author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2002-02-23 01:22:51 +0000 |
---|---|---|
committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2002-02-23 01:22:51 +0000 |
commit | 5c1eca55510ced8982522fa919a1ad4349eb96f2 (patch) | |
tree | 243aca60563786e2294665fe43625ee63617ca3c /contrib/openpam/lib |
Vendor import of OpenPAM Calamitevendor/openpam/CALAMITE
Notes
Notes:
svn path=/vendor/openpam/dist/; revision=91094
svn path=/vendor/openpam/CALAMITE/; revision=91096; tag=vendor/openpam/CALAMITE
Diffstat (limited to 'contrib/openpam/lib')
37 files changed, 3172 insertions, 0 deletions
diff --git a/contrib/openpam/lib/Makefile b/contrib/openpam/lib/Makefile
new file mode 100644
index 000000000000..1fd90410f290
--- /dev/null
+++ b/contrib/openpam/lib/Makefile
@@ -0,0 +1,85 @@
+#-
+# Copyright (c) 2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# This software was developed for the FreeBSD Project by ThinkSec AS and
+# NAI Labs, the Security Research Division of Network Associates, Inc.
+# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+# DARPA CHATS research program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+# products derived from this software without specific prior written
+# permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+LIB = pam
+SHLIB_MAJOR = 2
+SHLIB_MINOR = 0
+
+WARNS ?= 4
+NO_WERROR = yes
+CFLAGS += -I${.CURDIR}/../include
+
+SRCS =
+SRCS += openpam_dispatch.c
+SRCS += openpam_findenv.c
+SRCS += openpam_load.c
+SRCS += openpam_log.c
+SRCS += openpam_ttyconv.c
+SRCS += pam_acct_mgmt.c
+SRCS += pam_authenticate.c
+SRCS += pam_chauthtok.c
+SRCS += pam_close_session.c
+SRCS += pam_end.c
+SRCS += pam_error.c
+SRCS += pam_get_authtok.c
+SRCS += pam_get_data.c
+SRCS += pam_get_item.c
+SRCS += pam_get_user.c
+SRCS += pam_getenv.c
+SRCS += pam_getenvlist.c
+SRCS += pam_info.c
+SRCS += pam_open_session.c
+SRCS += pam_prompt.c
+SRCS += pam_putenv.c
+SRCS += pam_set_data.c
+SRCS += pam_set_item.c
+SRCS += pam_setcred.c
+SRCS += pam_setenv.c
+SRCS += pam_start.c
+SRCS += pam_strerror.c
+SRCS += pam_verror.c
+SRCS += pam_vinfo.c
+SRCS += pam_vprompt.c
+
+.if 0
+SRCS += pam_authenticate_secondary.c
+SRCS += pam_get_mapped_authtok.c
+SRCS += pam_get_mapped_username.c
+SRCS += pam_set_mapped_authtok.c
+SRCS += pam_set_mapped_username.c
+.endif
+
+.include <bsd.lib.mk>
diff --git a/contrib/openpam/lib/openpam_dispatch.c b/contrib/openpam/lib/openpam_dispatch.c
new file mode 100644
index 000000000000..9c7c2879cbb2
--- /dev/null
+++ b/contrib/openpam/lib/openpam_dispatch.c
@@ -0,0 +1,203 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+#if !defined(OPENPAM_RELAX_CHECKS)
+static void _openpam_check_error_code(int, int);
+#else
+#define _openpam_check_error_code(a, b)
+#endif /* !defined(OPENPAM_RELAX_CHECKS) */
+
+/*
+ * Execute a module chain
+ */
+
+int
+openpam_dispatch(pam_handle_t *pamh,
+ int primitive,
+ int flags)
+{
+ pam_chain_t *chain;
+ int err, fail, r;
+
+ if (pamh == NULL)
+ return (PAM_SYSTEM_ERR);
+
+ /* prevent recursion */
+ if (pamh->current != NULL) {
+ openpam_log(PAM_LOG_ERROR, "indirect recursion");
+ return (PAM_ABORT);
+ }
+
+ /* pick a chain */
+ switch (primitive) {
+ case PAM_SM_AUTHENTICATE:
+ case PAM_SM_SETCRED:
+ chain = pamh->chains[PAM_AUTH];
+ break;
+ case PAM_SM_ACCT_MGMT:
+ chain = pamh->chains[PAM_ACCOUNT];
+ break;
+ case PAM_SM_OPEN_SESSION:
+ case PAM_SM_CLOSE_SESSION:
+ chain = pamh->chains[PAM_SESSION];
+ break;
+ case PAM_SM_CHAUTHTOK:
+ chain = pamh->chains[PAM_PASSWORD];
+ break;
+ default:
+ return (PAM_SYSTEM_ERR);
+ }
+
+ /* execute */
+ for (err = fail = 0; chain != NULL; chain = chain->next) {
+ if (chain->module->func[primitive] == NULL) {
+ openpam_log(PAM_LOG_ERROR, "%s: no %s()",
+ chain->module->path, _pam_sm_func_name[primitive]);
+ continue;
+ } else {
+ pamh->current = chain;
+ r = (chain->module->func[primitive])(pamh, flags,
+ chain->optc, (const char **)chain->optv);
+ pamh->current = NULL;
+ openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
+ chain->module->path, _pam_sm_func_name[primitive],
+ pam_strerror(pamh, r));
+ }
+
+ if (r == PAM_IGNORE)
+ continue;
+ if (r == PAM_SUCCESS) {
+ /*
+ * For pam_setcred(), treat "sufficient" as
+ * "optional".
+ *
+ * Note that Solaris libpam does not terminate
+ * the chain here if a required module has
+ * previously failed. I'm not sure why.
+ */
+ if (chain->flag == PAM_SUFFICIENT &&
+ primitive != PAM_SM_SETCRED)
+ break;
+ }
+
+ _openpam_check_error_code(primitive, r);
+
+ /*
+ * Record the return code from the first module to
+ * fail. If a required module fails, record the
+ * return code from the first required module to fail.
+ */
+ if (err == 0)
+ err = r;
+ if (chain->flag == PAM_REQUIRED && !fail) {
+ fail = 1;
+ err = r;
+ }
+
+ /*
+ * If a requisite module fails, terminate the chain
+ * immediately.
+ */
+ if (chain->flag == PAM_REQUISITE) {
+ fail = 1;
+ break;
+ }
+ }
+
+ return (fail ? err : PAM_SUCCESS);
+}
+
+#if !defined(OPENPAM_RELAX_CHECKS)
+static void
+_openpam_check_error_code(int primitive, int r)
+{
+ /* common error codes */
+ if (r == PAM_SERVICE_ERR ||
+ r == PAM_BUF_ERR ||
+ r == PAM_BUF_ERR ||
+ r == PAM_CONV_ERR ||
+ r == PAM_PERM_DENIED)
+ return;
+
+ /* specific error codes */
+ switch (primitive) {
+ case PAM_SM_AUTHENTICATE:
+ if (r == PAM_AUTH_ERR ||
+ r == PAM_CRED_INSUFFICIENT ||
+ r == PAM_AUTHINFO_UNAVAIL ||
+ r == PAM_USER_UNKNOWN ||
+ r == PAM_MAXTRIES)
+ return;
+ break;
+ case PAM_SM_SETCRED:
+ if (r == PAM_CRED_UNAVAIL ||
+ r == PAM_CRED_EXPIRED ||
+ r == PAM_USER_UNKNOWN ||
+ r == PAM_CRED_ERR)
+ return;
+ break;
+ case PAM_SM_ACCT_MGMT:
+ if (r == PAM_USER_UNKNOWN ||
+ r == PAM_AUTH_ERR ||
+ r == PAM_NEW_AUTHTOK_REQD ||
+ r == PAM_ACCT_EXPIRED)
+ return;
+ break;
+ case PAM_SM_OPEN_SESSION:
+ case PAM_SM_CLOSE_SESSION:
+ if (r == PAM_SESSION_ERR)
+ return;
+ break;
+ case PAM_SM_CHAUTHTOK:
+ if (r == PAM_PERM_DENIED ||
+ r == PAM_AUTHTOK_ERR ||
+ r == PAM_AUTHTOK_RECOVERY_ERR ||
+ r == PAM_AUTHTOK_LOCK_BUSY ||
+ r == PAM_AUTHTOK_DISABLE_AGING)
+ return;
+ break;
+ }
+
+ openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
+ _pam_sm_func_name[primitive], r);
+}
+#endif /* !defined(OPENPAM_RELAX_CHECKS) */
diff --git a/contrib/openpam/lib/openpam_findenv.c b/contrib/openpam/lib/openpam_findenv.c
new file mode 100644
index 000000000000..c32dd272f32b
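Review bot: A module that returns PAM_SUCCESS still falls through to the failure bookkeeping in openpam_dispatch(), because the `if (r == PAM_SUCCESS)` block only breaks for a sufficient module and never skips the rest of the loop body. As written, a successful `PAM_REQUISITE` module sets `fail = 1` and breaks, so the modules after it in the chain are never run and, if nothing failed earlier, the function returns `err`, which is still the success value; a successful `PAM_REQUIRED` module likewise sets `fail`, after which a later optional module's error becomes the chain result, and `_openpam_check_error_code()` logs the success as an unexpected return value. Adding `continue;` after the sufficient check, still inside the `if (r == PAM_SUCCESS)` block, keeps successes out of the error path. Separately, `_openpam_check_error_code()` tests `r == PAM_BUF_ERR` twice, so one of the common codes was probably meant to be something else (perhaps `PAM_SYSTEM_ERR`).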
--- /dev/null
+++ b/contrib/openpam/lib/openpam_findenv.c
@@ -0,0 +1,62 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * Locate an environment variable
+ */
+
+int
+openpam_findenv(pam_handle_t *pamh,
+ const char *name,
+ size_t len)
+{
+ int i;
+
+ if (pamh == NULL)
+ return (-1);
+
+ for (i = 0; i < pamh->env_count; ++i)
+ if (strncmp(pamh->env[i], name, len) == 0 &&
+ pamh->env[i][len] == '=')
+ return (i);
+ return (-1);
+}
diff --git a/contrib/openpam/lib/openpam_impl.h b/contrib/openpam/lib/openpam_impl.h
new file mode 100644
index 000000000000..59886288e549
--- /dev/null
+++ b/contrib/openpam/lib/openpam_impl.h
@@ -0,0 +1,106 @@
+/*-
+ * Copyright (c) 2001 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#ifndef _OPENPAM_IMPL_H_INCLUDED
+#define _OPENPAM_IMPL_H_INCLUDED
+
+#include <security/openpam.h>
+
+extern const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES];
+
+/*
+ * Control flags
+ */
+#define PAM_REQUIRED 1
+#define PAM_REQUISITE 2
+#define PAM_SUFFICIENT 3
+#define PAM_OPTIONAL 4
+#define PAM_NUM_CONTROLFLAGS 5
+
+/*
+ * Chains
+ */
+#define PAM_AUTH 0
+#define PAM_ACCOUNT 1
+#define PAM_SESSION 2
+#define PAM_PASSWORD 3
+#define PAM_NUM_CHAINS 4
+
+typedef struct pam_chain pam_chain_t;
+struct pam_chain {
+ pam_module_t *module;
+ int flag;
+ int optc;
+ char **optv;
+ pam_chain_t *next;
+};
+
+#define PAM_NUM_ITEMS 10
+
+typedef struct pam_data pam_data_t;
+struct pam_data {
+ char *name;
+ void *data;
+ void (*cleanup)(pam_handle_t *, void *, int);
+ pam_data_t *next;
+};
+
+struct pam_handle {
+ char *service;
+
+ /* chains */
+ pam_chain_t *chains[PAM_NUM_CHAINS];
+ pam_chain_t *current;
+
+ /* items and data */
+ void *item[PAM_NUM_ITEMS];
+ pam_data_t *module_data;
+
+ /* environment list */
+ char **env;
+ int env_count;
+ int env_size;
+};
+
+#define PAM_OTHER "other"
+
+int openpam_dispatch(pam_handle_t *, int, int);
+int openpam_findenv(pam_handle_t *, const char *, size_t);
+int openpam_add_module(pam_handle_t *, int, int,
+ const char *, int, const char **);
+void openpam_clear_chains(pam_handle_t *);
+
+#endif
diff --git a/contrib/openpam/lib/openpam_load.c b/contrib/openpam/lib/openpam_load.c
new file mode 100644
index 000000000000..d93895989469
--- /dev/null
+++ b/contrib/openpam/lib/openpam_load.c
@@ -0,0 +1,227 @@ +/*- + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. + * + * This software was developed for the FreeBSD Project by ThinkSec AS and + * NAI Labs, the Security Research Division of Network Associates, Inc. + * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the + * DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $Id$ + */ + +#include <dlfcn.h> +#include <stdlib.h> +#include <string.h> + +#include <security/pam_appl.h> + +#include "openpam_impl.h" + +#ifdef OPENPAM_STATIC_MODULES +SET_DECLARE(_openpam_modules, pam_module_t); +#endif + +const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES] = { + "pam_sm_acct_mgmt", + "pam_sm_authenticate", + "pam_sm_chauthtok", + "pam_sm_close_session", + "pam_sm_open_session", + "pam_sm_setcred" +}; + +static pam_module_t *modules; + +/* + * Load a dynamic module, or locate a static one. Keep a list of + * previously found modules to speed up the process. + */ + +static pam_module_t * +openpam_load_module(const char *path) +{ + pam_module_t *module; + void *dlh; + int i; + + /* check cache first */ + for (module = modules; module != NULL; module = module->next) + if (strcmp(module->path, path) == 0) + goto found; + + /* nope; try to load */ + if ((dlh = dlopen(path, RTLD_NOW)) == NULL) { + openpam_log(PAM_LOG_ERROR, "dlopen(): %s", dlerror()); + } else { + if ((module = calloc(1, sizeof *module)) == NULL) + goto buf_err; + if ((module->path = strdup(path)) == NULL) + goto buf_err; + module->dlh = dlh; + for (i = 0; i < PAM_NUM_PRIMITIVES; ++i) + module->func[i] = dlsym(dlh, _pam_sm_func_name[i]); + } + openpam_log(PAM_LOG_DEBUG, "%s dynamic %s", + (module == NULL) ? "no" : "using", path); + +#ifdef OPENPAM_STATIC_MODULES + /* look for a static module */ + if (module == NULL && strchr(path, '/') == NULL) { + pam_module_t **modp; + + SET_FOREACH(modp, _openpam_modules) { + if (strcmp((*modp)->path, path) == 0) { + module = *modp; + break; + } + } + openpam_log(PAM_LOG_DEBUG, "%s static %s", + (module == NULL) ? "no" : "using", path); + } +#endif + if (module == NULL) + return (NULL); + module->next = modules; + module->prev = NULL; + modules = module; + found: + ++module->refcount; + return (module); + buf_err: + openpam_log(PAM_LOG_ERROR, "malloc(): %m"); + dlclose(dlh); + free(module); + return (NULL); +} + + +/* + * Release a module. 
+ * XXX highly thread-unsafe + */ + +static void +openpam_release_module(pam_module_t *module) +{ + if (module == NULL) + return; + --module->refcount; + if (module->refcount > 0) + /* still in use */ + return; + if (module->refcount < 0) { + openpam_log(PAM_LOG_ERROR, "module %s has negative refcount", + module->path); + module->refcount = 0; + } + if (module->dlh == NULL) + /* static module */ + return; + dlclose(module->dlh); + if (module->prev != NULL) + module->prev->next = module->next; + if (module->next != NULL) + module->next->prev = module->prev; + free(module); +} + + +/* + * Destroy a chain, freeing all its links and releasing the modules + * they point to. + */ + +static void +openpam_destroy_chain(pam_chain_t *chain) +{ + if (chain == NULL) + return; + openpam_destroy_chain(chain->next); + chain->next = NULL; + while (chain->optc--) + free(chain->optv[chain->optc]); + free(chain->optv); + openpam_release_module(chain->module); + free(chain); +} + +/* + * Add a module to a chain. 
+ */ + +int +openpam_add_module(pam_handle_t *pamh, + int chain, + int flag, + const char *modpath, + int optc, + const char *optv[]) +{ + pam_chain_t *new, *iterator; + + if ((new = calloc(1, sizeof *new)) == NULL) + goto buf_err; + if ((new->optv = malloc(sizeof(char *) * (optc + 1))) == NULL) + goto buf_err; + while (optc--) + if ((new->optv[new->optc++] = strdup(*optv++)) == NULL) + goto buf_err; + new->optv[new->optc] = NULL; + new->flag = flag; + if ((new->module = openpam_load_module(modpath)) == NULL) { + openpam_destroy_chain(new); + return (PAM_OPEN_ERR); + } + if ((iterator = pamh->chains[chain]) != NULL) { + while (iterator->next != NULL) + iterator = iterator->next; + iterator->next = new; + } else { + pamh->chains[chain] = new; + } + return (PAM_SUCCESS); + + buf_err: + openpam_log(PAM_LOG_ERROR, "%m"); + openpam_destroy_chain(new); + return (PAM_BUF_ERR); +} + + +/* + * Clear the chains and release the modules + */ + +void +openpam_clear_chains(pam_handle_t *pamh) +{ + int i; + + for (i = 0; i < PAM_NUM_CHAINS; ++i) + openpam_destroy_chain(pamh->chains[i]); +} diff --git a/contrib/openpam/lib/openpam_log.c b/contrib/openpam/lib/openpam_log.c new file mode 100644 index 000000000000..d733b690da7b --- /dev/null +++ b/contrib/openpam/lib/openpam_log.c 
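Review bot: The module cache kept by openpam_load_module() and openpam_release_module() can be left pointing at freed memory: insertion sets `module->prev = NULL` and `modules = module` but never sets the old head's `prev`, and the release path only unlinks through `module->prev`, so after `free(module)` either `modules` or the predecessor's `next` still refers to the freed entry and the next cache scan would `strcmp()` through it. Linking `prev` on insert and moving `modules` forward when the head is released, as sketched below, closes this; the `strdup()`ed `module->path` also appears never to be freed. In openpam_add_module(), `chain` indexes `pamh->chains[]` and `optc` sizes the `malloc()` with no range check visible in this hunk, so a comment stating that callers validate both would help. openpam_clear_chains() leaves the freed pointers in `pamh->chains[i]`; assigning `NULL` after each destroy call would make a second call harmless.

```c
	/* openpam_load_module(), where a newly found module is linked in */
	module->prev = NULL;
	if (modules != NULL)
		modules->prev = module;
	/* … unchanged: modules = module, found: and buf_err: paths … */

	/* openpam_release_module(), where the module is unlinked */
	if (module->prev != NULL)
		module->prev->next = module->next;
	else
		modules = module->next;
	/* … unchanged: next->prev update, free(module) … */
```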
@@ -0,0 +1,117 @@ +/*- + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. + * + * This software was developed for the FreeBSD Project by ThinkSec AS and + * NAI Labs, the Security Research Division of Network Associates, Inc. + * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the + * DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $Id$ + */ + +#include <stdarg.h> +#include <stdio.h> +#include <stdlib.h> +#include <syslog.h> + +#include <security/pam_appl.h> + +#include "openpam_impl.h" + +#if defined(openpam_log) + +/* + * Log a message through syslog(3) + */ + +void +_openpam_log(int level, const char *func, const char *fmt, ...) +{ + va_list ap; + char *format; + int priority; + + switch (level) { + case PAM_LOG_DEBUG: + priority = LOG_DEBUG; + break; + case PAM_LOG_VERBOSE: + priority = LOG_INFO; + break; + case PAM_LOG_NOTICE: + priority = LOG_NOTICE; + break; + case PAM_LOG_ERROR: + priority = LOG_ERR; + break; + } + va_start(ap, fmt); + if ((format = malloc(strlen(func) + strlen(fmt) + 8)) != NULL) { + sprintf(format, "in %s(): %s", func, fmt); + vsyslog(priority, format, ap); + free(format); + } else { + vsyslog(priority, fmt, ap); + } + va_end(ap); +} + +#else + +/* + * If openpam_log isn't defined as a macro, we're on a platform that + * doesn't support varadic macros (or it does but we aren't aware of + * it). Do the next best thing. + */ + +void +openpam_log(int level, const char *fmt, ...) +{ + va_list ap; + int priority; + + switch (level) { + case PAM_LOG_DEBUG: + priority = LOG_DEBUG; + break; + case PAM_LOG_VERBOSE: + priority = LOG_INFO; + break; + case PAM_LOG_NOTICE: + priority = LOG_NOTICE; + break; + case PAM_LOG_ERROR: + priority = LOG_ERR; + break; + } + va_start(ap, fmt); + vsyslog(priority, fmt, ap); + va_end(ap); +} + +#endif diff --git a/contrib/openpam/lib/openpam_ttyconv.c b/contrib/openpam/lib/openpam_ttyconv.c new file mode 100644 index 000000000000..ac7eecd66fd0 --- /dev/null +++ b/contrib/openpam/lib/openpam_ttyconv.c 
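Review bot: `priority` is left uninitialised when `level` is not one of the four `PAM_LOG_*` cases, in both `_openpam_log()` and the fallback `openpam_log()`, so an unexpected level passes an indeterminate value to `vsyslog()`. A `default: priority = LOG_ERR; break;` arm in each switch would give unknown levels a defined priority. `_openpam_log()` also calls `strlen()` although no `<string.h>` include is visible in this file, and the `sprintf()` into `format` relies on the `+ 8` matching the literal `"in %s(): %s"` exactly; `snprintf()` with the computed size would keep the two from drifting apart.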
@@ -0,0 +1,131 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/types.h>
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <termios.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+/*
+ * Simple tty-based conversation function.
+ */
+
+int
+openpam_ttyconv(int n,
+ const struct pam_message **msg,
+ struct pam_response **resp,
+ void *data)
+{
+ char buf[PAM_MAX_RESP_SIZE];
+ struct termios tattr;
+ tcflag_t lflag;
+ int fd, err, i;
+ size_t len;
+
+ data = data;
+ if (n <= 0 || n > PAM_MAX_NUM_MSG)
+ return (PAM_CONV_ERR);
+ if ((*resp = calloc(n, sizeof **resp)) == NULL)
+ return (PAM_BUF_ERR);
+ fd = fileno(stdin);
+ for (i = 0; i < n; ++i) {
+ resp[i]->resp_retcode = 0;
+ resp[i]->resp = NULL;
+ switch (msg[i]->msg_style) {
+ case PAM_PROMPT_ECHO_OFF:
+ case PAM_PROMPT_ECHO_ON:
+ if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
+ if (tcgetattr(fd, &tattr) != 0) {
+ openpam_log(PAM_LOG_ERROR,
+ "tcgetattr(): %m");
+ err = PAM_CONV_ERR;
+ goto fail;
+ }
+ lflag = tattr.c_lflag;
+ tattr.c_lflag &= ~ECHO;
+ if (tcsetattr(fd, TCSAFLUSH, &tattr) != 0) {
+ openpam_log(PAM_LOG_ERROR,
+ "tcsetattr(): %m");
+ err = PAM_CONV_ERR;
+ goto fail;
+ }
+ }
+ fputs(msg[i]->msg, stderr);
+ buf[0] = '\0';
+ fgets(buf, sizeof buf, stdin);
+ if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
+ tattr.c_lflag = lflag;
+ (void)tcsetattr(fd, TCSANOW, &tattr);
+ fputs("\n", stderr);
+ }
+ if (ferror(stdin)) {
+ err = PAM_CONV_ERR;
+ goto fail;
+ }
+ for (len = strlen(buf); len > 0; --len)
+ if (!isspace(buf[len - 1]))
+ break;
+ buf[len] = '\0';
+ if ((resp[i]->resp = strdup(buf)) == NULL) {
+ err = PAM_BUF_ERR;
+ goto fail;
+ }
+ break;
+ case PAM_ERROR_MSG:
+ fputs(msg[i]->msg, stderr);
+ break;
+ case PAM_TEXT_INFO:
+ fputs(msg[i]->msg, stdout);
+ break;
+ default:
+ err = PAM_BUF_ERR;
+ goto fail;
+ }
+ }
+ return (PAM_SUCCESS);
+ fail:
+ while (i)
+ free(resp[--i]);
+ free(*resp);
+ *resp = NULL;
+ return (err);
+}
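Review bot: The response array is allocated as `*resp = calloc(n, sizeof **resp)` but then indexed as `resp[i]->…`, which for `i > 0` reads a pointer from memory past the caller's single `struct pam_response *` instead of addressing element `i` of the new array. The `fail:` path has the same confusion: once at least one message has been processed, `free(resp[--i])` ends up freeing the array itself and `free(*resp)` then frees it a second time, while the `strdup()`ed answers are never released. Indexing with `(*resp)[i]` throughout fixes both, as sketched below. Also, `buf` still holds the typed secret when the function returns and `isspace(buf[len - 1])` is passed a plain `char`; clearing `buf` before returning and casting to `unsigned char` would be worth adding.

```c
		(*resp)[i].resp_retcode = 0;
		(*resp)[i].resp = NULL;
		/* … unchanged: msg_style switch, echo handling, fgets() and trimming … */
			if (((*resp)[i].resp = strdup(buf)) == NULL) {
		/* … unchanged: error branch, remaining cases, success return … */
 fail:
	while (i)
		free((*resp)[--i].resp);
	/* … unchanged: free(*resp), *resp = NULL, return (err) … */
```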
diff --git a/contrib/openpam/lib/pam_acct_mgmt.c b/contrib/openpam/lib/pam_acct_mgmt.c
new file mode 100644
index 000000000000..d88a24e70962
--- /dev/null
+++ b/contrib/openpam/lib/pam_acct_mgmt.c
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 32
+ *
+ * Perform PAM account validation procedures
+ */
+
+int
+pam_acct_mgmt(pam_handle_t *pamh,
+ int flags)
+{
+
+ return (openpam_dispatch(pamh, PAM_SM_ACCT_MGMT, flags));
+}
diff --git a/contrib/openpam/lib/pam_authenticate.c b/contrib/openpam/lib/pam_authenticate.c
new file mode 100644
index 000000000000..d98d1dfa01fe
--- /dev/null
+++ b/contrib/openpam/lib/pam_authenticate.c
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 34
+ *
+ * Perform authentication within the PAM framework
+ */
+
+int
+pam_authenticate(pam_handle_t *pamh,
+ int flags)
+{
+
+ return (openpam_dispatch(pamh, PAM_SM_AUTHENTICATE, flags));
+}
diff --git a/contrib/openpam/lib/pam_authenticate_secondary.c b/contrib/openpam/lib/pam_authenticate_secondary.c
new file mode 100644
index 000000000000..37a57fe9c0ca
--- /dev/null
+++ b/contrib/openpam/lib/pam_authenticate_secondary.c
@@ -0,0 +1,50 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <security/pam_appl.h>
+
+int
+pam_authenticate_secondary(pam_handle_t *pamh,
+ char *target_username,
+ char *target_module_type,
+ char *target_authn_domain,
+ char *target_supp_data,
+ char *target_module_authtok,
+ int flags)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
diff --git a/contrib/openpam/lib/pam_chauthtok.c b/contrib/openpam/lib/pam_chauthtok.c
new file mode 100644
index 000000000000..c35ed4994c5e
--- /dev/null
+++ b/contrib/openpam/lib/pam_chauthtok.c
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 38
+ *
+ * Perform password related functions within the PAM framework
+ */
+
+int
+pam_chauthtok(pam_handle_t *pamh,
+ int flags)
+{
+
+ return (openpam_dispatch(pamh, PAM_SM_CHAUTHTOK, flags));
+}
diff --git a/contrib/openpam/lib/pam_close_session.c b/contrib/openpam/lib/pam_close_session.c
new file mode 100644
index 000000000000..9b2a1aef3a08
--- /dev/null
+++ b/contrib/openpam/lib/pam_close_session.c
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 40
+ *
+ * Close an existing user session
+ */
+
+int
+pam_close_session(pam_handle_t *pamh,
+ int flags)
+{
+
+ return (openpam_dispatch(pamh, PAM_SM_CLOSE_SESSION, flags));
+}
diff --git a/contrib/openpam/lib/pam_end.c b/contrib/openpam/lib/pam_end.c
new file mode 100644
index 000000000000..0fbfdf872a3f
--- /dev/null
+++ b/contrib/openpam/lib/pam_end.c
@@ -0,0 +1,84 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 42
+ *
+ * Terminate the PAM transaction
+ */
+
+int
+pam_end(pam_handle_t *pamh,
+ int status)
+{
+ pam_data_t *dp;
+ int i;
+
+ if (pamh == NULL)
+ return (PAM_SYSTEM_ERR);
+
+ /* clear module data */
+ while ((dp = pamh->module_data) != NULL) {
+ if (dp->cleanup)
+ (dp->cleanup)(pamh, dp->data, status);
+ pamh->module_data = dp->next;
+ free(dp->name);
+ free(dp);
+ }
+
+ /* clear environment */
+ while (pamh->env_count)
+ free(pamh->env[--pamh->env_count]);
+ free(pamh->env);
+
+ /* clear chains */
+ openpam_clear_chains(pamh);
+
+ /* clear items */
+ for (i = 0; i < PAM_NUM_ITEMS; ++i)
+ pam_set_item(pamh, i, NULL);
+
+ free(pamh);
+
+ return (PAM_SUCCESS);
+}
diff --git a/contrib/openpam/lib/pam_error.c b/contrib/openpam/lib/pam_error.c
new file mode 100644
index 000000000000..aded8f188759
--- /dev/null
+++ b/contrib/openpam/lib/pam_error.c
@@ -0,0 +1,64 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+/*
+ * OpenPAM extension
+ *
+ * Display an error message
+ */
+
+int
+pam_error(pam_handle_t *pamh,
+ const char *fmt,
+ ...)
+{
+ va_list ap;
+ char *rsp;
+ int r;
+
+ va_start(ap, fmt);
+ r = pam_vprompt(pamh, PAM_ERROR_MSG, &rsp, fmt, ap);
+ va_end(ap);
+ free(rsp); /* ignore response */
+ return (r);
+}
diff --git a/contrib/openpam/lib/pam_get_authtok.c b/contrib/openpam/lib/pam_get_authtok.c
new file mode 100644
index 000000000000..741b02d784ba
--- /dev/null
+++ b/contrib/openpam/lib/pam_get_authtok.c
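Review bot: `rsp` in pam_error is declared without an initialiser and then passed to `free()` unconditionally, so if pam_vprompt() returns an error before storing a response pointer (its body is not in this hunk, so this is inferred) the `free(rsp)` operates on an indeterminate pointer. Declaring it as `char *rsp = NULL;` makes the unconditional free safe on every path. Since `fmt` is forwarded as a format string, a short comment above the function telling callers to pass untrusted text as `pam_error(pamh, "%s", msg)` would also be worth adding.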
@@ -0,0 +1,75 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+#include "openpam_impl.h"
+
+/*
+ * OpenPAM extension
+ *
+ * Retrieve authentication token
+ */
+
+int
+pam_get_authtok(pam_handle_t *pamh,
+ const char **authtok,
+ const char *prompt)
+{
+ char *p, *resp;
+ int r;
+
+ if (pamh == NULL || authtok == NULL)
+ return (PAM_SYSTEM_ERR);
+
+ r = pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
+ if (r == PAM_SUCCESS)
+ return (PAM_SUCCESS);
+ if (prompt == NULL) {
+ if (pam_get_item(pamh, PAM_AUTHTOK_PROMPT,
+ (const void **)&p) != PAM_SUCCESS || p == NULL)
+ prompt = "Password:";
+ }
+ r = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &resp,
+ "%s", prompt ? prompt : p);
+ if (r != PAM_SUCCESS)
+ return (r);
+ *authtok = resp;
+ return (pam_set_item(pamh, PAM_AUTHTOK, *authtok));
+}
diff --git a/contrib/openpam/lib/pam_get_data.c b/contrib/openpam/lib/pam_get_data.c
new file mode 100644
index 000000000000..8b2b09058b92
--- /dev/null
+++ b/contrib/openpam/lib/pam_get_data.c
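Review bot: The early return in pam_get_authtok tests only `r == PAM_SUCCESS`, but pam_get_item as added in this same commit returns PAM_SUCCESS for every known item type and simply copies `pamh->item[item_type]`, so when no token is stored the caller gets success with `*authtok == NULL` and the prompt is never reached. The check should be `if (r == PAM_SUCCESS && *authtok != NULL)`; pam_get_user has the same pattern for PAM_USER. Separately, `resp` is handed both to the caller and to pam_set_item() and is never freed or cleared here; if pam_set_item() stores its own copy (not visible in this hunk), a second cleartext copy of the password stays on the heap, so it would be safer to wipe and free `resp` after storing it and return the stored item through pam_get_item().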
@@ -0,0 +1,67 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 43
+ *
+ * Get module information
+ */
+
+int
+pam_get_data(pam_handle_t *pamh,
+ const char *module_data_name,
+ void **data)
+{
+ pam_data_t *dp;
+
+ if (pamh == NULL)
+ return (PAM_SYSTEM_ERR);
+
+ for (dp = pamh->module_data; dp != NULL; dp = dp->next)
+ if (strcmp(dp->name, module_data_name) == 0) {
+ *data = dp->data;
+ return (PAM_SUCCESS);
+ }
+
+ return (PAM_NO_MODULE_DATA);
+}
diff --git a/contrib/openpam/lib/pam_get_item.c b/contrib/openpam/lib/pam_get_item.c
new file mode 100644
index 000000000000..7369c48ef8e4
--- /dev/null
+++ b/contrib/openpam/lib/pam_get_item.c
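Review bot: pam_get_data validates only `pamh`; `module_data_name` goes straight into strcmp() and `data` is written through without a check, so a module that passes NULL for either one crashes the process that is performing authentication. The guard should read `if (pamh == NULL || module_data_name == NULL || data == NULL)` before `return (PAM_SYSTEM_ERR);`. pam_get_item in the next file has the same gap for its `item` output pointer and wants `if (pamh == NULL || item == NULL)`.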
@@ -0,0 +1,74 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 46
+ *
+ * Get PAM information
+ */
+
+int
+pam_get_item(pam_handle_t *pamh,
+ int item_type,
+ const void **item)
+{
+ if (pamh == NULL)
+ return (PAM_SYSTEM_ERR);
+
+ switch (item_type) {
+ case PAM_SERVICE:
+ case PAM_USER:
+ case PAM_AUTHTOK:
+ case PAM_OLDAUTHTOK:
+ case PAM_TTY:
+ case PAM_RHOST:
+ case PAM_RUSER:
+ case PAM_CONV:
+ case PAM_USER_PROMPT:
+ case PAM_AUTHTOK_PROMPT:
+ *item = pamh->item[item_type];
+ return (PAM_SUCCESS);
+ default:
+ return (PAM_SYSTEM_ERR);
+ }
+}
diff --git a/contrib/openpam/lib/pam_get_mapped_authtok.c b/contrib/openpam/lib/pam_get_mapped_authtok.c
new file mode 100644
index 000000000000..0050c0e32acd
--- /dev/null
+++ b/contrib/openpam/lib/pam_get_mapped_authtok.c
@@ -0,0 +1,49 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <security/pam_appl.h>
+
+int
+pam_get_mapped_authtok(pam_handle_t *pamh,
+ const char *target_module_username,
+ const char *target_module_type,
+ const char *target_authn_domain,
+ size_t *target_authtok_len,
+ unsigned char **target_module_authtok)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
diff --git a/contrib/openpam/lib/pam_get_mapped_username.c b/contrib/openpam/lib/pam_get_mapped_username.c
new file mode 100644
index 000000000000..faa78bbeefb1
--- /dev/null
+++ b/contrib/openpam/lib/pam_get_mapped_username.c
@@ -0,0 +1,50 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <security/pam_appl.h>
+
+int
+pam_get_mapped_username(pam_handle_t *pamh,
+ const char *src_username,
+ const char *src_module_type,
+ const char *src_authn_domain,
+ const char *target_module_type,
+ const char *target_authn_domain,
+ char **target_module_username)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
diff --git a/contrib/openpam/lib/pam_get_user.c b/contrib/openpam/lib/pam_get_user.c
new file mode 100644
index 000000000000..17572c46b080
--- /dev/null
+++ b/contrib/openpam/lib/pam_get_user.c
@@ -0,0 +1,76 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 52
+ *
+ * Retrieve user name
+ */
+
+int
+pam_get_user(pam_handle_t *pamh,
+ const char **user,
+ const char *prompt)
+{
+ char *p, *resp;
+ int r;
+
+ if (pamh == NULL || user == NULL)
+ return (PAM_SYSTEM_ERR);
+
+ r = pam_get_item(pamh, PAM_USER, (const void **)user);
+ if (r == PAM_SUCCESS)
+ return (PAM_SUCCESS);
+ if (prompt == NULL) {
+ if (pam_get_item(pamh, PAM_USER_PROMPT,
+ (const void **)&p) != PAM_SUCCESS || p == NULL)
+ prompt = "Login: ";
+ }
+ r = pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &resp,
+ "%s", prompt ? prompt : p);
+ if (r != PAM_SUCCESS)
+ return (r);
+ *user = resp;
+ return (pam_set_item(pamh, PAM_USER, *user));
+}
diff --git a/contrib/openpam/lib/pam_getenv.c b/contrib/openpam/lib/pam_getenv.c
new file mode 100644
index 000000000000..d6bf2194a9e0
--- /dev/null
+++ b/contrib/openpam/lib/pam_getenv.c
@@ -0,0 +1,67 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 44
+ *
+ * Retrieve the value of a PAM environment variable
+ */
+
+char *
+pam_getenv(pam_handle_t *pamh,
+ const char *name)
+{
+ int i;
+
+ if (pamh == NULL)
+ return (NULL);
+
+ /* sanity checks */
+ if (name == NULL || strchr(name, '=') != NULL)
+ return (NULL);
+
+ if ((i = openpam_findenv(pamh, name, strlen(name))) == -1)
+ return (NULL);
+ return (strdup(pamh->env[i]));
+}
diff --git a/contrib/openpam/lib/pam_getenvlist.c b/contrib/openpam/lib/pam_getenvlist.c
new file mode 100644
index 000000000000..4409a891ac82
--- /dev/null
+++ b/contrib/openpam/lib/pam_getenvlist.c
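Review bot: pam_getenv() returns `strdup(pamh->env[i])`, a heap copy of the whole stored entry, while its header comment says it retrieves the value of the variable. If entries are stored as `name=value`, which pam_putenv() in this commit enforces for what it adds, callers get the name prefix as well, and callers that treat the result like getenv(3) will never free it. Return only the value, for example `return (strdup(strchr(pamh->env[i], '=') + 1));`, and state in the comment that the caller must free the result.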
@@ -0,0 +1,70 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 45
+ *
+ * Returns a list of all the PAM environment variables
+ */
+
+char **
+pam_getenvlist(pam_handle_t *pamh)
+{
+ char **envlist;
+ int i;
+
+ if (pamh == NULL)
+ return (NULL);
+
+ if ((envlist = malloc(sizeof(char *) * (pamh->env_count + 1))) == NULL)
+ return (NULL);
+ for (i = 0; i < pamh->env_count; ++i) {
+ if ((envlist[i] = strdup(pamh->env[i])) == NULL) {
+ while (i)
+ free(envlist[--i]);
+ free(envlist);
+ return (NULL);
+ }
+ }
+ return (envlist);
+}
diff --git a/contrib/openpam/lib/pam_info.c b/contrib/openpam/lib/pam_info.c
new file mode 100644
index 000000000000..ce1d2b8fb55d
--- /dev/null
+++ b/contrib/openpam/lib/pam_info.c
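Review bot: pam_getenvlist() allocates `env_count + 1` slots but never writes the terminator, so `envlist[pamh->env_count]` is uninitialized heap memory and a caller that walks the list until NULL reads past the valid entries. Add `envlist[i] = NULL;` after the loop, before `return (envlist);`. The header comment should also say that the caller owns the array and every string in it.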
@@ -0,0 +1,64 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+/*
+ * OpenPAM extension
+ *
+ * Display an information message
+ */
+
+int
+pam_info(pam_handle_t *pamh,
+ const char *fmt,
+ ...)
+{
+ va_list ap;
+ char *rsp;
+ int r;
+
+ va_start(ap, fmt);
+ r = pam_vprompt(pamh, PAM_TEXT_INFO, &rsp, fmt, ap);
+ va_end(ap);
+ free(rsp); /* ignore response */
+ return (r);
+}
diff --git a/contrib/openpam/lib/pam_open_session.c b/contrib/openpam/lib/pam_open_session.c
new file mode 100644
index 000000000000..dcbf2b8fa580
--- /dev/null
+++ b/contrib/openpam/lib/pam_open_session.c
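Review bot: In pam_info(), `rsp` is declared without an initializer and is passed to free() whatever `r` is; if pam_vprompt() can fail before storing through its response pointer (its body is not in this hunk), that frees an indeterminate pointer. Declare it as `char *rsp = NULL;` so the free() is safe on every path.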
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 54
+ *
+ * Open a user session
+ */
+
+int
+pam_open_session(pam_handle_t *pamh,
+ int flags)
+{
+
+ return (openpam_dispatch(pamh, PAM_SM_OPEN_SESSION, flags));
+}
diff --git a/contrib/openpam/lib/pam_prompt.c b/contrib/openpam/lib/pam_prompt.c
new file mode 100644
index 000000000000..afc416961096
--- /dev/null
+++ b/contrib/openpam/lib/pam_prompt.c
@@ -0,0 +1,62 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdarg.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+/*
+ * OpenPAM extension
+ *
+ * Call the conversation function
+ */
+
+int
+pam_prompt(pam_handle_t *pamh,
+ int style,
+ char **resp,
+ const char *fmt,
+ ...)
+{
+ va_list ap;
+ int r;
+
+ va_start(ap, fmt);
+ r = pam_vprompt(pamh, style, resp, fmt, ap);
+ va_end(ap);
+ return (r);
+}
diff --git a/contrib/openpam/lib/pam_putenv.c b/contrib/openpam/lib/pam_putenv.c
new file mode 100644
index 000000000000..c8701f3e8ef9
--- /dev/null
+++ b/contrib/openpam/lib/pam_putenv.c
@@ -0,0 +1,88 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 56
+ *
+ * Set the value of an environment variable
+ */
+
+int
+pam_putenv(pam_handle_t *pamh,
+ const char *namevalue)
+{
+ char **env, *p;
+ int i;
+
+ if (pamh == NULL)
+ return (PAM_SYSTEM_ERR);
+
+ /* sanity checks */
+ if (namevalue == NULL || (p = strchr(namevalue, '=')) == NULL)
+ return (PAM_SYSTEM_ERR);
+
+ /* see if the variable is already in the environment */
+ if ((i = openpam_findenv(pamh, namevalue, p - namevalue)) != -1) {
+ if ((p = strdup(namevalue)) == NULL)
+ return (PAM_BUF_ERR);
+ free(pamh->env[i]);
+ pamh->env[i] = p;
+ return (PAM_SUCCESS);
+ }
+
+ /* grow the environment list if necessary */
+ if (pamh->env_count == pamh->env_size) {
+ env = realloc(pamh->env, pamh->env_size * 2 + 1);
+ if (env == NULL)
+ return (PAM_BUF_ERR);
+ pamh->env = env;
+ pamh->env_size = pamh->env_size * 2 + 1;
+ }
+
+ /* add the variable at the end */
+ if ((pamh->env[pamh->env_count] = strdup(namevalue)) == NULL)
+ return (PAM_BUF_ERR);
+ ++pamh->env_count;
+ return (PAM_SUCCESS);
+}
diff --git a/contrib/openpam/lib/pam_set_data.c b/contrib/openpam/lib/pam_set_data.c
new file mode 100644
index 000000000000..59d57510be70
--- /dev/null
+++ b/contrib/openpam/lib/pam_set_data.c
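Review bot: The realloc() in pam_putenv() passes an element count as the byte size: `realloc(pamh->env, pamh->env_size * 2 + 1)` reserves `env_size * 2 + 1` bytes, but the array holds `char *` entries, so the store to `pamh->env[pamh->env_count]` a few lines below writes past the end of the allocation as soon as the list has to grow. Scale the request by the element size: `env = realloc(pamh->env, sizeof(*env) * (pamh->env_size * 2 + 1));`. A comment on the growth step stating that `env_size` counts slots, not bytes, would keep the two from being confused again.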
@@ -0,0 +1,83 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 59
+ *
+ * Set module information
+ */
+
+int
+pam_set_data(pam_handle_t *pamh,
+ const char *module_data_name,
+ void *data,
+ void (*cleanup)(pam_handle_t *pamh,
+ void *data,
+ int pam_end_status))
+{
+ pam_data_t *dp;
+
+ if (pamh == NULL)
+ return (PAM_SYSTEM_ERR);
+
+ for (dp = pamh->module_data; dp != NULL; dp = dp->next) {
+ if (strcmp(dp->name, module_data_name) == 0) {
+ if (dp->cleanup)
+ (dp->cleanup)(pamh, dp->data, PAM_SUCCESS);
+ dp->data = data;
+ dp->cleanup = cleanup;
+ return (PAM_SUCCESS);
+ }
+ }
+
+ if ((dp = malloc(sizeof *dp)) == NULL)
+ return (PAM_BUF_ERR);
+ if ((dp->name = strdup(module_data_name)) == NULL) {
+ free(data);
+ return (PAM_BUF_ERR);
+ }
+ dp->next = pamh->module_data;
+ pamh->module_data = data;
+ return (PAM_SUCCESS);
+}
diff --git a/contrib/openpam/lib/pam_set_item.c b/contrib/openpam/lib/pam_set_item.c
new file mode 100644
index 000000000000..1cebfd55aadd
--- /dev/null
+++ b/contrib/openpam/lib/pam_set_item.c
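Review bot: The new-entry path at the end of pam_set_data() links the wrong pointers: it assigns `pamh->module_data = data` instead of `dp`, never stores `data` or `cleanup` in the new node, and on strdup() failure calls `free(data)` on the caller's pointer while leaking `dp`. After the first successful call the list head is the caller's opaque data, which the lookup loop at the top then dereferences as a `pam_data_t`. The tail should populate and link `dp` and free only `dp` on failure, as below. `module_data_name` also reaches strcmp() and strdup() without a NULL check.

```c
	/* … unchanged: pamh check, replace-existing loop, malloc of dp … */
	if ((dp->name = strdup(module_data_name)) == NULL) {
		free(dp);
		return (PAM_BUF_ERR);
	}
	dp->data = data;
	dp->cleanup = cleanup;
	dp->next = pamh->module_data;
	pamh->module_data = dp;
	/* … unchanged: return (PAM_SUCCESS) … */
```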
@@ -0,0 +1,95 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 60
+ *
+ * Set authentication information
+ */
+
+int
+pam_set_item(pam_handle_t *pamh,
+ int item_type,
+ const void *item)
+{
+ void **slot, *tmp;
+ size_t size;
+
+ if (pamh == NULL)
+ return (PAM_SYSTEM_ERR);
+
+ slot = &pamh->item[item_type];
+ switch (item_type) {
+ case PAM_SERVICE:
+ case PAM_USER:
+ case PAM_AUTHTOK:
+ case PAM_OLDAUTHTOK:
+ case PAM_TTY:
+ case PAM_RHOST:
+ case PAM_RUSER:
+ case PAM_USER_PROMPT:
+ case PAM_AUTHTOK_PROMPT:
+ size = strlen(*slot) + 1;
+ if (item != NULL)
+ tmp = strdup(item);
+ break;
+ case PAM_CONV:
+ size = sizeof(struct pam_conv);
+ if (item != NULL)
+ tmp = malloc(size);
+ break;
+ default:
+ return (PAM_SYSTEM_ERR);
+ }
+ if (item != NULL && tmp == NULL)
+ return (PAM_BUF_ERR);
+ if (*slot != NULL) {
+ memset(*slot, 0xd0, size);
+ free(*slot);
+ }
+ *slot = tmp;
+ return (PAM_SUCCESS);
+}
diff --git a/contrib/openpam/lib/pam_set_mapped_authtok.c b/contrib/openpam/lib/pam_set_mapped_authtok.c
new file mode 100644
index 000000000000..ad066df65a11
--- /dev/null
+++ b/contrib/openpam/lib/pam_set_mapped_authtok.c
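Review bot: pam_set_item() reads and stores indeterminate values on several paths: the string cases call `strlen(*slot)` before checking that anything is stored, which is a NULL dereference on the zeroed handle that pam_start() passes in; `tmp` is left uninitialized when `item == NULL` and is then written to `*slot`; and the PAM_CONV case allocates `tmp` but never copies `*item` into it. `slot` is also computed from `item_type` before the switch has validated it, so it should be taken only after the `default:` rejection. A rewrite of the declarations and the two case bodies is below. Separately, the `memset(*slot, 0xd0, size)` scrub immediately before free() is a dead store the compiler may remove, which matters for PAM_AUTHTOK and PAM_OLDAUTHTOK.

```c
	void **slot, *tmp = NULL;
	size_t size = 0;
	/* … unchanged: pamh check, slot lookup, string case labels … */
	case PAM_AUTHTOK_PROMPT:
		if (*slot != NULL)
			size = strlen(*slot) + 1;
		if (item != NULL)
			tmp = strdup(item);
		break;
	case PAM_CONV:
		size = sizeof(struct pam_conv);
		if (item != NULL && (tmp = malloc(size)) != NULL)
			memcpy(tmp, item, size);
		break;
	/* … unchanged: default case, allocation check, scrub and free, store … */
```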
@@ -0,0 +1,49 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <security/pam_appl.h>
+
+int
+pam_set_mapped_authtok(pam_handle_t *pamh,
+ const char *target_module_username,
+ size_t target_authtok_len,
+ unsigned char *target_module_authtok,
+ const char *target_module_type,
+ const char *target_authn_domain)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
diff --git a/contrib/openpam/lib/pam_set_mapped_username.c b/contrib/openpam/lib/pam_set_mapped_username.c
new file mode 100644
index 000000000000..fc1298948e3e
--- /dev/null
+++ b/contrib/openpam/lib/pam_set_mapped_username.c
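Review bot: pam_set_mapped_authtok() has no header comment, unlike the other functions in this import, and nothing says that it is an unimplemented stub that ignores every argument and always fails. Add a comment above the function such as `/* Not implemented: always returns PAM_SYSTEM_ERR */` so callers do not mistake the result for a runtime failure. The same applies to pam_set_mapped_username() in the next hunk.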
@@ -0,0 +1,50 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <security/pam_appl.h>
+
+int
+pam_set_mapped_username(pam_handle_t *pamh,
+ char *src_username,
+ char *src_module_type,
+ char *src_authn_domain,
+ char *target_module_username,
+ char *target_module_type,
+ char *target_authn_domain)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
diff --git a/contrib/openpam/lib/pam_setcred.c b/contrib/openpam/lib/pam_setcred.c
new file mode 100644
index 000000000000..0ea10ff799d4
--- /dev/null
+++ b/contrib/openpam/lib/pam_setcred.c
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 57
+ *
+ * Modify / delete user credentials for an authentication service
+ */
+
+int
+pam_setcred(pam_handle_t *pamh,
+ int flags)
+{
+
+ return (openpam_dispatch(pamh, PAM_SM_SETCRED, flags));
+}
diff --git a/contrib/openpam/lib/pam_setenv.c b/contrib/openpam/lib/pam_setenv.c
new file mode 100644
index 000000000000..6165b7cb00df
--- /dev/null
+++ b/contrib/openpam/lib/pam_setenv.c
@@ -0,0 +1,79 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * OpenPAM extension
+ *
+ * Set the value of an environment variable
+ * Mirrors setenv(3)
+ */
+
+int
+pam_setenv(pam_handle_t *pamh,
+ const char *name,
+ const char *value,
+ int overwrite)
+{
+ char *env;
+ int r;
+
+ if (pamh == NULL)
+ return (PAM_SYSTEM_ERR);
+
+ /* sanity checks */
+ if (name == NULL || value == NULL || strchr(name, '=') != NULL)
+ return (PAM_SYSTEM_ERR);
+
+ /* is it already there? */
+ if (!overwrite && openpam_findenv(pamh, name, strlen(name)) != -1)
+ return (PAM_SUCCESS);
+
+ /* set it... */
+ if ((env = malloc(strlen(name) + strlen(value) + 2)) == NULL)
+ return (PAM_BUF_ERR);
+ sprintf(env, "%s=%s", name, value);
+ r = pam_putenv(pamh, env);
+ free(env);
+ return (r);
+}
diff --git a/contrib/openpam/lib/pam_start.c b/contrib/openpam/lib/pam_start.c
new file mode 100644
index 000000000000..ff9cc32ec5a5
--- /dev/null
+++ b/contrib/openpam/lib/pam_start.c
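Review bot: pam_setenv() is documented as mirroring setenv(3) but accepts an empty `name`, which produces an entry of the form `=value`; POSIX setenv() fails with EINVAL in that case. Extend the sanity check to `if (name == NULL || *name == '\0' || value == NULL || strchr(name, '=') != NULL)`. The sprintf() into `env` is sized exactly by the malloc() on the line above, so it is correct as written, but keeping the length in a local and using `snprintf(env, len, "%s=%s", name, value)` would stop the two expressions from drifting apart.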
@@ -0,0 +1,292 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+static int _pam_configure_service(pam_handle_t *pamh, const char *service);
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 89
+ *
+ * Initiate a PAM transaction
+ */
+
+int
+pam_start(const char *service,
+ const char *user,
+ const struct pam_conv *pam_conv,
+ pam_handle_t **pamh)
+{
+ struct pam_handle *ph;
+ int r;
+
+ if ((ph = calloc(1, sizeof *ph)) == NULL)
+ return (PAM_BUF_ERR);
+ if ((r = pam_set_item(ph, PAM_SERVICE, service)) != PAM_SUCCESS)
+ goto fail;
+ if ((r = pam_set_item(ph, PAM_USER, user)) != PAM_SUCCESS)
+ goto fail;
+ if ((r = pam_set_item(ph, PAM_CONV, pam_conv)) != PAM_SUCCESS)
+ goto fail;
+
+ if ((r = _pam_configure_service(ph, service)) != PAM_SUCCESS &&
+ r != PAM_BUF_ERR)
+ r = _pam_configure_service(ph, PAM_OTHER);
+ if (r != PAM_SUCCESS)
+ goto fail;
+
+ *pamh = ph;
+ openpam_log(PAM_LOG_DEBUG, "pam_start(\"%s\") succeeded", service);
+ return (PAM_SUCCESS);
+
+ fail:
+ pam_end(ph, r);
+ return (r);
+}
+
+#define PAM_CONF_STYLE 0
+#define PAM_D_STYLE 1
+#define MAX_LINE_LEN 1024
+#define MAX_OPTIONS 256
+
+static int
+_pam_read_policy_file(pam_handle_t *pamh,
+ const char *service,
+ const char *filename,
+ int style)
+{
+ char buf[MAX_LINE_LEN], *p, *q;
+ const char *optv[MAX_OPTIONS + 1];
+ int ch, chain, flag, line, optc, n, r;
+ size_t len;
+ FILE *f;
+
+ n = 0;
+
+ if ((f = fopen(filename, "r")) == NULL) {
+ openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_NOTICE,
+ "%s: %m", filename);
+ return (0);
+ }
+ openpam_log(PAM_LOG_DEBUG, "looking for '%s' in %s",
+ service, filename);
+
+ for (line = 1; fgets(buf, MAX_LINE_LEN, f) != NULL; ++line) {
+ if ((len = strlen(buf)) == 0)
+ continue;
+
+ /* check for overflow */
+ if (buf[--len] != '\n' && !feof(f)) {
+ openpam_log(PAM_LOG_ERROR, "%s: line %d too long",
+ filename, line);
+ openpam_log(PAM_LOG_ERROR, "%s: ignoring line %d",
+ filename, line);
+ while ((ch = fgetc(f)) != EOF)
+ if (ch == '\n')
+ break;
+ continue;
+ }
+
+ /* strip comments and trailing whitespace */
+ if ((p = strchr(buf, '#')) != NULL)
+ len = p - buf ? p - buf - 1 : p - buf;
+ while (len > 0 && isspace(buf[len]))
+ --len;
+ if (len == 0)
+ continue;
+ buf[len] = '\0';
+ p = q = buf;
+
+ /* check service name */
+ if (style == PAM_CONF_STYLE) {
+ for (q = p = buf; *q != '\0' && !isspace(*q); ++q)
+ /* nothing */;
+ if (*q == '\0')
+ goto syntax_error;
+ *q++ = '\0';
+ if (strcmp(p, service) != 0)
+ continue;
+ openpam_log(PAM_LOG_DEBUG, "%s: line %d matches '%s'",
+ filename, line, service);
+ }
+
+
+ /* get module type */
+ for (p = q; isspace(*p); ++p)
+ /* nothing */;
+ for (q = p; *q != '\0' && !isspace(*q); ++q)
+ /* nothing */;
+ if (q == p || *q == '\0')
+ goto syntax_error;
+ *q++ = '\0';
+ if (strcmp(p, "auth") == 0) {
+ chain = PAM_AUTH;
+ } else if (strcmp(p, "account") == 0) {
+ chain = PAM_ACCOUNT;
+ } else if (strcmp(p, "session") == 0) {
+ chain = PAM_SESSION;
+ } else if (strcmp(p, "password") == 0) {
+ chain = PAM_PASSWORD;
+ } else {
+ openpam_log(PAM_LOG_ERROR,
+ "%s: invalid module type on line %d: '%s'",
+ filename, line, p);
+ continue;
+ }
+
+ /* get control flag */
+ for (p = q; isspace(*p); ++p)
+ /* nothing */;
+ for (q = p; *q != '\0' && !isspace(*q); ++q)
+ /* nothing */;
+ if (q == p || *q == '\0')
+ goto syntax_error;
+ *q++ = '\0';
+ if (strcmp(p, "required") == 0) {
+ flag = PAM_REQUIRED;
+ } else if (strcmp(p, "requisite") == 0) {
+ flag = PAM_REQUISITE;
+ } else if (strcmp(p, "sufficient") == 0) {
+ flag = PAM_SUFFICIENT;
+ } else if (strcmp(p, "optional") == 0) {
+ flag = PAM_OPTIONAL;
+ } else {
+ openpam_log(PAM_LOG_ERROR,
+ "%s: invalid control flag on line %d: '%s'",
+ filename, line, p);
+ continue;
+ }
+
+ /* get module name */
+ for (p = q; isspace(*p); ++p)
+ /* nothing */;
+ for (q = p; *q != '\0' && !isspace(*q); ++q)
+ /* nothing */;
+ if (q == p)
+ goto syntax_error;
+
+ /* get options */
+ for (optc = 0; *q != '\0' && optc < MAX_OPTIONS; ++optc) {
+ *q++ = '\0';
+ while (isspace(*q))
+ ++q;
+ optv[optc] = q;
+ while (*q != '\0' && !isspace(*q))
+ ++q;
+ }
+ optv[optc] = NULL;
+ if (*q != '\0') {
+ *q = '\0';
+ openpam_log(PAM_LOG_ERROR,
+ "%s: too many options on line %d",
+ filename, line);
+ }
+
+ /*
+ * Finally, add the module at the end of the
+ * appropriate chain and bump the counter.
+ */
+ r = openpam_add_module(pamh, chain, flag, p, optc, optv);
+ if (r != PAM_SUCCESS)
+ return (-r);
+ ++n;
+ continue;
+ syntax_error:
+ openpam_log(PAM_LOG_ERROR, "%s: syntax error on line %d",
+ filename, line);
+ openpam_log(PAM_LOG_DEBUG, "%s: line %d: [%s]",
+ filename, line, q);
+ openpam_log(PAM_LOG_ERROR, "%s: ignoring line %d",
+ filename, line);
+ }
+
+ if (ferror(f))
+ openpam_log(PAM_LOG_ERROR, "%s: %m", filename);
+
+ fclose(f);
+ return (n);
+}
+
+static const char *_pam_policy_path[] = {
+ "/etc/pam.d/",
+ "/etc/pam.conf",
+ "/usr/local/etc/pam.d/",
+ NULL
+};
+
+static int
+_pam_configure_service(pam_handle_t *pamh,
+ const char *service)
+{
+ const char **path;
+ char *filename;
+ size_t len;
+ int r;
+
+ for (path = _pam_policy_path; *path != NULL; ++path) {
+ len = strlen(*path);
+ if ((*path)[len - 1] == '/') {
+ filename = malloc(len + strlen(service) + 1);
+ if (filename == NULL) {
+ openpam_log(PAM_LOG_ERROR, "malloc(): %m");
+ return (PAM_BUF_ERR);
+ }
+ strcpy(filename, *path);
+ strcat(filename, service);
+ r = _pam_read_policy_file(pamh,
+ service, filename, PAM_D_STYLE);
+ free(filename);
+ } else {
+ r = _pam_read_policy_file(pamh,
+ service, *path, PAM_CONF_STYLE);
+ }
+ if (r < 0)
+ return (-r);
+ if (r > 0)
+ return (PAM_SUCCESS);
+ }
+
+ return (PAM_SYSTEM_ERR);
+}
diff --git a/contrib/openpam/lib/pam_strerror.c b/contrib/openpam/lib/pam_strerror.c
new file mode 100644
index 000000000000..516374c7346b
--- /dev/null
+++ b/contrib/openpam/lib/pam_strerror.c
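Review bot: `_pam_configure_service` appends `service` to the `/etc/pam.d/` prefixes with `strcpy`/`strcat` without inspecting it, so a name containing `/` makes `_pam_read_policy_file` open a file outside the policy directories, and a NULL name reaches `strlen`; the name comes from whichever application calls `pam_start`, so it should be rejected before any path is built. In `_pam_read_policy_file` the whitespace-stripping loop leaves `len` at the index of the last non-blank character and `buf[len] = '\0'` then overwrites that character, so as written the last token of each policy line loses its final byte; the fence keeps `len` as a length instead. The `return (-r)` after a failed `openpam_add_module` skips `fclose(f)`, leaking the stream in a long-lived process. The `isspace()` calls throughout the parser take a plain `char`, which is undefined for negative values, so each argument should be cast to `unsigned char`.

```c
		/* _pam_read_policy_file(): treat len as a length, not an index */
		if (buf[len - 1] != '\n' && !feof(f)) {
			/* … unchanged: log the overlong line, skip to its end, continue … */
		}

		/* strip comments and trailing whitespace */
		if ((p = strchr(buf, '#')) != NULL)
			len = p - buf;
		while (len > 0 && isspace((unsigned char)buf[len - 1]))
			--len;
		if (len == 0)
			continue;
		buf[len] = '\0';
		/* … unchanged: service, type, flag, module name and option parsing … */

		r = openpam_add_module(pamh, chain, flag, p, optc, optv);
		if (r != PAM_SUCCESS) {
			fclose(f);
			return (-r);
		}
		/* … unchanged: counter bump and syntax_error handling … */

	/* _pam_configure_service(): accept only a single path component */
	if (service == NULL || *service == '\0' || strchr(service, '/') != NULL)
		return (PAM_SYSTEM_ERR);
	for (path = _pam_policy_path; *path != NULL; ++path) {
		/* … unchanged: build the file name and read the policy … */
```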
@@ -0,0 +1,123 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 92
+ *
+ * Get PAM standard error message string
+ */
+
+const char *
+pam_strerror(pam_handle_t *pamh,
+ int error_number)
+{
+ static char unknown[16];
+
+ pamh = pamh;
+
+ switch (error_number) {
+ case PAM_SUCCESS:
+ return ("success");
+ case PAM_OPEN_ERR:
+ return ("failed to load module");
+ case PAM_SYMBOL_ERR:
+ return ("symbol not found in module");
+ case PAM_SERVICE_ERR:
+ return ("error in service module");
+ case PAM_SYSTEM_ERR:
+ return ("system error");
+ case PAM_BUF_ERR:
+ return ("memory buffer error");
+ case PAM_CONV_ERR:
+ return ("conversation failure");
+ case PAM_PERM_DENIED:
+ return ("permission denied");
+ case PAM_MAXTRIES:
+ return ("maximum number of tries exceeded");
+ case PAM_AUTH_ERR:
+ return ("authentication error");
+ case PAM_NEW_AUTHTOK_REQD:
+ return ("new authentication token required");
+ case PAM_CRED_INSUFFICIENT:
+ return ("insufficient credentials");
+ case PAM_AUTHINFO_UNAVAIL:
+ return ("authentication information is unavailable");
+ case PAM_USER_UNKNOWN:
+ return ("unknown user");
+ case PAM_CRED_UNAVAIL:
+ return ("failed to retrieve user credentials");
+ case PAM_CRED_EXPIRED:
+ return ("user credentials have expired");
+ case PAM_CRED_ERR:
+ return ("failed to set user credentials");
+ case PAM_ACCT_EXPIRED:
+ return ("user accound has expired");
+ case PAM_AUTHTOK_EXPIRED:
+ return ("password has expired");
+ case PAM_SESSION_ERR:
+ return ("session failure");
+ case PAM_AUTHTOK_ERR:
+ return ("authentication token failure");
+ case PAM_AUTHTOK_RECOVERY_ERR:
+ return ("failed to recover old authentication token");
+ case PAM_AUTHTOK_LOCK_BUSY:
+ return ("authentication token lock busy");
+ case PAM_AUTHTOK_DISABLE_AGING:
+ return ("authentication token ageing disabled");
+ case PAM_NO_MODULE_DATA:
+ return ("module data not found");
+ case PAM_IGNORE:
+ return ("ignore this module");
+ case PAM_ABORT:
+ return ("general failure");
+ case PAM_TRY_AGAIN:
+ return ("try again");
+ case PAM_MODULE_UNKNOWN:
+ return ("unknown module type");
+ case PAM_DOMAIN_UNKNOWN:
+ return ("unknown authentication domain");
+ default:
+ snprintf(unknown, sizeof unknown, "#%d", error_number);
+ return (unknown);
+ }
+}
diff --git a/contrib/openpam/lib/pam_verror.c b/contrib/openpam/lib/pam_verror.c
new file mode 100644
index 000000000000..feeaa6ebfcf3
--- /dev/null
+++ b/contrib/openpam/lib/pam_verror.c
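Review bot: The message returned for `PAM_ACCT_EXPIRED` is misspelled and should read `return ("user account has expired");`, since this text ends up in front of users and in logs that operators search. The `default` branch formats into the function-static `unknown[16]`, so the pointer it returns is overwritten by the next unrecognised code and is shared by every thread; the function comment should state that the result for unknown codes is valid only until the next call. `pamh = pamh;` exists only to silence an unused-parameter warning, and `(void)pamh;` says the same thing without a self-assignment.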
@@ -0,0 +1,60 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdarg.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+/*
+ * OpenPAM extension
+ *
+ * Display an error message
+ */
+
+int
+pam_verror(pam_handle_t *pamh,
+ const char *fmt,
+ va_list ap)
+{
+ char *rsp;
+ int r;
+
+ r = pam_vprompt(pamh, PAM_ERROR_MSG, &rsp, fmt, ap);
+ free(rsp); /* ignore response */
+ return (r);
+}
diff --git a/contrib/openpam/lib/pam_vinfo.c b/contrib/openpam/lib/pam_vinfo.c
new file mode 100644
index 000000000000..24849985ff13
--- /dev/null
+++ b/contrib/openpam/lib/pam_vinfo.c
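Review bot: `rsp` in `pam_verror` is handed to `free()` without ever being initialised, and `pam_vprompt` (added later in this commit) returns before writing `*resp` when `pam_get_item` fails, so that path frees an indeterminate pointer. Declaring it as `char *rsp = NULL;` makes `free(rsp)` safe however `pam_vprompt` exits. `pam_vinfo` in the next file has the identical pattern and needs the same one-line change.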
@@ -0,0 +1,60 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdarg.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+/*
+ * OpenPAM extension
+ *
+ * Display an information message
+ */
+
+int
+pam_vinfo(pam_handle_t *pamh,
+ const char *fmt,
+ va_list ap)
+{
+ char *rsp;
+ int r;
+
+ r = pam_vprompt(pamh, PAM_TEXT_INFO, &rsp, fmt, ap);
+ free(rsp); /* ignore response */
+ return (r);
+}
diff --git a/contrib/openpam/lib/pam_vprompt.c b/contrib/openpam/lib/pam_vprompt.c
new file mode 100644
index 000000000000..f090b23653fa
--- /dev/null
+++ b/contrib/openpam/lib/pam_vprompt.c
@@ -0,0 +1,74 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+/*
+ * OpenPAM extension
+ *
+ * Call the conversation function
+ */
+
+int
+pam_vprompt(pam_handle_t *pamh,
+ int style,
+ char **resp,
+ const char *fmt,
+ va_list ap)
+{
+ char msgbuf[PAM_MAX_MSG_SIZE];
+ struct pam_message msg;
+ const struct pam_message *msgp;
+ struct pam_response *rsp;
+ struct pam_conv conv;
+ int r;
+
+ if ((r = pam_get_item(pamh, PAM_CONV, (void *)&conv)) != PAM_SUCCESS)
+ return (r);
+ vsnprintf(msgbuf, PAM_MAX_MSG_SIZE, fmt, ap);
+ msg.msg_style = style;
+ msg.msg = msgbuf;
+ msgp = &msg;
+ r = (conv.conv)(1, &msgp, &rsp, conv.appdata_ptr);
+ *resp = rsp == NULL ? NULL : rsp->resp;
+ free(rsp);
+ return (r);
+}
 |
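Review bot: `rsp` is uninitialised when the conversation callback is invoked, yet `*resp = rsp == NULL ? NULL : rsp->resp;` and `free(rsp)` run even if the callback fails without storing a response, and the early `return (r)` after `pam_get_item` leaves `*resp` unset for callers that go on to free it. Declaring `struct pam_response *rsp = NULL;` and assigning `*resp = NULL;` before the `pam_get_item` call closes both paths. The result of `vsnprintf` is discarded, so a message longer than `PAM_MAX_MSG_SIZE` is truncated without any log entry. The `(void *)&conv` cast also hides the type contract: if `pam_get_item` stores a pointer to the item, as the XSSO prototype suggests, `conv` should be a `const struct pam_conv *` rather than a struct; that needs confirming against `pam_get_item`, which is outside this hunk.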