Update OpenPAM to openpam-20130907 (Nummularia), including a fix for

CVE-2014-3879: - Better dynamic loader, supports specifying modules without ".so" prefix. - Improve documentation. - openpam_subst, openpam_readword and openpam_readlinev helpers - PAM_HOST item for better password prompts - user_prompt, authtok_prompt and oldauthtok_prompt module options - pamtest(1) program for testing policies and modules
2014-06-10 13:17:42 +00:00 · 2014-06-10 13:17:42 +00:00 · b6c7847ef0
commit b6c7847ef0
parent 18fbce822f
16 changed files with 192 additions and 226 deletions
--- a/security/openpam/Makefile
+++ b/security/openpam/Makefile
@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.20 2014/05/29 23:37:20 wiz Exp $
+# $NetBSD: Makefile,v 1.21 2014/06/10 13:17:42 joerg Exp $

-DISTNAME=	openpam-20071221
-PKGREVISION=	4
+DISTNAME=	openpam-20130907
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=openpam/}

@ -19,6 +18,8 @@ CONFIGURE_ARGS+=	--without-pam-su
 CONFIGURE_ARGS+=	--with-pam-unix
 CONFIGURE_ARGS+=	--with-modules-dir=${PREFIX}/lib/security

+CPPFLAGS+=		-DSYSCONFDIR=\"$(PKG_SYSCONFDIR)\"
+
 OWN_DIRS=		${PKG_SYSCONFDIR}/pam.d

 .include "../../mk/dlopen.buildlink3.mk"
--- a/security/openpam/PLIST
+++ b/security/openpam/PLIST
@ -1,6 +1,6 @@
-@comment $NetBSD: PLIST,v 1.6 2009/06/14 18:13:34 joerg Exp $
-include/security/openpam.h
+@comment $NetBSD: PLIST,v 1.7 2014/06/10 13:17:42 joerg Exp $
 include/security/openpam_attr.h
+include/security/openpam.h
 include/security/openpam_version.h
 include/security/pam_appl.h
 include/security/pam_constants.h
@ -14,12 +14,18 @@ man/man3/openpam.3
 man/man3/openpam_borrow_cred.3
 man/man3/openpam_free_data.3
 man/man3/openpam_free_envlist.3
+man/man3/openpam_get_feature.3
 man/man3/openpam_get_option.3
 man/man3/openpam_log.3
 man/man3/openpam_nullconv.3
 man/man3/openpam_readline.3
+man/man3/openpam_readlinev.3
+man/man3/openpam_readword.3
 man/man3/openpam_restore_cred.3
+man/man3/openpam_set_feature.3
 man/man3/openpam_set_option.3
+man/man3/openpam_straddch.3
+man/man3/openpam_subst.3
 man/man3/openpam_ttyconv.3
 man/man3/pam.3
 man/man3/pam_acct_mgmt.3
@ -31,18 +37,18 @@ man/man3/pam_end.3
 man/man3/pam_error.3
 man/man3/pam_get_authtok.3
 man/man3/pam_get_data.3
-man/man3/pam_get_item.3
-man/man3/pam_get_user.3
 man/man3/pam_getenv.3
 man/man3/pam_getenvlist.3
+man/man3/pam_get_item.3
+man/man3/pam_get_user.3
 man/man3/pam_info.3
 man/man3/pam_open_session.3
 man/man3/pam_prompt.3
 man/man3/pam_putenv.3
-man/man3/pam_set_data.3
-man/man3/pam_set_item.3
 man/man3/pam_setcred.3
+man/man3/pam_set_data.3
 man/man3/pam_setenv.3
+man/man3/pam_set_item.3
 man/man3/pam_sm_acct_mgmt.3
 man/man3/pam_sm_authenticate.3
 man/man3/pam_sm_chauthtok.3
--- a/security/openpam/distinfo
+++ b/security/openpam/distinfo
@ -1,14 +1,9 @@
-$NetBSD: distinfo,v 1.8 2011/12/13 15:57:08 spz Exp $
+$NetBSD: distinfo,v 1.9 2014/06/10 13:17:42 joerg Exp $

-SHA1 (openpam-20071221.tar.gz) = 43d41fa4a86199077c4fe193c52c59365f4c317e
-RMD160 (openpam-20071221.tar.gz) = cd8f7e94984693b0f892f226bfed6a3f9b24ec72
-Size (openpam-20071221.tar.gz) = 396932 bytes
-SHA1 (patch-ab) = 2405cccb175e58914e36a26ac8aa896a1334b145
-SHA1 (patch-ac) = 72fb5ffb67edf9892e6c2db5485fdf51ea4b50ce
-SHA1 (patch-ad) = 08b0dbd2d84c4239ea898f137d2f0ed7f7476d74
-SHA1 (patch-ae) = 4f31bdde2cca94377c4e3ac8e4d42512764b3fac
-SHA1 (patch-af) = 1879c2450cd72152573248b60bdad056ad13a5e2
-SHA1 (patch-ag) = c46e5e2ce53765c5f593735bb0daf9cdf03eab13
-SHA1 (patch-ah) = 5cef165a6986e0146f75cc4aa4fe5c0adc2d5042
-SHA1 (patch-ai) = ebd22192a6b34161feac281ade41340493142e2b
-SHA1 (patch-aj) = f106a68e24fabae7353ea4480c75ba84097ec606
+SHA1 (openpam-20130907.tar.gz) = c6d33913c2e90b463ef8ecc04358a14e6467c11f
+RMD160 (openpam-20130907.tar.gz) = 501c36f07b78bece4a96b21acadef659a68634f1
+Size (openpam-20130907.tar.gz) = 459949 bytes
+SHA1 (patch-bin_openpam__dump__policy_openpam__dump__policy.c) = 8485ecba73ec4f1fe3c5133d9f00cc74788534af
+SHA1 (patch-lib_libpam_openpam__configure.c) = 0d2d6b3bcb4ab86b253fbe13c751e8c5c8607ee0
+SHA1 (patch-lib_libpam_openpam__constants.c) = 7dd63e288408939a73057b3e4d90382983c1d559
+SHA1 (patch-lib_libpam_openpam__ctype.h) = 14866f4cfbdd5c6f67f97d4f3755a4e80782cce0
--- a/security/openpam/patches/patch-ab
+++ b/security/openpam/patches/patch-ab
@ -1,65 +0,0 @@
-$NetBSD: patch-ab,v 1.4 2011/12/13 15:57:08 spz Exp $
-
- pkgsrcification
- prevention of CVE-2011-4122 taken from NetBSD src
-
--- lib/openpam_configure.c.orig	2007-12-21 11:36:24.000000000 +0000
-+++ lib/openpam_configure.c
-@@ -70,7 +70,7 @@ static int
- match_word(const char *str, const char *word)
- {
- 
-	while (*str && tolower(*str) == tolower(*word))
-+	while (*str && tolower((unsigned char)*str) == tolower((unsigned char)*word))
- 		++str, ++word;
- 	return (*str == ' ' && *word == '\0');
- }
-@@ -194,7 +194,7 @@ openpam_read_chain(pam_handle_t *pamh,
- 		}
- 
- 		/* allocate new entry */
-		if ((this = calloc(1, sizeof *this)) == NULL)
-+		if ((this = calloc((size_t)1, sizeof *this)) == NULL)
- 			goto syserr;
- 
- 		/* control flag */
-@@ -230,7 +230,7 @@ openpam_read_chain(pam_handle_t *pamh,
- 			++this->optc;
- 			q = next_word(q);
- 		}
-		this->optv = calloc(this->optc + 1, sizeof(char *));
-+		this->optv = calloc((size_t)(this->optc + 1), sizeof(char *));
- 		if (this->optv == NULL)
- 			goto syserr;
- 		for (i = 0; i < this->optc; ++i) {
-@@ -263,11 +263,13 @@ openpam_read_chain(pam_handle_t *pamh,
- 	return (-1);
- }
- 
-+#ifndef SYSCONFDIR
-+#define SYSCONFDIR	"/usr/local/etc"
-+#endif
-+
- static const char *openpam_policy_path[] = {
-	"/etc/pam.d/",
-	"/etc/pam.conf",
-	"/usr/local/etc/pam.d/",
-	"/usr/local/etc/pam.conf",
-+	SYSCONFDIR "/pam.d/",
-+	SYSCONFDIR "/pam.conf",
- 	NULL
- };
- 
-@@ -285,6 +287,12 @@ openpam_load_chain(pam_handle_t *pamh,
- 	size_t len;
- 	int r;
- 
-+	/* Don't allow an escape from policy_path. */
-+	if (strchr(service, '/') != NULL) {
-+		openpam_log(PAM_LOG_ERROR, "illegal service \"%s\"", service);
-+		return (-PAM_SYSTEM_ERR);
-+	}
-+
- 	for (path = openpam_policy_path; *path != NULL; ++path) {
- 		len = strlen(*path);
- 		if ((*path)[len - 1] == '/') {
--- a/security/openpam/patches/patch-ac
+++ b/security/openpam/patches/patch-ac
@ -1,21 +0,0 @@
-$NetBSD: patch-ac,v 1.3 2008/02/18 16:48:12 jlam Exp $
-
--- lib/Makefile.in.orig	2007-12-21 06:44:28.000000000 -0500
-+++ lib/Makefile.in
-@@ -116,7 +116,7 @@ CC = @CC@
- CCDEPMODE = @CCDEPMODE@
- CFLAGS = @CFLAGS@
- CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-+CPPFLAGS = @CPPFLAGS@ -DSYSCONFDIR=\"$(sysconfdir)\"
- CRYPT_LIBS = @CRYPT_LIBS@
- CXX = @CXX@
- CXXCPP = @CXXCPP@
-@@ -267,7 +267,6 @@ libpam_la_SOURCES = \
- 	pam_vprompt.c \
- 	$(NULL)
- 
-libpam_la_CFLAGS = -DOPENPAM_MODULES_DIR='"@OPENPAM_MODULES_DIR@/"'
- libpam_la_LDFLAGS = -no-undefined -version-info @LIB_MAJ@ @DL_LIBS@
- EXTRA_DIST = \
- 	pam_authenticate_secondary.c \
--- a/security/openpam/patches/patch-ad
+++ b/security/openpam/patches/patch-ad
@ -1,13 +0,0 @@
-$NetBSD: patch-ad,v 1.1 2008/02/18 18:22:18 jlam Exp $
-
--- lib/Makefile.am.orig	2007-06-03 16:26:18.000000000 -0400
-+++ lib/Makefile.am
-@@ -52,8 +52,6 @@ libpam_la_SOURCES = \
- 	pam_vprompt.c \
- 	$(NULL)
- 
-libpam_la_CFLAGS = -DOPENPAM_MODULES_DIR='"@OPENPAM_MODULES_DIR@/"'
-
- libpam_la_LDFLAGS = -no-undefined -version-info @LIB_MAJ@ @DL_LIBS@
- 
- EXTRA_DIST = \
--- a/security/openpam/patches/patch-ae
+++ b/security/openpam/patches/patch-ae
@ -1,13 +0,0 @@
-$NetBSD: patch-ae,v 1.1 2008/02/18 18:22:18 jlam Exp $
-
--- lib/openpam_borrow_cred.c.orig	2007-12-21 06:36:24.000000000 -0500
-+++ lib/openpam_borrow_cred.c
-@@ -73,7 +73,7 @@ openpam_borrow_cred(pam_handle_t *pamh,
- 		    (int)geteuid());
- 		RETURNC(PAM_PERM_DENIED);
- 	}
-	scred = calloc(1, sizeof *scred);
-+	scred = calloc((size_t)1, sizeof *scred);
- 	if (scred == NULL)
- 		RETURNC(PAM_BUF_ERR);
- 	scred->euid = geteuid();
--- a/security/openpam/patches/patch-af
+++ b/security/openpam/patches/patch-af
@ -1,22 +0,0 @@
-$NetBSD: patch-af,v 1.1 2008/02/18 18:22:18 jlam Exp $
-
--- lib/openpam_dynamic.c.orig	2007-12-21 06:36:24.000000000 -0500
-+++ lib/openpam_dynamic.c
-@@ -64,7 +64,7 @@ openpam_dynamic(const char *path)
- 	int i;
- 
- 	dlh = NULL;
-	if ((module = calloc(1, sizeof *module)) == NULL)
-+	if ((module = calloc((size_t)1, sizeof *module)) == NULL)
- 		goto buf_err;
- 
- 	/* Prepend the standard prefix if not an absolute pathname. */
-@@ -74,7 +74,7 @@ openpam_dynamic(const char *path)
- 		prefix = "";
- 
- 	/* try versioned module first, then unversioned module */
-	if (asprintf(&vpath, "%s%s.%d", prefix, path, LIB_MAJ) < 0)
-+	if (asprintf(&vpath, "%s/%s.%d", prefix, path, LIB_MAJ) < 0)
- 		goto buf_err;
- 	if ((dlh = dlopen(vpath, RTLD_NOW)) == NULL) {
- 		openpam_log(PAM_LOG_DEBUG, "%s: %s", vpath, dlerror());
--- a/security/openpam/patches/patch-ag
+++ b/security/openpam/patches/patch-ag
@ -1,31 +0,0 @@
-$NetBSD: patch-ag,v 1.1 2008/02/18 18:22:18 jlam Exp $
-
--- lib/openpam_readline.c.orig	2007-12-21 06:36:24.000000000 -0500
-+++ lib/openpam_readline.c
-@@ -57,7 +57,7 @@ openpam_readline(FILE *f, int *lineno, s
- 	size_t len, size;
- 	int ch;
- 
-	if ((line = malloc(MIN_LINE_LENGTH)) == NULL)
-+	if ((line = malloc((size_t)MIN_LINE_LENGTH)) == NULL)
- 		return (NULL);
- 	size = MIN_LINE_LENGTH;
- 	len = 0;
-@@ -84,7 +84,7 @@ openpam_readline(FILE *f, int *lineno, s
- 		/* eof */
- 		if (ch == EOF) {
- 			/* remove trailing whitespace */
-			while (len > 0 && isspace((int)line[len - 1]))
-+			while (len > 0 && isspace((unsigned char)line[len - 1]))
- 				--len;
- 			line[len] = '\0';
- 			if (len == 0)
-@@ -97,7 +97,7 @@ openpam_readline(FILE *f, int *lineno, s
- 				++*lineno;
- 
- 			/* remove trailing whitespace */
-			while (len > 0 && isspace((int)line[len - 1]))
-+			while (len > 0 && isspace((unsigned char)line[len - 1]))
- 				--len;
- 			line[len] = '\0';
- 			/* skip blank lines */
--- a/security/openpam/patches/patch-ah
+++ b/security/openpam/patches/patch-ah
@ -1,13 +0,0 @@
-$NetBSD: patch-ah,v 1.1 2008/02/18 18:22:18 jlam Exp $
-
--- lib/pam_putenv.c.orig	2007-12-21 06:36:24.000000000 -0500
-+++ lib/pam_putenv.c
-@@ -65,7 +65,7 @@ pam_putenv(pam_handle_t *pamh,
- 		RETURNC(PAM_SYSTEM_ERR);
- 
- 	/* see if the variable is already in the environment */
-	if ((i = openpam_findenv(pamh, namevalue, p - namevalue)) >= 0) {
-+	if ((i = openpam_findenv(pamh, namevalue, (size_t)(p - namevalue))) >= 0) {
- 		if ((p = strdup(namevalue)) == NULL)
- 			RETURNC(PAM_BUF_ERR);
- 		FREE(pamh->env[i]);
--- a/security/openpam/patches/patch-ai
+++ b/security/openpam/patches/patch-ai
@ -1,13 +0,0 @@
-$NetBSD: patch-ai,v 1.1 2008/02/18 18:22:18 jlam Exp $
-
--- lib/pam_start.c.orig	2007-12-21 06:36:24.000000000 -0500
-+++ lib/pam_start.c
-@@ -58,7 +58,7 @@ pam_start(const char *service,
- 	int r;
- 
- 	ENTER();
-	if ((ph = calloc(1, sizeof *ph)) == NULL)
-+	if ((ph = calloc((size_t)1, sizeof *ph)) == NULL)
- 		RETURNC(PAM_BUF_ERR);
- 	if ((r = pam_set_item(ph, PAM_SERVICE, service)) != PAM_SUCCESS)
- 		goto fail;
--- a/security/openpam/patches/patch-aj
+++ b/security/openpam/patches/patch-aj
@ -1,13 +0,0 @@
-$NetBSD: patch-aj,v 1.1 2008/02/18 18:22:18 jlam Exp $
-
--- lib/pam_vprompt.c.orig	2007-12-21 06:36:24.000000000 -0500
-+++ lib/pam_vprompt.c
-@@ -73,7 +73,7 @@ pam_vprompt(const pam_handle_t *pamh,
- 		openpam_log(PAM_LOG_ERROR, "no conversation function");
- 		RETURNC(PAM_SYSTEM_ERR);
- 	}
-	vsnprintf(msgbuf, PAM_MAX_MSG_SIZE, fmt, ap);
-+	vsnprintf(msgbuf, (size_t)PAM_MAX_MSG_SIZE, fmt, ap);
- 	msg.msg_style = style;
- 	msg.msg = msgbuf;
- 	msgp = &msg;
--- a/security/openpam/patches/patch-bin_openpamdumppolicy_openpamdumppolicy.c
+++ b/security/openpam/patches/patch-bin_openpamdumppolicy_openpamdumppolicy.c
@ -0,0 +1,13 @@
+$NetBSD: patch-bin_openpam__dump__policy_openpam__dump__policy.c,v 1.1 2014/06/10 13:17:42 joerg Exp $
+
+--- bin/openpam_dump_policy/openpam_dump_policy.c.orig	2013-09-07 13:28:00.000000000 +0000
+++ bin/openpam_dump_policy/openpam_dump_policy.c
+@@ -64,7 +64,7 @@ openpam_facility_index_name(pam_facility
+ 	if (asprintf(&name, "PAM_%s", facility) == -1)
+ 		return (NULL);
+ 	for (p = name + 4; *p; ++p)
+-		*p = toupper(*p);
+		*p = toupper((unsigned char)*p);
+ 	return (name);
+ }
+ 
--- a/security/openpam/patches/patch-lib_libpam_openpam__configure.c
+++ b/security/openpam/patches/patch-lib_libpam_openpam__configure.c
@ -0,0 +1,125 @@
+$NetBSD: patch-lib_libpam_openpam__configure.c,v 1.1 2014/06/10 13:17:42 joerg Exp $
+
+--- lib/libpam/openpam_configure.c.orig	2013-09-07 13:28:00.000000000 +0000
+++ lib/libpam/openpam_configure.c
+@@ -1,6 +1,6 @@
+ /*-
+  * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
+- * Copyright (c) 2004-2012 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2014 Dag-Erling Smørgrav
+  * All rights reserved.
+  *
+  * This software was developed for the FreeBSD Project by ThinkSec AS and
+@@ -193,6 +193,7 @@ openpam_parse_chain(pam_handle_t *pamh,
+ 			openpam_log(PAM_LOG_ERROR,
+ 			    "%s(%d): missing or invalid facility",
+ 			    filename, lineno);
+			errno = EINVAL;
+ 			goto fail;
+ 		}
+ 		if (facility != fclt && facility != PAM_FACILITY_ANY) {
+@@ -208,18 +209,28 @@ openpam_parse_chain(pam_handle_t *pamh,
+ 				openpam_log(PAM_LOG_ERROR,
+ 				    "%s(%d): missing or invalid service name",
+ 				    filename, lineno);
+				errno = EINVAL;
+ 				goto fail;
+ 			}
+ 			if (wordv[i] != NULL) {
+ 				openpam_log(PAM_LOG_ERROR,
+ 				    "%s(%d): garbage at end of line",
+ 				    filename, lineno);
+				errno = EINVAL;
+ 				goto fail;
+ 			}
+ 			ret = openpam_load_chain(pamh, servicename, fclt);
+ 			FREEV(wordc, wordv);
+-			if (ret < 0)
+			if (ret < 0) {
+				/*
+				 * Bogus errno, but this ensures that the
+				 * outer loop does not just ignore the
+				 * error and keep searching.
+				 */
+				if (errno == ENOENT)
+					errno = EINVAL;
+ 				goto fail;
+			}
+ 			continue;
+ 		}
+ 
+@@ -229,6 +240,7 @@ openpam_parse_chain(pam_handle_t *pamh,
+ 			openpam_log(PAM_LOG_ERROR,
+ 			    "%s(%d): missing or invalid control flag",
+ 			    filename, lineno);
+			errno = EINVAL;
+ 			goto fail;
+ 		}
+ 
+@@ -238,6 +250,7 @@ openpam_parse_chain(pam_handle_t *pamh,
+ 			openpam_log(PAM_LOG_ERROR,
+ 			    "%s(%d): missing or invalid module name",
+ 			    filename, lineno);
+			errno = EINVAL;
+ 			goto fail;
+ 		}
+ 
+@@ -247,8 +260,11 @@ openpam_parse_chain(pam_handle_t *pamh,
+ 		this->flag = ctlf;
+ 
+ 		/* load module */
+-		if ((this->module = openpam_load_module(modulename)) == NULL)
+		if ((this->module = openpam_load_module(modulename)) == NULL) {
+			if (errno == ENOENT)
+				errno = ENOEXEC;
+ 			goto fail;
+		}
+ 
+ 		/*
+ 		 * The remaining items in wordv are the module's
+@@ -281,7 +297,11 @@ openpam_parse_chain(pam_handle_t *pamh,
+ 	 * The loop ended because openpam_readword() returned NULL, which
+ 	 * can happen for four different reasons: an I/O error (ferror(f)
+ 	 * is true), a memory allocation failure (ferror(f) is false,
+-	 * errno is non-zero)
+	 * feof(f) is false, errno is non-zero), the file ended with an
+	 * unterminated quote or backslash escape (ferror(f) is false,
+	 * feof(f) is true, errno is non-zero), or the end of the file was
+	 * reached without error (ferror(f) is false, feof(f) is true,
+	 * errno is zero).
+ 	 */
+ 	if (ferror(f) || errno != 0)
+ 		goto syserr;
+@@ -402,6 +422,9 @@ openpam_load_chain(pam_handle_t *pamh,
+ 		}
+ 		ret = openpam_load_file(pamh, service, facility,
+ 		    filename, style);
+		/* success */
+		if (ret > 0)
+			RETURNN(ret);
+ 		/* the file exists, but an error occurred */
+ 		if (ret == -1 && errno != ENOENT)
+ 			RETURNN(ret);
+@@ -411,7 +434,8 @@ openpam_load_chain(pam_handle_t *pamh,
+ 	}
+ 
+ 	/* no hit */
+-	RETURNN(0);
+	errno = ENOENT;
+	RETURNN(-1);
+ }
+ 
+ /*
+@@ -432,8 +456,10 @@ openpam_configure(pam_handle_t *pamh,
+ 		openpam_log(PAM_LOG_ERROR, "invalid service name");
+ 		RETURNC(PAM_SYSTEM_ERR);
+ 	}
+-	if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0)
+-		goto load_err;
+	if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0) {
+		if (errno != ENOENT)
+			goto load_err;
+	}
+ 	for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
+ 		if (pamh->chains[fclt] != NULL)
+ 			continue;
--- a/security/openpam/patches/patch-lib_libpam_openpam__constants.c
+++ b/security/openpam/patches/patch-lib_libpam_openpam__constants.c
@ -0,0 +1,17 @@
+$NetBSD: patch-lib_libpam_openpam__constants.c,v 1.1 2014/06/10 13:17:42 joerg Exp $
+
+--- lib/libpam/openpam_constants.c.orig	2014-06-10 13:01:39.996428375 +0000
+++ lib/libpam/openpam_constants.c
+@@ -127,10 +127,8 @@ const char *pam_sm_func_name[PAM_NUM_PRI
+ };
+ 
+ const char *openpam_policy_path[] = {
+-	"/etc/pam.d/",
+-	"/etc/pam.conf",
+-	"/usr/local/etc/pam.d/",
+-	"/usr/local/etc/pam.conf",
+	SYSCONFDIR "/pam.d/",
+	SYSCONFDIR "/pam.conf",
+ 	NULL
+ };
+ 
--- a/security/openpam/patches/patch-lib_libpam_openpam__ctype.h
+++ b/security/openpam/patches/patch-lib_libpam_openpam__ctype.h
@ -0,0 +1,13 @@
+$NetBSD: patch-lib_libpam_openpam__ctype.h,v 1.1 2014/06/10 13:17:42 joerg Exp $
+
+--- lib/libpam/openpam_ctype.h.orig	2013-09-07 13:28:00.000000000 +0000
+++ lib/libpam/openpam_ctype.h
+@@ -42,7 +42,7 @@
+  * Evaluates to non-zero if the argument is an uppercase letter.
+  */
+ #define is_upper(ch)				\
+-	(ch >= 'A' && ch <= 'A')
+	(ch >= 'A' && ch <= 'Z')
+ 
+ /*
+  * Evaluates to non-zero if the argument is a lowercase letter.