* New upstream release (http://www.openssh.org/txt/release-6.0).

  - Fix IPQoS not being set on non-mapped v4-in-v6 addressed connections
    (closes: #643312, #650512).
  - Add a new privilege separation sandbox implementation for Linux's new
    seccomp sandbox, automatically enabled on platforms that support it.
    (Note: privilege separation sandboxing is still experimental.)

19 files changed, 623 insertions, 194 deletions

diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 41b22d837..196a81d13 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.46 2010/10/07 11:19:24 djm Exp $
+# $Id: Makefile.in,v 1.48 2011/11/04 00:25:25 dtucker Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -16,9 +16,9 @@ RANLIB=@RANLIB@
 INSTALL=@INSTALL@
 LDFLAGS=-L. @LDFLAGS@
 
-OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o timingsafe_bcmp.o vis.o
+OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o timingsafe_bcmp.o vis.o
 
-COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
 PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
 
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index 9eedc88d2..6befc016f 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -76,6 +76,7 @@ static struct wenv {
         { NL("OS=") },
         { NL("PATH=") },
         { NL("PATHEXT=") },
+        { NL("PROGRAMFILES=") },
         { NL("SYSTEMDRIVE=") },
         { NL("SYSTEMROOT=") },
         { NL("WINDIR=") }
diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h
index 48f64b740..d223792d7 100644
--- a/openbsd-compat/bsd-cygwin_util.h
+++ b/openbsd-compat/bsd-cygwin_util.h
@@ -1,4 +1,4 @@
-/* $Id: bsd-cygwin_util.h,v 1.13 2011/08/17 01:31:09 djm Exp $ */
+/* $Id: bsd-cygwin_util.h,v 1.14 2012/03/30 03:07:07 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001, 2011 Corinna Vinschen <vinschen@redhat.com>
@@ -40,6 +40,12 @@
 #include <sys/cygwin.h>
 #include <io.h>
 
+/* Make sure _WIN32 isn't defined later in the code, otherwise headers from
+   other packages might get the wrong idea about the target system. */
+#ifdef _WIN32
+#undef _WIN32
+#endif
+
 int binary_open(const char *, int , ...);
 int check_ntsec(const char *);
 char **fetch_windows_environment(void);
diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h
index e70c3f9e9..e37175625 100644
--- a/openbsd-compat/bsd-misc.h
+++ b/openbsd-compat/bsd-misc.h
@@ -1,4 +1,4 @@
-/* $Id: bsd-misc.h,v 1.19 2010/11/08 22:26:23 tim Exp $ */
+/* $Id: bsd-misc.h,v 1.20 2012/02/14 18:03:31 tim Exp $ */
 
 /*
  * Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org>
@@ -86,7 +86,7 @@ int tcsendbreak(int, int);
 #endif
 
 #ifndef HAVE_UNSETENV
-void unsetenv(const char *);
+int unsetenv(const char *);
 #endif
 
 /* wrapper for signal interface */
diff --git a/openbsd-compat/getcwd.c b/openbsd-compat/getcwd.c
index 711cb9cd5..3edbb9cba 100644
--- a/openbsd-compat/getcwd.c
+++ b/openbsd-compat/getcwd.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: getcwd.c,v 1.14 2005/08/08 08:05:34 espie Exp $ */
+/*      from OpenBSD: getcwd.c,v 1.14 2005/08/08 08:05:34 espie Exp */
 /*
  * Copyright (c) 1989, 1991, 1993
  *      The Regents of the University of California.  All rights reserved.
diff --git a/openbsd-compat/getgrouplist.c b/openbsd-compat/getgrouplist.c
index a57d7d388..3afcb9281 100644
--- a/openbsd-compat/getgrouplist.c
+++ b/openbsd-compat/getgrouplist.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: getgrouplist.c,v 1.12 2005/08/08 08:05:34 espie Exp $ */
+/*      from OpenBSD: getgrouplist.c,v 1.12 2005/08/08 08:05:34 espie Exp */
 /*
  * Copyright (c) 1991, 1993
  *      The Regents of the University of California.  All rights reserved.
diff --git a/openbsd-compat/getrrsetbyname-ldns.c b/openbsd-compat/getrrsetbyname-ldns.c
new file mode 100644
index 000000000..8ce5678c9
--- /dev/null
+++ b/openbsd-compat/getrrsetbyname-ldns.c
@@ -0,0 +1,284 @@
+/* $OpenBSD: getrrsetbyname.c,v 1.10 2005/03/30 02:58:28 tedu Exp $ */
+
+/*
+ * Copyright (c) 2007 Simon Vallet / Genoscope <svallet@genoscope.cns.fr>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#if !defined (HAVE_GETRRSETBYNAME) && defined (HAVE_LDNS)
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <ldns/ldns.h>
+
+#include "getrrsetbyname.h"
+#include "log.h"
+#include "xmalloc.h"
+
+#define malloc(x)       (xmalloc(x))
+#define calloc(x, y)    (xcalloc((x),(y)))
+#define free(x)         (xfree(x))
+
+int
+getrrsetbyname(const char *hostname, unsigned int rdclass,
+               unsigned int rdtype, unsigned int flags,
+               struct rrsetinfo **res)
+{
+        int result;
+        unsigned int i, j, index_ans, index_sig;
+        struct rrsetinfo *rrset = NULL;
+        struct rdatainfo *rdata;
+        size_t len;
+        ldns_resolver *ldns_res;
+        ldns_rdf *domain = NULL;
+        ldns_pkt *pkt = NULL;
+        ldns_rr_list *rrsigs = NULL, *rrdata = NULL;
+        ldns_status err;
+        ldns_rr *rr;
+
+        /* check for invalid class and type */
+        if (rdclass > 0xffff || rdtype > 0xffff) {
+                result = ERRSET_INVAL;
+                goto fail;
+        }
+
+        /* don't allow queries of class or type ANY */
+        if (rdclass == 0xff || rdtype == 0xff) {
+                result = ERRSET_INVAL;
+                goto fail;
+        }
+
+        /* don't allow flags yet, unimplemented */
+        if (flags) {
+                result = ERRSET_INVAL;
+                goto fail;
+        }
+
+        /* Initialize resolver from resolv.conf */
+        domain = ldns_dname_new_frm_str(hostname);
+        if ((err = ldns_resolver_new_frm_file(&ldns_res, NULL)) != \
+            LDNS_STATUS_OK) {
+                result = ERRSET_FAIL;
+                goto fail;
+        }
+
+#ifdef LDNS_DEBUG
+        ldns_resolver_set_debug(ldns_res, true);
+#endif /* LDNS_DEBUG */
+
+        ldns_resolver_set_dnssec(ldns_res, true); /* Use DNSSEC */
+
+        /* make query */
+        pkt = ldns_resolver_query(ldns_res, domain, rdtype, rdclass, LDNS_RD);
+
+        /*** TODO: finer errcodes -- see original **/
+        if (!pkt || ldns_pkt_ancount(pkt) < 1) {
+                result = ERRSET_FAIL;
+                goto fail;
+        }
+
+        /* initialize rrset */
+        rrset = calloc(1, sizeof(struct rrsetinfo));
+        if (rrset == NULL) {
+                result = ERRSET_NOMEMORY;
+                goto fail;
+        }
+
+        rrdata = ldns_pkt_rr_list_by_type(pkt, rdtype, LDNS_SECTION_ANSWER);
+        rrset->rri_nrdatas = ldns_rr_list_rr_count(rrdata);
+        if (!rrset->rri_nrdatas) {
+                result = ERRSET_NODATA;
+                goto fail;
+        }
+
+        /* copy name from answer section */
+        len = ldns_rdf_size(ldns_rr_owner(ldns_rr_list_rr(rrdata, 0)));
+        if ((rrset->rri_name = malloc(len)) == NULL) {
+                result = ERRSET_NOMEMORY;
+                goto fail;
+        }
+        memcpy(rrset->rri_name,
+            ldns_rdf_data(ldns_rr_owner(ldns_rr_list_rr(rrdata, 0))), len);
+
+        rrset->rri_rdclass = ldns_rr_get_class(ldns_rr_list_rr(rrdata, 0));
+        rrset->rri_rdtype = ldns_rr_get_type(ldns_rr_list_rr(rrdata, 0));
+        rrset->rri_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrdata, 0));
+
+        debug2("ldns: got %u answers from DNS", rrset->rri_nrdatas);
+
+        /* Check for authenticated data */
+        if (ldns_pkt_ad(pkt)) {
+                rrset->rri_flags |= RRSET_VALIDATED;
+        } else { /* AD is not set, try autonomous validation */
+                ldns_rr_list * trusted_keys = ldns_rr_list_new();
+
+                debug2("ldns: trying to validate RRset");
+                /* Get eventual sigs */
+                rrsigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG,
+                    LDNS_SECTION_ANSWER);
+
+                rrset->rri_nsigs = ldns_rr_list_rr_count(rrsigs);
+                debug2("ldns: got %u signature(s) (RRTYPE %u) from DNS",
+                       rrset->rri_nsigs, LDNS_RR_TYPE_RRSIG);
+
+                if ((err = ldns_verify_trusted(ldns_res, rrdata, rrsigs,
+                     trusted_keys)) == LDNS_STATUS_OK) {
+                        rrset->rri_flags |= RRSET_VALIDATED;
+                        debug2("ldns: RRset is signed with a valid key");
+                } else {
+                        debug2("ldns: RRset validation failed: %s",
+                            ldns_get_errorstr_by_id(err));
+                }
+
+                ldns_rr_list_deep_free(trusted_keys);
+        }
+
+        /* allocate memory for answers */
+        rrset->rri_rdatas = calloc(rrset->rri_nrdatas,
+           sizeof(struct rdatainfo));
+
+        if (rrset->rri_rdatas == NULL) {
+                result = ERRSET_NOMEMORY;
+                goto fail;
+        }
+
+        /* allocate memory for signatures */
+        if (rrset->rri_nsigs > 0) {
+                rrset->rri_sigs = calloc(rrset->rri_nsigs,
+                    sizeof(struct rdatainfo));
+
+                if (rrset->rri_sigs == NULL) {
+                        result = ERRSET_NOMEMORY;
+                        goto fail;
+                }
+        }
+
+        /* copy answers & signatures */
+        for (i=0, index_ans=0, index_sig=0; i< pkt->_header->_ancount; i++) {
+                rdata = NULL;
+                rr = ldns_rr_list_rr(ldns_pkt_answer(pkt), i);
+
+                if (ldns_rr_get_class(rr) == rrset->rri_rdclass &&
+                    ldns_rr_get_type(rr) == rrset->rri_rdtype) {
+                        rdata = &rrset->rri_rdatas[index_ans++];
+                }
+
+                if (rr->_rr_class == rrset->rri_rdclass &&
+                    rr->_rr_type == LDNS_RR_TYPE_RRSIG) {
+                        rdata = &rrset->rri_sigs[index_sig++];
+                }
+
+                if (rdata) {
+                        size_t rdata_offset = 0;
+
+                        rdata->rdi_length = 0;
+                        for (j=0; j< rr->_rd_count; j++) {
+                                rdata->rdi_length +=
+                                    ldns_rdf_size(ldns_rr_rdf(rr, j));
+                        }
+
+                        rdata->rdi_data = malloc(rdata->rdi_length);
+                        if (rdata->rdi_data == NULL) {
+                                result = ERRSET_NOMEMORY;
+                                goto fail;
+                        }
+
+                        /* Re-create the raw DNS RDATA */
+                        for (j=0; j< rr->_rd_count; j++) {
+                                len = ldns_rdf_size(ldns_rr_rdf(rr, j));
+                                memcpy(rdata->rdi_data + rdata_offset,
+                                       ldns_rdf_data(ldns_rr_rdf(rr, j)), len);
+                                rdata_offset += len;
+                        }
+                }
+        }
+
+        *res = rrset;
+        result = ERRSET_SUCCESS;
+
+fail:
+        /* freerrset(rrset); */
+        ldns_rdf_deep_free(domain);
+        ldns_pkt_free(pkt);
+        ldns_rr_list_deep_free(rrsigs);
+        ldns_rr_list_deep_free(rrdata);
+        ldns_resolver_deep_free(ldns_res);
+
+        return result;
+}
+
+
+void
+freerrset(struct rrsetinfo *rrset)
+{
+        u_int16_t i;
+
+        if (rrset == NULL)
+                return;
+
+        if (rrset->rri_rdatas) {
+                for (i = 0; i < rrset->rri_nrdatas; i++) {
+                        if (rrset->rri_rdatas[i].rdi_data == NULL)
+                                break;
+                        free(rrset->rri_rdatas[i].rdi_data);
+                }
+                free(rrset->rri_rdatas);
+        }
+
+        if (rrset->rri_sigs) {
+                for (i = 0; i < rrset->rri_nsigs; i++) {
+                        if (rrset->rri_sigs[i].rdi_data == NULL)
+                                break;
+                        free(rrset->rri_sigs[i].rdi_data);
+                }
+                free(rrset->rri_sigs);
+        }
+
+        if (rrset->rri_name)
+                free(rrset->rri_name);
+        free(rrset);
+}
+
+
+#endif /* !defined (HAVE_GETRRSETBYNAME) && defined (HAVE_LDNS) */
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index 011821198..e061a290a 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -47,7 +47,7 @@
 
 #include "includes.h"
 
-#ifndef HAVE_GETRRSETBYNAME
+#if !defined (HAVE_GETRRSETBYNAME) && !defined (HAVE_LDNS)
 
 #include <stdlib.h>
 #include <string.h>
@@ -607,4 +607,4 @@ count_dns_rr(struct dns_rr *p, u_int16_t class, u_int16_t type)
         return (n);
 }
 
-#endif /* !defined(HAVE_GETRRSETBYNAME) */
+#endif /*  !defined (HAVE_GETRRSETBYNAME) && !defined (HAVE_LDNS) */
diff --git a/openbsd-compat/glob.c b/openbsd-compat/glob.c
index 0341225cd..742b4b954 100644
--- a/openbsd-compat/glob.c
+++ b/openbsd-compat/glob.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: glob.c,v 1.35 2011/01/12 01:53:14 djm Exp $ */
+/*      $OpenBSD: glob.c,v 1.38 2011/09/22 06:27:29 djm Exp $ */
 /*
  * Copyright (c) 1989, 1993
  *      The Regents of the University of California.  All rights reserved.
@@ -66,6 +66,7 @@
 #include <dirent.h>
 #include <ctype.h>
 #include <errno.h>
+#include <limits.h>
 #include <pwd.h>
 #include <stdlib.h>
 #include <string.h>
@@ -132,13 +133,22 @@ typedef char Char;
 #define GLOB_LIMIT_STAT         128
 #define GLOB_LIMIT_READDIR      16384
 
+/* Limit of recursion during matching attempts. */
+#define GLOB_LIMIT_RECUR        64
+
 struct glob_lim {
         size_t  glim_malloc;
         size_t  glim_stat;
         size_t  glim_readdir;
 };
 
+struct glob_path_stat {
+        char            *gps_path;
+        struct stat     *gps_stat;
+};
+
 static int       compare(const void *, const void *);
+static int       compare_gps(const void *, const void *);
 static int       g_Ctoc(const Char *, char *, u_int);
 static int       g_lstat(Char *, struct stat *, glob_t *);
 static DIR      *g_opendir(Char *, glob_t *);
@@ -158,7 +168,7 @@ static const Char *
 static int       globexp1(const Char *, glob_t *, struct glob_lim *);
 static int       globexp2(const Char *, const Char *, glob_t *,
                     struct glob_lim *);
-static int       match(Char *, Char *, Char *);
+static int       match(Char *, Char *, Char *, int);
 #ifdef DEBUG
 static void      qprintf(const char *, Char *);
 #endif
@@ -172,6 +182,9 @@ glob(const char *pattern, int flags, int (*errfunc)(const char *, int),
         Char *bufnext, *bufend, patbuf[MAXPATHLEN];
         struct glob_lim limit = { 0, 0, 0 };
 
+        if (strnlen(pattern, PATH_MAX) == PATH_MAX)
+                return(GLOB_NOMATCH);
+
         patnext = (u_char *) pattern;
         if (!(flags & GLOB_APPEND)) {
                 pglob->gl_pathc = 0;
@@ -548,9 +561,32 @@ glob0(const Char *pattern, glob_t *pglob, struct glob_lim *limitp)
                 else
                         return(GLOB_NOMATCH);
         }
-        if (!(pglob->gl_flags & GLOB_NOSORT))
-                qsort(pglob->gl_pathv + pglob->gl_offs + oldpathc,
-                    pglob->gl_pathc - oldpathc, sizeof(char *), compare);
+        if (!(pglob->gl_flags & GLOB_NOSORT)) {
+                if ((pglob->gl_flags & GLOB_KEEPSTAT)) {
+                        /* Keep the paths and stat info synced during sort */
+                        struct glob_path_stat *path_stat;
+                        int i;
+                        int n = pglob->gl_pathc - oldpathc;
+                        int o = pglob->gl_offs + oldpathc;
+
+                        if ((path_stat = calloc(n, sizeof(*path_stat))) == NULL)
+                                return GLOB_NOSPACE;
+                        for (i = 0; i < n; i++) {
+                                path_stat[i].gps_path = pglob->gl_pathv[o + i];
+                                path_stat[i].gps_stat = pglob->gl_statv[o + i];
+                        }
+                        qsort(path_stat, n, sizeof(*path_stat), compare_gps);
+                        for (i = 0; i < n; i++) {
+                                pglob->gl_pathv[o + i] = path_stat[i].gps_path;
+                                pglob->gl_statv[o + i] = path_stat[i].gps_stat;
+                        }
+                        free(path_stat);
+                } else {
+                        qsort(pglob->gl_pathv + pglob->gl_offs + oldpathc,
+                            pglob->gl_pathc - oldpathc, sizeof(char *),
+                            compare);
+                }
+        }
         return(0);
 }
 
@@ -561,6 +597,15 @@ compare(const void *p, const void *q)
 }
 
 static int
+compare_gps(const void *_p, const void *_q)
+{
+        const struct glob_path_stat *p = (const struct glob_path_stat *)_p;
+        const struct glob_path_stat *q = (const struct glob_path_stat *)_q;
+
+        return(strcmp(p->gps_path, q->gps_path));
+}
+
+static int
 glob1(Char *pattern, Char *pattern_last, glob_t *pglob, struct glob_lim *limitp)
 {
         Char pathbuf[MAXPATHLEN];
@@ -697,7 +742,8 @@ glob3(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
                         errno = 0;
                         *pathend++ = SEP;
                         *pathend = EOS;
-                        return(GLOB_NOSPACE);
+                        err = GLOB_NOSPACE;
+                        break;
                 }
 
                 /* Initial DOT must be matched literally. */
@@ -713,7 +759,7 @@ glob3(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
                         break;
                 }
 
-                if (!match(pathend, pattern, restpattern)) {
+                if (!match(pathend, pattern, restpattern, GLOB_LIMIT_RECUR)) {
                         *pathend = EOS;
                         continue;
                 }
@@ -850,19 +896,24 @@ globextend(const Char *path, glob_t *pglob, struct glob_lim *limitp,
  * pattern causes a recursion level.
  */
 static int
-match(Char *name, Char *pat, Char *patend)
+match(Char *name, Char *pat, Char *patend, int recur)
 {
         int ok, negate_range;
         Char c, k;
 
+        if (recur-- == 0)
+                return(GLOB_NOSPACE);
+
         while (pat < patend) {
                 c = *pat++;
                 switch (c & M_MASK) {
                 case M_ALL:
+                        while (pat < patend && (*pat & M_MASK) == M_ALL)
+                                pat++;  /* eat consecutive '*' */
                         if (pat == patend)
                                 return(1);
                         do {
-                            if (match(name, pat, patend))
+                            if (match(name, pat, patend, recur))
                                     return(1);
                         } while (*name++ != EOS);
                         return(0);
diff --git a/openbsd-compat/inet_ntop.c b/openbsd-compat/inet_ntop.c
index e7ca4b7f8..3259037ba 100644
--- a/openbsd-compat/inet_ntop.c
+++ b/openbsd-compat/inet_ntop.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: inet_ntop.c,v 1.7 2005/08/06 20:30:03 espie Exp $     */
+/*      $OpenBSD: inet_ntop.c,v 1.8 2008/12/09 19:38:38 otto Exp $      */
 
 /* Copyright (c) 1996 by Internet Software Consortium.
  *
@@ -57,13 +57,13 @@ static const char *inet_ntop6(const u_char *src, char *dst, size_t size);
  *      Paul Vixie, 1996.
  */
 const char *
-inet_ntop(int af, const void *src, char *dst, size_t size)
+inet_ntop(int af, const void *src, char *dst, socklen_t size)
 {
         switch (af) {
         case AF_INET:
-                return (inet_ntop4(src, dst, size));
+                return (inet_ntop4(src, dst, (size_t)size));
         case AF_INET6:
-                return (inet_ntop6(src, dst, size));
+                return (inet_ntop6(src, dst, (size_t)size));
         default:
                 errno = EAFNOSUPPORT;
                 return (NULL);
diff --git a/openbsd-compat/mktemp.c b/openbsd-compat/mktemp.c
index 2285c84df..4eb52f421 100644
--- a/openbsd-compat/mktemp.c
+++ b/openbsd-compat/mktemp.c
@@ -1,34 +1,22 @@
 /* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */
 /* Changes: Removed mktemp */
 
-/*      $OpenBSD: mktemp.c,v 1.19 2005/08/08 08:05:36 espie Exp $ */
+/*      $OpenBSD: mktemp.c,v 1.30 2010/03/21 23:09:30 schwarze Exp $ */
 /*
- * Copyright (c) 1987, 1993
- *      The Regents of the University of California.  All rights reserved.
+ * Copyright (c) 1996-1998, 2008 Theo de Raadt
+ * Copyright (c) 1997, 2008-2009 Todd C. Miller
  *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
 /* OPENBSD ORIGINAL: lib/libc/stdio/mktemp.c */
@@ -37,142 +25,117 @@
 
 #include <sys/types.h>
 #include <sys/stat.h>
-
+#include <errno.h>
 #include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
 #include <ctype.h>
-#include <errno.h>
 #include <unistd.h>
 
 #if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP)
 
-static int _gettemp(char *, int *, int, int);
+#define MKTEMP_NAME     0
+#define MKTEMP_FILE     1
+#define MKTEMP_DIR      2
 
-int
-mkstemps(char *path, int slen)
+#define TEMPCHARS       "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+#define NUM_CHARS       (sizeof(TEMPCHARS) - 1)
+
+static int
+mktemp_internal(char *path, int slen, int mode)
 {
+        char *start, *cp, *ep;
+        const char *tempchars = TEMPCHARS;
+        unsigned int r, tries;
+        struct stat sb;
+        size_t len;
         int fd;
 
-        return (_gettemp(path, &fd, 0, slen) ? fd : -1);
+        len = strlen(path);
+        if (len == 0 || slen < 0 || (size_t)slen >= len) {
+                errno = EINVAL;
+                return(-1);
+        }
+        ep = path + len - slen;
+
+        tries = 1;
+        for (start = ep; start > path && start[-1] == 'X'; start--) {
+                if (tries < INT_MAX / NUM_CHARS)
+                        tries *= NUM_CHARS;
+        }
+        tries *= 2;
+
+        do {
+                for (cp = start; cp != ep; cp++) {
+                        r = arc4random_uniform(NUM_CHARS);
+                        *cp = tempchars[r];
+                }
+
+                switch (mode) {
+                case MKTEMP_NAME:
+                        if (lstat(path, &sb) != 0)
+                                return(errno == ENOENT ? 0 : -1);
+                        break;
+                case MKTEMP_FILE:
+                        fd = open(path, O_CREAT|O_EXCL|O_RDWR, S_IRUSR|S_IWUSR);
+                        if (fd != -1 || errno != EEXIST)
+                                return(fd);
+                        break;
+                case MKTEMP_DIR:
+                        if (mkdir(path, S_IRUSR|S_IWUSR|S_IXUSR) == 0)
+                                return(0);
+                        if (errno != EEXIST)
+                                return(-1);
+                        break;
+                }
+        } while (--tries);
+
+        errno = EEXIST;
+        return(-1);
 }
 
-int
-mkstemp(char *path)
-{
-        int fd;
+#if 0
+char *_mktemp(char *);
 
-        return (_gettemp(path, &fd, 0, 0) ? fd : -1);
+char *
+_mktemp(char *path)
+{
+        if (mktemp_internal(path, 0, MKTEMP_NAME) == -1)
+                return(NULL);
+        return(path);
 }
 
+__warn_references(mktemp,
+    "warning: mktemp() possibly used unsafely; consider using mkstemp()");
+
 char *
-mkdtemp(char *path)
+mktemp(char *path)
 {
-        return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL);
+        return(_mktemp(path));
 }
+#endif
 
-static int
-_gettemp(path, doopen, domkdir, slen)
-        char *path;
-        register int *doopen;
-        int domkdir;
-        int slen;
+int
+mkstemp(char *path)
 {
-        register char *start, *trv, *suffp;
-        struct stat sbuf;
-        int rval;
-        pid_t pid;
+        return(mktemp_internal(path, 0, MKTEMP_FILE));
+}
 
-        if (doopen && domkdir) {
-                errno = EINVAL;
-                return(0);
-        }
+int
+mkstemps(char *path, int slen)
+{
+        return(mktemp_internal(path, slen, MKTEMP_FILE));
+}
 
-        for (trv = path; *trv; ++trv)
-                ;
-        trv -= slen;
-        suffp = trv;
-        --trv;
-        if (trv < path) {
-                errno = EINVAL;
-                return (0);
-        }
-        pid = getpid();
-        while (trv >= path && *trv == 'X' && pid != 0) {
-                *trv-- = (pid % 10) + '0';
-                pid /= 10;
-        }
-        while (trv >= path && *trv == 'X') {
-                char c;
-
-                pid = (arc4random() & 0xffff) % (26+26);
-                if (pid < 26)
-                        c = pid + 'A';
-                else
-                        c = (pid - 26) + 'a';
-                *trv-- = c;
-        }
-        start = trv + 1;
-
-        /*
-         * check the target directory; if you have six X's and it
-         * doesn't exist this runs for a *very* long time.
-         */
-        if (doopen || domkdir) {
-                for (;; --trv) {
-                        if (trv <= path)
-                                break;
-                        if (*trv == '/') {
-                                *trv = '\0';
-                                rval = stat(path, &sbuf);
-                                *trv = '/';
-                                if (rval != 0)
-                                        return(0);
-                                if (!S_ISDIR(sbuf.st_mode)) {
-                                        errno = ENOTDIR;
-                                        return(0);
-                                }
-                                break;
-                        }
-                }
-        }
+char *
+mkdtemp(char *path)
+{
+        int error;
 
-        for (;;) {
-                if (doopen) {
-                        if ((*doopen =
-                            open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0)
-                                return(1);
-                        if (errno != EEXIST)
-                                return(0);
-                } else if (domkdir) {
-                        if (mkdir(path, 0700) == 0)
-                                return(1);
-                        if (errno != EEXIST)
-                                return(0);
-                } else if (lstat(path, &sbuf))
-                        return(errno == ENOENT ? 1 : 0);
-
-                /* tricky little algorithm for backward compatibility */
-                for (trv = start;;) {
-                        if (!*trv)
-                                return (0);
-                        if (*trv == 'Z') {
-                                if (trv == suffp)
-                                        return (0);
-                                *trv++ = 'a';
-                        } else {
-                                if (isdigit(*trv))
-                                        *trv = 'a';
-                                else if (*trv == 'z')   /* inc from z to A */
-                                        *trv = 'A';
-                                else {
-                                        if (trv == suffp)
-                                                return (0);
-                                        ++*trv;
-                                }
-                                break;
-                        }
-                }
-        }
-        /*NOTREACHED*/
+        error = mktemp_internal(path, 0, MKTEMP_DIR);
+        return(error ? NULL : path);
 }
 
 #endif /* !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP) */
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index 77c5ed2b1..807acf626 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.51 2010/10/07 10:25:29 djm Exp $ */
+/* $Id: openbsd-compat.h,v 1.52 2011/09/23 01:16:11 djm Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -116,7 +116,7 @@ char *inet_ntoa(struct in_addr in);
 #endif
 
 #ifndef HAVE_INET_NTOP
-const char *inet_ntop(int af, const void *src, char *dst, size_t size);
+const char *inet_ntop(int af, const void *src, char *dst, socklen_t size);
 #endif
 
 #ifndef HAVE_INET_ATON
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index c5fc24eb4..a151eff38 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.h,v 1.19 2011/05/10 01:13:38 dtucker Exp $ */
+/* $Id: openssl-compat.h,v 1.20 2012/01/17 03:03:39 dtucker Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -130,5 +130,10 @@ int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
 int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
 int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
 void ssh_OpenSSL_add_all_algorithms(void);
+
+# ifndef HAVE_HMAC_CTX_INIT
+#  define HMAC_CTX_init(a)
+# endif
+
 #endif  /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
 
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index ef91e4446..2b8a14a59 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -1,4 +1,4 @@
-/* $Id: port-linux.c,v 1.16 2011/08/29 06:09:57 djm Exp $ */
+/* $Id: port-linux.c,v 1.17 2012/03/08 23:25:18 djm Exp $ */
 
 /*
  * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@@ -99,6 +99,7 @@ ssh_selinux_getctxbyname(char *pwname, const char *role)
                 case 0:
                         error("%s: Failed to get default SELinux security "
                             "context for %s", __func__, pwname);
+                        sc = NULL;
                         break;
                 default:
                         fatal("%s: Failed to get default SELinux security "
@@ -114,7 +115,7 @@ ssh_selinux_getctxbyname(char *pwname, const char *role)
                 xfree(lvl);
 #endif
 
-        return (sc);
+        return sc;
 }
 
 /* Set the execution context to the default for the specified user */
diff --git a/openbsd-compat/setenv.c b/openbsd-compat/setenv.c
index e2a8b6dd3..373b701d9 100644
--- a/openbsd-compat/setenv.c
+++ b/openbsd-compat/setenv.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: setenv.c,v 1.9 2005/08/08 08:05:37 espie Exp $ */
+/*      $OpenBSD: setenv.c,v 1.13 2010/08/23 22:31:50 millert Exp $ */
 /*
  * Copyright (c) 1987 Regents of the University of California.
  * All rights reserved.
@@ -31,35 +31,38 @@
 /* OPENBSD ORIGINAL: lib/libc/stdlib/setenv.c */
 
 #include "includes.h"
+
 #if !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV)
 
+#include <errno.h>
 #include <stdlib.h>
 #include <string.h>
 
 extern char **environ;
+static char **lastenv;                          /* last value of environ */
 
 /* OpenSSH Portable: __findenv is from getenv.c rev 1.8, made static */
 /*
  * __findenv --
  *      Returns pointer to value associated with name, if any, else NULL.
+ *      Starts searching within the environmental array at offset.
  *      Sets offset to be the offset of the name/value combination in the
- *      environmental array, for use by setenv(3) and unsetenv(3).
+ *      environmental array, for use by putenv(3), setenv(3) and unsetenv(3).
  *      Explicitly removes '=' in argument name.
+ *
+ *      This routine *should* be a static; don't use it.
  */
 static char *
-__findenv(const char *name, size_t *offset)
+__findenv(const char *name, int len, int *offset)
 {
         extern char **environ;
-        int len, i;
+        int i;
         const char *np;
         char **p, *cp;
 
         if (name == NULL || environ == NULL)
                 return (NULL);
-        for (np = name; *np && *np != '='; ++np)
-                ;
-        len = np - name;
-        for (p = environ; (cp = *p) != NULL; ++p) {
+        for (p = environ + *offset; (cp = *p) != NULL; ++p) {
                 for (np = name, i = len; i && *cp; i--)
                         if (*cp++ != *np++)
                                 break;
@@ -71,6 +74,54 @@ __findenv(const char *name, size_t *offset)
         return (NULL);
 }
 
+#if 0 /* nothing uses putenv */
+/*
+ * putenv --
+ *      Add a name=value string directly to the environmental, replacing
+ *      any current value.
+ */
+int
+putenv(char *str)
+{
+        char **P, *cp;
+        size_t cnt;
+        int offset = 0;
+
+        for (cp = str; *cp && *cp != '='; ++cp)
+                ;
+        if (*cp != '=') {
+                errno = EINVAL;
+                return (-1);                    /* missing `=' in string */
+        }
+
+        if (__findenv(str, (int)(cp - str), &offset) != NULL) {
+                environ[offset++] = str;
+                /* could be set multiple times */
+                while (__findenv(str, (int)(cp - str), &offset)) {
+                        for (P = &environ[offset];; ++P)
+                                if (!(*P = *(P + 1)))
+                                        break;
+                }
+                return (0);
+        }
+
+        /* create new slot for string */
+        for (P = environ; *P != NULL; P++)
+                ;
+        cnt = P - environ;
+        P = (char **)realloc(lastenv, sizeof(char *) * (cnt + 2));
+        if (!P)
+                return (-1);
+        if (lastenv != environ)
+                memcpy(P, environ, cnt * sizeof(char *));
+        lastenv = environ = P;
+        environ[cnt] = str;
+        environ[cnt + 1] = NULL;
+        return (0);
+}
+
+#endif
+
 #ifndef HAVE_SETENV
 /*
  * setenv --
@@ -80,24 +131,39 @@ __findenv(const char *name, size_t *offset)
 int
 setenv(const char *name, const char *value, int rewrite)
 {
-        static char **lastenv;                  /* last value of environ */
-        char *C;
-        size_t l_value, offset;
+        char *C, **P;
+        const char *np;
+        int l_value, offset = 0;
+
+        for (np = name; *np && *np != '='; ++np)
+                ;
+#ifdef notyet
+        if (*np) {
+                errno = EINVAL;
+                return (-1);                    /* has `=' in name */
+        }
+#endif
 
-        if (*value == '=')                      /* no `=' in value */
-                ++value;
         l_value = strlen(value);
-        if ((C = __findenv(name, &offset))) {   /* find if already exists */
+        if ((C = __findenv(name, (int)(np - name), &offset)) != NULL) {
+                int tmpoff = offset + 1;
                 if (!rewrite)
                         return (0);
+#if 0 /* XXX - existing entry may not be writable */
                 if (strlen(C) >= l_value) {     /* old larger; copy over */
                         while ((*C++ = *value++))
                                 ;
                         return (0);
                 }
+#endif
+                /* could be set multiple times */
+                while (__findenv(name, (int)(np - name), &tmpoff)) {
+                        for (P = &environ[tmpoff];; ++P)
+                                if (!(*P = *(P + 1)))
+                                        break;
+                }
         } else {                                        /* create new slot */
                 size_t cnt;
-                char **P;
 
                 for (P = environ; *P != NULL; P++)
                         ;
@@ -111,10 +177,8 @@ setenv(const char *name, const char *value, int rewrite)
                 offset = cnt;
                 environ[cnt + 1] = NULL;
         }
-        for (C = (char *)name; *C && *C != '='; ++C)
-                ;                               /* no `=' in name */
         if (!(environ[offset] =                 /* name + `=' + value */
-            malloc((size_t)((int)(C - name) + l_value + 2))))
+            malloc((size_t)((int)(np - name) + l_value + 2))))
                 return (-1);
         for (C = environ[offset]; (*C = *name++) && *C != '='; ++C)
                 ;
@@ -122,6 +186,7 @@ setenv(const char *name, const char *value, int rewrite)
                 ;
         return (0);
 }
+
 #endif /* HAVE_SETENV */
 
 #ifndef HAVE_UNSETENV
@@ -129,17 +194,33 @@ setenv(const char *name, const char *value, int rewrite)
  * unsetenv(name) --
  *      Delete environmental variable "name".
  */
-void
+int
 unsetenv(const char *name)
 {
         char **P;
-        size_t offset;
+        const char *np;
+        int offset = 0;
 
-        while (__findenv(name, &offset))        /* if set multiple times */
+        if (!name || !*name) {
+                errno = EINVAL;
+                return (-1);
+        }
+        for (np = name; *np && *np != '='; ++np)
+                ;
+        if (*np) {
+                errno = EINVAL;
+                return (-1);                    /* has `=' in name */
+        }
+
+        /* could be set multiple times */
+        while (__findenv(name, (int)(np - name), &offset)) {
                 for (P = &environ[offset];; ++P)
                         if (!(*P = *(P + 1)))
                                 break;
+        }
+        return (0);
 }
 #endif /* HAVE_UNSETENV */
 
 #endif /* !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV) */
+
diff --git a/openbsd-compat/sha2.c b/openbsd-compat/sha2.c
index cf8e0ad66..f5bf74d1f 100755..100644
--- a/openbsd-compat/sha2.c
+++ b/openbsd-compat/sha2.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sha2.c,v 1.11 2005/08/08 08:05:35 espie Exp $ */
+/*      from OpenBSD: sha2.c,v 1.11 2005/08/08 08:05:35 espie Exp       */
 
 /*
  * FILE:        sha2.c
diff --git a/openbsd-compat/sha2.h b/openbsd-compat/sha2.h
index 821f2dd6c..73e94f150 100755..100644
--- a/openbsd-compat/sha2.h
+++ b/openbsd-compat/sha2.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sha2.h,v 1.6 2004/06/22 01:57:30 jfb Exp $    */
+/*      OpenBSD: sha2.h,v 1.6 2004/06/22 01:57:30 jfb Exp       */
 
 /*
  * FILE:        sha2.h
diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
index 679a5b291..b4b1b6015 100644
--- a/openbsd-compat/strlcpy.c
+++ b/openbsd-compat/strlcpy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: strlcpy.c,v 1.10 2005/08/08 08:05:37 espie Exp $      */
+/*      $OpenBSD: strlcpy.c,v 1.11 2006/05/05 15:27:38 millert Exp $    */
 
 /*
  * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
@@ -37,11 +37,11 @@ strlcpy(char *dst, const char *src, size_t siz)
         size_t n = siz;
 
         /* Copy as many bytes as will fit */
-        if (n != 0 && --n != 0) {
-                do {
-                        if ((*d++ = *s++) == 0)
+        if (n != 0) {
+                while (--n != 0) {
+                        if ((*d++ = *s++) == '\0')
                                 break;
-                } while (--n != 0);
+                }
         }
 
         /* Not enough room in dst, add NUL and traverse rest of src */
diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
new file mode 100644
index 000000000..93d515595
--- /dev/null
+++ b/openbsd-compat/strnlen.c
@@ -0,0 +1,37 @@
+/*      $OpenBSD: strnlen.c,v 1.3 2010/06/02 12:58:12 millert Exp $     */
+
+/*
+ * Copyright (c) 2010 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* OPENBSD ORIGINAL: lib/libc/string/strnlen.c */
+
+#include "config.h"
+#ifndef HAVE_STRNLEN
+#include <sys/types.h>
+
+#include <string.h>
+
+size_t
+strnlen(const char *str, size_t maxlen)
+{
+        const char *cp;
+
+        for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
+                ;
+
+        return (size_t)(cp - str);
+}
+#endif