13 files changed, 415 insertions, 34 deletions

diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index fb49e30f5..54628e260 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -37,6 +37,9 @@
 #include <string.h>
 #include <unistd.h>
 #include <stdarg.h>
+#include <stdlib.h>
+#include <wchar.h>
+#include <wctype.h>
 
 #include "xmalloc.h"
 
@@ -117,4 +120,150 @@ free_windows_environment(char **p)
         free(p);
 }
 
+/*
+ * Returns true if the given string matches the pattern (which may contain ?
+ * and * as wildcards), and zero if it does not match.
+ *
+ * The Cygwin version of this function must be case-insensitive and take
+ * Unicode characters into account.
+ */
+
+static int
+__match_pattern (const wchar_t *s, const wchar_t *pattern)
+{
+        for (;;) {
+                /* If at end of pattern, accept if also at end of string. */
+                if (!*pattern)
+                        return !*s;
+
+                if (*pattern == '*') {
+                        /* Skip the asterisk. */
+                        pattern++;
+
+                        /* If at end of pattern, accept immediately. */
+                        if (!*pattern)
+                                return 1;
+
+                        /* If next character in pattern is known, optimize. */
+                        if (*pattern != '?' && *pattern != '*') {
+                                /*
+                                 * Look instances of the next character in
+                                 * pattern, and try to match starting from
+                                 * those.
+                                 */
+                                for (; *s; s++)
+                                        if (*s == *pattern &&
+                                            __match_pattern(s + 1, pattern + 1))
+                                                return 1;
+                                /* Failed. */
+                                return 0;
+                        }
+                        /*
+                         * Move ahead one character at a time and try to
+                         * match at each position.
+                         */
+                        for (; *s; s++)
+                                if (__match_pattern(s, pattern))
+                                        return 1;
+                        /* Failed. */
+                        return 0;
+                }
+                /*
+                 * There must be at least one more character in the string.
+                 * If we are at the end, fail.
+                 */
+                if (!*s)
+                        return 0;
+
+                /* Check if the next character of the string is acceptable. */
+                if (*pattern != '?' && towlower(*pattern) != towlower(*s))
+                        return 0;
+
+                /* Move to the next character, both in string and in pattern. */
+                s++;
+                pattern++;
+        }
+        /* NOTREACHED */
+}
+
+static int
+_match_pattern(const char *s, const char *pattern)
+{
+        wchar_t *ws;
+        wchar_t *wpattern;
+        size_t len;
+        int ret;
+
+        if ((len = mbstowcs(NULL, s, 0)) < 0)
+                return 0;
+        ws = (wchar_t *) xcalloc(len + 1, sizeof (wchar_t));
+        mbstowcs(ws, s, len + 1);
+        if ((len = mbstowcs(NULL, pattern, 0)) < 0)
+                return 0;
+        wpattern = (wchar_t *) xcalloc(len + 1, sizeof (wchar_t));
+        mbstowcs(wpattern, pattern, len + 1);
+        ret = __match_pattern (ws, wpattern);
+        free(ws);
+        free(wpattern);
+        return ret;
+}
+
+/*
+ * Tries to match the string against the
+ * comma-separated sequence of subpatterns (each possibly preceded by ! to
+ * indicate negation).  Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
+ */
+int
+cygwin_ug_match_pattern_list(const char *string, const char *pattern)
+{
+        char sub[1024];
+        int negated;
+        int got_positive;
+        u_int i, subi, len = strlen(pattern);
+
+        got_positive = 0;
+        for (i = 0; i < len;) {
+                /* Check if the subpattern is negated. */
+                if (pattern[i] == '!') {
+                        negated = 1;
+                        i++;
+                } else
+                        negated = 0;
+
+                /*
+                 * Extract the subpattern up to a comma or end.  Convert the
+                 * subpattern to lowercase.
+                 */
+                for (subi = 0;
+                    i < len && subi < sizeof(sub) - 1 && pattern[i] != ',';
+                    subi++, i++)
+                        sub[subi] = pattern[i];
+                /* If subpattern too long, return failure (no match). */
+                if (subi >= sizeof(sub) - 1)
+                        return 0;
+
+                /* If the subpattern was terminated by a comma, then skip it. */
+                if (i < len && pattern[i] == ',')
+                        i++;
+
+                /* Null-terminate the subpattern. */
+                sub[subi] = '\0';
+
+                /* Try to match the subpattern against the string. */
+                if (_match_pattern(string, sub)) {
+                        if (negated)
+                                return -1;              /* Negative */
+                        else
+                                got_positive = 1;       /* Positive */
+                }
+        }
+
+        /*
+         * Return success if got a positive match.  If there was a negative
+         * match, we have already returned -1 and never get here.
+         */
+        return got_positive;
+}
+
 #endif /* HAVE_CYGWIN */
diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h
index 202c055db..55c5a5b81 100644
--- a/openbsd-compat/bsd-cygwin_util.h
+++ b/openbsd-compat/bsd-cygwin_util.h
@@ -55,6 +55,7 @@ int binary_open(const char *, int , ...);
 int check_ntsec(const char *);
 char **fetch_windows_environment(void);
 void free_windows_environment(char **);
+int cygwin_ug_match_pattern_list(const char *, const char *);
 
 #ifndef NO_BINARY_OPEN
 #define open binary_open
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
index 5d7540a70..aa1c7d7a3 100644
--- a/openbsd-compat/bsd-misc.c
+++ b/openbsd-compat/bsd-misc.c
@@ -25,6 +25,7 @@
 # include <sys/time.h>
 #endif
 
+#include <fcntl.h>
 #include <string.h>
 #include <signal.h>
 #include <stdlib.h>
@@ -117,6 +118,106 @@ int utimes(char *filename, struct timeval *tvp)
 }
 #endif
 
+#ifndef HAVE_UTIMENSAT
+/*
+ * A limited implementation of utimensat() that only implements the
+ * functionality used by OpenSSH, currently only AT_FDCWD and
+ * AT_SYMLINK_NOFOLLOW.
+ */
+int
+utimensat(int fd, const char *path, const struct timespec times[2],
+    int flag)
+{
+        struct timeval tv[2];
+        int ret, oflags = O_WRONLY;
+
+        tv[0].tv_sec = times[0].tv_sec;
+        tv[0].tv_usec = times[0].tv_nsec / 1000;
+        tv[1].tv_sec = times[1].tv_sec;
+        tv[1].tv_usec = times[1].tv_nsec / 1000;
+
+        if (fd != AT_FDCWD) {
+                errno = ENOSYS;
+                return -1;
+        }
+# ifndef HAVE_FUTIMES
+        return utimes(path, tv);
+# else
+#  ifdef O_NOFOLLOW
+        if (flag & AT_SYMLINK_NOFOLLOW)
+                oflags |= O_NOFOLLOW;
+#  endif /* O_NOFOLLOW */
+        if ((fd = open(path, oflags)) == -1)
+                return -1;
+        ret = futimes(fd, tv);
+        close(fd);
+        return ret;
+# endif
+}
+#endif
+
+#ifndef HAVE_FCHOWNAT
+/*
+ * A limited implementation of fchownat() that only implements the
+ * functionality used by OpenSSH, currently only AT_FDCWD and
+ * AT_SYMLINK_NOFOLLOW.
+ */
+int
+fchownat(int fd, const char *path, uid_t owner, gid_t group, int flag)
+{
+        int ret, oflags = O_WRONLY;
+
+        if (fd != AT_FDCWD) {
+                errno = ENOSYS;
+                return -1;
+        }
+# ifndef HAVE_FCHOWN
+        return chown(pathname, owner, group);
+# else
+#  ifdef O_NOFOLLOW
+        if (flag & AT_SYMLINK_NOFOLLOW)
+                oflags |= O_NOFOLLOW;
+#  endif /* O_NOFOLLOW */
+        if ((fd = open(path, oflags)) == -1)
+                return -1;
+        ret = fchown(fd, owner, group);
+        close(fd);
+        return ret;
+# endif
+}
+#endif
+
+#ifndef HAVE_FCHMODAT
+/*
+ * A limited implementation of fchmodat() that only implements the
+ * functionality used by OpenSSH, currently only AT_FDCWD and
+ * AT_SYMLINK_NOFOLLOW.
+ */
+int
+fchmodat(int fd, const char *path, mode_t mode, int flag)
+{
+        int ret, oflags = O_WRONLY;
+
+        if (fd != AT_FDCWD) {
+                errno = ENOSYS;
+                return -1;
+        }
+# ifndef HAVE_FCHMOD
+        return chown(pathname, owner, group);
+# else
+#  ifdef O_NOFOLLOW
+        if (flag & AT_SYMLINK_NOFOLLOW)
+                oflags |= O_NOFOLLOW;
+#  endif /* O_NOFOLLOW */
+        if ((fd = open(path, oflags)) == -1)
+                return -1;
+        ret = fchmod(fd, mode);
+        close(fd);
+        return ret;
+# endif
+}
+#endif
+
 #ifndef HAVE_TRUNCATE
 int truncate(const char *path, off_t length)
 {
diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h
index 52ec52853..cb158cd5c 100644
--- a/openbsd-compat/bsd-misc.h
+++ b/openbsd-compat/bsd-misc.h
@@ -64,6 +64,26 @@ struct timeval {
 int utimes(char *, struct timeval *);
 #endif /* HAVE_UTIMES */
 
+#ifndef HAVE_UTIMENSAT
+/* start with the high bits and work down to minimise risk of overlap */
+# ifndef AT_SYMLINK_NOFOLLOW
+#  define AT_SYMLINK_NOFOLLOW 0x80000000
+# endif
+int utimensat(int, const char *, const struct timespec[2], int);
+#endif
+
+#ifndef AT_FDCWD
+# define AT_FDCWD (-2)
+#endif
+
+#ifndef HAVE_FCHMODAT
+int fchmodat(int, const char *, mode_t, int);
+#endif
+
+#ifndef HAVE_FCHOWNAT
+int fchownat(int, const char *, uid_t, gid_t, int);
+#endif
+
 #ifndef HAVE_TRUNCATE
 int truncate (const char *, off_t);
 #endif /* HAVE_TRUNCATE */
diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c
index de3e64a63..ae00ff593 100644
--- a/openbsd-compat/libressl-api-compat.c
+++ b/openbsd-compat/libressl-api-compat.c
@@ -152,7 +152,9 @@
 #include <openssl/dsa.h>
 #include <openssl/rsa.h>
 #include <openssl/evp.h>
+#ifdef OPENSSL_HAS_ECC
 #include <openssl/ecdsa.h>
+#endif
 #include <openssl/dh.h>
 
 #ifndef HAVE_DSA_GET0_PQG
@@ -417,6 +419,7 @@ DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
 }
 #endif /* HAVE_DSA_SIG_SET0 */
 
+#ifdef OPENSSL_HAS_ECC
 #ifndef HAVE_ECDSA_SIG_GET0
 void
 ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
@@ -442,6 +445,7 @@ ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
         return 1;
 }
 #endif /* HAVE_ECDSA_SIG_SET0 */
+#endif /* OPENSSL_HAS_ECC */
 
 #ifndef HAVE_DH_GET0_PQG
 void
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index f5c833bf2..865aaee53 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -61,6 +61,7 @@ void closefrom(int);
 #endif
 
 #ifndef HAVE_GETLINE
+#include <stdio.h>
 ssize_t getline(char **, size_t *, FILE *);
 #endif
 
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index ea0b0c9fb..c1749210d 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -66,23 +66,31 @@ ssh_compatible_openssl(long headerver, long libver)
         return 0;
 }
 
-#ifdef  USE_OPENSSL_ENGINE
 void
-ssh_OpenSSL_add_all_algorithms(void)
+ssh_libcrypto_init(void)
 {
+#if defined(HAVE_OPENSSL_INIT_CRYPTO) && \
+      defined(OPENSSL_INIT_ADD_ALL_CIPHERS) && \
+      defined(OPENSSL_INIT_ADD_ALL_DIGESTS)
+        OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
+            OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+#elif defined(HAVE_OPENSSL_ADD_ALL_ALGORITHMS)
         OpenSSL_add_all_algorithms();
+#endif
 
+#ifdef  USE_OPENSSL_ENGINE
         /* Enable use of crypto hardware */
         ENGINE_load_builtin_engines();
         ENGINE_register_all_complete();
 
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
-        OPENSSL_config(NULL);
-#else
+        /* Load the libcrypto config file to pick up engines defined there */
+# if defined(HAVE_OPENSSL_INIT_CRYPTO) && defined(OPENSSL_INIT_LOAD_CONFIG)
         OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
             OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CONFIG, NULL);
-#endif
+# else
+        OPENSSL_config(NULL);
+# endif
+#endif /* USE_OPENSSL_ENGINE */
 }
-#endif
 
 #endif /* WITH_OPENSSL */
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 9e0264c04..917bc6f7c 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -21,16 +21,32 @@
 #ifdef WITH_OPENSSL
 
 #include <openssl/opensslv.h>
+#include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
+#ifdef OPENSSL_HAS_ECC
 #include <openssl/ecdsa.h>
+#endif
 #include <openssl/dh.h>
 
 int ssh_compatible_openssl(long, long);
+void ssh_libcrypto_init(void);
+
+#if (OPENSSL_VERSION_NUMBER < 0x1000100fL)
+# error OpenSSL 1.0.1 or greater is required
+#endif
+
+#ifndef OPENSSL_VERSION
+# define OPENSSL_VERSION        SSLEAY_VERSION
+#endif
+
+#ifndef HAVE_OPENSSL_VERSION
+# define OpenSSL_version(x)     SSLeay_version(x)
+#endif
 
-#if (OPENSSL_VERSION_NUMBER <= 0x0090805fL)
-# error OpenSSL 0.9.8f or greater is required
+#ifndef HAVE_OPENSSL_VERSION_NUM
+# define OpenSSL_version_num    SSLeay
 #endif
 
 #if OPENSSL_VERSION_NUMBER < 0x10000001L
@@ -77,27 +93,6 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
 # endif
 #endif
 
-/*
- * We overload some of the OpenSSL crypto functions with ssh_* equivalents
- * to automatically handle OpenSSL engine initialisation.
- *
- * In order for the compat library to call the real functions, it must
- * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
- * implement the ssh_* equivalents.
- */
-#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS
-
-# ifdef USE_OPENSSL_ENGINE
-#  ifdef OpenSSL_add_all_algorithms
-#   undef OpenSSL_add_all_algorithms
-#  endif
-#  define OpenSSL_add_all_algorithms()  ssh_OpenSSL_add_all_algorithms()
-# endif
-
-void ssh_OpenSSL_add_all_algorithms(void);
-
-#endif  /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
-
 /* LibreSSL/OpenSSL 1.1x API compat */
 #ifndef HAVE_DSA_GET0_PQG
 void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
@@ -161,6 +156,7 @@ void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
 int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
 #endif /* DSA_SIG_SET0 */
 
+#ifdef OPENSSL_HAS_ECC
 #ifndef HAVE_ECDSA_SIG_GET0
 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
 #endif /* HAVE_ECDSA_SIG_GET0 */
@@ -168,6 +164,7 @@ void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
 #ifndef HAVE_ECDSA_SIG_SET0
 int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
 #endif /* HAVE_ECDSA_SIG_SET0 */
+#endif /* OPENSSL_HAS_ECC */
 
 #ifndef HAVE_DH_GET0_PQG
 void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q,
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 943177c70..fc80dc39f 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -313,7 +313,8 @@ sys_auth_get_lastlogin_msg(const char *user, uid_t uid)
  * record_failed_login: generic "login failed" interface function
  */
 void
-record_failed_login(const char *user, const char *hostname, const char *ttyname)
+record_failed_login(struct ssh *ssh, const char *user, const char *hostname,
+    const char *ttyname)
 {
         if (geteuid() != 0)
                 return;
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 748c0e4e3..904de3096 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -30,6 +30,7 @@
 # include <sys/socket.h>
 #endif
 
+struct ssh;
 struct sshbuf;
 
 /* These should be in the system headers but are not. */
@@ -89,8 +90,8 @@ void aix_usrinfo(struct passwd *);
 # define CUSTOM_SYS_AUTH_ALLOWED_USER 1
 int sys_auth_allowed_user(struct passwd *, struct sshbuf *);
 # define CUSTOM_SYS_AUTH_RECORD_LOGIN 1
-int sys_auth_record_login(const char *, const char *,
-    const char *, struct sshbuf *);
+int sys_auth_record_login(const char *, const char *, const char *,
+    struct sshbuf *);
 # define CUSTOM_SYS_AUTH_GET_LASTLOGIN_MSG
 char *sys_auth_get_lastlogin_msg(const char *, uid_t);
 # define CUSTOM_FAILED_LOGIN 1
diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in
index 529331be5..c5aae61e2 100644
--- a/openbsd-compat/regress/Makefile.in
+++ b/openbsd-compat/regress/Makefile.in
@@ -14,7 +14,7 @@ LIBS=@LIBS@
 LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
 
 TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
-        strtonumtest$(EXEEXT) opensslvertest$(EXEEXT)
+        strtonumtest$(EXEEXT) opensslvertest$(EXEEXT) utimensattest$(EXEEXT)
 
 all:    t-exec ${OTHERTESTS}
 
diff --git a/openbsd-compat/regress/utimensattest.c b/openbsd-compat/regress/utimensattest.c
new file mode 100644
index 000000000..a7bc7634b
--- /dev/null
+++ b/openbsd-compat/regress/utimensattest.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2019 Darren Tucker
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define TMPFILE "utimensat.tmp"
+#define TMPFILE2 "utimensat.tmp2"
+
+#ifndef AT_SYMLINK_NOFOLLOW
+# define AT_SYMLINK_NOFOLLOW 0x80000000
+#endif
+
+int utimensat(int, const char *, const struct timespec[2], int);
+
+void
+fail(char *msg, long expect, long got)
+{
+        int saved_errno = errno;
+
+        if (expect == got && got == 0)
+                fprintf(stderr, "utimensat: %s: %s\n", msg,
+                     strerror(saved_errno));
+        else
+                fprintf(stderr, "utimensat: %s: expected %ld got %ld\n",
+                     msg, expect, got);
+        exit(1);
+}
+
+int
+main(void)
+{
+        int fd;
+        struct stat sb;
+        struct timespec ts[2];
+
+        if ((fd = open(TMPFILE, O_CREAT, 0600)) == -1)
+                fail("open", 0, 0);
+        close(fd);
+
+        ts[0].tv_sec = 12345678;
+        ts[0].tv_nsec = 23456789;
+        ts[1].tv_sec = 34567890;
+        ts[1].tv_nsec = 45678901;
+        if (utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW) == -1)
+                fail("utimensat", 0, 0);
+
+        if (stat(TMPFILE, &sb) == -1)
+                fail("stat", 0, 0 );
+        if (sb.st_atime != 12345678)
+                fail("st_atime", 0, 0 );
+        if (sb.st_mtime != 34567890)
+                fail("st_mtime", 0, 0 );
+#if 0
+        /*
+         * Results expected to be rounded to the nearest microsecond.
+         * Depends on timestamp precision in kernel and filesystem so
+         * disabled by default.
+         */
+        if (sb.st_atim.tv_nsec != 23456000)
+                fail("atim.tv_nsec", 23456000, sb.st_atim.tv_nsec);
+        if (sb.st_mtim.tv_nsec != 45678000)
+                fail("mtim.tv_nsec", 45678000, sb.st_mtim.tv_nsec);
+#endif
+
+        if (rename(TMPFILE, TMPFILE2) == -1)
+                fail("rename", 0, 0);
+        if (symlink(TMPFILE2, TMPFILE) == -1)
+                fail("symlink", 0, 0);
+
+        if (utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW) != -1)
+                fail("utimensat followed symlink", 0, 0);
+
+        if (!(unlink(TMPFILE) == 0 && unlink(TMPFILE2) == 0))
+                fail("unlink", 0, 0);
+        exit(0);
+}
diff --git a/openbsd-compat/sys-queue.h b/openbsd-compat/sys-queue.h
index af93d6814..5108f394c 100644
--- a/openbsd-compat/sys-queue.h
+++ b/openbsd-compat/sys-queue.h
@@ -81,6 +81,7 @@
 #undef SIMPLEQ_EMPTY
 #undef SIMPLEQ_NEXT
 #undef SIMPLEQ_FOREACH
+#undef SIMPLEQ_FOREACH_SAFE
 #undef SIMPLEQ_INIT
 #undef SIMPLEQ_INSERT_HEAD
 #undef SIMPLEQ_INSERT_TAIL