinker '
-      lt_prog_compiler_pic='-Xcompiler -fPIC'
+      if test -n "$lt_prog_compiler_pic"; then
+        lt_prog_compiler_pic="-Xcompiler $lt_prog_compiler_pic"
+      fi
       ;;
     esac
   else
@@ -8471,18 +8521,33 @@ lt_prog_compiler_static=
 	;;
       *)
 	case `$CC -V 2>&1 | sed 5q` in
-	*Sun\ F* | *Sun*Fortran*)
+	*Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [1-7].* | *Sun*Fortran*\ 8.[0-3]*)
 	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
 	  lt_prog_compiler_pic='-KPIC'
 	  lt_prog_compiler_static='-Bstatic'
 	  lt_prog_compiler_wl=''
 	  ;;
+	*Sun\ F* | *Sun*Fortran*)
+	  lt_prog_compiler_pic='-KPIC'
+	  lt_prog_compiler_static='-Bstatic'
+	  lt_prog_compiler_wl='-Qoption ld '
+	  ;;
 	*Sun\ C*)
 	  # Sun C 5.9
 	  lt_prog_compiler_pic='-KPIC'
 	  lt_prog_compiler_static='-Bstatic'
 	  lt_prog_compiler_wl='-Wl,'
 	  ;;
+        *Intel*\ [CF]*Compiler*)
+	  lt_prog_compiler_wl='-Wl,'
+	  lt_prog_compiler_pic='-fPIC'
+	  lt_prog_compiler_static='-static'
+	  ;;
+	*Portland\ Group*)
+	  lt_prog_compiler_wl='-Wl,'
+	  lt_prog_compiler_pic='-fpic'
+	  lt_prog_compiler_static='-Bstatic'
+	  ;;
 	esac
 	;;
       esac
@@ -8844,7 +8909,6 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
   hardcode_direct=no
   hardcode_direct_absolute=no
   hardcode_libdir_flag_spec=
-  hardcode_libdir_flag_spec_ld=
   hardcode_libdir_separator=
   hardcode_minus_L=no
   hardcode_shlibpath_var=unsupported
@@ -9094,8 +9158,7 @@ _LT_EOF
 	xlf* | bgf* | bgxlf* | mpixlf*)
 	  # IBM XL Fortran 10.1 on PPC cannot create shared libs itself
 	  whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive'
-	  hardcode_libdir_flag_spec=
-	  hardcode_libdir_flag_spec_ld='-rpath $libdir'
+	  hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
 	  archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
 	  if test "x$supports_anon_versioning" = xyes; then
 	    archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~
@@ -9474,6 +9537,7 @@ fi
 	# The linker will not automatically build a static lib if we build a DLL.
 	# _LT_TAGVAR(old_archive_from_new_cmds, )='true'
 	enable_shared_with_static_runtimes=yes
+	exclude_expsyms='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*'
 	export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1,DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols'
 	# Don't use ranlib
 	old_postinstall_cmds='chmod 644 $oldlib'
@@ -9519,6 +9583,7 @@ fi
   hardcode_shlibpath_var=unsupported
   if test "$lt_cv_ld_force_load" = "yes"; then
     whole_archive_flag_spec='`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`'
+
   else
     whole_archive_flag_spec=''
   fi
@@ -9598,7 +9663,6 @@ fi
       fi
       if test "$with_gnu_ld" = no; then
 	hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
-	hardcode_libdir_flag_spec_ld='+b $libdir'
 	hardcode_libdir_separator=:
 	hardcode_direct=yes
 	hardcode_direct_absolute=yes
@@ -10222,11 +10286,6 @@ esac
 
 
 
-
-
-
-
-
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking dynamic linker characteristics" >&5
 $as_echo_n "checking dynamic linker characteristics... " >&6; }
 
@@ -10316,7 +10375,7 @@ need_version=unknown
 
 case $host_os in
 aix3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
   shlibpath_var=LIBPATH
 
@@ -10325,7 +10384,7 @@ aix3*)
   ;;
 
 aix[4-9]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   hardcode_into_libs=yes
@@ -10390,7 +10449,7 @@ beos*)
   ;;
 
 bsdi[45]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
@@ -10529,7 +10588,7 @@ darwin* | rhapsody*)
   ;;
 
 dgux*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
@@ -10582,17 +10641,18 @@ freebsd* | dragonfly*)
   ;;
 
 gnu*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
   hardcode_into_libs=yes
   ;;
 
 haiku*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   dynamic_linker="$host_os runtime_loader"
@@ -10653,7 +10713,7 @@ hpux9* | hpux10* | hpux11*)
   ;;
 
 interix[3-9]*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
@@ -10669,7 +10729,7 @@ irix5* | irix6* | nonstopux*)
     nonstopux*) version_type=nonstopux ;;
     *)
 	if test "$lt_cv_prog_gnu_ld" = yes; then
-		version_type=linux
+		version_type=linux # correct to gnu/linux during the next big refactor
 	else
 		version_type=irix
 	fi ;;
@@ -10706,9 +10766,9 @@ linux*oldld* | linux*aout* | linux*coff*)
   dynamic_linker=no
   ;;
 
-# This must be Linux ELF.
+# This must be glibc/ELF.
 linux* | k*bsd*-gnu | kopensolaris*-gnu)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -10790,7 +10850,7 @@ netbsd*)
   ;;
 
 newsos6)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   shlibpath_var=LD_LIBRARY_PATH
   shlibpath_overrides_runpath=yes
@@ -10859,7 +10919,7 @@ rdos*)
   ;;
 
 solaris*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -10884,7 +10944,7 @@ sunos4*)
   ;;
 
 sysv4 | sysv4.3*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -10908,7 +10968,7 @@ sysv4 | sysv4.3*)
 
 sysv4*MP*)
   if test -d /usr/nec ;then
-    version_type=linux
+    version_type=linux # correct to gnu/linux during the next big refactor
     library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
     soname_spec='$libname${shared_ext}.$major'
     shlibpath_var=LD_LIBRARY_PATH
@@ -10939,7 +10999,7 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
 
 tpf*)
   # TPF is a cross-target only.  Preferred cross-host = GNU/Linux.
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   need_lib_prefix=no
   need_version=no
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -10949,7 +11009,7 @@ tpf*)
   ;;
 
 uts4*)
-  version_type=linux
+  version_type=linux # correct to gnu/linux during the next big refactor
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
   shlibpath_var=LD_LIBRARY_PATH
@@ -11731,6 +11791,8 @@ CC="$lt_save_CC"
 
 
 
+
+
         ac_config_commands="$ac_config_commands libtool"
 
 
@@ -11875,7 +11937,7 @@ fi
 done
 
 
-for ac_func in fpurge strlcmp strlcpy
+for ac_func in fdlopen fpurge strlcat strlcmp strlcpy
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -12006,7 +12068,9 @@ if test "${enable_werror+set}" = set; then :
 fi
 
 
-ac_config_files="$ac_config_files bin/Makefile bin/pamtest/Makefile bin/su/Makefile include/Makefile include/security/Makefile lib/Makefile modules/Makefile modules/pam_unix/Makefile modules/pam_deny/Makefile modules/pam_permit/Makefile doc/Makefile doc/man/Makefile Makefile"
+ac_config_files="$ac_config_files Makefile bin/Makefile bin/openpam_dump_policy/Makefile bin/pamtest/Makefile bin/su/Makefile doc/Makefile doc/man/Makefile include/Makefile include/security/Makefile lib/Makefile modules/Makefile modules/pam_deny/Makefile modules/pam_permit/Makefile modules/pam_unix/Makefile t/Makefile"
+
+ac_config_files="$ac_config_files pamgdb"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -12558,7 +12622,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by OpenPAM $as_me 20111218, which was
+This file was extended by OpenPAM $as_me 20120526, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -12624,7 +12688,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-OpenPAM config.status 20111218
+OpenPAM config.status 20120526
 configured by $0, generated by GNU Autoconf 2.68,
   with options \\"\$ac_cs_config\\"
 
@@ -12761,6 +12825,7 @@ pic_mode='`$ECHO "$pic_mode" | $SED "$delay_single_quote_subst"`'
 enable_fast_install='`$ECHO "$enable_fast_install" | $SED "$delay_single_quote_subst"`'
 SHELL='`$ECHO "$SHELL" | $SED "$delay_single_quote_subst"`'
 ECHO='`$ECHO "$ECHO" | $SED "$delay_single_quote_subst"`'
+PATH_SEPARATOR='`$ECHO "$PATH_SEPARATOR" | $SED "$delay_single_quote_subst"`'
 host_alias='`$ECHO "$host_alias" | $SED "$delay_single_quote_subst"`'
 host='`$ECHO "$host" | $SED "$delay_single_quote_subst"`'
 host_os='`$ECHO "$host_os" | $SED "$delay_single_quote_subst"`'
@@ -12843,7 +12908,6 @@ with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`'
 allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`'
 no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`'
 hardcode_libdir_flag_spec='`$ECHO "$hardcode_libdir_flag_spec" | $SED "$delay_single_quote_subst"`'
-hardcode_libdir_flag_spec_ld='`$ECHO "$hardcode_libdir_flag_spec_ld" | $SED "$delay_single_quote_subst"`'
 hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`'
 hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`'
 hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`'
@@ -12899,6 +12963,7 @@ _LTECHO_EOF'
 # Quote evaled strings.
 for var in SHELL \
 ECHO \
+PATH_SEPARATOR \
 SED \
 GREP \
 EGREP \
@@ -12949,7 +13014,6 @@ with_gnu_ld \
 allow_undefined_flag \
 no_undefined_flag \
 hardcode_libdir_flag_spec \
-hardcode_libdir_flag_spec_ld \
 hardcode_libdir_separator \
 exclude_expsyms \
 include_expsyms \
@@ -13033,19 +13097,22 @@ do
     "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
     "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
     "libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;;
+    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
     "bin/Makefile") CONFIG_FILES="$CONFIG_FILES bin/Makefile" ;;
+    "bin/openpam_dump_policy/Makefile") CONFIG_FILES="$CONFIG_FILES bin/openpam_dump_policy/Makefile" ;;
     "bin/pamtest/Makefile") CONFIG_FILES="$CONFIG_FILES bin/pamtest/Makefile" ;;
     "bin/su/Makefile") CONFIG_FILES="$CONFIG_FILES bin/su/Makefile" ;;
+    "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;;
+    "doc/man/Makefile") CONFIG_FILES="$CONFIG_FILES doc/man/Makefile" ;;
     "include/Makefile") CONFIG_FILES="$CONFIG_FILES include/Makefile" ;;
     "include/security/Makefile") CONFIG_FILES="$CONFIG_FILES include/security/Makefile" ;;
     "lib/Makefile") CONFIG_FILES="$CONFIG_FILES lib/Makefile" ;;
     "modules/Makefile") CONFIG_FILES="$CONFIG_FILES modules/Makefile" ;;
-    "modules/pam_unix/Makefile") CONFIG_FILES="$CONFIG_FILES modules/pam_unix/Makefile" ;;
     "modules/pam_deny/Makefile") CONFIG_FILES="$CONFIG_FILES modules/pam_deny/Makefile" ;;
     "modules/pam_permit/Makefile") CONFIG_FILES="$CONFIG_FILES modules/pam_permit/Makefile" ;;
-    "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;;
-    "doc/man/Makefile") CONFIG_FILES="$CONFIG_FILES doc/man/Makefile" ;;
-    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+    "modules/pam_unix/Makefile") CONFIG_FILES="$CONFIG_FILES modules/pam_unix/Makefile" ;;
+    "t/Makefile") CONFIG_FILES="$CONFIG_FILES t/Makefile" ;;
+    "pamgdb") CONFIG_FILES="$CONFIG_FILES pamgdb" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac
@@ -13757,8 +13824,8 @@ $as_echo X"$file" |
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 #
 #   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005,
-#                 2006, 2007, 2008, 2009, 2010 Free Software Foundation,
-#                 Inc.
+#                 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+#                 Foundation, Inc.
 #   Written by Gordon Matzigkeit, 1996
 #
 #   This file is part of GNU Libtool.
@@ -13812,6 +13879,9 @@ SHELL=$lt_SHELL
 # An echo program that protects backslashes.
 ECHO=$lt_ECHO
 
+# The PATH separator for the build system.
+PATH_SEPARATOR=$lt_PATH_SEPARATOR
+
 # The host system.
 host_alias=$host_alias
 host=$host
@@ -14113,10 +14183,6 @@ no_undefined_flag=$lt_no_undefined_flag
 # This must work even if \$libdir does not exist
 hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec
 
-# If ld is used when linking, flag to hardcode \$libdir into a binary
-# during linking.  This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld
-
 # Whether we need a single "-rpath" flag with a separated argument.
 hardcode_libdir_separator=$lt_hardcode_libdir_separator
 
@@ -14367,6 +14433,7 @@ fi
   chmod +x "$ofile"
 
  ;;
+    "pamgdb":F) chmod +x pamgdb ;;
 
   esac
 done # for ac_tag
diff --git a/contrib/openpam/configure.ac b/contrib/openpam/configure.ac
index a7453b9..fb30726 100644
--- a/contrib/openpam/configure.ac
+++ b/contrib/openpam/configure.ac
@@ -1,8 +1,8 @@
-dnl $Id: configure.ac 507 2011-12-18 14:43:40Z des $
+dnl $Id: configure.ac 610 2012-05-26 14:03:45Z des $
 
 AC_PREREQ([2.62])
-AC_REVISION([$Id: configure.ac 507 2011-12-18 14:43:40Z des $])
-AC_INIT([OpenPAM], [20111218], [des@des.no])
+AC_REVISION([$Id: configure.ac 610 2012-05-26 14:03:45Z des $])
+AC_INIT([OpenPAM], [20120526], [des@des.no])
 AC_CONFIG_SRCDIR([lib/pam_start.c])
 AC_CONFIG_MACRO_DIR([m4])
 AM_INIT_AUTOMAKE([foreign])
@@ -83,7 +83,7 @@ AM_CONDITIONAL([WITH_SU], [test x"$with_su" = x"yes"])
 
 AC_CHECK_HEADERS([crypt.h])
 
-AC_CHECK_FUNCS([fpurge strlcmp strlcpy])
+AC_CHECK_FUNCS([fdlopen fpurge strlcat strlcmp strlcpy])
 
 saved_LIBS="${LIBS}"
 LIBS=""
@@ -110,18 +110,21 @@ AC_ARG_ENABLE([werror],
     [CFLAGS="${CFLAGS} -Werror"])
 
 AC_CONFIG_FILES([
+    Makefile
     bin/Makefile
+    bin/openpam_dump_policy/Makefile
     bin/pamtest/Makefile
     bin/su/Makefile
+    doc/Makefile
+    doc/man/Makefile
     include/Makefile
     include/security/Makefile
     lib/Makefile
     modules/Makefile
-    modules/pam_unix/Makefile
     modules/pam_deny/Makefile
     modules/pam_permit/Makefile
-    doc/Makefile
-    doc/man/Makefile
-    Makefile
+    modules/pam_unix/Makefile
+    t/Makefile
 ])
+AC_CONFIG_FILES([pamgdb],[chmod +x pamgdb])
 AC_OUTPUT
diff --git a/contrib/openpam/doc/man/Makefile.am b/contrib/openpam/doc/man/Makefile.am
index 3d1b94b..4062a54 100644
--- a/contrib/openpam/doc/man/Makefile.am
+++ b/contrib/openpam/doc/man/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am 455 2011-10-29 18:31:11Z des $
+# $Id: Makefile.am 594 2012-04-14 14:18:41Z des $
 
 NULL =
 
@@ -38,12 +38,17 @@ OMAN = \
 	openpam_borrow_cred.3 \
 	openpam_free_data.3 \
 	openpam_free_envlist.3 \
+	openpam_get_feature.3 \
 	openpam_get_option.3 \
 	openpam_log.3 \
 	openpam_nullconv.3 \
 	openpam_readline.3 \
+	openpam_readlinev.3 \
+	openpam_readword.3 \
 	openpam_restore_cred.3 \
+	openpam_set_feature.3 \
 	openpam_set_option.3 \
+	openpam_straddch.3 \
 	openpam_subst.3 \
 	openpam_ttyconv.3 \
 	pam_error.3 \
@@ -68,17 +73,17 @@ CLEANFILES = $(ALLCMAN) openpam.3 pam.3
 
 GENDOC = $(top_srcdir)/misc/gendoc.pl
 
-SRCDIR = $(top_srcdir)/lib
+LIBSRCDIR = $(top_srcdir)/lib
 
-VPATH = $(SRCDIR)
+VPATH = $(LIBSRCDIR) $(srcdir)
 
 SUFFIXES = .3
 
 .c.3: $(GENDOC)
 	perl -w $(GENDOC) $<
 
-openpam.3: $(OMAN) $(GENDOC) openpam.man
+openpam.3: $(OMAN) $(GENDOC) $(srcdir)/openpam.man
 	perl -w $(GENDOC) -o $(abs_srcdir)/$(OMAN) <$(srcdir)/openpam.man
 
-pam.3: $(PMAN) $(GENDOC) pam.man
+pam.3: $(PMAN) $(GENDOC) $(srcdir)/pam.man
 	perl -w $(GENDOC) -p $(abs_srcdir)/$(PMAN) <$(srcdir)/pam.man
diff --git a/contrib/openpam/doc/man/Makefile.in b/contrib/openpam/doc/man/Makefile.in
index 91c9feb..298304d 100644
--- a/contrib/openpam/doc/man/Makefile.in
+++ b/contrib/openpam/doc/man/Makefile.in
@@ -15,7 +15,7 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am 455 2011-10-29 18:31:11Z des $
+# $Id: Makefile.am 594 2012-04-14 14:18:41Z des $
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -74,7 +74,7 @@ man5dir = $(mandir)/man5
 NROFF = nroff
 MANS = $(dist_man3_MANS) $(dist_man5_MANS)
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-VPATH = $(SRCDIR)
+VPATH = $(LIBSRCDIR) $(srcdir)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
 AR = @AR@
@@ -232,12 +232,17 @@ OMAN = \
 	openpam_borrow_cred.3 \
 	openpam_free_data.3 \
 	openpam_free_envlist.3 \
+	openpam_get_feature.3 \
 	openpam_get_option.3 \
 	openpam_log.3 \
 	openpam_nullconv.3 \
 	openpam_readline.3 \
+	openpam_readlinev.3 \
+	openpam_readword.3 \
 	openpam_restore_cred.3 \
+	openpam_set_feature.3 \
 	openpam_set_option.3 \
+	openpam_straddch.3 \
 	openpam_subst.3 \
 	openpam_ttyconv.3 \
 	pam_error.3 \
@@ -256,7 +261,7 @@ dist_man3_MANS = $(ALLCMAN) openpam.3 pam.3 pam_conv.3
 dist_man5_MANS = pam.conf.5
 CLEANFILES = $(ALLCMAN) openpam.3 pam.3
 GENDOC = $(top_srcdir)/misc/gendoc.pl
-SRCDIR = $(top_srcdir)/lib
+LIBSRCDIR = $(top_srcdir)/lib
 SUFFIXES = .3
 all: all-am
 
@@ -536,10 +541,10 @@ uninstall-man: uninstall-man3 uninstall-man5
 .c.3: $(GENDOC)
 	perl -w $(GENDOC) $<
 
-openpam.3: $(OMAN) $(GENDOC) openpam.man
+openpam.3: $(OMAN) $(GENDOC) $(srcdir)/openpam.man
 	perl -w $(GENDOC) -o $(abs_srcdir)/$(OMAN) <$(srcdir)/openpam.man
 
-pam.3: $(PMAN) $(GENDOC) pam.man
+pam.3: $(PMAN) $(GENDOC) $(srcdir)/pam.man
 	perl -w $(GENDOC) -p $(abs_srcdir)/$(PMAN) <$(srcdir)/pam.man
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/contrib/openpam/doc/man/openpam.3 b/contrib/openpam/doc/man/openpam.3
index c04a2aa..a3ff7fc 100644
--- a/contrib/openpam/doc/man/openpam.3
+++ b/contrib/openpam/doc/man/openpam.3
@@ -34,19 +34,24 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM 3
 .Os
 .Sh NAME
 .Nm openpam_borrow_cred ,
 .Nm openpam_free_data ,
 .Nm openpam_free_envlist ,
+.Nm openpam_get_feature ,
 .Nm openpam_get_option ,
 .Nm openpam_log ,
 .Nm openpam_nullconv ,
 .Nm openpam_readline ,
+.Nm openpam_readlinev ,
+.Nm openpam_readword ,
 .Nm openpam_restore_cred ,
+.Nm openpam_set_feature ,
 .Nm openpam_set_option ,
+.Nm openpam_straddch ,
 .Nm openpam_subst ,
 .Nm openpam_ttyconv ,
 .Nm pam_error ,
@@ -68,6 +73,8 @@
 .Fn openpam_free_data "pam_handle_t *pamh" "void *data" "int status"
 .Ft "void"
 .Fn openpam_free_envlist "char **envlist"
+.Ft "int"
+.Fn openpam_get_feature "int feature" "int *onoff"
 .Ft "const char *"
 .Fn openpam_get_option "pam_handle_t *pamh" "const char *option"
 .Ft "void"
@@ -76,11 +83,19 @@
 .Fn openpam_nullconv "int n" "const struct pam_message **msg" "struct pam_response **resp" "void *data"
 .Ft "char *"
 .Fn openpam_readline "FILE *f" "int *lineno" "size_t *lenp"
+.Ft "char **"
+.Fn openpam_readlinev "FILE *f" "int *lineno" "int *lenp"
+.Ft "char *"
+.Fn openpam_readword "FILE *f" "int *lineno" "size_t *lenp"
 .Ft "int"
 .Fn openpam_restore_cred "pam_handle_t *pamh"
 .Ft "int"
+.Fn openpam_set_feature "int feature" "int onoff"
+.Ft "int"
 .Fn openpam_set_option "pam_handle_t *pamh" "const char *option" "const char *value"
 .Ft "int"
+.Fn openpam_straddch "char **str" "size_t *size" "size_t *len" "int ch"
+.Ft "int"
 .Fn openpam_subst "const pam_handle_t *pamh" "char *buf" "size_t *bufsize" "const char *template"
 .Ft "int"
 .Fn openpam_ttyconv "int n" "const struct pam_message **msg" "struct pam_response **resp" "void *data"
@@ -117,12 +132,17 @@ standardization.
 .Xr openpam_borrow_cred 3 ,
 .Xr openpam_free_data 3 ,
 .Xr openpam_free_envlist 3 ,
+.Xr openpam_get_feature 3 ,
 .Xr openpam_get_option 3 ,
 .Xr openpam_log 3 ,
 .Xr openpam_nullconv 3 ,
 .Xr openpam_readline 3 ,
+.Xr openpam_readlinev 3 ,
+.Xr openpam_readword 3 ,
 .Xr openpam_restore_cred 3 ,
+.Xr openpam_set_feature 3 ,
 .Xr openpam_set_option 3 ,
+.Xr openpam_straddch 3 ,
 .Xr openpam_subst 3 ,
 .Xr openpam_ttyconv 3 ,
 .Xr pam_error 3 ,
@@ -146,3 +166,6 @@ Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
+.Pp
+The OpenPAM library is maintained by
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
diff --git a/contrib/openpam/doc/man/openpam_borrow_cred.3 b/contrib/openpam/doc/man/openpam_borrow_cred.3
index 25780db..dd05b44 100644
--- a/contrib/openpam/doc/man/openpam_borrow_cred.3
+++ b/contrib/openpam/doc/man/openpam_borrow_cred.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_BORROW_CRED 3
 .Os
 .Sh NAME
@@ -50,7 +50,7 @@
 .Fn openpam_borrow_cred "pam_handle_t *pamh" "const struct passwd *pwd"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_borrow_cred
 function saves the current credentials and
 switches to those of the user specified by its
 .Fa pwd
@@ -62,7 +62,7 @@ The original credentials can be restored using
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_borrow_cred
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -81,15 +81,15 @@ System error.
 .Xr pam_strerror 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_borrow_cred
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn openpam_borrow_cred
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/openpam_free_data.3 b/contrib/openpam/doc/man/openpam_free_data.3
index b32a345..4d9e0ee 100644
--- a/contrib/openpam/doc/man/openpam_free_data.3
+++ b/contrib/openpam/doc/man/openpam_free_data.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_FREE_DATA 3
 .Os
 .Sh NAME
@@ -50,7 +50,7 @@
 .Fn openpam_free_data "pam_handle_t *pamh" "void *data" "int status"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_free_data
 function is a cleanup function suitable for
 passing to
 .Xr pam_set_data 3 .
@@ -64,15 +64,15 @@ argument to
 .Xr pam_set_data 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_free_data
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn openpam_free_data
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/openpam_free_envlist.3 b/contrib/openpam/doc/man/openpam_free_envlist.3
index 0c1976a..cf8c585 100644
--- a/contrib/openpam/doc/man/openpam_free_envlist.3
+++ b/contrib/openpam/doc/man/openpam_free_envlist.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_FREE_ENVLIST 3
 .Os
 .Sh NAME
@@ -50,7 +50,7 @@
 .Fn openpam_free_envlist "char **envlist"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_free_envlist
 function is a convenience function which
 frees all the environment variables in an environment list, and the
 list itself.
@@ -62,12 +62,11 @@ It is suitable for freeing the return value from
 .Xr pam_getenvlist 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_free_envlist
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
-.Fx
-Project by
-.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
+.Fn openpam_free_envlist
+function and this manual page were
+developed by
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
diff --git a/contrib/openpam/doc/man/openpam_get_feature.3 b/contrib/openpam/doc/man/openpam_get_feature.3
new file mode 100644
index 0000000..e63ef0c
--- /dev/null
+++ b/contrib/openpam/doc/man/openpam_get_feature.3
@@ -0,0 +1,105 @@
+.\"-
+.\" Copyright (c) 2001-2003 Networks Associates Technology, Inc.
+.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" Network Associates Laboratories, the Security Research Division of
+.\" Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+.\" ("CBOSS"), as part of the DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd May 26, 2012
+.Dt OPENPAM_GET_FEATURE 3
+.Os
+.Sh NAME
+.Nm openpam_get_feature
+.Nd query the state of an optional feature
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In sys/types.h
+.In security/pam_appl.h
+.In security/openpam.h
+.Ft "int"
+.Fn openpam_get_feature "int feature" "int *onoff"
+.Sh DESCRIPTION
+.Bf Sy
+This function is experimental and may be modified or removed in a future release without further warning.
+.Ef
+.Pp
+The
+.Fn openpam_get_feature
+function stores the current state of the
+specified feature in the variable pointed to by its
+.Fa onoff
+argument.
+.Pp
+The following features are recognized:
+.Bl -tag -width 18n
+.It Dv OPENPAM_RESTRICT_SERVICE_NAME
+Disallow path separators in service names.
+This feature is enabled by default.
+Disabling it allows the application to specify the path to
+the desired policy file directly.
+.It Dv OPENPAM_VERIFY_POLICY_FILE
+Verify the ownership and permissions of the policy file
+and the path leading up to it.
+This feature is enabled by default.
+.It Dv OPENPAM_RESTRICT_MODULE_NAME
+Disallow path separators in module names.
+This feature is disabled by default.
+Enabling it prevents the use of modules in non-standard
+locations.
+.It Dv OPENPAM_VERIFY_MODULE_FILE
+Verify the ownership and permissions of each loadable
+module and the path leading up to it.
+This feature is enabled by default.
+.El
+.Sh RETURN VALUES
+The
+.Fn openpam_get_feature
+function returns one of the following values:
+.Bl -tag -width 18n
+.It Bq Er PAM_SYMBOL_ERR
+Invalid symbol.
+.El
+.Sh SEE ALSO
+.Xr openpam_set_feature 3 ,
+.Xr pam 3 ,
+.Xr pam_strerror 3
+.Sh STANDARDS
+The
+.Fn openpam_get_feature
+function is an OpenPAM extension.
+.Sh AUTHORS
+The
+.Fn openpam_get_feature
+function and this manual page were
+developed by
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
diff --git a/contrib/openpam/doc/man/openpam_get_option.3 b/contrib/openpam/doc/man/openpam_get_option.3
index d656612..68a6b2e 100644
--- a/contrib/openpam/doc/man/openpam_get_option.3
+++ b/contrib/openpam/doc/man/openpam_get_option.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_GET_OPTION 3
 .Os
 .Sh NAME
@@ -50,7 +50,7 @@
 .Fn openpam_get_option "pam_handle_t *pamh" "const char *option"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_get_option
 function returns the value of the specified
 option in the context of the currently executing service module, or
 .Dv NULL
@@ -58,7 +58,7 @@ if the option is not set or no module is currently executing.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_get_option
 function returns
 .Dv NULL
 on failure.
@@ -67,15 +67,15 @@ on failure.
 .Xr pam 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_get_option
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn openpam_get_option
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/openpam_log.3 b/contrib/openpam/doc/man/openpam_log.3
index adfc006..e5e3192 100644
--- a/contrib/openpam/doc/man/openpam_log.3
+++ b/contrib/openpam/doc/man/openpam_log.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_LOG 3
 .Os
 .Sh NAME
@@ -50,7 +50,7 @@
 .Fn openpam_log "int level" "const char *fmt" "..."
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_log
 function logs messages using
 .Xr syslog 3 .
 It is primarily intended for internal use by the library and modules.
@@ -60,6 +60,9 @@ The
 argument indicates the importance of the message.
 The following levels are defined:
 .Bl -tag -width 18n
+.It Dv PAM_LOG_LIBDEBUG
+Debugging messages.
+For internal use only.
 .It Dv PAM_LOG_DEBUG
 Debugging messages.
 These messages are normally not logged unless the global
@@ -101,15 +104,15 @@ corresponding arguments.
 .Xr syslog 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_log
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn openpam_log
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/openpam_nullconv.3 b/contrib/openpam/doc/man/openpam_nullconv.3
index 1873cba..f5194d3 100644
--- a/contrib/openpam/doc/man/openpam_nullconv.3
+++ b/contrib/openpam/doc/man/openpam_nullconv.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_NULLCONV 3
 .Os
 .Sh NAME
@@ -50,7 +50,7 @@
 .Fn openpam_nullconv "int n" "const struct pam_message **msg" "struct pam_response **resp" "void *data"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_nullconv
 function is a null conversation function suitable
 for applications that want to use PAM but don't support interactive
 dialog with the user.
@@ -71,7 +71,7 @@ try to query the user.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_nullconv
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_CONV_ERR
@@ -88,15 +88,15 @@ Conversation failure.
 .Xr pam_vprompt 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_nullconv
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn openpam_nullconv
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/openpam_readline.3 b/contrib/openpam/doc/man/openpam_readline.3
index cf7ab47..32dd55b 100644
--- a/contrib/openpam/doc/man/openpam_readline.3
+++ b/contrib/openpam/doc/man/openpam_readline.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_READLINE 3
 .Os
 .Sh NAME
@@ -44,27 +44,32 @@
 .Lb libpam
 .Sh SYNOPSIS
 .In sys/types.h
+.In stdio.h
 .In security/pam_appl.h
 .In security/openpam.h
 .Ft "char *"
 .Fn openpam_readline "FILE *f" "int *lineno" "size_t *lenp"
 .Sh DESCRIPTION
+.Bf Sy
+This function is deprecated and may be removed in a future release without further warning.
 The
-.Nm
+.Fn openpam_readlinev
+function may be used to achieve similar results.
+.Ef
+.Pp
+The
+.Fn openpam_readline
 function reads a line from a file, and returns it
 in a NUL-terminated buffer allocated with
 .Xr malloc 3 .
 .Pp
 The
-.Nm
+.Fn openpam_readline
 function performs a certain amount of processing
 on the data it reads:
 .Bl -bullet
 .It
-Comments (introduced by a hash sign) are stripped, as is leading and
-trailing whitespace.
-.It
-Any amount of linear whitespace is collapsed to a single space.
+Comments (introduced by a hash sign) are stripped.
 .It
 Blank lines are ignored.
 .It
@@ -89,27 +94,28 @@ terminating NUL character) is stored in the variable it points to.
 The caller is responsible for releasing the returned buffer by passing
 it to
 .Xr free 3 .
+.Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_readline
 function returns
 .Dv NULL
 on failure.
 .Sh SEE ALSO
-.Xr free 3 ,
-.Xr malloc 3 ,
+.Xr openpam_readlinev 3 ,
+.Xr openpam_readword 3 ,
 .Xr pam 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_readline
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn openpam_readline
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/openpam_readlinev.3 b/contrib/openpam/doc/man/openpam_readlinev.3
new file mode 100644
index 0000000..f2ba1a6
--- /dev/null
+++ b/contrib/openpam/doc/man/openpam_readlinev.3
@@ -0,0 +1,159 @@
+.\"-
+.\" Copyright (c) 2001-2003 Networks Associates Technology, Inc.
+.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" Network Associates Laboratories, the Security Research Division of
+.\" Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+.\" ("CBOSS"), as part of the DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd May 26, 2012
+.Dt OPENPAM_READLINEV 3
+.Os
+.Sh NAME
+.Nm openpam_readlinev
+.Nd read a line from a file and split it into words
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In sys/types.h
+.In stdio.h
+.In security/pam_appl.h
+.In security/openpam.h
+.Ft "char **"
+.Fn openpam_readlinev "FILE *f" "int *lineno" "int *lenp"
+.Sh DESCRIPTION
+The
+.Fn openpam_readlinev
+function reads a line from a file, splits it
+into words according to the rules described in the
+.Xr openpam_readword 3
+manual page, and returns a list of those words.
+.Pp
+If
+.Fa lineno
+is not
+.Dv NULL ,
+the integer variable it points to is
+incremented every time a newline character is read.
+This includes quoted or escaped newline characters and the newline
+character at the end of the line.
+.Pp
+If
+.Fa lenp
+is not
+.Dv NULL ,
+the number of words on the line is stored in the
+variable to which it points.
+.Sh RETURN VALUES
+If successful, the
+.Fn openpam_readlinev
+function returns a pointer to a
+dynamically allocated array of pointers to individual dynamically
+allocated NUL-terminated strings, each containing a single word, in the
+order in which they were encountered on the line.
+The array is terminated by a
+.Dv NULL
+pointer.
+.Pp
+The caller is responsible for freeing both the array and the individual
+strings by passing each of them to
+.Xr free 3 .
+.Pp
+If the end of the line was reached before any words were read,
+.Fn openpam_readlinev
+returns a pointer to a dynamically allocated array
+containing a single
+.Dv NULL
+pointer.
+.Pp
+The
+.Fn openpam_readlinev
+function can fail and return
+.Dv NULL
+for one of
+four reasons:
+.Bl -bullet
+.It
+The end of the file was reached before any words were read;
+.Va errno
+is
+zero,
+.Xr ferror 3
+returns zero, and
+.Xr feof 3
+returns a non-zero value.
+.It
+The end of the file was reached while a quote or backslash escape
+was in effect;
+.Va errno
+is set to
+.Dv EINVAL ,
+.Xr ferror 3
+returns zero, and
+.Xr feof 3
+returns a non-zero value.
+.It
+An error occurred while reading from the file;
+.Va errno
+is non-zero,
+.Xr ferror 3
+returns a non-zero value and
+.Xr feof 3
+returns zero.
+.It
+A
+.Xr malloc 3
+or
+.Xr realloc 3
+call failed;
+.Va errno
+is set to
+.Dv ENOMEM ,
+.Xr ferror 3
+returns a non-zero value, and
+.Xr feof 3
+may or may not return
+a non-zero value.
+.El
+.Sh SEE ALSO
+.Xr openpam_readline 3 ,
+.Xr openpam_readword 3 ,
+.Xr pam 3
+.Sh STANDARDS
+The
+.Fn openpam_readlinev
+function is an OpenPAM extension.
+.Sh AUTHORS
+The
+.Fn openpam_readlinev
+function and this manual page were
+developed by
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
diff --git a/contrib/openpam/doc/man/openpam_readword.3 b/contrib/openpam/doc/man/openpam_readword.3
new file mode 100644
index 0000000..6f5f58d
--- /dev/null
+++ b/contrib/openpam/doc/man/openpam_readword.3
@@ -0,0 +1,152 @@
+.\"-
+.\" Copyright (c) 2001-2003 Networks Associates Technology, Inc.
+.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" Network Associates Laboratories, the Security Research Division of
+.\" Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+.\" ("CBOSS"), as part of the DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd May 26, 2012
+.Dt OPENPAM_READWORD 3
+.Os
+.Sh NAME
+.Nm openpam_readword
+.Nd read a word from a file, respecting shell quoting rules
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In sys/types.h
+.In stdio.h
+.In security/pam_appl.h
+.In security/openpam.h
+.Ft "char *"
+.Fn openpam_readword "FILE *f" "int *lineno" "size_t *lenp"
+.Sh DESCRIPTION
+The
+.Fn openpam_readword
+function reads the next word from a file, and
+returns it in a NUL-terminated buffer allocated with
+.Xr malloc 3 .
+.Pp
+A word is a sequence of non-whitespace characters.
+However, whitespace characters can be included in a word if quoted or
+escaped according to the following rules:
+.Bl -bullet
+.It
+An unescaped single or double quote introduces a quoted string,
+which ends when the same quote character is encountered a second
+time.
+The quotes themselves are stripped.
+.It
+Within a single- or double-quoted string, all whitespace characters,
+including the newline character, are preserved as-is.
+.It
+Outside a quoted string, a backslash escapes the next character,
+which is preserved as-is, unless that character is a newline, in
+which case it is discarded and reading continues at the beginning of
+the next line as if the backslash and newline had not been there.
+In all cases, the backslash itself is discarded.
+.It
+Within a single-quoted string, double quotes and backslashes are
+preserved as-is.
+.It
+Within a double-quoted string, a single quote is preserved as-is,
+and a backslash is preserved as-is unless used to escape a double
+quote.
+.El
+.Pp
+In addition, if the first non-whitespace character on the line is a
+hash character (#), the rest of the line is discarded.
+If a hash character occurs within a word, however, it is preserved
+as-is.
+A backslash at the end of a comment does cause line continuation.
+.Pp
+If
+.Fa lineno
+is not
+.Dv NULL ,
+the integer variable it points to is
+incremented every time a quoted or escaped newline character is read.
+.Pp
+If
+.Fa lenp
+is not
+.Dv NULL ,
+the length of the word (after quotes and
+backslashes have been removed) is stored in the variable it points to.
+.Sh RETURN VALUES
+If successful, the
+.Fn openpam_readword
+function returns a pointer to a
+dynamically allocated NUL-terminated string containing the first word
+encountered on the line.
+.Pp
+The caller is responsible for releasing the returned buffer by passing
+it to
+.Xr free 3 .
+.Pp
+If
+.Fn openpam_readword
+reaches the end of the line or file before any
+characters are copied to the word, it returns
+.Dv NULL .
+In the former
+case, the newline is pushed back to the file.
+.Pp
+If
+.Fn openpam_readword
+reaches the end of the file while a quote or
+backslash escape is in effect, it sets
+.Va errno
+to
+.Dv EINVAL
+and returns
+.Dv NULL .
+.Sh IMPLEMENTATION NOTES
+The parsing rules are intended to be equivalent to the normal POSIX
+shell quoting rules.
+Any discrepancy is a bug and should be reported to the author along
+with sample input that can be used to reproduce the error.
+.Pp
+.Sh SEE ALSO
+.Xr openpam_readline 3 ,
+.Xr openpam_readlinev 3 ,
+.Xr pam 3
+.Sh STANDARDS
+The
+.Fn openpam_readword
+function is an OpenPAM extension.
+.Sh AUTHORS
+The
+.Fn openpam_readword
+function and this manual page were
+developed by
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
diff --git a/contrib/openpam/doc/man/openpam_restore_cred.3 b/contrib/openpam/doc/man/openpam_restore_cred.3
index 12ff8b8..d088ded 100644
--- a/contrib/openpam/doc/man/openpam_restore_cred.3
+++ b/contrib/openpam/doc/man/openpam_restore_cred.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_RESTORE_CRED 3
 .Os
 .Sh NAME
@@ -50,13 +50,13 @@
 .Fn openpam_restore_cred "pam_handle_t *pamh"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_restore_cred
 function restores the credentials saved by
 .Xr openpam_borrow_cred 3 .
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_restore_cred
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_NO_MODULE_DATA
@@ -73,15 +73,15 @@ System error.
 .Xr pam_strerror 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_restore_cred
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn openpam_restore_cred
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/openpam_set_feature.3 b/contrib/openpam/doc/man/openpam_set_feature.3
new file mode 100644
index 0000000..8356dec
--- /dev/null
+++ b/contrib/openpam/doc/man/openpam_set_feature.3
@@ -0,0 +1,87 @@
+.\"-
+.\" Copyright (c) 2001-2003 Networks Associates Technology, Inc.
+.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" Network Associates Laboratories, the Security Research Division of
+.\" Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+.\" ("CBOSS"), as part of the DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd May 26, 2012
+.Dt OPENPAM_SET_FEATURE 3
+.Os
+.Sh NAME
+.Nm openpam_set_feature
+.Nd enable or disable an optional feature
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In sys/types.h
+.In security/pam_appl.h
+.In security/openpam.h
+.Ft "int"
+.Fn openpam_set_feature "int feature" "int onoff"
+.Sh DESCRIPTION
+.Bf Sy
+This function is experimental and may be modified or removed in a future release without further warning.
+.Ef
+.Pp
+The
+.Fn openpam_set_feature
+function sets the state of the specified
+feature to the value specified by the
+.Fa onoff
+argument.
+See
+.Xr openpam_get_feature 3
+for a list of recognized features.
+.Pp
+.Sh RETURN VALUES
+The
+.Fn openpam_set_feature
+function returns one of the following values:
+.Bl -tag -width 18n
+.It Bq Er PAM_SYMBOL_ERR
+Invalid symbol.
+.El
+.Sh SEE ALSO
+.Xr openpam_get_feature 3 ,
+.Xr pam 3 ,
+.Xr pam_strerror 3
+.Sh STANDARDS
+The
+.Fn openpam_set_feature
+function is an OpenPAM extension.
+.Sh AUTHORS
+The
+.Fn openpam_set_feature
+function and this manual page were
+developed by
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
diff --git a/contrib/openpam/doc/man/openpam_set_option.3 b/contrib/openpam/doc/man/openpam_set_option.3
index f186c00..b1e2267 100644
--- a/contrib/openpam/doc/man/openpam_set_option.3
+++ b/contrib/openpam/doc/man/openpam_set_option.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_SET_OPTION 3
 .Os
 .Sh NAME
@@ -50,13 +50,13 @@
 .Fn openpam_set_option "pam_handle_t *pamh" "const char *option" "const char *value"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_set_option
 function sets the specified option in the
 context of the currently executing service module.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_set_option
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -70,15 +70,15 @@ System error.
 .Xr pam_strerror 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_set_option
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn openpam_set_option
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/openpam_straddch.3 b/contrib/openpam/doc/man/openpam_straddch.3
new file mode 100644
index 0000000..c555824
--- /dev/null
+++ b/contrib/openpam/doc/man/openpam_straddch.3
@@ -0,0 +1,122 @@
+.\"-
+.\" Copyright (c) 2001-2003 Networks Associates Technology, Inc.
+.\" Copyright (c) 2004-2011 Dag-Erling Smørgrav
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by ThinkSec AS and
+.\" Network Associates Laboratories, the Security Research Division of
+.\" Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+.\" ("CBOSS"), as part of the DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior written
+.\"    permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd May 26, 2012
+.Dt OPENPAM_STRADDCH 3
+.Os
+.Sh NAME
+.Nm openpam_straddch
+.Nd add a character to a string, expanding the buffer if needed
+.Sh LIBRARY
+.Lb libpam
+.Sh SYNOPSIS
+.In sys/types.h
+.In security/pam_appl.h
+.In security/openpam.h
+.Ft "int"
+.Fn openpam_straddch "char **str" "size_t *size" "size_t *len" "int ch"
+.Sh DESCRIPTION
+The
+.Fn openpam_straddch
+function appends a character to a dynamically
+allocated NUL-terminated buffer, reallocating the buffer as needed.
+.Pp
+The
+.Fa str
+argument points to a variable containing either a pointer to
+an existing buffer or
+.Dv NULL .
+If the value of the variable pointed to by
+.Fa str
+is
+.Dv NULL ,
+a new buffer
+is allocated.
+.Pp
+The
+.Fa size
+and
+.Fa len
+argument point to variables used to hold the size
+of the buffer and the length of the string it contains, respectively.
+.Pp
+If a new buffer is allocated or an existing buffer is reallocated to
+make room for the additional character,
+.Fa str
+and
+.Fa size
+are updated
+accordingly.
+.Pp
+The
+.Fn openpam_straddch
+function ensures that the buffer is always
+NUL-terminated.
+.Pp
+If the
+.Fn openpam_straddch
+function is successful, it increments the
+integer variable pointed to by
+.Fa len
+and returns 0.
+Otherwise, it leaves the variables pointed to by
+.Fa str ,
+.Fa size
+and
+.Fa len
+unmodified, sets
+.Va errno
+to
+.Dv ENOMEM
+and returns -1.
+.Pp
+.Sh RETURN VALUES
+The
+.Fn openpam_straddch
+function returns 0 on success and -1 on failure.
+.Sh SEE ALSO
+.Xr pam 3 ,
+.Xr pam_strerror 3
+.Sh STANDARDS
+The
+.Fn openpam_straddch
+function is an OpenPAM extension.
+.Sh AUTHORS
+The
+.Fn openpam_straddch
+function and this manual page were
+developed by
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
diff --git a/contrib/openpam/doc/man/openpam_subst.3 b/contrib/openpam/doc/man/openpam_subst.3
index 565b3e0..47297c9 100644
--- a/contrib/openpam/doc/man/openpam_subst.3
+++ b/contrib/openpam/doc/man/openpam_subst.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_SUBST 3
 .Os
 .Sh NAME
@@ -50,7 +50,7 @@
 .Fn openpam_subst "const pam_handle_t *pamh" "char *buf" "size_t *bufsize" "const char *template"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_subst
 function expands a string, substituting PAM item
 values for all occurrences of specific substitution codes.
 The
@@ -73,12 +73,12 @@ string,
 .Fa bufsize
 is updated to reflect the amount of space required to
 hold the entire string, and
-.Nm
+.Fn openpam_subst
 returns
 .Dv PAM_TRY_AGAIN .
 .Pp
 If
-.Nm
+.Fn openpam_subst
 fails for any other reason, the
 .Fa bufsize
 argument is
@@ -112,10 +112,9 @@ Replaced by the current value of the
 .Dv PAM_USER
 item.
 .El
-.Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_subst
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_SYSTEM_ERR
@@ -131,12 +130,11 @@ Try again.
 .Xr pam_strerror 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_subst
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
-.Fx
-Project by
-.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
+.Fn openpam_subst
+function and this manual page were
+developed by
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
diff --git a/contrib/openpam/doc/man/openpam_ttyconv.3 b/contrib/openpam/doc/man/openpam_ttyconv.3
index b2cd9d9..3e97cb4 100644
--- a/contrib/openpam/doc/man/openpam_ttyconv.3
+++ b/contrib/openpam/doc/man/openpam_ttyconv.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt OPENPAM_TTYCONV 3
 .Os
 .Sh NAME
@@ -50,14 +50,14 @@
 .Fn openpam_ttyconv "int n" "const struct pam_message **msg" "struct pam_response **resp" "void *data"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn openpam_ttyconv
 function is a standard conversation function
 suitable for use on TTY devices.
 It should be adequate for the needs of most text-based interactive
 programs.
 .Pp
 The
-.Nm
+.Fn openpam_ttyconv
 function allows the application to specify a
 timeout for user input by setting the global integer variable
 .Va openpam_ttyconv_timeout
@@ -65,7 +65,7 @@ to the length of the timeout in seconds.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn openpam_ttyconv
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -83,15 +83,15 @@ System error.
 .Xr pam_vprompt 3
 .Sh STANDARDS
 The
-.Nm
+.Fn openpam_ttyconv
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn openpam_ttyconv
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam.3 b/contrib/openpam/doc/man/pam.3
index 11befcd..196a3c7 100644
--- a/contrib/openpam/doc/man/pam.3
+++ b/contrib/openpam/doc/man/pam.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM 3
 .Os
 .Sh NAME
@@ -291,3 +291,6 @@ Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
+.Pp
+The OpenPAM library is maintained by
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
diff --git a/contrib/openpam/doc/man/pam.conf.5 b/contrib/openpam/doc/man/pam.conf.5
index 3669f92..d5f80d5 100644
--- a/contrib/openpam/doc/man/pam.conf.5
+++ b/contrib/openpam/doc/man/pam.conf.5
@@ -26,9 +26,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id: pam.conf.5 485 2011-11-03 16:57:37Z des $
+.\" $Id: pam.conf.5 610 2012-05-26 14:03:45Z des $
 .\"
-.Dd November 3, 2011
+.Dd May 26, 2012
 .Dt PAM.CONF 5
 .Os
 .Sh NAME
@@ -50,7 +50,7 @@ decreasing order of preference:
 .Pp
 If none of these locations contains a policy for the given service,
 the
-.Dv default
+.Dq Dv other
 policy is used instead, if it exists.
 .Pp
 Entries in per-service policy files must be of one of the two forms
@@ -177,5 +177,5 @@ DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
 .Pp
-This manual page was written by
-.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
+The OpenPAM library is maintained by
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
diff --git a/contrib/openpam/doc/man/pam_acct_mgmt.3 b/contrib/openpam/doc/man/pam_acct_mgmt.3
index 9410048..f79c464 100644
--- a/contrib/openpam/doc/man/pam_acct_mgmt.3
+++ b/contrib/openpam/doc/man/pam_acct_mgmt.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_ACCT_MGMT 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_acct_mgmt "pam_handle_t *pamh" "int flags"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_acct_mgmt
 function verifies and enforces account restrictions
 after the user has been authenticated.
 .Pp
@@ -65,12 +65,12 @@ Fail if the user's authentication token is null.
 .El
 .Pp
 If any other bits are set,
-.Nm
+.Fn pam_acct_mgmt
 will return
 .Dv PAM_SYMBOL_ERR .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_acct_mgmt
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@@ -104,11 +104,11 @@ Unknown user.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_acct_mgmt
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_authenticate.3 b/contrib/openpam/doc/man/pam_authenticate.3
index 8263280..c521a38 100644
--- a/contrib/openpam/doc/man/pam_authenticate.3
+++ b/contrib/openpam/doc/man/pam_authenticate.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_AUTHENTICATE 3
 .Os
 .Sh NAME
@@ -49,14 +49,14 @@
 .Fn pam_authenticate "pam_handle_t *pamh" "int flags"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_authenticate
 function attempts to authenticate the user
 associated with the pam context specified by the
 .Fa pamh
 argument.
 .Pp
 The application is free to call
-.Nm
+.Fn pam_authenticate
 as many times as it
 wishes, but some modules may maintain an internal retry counter and
 return
@@ -75,12 +75,12 @@ Fail if the user's authentication token is null.
 .El
 .Pp
 If any other bits are set,
-.Nm
+.Fn pam_authenticate
 will return
 .Dv PAM_SYMBOL_ERR .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_authenticate
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@@ -118,11 +118,11 @@ Unknown user.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_authenticate
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_chauthtok.3 b/contrib/openpam/doc/man/pam_chauthtok.3
index 5823866..11647e7 100644
--- a/contrib/openpam/doc/man/pam_chauthtok.3
+++ b/contrib/openpam/doc/man/pam_chauthtok.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_CHAUTHTOK 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_chauthtok "pam_handle_t *pamh" "int flags"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_chauthtok
 function attempts to change the authentication token
 for the user associated with the pam context specified by the
 .Fa pamh
@@ -67,12 +67,12 @@ Change only those authentication tokens that have expired.
 .El
 .Pp
 If any other bits are set,
-.Nm
+.Fn pam_chauthtok
 will return
 .Dv PAM_SYMBOL_ERR .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_chauthtok
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@@ -110,11 +110,11 @@ Try again.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_chauthtok
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_close_session.3 b/contrib/openpam/doc/man/pam_close_session.3
index 43e4b03..dba62e8 100644
--- a/contrib/openpam/doc/man/pam_close_session.3
+++ b/contrib/openpam/doc/man/pam_close_session.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_CLOSE_SESSION 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_close_session "pam_handle_t *pamh" "int flags"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_close_session
 function tears down the user session previously
 set up by
 .Xr pam_open_session 3 .
@@ -64,12 +64,12 @@ Do not emit any messages.
 .El
 .Pp
 If any other bits are set,
-.Nm
+.Fn pam_close_session
 will return
 .Dv PAM_SYMBOL_ERR .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_close_session
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@@ -100,11 +100,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_close_session
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_conv.3 b/contrib/openpam/doc/man/pam_conv.3
index 6b6e697..a1b121b 100644
--- a/contrib/openpam/doc/man/pam_conv.3
+++ b/contrib/openpam/doc/man/pam_conv.3
@@ -32,9 +32,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id: pam_conv.3 437 2011-09-13 12:00:13Z des $
+.\" $Id: pam_conv.3 610 2012-05-26 14:03:45Z des $
 .\"
-.Dd June 16, 2005
+.Dd May 26, 2012
 .Dt PAM_CONV 3
 .Os
 .Sh NAME
@@ -181,3 +181,6 @@ the Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
+.Pp
+The OpenPAM library is maintained by
+.An Dag-Erling Sm\(/orgrav Aq des@des.no .
diff --git a/contrib/openpam/doc/man/pam_end.3 b/contrib/openpam/doc/man/pam_end.3
index 66e2871..0d66912 100644
--- a/contrib/openpam/doc/man/pam_end.3
+++ b/contrib/openpam/doc/man/pam_end.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_END 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_end "pam_handle_t *pamh" "int status"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_end
 function terminates a PAM transaction and destroys the
 corresponding PAM context, releasing all resources allocated to it.
 .Pp
@@ -57,11 +57,10 @@ The
 .Fa status
 argument should be set to the error code returned by the
 last API call before the call to
-.Nm
-.
+.Fn pam_end .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_end
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_SYSTEM_ERR
@@ -77,11 +76,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_end
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_error.3 b/contrib/openpam/doc/man/pam_error.3
index c957409..6767772 100644
--- a/contrib/openpam/doc/man/pam_error.3
+++ b/contrib/openpam/doc/man/pam_error.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_ERROR 3
 .Os
 .Sh NAME
@@ -49,13 +49,13 @@
 .Fn pam_error "const pam_handle_t *pamh" "const char *fmt" "..."
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_error
 function displays an error message through the
 intermediary of the given PAM context's conversation function.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_error
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -73,15 +73,15 @@ System error.
 .Xr pam_verror 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_error
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_error
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_get_authtok.3 b/contrib/openpam/doc/man/pam_get_authtok.3
index 7f0c804..84c133d 100644
--- a/contrib/openpam/doc/man/pam_get_authtok.3
+++ b/contrib/openpam/doc/man/pam_get_authtok.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_GET_AUTHTOK 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_get_authtok "pam_handle_t *pamh" "int item" "const char **authtok" "const char *prompt"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_get_authtok
 function returns the cached authentication token,
 or prompts the user if no token is currently cached.
 Either way, a pointer to the authentication token is stored in the
@@ -89,7 +89,7 @@ before it is
 passed to the conversation function.
 .Pp
 If
-.Nm
+.Fn pam_get_authtok
 is called from a module and the
 .Dv authtok_prompt
 /
@@ -110,17 +110,17 @@ is set to
 and there is a non-null
 .Dv PAM_OLDAUTHTOK
 item,
-.Nm
+.Fn pam_get_authtok
 will ask the user to confirm the new token by
 retyping it.
 If there is a mismatch,
-.Nm
+.Fn pam_get_authtok
 will return
 .Dv PAM_TRY_AGAIN .
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_get_authtok
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -140,15 +140,15 @@ Try again.
 .Xr pam_strerror 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_get_authtok
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_get_authtok
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_get_data.3 b/contrib/openpam/doc/man/pam_get_data.3
index 49fae05..db4b723 100644
--- a/contrib/openpam/doc/man/pam_get_data.3
+++ b/contrib/openpam/doc/man/pam_get_data.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_GET_DATA 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_get_data "const pam_handle_t *pamh" "const char *module_data_name" "const void **data"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_get_data
 function looks up the opaque object associated with
 the string specified by the
 .Fa module_data_name
@@ -61,7 +61,7 @@ A pointer to the object is stored in the location pointed to by the
 .Fa data
 argument.
 If
-.Nm
+.Fn pam_get_data
 fails, the
 .Fa data
 argument is untouched.
@@ -72,7 +72,7 @@ are useful for managing
 data that are meaningful only to a particular service module.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_get_data
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_NO_MODULE_DATA
@@ -91,11 +91,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_get_data
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_get_item.3 b/contrib/openpam/doc/man/pam_get_item.3
index 1244a77..aaa1bad 100644
--- a/contrib/openpam/doc/man/pam_get_item.3
+++ b/contrib/openpam/doc/man/pam_get_item.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_GET_ITEM 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_get_item "const pam_handle_t *pamh" "int item_type" "const void **item"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_get_item
 function stores a pointer to the item specified by
 the
 .Fa item_type
@@ -60,7 +60,7 @@ The item is retrieved from the PAM context specified by the
 .Fa pamh
 argument.
 If
-.Nm
+.Fn pam_get_item
 fails, the
 .Fa item
 argument is untouched.
@@ -107,7 +107,7 @@ for a description of
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_get_item
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_SYMBOL_ERR
@@ -127,11 +127,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_get_item
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_get_user.3 b/contrib/openpam/doc/man/pam_get_user.3
index 8f3b426..448f418 100644
--- a/contrib/openpam/doc/man/pam_get_user.3
+++ b/contrib/openpam/doc/man/pam_get_user.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_GET_USER 3
 .Os
 .Sh NAME
@@ -49,13 +49,13 @@
 .Fn pam_get_user "pam_handle_t *pamh" "const char **user" "const char *prompt"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_get_user
 function returns the name of the target user, as
 specified to
 .Xr pam_start 3 .
 If no user was specified, nor set using
 .Xr pam_set_item 3 ,
-.Nm
+.Fn pam_get_user
 will prompt for a user name.
 Either way, a pointer to the user name is stored in the location
 pointed to by the
@@ -80,7 +80,7 @@ before it is
 passed to the conversation function.
 .Pp
 If
-.Nm
+.Fn pam_get_user
 is called from a module and the
 .Dv user_prompt
 option is
@@ -93,7 +93,7 @@ item.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_get_user
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -118,11 +118,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_get_user
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_getenv.3 b/contrib/openpam/doc/man/pam_getenv.3
index ebd2992..1f0df73 100644
--- a/contrib/openpam/doc/man/pam_getenv.3
+++ b/contrib/openpam/doc/man/pam_getenv.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_GETENV 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_getenv "pam_handle_t *pamh" "const char *name"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_getenv
 function returns the value of an environment variable.
 Its semantics are similar to those of
 .Xr getenv 3 ,
@@ -58,7 +58,7 @@ context's environment list instead of the application's.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_getenv
 function returns
 .Dv NULL
 on failure.
@@ -75,11 +75,11 @@ on failure.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_getenv
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_getenvlist.3 b/contrib/openpam/doc/man/pam_getenvlist.3
index a034c8e..9af3784 100644
--- a/contrib/openpam/doc/man/pam_getenvlist.3
+++ b/contrib/openpam/doc/man/pam_getenvlist.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_GETENVLIST 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_getenvlist "pam_handle_t *pamh"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_getenvlist
 function returns a copy of the given PAM context's
 environment list as a pointer to an array of strings.
 The last element in the array is
@@ -77,7 +77,7 @@ after use:
 .Ed
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_getenvlist
 function returns
 .Dv NULL
 on failure.
@@ -96,11 +96,11 @@ on failure.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_getenvlist
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_info.3 b/contrib/openpam/doc/man/pam_info.3
index 08bf200..c08b574 100644
--- a/contrib/openpam/doc/man/pam_info.3
+++ b/contrib/openpam/doc/man/pam_info.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_INFO 3
 .Os
 .Sh NAME
@@ -49,13 +49,13 @@
 .Fn pam_info "const pam_handle_t *pamh" "const char *fmt" "..."
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_info
 function displays an informational message through the
 intermediary of the given PAM context's conversation function.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_info
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -73,15 +73,15 @@ System error.
 .Xr pam_vinfo 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_info
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_info
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_open_session.3 b/contrib/openpam/doc/man/pam_open_session.3
index 13811c7..1cde0e4 100644
--- a/contrib/openpam/doc/man/pam_open_session.3
+++ b/contrib/openpam/doc/man/pam_open_session.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_OPEN_SESSION 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_open_session "pam_handle_t *pamh" "int flags"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_open_session
 sets up a user session for a previously
 authenticated user.
 The session should later be torn down by a call to
@@ -65,12 +65,12 @@ Do not emit any messages.
 .El
 .Pp
 If any other bits are set,
-.Nm
+.Fn pam_open_session
 will return
 .Dv PAM_SYMBOL_ERR .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_open_session
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@@ -101,11 +101,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_open_session
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_prompt.3 b/contrib/openpam/doc/man/pam_prompt.3
index 20574f2..0ff7742 100644
--- a/contrib/openpam/doc/man/pam_prompt.3
+++ b/contrib/openpam/doc/man/pam_prompt.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_PROMPT 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_prompt "const pam_handle_t *pamh" "int style" "char **resp" "const char *fmt" "..."
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_prompt
 function constructs a message from the specified format
 string and arguments and passes it to the given PAM context's
 conversation function.
@@ -67,7 +67,7 @@ for further details.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_prompt
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -85,15 +85,15 @@ System error.
 .Xr pam_vprompt 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_prompt
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_prompt
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_putenv.3 b/contrib/openpam/doc/man/pam_putenv.3
index e69816a..4e9c693 100644
--- a/contrib/openpam/doc/man/pam_putenv.3
+++ b/contrib/openpam/doc/man/pam_putenv.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_PUTENV 3
 .Os
 .Sh NAME
@@ -49,8 +49,8 @@
 .Fn pam_putenv "pam_handle_t *pamh" "const char *namevalue"
 .Sh DESCRIPTION
 The
-.Nm
-function sets a environment variable.
+.Fn pam_putenv
+function sets an environment variable.
 Its semantics are similar to those of
 .Xr putenv 3 ,
 but it modifies the PAM
@@ -58,7 +58,7 @@ context's environment list instead of the application's.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_putenv
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -80,11 +80,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_putenv
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_set_data.3 b/contrib/openpam/doc/man/pam_set_data.3
index ce4d63d0..c02ae2e 100644
--- a/contrib/openpam/doc/man/pam_set_data.3
+++ b/contrib/openpam/doc/man/pam_set_data.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SET_DATA 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_set_data "pam_handle_t *pamh" "const char *module_data_name" "void *data" "void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status)"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_set_data
 function associates a pointer to an opaque object
 with an arbitrary string specified by the
 .Fa module_data_name
@@ -71,7 +71,7 @@ are useful for managing
 data that are meaningful only to a particular service module.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_set_data
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -90,11 +90,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_set_data
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_set_item.3 b/contrib/openpam/doc/man/pam_set_item.3
index 9f4e78d..668c4f3 100644
--- a/contrib/openpam/doc/man/pam_set_item.3
+++ b/contrib/openpam/doc/man/pam_set_item.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SET_ITEM 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_set_item "pam_handle_t *pamh" "int item_type" "const void *item"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_set_item
 function sets the item specified by the
 .Fa item_type
 argument to a copy of the object pointed to by the
@@ -63,7 +63,7 @@ See
 for a list of recognized item types.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_set_item
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -84,11 +84,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_set_item
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_setcred.3 b/contrib/openpam/doc/man/pam_setcred.3
index 1e0a246..a4f8249 100644
--- a/contrib/openpam/doc/man/pam_setcred.3
+++ b/contrib/openpam/doc/man/pam_setcred.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SETCRED 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_setcred "pam_handle_t *pamh" "int flags"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_setcred
 function manages the application's credentials.
 .Pp
 The
@@ -72,12 +72,12 @@ Refresh credentials.
 The latter four are mutually exclusive.
 .Pp
 If any other bits are set,
-.Nm
+.Fn pam_setcred
 will return
 .Dv PAM_SYMBOL_ERR .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_setcred
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@@ -113,11 +113,11 @@ Unknown user.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_setcred
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_setenv.3 b/contrib/openpam/doc/man/pam_setenv.3
index 43906ef..e3b9c13 100644
--- a/contrib/openpam/doc/man/pam_setenv.3
+++ b/contrib/openpam/doc/man/pam_setenv.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SETENV 3
 .Os
 .Sh NAME
@@ -49,8 +49,8 @@
 .Fn pam_setenv "pam_handle_t *pamh" "const char *name" "const char *value" "int overwrite"
 .Sh DESCRIPTION
 The
-.Nm
-function sets a environment variable.
+.Fn pam_setenv
+function sets an environment variable.
 Its semantics are similar to those of
 .Xr setenv 3 ,
 but it modifies the PAM
@@ -58,7 +58,7 @@ context's environment list instead of the application's.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_setenv
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -75,15 +75,15 @@ System error.
 .Xr setenv 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_setenv
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_setenv
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_sm_acct_mgmt.3 b/contrib/openpam/doc/man/pam_sm_acct_mgmt.3
index 22e1980..35dd05b 100644
--- a/contrib/openpam/doc/man/pam_sm_acct_mgmt.3
+++ b/contrib/openpam/doc/man/pam_sm_acct_mgmt.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SM_ACCT_MGMT 3
 .Os
 .Sh NAME
@@ -50,14 +50,14 @@
 .Fn pam_sm_acct_mgmt "pam_handle_t *pamh" "int flags" "int argc" "const char **argv"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_sm_acct_mgmt
 function is the service module's implementation
 of the
 .Xr pam_acct_mgmt 3
 API function.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_sm_acct_mgmt
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@@ -94,11 +94,11 @@ Unknown user.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_sm_acct_mgmt
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_sm_authenticate.3 b/contrib/openpam/doc/man/pam_sm_authenticate.3
index e41a70a..4c27bb7 100644
--- a/contrib/openpam/doc/man/pam_sm_authenticate.3
+++ b/contrib/openpam/doc/man/pam_sm_authenticate.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SM_AUTHENTICATE 3
 .Os
 .Sh NAME
@@ -50,14 +50,14 @@
 .Fn pam_sm_authenticate "pam_handle_t *pamh" "int flags" "int argc" "const char **argv"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_sm_authenticate
 function is the service module's
 implementation of the
 .Xr pam_authenticate 3
 API function.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_sm_authenticate
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@@ -96,11 +96,11 @@ Unknown user.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_sm_authenticate
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_sm_chauthtok.3 b/contrib/openpam/doc/man/pam_sm_chauthtok.3
index bc3f461..8e28b05 100644
--- a/contrib/openpam/doc/man/pam_sm_chauthtok.3
+++ b/contrib/openpam/doc/man/pam_sm_chauthtok.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SM_CHAUTHTOK 3
 .Os
 .Sh NAME
@@ -50,7 +50,7 @@
 .Fn pam_sm_chauthtok "pam_handle_t *pamh" "int flags" "int argc" "const char **argv"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_sm_chauthtok
 function is the service module's implementation
 of the
 .Xr pam_chauthtok 3
@@ -67,7 +67,7 @@ with the
 flag set.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_sm_chauthtok
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@@ -106,11 +106,11 @@ Try again.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_sm_chauthtok
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_sm_close_session.3 b/contrib/openpam/doc/man/pam_sm_close_session.3
index 3b1f57e..bfb5d87 100644
--- a/contrib/openpam/doc/man/pam_sm_close_session.3
+++ b/contrib/openpam/doc/man/pam_sm_close_session.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SM_CLOSE_SESSION 3
 .Os
 .Sh NAME
@@ -50,14 +50,14 @@
 .Fn pam_sm_close_session "pam_handle_t *pamh" "int flags" "int args" "const char **argv"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_sm_close_session
 function is the service module's
 implementation of the
 .Xr pam_close_session 3
 API function.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_sm_close_session
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@@ -88,11 +88,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_sm_close_session
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_sm_open_session.3 b/contrib/openpam/doc/man/pam_sm_open_session.3
index cdfe4d4..b92fb45 100644
--- a/contrib/openpam/doc/man/pam_sm_open_session.3
+++ b/contrib/openpam/doc/man/pam_sm_open_session.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SM_OPEN_SESSION 3
 .Os
 .Sh NAME
@@ -50,14 +50,14 @@
 .Fn pam_sm_open_session "pam_handle_t *pamh" "int flags" "int argc" "const char **argv"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_sm_open_session
 function is the service module's
 implementation of the
 .Xr pam_open_session 3
 API function.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_sm_open_session
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@@ -88,11 +88,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_sm_open_session
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_sm_setcred.3 b/contrib/openpam/doc/man/pam_sm_setcred.3
index 6d5c52f..19b192e 100644
--- a/contrib/openpam/doc/man/pam_sm_setcred.3
+++ b/contrib/openpam/doc/man/pam_sm_setcred.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_SM_SETCRED 3
 .Os
 .Sh NAME
@@ -50,14 +50,14 @@
 .Fn pam_sm_setcred "pam_handle_t *pamh" "int flags" "int argc" "const char **argv"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_sm_setcred
 function is the service module's implementation of
 the
 .Xr pam_setcred 3
 API function.
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_sm_setcred
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_ABORT
@@ -94,11 +94,11 @@ Unknown user.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_sm_setcred
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_start.3 b/contrib/openpam/doc/man/pam_start.3
index eaa9f05..4e28d3e 100644
--- a/contrib/openpam/doc/man/pam_start.3
+++ b/contrib/openpam/doc/man/pam_start.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_START 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_start "const char *service" "const char *user" "const struct pam_conv *pam_conv" "pam_handle_t **pamh"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_start
 function creates and initializes a PAM context.
 .Pp
 The
@@ -78,7 +78,7 @@ for details.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_start
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -99,11 +99,11 @@ System error.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_start
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_strerror.3 b/contrib/openpam/doc/man/pam_strerror.3
index 9003102..5b24b68 100644
--- a/contrib/openpam/doc/man/pam_strerror.3
+++ b/contrib/openpam/doc/man/pam_strerror.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_STRERROR 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_strerror "const pam_handle_t *pamh" "int error_number"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_strerror
 function returns a pointer to a string containing a
 textual description of the error indicated by the
 .Fa error_number
@@ -64,7 +64,7 @@ or
 .Dv NULL .
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_strerror
 function returns
 .Dv NULL
 on failure.
@@ -78,11 +78,11 @@ on failure.
 .Re
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_strerror
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_verror.3 b/contrib/openpam/doc/man/pam_verror.3
index 4987da3..d4a8cc5 100644
--- a/contrib/openpam/doc/man/pam_verror.3
+++ b/contrib/openpam/doc/man/pam_verror.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_VERROR 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_verror "const pam_handle_t *pamh" "const char *fmt" "va_list ap"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_verror
 function passes its arguments to
 .Xr pam_vprompt 3
 with a
@@ -59,7 +59,7 @@ and discards the response.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_verror
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -77,15 +77,15 @@ System error.
 .Xr pam_vprompt 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_verror
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_verror
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_vinfo.3 b/contrib/openpam/doc/man/pam_vinfo.3
index c2ac5b0..3e10b50 100644
--- a/contrib/openpam/doc/man/pam_vinfo.3
+++ b/contrib/openpam/doc/man/pam_vinfo.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_VINFO 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_vinfo "const pam_handle_t *pamh" "const char *fmt" "va_list ap"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_vinfo
 function passes its arguments to
 .Xr pam_vprompt 3
 with a
@@ -59,7 +59,7 @@ and discards the response.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_vinfo
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -77,15 +77,15 @@ System error.
 .Xr pam_vprompt 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_vinfo
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_vinfo
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/doc/man/pam_vprompt.3 b/contrib/openpam/doc/man/pam_vprompt.3
index 381008d..c3d8b32 100644
--- a/contrib/openpam/doc/man/pam_vprompt.3
+++ b/contrib/openpam/doc/man/pam_vprompt.3
@@ -34,7 +34,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd December 18, 2011
+.Dd May 26, 2012
 .Dt PAM_VPROMPT 3
 .Os
 .Sh NAME
@@ -49,7 +49,7 @@
 .Fn pam_vprompt "const pam_handle_t *pamh" "int style" "char **resp" "const char *fmt" "va_list ap"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn pam_vprompt
 function constructs a string from the
 .Fa fmt
 and
@@ -93,7 +93,7 @@ If they do, they may be truncated.
 .Pp
 .Sh RETURN VALUES
 The
-.Nm
+.Fn pam_vprompt
 function returns one of the following values:
 .Bl -tag -width 18n
 .It Bq Er PAM_BUF_ERR
@@ -114,15 +114,15 @@ System error.
 .Xr vsnprintf 3
 .Sh STANDARDS
 The
-.Nm
+.Fn pam_vprompt
 function is an OpenPAM extension.
 .Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
+.Fn pam_vprompt
+function and this manual page were
+developed for the
 .Fx
-Project by
-ThinkSec AS and Network Associates Laboratories, the
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
diff --git a/contrib/openpam/include/security/openpam.h b/contrib/openpam/include/security/openpam.h
index 0c896a4..4ba8b95 100644
--- a/contrib/openpam/include/security/openpam.h
+++ b/contrib/openpam/include/security/openpam.h
@@ -32,7 +32,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam.h 455 2011-10-29 18:31:11Z des $
+ * $Id: openpam.h 605 2012-04-20 11:05:10Z des $
  */
 
 #ifndef SECURITY_OPENPAM_H_INCLUDED
@@ -157,12 +157,49 @@ openpam_readline(FILE *_f,
 	int *_lineno,
 	size_t *_lenp)
 	OPENPAM_NONNULL((1));
+
+char **
+openpam_readlinev(FILE *_f,
+	int *_lineno,
+	int *_lenp)
+	OPENPAM_NONNULL((1));
+
+char *
+openpam_readword(FILE *_f,
+	int *_lineno,
+	size_t *_lenp)
+	OPENPAM_NONNULL((1));
 #endif
 
+int
+openpam_straddch(char **_str,
+	size_t *_sizep,
+	size_t *_lenp,
+	int ch)
+	OPENPAM_NONNULL((1));
+
+/*
+ * Enable / disable optional features
+ */
+enum {
+	OPENPAM_RESTRICT_SERVICE_NAME,
+	OPENPAM_VERIFY_POLICY_FILE,
+	OPENPAM_RESTRICT_MODULE_NAME,
+	OPENPAM_VERIFY_MODULE_FILE,
+	OPENPAM_NUM_FEATURES
+};
+
+int
+openpam_set_feature(int _feature, int _onoff);
+
+int
+openpam_get_feature(int _feature, int *_onoff);
+
 /*
  * Log levels
  */
 enum {
+	PAM_LOG_LIBDEBUG = -1,
 	PAM_LOG_DEBUG,
 	PAM_LOG_VERBOSE,
 	PAM_LOG_NOTICE,
@@ -196,8 +233,8 @@ _openpam_log(int _level,
 void
 openpam_log(int _level,
 	const char *_format,
- 	...)
- 	OPENPAM_FORMAT ((__printf__, 2, 3))
+	...)
+	OPENPAM_FORMAT ((__printf__, 2, 3))
 	OPENPAM_NONNULL((2));
 #endif
 
diff --git a/contrib/openpam/include/security/openpam_version.h b/contrib/openpam/include/security/openpam_version.h
index ed1c1de..d50d913 100644
--- a/contrib/openpam/include/security/openpam_version.h
+++ b/contrib/openpam/include/security/openpam_version.h
@@ -32,14 +32,14 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_version.h 505 2011-12-18 14:13:08Z des $
+ * $Id: openpam_version.h 609 2012-05-26 13:57:45Z des $
  */
 
 #ifndef SECURITY_OPENPAM_VERSION_H_INCLUDED
 #define SECURITY_OPENPAM_VERSION_H_INCLUDED
 
 #define OPENPAM
-#define OPENPAM_VERSION	20111218
-#define OPENPAM_RELEASE	"Lycopsida"
+#define OPENPAM_VERSION	20120526
+#define OPENPAM_RELEASE	"Micrampelis"
 
 #endif /* !SECURITY_OPENPAM_VERSION_H_INCLUDED */
diff --git a/contrib/openpam/lib/Makefile.am b/contrib/openpam/lib/Makefile.am
index 3a2e60e..9ce2d2f 100644
--- a/contrib/openpam/lib/Makefile.am
+++ b/contrib/openpam/lib/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am 499 2011-11-22 11:51:50Z des $
+# $Id: Makefile.am 602 2012-04-15 17:31:15Z des $
 
 NULL =
 
@@ -8,8 +8,11 @@ lib_LTLIBRARIES = libpam.la
 
 noinst_HEADERS = \
 	openpam_constants.h \
+	openpam_ctype.h \
 	openpam_debug.h \
+	openpam_features.h \
 	openpam_impl.h \
+	openpam_strlcat.h \
 	openpam_strlcmp.h \
 	openpam_strlcpy.h
 
@@ -20,17 +23,23 @@ libpam_la_SOURCES = \
 	openpam_constants.c \
 	openpam_dispatch.c \
 	openpam_dynamic.c \
+	openpam_features.c \
 	openpam_findenv.c \
 	openpam_free_data.c \
 	openpam_free_envlist.c \
+	openpam_get_feature.c \
 	openpam_get_option.c \
 	openpam_load.c \
 	openpam_log.c \
 	openpam_nullconv.c \
 	openpam_readline.c \
+	openpam_readlinev.c \
+	openpam_readword.c \
 	openpam_restore_cred.c \
 	openpam_set_option.c \
+	openpam_set_feature.c \
 	openpam_static.c \
+	openpam_straddch.c \
 	openpam_subst.c \
 	openpam_ttyconv.c \
 	pam_acct_mgmt.c \
diff --git a/contrib/openpam/lib/Makefile.in b/contrib/openpam/lib/Makefile.in
index 0052ce2..353fbab 100644
--- a/contrib/openpam/lib/Makefile.in
+++ b/contrib/openpam/lib/Makefile.in
@@ -15,7 +15,7 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am 499 2011-11-22 11:51:50Z des $
+# $Id: Makefile.am 602 2012-04-15 17:31:15Z des $
 
 
 VPATH = @srcdir@
@@ -76,11 +76,13 @@ am__objects_1 =
 am_libpam_la_OBJECTS = openpam_borrow_cred.lo \
 	openpam_check_owner_perms.lo openpam_configure.lo \
 	openpam_constants.lo openpam_dispatch.lo openpam_dynamic.lo \
-	openpam_findenv.lo openpam_free_data.lo \
-	openpam_free_envlist.lo openpam_get_option.lo openpam_load.lo \
-	openpam_log.lo openpam_nullconv.lo openpam_readline.lo \
-	openpam_restore_cred.lo openpam_set_option.lo \
-	openpam_static.lo openpam_subst.lo openpam_ttyconv.lo \
+	openpam_features.lo openpam_findenv.lo openpam_free_data.lo \
+	openpam_free_envlist.lo openpam_get_feature.lo \
+	openpam_get_option.lo openpam_load.lo openpam_log.lo \
+	openpam_nullconv.lo openpam_readline.lo openpam_readlinev.lo \
+	openpam_readword.lo openpam_restore_cred.lo \
+	openpam_set_option.lo openpam_set_feature.lo openpam_static.lo \
+	openpam_straddch.lo openpam_subst.lo openpam_ttyconv.lo \
 	pam_acct_mgmt.lo pam_authenticate.lo pam_chauthtok.lo \
 	pam_close_session.lo pam_end.lo pam_error.lo \
 	pam_get_authtok.lo pam_get_data.lo pam_get_item.lo \
@@ -234,8 +236,11 @@ INCLUDES = -I$(top_srcdir)/include
 lib_LTLIBRARIES = libpam.la
 noinst_HEADERS = \
 	openpam_constants.h \
+	openpam_ctype.h \
 	openpam_debug.h \
+	openpam_features.h \
 	openpam_impl.h \
+	openpam_strlcat.h \
 	openpam_strlcmp.h \
 	openpam_strlcpy.h
 
@@ -246,17 +251,23 @@ libpam_la_SOURCES = \
 	openpam_constants.c \
 	openpam_dispatch.c \
 	openpam_dynamic.c \
+	openpam_features.c \
 	openpam_findenv.c \
 	openpam_free_data.c \
 	openpam_free_envlist.c \
+	openpam_get_feature.c \
 	openpam_get_option.c \
 	openpam_load.c \
 	openpam_log.c \
 	openpam_nullconv.c \
 	openpam_readline.c \
+	openpam_readlinev.c \
+	openpam_readword.c \
 	openpam_restore_cred.c \
 	openpam_set_option.c \
+	openpam_set_feature.c \
 	openpam_static.c \
+	openpam_straddch.c \
 	openpam_subst.c \
 	openpam_ttyconv.c \
 	pam_acct_mgmt.c \
@@ -387,17 +398,23 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_constants.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_dispatch.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_dynamic.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_features.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_findenv.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_free_data.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_free_envlist.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_get_feature.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_get_option.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_load.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_log.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_nullconv.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_readline.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_readlinev.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_readword.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_restore_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_set_feature.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_set_option.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_static.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_straddch.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_subst.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openpam_ttyconv.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_acct_mgmt.Plo@am__quote@
diff --git a/contrib/openpam/lib/openpam_check_owner_perms.c b/contrib/openpam/lib/openpam_check_owner_perms.c
index 9d64ed6..d3b2ca9 100644
--- a/contrib/openpam/lib/openpam_check_owner_perms.c
+++ b/contrib/openpam/lib/openpam_check_owner_perms.c
@@ -11,6 +11,9 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -24,7 +27,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_check_owner_perms.c 499 2011-11-22 11:51:50Z des $
+ * $Id: openpam_check_owner_perms.c 543 2012-03-31 22:11:34Z des $
  */
 
 #ifdef HAVE_CONFIG_H
@@ -67,6 +70,12 @@ openpam_check_desc_owner_perms(const char *name, int fd)
 		errno = serrno;
 		return (-1);
 	}
+	if (!S_ISREG(sb.st_mode)) {
+		openpam_log(PAM_LOG_ERROR,
+		    "%s: not a regular file", name);
+		errno = EINVAL;
+		return (-1);
+	}
 	if ((sb.st_uid != root && sb.st_uid != arbitrator) ||
 	    (sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
 		openpam_log(PAM_LOG_ERROR,
@@ -84,7 +93,7 @@ openpam_check_desc_owner_perms(const char *name, int fd)
  * up to it are owned by either root or the arbitrator and that they are
  * not writable by group or other.
  *
- * Note that openpam_check_file_owner_perms() should be used instead if
+ * Note that openpam_check_desc_owner_perms() should be used instead if
  * possible to avoid a race between the ownership / permission check and
  * the actual open().
  */
@@ -95,8 +104,9 @@ openpam_check_path_owner_perms(const char *path)
 	uid_t root, arbitrator;
 	char pathbuf[PATH_MAX];
 	struct stat sb;
-	int len, serrno;
+	int len, serrno, tip;
 
+	tip = 1;
 	root = 0;
 	arbitrator = geteuid();
 	if (realpath(path, pathbuf) == NULL)
@@ -111,6 +121,12 @@ openpam_check_path_owner_perms(const char *path)
 			}
 			return (-1);
 		}
+		if (tip && !S_ISREG(sb.st_mode)) {
+			openpam_log(PAM_LOG_ERROR,
+			    "%s: not a regular file", pathbuf);
+			errno = EINVAL;
+			return (-1);
+		}
 		if ((sb.st_uid != root && sb.st_uid != arbitrator) ||
 		    (sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
 			openpam_log(PAM_LOG_ERROR,
@@ -120,6 +136,7 @@ openpam_check_path_owner_perms(const char *path)
 		}
 		while (--len > 0 && pathbuf[len] != '/')
 			pathbuf[len] = '\0';
+		tip = 0;
 	}
 	return (0);
 }
diff --git a/contrib/openpam/lib/openpam_configure.c b/contrib/openpam/lib/openpam_configure.c
index bef7817..778bec8 100644
--- a/contrib/openpam/lib/openpam_configure.c
+++ b/contrib/openpam/lib/openpam_configure.c
@@ -1,6 +1,6 @@
 /*-
  * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2011 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2012 Dag-Erling Smørgrav
  * All rights reserved.
  *
  * This software was developed for the FreeBSD Project by ThinkSec AS and
@@ -32,13 +32,15 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_configure.c 500 2011-11-22 12:07:03Z des $
+ * $Id: openpam_configure.c 601 2012-04-14 20:37:45Z des $
  */
 
 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif
 
+#include <sys/param.h>
+
 #include <ctype.h>
 #include <errno.h>
 #include <stdio.h>
@@ -48,389 +50,183 @@
 #include <security/pam_appl.h>
 
 #include "openpam_impl.h"
-#include "openpam_strlcmp.h"
+#include "openpam_ctype.h"
+#include "openpam_strlcat.h"
+#include "openpam_strlcpy.h"
 
 static int openpam_load_chain(pam_handle_t *, const char *, pam_facility_t);
 
 /*
- * Evaluates to non-zero if the argument is a linear whitespace character.
- */
-#define is_lws(ch)				\
-	(ch == ' ' || ch == '\t')
-
-/*
- * Evaluates to non-zero if the argument is a printable ASCII character.
- * Assumes that the execution character set is a superset of ASCII.
- */
-#define is_p(ch) \
-	(ch >= '!' && ch <= '~')
-
-/*
- * Returns non-zero if the argument belongs to the POSIX Portable Filename
- * Character Set.  Assumes that the execution character set is a superset
- * of ASCII.
- */
-#define is_pfcs(ch)				\
-	((ch >= '0' && ch <= '9') ||		\
-	 (ch >= 'A' && ch <= 'Z') ||		\
-	 (ch >= 'a' && ch <= 'z') ||		\
-	 ch == '.' || ch == '_' || ch == '-')
-
-/*
- * Parse the service name.
- *
- * Returns the length of the service name, or 0 if the end of the string
- * was reached or a disallowed non-whitespace character was encountered.
+ * Validate a service name.
  *
- * If parse_service_name() is successful, it updates *service to point to
- * the first character of the service name and *line to point one
- * character past the end.  If it reaches the end of the string, it
- * updates *line to point to the terminating NUL character and leaves
- * *service unmodified.  In all other cases, it leaves both *line and
- * *service unmodified.
- *
- * Allowed characters are all characters in the POSIX portable filename
- * character set.
+ * Returns a non-zero value if the argument points to a NUL-terminated
+ * string consisting entirely of characters in the POSIX portable filename
+ * character set, excluding the path separator character.
  */
 static int
-parse_service_name(char **line, char **service)
+valid_service_name(const char *name)
 {
-	char *b, *e;
+	const char *p;
 
-	for (b = *line; *b && is_lws(*b); ++b)
-		/* nothing */ ;
-	if (!*b) {
-		*line = b;
-		return (0);
+	if (OPENPAM_FEATURE(RESTRICT_SERVICE_NAME)) {
+		/* path separator not allowed */
+		for (p = name; *p != '\0'; ++p)
+			if (!is_pfcs(*p))
+				return (0);
+	} else {
+		/* path separator allowed */
+		for (p = name; *p != '\0'; ++p)
+			if (!is_pfcs(*p) && *p != '/')
+				return (0);
 	}
-	for (e = b; *e && !is_lws(*e); ++e)
-		if (!is_pfcs(*e))
-			return (0);
-	if (e == b)
-		return (0);
-	*line = e;
-	*service = b;
-	return (e - b);
+	return (1);
 }
 
 /*
  * Parse the facility name.
  *
- * Returns the corresponding pam_facility_t value, or -1 if the end of the
- * string was reached, a disallowed non-whitespace character was
- * encountered, or the first word was not a recognized facility name.
- *
- * If parse_facility_name() is successful, it updates *line to point one
- * character past the end of the facility name.  If it reaches the end of
- * the string, it updates *line to point to the terminating NUL character.
- * In all other cases, it leaves *line unmodified.
+ * Returns the corresponding pam_facility_t value, or -1 if the argument
+ * is not a valid facility name.
  */
 static pam_facility_t
-parse_facility_name(char **line)
+parse_facility_name(const char *name)
 {
-	char *b, *e;
 	int i;
 
-	for (b = *line; *b && is_lws(*b); ++b)
-		/* nothing */ ;
-	if (!*b) {
-		*line = b;
-		return ((pam_facility_t)-1);
-	}
-	for (e = b; *e && !is_lws(*e); ++e)
-		/* nothing */ ;
-	if (e == b)
-		return ((pam_facility_t)-1);
 	for (i = 0; i < PAM_NUM_FACILITIES; ++i)
-		if (strlcmp(pam_facility_name[i], b, e - b) == 0)
-			break;
-	if (i == PAM_NUM_FACILITIES)
-		return ((pam_facility_t)-1);
-	*line = e;
-	return (i);
-}
-
-/*
- * Parse the word "include".
- *
- * If the next word on the line is "include", parse_include() updates
- * *line to point one character past "include" and returns 1.  Otherwise,
- * it leaves *line unmodified and returns 0.
- */
-static int
-parse_include(char **line)
-{
-	char *b, *e;
-
-	for (b = *line; *b && is_lws(*b); ++b)
-		/* nothing */ ;
-	if (!*b) {
-		*line = b;
-		return (-1);
-	}
-	for (e = b; *e && !is_lws(*e); ++e)
-		/* nothing */ ;
-	if (e == b)
-		return (0);
-	if (strlcmp("include", b, e - b) != 0)
-		return (0);
-	*line = e;
-	return (1);
+		if (strcmp(pam_facility_name[i], name) == 0)
+			return (i);
+	return ((pam_facility_t)-1);
 }
 
 /*
  * Parse the control flag.
  *
- * Returns the corresponding pam_control_t value, or -1 if the end of the
- * string was reached, a disallowed non-whitespace character was
- * encountered, or the first word was not a recognized control flag.
- *
- * If parse_control_flag() is successful, it updates *line to point one
- * character past the end of the control flag.  If it reaches the end of
- * the string, it updates *line to point to the terminating NUL character.
- * In all other cases, it leaves *line unmodified.
+ * Returns the corresponding pam_control_t value, or -1 if the argument is
+ * not a valid control flag name.
  */
 static pam_control_t
-parse_control_flag(char **line)
+parse_control_flag(const char *name)
 {
-	char *b, *e;
 	int i;
 
-	for (b = *line; *b && is_lws(*b); ++b)
-		/* nothing */ ;
-	if (!*b) {
-		*line = b;
-		return ((pam_control_t)-1);
-	}
-	for (e = b; *e && !is_lws(*e); ++e)
-		/* nothing */ ;
-	if (e == b)
-		return ((pam_control_t)-1);
 	for (i = 0; i < PAM_NUM_CONTROL_FLAGS; ++i)
-		if (strlcmp(pam_control_flag_name[i], b, e - b) == 0)
-			break;
-	if (i == PAM_NUM_CONTROL_FLAGS)
-		return ((pam_control_t)-1);
-	*line = e;
-	return (i);
+		if (strcmp(pam_control_flag_name[i], name) == 0)
+			return (i);
+	return ((pam_control_t)-1);
 }
 
 /*
- * Parse a file name.
- *
- * Returns the length of the file name, or 0 if the end of the string was
- * reached or a disallowed non-whitespace character was encountered.
+ * Validate a file name.
  *
- * If parse_filename() is successful, it updates *filename to point to the
- * first character of the filename and *line to point one character past
- * the end.  If it reaches the end of the string, it updates *line to
- * point to the terminating NUL character and leaves *filename unmodified.
- * In all other cases, it leaves both *line and *filename unmodified.
- *
- * Allowed characters are all characters in the POSIX portable filename
- * character set, plus the path separator (forward slash).
+ * Returns a non-zero value if the argument points to a NUL-terminated
+ * string consisting entirely of characters in the POSIX portable filename
+ * character set, including the path separator character.
  */
 static int
-parse_filename(char **line, char **filename)
+valid_module_name(const char *name)
 {
-	char *b, *e;
-
-	for (b = *line; *b && is_lws(*b); ++b)
-		/* nothing */ ;
-	if (!*b) {
-		*line = b;
-		return (0);
-	}
-	for (e = b; *e && !is_lws(*e); ++e)
-		if (!is_pfcs(*e) && *e != '/')
-			return (0);
-	if (e == b)
-		return (0);
-	*line = e;
-	*filename = b;
-	return (e - b);
-}
+	const char *p;
 
-/*
- * Parse an option.
- *
- * Returns a dynamically allocated string containing the next module
- * option, or NULL if the end of the string was reached or a disallowed
- * non-whitespace character was encountered.
- *
- * If parse_option() is successful, it updates *line to point one
- * character past the end of the option.  If it reaches the end of the
- * string, it updates *line to point to the terminating NUL character.  In
- * all other cases, it leaves *line unmodified.
- *
- * If parse_option() fails to allocate memory, it will return NULL and set
- * errno to a non-zero value.
- *
- * Allowed characters for option names are all characters in the POSIX
- * portable filename character set.  Allowed characters for option values
- * are any printable non-whitespace characters.  The option value may be
- * quoted in either single or double quotes, in which case space
- * characters and whichever quote character was not used are allowed.
- * Note that the entire value must be quoted, not just part of it.
- */
-static char *
-parse_option(char **line)
-{
-	char *nb, *ne, *vb, *ve;
-	unsigned char q = 0;
-	char *option;
-	size_t size;
-
-	errno = 0;
-	for (nb = *line; *nb && is_lws(*nb); ++nb)
-		/* nothing */ ;
-	if (!*nb) {
-		*line = nb;
-		return (NULL);
-	}
-	for (ne = nb; *ne && !is_lws(*ne) && *ne != '='; ++ne)
-		if (!is_pfcs(*ne))
-			return (NULL);
-	if (ne == nb)
-		return (NULL);
-	if (*ne == '=') {
-		vb = ne + 1;
-		if (*vb == '"' || *vb == '\'')
-			q = *vb++;
-		for (ve = vb;
-		     *ve && *ve != q && (is_p(*ve) || (q && is_lws(*ve)));
-		     ++ve)
-			/* nothing */ ;
-		if (q && *ve != q)
-			/* non-printable character or missing endquote */
-			return (NULL);
-		if (q && *(ve + 1) && !is_lws(*(ve + 1)))
-			/* garbage after value */
-			return (NULL);
+	if (OPENPAM_FEATURE(RESTRICT_MODULE_NAME)) {
+		/* path separator not allowed */
+		for (p = name; *p != '\0'; ++p)
+			if (!is_pfcs(*p))
+				return (0);
 	} else {
-		vb = ve = ne;
+		/* path separator allowed */
+		for (p = name; *p != '\0'; ++p)
+			if (!is_pfcs(*p) && *p != '/')
+				return (0);
 	}
-	size = (ne - nb) + 1;
-	if (ve > vb)
-		size += (ve - vb) + 1;
-	if ((option = malloc(size)) == NULL)
-		return (NULL);
-	strncpy(option, nb, ne - nb);
-	if (ve > vb) {
-		option[ne - nb] = '=';
-		strncpy(option + (ne - nb) + 1, vb, ve - vb);
-	}
-	option[size - 1] = '\0';
-	*line = q ? ve + 1 : ve;
-	return (option);
-}
-
-/*
- * Consume trailing whitespace.
- *
- * If there are no non-whitespace characters left on the line, parse_eol()
- * updates *line to point at the terminating NUL character and returns 0.
- * Otherwise, it leaves *line unmodified and returns a non-zero value.
- */
-static int
-parse_eol(char **line)
-{
-	char *p;
-
-	for (p = *line; *p && is_lws(*p); ++p)
-		/* nothing */ ;
-	if (*p)
-		return ((unsigned char)*p);
-	*line = p;
-	return (0);
+	return (1);
 }
 
 typedef enum { pam_conf_style, pam_d_style } openpam_style_t;
 
 /*
  * Extracts given chains from a policy file.
+ *
+ * Returns the number of policy entries which were found for the specified
+ * service and facility, or -1 if a system error occurred or a syntax
+ * error was encountered.
  */
 static int
 openpam_parse_chain(pam_handle_t *pamh,
 	const char *service,
 	pam_facility_t facility,
+	FILE *f,
 	const char *filename,
 	openpam_style_t style)
 {
 	pam_chain_t *this, **next;
 	pam_facility_t fclt;
 	pam_control_t ctlf;
-	char *line0, *line, *str, *name;
-	char *option, **optv;
-	int len, lineno, ret;
-	FILE *f;
+	char *name, *servicename, *modulename;
+	int count, lineno, ret, serrno;
+	char **wordv, *word;
+	int i, wordc;
 
-	if ((f = fopen(filename, "r")) == NULL) {
-		openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_NOTICE,
-		    "%s: %m", filename);
-		return (PAM_SUCCESS);
-	}
-	if (openpam_check_desc_owner_perms(filename, fileno(f)) != 0) {
-		fclose(f);
-		return (PAM_SYSTEM_ERR);
-	}
+	count = 0;
 	this = NULL;
 	name = NULL;
 	lineno = 0;
-	while ((line0 = line = openpam_readline(f, &lineno, NULL)) != NULL) {
-		/* get service name if necessary */
-		if (style == pam_conf_style) {
-			if ((len = parse_service_name(&line, &str)) == 0) {
-				openpam_log(PAM_LOG_NOTICE,
-				    "%s(%d): invalid service name (ignored)",
-				    filename, lineno);
-				FREE(line0);
-				continue;
-			}
-			if (strlcmp(service, str, len) != 0) {
-				FREE(line0);
-				continue;
-			}
+	wordc = 0;
+	wordv = NULL;
+	while ((wordv = openpam_readlinev(f, &lineno, &wordc)) != NULL) {
+		/* blank line? */
+		if (wordc == 0) {
+			FREEV(wordc, wordv);
+			continue;
 		}
+		i = 0;
 
-		/* get facility name */
-		if ((fclt = parse_facility_name(&line)) == (pam_facility_t)-1) {
+		/* check service name if necessary */
+		if (style == pam_conf_style &&
+		    strcmp(wordv[i++], service) != 0) {
+			FREEV(wordc, wordv);
+			continue;
+		}
+
+		/* check facility name */
+		if ((word = wordv[i++]) == NULL ||
+		    (fclt = parse_facility_name(word)) == (pam_facility_t)-1) {
 			openpam_log(PAM_LOG_ERROR,
 			    "%s(%d): missing or invalid facility",
 			    filename, lineno);
 			goto fail;
 		}
 		if (facility != fclt && facility != PAM_FACILITY_ANY) {
-			FREE(line0);
+			FREEV(wordc, wordv);
 			continue;
 		}
 
 		/* check for "include" */
-		if (parse_include(&line)) {
-			if ((len = parse_service_name(&line, &str)) == 0) {
+		if ((word = wordv[i++]) != NULL &&
+		    strcmp(word, "include") == 0) {
+			if ((servicename = wordv[i++]) == NULL ||
+			    !valid_service_name(servicename)) {
 				openpam_log(PAM_LOG_ERROR,
-				    "%s(%d): missing or invalid filename",
+				    "%s(%d): missing or invalid service name",
 				    filename, lineno);
 				goto fail;
 			}
-			if ((name = strndup(str, len)) == NULL)
-				goto syserr;
-			if (parse_eol(&line) != 0) {
+			if (wordv[i] != NULL) {
 				openpam_log(PAM_LOG_ERROR,
 				    "%s(%d): garbage at end of line",
 				    filename, lineno);
 				goto fail;
 			}
-			ret = openpam_load_chain(pamh, name, fclt);
-			FREE(name);
-			if (ret != PAM_SUCCESS)
+			ret = openpam_load_chain(pamh, servicename, fclt);
+			FREEV(wordc, wordv);
+			if (ret < 0)
 				goto fail;
-			FREE(line0);
 			continue;
 		}
 
 		/* get control flag */
-		if ((ctlf = parse_control_flag(&line)) == (pam_control_t)-1) {
+		if (word == NULL || /* same word we compared to "include" */
+		    (ctlf = parse_control_flag(word)) == (pam_control_t)-1) {
 			openpam_log(PAM_LOG_ERROR,
 			    "%s(%d): missing or invalid control flag",
 			    filename, lineno);
@@ -438,73 +234,76 @@ openpam_parse_chain(pam_handle_t *pamh,
 		}
 
 		/* get module name */
-		if ((len = parse_filename(&line, &str)) == 0) {
+		if ((modulename = wordv[i++]) == NULL ||
+		    !valid_module_name(modulename)) {
 			openpam_log(PAM_LOG_ERROR,
 			    "%s(%d): missing or invalid module name",
 			    filename, lineno);
 			goto fail;
 		}
-		if ((name = strndup(str, len)) == NULL)
-			goto syserr;
 
 		/* allocate new entry */
 		if ((this = calloc(1, sizeof *this)) == NULL)
 			goto syserr;
 		this->flag = ctlf;
 
-		/* get module options */
-		if ((this->optv = malloc(sizeof *optv)) == NULL)
-			goto syserr;
-		this->optc = 0;
-		while ((option = parse_option(&line)) != NULL) {
-			optv = realloc(this->optv,
-			    (this->optc + 2) * sizeof *optv);
-			if (optv == NULL)
-				goto syserr;
-			this->optv = optv;
-			this->optv[this->optc++] = option;
-		}
-		this->optv[this->optc] = NULL;
-		if (*line != '\0') {
-			openpam_log(PAM_LOG_ERROR,
-			    "%s(%d): syntax error in module options",
-			    filename, lineno);
-			goto fail;
-		}
-
 		/* load module */
-		this->module = openpam_load_module(name);
-		FREE(name);
-		if (this->module == NULL)
+		if ((this->module = openpam_load_module(modulename)) == NULL)
 			goto fail;
 
+		/*
+		 * The remaining items in wordv are the module's
+		 * arguments.  We could set this->optv = wordv + i, but
+		 * then free(this->optv) wouldn't work.  Instead, we free
+		 * the words we've already consumed, shift the rest up,
+		 * and clear the tail end of the array.
+		 */
+		this->optc = wordc - i;
+		for (i = 0; i < wordc - this->optc; ++i) {
+			FREE(wordv[i]);
+			wordv[i] = wordv[wordc - this->optc + i];
+			wordv[wordc - this->optc + i] = NULL;
+		}
+		this->optv = wordv;
+		wordv = NULL;
+		wordc = 0;
+
 		/* hook it up */
 		for (next = &pamh->chains[fclt]; *next != NULL;
 		     next = &(*next)->next)
 			/* nothing */ ;
 		*next = this;
 		this = NULL;
-
-		/* next please... */
-		FREE(line0);
+		++count;
 	}
-	if (!feof(f))
+	/*
+	 * The loop ended because openpam_readword() returned NULL, which
+	 * can happen for four different reasons: an I/O error (ferror(f)
+	 * is true), a memory allocation failure (ferror(f) is false,
+	 * errno is non-zero)
+	 */
+	if (ferror(f) || errno != 0)
 		goto syserr;
+	if (!feof(f))
+		goto fail;
 	fclose(f);
-	return (PAM_SUCCESS);
+	return (count);
 syserr:
+	serrno = errno;
 	openpam_log(PAM_LOG_ERROR, "%s: %m", filename);
+	errno = serrno;
+	/* fall through */
 fail:
-	if (this && this->optc) {
-		while (this->optc--)
-			FREE(this->optv[this->optc]);
-		FREE(this->optv);
-	}
+	serrno = errno;
+	if (this && this->optc && this->optv)
+		FREEV(this->optc, this->optv);
 	FREE(this);
-	FREE(line0);
+	FREEV(wordc, wordv);
+	FREE(wordv);
 	FREE(name);
 	fclose(f);
-	return (PAM_SYSTEM_ERR);
+	errno = serrno;
+	return (-1);
 }
 
 static const char *openpam_policy_path[] = {
@@ -516,44 +315,110 @@ static const char *openpam_policy_path[] = {
 };
 
 /*
+ * Read the specified chains from the specified file.
+ *
+ * Returns 0 if the file exists but does not contain any matching lines.
+ *
+ * Returns -1 and sets errno to ENOENT if the file does not exist.
+ *
+ * Returns -1 and sets errno to some other non-zero value if the file
+ * exists but is unsafe or unreadable, or an I/O error occurs.
+ */
+static int
+openpam_load_file(pam_handle_t *pamh,
+	const char *service,
+	pam_facility_t facility,
+	const char *filename,
+	openpam_style_t style)
+{
+	FILE *f;
+	int ret, serrno;
+
+	/* attempt to open the file */
+	if ((f = fopen(filename, "r")) == NULL) {
+		serrno = errno;
+		openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_ERROR,
+		    "%s: %m", filename);
+		errno = serrno;
+		RETURNN(-1);
+	} else {
+		openpam_log(PAM_LOG_DEBUG, "found %s", filename);
+	}
+
+	/* verify type, ownership and permissions */
+	if (OPENPAM_FEATURE(VERIFY_POLICY_FILE) &&
+	    openpam_check_desc_owner_perms(filename, fileno(f)) != 0) {
+		/* already logged the cause */
+		serrno = errno;
+		fclose(f);
+		errno = serrno;
+		RETURNN(-1);
+	}
+
+	/* parse the file */
+	ret = openpam_parse_chain(pamh, service, facility,
+	    f, filename, style);
+	RETURNN(ret);
+}
+
+/*
  * Locates the policy file for a given service and reads the given chains
  * from it.
+ *
+ * Returns the number of policy entries which were found for the specified
+ * service and facility, or -1 if a system error occurred or a syntax
+ * error was encountered.
  */
 static int
 openpam_load_chain(pam_handle_t *pamh,
 	const char *service,
 	pam_facility_t facility)
 {
-	const char **path;
-	char *filename;
+	const char *p, **path;
+	char filename[PATH_MAX];
 	size_t len;
+	openpam_style_t style;
 	int ret;
 
-	/* don't allow to escape from policy_path */
-	if (strchr(service, '/')) {
-		openpam_log(PAM_LOG_ERROR, "invalid service name: %s",
-		    service);
-		return (-PAM_SYSTEM_ERR);
+	ENTERS(facility < 0 ? "any" : pam_facility_name[facility]);
+
+	/* either absolute or relative to cwd */
+	if (strchr(service, '/') != NULL) {
+		if ((p = strrchr(service, '.')) != NULL && strcmp(p, ".conf") == 0)
+			style = pam_conf_style;
+		else
+			style = pam_d_style;
+		ret = openpam_load_file(pamh, service, facility,
+		    service, style);
+		RETURNN(ret);
 	}
 
+	/* search standard locations */
 	for (path = openpam_policy_path; *path != NULL; ++path) {
-		len = strlen(*path);
-		if ((*path)[len - 1] == '/') {
-			if (asprintf(&filename, "%s%s", *path, service) < 0) {
-				openpam_log(PAM_LOG_ERROR, "asprintf(): %m");
-				return (PAM_BUF_ERR);
+		/* construct filename */
+		len = strlcpy(filename, *path, sizeof filename);
+		if (filename[len - 1] == '/') {
+			len = strlcat(filename, service, sizeof filename);
+			if (len >= sizeof filename) {
+				errno = ENAMETOOLONG;
+				RETURNN(-1);
 			}
-			ret = openpam_parse_chain(pamh, service, facility,
-			    filename, pam_d_style);
-			FREE(filename);
+			style = pam_d_style;
 		} else {
-			ret = openpam_parse_chain(pamh, service, facility,
-			    *path, pam_conf_style);
+			style = pam_conf_style;
 		}
-		if (ret != PAM_SUCCESS)
-			return (ret);
+		ret = openpam_load_file(pamh, service, facility,
+		    filename, style);
+		/* the file exists, but an error occurred */
+		if (ret == -1 && errno != ENOENT)
+			RETURNN(ret);
+		/* in pam.d style, an empty file counts as a hit */
+		if (ret == 0 && style == pam_d_style)
+			RETURNN(ret);
 	}
-	return (PAM_SUCCESS);
+
+	/* no hit */
+	RETURNN(0);
 }
 
 /*
@@ -567,25 +432,27 @@ openpam_configure(pam_handle_t *pamh,
 	const char *service)
 {
 	pam_facility_t fclt;
-	const char *p;
+	int serrno;
 
-	for (p = service; *p; ++p)
-		if (!is_pfcs(*p))
-			return (PAM_SYSTEM_ERR);
-
-	if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) != PAM_SUCCESS)
+	ENTERS(service);
+	if (!valid_service_name(service)) {
+		openpam_log(PAM_LOG_ERROR, "invalid service name");
+		RETURNC(PAM_SYSTEM_ERR);
+	}
+	if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0)
 		goto load_err;
-
 	for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
 		if (pamh->chains[fclt] != NULL)
 			continue;
-		if (openpam_load_chain(pamh, PAM_OTHER, fclt) != PAM_SUCCESS)
+		if (openpam_load_chain(pamh, PAM_OTHER, fclt) < 0)
 			goto load_err;
 	}
-	return (PAM_SUCCESS);
+	RETURNC(PAM_SUCCESS);
 load_err:
+	serrno = errno;
 	openpam_clear_chains(pamh->chains);
-	return (PAM_SYSTEM_ERR);
+	errno = serrno;
+	RETURNC(PAM_SYSTEM_ERR);
 }
 
 /*
diff --git a/contrib/openpam/lib/openpam_constants.h b/contrib/openpam/lib/openpam_constants.h
index b923179..a7d6ce8 100644
--- a/contrib/openpam/lib/openpam_constants.h
+++ b/contrib/openpam/lib/openpam_constants.h
@@ -11,6 +11,9 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -24,11 +27,11 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_constants.h 491 2011-11-12 00:12:32Z des $
+ * $Id: openpam_constants.h 606 2012-04-20 11:06:38Z des $
  */
 
-#ifndef OPENPAM_CONSTANTS_INCLUDED
-#define OPENPAM_CONSTANTS_INCLUDED
+#ifndef OPENPAM_CONSTANTS_H_INCLUDED
+#define OPENPAM_CONSTANTS_H_INCLUDED
 
 extern const char *pam_err_name[PAM_NUM_ERRORS];
 extern const char *pam_item_name[PAM_NUM_ITEMS];
diff --git a/contrib/openpam/lib/openpam_ctype.h b/contrib/openpam/lib/openpam_ctype.h
new file mode 100644
index 0000000..b3ec846
--- /dev/null
+++ b/contrib/openpam/lib/openpam_ctype.h
@@ -0,0 +1,68 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: openpam_ctype.h 578 2012-04-06 00:45:59Z des $
+ */
+
+#ifndef OPENPAM_CTYPE_H_INCLUDED
+#define OPENPAM_CTYPE_H_INCLUDED
+
+/*
+ * Evaluates to non-zero if the argument is a linear whitespace character.
+ * For the purposes of this macro, the definition of linear whitespace is
+ * extended to include the form feed and carraige return characters.
+ */
+#define is_lws(ch)				\
+	(ch == ' ' || ch == '\t' || ch == '\f' || ch == '\r')
+
+/*
+ * Evaluates to non-zero if the argument is a whitespace character.
+ */
+#define is_ws(ch)				\
+	(is_lws(ch) || ch == '\n')
+
+/*
+ * Evaluates to non-zero if the argument is a printable ASCII character.
+ * Assumes that the execution character set is a superset of ASCII.
+ */
+#define is_p(ch) \
+	(ch >= '!' && ch <= '~')
+
+/*
+ * Returns non-zero if the argument belongs to the POSIX Portable Filename
+ * Character Set.  Assumes that the execution character set is a superset
+ * of ASCII.
+ */
+#define is_pfcs(ch)				\
+	((ch >= '0' && ch <= '9') ||		\
+	 (ch >= 'A' && ch <= 'Z') ||		\
+	 (ch >= 'a' && ch <= 'z') ||		\
+	 ch == '.' || ch == '_' || ch == '-')
+
+#endif
diff --git a/contrib/openpam/lib/openpam_debug.h b/contrib/openpam/lib/openpam_debug.h
index ef2884d..050783e 100644
--- a/contrib/openpam/lib/openpam_debug.h
+++ b/contrib/openpam/lib/openpam_debug.h
@@ -32,60 +32,68 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_debug.h 491 2011-11-12 00:12:32Z des $
+ * $Id: openpam_debug.h 606 2012-04-20 11:06:38Z des $
  */
 
-#ifndef OPENPAM_DEBUG_INCLUDED
-#define OPENPAM_DEBUG_INCLUDED
+#ifndef OPENPAM_DEBUG_H_INCLUDED
+#define OPENPAM_DEBUG_H_INCLUDED
 
 #ifdef OPENPAM_DEBUG
-#define ENTER() openpam_log(PAM_LOG_DEBUG, "entering")
+#define ENTER() openpam_log(PAM_LOG_LIBDEBUG, "entering")
 #define ENTERI(i) do { \
 	int i_ = (i); \
 	if (i_ > 0 && i_ < PAM_NUM_ITEMS) \
-		openpam_log(PAM_LOG_DEBUG, "entering: %s", pam_item_name[i_]); \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: %s", pam_item_name[i_]); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "entering: %d", i_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", i_); \
 } while (0)
 #define ENTERN(n) do { \
 	int n_ = (n); \
-	openpam_log(PAM_LOG_DEBUG, "entering: %d", n_); \
+	openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", n_); \
 } while (0)
 #define ENTERS(s) do { \
 	const char *s_ = (s); \
 	if (s_ == NULL) \
-		openpam_log(PAM_LOG_DEBUG, "entering: NULL"); \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: NULL"); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "entering: '%s'", s_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: '%s'", s_); \
 } while (0)
-#define	RETURNV() openpam_log(PAM_LOG_DEBUG, "returning")
+#define ENTERF(f) do { \
+	int f_ = (f); \
+	if (f_ >= 0 && f_ <= OPENPAM_NUM_FEATURES) \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: %s", \
+		    openpam_features[f_].name); \
+	else \
+		openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", f_); \
+} while (0)
+#define	RETURNV() openpam_log(PAM_LOG_LIBDEBUG, "returning")
 #define RETURNC(c) do { \
 	int c_ = (c); \
 	if (c_ >= 0 && c_ < PAM_NUM_ERRORS) \
-		openpam_log(PAM_LOG_DEBUG, "returning %s", pam_err_name[c_]); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning %s", pam_err_name[c_]); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "returning %d!", c_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning %d!", c_); \
 	return (c_); \
 } while (0)
 #define	RETURNN(n) do { \
 	int n_ = (n); \
-	openpam_log(PAM_LOG_DEBUG, "returning %d", n_); \
+	openpam_log(PAM_LOG_LIBDEBUG, "returning %d", n_); \
 	return (n_); \
 } while (0)
 #define	RETURNP(p) do { \
-	const void *p_ = (p); \
+	void *p_ = (p); \
 	if (p_ == NULL) \
-		openpam_log(PAM_LOG_DEBUG, "returning NULL"); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning NULL"); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "returning %p", p_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning %p", p_); \
 	return (p_); \
 } while (0)
 #define	RETURNS(s) do { \
 	const char *s_ = (s); \
 	if (s_ == NULL) \
-		openpam_log(PAM_LOG_DEBUG, "returning NULL"); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning NULL"); \
 	else \
-		openpam_log(PAM_LOG_DEBUG, "returning '%s'", s_); \
+		openpam_log(PAM_LOG_LIBDEBUG, "returning '%s'", s_); \
 	return (s_); \
 } while (0)
 #else
@@ -93,6 +101,7 @@
 #define ENTERI(i)
 #define ENTERN(n)
 #define ENTERS(s)
+#define ENTERF(f)
 #define RETURNV() return
 #define RETURNC(c) return (c)
 #define RETURNN(n) return (n)
diff --git a/contrib/openpam/lib/openpam_dynamic.c b/contrib/openpam/lib/openpam_dynamic.c
index d44174f..1dfc1ac 100644
--- a/contrib/openpam/lib/openpam_dynamic.c
+++ b/contrib/openpam/lib/openpam_dynamic.c
@@ -32,7 +32,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_dynamic.c 502 2011-12-18 13:59:22Z des $
+ * $Id: openpam_dynamic.c 607 2012-04-20 11:09:37Z des $
  */
 
 #ifdef HAVE_CONFIG_H
@@ -40,6 +40,7 @@
 #endif
 
 #include <dlfcn.h>
+#include <fcntl.h>
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -60,15 +61,50 @@
  * Perform sanity checks and attempt to load a module
  */
 
+#ifdef HAVE_FDLOPEN
 static void *
 try_dlopen(const char *modfn)
 {
+	void *dlh;
+	int fd;
 
-	if (openpam_check_path_owner_perms(modfn) != 0)
+	if ((fd = open(modfn, O_RDONLY)) < 0)
+		return (NULL);
+	if (OPENPAM_FEATURE(VERIFY_MODULE_FILE) &&
+	    openpam_check_desc_owner_perms(modfn, fd) != 0) {
+		close(fd);
+		return (NULL);
+	}
+	if ((dlh = fdlopen(fd, RTLD_NOW)) == NULL) {
+		openpam_log(PAM_LOG_ERROR, "%s: %s", modfn, dlerror());
+		close(fd);
+		errno = 0;
+		return (NULL);
+	}
+	close(fd);
+	return (dlh);
+}
+#else
+static void *
+try_dlopen(const char *modfn)
+{
+	int check_module_file;
+	void *dlh;
+
+	openpam_get_feature(OPENPAM_VERIFY_MODULE_FILE,
+	    &check_module_file);
+	if (check_module_file &&
+	    openpam_check_path_owner_perms(modfn) != 0)
+		return (NULL);
+	if ((dlh = dlopen(modfn, RTLD_NOW)) == NULL) {
+		openpam_log(PAM_LOG_ERROR, "%s: %s", modfn, dlerror());
+		errno = 0;
 		return (NULL);
-	return (dlopen(modfn, RTLD_NOW));
+	}
+	return (dlh);
 }
-    
+#endif
+
 /*
  * OpenPAM internal
  *
@@ -100,9 +136,6 @@ openpam_dynamic(const char *path)
 		*strrchr(vpath, '.') = '\0';
 		dlh = try_dlopen(vpath);
 	}
-	serrno = errno;
-	FREE(vpath);
-	errno = serrno;
 	if (dlh == NULL)
 		goto err;
 	if ((module = calloc(1, sizeof *module)) == NULL)
@@ -112,19 +145,41 @@ openpam_dynamic(const char *path)
 	module->dlh = dlh;
 	dlmodule = dlsym(dlh, "_pam_module");
 	for (i = 0; i < PAM_NUM_PRIMITIVES; ++i) {
-		module->func[i] = dlmodule ? dlmodule->func[i] :
-		    (pam_func_t)dlsym(dlh, pam_sm_func_name[i]);
-		if (module->func[i] == NULL)
-			openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
-			    path, pam_sm_func_name[i], dlerror());
+		if (dlmodule) {
+			module->func[i] = dlmodule->func[i];
+		} else {
+			module->func[i] =
+			    (pam_func_t)dlsym(dlh, pam_sm_func_name[i]);
+			/*
+			 * This openpam_log() call is a major source of
+			 * log spam, and the cases that matter are caught
+			 * and logged in openpam_dispatch().  This would
+			 * be less problematic if dlerror() returned an
+			 * error code so we could log an error only when
+			 * dlsym() failed for a reason other than "no such
+			 * symbol".
+			 */
+#if 0
+			if (module->func[i] == NULL)
+				openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
+				    path, pam_sm_func_name[i], dlerror());
+#endif
+		}
 	}
+	FREE(vpath);
 	return (module);
 buf_err:
+	serrno = errno;
 	if (dlh != NULL)
 		dlclose(dlh);
 	FREE(module);
+	errno = serrno;
 err:
-	openpam_log(PAM_LOG_ERROR, "%m");
+	serrno = errno;
+	if (errno != 0)
+		openpam_log(PAM_LOG_ERROR, "%s: %m", vpath);
+	FREE(vpath);
+	errno = serrno;
 	return (NULL);
 }
 
diff --git a/contrib/openpam/lib/openpam_features.c b/contrib/openpam/lib/openpam_features.c
new file mode 100644
index 0000000..586fc2a
--- /dev/null
+++ b/contrib/openpam/lib/openpam_features.c
@@ -0,0 +1,69 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: openpam_features.c 608 2012-05-17 16:00:13Z des $
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+#define STRUCT_OPENPAM_FEATURE(name, descr, dflt)	\
+	[OPENPAM_##name] = {				\
+		"OPENPAM_" #name,			\
+		descr,					\
+		dflt					\
+	}
+
+struct openpam_feature openpam_features[OPENPAM_NUM_FEATURES] = {
+	STRUCT_OPENPAM_FEATURE(
+	    RESTRICT_SERVICE_NAME,
+	    "Disallow path separators in service names",
+	    1
+	),
+	STRUCT_OPENPAM_FEATURE(
+	    VERIFY_POLICY_FILE,
+	    "Verify ownership and permissions of policy files",
+	    1
+	),
+	STRUCT_OPENPAM_FEATURE(
+	    RESTRICT_MODULE_NAME,
+	    "Disallow path separators in module names",
+	    0
+	),
+	STRUCT_OPENPAM_FEATURE(
+	    VERIFY_MODULE_FILE,
+	    "Verify ownership and permissions of module files",
+	    1
+	),
+};
diff --git a/contrib/openpam/lib/openpam_features.h b/contrib/openpam/lib/openpam_features.h
new file mode 100644
index 0000000..227b1a9
--- /dev/null
+++ b/contrib/openpam/lib/openpam_features.h
@@ -0,0 +1,48 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#ifndef OPENPAM_FEATURES_H_INCLUDED
+#define OPENPAM_FEATURES_H_INCLUDED
+
+struct openpam_feature {
+	const char *name;
+	const char *desc;
+	int onoff;
+};
+
+extern struct openpam_feature openpam_features[OPENPAM_NUM_FEATURES];
+
+/* shortcut for internal use */
+#define OPENPAM_FEATURE(f) \
+	openpam_features[OPENPAM_##f].onoff
+
+#endif
diff --git a/contrib/openpam/lib/openpam_get_feature.c b/contrib/openpam/lib/openpam_get_feature.c
new file mode 100644
index 0000000..b552357
--- /dev/null
+++ b/contrib/openpam/lib/openpam_get_feature.c
@@ -0,0 +1,99 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: openpam_get_feature.c 608 2012-05-17 16:00:13Z des $
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+#include "openpam_impl.h"
+
+/*
+ * OpenPAM extension
+ *
+ * Query the state of an optional feature.
+ */
+
+int
+openpam_get_feature(int feature, int *onoff)
+{
+
+	ENTERF(feature);
+	if (feature < 0 || feature >= OPENPAM_NUM_FEATURES)
+		RETURNC(PAM_SYMBOL_ERR);
+	*onoff = openpam_features[feature].onoff;
+	RETURNC(PAM_SUCCESS);
+}
+
+/*
+ * Error codes:
+ *
+ *	PAM_SYMBOL_ERR
+ */
+
+/**
+ * EXPERIMENTAL
+ *
+ * The =openpam_get_feature function stores the current state of the
+ * specified feature in the variable pointed to by its =onoff argument.
+ *
+ * The following features are recognized:
+ *
+ *	=OPENPAM_RESTRICT_SERVICE_NAME:
+ *		Disallow path separators in service names.
+ *		This feature is enabled by default.
+ *		Disabling it allows the application to specify the path to
+ *		the desired policy file directly.
+ *
+ *	=OPENPAM_VERIFY_POLICY_FILE:
+ *		Verify the ownership and permissions of the policy file
+ *		and the path leading up to it.
+ *		This feature is enabled by default.
+ *
+ *	=OPENPAM_RESTRICT_MODULE_NAME:
+ *		Disallow path separators in module names.
+ *		This feature is disabled by default.
+ *		Enabling it prevents the use of modules in non-standard
+ *		locations.
+ *
+ *	=OPENPAM_VERIFY_MODULE_FILE:
+ *		Verify the ownership and permissions of each loadable
+ *		module and the path leading up to it.
+ *		This feature is enabled by default.
+ *
+ *
+ * >openpam_set_feature
+ *
+ * AUTHOR DES
+ */
diff --git a/contrib/openpam/lib/openpam_get_option.c b/contrib/openpam/lib/openpam_get_option.c
index b5faa87..1f62d21 100644
--- a/contrib/openpam/lib/openpam_get_option.c
+++ b/contrib/openpam/lib/openpam_get_option.c
@@ -32,7 +32,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_get_option.c 482 2011-11-03 16:33:02Z des $
+ * $Id: openpam_get_option.c 531 2012-03-31 14:24:37Z des $
  */
 
 #ifdef HAVE_CONFIG_H
@@ -44,7 +44,6 @@
 #include <string.h>
 
 #include <security/pam_appl.h>
-#include <security/openpam.h>
 
 #include "openpam_impl.h"
 
diff --git a/contrib/openpam/lib/openpam_impl.h b/contrib/openpam/lib/openpam_impl.h
index ba4d455..9e8b45f 100644
--- a/contrib/openpam/lib/openpam_impl.h
+++ b/contrib/openpam/lib/openpam_impl.h
@@ -32,7 +32,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_impl.h 499 2011-11-22 11:51:50Z des $
+ * $Id: openpam_impl.h 594 2012-04-14 14:18:41Z des $
  */
 
 #ifndef OPENPAM_IMPL_H_INCLUDED
@@ -157,9 +157,23 @@ pam_module_t	*openpam_static(const char *);
 #endif
 pam_module_t	*openpam_dynamic(const char *);
 
-#define	FREE(p) do { free((p)); (p) = NULL; } while (0)
+#define	FREE(p)					\
+	do {					\
+		free(p);			\
+		(p) = NULL;			\
+	} while (0)
+
+#define FREEV(c, v)				\
+	do {					\
+		while (c) {			\
+			--(c);			\
+			FREE((v)[(c)]);		\
+		}				\
+		FREE(v);			\
+	} while (0)
 
 #include "openpam_constants.h"
 #include "openpam_debug.h"
+#include "openpam_features.h"
 
 #endif
diff --git a/contrib/openpam/lib/openpam_load.c b/contrib/openpam/lib/openpam_load.c
index 0eb8ea7..871d1a8 100644
--- a/contrib/openpam/lib/openpam_load.c
+++ b/contrib/openpam/lib/openpam_load.c
@@ -32,7 +32,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_load.c 491 2011-11-12 00:12:32Z des $
+ * $Id: openpam_load.c 547 2012-04-01 15:01:21Z des $
  */
 
 #ifdef HAVE_CONFIG_H
@@ -108,9 +108,7 @@ openpam_destroy_chain(pam_chain_t *chain)
 		return;
 	openpam_destroy_chain(chain->next);
 	chain->next = NULL;
-	while (chain->optc--)
-		FREE(chain->optv[chain->optc]);
-	FREE(chain->optv);
+	FREEV(chain->optc, chain->optv);
 	openpam_release_module(chain->module);
 	chain->module = NULL;
 	FREE(chain);
diff --git a/contrib/openpam/lib/openpam_log.c b/contrib/openpam/lib/openpam_log.c
index 9e3d28b..2b89f6c 100644
--- a/contrib/openpam/lib/openpam_log.c
+++ b/contrib/openpam/lib/openpam_log.c
@@ -32,18 +32,17 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_log.c 437 2011-09-13 12:00:13Z des $
+ * $Id: openpam_log.c 544 2012-03-31 22:47:15Z des $
  */
 
 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif
 
-#include <ctype.h>
+#include <errno.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 #include <syslog.h>
 
 #include <security/pam_appl.h>
@@ -71,6 +70,7 @@ openpam_log(int level, const char *fmt, ...)
 	int priority;
 
 	switch (level) {
+	case PAM_LOG_LIBDEBUG:
 	case PAM_LOG_DEBUG:
 		if (!openpam_debug)
 			return;
@@ -100,8 +100,10 @@ _openpam_log(int level, const char *func, const char *fmt, ...)
 	va_list ap;
 	char *format;
 	int priority;
+	int serrno;
 
 	switch (level) {
+	case PAM_LOG_LIBDEBUG:
 	case PAM_LOG_DEBUG:
 		if (!openpam_debug)
 			return;
@@ -119,10 +121,13 @@ _openpam_log(int level, const char *func, const char *fmt, ...)
 		break;
 	}
 	va_start(ap, fmt);
+	serrno = errno;
 	if (asprintf(&format, "in %s(): %s", func, fmt) > 0) {
+		errno = serrno;
 		vsyslog(priority, format, ap);
 		FREE(format);
 	} else {
+		errno = serrno;
 		vsyslog(priority, fmt, ap);
 	}
 	va_end(ap);
@@ -137,6 +142,9 @@ _openpam_log(int level, const char *func, const char *fmt, ...)
  * The =level argument indicates the importance of the message.
  * The following levels are defined:
  *
+ *	=PAM_LOG_LIBDEBUG:
+ *		Debugging messages.
+ *		For internal use only.
  *	=PAM_LOG_DEBUG:
  *		Debugging messages.
  *		These messages are normally not logged unless the global
diff --git a/contrib/openpam/lib/openpam_readline.c b/contrib/openpam/lib/openpam_readline.c
index 9cc8cc1..014acfb 100644
--- a/contrib/openpam/lib/openpam_readline.c
+++ b/contrib/openpam/lib/openpam_readline.c
@@ -32,7 +32,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_readline.c 473 2011-11-03 10:48:25Z des $
+ * $Id: openpam_readline.c 596 2012-04-14 14:52:40Z des $
  */
 
 #ifdef HAVE_CONFIG_H
@@ -44,6 +44,7 @@
 #include <stdlib.h>
 
 #include <security/pam_appl.h>
+
 #include "openpam_impl.h"
 
 #define MIN_LINE_LENGTH 128
@@ -61,22 +62,11 @@ openpam_readline(FILE *f, int *lineno, size_t *lenp)
 	size_t len, size;
 	int ch;
 
-	if ((line = malloc(MIN_LINE_LENGTH)) == NULL)
+	if ((line = malloc(size = MIN_LINE_LENGTH)) == NULL) {
+		openpam_log(PAM_LOG_ERROR, "malloc(): %m");
 		return (NULL);
-	size = MIN_LINE_LENGTH;
+	}
 	len = 0;
-
-#define line_putch(ch) do { \
-	if (len >= size - 1) { \
-		char *tmp = realloc(line, size *= 2); \
-		if (tmp == NULL) \
-			goto fail; \
-		line = tmp; \
-	} \
-	line[len++] = ch; \
-	line[len] = '\0'; \
-} while (0)
-
 	for (;;) {
 		ch = fgetc(f);
 		/* strip comment */
@@ -105,26 +95,15 @@ openpam_readline(FILE *f, int *lineno, size_t *lenp)
 			/* done */
 			break;
 		}
-		/* whitespace */
-		if (isspace(ch)) {
-			/* ignore leading whitespace */
-			/* collapse linear whitespace */
-			if (len > 0 && line[len - 1] != ' ')
-				line_putch(' ');
-			continue;
-		}
 		/* anything else */
-		line_putch(ch);
+		if (openpam_straddch(&line, &size, &len, ch) != 0)
+			goto fail;
 	}
-
-	/* remove trailing whitespace */
-	while (len > 0 && isspace((unsigned char)line[len - 1]))
-		--len;
-	line[len] = '\0';
 	if (len == 0)
 		goto fail;
 	if (lenp != NULL)
 		*lenp = len;
+	openpam_log(PAM_LOG_LIBDEBUG, "returning '%s'", line);
 	return (line);
 fail:
 	FREE(line);
@@ -132,16 +111,18 @@ fail:
 }
 
 /**
+ * DEPRECATED openpam_readlinev
+ *
  * The =openpam_readline function reads a line from a file, and returns it
- * in a NUL-terminated buffer allocated with =malloc.
+ * in a NUL-terminated buffer allocated with =!malloc.
  *
  * The =openpam_readline function performs a certain amount of processing
  * on the data it reads:
  *
- *  - Comments (introduced by a hash sign) are stripped, as is leading and
- *    trailing whitespace.
- *  - Any amount of linear whitespace is collapsed to a single space.
+ *  - Comments (introduced by a hash sign) are stripped.
+ *
  *  - Blank lines are ignored.
+ *
  *  - If a line ends in a backslash, the backslash is stripped and the
  *    next line is appended.
  *
@@ -152,5 +133,8 @@ fail:
  * terminating NUL character) is stored in the variable it points to.
  *
  * The caller is responsible for releasing the returned buffer by passing
- * it to =free.
+ * it to =!free.
+ *
+ * >openpam_readlinev
+ * >openpam_readword
  */
diff --git a/contrib/openpam/lib/openpam_readlinev.c b/contrib/openpam/lib/openpam_readlinev.c
new file mode 100644
index 0000000..5a43b61
--- /dev/null
+++ b/contrib/openpam/lib/openpam_readlinev.c
@@ -0,0 +1,156 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: openpam_readlinev.c 588 2012-04-08 11:52:25Z des $
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+#define MIN_WORDV_SIZE	32
+
+/*
+ * OpenPAM extension
+ *
+ * Read a line from a file and split it into words.
+ */
+
+char **
+openpam_readlinev(FILE *f, int *lineno, int *lenp)
+{
+	char *word, **wordv, **tmp;
+	size_t wordlen, wordvsize;
+	int ch, serrno, wordvlen;
+
+	wordvsize = MIN_WORDV_SIZE;
+	wordvlen = 0;
+	if ((wordv = malloc(wordvsize * sizeof *wordv)) == NULL) {
+		openpam_log(PAM_LOG_ERROR, "malloc(): %m");
+		errno = ENOMEM;
+		return (NULL);
+	}
+	wordv[wordvlen] = NULL;
+	while ((word = openpam_readword(f, lineno, &wordlen)) != NULL) {
+		if ((unsigned int)wordvlen + 1 >= wordvsize) {
+			/* need to expand the array */
+			wordvsize *= 2;
+			tmp = realloc(wordv, wordvsize * sizeof *wordv);
+			if (tmp == NULL) {
+				openpam_log(PAM_LOG_ERROR, "malloc(): %m");
+				errno = ENOMEM;
+				break;
+			}
+			wordv = tmp;
+		}
+		/* insert our word */
+		wordv[wordvlen++] = word;
+		wordv[wordvlen] = NULL;
+	}
+	if (errno != 0) {
+		/* I/O error or out of memory */
+		serrno = errno;
+		while (wordvlen--)
+			free(wordv[wordvlen]);
+		free(wordv);
+		errno = serrno;
+		return (NULL);
+	}
+	/* assert(!ferror(f)) */
+	ch = fgetc(f);
+	/* assert(ch == EOF || ch == '\n') */
+	if (ch == EOF && wordvlen == 0) {
+		free(wordv);
+		return (NULL);
+	}
+	if (ch == '\n' && lineno != NULL)
+		++*lineno;
+	if (lenp != NULL)
+		*lenp = wordvlen;
+	return (wordv);
+}
+
+/**
+ * The =openpam_readlinev function reads a line from a file, splits it
+ * into words according to the rules described in the =openpam_readword
+ * manual page, and returns a list of those words.
+ *
+ * If =lineno is not =NULL, the integer variable it points to is
+ * incremented every time a newline character is read.
+ * This includes quoted or escaped newline characters and the newline
+ * character at the end of the line.
+ *
+ * If =lenp is not =NULL, the number of words on the line is stored in the
+ * variable to which it points.
+ *
+ * RETURN VALUES
+ *
+ * If successful, the =openpam_readlinev function returns a pointer to a
+ * dynamically allocated array of pointers to individual dynamically
+ * allocated NUL-terminated strings, each containing a single word, in the
+ * order in which they were encountered on the line.
+ * The array is terminated by a =NULL pointer.
+ *
+ * The caller is responsible for freeing both the array and the individual
+ * strings by passing each of them to =!free.
+ *
+ * If the end of the line was reached before any words were read,
+ * =openpam_readlinev returns a pointer to a dynamically allocated array
+ * containing a single =NULL pointer.
+ *
+ * The =openpam_readlinev function can fail and return =NULL for one of
+ * four reasons:
+ *
+ *  - The end of the file was reached before any words were read; :errno is
+ *    zero, =!ferror returns zero, and =!feof returns a non-zero value.
+ *
+ *  - The end of the file was reached while a quote or backslash escape
+ *    was in effect; :errno is set to =EINVAL, =!ferror returns zero, and
+ *    =!feof returns a non-zero value.
+ *
+ *  - An error occurred while reading from the file; :errno is non-zero,
+ *    =!ferror returns a non-zero value and =!feof returns zero.
+ *
+ *  - A =!malloc or =!realloc call failed; :errno is set to =ENOMEM,
+ *    =!ferror returns a non-zero value, and =!feof may or may not return
+ *    a non-zero value.
+ *
+ * >openpam_readline
+ * >openpam_readword
+ *
+ * AUTHOR DES
+ */
diff --git a/contrib/openpam/lib/openpam_readword.c b/contrib/openpam/lib/openpam_readword.c
new file mode 100644
index 0000000..74a4d46
--- /dev/null
+++ b/contrib/openpam/lib/openpam_readword.c
@@ -0,0 +1,207 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: openpam_readword.c 588 2012-04-08 11:52:25Z des $
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+#include "openpam_ctype.h"
+
+#define MIN_WORD_SIZE	32
+
+/*
+ * OpenPAM extension
+ *
+ * Read a word from a file, respecting shell quoting rules.
+ */
+
+char *
+openpam_readword(FILE *f, int *lineno, size_t *lenp)
+{
+	char *word;
+	size_t size, len;
+	int ch, comment, escape, quote;
+	int serrno;
+
+	errno = 0;
+
+	/* skip initial whitespace */
+	comment = 0;
+	while ((ch = getc(f)) != EOF && ch != '\n') {
+		if (ch == '#')
+			comment = 1;
+		if (!is_lws(ch) && !comment)
+			break;
+	}
+	if (ch == EOF)
+		return (NULL);
+	ungetc(ch, f);
+	if (ch == '\n')
+		return (NULL);
+
+	word = NULL;
+	size = len = 0;
+	escape = quote = 0;
+	while ((ch = fgetc(f)) != EOF && (!is_ws(ch) || quote || escape)) {
+		if (ch == '\\' && !escape && quote != '\'') {
+			/* escape next character */
+			escape = ch;
+		} else if ((ch == '\'' || ch == '"') && !quote && !escape) {
+			/* begin quote */
+			quote = ch;
+			/* edge case: empty quoted string */
+			if (word == NULL && (word = malloc(1)) == NULL) {
+				openpam_log(PAM_LOG_ERROR, "malloc(): %m");
+				errno = ENOMEM;
+				return (NULL);
+			}
+			*word = '\0';
+			size = 1;
+		} else if (ch == quote && !escape) {
+			/* end quote */
+			quote = 0;
+		} else if (ch == '\n' && escape && quote != '\'') {
+			/* line continuation */
+			escape = 0;
+		} else {
+			if (escape && quote && ch != '\\' && ch != quote &&
+			    openpam_straddch(&word, &size, &len, '\\') != 0) {
+				free(word);
+				errno = ENOMEM;
+				return (NULL);
+			}
+			if (openpam_straddch(&word, &size, &len, ch) != 0) {
+				free(word);
+				errno = ENOMEM;
+				return (NULL);
+			}
+			escape = 0;
+		}
+		if (lineno != NULL && ch == '\n')
+			++*lineno;
+	}
+	if (ch == EOF && ferror(f)) {
+		serrno = errno;
+		free(word);
+		errno = serrno;
+		return (NULL);
+	}
+	if (ch == EOF && (escape || quote)) {
+		/* Missing escaped character or closing quote. */
+		openpam_log(PAM_LOG_ERROR, "unexpected end of file");
+		free(word);
+		errno = EINVAL;
+		return (NULL);
+	}
+	ungetc(ch, f);
+	if (lenp != NULL)
+		*lenp = len;
+	return (word);
+}
+
+/**
+ * The =openpam_readword function reads the next word from a file, and
+ * returns it in a NUL-terminated buffer allocated with =!malloc.
+ *
+ * A word is a sequence of non-whitespace characters.
+ * However, whitespace characters can be included in a word if quoted or
+ * escaped according to the following rules:
+ *
+ *  - An unescaped single or double quote introduces a quoted string,
+ *    which ends when the same quote character is encountered a second
+ *    time.
+ *    The quotes themselves are stripped.
+ *
+ *  - Within a single- or double-quoted string, all whitespace characters,
+ *    including the newline character, are preserved as-is.
+ *
+ *  - Outside a quoted string, a backslash escapes the next character,
+ *    which is preserved as-is, unless that character is a newline, in
+ *    which case it is discarded and reading continues at the beginning of
+ *    the next line as if the backslash and newline had not been there.
+ *    In all cases, the backslash itself is discarded.
+ *
+ *  - Within a single-quoted string, double quotes and backslashes are
+ *    preserved as-is.
+ *
+ *  - Within a double-quoted string, a single quote is preserved as-is,
+ *    and a backslash is preserved as-is unless used to escape a double
+ *    quote.
+ *
+ * In addition, if the first non-whitespace character on the line is a
+ * hash character (#), the rest of the line is discarded.
+ * If a hash character occurs within a word, however, it is preserved
+ * as-is.
+ * A backslash at the end of a comment does cause line continuation.
+ *
+ * If =lineno is not =NULL, the integer variable it points to is
+ * incremented every time a quoted or escaped newline character is read.
+ *
+ * If =lenp is not =NULL, the length of the word (after quotes and
+ * backslashes have been removed) is stored in the variable it points to.
+ *
+ * RETURN VALUES
+ *
+ * If successful, the =openpam_readword function returns a pointer to a
+ * dynamically allocated NUL-terminated string containing the first word
+ * encountered on the line.
+ *
+ * The caller is responsible for releasing the returned buffer by passing
+ * it to =!free.
+ *
+ * If =openpam_readword reaches the end of the line or file before any
+ * characters are copied to the word, it returns =NULL.  In the former
+ * case, the newline is pushed back to the file.
+ *
+ * If =openpam_readword reaches the end of the file while a quote or
+ * backslash escape is in effect, it sets :errno to =EINVAL and returns
+ * =NULL.
+ *
+ * IMPLEMENTATION NOTES
+ *
+ * The parsing rules are intended to be equivalent to the normal POSIX
+ * shell quoting rules.
+ * Any discrepancy is a bug and should be reported to the author along
+ * with sample input that can be used to reproduce the error.
+ *
+ * >openpam_readline
+ * >openpam_readlinev
+ *
+ * AUTHOR DES
+ */
diff --git a/contrib/openpam/lib/openpam_set_feature.c b/contrib/openpam/lib/openpam_set_feature.c
new file mode 100644
index 0000000..4f6a4a5
--- /dev/null
+++ b/contrib/openpam/lib/openpam_set_feature.c
@@ -0,0 +1,75 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: openpam_set_feature.c 608 2012-05-17 16:00:13Z des $
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+#include "openpam_impl.h"
+
+/*
+ * OpenPAM extension
+ *
+ * Enable or disable an optional feature.
+ */
+
+int
+openpam_set_feature(int feature, int onoff)
+{
+
+	ENTERF(feature);
+	if (feature < 0 || feature >= OPENPAM_NUM_FEATURES)
+		RETURNC(PAM_SYMBOL_ERR);
+	openpam_features[feature].onoff = onoff;
+	RETURNC(PAM_SUCCESS);
+}
+
+/*
+ * Error codes:
+ *
+ *	PAM_SYMBOL_ERR
+ */
+
+/**
+ * EXPERIMENTAL
+ *
+ * The =openpam_set_feature function sets the state of the specified
+ * feature to the value specified by the =onoff argument.
+ * See =openpam_get_feature for a list of recognized features.
+ *
+ * >openpam_get_feature
+ *
+ * AUTHOR DES
+ */
diff --git a/contrib/openpam/lib/openpam_set_option.c b/contrib/openpam/lib/openpam_set_option.c
index c7cb1c7..1712a71 100644
--- a/contrib/openpam/lib/openpam_set_option.c
+++ b/contrib/openpam/lib/openpam_set_option.c
@@ -32,7 +32,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_set_option.c 482 2011-11-03 16:33:02Z des $
+ * $Id: openpam_set_option.c 532 2012-03-31 14:24:53Z des $
  */
 
 #ifdef HAVE_CONFIG_H
@@ -46,7 +46,6 @@
 #include <string.h>
 
 #include <security/pam_appl.h>
-#include <security/openpam.h>
 
 #include "openpam_impl.h"
 
diff --git a/contrib/openpam/lib/openpam_straddch.c b/contrib/openpam/lib/openpam_straddch.c
new file mode 100644
index 0000000..9845cc6
--- /dev/null
+++ b/contrib/openpam/lib/openpam_straddch.c
@@ -0,0 +1,111 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: openpam_straddch.c 568 2012-04-05 14:35:53Z des $
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <errno.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+#define MIN_STR_SIZE	32
+
+/*
+ * OpenPAM extension
+ *
+ * Add a character to a string, expanding the buffer if needed.
+ */
+
+int
+openpam_straddch(char **str, size_t *size, size_t *len, int ch)
+{
+	size_t tmpsize;
+	char *tmpstr;
+
+	if (*str == NULL) {
+		/* initial allocation */
+		tmpsize = MIN_STR_SIZE;
+		if ((tmpstr = malloc(tmpsize)) == NULL) {
+			openpam_log(PAM_LOG_ERROR, "malloc(): %m");
+			errno = ENOMEM;
+			return (-1);
+		}
+		*str = tmpstr;
+		*size = tmpsize;
+		*len = 0;
+	} else if (*len + 1 >= *size) {
+		/* additional space required */
+		tmpsize = *size * 2;
+		if ((tmpstr = realloc(*str, tmpsize)) == NULL) {
+			openpam_log(PAM_LOG_ERROR, "realloc(): %m");
+			errno = ENOMEM;
+			return (-1);
+		}
+		*size = tmpsize;
+		*str = tmpstr;
+	}
+	(*str)[*len] = ch;
+	++*len;
+	(*str)[*len] = '\0';
+	return (0);
+}
+
+/**
+ * The =openpam_straddch function appends a character to a dynamically
+ * allocated NUL-terminated buffer, reallocating the buffer as needed.
+ *
+ * The =str argument points to a variable containing either a pointer to
+ * an existing buffer or =NULL.
+ * If the value of the variable pointed to by =str is =NULL, a new buffer
+ * is allocated.
+ *
+ * The =size and =len argument point to variables used to hold the size
+ * of the buffer and the length of the string it contains, respectively.
+ *
+ * If a new buffer is allocated or an existing buffer is reallocated to
+ * make room for the additional character, =str and =size are updated
+ * accordingly.
+ *
+ * The =openpam_straddch function ensures that the buffer is always
+ * NUL-terminated.
+ *
+ * If the =openpam_straddch function is successful, it increments the
+ * integer variable pointed to by =len and returns 0.
+ * Otherwise, it leaves the variables pointed to by =str, =size and =len
+ * unmodified, sets :errno to =ENOMEM and returns -1.
+ *
+ * AUTHOR DES
+ */
diff --git a/contrib/openpam/lib/openpam_strlcat.h b/contrib/openpam/lib/openpam_strlcat.h
new file mode 100644
index 0000000..1f26693
--- /dev/null
+++ b/contrib/openpam/lib/openpam_strlcat.h
@@ -0,0 +1,54 @@
+/*-
+ * Copyright (c) 2011 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: openpam_strlcat.h 578 2012-04-06 00:45:59Z des $
+ */
+
+#ifndef OPENPAM_STRLCAT_H_INCLUDED
+#define OPENPAM_STRLCAT_H_INCLUDED
+
+#ifndef HAVE_STRLCAT
+/* like strcat(3), but always NUL-terminates; returns strlen(src) */
+static size_t
+strlcat(char *dst, const char *src, size_t size)
+{
+	size_t len;
+
+	for (len = 0; *dst && size > 1; ++len, --size)
+		dst++;
+	for (; *src && size > 1; ++len, --size)
+		*dst++ = *src++;
+	*dst = '\0';
+	while (*src)
+		++len, ++src;
+	return (len);
+}
+#endif
+
+#endif
diff --git a/contrib/openpam/lib/openpam_strlcmp.h b/contrib/openpam/lib/openpam_strlcmp.h
index c692225..2a78e0f 100644
--- a/contrib/openpam/lib/openpam_strlcmp.h
+++ b/contrib/openpam/lib/openpam_strlcmp.h
@@ -11,6 +11,9 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -24,7 +27,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_strlcmp.h 475 2011-11-03 15:29:24Z des $
+ * $Id: openpam_strlcmp.h 578 2012-04-06 00:45:59Z des $
  */
 
 #ifndef OPENPAM_STRLCMP_H_INCLUDED
diff --git a/contrib/openpam/lib/openpam_strlcpy.h b/contrib/openpam/lib/openpam_strlcpy.h
index 921653b..9c65548 100644
--- a/contrib/openpam/lib/openpam_strlcpy.h
+++ b/contrib/openpam/lib/openpam_strlcpy.h
@@ -11,6 +11,9 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -24,7 +27,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_strlcpy.h 492 2011-11-20 02:04:17Z des $
+ * $Id: openpam_strlcpy.h 578 2012-04-06 00:45:59Z des $
  */
 
 #ifndef OPENPAM_STRLCPY_H_INCLUDED
@@ -32,7 +35,7 @@
 
 #ifndef HAVE_STRLCPY
 /* like strcpy(3), but always NUL-terminates; returns strlen(src) */
-size_t
+static size_t
 strlcpy(char *dst, const char *src, size_t size)
 {
 	size_t len;
diff --git a/contrib/openpam/lib/openpam_subst.c b/contrib/openpam/lib/openpam_subst.c
index d54b827..bab7a78 100644
--- a/contrib/openpam/lib/openpam_subst.c
+++ b/contrib/openpam/lib/openpam_subst.c
@@ -11,6 +11,9 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -24,7 +27,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_subst.c 461 2011-11-02 14:00:38Z des $
+ * $Id: openpam_subst.c 543 2012-03-31 22:11:34Z des $
  */
 
 #ifdef HAVE_CONFIG_H
diff --git a/contrib/openpam/lib/openpam_ttyconv.c b/contrib/openpam/lib/openpam_ttyconv.c
index ec078f4..14a324d 100644
--- a/contrib/openpam/lib/openpam_ttyconv.c
+++ b/contrib/openpam/lib/openpam_ttyconv.c
@@ -32,7 +32,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: openpam_ttyconv.c 437 2011-09-13 12:00:13Z des $
+ * $Id: openpam_ttyconv.c 527 2012-02-26 03:23:59Z des $
  */
 
 #ifdef HAVE_CONFIG_H
@@ -69,17 +69,17 @@ prompt(const char *msg)
 {
 	char buf[PAM_MAX_RESP_SIZE];
 	struct sigaction action, saved_action;
-	sigset_t saved_sigset, sigset;
+	sigset_t saved_sigset, the_sigset;
 	unsigned int saved_alarm;
 	int eof, error, fd;
 	size_t len;
 	char *retval;
 	char ch;
 
-	sigemptyset(&sigset);
-	sigaddset(&sigset, SIGINT);
-	sigaddset(&sigset, SIGTSTP);
-	sigprocmask(SIG_SETMASK, &sigset, &saved_sigset);
+	sigemptyset(&the_sigset);
+	sigaddset(&the_sigset, SIGINT);
+	sigaddset(&the_sigset, SIGTSTP);
+	sigprocmask(SIG_SETMASK, &the_sigset, &saved_sigset);
 	action.sa_handler = &timeout;
 	action.sa_flags = 0;
 	sigemptyset(&action.sa_mask);
diff --git a/contrib/openpam/lib/pam_get_authtok.c b/contrib/openpam/lib/pam_get_authtok.c
index a0613ef..1a3aebc 100644
--- a/contrib/openpam/lib/pam_get_authtok.c
+++ b/contrib/openpam/lib/pam_get_authtok.c
@@ -32,7 +32,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: pam_get_authtok.c 455 2011-10-29 18:31:11Z des $
+ * $Id: pam_get_authtok.c 510 2011-12-31 13:14:23Z des $
  */
 
 #ifdef HAVE_CONFIG_H
@@ -50,6 +50,7 @@
 #include "openpam_impl.h"
 
 static const char authtok_prompt[] = "Password:";
+static const char authtok_prompt_remote[] = "Password for %u@%h:";
 static const char oldauthtok_prompt[] = "Old Password:";
 static const char newauthtok_prompt[] = "New Password:";
 
@@ -69,6 +70,7 @@ pam_get_authtok(pam_handle_t *pamh,
 	size_t prompt_size;
 	const void *oldauthtok, *prevauthtok, *promptp;
 	const char *prompt_option, *default_prompt;
+	const void *lhost, *rhost;
 	char *resp, *resp2;
 	int pitem, r, style, twice;
 
@@ -82,6 +84,14 @@ pam_get_authtok(pam_handle_t *pamh,
 		pitem = PAM_AUTHTOK_PROMPT;
 		prompt_option = "authtok_prompt";
 		default_prompt = authtok_prompt;
+		r = pam_get_item(pamh, PAM_RHOST, &rhost);
+		if (r == PAM_SUCCESS && rhost != NULL) {
+			r = pam_get_item(pamh, PAM_HOST, &lhost);
+			if (r == PAM_SUCCESS && lhost != NULL) {
+				if (strcmp(rhost, lhost) != 0)
+					default_prompt = authtok_prompt_remote;
+			}
+		}
 		r = pam_get_item(pamh, PAM_OLDAUTHTOK, &oldauthtok);
 		if (r == PAM_SUCCESS && oldauthtok != NULL) {
 			default_prompt = newauthtok_prompt;
diff --git a/contrib/openpam/lib/pam_putenv.c b/contrib/openpam/lib/pam_putenv.c
index 369066d..e1f0bc3 100644
--- a/contrib/openpam/lib/pam_putenv.c
+++ b/contrib/openpam/lib/pam_putenv.c
@@ -32,7 +32,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: pam_putenv.c 437 2011-09-13 12:00:13Z des $
+ * $Id: pam_putenv.c 539 2012-03-31 20:53:22Z des $
  */
 
 #ifdef HAVE_CONFIG_H
@@ -102,7 +102,7 @@ pam_putenv(pam_handle_t *pamh,
  */
 
 /**
- * The =pam_putenv function sets a environment variable.
+ * The =pam_putenv function sets an environment variable.
  * Its semantics are similar to those of =putenv, but it modifies the PAM
  * context's environment list instead of the application's.
  *
diff --git a/contrib/openpam/lib/pam_setenv.c b/contrib/openpam/lib/pam_setenv.c
index fbe6a8f..6fd4c10 100644
--- a/contrib/openpam/lib/pam_setenv.c
+++ b/contrib/openpam/lib/pam_setenv.c
@@ -32,7 +32,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: pam_setenv.c 437 2011-09-13 12:00:13Z des $
+ * $Id: pam_setenv.c 539 2012-03-31 20:53:22Z des $
  */
 
 #ifdef HAVE_CONFIG_H
@@ -92,7 +92,7 @@ pam_setenv(pam_handle_t *pamh,
  */
 
 /**
- * The =pam_setenv function sets a environment variable.
+ * The =pam_setenv function sets an environment variable.
  * Its semantics are similar to those of =setenv, but it modifies the PAM
  * context's environment list instead of the application's.
  *
diff --git a/contrib/openpam/ltmain.sh b/contrib/openpam/ltmain.sh
index 6dfcfd5..16ddbf8 100755
--- a/contrib/openpam/ltmain.sh
+++ b/contrib/openpam/ltmain.sh
@@ -1,9 +1,9 @@
 
-# libtool (GNU libtool) 2.4
+# libtool (GNU libtool) 2.4.2
 # Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006,
-# 2007, 2008, 2009, 2010 Free Software Foundation, Inc.
+# 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc.
 # This is free software; see the source for copying conditions.  There is NO
 # warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 
@@ -41,6 +41,7 @@
 #       --quiet, --silent    don't print informational messages
 #       --no-quiet, --no-silent
 #                            print informational messages (default)
+#       --no-warn            don't display warning messages
 #       --tag=TAG            use configuration variables from tag TAG
 #   -v, --verbose            print more informational messages than default
 #       --no-verbose         don't print the extra informational messages
@@ -69,7 +70,7 @@
 #         compiler:		$LTCC
 #         compiler flags:		$LTCFLAGS
 #         linker:		$LD (gnu? $with_gnu_ld)
-#         $progname:	(GNU libtool) 2.4
+#         $progname:	(GNU libtool) 2.4.2
 #         automake:	$automake_version
 #         autoconf:	$autoconf_version
 #
@@ -79,9 +80,9 @@
 
 PROGRAM=libtool
 PACKAGE=libtool
-VERSION=2.4
+VERSION=2.4.2
 TIMESTAMP=""
-package_revision=1.3293
+package_revision=1.3337
 
 # Be Bourne compatible
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
@@ -136,15 +137,10 @@ progpath="$0"
 
 : ${CP="cp -f"}
 test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
-: ${EGREP="grep -E"}
-: ${FGREP="grep -F"}
-: ${GREP="grep"}
-: ${LN_S="ln -s"}
 : ${MAKE="make"}
 : ${MKDIR="mkdir"}
 : ${MV="mv -f"}
 : ${RM="rm -f"}
-: ${SED="sed"}
 : ${SHELL="${CONFIG_SHELL-/bin/sh}"}
 : ${Xsed="$SED -e 1s/^X//"}
 
@@ -387,7 +383,7 @@ case $progpath in
      ;;
   *)
      save_IFS="$IFS"
-     IFS=:
+     IFS=${PATH_SEPARATOR-:}
      for progdir in $PATH; do
        IFS="$save_IFS"
        test -x "$progdir/$progname" && break
@@ -771,8 +767,8 @@ func_help ()
 	s*\$LTCFLAGS*'"$LTCFLAGS"'*
 	s*\$LD*'"$LD"'*
 	s/\$with_gnu_ld/'"$with_gnu_ld"'/
-	s/\$automake_version/'"`(automake --version) 2>/dev/null |$SED 1q`"'/
-	s/\$autoconf_version/'"`(autoconf --version) 2>/dev/null |$SED 1q`"'/
+	s/\$automake_version/'"`(${AUTOMAKE-automake} --version) 2>/dev/null |$SED 1q`"'/
+	s/\$autoconf_version/'"`(${AUTOCONF-autoconf} --version) 2>/dev/null |$SED 1q`"'/
 	p
 	d
      }
@@ -1052,6 +1048,7 @@ opt_finish=false
 opt_help=false
 opt_help_all=false
 opt_silent=:
+opt_warning=:
 opt_verbose=:
 opt_silent=false
 opt_verbose=false
@@ -1120,6 +1117,10 @@ esac
 			opt_silent=false
 func_append preserve_args " $opt"
 			;;
+      --no-warning|--no-warn)
+			opt_warning=false
+func_append preserve_args " $opt"
+			;;
       --no-verbose)
 			opt_verbose=false
 func_append preserve_args " $opt"
@@ -2089,7 +2090,7 @@ func_mode_compile ()
     *.[cCFSifmso] | \
     *.ada | *.adb | *.ads | *.asm | \
     *.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \
-    *.[fF][09]? | *.for | *.java | *.obj | *.sx | *.cu | *.cup)
+    *.[fF][09]? | *.for | *.java | *.go | *.obj | *.sx | *.cu | *.cup)
       func_xform "$libobj"
       libobj=$func_xform_result
       ;;
@@ -3231,11 +3232,13 @@ func_mode_install ()
 
       # Set up the ranlib parameters.
       oldlib="$destdir/$name"
+      func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
+      tool_oldlib=$func_to_tool_file_result
 
       func_show_eval "$install_prog \$file \$oldlib" 'exit $?'
 
       if test -n "$stripme" && test -n "$old_striplib"; then
-	func_show_eval "$old_striplib $oldlib" 'exit $?'
+	func_show_eval "$old_striplib $tool_oldlib" 'exit $?'
       fi
 
       # Do each command in the postinstall commands.
@@ -3500,7 +3503,7 @@ static const void *lt_preloaded_setup() {
 	  # linked before any other PIC object.  But we must not use
 	  # pic_flag when linking with -static.  The problem exists in
 	  # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
-	  *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
+	  *-*-freebsd2.*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
 	    pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;;
 	  *-*-hpux*)
 	    pic_flag_for_symtable=" $pic_flag"  ;;
@@ -4015,14 +4018,17 @@ func_exec_program_core ()
 # launches target application with the remaining arguments.
 func_exec_program ()
 {
-  for lt_wr_arg
-  do
-    case \$lt_wr_arg in
-    --lt-*) ;;
-    *) set x \"\$@\" \"\$lt_wr_arg\"; shift;;
-    esac
-    shift
-  done
+  case \" \$* \" in
+  *\\ --lt-*)
+    for lt_wr_arg
+    do
+      case \$lt_wr_arg in
+      --lt-*) ;;
+      *) set x \"\$@\" \"\$lt_wr_arg\"; shift;;
+      esac
+      shift
+    done ;;
+  esac
   func_exec_program_core \${1+\"\$@\"}
 }
 
@@ -5090,9 +5096,15 @@ void lt_dump_script (FILE* f)
 {
 EOF
 	    func_emit_wrapper yes |
-              $SED -e 's/\([\\"]\)/\\\1/g' \
-	           -e 's/^/  fputs ("/' -e 's/$/\\n", f);/'
-
+	      $SED -n -e '
+s/^\(.\{79\}\)\(..*\)/\1\
+\2/
+h
+s/\([\\"]\)/\\\1/g
+s/$/\\n/
+s/\([^\n]*\).*/  fputs ("\1", f);/p
+g
+D'
             cat <<"EOF"
 }
 EOF
@@ -5677,7 +5689,8 @@ func_mode_link ()
 	continue
 	;;
 
-      -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
+      -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
+      |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
 	func_append compiler_flags " $arg"
 	func_append compile_command " $arg"
 	func_append finalize_command " $arg"
@@ -6181,7 +6194,8 @@ func_mode_link ()
 	lib=
 	found=no
 	case $deplib in
-	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
+	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
+        |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
 	  if test "$linkmode,$pass" = "prog,link"; then
 	    compile_deplibs="$deplib $compile_deplibs"
 	    finalize_deplibs="$deplib $finalize_deplibs"
@@ -6882,7 +6896,7 @@ func_mode_link ()
 	         test "$hardcode_direct_absolute" = no; then
 		add="$dir/$linklib"
 	      elif test "$hardcode_minus_L" = yes; then
-		add_dir="-L$dir"
+		add_dir="-L$absdir"
 		# Try looking first in the location we're being installed to.
 		if test -n "$inst_prefix_dir"; then
 		  case $libdir in
@@ -7367,6 +7381,7 @@ func_mode_link ()
 	  # which has an extra 1 added just for fun
 	  #
 	  case $version_type in
+	  # correct linux to gnu/linux during the next big refactor
 	  darwin|linux|osf|windows|none)
 	    func_arith $number_major + $number_minor
 	    current=$func_arith_result
@@ -7483,7 +7498,7 @@ func_mode_link ()
 	  versuffix="$major.$revision"
 	  ;;
 
-	linux)
+	linux) # correct to gnu/linux during the next big refactor
 	  func_arith $current - $age
 	  major=.$func_arith_result
 	  versuffix="$major.$age.$revision"
@@ -8071,6 +8086,11 @@ EOF
 
       # Test again, we may have decided not to build it any more
       if test "$build_libtool_libs" = yes; then
+	# Remove ${wl} instances when linking with ld.
+	# FIXME: should test the right _cmds variable.
+	case $archive_cmds in
+	  *\$LD\ *) wl= ;;
+        esac
 	if test "$hardcode_into_libs" = yes; then
 	  # Hardcode the library paths
 	  hardcode_libdirs=
@@ -8101,7 +8121,7 @@ EOF
 	    elif test -n "$runpath_var"; then
 	      case "$perm_rpath " in
 	      *" $libdir "*) ;;
-	      *) func_apped perm_rpath " $libdir" ;;
+	      *) func_append perm_rpath " $libdir" ;;
 	      esac
 	    fi
 	  done
@@ -8109,11 +8129,7 @@ EOF
 	  if test -n "$hardcode_libdir_separator" &&
 	     test -n "$hardcode_libdirs"; then
 	    libdir="$hardcode_libdirs"
-	    if test -n "$hardcode_libdir_flag_spec_ld"; then
-	      eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\"
-	    else
-	      eval dep_rpath=\"$hardcode_libdir_flag_spec\"
-	    fi
+	    eval "dep_rpath=\"$hardcode_libdir_flag_spec\""
 	  fi
 	  if test -n "$runpath_var" && test -n "$perm_rpath"; then
 	    # We should set the runpath_var.
@@ -9203,6 +9219,8 @@ EOF
 	    esac
 	  done
 	fi
+	func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
+	tool_oldlib=$func_to_tool_file_result
 	eval cmds=\"$old_archive_cmds\"
 
 	func_len " $cmds"
@@ -9312,7 +9330,8 @@ EOF
 	      *.la)
 		func_basename "$deplib"
 		name="$func_basename_result"
-		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		func_resolve_sysroot "$deplib"
+		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result`
 		test -z "$libdir" && \
 		  func_fatal_error "\`$deplib' is not a valid libtool archive"
 		func_append newdependency_libs " ${lt_sysroot:+=}$libdir/$name"
diff --git a/contrib/openpam/misc/gendoc.pl b/contrib/openpam/misc/gendoc.pl
index 7b76672..4ce2d39 100644
--- a/contrib/openpam/misc/gendoc.pl
+++ b/contrib/openpam/misc/gendoc.pl
@@ -33,7 +33,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $Id: gendoc.pl 465 2011-11-02 20:34:26Z des $
+# $Id: gendoc.pl 599 2012-04-14 15:06:41Z des $
 #
 
 use strict;
@@ -81,12 +81,15 @@ $COPYRIGHT = ".\\\"-
 .\\\"";
 
 %AUTHORS = (
-    THINKSEC => "ThinkSec AS and Network Associates Laboratories, the
+    THINKSEC => "developed for the
+.Fx
+Project by ThinkSec AS and Network Associates Laboratories, the
 Security Research Division of Network Associates, Inc.\\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.",
-    DES => ".An Dag-Erling Sm\\(/orgrav Aq des\@FreeBSD.org .",
+    DES => "developed by
+.An Dag-Erling Sm\\(/orgrav Aq des\@des.no .",
 );
 
 %PAMERR = (
@@ -136,6 +139,9 @@ sub parse_source($) {
     my $inlist;
     my $intaglist;
     my $inliteral;
+    my $customrv;
+    my $deprecated;
+    my $experimental;
     my %xref;
     my @errors;
     my $author;
@@ -154,10 +160,18 @@ sub parse_source($) {
 	if ($source =~ m/^ \* NOPARSE\s*$/m);
 
     $author = 'THINKSEC';
-    if ($source =~ s/^ \* AUTHOR\s+(.*?)\s*$//m) {
+    if ($source =~ s/^ \* AUTHOR\s+(\w*)\s*$//m) {
 	$author = $1;
     }
 
+    if ($source =~ s/^ \* DEPRECATED\s*(\w*)\s*$//m) {
+	$deprecated = $1 // 0;
+    }
+
+    if ($source =~ s/^ \* EXPERIMENTAL\s*$//m) {
+	$experimental = 1;
+    }
+
     $func = $fn;
     $func =~ s,^(?:.*/)?([^/]+)\.c$,$1,;
     if ($source !~ m,\n \* ([\S ]+)\n \*/\n\n([\S ]+)\n$func\((.*?)\)\n\{,s) {
@@ -195,7 +209,7 @@ sub parse_source($) {
     # separate argument names with |
     $argnames =~ s/\" \"/|/g;
     # and surround with ()
-    $argnames =~ s/^\"(.*)\"$/($1)/;
+    $argnames =~ s/^\"(.*)\"$/$1/;
     # $argnames is now a regexp that matches argument names
     $inliteral = $inlist = $intaglist = 0;
     foreach (split("\n", $source)) {
@@ -211,12 +225,19 @@ sub parse_source($) {
 	s/\\(.)/$1/gs;
 	if (m/^$/) {
 	    # paragraph separator
+	    if ($inlist || $intaglist) {
+		# either a blank line between list items, or a blank
+		# line after the final list item.  The latter case
+		# will be handled further down.
+		next;
+	    }
+	    if ($man =~ m/\n\.Sh [^\n]+\n$/s) {
+		# a blank line after a section header
+		next;
+	    }
 	    if ($man ne "" && $man !~ m/\.Pp\n$/s) {
 		if ($inliteral) {
 		    $man .= "\0\n";
-		} elsif ($inlist || $intaglist) {
-		    $man .= ".El\n.Pp\n";
-		    $inlist = $intaglist = 0;
 		} else {
 		    $man .= ".Pp\n";
 		}
@@ -229,6 +250,14 @@ sub parse_source($) {
 	    ++$xref{$sect}->{$page};
 	    next;
 	}
+	if (s/^([A-Z][0-9A-Z -]+)$/.Sh $1/) {
+	    if ($1 eq "RETURN VALUES") {
+		$customrv = $1;
+	    }
+	    $man =~ s/\n\.Pp$/\n/s;
+	    $man .= "$_\n";
+	    next;
+	}
 	if (s/^\s+-\s+//) {
 	    # item in bullet list
 	    if ($inliteral) {
@@ -286,11 +315,12 @@ sub parse_source($) {
 	    $man .= "$_\n";
 	    next;
 	}
-	s/\s*=$func\b\s*/\n.Nm\n/gs;
-	s/\s*=$argnames\b\s*/\n.Fa $1\n/gs;
+	s/\s*=($func)\b\s*/\n.Fn $1\n/gs;
+	s/\s*=($argnames)\b\s*/\n.Fa $1\n/gs;
 	s/\s*=(struct \w+(?: \*)?)\b\s*/\n.Vt $1\n/gs;
 	s/\s*:([a-z_]+)\b\s*/\n.Va $1\n/gs;
 	s/\s*;([a-z_]+)\b\s*/\n.Dv $1\n/gs;
+	s/\s*=!([a-z_]+)\b\s*/\n.Xr $1 3\n/gs;
 	while (s/\s*=([a-z_]+)\b\s*/\n.Xr $1 3\n/s) {
 	    ++$xref{3}->{$1};
 	}
@@ -311,7 +341,7 @@ sub parse_source($) {
 	    $inliteral = 0;
 	}
 	$man =~ s/\%/\\&\%/gs;
-	$man =~ s/(\n\.[A-Z][a-z] [\w ]+)\n([\.,:;-]\S*)\s*/$1 $2\n/gs;
+	$man =~ s/(\n\.[A-Z][a-z] [\w ]+)\n([.,:;-])\s+/$1 $2\n/gs;
 	$man =~ s/\s*$/\n/gm;
 	$man =~ s/\n+/\n/gs;
 	$man =~ s/\0//gs;
@@ -331,6 +361,9 @@ sub parse_source($) {
 	'xref'		=> \%xref,
 	'errors'	=> \@errors,
 	'author'	=> $author,
+	'customrv'	=> $customrv,
+	'deprecated'	=> $deprecated,
+	'experimental'	=> $experimental,
     };
     if ($source =~ m/^ \* NODOC\s*$/m) {
 	$FUNCTIONS{$func}->{'nodoc'} = 1;
@@ -437,49 +470,75 @@ sub gendoc($) {
 .Lb libpam
 .Sh SYNOPSIS
 .In sys/types.h
-.In security/pam_appl.h
+";
+    if ($func->{'args'} =~ m/\bFILE \*\b/) {
+	$mdoc .= ".In stdio.h\n";
+    }
+    $mdoc .= ".In security/pam_appl.h
 ";
     if ($func->{'name'} =~ m/_sm_/) {
-	$mdoc .= ".In security/pam_modules.h\n"
+	$mdoc .= ".In security/pam_modules.h\n";
     }
     if ($func->{'name'} =~ m/openpam/) {
-	$mdoc .= ".In security/openpam.h\n"
+	$mdoc .= ".In security/openpam.h\n";
     }
     $mdoc .= ".Ft \"$func->{'type'}\"
 .Fn $func->{'name'} $func->{'args'}
 .Sh DESCRIPTION
-$func->{'man'}
 ";
-    if ($func->{'type'} eq "int") {
+    if (defined($func->{'deprecated'})) {
+	$mdoc .= ".Bf Sy\n" .
+	    "This function is deprecated and may be removed " .
+	    "in a future release without further warning.\n";
+	if ($func->{'deprecated'}) {
+	    $mdoc .= "The\n.Fn $func->{'deprecated'}\nfunction " .
+		"may be used to achieve similar results.\n";
+	}
+	$mdoc .= ".Ef\n.Pp\n";
+    }
+    if ($func->{'experimental'}) {
+	$mdoc .= ".Bf Sy\n" .
+	    "This function is experimental and may be modified or removed " .
+	    "in a future release without further warning.\n";
+	$mdoc .= ".Ef\n.Pp\n";
+    }
+    $mdoc .= "$func->{'man'}\n";
+    my @errors = @{$func->{'errors'}};
+    if ($func->{'customrv'}) {
+	# leave it
+    } elsif ($func->{'type'} eq "int" && @errors) {
 	$mdoc .= ".Sh RETURN VALUES
 The
-.Nm
+.Fn $func->{'name'}
 function returns one of the following values:
 .Bl -tag -width 18n
 ";
-	my @errors = @{$func->{'errors'}};
-	warn("$func->{'name'}(): no error specification\n")
-	    unless(@errors);
 	foreach (@errors) {
 	    $mdoc .= ".It Bq Er $_\n$PAMERR{$_}.\n";
 	}
 	$mdoc .= ".El\n";
-    } else {
-	if ($func->{'type'} =~ m/\*$/) {
-	    $mdoc .= ".Sh RETURN VALUES
+    } elsif ($func->{'type'} eq "int") {
+	$mdoc .= ".Sh RETURN VALUES
+The
+.Fn $func->{'name'}
+function returns 0 on success and -1 on failure.
+";
+    } elsif ($func->{'type'} =~ m/\*$/) {
+	$mdoc .= ".Sh RETURN VALUES
 The
-.Nm
+.Fn $func->{'name'}
 function returns
 .Dv NULL
 on failure.
 ";
-	}
+    } elsif ($func->{'type'} ne "void") {
+	warn("$func->{'name'}(): no error specification\n");
     }
     $mdoc .= ".Sh SEE ALSO\n" . genxref($func->{'xref'});
     $mdoc .= ".Sh STANDARDS\n";
     if ($func->{'openpam'}) {
 	$mdoc .= "The
-.Nm
+.Fn $func->{'name'}
 function is an OpenPAM extension.
 ";
     } else {
@@ -491,10 +550,9 @@ function is an OpenPAM extension.
     }
     $mdoc .= ".Sh AUTHORS
 The
-.Nm
-function and this manual page were developed for the
-.Fx
-Project by\n" . $AUTHORS{$func->{'author'} // 'THINKSEC_DARPA'} . "\n";
+.Fn $func->{'name'}
+function and this manual page were\n";
+    $mdoc .= $AUTHORS{$func->{'author'} // 'THINKSEC_DARPA'} . "\n";
     $fn = "$func->{'name'}.3";
     if (open(FILE, ">", $fn)) {
 	print(FILE $mdoc);
@@ -608,6 +666,9 @@ Security Research Division of Network Associates, Inc.\\& under
 DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
+.Pp
+The OpenPAM library is maintained by
+.An Dag-Erling Sm\\(/orgrav Aq des\@des.no .
 ";
     close(FILE);
 }
diff --git a/contrib/openpam/pamgdb.in b/contrib/openpam/pamgdb.in
new file mode 100644
index 0000000..2ec2d65
--- /dev/null
+++ b/contrib/openpam/pamgdb.in
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# $Id: pamgdb.in 583 2012-04-07 18:56:13Z des $
+#
+
+srcdir="@abs_top_srcdir@"
+builddir="@abs_top_builddir@"
+
+# Make sure we get the right version of libpam
+pam_libdir="${builddir}/lib/.libs"
+LD_LIBRARY_PATH="${pam_libdir}:${LD_LIBRARY_PATH}"
+LD_LIBRARY_PATH="${LD_LIBRARY_PATH%:}"
+export LD_LIBRARY_PATH
+
+# DWIM, assuming that the first positional argument is the name of the
+# program to debug rather than a gdb option.
+prog="$1"
+if expr "${prog}" : ".*/.*" >/dev/null ; then
+	# The first argument is an absolute or relative path.  There
+	# is a good chance that it points to the wrapper script
+	# generated by libtool rather than the actual binary.
+	altprog="${prog%/*}/.libs/${prog##*/}"
+	if [ -x "${altprog}" ] ; then
+		shift
+		set "${altprog}" "$@"
+	fi
+elif expr "${prog}" : "[a-z.-][a-z.-]*" >/dev/null ; then
+	# The first argument is just the name of the program.  Look for
+	# it in the build directory.
+	for libdir in $(find "${builddir}" -type d -name .libs -print) ; do
+		altprog="${libdir}/${prog}"
+		if [ -x "${altprog}" ] ; then
+			shift
+			set "${altprog}" "$@"
+			break
+		fi
+	done
+fi
+
+# Let's go!
+exec gdb "$@"
diff --git a/contrib/openpam/t/Makefile.am b/contrib/openpam/t/Makefile.am
new file mode 100644
index 0000000..a3f596d
--- /dev/null
+++ b/contrib/openpam/t/Makefile.am
@@ -0,0 +1,16 @@
+# $Id: Makefile.am 572 2012-04-05 15:41:44Z des $
+
+INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/lib
+
+noinst_HEADERS = t.h
+
+# tests
+TESTS = t_openpam_readword t_openpam_readlinev
+check_PROGRAMS = $(TESTS)
+
+# libt - common support code
+check_LIBRARIES = libt.a
+libt_a_SOURCES = t_main.c
+
+# link with libpam and libt
+LDADD = libt.a $(top_builddir)/lib/libpam.la
diff --git a/contrib/openpam/t/Makefile.in b/contrib/openpam/t/Makefile.in
new file mode 100644
index 0000000..e71618b
--- /dev/null
+++ b/contrib/openpam/t/Makefile.in
@@ -0,0 +1,605 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# $Id: Makefile.am 572 2012-04-05 15:41:44Z des $
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+TESTS = t_openpam_readword$(EXEEXT) t_openpam_readlinev$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
+subdir = t
+DIST_COMMON = $(noinst_HEADERS) $(srcdir)/Makefile.am \
+	$(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+ARFLAGS = cru
+libt_a_AR = $(AR) $(ARFLAGS)
+libt_a_LIBADD =
+am_libt_a_OBJECTS = t_main.$(OBJEXT)
+libt_a_OBJECTS = $(am_libt_a_OBJECTS)
+am__EXEEXT_1 = t_openpam_readword$(EXEEXT) \
+	t_openpam_readlinev$(EXEEXT)
+t_openpam_readlinev_SOURCES = t_openpam_readlinev.c
+t_openpam_readlinev_OBJECTS = t_openpam_readlinev.$(OBJEXT)
+t_openpam_readlinev_LDADD = $(LDADD)
+t_openpam_readlinev_DEPENDENCIES = libt.a \
+	$(top_builddir)/lib/libpam.la
+t_openpam_readword_SOURCES = t_openpam_readword.c
+t_openpam_readword_OBJECTS = t_openpam_readword.$(OBJEXT)
+t_openpam_readword_LDADD = $(LDADD)
+t_openpam_readword_DEPENDENCIES = libt.a $(top_builddir)/lib/libpam.la
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libt_a_SOURCES) t_openpam_readlinev.c t_openpam_readword.c
+DIST_SOURCES = $(libt_a_SOURCES) t_openpam_readlinev.c \
+	t_openpam_readword.c
+HEADERS = $(noinst_HEADERS)
+ETAGS = etags
+CTAGS = ctags
+am__tty_colors = \
+red=; grn=; lgn=; blu=; std=
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CRYPT_LIBS = @CRYPT_LIBS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLTOOL = @DLLTOOL@
+DL_LIBS = @DL_LIBS@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIB_MAJ = @LIB_MAJ@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENPAM_MODULES_DIR = @OPENPAM_MODULES_DIR@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+INCLUDES = -I$(top_srcdir)/include -I$(top_srcdir)/lib
+noinst_HEADERS = t.h
+
+# libt - common support code
+check_LIBRARIES = libt.a
+libt_a_SOURCES = t_main.c
+
+# link with libpam and libt
+LDADD = libt.a $(top_builddir)/lib/libpam.la
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign t/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign t/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-checkLIBRARIES:
+	-test -z "$(check_LIBRARIES)" || rm -f $(check_LIBRARIES)
+libt.a: $(libt_a_OBJECTS) $(libt_a_DEPENDENCIES) 
+	-rm -f libt.a
+	$(libt_a_AR) libt.a $(libt_a_OBJECTS) $(libt_a_LIBADD)
+	$(RANLIB) libt.a
+
+clean-checkPROGRAMS:
+	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+t_openpam_readlinev$(EXEEXT): $(t_openpam_readlinev_OBJECTS) $(t_openpam_readlinev_DEPENDENCIES) 
+	@rm -f t_openpam_readlinev$(EXEEXT)
+	$(LINK) $(t_openpam_readlinev_OBJECTS) $(t_openpam_readlinev_LDADD) $(LIBS)
+t_openpam_readword$(EXEEXT): $(t_openpam_readword_OBJECTS) $(t_openpam_readword_DEPENDENCIES) 
+	@rm -f t_openpam_readword$(EXEEXT)
+	$(LINK) $(t_openpam_readword_OBJECTS) $(t_openpam_readword_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/t_main.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/t_openpam_readlinev.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/t_openpam_readword.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	$(am__tty_colors); \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=XPASS; \
+	      ;; \
+	      *) \
+		col=$$grn; res=PASS; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xfail=`expr $$xfail + 1`; \
+		col=$$lgn; res=XFAIL; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=FAIL; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      col=$$blu; res=SKIP; \
+	    fi; \
+	    echo "$${col}$$res$${std}: $$tst"; \
+	  done; \
+	  if test "$$all" -eq 1; then \
+	    tests="test"; \
+	    All=""; \
+	  else \
+	    tests="tests"; \
+	    All="All "; \
+	  fi; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="$$All$$all $$tests passed"; \
+	    else \
+	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all $$tests failed"; \
+	    else \
+	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    if test "$$skip" -eq 1; then \
+	      skipped="($$skip test was not run)"; \
+	    else \
+	      skipped="($$skip tests were not run)"; \
+	    fi; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  if test "$$failed" -eq 0; then \
+	    echo "$$grn$$dashes"; \
+	  else \
+	    echo "$$red$$dashes"; \
+	  fi; \
+	  echo "$$banner"; \
+	  test -z "$$skipped" || echo "$$skipped"; \
+	  test -z "$$report" || echo "$$report"; \
+	  echo "$$dashes$$std"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) $(check_LIBRARIES) $(check_PROGRAMS)
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile $(HEADERS)
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-checkLIBRARIES clean-checkPROGRAMS clean-generic \
+	clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \
+	clean-checkLIBRARIES clean-checkPROGRAMS clean-generic \
+	clean-libtool ctags distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/contrib/openpam/t/t.h b/contrib/openpam/t/t.h
new file mode 100644
index 0000000..4805b76
--- /dev/null
+++ b/contrib/openpam/t/t.h
@@ -0,0 +1,60 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: t.h 578 2012-04-06 00:45:59Z des $
+ */
+
+#ifndef T_H_INCLUDED
+#define T_H_INCLUDED
+
+#include <security/openpam_attr.h>
+
+struct t_test {
+	int (*func)(void);
+	const char *desc;
+};
+
+#define T_FUNC(n, d)				\
+	static int t_ ## n ## _func(void);	\
+	static const struct t_test t_ ## n =	\
+	    { t_ ## n ## _func, d };		\
+	static int t_ ## n ## _func(void)
+
+#define T(n)					\
+	&t_ ## n
+
+extern const char *t_progname;
+
+const struct t_test **t_prepare(int, char **);
+void t_cleanup(void);
+
+void t_verbose(const char *, ...)
+	OPENPAM_FORMAT((__printf__, 1, 2));
+
+#endif
diff --git a/contrib/openpam/t/t_main.c b/contrib/openpam/t/t_main.c
new file mode 100644
index 0000000..6a29b0a
--- /dev/null
+++ b/contrib/openpam/t/t_main.c
@@ -0,0 +1,119 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: t_main.c 578 2012-04-06 00:45:59Z des $
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <err.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "t.h"
+
+const char *t_progname;
+
+static int verbose;
+
+void
+t_verbose(const char *fmt, ...)
+{
+	va_list ap;
+
+	if (verbose) {
+		va_start(ap, fmt);
+		vfprintf(stderr, fmt, ap);
+		va_end(ap);
+	}
+}
+
+static void
+usage(void)
+{
+
+	fprintf(stderr, "usage: [-v] %s\n", t_progname);
+	exit(1);
+}
+
+int
+main(int argc, char *argv[])
+{
+	const struct t_test **t_plan;
+	const char *desc;
+	int n, pass, fail;
+	int opt;
+
+	if ((t_progname = strrchr(argv[0], '/')) != NULL)
+		t_progname++; /* one past the slash */
+	else
+		t_progname = argv[0];
+
+	while ((opt = getopt(argc, argv, "v")) != -1)
+		switch (opt) {
+		case 'v':
+			verbose = 1;
+			break;
+		default:
+			usage();
+		}
+
+	argc -= optind;
+	argv += optind;
+
+	/* prepare the test plan */
+	if ((t_plan = t_prepare(argc, argv)) == NULL)
+		errx(1, "no plan\n");
+
+	/* count the tests */
+	for (n = 0; t_plan[n] != NULL; ++n)
+		/* nothing */;
+	printf("1..%d\n", n);
+
+	/* run the tests */
+	for (n = pass = fail = 0; t_plan[n] != NULL; ++n) {
+		desc = t_plan[n]->desc ? t_plan[n]->desc : "no description";
+		if ((*t_plan[n]->func)()) {
+			printf("ok %d - %s\n", n + 1, desc);
+			++pass;
+		} else {
+			printf("not ok %d - %s\n", n + 1, desc);
+			++fail;
+		}
+	}
+
+	/* clean up and exit */
+	t_cleanup();
+	exit(fail > 0 ? 1 : 0);
+}
diff --git a/contrib/openpam/t/t_openpam_readlinev.c b/contrib/openpam/t/t_openpam_readlinev.c
new file mode 100644
index 0000000..bb0ff90
--- /dev/null
+++ b/contrib/openpam/t/t_openpam_readlinev.c
@@ -0,0 +1,342 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: t_openpam_readlinev.c 581 2012-04-06 01:08:37Z des $
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+#include "openpam_impl.h"
+#include "t.h"
+
+static char filename[1024];
+static FILE *f;
+
+/*
+ * Open the temp file and immediately unlink it so it doesn't leak in case
+ * of premature exit.
+ */
+static void
+orlv_open(void)
+{
+	int fd;
+
+	if ((fd = open(filename, O_RDWR|O_CREAT|O_TRUNC, 0600)) < 0)
+		err(1, "%s(): %s", __func__, filename);
+	if ((f = fdopen(fd, "r+")) == NULL)
+		err(1, "%s(): %s", __func__, filename);
+	if (unlink(filename) < 0)
+		err(1, "%s(): %s", __func__, filename);
+}
+
+/*
+ * Write text to the temp file.
+ */
+static void
+orlv_output(const char *fmt, ...)
+{
+	va_list ap;
+
+	va_start(ap, fmt);
+	vfprintf(f, fmt, ap);
+	va_end(ap);
+	if (ferror(f))
+		err(1, "%s", filename);
+}
+
+/*
+ * Rewind the temp file.
+ */
+static void
+orlv_rewind(void)
+{
+
+	errno = 0;
+	rewind(f);
+	if (errno != 0)
+		err(1, "%s(): %s", __func__, filename);
+}
+
+/*
+ * Read a line from the temp file and verify that the result matches our
+ * expectations: whether a line was read at all, how many and which words
+ * it contained, how many lines were read (in case of quoted or escaped
+ * newlines) and whether we reached the end of the file.
+ */
+static int
+orlv_expect(const char **expectedv, int lines, int eof)
+{
+	int expectedc, gotc, i, lineno = 0;
+	char **gotv;
+
+	expectedc = 0;
+	if (expectedv != NULL)
+		while (expectedv[expectedc] != NULL)
+			++expectedc;
+	gotv = openpam_readlinev(f, &lineno, &gotc);
+	if (ferror(f))
+		err(1, "%s(): %s", __func__, filename);
+	if (expectedv != NULL && gotv == NULL) {
+		t_verbose("expected %d words, got nothing\n", expectedc);
+		return (0);
+	}
+	if (expectedv == NULL && gotv != NULL) {
+		t_verbose("expected nothing, got %d words\n", gotc);
+		FREEV(gotc, gotv);
+		return (0);
+	}
+	if (expectedv != NULL && gotv != NULL) {
+		if (expectedc != gotc) {
+			t_verbose("expected %d words, got %d\n",
+			    expectedc, gotc);
+			FREEV(gotc, gotv);
+			return (0);
+		}
+		for (i = 0; i < gotc; ++i) {
+			if (strcmp(expectedv[i], gotv[i]) != 0) {
+				t_verbose("word %d: expected <<%s>>, "
+				    "got <<%s>>\n", i, expectedv[i], gotv[i]);
+				FREEV(gotc, gotv);
+				return (0);
+			}
+		}
+		FREEV(gotc, gotv);
+	}
+	if (lineno != lines) {
+		t_verbose("expected to advance %d lines, advanced %d lines\n",
+		    lines, lineno);
+		return (0);
+	}
+	if (eof && !feof(f)) {
+		t_verbose("expected EOF, but didn't get it\n");
+		return (0);
+	}
+	if (!eof && feof(f)) {
+		t_verbose("didn't expect EOF, but got it anyway\n");
+		return (0);
+	}
+	return (1);
+}
+
+/*
+ * Close the temp file.
+ */
+void
+orlv_close(void)
+{
+
+	if (fclose(f) != 0)
+		err(1, "%s(): %s", __func__, filename);
+	f = NULL;
+}
+
+/***************************************************************************
+ * Commonly-used lines
+ */
+
+static const char *empty[] = {
+	NULL
+};
+
+static const char *hello[] = {
+	"hello",
+	NULL
+};
+
+static const char *hello_world[] = {
+	"hello",
+	"world",
+	NULL
+};
+
+
+/***************************************************************************
+ * Lines without words
+ */
+
+T_FUNC(empty_input, "empty input")
+{
+	int ret;
+
+	orlv_open();
+	ret = orlv_expect(NULL, 0 /*lines*/, 1 /*eof*/);
+	orlv_close();
+	return (ret);
+}
+
+T_FUNC(empty_line, "empty line")
+{
+	int ret;
+
+	orlv_open();
+	orlv_output("\n");
+	orlv_rewind();
+	ret = orlv_expect(empty, 1 /*lines*/, 0 /*eof*/);
+	orlv_close();
+	return (ret);
+}
+
+T_FUNC(unterminated_empty_line, "unterminated empty line")
+{
+	int ret;
+
+	orlv_open();
+	orlv_output(" ");
+	orlv_rewind();
+	ret = orlv_expect(NULL, 0 /*lines*/, 1 /*eof*/);
+	orlv_close();
+	return (ret);
+}
+
+T_FUNC(whitespace, "whitespace")
+{
+	int ret;
+
+	orlv_open();
+	orlv_output(" \n");
+	orlv_rewind();
+	ret = orlv_expect(empty, 1 /*lines*/, 0 /*eof*/);
+	orlv_close();
+	return (ret);
+}
+
+T_FUNC(comment, "comment")
+{
+	int ret;
+
+	orlv_open();
+	orlv_output("# comment\n");
+	orlv_rewind();
+	ret = orlv_expect(empty, 1 /*lines*/, 0 /*eof*/);
+	orlv_close();
+	return (ret);
+}
+
+T_FUNC(whitespace_before_comment, "whitespace before comment")
+{
+	int ret;
+
+	orlv_open();
+	orlv_output(" # comment\n");
+	orlv_rewind();
+	ret = orlv_expect(empty, 1 /*lines*/, 0 /*eof*/);
+	orlv_close();
+	return (ret);
+}
+
+
+/***************************************************************************
+ * Simple words
+ */
+
+T_FUNC(one_word, "one word")
+{
+	int ret;
+
+	orlv_open();
+	orlv_output("hello\n");
+	orlv_rewind();
+	ret = orlv_expect(hello, 1 /*lines*/, 0 /*eof*/);
+	orlv_close();
+	return (ret);
+}
+
+T_FUNC(two_words, "two words")
+{
+	int ret;
+
+	orlv_open();
+	orlv_output("hello world\n");
+	orlv_rewind();
+	ret = orlv_expect(hello_world, 1 /*lines*/, 0 /*eof*/);
+	orlv_close();
+	return (ret);
+}
+
+T_FUNC(unterminated_line, "unterminated line")
+{
+	int ret;
+
+	orlv_open();
+	orlv_output("hello world");
+	orlv_rewind();
+	ret = orlv_expect(hello_world, 0 /*lines*/, 1 /*eof*/);
+	orlv_close();
+	return (ret);
+}
+
+
+/***************************************************************************
+ * Boilerplate
+ */
+
+const struct t_test *t_plan[] = {
+	T(empty_input),
+	T(empty_line),
+	T(unterminated_empty_line),
+	T(whitespace),
+	T(comment),
+	T(whitespace_before_comment),
+
+	T(one_word),
+	T(two_words),
+	T(unterminated_line),
+
+	NULL
+};
+
+const struct t_test **
+t_prepare(int argc, char *argv[])
+{
+
+	(void)argc;
+	(void)argv;
+	snprintf(filename, sizeof filename, "%s.%d.tmp", t_progname, getpid());
+	if (filename == NULL)
+		err(1, "asprintf()");
+	return (t_plan);
+}
+
+void
+t_cleanup(void)
+{
+}
diff --git a/contrib/openpam/t/t_openpam_readword.c b/contrib/openpam/t/t_openpam_readword.c
new file mode 100644
index 0000000..2135d8b
--- /dev/null
+++ b/contrib/openpam/t/t_openpam_readword.c
@@ -0,0 +1,829 @@
+/*-
+ * Copyright (c) 2012 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer
+ *    in this position and unchanged.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: t_openpam_readword.c 584 2012-04-07 22:47:16Z des $
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+#include "t.h"
+
+static char filename[1024];
+static FILE *f;
+
+/*
+ * Open the temp file and immediately unlink it so it doesn't leak in case
+ * of premature exit.
+ */
+static void
+orw_open(void)
+{
+	int fd;
+
+	if ((fd = open(filename, O_RDWR|O_CREAT|O_TRUNC, 0600)) < 0)
+		err(1, "%s(): %s", __func__, filename);
+	if ((f = fdopen(fd, "r+")) == NULL)
+		err(1, "%s(): %s", __func__, filename);
+	if (unlink(filename) < 0)
+		err(1, "%s(): %s", __func__, filename);
+}
+
+/*
+ * Write text to the temp file.
+ */
+static void
+orw_output(const char *fmt, ...)
+{
+	va_list ap;
+
+	va_start(ap, fmt);
+	vfprintf(f, fmt, ap);
+	va_end(ap);
+	if (ferror(f))
+		err(1, "%s", filename);
+}
+
+/*
+ * Rewind the temp file.
+ */
+static void
+orw_rewind(void)
+{
+
+	errno = 0;
+	rewind(f);
+	if (errno != 0)
+		err(1, "%s(): %s", __func__, filename);
+}
+
+/*
+ * Read a word from the temp file and verify that the result matches our
+ * expectations: whether a word was read at all, how many lines were read
+ * (in case of quoted or escaped newlines), whether we reached the end of
+ * the file and whether we reached the end of the line.
+ */
+static int
+orw_expect(const char *expected, int lines, int eof, int eol)
+{
+	int ch, lineno = 0;
+	char *got;
+	size_t len;
+
+	got = openpam_readword(f, &lineno, &len);
+	if (ferror(f))
+		err(1, "%s(): %s", __func__, filename);
+	if (expected != NULL && got == NULL) {
+		t_verbose("expected <<%s>>, got nothing\n", expected);
+		return (0);
+	}
+	if (expected == NULL && got != NULL) {
+		t_verbose("expected nothing, got <<%s>>\n", got);
+		return (0);
+	}
+	if (expected != NULL && got != NULL && strcmp(expected, got) != 0) {
+		t_verbose("expected <<%s>>, got <<%s>>\n", expected, got);
+		return (0);
+	}
+	if (lineno != lines) {
+		t_verbose("expected to advance %d lines, advanced %d lines\n",
+		    lines, lineno);
+		return (0);
+	}
+	if (eof && !feof(f)) {
+		t_verbose("expected EOF, but didn't get it\n");
+		return (0);
+	}
+	if (!eof && feof(f)) {
+		t_verbose("didn't expect EOF, but got it anyway\n");
+		return (0);
+	}
+	ch = fgetc(f);
+	if (ferror(f))
+		err(1, "%s(): %s", __func__, filename);
+	if (eol && ch != '\n') {
+		t_verbose("expected EOL, but didn't get it\n");
+		return (0);
+	}
+	if (!eol && ch == '\n') {
+		t_verbose("didn't expect EOL, but got it anyway\n");
+		return (0);
+	}
+	if (ch != EOF)
+		ungetc(ch, f);
+	return (1);
+}
+
+/*
+ * Close the temp file.
+ */
+void
+orw_close(void)
+{
+
+	if (fclose(f) != 0)
+		err(1, "%s(): %s", __func__, filename);
+	f = NULL;
+}
+
+
+/***************************************************************************
+ * Lines without words
+ */
+
+T_FUNC(empty_input, "empty input")
+{
+	int ret;
+
+	orw_open();
+	ret = orw_expect(NULL, 0 /*lines*/, 1 /*eof*/, 0 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(empty_line, "empty line")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\n");
+	orw_rewind();
+	ret = orw_expect(NULL, 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(unterminated_line, "unterminated line")
+{
+	int ret;
+
+	orw_open();
+	orw_output(" ");
+	orw_rewind();
+	ret = orw_expect(NULL, 0 /*lines*/, 1 /*eof*/, 0 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(single_whitespace, "single whitespace")
+{
+	int ret;
+
+	orw_open();
+	orw_output(" \n");
+	orw_rewind();
+	ret = orw_expect(NULL, 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(multiple_whitespace, "multiple whitespace")
+{
+	int ret;
+
+	orw_open();
+	orw_output(" \t\r\n");
+	orw_rewind();
+	ret = orw_expect(NULL, 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(comment, "comment")
+{
+	int ret;
+
+	orw_open();
+	orw_output("# comment\n");
+	orw_rewind();
+	ret = orw_expect(NULL, 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(whitespace_before_comment, "whitespace before comment")
+{
+	int ret;
+
+	orw_open();
+	orw_output(" # comment\n");
+	orw_rewind();
+	ret = orw_expect(NULL, 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+
+/***************************************************************************
+ * Simple cases - no quotes or escapes
+ */
+
+T_FUNC(single_word, "single word")
+{
+	const char *word = "hello";
+	int ret;
+
+	orw_open();
+	orw_output("%s\n", word);
+	orw_rewind();
+	ret = orw_expect(word, 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(single_whitespace_before_word, "single whitespace before word")
+{
+	const char *word = "hello";
+	int ret;
+
+	orw_open();
+	orw_output(" %s\n", word);
+	orw_rewind();
+	ret = orw_expect(word, 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(double_whitespace_before_word, "double whitespace before word")
+{
+	const char *word = "hello";
+	int ret;
+
+	orw_open();
+	orw_output("  %s\n", word);
+	orw_rewind();
+	ret = orw_expect(word, 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(single_whitespace_after_word, "single whitespace after word")
+{
+	const char *word = "hello";
+	int ret;
+
+	orw_open();
+	orw_output("%s \n", word);
+	orw_rewind();
+	ret = orw_expect(word, 0 /*lines*/, 0 /*eof*/, 0 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(double_whitespace_after_word, "double whitespace after word")
+{
+	const char *word = "hello";
+	int ret;
+
+	orw_open();
+	orw_output("%s  \n", word);
+	orw_rewind();
+	ret = orw_expect(word, 0 /*lines*/, 0 /*eof*/, 0 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(comment_after_word, "comment after word")
+{
+	const char *word = "hello";
+	int ret;
+
+	orw_open();
+	orw_output("%s # comment\n", word);
+	orw_rewind();
+	ret = orw_expect(word, 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect(NULL, 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(word_containing_hash, "word containing hash")
+{
+	const char *word = "hello#world";
+	int ret;
+
+	orw_open();
+	orw_output("%s\n", word);
+	orw_rewind();
+	ret = orw_expect(word, 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(two_words, "two words")
+{
+	const char *word[] = { "hello", "world" };
+	int ret;
+
+	orw_open();
+	orw_output("%s %s\n", word[0], word[1]);
+	orw_rewind();
+	ret = orw_expect(word[0], 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect(word[1], 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+
+/***************************************************************************
+ * Escapes
+ */
+
+T_FUNC(naked_escape, "naked escape")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\\");
+	orw_rewind();
+	ret = orw_expect(NULL, 0 /*lines*/, 1 /*eof*/, 0 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_escape, "escaped escape")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\\\\\n");
+	orw_rewind();
+	ret = orw_expect("\\", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_whitespace, "escaped whitespace")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\\  \\\t \\\r \\\n\n");
+	orw_rewind();
+	ret = orw_expect(" ", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect("\t", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect("\r", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    /* this last one is a line continuation */
+	    orw_expect(NULL, 1 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_newline_before_word, "escaped newline before word")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\\\nhello world\n");
+	orw_rewind();
+	ret = orw_expect("hello", 1 /*lines*/, 0 /*eof*/, 0 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_newline_within_word, "escaped newline within word")
+{
+	int ret;
+
+	orw_open();
+	orw_output("hello\\\nworld\n");
+	orw_rewind();
+	ret = orw_expect("helloworld", 1 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_newline_after_word, "escaped newline after word")
+{
+	int ret;
+
+	orw_open();
+	orw_output("hello\\\n world\n");
+	orw_rewind();
+	ret = orw_expect("hello", 1 /*lines*/, 0 /*eof*/, 0 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_letter, "escaped letter")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\\z\n");
+	orw_rewind();
+	ret = orw_expect("z", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+
+/***************************************************************************
+ * Quotes
+ */
+
+T_FUNC(naked_single_quote, "naked single quote")
+{
+	int ret;
+
+	orw_open();
+	orw_output("'");
+	orw_rewind();
+	ret = orw_expect(NULL, 0 /*lines*/, 1 /*eof*/, 0 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(naked_double_quote, "naked double quote")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\"");
+	orw_rewind();
+	ret = orw_expect(NULL, 0 /*lines*/, 1 /*eof*/, 0 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(empty_single_quotes, "empty single quotes")
+{
+	int ret;
+
+	orw_open();
+	orw_output("''\n");
+	orw_rewind();
+	ret = orw_expect("", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(empty_double_quotes, "empty double quotes")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\"\"\n");
+	orw_rewind();
+	ret = orw_expect("", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(single_quotes_within_double_quotes, "single quotes within double quotes")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\"' '\"\n");
+	orw_rewind();
+	ret = orw_expect("' '", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(double_quotes_within_single_quotes, "double quotes within single quotes")
+{
+	int ret;
+
+	orw_open();
+	orw_output("'\" \"'\n");
+	orw_rewind();
+	ret = orw_expect("\" \"", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(single_quoted_whitespace, "single-quoted whitespace")
+{
+	int ret;
+
+	orw_open();
+	orw_output("' ' '\t' '\r' '\n'\n");
+	orw_rewind();
+	ret = orw_expect(" ", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect("\t", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect("\r", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect("\n", 1 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(double_quoted_whitespace, "double-quoted whitespace")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\" \" \"\t\" \"\r\" \"\n\"\n");
+	orw_rewind();
+	ret = orw_expect(" ", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect("\t", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect("\r", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect("\n", 1 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(single_quoted_words, "single-quoted words")
+{
+	int ret;
+
+	orw_open();
+	orw_output("'hello world'\n");
+	orw_rewind();
+	ret = orw_expect("hello world", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(double_quoted_words, "double-quoted words")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\"hello world\"\n");
+	orw_rewind();
+	ret = orw_expect("hello world", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+
+/***************************************************************************
+ * Combinations of escape and quotes
+ */
+
+T_FUNC(escaped_single_quote,
+    "escaped single quote")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\\'\n");
+	orw_rewind();
+	ret = orw_expect("'", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_double_quote,
+    "escaped double quote")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\\\"\n");
+	orw_rewind();
+	ret = orw_expect("\"", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_whitespace_within_single_quotes,
+    "escaped whitespace within single quotes")
+{
+	int ret;
+
+	orw_open();
+	orw_output("'\\ ' '\\\t' '\\\r' '\\\n'\n");
+	orw_rewind();
+	ret = orw_expect("\\ ", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect("\\\t", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect("\\\r", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect("\\\n", 1 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_whitespace_within_double_quotes,
+    "escaped whitespace within double quotes")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\"\\ \" \"\\\t\" \"\\\r\" \"\\\n\"\n");
+	orw_rewind();
+	ret = orw_expect("\\ ", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect("\\\t", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    orw_expect("\\\r", 0 /*lines*/, 0 /*eof*/, 0 /*eol*/) &&
+	    /* this last one is a line continuation */
+	    orw_expect("", 1 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_letter_within_single_quotes,
+    "escaped letter within single quotes")
+{
+	int ret;
+
+	orw_open();
+	orw_output("'\\z'\n");
+	orw_rewind();
+	ret = orw_expect("\\z", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_letter_within_double_quotes,
+    "escaped letter within double quotes")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\"\\z\"\n");
+	orw_rewind();
+	ret = orw_expect("\\z", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_escape_within_single_quotes,
+    "escaped escape within single quotes")
+{
+	int ret;
+
+	orw_open();
+	orw_output("'\\\\'\n");
+	orw_rewind();
+	ret = orw_expect("\\\\", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_escape_within_double_quotes,
+    "escaped escape within double quotes")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\"\\\\\"\n");
+	orw_rewind();
+	ret = orw_expect("\\", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_single_quote_within_single_quotes,
+    "escaped single quote within single quotes")
+{
+	int ret;
+
+	orw_open();
+	orw_output("'\\''\n");
+	orw_rewind();
+	ret = orw_expect(NULL, 1 /*lines*/, 1 /*eof*/, 0 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_double_quote_within_single_quotes,
+    "escaped double quote within single quotes")
+{
+	int ret;
+
+	orw_open();
+	orw_output("'\\\"'\n");
+	orw_rewind();
+	ret = orw_expect("\\\"", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_single_quote_within_double_quotes,
+    "escaped single quote within double quotes")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\"\\'\"\n");
+	orw_rewind();
+	ret = orw_expect("\\'", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+T_FUNC(escaped_double_quote_within_double_quotes,
+    "escaped double quote within double quotes")
+{
+	int ret;
+
+	orw_open();
+	orw_output("\"\\\"\"\n");
+	orw_rewind();
+	ret = orw_expect("\"", 0 /*lines*/, 0 /*eof*/, 1 /*eol*/);
+	orw_close();
+	return (ret);
+}
+
+
+/***************************************************************************
+ * Boilerplate
+ */
+
+const struct t_test *t_plan[] = {
+	T(empty_input),
+	T(empty_line),
+	T(single_whitespace),
+	T(multiple_whitespace),
+	T(comment),
+	T(whitespace_before_comment),
+
+	T(single_word),
+	T(single_whitespace_before_word),
+	T(double_whitespace_before_word),
+	T(single_whitespace_after_word),
+	T(double_whitespace_after_word),
+	T(comment_after_word),
+	T(word_containing_hash),
+	T(two_words),
+
+	T(naked_escape),
+	T(escaped_escape),
+	T(escaped_whitespace),
+	T(escaped_newline_before_word),
+	T(escaped_newline_within_word),
+	T(escaped_newline_after_word),
+	T(escaped_letter),
+
+	T(naked_single_quote),
+	T(naked_double_quote),
+	T(empty_single_quotes),
+	T(empty_double_quotes),
+	T(single_quotes_within_double_quotes),
+	T(double_quotes_within_single_quotes),
+	T(single_quoted_whitespace),
+	T(double_quoted_whitespace),
+	T(single_quoted_words),
+	T(double_quoted_words),
+
+	T(escaped_single_quote),
+	T(escaped_double_quote),
+	T(escaped_whitespace_within_single_quotes),
+	T(escaped_whitespace_within_double_quotes),
+	T(escaped_letter_within_single_quotes),
+	T(escaped_letter_within_double_quotes),
+	T(escaped_escape_within_single_quotes),
+	T(escaped_escape_within_double_quotes),
+	T(escaped_single_quote_within_single_quotes),
+	T(escaped_double_quote_within_single_quotes),
+	T(escaped_single_quote_within_double_quotes),
+	T(escaped_double_quote_within_double_quotes),
+
+	NULL
+};
+
+const struct t_test **
+t_prepare(int argc, char *argv[])
+{
+
+	(void)argc;
+	(void)argv;
+	snprintf(filename, sizeof filename, "%s.%d.tmp", t_progname, getpid());
+	if (filename == NULL)
+		err(1, "asprintf()");
+	return (t_plan);
+}
+
+void
+t_cleanup(void)
+{
+}