Merge 4.2p1 to the trunk.

16 files changed, 689 insertions, 165 deletions

diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 0f34f2240..6f5ee2845 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.31 2004/08/15 08:41:00 djm Exp $
+# $Id: Makefile.in,v 1.35 2005/08/26 20:15:20 tim Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -16,11 +16,11 @@ RANLIB=@RANLIB@
 INSTALL=@INSTALL@
 LDFLAGS=-L. @LDFLAGS@
 
-OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtoul.o vis.o
+OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
 
-COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o xmmap.o xcrypt.o
+COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
-PORTS=port-irix.o port-aix.o
+PORTS=port-irix.o port-aix.o port-uw.o
 
 .c.o:
         $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index ff394ec17..b5e3cc52b 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -29,7 +29,7 @@
 
 #include "includes.h"
 
-RCSID("$Id: bsd-cygwin_util.c,v 1.13.4.1 2005/05/25 09:42:40 dtucker Exp $");
+RCSID("$Id: bsd-cygwin_util.c,v 1.14 2005/05/25 09:42:11 dtucker Exp $");
 
 #ifdef HAVE_CYGWIN
 
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
index 41f92cce9..6ba9bd986 100644
--- a/openbsd-compat/bsd-misc.c
+++ b/openbsd-compat/bsd-misc.c
@@ -18,7 +18,7 @@
 #include "includes.h"
 #include "xmalloc.h"
 
-RCSID("$Id: bsd-misc.c,v 1.26 2005/02/25 23:07:38 dtucker Exp $");
+RCSID("$Id: bsd-misc.c,v 1.27 2005/05/27 11:13:41 dtucker Exp $");
 
 #ifndef HAVE___PROGNAME
 char *__progname;
@@ -212,3 +212,21 @@ mysignal(int sig, mysig_t act)
         return (signal(sig, act));
 #endif
 }
+
+#ifndef HAVE_STRDUP
+char *
+strdup(const char *str)
+{
+        size_t len;
+        char *cp;
+
+        len = strlen(str) + 1;
+        cp = malloc(len);
+        if (cp != NULL)
+                if (strlcpy(cp, str, len) != len) {
+                        free(cp);
+                        return NULL;
+                }
+        return cp;
+}
+#endif
diff --git a/openbsd-compat/fake-rfc2553.h b/openbsd-compat/fake-rfc2553.h
index 636792ed7..cbcf7f727 100644
--- a/openbsd-compat/fake-rfc2553.h
+++ b/openbsd-compat/fake-rfc2553.h
@@ -1,4 +1,4 @@
-/* $Id: fake-rfc2553.h,v 1.10 2005/02/11 07:32:13 dtucker Exp $ */
+/* $Id: fake-rfc2553.h,v 1.12 2005/08/03 05:36:21 dtucker Exp $ */
 
 /*
  * Copyright (C) 2000-2003 Damien Miller.  All rights reserved.
@@ -114,10 +114,16 @@ struct sockaddr_in6 {
 #endif /* !NI_MAXHOST */
 
 #ifndef EAI_NODATA
-# define EAI_NODATA     1
-# define EAI_MEMORY     2
-# define EAI_NONAME     3
-# define EAI_SYSTEM     4
+# define EAI_NODATA     (INT_MAX - 1)
+#endif
+#ifndef EAI_MEMORY
+# define EAI_MEMORY     (INT_MAX - 2)
+#endif
+#ifndef EAI_NONAME
+# define EAI_NONAME     (INT_MAX - 3)
+#endif
+#ifndef EAI_SYSTEM
+# define EAI_SYSTEM     (INT_MAX - 4)
 #endif
 
 #ifndef HAVE_STRUCT_ADDRINFO
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index 4e869c4df..2016ffe31 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -144,6 +144,8 @@ _getshort(msgp)
         GETSHORT(u, msgp);
         return (u);
 }
+#elif defined(HAVE_DECL__GETSHORT) && (HAVE_DECL__GETSHORT == 0)
+u_int16_t _getshort(register const u_char *);
 #endif
 
 #ifndef HAVE__GETLONG
@@ -156,6 +158,8 @@ _getlong(msgp)
         GETLONG(u, msgp);
         return (u);
 }
+#elif defined(HAVE_DECL__GETLONG) && (HAVE_DECL__GETLONG == 0)
+u_int32_t _getlong(register const u_char *);
 #endif
 
 int
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index 89d1454e0..ba68bc27e 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.26 2004/08/15 08:41:00 djm Exp $ */
+/* $Id: openbsd-compat.h,v 1.30 2005/08/26 20:15:20 tim Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -152,6 +152,10 @@ int openpty(int *, int *, char *, struct termios *, struct winsize *);
 int snprintf(char *, size_t, const char *, ...);
 #endif 
 
+#ifndef HAVE_STRTONUM
+long long strtonum(const char *, long long, long long, const char **);
+#endif
+
 #ifndef HAVE_VSNPRINTF
 int vsnprintf(char *, size_t, const char *, va_list);
 #endif
@@ -169,5 +173,6 @@ char *shadow_pw(struct passwd *pw);
 #include "bsd-cygwin_util.h"
 #include "port-irix.h"
 #include "port-aix.h"
+#include "port-uw.h"
 
 #endif /* _OPENBSD_COMPAT_H */
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
new file mode 100644
index 000000000..b690e8fe6
--- /dev/null
+++ b/openbsd-compat/openssl-compat.c
@@ -0,0 +1,46 @@
+/* $Id: openssl-compat.c,v 1.2 2005/06/17 11:15:21 dtucker Exp $ */
+
+/*
+ * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
+ * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#define SSH_DONT_REDEF_EVP
+#include "openssl-compat.h"
+
+#ifdef SSH_OLD_EVP
+int
+ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type,
+    unsigned char *key, unsigned char *iv, int enc)
+{
+        EVP_CipherInit(evp, type, key, iv, enc);
+        return 1;
+}
+
+int
+ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len)
+{
+        EVP_Cipher(evp, dst, src, len);
+        return 1;
+}
+
+int
+ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
+{
+        EVP_CIPHER_CTX_cleanup(evp);
+        return 1;
+}
+#endif
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
new file mode 100644
index 000000000..d9b2fa55f
--- /dev/null
+++ b/openbsd-compat/openssl-compat.h
@@ -0,0 +1,65 @@
+/* $Id: openssl-compat.h,v 1.1 2005/06/09 11:45:11 dtucker Exp $ */
+
+/*
+ * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
+ * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+#include <openssl/evp.h>
+
+#if OPENSSL_VERSION_NUMBER < 0x00906000L
+# define SSH_OLD_EVP
+# define EVP_CIPHER_CTX_get_app_data(e)         ((e)->app_data)
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+# define EVP_aes_128_cbc evp_rijndael
+# define EVP_aes_192_cbc evp_rijndael
+# define EVP_aes_256_cbc evp_rijndael
+extern const EVP_CIPHER *evp_rijndael(void);
+extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
+#endif
+
+#if !defined(EVP_CTRL_SET_ACSS_MODE)
+# if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+#  define USE_CIPHER_ACSS 1
+extern const EVP_CIPHER *evp_acss(void);
+#  define EVP_acss evp_acss
+# else
+#  define EVP_acss NULL
+# endif
+#endif
+
+/*
+ * insert comment here
+ */
+#ifdef SSH_OLD_EVP
+
+# ifndef SSH_DONT_REDEF_EVP
+
+#  ifdef EVP_Cipher
+#   undef EVP_Cipher
+#  endif
+
+#  define EVP_CipherInit(a,b,c,d,e)     ssh_EVP_CipherInit((a),(b),(c),(d),(e))
+#  define EVP_Cipher(a,b,c,d)           ssh_EVP_Cipher((a),(b),(c),(d))
+#  define EVP_CIPHER_CTX_cleanup(a)     ssh_EVP_CIPHER_CTX_cleanup((a))
+# endif
+
+int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
+    unsigned char *, int);
+int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
+int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
+#endif
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index cf5d4b9a3..81d8124e0 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -1,7 +1,7 @@
 /*
  *
  * Copyright (c) 2001 Gert Doering.  All rights reserved.
- * Copyright (c) 2003,2004 Darren Tucker.  All rights reserved.
+ * Copyright (c) 2003,2004,2005 Darren Tucker.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -42,14 +42,12 @@ static char old_registry[REGISTRY_SIZE] = "";
 # endif
 
 /*
- * AIX has a "usrinfo" area where logname and other stuff is stored - 
+ * AIX has a "usrinfo" area where logname and other stuff is stored -
  * a few applications actually use this and die if it's not set
  *
  * NOTE: TTY= should be set, but since no one uses it and it's hard to
  * acquire due to privsep code.  We will just drop support.
  */
-
-
 void
 aix_usrinfo(struct passwd *pw)
 {
@@ -60,7 +58,7 @@ aix_usrinfo(struct passwd *pw)
         len = sizeof("LOGNAME= NAME= ") + (2 * strlen(pw->pw_name));
         cp = xmalloc(len);
 
-        i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0', 
+        i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0',
             pw->pw_name, '\0');
         if (usrinfo(SETUINFO, cp, i) == -1)
                 fatal("Couldn't set usrinfo: %s", strerror(errno));
@@ -153,14 +151,14 @@ aix_valid_authentications(const char *user)
 int
 sys_auth_passwd(Authctxt *ctxt, const char *password)
 {
-        char *authmsg = NULL, *msg, *name = ctxt->pw->pw_name;
+        char *authmsg = NULL, *msg = NULL, *name = ctxt->pw->pw_name;
         int authsuccess = 0, expired, reenter, result;
 
         do {
                 result = authenticate((char *)name, (char *)password, &reenter,
                     &authmsg);
                 aix_remove_embedded_newlines(authmsg);  
-                debug3("AIX/authenticate result %d, msg %.100s", result,
+                debug3("AIX/authenticate result %d, authmsg %.100s", result,
                     authmsg);
         } while (reenter);
 
@@ -170,7 +168,7 @@ sys_auth_passwd(Authctxt *ctxt, const char *password)
         if (result == 0) {
                 authsuccess = 1;
 
-                /*
+                /*
                  * Record successful login.  We don't have a pty yet, so just
                  * label the line as "ssh"
                  */
@@ -257,7 +255,7 @@ int
 sys_auth_record_login(const char *user, const char *host, const char *ttynm,
     Buffer *loginmsg)
 {
-        char *msg;
+        char *msg = NULL;
         int success = 0;
 
         aix_setauthdb(user);
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 9e3dce4dd..37b2c12b0 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,8 +1,9 @@
-/* $Id: port-aix.h,v 1.25 2005/03/21 11:46:34 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.26 2005/05/28 10:28:40 dtucker Exp $ */
 
 /*
  *
  * Copyright (c) 2001 Gert Doering.  All rights reserved.
+ * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -47,23 +48,23 @@
 
 /* These should be in the system headers but are not. */
 int usrinfo(int, char *, int);
-#if (HAVE_DECL_SETAUTHDB == 0)
+#if defined(HAVE_DECL_SETAUTHDB) && (HAVE_DECL_SETAUTHDB == 0)
 int setauthdb(const char *, char *);
 #endif
 /* these may or may not be in the headers depending on the version */
-#if (HAVE_DECL_AUTHENTICATE == 0)
+#if defined(HAVE_DECL_AUTHENTICATE) && (HAVE_DECL_AUTHENTICATE == 0)
 int authenticate(char *, char *, int *, char **);
 #endif
-#if (HAVE_DECL_LOGINFAILED == 0)
+#if defined(HAVE_DECL_LOGINFAILED) && (HAVE_DECL_LOGINFAILED == 0)
 int loginfailed(char *, char *, char *);
 #endif
-#if (HAVE_DECL_LOGINRESTRICTIONS == 0)
+#if defined(HAVE_DECL_LOGINRESTRICTIONS) && (HAVE_DECL_LOGINRESTRICTIONS == 0)
 int loginrestrictions(char *, int, char *, char **);
 #endif
-#if (HAVE_DECL_LOGINSUCCESS == 0)
+#if defined(HAVE_DECL_LOGINSUCCESS) && (HAVE_DECL_LOGINSUCCESS == 0)
 int loginsuccess(char *, char *, char *, char **);
 #endif
-#if (HAVE_DECL_PASSWDEXPIRED == 0)
+#if defined(HAVE_DECL_PASSWDEXPIRED) && (HAVE_DECL_PASSWDEXPIRED == 0)
 int passwdexpired(char *, char **);
 #endif
 
diff --git a/openbsd-compat/port-uw.c b/openbsd-compat/port-uw.c
new file mode 100644
index 000000000..d881ff028
--- /dev/null
+++ b/openbsd-compat/port-uw.c
@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 2005 The SCO Group. All rights reserved.
+ * Copyright (c) 2005 Tim Rice. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+#include "packet.h"
+#include "buffer.h"
+#include "log.h"
+#include "servconf.h"
+#include "auth.h"
+#include "auth-options.h"
+
+int nischeck(char *);
+
+int
+sys_auth_passwd(Authctxt *authctxt, const char *password)
+{
+        struct passwd *pw = authctxt->pw;
+        char *encrypted_password;
+        char *salt;
+        int result;
+
+        /* Just use the supplied fake password if authctxt is invalid */
+        char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
+
+        /* Check for users with no password. */
+        if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
+                return (1);
+
+        /* Encrypt the candidate password using the proper salt. */
+        salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx";
+#ifdef UNIXWARE_LONG_PASSWORDS
+        if (!nischeck(pw->pw_name))
+                encrypted_password = bigcrypt(password, salt);
+        else
+#endif /* UNIXWARE_LONG_PASSWORDS */
+                encrypted_password = xcrypt(password, salt);
+
+        /*
+         * Authentication is accepted if the encrypted passwords
+         * are identical.
+         */
+        result = (strcmp(encrypted_password, pw_password) == 0);
+
+        if (authctxt->valid)
+                free(pw_password);
+        return(result);
+}
+
+#ifdef UNIXWARE_LONG_PASSWORDS
+int
+nischeck(char *namep)
+{
+        char password_file[] = "/etc/passwd";
+        FILE *fd;
+        struct passwd *ent = NULL;
+
+        if ((fd = fopen (password_file, "r")) == NULL) {
+                /*
+                 * If the passwd file has dissapeared we are in a bad state.
+                 * However, returning 0 will send us back through the
+                 * authentication scheme that has checked the ia database for
+                 * passwords earlier.
+                 */
+                return(0);
+        }
+
+        /*
+         * fgetpwent() only reads from password file, so we know for certain
+         * that the user is local.
+         */
+        while (ent = fgetpwent(fd)) {
+                if (strcmp (ent->pw_name, namep) == 0) {
+                        /* Local user */
+                        fclose (fd);
+                        return(0);
+                }
+        }
+
+        fclose (fd);
+        return (1);
+}
+
+#endif /* UNIXWARE_LONG_PASSWORDS */
+
+/*
+        NOTE: ia_get_logpwd() allocates memory for arg 2
+        functions that call shadow_pw() will need to free
+ */
+
+char *
+get_iaf_password(struct passwd *pw)
+{
+        char *pw_password = NULL;
+
+        uinfo_t uinfo;
+        if (!ia_openinfo(pw->pw_name,&uinfo)) {
+                ia_get_logpwd(uinfo, &pw_password);
+                if (pw_password == NULL)
+                        fatal("ia_get_logpwd: Unable to get the shadow passwd");
+                ia_closeinfo(uinfo);
+                return pw_password;
+        }
+        else
+                fatal("ia_openinfo: Unable to open the shadow passwd file");
+}
+#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
+
diff --git a/openbsd-compat/port-uw.h b/openbsd-compat/port-uw.h
new file mode 100644
index 000000000..3589b2e44
--- /dev/null
+++ b/openbsd-compat/port-uw.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2005 Tim Rice.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+char * get_iaf_password(struct passwd *pw);
+#endif
+
diff --git a/openbsd-compat/realpath.c b/openbsd-compat/realpath.c
index 7f73bd998..8430bec24 100644
--- a/openbsd-compat/realpath.c
+++ b/openbsd-compat/realpath.c
@@ -1,11 +1,7 @@
 /* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */
 
 /*
- * Copyright (c) 1994
- *      The Regents of the University of California.  All rights reserved.
- *
- * This code is derived from software contributed to Berkeley by
- * Jan-Simon Pendry.
+ * Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -15,14 +11,14 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
+ * 3. The names of the authors may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -36,169 +32,165 @@
 
 #if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
 
-#if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: realpath.c,v 1.11 2004/11/30 15:12:59 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
-
 #include <sys/param.h>
 #include <sys/stat.h>
 
 #include <errno.h>
-#include <fcntl.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 
 /*
- * MAXSYMLINKS
- */
-#ifndef MAXSYMLINKS
-#define MAXSYMLINKS 5
-#endif
-
-/*
- * char *realpath(const char *path, char resolved_path[MAXPATHLEN]);
+ * char *realpath(const char *path, char resolved[PATH_MAX]);
  *
  * Find the real name of path, by removing all ".", ".." and symlink
  * components.  Returns (resolved) on success, or (NULL) on failure,
  * in which case the path which caused trouble is left in (resolved).
  */
 char *
-realpath(const char *path, char *resolved)
+realpath(const char *path, char resolved[PATH_MAX])
 {
         struct stat sb;
-        int fd, n, needslash, serrno;
-        char *p, *q, wbuf[MAXPATHLEN];
-        int symlinks = 0;
-
-        /* Save the starting point. */
-#ifndef HAVE_FCHDIR
-        char start[MAXPATHLEN];
-        /* this is potentially racy but without fchdir we have no option */
-        if (getcwd(start, sizeof(start)) == NULL) {
-                resolved[0] = '.';
+        char *p, *q, *s;
+        size_t left_len, resolved_len;
+        unsigned symlinks;
+        int serrno, slen;
+        char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
+
+        serrno = errno;
+        symlinks = 0;
+        if (path[0] == '/') {
+                resolved[0] = '/';
                 resolved[1] = '\0';
-                return (NULL);
+                if (path[1] == '\0')
+                        return (resolved);
+                resolved_len = 1;
+                left_len = strlcpy(left, path + 1, sizeof(left));
+        } else {
+                if (getcwd(resolved, PATH_MAX) == NULL) {
+                        strlcpy(resolved, ".", PATH_MAX);
+                        return (NULL);
+                }
+                resolved_len = strlen(resolved);
+                left_len = strlcpy(left, path, sizeof(left));
         }
-#endif
-        if ((fd = open(".", O_RDONLY)) < 0) {
-                resolved[0] = '.';
-                resolved[1] = '\0';
+        if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
+                errno = ENAMETOOLONG;
                 return (NULL);
         }
 
-        /* Convert "." -> "" to optimize away a needless lstat() and chdir() */
-        if (path[0] == '.' && path[1] == '\0')
-                path = "";
-
         /*
-         * Find the dirname and basename from the path to be resolved.
-         * Change directory to the dirname component.
-         * lstat the basename part.
-         *     if it is a symlink, read in the value and loop.
-         *     if it is a directory, then change to that directory.
-         * get the current directory name and append the basename.
+         * Iterate over path components in `left'.
          */
-        if (strlcpy(resolved, path, MAXPATHLEN) >= MAXPATHLEN) {
-                serrno = ENAMETOOLONG;
-                goto err2;
-        }
-loop:
-        q = strrchr(resolved, '/');
-        if (q != NULL) {
-                p = q + 1;
-                if (q == resolved)
-                        q = "/";
-                else {
-                        do {
-                                --q;
-                        } while (q > resolved && *q == '/');
-                        q[1] = '\0';
-                        q = resolved;
+        while (left_len != 0) {
+                /*
+                 * Extract the next path component and adjust `left'
+                 * and its length.
+                 */
+                p = strchr(left, '/');
+                s = p ? p : left + left_len;
+                if (s - left >= sizeof(next_token)) {
+                        errno = ENAMETOOLONG;
+                        return (NULL);
                 }
-                if (chdir(q) < 0)
-                        goto err1;
-        } else
-                p = resolved;
-
-        /* Deal with the last component. */
-        if (*p != '\0' && lstat(p, &sb) == 0) {
-                if (S_ISLNK(sb.st_mode)) {
-                        if (++symlinks > MAXSYMLINKS) {
-                                errno = ELOOP;
-                                goto err1;
+                memcpy(next_token, left, s - left);
+                next_token[s - left] = '\0';
+                left_len -= s - left;
+                if (p != NULL)
+                        memmove(left, s + 1, left_len + 1);
+                if (resolved[resolved_len - 1] != '/') {
+                        if (resolved_len + 1 >= PATH_MAX) {
+                                errno = ENAMETOOLONG;
+                                return (NULL);
                         }
-                        if ((n = readlink(p, resolved, MAXPATHLEN-1)) < 0)
-                                goto err1;
-                        resolved[n] = '\0';
-                        goto loop;
+                        resolved[resolved_len++] = '/';
+                        resolved[resolved_len] = '\0';
                 }
-                if (S_ISDIR(sb.st_mode)) {
-                        if (chdir(p) < 0)
-                                goto err1;
-                        p = "";
+                if (next_token[0] == '\0')
+                        continue;
+                else if (strcmp(next_token, ".") == 0)
+                        continue;
+                else if (strcmp(next_token, "..") == 0) {
+                        /*
+                         * Strip the last path component except when we have
+                         * single "/"
+                         */
+                        if (resolved_len > 1) {
+                                resolved[resolved_len - 1] = '\0';
+                                q = strrchr(resolved, '/') + 1;
+                                *q = '\0';
+                                resolved_len = q - resolved;
+                        }
+                        continue;
                 }
-        }
-
-        /*
-         * Save the last component name and get the full pathname of
-         * the current directory.
-         */
-        if (strlcpy(wbuf, p, sizeof(wbuf)) >= sizeof(wbuf)) {
-                errno = ENAMETOOLONG;
-                goto err1;
-        }
-        if (getcwd(resolved, MAXPATHLEN) == NULL)
-                goto err1;
-
-        /*
-         * Join the two strings together, ensuring that the right thing
-         * happens if the last component is empty, or the dirname is root.
-         */
-        if (resolved[0] == '/' && resolved[1] == '\0')
-                needslash = 0;
-        else
-                needslash = 1;
 
-        if (*wbuf) {
-                if (strlen(resolved) + strlen(wbuf) + needslash >= MAXPATHLEN) {
+                /*
+                 * Append the next path component and lstat() it. If
+                 * lstat() fails we still can return successfully if
+                 * there are no more path components left.
+                 */
+                resolved_len = strlcat(resolved, next_token, PATH_MAX);
+                if (resolved_len >= PATH_MAX) {
                         errno = ENAMETOOLONG;
-                        goto err1;
+                        return (NULL);
                 }
-                if (needslash) {
-                        if (strlcat(resolved, "/", MAXPATHLEN) >= MAXPATHLEN) {
-                                errno = ENAMETOOLONG;
-                                goto err1;
+                if (lstat(resolved, &sb) != 0) {
+                        if (errno == ENOENT && p == NULL) {
+                                errno = serrno;
+                                return (resolved);
                         }
+                        return (NULL);
                 }
-                if (strlcat(resolved, wbuf, MAXPATHLEN) >= MAXPATHLEN) {
-                        errno = ENAMETOOLONG;
-                        goto err1;
-                }
-        }
+                if (S_ISLNK(sb.st_mode)) {
+                        if (symlinks++ > MAXSYMLINKS) {
+                                errno = ELOOP;
+                                return (NULL);
+                        }
+                        slen = readlink(resolved, symlink, sizeof(symlink) - 1);
+                        if (slen < 0)
+                                return (NULL);
+                        symlink[slen] = '\0';
+                        if (symlink[0] == '/') {
+                                resolved[1] = 0;
+                                resolved_len = 1;
+                        } else if (resolved_len > 1) {
+                                /* Strip the last path component. */
+                                resolved[resolved_len - 1] = '\0';
+                                q = strrchr(resolved, '/') + 1;
+                                *q = '\0';
+                                resolved_len = q - resolved;
+                        }
 
-        /* Go back to where we came from. */
-#ifdef HAVE_FCHDIR
-        if (fchdir(fd) < 0) {
-#else
-        if (chdir(start) < 0) {
-#endif
-                serrno = errno;
-                goto err2;
+                        /*
+                         * If there are any path components left, then
+                         * append them to symlink. The result is placed
+                         * in `left'.
+                         */
+                        if (p != NULL) {
+                                if (symlink[slen - 1] != '/') {
+                                        if (slen + 1 >= sizeof(symlink)) {
+                                                errno = ENAMETOOLONG;
+                                                return (NULL);
+                                        }
+                                        symlink[slen] = '/';
+                                        symlink[slen + 1] = 0;
+                                }
+                                left_len = strlcat(symlink, left, sizeof(left));
+                                if (left_len >= sizeof(left)) {
+                                        errno = ENAMETOOLONG;
+                                        return (NULL);
+                                }
+                        }
+                        left_len = strlcpy(left, symlink, sizeof(left));
+                }
         }
 
-        /* It's okay if the close fails, what's an fd more or less? */
-        (void)close(fd);
+        /*
+         * Remove trailing slash except when the resolved pathname
+         * is a single "/".
+         */
+        if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
+                resolved[resolved_len - 1] = '\0';
         return (resolved);
-
-err1:   serrno = errno;
-#ifdef HAVE_FCHDIR
-        (void)fchdir(fd);
-#else
-        chdir(start);
-#endif
-err2:   (void)close(fd);
-        errno = serrno;
-        return (NULL);
 }
 #endif /* !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) */
diff --git a/openbsd-compat/strtoll.c b/openbsd-compat/strtoll.c
new file mode 100644
index 000000000..60c276f8a
--- /dev/null
+++ b/openbsd-compat/strtoll.c
@@ -0,0 +1,151 @@
+/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */
+
+/*-
+ * Copyright (c) 1992 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "includes.h"
+#ifndef HAVE_STRTOLL
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$OpenBSD: strtoll.c,v 1.4 2005/03/30 18:51:49 pat Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <sys/types.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+
+/*
+ * Convert a string to a long long.
+ *
+ * Ignores `locale' stuff.  Assumes that the upper and lower case
+ * alphabets and digits are each contiguous.
+ */
+long long
+strtoll(const char *nptr, char **endptr, int base)
+{
+        const char *s;
+        long long acc, cutoff;
+        int c;
+        int neg, any, cutlim;
+
+        /*
+         * Skip white space and pick up leading +/- sign if any.
+         * If base is 0, allow 0x for hex and 0 for octal, else
+         * assume decimal; if base is already 16, allow 0x.
+         */
+        s = nptr;
+        do {
+                c = (unsigned char) *s++;
+        } while (isspace(c));
+        if (c == '-') {
+                neg = 1;
+                c = *s++;
+        } else {
+                neg = 0;
+                if (c == '+')
+                        c = *s++;
+        }
+        if ((base == 0 || base == 16) &&
+            c == '0' && (*s == 'x' || *s == 'X')) {
+                c = s[1];
+                s += 2;
+                base = 16;
+        }
+        if (base == 0)
+                base = c == '0' ? 8 : 10;
+
+        /*
+         * Compute the cutoff value between legal numbers and illegal
+         * numbers.  That is the largest legal value, divided by the
+         * base.  An input number that is greater than this value, if
+         * followed by a legal input character, is too big.  One that
+         * is equal to this value may be valid or not; the limit
+         * between valid and invalid numbers is then based on the last
+         * digit.  For instance, if the range for long longs is
+         * [-9223372036854775808..9223372036854775807] and the input base
+         * is 10, cutoff will be set to 922337203685477580 and cutlim to
+         * either 7 (neg==0) or 8 (neg==1), meaning that if we have
+         * accumulated a value > 922337203685477580, or equal but the
+         * next digit is > 7 (or 8), the number is too big, and we will
+         * return a range error.
+         *
+         * Set any if any `digits' consumed; make it negative to indicate
+         * overflow.
+         */
+        cutoff = neg ? LLONG_MIN : LLONG_MAX;
+        cutlim = cutoff % base;
+        cutoff /= base;
+        if (neg) {
+                if (cutlim > 0) {
+                        cutlim -= base;
+                        cutoff += 1;
+                }
+                cutlim = -cutlim;
+        }
+        for (acc = 0, any = 0;; c = (unsigned char) *s++) {
+                if (isdigit(c))
+                        c -= '0';
+                else if (isalpha(c))
+                        c -= isupper(c) ? 'A' - 10 : 'a' - 10;
+                else
+                        break;
+                if (c >= base)
+                        break;
+                if (any < 0)
+                        continue;
+                if (neg) {
+                        if (acc < cutoff || (acc == cutoff && c > cutlim)) {
+                                any = -1;
+                                acc = LLONG_MIN;
+                                errno = ERANGE;
+                        } else {
+                                any = 1;
+                                acc *= base;
+                                acc -= c;
+                        }
+                } else {
+                        if (acc > cutoff || (acc == cutoff && c > cutlim)) {
+                                any = -1;
+                                acc = LLONG_MAX;
+                                errno = ERANGE;
+                        } else {
+                                any = 1;
+                                acc *= base;
+                                acc += c;
+                        }
+                }
+        }
+        if (endptr != 0)
+                *endptr = (char *) (any ? s - 1 : nptr);
+        return (acc);
+}
+#endif /* HAVE_STRTOLL */
diff --git a/openbsd-compat/strtonum.c b/openbsd-compat/strtonum.c
new file mode 100644
index 000000000..b681ed83b
--- /dev/null
+++ b/openbsd-compat/strtonum.c
@@ -0,0 +1,69 @@
+/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
+
+/*      $OpenBSD: strtonum.c,v 1.6 2004/08/03 19:38:01 millert Exp $    */
+
+/*
+ * Copyright (c) 2004 Ted Unangst and Todd Miller
+ * All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+#ifndef HAVE_STRTONUM
+#include <limits.h>
+
+#define INVALID         1
+#define TOOSMALL        2
+#define TOOLARGE        3
+
+long long
+strtonum(const char *numstr, long long minval, long long maxval,
+    const char **errstrp)
+{
+        long long ll = 0;
+        char *ep;
+        int error = 0;
+        struct errval {
+                const char *errstr;
+                int err;
+        } ev[4] = {
+                { NULL,         0 },
+                { "invalid",    EINVAL },
+                { "too small",  ERANGE },
+                { "too large",  ERANGE },
+        };
+
+        ev[0].err = errno;
+        errno = 0;
+        if (minval > maxval)
+                error = INVALID;
+        else {
+                ll = strtoll(numstr, &ep, 10);
+                if (numstr == ep || *ep != '\0')
+                        error = INVALID;
+                else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
+                        error = TOOSMALL;
+                else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
+                        error = TOOLARGE;
+        }
+        if (errstrp != NULL)
+                *errstrp = ev[error].errstr;
+        errno = ev[error].err;
+        if (error)
+                ll = 0;
+
+        return (ll);
+}
+
+#endif /* HAVE_STRTONUM */
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
index c3cea3c86..9afa0b9f2 100644
--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
@@ -93,6 +93,11 @@ shadow_pw(struct passwd *pw)
         if (spw != NULL)
                 pw_password = spw->sp_pwdp;
 # endif
+
+#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+        return(get_iaf_password(pw));
+#endif
+
 # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
         struct passwd_adjunct *spw;
         if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)