* New upstream release (closes: #395507, #397961, #420035). Important

  changes not previously backported to 4.3p2:
  - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
    + On portable OpenSSH, fix a GSSAPI authentication abort that could be
      used to determine the validity of usernames on some platforms.
    + Implemented conditional configuration in sshd_config(5) using the
      "Match" directive. This allows some configuration options to be
      selectively overridden if specific criteria (based on user, group,
      hostname and/or address) are met. So far a useful subset of
      post-authentication options are supported and more are expected to
      be added in future releases.
    + Add support for Diffie-Hellman group exchange key agreement with a
      final hash of SHA256.
    + Added a "ForceCommand" directive to sshd_config(5). Similar to the
      command="..." option accepted in ~/.ssh/authorized_keys, this forces
      the execution of the specified command regardless of what the user
      requested. This is very useful in conjunction with the new "Match"
      option.
    + Add a "PermitOpen" directive to sshd_config(5). This mirrors the
      permitopen="..." authorized_keys option, allowing fine-grained
      control over the port-forwardings that a user is allowed to
      establish.
    + Add optional logging of transactions to sftp-server(8).
    + ssh(1) will now record port numbers for hosts stored in
      ~/.ssh/known_hosts when a non-standard port has been requested
      (closes: #50612).
    + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
      non-zero exit code) when requested port forwardings could not be
      established.
    + Extend sshd_config(5) "SubSystem" declarations to allow the
      specification of command-line arguments.
    + Replacement of all integer overflow susceptible invocations of
      malloc(3) and realloc(3) with overflow-checking equivalents.
    + Many manpage fixes and improvements.
    + Add optional support for OpenSSL hardware accelerators (engines),
      enabled using the --with-ssl-engine configure option.
    + Tokens in configuration files may be double-quoted in order to
      contain spaces (closes: #319639).
    + Move a debug() call out of a SIGCHLD handler, fixing a hang when the
      session exits very quickly (closes: #307890).
    + Fix some incorrect buffer allocation calculations (closes: #410599).
    + ssh-add doesn't ask for a passphrase if key file permissions are too
      liberal (closes: #103677).
    + Likewise, ssh doesn't ask either (closes: #99675).
  - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
    + sshd now allows the enabling and disabling of authentication methods
      on a per user, group, host and network basis via the Match directive
      in sshd_config.
    + Fixed an inconsistent check for a terminal when displaying scp
      progress meter (closes: #257524).
    + Fix "hang on exit" when background processes are running at the time
      of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from
  http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
  install ChangeLog.gssapi.

47 files changed, 2172 insertions, 159 deletions

diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 3a8703bc1..9f06605d7 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.37 2005/12/31 05:33:37 djm Exp $
+# $Id: Makefile.in,v 1.40 2006/08/30 17:24:41 djm Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -16,11 +16,11 @@ RANLIB=@RANLIB@
 INSTALL=@INSTALL@
 LDFLAGS=-L. @LDFLAGS@
 
-OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
+OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
 
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
-PORTS=port-irix.o port-aix.o port-uw.o port-tun.o
+PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
 
 .c.o:
         $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/openbsd-compat/basename.c b/openbsd-compat/basename.c
index ad040e139..ffa5c8984 100644
--- a/openbsd-compat/basename.c
+++ b/openbsd-compat/basename.c
@@ -20,6 +20,8 @@
 
 #include "includes.h"
 #ifndef HAVE_BASENAME
+#include <errno.h>
+#include <string.h>
 
 char *
 basename(const char *path)
diff --git a/openbsd-compat/bindresvport.c b/openbsd-compat/bindresvport.c
index 7f48fd03a..65afed1e3 100644
--- a/openbsd-compat/bindresvport.c
+++ b/openbsd-compat/bindresvport.c
@@ -33,8 +33,14 @@
 #include "includes.h"
 
 #ifndef HAVE_BINDRESVPORT_SA
+#include <sys/types.h>
+#include <sys/socket.h>
 
-#include "includes.h"
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <string.h>
 
 #define STARTPORT 600
 #define ENDPORT (IPPORT_RESERVED - 1)
diff --git a/openbsd-compat/bsd-arc4random.c b/openbsd-compat/bsd-arc4random.c
index 1eeb6953b..d45fb182a 100644
--- a/openbsd-compat/bsd-arc4random.c
+++ b/openbsd-compat/bsd-arc4random.c
@@ -15,9 +15,13 @@
  */
 
 #include "includes.h"
-#include "log.h"
 
-RCSID("$Id: bsd-arc4random.c,v 1.10 2005/02/16 02:01:28 djm Exp $");
+#include <sys/types.h>
+
+#include <string.h>
+#include <stdarg.h>
+
+#include "log.h"
 
 #ifndef HAVE_ARC4RANDOM
 
diff --git a/openbsd-compat/bsd-asprintf.c b/openbsd-compat/bsd-asprintf.c
index 5ca01f80f..00fa0dfd8 100644
--- a/openbsd-compat/bsd-asprintf.c
+++ b/openbsd-compat/bsd-asprintf.c
@@ -21,6 +21,10 @@
 
 #ifndef HAVE_VASPRINTF
 
+#include <errno.h>
+#include <stdarg.h>
+#include <stdlib.h>
+
 #ifndef VA_COPY
 # ifdef HAVE_VA_COPY
 #  define VA_COPY(dest, src) va_copy(dest, src)
@@ -35,7 +39,8 @@
 
 #define INIT_SZ 128
 
-int vasprintf(char **str, const char *fmt, va_list ap)
+int
+vasprintf(char **str, const char *fmt, va_list ap)
 {
         int ret = -1;
         va_list ap2;
@@ -49,7 +54,7 @@ int vasprintf(char **str, const char *fmt, va_list ap)
         ret = vsnprintf(string, INIT_SZ, fmt, ap2);
         if (ret >= 0 && ret < INIT_SZ) { /* succeeded with initial alloc */
                 *str = string;
-        } else if (ret == INT_MAX) { /* shouldn't happen */
+        } else if (ret == INT_MAX || ret < 0) { /* Bad length */
                 goto fail;
         } else {        /* bigger than initial, realloc allowing for nul */
                 len = (size_t)ret + 1;
diff --git a/openbsd-compat/bsd-closefrom.c b/openbsd-compat/bsd-closefrom.c
index 5b7b94ae4..9380b33a7 100644
--- a/openbsd-compat/bsd-closefrom.c
+++ b/openbsd-compat/bsd-closefrom.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2004-2005 Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -22,9 +22,14 @@
 #include <sys/param.h>
 #include <unistd.h>
 #include <stdio.h>
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
 #include <limits.h>
 #include <stdlib.h>
 #include <stddef.h>
+#include <string.h>
+#include <unistd.h>
 #ifdef HAVE_DIRENT_H
 # include <dirent.h>
 # define NAMLEN(dirent) strlen((dirent)->d_name)
@@ -46,15 +51,20 @@
 # define OPEN_MAX       256
 #endif
 
-RCSID("$Id: bsd-closefrom.c,v 1.2 2005/11/10 08:29:13 dtucker Exp $");
-
-#ifndef lint
-static const char sudorcsid[] = "$Sudo: closefrom.c,v 1.6 2004/06/01 20:51:56 millert Exp $";
+#if 0
+__unused static const char rcsid[] = "$Sudo: closefrom.c,v 1.11 2006/08/17 15:26:54 millert Exp $";
 #endif /* lint */
 
 /*
  * Close all file descriptors greater than or equal to lowfd.
  */
+#ifdef HAVE_FCNTL_CLOSEM
+void
+closefrom(int lowfd)
+{
+    (void) fcntl(lowfd, F_CLOSEM, 0);
+}
+#else
 void
 closefrom(int lowfd)
 {
@@ -67,7 +77,7 @@ closefrom(int lowfd)
 
     /* Check for a /proc/$$/fd directory. */
     len = snprintf(fdpath, sizeof(fdpath), "/proc/%ld/fd", (long)getpid());
-    if (len >= 0 && (u_int)len <= sizeof(fdpath) && (dirp = opendir(fdpath))) {
+    if (len > 0 && (size_t)len <= sizeof(fdpath) && (dirp = opendir(fdpath))) {
         while ((dent = readdir(dirp)) != NULL) {
             fd = strtol(dent->d_name, &endp, 10);
             if (dent->d_name != endp && *endp == '\0' &&
@@ -95,6 +105,5 @@ closefrom(int lowfd)
             (void) close((int) fd);
     }
 }
-
+#endif /* !HAVE_FCNTL_CLOSEM */
 #endif /* HAVE_CLOSEFROM */
-
diff --git a/openbsd-compat/bsd-cray.c b/openbsd-compat/bsd-cray.c
index d1f1c059c..1532c991c 100644
--- a/openbsd-compat/bsd-cray.c
+++ b/openbsd-compat/bsd-cray.c
@@ -1,5 +1,5 @@
 /* 
- * $Id: bsd-cray.c,v 1.14 2005/02/02 06:10:11 dtucker Exp $
+ * $Id: bsd-cray.c,v 1.16 2006/09/01 05:38:41 djm Exp $
  *
  * bsd-cray.c
  *
@@ -52,7 +52,10 @@
 #include <sys/secstat.h>
 #include <sys/stat.h>
 #include <sys/session.h>
+#include <stdarg.h>
 #include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
 #include <pwd.h>
 #include <fcntl.h>
 #include <errno.h>
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index b5e3cc52b..dbf8176b6 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -29,15 +29,25 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-cygwin_util.c,v 1.14 2005/05/25 09:42:11 dtucker Exp $");
-
 #ifdef HAVE_CYGWIN
 
-#include <fcntl.h>
-#include <stdlib.h>
+#if defined(open) && open == binary_open
+# undef open
+#endif
+#if defined(pipe) && open == binary_pipe
+# undef pipe
+#endif
+
+#include <sys/types.h>
+#include <sys/stat.h>
 #include <sys/utsname.h>
 #include <sys/vfs.h>
+
+#include <fcntl.h>
+#include <stdlib.h>
+#include <unistd.h>
 #include <windows.h>
+
 #include "xmalloc.h"
 #define is_winnt       (GetVersion() < 0x80000000)
 
@@ -45,13 +55,6 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.14 2005/05/25 09:42:11 dtucker Exp $");
 #define ntsec_off(c)    ((c) && strstr((c),"nontsec"))
 #define ntea_on(c)      ((c) && strstr((c),"ntea") && !strstr((c),"nontea"))
 
-#if defined(open) && open == binary_open
-# undef open
-#endif
-#if defined(pipe) && open == binary_pipe
-# undef pipe
-#endif
-
 int 
 binary_open(const char *filename, int flags, ...)
 {
@@ -268,9 +271,9 @@ char **
 fetch_windows_environment(void)
 {
         char **e, **p;
-        int i, idx = 0;
+        unsigned int i, idx = 0;
 
-        p = xmalloc((WENV_SIZ + 1) * sizeof(char *));
+        p = xcalloc(WENV_SIZ + 1, sizeof(char *));
         for (e = environ; *e != NULL; ++e) {
                 for (i = 0; i < WENV_SIZ; ++i) {
                         if (!strncmp(*e, wenv_arr[i].name, wenv_arr[i].namelen))
diff --git a/openbsd-compat/bsd-getpeereid.c b/openbsd-compat/bsd-getpeereid.c
index fe2edad71..bdae8b637 100644
--- a/openbsd-compat/bsd-getpeereid.c
+++ b/openbsd-compat/bsd-getpeereid.c
@@ -16,10 +16,13 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-getpeereid.c,v 1.3 2004/02/17 05:49:55 djm Exp $");
-
 #if !defined(HAVE_GETPEEREID)
 
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <unistd.h>
+
 #if defined(SO_PEERCRED)
 int
 getpeereid(int s, uid_t *euid, gid_t *gid)
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
index d32b054d7..17d731bd2 100644
--- a/openbsd-compat/bsd-misc.c
+++ b/openbsd-compat/bsd-misc.c
@@ -16,9 +16,19 @@
  */
 
 #include "includes.h"
-#include "xmalloc.h"
 
-RCSID("$Id: bsd-misc.c,v 1.28 2005/11/01 22:07:31 dtucker Exp $");
+#ifdef HAVE_SYS_SELECT_H
+# include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+
+#include <string.h>
+#include <signal.h>
+#include <stdlib.h>
+
+#include "xmalloc.h"
 
 #ifndef HAVE___PROGNAME
 char *__progname;
diff --git a/openbsd-compat/bsd-nextstep.c b/openbsd-compat/bsd-nextstep.c
index bd35a3afc..8195af88a 100644
--- a/openbsd-compat/bsd-nextstep.c
+++ b/openbsd-compat/bsd-nextstep.c
@@ -24,8 +24,6 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-nextstep.c,v 1.6 2003/06/01 03:23:57 mouring Exp $");
-
 #ifdef HAVE_NEXT
 #include <errno.h>
 #include <sys/wait.h>
diff --git a/openbsd-compat/bsd-openpty.c b/openbsd-compat/bsd-openpty.c
index 8eb62b7a8..9777eb556 100644
--- a/openbsd-compat/bsd-openpty.c
+++ b/openbsd-compat/bsd-openpty.c
@@ -35,6 +35,21 @@
 #include "includes.h"
 #if !defined(HAVE_OPENPTY)
 
+#include <sys/types.h>
+
+#include <stdlib.h>
+
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_IOCTL_H
+# include <sys/ioctl.h>
+#endif
+
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
+
 #ifdef HAVE_UTIL_H
 # include <util.h>
 #endif /* HAVE_UTIL_H */
@@ -46,6 +61,10 @@
 # include <sys/stropts.h>
 #endif
 
+#include <signal.h>
+#include <string.h>
+#include <unistd.h>
+
 #ifndef O_NOCTTY
 #define O_NOCTTY 0
 #endif
diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c
index e4ba154fd..41d2be238 100644
--- a/openbsd-compat/bsd-snprintf.c
+++ b/openbsd-compat/bsd-snprintf.c
@@ -85,12 +85,15 @@
  *
  *    Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even
  *    if the C library has some snprintf functions already.
+ *
+ * Damien Miller (djm@mindrot.org) Jan 2007
+ *    Fix integer overflows in return value.
+ *    Make formatting quite a bit faster by inlining dopr_outch()
+ *
  **************************************************************/
 
 #include "includes.h"
 
-RCSID("$Id: bsd-snprintf.c,v 1.11 2005/12/17 11:32:04 dtucker Exp $");
-
 #if defined(BROKEN_SNPRINTF)            /* For those with broken snprintf() */
 # undef HAVE_SNPRINTF
 # undef HAVE_VSNPRINTF
@@ -110,6 +113,13 @@ RCSID("$Id: bsd-snprintf.c,v 1.11 2005/12/17 11:32:04 dtucker Exp $");
 
 #if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF)
 
+#include <ctype.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <errno.h>
+
 #ifdef HAVE_LONG_DOUBLE
 # define LDOUBLE long double
 #else
@@ -156,17 +166,28 @@ RCSID("$Id: bsd-snprintf.c,v 1.11 2005/12/17 11:32:04 dtucker Exp $");
 # define MAX(p,q) (((p) >= (q)) ? (p) : (q))
 #endif
 
-static size_t dopr(char *buffer, size_t maxlen, const char *format, 
-                   va_list args_in);
-static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
-                    char *value, int flags, int min, int max);
-static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
-                    long value, int base, int min, int max, int flags);
-static void fmtfp(char *buffer, size_t *currlen, size_t maxlen,
-                   LDOUBLE fvalue, int min, int max, int flags);
-static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
-
-static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
+#define DOPR_OUTCH(buf, pos, buflen, thechar) \
+        do { \
+                if (pos + 1 >= INT_MAX) { \
+                        errno = ERANGE; \
+                        return -1; \
+                } \
+                if (pos < buflen) \
+                        buf[pos] = thechar; \
+                (pos)++; \
+        } while (0)
+
+static int dopr(char *buffer, size_t maxlen, const char *format, 
+    va_list args_in);
+static int fmtstr(char *buffer, size_t *currlen, size_t maxlen,
+    char *value, int flags, int min, int max);
+static int fmtint(char *buffer, size_t *currlen, size_t maxlen,
+    LLONG value, int base, int min, int max, int flags);
+static int fmtfp(char *buffer, size_t *currlen, size_t maxlen,
+    LDOUBLE fvalue, int min, int max, int flags);
+
+static int
+dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
 {
         char ch;
         LLONG value;
@@ -195,8 +216,8 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                 case DP_S_DEFAULT:
                         if (ch == '%') 
                                 state = DP_S_FLAGS;
-                        else 
-                                dopr_outch (buffer, &currlen, maxlen, ch);
+                        else
+                                DOPR_OUTCH(buffer, currlen, maxlen, ch);
                         ch = *format++;
                         break;
                 case DP_S_FLAGS:
@@ -295,7 +316,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                         value = va_arg (args, LLONG);
                                 else
                                         value = va_arg (args, int);
-                                fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
+                                if (fmtint(buffer, &currlen, maxlen,
+                                    value, 10, min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'o':
                                 flags |= DP_F_UNSIGNED;
@@ -307,7 +330,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                         value = (long)va_arg (args, unsigned LLONG);
                                 else
                                         value = (long)va_arg (args, unsigned int);
-                                fmtint (buffer, &currlen, maxlen, value, 8, min, max, flags);
+                                if (fmtint(buffer, &currlen, maxlen, value,
+                                    8, min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'u':
                                 flags |= DP_F_UNSIGNED;
@@ -319,7 +344,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                         value = (LLONG)va_arg (args, unsigned LLONG);
                                 else
                                         value = (long)va_arg (args, unsigned int);
-                                fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
+                                if (fmtint(buffer, &currlen, maxlen, value,
+                                    10, min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'X':
                                 flags |= DP_F_UP;
@@ -333,15 +360,18 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                         value = (LLONG)va_arg (args, unsigned LLONG);
                                 else
                                         value = (long)va_arg (args, unsigned int);
-                                fmtint (buffer, &currlen, maxlen, value, 16, min, max, flags);
+                                if (fmtint(buffer, &currlen, maxlen, value,
+                                    16, min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'f':
                                 if (cflags == DP_C_LDOUBLE)
                                         fvalue = va_arg (args, LDOUBLE);
                                 else
                                         fvalue = va_arg (args, double);
-                                /* um, floating point? */
-                                fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
+                                if (fmtfp(buffer, &currlen, maxlen, fvalue,
+                                    min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'E':
                                 flags |= DP_F_UP;
@@ -350,7 +380,9 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                         fvalue = va_arg (args, LDOUBLE);
                                 else
                                         fvalue = va_arg (args, double);
-                                fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
+                                if (fmtfp(buffer, &currlen, maxlen, fvalue,
+                                    min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'G':
                                 flags |= DP_F_UP;
@@ -359,10 +391,13 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                         fvalue = va_arg (args, LDOUBLE);
                                 else
                                         fvalue = va_arg (args, double);
-                                fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
+                                if (fmtfp(buffer, &currlen, maxlen, fvalue,
+                                    min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'c':
-                                dopr_outch (buffer, &currlen, maxlen, va_arg (args, int));
+                                DOPR_OUTCH(buffer, currlen, maxlen,
+                                    va_arg (args, int));
                                 break;
                         case 's':
                                 strvalue = va_arg (args, char *);
@@ -371,11 +406,15 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                         max = strlen(strvalue);
                                 }
                                 if (min > 0 && max >= 0 && min > max) max = min;
-                                fmtstr (buffer, &currlen, maxlen, strvalue, flags, min, max);
+                                if (fmtstr(buffer, &currlen, maxlen,
+                                    strvalue, flags, min, max) == -1)
+                                        return -1;
                                 break;
                         case 'p':
                                 strvalue = va_arg (args, void *);
-                                fmtint (buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags);
+                                if (fmtint(buffer, &currlen, maxlen,
+                                    (long) strvalue, 16, min, max, flags) == -1)
+                                        return -1;
                                 break;
                         case 'n':
                                 if (cflags == DP_C_SHORT) {
@@ -397,7 +436,7 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                                 }
                                 break;
                         case '%':
-                                dopr_outch (buffer, &currlen, maxlen, ch);
+                                DOPR_OUTCH(buffer, currlen, maxlen, ch);
                                 break;
                         case 'w':
                                 /* not supported yet, treat as next char */
@@ -426,11 +465,12 @@ static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args
                         buffer[maxlen - 1] = '\0';
         }
         
-        return currlen;
+        return currlen < INT_MAX ? (int)currlen : -1;
 }
 
-static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
-                    char *value, int flags, int min, int max)
+static int
+fmtstr(char *buffer, size_t *currlen, size_t maxlen,
+    char *value, int flags, int min, int max)
 {
         int padlen, strln;     /* amount to pad */
         int cnt = 0;
@@ -450,28 +490,31 @@ static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
                 padlen = -padlen; /* Left Justify */
         
         while ((padlen > 0) && (cnt < max)) {
-                dopr_outch (buffer, currlen, maxlen, ' ');
+                DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
                 --padlen;
                 ++cnt;
         }
         while (*value && (cnt < max)) {
-                dopr_outch (buffer, currlen, maxlen, *value++);
+                DOPR_OUTCH(buffer, *currlen, maxlen, *value);
+                *value++;
                 ++cnt;
         }
         while ((padlen < 0) && (cnt < max)) {
-                dopr_outch (buffer, currlen, maxlen, ' ');
+                DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
                 ++padlen;
                 ++cnt;
         }
+        return 0;
 }
 
 /* Have to handle DP_F_NUM (ie 0x and 0 alternates) */
 
-static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
-                    long value, int base, int min, int max, int flags)
+static int
+fmtint(char *buffer, size_t *currlen, size_t maxlen,
+                    LLONG value, int base, int min, int max, int flags)
 {
         int signvalue = 0;
-        unsigned long uvalue;
+        unsigned LLONG uvalue;
         char convert[20];
         int place = 0;
         int spadlen = 0; /* amount to space pad */
@@ -524,31 +567,34 @@ static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
 
         /* Spaces */
         while (spadlen > 0) {
-                dopr_outch (buffer, currlen, maxlen, ' ');
+                DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
                 --spadlen;
         }
 
         /* Sign */
         if (signvalue) 
-                dopr_outch (buffer, currlen, maxlen, signvalue);
+                DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
 
         /* Zeros */
         if (zpadlen > 0) {
                 while (zpadlen > 0) {
-                        dopr_outch (buffer, currlen, maxlen, '0');
+                        DOPR_OUTCH(buffer, *currlen, maxlen, '0');
                         --zpadlen;
                 }
         }
 
         /* Digits */
-        while (place > 0) 
-                dopr_outch (buffer, currlen, maxlen, convert[--place]);
+        while (place > 0) {
+                --place;
+                DOPR_OUTCH(buffer, *currlen, maxlen, convert[place]);
+        }
   
         /* Left Justified spaces */
         while (spadlen < 0) {
-                dopr_outch (buffer, currlen, maxlen, ' ');
+                DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
                 ++spadlen;
         }
+        return 0;
 }
 
 static LDOUBLE abs_val(LDOUBLE value)
@@ -561,13 +607,13 @@ static LDOUBLE abs_val(LDOUBLE value)
         return result;
 }
 
-static LDOUBLE POW10(int exp)
+static LDOUBLE POW10(int val)
 {
         LDOUBLE result = 1;
         
-        while (exp) {
+        while (val) {
                 result *= 10;
-                exp--;
+                val--;
         }
   
         return result;
@@ -601,7 +647,10 @@ static double my_modf(double x0, double *iptr)
         }
 
         if (i == 100) {
-                /* yikes! the number is beyond what we can handle. What do we do? */
+                /*
+                 * yikes! the number is beyond what we can handle.
+                 * What do we do?
+                 */
                 (*iptr) = 0;
                 return 0;
         }
@@ -620,8 +669,9 @@ static double my_modf(double x0, double *iptr)
 }
 
 
-static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
-                   LDOUBLE fvalue, int min, int max, int flags)
+static int
+fmtfp (char *buffer, size_t *currlen, size_t maxlen,
+    LDOUBLE fvalue, int min, int max, int flags)
 {
         int signvalue = 0;
         double ufvalue;
@@ -726,24 +776,26 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
         
         if ((flags & DP_F_ZERO) && (padlen > 0)) {
                 if (signvalue) {
-                        dopr_outch (buffer, currlen, maxlen, signvalue);
+                        DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
                         --padlen;
                         signvalue = 0;
                 }
                 while (padlen > 0) {
-                        dopr_outch (buffer, currlen, maxlen, '0');
+                        DOPR_OUTCH(buffer, *currlen, maxlen, '0');
                         --padlen;
                 }
         }
         while (padlen > 0) {
-                dopr_outch (buffer, currlen, maxlen, ' ');
+                DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
                 --padlen;
         }
         if (signvalue) 
-                dopr_outch (buffer, currlen, maxlen, signvalue);
+                DOPR_OUTCH(buffer, *currlen, maxlen, signvalue);
         
-        while (iplace > 0) 
-                dopr_outch (buffer, currlen, maxlen, iconvert[--iplace]);
+        while (iplace > 0) {
+                --iplace;
+                DOPR_OUTCH(buffer, *currlen, maxlen, iconvert[iplace]);
+        }
 
 #ifdef DEBUG_SNPRINTF
         printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen);
@@ -754,41 +806,38 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
          * char to print out.
          */
         if (max > 0) {
-                dopr_outch (buffer, currlen, maxlen, '.');
+                DOPR_OUTCH(buffer, *currlen, maxlen, '.');
                 
                 while (zpadlen > 0) {
-                        dopr_outch (buffer, currlen, maxlen, '0');
+                        DOPR_OUTCH(buffer, *currlen, maxlen, '0');
                         --zpadlen;
                 }
 
-                while (fplace > 0) 
-                        dopr_outch (buffer, currlen, maxlen, fconvert[--fplace]);
+                while (fplace > 0) {
+                        --fplace;
+                        DOPR_OUTCH(buffer, *currlen, maxlen, fconvert[fplace]);
+                }
         }
 
         while (padlen < 0) {
-                dopr_outch (buffer, currlen, maxlen, ' ');
+                DOPR_OUTCH(buffer, *currlen, maxlen, ' ');
                 ++padlen;
         }
-}
-
-static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
-{
-        if (*currlen < maxlen) {
-                buffer[(*currlen)] = c;
-        }
-        (*currlen)++;
+        return 0;
 }
 #endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */
 
 #if !defined(HAVE_VSNPRINTF)
-int vsnprintf (char *str, size_t count, const char *fmt, va_list args)
+int
+vsnprintf (char *str, size_t count, const char *fmt, va_list args)
 {
         return dopr(str, count, fmt, args);
 }
 #endif
 
 #if !defined(HAVE_SNPRINTF)
-int snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
+int
+snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
 {
         size_t ret;
         va_list ap;
@@ -799,4 +848,3 @@ int snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
         return ret;
 }
 #endif
-
diff --git a/openbsd-compat/bsd-waitpid.c b/openbsd-compat/bsd-waitpid.c
index 93c9ec35e..40e6ffaa8 100644
--- a/openbsd-compat/bsd-waitpid.c
+++ b/openbsd-compat/bsd-waitpid.c
@@ -24,8 +24,6 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-waitpid.c,v 1.5 2003/06/01 03:23:57 mouring Exp $");
-
 #ifndef HAVE_WAITPID 
 #include <errno.h>
 #include <sys/wait.h>
diff --git a/openbsd-compat/daemon.c b/openbsd-compat/daemon.c
index f8a0680bf..e3a6886bd 100644
--- a/openbsd-compat/daemon.c
+++ b/openbsd-compat/daemon.c
@@ -34,6 +34,20 @@
 
 #ifndef HAVE_DAEMON
 
+#include <sys/types.h>
+
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
+
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif
+
 int
 daemon(int nochdir, int noclose)
 {
diff --git a/openbsd-compat/fake-rfc2553.c b/openbsd-compat/fake-rfc2553.c
index 0186b5300..b6ea3d21e 100644
--- a/openbsd-compat/fake-rfc2553.c
+++ b/openbsd-compat/fake-rfc2553.c
@@ -37,7 +37,11 @@
 
 #include "includes.h"
 
-RCSID("$Id: fake-rfc2553.c,v 1.5 2003/09/22 02:08:23 dtucker Exp $");
+#include <stdlib.h>
+#include <string.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
 
 #ifndef HAVE_GETNAMEINFO
 int getnameinfo(const struct sockaddr *sa, size_t salen, char *host, 
diff --git a/openbsd-compat/fake-rfc2553.h b/openbsd-compat/fake-rfc2553.h
index cbcf7f727..5c2ce5b1b 100644
--- a/openbsd-compat/fake-rfc2553.h
+++ b/openbsd-compat/fake-rfc2553.h
@@ -1,4 +1,4 @@
-/* $Id: fake-rfc2553.h,v 1.12 2005/08/03 05:36:21 dtucker Exp $ */
+/* $Id: fake-rfc2553.h,v 1.13 2006/07/24 03:51:52 djm Exp $ */
 
 /*
  * Copyright (C) 2000-2003 Damien Miller.  All rights reserved.
@@ -41,7 +41,10 @@
 #define _FAKE_RFC2553_H
 
 #include "includes.h"
-#include "sys/types.h"
+#include <sys/types.h>
+#if defined(HAVE_NETDB_H)
+# include <netdb.h>
+#endif
 
 /*
  * First, socket and INET6 related definitions 
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index bea6aea3b..07231d005 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -49,6 +49,12 @@
 
 #ifndef HAVE_GETRRSETBYNAME
 
+#include <stdlib.h>
+#include <string.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
 #include "getrrsetbyname.h"
 
 #if defined(HAVE_DECL_H_ERRNO) && !HAVE_DECL_H_ERRNO
@@ -60,6 +66,13 @@ extern int h_errno;
 # undef _THREAD_PRIVATE
 #endif
 #define _THREAD_PRIVATE(a,b,c) (c)
+
+/* to avoid conflicts where a platform already has _res */
+#ifdef _res
+# undef _res
+#endif
+#define _res    _compat_res
+
 struct __res_state _res;
 
 /* Necessary functions and macros */
@@ -290,10 +303,12 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
         }
 
         /* allocate memory for signatures */
-        rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
-        if (rrset->rri_sigs == NULL) {
-                result = ERRSET_NOMEMORY;
-                goto fail;
+        if (rrset->rri_nsigs > 0) {
+                rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
+                if (rrset->rri_sigs == NULL) {
+                        result = ERRSET_NOMEMORY;
+                        goto fail;
+                }
         }
 
         /* copy answers & signatures */
diff --git a/openbsd-compat/glob.c b/openbsd-compat/glob.c
index f6a04ea3f..b3dd2b171 100644
--- a/openbsd-compat/glob.c
+++ b/openbsd-compat/glob.c
@@ -34,7 +34,21 @@
 /* OPENBSD ORIGINAL: lib/libc/gen/glob.c */
 
 #include "includes.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <dirent.h>
 #include <ctype.h>
+#include <errno.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || \
+    !defined(GLOB_HAS_GL_MATCHC) || \
+    !defined(HAVE_DECL_GLOB_NOMATCH) || HAVE_DECL_GLOB_NOMATCH == 0
 
 static long
 get_arg_max(void)
@@ -48,9 +62,6 @@ get_arg_max(void)
 #endif
 }
 
-#if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || \
-    !defined(GLOB_HAS_GL_MATCHC)
-
 /*
  * glob(3) -- a superset of the one defined in POSIX 1003.2.
  *
diff --git a/openbsd-compat/glob.h b/openbsd-compat/glob.h
index 4fdbfc1ea..9ba07f76e 100644
--- a/openbsd-compat/glob.h
+++ b/openbsd-compat/glob.h
@@ -38,7 +38,8 @@
 /* OPENBSD ORIGINAL: include/glob.h */
 
 #if !defined(HAVE_GLOB_H) || !defined(GLOB_HAS_ALTDIRFUNC) || \
-    !defined(GLOB_HAS_GL_MATCHC)
+    !defined(GLOB_HAS_GL_MATCHC) || \
+    !defined(HAVE_DECL_GLOB_NOMATCH) || HAVE_DECL_GLOB_NOMATCH == 0
 
 #ifndef _GLOB_H_
 #define _GLOB_H_
diff --git a/openbsd-compat/mktemp.c b/openbsd-compat/mktemp.c
index 88e04c520..2285c84df 100644
--- a/openbsd-compat/mktemp.c
+++ b/openbsd-compat/mktemp.c
@@ -35,6 +35,14 @@
 
 #include "includes.h"
 
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <fcntl.h>
+#include <ctype.h>
+#include <errno.h>
+#include <unistd.h>
+
 #if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP)
 
 static int _gettemp(char *, int *, int, int);
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index 1a3027353..aac2e6cbc 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.33 2005/12/31 05:33:37 djm Exp $ */
+/* $Id: openbsd-compat.h,v 1.42 2006/09/03 12:44:50 dtucker Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -31,6 +31,11 @@
 
 #include "includes.h"
 
+#include <sys/types.h>
+#include <pwd.h>
+
+#include <sys/socket.h>
+
 /* OpenBSD function replacements */
 #include "base64.h"
 #include "sigact.h"
@@ -38,7 +43,7 @@
 #include "readpassphrase.h"
 #include "vis.h"
 #include "getrrsetbyname.h"
-
+#include "sha2.h"
 
 #ifndef HAVE_BASENAME
 char *basename(const char *path);
@@ -126,13 +131,16 @@ int getgrouplist(const char *, gid_t, gid_t *, int *);
 int BSDgetopt(int argc, char * const *argv, const char *opts);
 #endif
 
+#if defined(HAVE_DECL_WRITEV) && HAVE_DECL_WRITEV == 0
+# include <sys/types.h>
+# include <sys/uio.h>
+int writev(int, struct iovec *, int);
+#endif
 
 /* Home grown routines */
 #include "bsd-misc.h"
 #include "bsd-waitpid.h"
 
-/*#include <sys/types.h> XXX Still needed? * For uid_t, gid_t * */
-
 #ifndef HAVE_GETPEEREID
 int getpeereid(int , uid_t *, gid_t *);
 #endif 
@@ -147,13 +155,14 @@ int asprintf(char **, const char *, ...);
 #endif 
 
 #ifndef HAVE_OPENPTY
+# include <sys/ioctl.h> /* for struct winsize */
 int openpty(int *, int *, char *, struct termios *, struct winsize *);
 #endif /* HAVE_OPENPTY */
 
 /* #include <sys/types.h> XXX needed? For size_t */
 
 #ifndef HAVE_SNPRINTF
-int snprintf(char *, size_t, const char *, ...);
+int snprintf(char *, size_t, SNPRINTF_CONST char *, ...);
 #endif 
 
 #ifndef HAVE_STRTOLL
@@ -164,6 +173,10 @@ long long strtoll(const char *, char **, int);
 long long strtonum(const char *, long long, long long, const char **);
 #endif
 
+#if !defined(HAVE_VASPRINTF) || !defined(HAVE_VSNPRINTF)
+# include <stdarg.h>
+#endif
+
 #ifndef HAVE_VASPRINTF
 int vasprintf(char **, const char *, va_list);
 #endif
@@ -176,16 +189,18 @@ void *xmmap(size_t size);
 char *xcrypt(const char *password, const char *salt);
 char *shadow_pw(struct passwd *pw);
 
-
 /* rfc2553 socket API replacements */
 #include "fake-rfc2553.h"
 
 /* Routines for a single OS platform */
 #include "bsd-cray.h"
 #include "bsd-cygwin_util.h"
-#include "port-irix.h"
+
 #include "port-aix.h"
-#include "port-uw.h"
+#include "port-irix.h"
+#include "port-linux.h"
+#include "port-solaris.h"
 #include "port-tun.h"
+#include "port-uw.h"
 
 #endif /* _OPENBSD_COMPAT_H */
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index b690e8fe6..45ebd3f66 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.c,v 1.2 2005/06/17 11:15:21 dtucker Exp $ */
+/* $Id: openssl-compat.c,v 1.4 2006/02/22 11:24:47 dtucker Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -18,7 +18,11 @@
 
 #include "includes.h"
 
-#define SSH_DONT_REDEF_EVP
+#ifdef USE_OPENSSL_ENGINE
+# include <openssl/engine.h>
+#endif
+
+#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
 #include "openssl-compat.h"
 
 #ifdef SSH_OLD_EVP
@@ -44,3 +48,15 @@ ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
         return 1;
 }
 #endif
+
+#ifdef  USE_OPENSSL_ENGINE
+void
+ssh_SSLeay_add_all_algorithms(void)
+{
+        SSLeay_add_all_algorithms();
+
+        /* Enable use of crypto hardware */
+        ENGINE_load_builtin_engines();
+        ENGINE_register_all_complete();
+}
+#endif
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 8a015ec43..9b5ccff5f 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.h,v 1.3 2005/12/19 06:40:40 dtucker Exp $ */
+/* $Id: openssl-compat.h,v 1.7 2007/03/05 07:25:20 dtucker Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -46,6 +46,11 @@ extern const EVP_CIPHER *evp_acss(void);
 # endif
 #endif
 
+/* OpenSSL 0.9.8e returns cipher key len not context key len */
+#if (OPENSSL_VERSION_NUMBER == 0x0090805fL)
+# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len)
+#endif
+
 /*
  * We overload some of the OpenSSL crypto functions with ssh_* equivalents
  * which cater for older and/or less featureful OpenSSL version.
@@ -54,21 +59,27 @@ extern const EVP_CIPHER *evp_acss(void);
  * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
  * implement the ssh_* equivalents.
  */
-#ifdef SSH_OLD_EVP
-
-# ifndef SSH_DONT_REDEF_EVP
+#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS
 
+# ifdef SSH_OLD_EVP
 #  ifdef EVP_Cipher
 #   undef EVP_Cipher
 #  endif
-
 #  define EVP_CipherInit(a,b,c,d,e)     ssh_EVP_CipherInit((a),(b),(c),(d),(e))
 #  define EVP_Cipher(a,b,c,d)           ssh_EVP_Cipher((a),(b),(c),(d))
 #  define EVP_CIPHER_CTX_cleanup(a)     ssh_EVP_CIPHER_CTX_cleanup((a))
-# endif
+# endif /* SSH_OLD_EVP */
+
+# ifdef USE_OPENSSL_ENGINE
+#  ifdef SSLeay_add_all_algorithms
+#   undef SSLeay_add_all_algorithms
+#  endif
+#  define SSLeay_add_all_algorithms()   ssh_SSLeay_add_all_algorithms()
+#endif
 
 int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
     unsigned char *, int);
 int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
 int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
-#endif
+void ssh_SSLeay_add_all_algorithms(void);
+#endif  /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 81d8124e0..b9fabf61f 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -25,16 +25,36 @@
  *
  */
 #include "includes.h"
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "ssh.h"
 #include "log.h"
-#include "xmalloc.h"
-#include "buffer.h"
 
 #ifdef _AIX
 
+#include <errno.h>
+#if defined(HAVE_NETDB_H)
+# include <netdb.h>
+#endif
 #include <uinfo.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
 #include <sys/socket.h>
+
+#ifdef WITH_AIXAUTHENTICATE
+# include <login.h>
+# include <userpw.h>
+# if defined(HAVE_SYS_AUDIT_H) && defined(AIX_LOGINFAILED_4ARG)
+#  include <sys/audit.h>
+# endif
+# include <usersec.h>
+#endif
+
 #include "port-aix.h"
 
 # ifdef HAVE_SETAUTHDB
@@ -256,15 +276,17 @@ sys_auth_record_login(const char *user, const char *host, const char *ttynm,
     Buffer *loginmsg)
 {
         char *msg = NULL;
+        static int msg_done = 0;
         int success = 0;
 
         aix_setauthdb(user);
         if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
                 success = 1;
-                if (msg != NULL) {
+                if (msg != NULL && loginmsg != NULL && !msg_done) {
                         debug("AIX/loginsuccess: msg %s", msg);
                         buffer_append(loginmsg, msg, strlen(msg));
                         xfree(msg);
+                        msg_done = 1;
                 }
         }
         aix_restoreauthdb();
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 37b2c12b0..5a04bedad 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.26 2005/05/28 10:28:40 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.27 2006/09/18 13:54:33 dtucker Exp $ */
 
 /*
  *
@@ -31,18 +31,6 @@
 #ifdef HAVE_SYS_SOCKET_H
 # include <sys/socket.h>
 #endif
-#ifdef HAVE_UNISTD_H
-# include <unistd.h>    /* for seteuid() */
-#endif
-
-#ifdef WITH_AIXAUTHENTICATE
-# include <login.h>
-# include <userpw.h>
-# if defined(HAVE_SYS_AUDIT_H) && defined(AIX_LOGINFAILED_4ARG)
-#  include <sys/audit.h>
-# endif
-# include <usersec.h>
-#endif
 
 #include "buffer.h"
 
diff --git a/openbsd-compat/port-irix.c b/openbsd-compat/port-irix.c
index aa6db1cf8..ba751a538 100644
--- a/openbsd-compat/port-irix.c
+++ b/openbsd-compat/port-irix.c
@@ -29,6 +29,10 @@
     defined(WITH_IRIX_JOBS) || \
     defined(WITH_IRIX_ARRAY)
 
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
 #ifdef WITH_IRIX_PROJECT
 # include <proj.h>
 #endif /* WITH_IRIX_PROJECT */
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
new file mode 100644
index 000000000..d153f8fb5
--- /dev/null
+++ b/openbsd-compat/port-linux.c
@@ -0,0 +1,178 @@
+/* $Id: port-linux.c,v 1.3 2006/09/01 05:38:41 djm Exp $ */
+
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - just SELinux support at present
+ */
+
+#include "includes.h"
+
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+
+#ifdef WITH_SELINUX
+#include "log.h"
+#include "port-linux.h"
+
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+
+/* Wrapper around is_selinux_enabled() to log its return value once only */
+static int
+ssh_selinux_enabled(void)
+{
+        static int enabled = -1;
+
+        if (enabled == -1) {
+                enabled = is_selinux_enabled();
+                debug("SELinux support %s", enabled ? "enabled" : "disabled");
+        }
+
+        return (enabled);
+}
+
+/* Return the default security context for the given username */
+static security_context_t
+ssh_selinux_getctxbyname(char *pwname)
+{
+        security_context_t sc;
+        char *sename = NULL, *role = NULL, *lvl = NULL;
+        int r;
+
+#ifdef HAVE_GETSEUSERBYNAME
+        if (getseuserbyname(pwname, &sename, &lvl) != 0)
+                return NULL;
+#else
+        sename = pwname;
+        lvl = NULL;
+#endif
+        if (the_authctxt)
+                role = the_authctxt->role;
+
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+        if (role != NULL && role[0])
+                r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+                                                       &sc);
+        else
+                r = get_default_context_with_level(sename, lvl, NULL, &sc);
+#else
+        if (role != NULL && role[0])
+                r = get_default_context_with_role(sename, role, NULL, &sc);
+        else
+                r = get_default_context(sename, NULL, &sc);
+#endif
+
+        if (r != 0) {
+                switch (security_getenforce()) {
+                case -1:
+                        fatal("%s: ssh_selinux_getctxbyname: "
+                            "security_getenforce() failed", __func__);
+                case 0:
+                        error("%s: Failed to get default SELinux security "
+                            "context for %s", __func__, pwname);
+                default:
+                        fatal("%s: Failed to get default SELinux security "
+                            "context for %s (in enforcing mode)",
+                            __func__, pwname);
+                }
+        }
+
+#ifdef HAVE_GETSEUSERBYNAME
+        if (sename != NULL)
+                xfree(sename);
+        if (lvl != NULL)
+                xfree(lvl);
+#endif
+
+        return (sc);
+}
+
+/* Set the execution context to the default for the specified user */
+void
+ssh_selinux_setup_exec_context(char *pwname)
+{
+        security_context_t user_ctx = NULL;
+
+        if (!ssh_selinux_enabled())
+                return;
+
+        debug3("%s: setting execution context", __func__);
+
+        user_ctx = ssh_selinux_getctxbyname(pwname);
+        if (setexeccon(user_ctx) != 0) {
+                switch (security_getenforce()) {
+                case -1:
+                        fatal("%s: security_getenforce() failed", __func__);
+                case 0:
+                        error("%s: Failed to set SELinux execution "
+                            "context for %s", __func__, pwname);
+                default:
+                        fatal("%s: Failed to set SELinux execution context "
+                            "for %s (in enforcing mode)", __func__, pwname);
+                }
+        }
+        if (user_ctx != NULL)
+                freecon(user_ctx);
+
+        debug3("%s: done", __func__);
+}
+
+/* Set the TTY context for the specified user */
+void
+ssh_selinux_setup_pty(char *pwname, const char *tty)
+{
+        security_context_t new_tty_ctx = NULL;
+        security_context_t user_ctx = NULL;
+        security_context_t old_tty_ctx = NULL;
+
+        if (!ssh_selinux_enabled())
+                return;
+
+        debug3("%s: setting TTY context on %s", __func__, tty);
+
+        user_ctx = ssh_selinux_getctxbyname(pwname);
+
+        /* XXX: should these calls fatal() upon failure in enforcing mode? */
+
+        if (getfilecon(tty, &old_tty_ctx) == -1) {
+                error("%s: getfilecon: %s", __func__, strerror(errno));
+                goto out;
+        }
+
+        if (security_compute_relabel(user_ctx, old_tty_ctx,
+            SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
+                error("%s: security_compute_relabel: %s",
+                    __func__, strerror(errno));
+                goto out;
+        }
+
+        if (setfilecon(tty, new_tty_ctx) != 0)
+                error("%s: setfilecon: %s", __func__, strerror(errno));
+ out:
+        if (new_tty_ctx != NULL)
+                freecon(new_tty_ctx);
+        if (old_tty_ctx != NULL)
+                freecon(old_tty_ctx);
+        if (user_ctx != NULL)
+                freecon(user_ctx);
+        debug3("%s: done", __func__);
+}
+#endif /* WITH_SELINUX */
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
new file mode 100644
index 000000000..05e520e1c
--- /dev/null
+++ b/openbsd-compat/port-linux.h
@@ -0,0 +1,27 @@
+/* $Id: port-linux.h,v 1.1 2006/04/22 11:26:08 djm Exp $ */
+
+/*
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _PORT_LINUX_H
+#define _PORT_LINUX_H
+
+#ifdef WITH_SELINUX
+void ssh_selinux_setup_pty(char *, const char *);
+void ssh_selinux_setup_exec_context(char *);
+#endif
+
+#endif /* ! _PORT_LINUX_H */
diff --git a/openbsd-compat/port-solaris.c b/openbsd-compat/port-solaris.c
new file mode 100644
index 000000000..2ab64d487
--- /dev/null
+++ b/openbsd-compat/port-solaris.c
@@ -0,0 +1,199 @@
+/* $Id: port-solaris.c,v 1.3 2006/10/31 23:28:49 dtucker Exp $ */
+
+/*
+ * Copyright (c) 2006 Chad Mynhier.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "config.h"
+#include "includes.h"
+
+#ifdef USE_SOLARIS_PROCESS_CONTRACTS
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/param.h>
+
+#include <errno.h>
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <libcontract.h>
+#include <sys/contract/process.h>
+#include <sys/ctfs.h>
+
+#include "log.h"
+
+#define CT_TEMPLATE     CTFS_ROOT "/process/template"
+#define CT_LATEST       CTFS_ROOT "/process/latest"
+
+static int tmpl_fd = -1;
+
+/* Lookup the latest process contract */
+static ctid_t
+get_active_process_contract_id(void)
+{
+        int stat_fd;
+        ctid_t ctid = -1;
+        ct_stathdl_t stathdl;
+
+        if ((stat_fd = open64(CT_LATEST, O_RDONLY)) == -1) {
+                error("%s: Error opening 'latest' process "
+                    "contract: %s", __func__, strerror(errno));
+                return -1;
+        }
+        if (ct_status_read(stat_fd, CTD_COMMON, &stathdl) != 0) {
+                error("%s: Error reading process contract "
+                    "status: %s", __func__, strerror(errno));
+                goto out;
+        }
+        if ((ctid = ct_status_get_id(stathdl)) < 0) {
+                error("%s: Error getting process contract id: %s",
+                    __func__, strerror(errno));
+                goto out;
+        }
+
+        ct_status_free(stathdl);
+ out:
+        close(stat_fd);
+        return ctid;
+}
+
+void
+solaris_contract_pre_fork(void)
+{
+        if ((tmpl_fd = open64(CT_TEMPLATE, O_RDWR)) == -1) {
+                error("%s: open %s: %s", __func__,
+                    CT_TEMPLATE, strerror(errno));
+                return;
+        }
+
+        debug2("%s: setting up process contract template on fd %d",
+            __func__, tmpl_fd);
+
+        /* First we set the template parameters and event sets. */
+        if (ct_pr_tmpl_set_param(tmpl_fd, CT_PR_PGRPONLY) != 0) {
+                error("%s: Error setting process contract parameter set "
+                    "(pgrponly): %s", __func__, strerror(errno));
+                goto fail;
+        }
+        if (ct_pr_tmpl_set_fatal(tmpl_fd, CT_PR_EV_HWERR) != 0) {
+                error("%s: Error setting process contract template "
+                    "fatal events: %s", __func__, strerror(errno));
+                goto fail;
+        }
+        if (ct_tmpl_set_critical(tmpl_fd, 0) != 0) {
+                error("%s: Error setting process contract template "
+                    "critical events: %s", __func__, strerror(errno));
+                goto fail;
+        }
+        if (ct_tmpl_set_informative(tmpl_fd, CT_PR_EV_HWERR) != 0) {
+                error("%s: Error setting process contract template "
+                    "informative events: %s", __func__, strerror(errno));
+                goto fail;
+        }
+
+        /* Now make this the active template for this process. */
+        if (ct_tmpl_activate(tmpl_fd) != 0) {
+                error("%s: Error activating process contract "
+                    "template: %s", __func__, strerror(errno));
+                goto fail;
+        }
+        return;
+
+ fail:
+        if (tmpl_fd != -1) {
+                close(tmpl_fd);
+                tmpl_fd = -1;
+        }
+}
+
+void
+solaris_contract_post_fork_child()
+{
+        debug2("%s: clearing process contract template on fd %d",
+            __func__, tmpl_fd);
+
+        /* Clear the active template. */
+        if (ct_tmpl_clear(tmpl_fd) != 0)
+                error("%s: Error clearing active process contract "
+                    "template: %s", __func__, strerror(errno));
+
+        close(tmpl_fd);
+        tmpl_fd = -1;
+}
+
+void
+solaris_contract_post_fork_parent(pid_t pid)
+{
+        ctid_t ctid;
+        char ctl_path[256];
+        int r, ctl_fd = -1, stat_fd = -1;
+
+        debug2("%s: clearing template (fd %d)", __func__, tmpl_fd);
+
+        if (tmpl_fd == -1)
+                return;
+
+        /* First clear the active template. */
+        if ((r = ct_tmpl_clear(tmpl_fd)) != 0)
+                error("%s: Error clearing active process contract "
+                    "template: %s", __func__, strerror(errno));
+
+        close(tmpl_fd);
+        tmpl_fd = -1;
+
+        /*
+         * If either the fork didn't succeed (pid < 0), or clearing
+         * th active contract failed (r != 0), then we have nothing
+         * more do.
+         */
+        if (r != 0 || pid <= 0)
+                return;
+
+        /* Now lookup and abandon the contract we've created. */
+        ctid = get_active_process_contract_id();
+
+        debug2("%s: abandoning contract id %ld", __func__, ctid);
+
+        snprintf(ctl_path, sizeof(ctl_path),
+            CTFS_ROOT "/process/%ld/ctl", ctid);
+        if ((ctl_fd = open64(ctl_path, O_WRONLY)) < 0) {
+                error("%s: Error opening process contract "
+                    "ctl file: %s", __func__, strerror(errno));
+                goto fail;
+        }
+        if (ct_ctl_abandon(ctl_fd) < 0) {
+                error("%s: Error abandoning process contract: %s",
+                    __func__, strerror(errno));
+                goto fail;
+        }
+        close(ctl_fd);
+        return;
+
+ fail:
+        if (tmpl_fd != -1) {
+                close(tmpl_fd);
+                tmpl_fd = -1;
+        }
+        if (stat_fd != -1)
+                close(stat_fd);
+        if (ctl_fd != -1)
+                close(ctl_fd);
+}
+#endif
diff --git a/openbsd-compat/port-solaris.h b/openbsd-compat/port-solaris.h
new file mode 100644
index 000000000..4c324871e
--- /dev/null
+++ b/openbsd-compat/port-solaris.h
@@ -0,0 +1,27 @@
+/* $Id: port-solaris.h,v 1.1 2006/08/30 17:24:42 djm Exp $ */
+
+/*
+ * Copyright (c) 2006 Chad Mynhier.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _PORT_SOLARIS_H
+
+#include <sys/types.h>
+
+void solaris_contract_pre_fork(void);
+void solaris_contract_post_fork_child(void);
+void solaris_contract_post_fork_parent(pid_t pid);
+
+#endif
diff --git a/openbsd-compat/port-tun.c b/openbsd-compat/port-tun.c
index 31921615f..276474db8 100644
--- a/openbsd-compat/port-tun.c
+++ b/openbsd-compat/port-tun.c
@@ -16,9 +16,23 @@
 
 #include "includes.h"
 
+#include <sys/types.h>
+#include <sys/ioctl.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netinet/ip.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
 #include "log.h"
 #include "misc.h"
-#include "bufaux.h"
+#include "buffer.h"
+#include "channels.h"
 
 /*
  * This is the portable version of the SSH tunnel forwarding, it
@@ -26,6 +40,7 @@
  * settings.
  *
  * SSH_TUN_LINUX        Use the (newer) Linux tun/tap device
+ * SSH_TUN_FREEBSD      Use the FreeBSD tun/tap device
  * SSH_TUN_COMPAT_AF    Translate the OpenBSD address family
  * SSH_TUN_PREPEND_AF   Prepend/remove the address family
  */
@@ -93,7 +108,10 @@ sys_tun_open(int tun, int mode)
 #ifdef SSH_TUN_FREEBSD
 #include <sys/socket.h>
 #include <net/if.h>
+
+#ifdef HAVE_NET_IF_TUN_H
 #include <net/if_tun.h>
+#endif
 
 int
 sys_tun_open(int tun, int mode)
diff --git a/openbsd-compat/port-tun.h b/openbsd-compat/port-tun.h
index 86d9272b4..c53df01fc 100644
--- a/openbsd-compat/port-tun.h
+++ b/openbsd-compat/port-tun.h
@@ -17,7 +17,7 @@
 #ifndef _PORT_TUN_H
 #define _PORT_TUN_H
 
-#include "channels.h"
+struct Channel;
 
 #if defined(SSH_TUN_LINUX) || defined(SSH_TUN_FREEBSD)
 # define CUSTOM_SYS_TUN_OPEN
diff --git a/openbsd-compat/port-uw.c b/openbsd-compat/port-uw.c
index c64427121..6f3523902 100644
--- a/openbsd-compat/port-uw.c
+++ b/openbsd-compat/port-uw.c
@@ -26,15 +26,26 @@
 #include "includes.h"
 
 #ifdef HAVE_LIBIAF
+#include <sys/types.h>
 #ifdef HAVE_CRYPT_H
-#include <crypt.h>
+# include <crypt.h>
 #endif
+#include <pwd.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "xmalloc.h"
 #include "packet.h"
 #include "buffer.h"
+#include "auth-options.h"
 #include "log.h"
 #include "servconf.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
-#include "auth-options.h"
+#include "ssh.h"
 
 int nischeck(char *);
 
diff --git a/openbsd-compat/readpassphrase.c b/openbsd-compat/readpassphrase.c
index 919c0174a..11bd8f646 100644
--- a/openbsd-compat/readpassphrase.c
+++ b/openbsd-compat/readpassphrase.c
@@ -27,7 +27,13 @@
 #ifndef HAVE_READPASSPHRASE
 
 #include <termios.h>
+#include <signal.h>
+#include <ctype.h>
+#include <fcntl.h>
 #include <readpassphrase.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
 
 #ifdef TCSASOFT
 # define _T_FLUSH       (TCSAFLUSH|TCSASOFT)
diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in
new file mode 100644
index 000000000..bcf214bd0
--- /dev/null
+++ b/openbsd-compat/regress/Makefile.in
@@ -0,0 +1,38 @@
+# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $
+
+sysconfdir=@sysconfdir@
+piddir=@piddir@
+srcdir=@srcdir@
+top_srcdir=@top_srcdir@
+
+VPATH=@srcdir@
+CC=@CC@
+LD=@LD@
+CFLAGS=@CFLAGS@
+CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
+EXEEXT=@EXEEXT@
+LIBCOMPAT=../libopenbsd-compat.a
+LIBS=@LIBS@
+LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
+
+TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
+        strtonumtest$(EXEEXT)
+
+all:    t-exec ${OTHERTESTS}
+
+%$(EXEEXT):     %.c
+        $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS)
+
+t-exec: $(TESTPROGS)
+        @echo running compat regress tests
+        @for TEST in ""$?; do \
+                echo "run test $${TEST}" ... 1>&2; \
+                ./$${TEST}$(EXEEXT) || exit $$? ; \
+        done
+        @echo finished compat regress tests
+
+clean:
+        rm -f *.o *.a core $(TESTPROGS) valid.out
+
+distclean: clean
+        rm -f Makefile *~
diff --git a/openbsd-compat/regress/closefromtest.c b/openbsd-compat/regress/closefromtest.c
new file mode 100644
index 000000000..feb1b567d
--- /dev/null
+++ b/openbsd-compat/regress/closefromtest.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2006 Darren Tucker
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define NUM_OPENS 10
+
+void
+fail(char *msg)
+{
+        fprintf(stderr, "closefrom: %s\n", msg);
+        exit(1);
+}
+
+int
+main(void)
+{
+        int i, max, fds[NUM_OPENS];
+        char buf[512];
+
+        for (i = 0; i < NUM_OPENS; i++)
+                if ((fds[i] = open("/dev/null", "r")) == -1)
+                        exit(0);        /* can't test */
+        max = i - 1;
+
+        /* should close last fd only */
+        closefrom(fds[max]);
+        if (close(fds[max]) != -1)
+                fail("failed to close highest fd");
+
+        /* make sure we can still use remaining descriptors */
+        for (i = 0; i < max; i++)
+                if (read(fds[i], buf, sizeof(buf)) == -1)
+                        fail("closed descriptors it should not have");
+
+        /* should close all fds */
+        closefrom(fds[0]);
+        for (i = 0; i < NUM_OPENS; i++)
+                if (close(fds[i]) != -1)
+                        fail("failed to close from lowest fd");
+}
diff --git a/openbsd-compat/regress/snprintftest.c b/openbsd-compat/regress/snprintftest.c
new file mode 100644
index 000000000..4ca63e180
--- /dev/null
+++ b/openbsd-compat/regress/snprintftest.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2005 Darren Tucker
+ * Copyright (c) 2005 Damien Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#define BUFSZ 2048
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+
+static int failed = 0;
+
+static void
+fail(const char *m)
+{
+        fprintf(stderr, "snprintftest: %s\n", m);
+        failed = 1;
+}
+
+int x_snprintf(char *str, size_t count, const char *fmt, ...)
+{
+        size_t ret;
+        va_list ap;
+
+        va_start(ap, fmt);
+        ret = vsnprintf(str, count, fmt, ap);
+        va_end(ap);
+        return ret;
+}
+
+int
+main(void)
+{
+        char b[5];
+        char *src;
+
+        snprintf(b,5,"123456789");
+        if (b[4] != '\0')
+                fail("snprintf does not correctly terminate long strings");
+
+        /* check for read overrun on unterminated string */
+        if ((src = malloc(BUFSZ)) == NULL) {
+                fail("malloc failed");
+        } else {
+                memset(src, 'a', BUFSZ);
+                snprintf(b, sizeof(b), "%.*s", 1, src);
+                if (strcmp(b, "a") != 0)
+                        fail("failed with length limit '%%.s'");
+        }
+
+        /* check that snprintf and vsnprintf return sane values */
+        if (snprintf(b, 1, "%s %d", "hello", 12345) != 11)
+                fail("snprintf does not return required length");
+        if (x_snprintf(b, 1, "%s %d", "hello", 12345) != 11)
+                fail("vsnprintf does not return required length");
+
+        return failed;
+}
diff --git a/openbsd-compat/regress/strduptest.c b/openbsd-compat/regress/strduptest.c
new file mode 100644
index 000000000..7f6d779be
--- /dev/null
+++ b/openbsd-compat/regress/strduptest.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2005 Darren Tucker
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+static int fail = 0;
+
+void
+test(const char *a)
+{
+        char *b;
+
+        b = strdup(a);
+        if (b == 0) {
+                fail = 1;
+                return;
+        }
+        if (strcmp(a, b) != 0)
+                fail = 1;
+        free(b);
+}
+
+int
+main(void)
+{
+        test("");
+        test("a");
+        test("\0");
+        test("abcdefghijklmnopqrstuvwxyz");
+        return fail;
+}
diff --git a/openbsd-compat/regress/strtonumtest.c b/openbsd-compat/regress/strtonumtest.c
new file mode 100644
index 000000000..cb8585129
--- /dev/null
+++ b/openbsd-compat/regress/strtonumtest.c
@@ -0,0 +1,66 @@
+/*      $OpenBSD: strtonumtest.c,v 1.1 2004/08/03 20:38:36 otto Exp $   */
+/*
+ * Copyright (c) 2004 Otto Moerbeek <otto@drijf.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* OPENBSD ORIGINAL: regress/lib/libc/strtonum/strtonumtest.c */
+
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+int fail;
+
+void
+test(const char *p, long long lb, long long ub, int ok)
+{
+        long long val;
+        const char *q;
+
+        val = strtonum(p, lb, ub, &q);
+        if (ok && q != NULL) {
+                fprintf(stderr, "%s [%lld-%lld] ", p, lb, ub);
+                fprintf(stderr, "NUMBER NOT ACCEPTED %s\n", q);
+                fail = 1;
+        } else if (!ok && q == NULL) {
+                fprintf(stderr, "%s [%lld-%lld] %lld ", p, lb, ub, val);
+                fprintf(stderr, "NUMBER ACCEPTED\n");
+                fail = 1;
+        }
+}
+
+int main(int argc, char *argv[])
+{
+        test("1", 0, 10, 1);
+        test("0", -2, 5, 1);
+        test("0", 2, 5, 0);
+        test("0", 2, LLONG_MAX, 0);
+        test("-2", 0, LLONG_MAX, 0);
+        test("0", -5, LLONG_MAX, 1);
+        test("-3", -3, LLONG_MAX, 1);
+        test("-9223372036854775808", LLONG_MIN, LLONG_MAX, 1);
+        test("9223372036854775807", LLONG_MIN, LLONG_MAX, 1);
+        test("-9223372036854775809", LLONG_MIN, LLONG_MAX, 0);
+        test("9223372036854775808", LLONG_MIN, LLONG_MAX, 0);
+        test("1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0);
+        test("-1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0);
+        test("-2", 10, -1, 0);
+        test("-2", -10, -1, 1);
+        test("-20", -10, -1, 0);
+        test("20", -10, -1, 0);
+
+        return (fail);
+}
+
diff --git a/openbsd-compat/rresvport.c b/openbsd-compat/rresvport.c
index 71cf6e6eb..5b0275ce0 100644
--- a/openbsd-compat/rresvport.c
+++ b/openbsd-compat/rresvport.c
@@ -35,6 +35,16 @@
 
 #ifndef HAVE_RRESVPORT_AF
 
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+
 #if 0
 int
 rresvport(int *alport)
diff --git a/openbsd-compat/setproctitle.c b/openbsd-compat/setproctitle.c
index 6e2b19bb4..b511f6649 100644
--- a/openbsd-compat/setproctitle.c
+++ b/openbsd-compat/setproctitle.c
@@ -35,10 +35,13 @@
 
 #ifndef HAVE_SETPROCTITLE
 
+#include <stdarg.h>
+#include <stdlib.h>
 #include <unistd.h>
 #ifdef HAVE_SYS_PSTAT_H
 #include <sys/pstat.h>
 #endif
+#include <string.h>
 
 #define SPT_NONE        0       /* don't use it at all */
 #define SPT_PSTAT       1       /* use pstat(PSTAT_SETCMD, ...) */
@@ -80,7 +83,7 @@ compat_init_setproctitle(int argc, char *argv[])
         /* Fail if we can't allocate room for the new environment */
         for (i = 0; envp[i] != NULL; i++)
                 ;
-        if ((environ = malloc(sizeof(*environ) * (i + 1))) == NULL) {
+        if ((environ = calloc(i + 1, sizeof(*environ))) == NULL) {
                 environ = envp; /* put it back */
                 return;
         }
diff --git a/openbsd-compat/sha2.c b/openbsd-compat/sha2.c
new file mode 100755
index 000000000..cf8e0ad66
--- /dev/null
+++ b/openbsd-compat/sha2.c
@@ -0,0 +1,882 @@
+/*      $OpenBSD: sha2.c,v 1.11 2005/08/08 08:05:35 espie Exp $ */
+
+/*
+ * FILE:        sha2.c
+ * AUTHOR:      Aaron D. Gifford <me@aarongifford.com>
+ * 
+ * Copyright (c) 2000-2001, Aaron D. Gifford
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
+ */
+
+/* OPENBSD ORIGINAL: lib/libc/hash/sha2.c */
+
+#include "includes.h"
+
+#include <openssl/opensslv.h>
+
+#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+#include <sys/types.h>
+#include <string.h>
+#include "sha2.h"
+
+/*
+ * UNROLLED TRANSFORM LOOP NOTE:
+ * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
+ * loop version for the hash transform rounds (defined using macros
+ * later in this file).  Either define on the command line, for example:
+ *
+ *   cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
+ *
+ * or define below:
+ *
+ *   #define SHA2_UNROLL_TRANSFORM
+ *
+ */
+
+/*** SHA-256/384/512 Machine Architecture Definitions *****************/
+/*
+ * BYTE_ORDER NOTE:
+ *
+ * Please make sure that your system defines BYTE_ORDER.  If your
+ * architecture is little-endian, make sure it also defines
+ * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
+ * equivilent.
+ *
+ * If your system does not define the above, then you can do so by
+ * hand like this:
+ *
+ *   #define LITTLE_ENDIAN 1234
+ *   #define BIG_ENDIAN    4321
+ *
+ * And for little-endian machines, add:
+ *
+ *   #define BYTE_ORDER LITTLE_ENDIAN 
+ *
+ * Or for big-endian machines:
+ *
+ *   #define BYTE_ORDER BIG_ENDIAN
+ *
+ * The FreeBSD machine this was written on defines BYTE_ORDER
+ * appropriately by including <sys/types.h> (which in turn includes
+ * <machine/endian.h> where the appropriate definitions are actually
+ * made).
+ */
+#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
+#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
+#endif
+
+
+/*** SHA-256/384/512 Various Length Definitions ***********************/
+/* NOTE: Most of these are in sha2.h */
+#define SHA256_SHORT_BLOCK_LENGTH       (SHA256_BLOCK_LENGTH - 8)
+#define SHA384_SHORT_BLOCK_LENGTH       (SHA384_BLOCK_LENGTH - 16)
+#define SHA512_SHORT_BLOCK_LENGTH       (SHA512_BLOCK_LENGTH - 16)
+
+/*** ENDIAN SPECIFIC COPY MACROS **************************************/
+#define BE_8_TO_32(dst, cp) do {                                        \
+        (dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) |        \
+            ((u_int32_t)(cp)[1] << 16) | ((u_int32_t)(cp)[0] << 24);    \
+} while(0)
+
+#define BE_8_TO_64(dst, cp) do {                                        \
+        (dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) |        \
+            ((u_int64_t)(cp)[5] << 16) | ((u_int64_t)(cp)[4] << 24) |   \
+            ((u_int64_t)(cp)[3] << 32) | ((u_int64_t)(cp)[2] << 40) |   \
+            ((u_int64_t)(cp)[1] << 48) | ((u_int64_t)(cp)[0] << 56);    \
+} while (0)
+
+#define BE_64_TO_8(cp, src) do {                                        \
+        (cp)[0] = (src) >> 56;                                          \
+        (cp)[1] = (src) >> 48;                                          \
+        (cp)[2] = (src) >> 40;                                          \
+        (cp)[3] = (src) >> 32;                                          \
+        (cp)[4] = (src) >> 24;                                          \
+        (cp)[5] = (src) >> 16;                                          \
+        (cp)[6] = (src) >> 8;                                           \
+        (cp)[7] = (src);                                                \
+} while (0)
+
+#define BE_32_TO_8(cp, src) do {                                        \
+        (cp)[0] = (src) >> 24;                                          \
+        (cp)[1] = (src) >> 16;                                          \
+        (cp)[2] = (src) >> 8;                                           \
+        (cp)[3] = (src);                                                \
+} while (0)
+
+/*
+ * Macro for incrementally adding the unsigned 64-bit integer n to the
+ * unsigned 128-bit integer (represented using a two-element array of
+ * 64-bit words):
+ */
+#define ADDINC128(w,n) do {                                             \
+        (w)[0] += (u_int64_t)(n);                                       \
+        if ((w)[0] < (n)) {                                             \
+                (w)[1]++;                                               \
+        }                                                               \
+} while (0)
+
+/*** THE SIX LOGICAL FUNCTIONS ****************************************/
+/*
+ * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
+ *
+ *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
+ *   S is a ROTATION) because the SHA-256/384/512 description document
+ *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
+ *   same "backwards" definition.
+ */
+/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
+#define R(b,x)          ((x) >> (b))
+/* 32-bit Rotate-right (used in SHA-256): */
+#define S32(b,x)        (((x) >> (b)) | ((x) << (32 - (b))))
+/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
+#define S64(b,x)        (((x) >> (b)) | ((x) << (64 - (b))))
+
+/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
+#define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
+#define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+
+/* Four of six logical functions used in SHA-256: */
+#define Sigma0_256(x)   (S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
+#define Sigma1_256(x)   (S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
+#define sigma0_256(x)   (S32(7,  (x)) ^ S32(18, (x)) ^ R(3 ,   (x)))
+#define sigma1_256(x)   (S32(17, (x)) ^ S32(19, (x)) ^ R(10,   (x)))
+
+/* Four of six logical functions used in SHA-384 and SHA-512: */
+#define Sigma0_512(x)   (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
+#define Sigma1_512(x)   (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
+#define sigma0_512(x)   (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
+#define sigma1_512(x)   (S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))
+
+
+/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
+/* Hash constant words K for SHA-256: */
+const static u_int32_t K256[64] = {
+        0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
+        0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
+        0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
+        0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
+        0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
+        0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
+        0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
+        0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
+        0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
+        0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
+        0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
+        0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
+        0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
+        0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
+        0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
+        0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
+};
+
+/* Initial hash value H for SHA-256: */
+const static u_int32_t sha256_initial_hash_value[8] = {
+        0x6a09e667UL,
+        0xbb67ae85UL,
+        0x3c6ef372UL,
+        0xa54ff53aUL,
+        0x510e527fUL,
+        0x9b05688cUL,
+        0x1f83d9abUL,
+        0x5be0cd19UL
+};
+
+/* Hash constant words K for SHA-384 and SHA-512: */
+const static u_int64_t K512[80] = {
+        0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
+        0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
+        0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
+        0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
+        0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
+        0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
+        0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
+        0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
+        0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
+        0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
+        0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
+        0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
+        0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
+        0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
+        0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
+        0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
+        0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
+        0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
+        0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
+        0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
+        0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
+        0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
+        0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
+        0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
+        0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
+        0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
+        0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
+        0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
+        0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
+        0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
+        0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
+        0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
+        0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
+        0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
+        0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
+        0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
+        0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
+        0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
+        0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
+        0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
+};
+
+/* Initial hash value H for SHA-384 */
+const static u_int64_t sha384_initial_hash_value[8] = {
+        0xcbbb9d5dc1059ed8ULL,
+        0x629a292a367cd507ULL,
+        0x9159015a3070dd17ULL,
+        0x152fecd8f70e5939ULL,
+        0x67332667ffc00b31ULL,
+        0x8eb44a8768581511ULL,
+        0xdb0c2e0d64f98fa7ULL,
+        0x47b5481dbefa4fa4ULL
+};
+
+/* Initial hash value H for SHA-512 */
+const static u_int64_t sha512_initial_hash_value[8] = {
+        0x6a09e667f3bcc908ULL,
+        0xbb67ae8584caa73bULL,
+        0x3c6ef372fe94f82bULL,
+        0xa54ff53a5f1d36f1ULL,
+        0x510e527fade682d1ULL,
+        0x9b05688c2b3e6c1fULL,
+        0x1f83d9abfb41bd6bULL,
+        0x5be0cd19137e2179ULL
+};
+
+
+/*** SHA-256: *********************************************************/
+void
+SHA256_Init(SHA256_CTX *context)
+{
+        if (context == NULL)
+                return;
+        memcpy(context->state, sha256_initial_hash_value,
+            sizeof(sha256_initial_hash_value));
+        memset(context->buffer, 0, sizeof(context->buffer));
+        context->bitcount = 0;
+}
+
+#ifdef SHA2_UNROLL_TRANSFORM
+
+/* Unrolled SHA-256 round macros: */
+
+#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do {                              \
+        BE_8_TO_32(W256[j], data);                                          \
+        data += 4;                                                          \
+        T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
+        (d) += T1;                                                          \
+        (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c));                    \
+        j++;                                                                \
+} while(0)
+
+#define ROUND256(a,b,c,d,e,f,g,h) do {                                      \
+        s0 = W256[(j+1)&0x0f];                                              \
+        s0 = sigma0_256(s0);                                                \
+        s1 = W256[(j+14)&0x0f];                                             \
+        s1 = sigma1_256(s1);                                                \
+        T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] +          \
+             (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);                  \
+        (d) += T1;                                                          \
+        (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c));                    \
+        j++;                                                                \
+} while(0)
+
+void
+SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
+{
+        u_int32_t       a, b, c, d, e, f, g, h, s0, s1;
+        u_int32_t       T1, W256[16];
+        int             j;
+
+        /* Initialize registers with the prev. intermediate value */
+        a = state[0];
+        b = state[1];
+        c = state[2];
+        d = state[3];
+        e = state[4];
+        f = state[5];
+        g = state[6];
+        h = state[7];
+
+        j = 0;
+        do {
+                /* Rounds 0 to 15 (unrolled): */
+                ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
+                ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
+                ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
+                ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
+                ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
+                ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
+                ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
+                ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
+        } while (j < 16);
+
+        /* Now for the remaining rounds up to 63: */
+        do {
+                ROUND256(a,b,c,d,e,f,g,h);
+                ROUND256(h,a,b,c,d,e,f,g);
+                ROUND256(g,h,a,b,c,d,e,f);
+                ROUND256(f,g,h,a,b,c,d,e);
+                ROUND256(e,f,g,h,a,b,c,d);
+                ROUND256(d,e,f,g,h,a,b,c);
+                ROUND256(c,d,e,f,g,h,a,b);
+                ROUND256(b,c,d,e,f,g,h,a);
+        } while (j < 64);
+
+        /* Compute the current intermediate hash value */
+        state[0] += a;
+        state[1] += b;
+        state[2] += c;
+        state[3] += d;
+        state[4] += e;
+        state[5] += f;
+        state[6] += g;
+        state[7] += h;
+
+        /* Clean up */
+        a = b = c = d = e = f = g = h = T1 = 0;
+}
+
+#else /* SHA2_UNROLL_TRANSFORM */
+
+void
+SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
+{
+        u_int32_t       a, b, c, d, e, f, g, h, s0, s1;
+        u_int32_t       T1, T2, W256[16];
+        int             j;
+
+        /* Initialize registers with the prev. intermediate value */
+        a = state[0];
+        b = state[1];
+        c = state[2];
+        d = state[3];
+        e = state[4];
+        f = state[5];
+        g = state[6];
+        h = state[7];
+
+        j = 0;
+        do {
+                BE_8_TO_32(W256[j], data);
+                data += 4;
+                /* Apply the SHA-256 compression function to update a..h */
+                T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
+                T2 = Sigma0_256(a) + Maj(a, b, c);
+                h = g;
+                g = f;
+                f = e;
+                e = d + T1;
+                d = c;
+                c = b;
+                b = a;
+                a = T1 + T2;
+
+                j++;
+        } while (j < 16);
+
+        do {
+                /* Part of the message block expansion: */
+                s0 = W256[(j+1)&0x0f];
+                s0 = sigma0_256(s0);
+                s1 = W256[(j+14)&0x0f]; 
+                s1 = sigma1_256(s1);
+
+                /* Apply the SHA-256 compression function to update a..h */
+                T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 
+                     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
+                T2 = Sigma0_256(a) + Maj(a, b, c);
+                h = g;
+                g = f;
+                f = e;
+                e = d + T1;
+                d = c;
+                c = b;
+                b = a;
+                a = T1 + T2;
+
+                j++;
+        } while (j < 64);
+
+        /* Compute the current intermediate hash value */
+        state[0] += a;
+        state[1] += b;
+        state[2] += c;
+        state[3] += d;
+        state[4] += e;
+        state[5] += f;
+        state[6] += g;
+        state[7] += h;
+
+        /* Clean up */
+        a = b = c = d = e = f = g = h = T1 = T2 = 0;
+}
+
+#endif /* SHA2_UNROLL_TRANSFORM */
+
+void
+SHA256_Update(SHA256_CTX *context, const u_int8_t *data, size_t len)
+{
+        size_t  freespace, usedspace;
+
+        /* Calling with no data is valid (we do nothing) */
+        if (len == 0)
+                return;
+
+        usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
+        if (usedspace > 0) {
+                /* Calculate how much free space is available in the buffer */
+                freespace = SHA256_BLOCK_LENGTH - usedspace;
+
+                if (len >= freespace) {
+                        /* Fill the buffer completely and process it */
+                        memcpy(&context->buffer[usedspace], data, freespace);
+                        context->bitcount += freespace << 3;
+                        len -= freespace;
+                        data += freespace;
+                        SHA256_Transform(context->state, context->buffer);
+                } else {
+                        /* The buffer is not yet full */
+                        memcpy(&context->buffer[usedspace], data, len);
+                        context->bitcount += len << 3;
+                        /* Clean up: */
+                        usedspace = freespace = 0;
+                        return;
+                }
+        }
+        while (len >= SHA256_BLOCK_LENGTH) {
+                /* Process as many complete blocks as we can */
+                SHA256_Transform(context->state, data);
+                context->bitcount += SHA256_BLOCK_LENGTH << 3;
+                len -= SHA256_BLOCK_LENGTH;
+                data += SHA256_BLOCK_LENGTH;
+        }
+        if (len > 0) {
+                /* There's left-overs, so save 'em */
+                memcpy(context->buffer, data, len);
+                context->bitcount += len << 3;
+        }
+        /* Clean up: */
+        usedspace = freespace = 0;
+}
+
+void
+SHA256_Pad(SHA256_CTX *context)
+{
+        unsigned int    usedspace;
+
+        usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
+        if (usedspace > 0) {
+                /* Begin padding with a 1 bit: */
+                context->buffer[usedspace++] = 0x80;
+
+                if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
+                        /* Set-up for the last transform: */
+                        memset(&context->buffer[usedspace], 0,
+                            SHA256_SHORT_BLOCK_LENGTH - usedspace);
+                } else {
+                        if (usedspace < SHA256_BLOCK_LENGTH) {
+                                memset(&context->buffer[usedspace], 0,
+                                    SHA256_BLOCK_LENGTH - usedspace);
+                        }
+                        /* Do second-to-last transform: */
+                        SHA256_Transform(context->state, context->buffer);
+
+                        /* Prepare for last transform: */
+                        memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
+                }
+        } else {
+                /* Set-up for the last transform: */
+                memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
+
+                /* Begin padding with a 1 bit: */
+                *context->buffer = 0x80;
+        }
+        /* Store the length of input data (in bits) in big endian format: */
+        BE_64_TO_8(&context->buffer[SHA256_SHORT_BLOCK_LENGTH],
+            context->bitcount);
+
+        /* Final transform: */
+        SHA256_Transform(context->state, context->buffer);
+
+        /* Clean up: */
+        usedspace = 0;
+}
+
+void
+SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA256_CTX *context)
+{
+        SHA256_Pad(context);
+
+        /* If no digest buffer is passed, we don't bother doing this: */
+        if (digest != NULL) {
+#if BYTE_ORDER == LITTLE_ENDIAN
+                int     i;
+
+                /* Convert TO host byte order */
+                for (i = 0; i < 8; i++)
+                        BE_32_TO_8(digest + i * 4, context->state[i]);
+#else
+                memcpy(digest, context->state, SHA256_DIGEST_LENGTH);
+#endif
+                memset(context, 0, sizeof(*context));
+        }
+}
+
+
+/*** SHA-512: *********************************************************/
+void
+SHA512_Init(SHA512_CTX *context)
+{
+        if (context == NULL)
+                return;
+        memcpy(context->state, sha512_initial_hash_value,
+            sizeof(sha512_initial_hash_value));
+        memset(context->buffer, 0, sizeof(context->buffer));
+        context->bitcount[0] = context->bitcount[1] =  0;
+}
+
+#ifdef SHA2_UNROLL_TRANSFORM
+
+/* Unrolled SHA-512 round macros: */
+
+#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do {                              \
+        BE_8_TO_64(W512[j], data);                                          \
+        data += 8;                                                          \
+        T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
+        (d) += T1;                                                          \
+        (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c));                    \
+        j++;                                                                \
+} while(0)
+
+
+#define ROUND512(a,b,c,d,e,f,g,h) do {                                      \
+        s0 = W512[(j+1)&0x0f];                                              \
+        s0 = sigma0_512(s0);                                                \
+        s1 = W512[(j+14)&0x0f];                                             \
+        s1 = sigma1_512(s1);                                                \
+        T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] +          \
+             (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);                  \
+        (d) += T1;                                                          \
+        (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c));                    \
+        j++;                                                                \
+} while(0)
+
+void
+SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
+{
+        u_int64_t       a, b, c, d, e, f, g, h, s0, s1;
+        u_int64_t       T1, W512[16];
+        int             j;
+
+        /* Initialize registers with the prev. intermediate value */
+        a = state[0];
+        b = state[1];
+        c = state[2];
+        d = state[3];
+        e = state[4];
+        f = state[5];
+        g = state[6];
+        h = state[7];
+
+        j = 0;
+        do {
+                /* Rounds 0 to 15 (unrolled): */
+                ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
+                ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
+                ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
+                ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
+                ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
+                ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
+                ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
+                ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
+        } while (j < 16);
+
+        /* Now for the remaining rounds up to 79: */
+        do {
+                ROUND512(a,b,c,d,e,f,g,h);
+                ROUND512(h,a,b,c,d,e,f,g);
+                ROUND512(g,h,a,b,c,d,e,f);
+                ROUND512(f,g,h,a,b,c,d,e);
+                ROUND512(e,f,g,h,a,b,c,d);
+                ROUND512(d,e,f,g,h,a,b,c);
+                ROUND512(c,d,e,f,g,h,a,b);
+                ROUND512(b,c,d,e,f,g,h,a);
+        } while (j < 80);
+
+        /* Compute the current intermediate hash value */
+        state[0] += a;
+        state[1] += b;
+        state[2] += c;
+        state[3] += d;
+        state[4] += e;
+        state[5] += f;
+        state[6] += g;
+        state[7] += h;
+
+        /* Clean up */
+        a = b = c = d = e = f = g = h = T1 = 0;
+}
+
+#else /* SHA2_UNROLL_TRANSFORM */
+
+void
+SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
+{
+        u_int64_t       a, b, c, d, e, f, g, h, s0, s1;
+        u_int64_t       T1, T2, W512[16];
+        int             j;
+
+        /* Initialize registers with the prev. intermediate value */
+        a = state[0];
+        b = state[1];
+        c = state[2];
+        d = state[3];
+        e = state[4];
+        f = state[5];
+        g = state[6];
+        h = state[7];
+
+        j = 0;
+        do {
+                BE_8_TO_64(W512[j], data);
+                data += 8;
+                /* Apply the SHA-512 compression function to update a..h */
+                T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
+                T2 = Sigma0_512(a) + Maj(a, b, c);
+                h = g;
+                g = f;
+                f = e;
+                e = d + T1;
+                d = c;
+                c = b;
+                b = a;
+                a = T1 + T2;
+
+                j++;
+        } while (j < 16);
+
+        do {
+                /* Part of the message block expansion: */
+                s0 = W512[(j+1)&0x0f];
+                s0 = sigma0_512(s0);
+                s1 = W512[(j+14)&0x0f];
+                s1 =  sigma1_512(s1);
+
+                /* Apply the SHA-512 compression function to update a..h */
+                T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
+                     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
+                T2 = Sigma0_512(a) + Maj(a, b, c);
+                h = g;
+                g = f;
+                f = e;
+                e = d + T1;
+                d = c;
+                c = b;
+                b = a;
+                a = T1 + T2;
+
+                j++;
+        } while (j < 80);
+
+        /* Compute the current intermediate hash value */
+        state[0] += a;
+        state[1] += b;
+        state[2] += c;
+        state[3] += d;
+        state[4] += e;
+        state[5] += f;
+        state[6] += g;
+        state[7] += h;
+
+        /* Clean up */
+        a = b = c = d = e = f = g = h = T1 = T2 = 0;
+}
+
+#endif /* SHA2_UNROLL_TRANSFORM */
+
+void
+SHA512_Update(SHA512_CTX *context, const u_int8_t *data, size_t len)
+{
+        size_t  freespace, usedspace;
+
+        /* Calling with no data is valid (we do nothing) */
+        if (len == 0)
+                return;
+
+        usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
+        if (usedspace > 0) {
+                /* Calculate how much free space is available in the buffer */
+                freespace = SHA512_BLOCK_LENGTH - usedspace;
+
+                if (len >= freespace) {
+                        /* Fill the buffer completely and process it */
+                        memcpy(&context->buffer[usedspace], data, freespace);
+                        ADDINC128(context->bitcount, freespace << 3);
+                        len -= freespace;
+                        data += freespace;
+                        SHA512_Transform(context->state, context->buffer);
+                } else {
+                        /* The buffer is not yet full */
+                        memcpy(&context->buffer[usedspace], data, len);
+                        ADDINC128(context->bitcount, len << 3);
+                        /* Clean up: */
+                        usedspace = freespace = 0;
+                        return;
+                }
+        }
+        while (len >= SHA512_BLOCK_LENGTH) {
+                /* Process as many complete blocks as we can */
+                SHA512_Transform(context->state, data);
+                ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
+                len -= SHA512_BLOCK_LENGTH;
+                data += SHA512_BLOCK_LENGTH;
+        }
+        if (len > 0) {
+                /* There's left-overs, so save 'em */
+                memcpy(context->buffer, data, len);
+                ADDINC128(context->bitcount, len << 3);
+        }
+        /* Clean up: */
+        usedspace = freespace = 0;
+}
+
+void
+SHA512_Pad(SHA512_CTX *context)
+{
+        unsigned int    usedspace;
+
+        usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
+        if (usedspace > 0) {
+                /* Begin padding with a 1 bit: */
+                context->buffer[usedspace++] = 0x80;
+
+                if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
+                        /* Set-up for the last transform: */
+                        memset(&context->buffer[usedspace], 0, SHA512_SHORT_BLOCK_LENGTH - usedspace);
+                } else {
+                        if (usedspace < SHA512_BLOCK_LENGTH) {
+                                memset(&context->buffer[usedspace], 0, SHA512_BLOCK_LENGTH - usedspace);
+                        }
+                        /* Do second-to-last transform: */
+                        SHA512_Transform(context->state, context->buffer);
+
+                        /* And set-up for the last transform: */
+                        memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2);
+                }
+        } else {
+                /* Prepare for final transform: */
+                memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH);
+
+                /* Begin padding with a 1 bit: */
+                *context->buffer = 0x80;
+        }
+        /* Store the length of input data (in bits) in big endian format: */
+        BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH],
+            context->bitcount[1]);
+        BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8],
+            context->bitcount[0]);
+
+        /* Final transform: */
+        SHA512_Transform(context->state, context->buffer);
+
+        /* Clean up: */
+        usedspace = 0;
+}
+
+void
+SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context)
+{
+        SHA512_Pad(context);
+
+        /* If no digest buffer is passed, we don't bother doing this: */
+        if (digest != NULL) {
+#if BYTE_ORDER == LITTLE_ENDIAN
+                int     i;
+
+                /* Convert TO host byte order */
+                for (i = 0; i < 8; i++)
+                        BE_64_TO_8(digest + i * 8, context->state[i]);
+#else
+                memcpy(digest, context->state, SHA512_DIGEST_LENGTH);
+#endif
+                memset(context, 0, sizeof(*context));
+        }
+}
+
+
+#if 0
+/*** SHA-384: *********************************************************/
+void
+SHA384_Init(SHA384_CTX *context)
+{
+        if (context == NULL)
+                return;
+        memcpy(context->state, sha384_initial_hash_value,
+            sizeof(sha384_initial_hash_value));
+        memset(context->buffer, 0, sizeof(context->buffer));
+        context->bitcount[0] = context->bitcount[1] = 0;
+}
+
+__weak_alias(SHA384_Transform, SHA512_Transform);
+__weak_alias(SHA384_Update, SHA512_Update);
+__weak_alias(SHA384_Pad, SHA512_Pad);
+
+void
+SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
+{
+        SHA384_Pad(context);
+
+        /* If no digest buffer is passed, we don't bother doing this: */
+        if (digest != NULL) {
+#if BYTE_ORDER == LITTLE_ENDIAN
+                int     i;
+
+                /* Convert TO host byte order */
+                for (i = 0; i < 6; i++)
+                        BE_64_TO_8(digest + i * 8, context->state[i]);
+#else
+                memcpy(digest, context->state, SHA384_DIGEST_LENGTH);
+#endif
+        }
+
+        /* Zero out state data */
+        memset(context, 0, sizeof(*context));
+}
+#endif
+
+#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
diff --git a/openbsd-compat/sha2.h b/openbsd-compat/sha2.h
new file mode 100755
index 000000000..821f2dd6c
--- /dev/null
+++ b/openbsd-compat/sha2.h
@@ -0,0 +1,133 @@
+/*      $OpenBSD: sha2.h,v 1.6 2004/06/22 01:57:30 jfb Exp $    */
+
+/*
+ * FILE:        sha2.h
+ * AUTHOR:      Aaron D. Gifford <me@aarongifford.com>
+ * 
+ * Copyright (c) 2000-2001, Aaron D. Gifford
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $From: sha2.h,v 1.1 2001/11/08 00:02:01 adg Exp adg $
+ */
+
+/* OPENBSD ORIGINAL: include/sha2.h */
+
+#ifndef _SSHSHA2_H
+#define _SSHSHA2_H
+
+#include "includes.h"
+
+#include <openssl/opensslv.h>
+
+#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+
+/*** SHA-256/384/512 Various Length Definitions ***********************/
+#define SHA256_BLOCK_LENGTH             64
+#define SHA256_DIGEST_LENGTH            32
+#define SHA256_DIGEST_STRING_LENGTH     (SHA256_DIGEST_LENGTH * 2 + 1)
+#define SHA384_BLOCK_LENGTH             128
+#define SHA384_DIGEST_LENGTH            48
+#define SHA384_DIGEST_STRING_LENGTH     (SHA384_DIGEST_LENGTH * 2 + 1)
+#define SHA512_BLOCK_LENGTH             128
+#define SHA512_DIGEST_LENGTH            64
+#define SHA512_DIGEST_STRING_LENGTH     (SHA512_DIGEST_LENGTH * 2 + 1)
+
+
+/*** SHA-256/384/512 Context Structures *******************************/
+typedef struct _SHA256_CTX {
+        u_int32_t       state[8];
+        u_int64_t       bitcount;
+        u_int8_t        buffer[SHA256_BLOCK_LENGTH];
+} SHA256_CTX;
+typedef struct _SHA512_CTX {
+        u_int64_t       state[8];
+        u_int64_t       bitcount[2];
+        u_int8_t        buffer[SHA512_BLOCK_LENGTH];
+} SHA512_CTX;
+
+#if 0
+typedef SHA512_CTX SHA384_CTX;
+#endif
+
+void SHA256_Init(SHA256_CTX *);
+void SHA256_Transform(u_int32_t state[8], const u_int8_t [SHA256_BLOCK_LENGTH]);
+void SHA256_Update(SHA256_CTX *, const u_int8_t *, size_t)
+        __attribute__((__bounded__(__string__,2,3)));
+void SHA256_Pad(SHA256_CTX *);
+void SHA256_Final(u_int8_t [SHA256_DIGEST_LENGTH], SHA256_CTX *)
+        __attribute__((__bounded__(__minbytes__,1,SHA256_DIGEST_LENGTH)));
+char *SHA256_End(SHA256_CTX *, char *)
+        __attribute__((__bounded__(__minbytes__,2,SHA256_DIGEST_STRING_LENGTH)));
+char *SHA256_File(const char *, char *)
+        __attribute__((__bounded__(__minbytes__,2,SHA256_DIGEST_STRING_LENGTH)));
+char *SHA256_FileChunk(const char *, char *, off_t, off_t)
+        __attribute__((__bounded__(__minbytes__,2,SHA256_DIGEST_STRING_LENGTH)));
+char *SHA256_Data(const u_int8_t *, size_t, char *)
+        __attribute__((__bounded__(__string__,1,2)))
+        __attribute__((__bounded__(__minbytes__,3,SHA256_DIGEST_STRING_LENGTH)));
+
+#if 0
+void SHA384_Init(SHA384_CTX *);
+void SHA384_Transform(u_int64_t state[8], const u_int8_t [SHA384_BLOCK_LENGTH]);
+void SHA384_Update(SHA384_CTX *, const u_int8_t *, size_t)
+        __attribute__((__bounded__(__string__,2,3)));
+void SHA384_Pad(SHA384_CTX *);
+void SHA384_Final(u_int8_t [SHA384_DIGEST_LENGTH], SHA384_CTX *)
+        __attribute__((__bounded__(__minbytes__,1,SHA384_DIGEST_LENGTH)));
+char *SHA384_End(SHA384_CTX *, char *)
+        __attribute__((__bounded__(__minbytes__,2,SHA384_DIGEST_STRING_LENGTH)));
+char *SHA384_File(const char *, char *)
+        __attribute__((__bounded__(__minbytes__,2,SHA384_DIGEST_STRING_LENGTH)));
+char *SHA384_FileChunk(const char *, char *, off_t, off_t)
+        __attribute__((__bounded__(__minbytes__,2,SHA384_DIGEST_STRING_LENGTH)));
+char *SHA384_Data(const u_int8_t *, size_t, char *)
+        __attribute__((__bounded__(__string__,1,2)))
+        __attribute__((__bounded__(__minbytes__,3,SHA384_DIGEST_STRING_LENGTH)));
+#endif /* 0 */
+
+void SHA512_Init(SHA512_CTX *);
+void SHA512_Transform(u_int64_t state[8], const u_int8_t [SHA512_BLOCK_LENGTH]);
+void SHA512_Update(SHA512_CTX *, const u_int8_t *, size_t)
+        __attribute__((__bounded__(__string__,2,3)));
+void SHA512_Pad(SHA512_CTX *);
+void SHA512_Final(u_int8_t [SHA512_DIGEST_LENGTH], SHA512_CTX *)
+        __attribute__((__bounded__(__minbytes__,1,SHA512_DIGEST_LENGTH)));
+char *SHA512_End(SHA512_CTX *, char *)
+        __attribute__((__bounded__(__minbytes__,2,SHA512_DIGEST_STRING_LENGTH)));
+char *SHA512_File(const char *, char *)
+        __attribute__((__bounded__(__minbytes__,2,SHA512_DIGEST_STRING_LENGTH)));
+char *SHA512_FileChunk(const char *, char *, off_t, off_t)
+        __attribute__((__bounded__(__minbytes__,2,SHA512_DIGEST_STRING_LENGTH)));
+char *SHA512_Data(const u_int8_t *, size_t, char *)
+        __attribute__((__bounded__(__string__,1,2)))
+        __attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH)));
+
+#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
+
+#endif /* _SSHSHA2_H */
diff --git a/openbsd-compat/strtonum.c b/openbsd-compat/strtonum.c
index 8ad0d0058..87f2f24b2 100644
--- a/openbsd-compat/strtonum.c
+++ b/openbsd-compat/strtonum.c
@@ -20,8 +20,11 @@
 /* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
 
 #include "includes.h"
+
 #ifndef HAVE_STRTONUM
+#include <stdlib.h>
 #include <limits.h>
+#include <errno.h>
 
 #define INVALID         1
 #define TOOSMALL        2
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
index 9afa0b9f2..14899321f 100644
--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
@@ -24,6 +24,10 @@
 
 #include "includes.h"
 
+#include <sys/types.h>
+#include <unistd.h>
+#include <pwd.h>
+
 # ifdef HAVE_CRYPT_H
 #  include <crypt.h>
 # endif
diff --git a/openbsd-compat/xmmap.c b/openbsd-compat/xmmap.c
index 74e8a8b13..0fb23269b 100644
--- a/openbsd-compat/xmmap.c
+++ b/openbsd-compat/xmmap.c
@@ -23,21 +23,31 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-/* $Id: xmmap.c,v 1.6 2004/10/06 13:15:44 dtucker Exp $ */
+/* $Id: xmmap.c,v 1.12 2006/08/24 09:58:36 dtucker Exp $ */
 
 #include "includes.h"
 
+#include <sys/types.h>
 #ifdef HAVE_SYS_MMAN_H
 #include <sys/mman.h>
 #endif
+#include <sys/stat.h>
+
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
 
 #include "log.h"
 
 void *xmmap(size_t size)
 {
+#ifdef HAVE_MMAP
         void *address;
 
-#ifdef HAVE_MMAP
 # ifdef MAP_ANON
         address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
             -1, (off_t)0);