pam-krb5: Import/add pam-krb5 from eyeire.orgvendor/pam-krb5/4.11vendor/pam-krb5

From https://www.eyrie.org/~eagle/software/pam-krb5/:

pam-krb5 provides a Kerberos PAM module that supports authentication,
user ticket cache handling, simple authorization (via .k5login or
checking Kerberos principals against local usernames), and password
changing. It can be configured through either options in the PAM
configuration itself or through entries in the system krb5.conf file,
and it tries to work around PAM implementation flaws in commonly-used
PAM-enabled applications such as OpenSSH and xdm. It supports both
PKINIT and FAST to the extent that the underlying Kerberos libraries
support these features.

The reason for this import is to provide an MIT KRB5 compatible
pam_krb5 PAM module. The existing pam_krb5 in FreeBS only works
with Heimdal.

Sponsored by:	The FreeBSD Foundation

176 files changed, 15173 insertions, 0 deletions

diff --git a/tests/README b/tests/README
new file mode 100644
index 000000000000..186d2d5699b1
--- /dev/null
+++ b/tests/README
@@ -0,0 +1,252 @@
+                            Writing TAP Tests
+
+Introduction
+
+    This is a guide for users of the C TAP Harness package or similar
+    TAP-based test harnesses explaining how to write tests.  If your
+    package uses C TAP Harness as the test suite driver, you may want to
+    copy this document to an appropriate file name in your test suite as
+    documentation for contributors.
+
+About TAP
+
+    TAP is the Test Anything Protocol, a protocol for communication
+    between test cases and a test harness.  This is the protocol used by
+    Perl for its internal test suite and for nearly all Perl modules,
+    since it's the format used by the build tools for Perl modules to run
+    tests and report their results.
+
+    A TAP-based test suite works with a somewhat different set of
+    assumptions than an xUnit test suite.  In TAP, each test case is a
+    separate program.  That program, when run, must produce output in the
+    following format:
+
+        1..4
+        ok 1 - the first test
+        ok 2
+        # a diagnostic, ignored by the harness
+        not ok 3 - a failing test
+        ok 4 # skip a skipped test
+
+    The output should all go to standard output.  The first line specifies
+    the number of tests to be run, and then each test produces output that
+    looks like either "ok <n>" or "not ok <n>" depending on whether the
+    test succeeded or failed.  Additional information about the test can
+    be provided after the "ok <n>" or "not ok <n>", but is optional.
+    Additional diagnostics and information can be provided in lines
+    beginning with a "#".
+
+    Processing directives are supported after the "ok <n>" or "not ok <n>"
+    and start with a "#".  The main one of interest is "# skip" which says
+    that the test was skipped rather than successful and optionally gives
+    the reason.  Also supported is "# todo", which normally annotates a
+    failing test and indicates that test is expected to fail, optionally
+    providing a reason for why.
+
+    There are three more special cases.  First, the initial line stating
+    the number of tests to run, called the plan, may appear at the end of
+    the output instead of the beginning.  This can be useful if the number
+    of tests to run is not known in advance.  Second, a plan in the form:
+
+        1..0 # skip entire test case skipped
+
+    can be given instead, which indicates that this entire test case has
+    been skipped (generally because it depends on facilities or optional
+    configuration which is not present).  Finally, if the test case
+    encounters a fatal error, it should print the text:
+
+        Bail out!
+
+    on standard output, optionally followed by an error message, and then
+    exit.  This tells the harness that the test aborted unexpectedly.
+
+    The exit status of a successful test case should always be 0.  The
+    harness will report the test as "dubious" if all the tests appeared to
+    succeed but it exited with a non-zero status.
+
+Writing TAP Tests
+
+  Environment
+
+    One of the special features of C TAP Harness is the environment that
+    it sets up for your test cases.  If your test program is called under
+    the runtests driver, the environment variables C_TAP_SOURCE and
+    C_TAP_BUILD will be set to the top of the test directory in the source
+    tree and the top of the build tree, respectively.  You can use those
+    environment variables to locate additional test data, programs and
+    libraries built as part of your software build, and other supporting
+    information needed by tests.
+
+    The C and shell TAP libraries support a test_file_path() function,
+    which looks for a file under the build tree and then under the source
+    tree, using the C_TAP_BUILD and C_TAP_SOURCE environment variables,
+    and return the full path to the file.  This can be used to locate
+    supporting data files.  They also support a test_tmpdir() function
+    that returns a directory that can be used for temporary files during
+    tests.
+
+  Perl
+
+    Since TAP is the native test framework for Perl, writing TAP tests in
+    Perl is very easy and extremely well-supported.  If you've never
+    written tests in Perl before, start by reading the documentation for
+    Test::Tutorial and Test::Simple, which walks you through the basics,
+    including the TAP output syntax.  Then, the best Perl module to use
+    for serious testing is Test::More, which provides a lot of additional
+    functions over Test::Simple including support for skipping tests,
+    bailing out, and not planning tests in advance.  See the documentation
+    of Test::More for all the details and lots of examples.
+
+    C TAP Harness can run Perl test scripts directly and interpret the
+    results correctly, and similarly the Perl Test::Harness module and
+    prove command can run TAP tests written in other languages using, for
+    example, the TAP library that comes with C TAP Harness.  You can, if
+    you wish, use the library that comes with C TAP Harness but use prove
+    instead of runtests for running the test suite.
+
+  C
+
+    C TAP Harness provides a basic TAP library that takes away most of the
+    pain of writing TAP test cases in C.  A C test case should start with
+    a call to plan(), passing in the number of tests to run.  Then, each
+    test should use is_int(), is_string(), is_double(), or is_hex() as
+    appropriate to compare expected and seen values, or ok() to do a
+    simpler boolean test.  The is_*() functions take expected and seen
+    values and then a printf-style format string explaining the test
+    (which may be NULL).  ok() takes a boolean and then the printf-style
+    string.
+
+    Here's a complete example test program that uses the C TAP library:
+
+        #include <stddef.h>
+        #include <tap/basic.h>
+
+        int
+        main(void)
+        {
+            plan(4);
+
+            ok(1, "the first test");
+            is_int(42, 42, NULL);
+            diag("a diagnostic, ignored by the harness");
+            ok(0, "a failing test");
+            skip("a skipped test");
+
+            return 0;
+        }
+
+    This test program produces the output shown above in the section on
+    TAP and demonstrates most of the functions.  The other functions of
+    interest are sysdiag() (like diag() but adds strerror() results),
+    bail() and sysbail() for fatal errors, skip_block() to skip a whole
+    block of tests, and skip_all() which is called instead of plan() to
+    skip an entire test case.
+
+    The C TAP library also provides plan_lazy(), which can be called
+    instead of plan().  If plan_lazy() is called, the library will keep
+    track of how many test results are reported and will print out the
+    plan at the end of execution of the program.  This should normally be
+    avoided since the test may appear to be successful even if it exits
+    prematurely, but it can make writing tests easier in some
+    circumstances.
+
+    Complete API documentation for the basic C TAP library that comes with
+    C TAP Harness is available at:
+
+        <https://www.eyrie.org/~eagle/software/c-tap-harness/>
+
+    It's common to need additional test functions and utility functions
+    for your C tests, particularly if you have to set up and tear down a
+    test environment for your test programs, and it's useful to have them
+    all in the libtap library so that you only have to link your test
+    programs with one library.  Rather than editing tap/basic.c and
+    tap/basic.h to add those additional functions, add additional *.c and
+    *.h files into the tap directory with the function implementations and
+    prototypes, and then add those additional objects to the library.
+    That way, you can update tap/basic.c and tap/basic.h from subsequent
+    releases of C TAP Harness without having to merge changes with your
+    own code.
+
+    Libraries of additional useful TAP test functions are available in
+    rra-c-util at:
+
+        <https://www.eyrie.org/~eagle/software/rra-c-util/>
+
+    Some of the code there is particularly useful when testing programs
+    that require Kerberos keys.
+
+    If you implement new test functions that compare an expected and seen
+    value, it's best to name them is_<something> and take the expected
+    value, the seen value, and then a printf-style format string and
+    possible arguments to match the calling convention of the functions
+    provided by C TAP Harness.
+
+  Shell
+
+    C TAP Harness provides a library of shell functions to make it easier
+    to write TAP tests in shell.  That library includes much of the same
+    functionality as the C TAP library, but takes its parameters in a
+    somewhat different order to make better use of shell features.
+
+    The libtap.sh file should be installed in a directory named tap in
+    your test suite area.  It can then be loaded by tests written in shell
+    using the environment set up by runtests with:
+
+        . "$C_TAP_SOURCE"/tap/libtap.sh
+
+    Here is a complete test case written in shell which produces the same
+    output as the TAP sample above:
+
+        #!/bin/sh
+
+        . "$C_TAP_SOURCE"/tap/libtap.sh
+        cd "$C_TAP_BUILD"
+
+        plan 4
+        ok 'the first test' true
+        ok '' [ 42 -eq 42 ]
+        diag a diagnostic, ignored by the harness
+        ok '' false
+        skip 'a skipped test'
+
+    The shell framework doesn't provide the is_* functions, so you'll use
+    the ok function more.  It takes a string describing the text and then
+    treats all of its remaining arguments as a condition, evaluated the
+    same way as the arguments to the "if" statement.  If that condition
+    evaluates to true, the test passes; otherwise, the test fails.
+
+    The plan, plan_lazy, diag, and bail functions work the same as with
+    the C library.  skip takes a string and skips the next test with that
+    explanation.  skip_block takes a count and a string and skips that
+    many tests with that explanation.  skip_all takes an optional reason
+    and skips the entire test case.
+
+    Since it's common for shell programs to want to test the output of
+    commands, there's an additional function ok_program provided by the
+    shell test library.  It takes the test description string, the
+    expected exit status, the expected program output, and then treats the
+    rest of its arguments as the program to run.  That program is run with
+    standard error and standard output combined, and then its exit status
+    and output are tested against the provided values.
+
+    A utility function, strip_colon_error, is provided that runs the
+    command given as its arguments and strips text following a colon and a
+    space from the output (unless there is no whitespace on the line
+    before the colon and the space, normally indicating a prefix of the
+    program name).  This function can be used to wrap commands that are
+    expected to fail with output that has a system- or locale-specific
+    error message appended, such as the output of strerror().
+
+License
+
+    This file is part of the documentation of C TAP Harness, which can be
+    found at <https://www.eyrie.org/~eagle/software/c-tap-harness/>.
+
+    Copyright 2010, 2016 Russ Allbery <eagle@eyrie.org>
+
+    Copying and distribution of this file, with or without modification,
+    are permitted in any medium without royalty provided the copyright
+    notice and this notice are preserved.  This file is offered as-is,
+    without any warranty.
+
+    SPDX-License-Identifier: FSFAP
diff --git a/tests/TESTS b/tests/TESTS
new file mode 100644
index 000000000000..f9036b1569c4
--- /dev/null
+++ b/tests/TESTS
@@ -0,0 +1,46 @@
+# Test list for pam-krb5.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2017, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2011-2012
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided the copyright notice and
+# this notice are preserved.  This file is offered as-is, without any
+# warranty.
+#
+# SPDX-License-Identifier: FSFAP
+
+# Exclude the tests that use the pkinit.so MIT Kerberos module from valgrind
+# testing (module/fast-anon and module/pkinit) because they cause valgrind to
+# go into an infinite loop.
+
+docs/pod
+docs/pod-spelling
+docs/spdx-license
+module/alt-auth         valgrind
+module/bad-authtok      valgrind
+module/basic            valgrind
+module/cache            valgrind
+module/cache-cleanup    valgrind
+module/expired          valgrind
+module/fast             valgrind
+module/fast-anon
+module/long             valgrind
+module/no-cache         valgrind
+module/pam-user         valgrind
+module/password         valgrind
+module/pkinit
+module/realm            valgrind
+module/stacked          valgrind
+pam-util/args           valgrind
+pam-util/fakepam        valgrind
+pam-util/logging        valgrind
+pam-util/options        valgrind
+pam-util/vector         valgrind
+portable/asprintf       valgrind
+portable/mkstemp        valgrind
+portable/strndup        valgrind
+style/obsolete-strings
+valgrind/logs
diff --git a/tests/config/README b/tests/config/README
new file mode 100644
index 000000000000..a034b35b6b0d
--- /dev/null
+++ b/tests/config/README
@@ -0,0 +1,70 @@
+This directory contains configuration required to run the complete
+pam-krb5 test suite.  If there is no configuration in this directory, many
+of the tests will be skipped.  To enable the full test suite, create the
+following files:
+
+admin-keytab
+
+    A keytab for a principal (in the same realm as the test principal
+    configured in password) that has admin access to inspect and modify
+    that test principal.  For an MIT Kerberos KDC, it needs "mci"
+    permissions in kadm5.acl for that principal.  For a Heimdal KDC, it
+    needs "cpw,list,modify" permissions (obviously, "all" will do).  This
+    file is optional; if not present, the tests requiring admin
+    modification of a principal will be skipped.
+
+krb5.conf
+
+    This is optional and not required if the Kerberos realm used for
+    testing is configured in DNS or your system krb5.conf file and that
+    file is in either /etc/krb5.conf or /usr/local/etc/krb5.conf.
+    Otherwise, create a krb5.conf file that contains the realm information
+    (KDC, kpasswd server, and admin server) for the realm you're using for
+    testing.  You don't need to worry about setting the default realm;
+    this will be done automatically in the generated file used by the test
+    suite.
+
+keytab
+
+    An optional keytab for a principal, which generally should be in the
+    same realm as the user configured in the password file.  This is used
+    to test FAST support with a ticket cache.
+
+password
+
+    This file should contain two lines.  The first line is the
+    fully-qualified principal (including the realm) of a Kerberos
+    principal to use for testing authentication.  The second line is the
+    password for that principal.
+
+    If the realm of the principal is not configured in either DNS or in
+    your system krb5.conf file (/usr/local/etc/krb5.conf or
+    /etc/krb5.conf) with the KDC, kpasswd server, and admin server, you
+    will need to also provide a krb5.conf file in this directory.  See
+    below.
+
+pkinit-cert
+
+    Certificate and private key (concatenated together) for PKINIT
+    authentication for the user listed in the pkinit-principal file.
+    Optional; PKINIT checks will be skipped if this file isn't present.
+
+pkinit-principal
+
+    Principal to use to test PKINIT authentication.  Must be the Kerberos
+    identity corresponding to the certificate and private key given in
+    pkinit-cert.  Optional; PKINIT checks will be skipped if this file
+    isn't present.
+
+-----
+
+Copyright 2017, 2020 Russ Allbery <eagle@eyrie.org>
+Copyright 2011-2012
+    The Board of Trustees of the Leland Stanford Junior University
+
+Copying and distribution of this file, with or without modification, are
+permitted in any medium without royalty provided the copyright notice and
+this notice are preserved.  This file is offered as-is, without any
+warranty.
+
+SPDX-License-Identifier: FSFAP
diff --git a/tests/data/cppcheck.supp b/tests/data/cppcheck.supp
new file mode 100644
index 000000000000..00734778b256
--- /dev/null
+++ b/tests/data/cppcheck.supp
@@ -0,0 +1,72 @@
+// Suppressions file for cppcheck.  -*- conf -*-
+//
+// This includes suppressions for all of my projects, including files that
+// aren't in rra-c-util, for ease of sharing between projects.  The ones that
+// don't apply to a particular project should hopefully be harmless.
+//
+// To determine the correct suppression to add for a new error, run cppcheck
+// with the --xml flag and then add a suppression for the error id, file
+// location, and line.
+//
+// Copyright 2018-2021 Russ Allbery <eagle@eyrie.org>
+//
+// Copying and distribution of this file, with or without modification, are
+// permitted in any medium without royalty provided the copyright notice and
+// this notice are preserved.  This file is offered as-is, without any
+// warranty.
+//
+// SPDX-License-Identifier: FSFAP
+
+// I like declaring variables at the top of a function rather than cluttering
+// every if and loop body with declarations.
+variableScope
+
+// strlen of a constant string is more maintainable code than hard-coding the
+// string length.
+constArgument:tests/runtests.c:804
+
+// False positive due to recursive function.
+knownConditionTrueFalse:portable/getopt.c:146
+
+// Bug in cppcheck 2.3.  cppcheck can't see the assignment because of the
+// void * cast.
+knownConditionTrueFalse:portable/k_haspag.c:61
+
+// False positive since the string comes from a command-line define.
+knownConditionTrueFalse:tests/tap/process.c:415
+knownConditionTrueFalse:tests/tap/remctl.c:79
+
+// Stored in the returned ai struct, but cppcheck can't see the assignment
+// because of the struct sockaddr * cast.
+memleak:portable/getaddrinfo.c:236
+
+// Bug in cppcheck 1.89 (fixed in 2.3).  The address of this variable is
+// passed to a Windows function (albeit through a cast).
+nullPointer:portable/winsock.c:61
+
+// Bug in cppcheck 2.3.
+nullPointerRedundantCheck:portable/krb5-profile.c:61
+
+// Bug in cppcheck 2.3.
+nullPointerRedundantCheck:portable/krb5-renew.c:82
+nullPointerRedundantCheck:portable/krb5-renew.c:83
+
+// Setting the variable to NULL explicitly after deallocation.
+redundantAssignment:tests/pam-util/options-t.c
+
+// (remctl) Bug in cppcheck 1.89 (fixed in 2.3).  The address of these
+// variables are passed to a PHP function.
+uninitvar:php/php_remctl.c:119
+uninitvar:php/php_remctl.c:123
+uninitvar:php/php_remctl.c:315
+uninitvar:php/php5_remctl.c:125
+uninitvar:php/php5_remctl.c:129
+uninitvar:php/php5_remctl.c:321
+
+// (remctl) Bug in cppcheck 1.82.  A pointer to this array is stored in a
+// struct that's passed to another function.
+redundantAssignment:tests/server/acl-t.c
+
+// (pam-krb5) cppcheck doesn't recognize the unused attribute on labels.
+unusedLabel:module/auth.c:895
+unusedLabelConfiguration:module/auth.c:895
diff --git a/tests/data/generate-krb5-conf b/tests/data/generate-krb5-conf
new file mode 100755
index 000000000000..712a933d40ba
--- /dev/null
+++ b/tests/data/generate-krb5-conf
@@ -0,0 +1,86 @@
+#!/bin/sh
+
+# Generate a krb5.conf file in the current directory for testing purposes.
+# Takes one command-line argument: the default realm to use.  Strips out the
+# entire [appdefaults] section to avoid picking up any local configuration and
+# sets the default realm as indicated.
+#
+# The canonical version of this file is maintained in the rra-c-util package,
+# which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2016, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2006-2008, 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+#
+# SPDX-License-Identifier: MIT
+
+set -e
+
+# Load the test library.
+. "$C_TAP_SOURCE/tap/libtap.sh"
+cd "$C_TAP_BUILD"
+
+# If there is no default realm specified on the command line, we leave the
+# realm information alone.
+realm="$1"
+
+# Locate the krb5.conf file to use as a base.  Prefer the one in the test
+# configuration area, if it exists.
+krb5conf=`test_file_path config/krb5.conf`
+if [ -z "$krb5conf" ] ; then
+    for p in /etc/krb5.conf /usr/local/etc/krb5.conf ; do
+        if [ -r "$p" ] ; then
+            krb5conf="$p"
+            break
+        fi
+    done
+fi
+if [ -z "$krb5conf" ] ; then
+    echo 'no krb5.conf found, see test instructions' >&2
+    exit 1
+fi
+
+# We found a krb5.conf file.  Generate our munged one.
+mkdir -p tmp
+awk '
+    BEGIN                             { skip = 0 }
+    /^ *\[appdefaults\]/              { skip = 1 }
+    !/^ *\[appdefaults\]/ && / *\[/   { skip = 0 }
+
+    { if (skip == 0) print }
+' "$krb5conf" > tmp/krb5.conf.tmp
+if [ -n "$realm" ] ; then
+    pattern='^[ 	]*default_realm.*='
+    if grep "$pattern" tmp/krb5.conf.tmp >/dev/null 2>/dev/null; then
+        sed -e "s/\\(default_realm.*=\\) .*/\\1 $realm/" \
+            tmp/krb5.conf.tmp >tmp/krb5.conf
+    else
+        (
+            cat tmp/krb5.conf.tmp
+            echo "[libdefaults]"
+            echo "    default_realm = $realm"
+        ) >tmp/krb5.conf
+    fi
+    rm tmp/krb5.conf.tmp
+else
+    mv tmp/krb5.conf.tmp tmp/krb5.conf
+fi
diff --git a/tests/data/krb5-pam.conf b/tests/data/krb5-pam.conf
new file mode 100644
index 000000000000..57887882c954
--- /dev/null
+++ b/tests/data/krb5-pam.conf
@@ -0,0 +1,30 @@
+# Test krb5.conf file for PAM option parsing.
+
+[appdefaults]
+    FOO.COM = {
+        program = /bin/false
+    }
+    BAR.COM = {
+        program = echo /bin/true
+    }
+    testing = {
+        minimum_uid = 1000
+        ignore_root = false
+        expires = 30m
+        FOO.COM = {
+            cells = foo.com,bar.com
+        }
+        BAR.COM = {
+            cells = bar.com foo.com
+        }
+    }
+    other-test = {
+        minimum_uid = -1000
+    }
+    bad-number = {
+        minimum_uid = 1000foo
+    }
+    bad-time = {
+        expires = ft87
+    }
+    debug = true
diff --git a/tests/data/krb5.conf b/tests/data/krb5.conf
new file mode 100644
index 000000000000..57887882c954
--- /dev/null
+++ b/tests/data/krb5.conf
@@ -0,0 +1,30 @@
+# Test krb5.conf file for PAM option parsing.
+
+[appdefaults]
+    FOO.COM = {
+        program = /bin/false
+    }
+    BAR.COM = {
+        program = echo /bin/true
+    }
+    testing = {
+        minimum_uid = 1000
+        ignore_root = false
+        expires = 30m
+        FOO.COM = {
+            cells = foo.com,bar.com
+        }
+        BAR.COM = {
+            cells = bar.com foo.com
+        }
+    }
+    other-test = {
+        minimum_uid = -1000
+    }
+    bad-number = {
+        minimum_uid = 1000foo
+    }
+    bad-time = {
+        expires = ft87
+    }
+    debug = true
diff --git a/tests/data/perl.conf b/tests/data/perl.conf
new file mode 100644
index 000000000000..699ef3a9123a
--- /dev/null
+++ b/tests/data/perl.conf
@@ -0,0 +1,19 @@
+# Configuration for Perl tests.  -*- perl -*-
+
+# Ignore these top-level directories for perlcritic testing.
+@CRITIC_IGNORE = qw();
+
+# Add this directory (or a .libs subdirectory) relative to the top of the
+# source tree to LD_LIBRARY_PATH when checking the syntax of Perl modules.
+# This may be required to pick up libraries that are used by in-tree Perl
+# modules.
+#$LIBRARY_PATH = 'lib';
+
+# Default minimum version requirement for included Perl scripts.
+$MINIMUM_VERSION = '5.006';
+
+# Minimum version exceptions for specific top-level directories.
+%MINIMUM_VERSION = ();
+
+# File must end with this line.
+1;
diff --git a/tests/data/scripts/alt-auth/basic b/tests/data/scripts/alt-auth/basic
new file mode 100644
index 000000000000..92628e98cd8f
--- /dev/null
+++ b/tests/data/scripts/alt-auth/basic
@@ -0,0 +1,19 @@
+# Test simplest case of alternative authentication principal.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = alt_auth_map=%1 force_first_pass no_ccache
+    account = alt_auth_map=%1 no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %1
diff --git a/tests/data/scripts/alt-auth/basic-debug b/tests/data/scripts/alt-auth/basic-debug
new file mode 100644
index 000000000000..325a8117284c
--- /dev/null
+++ b/tests/data/scripts/alt-auth/basic-debug
@@ -0,0 +1,25 @@
+# Test simplest case of alternative authentication principal.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = alt_auth_map=%1 force_first_pass no_ccache debug
+    account = alt_auth_map=%1 no_ccache debug
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) mapping bogus-nonexistent-account to %1
+    DEBUG (user %u) alternate authentication successful
+    INFO user %u authenticated as %1
+    DEBUG pam_sm_authenticate: exit (success)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG pam_sm_acct_mgmt: exit (success)
diff --git a/tests/data/scripts/alt-auth/fail b/tests/data/scripts/alt-auth/fail
new file mode 100644
index 000000000000..ec2145f3098f
--- /dev/null
+++ b/tests/data/scripts/alt-auth/fail
@@ -0,0 +1,19 @@
+# Test failure of alternative authentication principal.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = alt_auth_map=bogus force_first_pass no_ccache
+    account = alt_auth_map=bogus no_ccache
+
+[run]
+    authenticate  = PAM_AUTHINFO_UNAVAIL
+    acct_mgmt     = PAM_IGNORE
+
+[output]
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/alt-auth/fail-debug b/tests/data/scripts/alt-auth/fail-debug
new file mode 100644
index 000000000000..ae96bb148e6a
--- /dev/null
+++ b/tests/data/scripts/alt-auth/fail-debug
@@ -0,0 +1,28 @@
+# Test failure of alternative authentication principal.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = alt_auth_map=bogus force_first_pass no_ccache debug
+    account = alt_auth_map=bogus no_ccache debug
+
+[run]
+    authenticate  = PAM_AUTHINFO_UNAVAIL
+    acct_mgmt     = PAM_IGNORE
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) mapping bogus-nonexistent-account to bogus@%2
+    DEBUG /^\(user %u\) alternate authentication failed: /
+    DEBUG (user %u) attempting authentication as %u@%2
+    DEBUG /^\(user %u\) krb5_get_init_creds_password: /
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+    DEBUG pam_sm_authenticate: exit (failure)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG skipping non-Kerberos login
+    DEBUG pam_sm_acct_mgmt: exit (ignore)
diff --git a/tests/data/scripts/alt-auth/fallback b/tests/data/scripts/alt-auth/fallback
new file mode 100644
index 000000000000..a0ee7a3d4292
--- /dev/null
+++ b/tests/data/scripts/alt-auth/fallback
@@ -0,0 +1,25 @@
+# Test alternative authentication principal.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = alt_auth_map=%%s/unknown-user no_ccache
+    account = alt_auth_map=%%s/unknown-user no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/alt-auth/fallback-debug b/tests/data/scripts/alt-auth/fallback-debug
new file mode 100644
index 000000000000..f63741a60a16
--- /dev/null
+++ b/tests/data/scripts/alt-auth/fallback-debug
@@ -0,0 +1,38 @@
+# Test alternative authentication principal with debug logging.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = alt_auth_map=%%s/unknown-user no_ccache debug
+    account = alt_auth_map=%%s/unknown-user no_ccache debug
+    session = no_ccache debug
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) mapping %u to %0/unknown-user@%2
+    DEBUG /^\(user %u\) alternate authentication failed: /
+    DEBUG (user %u) attempting authentication as %u
+    DEBUG (user %u) mapped user %0/unknown-user@%2 does not match principal %u
+    INFO user %u authenticated as %u
+    DEBUG pam_sm_authenticate: exit (success)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG (user %u) mapped user %0/unknown-user@%2 does not match principal %u
+    DEBUG pam_sm_acct_mgmt: exit (success)
+    DEBUG pam_sm_open_session: entry
+    DEBUG pam_sm_open_session: exit (success)
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/alt-auth/fallback-realm b/tests/data/scripts/alt-auth/fallback-realm
new file mode 100644
index 000000000000..0eef10fd5056
--- /dev/null
+++ b/tests/data/scripts/alt-auth/fallback-realm
@@ -0,0 +1,25 @@
+# Test alternative authentication principal.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = alt_auth_map=%%s@BOGUS.EXAMPLE.COM no_ccache
+    account = alt_auth_map=%%s@BOGUS.EXAMPLE.COM no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/alt-auth/force b/tests/data/scripts/alt-auth/force
new file mode 100644
index 000000000000..4ad34f6f1fe4
--- /dev/null
+++ b/tests/data/scripts/alt-auth/force
@@ -0,0 +1,19 @@
+# Test forced alternative authentication principal.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = alt_auth_map=%1 force_alt_auth force_first_pass no_ccache
+    account = alt_auth_map=%1 no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %1
diff --git a/tests/data/scripts/alt-auth/force-fail-debug b/tests/data/scripts/alt-auth/force-fail-debug
new file mode 100644
index 000000000000..cc077b1a4743
--- /dev/null
+++ b/tests/data/scripts/alt-auth/force-fail-debug
@@ -0,0 +1,26 @@
+# Test failure of forced authentication principal (no fallback).  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = alt_auth_map=%1 force_alt_auth force_first_pass no_ccache debug
+    account = alt_auth_map=%1 no_ccache debug
+
+[run]
+    authenticate  = PAM_AUTH_ERR
+    acct_mgmt     = PAM_IGNORE
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) mapping bogus-nonexistent-account to %1
+    DEBUG /^\(user %u\) alternate authentication failed: /
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+    DEBUG pam_sm_authenticate: exit (failure)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG skipping non-Kerberos login
+    DEBUG pam_sm_acct_mgmt: exit (ignore)
diff --git a/tests/data/scripts/alt-auth/force-fallback b/tests/data/scripts/alt-auth/force-fallback
new file mode 100644
index 000000000000..b93b04175ed5
--- /dev/null
+++ b/tests/data/scripts/alt-auth/force-fallback
@@ -0,0 +1,25 @@
+# Test forced alternative authentication with fallback.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = alt_auth_map=%%s/unknown-user force_alt_auth no_ccache
+    account = alt_auth_map=%%s/unknown-user no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/alt-auth/only b/tests/data/scripts/alt-auth/only
new file mode 100644
index 000000000000..7761fc7fd0ce
--- /dev/null
+++ b/tests/data/scripts/alt-auth/only
@@ -0,0 +1,19 @@
+# Test required alternative authentication principal.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = alt_auth_map=%1 only_alt_auth force_first_pass no_ccache
+    account = alt_auth_map=%1 no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %1
diff --git a/tests/data/scripts/alt-auth/only-fail b/tests/data/scripts/alt-auth/only-fail
new file mode 100644
index 000000000000..5c2831614928
--- /dev/null
+++ b/tests/data/scripts/alt-auth/only-fail
@@ -0,0 +1,22 @@
+# Test failure of required alternative authentication.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = alt_auth_map=bogus only_alt_auth no_ccache
+    account = alt_auth_map=bogus no_ccache
+
+[run]
+    authenticate  = PAM_USER_UNKNOWN
+    acct_mgmt     = PAM_IGNORE
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/alt-auth/username-map b/tests/data/scripts/alt-auth/username-map
new file mode 100644
index 000000000000..7f28a670344b
--- /dev/null
+++ b/tests/data/scripts/alt-auth/username-map
@@ -0,0 +1,19 @@
+# Test username mapping of alternative authentication principal.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = alt_auth_map=%%s@%2 force_first_pass no_ccache
+    account = alt_auth_map=%%s@%2 no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %1
diff --git a/tests/data/scripts/alt-auth/username-map-prefix b/tests/data/scripts/alt-auth/username-map-prefix
new file mode 100644
index 000000000000..5e83fc888d77
--- /dev/null
+++ b/tests/data/scripts/alt-auth/username-map-prefix
@@ -0,0 +1,19 @@
+# Test username mapping of alternative authentication principal.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = alt_auth_map=%3%%s@%2 force_first_pass no_ccache
+    account = alt_auth_map=%3%%s@%2 no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %1
diff --git a/tests/data/scripts/bad-authtok/no-prompt b/tests/data/scripts/bad-authtok/no-prompt
new file mode 100644
index 000000000000..e0c10cc69804
--- /dev/null
+++ b/tests/data/scripts/bad-authtok/no-prompt
@@ -0,0 +1,25 @@
+# Defer prompting to the Kerberos library after bad authtok.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = no_ccache no_prompt try_first_pass
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = /^(%u's Password|Password for %u): $/|%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/bad-authtok/try-first b/tests/data/scripts/bad-authtok/try-first
new file mode 100644
index 000000000000..cde6153efaeb
--- /dev/null
+++ b/tests/data/scripts/bad-authtok/try-first
@@ -0,0 +1,25 @@
+# Test try_first_pass with a bad initial AUTHTOK.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = try_first_pass no_ccache
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/bad-authtok/try-first-debug b/tests/data/scripts/bad-authtok/try-first-debug
new file mode 100644
index 000000000000..c76ce7ac89dd
--- /dev/null
+++ b/tests/data/scripts/bad-authtok/try-first-debug
@@ -0,0 +1,36 @@
+# Test try_first_pass with a bad initial AUTHTOK and debug.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = try_first_pass no_ccache debug
+    account = no_ccache debug
+    session = no_ccache debug
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) attempting authentication as %u
+    DEBUG /^\(user %u\) krb5_get_init_creds_password: /
+    DEBUG (user %u) attempting authentication as %u
+    INFO user %u authenticated as %u
+    DEBUG pam_sm_authenticate: exit (success)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG pam_sm_acct_mgmt: exit (success)
+    DEBUG pam_sm_open_session: entry
+    DEBUG pam_sm_open_session: exit (success)
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/bad-authtok/use-first b/tests/data/scripts/bad-authtok/use-first
new file mode 100644
index 000000000000..62d55ca2146f
--- /dev/null
+++ b/tests/data/scripts/bad-authtok/use-first
@@ -0,0 +1,22 @@
+# Test use_first_pass with a bad initial AUTHTOK.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = use_first_pass no_ccache
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_AUTH_ERR
+    acct_mgmt     = PAM_IGNORE
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[output]
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/bad-authtok/use-first-debug b/tests/data/scripts/bad-authtok/use-first-debug
new file mode 100644
index 000000000000..4346d2395cb0
--- /dev/null
+++ b/tests/data/scripts/bad-authtok/use-first-debug
@@ -0,0 +1,33 @@
+# Test use_first_pass with a bad initial AUTHTOK and debug.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = use_first_pass no_ccache debug
+    account = no_ccache debug
+    session = no_ccache debug
+
+[run]
+    authenticate  = PAM_AUTH_ERR
+    acct_mgmt     = PAM_IGNORE
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) attempting authentication as %u
+    DEBUG /^\(user %u\) krb5_get_init_creds_password: /
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+    DEBUG pam_sm_authenticate: exit (failure)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG skipping non-Kerberos login
+    DEBUG pam_sm_acct_mgmt: exit (ignore)
+    DEBUG pam_sm_open_session: entry
+    DEBUG pam_sm_open_session: exit (success)
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/basic/force-first b/tests/data/scripts/basic/force-first
new file mode 100644
index 000000000000..792d737ba7c3
--- /dev/null
+++ b/tests/data/scripts/basic/force-first
@@ -0,0 +1,22 @@
+# Test force_first_pass without an authtok.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = force_first_pass no_ccache
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_AUTH_ERR
+    acct_mgmt     = PAM_IGNORE
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[output]
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/basic/force-first-debug b/tests/data/scripts/basic/force-first-debug
new file mode 100644
index 000000000000..539345316183
--- /dev/null
+++ b/tests/data/scripts/basic/force-first-debug
@@ -0,0 +1,32 @@
+# Test force_first_pass without an authtok.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = force_first_pass no_ccache debug
+    account = no_ccache debug
+    session = no_ccache debug
+
+[run]
+    authenticate  = PAM_AUTH_ERR
+    acct_mgmt     = PAM_IGNORE
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) no stored password
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+    DEBUG pam_sm_authenticate: exit (failure)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG skipping non-Kerberos login
+    DEBUG pam_sm_acct_mgmt: exit (ignore)
+    DEBUG pam_sm_open_session: entry
+    DEBUG pam_sm_open_session: exit (success)
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/basic/ignore-root b/tests/data/scripts/basic/ignore-root
new file mode 100644
index 000000000000..bfbfee5c86df
--- /dev/null
+++ b/tests/data/scripts/basic/ignore-root
@@ -0,0 +1,16 @@
+# Test account and session behavior for ignored root user.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = ignore_root
+    password = ignore_root
+
+[run]
+    authenticate            = PAM_USER_UNKNOWN
+    chauthtok(PRELIM_CHECK) = PAM_IGNORE
diff --git a/tests/data/scripts/basic/ignore-root-debug b/tests/data/scripts/basic/ignore-root-debug
new file mode 100644
index 000000000000..2ffd33c16229
--- /dev/null
+++ b/tests/data/scripts/basic/ignore-root-debug
@@ -0,0 +1,24 @@
+# Test account and session behavior for ignored root user.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = ignore_root debug
+    password = ignore_root debug
+
+[run]
+    authenticate            = PAM_USER_UNKNOWN
+    chauthtok(PRELIM_CHECK) = PAM_IGNORE
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user root) ignoring root user
+    DEBUG pam_sm_authenticate: exit (failure)
+    DEBUG pam_sm_chauthtok: entry (prelim)
+    DEBUG ignoring root user
+    DEBUG pam_sm_chauthtok: exit (ignore)
diff --git a/tests/data/scripts/basic/minimum-uid b/tests/data/scripts/basic/minimum-uid
new file mode 100644
index 000000000000..e56161041306
--- /dev/null
+++ b/tests/data/scripts/basic/minimum-uid
@@ -0,0 +1,13 @@
+# Test account and session behavior for minimum UID.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = minimum_uid=%1
+    password = minimum_uid=%1
+
+[run]
+    authenticate            = PAM_USER_UNKNOWN
+    chauthtok(PRELIM_CHECK) = PAM_IGNORE
diff --git a/tests/data/scripts/basic/minimum-uid-debug b/tests/data/scripts/basic/minimum-uid-debug
new file mode 100644
index 000000000000..c20e43d55ac8
--- /dev/null
+++ b/tests/data/scripts/basic/minimum-uid-debug
@@ -0,0 +1,21 @@
+# Test account and session behavior for minimum UID (debug).  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = minimum_uid=%1 debug
+    password = minimum_uid=%1 debug
+
+[run]
+    authenticate            = PAM_USER_UNKNOWN
+    chauthtok(PRELIM_CHECK) = PAM_IGNORE
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) ignoring low-UID user (%0 < %1)
+    DEBUG pam_sm_authenticate: exit (failure)
+    DEBUG pam_sm_chauthtok: entry (prelim)
+    DEBUG ignoring low-UID user (%0 < %1)
+    DEBUG pam_sm_chauthtok: exit (ignore)
diff --git a/tests/data/scripts/basic/no-context b/tests/data/scripts/basic/no-context
new file mode 100644
index 000000000000..5629422e23d9
--- /dev/null
+++ b/tests/data/scripts/basic/no-context
@@ -0,0 +1,17 @@
+# Test account and session behavior with no context.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[run]
+    acct_mgmt                  = PAM_IGNORE
+    setcred(DELETE_CRED)       = PAM_SUCCESS
+    setcred(ESTABLISH_CRED)    = PAM_SUCCESS
+    setcred(REFRESH_CRED)      = PAM_SUCCESS
+    setcred(REINITIALIZE_CRED) = PAM_SUCCESS
+    open_session               = PAM_IGNORE
+    close_session              = PAM_SUCCESS
diff --git a/tests/data/scripts/basic/no-context-debug b/tests/data/scripts/basic/no-context-debug
new file mode 100644
index 000000000000..4bdeee727ed7
--- /dev/null
+++ b/tests/data/scripts/basic/no-context-debug
@@ -0,0 +1,47 @@
+# Test account and session behavior with no context.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = debug
+    account = debug
+    session = debug
+
+[run]
+    acct_mgmt                  = PAM_IGNORE
+    setcred(DELETE_CRED)       = PAM_SUCCESS
+    setcred(ESTABLISH_CRED)    = PAM_SUCCESS
+    setcred(REFRESH_CRED)      = PAM_SUCCESS
+    setcred(REINITIALIZE_CRED) = PAM_SUCCESS
+    open_session               = PAM_IGNORE
+    close_session              = PAM_SUCCESS
+
+[output]
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG skipping non-Kerberos login
+    DEBUG pam_sm_acct_mgmt: exit (ignore)
+    DEBUG pam_sm_setcred: entry (delete)
+    DEBUG pam_sm_setcred: exit (success)
+    DEBUG pam_sm_setcred: entry (establish)
+    DEBUG no context found, creating one
+    DEBUG (user root) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
+    DEBUG pam_sm_setcred: exit (success)
+    DEBUG pam_sm_setcred: entry (refresh)
+    DEBUG no context found, creating one
+    DEBUG (user root) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
+    DEBUG pam_sm_setcred: exit (success)
+    DEBUG pam_sm_setcred: entry (reinit)
+    DEBUG no context found, creating one
+    DEBUG (user root) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
+    DEBUG pam_sm_setcred: exit (success)
+    DEBUG pam_sm_open_session: entry
+    DEBUG no context found, creating one
+    DEBUG (user root) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
+    DEBUG pam_sm_open_session: exit (ignore)
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/cache-cleanup/auth-only b/tests/data/scripts/cache-cleanup/auth-only
new file mode 100644
index 000000000000..c29608f3c8da
--- /dev/null
+++ b/tests/data/scripts/cache-cleanup/auth-only
@@ -0,0 +1,17 @@
+# Test authentication only with ticket cache.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = force_first_pass ignore_k5login ccache_dir=FILE:%1
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %0
diff --git a/tests/data/scripts/cache/basic b/tests/data/scripts/cache/basic
new file mode 100644
index 000000000000..6b1042f3084b
--- /dev/null
+++ b/tests/data/scripts/cache/basic
@@ -0,0 +1,21 @@
+# Test basic authentication with ticket cache.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = force_first_pass ignore_k5login
+    account = ignore_k5login
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %0
diff --git a/tests/data/scripts/cache/end-data-silent b/tests/data/scripts/cache/end-data-silent
new file mode 100644
index 000000000000..f172008bc574
--- /dev/null
+++ b/tests/data/scripts/cache/end-data-silent
@@ -0,0 +1,27 @@
+# Test pam_end with PAM_DATA_SILENT.  -*- conf -*-
+#
+# Passing PAM_DATA_SILENT to pam_end should cause the credential cache to not
+# be deleted (under the assumption that pam_end is being called in a forked
+# process and will be called again in the parent to clean up resources).
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020-2021 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = force_first_pass ignore_k5login
+    account = ignore_k5login
+
+[run]
+    authenticate = PAM_SUCCESS
+    acct_mgmt    = PAM_SUCCESS
+    open_session = PAM_SUCCESS
+
+[end]
+    flags = PAM_DATA_SILENT
+
+[output]
+    INFO user %u authenticated as %0
diff --git a/tests/data/scripts/cache/open-session b/tests/data/scripts/cache/open-session
new file mode 100644
index 000000000000..83e48c36511e
--- /dev/null
+++ b/tests/data/scripts/cache/open-session
@@ -0,0 +1,20 @@
+# Test authentication with ticket cache, open session.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = force_first_pass ignore_k5login
+    account = ignore_k5login
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %0
diff --git a/tests/data/scripts/cache/search-k5login b/tests/data/scripts/cache/search-k5login
new file mode 100644
index 000000000000..b87c28147edb
--- /dev/null
+++ b/tests/data/scripts/cache/search-k5login
@@ -0,0 +1,20 @@
+# Test authentication with search_k5login, open session.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = force_first_pass search_k5login
+    account = search_k5login
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %0
diff --git a/tests/data/scripts/cache/search-k5login-debug b/tests/data/scripts/cache/search-k5login-debug
new file mode 100644
index 000000000000..eb50b9e47eaf
--- /dev/null
+++ b/tests/data/scripts/cache/search-k5login-debug
@@ -0,0 +1,34 @@
+# Test authentication with search_k5login and debug.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = force_first_pass search_k5login debug
+    account = search_k5login debug
+    session = debug
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) attempting authentication as %0
+    INFO user %u authenticated as %0
+    DEBUG /^\(user %u\) temporarily storing credentials in /tmp/krb5cc_pam_/
+    DEBUG pam_sm_authenticate: exit (success)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG (user %u) retrieving principal from cache
+    DEBUG pam_sm_acct_mgmt: exit (success)
+    DEBUG pam_sm_open_session: entry
+    DEBUG /^\(user %u\) initializing ticket cache FILE:/tmp/krb5cc_/
+    DEBUG pam_sm_open_session: exit (success)
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/expired/basic-heimdal b/tests/data/scripts/expired/basic-heimdal
new file mode 100644
index 000000000000..2b4f471cf247
--- /dev/null
+++ b/tests/data/scripts/expired/basic-heimdal
@@ -0,0 +1,31 @@
+# Test default handling of expired passwords.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2017, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = ignore_k5login
+    account  = ignore_k5login
+    password = ignore_k5login
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+    info     = Password has expired
+    info     = Your password will expire at %1
+    info     = Changing password
+    echo_off = New password: |%n
+    echo_off = Repeat new password: |%n
+    info     = Success: Password changed
+
+[output]
+    INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/basic-heimdal-debug b/tests/data/scripts/expired/basic-heimdal-debug
new file mode 100644
index 000000000000..a18cc00c71a9
--- /dev/null
+++ b/tests/data/scripts/expired/basic-heimdal-debug
@@ -0,0 +1,44 @@
+# Test default handling of expired passwords.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2017, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = ignore_k5login debug
+    account  = ignore_k5login debug
+    password = ignore_k5login debug
+    session  = debug
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+    info     = Password has expired
+    info     = Your password will expire at %1
+    info     = Changing password
+    echo_off = New password: |%n
+    echo_off = Repeat new password: |%n
+    info     = Success: Password changed
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) attempting authentication as %0
+    INFO user %u authenticated as %0
+    DEBUG /^\(user %u\) temporarily storing credentials in /tmp/krb5cc_pam_/
+    DEBUG pam_sm_authenticate: exit (success)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG (user %u) retrieving principal from cache
+    DEBUG pam_sm_acct_mgmt: exit (success)
+    DEBUG pam_sm_open_session: entry
+    DEBUG /^\(user %u\) initializing ticket cache FILE:/tmp/krb5cc_/
+    DEBUG pam_sm_open_session: exit (success)
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/expired/basic-heimdal-flag-silent b/tests/data/scripts/expired/basic-heimdal-flag-silent
new file mode 100644
index 000000000000..58e065b485bb
--- /dev/null
+++ b/tests/data/scripts/expired/basic-heimdal-flag-silent
@@ -0,0 +1,27 @@
+# Test default handling of expired passwords with PAM_SILENT.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = ignore_k5login
+    account  = ignore_k5login
+    password = ignore_k5login
+
+[run]
+    authenticate(SILENT)  = PAM_SUCCESS
+    acct_mgmt(SILENT)     = PAM_SUCCESS
+    open_session(SILENT)  = PAM_SUCCESS
+    close_session(SILENT) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+    echo_off = New password: |%n
+    echo_off = Repeat new password: |%n
+
+[output]
+    INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/basic-heimdal-old b/tests/data/scripts/expired/basic-heimdal-old
new file mode 100644
index 000000000000..dd67ec44df7c
--- /dev/null
+++ b/tests/data/scripts/expired/basic-heimdal-old
@@ -0,0 +1,30 @@
+# Test default handling of expired passwords.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = ignore_k5login
+    account  = ignore_k5login
+    password = ignore_k5login
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+    info     = Your password will expire at %1
+    info     = Changing password
+    echo_off = New password: |%n
+    echo_off = Repeat new password: |%n
+    info     = Success: Password changed
+
+[output]
+    INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/basic-heimdal-old-debug b/tests/data/scripts/expired/basic-heimdal-old-debug
new file mode 100644
index 000000000000..53267f5fac62
--- /dev/null
+++ b/tests/data/scripts/expired/basic-heimdal-old-debug
@@ -0,0 +1,43 @@
+# Test default handling of expired passwords.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = ignore_k5login debug
+    account  = ignore_k5login debug
+    password = ignore_k5login debug
+    session  = debug
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+    info     = Your password will expire at %1
+    info     = Changing password
+    echo_off = New password: |%n
+    echo_off = Repeat new password: |%n
+    info     = Success: Password changed
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) attempting authentication as %0
+    INFO user %u authenticated as %0
+    DEBUG /^\(user %u\) temporarily storing credentials in /tmp/krb5cc_pam_/
+    DEBUG pam_sm_authenticate: exit (success)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG (user %u) retrieving principal from cache
+    DEBUG pam_sm_acct_mgmt: exit (success)
+    DEBUG pam_sm_open_session: entry
+    DEBUG /^\(user %u\) initializing ticket cache FILE:/tmp/krb5cc_/
+    DEBUG pam_sm_open_session: exit (success)
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/expired/basic-heimdal-silent b/tests/data/scripts/expired/basic-heimdal-silent
new file mode 100644
index 000000000000..028d5fe382f6
--- /dev/null
+++ b/tests/data/scripts/expired/basic-heimdal-silent
@@ -0,0 +1,27 @@
+# Test default handling of expired passwords with silent.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = ignore_k5login silent
+    account  = ignore_k5login silent
+    password = ignore_k5login silent
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+    echo_off = New password: |%n
+    echo_off = Repeat new password: |%n
+
+[output]
+    INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/basic-mit b/tests/data/scripts/expired/basic-mit
new file mode 100644
index 000000000000..9611381b4ce9
--- /dev/null
+++ b/tests/data/scripts/expired/basic-mit
@@ -0,0 +1,28 @@
+# Test default handling of expired passwords.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = ignore_k5login
+    account  = ignore_k5login
+    password = ignore_k5login
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+    info     = Password expired.  You must change it now.
+    echo_off = Enter new password: |%n
+    echo_off = Enter it again: |%n
+
+[output]
+    INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/basic-mit-debug b/tests/data/scripts/expired/basic-mit-debug
new file mode 100644
index 000000000000..5b58b25b8ec2
--- /dev/null
+++ b/tests/data/scripts/expired/basic-mit-debug
@@ -0,0 +1,41 @@
+# Test default handling of expired passwords.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = ignore_k5login debug
+    account  = ignore_k5login debug
+    password = ignore_k5login debug
+    session  = debug
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+    info     = Password expired.  You must change it now.
+    echo_off = Enter new password: |%n
+    echo_off = Enter it again: |%n
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) attempting authentication as %0
+    INFO user %u authenticated as %0
+    DEBUG /^\(user %u\) temporarily storing credentials in /tmp/krb5cc_pam_/
+    DEBUG pam_sm_authenticate: exit (success)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG (user %u) retrieving principal from cache
+    DEBUG pam_sm_acct_mgmt: exit (success)
+    DEBUG pam_sm_open_session: entry
+    DEBUG /^\(user %u\) initializing ticket cache FILE:/tmp/krb5cc_/
+    DEBUG pam_sm_open_session: exit (success)
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/expired/basic-mit-flag-silent b/tests/data/scripts/expired/basic-mit-flag-silent
new file mode 100644
index 000000000000..a13bffdeea44
--- /dev/null
+++ b/tests/data/scripts/expired/basic-mit-flag-silent
@@ -0,0 +1,27 @@
+# Test default handling of expired passwords with PAM_SILENT.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = ignore_k5login
+    account  = ignore_k5login
+    password = ignore_k5login
+
+[run]
+    authenticate(SILENT)  = PAM_SUCCESS
+    acct_mgmt(SILENT)     = PAM_SUCCESS
+    open_session(SILENT)  = PAM_SUCCESS
+    close_session(SILENT) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+    echo_off = Enter new password: |%n
+    echo_off = Enter it again: |%n
+
+[output]
+    INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/basic-mit-silent b/tests/data/scripts/expired/basic-mit-silent
new file mode 100644
index 000000000000..7dea2b7bdd4e
--- /dev/null
+++ b/tests/data/scripts/expired/basic-mit-silent
@@ -0,0 +1,27 @@
+# Test default handling of expired passwords with silent.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = ignore_k5login silent
+    account  = ignore_k5login silent
+    password = ignore_k5login silent
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+    echo_off = Enter new password: |%n
+    echo_off = Enter it again: |%n
+
+[output]
+    INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/defer-mit b/tests/data/scripts/expired/defer-mit
new file mode 100644
index 000000000000..7403edbfdbbf
--- /dev/null
+++ b/tests/data/scripts/expired/defer-mit
@@ -0,0 +1,33 @@
+# Test deferring handling of expired passwords.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = defer_pwchange use_first_pass
+    account  = ignore_k5login
+    password = ignore_k5login use_first_pass
+
+[run]
+    authenticate              = PAM_SUCCESS
+    acct_mgmt                 = PAM_NEW_AUTHTOK_REQD
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+    acct_mgmt                 = PAM_SUCCESS
+    open_session              = PAM_SUCCESS
+    close_session             = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+    echo_off = Enter new Kerberos password: |%n
+    echo_off = Retype new Kerberos password: |%n
+
+[output]
+    INFO user %u authenticated as %0 (expired)
+    INFO user %u account password is expired
+    INFO user %u changed Kerberos password
+    INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/defer-mit-debug b/tests/data/scripts/expired/defer-mit-debug
new file mode 100644
index 000000000000..c637f39402f7
--- /dev/null
+++ b/tests/data/scripts/expired/defer-mit-debug
@@ -0,0 +1,57 @@
+# Test deferring handling of expired passwords.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth     = defer_pwchange use_first_pass debug
+    account  = ignore_k5login debug
+    password = ignore_k5login use_first_pass debug
+    session  = debug
+
+[run]
+    authenticate              = PAM_SUCCESS
+    acct_mgmt                 = PAM_NEW_AUTHTOK_REQD
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+    acct_mgmt                 = PAM_SUCCESS
+    open_session              = PAM_SUCCESS
+    close_session             = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+    echo_off = Enter new Kerberos password: |%n
+    echo_off = Retype new Kerberos password: |%n
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) attempting authentication as %0
+    DEBUG (user %u) krb5_get_init_creds_password: Password has expired
+    DEBUG (user %u) expired account, deferring failure
+    INFO user %u authenticated as %0 (expired)
+    DEBUG pam_sm_authenticate: exit (success)
+    DEBUG pam_sm_acct_mgmt: entry
+    INFO user %u account password is expired
+    DEBUG pam_sm_acct_mgmt: exit (failure)
+    DEBUG pam_sm_chauthtok: entry (prelim)
+    DEBUG (user %u) attempting authentication as %0 for kadmin/changepw
+    DEBUG pam_sm_chauthtok: exit (success)
+    DEBUG pam_sm_chauthtok: entry (update)
+    INFO user %u changed Kerberos password
+    DEBUG (user %u) obtaining credentials with new password
+    DEBUG (user %u) attempting authentication as %0
+    INFO user %u authenticated as %0
+    DEBUG /^\(user %u\) temporarily storing credentials in /tmp/krb5cc_pam_/
+    DEBUG pam_sm_chauthtok: exit (success)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG (user %u) retrieving principal from cache
+    DEBUG pam_sm_acct_mgmt: exit (success)
+    DEBUG pam_sm_open_session: entry
+    DEBUG /^\(user %u\) initializing ticket cache FILE:/tmp/krb5cc_/
+    DEBUG pam_sm_open_session: exit (success)
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/expired/fail b/tests/data/scripts/expired/fail
new file mode 100644
index 000000000000..566b4b9c73dc
--- /dev/null
+++ b/tests/data/scripts/expired/fail
@@ -0,0 +1,20 @@
+# Test default handling of expired passwords.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = ignore_k5login fail_pwchange
+
+[run]
+    authenticate = PAM_AUTH_ERR
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/expired/fail-debug b/tests/data/scripts/expired/fail-debug
new file mode 100644
index 000000000000..7f464b4ed89f
--- /dev/null
+++ b/tests/data/scripts/expired/fail-debug
@@ -0,0 +1,24 @@
+# Test default handling of expired passwords.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = ignore_k5login fail_pwchange debug
+
+[run]
+    authenticate = PAM_AUTH_ERR
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) attempting authentication as %0
+    DEBUG /^\(user %u\) krb5_get_init_creds_password: /
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+    DEBUG pam_sm_authenticate: exit (failure)
diff --git a/tests/data/scripts/fast/anonymous b/tests/data/scripts/fast/anonymous
new file mode 100644
index 000000000000..5f725ae63dcf
--- /dev/null
+++ b/tests/data/scripts/fast/anonymous
@@ -0,0 +1,17 @@
+# Test anonymous FAST.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = force_first_pass no_ccache anon_fast
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %0
diff --git a/tests/data/scripts/fast/anonymous-debug b/tests/data/scripts/fast/anonymous-debug
new file mode 100644
index 000000000000..48fd1eadd581
--- /dev/null
+++ b/tests/data/scripts/fast/anonymous-debug
@@ -0,0 +1,22 @@
+# Test FAST with an existing ticket cache, with debug.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = force_first_pass no_ccache anon_fast debug
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) anonymous authentication for FAST succeeded
+    DEBUG /^\(user %u\) setting FAST credential cache to MEMORY:/
+    DEBUG (user %u) attempting authentication as %0
+    INFO user %u authenticated as %0
+    DEBUG pam_sm_authenticate: exit (success)
diff --git a/tests/data/scripts/fast/ccache b/tests/data/scripts/fast/ccache
new file mode 100644
index 000000000000..32e5eaa92465
--- /dev/null
+++ b/tests/data/scripts/fast/ccache
@@ -0,0 +1,17 @@
+# Test FAST with an existing ticket cache.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = force_first_pass no_ccache fast_ccache=%0
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/fast/ccache-debug b/tests/data/scripts/fast/ccache-debug
new file mode 100644
index 000000000000..f3788f2fc1c7
--- /dev/null
+++ b/tests/data/scripts/fast/ccache-debug
@@ -0,0 +1,21 @@
+# Test FAST with an existing ticket cache, with debug.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = force_first_pass no_ccache fast_ccache=%0 debug
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) setting FAST credential cache to %0
+    DEBUG (user %u) attempting authentication as %u
+    INFO user %u authenticated as %u
+    DEBUG pam_sm_authenticate: exit (success)
diff --git a/tests/data/scripts/fast/no-ccache b/tests/data/scripts/fast/no-ccache
new file mode 100644
index 000000000000..71d4e2d494cf
--- /dev/null
+++ b/tests/data/scripts/fast/no-ccache
@@ -0,0 +1,17 @@
+# Test FAST with an existing ticket cache.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = force_first_pass no_ccache fast_ccache=%0BAD
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/fast/no-ccache-debug b/tests/data/scripts/fast/no-ccache-debug
new file mode 100644
index 000000000000..743ad5559538
--- /dev/null
+++ b/tests/data/scripts/fast/no-ccache-debug
@@ -0,0 +1,21 @@
+# Test FAST with an existing ticket cache, with debug.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = force_first_pass no_ccache fast_ccache=%0BAD debug
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG /^\(user %u\) failed to get principal from FAST ccache %0BAD: /
+    DEBUG (user %u) attempting authentication as %u
+    INFO user %u authenticated as %u
+    DEBUG pam_sm_authenticate: exit (success)
diff --git a/tests/data/scripts/long/password b/tests/data/scripts/long/password
new file mode 100644
index 000000000000..e8183976c004
--- /dev/null
+++ b/tests/data/scripts/long/password
@@ -0,0 +1,14 @@
+# Test authentication with an excessively long password.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[run]
+    authenticate = PAM_AUTH_ERR
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/long/password-debug b/tests/data/scripts/long/password-debug
new file mode 100644
index 000000000000..832c19340485
--- /dev/null
+++ b/tests/data/scripts/long/password-debug
@@ -0,0 +1,20 @@
+# Test excessively long password handling with debug logging.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = debug
+
+[run]
+    authenticate = PAM_AUTH_ERR
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG /^\(user %u\) rejecting password longer than [0-9]+$/
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+    DEBUG pam_sm_authenticate: exit (failure)
diff --git a/tests/data/scripts/long/use-first b/tests/data/scripts/long/use-first
new file mode 100644
index 000000000000..b68800485d04
--- /dev/null
+++ b/tests/data/scripts/long/use-first
@@ -0,0 +1,14 @@
+# Test use_first_pass with an excessively long password.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = use_first_pass
+
+[run]
+    authenticate = PAM_AUTH_ERR
+
+[output]
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/long/use-first-debug b/tests/data/scripts/long/use-first-debug
new file mode 100644
index 000000000000..72747e81f40c
--- /dev/null
+++ b/tests/data/scripts/long/use-first-debug
@@ -0,0 +1,17 @@
+# Test use_first_pass with a long password and debug.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = use_first_pass debug
+
+[run]
+    authenticate = PAM_AUTH_ERR
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG /^\(user %u\) rejecting password longer than [0-9]+$/
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+    DEBUG pam_sm_authenticate: exit (failure)
diff --git a/tests/data/scripts/no-cache/no-prompt b/tests/data/scripts/no-cache/no-prompt
new file mode 100644
index 000000000000..1eef2f26b4ee
--- /dev/null
+++ b/tests/data/scripts/no-cache/no-prompt
@@ -0,0 +1,25 @@
+# Defer prompting to the Kerberos library.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = no_ccache no_prompt
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = /^(%u's Password|Password for %u): $/|%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/no-cache/no-prompt-try b/tests/data/scripts/no-cache/no-prompt-try
new file mode 100644
index 000000000000..1d632a96f9e6
--- /dev/null
+++ b/tests/data/scripts/no-cache/no-prompt-try
@@ -0,0 +1,25 @@
+# Defer prompting to the Kerberos library w/try_first_pass.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = no_ccache no_prompt try_first_pass
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = /^(%u's Password|Password for %u): $/|%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/no-cache/no-prompt-use b/tests/data/scripts/no-cache/no-prompt-use
new file mode 100644
index 000000000000..76ef388465d2
--- /dev/null
+++ b/tests/data/scripts/no-cache/no-prompt-use
@@ -0,0 +1,25 @@
+# Defer prompting to the Kerberos library w/use_first_pass.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = no_ccache no_prompt
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = /^(%u's Password|Password for %u): $/|%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/no-cache/prompt b/tests/data/scripts/no-cache/prompt
new file mode 100644
index 000000000000..b0eb0d9ca57b
--- /dev/null
+++ b/tests/data/scripts/no-cache/prompt
@@ -0,0 +1,25 @@
+# Test basic auth w/prompting without saving a ticket cache.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = no_ccache
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/no-cache/prompt-expose b/tests/data/scripts/no-cache/prompt-expose
new file mode 100644
index 000000000000..a3365cc69754
--- /dev/null
+++ b/tests/data/scripts/no-cache/prompt-expose
@@ -0,0 +1,25 @@
+# Test basic auth w/prompting without saving a ticket cache.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = expose_account no_ccache
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password for %u: |%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/no-cache/prompt-fail b/tests/data/scripts/no-cache/prompt-fail
new file mode 100644
index 000000000000..376b0f911997
--- /dev/null
+++ b/tests/data/scripts/no-cache/prompt-fail
@@ -0,0 +1,25 @@
+# Test failed password authentication.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = no_ccache
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_AUTH_ERR
+    acct_mgmt     = PAM_IGNORE
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |BAD%p
+
+[output]
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/no-cache/prompt-fail-debug b/tests/data/scripts/no-cache/prompt-fail-debug
new file mode 100644
index 000000000000..9c9a7a406b4b
--- /dev/null
+++ b/tests/data/scripts/no-cache/prompt-fail-debug
@@ -0,0 +1,36 @@
+# Test failed password authentication with debug logging.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = no_ccache debug
+    account = no_ccache debug
+    session = no_ccache debug
+
+[run]
+    authenticate  = PAM_AUTH_ERR
+    acct_mgmt     = PAM_IGNORE
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |BAD%p
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) attempting authentication as %u
+    DEBUG /^\(user %u\) krb5_get_init_creds_password: /
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+    DEBUG pam_sm_authenticate: exit (failure)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG skipping non-Kerberos login
+    DEBUG pam_sm_acct_mgmt: exit (ignore)
+    DEBUG pam_sm_open_session: entry
+    DEBUG pam_sm_open_session: exit (success)
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/no-cache/prompt-principal b/tests/data/scripts/no-cache/prompt-principal
new file mode 100644
index 000000000000..5e7278f1e92d
--- /dev/null
+++ b/tests/data/scripts/no-cache/prompt-principal
@@ -0,0 +1,26 @@
+# Test prompting for principal without saving a ticket cache.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = prompt_principal no_ccache
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_on = Principal: |%u
+    echo_off = Password: |%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/no-cache/try-first b/tests/data/scripts/no-cache/try-first
new file mode 100644
index 000000000000..366801e9a078
--- /dev/null
+++ b/tests/data/scripts/no-cache/try-first
@@ -0,0 +1,25 @@
+# Test basic auth w/no AUTHTOK and try_first_pass.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = try_first_pass no_ccache
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/no-cache/use-first b/tests/data/scripts/no-cache/use-first
new file mode 100644
index 000000000000..028009fd7ba7
--- /dev/null
+++ b/tests/data/scripts/no-cache/use-first
@@ -0,0 +1,25 @@
+# Test basic auth w/no AUTHTOK and use_first_pass.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = use_first_pass no_ccache
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pam-user/no-update b/tests/data/scripts/pam-user/no-update
new file mode 100644
index 000000000000..36520bb4f332
--- /dev/null
+++ b/tests/data/scripts/pam-user/no-update
@@ -0,0 +1,20 @@
+# PAM_USER updates disabled.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = no_ccache no_update_user
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pam-user/update b/tests/data/scripts/pam-user/update
new file mode 100644
index 000000000000..11d404a02144
--- /dev/null
+++ b/tests/data/scripts/pam-user/update
@@ -0,0 +1,20 @@
+# PAM_USER updates.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = no_ccache
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    INFO user %0 authenticated as %1
diff --git a/tests/data/scripts/password/authtok b/tests/data/scripts/password/authtok
new file mode 100644
index 000000000000..9f6a39935b2d
--- /dev/null
+++ b/tests/data/scripts/password/authtok
@@ -0,0 +1,21 @@
+# Test password change with new authtok set but not old.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = use_authtok
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/authtok-force b/tests/data/scripts/password/authtok-force
new file mode 100644
index 000000000000..3bc0b598521b
--- /dev/null
+++ b/tests/data/scripts/password/authtok-force
@@ -0,0 +1,18 @@
+# Test password change with new authtok set but not old.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = use_authtok force_first_pass
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/authtok-too-long b/tests/data/scripts/password/authtok-too-long
new file mode 100644
index 000000000000..df81e24977b3
--- /dev/null
+++ b/tests/data/scripts/password/authtok-too-long
@@ -0,0 +1,17 @@
+# Test use_authtok with an excessively long password.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = use_authtok
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_AUTHTOK_ERR
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+
+[output]
diff --git a/tests/data/scripts/password/authtok-too-long-debug b/tests/data/scripts/password/authtok-too-long-debug
new file mode 100644
index 000000000000..cb38e8861102
--- /dev/null
+++ b/tests/data/scripts/password/authtok-too-long-debug
@@ -0,0 +1,23 @@
+# Test use_authtok with an excessively long password.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = use_authtok debug
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_AUTHTOK_ERR
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+
+[output]
+    DEBUG pam_sm_chauthtok: entry (prelim)
+    DEBUG (user %u) attempting authentication as %0 for kadmin/changepw
+    DEBUG pam_sm_chauthtok: exit (success)
+    DEBUG pam_sm_chauthtok: entry (update)
+    DEBUG /^\(user %u\) rejecting password longer than [0-9]+$/
+    DEBUG pam_sm_chauthtok: exit (failure)
diff --git a/tests/data/scripts/password/banner b/tests/data/scripts/password/banner
new file mode 100644
index 000000000000..98c899c26af5
--- /dev/null
+++ b/tests/data/scripts/password/banner
@@ -0,0 +1,23 @@
+# Test password change with a modified banner.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = banner=realm
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current realm password: |%p
+    echo_off = Enter new realm password: |%n
+    echo_off = Retype new realm password: |%n
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/banner-expose b/tests/data/scripts/password/banner-expose
new file mode 100644
index 000000000000..595fa0380b22
--- /dev/null
+++ b/tests/data/scripts/password/banner-expose
@@ -0,0 +1,23 @@
+# Test password change with banner and expose_account.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = expose_account banner=realm
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current realm password for %0: |%p
+    echo_off = Enter new realm password for %0: |%n
+    echo_off = Retype new realm password for %0: |%n
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/basic b/tests/data/scripts/password/basic
new file mode 100644
index 000000000000..5cb68267ce26
--- /dev/null
+++ b/tests/data/scripts/password/basic
@@ -0,0 +1,20 @@
+# Test password change with prompting.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+    echo_off = Enter new Kerberos password: |%n
+    echo_off = Retype new Kerberos password: |%n
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/basic-debug b/tests/data/scripts/password/basic-debug
new file mode 100644
index 000000000000..ca1c86b9c2c9
--- /dev/null
+++ b/tests/data/scripts/password/basic-debug
@@ -0,0 +1,28 @@
+# Test password change with prompting and debug.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = debug
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+    echo_off = Enter new Kerberos password: |%n
+    echo_off = Retype new Kerberos password: |%n
+
+[output]
+    DEBUG pam_sm_chauthtok: entry (prelim)
+    DEBUG (user %u) attempting authentication as %0 for kadmin/changepw
+    DEBUG pam_sm_chauthtok: exit (success)
+    DEBUG pam_sm_chauthtok: entry (update)
+    INFO user %u changed Kerberos password
+    DEBUG pam_sm_chauthtok: exit (success)
diff --git a/tests/data/scripts/password/expose b/tests/data/scripts/password/expose
new file mode 100644
index 000000000000..a82c1bd0b78d
--- /dev/null
+++ b/tests/data/scripts/password/expose
@@ -0,0 +1,23 @@
+# Test password change with prompting and expose_account.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = expose_account
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current Kerberos password for %0: |%p
+    echo_off = Enter new Kerberos password for %0: |%n
+    echo_off = Retype new Kerberos password for %0: |%n
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/ignore b/tests/data/scripts/password/ignore
new file mode 100644
index 000000000000..023cf5656f67
--- /dev/null
+++ b/tests/data/scripts/password/ignore
@@ -0,0 +1,18 @@
+# Test password prompt saving for ignored users.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = ignore_root
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_IGNORE
+    chauthtok(UPDATE_AUTHTOK) = PAM_IGNORE
+
+[prompts]
+    echo_off = Enter new password: |%n
+    echo_off = Retype new password: |%n
+
+[output]
diff --git a/tests/data/scripts/password/no-banner b/tests/data/scripts/password/no-banner
new file mode 100644
index 000000000000..9cabbd8ec5f9
--- /dev/null
+++ b/tests/data/scripts/password/no-banner
@@ -0,0 +1,23 @@
+# Test password change with no identifying banner.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = banner=
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current password: |%p
+    echo_off = Enter new password: |%n
+    echo_off = Retype new password: |%n
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/no-banner-expose b/tests/data/scripts/password/no-banner-expose
new file mode 100644
index 000000000000..3a5b944887bd
--- /dev/null
+++ b/tests/data/scripts/password/no-banner-expose
@@ -0,0 +1,23 @@
+# Test password change with no banner and expose_account.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = expose_account banner=
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_off = Current password for %0: |%p
+    echo_off = Enter new password for %0: |%n
+    echo_off = Retype new password for %0: |%n
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/prompt-principal b/tests/data/scripts/password/prompt-principal
new file mode 100644
index 000000000000..1e7274eb058e
--- /dev/null
+++ b/tests/data/scripts/password/prompt-principal
@@ -0,0 +1,24 @@
+# Test password change with prompting and prompt_principal.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = prompt_principal
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+    echo_on = Principal: |%u
+    echo_off = Current Kerberos password: |%p
+    echo_off = Enter new Kerberos password: |%n
+    echo_off = Retype new Kerberos password: |%n
+
+[output]
+    INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/too-long b/tests/data/scripts/password/too-long
new file mode 100644
index 000000000000..4dbabd5db11e
--- /dev/null
+++ b/tests/data/scripts/password/too-long
@@ -0,0 +1,15 @@
+# Test password change to an excessively long password.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_AUTHTOK_ERR
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+    echo_off = Enter new Kerberos password: |%n
+
+[output]
diff --git a/tests/data/scripts/password/too-long-debug b/tests/data/scripts/password/too-long-debug
new file mode 100644
index 000000000000..18b4ed608612
--- /dev/null
+++ b/tests/data/scripts/password/too-long-debug
@@ -0,0 +1,24 @@
+# Test password change to an excessively long password.  -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    password = debug
+
+[run]
+    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
+    chauthtok(UPDATE_AUTHTOK) = PAM_AUTHTOK_ERR
+
+[prompts]
+    echo_off = Current Kerberos password: |%p
+    echo_off = Enter new Kerberos password: |%n
+
+[output]
+    DEBUG pam_sm_chauthtok: entry (prelim)
+    DEBUG (user %u) attempting authentication as %0 for kadmin/changepw
+    DEBUG pam_sm_chauthtok: exit (success)
+    DEBUG pam_sm_chauthtok: entry (update)
+    DEBUG /^\(user %u\) rejecting password longer than [0-9]+$/
+    DEBUG pam_sm_chauthtok: exit (failure)
diff --git a/tests/data/scripts/pkinit/basic b/tests/data/scripts/pkinit/basic
new file mode 100644
index 000000000000..713bf0af1ce1
--- /dev/null
+++ b/tests/data/scripts/pkinit/basic
@@ -0,0 +1,22 @@
+# Test PKINIT auth without saving a ticket cache.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = no_ccache use_pkinit pkinit_user=FILE:%0
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pkinit/basic-debug b/tests/data/scripts/pkinit/basic-debug
new file mode 100644
index 000000000000..92a3fcf934d6
--- /dev/null
+++ b/tests/data/scripts/pkinit/basic-debug
@@ -0,0 +1,30 @@
+# Test PKINIT auth without saving a ticket cache w/debug.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = debug no_ccache use_pkinit pkinit_user=FILE:%0
+    account = debug no_ccache
+    session = debug no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    INFO user %u authenticated as %u
+    DEBUG pam_sm_authenticate: exit (success)
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG pam_sm_acct_mgmt: exit (success)
+    DEBUG pam_sm_open_session: entry
+    DEBUG pam_sm_open_session: exit (success)
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/pkinit/no-use-pkinit b/tests/data/scripts/pkinit/no-use-pkinit
new file mode 100644
index 000000000000..ead640bcc4a0
--- /dev/null
+++ b/tests/data/scripts/pkinit/no-use-pkinit
@@ -0,0 +1,18 @@
+# Test for unsupported use_pkinit.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = no_ccache use_pkinit
+
+[run]
+    authenticate = PAM_AUTHINFO_UNAVAIL
+
+[output]
+    ERR use_pkinit requested but PKINIT not available or cannot be enforced
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/pkinit/pin-mit b/tests/data/scripts/pkinit/pin-mit
new file mode 100644
index 000000000000..9791ebc2ace6
--- /dev/null
+++ b/tests/data/scripts/pkinit/pin-mit
@@ -0,0 +1,20 @@
+# Test PKINIT auth with a PIN prompt.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = no_ccache use_pkinit pkinit_user=PKCS12:%0
+
+[run]
+    authenticate  = PAM_SUCCESS
+
+[prompts]
+    echo_off = Pass phrase for %0: |%1
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pkinit/preauth-opt-mit b/tests/data/scripts/pkinit/preauth-opt-mit
new file mode 100644
index 000000000000..4602d18c7556
--- /dev/null
+++ b/tests/data/scripts/pkinit/preauth-opt-mit
@@ -0,0 +1,17 @@
+# Test PKINIT auth with MIT preauth options.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = no_ccache try_pkinit preauth_opt=X509_user_identity=FILE:%0
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pkinit/prompt-try b/tests/data/scripts/pkinit/prompt-try
new file mode 100644
index 000000000000..723a228847e3
--- /dev/null
+++ b/tests/data/scripts/pkinit/prompt-try
@@ -0,0 +1,20 @@
+# Test try_pkinit with an initial prompt.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = no_ccache try_pkinit pkinit_user=FILE:%0 pkinit_prompt
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[prompts]
+    echo_off = Insert smart card if desired, then press Enter: |
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pkinit/prompt-use b/tests/data/scripts/pkinit/prompt-use
new file mode 100644
index 000000000000..0b341d5d73ce
--- /dev/null
+++ b/tests/data/scripts/pkinit/prompt-use
@@ -0,0 +1,20 @@
+# Test use_pkinit with an initial prompt.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = no_ccache use_pkinit pkinit_user=FILE:%0 pkinit_prompt
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[prompts]
+    echo_off = Insert smart card and press Enter: |
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pkinit/try-pkinit b/tests/data/scripts/pkinit/try-pkinit
new file mode 100644
index 000000000000..13b7bcf76653
--- /dev/null
+++ b/tests/data/scripts/pkinit/try-pkinit
@@ -0,0 +1,17 @@
+# Test optional PKINIT auth without saving a ticket cache.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = no_ccache try_pkinit pkinit_user=FILE:%0
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pkinit/try-pkinit-debug b/tests/data/scripts/pkinit/try-pkinit-debug
new file mode 100644
index 000000000000..c721395abd07
--- /dev/null
+++ b/tests/data/scripts/pkinit/try-pkinit-debug
@@ -0,0 +1,19 @@
+# Test optional PKINIT auth w/debug.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = debug no_ccache try_pkinit pkinit_user=FILE:%0
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    INFO user %u authenticated as %u
+    DEBUG pam_sm_authenticate: exit (success)
diff --git a/tests/data/scripts/pkinit/try-pkinit-debug-mit b/tests/data/scripts/pkinit/try-pkinit-debug-mit
new file mode 100644
index 000000000000..2c8c966bdc03
--- /dev/null
+++ b/tests/data/scripts/pkinit/try-pkinit-debug-mit
@@ -0,0 +1,20 @@
+# Test optional PKINIT auth w/debug.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = debug no_ccache try_pkinit pkinit_user=FILE:%0
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) attempting authentication as %u
+    INFO user %u authenticated as %u
+    DEBUG pam_sm_authenticate: exit (success)
diff --git a/tests/data/scripts/realm/fail-bad-user-realm b/tests/data/scripts/realm/fail-bad-user-realm
new file mode 100644
index 000000000000..d30bec6f1f33
--- /dev/null
+++ b/tests/data/scripts/realm/fail-bad-user-realm
@@ -0,0 +1,17 @@
+# Test authentication failure with different user_realm.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = force_first_pass no_ccache user_realm=%0
+
+[run]
+    authenticate = PAM_AUTHINFO_UNAVAIL
+
+[output]
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/realm/fail-no-realm b/tests/data/scripts/realm/fail-no-realm
new file mode 100644
index 000000000000..87b59aab49f2
--- /dev/null
+++ b/tests/data/scripts/realm/fail-no-realm
@@ -0,0 +1,17 @@
+# Test authentication failure due to wrong realm.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = force_first_pass no_ccache
+
+[run]
+    authenticate = PAM_AUTHINFO_UNAVAIL
+
+[output]
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/realm/fail-no-realm-debug b/tests/data/scripts/realm/fail-no-realm-debug
new file mode 100644
index 000000000000..5ef2ce588177
--- /dev/null
+++ b/tests/data/scripts/realm/fail-no-realm-debug
@@ -0,0 +1,21 @@
+# Test authentication failure due to wrong realm.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = force_first_pass no_ccache debug
+
+[run]
+    authenticate = PAM_AUTHINFO_UNAVAIL
+
+[output]
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) attempting authentication as %u@%0
+    DEBUG /^\(user %u\) krb5_get_init_creds_password: /
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+    DEBUG pam_sm_authenticate: exit (failure)
diff --git a/tests/data/scripts/realm/fail-realm b/tests/data/scripts/realm/fail-realm
new file mode 100644
index 000000000000..6dfe6a044354
--- /dev/null
+++ b/tests/data/scripts/realm/fail-realm
@@ -0,0 +1,17 @@
+# Test authentication failure with different realm.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = force_first_pass no_ccache realm=%0
+
+[run]
+    authenticate = PAM_AUTHINFO_UNAVAIL
+
+[output]
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/realm/fail-user-realm b/tests/data/scripts/realm/fail-user-realm
new file mode 100644
index 000000000000..c97324c2d028
--- /dev/null
+++ b/tests/data/scripts/realm/fail-user-realm
@@ -0,0 +1,18 @@
+# Test authentication failure with different user_realm.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = force_first_pass no_ccache user_realm=%0
+
+[run]
+    authenticate = PAM_AUTH_ERR
+
+[output]
+    ERR /^\(user %u\) cannot convert principal to user: /
+    NOTICE failed authorization check; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/realm/pass-realm b/tests/data/scripts/realm/pass-realm
new file mode 100644
index 000000000000..91136c9bfc1c
--- /dev/null
+++ b/tests/data/scripts/realm/pass-realm
@@ -0,0 +1,17 @@
+# Test authentication success with different realm.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = force_first_pass no_ccache realm=%0
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %u@%0
diff --git a/tests/data/scripts/realm/pass-user-realm b/tests/data/scripts/realm/pass-user-realm
new file mode 100644
index 000000000000..86007c2d4d26
--- /dev/null
+++ b/tests/data/scripts/realm/pass-user-realm
@@ -0,0 +1,17 @@
+# Test authentication success with different user_realm.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth = force_first_pass no_ccache user_realm=%0
+
+[run]
+    authenticate = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %u@%0
diff --git a/tests/data/scripts/stacked/auth-only b/tests/data/scripts/stacked/auth-only
new file mode 100644
index 000000000000..46d3308ac0e4
--- /dev/null
+++ b/tests/data/scripts/stacked/auth-only
@@ -0,0 +1,18 @@
+# Test basic authentication without setcred.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = force_first_pass
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/stacked/basic b/tests/data/scripts/stacked/basic
new file mode 100644
index 000000000000..a05640d278bf
--- /dev/null
+++ b/tests/data/scripts/stacked/basic
@@ -0,0 +1,22 @@
+# Test basic authentication without saving a ticket cache.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = force_first_pass no_ccache
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/stacked/prompt b/tests/data/scripts/stacked/prompt
new file mode 100644
index 000000000000..b0eb0d9ca57b
--- /dev/null
+++ b/tests/data/scripts/stacked/prompt
@@ -0,0 +1,25 @@
+# Test basic auth w/prompting without saving a ticket cache.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = no_ccache
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_off = Password: |%p
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/stacked/prompt-principal b/tests/data/scripts/stacked/prompt-principal
new file mode 100644
index 000000000000..b416671875c7
--- /dev/null
+++ b/tests/data/scripts/stacked/prompt-principal
@@ -0,0 +1,25 @@
+# Test prompting for principal without saving a ticket cache.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = prompt_principal force_first_pass no_ccache
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[prompts]
+    echo_on = Principal: |%u
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/stacked/try-first b/tests/data/scripts/stacked/try-first
new file mode 100644
index 000000000000..3a14b7584bc1
--- /dev/null
+++ b/tests/data/scripts/stacked/try-first
@@ -0,0 +1,22 @@
+# Test try_first_pass without saving a ticket cache.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = try_first_pass no_ccache
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/stacked/use-first b/tests/data/scripts/stacked/use-first
new file mode 100644
index 000000000000..29c5c5c4188d
--- /dev/null
+++ b/tests/data/scripts/stacked/use-first
@@ -0,0 +1,22 @@
+# Test use_first_pass without saving a ticket cache.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = use_first_pass no_ccache
+    account = no_ccache
+    session = no_ccache
+
+[run]
+    authenticate  = PAM_SUCCESS
+    acct_mgmt     = PAM_SUCCESS
+    open_session  = PAM_SUCCESS
+    close_session = PAM_SUCCESS
+
+[output]
+    INFO user %u authenticated as %u
diff --git a/tests/data/scripts/trace/supported b/tests/data/scripts/trace/supported
new file mode 100644
index 000000000000..f67c389735ff
--- /dev/null
+++ b/tests/data/scripts/trace/supported
@@ -0,0 +1,58 @@
+# Basic test of enabling trace logging.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = force_first_pass no_ccache trace=%0 debug
+    account = no_ccache trace=%0 debug
+    session = no_ccache trace=%0 debug
+
+[run]
+    authenticate               = PAM_AUTH_ERR
+    acct_mgmt                  = PAM_IGNORE
+    setcred(DELETE_CRED)       = PAM_SUCCESS
+    setcred(ESTABLISH_CRED)    = PAM_SUCCESS
+    setcred(REFRESH_CRED)      = PAM_SUCCESS
+    setcred(REINITIALIZE_CRED) = PAM_SUCCESS
+    open_session               = PAM_SUCCESS
+    close_session              = PAM_SUCCESS
+
+[output]
+    DEBUG enabled trace logging to %0
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) no stored password
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+    DEBUG pam_sm_authenticate: exit (failure)
+    DEBUG enabled trace logging to %0
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG skipping non-Kerberos login
+    DEBUG pam_sm_acct_mgmt: exit (ignore)
+    DEBUG enabled trace logging to %0
+    DEBUG pam_sm_setcred: entry (delete)
+    DEBUG pam_sm_setcred: exit (success)
+    DEBUG enabled trace logging to %0
+    DEBUG pam_sm_setcred: entry (establish)
+    DEBUG no context found, creating one
+    DEBUG (user root) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
+    DEBUG pam_sm_setcred: exit (success)
+    DEBUG enabled trace logging to %0
+    DEBUG pam_sm_setcred: entry (refresh)
+    DEBUG no context found, creating one
+    DEBUG (user root) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
+    DEBUG pam_sm_setcred: exit (success)
+    DEBUG enabled trace logging to %0
+    DEBUG pam_sm_setcred: entry (reinit)
+    DEBUG no context found, creating one
+    DEBUG (user root) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
+    DEBUG pam_sm_setcred: exit (success)
+    DEBUG enabled trace logging to %0
+    DEBUG pam_sm_open_session: entry
+    DEBUG pam_sm_open_session: exit (success)
+    DEBUG enabled trace logging to %0
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/trace/unsupported b/tests/data/scripts/trace/unsupported
new file mode 100644
index 000000000000..2100c34fc2f5
--- /dev/null
+++ b/tests/data/scripts/trace/unsupported
@@ -0,0 +1,52 @@
+# Basic test of attempting trace logging when not supported.  -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+    auth    = force_first_pass no_ccache trace=%0 debug
+    account = no_ccache trace=%0 debug
+    session = no_ccache trace=%0 debug
+
+[run]
+    authenticate               = PAM_AUTH_ERR
+    acct_mgmt                  = PAM_IGNORE
+    setcred(DELETE_CRED)       = PAM_SUCCESS
+    setcred(ESTABLISH_CRED)    = PAM_SUCCESS
+    setcred(REFRESH_CRED)      = PAM_SUCCESS
+    setcred(REINITIALIZE_CRED) = PAM_SUCCESS
+    open_session               = PAM_SUCCESS
+    close_session              = PAM_SUCCESS
+
+[output]
+    ERR trace logging requested but not supported
+    DEBUG pam_sm_authenticate: entry
+    DEBUG (user %u) no stored password
+    NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+    DEBUG pam_sm_authenticate: exit (failure)
+    ERR trace logging requested but not supported
+    DEBUG pam_sm_acct_mgmt: entry
+    DEBUG skipping non-Kerberos login
+    DEBUG pam_sm_acct_mgmt: exit (ignore)
+    ERR trace logging requested but not supported
+    DEBUG pam_sm_setcred: entry (delete)
+    DEBUG pam_sm_setcred: exit (success)
+    ERR trace logging requested but not supported
+    DEBUG pam_sm_setcred: entry (establish)
+    DEBUG pam_sm_setcred: exit (success)
+    ERR trace logging requested but not supported
+    DEBUG pam_sm_setcred: entry (refresh)
+    DEBUG pam_sm_setcred: exit (success)
+    ERR trace logging requested but not supported
+    DEBUG pam_sm_setcred: entry (reinit)
+    DEBUG pam_sm_setcred: exit (success)
+    ERR trace logging requested but not supported
+    DEBUG pam_sm_open_session: entry
+    DEBUG pam_sm_open_session: exit (success)
+    ERR trace logging requested but not supported
+    DEBUG pam_sm_close_session: entry
+    DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/valgrind.supp b/tests/data/valgrind.supp
new file mode 100644
index 000000000000..6e987803f5e2
--- /dev/null
+++ b/tests/data/valgrind.supp
@@ -0,0 +1,242 @@
+# -*- conf -*-
+#
+# This is a valgrind suppression file for analysis of test suite results.
+#
+# Suppress a variety of apparent memory leaks in various Kerberos
+# implementations due to one-time instantiation of data, and a few other
+# artifacts of the test suite for rra-c-util portability and utility code
+# and related software.
+#
+# The canonical version of this file is maintained in the rra-c-util package,
+# which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2017-2018, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2011-2014
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+#
+# SPDX-License-Identifier: MIT
+
+{
+   dlopen-dlerror
+   Memcheck:Leak
+   fun:calloc
+   fun:_dlerror_run
+}
+{
+   fakeroot-msgsnd
+   Memcheck:Param
+   msgsnd(msgp->mtext)
+   fun:msgsnd
+   fun:send_fakem
+   fun:send_get_fakem
+   obj:*/libfakeroot-sysv.so
+}
+{
+   heimdal-base-once
+   Memcheck:Leak
+   fun:*alloc
+   ...
+   fun:heim_base_once_f
+}
+{
+   heimdal-gss-config
+   Memcheck:Leak
+   fun:*alloc
+   ...
+   fun:krb5_config_parse_debug
+}
+{
+   heimdal-gss-config-2
+   Memcheck:Leak
+   fun:*alloc
+   fun:_krb5_config_get_entry
+}
+{
+   heimdal-gss-cred
+   Memcheck:Leak
+   fun:calloc
+   obj:*libgssapi.so.*
+   obj:*libgssapi.so.*
+   fun:gss_acquire_cred
+}
+{
+   heimdal-gss-krb5-init
+   Memcheck:Leak
+   fun:*alloc
+   ...
+   fun:_gsskrb5_init
+}
+{
+   heimdal-gss-load-mech
+   Memcheck:Leak
+   fun:*alloc
+   ...
+   fun:_gss_load_mech
+}
+{
+   heimdal-krb5-init-context-once
+   Memcheck:Leak
+   fun:*alloc
+   ...
+   fun:init_context_once
+}
+{
+   heimdal-krb5-reg-plugins-once
+   Memcheck:Leak
+   fun:*alloc
+   ...
+   fun:krb5_plugin_register
+   fun:reg_def_plugins_once
+}
+{
+   heimdal-krb5-openssl-init
+   Memcheck:Leak
+   fun:*alloc
+   obj:*
+   fun:CRYPTO_*alloc
+}
+{
+   mit-gss-ccache
+   Memcheck:Leak
+   fun:*alloc
+   fun:krb5int_setspecific
+   fun:kg_set_ccache_name
+   fun:gss_krb5int_ccache_name
+}
+{
+   mit-gss-ccache-2
+   Memcheck:Leak
+   fun:*alloc
+   fun:strdup
+   fun:kg_set_ccache_name
+   fun:gss_krb5int_ccache_name
+}
+{
+   mit-gss-error
+   Memcheck:Leak
+   fun:*alloc
+   ...
+   fun:krb5_gss_save_error_string
+}
+{
+   mit-gss-mechs
+   Memcheck:Leak
+   fun:glob
+   fun:loadConfigFiles
+   fun:updateMechList
+   fun:build_mechSet
+   fun:gss_indicate_mechs
+}
+{
+   mit-kadmin-ovku-error
+   Memcheck:Leak
+   fun:*alloc*
+   fun:initialize_ovku_error_table_r
+}
+{
+   mit-krb5-changepw
+   Memcheck:Leak
+   fun:*alloc
+   fun:change_set_password
+   fun:krb5_change_password
+   fun:krb5_get_init_creds_password
+}
+{
+   mit-krb5-pkinit-openssl-init
+   Memcheck:Leak
+   fun:*alloc
+   ...
+   fun:krb5_init_preauth_context
+}
+{
+   mit-krb5-pkinit-openssl-request
+   Memcheck:Leak
+   fun:*alloc
+   ...
+   fun:krb5_preauth_request_context_init
+}
+{
+   mit-krb5-pkinit-openssl-request-2
+   Memcheck:Leak
+   fun:*alloc
+   ...
+   fun:k5_preauth_request_context_init
+}
+{
+   mit-krb5-plugin-dirs
+   Memcheck:Leak
+   fun:calloc
+   fun:krb5int_open_plugin_dirs
+}
+{
+   mit-krb5-plugin-dlerror
+   Memcheck:Leak
+   fun:calloc
+   fun:_dlerror_run
+   ...
+   fun:krb5int_open_plugin
+}
+{
+   mit-krb5-plugin-register
+   Memcheck:Leak
+   fun:malloc
+   fun:strdup
+   fun:register_module.isra.1
+}
+{
+   mit-krb5-preauth-init
+   Memcheck:Leak
+   fun:*alloc
+   ...
+   fun:k5_init_preauth_context
+}
+{
+   mit-krb5-preauth-init
+   Memcheck:Leak
+   fun:strdup
+   fun:add_to_list
+   fun:profile_get_values
+   ...
+   fun:clpreauth_prep_questions
+}
+{
+   mit-krb5-preauth-init-2
+   Memcheck:Leak
+   fun:*alloc
+   fun:init_list
+   fun:profile_get_values
+   ...
+   fun:clpreauth_prep_questions
+}
+{
+   mit-krb5-profile
+   Memcheck:Leak
+   fun:*alloc
+   ...
+   fun:profile_open_file
+}
+{
+   portable-setenv
+   Memcheck:Leak
+   fun:malloc
+   fun:test_setenv
+}
diff --git a/tests/docs/pod-spelling-t b/tests/docs/pod-spelling-t
new file mode 100755
index 000000000000..2ea5bf3ba6ee
--- /dev/null
+++ b/tests/docs/pod-spelling-t
@@ -0,0 +1,55 @@
+#!/usr/bin/perl
+#
+# Checks all POD files in the tree for spelling errors using Test::Spelling.
+#
+# The canonical version of this file is maintained in the rra-c-util package,
+# which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2016, 2019, 2021 Russ Allbery <eagle@eyrie.org>
+# Copyright 2012-2014
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+#
+# SPDX-License-Identifier: MIT
+
+use 5.010;
+use strict;
+use warnings;
+
+use lib "$ENV{C_TAP_SOURCE}/tap/perl";
+
+use Test::RRA qw(skip_unless_author use_prereq);
+use Test::RRA::Automake qw(automake_setup perl_dirs);
+
+use Test::More;
+
+# Only run this test for the module author since the required stopwords are
+# too sensitive to the exact spell-checking program and dictionary.
+skip_unless_author('Spelling tests');
+
+# Load prerequisite modules.
+use_prereq('Test::Spelling');
+
+# Set up Automake testing.
+automake_setup();
+
+# Run the tests.
+all_pod_files_spelling_ok(perl_dirs());
diff --git a/tests/docs/pod-t b/tests/docs/pod-t
new file mode 100755
index 000000000000..be21ddf01cea
--- /dev/null
+++ b/tests/docs/pod-t
@@ -0,0 +1,56 @@
+#!/usr/bin/perl
+#
+# Check all POD documents in the tree, except for any embedded Perl module
+# distribution, for POD formatting errors.
+#
+# The canonical version of this file is maintained in the rra-c-util package,
+# which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2016, 2019, 2021 Russ Allbery <eagle@eyrie.org>
+# Copyright 2012-2014
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+#
+# SPDX-License-Identifier: MIT
+
+use 5.010;
+use strict;
+use warnings;
+
+use lib "$ENV{C_TAP_SOURCE}/tap/perl";
+
+use Test::RRA qw(skip_unless_automated use_prereq);
+use Test::RRA::Automake qw(automake_setup perl_dirs);
+
+use Test::More;
+
+# Skip this test for normal user installs, since we normally pre-generate all
+# of the documentation and the end user doesn't care.
+skip_unless_automated('POD syntax tests');
+
+# Load prerequisite modules.
+use_prereq('Test::Pod');
+
+# Set up Automake testing.
+automake_setup();
+
+# Run the tests.
+all_pod_files_ok(perl_dirs());
diff --git a/tests/docs/spdx-license-t b/tests/docs/spdx-license-t
new file mode 100755
index 000000000000..2841835fb69a
--- /dev/null
+++ b/tests/docs/spdx-license-t
@@ -0,0 +1,149 @@
+#!/usr/bin/perl
+#
+# Check source files for SPDX-License-Identifier fields.
+#
+# Examine all source files in a distribution to check that they contain an
+# SPDX-License-Identifier field.  This does not check the syntax or whether
+# the identifiers are valid.
+#
+# The canonical version of this file is maintained in the rra-c-util package,
+# which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+#
+# Copyright 2018-2021 Russ Allbery <eagle@eyrie.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+#
+# SPDX-License-Identifier: MIT
+
+use 5.010;
+use strict;
+use warnings;
+
+use lib "$ENV{C_TAP_SOURCE}/tap/perl";
+
+use Test::RRA qw(skip_unless_automated);
+use Test::RRA::Automake qw(all_files automake_setup);
+
+use File::Basename qw(basename);
+use Test::More;
+
+# File name (the file without any directory component) and path patterns to
+# skip for this check.
+## no critic (RegularExpressions::ProhibitFixedStringMatches)
+my @IGNORE = (
+    qr{ \A LICENSE \z }xms,             # Generated file with no license itself
+    qr{ \A (NEWS|THANKS|TODO) \z }xms,  # Package license should be fine
+    qr{ \A README ( [.] .* )? \z }xms,  # Package license should be fine
+    qr{ \A (Makefile|libtool) \z }xms,  # Generated file
+    qr{ ~ \z }xms,                      # Backup files
+    qr{ [.] l?a \z }xms,                # Created by libtool
+    qr{ [.] o \z }xms,                  # Compiler objects
+    qr{ [.] output \z }xms,             # Test data
+);
+my @IGNORE_PATHS = (
+    qr{ \A debian/ }xms,                       # Found in debian/* branches
+    qr{ \A docs/metadata/ }xms,                # Package license should be fine
+    qr{ \A docs/protocol[.](html|txt) \z }xms, # Generated by xml2rfc
+    qr{ \A m4/ (libtool|lt.*) [.] m4 \z }xms,  # Files from Libtool
+    qr{ \A perl/Build \z }xms,                 # Perl build files
+    qr{ \A perl/MANIFEST \z }xms,              # Perl build files
+    qr{ \A perl/MYMETA [.] }xms,               # Perl build files
+    qr{ \A perl/blib/ }xms,                    # Perl build files
+    qr{ \A perl/cover_db/ }xms,                # Perl test files
+    qr{ \A perl/_build }xms,                   # Perl build files
+    qr{ \A php/Makefile [.] global \z }xms,    # Created by phpize
+    qr{ \A php/autom4te [.] cache/ }xms,       # Created by phpize
+    qr{ \A php/acinclude [.] m4 \z }xms,       # Created by phpize
+    qr{ \A php/build/ }xms,                    # Created by phpize
+    qr{ \A php/config [.] (guess|sub) \z }xms, # Created by phpize
+    qr{ \A php/configure [.] (ac|in) \z }xms,  # Created by phpize
+    qr{ \A php/ltmain [.] sh \z }xms,          # Created by phpize
+    qr{ \A php/run-tests [.] php \z }xms,      # Created by phpize
+    qr{ \A python/ .* [.] egg-info/ }xms,      # Python build files
+    qr{ \A tests/config/ (?!README) }xms,      # Test configuration
+    qr{ \A tests/tmp/ }xms,                    # Temporary test files
+);
+## use critic
+
+# Only run this test during automated testing, since failure doesn't indicate
+# any user-noticable flaw in the package itself.
+skip_unless_automated('SPDX identifier tests');
+
+# Set up Automake testing.
+automake_setup();
+
+# Check a single file for an occurrence of the string.
+#
+# $path - Path to the file
+#
+# Returns: undef
+sub check_file {
+    my ($path) = @_;
+    my $filename = basename($path);
+
+    # Ignore files in the whitelist and binary files.
+    for my $pattern (@IGNORE) {
+        return if $filename =~ $pattern;
+    }
+    for my $pattern (@IGNORE_PATHS) {
+        return if $path =~ $pattern;
+    }
+    return if !-T $path;
+
+    # Scan the file.
+    my ($saw_legacy_notice, $saw_spdx, $skip_spdx);
+    open(my $file, '<', $path) or BAIL_OUT("Cannot open $path: $!");
+    while (defined(my $line = <$file>)) {
+        if ($line =~ m{ Generated [ ] by [ ] libtool [ ] }xms) {
+            close($file) or BAIL_OUT("Cannot close $path: $!");
+            return;
+        }
+        if ($line =~ m{ \b See \s+ LICENSE \s+ for \s+ licensing }xms) {
+            $saw_legacy_notice = 1;
+        }
+        if ($line =~ m{ \b SPDX-License-Identifier: \s+ \S+ }xms) {
+            $saw_spdx = 1;
+            last;
+        }
+        if ($line =~ m{ no \s SPDX-License-Identifier \s registered }xms) {
+            $skip_spdx = 1;
+            last;
+        }
+    }
+    close($file) or BAIL_OUT("Cannot close $path: $!");
+
+    # If there is a legacy license notice, report a failure regardless of file
+    # size.  Otherwise, skip files under 1KB.  They can be rolled up into the
+    # overall project license and the license notice may be a substantial
+    # portion of the file size.
+    if ($saw_legacy_notice) {
+        ok(!$saw_legacy_notice, "$path has legacy license notice");
+    } else {
+        ok($saw_spdx || $skip_spdx || -s $path < 1024, $path);
+    }
+    return;
+}
+
+# Scan every file.  We don't declare a plan since we skip a lot of files and
+# don't want to precalculate the file list.
+my @paths = all_files();
+for my $path (@paths) {
+    check_file($path);
+}
+done_testing();
diff --git a/tests/fakepam/README b/tests/fakepam/README
new file mode 100644
index 000000000000..f7522cc1d66e
--- /dev/null
+++ b/tests/fakepam/README
@@ -0,0 +1,276 @@
+                          PAM Testing Framework
+
+Overview
+
+    The files in this directory provide a shim PAM library that's used for
+    testing and a test framework used to exercise a PAM module.
+
+    This library and its include files define the minimum amount
+    of the PAM module interface so that PAM modules can be tested without
+    such problems as needing configuration files in /etc/pam.d or needing
+    changes to the system configuration to run a testing PAM module
+    instead of the normal system PAM modules.
+
+    The goal of this library is that all PAM code should be able to be
+    left unchanged and the code just linked with the fakepam library
+    rather than the regular PAM library.  The testing code can then call
+    pam_start and pam_end as defined in the fakepam/pam.h header file and
+    inspect internal PAM state as needed.
+
+    The library also provides an interface to exercise a PAM module via an
+    interaction script, so that as much of the testing process as possible
+    is moved into simple text files instead of C code.  That test script
+    format supports specifying the PAM configuration, the PAM interfaces
+    to run, the expected prompts and replies, and the expected log
+    messages.  That interface is defined in fakepam/script.h.
+
+Fake PAM Library
+
+    Unfortunately, the standard PAM library for most operating systems
+    does not provide a reasonable testing framework.  The primary problem
+    is configuration: the PAM library usually hard-codes a configuration
+    location such as /etc/pam.conf or /etc/pam.d/<application>.  But there
+    are other problems as well, such as capturing logging rather than
+    having it go to syslog and inspecting PAM internal state to make sure
+    that it's updated properly by the module.
+
+    This library implements some of the same API as the system PAM library
+    and uses the system PAM library headers, but the underlying
+    implementation does not call the system PAM library or dynamically
+    load modules.  Instead, it's meant to be linked into a single
+    executable along with the implementation of a PAM module.  It does not
+    provide most of the application-level PAM interfaces (so one cannot
+    link a PAM-using application against it), just the interfaces called
+    by a module.  The caller of the library can then call the module API
+    (such as pam_sm_authenticate) directly.
+
+    All of the internal state maintained by the PAM library is made
+    available to the test program linked with this library.  See
+    fakepam/pam.h for the data structures.  This allows verification that
+    the PAM module is setting the internal PAM state properly.
+
+  User Handling
+
+    In order to write good test suites, one often has to be able to
+    authenticate as a variety of users, but PAM modules may expect the
+    authenticating user to exist on the system.  The fakepam library
+    provides a pam_modutil_getpwnam (if available) or a getpwnam
+    implementation that returns information for a single user (and user
+    unknown for everyone else).  To set the information for the one valid
+    user, call the pam_set_pwd function and provide a struct passwd that
+    will be returned by pam_modutil_getpwnam.
+
+    The fakepam library also provides a replacement krb5_kuserok function
+    for testing PAM modules that use Kerberos.  This source file should
+    only be included in packages that are building with Kerberos.  It
+    implements the same functionality as the default krb5_kuserok
+    function, but looks for .k5login in the home directory configured by
+    the test framework instead of using getpwnam.
+
+    Only those two functions are intercepted, so if the module looks up
+    users in other ways, it may still bypass the fakepam library and look
+    at system users.
+
+  Output Handling
+
+    The fakepam library intercepts the PAM functions that would normally
+    log to syslog and instead accumulates the output in a static string
+    variable.  To retrieve the logging output so far, call pam_output,
+    which returns a struct of all the output strings up to that point and
+    resets the accumulated output.
+
+Scripted PAM Testing
+
+    Also provided as part of the fakepam library is a test framework for
+    testing PAM modules.  This test framework allows most of the testing
+    process to be encapsulated in a text configuration file per test,
+    rather than in a tedious set of checks and calls written in C.
+
+  Test API
+
+    The basic test API is to call either run_script (to run a single test
+    script) or run_script_dir (to run all scripts in a particular
+    directory).  Both take a configuration struct that controls how the
+    PAM library is set up and called.
+
+    That configuration struct takes the following elements:
+
+    user
+        The user as which to authenticate, passed into pam_start and also
+        substituted for the %u escape.  This should match the user whose
+        home directory information is configured using pam_set_pwd if that
+        function is in use.
+
+    password
+        Only used for the %p escape.  This is not used to set the
+        authentication token in the PAM library (see authtok below).
+
+    newpass
+        Only used for the %n escape.
+
+    extra
+        An array of up to 10 additional strings used by the %0 through %9
+        escapes when parsing the configuration file, as discussed below.
+
+    authtok
+        Sets the default value of the PAM_AUTHTOK data item.  This will be
+        set immediately after initializing the PAM library and before
+        calling any PAM module functions.
+
+    authtok
+        Like authtok, but for the PAM_OLDAUTHTOK data item.
+
+    callback
+        This, and the associated data element, specifies a callback that's
+        called at the end of processing of the script before calling
+        pam_end.  This can be used to inspect and verify the internal
+        state of PAM.  The data element is an opaque pointer passed into
+        the callback.
+
+  Test Script Basic Format
+
+    Test scripts are composed of one or more sections.  Each section
+    begins with:
+
+        [<section>]
+
+    starting in column 1, where <section> is the name of the section.  The
+    valid section types and the format of their contents are described
+    below.
+
+    Blank lines and lines starting with # are ignored.
+
+    Several strings undergo %-escape expansion as mentioned below.  For
+    any such string, the following escapes are supported:
+
+        %i      Current UID (not the UID of the target user)
+        %n      New password
+        %p      Password
+        %u      Username
+        %0      extra[0]
+        ...
+        %9      extra[9]
+
+    All of these are set in the script_config struct.
+
+    Regular expression matching is supported for output lines and for
+    prompts.  To mark an expected prompt or output line as a regular
+    expression, it must begin and end with a slash (/).  Slashes inside
+    the regular expression do not need to be escaped.  If regular
+    expression support is not available in the C library, those matching
+    tests will be skipped.
+
+  The [options] Section
+
+    The [options] section contains the PAM configuration that will be
+    passed to the module.  These are the options that are normally listed
+    in the PAM configuration file after the name of the module.  The
+    syntax of this section is one or more lines of the form:
+
+        <group> = <options>
+
+    where <group> is one of "account", "auth", "password", or "session".
+    The options are space-delimited and may be either option names or
+    option=value pairs.
+
+  The [run] Section
+
+    The [run] section specifies what PAM interfaces to call.  It consists
+    of one or more lines in the format:
+
+        <call> = <status>
+
+    where <call> is the PAM call to make and <status> is the status code
+    that it should return.  <call> is one of the PAM module interface
+    functions without the leading "pam_sm_", so one of "acct_mgmt",
+    "authenticate", "setcred", "chauthtok", "open_session", or
+    "close_session".  The return status is one of the PAM constants
+    defined for return status, such as PAM_IGNORE or PAM_SUCCESS.  The
+    test framework will ensure that the PAM call returns the appropriate
+    status.
+
+    The <call> may be optionally followed by an open parentheses and then
+    a list of flags separated by |, or syntactically:
+
+        <call>(<flag>|<flag>|...) = <status>
+
+    In this form, rather than passing a flags value of 0 to the PAM call,
+    the test framework will pass the combination of the provided flags.
+    The flags are PAM constants without the leading PAM_, so (for example)
+    DELETE_CRED, ESTABLISH_CRED, REFRESH_CRED, or REINITIALIZE_CRED for
+    the "setcred" call.
+
+    As a special case, <call> may be "end" to specify flags to pass to the
+    pam_end call (such as PAM_DATA_SILENT).
+
+  The [end] Section
+
+    The [end] section defines how to call pam_end.  It currently takes
+    only one setting, flags, the syntax of which is:
+
+        flags = <flag>|<flag>
+
+    This allows PAM_DATA_SILENT or other flags to be passed to pam_end
+    when running the test script.
+
+  The [output] Section
+
+    The [output] section defines the logging output expected from the
+    module.  It consists of zero or more lines in the format:
+
+        <priority> <output>
+        <priority> /<regex>/
+
+    where <priority> is a syslog priority and <output> is the remaining
+    output or a regular expression to match against the output.  Valid
+    values for <priority> are DEBUG, INFO, NOTICE, ERR, and CRIT.
+    <output> and <regex> may contain spaces and undergoes %-escape
+    expansion.
+
+    The replacement values are taken from the script_config struct passed
+    as a parameter to run_script or run_script_dir.
+
+    If the [output] section is missing entirely, the test framework will
+    expect there to be no logging output from the PAM module.
+
+    This defines the logging output, not the prompts returned through the
+    conversation function.  For that, see the next section.
+
+  The [prompts] Section
+
+    The [prompts] section defines the prompts that the PAM module is
+    expected to send via the conversation function, and the responses that
+    the test harness will send back (if any).  This consists of zero or
+    more lines in one of the following formats:
+
+        <type> = <prompt>
+        <type> = /<prompt>/
+        <type> = <prompt>|<response>
+        <type> = /<prompt>/|<response>
+
+    The <type> is the style of prompt, chosen from "echo_off", "echo_on",
+    "error_msg", and "info".  The <prompt> is the actual prompt sent and
+    undergoes %-escape expansion.  It may be enclosed in slashes (/) to
+    indicate that it's a regular expression instead of literal text.  The
+    <response> if present (and its presence is signaled by the |
+    character) contains the response sent back by the test framework and
+    also undergoes %-escape expansion.  The response starts with the final
+    | character on the line, so <prompt> regular expressions may freely
+    use | inside the regular expression.
+
+    If the [prompts] section is present and empty, the test harness will
+    check that the PAM module does not send any prompts.  If the [prompts]
+    section is absent entirely, the conversation function passed to the
+    PAM module will be NULL.
+
+License
+
+    This file is part of the documentation of rra-c-util, which can be
+    found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+
+    Copyright 2011-2012, 2020-2021 Russ Allbery <eagle@eyrie.org>
+
+    Copying and distribution of this file, with or without modification,
+    are permitted in any medium without royalty provided the copyright
+    notice and this notice are preserved.  This file is offered as-is,
+    without any warranty.
diff --git a/tests/fakepam/config.c b/tests/fakepam/config.c
new file mode 100644
index 000000000000..8e0685604d55
--- /dev/null
+++ b/tests/fakepam/config.c
@@ -0,0 +1,766 @@
+/*
+ * Run a PAM interaction script for testing.
+ *
+ * Provides an interface that loads a PAM interaction script from a file and
+ * runs through that script, calling the internal PAM module functions and
+ * checking their results.  This allows automation of PAM testing through
+ * external data files instead of coding everything in C.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2017-2018, 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011-2012, 2014
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <config.h>
+#include <portable/pam.h>
+#include <portable/system.h>
+
+#include <assert.h>
+#include <ctype.h>
+#include <dirent.h>
+#include <errno.h>
+#include <syslog.h>
+
+#include <tests/fakepam/internal.h>
+#include <tests/fakepam/script.h>
+#include <tests/tap/basic.h>
+#include <tests/tap/string.h>
+
+/* Used for enumerating arrays. */
+#define ARRAY_SIZE(array) (sizeof(array) / sizeof((array)[0]))
+
+/* Mapping of strings to PAM function pointers and group numbers. */
+static const struct {
+    const char *name;
+    pam_call call;
+    enum group_type group;
+} CALLS[] = {
+    /* clang-format off */
+    {"acct_mgmt",     pam_sm_acct_mgmt,     GROUP_ACCOUNT },
+    {"authenticate",  pam_sm_authenticate,  GROUP_AUTH    },
+    {"setcred",       pam_sm_setcred,       GROUP_AUTH    },
+    {"chauthtok",     pam_sm_chauthtok,     GROUP_PASSWORD},
+    {"open_session",  pam_sm_open_session,  GROUP_SESSION },
+    {"close_session", pam_sm_close_session, GROUP_SESSION },
+    /* clang-format on */
+};
+
+/* Mapping of PAM flag names without the leading PAM_ to values. */
+static const struct {
+    const char *name;
+    int value;
+} FLAGS[] = {
+    /* clang-format off */
+    {"CHANGE_EXPIRED_AUTHTOK", PAM_CHANGE_EXPIRED_AUTHTOK},
+    {"DELETE_CRED",            PAM_DELETE_CRED           },
+    {"DISALLOW_NULL_AUTHTOK",  PAM_DISALLOW_NULL_AUTHTOK },
+    {"ESTABLISH_CRED",         PAM_ESTABLISH_CRED        },
+    {"PRELIM_CHECK",           PAM_PRELIM_CHECK          },
+    {"REFRESH_CRED",           PAM_REFRESH_CRED          },
+    {"REINITIALIZE_CRED",      PAM_REINITIALIZE_CRED     },
+    {"SILENT",                 PAM_SILENT                },
+    {"UPDATE_AUTHTOK",         PAM_UPDATE_AUTHTOK        },
+    /* clang-format on */
+};
+
+/* Mapping of strings to PAM groups. */
+static const struct {
+    const char *name;
+    enum group_type group;
+} GROUPS[] = {
+    /* clang-format off */
+    {"account",  GROUP_ACCOUNT },
+    {"auth",     GROUP_AUTH    },
+    {"password", GROUP_PASSWORD},
+    {"session",  GROUP_SESSION },
+    /* clang-format on */
+};
+
+/* Mapping of strings to PAM return values. */
+static const struct {
+    const char *name;
+    int status;
+} RETURNS[] = {
+    /* clang-format off */
+    {"PAM_AUTH_ERR",         PAM_AUTH_ERR        },
+    {"PAM_AUTHINFO_UNAVAIL", PAM_AUTHINFO_UNAVAIL},
+    {"PAM_AUTHTOK_ERR",      PAM_AUTHTOK_ERR     },
+    {"PAM_DATA_SILENT",      PAM_DATA_SILENT     },
+    {"PAM_IGNORE",           PAM_IGNORE          },
+    {"PAM_NEW_AUTHTOK_REQD", PAM_NEW_AUTHTOK_REQD},
+    {"PAM_SESSION_ERR",      PAM_SESSION_ERR     },
+    {"PAM_SUCCESS",          PAM_SUCCESS         },
+    {"PAM_USER_UNKNOWN",     PAM_USER_UNKNOWN    },
+    /* clang-format on */
+};
+
+/* Mapping of PAM prompt styles to their values. */
+static const struct {
+    const char *name;
+    int style;
+} STYLES[] = {
+    /* clang-format off */
+    {"echo_off",  PAM_PROMPT_ECHO_OFF},
+    {"echo_on",   PAM_PROMPT_ECHO_ON },
+    {"error_msg", PAM_ERROR_MSG      },
+    {"info",      PAM_TEXT_INFO      },
+    /* clang-format on */
+};
+
+/* Mappings of strings to syslog priorities. */
+static const struct {
+    const char *name;
+    int priority;
+} PRIORITIES[] = {
+    /* clang-format off */
+    {"DEBUG",  LOG_DEBUG },
+    {"INFO",   LOG_INFO  },
+    {"NOTICE", LOG_NOTICE},
+    {"ERR",    LOG_ERR   },
+    {"CRIT",   LOG_CRIT  },
+    /* clang-format on */
+};
+
+
+/*
+ * Given a pointer to a string, skip any leading whitespace and return a
+ * pointer to the first non-whitespace character.
+ */
+static char *
+skip_whitespace(char *p)
+{
+    while (isspace((unsigned char) (*p)))
+        p++;
+    return p;
+}
+
+
+/*
+ * Read a line from a file into a BUFSIZ buffer, failing if the line was too
+ * long to fit into the buffer, and returns a copy of that line in newly
+ * allocated memory.  Ignores blank lines and comments.  Caller is responsible
+ * for freeing.  Returns NULL on end of file and fails on read errors.
+ */
+static char *
+readline(FILE *file)
+{
+    char buffer[BUFSIZ];
+    char *line, *first;
+
+    do {
+        line = fgets(buffer, sizeof(buffer), file);
+        if (line == NULL) {
+            if (feof(file))
+                return NULL;
+            sysbail("cannot read line from script");
+        }
+        if (buffer[strlen(buffer) - 1] != '\n')
+            bail("script line too long");
+        buffer[strlen(buffer) - 1] = '\0';
+        first = skip_whitespace(buffer);
+    } while (first[0] == '#' || first[0] == '\0');
+    line = bstrdup(buffer);
+    return line;
+}
+
+
+/*
+ * Given the name of a PAM call, map it to a call enum.  This is used later in
+ * switch statements to determine which function to call.  Fails on any
+ * unrecognized string.  If the optional second argument is not NULL, also
+ * store the group number in that argument.
+ */
+static pam_call
+string_to_call(const char *name, enum group_type *group)
+{
+    size_t i;
+
+    for (i = 0; i < ARRAY_SIZE(CALLS); i++)
+        if (strcmp(name, CALLS[i].name) == 0) {
+            if (group != NULL)
+                *group = CALLS[i].group;
+            return CALLS[i].call;
+        }
+    bail("unrecognized PAM call %s", name);
+}
+
+
+/*
+ * Given a PAM flag value without the leading PAM_, map it to the numeric
+ * value of that flag.  Fails on any unrecognized string.
+ */
+static int
+string_to_flag(const char *name)
+{
+    size_t i;
+
+    for (i = 0; i < ARRAY_SIZE(FLAGS); i++)
+        if (strcmp(name, FLAGS[i].name) == 0)
+            return FLAGS[i].value;
+    bail("unrecognized PAM flag %s", name);
+}
+
+
+/*
+ * Given a PAM group name, map it to the array index for the options array for
+ * that group.  Fails on any unrecognized string.
+ */
+static enum group_type
+string_to_group(const char *name)
+{
+    size_t i;
+
+    for (i = 0; i < ARRAY_SIZE(GROUPS); i++)
+        if (strcmp(name, GROUPS[i].name) == 0)
+            return GROUPS[i].group;
+    bail("unrecognized PAM group %s", name);
+}
+
+
+/*
+ * Given a syslog priority name, map it to the numeric value of that priority.
+ * Fails on any unrecognized string.
+ */
+static int
+string_to_priority(const char *name)
+{
+    size_t i;
+
+    for (i = 0; i < ARRAY_SIZE(PRIORITIES); i++)
+        if (strcmp(name, PRIORITIES[i].name) == 0)
+            return PRIORITIES[i].priority;
+    bail("unrecognized syslog priority %s", name);
+}
+
+
+/*
+ * Given a PAM return status, map it to the actual expected value.  Fails on
+ * any unrecognized string.
+ */
+static int
+string_to_status(const char *name)
+{
+    size_t i;
+
+    if (name == NULL)
+        bail("no PAM status on line");
+    for (i = 0; i < ARRAY_SIZE(RETURNS); i++)
+        if (strcmp(name, RETURNS[i].name) == 0)
+            return RETURNS[i].status;
+    bail("unrecognized PAM status %s", name);
+}
+
+
+/*
+ * Given a PAM prompt style value without the leading PAM_PROMPT_, map it to
+ * the numeric value of that flag.  Fails on any unrecognized string.
+ */
+static int
+string_to_style(const char *name)
+{
+    size_t i;
+
+    for (i = 0; i < ARRAY_SIZE(STYLES); i++)
+        if (strcmp(name, STYLES[i].name) == 0)
+            return STYLES[i].style;
+    bail("unrecognized PAM prompt style %s", name);
+}
+
+
+/*
+ * We found a section delimiter while parsing another section.  Rewind our
+ * input file back before the section delimiter so that we'll read it again.
+ * Takes the length of the line we read, which is used to determine how far to
+ * rewind.
+ */
+static void
+rewind_section(FILE *script, size_t length)
+{
+    if (fseek(script, -length - 1, SEEK_CUR) != 0)
+        sysbail("cannot rewind file");
+}
+
+
+/*
+ * Given a string that may contain %-escapes, expand it into the resulting
+ * value.  The following escapes are supported:
+ *
+ *     %i   current UID (not target user UID)
+ *     %n   new password
+ *     %p   password
+ *     %u   username
+ *     %0   user-supplied string
+ *     ...
+ *     %9   user-supplied string
+ *
+ * The %* escape is preserved as-is, as it has to be interpreted at the time
+ * of checking output.  Returns the expanded string in newly-allocated memory.
+ */
+static char *
+expand_string(const char *template, const struct script_config *config)
+{
+    size_t length = 0;
+    const char *p, *extra;
+    char *output, *out;
+    char *uid = NULL;
+
+    length = 0;
+    for (p = template; *p != '\0'; p++) {
+        if (*p != '%')
+            length++;
+        else {
+            p++;
+            switch (*p) {
+            case 'i':
+                if (uid == NULL)
+                    basprintf(&uid, "%lu", (unsigned long) getuid());
+                length += strlen(uid);
+                break;
+            case 'n':
+                if (config->newpass == NULL)
+                    bail("new password not set");
+                length += strlen(config->newpass);
+                break;
+            case 'p':
+                if (config->password == NULL)
+                    bail("password not set");
+                length += strlen(config->password);
+                break;
+            case 'u':
+                length += strlen(config->user);
+                break;
+            case '0':
+            case '1':
+            case '2':
+            case '3':
+            case '4':
+            case '5':
+            case '6':
+            case '7':
+            case '8':
+            case '9':
+                if (config->extra[*p - '0'] == NULL)
+                    bail("extra script parameter %%%c not set", *p);
+                length += strlen(config->extra[*p - '0']);
+                break;
+            case '*':
+                length += 2;
+                break;
+            default:
+                length++;
+                break;
+            }
+        }
+    }
+    output = bmalloc(length + 1);
+    for (p = template, out = output; *p != '\0'; p++) {
+        if (*p != '%')
+            *out++ = *p;
+        else {
+            p++;
+            switch (*p) {
+            case 'i':
+                assert(uid != NULL);
+                memcpy(out, uid, strlen(uid));
+                out += strlen(uid);
+                break;
+            case 'n':
+                memcpy(out, config->newpass, strlen(config->newpass));
+                out += strlen(config->newpass);
+                break;
+            case 'p':
+                memcpy(out, config->password, strlen(config->password));
+                out += strlen(config->password);
+                break;
+            case 'u':
+                memcpy(out, config->user, strlen(config->user));
+                out += strlen(config->user);
+                break;
+            case '0':
+            case '1':
+            case '2':
+            case '3':
+            case '4':
+            case '5':
+            case '6':
+            case '7':
+            case '8':
+            case '9':
+                extra = config->extra[*p - '0'];
+                memcpy(out, extra, strlen(extra));
+                out += strlen(extra);
+                break;
+            case '*':
+                *out++ = '%';
+                *out++ = '*';
+                break;
+            default:
+                *out++ = *p;
+                break;
+            }
+        }
+    }
+    *out = '\0';
+    free(uid);
+    return output;
+}
+
+
+/*
+ * Given a whitespace-delimited string of PAM options, split it into an argv
+ * array and argc count and store it in the provided option struct.
+ */
+static void
+split_options(char *string, struct options *options,
+              const struct script_config *config)
+{
+    char *opt;
+    size_t size, count;
+
+    for (opt = strtok(string, " "); opt != NULL; opt = strtok(NULL, " ")) {
+        if (options->argv == NULL) {
+            options->argv = bcalloc(2, sizeof(const char *));
+            options->argv[0] = expand_string(opt, config);
+            options->argc = 1;
+        } else {
+            count = (options->argc + 2);
+            size = sizeof(const char *);
+            options->argv = breallocarray(options->argv, count, size);
+            options->argv[options->argc] = expand_string(opt, config);
+            options->argv[options->argc + 1] = NULL;
+            options->argc++;
+        }
+    }
+}
+
+
+/*
+ * Parse the options section of a PAM script.  This consists of one or more
+ * lines in the format:
+ *
+ *     <group> = <options>
+ *
+ * where options are either option names or option=value pairs, where the
+ * value may not contain whitespace.  Returns an options struct, which stores
+ * argc and argv values for each group.
+ *
+ * Takes the work struct as an argument and puts values into its array.
+ */
+static void
+parse_options(FILE *script, struct work *work,
+              const struct script_config *config)
+{
+    char *line, *group, *token;
+    size_t length = 0;
+    enum group_type type;
+
+    for (line = readline(script); line != NULL; line = readline(script)) {
+        length = strlen(line);
+        group = strtok(line, " ");
+        if (group == NULL)
+            bail("malformed script line");
+        if (group[0] == '[')
+            break;
+        type = string_to_group(group);
+        token = strtok(NULL, " ");
+        if (token == NULL)
+            bail("malformed action line");
+        if (strcmp(token, "=") != 0)
+            bail("malformed action line near %s", token);
+        token = strtok(NULL, "");
+        split_options(token, &work->options[type], config);
+        free(line);
+    }
+    if (line != NULL) {
+        free(line);
+        rewind_section(script, length);
+    }
+}
+
+
+/*
+ * Parse the call portion of a PAM call in the run section of a PAM script.
+ * This handles parsing the PAM flags that optionally may be given as part of
+ * the call.  Takes the token representing the call and a pointer to the
+ * action struct to fill in with the call and the option flags.
+ */
+static void
+parse_call(char *token, struct action *action)
+{
+    char *flags, *flag;
+
+    action->flags = 0;
+    flags = strchr(token, '(');
+    if (flags != NULL) {
+        *flags = '\0';
+        flags++;
+        for (flag = strtok(flags, "|,)"); flag != NULL;
+             flag = strtok(NULL, "|,)")) {
+            action->flags |= string_to_flag(flag);
+        }
+    }
+    action->call = string_to_call(token, &action->group);
+}
+
+
+/*
+ * Parse the run section of a PAM script.  This consists of one or more lines
+ * in the format:
+ *
+ *     <call> = <status>
+ *
+ * where <call> is a PAM call and <status> is what it should return.  Returns
+ * a linked list of actions.  Fails on any error in parsing.
+ */
+static struct action *
+parse_run(FILE *script)
+{
+    struct action *head = NULL, *current = NULL, *next;
+    char *line, *token, *call;
+    size_t length = 0;
+
+    for (line = readline(script); line != NULL; line = readline(script)) {
+        length = strlen(line);
+        token = strtok(line, " ");
+        if (token[0] == '[')
+            break;
+        next = bmalloc(sizeof(struct action));
+        next->next = NULL;
+        if (head == NULL)
+            head = next;
+        else
+            current->next = next;
+        next->name = bstrdup(token);
+        call = token;
+        token = strtok(NULL, " ");
+        if (token == NULL)
+            bail("malformed action line");
+        if (strcmp(token, "=") != 0)
+            bail("malformed action line near %s", token);
+        token = strtok(NULL, " ");
+        next->status = string_to_status(token);
+        parse_call(call, next);
+        free(line);
+        current = next;
+    }
+    if (head == NULL)
+        bail("empty run section in script");
+    if (line != NULL) {
+        free(line);
+        rewind_section(script, length);
+    }
+    return head;
+}
+
+
+/*
+ * Parse the end section of a PAM script.  There is one supported line in the
+ * format:
+ *
+ *     flags = <flag>|<flag>
+ *
+ * where <flag> is a flag to pass to pam_end.  Returns the flags.
+ */
+static int
+parse_end(FILE *script)
+{
+    char *line, *token, *flag;
+    size_t length = 0;
+    int flags = PAM_SUCCESS;
+
+    for (line = readline(script); line != NULL; line = readline(script)) {
+        length = strlen(line);
+        token = strtok(line, " ");
+        if (token[0] == '[')
+            break;
+        if (strcmp(token, "flags") != 0)
+            bail("unknown end setting %s", token);
+        token = strtok(NULL, " ");
+        if (token == NULL)
+            bail("malformed end line");
+        if (strcmp(token, "=") != 0)
+            bail("malformed end line near %s", token);
+        token = strtok(NULL, " ");
+        flag = strtok(token, "|");
+        while (flag != NULL) {
+            flags |= string_to_status(flag);
+            flag = strtok(NULL, "|");
+        }
+        free(line);
+    }
+    if (line != NULL) {
+        free(line);
+        rewind_section(script, length);
+    }
+    return flags;
+}
+
+
+/*
+ * Parse the output section of a PAM script.  This consists of zero or more
+ * lines in the format:
+ *
+ *     PRIORITY some output information
+ *     PRIORITY /output regex/
+ *
+ * where PRIORITY is replaced by the numeric syslog priority corresponding to
+ * that priority and the rest of the output undergoes %-esacape expansion.
+ * Returns the accumulated output as a vector.
+ */
+static struct output *
+parse_output(FILE *script, const struct script_config *config)
+{
+    char *line, *token, *message;
+    struct output *output;
+    int priority;
+
+    output = output_new();
+    if (output == NULL)
+        sysbail("cannot allocate vector");
+    for (line = readline(script); line != NULL; line = readline(script)) {
+        token = strtok(line, " ");
+        priority = string_to_priority(token);
+        token = strtok(NULL, "");
+        if (token == NULL)
+            bail("malformed line %s", line);
+        message = expand_string(token, config);
+        output_add(output, priority, message);
+        free(message);
+        free(line);
+    }
+    return output;
+}
+
+
+/*
+ * Parse the prompts section of a PAM script.  This consists of zero or more
+ * lines in one of the formats:
+ *
+ *     type = prompt
+ *     type = /prompt/
+ *     type = prompt|response
+ *     type = /prompt/|response
+ *
+ * If the type is error_msg or info, there is no response.  Otherwise,
+ * everything after the last | is taken to be the response that should be
+ * provided to that prompt.  The response undergoes %-escape expansion.
+ */
+static struct prompts *
+parse_prompts(FILE *script, const struct script_config *config)
+{
+    struct prompts *prompts = NULL;
+    struct prompt *prompt;
+    char *line, *token, *style, *end;
+    size_t size, count, i;
+    size_t length = 0;
+
+    for (line = readline(script); line != NULL; line = readline(script)) {
+        length = strlen(line);
+        token = strtok(line, " ");
+        if (token[0] == '[')
+            break;
+        if (prompts == NULL) {
+            prompts = bcalloc(1, sizeof(struct prompts));
+            prompts->prompts = bcalloc(1, sizeof(struct prompt));
+            prompts->allocated = 1;
+        } else if (prompts->allocated == prompts->size) {
+            count = prompts->allocated * 2;
+            size = sizeof(struct prompt);
+            prompts->prompts = breallocarray(prompts->prompts, count, size);
+            prompts->allocated = count;
+            for (i = prompts->size; i < prompts->allocated; i++) {
+                prompts->prompts[i].prompt = NULL;
+                prompts->prompts[i].response = NULL;
+            }
+        }
+        prompt = &prompts->prompts[prompts->size];
+        style = token;
+        token = strtok(NULL, " ");
+        if (token == NULL)
+            bail("malformed prompt line");
+        if (strcmp(token, "=") != 0)
+            bail("malformed prompt line near %s", token);
+        prompt->style = string_to_style(style);
+        token = strtok(NULL, "");
+        if (prompt->style == PAM_ERROR_MSG || prompt->style == PAM_TEXT_INFO)
+            prompt->prompt = expand_string(token, config);
+        else {
+            end = strrchr(token, '|');
+            if (end == NULL)
+                bail("malformed prompt line near %s", token);
+            *end = '\0';
+            prompt->prompt = expand_string(token, config);
+            token = end + 1;
+            prompt->response = expand_string(token, config);
+        }
+        prompts->size++;
+        free(line);
+    }
+    if (line != NULL) {
+        free(line);
+        rewind_section(script, length);
+    }
+    return prompts;
+}
+
+
+/*
+ * Parse a PAM interaction script.  This handles parsing of the top-level
+ * section markers and dispatches the parsing to other functions.  Returns the
+ * total work to do as a work struct.
+ */
+struct work *
+parse_script(FILE *script, const struct script_config *config)
+{
+    struct work *work;
+    char *line, *token;
+
+    work = bmalloc(sizeof(struct work));
+    memset(work, 0, sizeof(struct work));
+    work->end_flags = PAM_SUCCESS;
+    for (line = readline(script); line != NULL; line = readline(script)) {
+        token = strtok(line, " ");
+        if (token[0] != '[')
+            bail("line outside of section: %s", line);
+        if (strcmp(token, "[options]") == 0)
+            parse_options(script, work, config);
+        else if (strcmp(token, "[run]") == 0)
+            work->actions = parse_run(script);
+        else if (strcmp(token, "[end]") == 0)
+            work->end_flags = parse_end(script);
+        else if (strcmp(token, "[output]") == 0)
+            work->output = parse_output(script, config);
+        else if (strcmp(token, "[prompts]") == 0)
+            work->prompts = parse_prompts(script, config);
+        else
+            bail("unknown section: %s", token);
+        free(line);
+    }
+    if (work->actions == NULL)
+        bail("no run section defined");
+    return work;
+}
diff --git a/tests/fakepam/data.c b/tests/fakepam/data.c
new file mode 100644
index 000000000000..0650d59e9b75
--- /dev/null
+++ b/tests/fakepam/data.c
@@ -0,0 +1,356 @@
+/*
+ * Data manipulation functions for the fake PAM library, used for testing.
+ *
+ * This file contains the implementation of pam_get_* and pam_set_* for the
+ * various data items supported by the PAM library, plus the PAM environment
+ * manipulation functions.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2017, 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2010-2011, 2014
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <config.h>
+#include <portable/pam.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/pam.h>
+
+/* Used for unused parameters to silence gcc warnings. */
+#define UNUSED __attribute__((__unused__))
+
+
+/*
+ * Return a stored PAM data element in the provided data variable.  As a
+ * special case, if the data is NULL, pretend it doesn't exist.
+ */
+int
+pam_get_data(const pam_handle_t *pamh, const char *name, const void **data)
+{
+    struct fakepam_data *item;
+
+    for (item = pamh->data; item != NULL; item = item->next)
+        if (strcmp(item->name, name) == 0) {
+            if (item->data == NULL)
+                return PAM_NO_MODULE_DATA;
+            *data = item->data;
+            return PAM_SUCCESS;
+        }
+    return PAM_NO_MODULE_DATA;
+}
+
+
+/*
+ * Store a data item.  Replaces the existing data item (calling its cleanup)
+ * if it is already set; otherwise, add a new data item.
+ */
+int
+pam_set_data(pam_handle_t *pamh, const char *item, void *data,
+             void (*cleanup)(pam_handle_t *, void *, int))
+{
+    struct fakepam_data *p;
+
+    for (p = pamh->data; p != NULL; p = p->next)
+        if (strcmp(p->name, item) == 0) {
+            if (p->cleanup != NULL)
+                p->cleanup(pamh, p->data, PAM_DATA_REPLACE);
+            p->data = data;
+            p->cleanup = cleanup;
+            return PAM_SUCCESS;
+        }
+    p = malloc(sizeof(struct fakepam_data));
+    if (p == NULL)
+        return PAM_BUF_ERR;
+    p->name = strdup(item);
+    if (p->name == NULL) {
+        free(p);
+        return PAM_BUF_ERR;
+    }
+    p->data = data;
+    p->cleanup = cleanup;
+    p->next = pamh->data;
+    pamh->data = p;
+    return PAM_SUCCESS;
+}
+
+
+/*
+ * Retrieve a PAM item.  Currently, this only supports a limited subset of the
+ * possible items.
+ */
+int
+pam_get_item(const pam_handle_t *pamh, int item, PAM_CONST void **data)
+{
+    switch (item) {
+    case PAM_AUTHTOK:
+        *data = pamh->authtok;
+        return PAM_SUCCESS;
+    case PAM_CONV:
+        if (pamh->conversation) {
+            *data = pamh->conversation;
+            return PAM_SUCCESS;
+        } else {
+            return PAM_BAD_ITEM;
+        }
+    case PAM_OLDAUTHTOK:
+        *data = pamh->oldauthtok;
+        return PAM_SUCCESS;
+    case PAM_RHOST:
+        *data = (PAM_CONST char *) pamh->rhost;
+        return PAM_SUCCESS;
+    case PAM_RUSER:
+        *data = (PAM_CONST char *) pamh->ruser;
+        return PAM_SUCCESS;
+    case PAM_SERVICE:
+        *data = (PAM_CONST char *) pamh->service;
+        return PAM_SUCCESS;
+    case PAM_TTY:
+        *data = (PAM_CONST char *) pamh->tty;
+        return PAM_SUCCESS;
+    case PAM_USER:
+        *data = (PAM_CONST char *) pamh->user;
+        return PAM_SUCCESS;
+    case PAM_USER_PROMPT:
+        *data = "login: ";
+        return PAM_SUCCESS;
+    default:
+        return PAM_BAD_ITEM;
+    }
+}
+
+
+/*
+ * Set a PAM item.  Currently only PAM_USER is supported.
+ */
+int
+pam_set_item(pam_handle_t *pamh, int item, PAM_CONST void *data)
+{
+    switch (item) {
+    case PAM_AUTHTOK:
+        free(pamh->authtok);
+        pamh->authtok = strdup(data);
+        if (pamh->authtok == NULL)
+            return PAM_BUF_ERR;
+        return PAM_SUCCESS;
+    case PAM_OLDAUTHTOK:
+        free(pamh->oldauthtok);
+        pamh->oldauthtok = strdup(data);
+        if (pamh->oldauthtok == NULL)
+            return PAM_BUF_ERR;
+        return PAM_SUCCESS;
+    case PAM_RHOST:
+        free(pamh->rhost);
+        pamh->rhost = strdup(data);
+        if (pamh->rhost == NULL)
+            return PAM_BUF_ERR;
+        return PAM_SUCCESS;
+    case PAM_RUSER:
+        free(pamh->ruser);
+        pamh->ruser = strdup(data);
+        if (pamh->ruser == NULL)
+            return PAM_BUF_ERR;
+        return PAM_SUCCESS;
+    case PAM_TTY:
+        free(pamh->tty);
+        pamh->tty = strdup(data);
+        if (pamh->tty == NULL)
+            return PAM_BUF_ERR;
+        return PAM_SUCCESS;
+    case PAM_USER:
+        pamh->user = (const char *) data;
+        return PAM_SUCCESS;
+    default:
+        return PAM_BAD_ITEM;
+    }
+}
+
+
+/*
+ * Return the user for the PAM context.
+ */
+int
+pam_get_user(pam_handle_t *pamh, PAM_CONST char **user,
+             const char *prompt UNUSED)
+{
+    if (pamh->user == NULL)
+        return PAM_CONV_ERR;
+    else {
+        *user = (PAM_CONST char *) pamh->user;
+        return PAM_SUCCESS;
+    }
+}
+
+
+/*
+ * Return a setting in the PAM environment.
+ */
+PAM_CONST char *
+pam_getenv(pam_handle_t *pamh, const char *name)
+{
+    size_t i;
+
+    if (pamh->environ == NULL)
+        return NULL;
+    for (i = 0; pamh->environ[i] != NULL; i++)
+        if (strncmp(name, pamh->environ[i], strlen(name)) == 0
+            && pamh->environ[i][strlen(name)] == '=')
+            return pamh->environ[i] + strlen(name) + 1;
+    return NULL;
+}
+
+
+/*
+ * Return a newly malloc'd copy of the complete PAM environment.  This must be
+ * freed by the caller.
+ */
+char **
+pam_getenvlist(pam_handle_t *pamh)
+{
+    char **env;
+    size_t i;
+
+    if (pamh->environ == NULL) {
+        pamh->environ = malloc(sizeof(char *));
+        if (pamh->environ == NULL)
+            return NULL;
+        pamh->environ[0] = NULL;
+    }
+    for (i = 0; pamh->environ[i] != NULL; i++)
+        ;
+    env = calloc(i + 1, sizeof(char *));
+    if (env == NULL)
+        return NULL;
+    for (i = 0; pamh->environ[i] != NULL; i++) {
+        env[i] = strdup(pamh->environ[i]);
+        if (env[i] == NULL)
+            goto fail;
+    }
+    env[i] = NULL;
+    return env;
+
+fail:
+    for (i = 0; env[i] != NULL; i++)
+        free(env[i]);
+    free(env);
+    return NULL;
+}
+
+
+/*
+ * Add a setting to the PAM environment.  If there is another existing
+ * variable with the same value, the value is replaced, unless the setting
+ * doesn't end in an equal sign.  If it doesn't end in an equal sign, any
+ * existing environment variable of that name is removed.  This follows the
+ * Linux PAM semantics.
+ *
+ * On HP-UX, there is no separate PAM environment, so the module just uses the
+ * main environment.  For our tests to work on that platform, we therefore
+ * have to do the same thing.
+ */
+#ifdef HAVE_PAM_GETENV
+int
+pam_putenv(pam_handle_t *pamh, const char *setting)
+{
+    char *copy = NULL;
+    const char *equals;
+    size_t namelen;
+    bool delete = false;
+    bool found = false;
+    size_t i, j;
+    char **env;
+
+    equals = strchr(setting, '=');
+    if (equals != NULL)
+        namelen = equals - setting;
+    else {
+        delete = true;
+        namelen = strlen(setting);
+    }
+    if (!delete) {
+        copy = strdup(setting);
+        if (copy == NULL)
+            return PAM_BUF_ERR;
+    }
+
+    /* Handle the first call to pam_putenv. */
+    if (pamh->environ == NULL) {
+        if (delete)
+            return PAM_BAD_ITEM;
+        pamh->environ = calloc(2, sizeof(char *));
+        if (pamh->environ == NULL) {
+            free(copy);
+            return PAM_BUF_ERR;
+        }
+        pamh->environ[0] = copy;
+        pamh->environ[1] = NULL;
+        return PAM_SUCCESS;
+    }
+
+    /*
+     * We have an existing array.  See if we're replacing a value, deleting a
+     * value, or adding a new one.  When deleting, waste a bit of memory but
+     * save some time by not bothering to reduce the size of the array.
+     */
+    for (i = 0; pamh->environ[i] != NULL; i++)
+        if (strncmp(setting, pamh->environ[i], namelen) == 0
+            && pamh->environ[i][namelen] == '=') {
+            if (delete) {
+                free(pamh->environ[i]);
+                for (j = i + 1; pamh->environ[j] != NULL; i++, j++)
+                    pamh->environ[i] = pamh->environ[j];
+                pamh->environ[i] = NULL;
+            } else {
+                free(pamh->environ[i]);
+                pamh->environ[i] = copy;
+            }
+            found = true;
+            break;
+        }
+    if (!found) {
+        if (delete)
+            return PAM_BAD_ITEM;
+        env = reallocarray(pamh->environ, (i + 2), sizeof(char *));
+        if (env == NULL) {
+            free(copy);
+            return PAM_BUF_ERR;
+        }
+        pamh->environ = env;
+        pamh->environ[i] = copy;
+        pamh->environ[i + 1] = NULL;
+    }
+    return PAM_SUCCESS;
+}
+
+#else /* !HAVE_PAM_GETENV */
+
+int
+pam_putenv(pam_handle_t *pamh UNUSED, const char *setting)
+{
+    return putenv((char *) setting);
+}
+
+#endif /* !HAVE_PAM_GETENV */
diff --git a/tests/fakepam/general.c b/tests/fakepam/general.c
new file mode 100644
index 000000000000..0f11bb2f7995
--- /dev/null
+++ b/tests/fakepam/general.c
@@ -0,0 +1,151 @@
+/*
+ * Interface for fake PAM library, used for testing.
+ *
+ * This contains the basic public interfaces for the fake PAM library, used
+ * for testing, and some general utility functions.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2010-2011, 2014
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <config.h>
+#include <portable/pam.h>
+#include <portable/system.h>
+
+#include <errno.h>
+#include <pwd.h>
+
+#include <tests/fakepam/pam.h>
+
+/* Stores the static struct passwd returned by getpwnam if the name matches. */
+static struct passwd *pwd_info = NULL;
+
+/* Used for unused parameters to silence gcc warnings. */
+#define UNUSED __attribute__((__unused__))
+
+
+/*
+ * Initializes the pam_handle_t data structure.  This function is only called
+ * from test programs, not from any of the module code.  We can put anything
+ * we want in this structure, since it's opaque to the regular code.
+ */
+int
+pam_start(const char *service_name, const char *user,
+          const struct pam_conv *pam_conversation, pam_handle_t **pamh)
+{
+    struct pam_handle *handle;
+
+    handle = calloc(1, sizeof(struct pam_handle));
+    if (handle == NULL)
+        return PAM_BUF_ERR;
+    handle->service = service_name;
+    handle->user = user;
+    handle->conversation = pam_conversation;
+    *pamh = handle;
+    return PAM_SUCCESS;
+}
+
+
+/*
+ * Free the pam_handle_t data structure and related resources.  This is
+ * important to test the data cleanups.  Freeing the memory is not strictly
+ * required since it's only used for testing, but it helps keep our memory
+ * usage clean so that we can run the test suite under valgrind.
+ */
+int
+pam_end(pam_handle_t *pamh, int status)
+{
+    struct fakepam_data *item, *next;
+    size_t i;
+
+    if (pamh->environ != NULL) {
+        for (i = 0; pamh->environ[i] != NULL; i++)
+            free(pamh->environ[i]);
+        free(pamh->environ);
+    }
+    free(pamh->authtok);
+    free(pamh->oldauthtok);
+    free(pamh->rhost);
+    free(pamh->ruser);
+    free(pamh->tty);
+    for (item = pamh->data; item != NULL;) {
+        if (item->cleanup != NULL)
+            item->cleanup(pamh, item->data, status);
+        free(item->name);
+        next = item->next;
+        free(item);
+        item = next;
+    }
+    free(pamh);
+    return PAM_SUCCESS;
+}
+
+
+/*
+ * Interface specific to this fake PAM library to set the struct passwd that's
+ * returned by getpwnam queries if the name matches.
+ */
+void
+pam_set_pwd(struct passwd *pwd)
+{
+    pwd_info = pwd;
+}
+
+
+/*
+ * For testing purposes, we want to be able to intercept getpwnam.  This is
+ * fairly easy on platforms that have pam_modutil_getpwnam, since then our
+ * code will always call that function and we can provide an implementation
+ * that does whatever we want.  For platforms that don't have that function,
+ * we'll try to intercept the C library getpwnam function.
+ *
+ * We store only one struct passwd data structure statically.  If the user
+ * we're looking up matches that, we return it; otherwise, we return NULL.
+ */
+#ifdef HAVE_PAM_MODUTIL_GETPWNAM
+struct passwd *
+pam_modutil_getpwnam(pam_handle_t *pamh UNUSED, const char *name)
+{
+    if (pwd_info != NULL && strcmp(pwd_info->pw_name, name) == 0)
+        return pwd_info;
+    else {
+        errno = 0;
+        return NULL;
+    }
+}
+#else
+struct passwd *
+getpwnam(const char *name)
+{
+    if (pwd_info != NULL && strcmp(pwd_info->pw_name, name) == 0)
+        return pwd_info;
+    else {
+        errno = 0;
+        return NULL;
+    }
+}
+#endif
diff --git a/tests/fakepam/internal.h b/tests/fakepam/internal.h
new file mode 100644
index 000000000000..3c6fedacd45e
--- /dev/null
+++ b/tests/fakepam/internal.h
@@ -0,0 +1,119 @@
+/*
+ * Internal data types and prototypes for the fake PAM test framework.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2021 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011-2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#ifndef FAKEPAM_INTERNAL_H
+#define FAKEPAM_INTERNAL_H 1
+
+#include <portable/pam.h>
+#include <sys/types.h>
+
+/* Forward declarations to avoid unnecessary includes. */
+struct output;
+struct script_config;
+
+/* The type of a PAM module call. */
+typedef int (*pam_call)(pam_handle_t *, int, int, const char **);
+
+/* The possible PAM groups as element numbers in an array of options. */
+enum group_type
+{
+    GROUP_ACCOUNT = 0,
+    GROUP_AUTH = 1,
+    GROUP_PASSWORD = 2,
+    GROUP_SESSION = 3,
+};
+
+/* Holds a PAM argc and argv. */
+struct options {
+    char **argv;
+    int argc;
+};
+
+/*
+ * Holds a linked list of actions: a PAM call that should return some
+ * status.
+ */
+struct action {
+    char *name;
+    pam_call call;
+    int flags;
+    enum group_type group;
+    int status;
+    struct action *next;
+};
+
+/* Holds an expected PAM prompt style, the prompt, and the response. */
+struct prompt {
+    int style;
+    char *prompt;
+    char *response;
+};
+
+/* Holds an array of PAM prompts and the current index into that array. */
+struct prompts {
+    struct prompt *prompts;
+    size_t size;
+    size_t allocated;
+    size_t current;
+};
+
+/*
+ * Holds the complete set of things that we should do, configuration for them,
+ * and expected output and return values.
+ */
+struct work {
+    struct options options[4];
+    struct action *actions;
+    struct prompts *prompts;
+    struct output *output;
+    int end_flags;
+};
+
+BEGIN_DECLS
+
+
+/* Create a new output struct. */
+struct output *output_new(void);
+
+/* Add a new output line (with numeric priority) to an output struct. */
+void output_add(struct output *, int, const char *);
+
+
+/*
+ * Parse a PAM interaction script.  Returns the total work to do as a work
+ * struct.
+ */
+struct work *parse_script(FILE *, const struct script_config *);
+
+END_DECLS
+
+#endif /* !FAKEPAM_API_H */
diff --git a/tests/fakepam/kuserok.c b/tests/fakepam/kuserok.c
new file mode 100644
index 000000000000..d66bc1d03acc
--- /dev/null
+++ b/tests/fakepam/kuserok.c
@@ -0,0 +1,119 @@
+/*
+ * Replacement for krb5_kuserok for testing.
+ *
+ * This is a reimplementation of krb5_kuserok that uses the replacement
+ * getpwnam function and the special passwd struct internal to the fake PAM
+ * module to locate .k5login.  The default Kerberos krb5_kuserok always calls
+ * the system getpwnam, which we may not be able to intercept, and will
+ * therefore fail because it can't locate the .k5login file for the test user
+ * (or succeed oddly because it finds some random file on the testing system).
+ *
+ * This implementation is drastically simplified from the Kerberos library
+ * version, and much less secure (which shouldn't matter since it's only
+ * acting on test data).
+ *
+ * This is an optional part of the fake PAM library and can be omitted when
+ * testing modules that don't use Kerberos.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <config.h>
+#include <portable/krb5.h>
+#include <portable/pam.h>
+#include <portable/system.h>
+
+#include <pwd.h>
+
+#include <tests/fakepam/pam.h>
+#include <tests/tap/string.h>
+
+
+/*
+ * Given a Kerberos principal representing the authenticated identity and the
+ * username of the local account, return true if that principal is authorized
+ * to log on to that account.  The principal is authorized if the .k5login
+ * file does not exist and the user matches the localname form of the
+ * principal, or if the file does exist and the principal is listed in it.
+ *
+ * This version retrieves the home directory from the internal fake PAM
+ * library path.
+ */
+krb5_boolean
+krb5_kuserok(krb5_context ctx, krb5_principal princ, const char *user)
+{
+    char *principal, *path;
+    struct passwd *pwd;
+    FILE *file;
+    krb5_error_code code;
+    char buffer[BUFSIZ];
+    bool found = false;
+#ifdef HAVE_PAM_MODUTIL_GETPWNAM
+    struct pam_handle pamh;
+#endif
+
+    /*
+     * Find .k5login and confirm if it exists.  If it doesn't, fall back on
+     * krb5_aname_to_localname.
+     */
+#ifdef HAVE_PAM_MODUTIL_GETPWNAM
+    memset(&pamh, 0, sizeof(pamh));
+    pwd = pam_modutil_getpwnam(&pamh, user);
+#else
+    pwd = getpwnam(user);
+#endif
+    if (pwd == NULL)
+        return false;
+    basprintf(&path, "%s/.k5login", pwd->pw_dir);
+    if (access(path, R_OK) < 0) {
+        free(path);
+        code = krb5_aname_to_localname(ctx, princ, sizeof(buffer), buffer);
+        return (code == 0 && strcmp(buffer, user) == 0);
+    }
+    file = fopen(path, "r");
+    if (file == NULL) {
+        free(path);
+        return false;
+    }
+    free(path);
+
+    /* .k5login exists.  Scan it for the principal. */
+    if (krb5_unparse_name(ctx, princ, &principal) != 0) {
+        fclose(file);
+        return false;
+    }
+    while (!found && (fgets(buffer, sizeof(buffer), file) != NULL)) {
+        if (buffer[strlen(buffer) - 1] == '\n')
+            buffer[strlen(buffer) - 1] = '\0';
+        if (strcmp(buffer, principal) == 0)
+            found = true;
+    }
+    fclose(file);
+    krb5_free_unparsed_name(ctx, principal);
+    return found;
+}
diff --git a/tests/fakepam/logging.c b/tests/fakepam/logging.c
new file mode 100644
index 000000000000..c3a3fa044576
--- /dev/null
+++ b/tests/fakepam/logging.c
@@ -0,0 +1,183 @@
+/*
+ * Logging functions for the fake PAM library, used for testing.
+ *
+ * This file contains the implementation of pam_syslog and pam_vsyslog, which
+ * log to an internal buffer rather than to syslog, and the testing function
+ * used to recover that buffer.  It also includes the pam_strerror
+ * implementation.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2010-2012, 2014
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <config.h>
+#include <portable/pam.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/internal.h>
+#include <tests/fakepam/pam.h>
+#include <tests/tap/basic.h>
+#include <tests/tap/string.h>
+
+/* Used for unused parameters to silence gcc warnings. */
+#define UNUSED __attribute__((__unused__))
+
+/* The struct used to accumulate log messages. */
+static struct output *messages = NULL;
+
+
+/*
+ * Allocate a new, empty output struct and call bail if memory allocation
+ * fails.
+ */
+struct output *
+output_new(void)
+{
+    struct output *output;
+
+    output = bmalloc(sizeof(struct output));
+    output->count = 0;
+    output->allocated = 1;
+    output->lines = bmalloc(sizeof(output->lines[0]));
+    output->lines[0].line = NULL;
+    return output;
+}
+
+
+/*
+ * Add a new output line to the output struct, resizing the array as
+ * necessary.  Calls bail if memory allocation fails.
+ */
+void
+output_add(struct output *output, int priority, const char *string)
+{
+    size_t next = output->count;
+    size_t size, n;
+
+    if (output->count == output->allocated) {
+        n = output->allocated + 1;
+        size = sizeof(output->lines[0]);
+        output->lines = breallocarray(output->lines, n, size);
+        output->allocated = n;
+    }
+    output->lines[next].priority = priority;
+    output->lines[next].line = bstrdup(string);
+    output->count++;
+}
+
+
+/*
+ * Return the error string associated with the PAM error code.  We do this as
+ * a giant case statement so that we don't assume anything about the error
+ * codes used by the system PAM library.
+ */
+const char *
+pam_strerror(PAM_STRERROR_CONST pam_handle_t *pamh UNUSED, int code)
+{
+    /* clang-format off */
+    switch (code) {
+    case PAM_SUCCESS:     return "No error";
+    case PAM_OPEN_ERR:    return "Failure loading service module";
+    case PAM_SYMBOL_ERR:  return "Symbol not found";
+    case PAM_SERVICE_ERR: return "Error in service module";
+    case PAM_SYSTEM_ERR:  return "System error";
+    case PAM_BUF_ERR:     return "Memory buffer error";
+    default:              return "Unknown error";
+    }
+    /* clang-format on */
+}
+
+
+/*
+ * Log a message using variadic arguments.  Just a wrapper around
+ * pam_vsyslog.
+ */
+void
+pam_syslog(const pam_handle_t *pamh, int priority, const char *format, ...)
+{
+    va_list args;
+
+    va_start(args, format);
+    pam_vsyslog(pamh, priority, format, args);
+    va_end(args);
+}
+
+
+/*
+ * Log a PAM error message with a given priority.  Just appends the priority,
+ * a space, and the error message, followed by a newline, to the internal
+ * buffer, allocating new space if needed.  Ignore memory allocation failures;
+ * we have no way of reporting them, but the tests will fail due to missing
+ * output.
+ */
+void
+pam_vsyslog(const pam_handle_t *pamh UNUSED, int priority, const char *format,
+            va_list args)
+{
+    char *message = NULL;
+
+    bvasprintf(&message, format, args);
+    if (messages == NULL)
+        messages = output_new();
+    output_add(messages, priority, message);
+    free(message);
+}
+
+
+/*
+ * Used by test code.  Returns the accumulated messages in an output struct
+ * and starts a new one.  Caller is responsible for freeing with
+ * pam_output_free.
+ */
+struct output *
+pam_output(void)
+{
+    struct output *output;
+
+    output = messages;
+    messages = NULL;
+    return output;
+}
+
+
+/*
+ * Free an output struct.
+ */
+void
+pam_output_free(struct output *output)
+{
+    size_t i;
+
+    if (output == NULL)
+        return;
+    for (i = 0; i < output->count; i++)
+        if (output->lines[i].line != NULL)
+            free(output->lines[i].line);
+    free(output->lines);
+    free(output);
+}
diff --git a/tests/fakepam/pam.h b/tests/fakepam/pam.h
new file mode 100644
index 000000000000..41f508e0f31f
--- /dev/null
+++ b/tests/fakepam/pam.h
@@ -0,0 +1,101 @@
+/*
+ * Testing interfaces to the fake PAM library.
+ *
+ * This header defines the interfaces to the fake PAM library that are used by
+ * test code to initialize the library and recover test data from it.  We
+ * don't define any interface that we're going to duplicate from the main PAM
+ * API.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2010-2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#ifndef FAKEPAM_PAM_H
+#define FAKEPAM_PAM_H 1
+
+#include <config.h>
+#include <portable/macros.h>
+#include <portable/pam.h>
+
+/* Used inside the fake PAM library to hold data items. */
+struct fakepam_data {
+    char *name;
+    void *data;
+    void (*cleanup)(pam_handle_t *, void *, int);
+    struct fakepam_data *next;
+};
+
+/* This is an opaque data structure, so we can put whatever we want in it. */
+struct pam_handle {
+    const char *service;
+    const char *user;
+    char *authtok;
+    char *oldauthtok;
+    char *rhost;
+    char *ruser;
+    char *tty;
+    const struct pam_conv *conversation;
+    char **environ;
+    struct fakepam_data *data;
+    struct passwd *pwd;
+};
+
+/*
+ * Used to accumulate output from the PAM module.  Each call to a logging
+ * function will result in an additional line added to the array, and count
+ * will hold the total.
+ */
+struct output {
+    size_t count;
+    size_t allocated;
+    struct {
+        int priority;
+        char *line;
+    } * lines;
+};
+
+BEGIN_DECLS
+
+/*
+ * Sets the struct passwd returned by getpwnam calls.  The last struct passed
+ * to this function will be returned provided the pw_name matches.
+ */
+void pam_set_pwd(struct passwd *pwd);
+
+/*
+ * Returns the accumulated messages logged with pam_syslog or pam_vsyslog
+ * since the last call to pam_output and then clears the output.  Returns
+ * newly allocated memory that the caller is responsible for freeing with
+ * pam_output_free, or NULL if no output has been logged since the last call
+ * or since startup.
+ */
+struct output *pam_output(void);
+void pam_output_free(struct output *);
+
+END_DECLS
+
+#endif /* !FAKEPAM_API_H */
diff --git a/tests/fakepam/script.c b/tests/fakepam/script.c
new file mode 100644
index 000000000000..6f3812577960
--- /dev/null
+++ b/tests/fakepam/script.c
@@ -0,0 +1,411 @@
+/*
+ * Run a PAM interaction script for testing.
+ *
+ * Provides an interface that loads a PAM interaction script from a file and
+ * runs through that script, calling the internal PAM module functions and
+ * checking their results.  This allows automation of PAM testing through
+ * external data files instead of coding everything in C.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2016, 2018, 2020-2021 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011-2012, 2014
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <config.h>
+#include <portable/pam.h>
+#include <portable/system.h>
+
+#include <ctype.h>
+#include <dirent.h>
+#include <errno.h>
+#ifdef HAVE_REGCOMP
+#    include <regex.h>
+#endif
+#include <syslog.h>
+
+#include <tests/fakepam/internal.h>
+#include <tests/fakepam/pam.h>
+#include <tests/fakepam/script.h>
+#include <tests/tap/basic.h>
+#include <tests/tap/macros.h>
+#include <tests/tap/string.h>
+
+
+/*
+ * Compare a regex to a string.  If regular expression support isn't
+ * available, we skip this test.
+ */
+#ifdef HAVE_REGCOMP
+static void __attribute__((__format__(printf, 3, 4)))
+like(const char *wanted, const char *seen, const char *format, ...)
+{
+    va_list args;
+    regex_t regex;
+    char err[BUFSIZ];
+    int status;
+
+    if (seen == NULL) {
+        fflush(stderr);
+        printf("# wanted: /%s/\n#   seen: (null)\n", wanted);
+        va_start(args, format);
+        okv(0, format, args);
+        va_end(args);
+        return;
+    }
+    memset(&regex, 0, sizeof(regex));
+    status = regcomp(&regex, wanted, REG_EXTENDED | REG_NOSUB);
+    if (status != 0) {
+        regerror(status, &regex, err, sizeof(err));
+        bail("invalid regex /%s/: %s", wanted, err);
+    }
+    status = regexec(&regex, seen, 0, NULL, 0);
+    switch (status) {
+    case 0:
+        va_start(args, format);
+        okv(1, format, args);
+        va_end(args);
+        break;
+    case REG_NOMATCH:
+        printf("# wanted: /%s/\n#   seen: %s\n", wanted, seen);
+        va_start(args, format);
+        okv(0, format, args);
+        va_end(args);
+        break;
+    default:
+        regerror(status, &regex, err, sizeof(err));
+        bail("regexec failed for regex /%s/: %s", wanted, err);
+    }
+    regfree(&regex);
+}
+#else  /* !HAVE_REGCOMP */
+static void
+like(const char *wanted, const char *seen, const char *format UNUSED, ...)
+{
+    diag("wanted /%s/", wanted);
+    diag("  seen %s", seen);
+    skip("regex support not available");
+}
+#endif /* !HAVE_REGCOMP */
+
+
+/*
+ * Compare an expected string with a seen string, used by both output checking
+ * and prompt checking.  This is a separate function because the expected
+ * string may be a regex, determined by seeing if it starts and ends with a
+ * slash (/), which may require a regex comparison.
+ *
+ * Eventually calls either is_string or ok to report results via TAP.
+ */
+static void __attribute__((__format__(printf, 3, 4)))
+compare_string(char *wanted, char *seen, const char *format, ...)
+{
+    va_list args;
+    char *comment, *regex;
+    size_t length;
+
+    /* Format the comment since we need it regardless. */
+    va_start(args, format);
+    bvasprintf(&comment, format, args);
+    va_end(args);
+
+    /* Check whether the wanted string is a regex. */
+    length = strlen(wanted);
+    if (wanted[0] == '/' && wanted[length - 1] == '/') {
+        regex = bstrndup(wanted + 1, length - 2);
+        like(regex, seen, "%s", comment);
+        free(regex);
+    } else {
+        is_string(wanted, seen, "%s", comment);
+    }
+    free(comment);
+}
+
+
+/*
+ * The PAM conversation function.  Takes the prompts struct from the
+ * configuration and interacts appropriately.  If a prompt is of the expected
+ * type but not the expected string, it still responds; if it's not of the
+ * expected type, it returns PAM_CONV_ERR.
+ *
+ * Currently only handles a single prompt at a time.
+ */
+static int
+converse(int num_msg, const struct pam_message **msg,
+         struct pam_response **resp, void *appdata_ptr)
+{
+    struct prompts *prompts = appdata_ptr;
+    struct prompt *prompt;
+    char *message;
+    size_t length;
+    int i;
+
+    *resp = bcalloc(num_msg, sizeof(struct pam_response));
+    for (i = 0; i < num_msg; i++) {
+        message = bstrdup(msg[i]->msg);
+
+        /* Remove newlines for comparison purposes. */
+        length = strlen(message);
+        while (length > 0 && message[length - 1] == '\n')
+            message[length-- - 1] = '\0';
+
+        /* Check if we've gotten too many prompts but quietly ignore them. */
+        if (prompts->current >= prompts->size) {
+            diag("unexpected prompt: %s", message);
+            free(message);
+            ok(0, "more prompts than expected");
+            continue;
+        }
+
+        /* Be sure everything matches and return the response, if any. */
+        prompt = &prompts->prompts[prompts->current];
+        is_int(prompt->style, msg[i]->msg_style, "style of prompt %lu",
+               (unsigned long) prompts->current + 1);
+        compare_string(prompt->prompt, message, "value of prompt %lu",
+                       (unsigned long) prompts->current + 1);
+        free(message);
+        prompts->current++;
+        if (prompt->style == msg[i]->msg_style && prompt->response != NULL) {
+            (*resp)[i].resp = bstrdup(prompt->response);
+            (*resp)[i].resp_retcode = 0;
+        }
+    }
+
+    /*
+     * Always return success even if the prompts don't match.  Otherwise,
+     * we're likely to abort the conversation in the middle and possibly
+     * leave passwords set incorrectly.
+     */
+    return PAM_SUCCESS;
+}
+
+
+/*
+ * Check the actual PAM output against the expected output.  We divide the
+ * expected and seen output into separate lines and compare each one so that
+ * we can handle regular expressions and the output priority.
+ */
+static void
+check_output(const struct output *wanted, const struct output *seen)
+{
+    size_t i;
+
+    if (wanted == NULL && seen == NULL)
+        ok(1, "no output");
+    else if (wanted == NULL) {
+        for (i = 0; i < seen->count; i++)
+            diag("unexpected: (%d) %s", seen->lines[i].priority,
+                 seen->lines[i].line);
+        ok(0, "no output");
+    } else if (seen == NULL) {
+        for (i = 0; i < wanted->count; i++) {
+            is_int(wanted->lines[i].priority, 0, "output priority %lu",
+                   (unsigned long) i + 1);
+            is_string(wanted->lines[i].line, NULL, "output line %lu",
+                      (unsigned long) i + 1);
+        }
+    } else {
+        for (i = 0; i < wanted->count && i < seen->count; i++) {
+            is_int(wanted->lines[i].priority, seen->lines[i].priority,
+                   "output priority %lu", (unsigned long) i + 1);
+            compare_string(wanted->lines[i].line, seen->lines[i].line,
+                           "output line %lu", (unsigned long) i + 1);
+        }
+        if (wanted->count > seen->count)
+            for (i = seen->count; i < wanted->count; i++) {
+                is_int(wanted->lines[i].priority, 0, "output priority %lu",
+                       (unsigned long) i + 1);
+                is_string(wanted->lines[i].line, NULL, "output line %lu",
+                          (unsigned long) i + 1);
+            }
+        if (seen->count > wanted->count) {
+            for (i = wanted->count; i < seen->count; i++)
+                diag("unexpected: (%d) %s", seen->lines[i].priority,
+                     seen->lines[i].line);
+            ok(0, "unexpected output lines");
+        } else {
+            ok(1, "no excess output");
+        }
+    }
+}
+
+
+/*
+ * The core of the work.  Given the path to a PAM interaction script, which
+ * may be relative to C_TAP_SOURCE or C_TAP_BUILD, the user (may be NULL), and
+ * the stored password (may be NULL), run that script, outputting the results
+ * in TAP format.
+ */
+void
+run_script(const char *file, const struct script_config *config)
+{
+    char *path;
+    struct output *output;
+    FILE *script;
+    struct work *work;
+    struct options *opts;
+    struct action *action, *oaction;
+    struct pam_conv conv = {NULL, NULL};
+    pam_handle_t *pamh;
+    int status;
+    size_t i, j;
+    const char *argv_empty[] = {NULL};
+
+    /* Open and parse the script. */
+    if (access(file, R_OK) == 0)
+        path = bstrdup(file);
+    else {
+        path = test_file_path(file);
+        if (path == NULL)
+            bail("cannot find PAM script %s", file);
+    }
+    script = fopen(path, "r");
+    if (script == NULL)
+        sysbail("cannot open %s", path);
+    work = parse_script(script, config);
+    fclose(script);
+    diag("Starting %s", file);
+    if (work->prompts != NULL) {
+        conv.conv = converse;
+        conv.appdata_ptr = work->prompts;
+    }
+
+    /* Initialize PAM. */
+    status = pam_start("test", config->user, &conv, &pamh);
+    if (status != PAM_SUCCESS)
+        sysbail("cannot create PAM handle");
+    if (config->authtok != NULL)
+        pamh->authtok = bstrdup(config->authtok);
+    if (config->oldauthtok != NULL)
+        pamh->oldauthtok = bstrdup(config->oldauthtok);
+
+    /* Run the actions and check their return status. */
+    for (action = work->actions; action != NULL; action = action->next) {
+        if (work->options[action->group].argv == NULL)
+            status = (*action->call)(pamh, action->flags, 0, argv_empty);
+        else {
+            opts = &work->options[action->group];
+            status = (*action->call)(pamh, action->flags, opts->argc,
+                                     (const char **) opts->argv);
+        }
+        is_int(action->status, status, "status for %s", action->name);
+    }
+    output = pam_output();
+    check_output(work->output, output);
+    pam_output_free(output);
+
+    /* If we have a test callback, call it now. */
+    if (config->callback != NULL)
+        config->callback(pamh, config, config->data);
+
+    /* Free memory and return. */
+    pam_end(pamh, work->end_flags);
+    action = work->actions;
+    while (action != NULL) {
+        free(action->name);
+        oaction = action;
+        action = action->next;
+        free(oaction);
+    }
+    for (i = 0; i < ARRAY_SIZE(work->options); i++)
+        if (work->options[i].argv != NULL) {
+            for (j = 0; work->options[i].argv[j] != NULL; j++)
+                free(work->options[i].argv[j]);
+            free(work->options[i].argv);
+        }
+    if (work->output)
+        pam_output_free(work->output);
+    if (work->prompts != NULL) {
+        for (i = 0; i < work->prompts->size; i++) {
+            free(work->prompts->prompts[i].prompt);
+            free(work->prompts->prompts[i].response);
+        }
+        free(work->prompts->prompts);
+        free(work->prompts);
+    }
+    free(work);
+    free(path);
+}
+
+
+/*
+ * Check a filename for acceptable characters.  Returns true if the file
+ * consists solely of [a-zA-Z0-9-] and false otherwise.
+ */
+static bool
+valid_filename(const char *filename)
+{
+    const char *p;
+
+    for (p = filename; *p != '\0'; p++) {
+        if (*p >= 'A' && *p <= 'Z')
+            continue;
+        if (*p >= 'a' && *p <= 'z')
+            continue;
+        if (*p >= '0' && *p <= '9')
+            continue;
+        if (*p == '-')
+            continue;
+        return false;
+    }
+    return true;
+}
+
+
+/*
+ * The same as run_script, but run every script found in the given directory,
+ * skipping file names that contain characters other than alphanumerics and -.
+ */
+void
+run_script_dir(const char *dir, const struct script_config *config)
+{
+    DIR *handle;
+    struct dirent *entry;
+    const char *path;
+    char *file;
+
+    if (access(dir, R_OK) == 0)
+        path = dir;
+    else
+        path = test_file_path(dir);
+    handle = opendir(path);
+    if (handle == NULL)
+        sysbail("cannot open directory %s", dir);
+    errno = 0;
+    while ((entry = readdir(handle)) != NULL) {
+        if (!valid_filename(entry->d_name))
+            continue;
+        basprintf(&file, "%s/%s", path, entry->d_name);
+        run_script(file, config);
+        free(file);
+        errno = 0;
+    }
+    if (errno != 0)
+        sysbail("cannot read directory %s", dir);
+    closedir(handle);
+    if (path != dir)
+        test_file_path_free((char *) path);
+}
diff --git a/tests/fakepam/script.h b/tests/fakepam/script.h
new file mode 100644
index 000000000000..c99fc12f55d2
--- /dev/null
+++ b/tests/fakepam/script.h
@@ -0,0 +1,82 @@
+/*
+ * PAM interaction script API.
+ *
+ * Provides an interface that loads a PAM interaction script from a file and
+ * runs through that script, calling the internal PAM module functions and
+ * checking their results.  This allows automation of PAM testing through
+ * external data files instead of coding everything in C.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2016 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011-2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#ifndef TESTS_MODULE_SCRIPT_H
+#define TESTS_MODULE_SCRIPT_H 1
+
+#include <portable/pam.h>
+
+#include <tests/tap/basic.h>
+
+/* A test callback called after PAM functions are run but before pam_end. */
+struct script_config;
+typedef void (*script_callback)(pam_handle_t *, const struct script_config *,
+                                void *);
+
+/* Configuration for the PAM interaction script API. */
+struct script_config {
+    const char *user;         /* Username to pass into pam_start (%u). */
+    const char *password;     /* Substituted for %p in prompts. */
+    const char *newpass;      /* Substituted for %n in prompts. */
+    const char *extra[10];    /* Substituted for %0-%9 in logging. */
+    const char *authtok;      /* Stored as AUTHTOK before PAM. */
+    const char *oldauthtok;   /* Stored as OLDAUTHTOK before PAM. */
+    script_callback callback; /* Called after PAM, before pam_end. */
+    void *data;               /* Passed to the callback function. */
+};
+
+BEGIN_DECLS
+
+/*
+ * Given the file name of an interaction script (which may be a full path or
+ * relative to C_TAP_SOURCE or C_TAP_BUILD) and configuration containing other
+ * parameters such as the user, run that script, reporting the results via the
+ * TAP format.
+ */
+void run_script(const char *file, const struct script_config *)
+    __attribute__((__nonnull__));
+
+/*
+ * The same as run_script, but run every script found in the given directory,
+ * skipping file names that contain characters other than alphanumerics and -.
+ */
+void run_script_dir(const char *dir, const struct script_config *)
+    __attribute__((__nonnull__));
+
+END_DECLS
+
+#endif /* !TESTS_MODULE_SCRIPT_H */
diff --git a/tests/module/alt-auth-t.c b/tests/module/alt-auth-t.c
new file mode 100644
index 000000000000..df32ff941001
--- /dev/null
+++ b/tests/module/alt-auth-t.c
@@ -0,0 +1,117 @@
+/*
+ * Tests for the alt_auth_map functionality in libpam-krb5.
+ *
+ * This test case tests the variations of the alt_auth_map functionality for
+ * both authentication and account management.  It requires a Kerberos
+ * configuration, but does not attempt to save a session ticket cache (to
+ * avoid requiring user configuration).
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/script.h>
+#include <tests/tap/kerberos.h>
+#include <tests/tap/process.h>
+#include <tests/tap/string.h>
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct kerberos_config *krbconf;
+    char *user;
+
+    /*
+     * Load the Kerberos principal and password from a file, but set the
+     * principal as extra[0] and use something else bogus as the user.  We
+     * want to test that alt_auth_map works when there's no relationship
+     * between the mapped principal and the user.
+     */
+    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
+    memset(&config, 0, sizeof(config));
+    config.user = "bogus-nonexistent-account";
+    config.authtok = krbconf->password;
+    config.extra[0] = krbconf->username;
+    config.extra[1] = krbconf->userprinc;
+
+    /*
+     * Generate a testing krb5.conf file with a nonexistent default realm so
+     * that we can be sure that our principals will stay fully-qualified in
+     * the logs.
+     */
+    kerberos_generate_conf("bogus.example.com");
+    config.extra[2] = "bogus.example.com";
+
+    /* Test without password prompting. */
+    plan_lazy();
+    run_script("data/scripts/alt-auth/basic", &config);
+    run_script("data/scripts/alt-auth/basic-debug", &config);
+    run_script("data/scripts/alt-auth/fail", &config);
+    run_script("data/scripts/alt-auth/fail-debug", &config);
+    run_script("data/scripts/alt-auth/force", &config);
+    run_script("data/scripts/alt-auth/only", &config);
+
+    /*
+     * If the alternate account exists but the password is incorrect, we
+     * should not fall back to the regular account.  Test with debug so that
+     * we don't need two principals configured.
+     */
+    config.authtok = "bogus incorrect password";
+    run_script("data/scripts/alt-auth/force-fail-debug", &config);
+
+    /*
+     * Switch to our correct user (but wrong realm) realm to test username
+     * mapping to a different realm.
+     */
+    config.authtok = krbconf->password;
+    config.user = krbconf->username;
+    config.extra[2] = krbconf->realm;
+    run_script("data/scripts/alt-auth/username-map", &config);
+
+    /*
+     * Split the username into two parts, one in the PAM configuration and one
+     * in the real username, so that we can test interpolation of the username
+     * when %s isn't the first token.
+     */
+    config.user = &krbconf->username[1];
+    user = bstrndup(krbconf->username, 1);
+    config.extra[3] = user;
+    run_script("data/scripts/alt-auth/username-map-prefix", &config);
+    free(user);
+    config.extra[3] = NULL;
+
+    /*
+     * Ensure that we don't add the realm of the authentication username when
+     * the alt_auth_map already includes a realm.
+     */
+    basprintf(&user, "%s@foo.example.com", krbconf->username);
+    config.user = user;
+    diag("re-running username-map with fully-qualified PAM user");
+    run_script("data/scripts/alt-auth/username-map", &config);
+    free(user);
+
+    /*
+     * Add the password and make the user match our authentication principal,
+     * and then test fallback to normal authentication when alternative
+     * authentication fails.
+     */
+    config.user = krbconf->userprinc;
+    config.password = krbconf->password;
+    config.extra[2] = krbconf->realm;
+    run_script("data/scripts/alt-auth/fallback", &config);
+    run_script("data/scripts/alt-auth/fallback-debug", &config);
+    run_script("data/scripts/alt-auth/fallback-realm", &config);
+    run_script("data/scripts/alt-auth/force-fallback", &config);
+    run_script("data/scripts/alt-auth/only-fail", &config);
+
+    return 0;
+}
diff --git a/tests/module/bad-authtok-t.c b/tests/module/bad-authtok-t.c
new file mode 100644
index 000000000000..385dd5946849
--- /dev/null
+++ b/tests/module/bad-authtok-t.c
@@ -0,0 +1,53 @@
+/*
+ * Authentication tests for the pam-krb5 module with an incorrect AUTHTOK.
+ *
+ * This test case includes tests that require Kerberos to be configured and a
+ * username and password available and that run with an incorrect AUTHTOK
+ * already set.  They test various prompting fallback cases.  They don't write
+ * a ticket cache (which requires additional work to test the cache
+ * ownership).
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011-2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/script.h>
+#include <tests/tap/kerberos.h>
+#include <tests/tap/process.h>
+#include <tests/tap/string.h>
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct kerberos_config *krbconf;
+
+    /* Load the Kerberos principal and password from a file. */
+    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
+    memset(&config, 0, sizeof(config));
+    config.user = krbconf->userprinc;
+    config.password = krbconf->password;
+
+    /* Set the authtok to something bogus. */
+    config.authtok = "BAD PASSWORD THAT WILL NOT WORK";
+
+    /*
+     * Generate a testing krb5.conf file with a nonexistent default realm so
+     * that we can be sure that our principals will stay fully-qualified in
+     * the logs.
+     */
+    kerberos_generate_conf("bogus.example.com");
+
+    plan_lazy();
+    run_script_dir("data/scripts/bad-authtok", &config);
+
+    return 0;
+}
diff --git a/tests/module/basic-t.c b/tests/module/basic-t.c
new file mode 100644
index 000000000000..cacad5906ffb
--- /dev/null
+++ b/tests/module/basic-t.c
@@ -0,0 +1,67 @@
+/*
+ * Basic tests for the pam-krb5 module.
+ *
+ * This test case includes all tests that can be done without having Kerberos
+ * configured and a username and password available, and without any special
+ * configuration.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <pwd.h>
+
+#include <tests/fakepam/pam.h>
+#include <tests/fakepam/script.h>
+#include <tests/tap/basic.h>
+#include <tests/tap/kerberos.h>
+#include <tests/tap/string.h>
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct passwd pwd;
+    char *uid;
+    char *uidplus;
+
+    plan_lazy();
+
+    /*
+     * Generate a testing krb5.conf file with a nonexistent default realm so
+     * that this test will run on any system.
+     */
+    kerberos_generate_conf("bogus.example.com");
+
+    /* Create a fake passwd struct for our user. */
+    memset(&pwd, 0, sizeof(pwd));
+    pwd.pw_name = (char *) "root";
+    pwd.pw_uid = getuid();
+    pwd.pw_gid = getgid();
+    pam_set_pwd(&pwd);
+
+    /*
+     * Attempt login as the root user to test ignore_root.  Set our current
+     * UID and a UID one larger for testing minimum_uid.
+     */
+    basprintf(&uid, "%lu", (unsigned long) pwd.pw_uid);
+    basprintf(&uidplus, "%lu", (unsigned long) pwd.pw_uid + 1);
+    memset(&config, 0, sizeof(config));
+    config.user = "root";
+    config.extra[0] = uid;
+    config.extra[1] = uidplus;
+
+    run_script_dir("data/scripts/basic", &config);
+
+    free(uid);
+    free(uidplus);
+    return 0;
+}
diff --git a/tests/module/cache-cleanup-t.c b/tests/module/cache-cleanup-t.c
new file mode 100644
index 000000000000..8b5012fc3507
--- /dev/null
+++ b/tests/module/cache-cleanup-t.c
@@ -0,0 +1,104 @@
+/*
+ * Test for properly cleaning up ticket caches.
+ *
+ * Verify that the temporary Kerberos ticket cache generated during
+ * authentication is cleaned up on pam_end, even if no session was opened.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <dirent.h>
+
+#include <tests/fakepam/pam.h>
+#include <tests/fakepam/script.h>
+#include <tests/tap/basic.h>
+#include <tests/tap/kerberos.h>
+#include <tests/tap/string.h>
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct kerberos_config *krbconf;
+    DIR *tmpdir;
+    struct dirent *file;
+    char *tmppath, *path;
+
+    /* Load the Kerberos principal and password from a file. */
+    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
+    memset(&config, 0, sizeof(config));
+    config.user = krbconf->username;
+    config.authtok = krbconf->password;
+    config.extra[0] = krbconf->userprinc;
+
+    /* Generate a testing krb5.conf file. */
+    kerberos_generate_conf(krbconf->realm);
+
+    /* Get the temporary directory and store that as the %1 substitution. */
+    tmppath = test_tmpdir();
+    config.extra[1] = tmppath;
+
+    plan_lazy();
+
+    /*
+     * We need to ensure that the only thing in the test temporary directory
+     * is the krb5.conf file that we generated and any valgrind logs, since
+     * we're going to check for cleanup by looking for any out-of-place files.
+     */
+    tmpdir = opendir(tmppath);
+    if (tmpdir == NULL)
+        sysbail("cannot open directory %s", tmppath);
+    while ((file = readdir(tmpdir)) != NULL) {
+        if (strcmp(file->d_name, ".") == 0 || strcmp(file->d_name, "..") == 0)
+            continue;
+        if (strcmp(file->d_name, "krb5.conf") == 0)
+            continue;
+        if (strcmp(file->d_name, "valgrind") == 0)
+            continue;
+        basprintf(&path, "%s/%s", tmppath, file->d_name);
+        if (unlink(path) < 0)
+            sysbail("cannot delete temporary file %s", path);
+        free(path);
+    }
+    closedir(tmpdir);
+
+    /*
+     * Authenticate only, call pam_end, and be sure the ticket cache is
+     * gone.  The auth-only script sets ccache_dir to the temporary directory,
+     * so the module will create a temporary ticket cache there and then
+     * should clean it up.
+     */
+    run_script("data/scripts/cache-cleanup/auth-only", &config);
+    path = NULL;
+    tmpdir = opendir(tmppath);
+    if (tmpdir == NULL)
+        sysbail("cannot open directory %s", tmppath);
+    while ((file = readdir(tmpdir)) != NULL) {
+        if (strcmp(file->d_name, ".") == 0 || strcmp(file->d_name, "..") == 0)
+            continue;
+        if (strcmp(file->d_name, "krb5.conf") == 0)
+            continue;
+        if (strcmp(file->d_name, "valgrind") == 0)
+            continue;
+        if (path == NULL)
+            basprintf(&path, "%s/%s", tmppath, file->d_name);
+    }
+    closedir(tmpdir);
+    if (path != NULL)
+        diag("found stray temporary file %s", path);
+    ok(path == NULL, "ticket cache cleaned up");
+    if (path != NULL)
+        free(path);
+
+    test_tmpdir_free(tmppath);
+    return 0;
+}
diff --git a/tests/module/cache-t.c b/tests/module/cache-t.c
new file mode 100644
index 000000000000..8ec82df7c460
--- /dev/null
+++ b/tests/module/cache-t.c
@@ -0,0 +1,210 @@
+/*
+ * Authentication tests for the pam-krb5 module with ticket cache.
+ *
+ * This test case includes all tests that require Kerberos to be configured, a
+ * username and password available, and a ticket cache created, but with the
+ * PAM module running as the same user for which the ticket cache will be
+ * created (so without setuid and with chown doing nothing).
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2017, 2020-2021 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011, 2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/krb5.h>
+#include <portable/system.h>
+
+#include <pwd.h>
+#include <sys/stat.h>
+#include <time.h>
+
+#include <tests/fakepam/pam.h>
+#include <tests/fakepam/script.h>
+#include <tests/tap/basic.h>
+#include <tests/tap/kerberos.h>
+#include <tests/tap/process.h>
+#include <tests/tap/string.h>
+
+/* Additional data used by the cache check callback. */
+struct extra {
+    char *realm;
+    char *cache_path;
+};
+
+
+/*
+ * PAM test callback to check whether we created a ticket cache and the ticket
+ * cache is for the correct user.
+ */
+static void
+check_cache(const char *file, const struct script_config *config,
+            const struct extra *extra)
+{
+    struct stat st;
+    krb5_error_code code;
+    krb5_context ctx = NULL;
+    krb5_ccache ccache = NULL;
+    krb5_principal princ = NULL;
+    krb5_principal tgtprinc = NULL;
+    krb5_creds in, out;
+    char *principal = NULL;
+
+    /* Check ownership and permissions. */
+    is_int(0, stat(file, &st), "cache exists");
+    is_int(getuid(), st.st_uid, "...with correct UID");
+    is_int(getgid(), st.st_gid, "...with correct GID");
+    is_int(0600, (st.st_mode & 0777), "...with correct permissions");
+
+    /* Check the existence of the ticket cache and its principal. */
+    code = krb5_init_context(&ctx);
+    if (code != 0)
+        bail("cannot create Kerberos context");
+    code = krb5_cc_resolve(ctx, file, &ccache);
+    is_int(0, code, "able to resolve Kerberos ticket cache");
+    code = krb5_cc_get_principal(ctx, ccache, &princ);
+    is_int(0, code, "able to get principal");
+    code = krb5_unparse_name(ctx, princ, &principal);
+    is_int(0, code, "...and principal is valid");
+    is_string(config->extra[0], principal, "...and matches our principal");
+
+    /* Retrieve the krbtgt for the realm and check properties. */
+    code = krb5_build_principal_ext(
+        ctx, &tgtprinc, (unsigned int) strlen(extra->realm), extra->realm,
+        KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, strlen(extra->realm), extra->realm,
+        NULL);
+    if (code != 0)
+        bail("cannot create krbtgt principal name");
+    memset(&in, 0, sizeof(in));
+    memset(&out, 0, sizeof(out));
+    in.server = tgtprinc;
+    in.client = princ;
+    code = krb5_cc_retrieve_cred(ctx, ccache, KRB5_TC_MATCH_SRV_NAMEONLY, &in,
+                                 &out);
+    is_int(0, code, "able to get krbtgt credentials");
+    ok(out.times.endtime > time(NULL) + 30 * 60, "...good for 30 minutes");
+    krb5_free_cred_contents(ctx, &out);
+
+    /* Close things and release memory. */
+    krb5_free_principal(ctx, tgtprinc);
+    krb5_free_unparsed_name(ctx, principal);
+    krb5_free_principal(ctx, princ);
+    krb5_cc_close(ctx, ccache);
+    krb5_free_context(ctx);
+}
+
+
+/*
+ * Same as check_cache except unlink the ticket cache afterwards.  Used to
+ * check the ticket cache in cases where the PAM module will not clean it up
+ * afterwards, such as calling pam_end with PAM_DATA_SILENT.
+ */
+static void
+check_cache_callback(pam_handle_t *pamh, const struct script_config *config,
+                     void *data)
+{
+    struct extra *extra = data;
+    const char *cache, *file;
+    char *prefix;
+
+    cache = pam_getenv(pamh, "KRB5CCNAME");
+    ok(cache != NULL, "KRB5CCNAME is set in PAM environment");
+    if (cache == NULL)
+        return;
+    basprintf(&prefix, "FILE:/tmp/krb5cc_%lu_", (unsigned long) getuid());
+    diag("KRB5CCNAME = %s", cache);
+    ok(strncmp(prefix, cache, strlen(prefix)) == 0,
+       "cache file name prefix is correct");
+    free(prefix);
+    file = cache + strlen("FILE:");
+    extra->cache_path = bstrdup(file);
+    check_cache(file, config, extra);
+}
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct kerberos_config *krbconf;
+    char *k5login;
+    struct extra extra;
+    struct passwd pwd;
+    FILE *file;
+
+    /* Load the Kerberos principal and password from a file. */
+    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
+    memset(&config, 0, sizeof(config));
+    config.user = krbconf->username;
+    extra.realm = krbconf->realm;
+    extra.cache_path = NULL;
+    config.authtok = krbconf->password;
+    config.extra[0] = krbconf->userprinc;
+
+    /* Generate a testing krb5.conf file. */
+    kerberos_generate_conf(krbconf->realm);
+
+    /* Create a fake passwd struct for our user. */
+    memset(&pwd, 0, sizeof(pwd));
+    pwd.pw_name = krbconf->username;
+    pwd.pw_uid = getuid();
+    pwd.pw_gid = getgid();
+    basprintf(&pwd.pw_dir, "%s/tmp", getenv("BUILD"));
+    pam_set_pwd(&pwd);
+
+    plan_lazy();
+
+    /* Basic test. */
+    run_script("data/scripts/cache/basic", &config);
+
+    /* Check the cache status before the session is closed. */
+    config.callback = check_cache_callback;
+    config.data = &extra;
+    run_script("data/scripts/cache/open-session", &config);
+    free(extra.cache_path);
+    extra.cache_path = NULL;
+
+    /*
+     * Try again but passing PAM_DATA_SILENT to pam_end.  This should leave
+     * the ticket cache intact.
+     */
+    run_script("data/scripts/cache/end-data-silent", &config);
+    check_cache(extra.cache_path, &config, &extra);
+    if (unlink(extra.cache_path) < 0)
+        sysdiag("unable to unlink temporary cache %s", extra.cache_path);
+    free(extra.cache_path);
+    extra.cache_path = NULL;
+
+    /* Change the authenticating user and test search_k5login. */
+    pwd.pw_name = (char *) "testuser";
+    pam_set_pwd(&pwd);
+    config.user = "testuser";
+    basprintf(&k5login, "%s/.k5login", pwd.pw_dir);
+    file = fopen(k5login, "w");
+    if (file == NULL)
+        sysbail("cannot create %s", k5login);
+    if (fprintf(file, "%s\n", krbconf->userprinc) < 0)
+        sysbail("cannot write to %s", k5login);
+    if (fclose(file) < 0)
+        sysbail("cannot flush %s", k5login);
+    run_script("data/scripts/cache/search-k5login", &config);
+    free(extra.cache_path);
+    extra.cache_path = NULL;
+    config.callback = NULL;
+    run_script("data/scripts/cache/search-k5login-debug", &config);
+    unlink(k5login);
+    free(k5login);
+
+    /* Test search_k5login when no .k5login file exists. */
+    pwd.pw_name = krbconf->username;
+    pam_set_pwd(&pwd);
+    config.user = krbconf->username;
+    diag("testing search_k5login with no .k5login file");
+    run_script("data/scripts/cache/search-k5login", &config);
+
+    free(pwd.pw_dir);
+    return 0;
+}
diff --git a/tests/module/expired-t.c b/tests/module/expired-t.c
new file mode 100644
index 000000000000..01a1892a0d04
--- /dev/null
+++ b/tests/module/expired-t.c
@@ -0,0 +1,175 @@
+/*
+ * Tests for the pam-krb5 module with an expired password.
+ *
+ * This test case checks correct handling of an account whose password has
+ * expired and the multiple different paths the module can take for handling
+ * that case.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011-2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <pwd.h>
+#include <time.h>
+
+#include <tests/fakepam/pam.h>
+#include <tests/fakepam/script.h>
+#include <tests/tap/basic.h>
+#include <tests/tap/kadmin.h>
+#include <tests/tap/kerberos.h>
+#include <tests/tap/process.h>
+#include <tests/tap/string.h>
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct kerberos_config *krbconf;
+    char *newpass, *date;
+    struct passwd pwd;
+    time_t now;
+
+    /* Load the Kerberos principal and password from a file. */
+    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
+    memset(&config, 0, sizeof(config));
+    config.user = krbconf->username;
+    config.password = krbconf->password;
+    config.extra[0] = krbconf->userprinc;
+
+    /*
+     * Ensure we can expire the password.  Heimdal has a prompt for the
+     * expiration time, so save that to use as a substitution in the script.
+     */
+    now = time(NULL) - 1;
+    if (!kerberos_expire_password(krbconf->userprinc, now))
+        skip_all("kadmin not configured or kadmin mismatch");
+    date = bstrdup(ctime(&now));
+    date[strlen(date) - 1] = '\0';
+    config.extra[1] = date;
+
+    /* Generate a testing krb5.conf file. */
+    kerberos_generate_conf(krbconf->realm);
+
+    /* Create a fake passwd struct for our user. */
+    memset(&pwd, 0, sizeof(pwd));
+    pwd.pw_name = krbconf->username;
+    pwd.pw_uid = getuid();
+    pwd.pw_gid = getgid();
+    basprintf(&pwd.pw_dir, "%s/tmp", getenv("BUILD"));
+    pam_set_pwd(&pwd);
+
+    /*
+     * We'll be changing the password to something new.  This needs to be
+     * sufficiently random that it's unlikely to fall afoul of password
+     * strength checking.
+     */
+    basprintf(&newpass, "ngh1,a%lu nn9af6", (unsigned long) getpid());
+    config.newpass = newpass;
+
+    plan_lazy();
+
+    /*
+     * Default behavior.  We have to distinguish between two versions of
+     * Heimdal for testing because the prompts changed substantially.  Use the
+     * existence of krb5_principal_set_comp_string to distinguish because it
+     * was introduced at the same time.
+     */
+#ifdef HAVE_KRB5_HEIMDAL
+#    ifdef HAVE_KRB5_PRINCIPAL_SET_COMP_STRING
+    run_script("data/scripts/expired/basic-heimdal", &config);
+    config.newpass = krbconf->password;
+    config.password = newpass;
+    kerberos_expire_password(krbconf->userprinc, now);
+    run_script("data/scripts/expired/basic-heimdal-debug", &config);
+#    else
+    run_script("data/scripts/expired/basic-heimdal-old", &config);
+    config.newpass = krbconf->password;
+    config.password = newpass;
+    kerberos_expire_password(krbconf->userprinc, now);
+    run_script("data/scripts/expired/basic-heimdal-old-debug", &config);
+#    endif
+#else
+    run_script("data/scripts/expired/basic-mit", &config);
+    config.newpass = krbconf->password;
+    config.password = newpass;
+    kerberos_expire_password(krbconf->userprinc, now);
+    run_script("data/scripts/expired/basic-mit-debug", &config);
+#endif
+
+    /* Test again with PAM_SILENT, specified two ways. */
+#ifdef HAVE_KRB5_HEIMDAL
+    config.newpass = newpass;
+    config.password = krbconf->password;
+    kerberos_expire_password(krbconf->userprinc, now);
+    run_script("data/scripts/expired/basic-heimdal-silent", &config);
+    config.newpass = krbconf->password;
+    config.password = newpass;
+    kerberos_expire_password(krbconf->userprinc, now);
+    run_script("data/scripts/expired/basic-heimdal-flag-silent", &config);
+#else
+    config.newpass = newpass;
+    config.password = krbconf->password;
+    kerberos_expire_password(krbconf->userprinc, now);
+    run_script("data/scripts/expired/basic-mit-silent", &config);
+    config.newpass = krbconf->password;
+    config.password = newpass;
+    kerberos_expire_password(krbconf->userprinc, now);
+    run_script("data/scripts/expired/basic-mit-flag-silent", &config);
+#endif
+
+    /*
+     * We can only run the remaining checks if we can suppress the Kerberos
+     * library behavior of prompting for a new password when the password has
+     * expired.
+     */
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CHANGE_PASSWORD_PROMPT
+
+    /* Check the forced failure behavior. */
+    run_script("data/scripts/expired/fail", &config);
+    run_script("data/scripts/expired/fail-debug", &config);
+
+    /*
+     * Defer the error to the account management check.
+     *
+     * Skip this check on Heimdal currently (Heimdal 7.4.0) because its
+     * implementation of krb5_get_init_creds_opt_set_change_password_prompt is
+     * incomplete.  See <https://github.com/heimdal/heimdal/issues/322>.
+     */
+#    ifdef HAVE_KRB5_HEIMDAL
+    skip_block(2, "deferring password changes broken in Heimdal");
+#    else
+    config.newpass = newpass;
+    config.password = krbconf->password;
+    config.authtok = krbconf->password;
+    kerberos_expire_password(krbconf->userprinc, now);
+    run_script("data/scripts/expired/defer-mit", &config);
+    config.newpass = krbconf->password;
+    config.password = newpass;
+    config.authtok = newpass;
+    kerberos_expire_password(krbconf->userprinc, now);
+    run_script("data/scripts/expired/defer-mit-debug", &config);
+#    endif
+
+#else /* !HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CHANGE_PASSWORD_PROMPT */
+
+    /* Mention that we skipped something for the record. */
+    skip_block(4, "cannot disable library password prompting");
+
+#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CHANGE_PASSWORD_PROMPT */
+
+    /* In case we ran into some error, try to unexpire the password. */
+    kerberos_expire_password(krbconf->userprinc, 0);
+
+    free(date);
+    free(newpass);
+    free(pwd.pw_dir);
+    return 0;
+}
diff --git a/tests/module/fast-anon-t.c b/tests/module/fast-anon-t.c
new file mode 100644
index 000000000000..6355a5154f69
--- /dev/null
+++ b/tests/module/fast-anon-t.c
@@ -0,0 +1,108 @@
+/*
+ * Tests for anonymous FAST support in pam-krb5.
+ *
+ * Tests for anonymous Flexible Authentication Secure Tunneling, a mechanism
+ * for improving the preauthentication part of the Kerberos protocol and
+ * protecting it against various attacks.
+ *
+ * This is broken out from the other FAST tests because it uses PKINIT, and
+ * PKINIT code cannot be tested under valgrind with MIT Kerberos due to some
+ * bug in valgrind.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2017, 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/krb5.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/script.h>
+#include <tests/tap/kerberos.h>
+
+
+/*
+ * Test whether anonymous authentication works.  If this doesn't, we need to
+ * skip the tests of anonymous FAST.
+ */
+static bool
+anon_fast_works(void)
+{
+    krb5_context ctx;
+    krb5_error_code retval;
+    krb5_principal princ = NULL;
+    char *realm;
+    krb5_creds creds;
+    krb5_get_init_creds_opt *opts = NULL;
+
+    /* Construct the anonymous principal name. */
+    retval = krb5_init_context(&ctx);
+    if (retval != 0)
+        bail("cannot initialize Kerberos");
+    retval = krb5_get_default_realm(ctx, &realm);
+    if (retval != 0)
+        bail("cannot get default realm");
+    retval = krb5_build_principal_ext(
+        ctx, &princ, (unsigned int) strlen(realm), realm,
+        strlen(KRB5_WELLKNOWN_NAME), KRB5_WELLKNOWN_NAME,
+        strlen(KRB5_ANON_NAME), KRB5_ANON_NAME, NULL);
+    if (retval != 0)
+        bail("cannot construct anonymous principal");
+    krb5_free_default_realm(ctx, realm);
+
+    /* Obtain the credentials. */
+    memset(&creds, 0, sizeof(creds));
+    retval = krb5_get_init_creds_opt_alloc(ctx, &opts);
+    if (retval != 0)
+        bail("cannot create credential options");
+    krb5_get_init_creds_opt_set_anonymous(opts, 1);
+    krb5_get_init_creds_opt_set_tkt_life(opts, 60);
+    retval = krb5_get_init_creds_password(ctx, &creds, princ, NULL, NULL, NULL,
+                                          0, NULL, opts);
+
+    /* Clean up. */
+    if (princ != NULL)
+        krb5_free_principal(ctx, princ);
+    if (opts != NULL)
+        krb5_get_init_creds_opt_free(ctx, opts);
+    krb5_free_cred_contents(ctx, &creds);
+
+    /* Return whether authentication succeeded. */
+    return (retval == 0);
+}
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct kerberos_config *krbconf;
+
+    /* Skip the test if FAST is not available. */
+#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_CCACHE_NAME
+    skip_all("FAST support not available");
+#endif
+
+    /* Initialize Kerberos configuration. */
+    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
+    memset(&config, 0, sizeof(config));
+    config.user = krbconf->username;
+    config.authtok = krbconf->password;
+    config.extra[0] = krbconf->userprinc;
+    kerberos_generate_conf(krbconf->realm);
+
+    /* Skip the test if anonymous PKINIT doesn't work. */
+    if (!anon_fast_works())
+        skip_all("anonymous PKINIT failed");
+
+    /* Test anonymous FAST. */
+    plan_lazy();
+    run_script("data/scripts/fast/anonymous", &config);
+    run_script("data/scripts/fast/anonymous-debug", &config);
+
+    return 0;
+}
diff --git a/tests/module/fast-t.c b/tests/module/fast-t.c
new file mode 100644
index 000000000000..51fee27098c8
--- /dev/null
+++ b/tests/module/fast-t.c
@@ -0,0 +1,57 @@
+/*
+ * Tests for authenticated FAST support in pam-krb5.
+ *
+ * Tests for Flexible Authentication Secure Tunneling, a mechanism for
+ * improving the preauthentication part of the Kerberos protocol and
+ * protecting it against various attacks.  This tests authenticated FAST;
+ * anonymous FAST is tested separately.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2017, 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/script.h>
+#include <tests/tap/kerberos.h>
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct kerberos_config *krbconf;
+
+    /* Skip the test if FAST is not available. */
+#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_CCACHE_NAME
+    skip_all("FAST support not available");
+#endif
+
+    /* Initialize Kerberos configuration. */
+    krbconf = kerberos_setup(TAP_KRB_NEEDS_BOTH);
+    memset(&config, 0, sizeof(config));
+    config.user = krbconf->userprinc;
+    config.authtok = krbconf->password;
+    config.extra[0] = krbconf->cache;
+
+    /*
+     * Generate a testing krb5.conf file with a nonexistent default realm so
+     * that we can be sure that our principals will stay fully-qualified in
+     * the logs.
+     */
+    kerberos_generate_conf("bogus.example.com");
+
+    /* Test fast_ccache */
+    plan_lazy();
+    run_script("data/scripts/fast/ccache", &config);
+    run_script("data/scripts/fast/ccache-debug", &config);
+    run_script("data/scripts/fast/no-ccache", &config);
+    run_script("data/scripts/fast/no-ccache-debug", &config);
+
+    return 0;
+}
diff --git a/tests/module/long-t.c b/tests/module/long-t.c
new file mode 100644
index 000000000000..73614b0f6ec9
--- /dev/null
+++ b/tests/module/long-t.c
@@ -0,0 +1,46 @@
+/*
+ * Excessively long password tests for the pam-krb5 module.
+ *
+ * This test case includes all tests for excessively long passwords that can
+ * be done without having Kerberos configured and a username and password
+ * available.
+ *
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/script.h>
+#include <tests/tap/basic.h>
+
+
+int
+main(void)
+{
+    struct script_config config;
+    char *password;
+
+    plan_lazy();
+
+    memset(&config, 0, sizeof(config));
+    config.user = "test";
+
+    /* Test a password that is too long. */
+    password = bcalloc_type(PAM_MAX_RESP_SIZE + 1, char);
+    memset(password, 'a', PAM_MAX_RESP_SIZE);
+    config.password = password;
+    run_script("data/scripts/long/password", &config);
+    run_script("data/scripts/long/password-debug", &config);
+
+    /* Test a stored authtok that's too long. */
+    config.authtok = password;
+    config.password = "testing";
+    run_script("data/scripts/long/use-first", &config);
+    run_script("data/scripts/long/use-first-debug", &config);
+
+    free(password);
+    return 0;
+}
diff --git a/tests/module/no-cache-t.c b/tests/module/no-cache-t.c
new file mode 100644
index 000000000000..8b282d1de397
--- /dev/null
+++ b/tests/module/no-cache-t.c
@@ -0,0 +1,47 @@
+/*
+ * Authentication tests for the pam-krb5 module without a ticket cache.
+ *
+ * This test case includes tests that require Kerberos to be configured and a
+ * username and password available, but which don't write a ticket cache
+ * (which requires additional work to test the cache ownership).  This test
+ * does not set AUTHTOK.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011, 2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/script.h>
+#include <tests/tap/kerberos.h>
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct kerberos_config *krbconf;
+
+    /* Load the Kerberos principal and password from a file. */
+    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
+    memset(&config, 0, sizeof(config));
+    config.user = krbconf->userprinc;
+    config.password = krbconf->password;
+
+    /*
+     * Generate a testing krb5.conf file with a nonexistent default realm so
+     * that we can be sure that our principals will stay fully-qualified in
+     * the logs.
+     */
+    kerberos_generate_conf("bogus.example.com");
+
+    plan_lazy();
+    run_script_dir("data/scripts/no-cache", &config);
+
+    return 0;
+}
diff --git a/tests/module/pam-user-t.c b/tests/module/pam-user-t.c
new file mode 100644
index 000000000000..72cc21eebae3
--- /dev/null
+++ b/tests/module/pam-user-t.c
@@ -0,0 +1,80 @@
+/*
+ * Tests for PAM_USER handling.
+ *
+ * This test case includes tests that require Kerberos to be configured and a
+ * username and password available, but which don't write a ticket cache
+ * (which requires additional work to test the cache ownership).
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/script.h>
+#include <tests/tap/kerberos.h>
+#include <tests/tap/macros.h>
+
+
+/*
+ * Callback to check that PAM_USER matches the desired value, passed in as the
+ * data parameter.
+ */
+static void
+check_pam_user(pam_handle_t *pamh, const struct script_config *config UNUSED,
+               void *data)
+{
+    int retval;
+    const char *name = NULL;
+    const char *expected = data;
+
+    retval = pam_get_item(pamh, PAM_USER, (PAM_CONST void **) &name);
+    is_int(PAM_SUCCESS, retval, "Found PAM_USER");
+    is_string(expected, name, "...matching %s", expected);
+}
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct kerberos_config *krbconf;
+
+    /* Load the Kerberos principal and password from a file. */
+    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
+    memset(&config, 0, sizeof(config));
+    config.password = krbconf->password;
+    config.callback = check_pam_user;
+    config.extra[0] = krbconf->username;
+    config.extra[1] = krbconf->userprinc;
+
+    /*
+     * Generate a testing krb5.conf file matching the realm of the Kerberos
+     * configuration so that canonicalization will work.
+     */
+    kerberos_generate_conf(krbconf->realm);
+
+    /* Declare our plan. */
+    plan_lazy();
+
+    /* Authentication without a realm.  No canonicalization. */
+    config.user = krbconf->username;
+    config.data = krbconf->username;
+    run_script("data/scripts/pam-user/update", &config);
+
+    /* Authentication with the local realm.  Should be canonicalized. */
+    config.user = krbconf->userprinc;
+    run_script("data/scripts/pam-user/update", &config);
+
+    /*
+     * Now, test again with user updates disabled.  The PAM_USER value should
+     * now not be canonicalized.
+     */
+    config.data = krbconf->userprinc;
+    run_script("data/scripts/pam-user/no-update", &config);
+
+    return 0;
+}
diff --git a/tests/module/password-t.c b/tests/module/password-t.c
new file mode 100644
index 000000000000..bdf9762bc6cb
--- /dev/null
+++ b/tests/module/password-t.c
@@ -0,0 +1,152 @@
+/*
+ * Authentication tests for the pam-krb5 module with ticket cache.
+ *
+ * This test case includes all tests that require Kerberos to be configured, a
+ * username and password available, and a ticket cache created, but with the
+ * PAM module running as the same user for which the ticket cache will be
+ * created (so without setuid and with chown doing nothing).
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011-2012, 2014
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/krb5.h>
+#include <portable/pam.h>
+#include <portable/system.h>
+
+#include <pwd.h>
+#include <sys/stat.h>
+#include <time.h>
+
+#include <tests/fakepam/pam.h>
+#include <tests/fakepam/script.h>
+#include <tests/tap/basic.h>
+#include <tests/tap/kerberos.h>
+#include <tests/tap/macros.h>
+#include <tests/tap/process.h>
+#include <tests/tap/string.h>
+
+
+static void
+check_authtok(pam_handle_t *pamh, const struct script_config *config,
+              void *data UNUSED)
+{
+    int retval;
+    const char *authtok;
+
+    retval = pam_get_item(pamh, PAM_AUTHTOK, (PAM_CONST void **) &authtok);
+    is_int(PAM_SUCCESS, retval, "Found PAM_AUTHTOK");
+    is_string(config->newpass, authtok, "...and it is correct");
+}
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct kerberos_config *krbconf;
+    char *newpass;
+
+    /* Load the Kerberos principal and password from a file. */
+    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
+    memset(&config, 0, sizeof(config));
+    config.user = krbconf->username;
+    config.password = krbconf->password;
+    config.extra[0] = krbconf->userprinc;
+
+    /* Generate a testing krb5.conf file. */
+    kerberos_generate_conf(krbconf->realm);
+
+    plan_lazy();
+
+    /*
+     * First test trying to change the password to something that's
+     * excessively long.
+     */
+    newpass = bcalloc_type(PAM_MAX_RESP_SIZE + 1, char);
+    memset(newpass, 'a', PAM_MAX_RESP_SIZE);
+    config.newpass = newpass;
+    run_script("data/scripts/password/too-long", &config);
+    run_script("data/scripts/password/too-long-debug", &config);
+
+    /* Test use_authtok with an excessively long password. */
+    config.newpass = NULL;
+    config.authtok = newpass;
+    run_script("data/scripts/password/authtok-too-long", &config);
+    run_script("data/scripts/password/authtok-too-long-debug", &config);
+
+    /*
+     * Change the password to something new.  This needs to be sufficiently
+     * random that it's unlikely to fall afoul of password strength checking.
+     */
+    free(newpass);
+    config.authtok = NULL;
+    basprintf(&newpass, "ngh1,a%lu nn9af6%lu", (unsigned long) getpid(),
+              (unsigned long) time(NULL));
+    config.newpass = newpass;
+    run_script("data/scripts/password/basic", &config);
+    config.password = newpass;
+    config.newpass = krbconf->password;
+    run_script("data/scripts/password/basic-debug", &config);
+
+    /* Test prompt_principal with password change. */
+    config.password = krbconf->password;
+    config.newpass = newpass;
+    run_script("data/scripts/password/prompt-principal", &config);
+
+    /* Change the password back and test expose-account. */
+    config.password = newpass;
+    config.newpass = krbconf->password;
+    run_script("data/scripts/password/expose", &config);
+
+    /*
+     * Test two banner settings by changing the password and then changing it
+     * back again.
+     */
+    config.password = krbconf->password;
+    config.newpass = newpass;
+    run_script("data/scripts/password/banner", &config);
+    config.password = newpass;
+    config.newpass = krbconf->password;
+    run_script("data/scripts/password/no-banner", &config);
+
+    /* Do the same, but with expose_account set as well. */
+    config.password = krbconf->password;
+    config.newpass = newpass;
+    run_script("data/scripts/password/banner-expose", &config);
+    config.password = newpass;
+    config.newpass = krbconf->password;
+    run_script("data/scripts/password/no-banner-expose", &config);
+
+    /* Test use_authtok. */
+    config.password = krbconf->password;
+    config.newpass = NULL;
+    config.authtok = newpass;
+    run_script("data/scripts/password/authtok", &config);
+
+    /* Test use_authtok with force_first_pass. */
+    config.password = NULL;
+    config.authtok = krbconf->password;
+    config.oldauthtok = newpass;
+    run_script("data/scripts/password/authtok-force", &config);
+
+    /*
+     * Ensure PAM_AUTHTOK and PAM_OLDAUTHTOK are set even if the user is
+     * ignored.
+     */
+    config.user = "root";
+    config.authtok = NULL;
+    config.oldauthtok = NULL;
+    config.password = "old-password";
+    config.newpass = "new-password";
+    config.callback = check_authtok;
+    run_script("data/scripts/password/ignore", &config);
+
+    free(newpass);
+    return 0;
+}
diff --git a/tests/module/pkinit-t.c b/tests/module/pkinit-t.c
new file mode 100644
index 000000000000..6bbb6993b2af
--- /dev/null
+++ b/tests/module/pkinit-t.c
@@ -0,0 +1,98 @@
+/*
+ * PKINIT authentication tests for the pam-krb5 module.
+ *
+ * This test case includes tests that require a PKINIT certificate, but which
+ * don't write a Kerberos ticket cache.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/script.h>
+#include <tests/tap/kerberos.h>
+#include <tests/tap/process.h>
+#include <tests/tap/string.h>
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct kerberos_config *krbconf;
+#if defined(HAVE_KRB5_MIT) && defined(PATH_OPENSSL)
+    const char **generate_pkcs12;
+    char *tmpdir, *pkcs12_path;
+#endif
+
+    /* Load the Kerberos principal and certificate path. */
+    krbconf = kerberos_setup(TAP_KRB_NEEDS_PKINIT);
+    memset(&config, 0, sizeof(config));
+    config.user = krbconf->pkinit_principal;
+    config.extra[0] = krbconf->pkinit_cert;
+
+    /*
+     * Generate a testing krb5.conf file with a nonexistent default realm so
+     * that we can be sure that our principals will stay fully-qualified in
+     * the logs.
+     */
+    kerberos_generate_conf("bogus.example.com");
+
+    /* Check things that are the same with both Kerberos implementations. */
+    plan_lazy();
+    run_script("data/scripts/pkinit/basic", &config);
+    run_script("data/scripts/pkinit/basic-debug", &config);
+    run_script("data/scripts/pkinit/prompt-use", &config);
+    run_script("data/scripts/pkinit/prompt-try", &config);
+    run_script("data/scripts/pkinit/try-pkinit", &config);
+
+    /* Debugging output is a little different between the implementations. */
+#ifdef HAVE_KRB5_HEIMDAL
+    run_script("data/scripts/pkinit/try-pkinit-debug", &config);
+#else
+    run_script("data/scripts/pkinit/try-pkinit-debug-mit", &config);
+#endif
+
+    /* Only MIT Kerberos supports setting preauth options. */
+#ifdef HAVE_KRB5_MIT
+    run_script("data/scripts/pkinit/preauth-opt-mit", &config);
+#endif
+
+    /*
+     * If OpenSSL is available, test prompting with MIT Kerberos since we have
+     * to implement the prompting for the use_pkinit case ourselves.  To do
+     * this, convert the input PKINIT certificate to a PKCS12 file with a
+     * password.
+     */
+#if defined(HAVE_KRB5_MIT) && defined(PATH_OPENSSL)
+    tmpdir = test_tmpdir();
+    basprintf(&pkcs12_path, "%s/%s", tmpdir, "pkinit-pkcs12");
+    generate_pkcs12 = bcalloc_type(10, const char *);
+    generate_pkcs12[0] = PATH_OPENSSL;
+    generate_pkcs12[1] = "pkcs12";
+    generate_pkcs12[2] = "-export";
+    generate_pkcs12[3] = "-in";
+    generate_pkcs12[4] = krbconf->pkinit_cert;
+    generate_pkcs12[5] = "-password";
+    generate_pkcs12[6] = "pass:some-password";
+    generate_pkcs12[7] = "-out";
+    generate_pkcs12[8] = pkcs12_path;
+    generate_pkcs12[9] = NULL;
+    run_setup(generate_pkcs12);
+    free(generate_pkcs12);
+    config.extra[0] = pkcs12_path;
+    config.extra[1] = "some-password";
+    run_script("data/scripts/pkinit/pin-mit", &config);
+    unlink(pkcs12_path);
+    free(pkcs12_path);
+    test_tmpdir_free(tmpdir);
+#endif /* HAVE_KRB5_MIT && PATH_OPENSSL */
+
+    return 0;
+}
diff --git a/tests/module/realm-t.c b/tests/module/realm-t.c
new file mode 100644
index 000000000000..d5643ca1f3e5
--- /dev/null
+++ b/tests/module/realm-t.c
@@ -0,0 +1,87 @@
+/*
+ * Authentication tests for realm support in pam-krb5.
+ *
+ * Test the realm and user_realm option in the PAM configuration, which is
+ * special in several ways since it influences krb5.conf parsing and is read
+ * out of order in the initial configuration.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011-2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/krb5.h>
+#include <portable/system.h>
+
+#include <pwd.h>
+
+#include <tests/fakepam/pam.h>
+#include <tests/fakepam/script.h>
+#include <tests/tap/basic.h>
+#include <tests/tap/kerberos.h>
+#include <tests/tap/string.h>
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct kerberos_config *krbconf;
+    struct passwd pwd;
+    FILE *file;
+    char *k5login;
+
+    /* Load the Kerberos principal and password from a file. */
+    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
+    memset(&config, 0, sizeof(config));
+    config.user = krbconf->username;
+    config.authtok = krbconf->password;
+
+    /* Don't keep track of the tests in each script. */
+    plan_lazy();
+
+    /* Start with a nonexistent default realm for authentication failure. */
+    kerberos_generate_conf("bogus.example.com");
+    config.extra[0] = "bogus.example.com";
+    run_script("data/scripts/realm/fail-no-realm", &config);
+    run_script("data/scripts/realm/fail-no-realm-debug", &config);
+
+    /* Running a script that sets realm properly should pass. */
+    config.extra[0] = krbconf->realm;
+    run_script("data/scripts/realm/pass-realm", &config);
+
+    /* Setting user_realm should continue to fail due to no .k5login file. */
+    run_script("data/scripts/realm/fail-user-realm", &config);
+
+    /* If we add a .k5login file for the user, user_realm should work. */
+    pwd.pw_name = krbconf->username;
+    pwd.pw_uid = getuid();
+    pwd.pw_gid = getgid();
+    pwd.pw_dir = test_tmpdir();
+    pam_set_pwd(&pwd);
+    basprintf(&k5login, "%s/.k5login", pwd.pw_dir);
+    file = fopen(k5login, "w");
+    if (file == NULL)
+        sysbail("cannot create %s", k5login);
+    if (fprintf(file, "%s\n", krbconf->userprinc) < 0)
+        sysbail("cannot write to %s", k5login);
+    if (fclose(file) < 0)
+        sysbail("cannot flush %s", k5login);
+    run_script("data/scripts/realm/pass-user-realm", &config);
+    pam_set_pwd(NULL);
+    unlink(k5login);
+    free(k5login);
+    test_tmpdir_free(pwd.pw_dir);
+
+    /* Switch to the correct realm, but set the wrong realm in PAM. */
+    kerberos_generate_conf(krbconf->realm);
+    config.extra[0] = "bogus.example.com";
+    run_script("data/scripts/realm/fail-realm", &config);
+    run_script("data/scripts/realm/fail-bad-user-realm", &config);
+
+    return 0;
+}
diff --git a/tests/module/stacked-t.c b/tests/module/stacked-t.c
new file mode 100644
index 000000000000..ef8e70885ecb
--- /dev/null
+++ b/tests/module/stacked-t.c
@@ -0,0 +1,50 @@
+/*
+ * Authentication tests for the pam-krb5 module with an existing AUTHTOK.
+ *
+ * This test case includes tests that require Kerberos to be configured and a
+ * username and password available and that run with AUTHTOK already set, but
+ * which don't write a ticket cache (which requires additional work to test
+ * the cache ownership).
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011-2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/script.h>
+#include <tests/tap/kerberos.h>
+#include <tests/tap/process.h>
+#include <tests/tap/string.h>
+
+
+int
+main(void)
+{
+    struct script_config config;
+    struct kerberos_config *krbconf;
+
+    /* Load the Kerberos principal and password from a file. */
+    krbconf = kerberos_setup(TAP_KRB_NEEDS_PASSWORD);
+    memset(&config, 0, sizeof(config));
+    config.user = krbconf->userprinc;
+    config.password = krbconf->password;
+    config.authtok = krbconf->password;
+
+    /*
+     * Generate a testing krb5.conf file with a nonexistent default realm so
+     * that we can be sure that our principals will stay fully-qualified in
+     * the logs.
+     */
+    kerberos_generate_conf("bogus.example.com");
+
+    plan_lazy();
+    run_script_dir("data/scripts/stacked", &config);
+
+    return 0;
+}
diff --git a/tests/module/trace-t.c b/tests/module/trace-t.c
new file mode 100644
index 000000000000..db3aa67f9e24
--- /dev/null
+++ b/tests/module/trace-t.c
@@ -0,0 +1,48 @@
+/*
+ * Tests for trace logging in the pam-krb5 module.
+ *
+ * Checks that trace logging is handled properly.  This is currently very
+ * simple and just checks that the file is created.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * SPDX-License-Identifier: BSD-3-clause or GPL-1+
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/script.h>
+#include <tests/tap/basic.h>
+#include <tests/tap/string.h>
+
+
+int
+main(void)
+{
+    struct script_config config;
+    char *tmpdir, *trace;
+
+    plan_lazy();
+
+    memset(&config, 0, sizeof(config));
+    config.user = "testuser";
+    tmpdir = test_tmpdir();
+    basprintf(&trace, "%s/trace", tmpdir);
+    config.extra[0] = trace;
+#ifdef HAVE_KRB5_SET_TRACE_FILENAME
+    run_script("data/scripts/trace/supported", &config);
+    is_int(0, access(trace, F_OK), "Trace file was created");
+    unlink(trace);
+#else
+    run_script("data/scripts/trace/unsupported", &config);
+    is_int(-1, access(trace, F_OK), "Trace file does not exist");
+#endif
+
+    free(trace);
+    test_tmpdir_free(tmpdir);
+    return 0;
+}
diff --git a/tests/pam-util/args-t.c b/tests/pam-util/args-t.c
new file mode 100644
index 000000000000..4ec102e511ed
--- /dev/null
+++ b/tests/pam-util/args-t.c
@@ -0,0 +1,86 @@
+/*
+ * PAM utility argument initialization test suite.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2010, 2012-2013
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <config.h>
+#include <portable/pam.h>
+#include <portable/system.h>
+
+#include <pam-util/args.h>
+#include <tests/fakepam/pam.h>
+#include <tests/tap/basic.h>
+
+
+int
+main(void)
+{
+    pam_handle_t *pamh;
+    struct pam_conv conv = {NULL, NULL};
+    struct pam_args *args;
+
+    plan(12);
+
+    if (pam_start("test", NULL, &conv, &pamh) != PAM_SUCCESS)
+        sysbail("Fake PAM initialization failed");
+    args = putil_args_new(pamh, 0);
+    ok(args != NULL, "New args struct is not NULL");
+    if (args == NULL)
+        ok_block(7, 0, "...args struct is NULL");
+    else {
+        ok(args->pamh == pamh, "...and pamh is correct");
+        ok(args->config == NULL, "...and config is NULL");
+        ok(args->user == NULL, "...and user is NULL");
+        is_int(args->debug, false, "...and debug is false");
+        is_int(args->silent, false, "...and silent is false");
+#ifdef HAVE_KRB5
+        ok(args->ctx != NULL, "...and the Kerberos context is initialized");
+        ok(args->realm == NULL, "...and realm is NULL");
+#else
+        skip_block(2, "Kerberos support not configured");
+#endif
+    }
+    putil_args_free(args);
+    ok(1, "Freeing the args struct works");
+
+    args = putil_args_new(pamh, PAM_SILENT);
+    ok(args != NULL, "New args struct with PAM_SILENT is not NULL");
+    if (args == NULL)
+        ok(0, "...args is NULL");
+    else
+        is_int(args->silent, true, "...and silent is true");
+    putil_args_free(args);
+
+    putil_args_free(NULL);
+    ok(1, "Freeing a NULL args struct works");
+
+    pam_end(pamh, 0);
+
+    return 0;
+}
diff --git a/tests/pam-util/fakepam-t.c b/tests/pam-util/fakepam-t.c
new file mode 100644
index 000000000000..1e09c5fdde75
--- /dev/null
+++ b/tests/pam-util/fakepam-t.c
@@ -0,0 +1,121 @@
+/*
+ * Fake PAM library test suite.
+ *
+ * This is not actually a test for the pam-util layer, but rather is a test
+ * for the trickier components of the fake PAM library that in turn is used to
+ * test the pam-util layer and PAM modules.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2010, 2013
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <config.h>
+#include <portable/pam.h>
+#include <portable/system.h>
+
+#include <tests/fakepam/pam.h>
+#include <tests/tap/basic.h>
+
+
+int
+main(void)
+{
+    pam_handle_t *pamh;
+    struct pam_conv conv = {NULL, NULL};
+    char **env;
+    size_t i;
+
+    /*
+     * Skip this test if the native PAM library doesn't support a PAM
+     * environment, since we "break" pam_putenv to mirror the native behavior
+     * in that case.
+     */
+#ifndef HAVE_PAM_GETENV
+    skip_all("system doesn't support PAM environment");
+#endif
+
+    plan(33);
+
+    /* Basic environment manipulation. */
+    if (pam_start("test", NULL, &conv, &pamh) != PAM_SUCCESS)
+        sysbail("Fake PAM initialization failed");
+    is_int(PAM_BAD_ITEM, pam_putenv(pamh, "TEST"), "delete when NULL");
+    ok(pam_getenv(pamh, "TEST") == NULL, "getenv when NULL");
+    env = pam_getenvlist(pamh);
+    ok(env != NULL, "getenvlist when NULL returns non-NULL");
+    if (env == NULL)
+        bail("pam_getenvlist returned NULL");
+    is_string(NULL, env[0], "...but first element is NULL");
+    for (i = 0; env[i] != NULL; i++)
+        free(env[i]);
+    free(env);
+
+    /* putenv and getenv. */
+    is_int(PAM_SUCCESS, pam_putenv(pamh, "TEST=foo"), "putenv TEST");
+    is_string("foo", pam_getenv(pamh, "TEST"), "getenv TEST");
+    is_int(PAM_SUCCESS, pam_putenv(pamh, "FOO=bar"), "putenv FOO");
+    is_int(PAM_SUCCESS, pam_putenv(pamh, "BAR=baz"), "putenv BAR");
+    is_string("foo", pam_getenv(pamh, "TEST"), "getenv TEST");
+    is_string("bar", pam_getenv(pamh, "FOO"), "getenv FOO");
+    is_string("baz", pam_getenv(pamh, "BAR"), "getenv BAR");
+    ok(pam_getenv(pamh, "BAZ") == NULL, "getenv BAZ is NULL");
+
+    /* Replacing and deleting environment variables. */
+    is_int(PAM_BAD_ITEM, pam_putenv(pamh, "BAZ"), "putenv nonexistent delete");
+    is_int(PAM_SUCCESS, pam_putenv(pamh, "FOO=foo"), "putenv replace");
+    is_int(PAM_SUCCESS, pam_putenv(pamh, "FOON=bar=n"), "putenv prefix");
+    is_string("foo", pam_getenv(pamh, "FOO"), "getenv FOO");
+    is_string("bar=n", pam_getenv(pamh, "FOON"), "getenv FOON");
+    is_int(PAM_BAD_ITEM, pam_putenv(pamh, "FO"), "putenv delete FO");
+    is_int(PAM_SUCCESS, pam_putenv(pamh, "FOO"), "putenv delete FOO");
+    ok(pam_getenv(pamh, "FOO") == NULL, "getenv FOO is NULL");
+    is_string("bar=n", pam_getenv(pamh, "FOON"), "getenv FOON");
+    is_string("baz", pam_getenv(pamh, "BAR"), "getenv BAR");
+
+    /* pam_getenvlist. */
+    env = pam_getenvlist(pamh);
+    ok(env != NULL, "getenvlist not NULL");
+    if (env == NULL)
+        bail("pam_getenvlist returned NULL");
+    is_string("TEST=foo", env[0], "getenvlist TEST");
+    is_string("BAR=baz", env[1], "getenvlist BAR");
+    is_string("FOON=bar=n", env[2], "getenvlist FOON");
+    ok(env[3] == NULL, "getenvlist length");
+    for (i = 0; env[i] != NULL; i++)
+        free(env[i]);
+    free(env);
+    is_int(PAM_SUCCESS, pam_putenv(pamh, "FOO=foo"), "putenv FOO");
+    is_string("TEST=foo", pamh->environ[0], "pamh environ TEST");
+    is_string("BAR=baz", pamh->environ[1], "pamh environ BAR");
+    is_string("FOON=bar=n", pamh->environ[2], "pamh environ FOON");
+    is_string("FOO=foo", pamh->environ[3], "pamh environ FOO");
+    ok(pamh->environ[4] == NULL, "pamh environ length");
+
+    pam_end(pamh, 0);
+
+    return 0;
+}
diff --git a/tests/pam-util/logging-t.c b/tests/pam-util/logging-t.c
new file mode 100644
index 000000000000..84072bd6b91a
--- /dev/null
+++ b/tests/pam-util/logging-t.c
@@ -0,0 +1,146 @@
+/*
+ * PAM logging test suite.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2010-2013
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <config.h>
+#include <portable/pam.h>
+#include <portable/system.h>
+
+#include <syslog.h>
+
+#include <pam-util/args.h>
+#include <pam-util/logging.h>
+#include <tests/fakepam/pam.h>
+#include <tests/tap/basic.h>
+#include <tests/tap/string.h>
+
+/* Test a normal PAM logging function. */
+#define TEST(func, p, n)                                          \
+    do {                                                          \
+        (func)(args, "%s", "foo");                                \
+        seen = pam_output();                                      \
+        is_int((p), seen->lines[0].priority, "priority %d", (p)); \
+        is_string("foo", seen->lines[0].line, "line %s", (n));    \
+        pam_output_free(seen);                                    \
+    } while (0)
+
+/* Test a PAM error logging function. */
+#define TEST_PAM(func, c, p, n)                                   \
+    do {                                                          \
+        (func)(args, (c), "%s", "bar");                           \
+        if ((c) == PAM_SUCCESS)                                   \
+            expected = strdup("bar");                             \
+        else                                                      \
+            basprintf(&expected, "%s: %s", "bar",                 \
+                      pam_strerror(args->pamh, c));               \
+        seen = pam_output();                                      \
+        is_int((p), seen->lines[0].priority, "priority %s", (n)); \
+        is_string(expected, seen->lines[0].line, "line %s", (n)); \
+        pam_output_free(seen);                                    \
+        free(expected);                                           \
+    } while (0)
+
+/* Test a PAM Kerberos error logging function .*/
+#define TEST_KRB5(func, p, n)                                             \
+    do {                                                                  \
+        const char *msg;                                                  \
+                                                                          \
+        code = krb5_parse_name(args->ctx, "foo@bar@EXAMPLE.COM", &princ); \
+        (func)(args, code, "%s", "krb");                                  \
+        code = krb5_parse_name(args->ctx, "foo@bar@EXAMPLE.COM", &princ); \
+        msg = krb5_get_error_message(args->ctx, code);                    \
+        basprintf(&expected, "%s: %s", "krb", msg);                       \
+        seen = pam_output();                                              \
+        is_int((p), seen->lines[0].priority, "priority %s", (n));         \
+        is_string(expected, seen->lines[0].line, "line %s", (n));         \
+        pam_output_free(seen);                                            \
+        free(expected);                                                   \
+        krb5_free_error_message(args->ctx, msg);                          \
+    } while (0)
+
+
+int
+main(void)
+{
+    pam_handle_t *pamh;
+    struct pam_args *args;
+    struct pam_conv conv = {NULL, NULL};
+    char *expected;
+    struct output *seen;
+#ifdef HAVE_KRB5
+    krb5_error_code code;
+    krb5_principal princ;
+#endif
+
+    plan(27);
+
+    if (pam_start("test", NULL, &conv, &pamh) != PAM_SUCCESS)
+        sysbail("Fake PAM initialization failed");
+    args = putil_args_new(pamh, 0);
+    if (args == NULL)
+        bail("cannot create PAM argument struct");
+    TEST(putil_crit, LOG_CRIT, "putil_crit");
+    TEST(putil_err, LOG_ERR, "putil_err");
+    putil_debug(args, "%s", "foo");
+    ok(pam_output() == NULL, "putil_debug without debug on");
+    args->debug = true;
+    TEST(putil_debug, LOG_DEBUG, "putil_debug");
+    args->debug = false;
+
+    TEST_PAM(putil_crit_pam, PAM_SYSTEM_ERR, LOG_CRIT, "putil_crit_pam S");
+    TEST_PAM(putil_crit_pam, PAM_BUF_ERR, LOG_CRIT, "putil_crit_pam B");
+    TEST_PAM(putil_crit_pam, PAM_SUCCESS, LOG_CRIT, "putil_crit_pam ok");
+    TEST_PAM(putil_err_pam, PAM_SYSTEM_ERR, LOG_ERR, "putil_err_pam");
+    putil_debug_pam(args, PAM_SYSTEM_ERR, "%s", "bar");
+    ok(pam_output() == NULL, "putil_debug_pam without debug on");
+    args->debug = true;
+    TEST_PAM(putil_debug_pam, PAM_SYSTEM_ERR, LOG_DEBUG, "putil_debug_pam");
+    TEST_PAM(putil_debug_pam, PAM_SUCCESS, LOG_DEBUG, "putil_debug_pam ok");
+    args->debug = false;
+
+#ifdef HAVE_KRB5
+    TEST_KRB5(putil_crit_krb5, LOG_CRIT, "putil_crit_krb5");
+    TEST_KRB5(putil_err_krb5, LOG_ERR, "putil_err_krb5");
+    code = krb5_parse_name(args->ctx, "foo@bar@EXAMPLE.COM", &princ);
+    putil_debug_krb5(args, code, "%s", "krb");
+    ok(pam_output() == NULL, "putil_debug_krb5 without debug on");
+    args->debug = true;
+    TEST_KRB5(putil_debug_krb5, LOG_DEBUG, "putil_debug_krb5");
+    args->debug = false;
+#else
+    skip_block(4, "not built with Kerberos support");
+#endif
+
+    putil_args_free(args);
+    pam_end(pamh, 0);
+
+    return 0;
+}
diff --git a/tests/pam-util/options-t.c b/tests/pam-util/options-t.c
new file mode 100644
index 000000000000..f8b76730fb2d
--- /dev/null
+++ b/tests/pam-util/options-t.c
@@ -0,0 +1,458 @@
+/*
+ * PAM option parsing test suite.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2010-2014
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <config.h>
+#include <portable/pam.h>
+#include <portable/system.h>
+
+#include <syslog.h>
+
+#include <pam-util/args.h>
+#include <pam-util/options.h>
+#include <pam-util/vector.h>
+#include <tests/fakepam/pam.h>
+#include <tests/tap/basic.h>
+#include <tests/tap/string.h>
+
+/* The configuration struct we will use for testing. */
+struct pam_config {
+    struct vector *cells;
+    bool debug;
+#ifdef HAVE_KRB5
+    krb5_deltat expires;
+#else
+    long expires;
+#endif
+    bool ignore_root;
+    long minimum_uid;
+    char *program;
+};
+
+#define K(name) (#name), offsetof(struct pam_config, name)
+
+/* The rules specifying the configuration options. */
+static struct option options[] = {
+    /* clang-format off */
+    { K(cells),       true,  LIST   (NULL)  },
+    { K(debug),       true,  BOOL   (false) },
+    { K(expires),     true,  TIME   (10)    },
+    { K(ignore_root), false, BOOL   (true)  },
+    { K(minimum_uid), true,  NUMBER (0)     },
+    { K(program),     true,  STRING (NULL)  },
+    /* clang-format on */
+};
+static const size_t optlen = sizeof(options) / sizeof(options[0]);
+
+/*
+ * A macro used to parse the various ways of spelling booleans.  This reuses
+ * the argv_bool variable, setting it to the first value provided and then
+ * calling putil_args_parse() on it.  It then checks whether the provided
+ * config option is set to the expected value.
+ */
+#define TEST_BOOL(a, c, v)                                              \
+    do {                                                                \
+        argv_bool[0] = (a);                                             \
+        status = putil_args_parse(args, 1, argv_bool, options, optlen); \
+        ok(status, "Parse of %s", (a));                                 \
+        is_int((v), (c), "...and value is correct");                    \
+        ok(pam_output() == NULL, "...and no output");                   \
+    } while (0)
+
+/*
+ * A macro used to test error reporting from putil_args_parse().  This reuses
+ * the argv_err variable, setting it to the first value provided and then
+ * calling putil_args_parse() on it.  It then recovers the error message and
+ * expects it to match the severity and error message given.
+ */
+#define TEST_ERROR(a, p, e)                                                  \
+    do {                                                                     \
+        argv_err[0] = (a);                                                   \
+        status = putil_args_parse(args, 1, argv_err, options, optlen);       \
+        ok(status, "Parse of %s", (a));                                      \
+        seen = pam_output();                                                 \
+        if (seen == NULL)                                                    \
+            ok_block(2, false, "...no error output");                        \
+        else {                                                               \
+            is_int((p), seen->lines[0].priority, "...priority for %s", (a)); \
+            is_string((e), seen->lines[0].line, "...error for %s", (a));     \
+        }                                                                    \
+        pam_output_free(seen);                                               \
+    } while (0)
+
+
+/*
+ * Allocate and initialize a new struct config.
+ */
+static struct pam_config *
+config_new(void)
+{
+    return bcalloc(1, sizeof(struct pam_config));
+}
+
+
+/*
+ * Free a struct config and all of its members.
+ */
+static void
+config_free(struct pam_config *config)
+{
+    if (config == NULL)
+        return;
+    vector_free(config->cells);
+    free(config->program);
+    free(config);
+}
+
+
+int
+main(void)
+{
+    pam_handle_t *pamh;
+    struct pam_args *args;
+    struct pam_conv conv = {NULL, NULL};
+    bool status;
+    struct vector *cells;
+    char *program;
+    struct output *seen;
+    const char *argv_bool[2] = {NULL, NULL};
+    const char *argv_err[2] = {NULL, NULL};
+    const char *argv_empty[] = {NULL};
+#ifdef HAVE_KRB5
+    const char *argv_all[] = {"cells=stanford.edu,ir.stanford.edu",
+                              "debug",
+                              "expires=1d",
+                              "ignore_root",
+                              "minimum_uid=1000",
+                              "program=/bin/true"};
+    char *krb5conf;
+#else
+    const char *argv_all[] = {"cells=stanford.edu,ir.stanford.edu",
+                              "debug",
+                              "expires=86400",
+                              "ignore_root",
+                              "minimum_uid=1000",
+                              "program=/bin/true"};
+#endif
+
+    if (pam_start("test", NULL, &conv, &pamh) != PAM_SUCCESS)
+        sysbail("cannot create pam_handle_t");
+    args = putil_args_new(pamh, 0);
+    if (args == NULL)
+        bail("cannot create PAM argument struct");
+
+    plan(161);
+
+    /* First, check just the defaults. */
+    args->config = config_new();
+    status = putil_args_defaults(args, options, optlen);
+    ok(status, "Setting the defaults");
+    ok(args->config->cells == NULL, "...cells default");
+    is_int(false, args->config->debug, "...debug default");
+    is_int(10, args->config->expires, "...expires default");
+    is_int(true, args->config->ignore_root, "...ignore_root default");
+    is_int(0, args->config->minimum_uid, "...minimum_uid default");
+    ok(args->config->program == NULL, "...program default");
+
+    /* Now parse an empty set of PAM arguments.  Nothing should change. */
+    status = putil_args_parse(args, 0, argv_empty, options, optlen);
+    ok(status, "Parse of empty argv");
+    ok(args->config->cells == NULL, "...cells still default");
+    is_int(false, args->config->debug, "...debug still default");
+    is_int(10, args->config->expires, "...expires default");
+    is_int(true, args->config->ignore_root, "...ignore_root still default");
+    is_int(0, args->config->minimum_uid, "...minimum_uid still default");
+    ok(args->config->program == NULL, "...program still default");
+
+    /* Now, check setting everything. */
+    status = putil_args_parse(args, 6, argv_all, options, optlen);
+    ok(status, "Parse of full argv");
+    if (args->config->cells == NULL)
+        ok_block(4, false, "...cells is set");
+    else {
+        ok(args->config->cells != NULL, "...cells is set");
+        is_int(2, args->config->cells->count, "...with two cells");
+        is_string("stanford.edu", args->config->cells->strings[0],
+                  "...first is stanford.edu");
+        is_string("ir.stanford.edu", args->config->cells->strings[1],
+                  "...second is ir.stanford.edu");
+    }
+    is_int(true, args->config->debug, "...debug is set");
+    is_int(86400, args->config->expires, "...expires is set");
+    is_int(true, args->config->ignore_root, "...ignore_root is set");
+    is_int(1000, args->config->minimum_uid, "...minimum_uid is set");
+    is_string("/bin/true", args->config->program, "...program is set");
+    config_free(args->config);
+    args->config = NULL;
+
+    /* Test deep copying of defaults. */
+    cells = vector_new();
+    if (cells == NULL)
+        sysbail("cannot allocate memory");
+    vector_add(cells, "foo.com");
+    vector_add(cells, "bar.com");
+    options[0].defaults.list = cells;
+    program = strdup("/bin/false");
+    if (program == NULL)
+        sysbail("cannot allocate memory");
+    options[5].defaults.string = program;
+    args->config = config_new();
+    status = putil_args_defaults(args, options, optlen);
+    ok(status, "Setting defaults with new defaults");
+    if (args->config->cells == NULL)
+        ok_block(4, false, "...cells is set");
+    else {
+        ok(args->config->cells != NULL, "...cells is set");
+        is_int(2, args->config->cells->count, "...with two cells");
+        is_string("foo.com", args->config->cells->strings[0],
+                  "...first is foo.com");
+        is_string("bar.com", args->config->cells->strings[1],
+                  "...second is bar.com");
+    }
+    is_string("/bin/false", args->config->program, "...program is /bin/false");
+    status = putil_args_parse(args, 6, argv_all, options, optlen);
+    ok(status, "Parse of full argv after defaults");
+    if (args->config->cells == NULL)
+        ok_block(4, false, "...cells is set");
+    else {
+        ok(args->config->cells != NULL, "...cells is set");
+        is_int(2, args->config->cells->count, "...with two cells");
+        is_string("stanford.edu", args->config->cells->strings[0],
+                  "...first is stanford.edu");
+        is_string("ir.stanford.edu", args->config->cells->strings[1],
+                  "...second is ir.stanford.edu");
+    }
+    is_int(true, args->config->debug, "...debug is set");
+    is_int(86400, args->config->expires, "...expires is set");
+    is_int(true, args->config->ignore_root, "...ignore_root is set");
+    is_int(1000, args->config->minimum_uid, "...minimum_uid is set");
+    is_string("/bin/true", args->config->program, "...program is set");
+    is_string("foo.com", cells->strings[0], "...first cell after parse");
+    is_string("bar.com", cells->strings[1], "...second cell after parse");
+    is_string("/bin/false", program, "...string after parse");
+    config_free(args->config);
+    args->config = NULL;
+    is_string("foo.com", cells->strings[0], "...first cell after free");
+    is_string("bar.com", cells->strings[1], "...second cell after free");
+    is_string("/bin/false", program, "...string after free");
+    options[0].defaults.list = NULL;
+    options[5].defaults.string = NULL;
+    vector_free(cells);
+    free(program);
+
+    /* Test specifying the default for a vector parameter as a string. */
+    options[0].type = TYPE_STRLIST;
+    options[0].defaults.string = "foo.com,bar.com";
+    args->config = config_new();
+    status = putil_args_defaults(args, options, optlen);
+    ok(status, "Setting defaults with string default for vector");
+    if (args->config->cells == NULL)
+        ok_block(4, false, "...cells is set");
+    else {
+        ok(args->config->cells != NULL, "...cells is set");
+        is_int(2, args->config->cells->count, "...with two cells");
+        is_string("foo.com", args->config->cells->strings[0],
+                  "...first is foo.com");
+        is_string("bar.com", args->config->cells->strings[1],
+                  "...second is bar.com");
+    }
+    config_free(args->config);
+    args->config = NULL;
+    options[0].type = TYPE_LIST;
+    options[0].defaults.string = NULL;
+
+    /* Should be no errors so far. */
+    ok(pam_output() == NULL, "No errors so far");
+
+    /* Test various ways of spelling booleans. */
+    args->config = config_new();
+    TEST_BOOL("debug", args->config->debug, true);
+    TEST_BOOL("debug=false", args->config->debug, false);
+    TEST_BOOL("debug=true", args->config->debug, true);
+    TEST_BOOL("debug=no", args->config->debug, false);
+    TEST_BOOL("debug=yes", args->config->debug, true);
+    TEST_BOOL("debug=off", args->config->debug, false);
+    TEST_BOOL("debug=on", args->config->debug, true);
+    TEST_BOOL("debug=0", args->config->debug, false);
+    TEST_BOOL("debug=1", args->config->debug, true);
+    TEST_BOOL("debug=False", args->config->debug, false);
+    TEST_BOOL("debug=trUe", args->config->debug, true);
+    TEST_BOOL("debug=No", args->config->debug, false);
+    TEST_BOOL("debug=Yes", args->config->debug, true);
+    TEST_BOOL("debug=OFF", args->config->debug, false);
+    TEST_BOOL("debug=ON", args->config->debug, true);
+    config_free(args->config);
+    args->config = NULL;
+
+    /* Test for various parsing errors. */
+    args->config = config_new();
+    TEST_ERROR("debug=", LOG_ERR, "invalid boolean in setting: debug=");
+    TEST_ERROR("debug=truth", LOG_ERR,
+               "invalid boolean in setting: debug=truth");
+    TEST_ERROR("minimum_uid", LOG_ERR, "value missing for option minimum_uid");
+    TEST_ERROR("minimum_uid=", LOG_ERR,
+               "value missing for option minimum_uid=");
+    TEST_ERROR("minimum_uid=foo", LOG_ERR,
+               "invalid number in setting: minimum_uid=foo");
+    TEST_ERROR("minimum_uid=1000foo", LOG_ERR,
+               "invalid number in setting: minimum_uid=1000foo");
+    TEST_ERROR("program", LOG_ERR, "value missing for option program");
+    TEST_ERROR("cells", LOG_ERR, "value missing for option cells");
+    config_free(args->config);
+    args->config = NULL;
+
+#ifdef HAVE_KRB5
+
+    /* Test for Kerberos krb5.conf option parsing. */
+    krb5conf = test_file_path("data/krb5-pam.conf");
+    if (krb5conf == NULL)
+        bail("cannot find data/krb5-pam.conf");
+    if (setenv("KRB5_CONFIG", krb5conf, 1) < 0)
+        sysbail("cannot set KRB5_CONFIG");
+    krb5_free_context(args->ctx);
+    status = krb5_init_context(&args->ctx);
+    if (status != 0)
+        bail("cannot parse test krb5.conf file");
+    args->config = config_new();
+    status = putil_args_defaults(args, options, optlen);
+    ok(status, "Setting the defaults");
+    status = putil_args_krb5(args, "testing", options, optlen);
+    ok(status, "Options from krb5.conf");
+    ok(args->config->cells == NULL, "...cells default");
+    is_int(true, args->config->debug, "...debug set from krb5.conf");
+    is_int(1800, args->config->expires, "...expires set from krb5.conf");
+    is_int(true, args->config->ignore_root, "...ignore_root default");
+    is_int(1000, args->config->minimum_uid,
+           "...minimum_uid set from krb5.conf");
+    ok(args->config->program == NULL, "...program default");
+    status = putil_args_krb5(args, "other-test", options, optlen);
+    ok(status, "Options from krb5.conf (other-test)");
+    is_int(-1000, args->config->minimum_uid,
+           "...minimum_uid set from krb5.conf other-test");
+
+    /* Test with a realm set, which should expose more settings. */
+    krb5_free_context(args->ctx);
+    status = krb5_init_context(&args->ctx);
+    if (status != 0)
+        bail("cannot parse test krb5.conf file");
+    args->realm = strdup("FOO.COM");
+    if (args->realm == NULL)
+        sysbail("cannot allocate memory");
+    status = putil_args_krb5(args, "testing", options, optlen);
+    ok(status, "Options from krb5.conf with FOO.COM");
+    is_int(2, args->config->cells->count, "...cells count from krb5.conf");
+    is_string("foo.com", args->config->cells->strings[0],
+              "...first cell from krb5.conf");
+    is_string("bar.com", args->config->cells->strings[1],
+              "...second cell from krb5.conf");
+    is_int(true, args->config->debug, "...debug set from krb5.conf");
+    is_int(1800, args->config->expires, "...expires set from krb5.conf");
+    is_int(true, args->config->ignore_root, "...ignore_root default");
+    is_int(1000, args->config->minimum_uid,
+           "...minimum_uid set from krb5.conf");
+    is_string("/bin/false", args->config->program,
+              "...program from krb5.conf");
+
+    /* Test with a different realm. */
+    free(args->realm);
+    args->realm = strdup("BAR.COM");
+    if (args->realm == NULL)
+        sysbail("cannot allocate memory");
+    status = putil_args_krb5(args, "testing", options, optlen);
+    ok(status, "Options from krb5.conf with BAR.COM");
+    is_int(2, args->config->cells->count, "...cells count from krb5.conf");
+    is_string("bar.com", args->config->cells->strings[0],
+              "...first cell from krb5.conf");
+    is_string("foo.com", args->config->cells->strings[1],
+              "...second cell from krb5.conf");
+    is_int(true, args->config->debug, "...debug set from krb5.conf");
+    is_int(1800, args->config->expires, "...expires set from krb5.conf");
+    is_int(true, args->config->ignore_root, "...ignore_root default");
+    is_int(1000, args->config->minimum_uid,
+           "...minimum_uid set from krb5.conf");
+    is_string("echo /bin/true", args->config->program,
+              "...program from krb5.conf");
+    config_free(args->config);
+    args->config = config_new();
+    status = putil_args_krb5(args, "other-test", options, optlen);
+    ok(status, "Options from krb5.conf (other-test with realm)");
+    ok(args->config->cells == NULL, "...cells is NULL");
+    is_string("echo /bin/true", args->config->program,
+              "...program from krb5.conf");
+    config_free(args->config);
+    args->config = NULL;
+
+    /* Test for time parsing errors. */
+    args->config = config_new();
+    TEST_ERROR("expires=ft87", LOG_ERR,
+               "bad time value in setting: expires=ft87");
+    config_free(args->config);
+
+    /* Test error reporting from the krb5.conf parser. */
+    args->config = config_new();
+    status = putil_args_krb5(args, "bad-number", options, optlen);
+    ok(status, "Options from krb5.conf (bad-number)");
+    seen = pam_output();
+    is_string("invalid number in krb5.conf setting for minimum_uid: 1000foo",
+              seen->lines[0].line, "...and correct error reported");
+    is_int(LOG_ERR, seen->lines[0].priority, "...with correct priority");
+    pam_output_free(seen);
+    config_free(args->config);
+    args->config = NULL;
+
+    /* Test error reporting on times from the krb5.conf parser. */
+    args->config = config_new();
+    status = putil_args_krb5(args, "bad-time", options, optlen);
+    ok(status, "Options from krb5.conf (bad-time)");
+    seen = pam_output();
+    if (seen == NULL)
+        ok_block(2, false, "...no error output");
+    else {
+        is_string("invalid time in krb5.conf setting for expires: ft87",
+                  seen->lines[0].line, "...and correct error reported");
+        is_int(LOG_ERR, seen->lines[0].priority, "...with correct priority");
+    }
+    pam_output_free(seen);
+    config_free(args->config);
+    args->config = NULL;
+
+    test_file_path_free(krb5conf);
+
+#else /* !HAVE_KRB5 */
+
+    skip_block(37, "Kerberos support not configured");
+
+#endif
+
+    putil_args_free(args);
+    pam_end(pamh, 0);
+    return 0;
+}
diff --git a/tests/pam-util/vector-t.c b/tests/pam-util/vector-t.c
new file mode 100644
index 000000000000..d7b87e36d8f4
--- /dev/null
+++ b/tests/pam-util/vector-t.c
@@ -0,0 +1,149 @@
+/*
+ * PAM utility vector library test suite.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2014, 2016, 2018-2019 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2010-2011, 2013
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Copying and distribution of this file, with or without modification, are
+ * permitted in any medium without royalty provided the copyright notice and
+ * this notice are preserved.  This file is offered as-is, without any
+ * warranty.
+ *
+ * SPDX-License-Identifier: FSFAP
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <sys/wait.h>
+
+#include <pam-util/vector.h>
+#include <tests/tap/basic.h>
+#include <tests/tap/string.h>
+
+
+int
+main(void)
+{
+    struct vector *vector, *ovector, *copy;
+    char *command, *string;
+    const char *env[2];
+    pid_t child;
+    size_t i;
+    const char cstring[] = "This is a\ttest.  ";
+
+    plan(60);
+
+    vector = vector_new();
+    ok(vector != NULL, "vector_new returns non-NULL");
+    if (vector == NULL)
+        bail("vector_new returned NULL");
+    ok(vector_add(vector, cstring), "vector_add succeeds");
+    is_int(1, vector->count, "vector_add increases count");
+    ok(vector->strings[0] != cstring, "...and allocated new memory");
+    ok(vector_resize(vector, 4), "vector_resize succeeds");
+    is_int(4, vector->allocated, "vector_resize works");
+    ok(vector_add(vector, cstring), "vector_add #2");
+    ok(vector_add(vector, cstring), "vector_add #3");
+    ok(vector_add(vector, cstring), "vector_add #4");
+    is_int(4, vector->allocated, "...and no reallocation when adding strings");
+    is_int(4, vector->count, "...and the count matches");
+    is_string(cstring, vector->strings[0], "added the right string");
+    is_string(cstring, vector->strings[1], "added the right string");
+    is_string(cstring, vector->strings[2], "added the right string");
+    is_string(cstring, vector->strings[3], "added the right string");
+    ok(vector->strings[1] != vector->strings[2], "each pointer is different");
+    ok(vector->strings[2] != vector->strings[3], "each pointer is different");
+    ok(vector->strings[3] != vector->strings[0], "each pointer is different");
+    ok(vector->strings[0] != cstring, "each pointer is different");
+    copy = vector_copy(vector);
+    ok(copy != NULL, "vector_copy returns non-NULL");
+    if (copy == NULL)
+        bail("vector_copy returned NULL");
+    is_int(4, copy->count, "...and has right count");
+    is_int(4, copy->allocated, "...and has right allocated count");
+    for (i = 0; i < 4; i++) {
+        is_string(cstring, copy->strings[i], "...and string %lu is right",
+                  (unsigned long) i);
+        ok(copy->strings[i] != vector->strings[i],
+           "...and pointer %lu is different", (unsigned long) i);
+    }
+    vector_free(copy);
+    vector_clear(vector);
+    is_int(0, vector->count, "vector_clear works");
+    is_int(4, vector->allocated, "...but doesn't free the allocation");
+    string = strdup(cstring);
+    if (string == NULL)
+        sysbail("cannot allocate memory");
+    ok(vector_add(vector, cstring), "vector_add succeeds");
+    ok(vector_add(vector, string), "vector_add succeeds");
+    is_int(2, vector->count, "added two strings to the vector");
+    ok(vector->strings[1] != string, "...and the pointers are different");
+    ok(vector_resize(vector, 1), "vector_resize succeeds");
+    is_int(1, vector->count, "vector_resize shrinks the vector");
+    ok(vector->strings[0] != cstring, "...and the pointer is different");
+    vector_free(vector);
+    free(string);
+
+    vector = vector_split_multi("foo, bar, baz", ", ", NULL);
+    ok(vector != NULL, "vector_split_multi returns non-NULL");
+    if (vector == NULL)
+        bail("vector_split_multi returned NULL");
+    is_int(3, vector->count, "vector_split_multi returns right count");
+    is_string("foo", vector->strings[0], "...first string");
+    is_string("bar", vector->strings[1], "...second string");
+    is_string("baz", vector->strings[2], "...third string");
+    ovector = vector;
+    vector = vector_split_multi("", ", ", vector);
+    ok(vector != NULL, "reuse of vector doesn't return NULL");
+    ok(vector == ovector, "...and reuses the same vector pointer");
+    is_int(0, vector->count, "vector_split_multi reuse with empty string");
+    is_int(3, vector->allocated, "...and doesn't free allocation");
+    vector = vector_split_multi(",,,  foo,   ", ", ", vector);
+    ok(vector != NULL, "reuse of vector doesn't return NULL");
+    is_int(1, vector->count, "vector_split_multi with extra separators");
+    is_string("foo", vector->strings[0], "...first string");
+    vector = vector_split_multi(", ,  ", ", ", vector);
+    is_int(0, vector->count, "vector_split_multi with only separators");
+    vector_free(vector);
+
+    vector = vector_new();
+    ok(vector_add(vector, "/bin/sh"), "vector_add succeeds");
+    ok(vector_add(vector, "-c"), "vector_add succeeds");
+    basprintf(&command, "echo ok %lu - vector_exec", testnum++);
+    ok(vector_add(vector, command), "vector_add succeeds");
+    child = fork();
+    if (child < 0)
+        sysbail("unable to fork");
+    else if (child == 0)
+        if (vector_exec("/bin/sh", vector) < 0)
+            sysdiag("unable to exec /bin/sh");
+    waitpid(child, NULL, 0);
+    vector_free(vector);
+    free(command);
+
+    vector = vector_new();
+    ok(vector_add(vector, "/bin/sh"), "vector_add succeeds");
+    ok(vector_add(vector, "-c"), "vector_add succeeds");
+    ok(vector_add(vector, "echo ok $NUMBER - vector_exec_env"),
+       "vector_add succeeds");
+    basprintf(&string, "NUMBER=%lu", testnum++);
+    env[0] = string;
+    env[1] = NULL;
+    child = fork();
+    if (child < 0)
+        sysbail("unable to fork");
+    else if (child == 0)
+        if (vector_exec_env("/bin/sh", vector, env) < 0)
+            sysdiag("unable to exec /bin/sh");
+    waitpid(child, NULL, 0);
+    vector_free(vector);
+    free(string);
+
+    return 0;
+}
diff --git a/tests/portable/asprintf-t.c b/tests/portable/asprintf-t.c
new file mode 100644
index 000000000000..3b10a6622c31
--- /dev/null
+++ b/tests/portable/asprintf-t.c
@@ -0,0 +1,69 @@
+/*
+ * asprintf and vasprintf test suite.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2014, 2018 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2006-2009, 2011
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Copying and distribution of this file, with or without modification, are
+ * permitted in any medium without royalty provided the copyright notice and
+ * this notice are preserved.  This file is offered as-is, without any
+ * warranty.
+ *
+ * SPDX-License-Identifier: FSFAP
+ */
+
+#include <config.h>
+#include <portable/macros.h>
+#include <portable/system.h>
+
+#include <tests/tap/basic.h>
+
+int test_asprintf(char **, const char *, ...)
+    __attribute__((__format__(printf, 2, 3)));
+int test_vasprintf(char **, const char *, va_list)
+    __attribute__((__format__(printf, 2, 0)));
+
+static int __attribute__((__format__(printf, 2, 3)))
+vatest(char **result, const char *format, ...)
+{
+    va_list args;
+    int status;
+
+    va_start(args, format);
+    status = test_vasprintf(result, format, args);
+    va_end(args);
+    return status;
+}
+
+int
+main(void)
+{
+    char *result = NULL;
+
+    plan(12);
+
+    is_int(7, test_asprintf(&result, "%s", "testing"), "asprintf length");
+    is_string("testing", result, "asprintf result");
+    free(result);
+    ok(3, "free asprintf");
+    is_int(0, test_asprintf(&result, "%s", ""), "asprintf empty length");
+    is_string("", result, "asprintf empty string");
+    free(result);
+    ok(6, "free asprintf of empty string");
+
+    is_int(6, vatest(&result, "%d %s", 2, "test"), "vasprintf length");
+    is_string("2 test", result, "vasprintf result");
+    free(result);
+    ok(9, "free vasprintf");
+    is_int(0, vatest(&result, "%s", ""), "vasprintf empty length");
+    is_string("", result, "vasprintf empty string");
+    free(result);
+    ok(12, "free vasprintf of empty string");
+
+    return 0;
+}
diff --git a/tests/portable/asprintf.c b/tests/portable/asprintf.c
new file mode 100644
index 000000000000..221c9932c5cd
--- /dev/null
+++ b/tests/portable/asprintf.c
@@ -0,0 +1,2 @@
+#define TESTING 1
+#include <portable/asprintf.c>
diff --git a/tests/portable/mkstemp-t.c b/tests/portable/mkstemp-t.c
new file mode 100644
index 000000000000..dc268210f063
--- /dev/null
+++ b/tests/portable/mkstemp-t.c
@@ -0,0 +1,81 @@
+/*
+ * mkstemp test suite.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2009, 2011
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Copying and distribution of this file, with or without modification, are
+ * permitted in any medium without royalty provided the copyright notice and
+ * this notice are preserved.  This file is offered as-is, without any
+ * warranty.
+ *
+ * SPDX-License-Identifier: FSFAP
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <errno.h>
+#include <sys/stat.h>
+
+#include <tests/tap/basic.h>
+
+int test_mkstemp(char *template);
+
+int
+main(void)
+{
+    int fd;
+    char template[] = "tsXXXXXXX";
+    char tooshort[] = "XXXXX";
+    char bad1[] = "/foo/barXXXXX";
+    char bad2[] = "/foo/barXXXXXX.out";
+    char buffer[256];
+    struct stat st1, st2;
+    ssize_t length;
+
+    plan(20);
+
+    /* First, test a few error messages. */
+    errno = 0;
+    is_int(-1, test_mkstemp(tooshort), "too short of template");
+    is_int(EINVAL, errno, "...with correct errno");
+    is_string("XXXXX", tooshort, "...and template didn't change");
+    errno = 0;
+    is_int(-1, test_mkstemp(bad1), "bad template");
+    is_int(EINVAL, errno, "...with correct errno");
+    is_string("/foo/barXXXXX", bad1, "...and template didn't change");
+    errno = 0;
+    is_int(-1, test_mkstemp(bad2), "template doesn't end in XXXXXX");
+    is_int(EINVAL, errno, "...with correct errno");
+    is_string("/foo/barXXXXXX.out", bad2, "...and template didn't change");
+    errno = 0;
+
+    /* Now try creating a real file. */
+    fd = test_mkstemp(template);
+    ok(fd >= 0, "mkstemp works with valid template");
+    ok(strcmp(template, "tsXXXXXXX") != 0, "...and template changed");
+    ok(strncmp(template, "tsX", 3) == 0, "...and didn't touch first X");
+    ok(access(template, F_OK) == 0, "...and the file exists");
+
+    /* Make sure that it's the same file as template refers to now. */
+    ok(stat(template, &st1) == 0, "...and stat of template works");
+    ok(fstat(fd, &st2) == 0, "...and stat of open file descriptor works");
+    ok(st1.st_ino == st2.st_ino, "...and they're the same file");
+    unlink(template);
+
+    /* Make sure the open mode is correct. */
+    length = strlen(template);
+    is_int(length, write(fd, template, length), "write to open file works");
+    ok(lseek(fd, 0, SEEK_SET) == 0, "...and rewind works");
+    is_int(length, read(fd, buffer, length), "...and the data is there");
+    buffer[length] = '\0';
+    is_string(template, buffer, "...and matches what we wrote");
+    close(fd);
+
+    return 0;
+}
diff --git a/tests/portable/mkstemp.c b/tests/portable/mkstemp.c
new file mode 100644
index 000000000000..4632d3de86ed
--- /dev/null
+++ b/tests/portable/mkstemp.c
@@ -0,0 +1,2 @@
+#define TESTING 1
+#include <portable/mkstemp.c>
diff --git a/tests/portable/strndup-t.c b/tests/portable/strndup-t.c
new file mode 100644
index 000000000000..9bf28a31beec
--- /dev/null
+++ b/tests/portable/strndup-t.c
@@ -0,0 +1,60 @@
+/*
+ * strndup test suite.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2018 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011-2012
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Copying and distribution of this file, with or without modification, are
+ * permitted in any medium without royalty provided the copyright notice and
+ * this notice are preserved.  This file is offered as-is, without any
+ * warranty.
+ *
+ * SPDX-License-Identifier: FSFAP
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <errno.h>
+
+#include <tests/tap/basic.h>
+
+char *test_strndup(const char *, size_t);
+
+
+int
+main(void)
+{
+    char buffer[3];
+    char *result;
+
+    plan(7);
+
+    result = test_strndup("foo", 8);
+    is_string("foo", result, "strndup longer than string");
+    free(result);
+    result = test_strndup("foo", 2);
+    is_string("fo", result, "strndup shorter than string");
+    free(result);
+    result = test_strndup("foo", 3);
+    is_string("foo", result, "strndup same size as string");
+    free(result);
+    result = test_strndup("foo", 0);
+    is_string("", result, "strndup of size 0");
+    free(result);
+    memcpy(buffer, "foo", 3);
+    result = test_strndup(buffer, 3);
+    is_string("foo", result, "strndup of non-nul-terminated string");
+    free(result);
+    errno = 0;
+    result = test_strndup(NULL, 0);
+    is_string(NULL, result, "strndup of NULL");
+    is_int(errno, EINVAL, "...and returns EINVAL");
+
+    return 0;
+}
diff --git a/tests/portable/strndup.c b/tests/portable/strndup.c
new file mode 100644
index 000000000000..99c3bc13a744
--- /dev/null
+++ b/tests/portable/strndup.c
@@ -0,0 +1,2 @@
+#define TESTING 1
+#include <portable/strndup.c>
diff --git a/tests/runtests.c b/tests/runtests.c
new file mode 100644
index 000000000000..54ec1c93d08b
--- /dev/null
+++ b/tests/runtests.c
@@ -0,0 +1,1782 @@
+/*
+ * Run a set of tests, reporting results.
+ *
+ * Test suite driver that runs a set of tests implementing a subset of the
+ * Test Anything Protocol (TAP) and reports the results.
+ *
+ * Any bug reports, bug fixes, and improvements are very much welcome and
+ * should be sent to the e-mail address below.  This program is part of C TAP
+ * Harness <https://www.eyrie.org/~eagle/software/c-tap-harness/>.
+ *
+ * Copyright 2000-2001, 2004, 2006-2019 Russ Allbery <eagle@eyrie.org>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+/*
+ * Usage:
+ *
+ *      runtests [-hv] [-b <build-dir>] [-s <source-dir>] -l <test-list>
+ *      runtests [-hv] [-b <build-dir>] [-s <source-dir>] <test> [<test> ...]
+ *      runtests -o [-h] [-b <build-dir>] [-s <source-dir>] <test>
+ *
+ * In the first case, expects a list of executables located in the given file,
+ * one line per executable, possibly followed by a space-separated list of
+ * options.  For each one, runs it as part of a test suite, reporting results.
+ * In the second case, use the same infrastructure, but run only the tests
+ * listed on the command line.
+ *
+ * Test output should start with a line containing the number of tests
+ * (numbered from 1 to this number), optionally preceded by "1..", although
+ * that line may be given anywhere in the output.  Each additional line should
+ * be in the following format:
+ *
+ *      ok <number>
+ *      not ok <number>
+ *      ok <number> # skip
+ *      not ok <number> # todo
+ *
+ * where <number> is the number of the test.  An optional comment is permitted
+ * after the number if preceded by whitespace.  ok indicates success, not ok
+ * indicates failure.  "# skip" and "# todo" are a special cases of a comment,
+ * and must start with exactly that formatting.  They indicate the test was
+ * skipped for some reason (maybe because it doesn't apply to this platform)
+ * or is testing something known to currently fail.  The text following either
+ * "# skip" or "# todo" and whitespace is the reason.
+ *
+ * As a special case, the first line of the output may be in the form:
+ *
+ *      1..0 # skip some reason
+ *
+ * which indicates that this entire test case should be skipped and gives a
+ * reason.
+ *
+ * Any other lines are ignored, although for compliance with the TAP protocol
+ * all lines other than the ones in the above format should be sent to
+ * standard error rather than standard output and start with #.
+ *
+ * This is a subset of TAP as documented in Test::Harness::TAP or
+ * TAP::Parser::Grammar, which comes with Perl.
+ *
+ * If the -o option is given, instead run a single test and display all of its
+ * output.  This is intended for use with failing tests so that the person
+ * running the test suite can get more details about what failed.
+ *
+ * If built with the C preprocessor symbols C_TAP_SOURCE and C_TAP_BUILD
+ * defined, C TAP Harness will export those values in the environment so that
+ * tests can find the source and build directory and will look for tests under
+ * both directories.  These paths can also be set with the -b and -s
+ * command-line options, which will override anything set at build time.
+ *
+ * If the -v option is given, or the C_TAP_VERBOSE environment variable is set,
+ * display the full output of each test as it runs rather than showing a
+ * summary of the results of each test.
+ */
+
+/* Required for fdopen(), getopt(), and putenv(). */
+#if defined(__STRICT_ANSI__) || defined(PEDANTIC)
+#    ifndef _XOPEN_SOURCE
+#        define _XOPEN_SOURCE 500
+#    endif
+#endif
+
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <strings.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <unistd.h>
+
+/* sys/time.h must be included before sys/resource.h on some platforms. */
+#include <sys/resource.h>
+
+/* AIX 6.1 (and possibly later) doesn't have WCOREDUMP. */
+#ifndef WCOREDUMP
+#    define WCOREDUMP(status) ((unsigned) (status) &0x80)
+#endif
+
+/*
+ * POSIX requires that these be defined in <unistd.h>, but they're not always
+ * available.  If one of them has been defined, all the rest almost certainly
+ * have.
+ */
+#ifndef STDIN_FILENO
+#    define STDIN_FILENO  0
+#    define STDOUT_FILENO 1
+#    define STDERR_FILENO 2
+#endif
+
+/*
+ * Used for iterating through arrays.  Returns the number of elements in the
+ * array (useful for a < upper bound in a for loop).
+ */
+#define ARRAY_SIZE(array) (sizeof(array) / sizeof((array)[0]))
+
+/*
+ * The source and build versions of the tests directory.  This is used to set
+ * the C_TAP_SOURCE and C_TAP_BUILD environment variables (and the SOURCE and
+ * BUILD environment variables set for backward compatibility) and find test
+ * programs, if set.  Normally, this should be set as part of the build
+ * process to the test subdirectories of $(abs_top_srcdir) and
+ * $(abs_top_builddir) respectively.
+ */
+#ifndef C_TAP_SOURCE
+#    define C_TAP_SOURCE NULL
+#endif
+#ifndef C_TAP_BUILD
+#    define C_TAP_BUILD NULL
+#endif
+
+/* Test status codes. */
+enum test_status
+{
+    TEST_FAIL,
+    TEST_PASS,
+    TEST_SKIP,
+    TEST_INVALID
+};
+
+/* Really, just a boolean, but this is more self-documenting. */
+enum test_verbose
+{
+    CONCISE = 0,
+    VERBOSE = 1
+};
+
+/* Indicates the state of our plan. */
+enum plan_status
+{
+    PLAN_INIT,    /* Nothing seen yet. */
+    PLAN_FIRST,   /* Plan seen before any tests. */
+    PLAN_PENDING, /* Test seen and no plan yet. */
+    PLAN_FINAL    /* Plan seen after some tests. */
+};
+
+/* Error exit statuses for test processes. */
+#define CHILDERR_DUP    100 /* Couldn't redirect stderr or stdout. */
+#define CHILDERR_EXEC   101 /* Couldn't exec child process. */
+#define CHILDERR_STDIN  102 /* Couldn't open stdin file. */
+#define CHILDERR_STDERR 103 /* Couldn't open stderr file. */
+
+/* Structure to hold data for a set of tests. */
+struct testset {
+    char *file;                /* The file name of the test. */
+    char **command;            /* The argv vector to run the command. */
+    enum plan_status plan;     /* The status of our plan. */
+    unsigned long count;       /* Expected count of tests. */
+    unsigned long current;     /* The last seen test number. */
+    unsigned int length;       /* The length of the last status message. */
+    unsigned long passed;      /* Count of passing tests. */
+    unsigned long failed;      /* Count of failing lists. */
+    unsigned long skipped;     /* Count of skipped tests (passed). */
+    unsigned long allocated;   /* The size of the results table. */
+    enum test_status *results; /* Table of results by test number. */
+    unsigned int aborted;      /* Whether the set was aborted. */
+    unsigned int reported;     /* Whether the results were reported. */
+    int status;                /* The exit status of the test. */
+    unsigned int all_skipped;  /* Whether all tests were skipped. */
+    char *reason;              /* Why all tests were skipped. */
+};
+
+/* Structure to hold a linked list of test sets. */
+struct testlist {
+    struct testset *ts;
+    struct testlist *next;
+};
+
+/*
+ * Usage message.  Should be used as a printf format with four arguments: the
+ * path to runtests, given three times, and the usage_description.  This is
+ * split into variables to satisfy the pedantic ISO C90 limit on strings.
+ */
+static const char usage_message[] = "\
+Usage: %s [-hv] [-b <build-dir>] [-s <source-dir>] <test> ...\n\
+       %s [-hv] [-b <build-dir>] [-s <source-dir>] -l <test-list>\n\
+       %s -o [-h] [-b <build-dir>] [-s <source-dir>] <test>\n\
+\n\
+Options:\n\
+    -b <build-dir>      Set the build directory to <build-dir>\n\
+%s";
+static const char usage_extra[] = "\
+    -l <list>           Take the list of tests to run from <test-list>\n\
+    -o                  Run a single test rather than a list of tests\n\
+    -s <source-dir>     Set the source directory to <source-dir>\n\
+    -v                  Show the full output of each test\n\
+\n\
+runtests normally runs each test listed on the command line.  With the -l\n\
+option, it instead runs every test listed in a file.  With the -o option,\n\
+it instead runs a single test and shows its complete output.\n";
+
+/*
+ * Header used for test output.  %s is replaced by the file name of the list
+ * of tests.
+ */
+static const char banner[] = "\n\
+Running all tests listed in %s.  If any tests fail, run the failing\n\
+test program with runtests -o to see more details.\n\n";
+
+/* Header for reports of failed tests. */
+static const char header[] = "\n\
+Failed Set                 Fail/Total (%) Skip Stat  Failing Tests\n\
+-------------------------- -------------- ---- ----  ------------------------";
+
+/* Include the file name and line number in malloc failures. */
+#define xcalloc(n, type) \
+    ((type *) x_calloc((n), sizeof(type), __FILE__, __LINE__))
+#define xmalloc(size)     ((char *) x_malloc((size), __FILE__, __LINE__))
+#define xstrdup(p)        x_strdup((p), __FILE__, __LINE__)
+#define xstrndup(p, size) x_strndup((p), (size), __FILE__, __LINE__)
+#define xreallocarray(p, n, type) \
+    ((type *) x_reallocarray((p), (n), sizeof(type), __FILE__, __LINE__))
+
+/*
+ * __attribute__ is available in gcc 2.5 and later, but only with gcc 2.7
+ * could you use the __format__ form of the attributes, which is what we use
+ * (to avoid confusion with other macros).
+ */
+#ifndef __attribute__
+#    if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 7)
+#        define __attribute__(spec) /* empty */
+#    endif
+#endif
+
+/*
+ * We use __alloc_size__, but it was only available in fairly recent versions
+ * of GCC.  Suppress warnings about the unknown attribute if GCC is too old.
+ * We know that we're GCC at this point, so we can use the GCC variadic macro
+ * extension, which will still work with versions of GCC too old to have C99
+ * variadic macro support.
+ */
+#if !defined(__attribute__) && !defined(__alloc_size__)
+#    if defined(__GNUC__) && !defined(__clang__)
+#        if __GNUC__ < 4 || (__GNUC__ == 4 && __GNUC_MINOR__ < 3)
+#            define __alloc_size__(spec, args...) /* empty */
+#        endif
+#    endif
+#endif
+
+/*
+ * LLVM and Clang pretend to be GCC but don't support all of the __attribute__
+ * settings that GCC does.  For them, suppress warnings about unknown
+ * attributes on declarations.  This unfortunately will affect the entire
+ * compilation context, but there's no push and pop available.
+ */
+#if !defined(__attribute__) && (defined(__llvm__) || defined(__clang__))
+#    pragma GCC diagnostic ignored "-Wattributes"
+#endif
+
+/* Declare internal functions that benefit from compiler attributes. */
+static void die(const char *, ...)
+    __attribute__((__nonnull__, __noreturn__, __format__(printf, 1, 2)));
+static void sysdie(const char *, ...)
+    __attribute__((__nonnull__, __noreturn__, __format__(printf, 1, 2)));
+static void *x_calloc(size_t, size_t, const char *, int)
+    __attribute__((__alloc_size__(1, 2), __malloc__, __nonnull__));
+static void *x_malloc(size_t, const char *, int)
+    __attribute__((__alloc_size__(1), __malloc__, __nonnull__));
+static void *x_reallocarray(void *, size_t, size_t, const char *, int)
+    __attribute__((__alloc_size__(2, 3), __malloc__, __nonnull__(4)));
+static char *x_strdup(const char *, const char *, int)
+    __attribute__((__malloc__, __nonnull__));
+static char *x_strndup(const char *, size_t, const char *, int)
+    __attribute__((__malloc__, __nonnull__));
+
+
+/*
+ * Report a fatal error and exit.
+ */
+static void
+die(const char *format, ...)
+{
+    va_list args;
+
+    fflush(stdout);
+    fprintf(stderr, "runtests: ");
+    va_start(args, format);
+    vfprintf(stderr, format, args);
+    va_end(args);
+    fprintf(stderr, "\n");
+    exit(1);
+}
+
+
+/*
+ * Report a fatal error, including the results of strerror, and exit.
+ */
+static void
+sysdie(const char *format, ...)
+{
+    int oerrno;
+    va_list args;
+
+    oerrno = errno;
+    fflush(stdout);
+    fprintf(stderr, "runtests: ");
+    va_start(args, format);
+    vfprintf(stderr, format, args);
+    va_end(args);
+    fprintf(stderr, ": %s\n", strerror(oerrno));
+    exit(1);
+}
+
+
+/*
+ * Allocate zeroed memory, reporting a fatal error and exiting on failure.
+ */
+static void *
+x_calloc(size_t n, size_t size, const char *file, int line)
+{
+    void *p;
+
+    n = (n > 0) ? n : 1;
+    size = (size > 0) ? size : 1;
+    p = calloc(n, size);
+    if (p == NULL)
+        sysdie("failed to calloc %lu bytes at %s line %d",
+               (unsigned long) size, file, line);
+    return p;
+}
+
+
+/*
+ * Allocate memory, reporting a fatal error and exiting on failure.
+ */
+static void *
+x_malloc(size_t size, const char *file, int line)
+{
+    void *p;
+
+    p = malloc(size);
+    if (p == NULL)
+        sysdie("failed to malloc %lu bytes at %s line %d",
+               (unsigned long) size, file, line);
+    return p;
+}
+
+
+/*
+ * Reallocate memory, reporting a fatal error and exiting on failure.
+ *
+ * We should technically use SIZE_MAX here for the overflow check, but
+ * SIZE_MAX is C99 and we're only assuming C89 + SUSv3, which does not
+ * guarantee that it exists.  They do guarantee that UINT_MAX exists, and we
+ * can assume that UINT_MAX <= SIZE_MAX.  And we should not be allocating
+ * anything anywhere near that large.
+ *
+ * (In theory, C89 and C99 permit size_t to be smaller than unsigned int, but
+ * I disbelieve in the existence of such systems and they will have to cope
+ * without overflow checks.)
+ */
+static void *
+x_reallocarray(void *p, size_t n, size_t size, const char *file, int line)
+{
+    n = (n > 0) ? n : 1;
+    size = (size > 0) ? size : 1;
+
+    if (n > 0 && UINT_MAX / n <= size)
+        sysdie("realloc too large at %s line %d", file, line);
+    p = realloc(p, n * size);
+    if (p == NULL)
+        sysdie("failed to realloc %lu bytes at %s line %d",
+               (unsigned long) (n * size), file, line);
+    return p;
+}
+
+
+/*
+ * Copy a string, reporting a fatal error and exiting on failure.
+ */
+static char *
+x_strdup(const char *s, const char *file, int line)
+{
+    char *p;
+    size_t len;
+
+    len = strlen(s) + 1;
+    p = (char *) malloc(len);
+    if (p == NULL)
+        sysdie("failed to strdup %lu bytes at %s line %d", (unsigned long) len,
+               file, line);
+    memcpy(p, s, len);
+    return p;
+}
+
+
+/*
+ * Copy the first n characters of a string, reporting a fatal error and
+ * existing on failure.
+ *
+ * Avoid using the system strndup function since it may not exist (on Mac OS
+ * X, for example), and there's no need to introduce another portability
+ * requirement.
+ */
+char *
+x_strndup(const char *s, size_t size, const char *file, int line)
+{
+    const char *p;
+    size_t len;
+    char *copy;
+
+    /* Don't assume that the source string is nul-terminated. */
+    for (p = s; (size_t)(p - s) < size && *p != '\0'; p++)
+        ;
+    len = (size_t)(p - s);
+    copy = (char *) malloc(len + 1);
+    if (copy == NULL)
+        sysdie("failed to strndup %lu bytes at %s line %d",
+               (unsigned long) len, file, line);
+    memcpy(copy, s, len);
+    copy[len] = '\0';
+    return copy;
+}
+
+
+/*
+ * Form a new string by concatenating multiple strings.  The arguments must be
+ * terminated by (const char *) 0.
+ *
+ * This function only exists because we can't assume asprintf.  We can't
+ * simulate asprintf with snprintf because we're only assuming SUSv3, which
+ * does not require that snprintf with a NULL buffer return the required
+ * length.  When those constraints are relaxed, this should be ripped out and
+ * replaced with asprintf or a more trivial replacement with snprintf.
+ */
+static char *
+concat(const char *first, ...)
+{
+    va_list args;
+    char *result;
+    const char *string;
+    size_t offset;
+    size_t length = 0;
+
+    /*
+     * Find the total memory required.  Ensure we don't overflow length.  We
+     * aren't guaranteed to have SIZE_MAX, so use UINT_MAX as an acceptable
+     * substitute (see the x_nrealloc comments).
+     */
+    va_start(args, first);
+    for (string = first; string != NULL; string = va_arg(args, const char *)) {
+        if (length >= UINT_MAX - strlen(string)) {
+            errno = EINVAL;
+            sysdie("strings too long in concat");
+        }
+        length += strlen(string);
+    }
+    va_end(args);
+    length++;
+
+    /* Create the string. */
+    result = xmalloc(length);
+    va_start(args, first);
+    offset = 0;
+    for (string = first; string != NULL; string = va_arg(args, const char *)) {
+        memcpy(result + offset, string, strlen(string));
+        offset += strlen(string);
+    }
+    va_end(args);
+    result[offset] = '\0';
+    return result;
+}
+
+
+/*
+ * Given a struct timeval, return the number of seconds it represents as a
+ * double.  Use difftime() to convert a time_t to a double.
+ */
+static double
+tv_seconds(const struct timeval *tv)
+{
+    return difftime(tv->tv_sec, 0) + (double) tv->tv_usec * 1e-6;
+}
+
+
+/*
+ * Given two struct timevals, return the difference in seconds.
+ */
+static double
+tv_diff(const struct timeval *tv1, const struct timeval *tv0)
+{
+    return tv_seconds(tv1) - tv_seconds(tv0);
+}
+
+
+/*
+ * Given two struct timevals, return the sum in seconds as a double.
+ */
+static double
+tv_sum(const struct timeval *tv1, const struct timeval *tv2)
+{
+    return tv_seconds(tv1) + tv_seconds(tv2);
+}
+
+
+/*
+ * Given a pointer to a string, skip any leading whitespace and return a
+ * pointer to the first non-whitespace character.
+ */
+static const char *
+skip_whitespace(const char *p)
+{
+    while (isspace((unsigned char) (*p)))
+        p++;
+    return p;
+}
+
+
+/*
+ * Given a pointer to a string, skip any non-whitespace characters and return
+ * a pointer to the first whitespace character, or to the end of the string.
+ */
+static const char *
+skip_non_whitespace(const char *p)
+{
+    while (*p != '\0' && !isspace((unsigned char) (*p)))
+        p++;
+    return p;
+}
+
+
+/*
+ * Start a program, connecting its stdout to a pipe on our end and its stderr
+ * to /dev/null, and storing the file descriptor to read from in the two
+ * argument.  Returns the PID of the new process.  Errors are fatal.
+ */
+static pid_t
+test_start(char *const *command, int *fd)
+{
+    int fds[2], infd, errfd;
+    pid_t child;
+
+    /* Create a pipe used to capture the output from the test program. */
+    if (pipe(fds) == -1) {
+        puts("ABORTED");
+        fflush(stdout);
+        sysdie("can't create pipe");
+    }
+
+    /* Fork a child process, massage the file descriptors, and exec. */
+    child = fork();
+    switch (child) {
+    case -1:
+        puts("ABORTED");
+        fflush(stdout);
+        sysdie("can't fork");
+
+    /* In the child.  Set up our standard output. */
+    case 0:
+        close(fds[0]);
+        close(STDOUT_FILENO);
+        if (dup2(fds[1], STDOUT_FILENO) < 0)
+            _exit(CHILDERR_DUP);
+        close(fds[1]);
+
+        /* Point standard input at /dev/null. */
+        close(STDIN_FILENO);
+        infd = open("/dev/null", O_RDONLY);
+        if (infd < 0)
+            _exit(CHILDERR_STDIN);
+        if (infd != STDIN_FILENO) {
+            if (dup2(infd, STDIN_FILENO) < 0)
+                _exit(CHILDERR_DUP);
+            close(infd);
+        }
+
+        /* Point standard error at /dev/null. */
+        close(STDERR_FILENO);
+        errfd = open("/dev/null", O_WRONLY);
+        if (errfd < 0)
+            _exit(CHILDERR_STDERR);
+        if (errfd != STDERR_FILENO) {
+            if (dup2(errfd, STDERR_FILENO) < 0)
+                _exit(CHILDERR_DUP);
+            close(errfd);
+        }
+
+        /* Now, exec our process. */
+        if (execv(command[0], command) == -1)
+            _exit(CHILDERR_EXEC);
+        break;
+
+    /* In parent.  Close the extra file descriptor. */
+    default:
+        close(fds[1]);
+        break;
+    }
+    *fd = fds[0];
+    return child;
+}
+
+
+/*
+ * Back up over the output saying what test we were executing.
+ */
+static void
+test_backspace(struct testset *ts)
+{
+    unsigned int i;
+
+    if (!isatty(STDOUT_FILENO))
+        return;
+    for (i = 0; i < ts->length; i++)
+        putchar('\b');
+    for (i = 0; i < ts->length; i++)
+        putchar(' ');
+    for (i = 0; i < ts->length; i++)
+        putchar('\b');
+    ts->length = 0;
+}
+
+
+/*
+ * Allocate or resize the array of test results to be large enough to contain
+ * the test number in.
+ */
+static void
+resize_results(struct testset *ts, unsigned long n)
+{
+    unsigned long i;
+    size_t s;
+
+    /* If there's already enough space, return quickly. */
+    if (n <= ts->allocated)
+        return;
+
+    /*
+     * If no space has been allocated, do the initial allocation.  Otherwise,
+     * resize.  Start with 32 test cases and then add 1024 with each resize to
+     * try to reduce the number of reallocations.
+     */
+    if (ts->allocated == 0) {
+        s = (n > 32) ? n : 32;
+        ts->results = xcalloc(s, enum test_status);
+    } else {
+        s = (n > ts->allocated + 1024) ? n : ts->allocated + 1024;
+        ts->results = xreallocarray(ts->results, s, enum test_status);
+    }
+
+    /* Set the results for the newly-allocated test array. */
+    for (i = ts->allocated; i < s; i++)
+        ts->results[i] = TEST_INVALID;
+    ts->allocated = s;
+}
+
+
+/*
+ * Report an invalid test number and set the appropriate flags.  Pulled into a
+ * separate function since we do this in several places.
+ */
+static void
+invalid_test_number(struct testset *ts, long n, enum test_verbose verbose)
+{
+    if (!verbose)
+        test_backspace(ts);
+    printf("ABORTED (invalid test number %ld)\n", n);
+    ts->aborted = 1;
+    ts->reported = 1;
+}
+
+
+/*
+ * Read the plan line of test output, which should contain the range of test
+ * numbers.  We may initialize the testset structure here if we haven't yet
+ * seen a test.  Return true if initialization succeeded and the test should
+ * continue, false otherwise.
+ */
+static int
+test_plan(const char *line, struct testset *ts, enum test_verbose verbose)
+{
+    long n;
+
+    /*
+     * Accept a plan without the leading 1.. for compatibility with older
+     * versions of runtests.  This will only be allowed if we've not yet seen
+     * a test result.
+     */
+    line = skip_whitespace(line);
+    if (strncmp(line, "1..", 3) == 0)
+        line += 3;
+
+    /*
+     * Get the count and check it for validity.
+     *
+     * If we have something of the form "1..0 # skip foo", the whole file was
+     * skipped; record that.  If we do skip the whole file, zero out all of
+     * our statistics, since they're no longer relevant.
+     *
+     * strtol is called with a second argument to advance the line pointer
+     * past the count to make it simpler to detect the # skip case.
+     */
+    n = strtol(line, (char **) &line, 10);
+    if (n == 0) {
+        line = skip_whitespace(line);
+        if (*line == '#') {
+            line = skip_whitespace(line + 1);
+            if (strncasecmp(line, "skip", 4) == 0) {
+                line = skip_whitespace(line + 4);
+                if (*line != '\0') {
+                    ts->reason = xstrdup(line);
+                    ts->reason[strlen(ts->reason) - 1] = '\0';
+                }
+                ts->all_skipped = 1;
+                ts->aborted = 1;
+                ts->count = 0;
+                ts->passed = 0;
+                ts->skipped = 0;
+                ts->failed = 0;
+                return 0;
+            }
+        }
+    }
+    if (n <= 0) {
+        puts("ABORTED (invalid test count)");
+        ts->aborted = 1;
+        ts->reported = 1;
+        return 0;
+    }
+
+    /*
+     * If we are doing lazy planning, check the plan against the largest test
+     * number that we saw and fail now if we saw a check outside the plan
+     * range.
+     */
+    if (ts->plan == PLAN_PENDING && (unsigned long) n < ts->count) {
+        invalid_test_number(ts, (long) ts->count, verbose);
+        return 0;
+    }
+
+    /*
+     * Otherwise, allocated or resize the results if needed and update count,
+     * and then record that we've seen a plan.
+     */
+    resize_results(ts, (unsigned long) n);
+    ts->count = (unsigned long) n;
+    if (ts->plan == PLAN_INIT)
+        ts->plan = PLAN_FIRST;
+    else if (ts->plan == PLAN_PENDING)
+        ts->plan = PLAN_FINAL;
+    return 1;
+}
+
+
+/*
+ * Given a single line of output from a test, parse it and return the success
+ * status of that test.  Anything printed to stdout not matching the form
+ * /^(not )?ok \d+/ is ignored.  Sets ts->current to the test number that just
+ * reported status.
+ */
+static void
+test_checkline(const char *line, struct testset *ts, enum test_verbose verbose)
+{
+    enum test_status status = TEST_PASS;
+    const char *bail;
+    char *end;
+    long number;
+    unsigned long current;
+    int outlen;
+
+    /* Before anything, check for a test abort. */
+    bail = strstr(line, "Bail out!");
+    if (bail != NULL) {
+        bail = skip_whitespace(bail + strlen("Bail out!"));
+        if (*bail != '\0') {
+            size_t length;
+
+            length = strlen(bail);
+            if (bail[length - 1] == '\n')
+                length--;
+            if (!verbose)
+                test_backspace(ts);
+            printf("ABORTED (%.*s)\n", (int) length, bail);
+            ts->reported = 1;
+        }
+        ts->aborted = 1;
+        return;
+    }
+
+    /*
+     * If the given line isn't newline-terminated, it was too big for an
+     * fgets(), which means ignore it.
+     */
+    if (line[strlen(line) - 1] != '\n')
+        return;
+
+    /* If the line begins with a hash mark, ignore it. */
+    if (line[0] == '#')
+        return;
+
+    /* If we haven't yet seen a plan, look for one. */
+    if (ts->plan == PLAN_INIT && isdigit((unsigned char) (*line))) {
+        if (!test_plan(line, ts, verbose))
+            return;
+    } else if (strncmp(line, "1..", 3) == 0) {
+        if (ts->plan == PLAN_PENDING) {
+            if (!test_plan(line, ts, verbose))
+                return;
+        } else {
+            if (!verbose)
+                test_backspace(ts);
+            puts("ABORTED (multiple plans)");
+            ts->aborted = 1;
+            ts->reported = 1;
+            return;
+        }
+    }
+
+    /* Parse the line, ignoring something we can't parse. */
+    if (strncmp(line, "not ", 4) == 0) {
+        status = TEST_FAIL;
+        line += 4;
+    }
+    if (strncmp(line, "ok", 2) != 0)
+        return;
+    line = skip_whitespace(line + 2);
+    errno = 0;
+    number = strtol(line, &end, 10);
+    if (errno != 0 || end == line)
+        current = ts->current + 1;
+    else if (number <= 0) {
+        invalid_test_number(ts, number, verbose);
+        return;
+    } else
+        current = (unsigned long) number;
+    if (current > ts->count && ts->plan == PLAN_FIRST) {
+        invalid_test_number(ts, (long) current, verbose);
+        return;
+    }
+
+    /* We have a valid test result.  Tweak the results array if needed. */
+    if (ts->plan == PLAN_INIT || ts->plan == PLAN_PENDING) {
+        ts->plan = PLAN_PENDING;
+        resize_results(ts, current);
+        if (current > ts->count)
+            ts->count = current;
+    }
+
+    /*
+     * Handle directives.  We should probably do something more interesting
+     * with unexpected passes of todo tests.
+     */
+    while (isdigit((unsigned char) (*line)))
+        line++;
+    line = skip_whitespace(line);
+    if (*line == '#') {
+        line = skip_whitespace(line + 1);
+        if (strncasecmp(line, "skip", 4) == 0)
+            status = TEST_SKIP;
+        if (strncasecmp(line, "todo", 4) == 0)
+            status = (status == TEST_FAIL) ? TEST_SKIP : TEST_FAIL;
+    }
+
+    /* Make sure that the test number is in range and not a duplicate. */
+    if (ts->results[current - 1] != TEST_INVALID) {
+        if (!verbose)
+            test_backspace(ts);
+        printf("ABORTED (duplicate test number %lu)\n", current);
+        ts->aborted = 1;
+        ts->reported = 1;
+        return;
+    }
+
+    /* Good results.  Increment our various counters. */
+    switch (status) {
+    case TEST_PASS:
+        ts->passed++;
+        break;
+    case TEST_FAIL:
+        ts->failed++;
+        break;
+    case TEST_SKIP:
+        ts->skipped++;
+        break;
+    case TEST_INVALID:
+        break;
+    }
+    ts->current = current;
+    ts->results[current - 1] = status;
+    if (!verbose && isatty(STDOUT_FILENO)) {
+        test_backspace(ts);
+        if (ts->plan == PLAN_PENDING)
+            outlen = printf("%lu/?", current);
+        else
+            outlen = printf("%lu/%lu", current, ts->count);
+        ts->length = (outlen >= 0) ? (unsigned int) outlen : 0;
+        fflush(stdout);
+    }
+}
+
+
+/*
+ * Print out a range of test numbers, returning the number of characters it
+ * took up.  Takes the first number, the last number, the number of characters
+ * already printed on the line, and the limit of number of characters the line
+ * can hold.  Add a comma and a space before the range if chars indicates that
+ * something has already been printed on the line, and print ... instead if
+ * chars plus the space needed would go over the limit (use a limit of 0 to
+ * disable this).
+ */
+static unsigned int
+test_print_range(unsigned long first, unsigned long last, unsigned long chars,
+                 unsigned int limit)
+{
+    unsigned int needed = 0;
+    unsigned long n;
+
+    for (n = first; n > 0; n /= 10)
+        needed++;
+    if (last > first) {
+        for (n = last; n > 0; n /= 10)
+            needed++;
+        needed++;
+    }
+    if (chars > 0)
+        needed += 2;
+    if (limit > 0 && chars + needed > limit) {
+        needed = 0;
+        if (chars <= limit) {
+            if (chars > 0) {
+                printf(", ");
+                needed += 2;
+            }
+            printf("...");
+            needed += 3;
+        }
+    } else {
+        if (chars > 0)
+            printf(", ");
+        if (last > first)
+            printf("%lu-", first);
+        printf("%lu", last);
+    }
+    return needed;
+}
+
+
+/*
+ * Summarize a single test set.  The second argument is 0 if the set exited
+ * cleanly, a positive integer representing the exit status if it exited
+ * with a non-zero status, and a negative integer representing the signal
+ * that terminated it if it was killed by a signal.
+ */
+static void
+test_summarize(struct testset *ts, int status)
+{
+    unsigned long i;
+    unsigned long missing = 0;
+    unsigned long failed = 0;
+    unsigned long first = 0;
+    unsigned long last = 0;
+
+    if (ts->aborted) {
+        fputs("ABORTED", stdout);
+        if (ts->count > 0)
+            printf(" (passed %lu/%lu)", ts->passed, ts->count - ts->skipped);
+    } else {
+        for (i = 0; i < ts->count; i++) {
+            if (ts->results[i] == TEST_INVALID) {
+                if (missing == 0)
+                    fputs("MISSED ", stdout);
+                if (first && i == last)
+                    last = i + 1;
+                else {
+                    if (first)
+                        test_print_range(first, last, missing - 1, 0);
+                    missing++;
+                    first = i + 1;
+                    last = i + 1;
+                }
+            }
+        }
+        if (first)
+            test_print_range(first, last, missing - 1, 0);
+        first = 0;
+        last = 0;
+        for (i = 0; i < ts->count; i++) {
+            if (ts->results[i] == TEST_FAIL) {
+                if (missing && !failed)
+                    fputs("; ", stdout);
+                if (failed == 0)
+                    fputs("FAILED ", stdout);
+                if (first && i == last)
+                    last = i + 1;
+                else {
+                    if (first)
+                        test_print_range(first, last, failed - 1, 0);
+                    failed++;
+                    first = i + 1;
+                    last = i + 1;
+                }
+            }
+        }
+        if (first)
+            test_print_range(first, last, failed - 1, 0);
+        if (!missing && !failed) {
+            fputs(!status ? "ok" : "dubious", stdout);
+            if (ts->skipped > 0) {
+                if (ts->skipped == 1)
+                    printf(" (skipped %lu test)", ts->skipped);
+                else
+                    printf(" (skipped %lu tests)", ts->skipped);
+            }
+        }
+    }
+    if (status > 0)
+        printf(" (exit status %d)", status);
+    else if (status < 0)
+        printf(" (killed by signal %d%s)", -status,
+               WCOREDUMP(ts->status) ? ", core dumped" : "");
+    putchar('\n');
+}
+
+
+/*
+ * Given a test set, analyze the results, classify the exit status, handle a
+ * few special error messages, and then pass it along to test_summarize() for
+ * the regular output.  Returns true if the test set ran successfully and all
+ * tests passed or were skipped, false otherwise.
+ */
+static int
+test_analyze(struct testset *ts)
+{
+    if (ts->reported)
+        return 0;
+    if (ts->all_skipped) {
+        if (ts->reason == NULL)
+            puts("skipped");
+        else
+            printf("skipped (%s)\n", ts->reason);
+        return 1;
+    } else if (WIFEXITED(ts->status) && WEXITSTATUS(ts->status) != 0) {
+        switch (WEXITSTATUS(ts->status)) {
+        case CHILDERR_DUP:
+            if (!ts->reported)
+                puts("ABORTED (can't dup file descriptors)");
+            break;
+        case CHILDERR_EXEC:
+            if (!ts->reported)
+                puts("ABORTED (execution failed -- not found?)");
+            break;
+        case CHILDERR_STDIN:
+        case CHILDERR_STDERR:
+            if (!ts->reported)
+                puts("ABORTED (can't open /dev/null)");
+            break;
+        default:
+            test_summarize(ts, WEXITSTATUS(ts->status));
+            break;
+        }
+        return 0;
+    } else if (WIFSIGNALED(ts->status)) {
+        test_summarize(ts, -WTERMSIG(ts->status));
+        return 0;
+    } else if (ts->plan != PLAN_FIRST && ts->plan != PLAN_FINAL) {
+        puts("ABORTED (no valid test plan)");
+        ts->aborted = 1;
+        return 0;
+    } else {
+        test_summarize(ts, 0);
+        return (ts->failed == 0);
+    }
+}
+
+
+/*
+ * Runs a single test set, accumulating and then reporting the results.
+ * Returns true if the test set was successfully run and all tests passed,
+ * false otherwise.
+ */
+static int
+test_run(struct testset *ts, enum test_verbose verbose)
+{
+    pid_t testpid, child;
+    int outfd, status;
+    unsigned long i;
+    FILE *output;
+    char buffer[BUFSIZ];
+
+    /* Run the test program. */
+    testpid = test_start(ts->command, &outfd);
+    output = fdopen(outfd, "r");
+    if (!output) {
+        puts("ABORTED");
+        fflush(stdout);
+        sysdie("fdopen failed");
+    }
+
+    /*
+     * Pass each line of output to test_checkline(), and print the line if
+     * verbosity is requested.
+     */
+    while (!ts->aborted && fgets(buffer, sizeof(buffer), output)) {
+        if (verbose)
+            printf("%s", buffer);
+        test_checkline(buffer, ts, verbose);
+    }
+    if (ferror(output) || ts->plan == PLAN_INIT)
+        ts->aborted = 1;
+    if (!verbose)
+        test_backspace(ts);
+
+    /*
+     * Consume the rest of the test output, close the output descriptor,
+     * retrieve the exit status, and pass that information to test_analyze()
+     * for eventual output.
+     */
+    while (fgets(buffer, sizeof(buffer), output))
+        if (verbose)
+            printf("%s", buffer);
+    fclose(output);
+    child = waitpid(testpid, &ts->status, 0);
+    if (child == (pid_t) -1) {
+        if (!ts->reported) {
+            puts("ABORTED");
+            fflush(stdout);
+        }
+        sysdie("waitpid for %u failed", (unsigned int) testpid);
+    }
+    if (ts->all_skipped)
+        ts->aborted = 0;
+    status = test_analyze(ts);
+
+    /* Convert missing tests to failed tests. */
+    for (i = 0; i < ts->count; i++) {
+        if (ts->results[i] == TEST_INVALID) {
+            ts->failed++;
+            ts->results[i] = TEST_FAIL;
+            status = 0;
+        }
+    }
+    return status;
+}
+
+
+/* Summarize a list of test failures. */
+static void
+test_fail_summary(const struct testlist *fails)
+{
+    struct testset *ts;
+    unsigned int chars;
+    unsigned long i, first, last, total;
+    double failed;
+
+    puts(header);
+
+    /* Failed Set                 Fail/Total (%) Skip Stat  Failing (25)
+       -------------------------- -------------- ---- ----  -------------- */
+    for (; fails; fails = fails->next) {
+        ts = fails->ts;
+        total = ts->count - ts->skipped;
+        failed = (double) ts->failed;
+        printf("%-26.26s %4lu/%-4lu %3.0f%% %4lu ", ts->file, ts->failed,
+               total, total ? (failed * 100.0) / (double) total : 0,
+               ts->skipped);
+        if (WIFEXITED(ts->status))
+            printf("%4d  ", WEXITSTATUS(ts->status));
+        else
+            printf("  --  ");
+        if (ts->aborted) {
+            puts("aborted");
+            continue;
+        }
+        chars = 0;
+        first = 0;
+        last = 0;
+        for (i = 0; i < ts->count; i++) {
+            if (ts->results[i] == TEST_FAIL) {
+                if (first != 0 && i == last)
+                    last = i + 1;
+                else {
+                    if (first != 0)
+                        chars += test_print_range(first, last, chars, 19);
+                    first = i + 1;
+                    last = i + 1;
+                }
+            }
+        }
+        if (first != 0)
+            test_print_range(first, last, chars, 19);
+        putchar('\n');
+    }
+}
+
+
+/*
+ * Check whether a given file path is a valid test.  Currently, this checks
+ * whether it is executable and is a regular file.  Returns true or false.
+ */
+static int
+is_valid_test(const char *path)
+{
+    struct stat st;
+
+    if (access(path, X_OK) < 0)
+        return 0;
+    if (stat(path, &st) < 0)
+        return 0;
+    if (!S_ISREG(st.st_mode))
+        return 0;
+    return 1;
+}
+
+
+/*
+ * Given the name of a test, a pointer to the testset struct, and the source
+ * and build directories, find the test.  We try first relative to the current
+ * directory, then in the build directory (if not NULL), then in the source
+ * directory.  In each of those directories, we first try a "-t" extension and
+ * then a ".t" extension.  When we find an executable program, we return the
+ * path to that program.  If none of those paths are executable, just fill in
+ * the name of the test as is.
+ *
+ * The caller is responsible for freeing the path member of the testset
+ * struct.
+ */
+static char *
+find_test(const char *name, const char *source, const char *build)
+{
+    char *path = NULL;
+    const char *bases[3], *suffix, *base;
+    unsigned int i, j;
+    const char *suffixes[3] = {"-t", ".t", ""};
+
+    /* Possible base directories. */
+    bases[0] = ".";
+    bases[1] = build;
+    bases[2] = source;
+
+    /* Try each suffix with each base. */
+    for (i = 0; i < ARRAY_SIZE(suffixes); i++) {
+        suffix = suffixes[i];
+        for (j = 0; j < ARRAY_SIZE(bases); j++) {
+            base = bases[j];
+            if (base == NULL)
+                continue;
+            path = concat(base, "/", name, suffix, (const char *) 0);
+            if (is_valid_test(path))
+                return path;
+            free(path);
+            path = NULL;
+        }
+    }
+    if (path == NULL)
+        path = xstrdup(name);
+    return path;
+}
+
+
+/*
+ * Parse a single line of a test list and store the test name and command to
+ * execute it in the given testset struct.
+ *
+ * Normally, each line is just the name of the test, which is located in the
+ * test directory and turned into a command to run.  However, each line may
+ * have whitespace-separated options, which change the command that's run.
+ * Current supported options are:
+ *
+ * valgrind
+ *     Run the test under valgrind if C_TAP_VALGRIND is set.  The contents
+ *     of that environment variable are taken as the valgrind command (with
+ *     options) to run.  The command is parsed with a simple split on
+ *     whitespace and no quoting is supported.
+ *
+ * libtool
+ *     If running under valgrind, use libtool to invoke valgrind.  This avoids
+ *     running valgrind on the wrapper shell script generated by libtool.  If
+ *     set, C_TAP_LIBTOOL must be set to the full path to the libtool program
+ *     to use to run valgrind and thus the test.  Ignored if the test isn't
+ *     being run under valgrind.
+ */
+static void
+parse_test_list_line(const char *line, struct testset *ts, const char *source,
+                     const char *build)
+{
+    const char *p, *end, *option, *libtool;
+    const char *valgrind = NULL;
+    unsigned int use_libtool = 0;
+    unsigned int use_valgrind = 0;
+    size_t len, i;
+
+    /* Determine the name of the test. */
+    p = skip_non_whitespace(line);
+    ts->file = xstrndup(line, p - line);
+
+    /* Check if any test options are set. */
+    p = skip_whitespace(p);
+    while (*p != '\0') {
+        end = skip_non_whitespace(p);
+        if (strncmp(p, "libtool", end - p) == 0) {
+            use_libtool = 1;
+        } else if (strncmp(p, "valgrind", end - p) == 0) {
+            valgrind = getenv("C_TAP_VALGRIND");
+            use_valgrind = (valgrind != NULL);
+        } else {
+            option = xstrndup(p, end - p);
+            die("unknown test list option %s", option);
+        }
+        p = skip_whitespace(end);
+    }
+
+    /* Construct the argv to run the test.  First, find the length. */
+    len = 1;
+    if (use_valgrind && valgrind != NULL) {
+        p = skip_whitespace(valgrind);
+        while (*p != '\0') {
+            len++;
+            p = skip_whitespace(skip_non_whitespace(p));
+        }
+        if (use_libtool)
+            len += 2;
+    }
+
+    /* Now, build the command. */
+    ts->command = xcalloc(len + 1, char *);
+    i = 0;
+    if (use_valgrind && valgrind != NULL) {
+        if (use_libtool) {
+            libtool = getenv("C_TAP_LIBTOOL");
+            if (libtool == NULL)
+                die("valgrind with libtool requested, but C_TAP_LIBTOOL is not"
+                    " set");
+            ts->command[i++] = xstrdup(libtool);
+            ts->command[i++] = xstrdup("--mode=execute");
+        }
+        p = skip_whitespace(valgrind);
+        while (*p != '\0') {
+            end = skip_non_whitespace(p);
+            ts->command[i++] = xstrndup(p, end - p);
+            p = skip_whitespace(end);
+        }
+    }
+    if (i != len - 1)
+        die("internal error while constructing command line");
+    ts->command[i++] = find_test(ts->file, source, build);
+    ts->command[i] = NULL;
+}
+
+
+/*
+ * Read a list of tests from a file, returning the list of tests as a struct
+ * testlist, or NULL if there were no tests (such as a file containing only
+ * comments).  Reports an error to standard error and exits if the list of
+ * tests cannot be read.
+ */
+static struct testlist *
+read_test_list(const char *filename, const char *source, const char *build)
+{
+    FILE *file;
+    unsigned int line;
+    size_t length;
+    char buffer[BUFSIZ];
+    const char *start;
+    struct testlist *listhead, *current;
+
+    /* Create the initial container list that will hold our results. */
+    listhead = xcalloc(1, struct testlist);
+    current = NULL;
+
+    /*
+     * Open our file of tests to run and read it line by line, creating a new
+     * struct testlist and struct testset for each line.
+     */
+    file = fopen(filename, "r");
+    if (file == NULL)
+        sysdie("can't open %s", filename);
+    line = 0;
+    while (fgets(buffer, sizeof(buffer), file)) {
+        line++;
+        length = strlen(buffer) - 1;
+        if (buffer[length] != '\n') {
+            fprintf(stderr, "%s:%u: line too long\n", filename, line);
+            exit(1);
+        }
+        buffer[length] = '\0';
+
+        /* Skip comments, leading spaces, and blank lines. */
+        start = skip_whitespace(buffer);
+        if (strlen(start) == 0)
+            continue;
+        if (start[0] == '#')
+            continue;
+
+        /* Allocate the new testset structure. */
+        if (current == NULL)
+            current = listhead;
+        else {
+            current->next = xcalloc(1, struct testlist);
+            current = current->next;
+        }
+        current->ts = xcalloc(1, struct testset);
+        current->ts->plan = PLAN_INIT;
+
+        /* Parse the line and store the results in the testset struct. */
+        parse_test_list_line(start, current->ts, source, build);
+    }
+    fclose(file);
+
+    /* If there were no tests, current is still NULL. */
+    if (current == NULL) {
+        free(listhead);
+        return NULL;
+    }
+
+    /* Return the results. */
+    return listhead;
+}
+
+
+/*
+ * Build a list of tests from command line arguments.  Takes the argv and argc
+ * representing the command line arguments and returns a newly allocated test
+ * list, or NULL if there were no tests.  The caller is responsible for
+ * freeing.
+ */
+static struct testlist *
+build_test_list(char *argv[], int argc, const char *source, const char *build)
+{
+    int i;
+    struct testlist *listhead, *current;
+
+    /* Create the initial container list that will hold our results. */
+    listhead = xcalloc(1, struct testlist);
+    current = NULL;
+
+    /* Walk the list of arguments and create test sets for them. */
+    for (i = 0; i < argc; i++) {
+        if (current == NULL)
+            current = listhead;
+        else {
+            current->next = xcalloc(1, struct testlist);
+            current = current->next;
+        }
+        current->ts = xcalloc(1, struct testset);
+        current->ts->plan = PLAN_INIT;
+        current->ts->file = xstrdup(argv[i]);
+        current->ts->command = xcalloc(2, char *);
+        current->ts->command[0] = find_test(current->ts->file, source, build);
+        current->ts->command[1] = NULL;
+    }
+
+    /* If there were no tests, current is still NULL. */
+    if (current == NULL) {
+        free(listhead);
+        return NULL;
+    }
+
+    /* Return the results. */
+    return listhead;
+}
+
+
+/* Free a struct testset. */
+static void
+free_testset(struct testset *ts)
+{
+    size_t i;
+
+    free(ts->file);
+    for (i = 0; ts->command[i] != NULL; i++)
+        free(ts->command[i]);
+    free(ts->command);
+    free(ts->results);
+    free(ts->reason);
+    free(ts);
+}
+
+
+/*
+ * Run a batch of tests.  Takes two additional parameters: the root of the
+ * source directory and the root of the build directory.  Test programs will
+ * be first searched for in the current directory, then the build directory,
+ * then the source directory.  Returns true iff all tests passed, and always
+ * frees the test list that's passed in.
+ */
+static int
+test_batch(struct testlist *tests, enum test_verbose verbose)
+{
+    size_t length, i;
+    size_t longest = 0;
+    unsigned int count = 0;
+    struct testset *ts;
+    struct timeval start, end;
+    struct rusage stats;
+    struct testlist *failhead = NULL;
+    struct testlist *failtail = NULL;
+    struct testlist *current, *next;
+    int succeeded;
+    unsigned long total = 0;
+    unsigned long passed = 0;
+    unsigned long skipped = 0;
+    unsigned long failed = 0;
+    unsigned long aborted = 0;
+
+    /* Walk the list of tests to find the longest name. */
+    for (current = tests; current != NULL; current = current->next) {
+        length = strlen(current->ts->file);
+        if (length > longest)
+            longest = length;
+    }
+
+    /*
+     * Add two to longest and round up to the nearest tab stop.  This is how
+     * wide the column for printing the current test name will be.
+     */
+    longest += 2;
+    if (longest % 8)
+        longest += 8 - (longest % 8);
+
+    /* Start the wall clock timer. */
+    gettimeofday(&start, NULL);
+
+    /* Now, plow through our tests again, running each one. */
+    for (current = tests; current != NULL; current = current->next) {
+        ts = current->ts;
+
+        /* Print out the name of the test file. */
+        fputs(ts->file, stdout);
+        if (verbose)
+            fputs("\n\n", stdout);
+        else
+            for (i = strlen(ts->file); i < longest; i++)
+                putchar('.');
+        if (isatty(STDOUT_FILENO))
+            fflush(stdout);
+
+        /* Run the test. */
+        succeeded = test_run(ts, verbose);
+        fflush(stdout);
+        if (verbose)
+            putchar('\n');
+
+        /* Record cumulative statistics. */
+        aborted += ts->aborted;
+        total += ts->count + ts->all_skipped;
+        passed += ts->passed;
+        skipped += ts->skipped + ts->all_skipped;
+        failed += ts->failed;
+        count++;
+
+        /* If the test fails, we shuffle it over to the fail list. */
+        if (!succeeded) {
+            if (failhead == NULL) {
+                failhead = xcalloc(1, struct testlist);
+                failtail = failhead;
+            } else {
+                failtail->next = xcalloc(1, struct testlist);
+                failtail = failtail->next;
+            }
+            failtail->ts = ts;
+            failtail->next = NULL;
+        }
+    }
+    total -= skipped;
+
+    /* Stop the timer and get our child resource statistics. */
+    gettimeofday(&end, NULL);
+    getrusage(RUSAGE_CHILDREN, &stats);
+
+    /* Summarize the failures and free the failure list. */
+    if (failhead != NULL) {
+        test_fail_summary(failhead);
+        while (failhead != NULL) {
+            next = failhead->next;
+            free(failhead);
+            failhead = next;
+        }
+    }
+
+    /* Free the memory used by the test lists. */
+    while (tests != NULL) {
+        next = tests->next;
+        free_testset(tests->ts);
+        free(tests);
+        tests = next;
+    }
+
+    /* Print out the final test summary. */
+    putchar('\n');
+    if (aborted != 0) {
+        if (aborted == 1)
+            printf("Aborted %lu test set", aborted);
+        else
+            printf("Aborted %lu test sets", aborted);
+        printf(", passed %lu/%lu tests", passed, total);
+    } else if (failed == 0)
+        fputs("All tests successful", stdout);
+    else
+        printf("Failed %lu/%lu tests, %.2f%% okay", failed, total,
+               (double) (total - failed) * 100.0 / (double) total);
+    if (skipped != 0) {
+        if (skipped == 1)
+            printf(", %lu test skipped", skipped);
+        else
+            printf(", %lu tests skipped", skipped);
+    }
+    puts(".");
+    printf("Files=%u,  Tests=%lu", count, total);
+    printf(",  %.2f seconds", tv_diff(&end, &start));
+    printf(" (%.2f usr + %.2f sys = %.2f CPU)\n", tv_seconds(&stats.ru_utime),
+           tv_seconds(&stats.ru_stime),
+           tv_sum(&stats.ru_utime, &stats.ru_stime));
+    return (failed == 0 && aborted == 0);
+}
+
+
+/*
+ * Run a single test case.  This involves just running the test program after
+ * having done the environment setup and finding the test program.
+ */
+static void
+test_single(const char *program, const char *source, const char *build)
+{
+    char *path;
+
+    path = find_test(program, source, build);
+    if (execl(path, path, (char *) 0) == -1)
+        sysdie("cannot exec %s", path);
+}
+
+
+/*
+ * Main routine.  Set the C_TAP_SOURCE, C_TAP_BUILD, SOURCE, and BUILD
+ * environment variables and then, given a file listing tests, run each test
+ * listed.
+ */
+int
+main(int argc, char *argv[])
+{
+    int option;
+    int status = 0;
+    int single = 0;
+    enum test_verbose verbose = CONCISE;
+    char *c_tap_source_env = NULL;
+    char *c_tap_build_env = NULL;
+    char *source_env = NULL;
+    char *build_env = NULL;
+    const char *program;
+    const char *shortlist;
+    const char *list = NULL;
+    const char *source = C_TAP_SOURCE;
+    const char *build = C_TAP_BUILD;
+    struct testlist *tests;
+
+    program = argv[0];
+    while ((option = getopt(argc, argv, "b:hl:os:v")) != EOF) {
+        switch (option) {
+        case 'b':
+            build = optarg;
+            break;
+        case 'h':
+            printf(usage_message, program, program, program, usage_extra);
+            exit(0);
+        case 'l':
+            list = optarg;
+            break;
+        case 'o':
+            single = 1;
+            break;
+        case 's':
+            source = optarg;
+            break;
+        case 'v':
+            verbose = VERBOSE;
+            break;
+        default:
+            exit(1);
+        }
+    }
+    argv += optind;
+    argc -= optind;
+    if ((list == NULL && argc < 1) || (list != NULL && argc > 0)) {
+        fprintf(stderr, usage_message, program, program, program, usage_extra);
+        exit(1);
+    }
+
+    /*
+     * If C_TAP_VERBOSE is set in the environment, that also turns on verbose
+     * mode.
+     */
+    if (getenv("C_TAP_VERBOSE") != NULL)
+        verbose = VERBOSE;
+
+    /*
+     * Set C_TAP_SOURCE and C_TAP_BUILD environment variables.  Also set
+     * SOURCE and BUILD for backward compatibility, although we're trying to
+     * migrate to the ones with a C_TAP_* prefix.
+     */
+    if (source != NULL) {
+        c_tap_source_env = concat("C_TAP_SOURCE=", source, (const char *) 0);
+        if (putenv(c_tap_source_env) != 0)
+            sysdie("cannot set C_TAP_SOURCE in the environment");
+        source_env = concat("SOURCE=", source, (const char *) 0);
+        if (putenv(source_env) != 0)
+            sysdie("cannot set SOURCE in the environment");
+    }
+    if (build != NULL) {
+        c_tap_build_env = concat("C_TAP_BUILD=", build, (const char *) 0);
+        if (putenv(c_tap_build_env) != 0)
+            sysdie("cannot set C_TAP_BUILD in the environment");
+        build_env = concat("BUILD=", build, (const char *) 0);
+        if (putenv(build_env) != 0)
+            sysdie("cannot set BUILD in the environment");
+    }
+
+    /* Run the tests as instructed. */
+    if (single)
+        test_single(argv[0], source, build);
+    else if (list != NULL) {
+        shortlist = strrchr(list, '/');
+        if (shortlist == NULL)
+            shortlist = list;
+        else
+            shortlist++;
+        printf(banner, shortlist);
+        tests = read_test_list(list, source, build);
+        status = test_batch(tests, verbose) ? 0 : 1;
+    } else {
+        tests = build_test_list(argv, argc, source, build);
+        status = test_batch(tests, verbose) ? 0 : 1;
+    }
+
+    /* For valgrind cleanliness, free all our memory. */
+    if (source_env != NULL) {
+        putenv((char *) "C_TAP_SOURCE=");
+        putenv((char *) "SOURCE=");
+        free(c_tap_source_env);
+        free(source_env);
+    }
+    if (build_env != NULL) {
+        putenv((char *) "C_TAP_BUILD=");
+        putenv((char *) "BUILD=");
+        free(c_tap_build_env);
+        free(build_env);
+    }
+    exit(status);
+}
diff --git a/tests/style/obsolete-strings-t b/tests/style/obsolete-strings-t
new file mode 100755
index 000000000000..430f07219cef
--- /dev/null
+++ b/tests/style/obsolete-strings-t
@@ -0,0 +1,104 @@
+#!/usr/bin/perl
+#
+# Check for obsolete strings in source files.
+#
+# Examine all source files in a distribution for obsolete strings and report
+# on files that fail this check.  This catches various transitions I want to
+# do globally in all my packages, like changing my personal URLs to https.
+#
+# The canonical version of this file is maintained in the rra-c-util package,
+# which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+#
+# Copyright 2016, 2018-2020 Russ Allbery <eagle@eyrie.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+#
+# SPDX-License-Identifier: MIT
+
+use 5.010;
+use strict;
+use warnings;
+
+use lib "$ENV{C_TAP_SOURCE}/tap/perl";
+
+use Test::RRA qw(skip_unless_author);
+use Test::RRA::Automake qw(all_files automake_setup);
+
+use File::Basename qw(basename);
+use Test::More;
+
+# Bad patterns to search for.
+my @BAD_REGEXES = (qr{ http:// \S+ [.]eyrie[.]org }xms);
+my @BAD_STRINGS = qw(rra@stanford.edu RRA_MAINTAINER_TESTS);
+
+# File names to exclude from this check.
+my %EXCLUDE
+  = map { $_ => 1 } qw(NEWS changelog obsolete-strings.t obsolete-strings-t);
+
+# Only run this test for the package author, since it doesn't indicate any
+# user-noticable flaw in the package itself.
+skip_unless_author('Obsolete strings tests');
+
+# Set up Automake testing.
+automake_setup();
+
+# Check a single file for one of the bad patterns.
+#
+# $path - Path to the file
+#
+# Returns: undef
+sub check_file {
+    my ($path) = @_;
+    my $filename = basename($path);
+
+    # Ignore excluded and binary files.
+    return if $EXCLUDE{$filename};
+    return if !-T $path;
+
+    # Scan the file.
+    open(my $fh, '<', $path) or BAIL_OUT("Cannot open $path");
+    while (defined(my $line = <$fh>)) {
+        for my $regex (@BAD_REGEXES) {
+            if ($line =~ $regex) {
+                ok(0, "$path contains $regex");
+                close($fh) or BAIL_OUT("Cannot close $path");
+                return;
+            }
+        }
+        for my $string (@BAD_STRINGS) {
+            if (index($line, $string) != -1) {
+                ok(0, "$path contains $string");
+                close($fh) or BAIL_OUT("Cannot close $path");
+                return;
+            }
+        }
+    }
+    close($fh) or BAIL_OUT("Cannot close $path");
+    ok(1, $path);
+    return;
+}
+
+# Scan every file for any of the bad patterns or strings.  We don't declare a
+# plan since we skip a lot of files and don't want to precalculate the file
+# list.
+my @paths = all_files();
+for my $path (@paths) {
+    check_file($path);
+}
+done_testing();
diff --git a/tests/tap/basic.c b/tests/tap/basic.c
new file mode 100644
index 000000000000..b5f42d0211a4
--- /dev/null
+++ b/tests/tap/basic.c
@@ -0,0 +1,1029 @@
+/*
+ * Some utility routines for writing tests.
+ *
+ * Here are a variety of utility routines for writing tests compatible with
+ * the TAP protocol.  All routines of the form ok() or is*() take a test
+ * number and some number of appropriate arguments, check to be sure the
+ * results match the expected output using the arguments, and print out
+ * something appropriate for that test number.  Other utility routines help in
+ * constructing more complex tests, skipping tests, reporting errors, setting
+ * up the TAP output format, or finding things in the test environment.
+ *
+ * This file is part of C TAP Harness.  The current version plus supporting
+ * documentation is at <https://www.eyrie.org/~eagle/software/c-tap-harness/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2009-2019 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2001-2002, 2004-2008, 2011-2014
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef _WIN32
+#    include <direct.h>
+#else
+#    include <sys/stat.h>
+#endif
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <tests/tap/basic.h>
+
+/* Windows provides mkdir and rmdir under different names. */
+#ifdef _WIN32
+#    define mkdir(p, m) _mkdir(p)
+#    define rmdir(p)    _rmdir(p)
+#endif
+
+/*
+ * The test count.  Always contains the number that will be used for the next
+ * test status.  This is exported to callers of the library.
+ */
+unsigned long testnum = 1;
+
+/*
+ * Status information stored so that we can give a test summary at the end of
+ * the test case.  We store the planned final test and the count of failures.
+ * We can get the highest test count from testnum.
+ */
+static unsigned long _planned = 0;
+static unsigned long _failed = 0;
+
+/*
+ * Store the PID of the process that called plan() and only summarize
+ * results when that process exits, so as to not misreport results in forked
+ * processes.
+ */
+static pid_t _process = 0;
+
+/*
+ * If true, we're doing lazy planning and will print out the plan based on the
+ * last test number at the end of testing.
+ */
+static int _lazy = 0;
+
+/*
+ * If true, the test was aborted by calling bail().  Currently, this is only
+ * used to ensure that we pass a false value to any cleanup functions even if
+ * all tests to that point have passed.
+ */
+static int _aborted = 0;
+
+/*
+ * Registered cleanup functions.  These are stored as a linked list and run in
+ * registered order by finish when the test program exits.  Each function is
+ * passed a boolean value indicating whether all tests were successful.
+ */
+struct cleanup_func {
+    test_cleanup_func func;
+    test_cleanup_func_with_data func_with_data;
+    void *data;
+    struct cleanup_func *next;
+};
+static struct cleanup_func *cleanup_funcs = NULL;
+
+/*
+ * Registered diag files.  Any output found in these files will be printed out
+ * as if it were passed to diag() before any other output we do.  This allows
+ * background processes to log to a file and have that output interleaved with
+ * the test output.
+ */
+struct diag_file {
+    char *name;
+    FILE *file;
+    char *buffer;
+    size_t bufsize;
+    struct diag_file *next;
+};
+static struct diag_file *diag_files = NULL;
+
+/*
+ * Print a specified prefix and then the test description.  Handles turning
+ * the argument list into a va_args structure suitable for passing to
+ * print_desc, which has to be done in a macro.  Assumes that format is the
+ * argument immediately before the variadic arguments.
+ */
+#define PRINT_DESC(prefix, format)  \
+    do {                            \
+        if (format != NULL) {       \
+            va_list args;           \
+            printf("%s", prefix);   \
+            va_start(args, format); \
+            vprintf(format, args);  \
+            va_end(args);           \
+        }                           \
+    } while (0)
+
+
+/*
+ * Form a new string by concatenating multiple strings.  The arguments must be
+ * terminated by (const char *) 0.
+ *
+ * This function only exists because we can't assume asprintf.  We can't
+ * simulate asprintf with snprintf because we're only assuming SUSv3, which
+ * does not require that snprintf with a NULL buffer return the required
+ * length.  When those constraints are relaxed, this should be ripped out and
+ * replaced with asprintf or a more trivial replacement with snprintf.
+ */
+static char *
+concat(const char *first, ...)
+{
+    va_list args;
+    char *result;
+    const char *string;
+    size_t offset;
+    size_t length = 0;
+
+    /*
+     * Find the total memory required.  Ensure we don't overflow length.  See
+     * the comment for breallocarray for why we're using UINT_MAX here.
+     */
+    va_start(args, first);
+    for (string = first; string != NULL; string = va_arg(args, const char *)) {
+        if (length >= UINT_MAX - strlen(string))
+            bail("strings too long in concat");
+        length += strlen(string);
+    }
+    va_end(args);
+    length++;
+
+    /* Create the string. */
+    result = bcalloc_type(length, char);
+    va_start(args, first);
+    offset = 0;
+    for (string = first; string != NULL; string = va_arg(args, const char *)) {
+        memcpy(result + offset, string, strlen(string));
+        offset += strlen(string);
+    }
+    va_end(args);
+    result[offset] = '\0';
+    return result;
+}
+
+
+/*
+ * Helper function for check_diag_files to handle a single line in a diag
+ * file.
+ *
+ * The general scheme here used is as follows: read one line of output.  If we
+ * get NULL, check for an error.  If there was one, bail out of the test
+ * program; otherwise, return, and the enclosing loop will check for EOF.
+ *
+ * If we get some data, see if it ends in a newline.  If it doesn't end in a
+ * newline, we have one of two cases: our buffer isn't large enough, in which
+ * case we resize it and try again, or we have incomplete data in the file, in
+ * which case we rewind the file and will try again next time.
+ *
+ * Returns a boolean indicating whether the last line was incomplete.
+ */
+static int
+handle_diag_file_line(struct diag_file *file, fpos_t where)
+{
+    int size;
+    size_t length;
+
+    /* Read the next line from the file. */
+    size = file->bufsize > INT_MAX ? INT_MAX : (int) file->bufsize;
+    if (fgets(file->buffer, size, file->file) == NULL) {
+        if (ferror(file->file))
+            sysbail("cannot read from %s", file->name);
+        return 0;
+    }
+
+    /*
+     * See if the line ends in a newline.  If not, see which error case we
+     * have.
+     */
+    length = strlen(file->buffer);
+    if (file->buffer[length - 1] != '\n') {
+        int incomplete = 0;
+
+        /* Check whether we ran out of buffer space and resize if so. */
+        if (length < file->bufsize - 1)
+            incomplete = 1;
+        else {
+            file->bufsize += BUFSIZ;
+            file->buffer =
+                breallocarray_type(file->buffer, file->bufsize, char);
+        }
+
+        /*
+         * On either incomplete lines or too small of a buffer, rewind
+         * and read the file again (on the next pass, if incomplete).
+         * It's simpler than trying to double-buffer the file.
+         */
+        if (fsetpos(file->file, &where) < 0)
+            sysbail("cannot set position in %s", file->name);
+        return incomplete;
+    }
+
+    /* We saw a complete line.  Print it out. */
+    printf("# %s", file->buffer);
+    return 0;
+}
+
+
+/*
+ * Check all registered diag_files for any output.  We only print out the
+ * output if we see a complete line; otherwise, we wait for the next newline.
+ */
+static void
+check_diag_files(void)
+{
+    struct diag_file *file;
+    fpos_t where;
+    int incomplete;
+
+    /*
+     * Walk through each file and read each line of output available.
+     */
+    for (file = diag_files; file != NULL; file = file->next) {
+        clearerr(file->file);
+
+        /* Store the current position in case we have to rewind. */
+        if (fgetpos(file->file, &where) < 0)
+            sysbail("cannot get position in %s", file->name);
+
+        /* Continue until we get EOF or an incomplete line of data. */
+        incomplete = 0;
+        while (!feof(file->file) && !incomplete) {
+            incomplete = handle_diag_file_line(file, where);
+        }
+    }
+}
+
+
+/*
+ * Our exit handler.  Called on completion of the test to report a summary of
+ * results provided we're still in the original process.  This also handles
+ * printing out the plan if we used plan_lazy(), although that's suppressed if
+ * we never ran a test (due to an early bail, for example), and running any
+ * registered cleanup functions.
+ */
+static void
+finish(void)
+{
+    int success, primary;
+    struct cleanup_func *current;
+    unsigned long highest = testnum - 1;
+    struct diag_file *file, *tmp;
+
+    /* Check for pending diag_file output. */
+    check_diag_files();
+
+    /* Free the diag_files. */
+    file = diag_files;
+    while (file != NULL) {
+        tmp = file;
+        file = file->next;
+        fclose(tmp->file);
+        free(tmp->name);
+        free(tmp->buffer);
+        free(tmp);
+    }
+    diag_files = NULL;
+
+    /*
+     * Determine whether all tests were successful, which is needed before
+     * calling cleanup functions since we pass that fact to the functions.
+     */
+    if (_planned == 0 && _lazy)
+        _planned = highest;
+    success = (!_aborted && _planned == highest && _failed == 0);
+
+    /*
+     * If there are any registered cleanup functions, we run those first.  We
+     * always run them, even if we didn't run a test.  Don't do anything
+     * except free the diag_files and call cleanup functions if we aren't the
+     * primary process (the process in which plan or plan_lazy was called),
+     * and tell the cleanup functions that fact.
+     */
+    primary = (_process == 0 || getpid() == _process);
+    while (cleanup_funcs != NULL) {
+        if (cleanup_funcs->func_with_data) {
+            void *data = cleanup_funcs->data;
+
+            cleanup_funcs->func_with_data(success, primary, data);
+        } else {
+            cleanup_funcs->func(success, primary);
+        }
+        current = cleanup_funcs;
+        cleanup_funcs = cleanup_funcs->next;
+        free(current);
+    }
+    if (!primary)
+        return;
+
+    /* Don't do anything further if we never planned a test. */
+    if (_planned == 0)
+        return;
+
+    /* If we're aborting due to bail, don't print summaries. */
+    if (_aborted)
+        return;
+
+    /* Print out the lazy plan if needed. */
+    fflush(stderr);
+    if (_lazy && _planned > 0)
+        printf("1..%lu\n", _planned);
+
+    /* Print out a summary of the results. */
+    if (_planned > highest)
+        diag("Looks like you planned %lu test%s but only ran %lu", _planned,
+             (_planned > 1 ? "s" : ""), highest);
+    else if (_planned < highest)
+        diag("Looks like you planned %lu test%s but ran %lu extra", _planned,
+             (_planned > 1 ? "s" : ""), highest - _planned);
+    else if (_failed > 0)
+        diag("Looks like you failed %lu test%s of %lu", _failed,
+             (_failed > 1 ? "s" : ""), _planned);
+    else if (_planned != 1)
+        diag("All %lu tests successful or skipped", _planned);
+    else
+        diag("%lu test successful or skipped", _planned);
+}
+
+
+/*
+ * Initialize things.  Turns on line buffering on stdout and then prints out
+ * the number of tests in the test suite.  We intentionally don't check for
+ * pending diag_file output here, since it should really come after the plan.
+ */
+void
+plan(unsigned long count)
+{
+    if (setvbuf(stdout, NULL, _IOLBF, BUFSIZ) != 0)
+        sysdiag("cannot set stdout to line buffered");
+    fflush(stderr);
+    printf("1..%lu\n", count);
+    testnum = 1;
+    _planned = count;
+    _process = getpid();
+    if (atexit(finish) != 0) {
+        sysdiag("cannot register exit handler");
+        diag("cleanups will not be run");
+    }
+}
+
+
+/*
+ * Initialize things for lazy planning, where we'll automatically print out a
+ * plan at the end of the program.  Turns on line buffering on stdout as well.
+ */
+void
+plan_lazy(void)
+{
+    if (setvbuf(stdout, NULL, _IOLBF, BUFSIZ) != 0)
+        sysdiag("cannot set stdout to line buffered");
+    testnum = 1;
+    _process = getpid();
+    _lazy = 1;
+    if (atexit(finish) != 0)
+        sysbail("cannot register exit handler to display plan");
+}
+
+
+/*
+ * Skip the entire test suite and exits.  Should be called instead of plan(),
+ * not after it, since it prints out a special plan line.  Ignore diag_file
+ * output here, since it's not clear if it's allowed before the plan.
+ */
+void
+skip_all(const char *format, ...)
+{
+    fflush(stderr);
+    printf("1..0 # skip");
+    PRINT_DESC(" ", format);
+    putchar('\n');
+    exit(0);
+}
+
+
+/*
+ * Takes a boolean success value and assumes the test passes if that value
+ * is true and fails if that value is false.
+ */
+int
+ok(int success, const char *format, ...)
+{
+    fflush(stderr);
+    check_diag_files();
+    printf("%sok %lu", success ? "" : "not ", testnum++);
+    if (!success)
+        _failed++;
+    PRINT_DESC(" - ", format);
+    putchar('\n');
+    return success;
+}
+
+
+/*
+ * Same as ok(), but takes the format arguments as a va_list.
+ */
+int
+okv(int success, const char *format, va_list args)
+{
+    fflush(stderr);
+    check_diag_files();
+    printf("%sok %lu", success ? "" : "not ", testnum++);
+    if (!success)
+        _failed++;
+    if (format != NULL) {
+        printf(" - ");
+        vprintf(format, args);
+    }
+    putchar('\n');
+    return success;
+}
+
+
+/*
+ * Skip a test.
+ */
+void
+skip(const char *reason, ...)
+{
+    fflush(stderr);
+    check_diag_files();
+    printf("ok %lu # skip", testnum++);
+    PRINT_DESC(" ", reason);
+    putchar('\n');
+}
+
+
+/*
+ * Report the same status on the next count tests.
+ */
+int
+ok_block(unsigned long count, int success, const char *format, ...)
+{
+    unsigned long i;
+
+    fflush(stderr);
+    check_diag_files();
+    for (i = 0; i < count; i++) {
+        printf("%sok %lu", success ? "" : "not ", testnum++);
+        if (!success)
+            _failed++;
+        PRINT_DESC(" - ", format);
+        putchar('\n');
+    }
+    return success;
+}
+
+
+/*
+ * Skip the next count tests.
+ */
+void
+skip_block(unsigned long count, const char *reason, ...)
+{
+    unsigned long i;
+
+    fflush(stderr);
+    check_diag_files();
+    for (i = 0; i < count; i++) {
+        printf("ok %lu # skip", testnum++);
+        PRINT_DESC(" ", reason);
+        putchar('\n');
+    }
+}
+
+
+/*
+ * Takes two boolean values and requires the truth value of both match.
+ */
+int
+is_bool(int left, int right, const char *format, ...)
+{
+    int success;
+
+    fflush(stderr);
+    check_diag_files();
+    success = (!!left == !!right);
+    if (success)
+        printf("ok %lu", testnum++);
+    else {
+        diag(" left: %s", !!left ? "true" : "false");
+        diag("right: %s", !!right ? "true" : "false");
+        printf("not ok %lu", testnum++);
+        _failed++;
+    }
+    PRINT_DESC(" - ", format);
+    putchar('\n');
+    return success;
+}
+
+
+/*
+ * Takes two integer values and requires they match.
+ */
+int
+is_int(long left, long right, const char *format, ...)
+{
+    int success;
+
+    fflush(stderr);
+    check_diag_files();
+    success = (left == right);
+    if (success)
+        printf("ok %lu", testnum++);
+    else {
+        diag(" left: %ld", left);
+        diag("right: %ld", right);
+        printf("not ok %lu", testnum++);
+        _failed++;
+    }
+    PRINT_DESC(" - ", format);
+    putchar('\n');
+    return success;
+}
+
+
+/*
+ * Takes two strings and requires they match (using strcmp).  NULL arguments
+ * are permitted and handled correctly.
+ */
+int
+is_string(const char *left, const char *right, const char *format, ...)
+{
+    int success;
+
+    fflush(stderr);
+    check_diag_files();
+
+    /* Compare the strings, being careful of NULL. */
+    if (left == NULL)
+        success = (right == NULL);
+    else if (right == NULL)
+        success = 0;
+    else
+        success = (strcmp(left, right) == 0);
+
+    /* Report the results. */
+    if (success)
+        printf("ok %lu", testnum++);
+    else {
+        diag(" left: %s", left == NULL ? "(null)" : left);
+        diag("right: %s", right == NULL ? "(null)" : right);
+        printf("not ok %lu", testnum++);
+        _failed++;
+    }
+    PRINT_DESC(" - ", format);
+    putchar('\n');
+    return success;
+}
+
+
+/*
+ * Takes two unsigned longs and requires they match.  On failure, reports them
+ * in hex.
+ */
+int
+is_hex(unsigned long left, unsigned long right, const char *format, ...)
+{
+    int success;
+
+    fflush(stderr);
+    check_diag_files();
+    success = (left == right);
+    if (success)
+        printf("ok %lu", testnum++);
+    else {
+        diag(" left: %lx", (unsigned long) left);
+        diag("right: %lx", (unsigned long) right);
+        printf("not ok %lu", testnum++);
+        _failed++;
+    }
+    PRINT_DESC(" - ", format);
+    putchar('\n');
+    return success;
+}
+
+
+/*
+ * Takes pointers to a regions of memory and requires that len bytes from each
+ * match.  Otherwise reports any bytes which didn't match.
+ */
+int
+is_blob(const void *left, const void *right, size_t len, const char *format,
+        ...)
+{
+    int success;
+    size_t i;
+
+    fflush(stderr);
+    check_diag_files();
+    success = (memcmp(left, right, len) == 0);
+    if (success)
+        printf("ok %lu", testnum++);
+    else {
+        const unsigned char *left_c = (const unsigned char *) left;
+        const unsigned char *right_c = (const unsigned char *) right;
+
+        for (i = 0; i < len; i++) {
+            if (left_c[i] != right_c[i])
+                diag("offset %lu: left %02x, right %02x", (unsigned long) i,
+                     left_c[i], right_c[i]);
+        }
+        printf("not ok %lu", testnum++);
+        _failed++;
+    }
+    PRINT_DESC(" - ", format);
+    putchar('\n');
+    return success;
+}
+
+
+/*
+ * Bail out with an error.
+ */
+void
+bail(const char *format, ...)
+{
+    va_list args;
+
+    _aborted = 1;
+    fflush(stderr);
+    check_diag_files();
+    fflush(stdout);
+    printf("Bail out! ");
+    va_start(args, format);
+    vprintf(format, args);
+    va_end(args);
+    printf("\n");
+    exit(255);
+}
+
+
+/*
+ * Bail out with an error, appending strerror(errno).
+ */
+void
+sysbail(const char *format, ...)
+{
+    va_list args;
+    int oerrno = errno;
+
+    _aborted = 1;
+    fflush(stderr);
+    check_diag_files();
+    fflush(stdout);
+    printf("Bail out! ");
+    va_start(args, format);
+    vprintf(format, args);
+    va_end(args);
+    printf(": %s\n", strerror(oerrno));
+    exit(255);
+}
+
+
+/*
+ * Report a diagnostic to stderr.  Always returns 1 to allow embedding in
+ * compound statements.
+ */
+int
+diag(const char *format, ...)
+{
+    va_list args;
+
+    fflush(stderr);
+    check_diag_files();
+    fflush(stdout);
+    printf("# ");
+    va_start(args, format);
+    vprintf(format, args);
+    va_end(args);
+    printf("\n");
+    return 1;
+}
+
+
+/*
+ * Report a diagnostic to stderr, appending strerror(errno).  Always returns 1
+ * to allow embedding in compound statements.
+ */
+int
+sysdiag(const char *format, ...)
+{
+    va_list args;
+    int oerrno = errno;
+
+    fflush(stderr);
+    check_diag_files();
+    fflush(stdout);
+    printf("# ");
+    va_start(args, format);
+    vprintf(format, args);
+    va_end(args);
+    printf(": %s\n", strerror(oerrno));
+    return 1;
+}
+
+
+/*
+ * Register a new file for diag_file processing.
+ */
+void
+diag_file_add(const char *name)
+{
+    struct diag_file *file, *prev;
+
+    file = bcalloc_type(1, struct diag_file);
+    file->name = bstrdup(name);
+    file->file = fopen(file->name, "r");
+    if (file->file == NULL)
+        sysbail("cannot open %s", name);
+    file->buffer = bcalloc_type(BUFSIZ, char);
+    file->bufsize = BUFSIZ;
+    if (diag_files == NULL)
+        diag_files = file;
+    else {
+        for (prev = diag_files; prev->next != NULL; prev = prev->next)
+            ;
+        prev->next = file;
+    }
+}
+
+
+/*
+ * Remove a file from diag_file processing.  If the file is not found, do
+ * nothing, since there are some situations where it can be removed twice
+ * (such as if it's removed from a cleanup function, since cleanup functions
+ * are called after freeing all the diag_files).
+ */
+void
+diag_file_remove(const char *name)
+{
+    struct diag_file *file;
+    struct diag_file **prev = &diag_files;
+
+    for (file = diag_files; file != NULL; file = file->next) {
+        if (strcmp(file->name, name) == 0) {
+            *prev = file->next;
+            fclose(file->file);
+            free(file->name);
+            free(file->buffer);
+            free(file);
+            return;
+        }
+        prev = &file->next;
+    }
+}
+
+
+/*
+ * Allocate cleared memory, reporting a fatal error with bail on failure.
+ */
+void *
+bcalloc(size_t n, size_t size)
+{
+    void *p;
+
+    p = calloc(n, size);
+    if (p == NULL)
+        sysbail("failed to calloc %lu", (unsigned long) (n * size));
+    return p;
+}
+
+
+/*
+ * Allocate memory, reporting a fatal error with bail on failure.
+ */
+void *
+bmalloc(size_t size)
+{
+    void *p;
+
+    p = malloc(size);
+    if (p == NULL)
+        sysbail("failed to malloc %lu", (unsigned long) size);
+    return p;
+}
+
+
+/*
+ * Reallocate memory, reporting a fatal error with bail on failure.
+ */
+void *
+brealloc(void *p, size_t size)
+{
+    p = realloc(p, size);
+    if (p == NULL)
+        sysbail("failed to realloc %lu bytes", (unsigned long) size);
+    return p;
+}
+
+
+/*
+ * The same as brealloc, but determine the size by multiplying an element
+ * count by a size, similar to calloc.  The multiplication is checked for
+ * integer overflow.
+ *
+ * We should technically use SIZE_MAX here for the overflow check, but
+ * SIZE_MAX is C99 and we're only assuming C89 + SUSv3, which does not
+ * guarantee that it exists.  They do guarantee that UINT_MAX exists, and we
+ * can assume that UINT_MAX <= SIZE_MAX.
+ *
+ * (In theory, C89 and C99 permit size_t to be smaller than unsigned int, but
+ * I disbelieve in the existence of such systems and they will have to cope
+ * without overflow checks.)
+ */
+void *
+breallocarray(void *p, size_t n, size_t size)
+{
+    if (n > 0 && UINT_MAX / n <= size)
+        bail("reallocarray too large");
+    if (n == 0)
+        n = 1;
+    p = realloc(p, n * size);
+    if (p == NULL)
+        sysbail("failed to realloc %lu bytes", (unsigned long) (n * size));
+    return p;
+}
+
+
+/*
+ * Copy a string, reporting a fatal error with bail on failure.
+ */
+char *
+bstrdup(const char *s)
+{
+    char *p;
+    size_t len;
+
+    len = strlen(s) + 1;
+    p = (char *) malloc(len);
+    if (p == NULL)
+        sysbail("failed to strdup %lu bytes", (unsigned long) len);
+    memcpy(p, s, len);
+    return p;
+}
+
+
+/*
+ * Copy up to n characters of a string, reporting a fatal error with bail on
+ * failure.  Don't use the system strndup function, since it may not exist and
+ * the TAP library doesn't assume any portability support.
+ */
+char *
+bstrndup(const char *s, size_t n)
+{
+    const char *p;
+    char *copy;
+    size_t length;
+
+    /* Don't assume that the source string is nul-terminated. */
+    for (p = s; (size_t)(p - s) < n && *p != '\0'; p++)
+        ;
+    length = (size_t)(p - s);
+    copy = (char *) malloc(length + 1);
+    if (copy == NULL)
+        sysbail("failed to strndup %lu bytes", (unsigned long) length);
+    memcpy(copy, s, length);
+    copy[length] = '\0';
+    return copy;
+}
+
+
+/*
+ * Locate a test file.  Given the partial path to a file, look under
+ * C_TAP_BUILD and then C_TAP_SOURCE for the file and return the full path to
+ * the file.  Returns NULL if the file doesn't exist.  A non-NULL return
+ * should be freed with test_file_path_free().
+ */
+char *
+test_file_path(const char *file)
+{
+    char *base;
+    char *path = NULL;
+    const char *envs[] = {"C_TAP_BUILD", "C_TAP_SOURCE", NULL};
+    int i;
+
+    for (i = 0; envs[i] != NULL; i++) {
+        base = getenv(envs[i]);
+        if (base == NULL)
+            continue;
+        path = concat(base, "/", file, (const char *) 0);
+        if (access(path, R_OK) == 0)
+            break;
+        free(path);
+        path = NULL;
+    }
+    return path;
+}
+
+
+/*
+ * Free a path returned from test_file_path().  This function exists primarily
+ * for Windows, where memory must be freed from the same library domain that
+ * it was allocated from.
+ */
+void
+test_file_path_free(char *path)
+{
+    free(path);
+}
+
+
+/*
+ * Create a temporary directory, tmp, under C_TAP_BUILD if set and the current
+ * directory if it does not.  Returns the path to the temporary directory in
+ * newly allocated memory, and calls bail on any failure.  The return value
+ * should be freed with test_tmpdir_free.
+ *
+ * This function uses sprintf because it attempts to be independent of all
+ * other portability layers.  The use immediately after a memory allocation
+ * should be safe without using snprintf or strlcpy/strlcat.
+ */
+char *
+test_tmpdir(void)
+{
+    const char *build;
+    char *path = NULL;
+
+    build = getenv("C_TAP_BUILD");
+    if (build == NULL)
+        build = ".";
+    path = concat(build, "/tmp", (const char *) 0);
+    if (access(path, X_OK) < 0)
+        if (mkdir(path, 0777) < 0)
+            sysbail("error creating temporary directory %s", path);
+    return path;
+}
+
+
+/*
+ * Free a path returned from test_tmpdir() and attempt to remove the
+ * directory.  If we can't delete the directory, don't worry; something else
+ * that hasn't yet cleaned up may still be using it.
+ */
+void
+test_tmpdir_free(char *path)
+{
+    if (path != NULL)
+        rmdir(path);
+    free(path);
+}
+
+static void
+register_cleanup(test_cleanup_func func,
+                 test_cleanup_func_with_data func_with_data, void *data)
+{
+    struct cleanup_func *cleanup, **last;
+
+    cleanup = bcalloc_type(1, struct cleanup_func);
+    cleanup->func = func;
+    cleanup->func_with_data = func_with_data;
+    cleanup->data = data;
+    cleanup->next = NULL;
+    last = &cleanup_funcs;
+    while (*last != NULL)
+        last = &(*last)->next;
+    *last = cleanup;
+}
+
+/*
+ * Register a cleanup function that is called when testing ends.  All such
+ * registered functions will be run by finish.
+ */
+void
+test_cleanup_register(test_cleanup_func func)
+{
+    register_cleanup(func, NULL, NULL);
+}
+
+/*
+ * Same as above, but also allows an opaque pointer to be passed to the cleanup
+ * function.
+ */
+void
+test_cleanup_register_with_data(test_cleanup_func_with_data func, void *data)
+{
+    register_cleanup(NULL, func, data);
+}
diff --git a/tests/tap/basic.h b/tests/tap/basic.h
new file mode 100644
index 000000000000..45f15f2892a7
--- /dev/null
+++ b/tests/tap/basic.h
@@ -0,0 +1,192 @@
+/*
+ * Basic utility routines for the TAP protocol.
+ *
+ * This file is part of C TAP Harness.  The current version plus supporting
+ * documentation is at <https://www.eyrie.org/~eagle/software/c-tap-harness/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2009-2019 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2001-2002, 2004-2008, 2011-2012, 2014
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#ifndef TAP_BASIC_H
+#define TAP_BASIC_H 1
+
+#include <stdarg.h> /* va_list */
+#include <stddef.h> /* size_t */
+#include <tests/tap/macros.h>
+
+/*
+ * Used for iterating through arrays.  ARRAY_SIZE returns the number of
+ * elements in the array (useful for a < upper bound in a for loop) and
+ * ARRAY_END returns a pointer to the element past the end (ISO C99 makes it
+ * legal to refer to such a pointer as long as it's never dereferenced).
+ */
+#define ARRAY_SIZE(array) (sizeof(array) / sizeof((array)[0]))
+#define ARRAY_END(array)  (&(array)[ARRAY_SIZE(array)])
+
+BEGIN_DECLS
+
+/*
+ * The test count.  Always contains the number that will be used for the next
+ * test status.
+ */
+extern unsigned long testnum;
+
+/* Print out the number of tests and set standard output to line buffered. */
+void plan(unsigned long count);
+
+/*
+ * Prepare for lazy planning, in which the plan will be printed automatically
+ * at the end of the test program.
+ */
+void plan_lazy(void);
+
+/* Skip the entire test suite.  Call instead of plan. */
+void skip_all(const char *format, ...)
+    __attribute__((__noreturn__, __format__(printf, 1, 2)));
+
+/*
+ * Basic reporting functions.  The okv() function is the same as ok() but
+ * takes the test description as a va_list to make it easier to reuse the
+ * reporting infrastructure when writing new tests.  ok() and okv() return the
+ * value of the success argument.
+ */
+int ok(int success, const char *format, ...)
+    __attribute__((__format__(printf, 2, 3)));
+int okv(int success, const char *format, va_list args)
+    __attribute__((__format__(printf, 2, 0)));
+void skip(const char *reason, ...) __attribute__((__format__(printf, 1, 2)));
+
+/*
+ * Report the same status on, or skip, the next count tests.  ok_block()
+ * returns the value of the success argument.
+ */
+int ok_block(unsigned long count, int success, const char *format, ...)
+    __attribute__((__format__(printf, 3, 4)));
+void skip_block(unsigned long count, const char *reason, ...)
+    __attribute__((__format__(printf, 2, 3)));
+
+/*
+ * Compare two values.  Returns true if the test passes and false if it fails.
+ * is_bool takes an int since the bool type isn't fully portable yet, but
+ * interprets both arguments for their truth value, not for their numeric
+ * value.
+ */
+int is_bool(int, int, const char *format, ...)
+    __attribute__((__format__(printf, 3, 4)));
+int is_int(long, long, const char *format, ...)
+    __attribute__((__format__(printf, 3, 4)));
+int is_string(const char *, const char *, const char *format, ...)
+    __attribute__((__format__(printf, 3, 4)));
+int is_hex(unsigned long, unsigned long, const char *format, ...)
+    __attribute__((__format__(printf, 3, 4)));
+int is_blob(const void *, const void *, size_t, const char *format, ...)
+    __attribute__((__format__(printf, 4, 5)));
+
+/* Bail out with an error.  sysbail appends strerror(errno). */
+void bail(const char *format, ...)
+    __attribute__((__noreturn__, __nonnull__, __format__(printf, 1, 2)));
+void sysbail(const char *format, ...)
+    __attribute__((__noreturn__, __nonnull__, __format__(printf, 1, 2)));
+
+/* Report a diagnostic to stderr prefixed with #. */
+int diag(const char *format, ...)
+    __attribute__((__nonnull__, __format__(printf, 1, 2)));
+int sysdiag(const char *format, ...)
+    __attribute__((__nonnull__, __format__(printf, 1, 2)));
+
+/*
+ * Register or unregister a file that contains supplementary diagnostics.
+ * Before any other output, all registered files will be read, line by line,
+ * and each line will be reported as a diagnostic as if it were passed to
+ * diag().  Nul characters are not supported in these files and will result in
+ * truncated output.
+ */
+void diag_file_add(const char *file) __attribute__((__nonnull__));
+void diag_file_remove(const char *file) __attribute__((__nonnull__));
+
+/* Allocate memory, reporting a fatal error with bail on failure. */
+void *bcalloc(size_t, size_t)
+    __attribute__((__alloc_size__(1, 2), __malloc__, __warn_unused_result__));
+void *bmalloc(size_t)
+    __attribute__((__alloc_size__(1), __malloc__, __warn_unused_result__));
+void *breallocarray(void *, size_t, size_t)
+    __attribute__((__alloc_size__(2, 3), __malloc__, __warn_unused_result__));
+void *brealloc(void *, size_t)
+    __attribute__((__alloc_size__(2), __malloc__, __warn_unused_result__));
+char *bstrdup(const char *)
+    __attribute__((__malloc__, __nonnull__, __warn_unused_result__));
+char *bstrndup(const char *, size_t)
+    __attribute__((__malloc__, __nonnull__, __warn_unused_result__));
+
+/*
+ * Macros that cast the return value from b* memory functions, making them
+ * usable in C++ code and providing some additional type safety.
+ */
+#define bcalloc_type(n, type) ((type *) bcalloc((n), sizeof(type)))
+#define breallocarray_type(p, n, type) \
+    ((type *) breallocarray((p), (n), sizeof(type)))
+
+/*
+ * Find a test file under C_TAP_BUILD or C_TAP_SOURCE, returning the full
+ * path.  The returned path should be freed with test_file_path_free().
+ */
+char *test_file_path(const char *file)
+    __attribute__((__malloc__, __nonnull__, __warn_unused_result__));
+void test_file_path_free(char *path);
+
+/*
+ * Create a temporary directory relative to C_TAP_BUILD and return the path.
+ * The returned path should be freed with test_tmpdir_free().
+ */
+char *test_tmpdir(void) __attribute__((__malloc__, __warn_unused_result__));
+void test_tmpdir_free(char *path);
+
+/*
+ * Register a cleanup function that is called when testing ends.  All such
+ * registered functions will be run during atexit handling (and are therefore
+ * subject to all the same constraints and caveats as atexit functions).
+ *
+ * The function must return void and will be passed two arguments: an int that
+ * will be true if the test completed successfully and false otherwise, and an
+ * int that will be true if the cleanup function is run in the primary process
+ * (the one that called plan or plan_lazy) and false otherwise.  If
+ * test_cleanup_register_with_data is used instead, a generic pointer can be
+ * provided and will be passed to the cleanup function as a third argument.
+ *
+ * test_cleanup_register_with_data is the better API and should have been the
+ * only API.  test_cleanup_register was an API error preserved for backward
+ * cmpatibility.
+ */
+typedef void (*test_cleanup_func)(int, int);
+typedef void (*test_cleanup_func_with_data)(int, int, void *);
+
+void test_cleanup_register(test_cleanup_func) __attribute__((__nonnull__));
+void test_cleanup_register_with_data(test_cleanup_func_with_data, void *)
+    __attribute__((__nonnull__));
+
+END_DECLS
+
+#endif /* TAP_BASIC_H */
diff --git a/tests/tap/kadmin.c b/tests/tap/kadmin.c
new file mode 100644
index 000000000000..8e70f9d0ec27
--- /dev/null
+++ b/tests/tap/kadmin.c
@@ -0,0 +1,138 @@
+/*
+ * Kerberos test setup requiring the kadmin API.
+ *
+ * This file collects Kerberos test setup functions that use the kadmin API to
+ * put principals into particular configurations for testing.  Currently, the
+ * only implemented functionality is to mark a password as expired.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2017 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <config.h>
+#ifdef HAVE_KADM5CLNT
+#    include <portable/kadmin.h>
+#    include <portable/krb5.h>
+#endif
+#include <portable/system.h>
+
+#include <time.h>
+
+#include <tests/tap/basic.h>
+#include <tests/tap/kadmin.h>
+#include <tests/tap/kerberos.h>
+
+/* Used for unused parameters to silence gcc warnings. */
+#define UNUSED __attribute__((__unused__))
+
+
+/*
+ * Given the principal to set an expiration on, set that principal to have an
+ * expired password.  This requires that the realm admin server be configured
+ * either in DNS (with SRV records) or in krb5.conf (possibly the one
+ * KRB5_CONFIG is pointing to).  Authentication is done using the keytab
+ * stored in config/admin-keytab.
+ *
+ * Returns true on success.  Returns false if necessary configuration is
+ * missing so that the caller can choose whether to call bail or skip_all.  If
+ * the configuration is present but the operation fails, bails.
+ */
+#ifdef HAVE_KADM5CLNT
+bool
+kerberos_expire_password(const char *principal, time_t expires)
+{
+    char *path, *user;
+    const char *realm;
+    krb5_context ctx;
+    krb5_principal admin = NULL;
+    krb5_principal princ = NULL;
+    kadm5_ret_t code;
+    kadm5_config_params params;
+    kadm5_principal_ent_rec ent;
+    void *handle;
+    bool okay = false;
+
+    /* Set up for making our call. */
+    path = test_file_path("config/admin-keytab");
+    if (path == NULL)
+        return false;
+    code = krb5_init_context(&ctx);
+    if (code != 0)
+        bail_krb5(ctx, code, "error initializing Kerberos");
+    admin = kerberos_keytab_principal(ctx, path);
+    realm = krb5_principal_get_realm(ctx, admin);
+    code = krb5_set_default_realm(ctx, realm);
+    if (code != 0)
+        bail_krb5(ctx, code, "cannot set default realm");
+    code = krb5_unparse_name(ctx, admin, &user);
+    if (code != 0)
+        bail_krb5(ctx, code, "cannot unparse admin principal");
+    code = krb5_parse_name(ctx, principal, &princ);
+    if (code != 0)
+        bail_krb5(ctx, code, "cannot parse principal %s", principal);
+
+    /*
+     * If the actual kadmin calls fail, we may be built with MIT Kerberos
+     * against a Heimdal server or vice versa.  Return false to skip the
+     * tests.
+     */
+    memset(&params, 0, sizeof(params));
+    params.realm = (char *) realm;
+    params.mask = KADM5_CONFIG_REALM;
+    code = kadm5_init_with_skey_ctx(ctx, user, path, KADM5_ADMIN_SERVICE,
+                                    &params, KADM5_STRUCT_VERSION,
+                                    KADM5_API_VERSION, &handle);
+    if (code != 0) {
+        diag_krb5(ctx, code, "error initializing kadmin");
+        goto done;
+    }
+    memset(&ent, 0, sizeof(ent));
+    ent.principal = princ;
+    ent.pw_expiration = (krb5_timestamp) expires;
+    code = kadm5_modify_principal(handle, &ent, KADM5_PW_EXPIRATION);
+    if (code == 0)
+        okay = true;
+    else
+        diag_krb5(ctx, code, "error setting password expiration");
+
+done:
+    kadm5_destroy(handle);
+    krb5_free_unparsed_name(ctx, user);
+    krb5_free_principal(ctx, admin);
+    krb5_free_principal(ctx, princ);
+    krb5_free_context(ctx);
+    test_file_path_free(path);
+    return okay;
+}
+#else  /* !HAVE_KADM5CLNT */
+bool
+kerberos_expire_password(const char *principal UNUSED, time_t expires UNUSED)
+{
+    return false;
+}
+#endif /* !HAVE_KADM5CLNT */
diff --git a/tests/tap/kadmin.h b/tests/tap/kadmin.h
new file mode 100644
index 000000000000..c4dc657237da
--- /dev/null
+++ b/tests/tap/kadmin.h
@@ -0,0 +1,58 @@
+/*
+ * Utility functions for tests needing Kerberos admin actions.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011, 2013
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#ifndef TAP_KADMIN_H
+#define TAP_KADMIN_H 1
+
+#include <config.h>
+#include <portable/stdbool.h>
+
+#include <time.h>
+
+#include <tests/tap/macros.h>
+
+BEGIN_DECLS
+
+/*
+ * Given the principal to set an expiration on and the expiration time, set
+ * that principal's key to expire at that time.  Authentication is done using
+ * the keytab stored in config/admin-keytab.
+ *
+ * Returns true on success.  Returns false if necessary configuration is
+ * missing so that the caller can choose whether to call bail or skip_all.  If
+ * the configuration is present but the operation fails, bails.
+ */
+bool kerberos_expire_password(const char *, time_t)
+    __attribute__((__nonnull__));
+
+END_DECLS
+
+#endif /* !TAP_KADMIN_H */
diff --git a/tests/tap/kerberos.c b/tests/tap/kerberos.c
new file mode 100644
index 000000000000..765d80290a64
--- /dev/null
+++ b/tests/tap/kerberos.c
@@ -0,0 +1,544 @@
+/*
+ * Utility functions for tests that use Kerberos.
+ *
+ * The core function is kerberos_setup, which loads Kerberos test
+ * configuration and returns a struct of information.  It also supports
+ * obtaining initial tickets from the configured keytab and setting up
+ * KRB5CCNAME and KRB5_KTNAME if a Kerberos keytab is present.  Also included
+ * are utility functions for setting up a krb5.conf file and reporting
+ * Kerberos errors or warnings during testing.
+ *
+ * Some of the functionality here is only available if the Kerberos libraries
+ * are available.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2017 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2006-2007, 2009-2014
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <config.h>
+#ifdef HAVE_KRB5
+#    include <portable/krb5.h>
+#endif
+#include <portable/system.h>
+
+#include <sys/stat.h>
+
+#include <tests/tap/basic.h>
+#include <tests/tap/kerberos.h>
+#include <tests/tap/macros.h>
+#include <tests/tap/process.h>
+#include <tests/tap/string.h>
+
+/*
+ * Disable the requirement that format strings be literals, since it's easier
+ * to handle the possible patterns for kinit commands as an array.
+ */
+#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 2) || defined(__clang__)
+#    pragma GCC diagnostic ignored "-Wformat-nonliteral"
+#endif
+
+
+/*
+ * These variables hold the allocated configuration struct, the environment to
+ * point to a different Kerberos ticket cache, keytab, and configuration file,
+ * and the temporary directories used.  We store them so that we can free them
+ * on exit for cleaner valgrind output, making it easier to find real memory
+ * leaks in the tested programs.
+ */
+static struct kerberos_config *config = NULL;
+static char *krb5ccname = NULL;
+static char *krb5_ktname = NULL;
+static char *krb5_config = NULL;
+static char *tmpdir_ticket = NULL;
+static char *tmpdir_conf = NULL;
+
+
+/*
+ * Obtain Kerberos tickets and fill in the principal config entry.
+ *
+ * There are two implementations of this function, one if we have native
+ * Kerberos libraries available and one if we don't.  Uses keytab to obtain
+ * credentials, and fills in the cache member of the provided config struct.
+ */
+#ifdef HAVE_KRB5
+
+static void
+kerberos_kinit(void)
+{
+    char *name, *krbtgt;
+    krb5_error_code code;
+    krb5_context ctx;
+    krb5_ccache ccache;
+    krb5_principal kprinc;
+    krb5_keytab keytab;
+    krb5_get_init_creds_opt *opts;
+    krb5_creds creds;
+    const char *realm;
+
+    /*
+     * Determine the principal corresponding to that keytab.  We copy the
+     * memory to ensure that it's allocated in the right memory domain on
+     * systems where that may matter (like Windows).
+     */
+    code = krb5_init_context(&ctx);
+    if (code != 0)
+        bail_krb5(ctx, code, "error initializing Kerberos");
+    kprinc = kerberos_keytab_principal(ctx, config->keytab);
+    code = krb5_unparse_name(ctx, kprinc, &name);
+    if (code != 0)
+        bail_krb5(ctx, code, "error unparsing name");
+    krb5_free_principal(ctx, kprinc);
+    config->principal = bstrdup(name);
+    krb5_free_unparsed_name(ctx, name);
+
+    /* Now do the Kerberos initialization. */
+    code = krb5_cc_default(ctx, &ccache);
+    if (code != 0)
+        bail_krb5(ctx, code, "error setting ticket cache");
+    code = krb5_parse_name(ctx, config->principal, &kprinc);
+    if (code != 0)
+        bail_krb5(ctx, code, "error parsing principal %s", config->principal);
+    realm = krb5_principal_get_realm(ctx, kprinc);
+    basprintf(&krbtgt, "krbtgt/%s@%s", realm, realm);
+    code = krb5_kt_resolve(ctx, config->keytab, &keytab);
+    if (code != 0)
+        bail_krb5(ctx, code, "cannot open keytab %s", config->keytab);
+    code = krb5_get_init_creds_opt_alloc(ctx, &opts);
+    if (code != 0)
+        bail_krb5(ctx, code, "cannot allocate credential options");
+    krb5_get_init_creds_opt_set_default_flags(ctx, NULL, realm, opts);
+    krb5_get_init_creds_opt_set_forwardable(opts, 0);
+    krb5_get_init_creds_opt_set_proxiable(opts, 0);
+    code = krb5_get_init_creds_keytab(ctx, &creds, kprinc, keytab, 0, krbtgt,
+                                      opts);
+    if (code != 0)
+        bail_krb5(ctx, code, "cannot get Kerberos tickets");
+    code = krb5_cc_initialize(ctx, ccache, kprinc);
+    if (code != 0)
+        bail_krb5(ctx, code, "error initializing ticket cache");
+    code = krb5_cc_store_cred(ctx, ccache, &creds);
+    if (code != 0)
+        bail_krb5(ctx, code, "error storing credentials");
+    krb5_cc_close(ctx, ccache);
+    krb5_free_cred_contents(ctx, &creds);
+    krb5_kt_close(ctx, keytab);
+    krb5_free_principal(ctx, kprinc);
+    krb5_get_init_creds_opt_free(ctx, opts);
+    krb5_free_context(ctx);
+    free(krbtgt);
+}
+
+#else /* !HAVE_KRB5 */
+
+static void
+kerberos_kinit(void)
+{
+    static const char *const format[] = {
+        "kinit --no-afslog -k -t %s %s >/dev/null 2>&1 </dev/null",
+        "kinit -k -t %s %s >/dev/null 2>&1 </dev/null",
+        "kinit -t %s %s >/dev/null 2>&1 </dev/null",
+        "kinit -k -K %s %s >/dev/null 2>&1 </dev/null"};
+    FILE *file;
+    char *path;
+    char principal[BUFSIZ], *command;
+    size_t i;
+    int status;
+
+    /* Read the principal corresponding to the keytab. */
+    path = test_file_path("config/principal");
+    if (path == NULL) {
+        test_file_path_free(config->keytab);
+        config->keytab = NULL;
+        return;
+    }
+    file = fopen(path, "r");
+    if (file == NULL) {
+        test_file_path_free(path);
+        return;
+    }
+    test_file_path_free(path);
+    if (fgets(principal, sizeof(principal), file) == NULL)
+        bail("cannot read %s", path);
+    fclose(file);
+    if (principal[strlen(principal) - 1] != '\n')
+        bail("no newline in %s", path);
+    principal[strlen(principal) - 1] = '\0';
+    config->principal = bstrdup(principal);
+
+    /* Now do the Kerberos initialization. */
+    for (i = 0; i < ARRAY_SIZE(format); i++) {
+        basprintf(&command, format[i], config->keytab, principal);
+        status = system(command);
+        free(command);
+        if (status != -1 && WEXITSTATUS(status) == 0)
+            break;
+    }
+    if (status == -1 || WEXITSTATUS(status) != 0)
+        bail("cannot get Kerberos tickets");
+}
+
+#endif /* !HAVE_KRB5 */
+
+
+/*
+ * Free all the memory associated with our Kerberos setup, but don't remove
+ * the ticket cache.  This is used when cleaning up on exit from a non-primary
+ * process so that test programs that fork don't remove the ticket cache still
+ * used by the main program.
+ */
+static void
+kerberos_free(void)
+{
+    test_tmpdir_free(tmpdir_ticket);
+    tmpdir_ticket = NULL;
+    if (config != NULL) {
+        test_file_path_free(config->keytab);
+        free(config->principal);
+        free(config->cache);
+        free(config->userprinc);
+        free(config->username);
+        free(config->password);
+        free(config->pkinit_principal);
+        free(config->pkinit_cert);
+        free(config);
+        config = NULL;
+    }
+    if (krb5ccname != NULL) {
+        putenv((char *) "KRB5CCNAME=");
+        free(krb5ccname);
+        krb5ccname = NULL;
+    }
+    if (krb5_ktname != NULL) {
+        putenv((char *) "KRB5_KTNAME=");
+        free(krb5_ktname);
+        krb5_ktname = NULL;
+    }
+}
+
+
+/*
+ * Clean up at the end of a test.  This removes the ticket cache and resets
+ * and frees the memory allocated for the environment variables so that
+ * valgrind output on test suites is cleaner.  Most of the work is done by
+ * kerberos_free, but this function also deletes the ticket cache.
+ */
+void
+kerberos_cleanup(void)
+{
+    char *path;
+
+    if (tmpdir_ticket != NULL) {
+        basprintf(&path, "%s/krb5cc_test", tmpdir_ticket);
+        unlink(path);
+        free(path);
+    }
+    kerberos_free();
+}
+
+
+/*
+ * The cleanup handler for the TAP framework.  Call kerberos_cleanup if we're
+ * in the primary process and kerberos_free if not.  The first argument, which
+ * indicates whether the test succeeded or not, is ignored, since we need to
+ * do the same thing either way.
+ */
+static void
+kerberos_cleanup_handler(int success UNUSED, int primary)
+{
+    if (primary)
+        kerberos_cleanup();
+    else
+        kerberos_free();
+}
+
+
+/*
+ * Obtain Kerberos tickets for the principal specified in config/principal
+ * using the keytab specified in config/keytab, both of which are presumed to
+ * be in tests in either the build or the source tree.  Also sets KRB5_KTNAME
+ * and KRB5CCNAME.
+ *
+ * Returns the contents of config/principal in newly allocated memory or NULL
+ * if Kerberos tests are apparently not configured.  If Kerberos tests are
+ * configured but something else fails, calls bail.
+ */
+struct kerberos_config *
+kerberos_setup(enum kerberos_needs needs)
+{
+    char *path;
+    char buffer[BUFSIZ];
+    FILE *file = NULL;
+
+    /* If we were called before, clean up after the previous run. */
+    if (config != NULL)
+        kerberos_cleanup();
+    config = bcalloc(1, sizeof(struct kerberos_config));
+
+    /*
+     * If we have a config/keytab file, set the KRB5CCNAME and KRB5_KTNAME
+     * environment variables and obtain initial tickets.
+     */
+    config->keytab = test_file_path("config/keytab");
+    if (config->keytab == NULL) {
+        if (needs == TAP_KRB_NEEDS_KEYTAB || needs == TAP_KRB_NEEDS_BOTH)
+            skip_all("Kerberos tests not configured");
+    } else {
+        tmpdir_ticket = test_tmpdir();
+        basprintf(&config->cache, "%s/krb5cc_test", tmpdir_ticket);
+        basprintf(&krb5ccname, "KRB5CCNAME=%s/krb5cc_test", tmpdir_ticket);
+        basprintf(&krb5_ktname, "KRB5_KTNAME=%s", config->keytab);
+        putenv(krb5ccname);
+        putenv(krb5_ktname);
+        kerberos_kinit();
+    }
+
+    /*
+     * If we have a config/password file, read it and fill out the relevant
+     * members of our config struct.
+     */
+    path = test_file_path("config/password");
+    if (path != NULL)
+        file = fopen(path, "r");
+    if (file == NULL) {
+        if (needs == TAP_KRB_NEEDS_PASSWORD || needs == TAP_KRB_NEEDS_BOTH)
+            skip_all("Kerberos tests not configured");
+    } else {
+        if (fgets(buffer, sizeof(buffer), file) == NULL)
+            bail("cannot read %s", path);
+        if (buffer[strlen(buffer) - 1] != '\n')
+            bail("no newline in %s", path);
+        buffer[strlen(buffer) - 1] = '\0';
+        config->userprinc = bstrdup(buffer);
+        if (fgets(buffer, sizeof(buffer), file) == NULL)
+            bail("cannot read password from %s", path);
+        fclose(file);
+        if (buffer[strlen(buffer) - 1] != '\n')
+            bail("password too long in %s", path);
+        buffer[strlen(buffer) - 1] = '\0';
+        config->password = bstrdup(buffer);
+
+        /*
+         * Strip the realm from the principal and set realm and username.
+         * This is not strictly correct; it doesn't cope with escaped @-signs
+         * or enterprise names.
+         */
+        config->username = bstrdup(config->userprinc);
+        config->realm = strchr(config->username, '@');
+        if (config->realm == NULL)
+            bail("test principal has no realm");
+        *config->realm = '\0';
+        config->realm++;
+    }
+    test_file_path_free(path);
+
+    /*
+     * If we have PKINIT configuration, read it and fill out the relevant
+     * members of our config struct.
+     */
+    path = test_file_path("config/pkinit-principal");
+    if (path != NULL)
+        file = fopen(path, "r");
+    if (path != NULL && file != NULL) {
+        if (fgets(buffer, sizeof(buffer), file) == NULL)
+            bail("cannot read %s", path);
+        if (buffer[strlen(buffer) - 1] != '\n')
+            bail("no newline in %s", path);
+        buffer[strlen(buffer) - 1] = '\0';
+        fclose(file);
+        test_file_path_free(path);
+        path = test_file_path("config/pkinit-cert");
+        if (path != NULL) {
+            config->pkinit_principal = bstrdup(buffer);
+            config->pkinit_cert = bstrdup(path);
+        }
+    }
+    test_file_path_free(path);
+    if (config->pkinit_cert == NULL && (needs & TAP_KRB_NEEDS_PKINIT) != 0)
+        skip_all("PKINIT tests not configured");
+
+    /*
+     * Register the cleanup function so that the caller doesn't have to do
+     * explicit cleanup.
+     */
+    test_cleanup_register(kerberos_cleanup_handler);
+
+    /* Return the configuration. */
+    return config;
+}
+
+
+/*
+ * Clean up the krb5.conf file generated by kerberos_generate_conf and free
+ * the memory used to set the environment variable.  This doesn't fail if the
+ * file and variable are already gone, allowing it to be harmlessly run
+ * multiple times.
+ *
+ * Normally called via an atexit handler.
+ */
+void
+kerberos_cleanup_conf(void)
+{
+    char *path;
+
+    if (tmpdir_conf != NULL) {
+        basprintf(&path, "%s/krb5.conf", tmpdir_conf);
+        unlink(path);
+        free(path);
+        test_tmpdir_free(tmpdir_conf);
+        tmpdir_conf = NULL;
+    }
+    putenv((char *) "KRB5_CONFIG=");
+    free(krb5_config);
+    krb5_config = NULL;
+}
+
+
+/*
+ * Generate a krb5.conf file for testing and set KRB5_CONFIG to point to it.
+ * The [appdefaults] section will be stripped out and the default realm will
+ * be set to the realm specified, if not NULL.  This will use config/krb5.conf
+ * in preference, so users can configure the tests by creating that file if
+ * the system file isn't suitable.
+ *
+ * Depends on data/generate-krb5-conf being present in the test suite.
+ */
+void
+kerberos_generate_conf(const char *realm)
+{
+    char *path;
+    const char *argv[3];
+
+    if (tmpdir_conf != NULL)
+        kerberos_cleanup_conf();
+    path = test_file_path("data/generate-krb5-conf");
+    if (path == NULL)
+        bail("cannot find generate-krb5-conf");
+    argv[0] = path;
+    argv[1] = realm;
+    argv[2] = NULL;
+    run_setup(argv);
+    test_file_path_free(path);
+    tmpdir_conf = test_tmpdir();
+    basprintf(&krb5_config, "KRB5_CONFIG=%s/krb5.conf", tmpdir_conf);
+    putenv(krb5_config);
+    if (atexit(kerberos_cleanup_conf) != 0)
+        sysdiag("cannot register cleanup function");
+}
+
+
+/*
+ * The remaining functions in this file are only available if Kerberos
+ * libraries are available.
+ */
+#ifdef HAVE_KRB5
+
+
+/*
+ * Report a Kerberos error and bail out.  Takes a long instead of a
+ * krb5_error_code because it can also handle a kadm5_ret_t (which may be a
+ * different size).
+ */
+void
+bail_krb5(krb5_context ctx, long code, const char *format, ...)
+{
+    const char *k5_msg = NULL;
+    char *message;
+    va_list args;
+
+    if (ctx != NULL)
+        k5_msg = krb5_get_error_message(ctx, (krb5_error_code) code);
+    va_start(args, format);
+    bvasprintf(&message, format, args);
+    va_end(args);
+    if (k5_msg == NULL)
+        bail("%s", message);
+    else
+        bail("%s: %s", message, k5_msg);
+}
+
+
+/*
+ * Report a Kerberos error as a diagnostic to stderr.  Takes a long instead of
+ * a krb5_error_code because it can also handle a kadm5_ret_t (which may be a
+ * different size).
+ */
+void
+diag_krb5(krb5_context ctx, long code, const char *format, ...)
+{
+    const char *k5_msg = NULL;
+    char *message;
+    va_list args;
+
+    if (ctx != NULL)
+        k5_msg = krb5_get_error_message(ctx, (krb5_error_code) code);
+    va_start(args, format);
+    bvasprintf(&message, format, args);
+    va_end(args);
+    if (k5_msg == NULL)
+        diag("%s", message);
+    else
+        diag("%s: %s", message, k5_msg);
+    free(message);
+    if (k5_msg != NULL)
+        krb5_free_error_message(ctx, k5_msg);
+}
+
+
+/*
+ * Find the principal of the first entry of a keytab and return it.  The
+ * caller is responsible for freeing the result with krb5_free_principal.
+ * Exit on error.
+ */
+krb5_principal
+kerberos_keytab_principal(krb5_context ctx, const char *path)
+{
+    krb5_keytab keytab;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry;
+    krb5_principal princ;
+    krb5_error_code status;
+
+    status = krb5_kt_resolve(ctx, path, &keytab);
+    if (status != 0)
+        bail_krb5(ctx, status, "error opening %s", path);
+    status = krb5_kt_start_seq_get(ctx, keytab, &cursor);
+    if (status != 0)
+        bail_krb5(ctx, status, "error reading %s", path);
+    status = krb5_kt_next_entry(ctx, keytab, &entry, &cursor);
+    if (status != 0)
+        bail("no principal found in keytab file %s", path);
+    status = krb5_copy_principal(ctx, entry.principal, &princ);
+    if (status != 0)
+        bail_krb5(ctx, status, "error copying principal from %s", path);
+    krb5_kt_free_entry(ctx, &entry);
+    krb5_kt_end_seq_get(ctx, keytab, &cursor);
+    krb5_kt_close(ctx, keytab);
+    return princ;
+}
+
+#endif /* HAVE_KRB5 */
diff --git a/tests/tap/kerberos.h b/tests/tap/kerberos.h
new file mode 100644
index 000000000000..53dd09619c96
--- /dev/null
+++ b/tests/tap/kerberos.h
@@ -0,0 +1,135 @@
+/*
+ * Utility functions for tests that use Kerberos.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2017, 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2006-2007, 2009, 2011-2014
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#ifndef TAP_KERBEROS_H
+#define TAP_KERBEROS_H 1
+
+#include <config.h>
+#include <tests/tap/macros.h>
+
+#ifdef HAVE_KRB5
+#    include <portable/krb5.h>
+#endif
+
+/* Holds the information parsed from the Kerberos test configuration. */
+struct kerberos_config {
+    char *keytab;           /* Path to the keytab. */
+    char *principal;        /* Principal whose keys are in the keytab. */
+    char *cache;            /* Path to the Kerberos ticket cache. */
+    char *userprinc;        /* The fully-qualified principal. */
+    char *username;         /* The local (non-realm) part of principal. */
+    char *realm;            /* The realm part of the principal. */
+    char *password;         /* The password. */
+    char *pkinit_principal; /* Principal for PKINIT authentication. */
+    char *pkinit_cert;      /* Path to certificates for PKINIT. */
+};
+
+/*
+ * Whether to skip all tests (by calling skip_all) in kerberos_setup if
+ * certain configuration information isn't available.  "_BOTH" means that the
+ * tests require both keytab and password, but PKINIT is not required.
+ */
+enum kerberos_needs
+{
+    /* clang-format off */
+    TAP_KRB_NEEDS_NONE     = 0x00,
+    TAP_KRB_NEEDS_KEYTAB   = 0x01,
+    TAP_KRB_NEEDS_PASSWORD = 0x02,
+    TAP_KRB_NEEDS_BOTH     = 0x01 | 0x02,
+    TAP_KRB_NEEDS_PKINIT   = 0x04
+    /* clang-format on */
+};
+
+BEGIN_DECLS
+
+/*
+ * Set up Kerberos, returning the test configuration information.  This
+ * obtains Kerberos tickets from config/keytab, if one is present, and stores
+ * them in a Kerberos ticket cache, sets KRB5_KTNAME and KRB5CCNAME.  It also
+ * loads the principal and password from config/password, if it exists, and
+ * stores the principal, password, username, and realm in the returned struct.
+ *
+ * If there is no config/keytab file, KRB5_KTNAME and KRB5CCNAME won't be set
+ * and the keytab field will be NULL.  If there is no config/password file,
+ * the principal field will be NULL.  If the files exist but loading them
+ * fails, or authentication fails, kerberos_setup calls bail.
+ *
+ * kerberos_cleanup will be run as a cleanup function normally, freeing all
+ * resources and cleaning up temporary files on process exit.  It can,
+ * however, be called directly if for some reason the caller needs to delete
+ * the Kerberos environment again.  However, normally the caller can just call
+ * kerberos_setup again.
+ */
+struct kerberos_config *kerberos_setup(enum kerberos_needs)
+    __attribute__((__malloc__));
+void kerberos_cleanup(void);
+
+/*
+ * Generate a krb5.conf file for testing and set KRB5_CONFIG to point to it.
+ * The [appdefaults] section will be stripped out and the default realm will
+ * be set to the realm specified, if not NULL.  This will use config/krb5.conf
+ * in preference, so users can configure the tests by creating that file if
+ * the system file isn't suitable.
+ *
+ * Depends on data/generate-krb5-conf being present in the test suite.
+ *
+ * kerberos_cleanup_conf will clean up after this function, but usually
+ * doesn't need to be called directly since it's registered as an atexit
+ * handler.
+ */
+void kerberos_generate_conf(const char *realm);
+void kerberos_cleanup_conf(void);
+
+/* These interfaces are only available with native Kerberos support. */
+#ifdef HAVE_KRB5
+
+/* Bail out with an error, appending the Kerberos error message. */
+void bail_krb5(krb5_context, long, const char *format, ...)
+    __attribute__((__noreturn__, __nonnull__(3), __format__(printf, 3, 4)));
+
+/* Report a diagnostic with Kerberos error to stderr prefixed with #. */
+void diag_krb5(krb5_context, long, const char *format, ...)
+    __attribute__((__nonnull__(3), __format__(printf, 3, 4)));
+
+/*
+ * Given a Kerberos context and the path to a keytab, retrieve the principal
+ * for the first entry in the keytab and return it.  Calls bail on failure.
+ * The returned principal should be freed with krb5_free_principal.
+ */
+krb5_principal kerberos_keytab_principal(krb5_context, const char *path)
+    __attribute__((__nonnull__));
+
+#endif /* HAVE_KRB5 */
+
+END_DECLS
+
+#endif /* !TAP_MESSAGES_H */
diff --git a/tests/tap/libtap.sh b/tests/tap/libtap.sh
new file mode 100644
index 000000000000..1827a689e380
--- /dev/null
+++ b/tests/tap/libtap.sh
@@ -0,0 +1,248 @@
+# Shell function library for test cases.
+#
+# Note that while many of the functions in this library could benefit from
+# using "local" to avoid possibly hammering global variables, Solaris /bin/sh
+# doesn't support local and this library aspires to be portable to Solaris
+# Bourne shell.  Instead, all private variables are prefixed with "tap_".
+#
+# This file provides a TAP-compatible shell function library useful for
+# writing test cases.  It is part of C TAP Harness, which can be found at
+# <https://www.eyrie.org/~eagle/software/c-tap-harness/>.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2009-2012, 2016 Russ Allbery <eagle@eyrie.org>
+# Copyright 2006-2008, 2013
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+#
+# SPDX-License-Identifier: MIT
+
+# Print out the number of test cases we expect to run.
+plan () {
+    count=1
+    planned="$1"
+    failed=0
+    echo "1..$1"
+    trap finish 0
+}
+
+# Prepare for lazy planning.
+plan_lazy () {
+    count=1
+    planned=0
+    failed=0
+    trap finish 0
+}
+
+# Report the test status on exit.
+finish () {
+    tap_highest=`expr "$count" - 1`
+    if [ "$planned" = 0 ] ; then
+        echo "1..$tap_highest"
+        planned="$tap_highest"
+    fi
+    tap_looks='# Looks like you'
+    if [ "$planned" -gt 0 ] ; then
+        if [ "$planned" -gt "$tap_highest" ] ; then
+            if [ "$planned" -gt 1 ] ; then
+                echo "$tap_looks planned $planned tests but only ran" \
+                    "$tap_highest"
+            else
+                echo "$tap_looks planned $planned test but only ran" \
+                    "$tap_highest"
+            fi
+        elif [ "$planned" -lt "$tap_highest" ] ; then
+            tap_extra=`expr "$tap_highest" - "$planned"`
+            if [ "$planned" -gt 1 ] ; then
+                echo "$tap_looks planned $planned tests but ran" \
+                    "$tap_extra extra"
+            else
+                echo "$tap_looks planned $planned test but ran" \
+                    "$tap_extra extra"
+            fi
+        elif [ "$failed" -gt 0 ] ; then
+            if [ "$failed" -gt 1 ] ; then
+                echo "$tap_looks failed $failed tests of $planned"
+            else
+                echo "$tap_looks failed $failed test of $planned"
+            fi
+        elif [ "$planned" -gt 1 ] ; then
+            echo "# All $planned tests successful or skipped"
+        else
+            echo "# $planned test successful or skipped"
+        fi
+    fi
+}
+
+# Skip the entire test suite.  Should be run instead of plan.
+skip_all () {
+    tap_desc="$1"
+    if [ -n "$tap_desc" ] ; then
+        echo "1..0 # skip $tap_desc"
+    else
+        echo "1..0 # skip"
+    fi
+    exit 0
+}
+
+# ok takes a test description and a command to run and prints success if that
+# command is successful, false otherwise.  The count starts at 1 and is
+# updated each time ok is printed.
+ok () {
+    tap_desc="$1"
+    if [ -n "$tap_desc" ] ; then
+        tap_desc=" - $tap_desc"
+    fi
+    shift
+    if "$@" ; then
+        echo ok "$count$tap_desc"
+    else
+        echo not ok "$count$tap_desc"
+        failed=`expr $failed + 1`
+    fi
+    count=`expr $count + 1`
+}
+
+# Skip the next test.  Takes the reason why the test is skipped.
+skip () {
+    echo "ok $count # skip $*"
+    count=`expr $count + 1`
+}
+
+# Report the same status on a whole set of tests.  Takes the count of tests,
+# the description, and then the command to run to determine the status.
+ok_block () {
+    tap_i=$count
+    tap_end=`expr $count + $1`
+    shift
+    while [ "$tap_i" -lt "$tap_end" ] ; do
+        ok "$@"
+        tap_i=`expr $tap_i + 1`
+    done
+}
+
+# Skip a whole set of tests.  Takes the count and then the reason for skipping
+# the test.
+skip_block () {
+    tap_i=$count
+    tap_end=`expr $count + $1`
+    shift
+    while [ "$tap_i" -lt "$tap_end" ] ; do
+        skip "$@"
+        tap_i=`expr $tap_i + 1`
+    done
+}
+
+# Portable variant of printf '%s\n' "$*".  In the majority of cases, this
+# function is slower than printf, because the latter is often implemented
+# as a builtin command.  The value of the variable IFS is ignored.
+#
+# This macro must not be called via backticks inside double quotes, since this
+# will result in bizarre escaping behavior and lots of extra backslashes on
+# Solaris.
+puts () {
+    cat << EOH
+$@
+EOH
+}
+
+# Run a program expected to succeed, and print ok if it does and produces the
+# correct output.  Takes the description, expected exit status, the expected
+# output, the command to run, and then any arguments for that command.
+# Standard output and standard error are combined when analyzing the output of
+# the command.
+#
+# If the command may contain system-specific error messages in its output,
+# add strip_colon_error before the command to post-process its output.
+ok_program () {
+    tap_desc="$1"
+    shift
+    tap_w_status="$1"
+    shift
+    tap_w_output="$1"
+    shift
+    tap_output=`"$@" 2>&1`
+    tap_status=$?
+    if [ $tap_status = $tap_w_status ] \
+        && [ x"$tap_output" = x"$tap_w_output" ] ; then
+        ok "$tap_desc" true
+    else
+        echo "#  saw: ($tap_status) $tap_output"
+        echo "#  not: ($tap_w_status) $tap_w_output"
+        ok "$tap_desc" false
+    fi
+}
+
+# Strip a colon and everything after it off the output of a command, as long
+# as that colon comes after at least one whitespace character.  (This is done
+# to avoid stripping the name of the program from the start of an error
+# message.)  This is used to remove system-specific error messages (coming
+# from strerror, for example).
+strip_colon_error() {
+    tap_output=`"$@" 2>&1`
+    tap_status=$?
+    tap_output=`puts "$tap_output" | sed 's/^\([^ ]* [^:]*\):.*/\1/'`
+    puts "$tap_output"
+    return $tap_status
+}
+
+# Bail out with an error message.
+bail () {
+    echo 'Bail out!' "$@"
+    exit 255
+}
+
+# Output a diagnostic on standard error, preceded by the required # mark.
+diag () {
+    echo '#' "$@"
+}
+
+# Search for the given file first in $C_TAP_BUILD and then in $C_TAP_SOURCE
+# and echo the path where the file was found, or the empty string if the file
+# wasn't found.
+#
+# This macro uses puts, so don't run it using backticks inside double quotes
+# or bizarre quoting behavior will happen with Solaris sh.
+test_file_path () {
+    if [ -n "$C_TAP_BUILD" ] && [ -f "$C_TAP_BUILD/$1" ] ; then
+        puts "$C_TAP_BUILD/$1"
+    elif [ -n "$C_TAP_SOURCE" ] && [ -f "$C_TAP_SOURCE/$1" ] ; then
+        puts "$C_TAP_SOURCE/$1"
+    else
+        echo ''
+    fi
+}
+
+# Create $C_TAP_BUILD/tmp for use by tests for storing temporary files and
+# return the path (via standard output).
+#
+# This macro uses puts, so don't run it using backticks inside double quotes
+# or bizarre quoting behavior will happen with Solaris sh.
+test_tmpdir () {
+    if [ -z "$C_TAP_BUILD" ] ; then
+        tap_tmpdir="./tmp"
+    else
+        tap_tmpdir="$C_TAP_BUILD"/tmp
+    fi
+    if [ ! -d "$tap_tmpdir" ] ; then
+        mkdir "$tap_tmpdir" || bail "Error creating $tap_tmpdir"
+    fi
+    puts "$tap_tmpdir"
+}
diff --git a/tests/tap/macros.h b/tests/tap/macros.h
new file mode 100644
index 000000000000..c2c8b5c7315d
--- /dev/null
+++ b/tests/tap/macros.h
@@ -0,0 +1,99 @@
+/*
+ * Helpful macros for TAP header files.
+ *
+ * This is not, strictly speaking, related to TAP, but any TAP add-on is
+ * probably going to need these macros, so define them in one place so that
+ * everyone can pull them in.
+ *
+ * This file is part of C TAP Harness.  The current version plus supporting
+ * documentation is at <https://www.eyrie.org/~eagle/software/c-tap-harness/>.
+ *
+ * Copyright 2008, 2012-2013, 2015 Russ Allbery <eagle@eyrie.org>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#ifndef TAP_MACROS_H
+#define TAP_MACROS_H 1
+
+/*
+ * __attribute__ is available in gcc 2.5 and later, but only with gcc 2.7
+ * could you use the __format__ form of the attributes, which is what we use
+ * (to avoid confusion with other macros), and only with gcc 2.96 can you use
+ * the attribute __malloc__.  2.96 is very old, so don't bother trying to get
+ * the other attributes to work with GCC versions between 2.7 and 2.96.
+ */
+#ifndef __attribute__
+#    if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 96)
+#        define __attribute__(spec) /* empty */
+#    endif
+#endif
+
+/*
+ * We use __alloc_size__, but it was only available in fairly recent versions
+ * of GCC.  Suppress warnings about the unknown attribute if GCC is too old.
+ * We know that we're GCC at this point, so we can use the GCC variadic macro
+ * extension, which will still work with versions of GCC too old to have C99
+ * variadic macro support.
+ */
+#if !defined(__attribute__) && !defined(__alloc_size__)
+#    if defined(__GNUC__) && !defined(__clang__)
+#        if __GNUC__ < 4 || (__GNUC__ == 4 && __GNUC_MINOR__ < 3)
+#            define __alloc_size__(spec, args...) /* empty */
+#        endif
+#    endif
+#endif
+
+/* Suppress __warn_unused_result__ if gcc is too old. */
+#if !defined(__attribute__) && !defined(__warn_unused_result__)
+#    if __GNUC__ < 3 || (__GNUC__ == 3 && __GNUC_MINOR__ < 4)
+#        define __warn_unused_result__ /* empty */
+#    endif
+#endif
+
+/*
+ * LLVM and Clang pretend to be GCC but don't support all of the __attribute__
+ * settings that GCC does.  For them, suppress warnings about unknown
+ * attributes on declarations.  This unfortunately will affect the entire
+ * compilation context, but there's no push and pop available.
+ */
+#if !defined(__attribute__) && (defined(__llvm__) || defined(__clang__))
+#    pragma GCC diagnostic ignored "-Wattributes"
+#endif
+
+/* Used for unused parameters to silence gcc warnings. */
+#define UNUSED __attribute__((__unused__))
+
+/*
+ * BEGIN_DECLS is used at the beginning of declarations so that C++
+ * compilers don't mangle their names.  END_DECLS is used at the end.
+ */
+#undef BEGIN_DECLS
+#undef END_DECLS
+#ifdef __cplusplus
+#    define BEGIN_DECLS extern "C" {
+#    define END_DECLS   }
+#else
+#    define BEGIN_DECLS /* empty */
+#    define END_DECLS   /* empty */
+#endif
+
+#endif /* TAP_MACROS_H */
diff --git a/tests/tap/perl/Test/RRA.pm b/tests/tap/perl/Test/RRA.pm
new file mode 100644
index 000000000000..6ea65c5701c3
--- /dev/null
+++ b/tests/tap/perl/Test/RRA.pm
@@ -0,0 +1,324 @@
+# Helper functions for test programs written in Perl.
+#
+# This module provides a collection of helper functions used by test programs
+# written in Perl.  This is a general collection of functions that can be used
+# by both C packages with Automake and by stand-alone Perl modules.  See
+# Test::RRA::Automake for additional functions specifically for C Automake
+# distributions.
+#
+# SPDX-License-Identifier: MIT
+
+package Test::RRA;
+
+use 5.010;
+use base qw(Exporter);
+use strict;
+use warnings;
+
+use Carp qw(croak);
+use File::Temp;
+
+# Abort if Test::More was loaded before Test::RRA to be sure that we get the
+# benefits of the Test::More probing below.
+if ($INC{'Test/More.pm'}) {
+    croak('Test::More loaded before Test::RRA');
+}
+
+# Red Hat's base perl package doesn't include Test::More (one has to install
+# the perl-core package in addition).  Try to detect this and skip any Perl
+# tests if Test::More is not present.  This relies on Test::RRA being included
+# before Test::More.
+eval {
+    require Test::More;
+    Test::More->import();
+};
+if ($@) {
+    print "1..0 # SKIP Test::More required for test\n"
+      or croak('Cannot write to stdout');
+    exit 0;
+}
+
+# Declare variables that should be set in BEGIN for robustness.
+our (@EXPORT_OK, $VERSION);
+
+# Set $VERSION and everything export-related in a BEGIN block for robustness
+# against circular module loading (not that we load any modules, but
+# consistency is good).
+BEGIN {
+    @EXPORT_OK = qw(
+        is_file_contents skip_unless_author skip_unless_automated use_prereq
+    );
+
+    # This version should match the corresponding rra-c-util release, but with
+    # two digits for the minor version, including a leading zero if necessary,
+    # so that it will sort properly.
+    $VERSION = '10.00';
+}
+
+# Compare a string to the contents of a file, similar to the standard is()
+# function, but to show the line-based unified diff between them if they
+# differ.
+#
+# $got      - The output that we received
+# $expected - The path to the file containing the expected output
+# $message  - The message to use when reporting the test results
+#
+# Returns: undef
+#  Throws: Exception on failure to read or write files or run diff
+sub is_file_contents {
+    my ($got, $expected, $message) = @_;
+
+    # If they're equal, this is simple.
+    open(my $fh, '<', $expected) or BAIL_OUT("Cannot open $expected: $!\n");
+    my $data = do { local $/ = undef; <$fh> };
+    close($fh) or BAIL_OUT("Cannot close $expected: $!\n");
+    if ($got eq $data) {
+        is($got, $data, $message);
+        return;
+    }
+
+    # Otherwise, we show a diff, but only if we have IPC::System::Simple and
+    # diff succeeds.  Otherwise, we fall back on showing the full expected and
+    # seen output.
+    eval {
+        require IPC::System::Simple;
+
+        my $tmp     = File::Temp->new();
+        my $tmpname = $tmp->filename;
+        print {$tmp} $got or BAIL_OUT("Cannot write to $tmpname: $!\n");
+        my @command = ('diff', '-u', $expected, $tmpname);
+        my $diff    = IPC::System::Simple::capturex([0 .. 1], @command);
+        diag($diff);
+    };
+    if ($@) {
+        diag('Expected:');
+        diag($expected);
+        diag('Seen:');
+        diag($data);
+    }
+
+    # Report failure.
+    ok(0, $message);
+    return;
+}
+
+# Skip this test unless author tests are requested.  Takes a short description
+# of what tests this script would perform, which is used in the skip message.
+# Calls plan skip_all, which will terminate the program.
+#
+# $description - Short description of the tests
+#
+# Returns: undef
+sub skip_unless_author {
+    my ($description) = @_;
+    if (!$ENV{AUTHOR_TESTING}) {
+        plan(skip_all => "$description only run for author");
+    }
+    return;
+}
+
+# Skip this test unless doing automated testing or release testing.  This is
+# used for tests that should be run by CPAN smoke testing or during releases,
+# but not for manual installs by end users.  Takes a short description of what
+# tests this script would perform, which is used in the skip message.  Calls
+# plan skip_all, which will terminate the program.
+#
+# $description - Short description of the tests
+#
+# Returns: undef
+sub skip_unless_automated {
+    my ($description) = @_;
+    for my $env (qw(AUTOMATED_TESTING RELEASE_TESTING AUTHOR_TESTING)) {
+        return if $ENV{$env};
+    }
+    plan(skip_all => "$description normally skipped");
+    return;
+}
+
+# Attempt to load a module and skip the test if the module could not be
+# loaded.  If the module could be loaded, call its import function manually.
+# If the module could not be loaded, calls plan skip_all, which will terminate
+# the program.
+#
+# The special logic here is based on Test::More and is required to get the
+# imports to happen in the caller's namespace.
+#
+# $module  - Name of the module to load
+# @imports - Any arguments to import, possibly including a version
+#
+# Returns: undef
+sub use_prereq {
+    my ($module, @imports) = @_;
+
+    # If the first import looks like a version, pass it as a bare string.
+    my $version = q{};
+    if (@imports >= 1 && $imports[0] =~ m{ \A \d+ (?: [.][\d_]+ )* \z }xms) {
+        $version = shift(@imports);
+    }
+
+    # Get caller information to put imports in the correct package.
+    my ($package) = caller;
+
+    # Do the import with eval, and try to isolate it from the surrounding
+    # context as much as possible.  Based heavily on Test::More::_eval.
+    ## no critic (BuiltinFunctions::ProhibitStringyEval)
+    ## no critic (ValuesAndExpressions::ProhibitImplicitNewlines)
+    my ($result, $error, $sigdie);
+    {
+        local $@            = undef;
+        local $!            = undef;
+        local $SIG{__DIE__} = undef;
+        $result = eval qq{
+            package $package;
+            use $module $version \@imports;
+            1;
+        };
+        $error  = $@;
+        $sigdie = $SIG{__DIE__} || undef;
+    }
+
+    # If the use failed for any reason, skip the test.
+    if (!$result || $error) {
+        my $name = length($version) > 0 ? "$module $version" : $module;
+        plan(skip_all => "$name required for test");
+    }
+
+    # If the module set $SIG{__DIE__}, we cleared that via local.  Restore it.
+    ## no critic (Variables::RequireLocalizedPunctuationVars)
+    if (defined($sigdie)) {
+        $SIG{__DIE__} = $sigdie;
+    }
+    return;
+}
+
+1;
+__END__
+
+=for stopwords
+Allbery Allbery's DESC bareword sublicense MERCHANTABILITY NONINFRINGEMENT
+rra-c-util CPAN diff
+
+=head1 NAME
+
+Test::RRA - Support functions for Perl tests
+
+=head1 SYNOPSIS
+
+    use Test::RRA
+      qw(skip_unless_author skip_unless_automated use_prereq);
+
+    # Skip this test unless author tests are requested.
+    skip_unless_author('Coding style tests');
+
+    # Skip this test unless doing automated or release testing.
+    skip_unless_automated('POD syntax tests');
+
+    # Load modules, skipping the test if they're not available.
+    use_prereq('Perl6::Slurp', 'slurp');
+    use_prereq('Test::Script::Run', '0.04');
+
+=head1 DESCRIPTION
+
+This module collects utility functions that are useful for Perl test scripts.
+It assumes Russ Allbery's Perl module layout and test conventions and will
+only be useful for other people if they use the same conventions.
+
+This module B<must> be loaded before Test::More or it will abort during
+import.  It will skip the test (by printing a skip message to standard output
+and exiting with status 0, equivalent to C<plan skip_all>) during import if
+Test::More is not available.  This allows tests written in Perl using this
+module to be skipped if run on a system with Perl but not Test::More, such as
+Red Hat systems with the C<perl> package but not the C<perl-core> package
+installed.
+
+=head1 FUNCTIONS
+
+None of these functions are imported by default.  The ones used by a script
+should be explicitly imported.
+
+=over 4
+
+=item is_file_contents(GOT, EXPECTED, MESSAGE)
+
+Check a string against the contents of a file, showing the differences if any
+using diff (if IPC::System::Simple and diff are available).  GOT is the output
+the test received.  EXPECTED is the path to a file containing the expected
+output (not the output itself).  MESSAGE is a message to display alongside the
+test results.
+
+=item skip_unless_author(DESC)
+
+Checks whether AUTHOR_TESTING is set in the environment and skips the whole
+test (by calling C<plan skip_all> from Test::More) if it is not.  DESC is a
+description of the tests being skipped.  A space and C<only run for author>
+will be appended to it and used as the skip reason.
+
+=item skip_unless_automated(DESC)
+
+Checks whether AUTHOR_TESTING, AUTOMATED_TESTING, or RELEASE_TESTING are set
+in the environment and skips the whole test (by calling C<plan skip_all> from
+Test::More) if they are not.  This should be used by tests that should not run
+during end-user installs of the module, but which should run as part of CPAN
+smoke testing and release testing.
+
+DESC is a description of the tests being skipped.  A space and C<normally
+skipped> will be appended to it and used as the skip reason.
+
+=item use_prereq(MODULE[, VERSION][, IMPORT ...])
+
+Attempts to load MODULE with the given VERSION and import arguments.  If this
+fails for any reason, the test will be skipped (by calling C<plan skip_all>
+from Test::More) with a skip reason saying that MODULE is required for the
+test.
+
+VERSION will be passed to C<use> as a version bareword if it looks like a
+version number.  The remaining IMPORT arguments will be passed as the value of
+an array.
+
+=back
+
+=head1 AUTHOR
+
+Russ Allbery <eagle@eyrie.org>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright 2016, 2018-2019, 2021 Russ Allbery <eagle@eyrie.org>
+
+Copyright 2013-2014 The Board of Trustees of the Leland Stanford Junior
+University
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+=head1 SEE ALSO
+
+Test::More(3), Test::RRA::Automake(3), Test::RRA::Config(3)
+
+This module is maintained in the rra-c-util package.  The current version is
+available from L<https://www.eyrie.org/~eagle/software/rra-c-util/>.
+
+The functions to control when tests are run use environment variables defined
+by the L<Lancaster
+Consensus|https://github.com/Perl-Toolchain-Gang/toolchain-site/blob/master/lancaster-consensus.md>.
+
+=cut
+
+# Local Variables:
+# copyright-at-end-flag: t
+# End:
diff --git a/tests/tap/perl/Test/RRA/Automake.pm b/tests/tap/perl/Test/RRA/Automake.pm
new file mode 100644
index 000000000000..261feab81e27
--- /dev/null
+++ b/tests/tap/perl/Test/RRA/Automake.pm
@@ -0,0 +1,487 @@
+# Helper functions for Perl test programs in Automake distributions.
+#
+# This module provides a collection of helper functions used by test programs
+# written in Perl and included in C source distributions that use Automake.
+# They embed knowledge of how I lay out my source trees and test suites with
+# Autoconf and Automake.  They may be usable by others, but doing so will
+# require closely following the conventions implemented by the rra-c-util
+# utility collection.
+#
+# All the functions here assume that C_TAP_BUILD and C_TAP_SOURCE are set in
+# the environment.  This is normally done via the C TAP Harness runtests
+# wrapper.
+#
+# SPDX-License-Identifier: MIT
+
+package Test::RRA::Automake;
+
+use 5.010;
+use base qw(Exporter);
+use strict;
+use warnings;
+
+use Exporter;
+use File::Find qw(find);
+use File::Spec;
+use Test::More;
+use Test::RRA::Config qw($LIBRARY_PATH);
+
+# Used below for use lib calls.
+my ($PERL_BLIB_ARCH, $PERL_BLIB_LIB);
+
+# Determine the path to the build tree of any embedded Perl module package in
+# this source package.  We do this in a BEGIN block because we're going to use
+# the results in a use lib command below.
+BEGIN {
+    $PERL_BLIB_ARCH = File::Spec->catdir(qw(perl blib arch));
+    $PERL_BLIB_LIB  = File::Spec->catdir(qw(perl blib lib));
+
+    # If C_TAP_BUILD is set, we can come up with better values.
+    if (defined($ENV{C_TAP_BUILD})) {
+        my ($vol, $dirs) = File::Spec->splitpath($ENV{C_TAP_BUILD}, 1);
+        my @dirs = File::Spec->splitdir($dirs);
+        pop(@dirs);
+        $PERL_BLIB_ARCH = File::Spec->catdir(@dirs, qw(perl blib arch));
+        $PERL_BLIB_LIB  = File::Spec->catdir(@dirs, qw(perl blib lib));
+    }
+}
+
+# Prefer the modules built as part of our source package.  Otherwise, we may
+# not find Perl modules while testing, or find the wrong versions.
+use lib $PERL_BLIB_ARCH;
+use lib $PERL_BLIB_LIB;
+
+# Declare variables that should be set in BEGIN for robustness.
+our (@EXPORT_OK, $VERSION);
+
+# Set $VERSION and everything export-related in a BEGIN block for robustness
+# against circular module loading (not that we load any modules, but
+# consistency is good).
+BEGIN {
+    @EXPORT_OK = qw(
+        all_files automake_setup perl_dirs test_file_path test_tmpdir
+    );
+
+    # This version should match the corresponding rra-c-util release, but with
+    # two digits for the minor version, including a leading zero if necessary,
+    # so that it will sort properly.
+    $VERSION = '10.00';
+}
+
+# Directories to skip globally when looking for all files, or for directories
+# that could contain Perl files.
+my @GLOBAL_SKIP = qw(
+    .git .pc _build autom4te.cache build-aux perl/_build perl/blib
+);
+
+# Additional paths to skip when building a list of all files in the
+# distribution.  This primarily skips build artifacts that aren't interesting
+# to any of the tests.  These match any path component.
+my @FILES_SKIP = qw(
+    .deps .dirstamp .libs aclocal.m4 config.h config.h.in config.h.in~
+    config.log config.status configure configure~
+);
+
+# The temporary directory created by test_tmpdir, if any.  If this is set,
+# attempt to remove the directory stored here on program exit (but ignore
+# failure to do so).
+my $TMPDIR;
+
+# Returns a list of all files in the distribution.
+#
+# Returns: List of files
+sub all_files {
+    my @files;
+
+    # Turn the skip lists into hashes for ease of querying.
+    my %skip       = map { $_ => 1 } @GLOBAL_SKIP;
+    my %files_skip = map { $_ => 1 } @FILES_SKIP;
+
+    # Wanted function for find.  Prune anything matching either of the skip
+    # lists, or *.lo files, and then add all regular files to the list.
+    my $wanted = sub {
+        my $file = $_;
+        my $path = $File::Find::name;
+        $path =~ s{ \A [.]/ }{}xms;
+        if ($skip{$path} || $files_skip{$file} || $file =~ m{ [.]lo\z }xms) {
+            $File::Find::prune = 1;
+            return;
+        }
+        if (!-d $file) {
+            push(@files, $path);
+        }
+    };
+
+    # Do the recursive search and return the results.
+    find($wanted, q{.});
+    return @files;
+}
+
+# Perform initial test setup for running a Perl test in an Automake package.
+# This verifies that C_TAP_BUILD and C_TAP_SOURCE are set and then changes
+# directory to the C_TAP_SOURCE directory by default.  Sets LD_LIBRARY_PATH if
+# the $LIBRARY_PATH configuration option is set.  Calls BAIL_OUT if
+# C_TAP_BUILD or C_TAP_SOURCE are missing or if anything else fails.
+#
+# $args_ref - Reference to a hash of arguments to configure behavior:
+#   chdir_build - If set to a true value, changes to C_TAP_BUILD instead of
+#                 C_TAP_SOURCE
+#
+# Returns: undef
+sub automake_setup {
+    my ($args_ref) = @_;
+
+    # Bail if C_TAP_BUILD or C_TAP_SOURCE are not set.
+    if (!$ENV{C_TAP_BUILD}) {
+        BAIL_OUT('C_TAP_BUILD not defined (run under runtests)');
+    }
+    if (!$ENV{C_TAP_SOURCE}) {
+        BAIL_OUT('C_TAP_SOURCE not defined (run under runtests)');
+    }
+
+    # C_TAP_BUILD or C_TAP_SOURCE will be the test directory.  Change to the
+    # parent.
+    my $start;
+    if ($args_ref->{chdir_build}) {
+        $start = $ENV{C_TAP_BUILD};
+    } else {
+        $start = $ENV{C_TAP_SOURCE};
+    }
+    my ($vol, $dirs) = File::Spec->splitpath($start, 1);
+    my @dirs = File::Spec->splitdir($dirs);
+    pop(@dirs);
+
+    # Simplify relative paths at the end of the directory.
+    my $ups = 0;
+    my $i   = $#dirs;
+    while ($i > 2 && $dirs[$i] eq File::Spec->updir) {
+        $ups++;
+        $i--;
+    }
+    for (1 .. $ups) {
+        pop(@dirs);
+        pop(@dirs);
+    }
+    my $root = File::Spec->catpath($vol, File::Spec->catdir(@dirs), q{});
+    chdir($root) or BAIL_OUT("cannot chdir to $root: $!");
+
+    # If C_TAP_BUILD is a subdirectory of C_TAP_SOURCE, add it to the global
+    # ignore list.
+    my ($buildvol, $builddirs) = File::Spec->splitpath($ENV{C_TAP_BUILD}, 1);
+    my @builddirs = File::Spec->splitdir($builddirs);
+    pop(@builddirs);
+    if ($buildvol eq $vol && @builddirs == @dirs + 1) {
+        while (@dirs && $builddirs[0] eq $dirs[0]) {
+            shift(@builddirs);
+            shift(@dirs);
+        }
+        if (@builddirs == 1) {
+            push(@GLOBAL_SKIP, $builddirs[0]);
+        }
+    }
+
+    # Set LD_LIBRARY_PATH if the $LIBRARY_PATH configuration option is set.
+    ## no critic (Variables::RequireLocalizedPunctuationVars)
+    if (defined($LIBRARY_PATH)) {
+        @builddirs = File::Spec->splitdir($builddirs);
+        pop(@builddirs);
+        my $libdir = File::Spec->catdir(@builddirs, $LIBRARY_PATH);
+        my $path   = File::Spec->catpath($buildvol, $libdir, q{});
+        if (-d "$path/.libs") {
+            $path .= '/.libs';
+        }
+        if ($ENV{LD_LIBRARY_PATH}) {
+            $ENV{LD_LIBRARY_PATH} .= ":$path";
+        } else {
+            $ENV{LD_LIBRARY_PATH} = $path;
+        }
+    }
+    return;
+}
+
+# Returns a list of directories that may contain Perl scripts and that should
+# be passed to Perl test infrastructure that expects a list of directories to
+# recursively check.  The list will be all eligible top-level directories in
+# the package except for the tests directory, which is broken out to one
+# additional level.  Calls BAIL_OUT on any problems
+#
+# $args_ref - Reference to a hash of arguments to configure behavior:
+#   skip - A reference to an array of directories to skip
+#
+# Returns: List of directories possibly containing Perl scripts to test
+sub perl_dirs {
+    my ($args_ref) = @_;
+
+    # Add the global skip list.  We also ignore the perl directory if it
+    # exists since, in my packages, it is treated as a Perl module
+    # distribution and has its own standalone test suite.
+    my @skip = $args_ref->{skip} ? @{ $args_ref->{skip} } : ();
+    push(@skip, @GLOBAL_SKIP, 'perl');
+
+    # Separate directories to skip under tests from top-level directories.
+    my @skip_tests = grep { m{ \A tests/ }xms } @skip;
+    @skip = grep { !m{ \A tests }xms } @skip;
+    for my $skip_dir (@skip_tests) {
+        $skip_dir =~ s{ \A tests/ }{}xms;
+    }
+
+    # Convert the skip lists into hashes for convenience.
+    my %skip       = map { $_ => 1 } @skip, 'tests';
+    my %skip_tests = map { $_ => 1 } @skip_tests;
+
+    # Build the list of top-level directories to test.
+    opendir(my $rootdir, q{.}) or BAIL_OUT("cannot open .: $!");
+    my @dirs = grep { -d && !$skip{$_} } readdir($rootdir);
+    closedir($rootdir);
+    @dirs = File::Spec->no_upwards(@dirs);
+
+    # Add the list of subdirectories of the tests directory.
+    if (-d 'tests') {
+        opendir(my $testsdir, q{tests}) or BAIL_OUT("cannot open tests: $!");
+
+        # Skip if found in %skip_tests or if not a directory.
+        my $is_skipped = sub {
+            my ($dir) = @_;
+            return 1 if $skip_tests{$dir};
+            $dir = File::Spec->catdir('tests', $dir);
+            return -d $dir ? 0 : 1;
+        };
+
+        # Build the filtered list of subdirectories of tests.
+        my @test_dirs = grep { !$is_skipped->($_) } readdir($testsdir);
+        closedir($testsdir);
+        @test_dirs = File::Spec->no_upwards(@test_dirs);
+
+        # Add the tests directory to the start of the directory name.
+        push(@dirs, map { File::Spec->catdir('tests', $_) } @test_dirs);
+    }
+    return @dirs;
+}
+
+# Find a configuration file for the test suite.  Searches relative to
+# C_TAP_BUILD first and then C_TAP_SOURCE and returns whichever is found
+# first.  Calls BAIL_OUT if the file could not be found.
+#
+# $file - Partial path to the file
+#
+# Returns: Full path to the file
+sub test_file_path {
+    my ($file) = @_;
+  BASE:
+    for my $base ($ENV{C_TAP_BUILD}, $ENV{C_TAP_SOURCE}) {
+        next if !defined($base);
+        if (-e "$base/$file") {
+            return "$base/$file";
+        }
+    }
+    BAIL_OUT("cannot find $file");
+    return;
+}
+
+# Create a temporary directory for tests to use for transient files and return
+# the path to that directory.  The directory is automatically removed on
+# program exit.  The directory permissions use the current umask.  Calls
+# BAIL_OUT if the directory could not be created.
+#
+# Returns: Path to a writable temporary directory
+sub test_tmpdir {
+    my $path;
+
+    # If we already figured out what directory to use, reuse the same path.
+    # Otherwise, create a directory relative to C_TAP_BUILD if set.
+    if (defined($TMPDIR)) {
+        $path = $TMPDIR;
+    } else {
+        my $base;
+        if (defined($ENV{C_TAP_BUILD})) {
+            $base = $ENV{C_TAP_BUILD};
+        } else {
+            $base = File::Spec->curdir;
+        }
+        $path = File::Spec->catdir($base, 'tmp');
+    }
+
+    # Create the directory if it doesn't exist.
+    if (!-d $path) {
+        if (!mkdir($path, 0777)) {
+            BAIL_OUT("cannot create directory $path: $!");
+        }
+    }
+
+    # Store the directory name for cleanup and return it.
+    $TMPDIR = $path;
+    return $path;
+}
+
+# On program exit, remove $TMPDIR if set and if possible.  Report errors with
+# diag but otherwise ignore them.
+END {
+    if (defined($TMPDIR) && -d $TMPDIR) {
+        local $! = undef;
+        if (!rmdir($TMPDIR)) {
+            diag("cannot remove temporary directory $TMPDIR: $!");
+        }
+    }
+}
+
+1;
+__END__
+
+=for stopwords
+Allbery Automake Automake-aware Automake-based rra-c-util ARGS subdirectories
+sublicense MERCHANTABILITY NONINFRINGEMENT umask
+
+=head1 NAME
+
+Test::RRA::Automake - Automake-aware support functions for Perl tests
+
+=head1 SYNOPSIS
+
+    use Test::RRA::Automake qw(automake_setup perl_dirs test_file_path);
+    automake_setup({ chdir_build => 1 });
+
+    # Paths to directories that may contain Perl scripts.
+    my @dirs = perl_dirs({ skip => [qw(lib)] });
+
+    # Configuration for Kerberos tests.
+    my $keytab = test_file_path('config/keytab');
+
+=head1 DESCRIPTION
+
+This module collects utility functions that are useful for test scripts
+written in Perl and included in a C Automake-based package.  They assume the
+layout of a package that uses rra-c-util and C TAP Harness for the test
+structure.
+
+Loading this module will also add the directories C<perl/blib/arch> and
+C<perl/blib/lib> to the Perl library search path, relative to C_TAP_BUILD if
+that environment variable is set.  This is harmless for C Automake projects
+that don't contain an embedded Perl module, and for those projects that do,
+this will allow subsequent C<use> calls to find modules that are built as part
+of the package build process.
+
+The automake_setup() function should be called before calling any other
+functions provided by this module.
+
+=head1 FUNCTIONS
+
+None of these functions are imported by default.  The ones used by a script
+should be explicitly imported.  On failure, all of these functions call
+BAIL_OUT (from Test::More).
+
+=over 4
+
+=item all_files()
+
+Returns a list of all "interesting" files in the distribution that a test
+suite may want to look at.  This excludes various products of the build system,
+the build directory if it's under the source directory, and a few other
+uninteresting directories like F<.git>.  The returned paths will be paths
+relative to the root of the package.
+
+=item automake_setup([ARGS])
+
+Verifies that the C_TAP_BUILD and C_TAP_SOURCE environment variables are set
+and then changes directory to the top of the source tree (which is one
+directory up from the C_TAP_SOURCE path, since C_TAP_SOURCE points to the top
+of the tests directory).
+
+If ARGS is given, it should be a reference to a hash of configuration options.
+Only one option is supported: C<chdir_build>.  If it is set to a true value,
+automake_setup() changes directories to the top of the build tree instead.
+
+=item perl_dirs([ARGS])
+
+Returns a list of directories that may contain Perl scripts that should be
+tested by test scripts that test all Perl in the source tree (such as syntax
+or coding style checks).  The paths will be simple directory names relative to
+the current directory or two-part directory names under the F<tests>
+directory.  (Directories under F<tests> are broken out separately since it's
+common to want to apply different policies to different subdirectories of
+F<tests>.)
+
+If ARGS is given, it should be a reference to a hash of configuration options.
+Only one option is supported: C<skip>, whose value should be a reference to an
+array of additional top-level directories or directories starting with
+C<tests/> that should be skipped.
+
+=item test_file_path(FILE)
+
+Given FILE, which should be a relative path, locates that file relative to the
+test directory in either the source or build tree.  FILE will be checked for
+relative to the environment variable C_TAP_BUILD first, and then relative to
+C_TAP_SOURCE.  test_file_path() returns the full path to FILE or calls
+BAIL_OUT if FILE could not be found.
+
+=item test_tmpdir()
+
+Create a temporary directory for tests to use for transient files and return
+the path to that directory.  The directory is created relative to the
+C_TAP_BUILD environment variable, which must be set.  Permissions on the
+directory are set using the current umask.  test_tmpdir() returns the full
+path to the temporary directory or calls BAIL_OUT if it could not be created.
+
+The directory is automatically removed if possible on program exit.  Failure
+to remove the directory on exit is reported with diag() and otherwise ignored.
+
+=back
+
+=head1 ENVIRONMENT
+
+=over 4
+
+=item C_TAP_BUILD
+
+The root of the tests directory in Automake build directory for this package,
+used to find files as documented above.
+
+=item C_TAP_SOURCE
+
+The root of the tests directory in the source tree for this package, used to
+find files as documented above.
+
+=back
+
+=head1 AUTHOR
+
+Russ Allbery <eagle@eyrie.org>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright 2014-2015, 2018-2021 Russ Allbery <eagle@eyrie.org>
+
+Copyright 2013 The Board of Trustees of the Leland Stanford Junior University
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+=head1 SEE ALSO
+
+Test::More(3), Test::RRA(3), Test::RRA::Config(3)
+
+This module is maintained in the rra-c-util package.  The current version is
+available from L<https://www.eyrie.org/~eagle/software/rra-c-util/>.
+
+The C TAP Harness test driver and libraries for TAP-based C testing are
+available from L<https://www.eyrie.org/~eagle/software/c-tap-harness/>.
+
+=cut
+
+# Local Variables:
+# copyright-at-end-flag: t
+# End:
diff --git a/tests/tap/perl/Test/RRA/Config.pm b/tests/tap/perl/Test/RRA/Config.pm
new file mode 100644
index 000000000000..77f967e35b52
--- /dev/null
+++ b/tests/tap/perl/Test/RRA/Config.pm
@@ -0,0 +1,224 @@
+# Configuration for Perl test cases.
+#
+# In order to reuse the same Perl test cases in multiple packages, I use a
+# configuration file to store some package-specific data.  This module loads
+# that configuration and provides the namespace for the configuration
+# settings.
+#
+# SPDX-License-Identifier: MIT
+
+package Test::RRA::Config;
+
+use 5.010;
+use base qw(Exporter);
+use strict;
+use warnings;
+
+use Test::More;
+
+# Declare variables that should be set in BEGIN for robustness.
+our (@EXPORT_OK, $VERSION);
+
+# Set $VERSION and everything export-related in a BEGIN block for robustness
+# against circular module loading (not that we load any modules, but
+# consistency is good).
+BEGIN {
+    @EXPORT_OK = qw(
+        $COVERAGE_LEVEL @COVERAGE_SKIP_TESTS @CRITIC_IGNORE $LIBRARY_PATH
+        $MINIMUM_VERSION %MINIMUM_VERSION @MODULE_VERSION_IGNORE
+        @POD_COVERAGE_EXCLUDE @STRICT_IGNORE @STRICT_PREREQ
+    );
+
+    # This version should match the corresponding rra-c-util release, but with
+    # two digits for the minor version, including a leading zero if necessary,
+    # so that it will sort properly.
+    $VERSION = '10.00';
+}
+
+# If C_TAP_BUILD or C_TAP_SOURCE are set in the environment, look for
+# data/perl.conf under those paths for a C Automake package.  Otherwise, look
+# in t/data/perl.conf for a standalone Perl module or tests/data/perl.conf for
+# Perl tests embedded in a larger distribution.  Don't use Test::RRA::Automake
+# since it may not exist.
+our $PATH;
+for my $base ($ENV{C_TAP_BUILD}, $ENV{C_TAP_SOURCE}, './t', './tests') {
+    next if !defined($base);
+    my $path = "$base/data/perl.conf";
+    if (-r $path) {
+        $PATH = $path;
+        last;
+    }
+}
+if (!defined($PATH)) {
+    BAIL_OUT('cannot find data/perl.conf');
+}
+
+# Pre-declare all of our variables and set any defaults.
+our $COVERAGE_LEVEL = 100;
+our @COVERAGE_SKIP_TESTS;
+our @CRITIC_IGNORE;
+our $LIBRARY_PATH;
+our $MINIMUM_VERSION = '5.010';
+our %MINIMUM_VERSION;
+our @MODULE_VERSION_IGNORE;
+our @POD_COVERAGE_EXCLUDE;
+our @STRICT_IGNORE;
+our @STRICT_PREREQ;
+
+# Load the configuration.
+if (!do($PATH)) {
+    my $error = $@ || $! || 'loading file did not return true';
+    BAIL_OUT("cannot load $PATH: $error");
+}
+
+1;
+__END__
+
+=for stopwords
+Allbery rra-c-util Automake perlcritic .libs namespace subdirectory sublicense
+MERCHANTABILITY NONINFRINGEMENT regexes
+
+=head1 NAME
+
+Test::RRA::Config - Perl test configuration
+
+=head1 SYNOPSIS
+
+    use Test::RRA::Config qw($MINIMUM_VERSION);
+    print "Required Perl version is $MINIMUM_VERSION\n";
+
+=head1 DESCRIPTION
+
+Test::RRA::Config encapsulates per-package configuration for generic Perl test
+programs that are shared between multiple packages using the rra-c-util
+infrastructure.  It handles locating and loading the test configuration file
+for both C Automake packages and stand-alone Perl modules.
+
+Test::RRA::Config looks for a file named F<data/perl.conf> relative to the
+root of the test directory.  That root is taken from the environment variables
+C_TAP_BUILD or C_TAP_SOURCE (in that order) if set, which will be the case for
+C Automake packages using C TAP Harness.  If neither is set, it expects the
+root of the test directory to be a directory named F<t> relative to the
+current directory, which will be the case for stand-alone Perl modules.
+
+The following variables are supported:
+
+=over 4
+
+=item $COVERAGE_LEVEL
+
+The coverage level achieved by the test suite for Perl test coverage testing
+using Test::Strict, as a percentage.  The test will fail if test coverage less
+than this percentage is achieved.  If not given, defaults to 100.
+
+=item @COVERAGE_SKIP_TESTS
+
+Directories under F<t> whose tests should be skipped when doing coverage
+testing.  This can be tests that won't contribute to coverage or tests that
+don't run properly under Devel::Cover for some reason (such as ones that use
+taint checking).  F<docs> and F<style> will always be skipped regardless of
+this setting.
+
+=item @CRITIC_IGNORE
+
+Additional files or directories to ignore when doing recursive perlcritic
+testing.  To ignore files that will be installed, the path should start with
+F<blib>.
+
+=item $LIBRARY_PATH
+
+Add this directory (or a F<.libs> subdirectory) relative to the top of the
+source tree to LD_LIBRARY_PATH when checking the syntax of Perl modules.  This
+may be required to pick up libraries that are used by in-tree Perl modules so
+that Perl scripts can pass a syntax check.
+
+=item $MINIMUM_VERSION
+
+Default minimum version requirement for included Perl scripts.  If not given,
+defaults to 5.010.
+
+=item %MINIMUM_VERSION
+
+Minimum version exceptions for specific directories.  The keys should be
+minimum versions of Perl to enforce.  The value for each key should be a
+reference to an array of either top-level directory names or directory names
+starting with F<tests/>.  All files in those directories will have that
+minimum Perl version constraint imposed instead of $MINIMUM_VERSION.
+
+=item @MODULE_VERSION_IGNORE
+
+File names to ignore when checking that all modules in a distribution have the
+same version.  Sometimes, some specific modules need separate, special version
+handling, such as modules defining database schemata for DBIx::Class, and
+can't follow the version of the larger package.
+
+=item @POD_COVERAGE_EXCLUDE
+
+Regexes that match method names that should be excluded from POD coverage
+testing.  Normally, all methods have to be documented in the POD for a Perl
+module, but methods matching any of these regexes will be considered private
+and won't require documentation.
+
+=item @STRICT_IGNORE
+
+Additional directories to ignore when doing recursive Test::Strict testing for
+C<use strict> and C<use warnings>.  The contents of this directory must be
+either top-level directory names or directory names starting with F<tests/>.
+
+=item @STRICT_PREREQ
+
+A list of Perl modules that have to be available in order to do meaningful
+Test::Strict testing.  If any of the modules cannot be loaded via C<use>,
+Test::Strict checking will be skipped.  There is currently no way to require
+specific versions of the modules.
+
+=back
+
+No variables are exported by default, but the variables can be imported into
+the local namespace to avoid long variable names.
+
+=head1 AUTHOR
+
+Russ Allbery <eagle@eyrie.org>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright 2015-2016, 2019, 2021 Russ Allbery <eagle@eyrie.org>
+
+Copyright 2013-2014 The Board of Trustees of the Leland Stanford Junior
+University
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+=head1 SEE ALSO
+
+perlcritic(1), Test::MinimumVersion(3), Test::RRA(3), Test::RRA::Automake(3),
+Test::Strict(3)
+
+This module is maintained in the rra-c-util package.  The current version is
+available from L<https://www.eyrie.org/~eagle/software/rra-c-util/>.
+
+The C TAP Harness test driver and libraries for TAP-based C testing are
+available from L<https://www.eyrie.org/~eagle/software/c-tap-harness/>.
+
+=cut
+
+# Local Variables:
+# copyright-at-end-flag: t
+# End:
diff --git a/tests/tap/process.c b/tests/tap/process.c
new file mode 100644
index 000000000000..2f797f8f7567
--- /dev/null
+++ b/tests/tap/process.c
@@ -0,0 +1,532 @@
+/*
+ * Utility functions for tests that use subprocesses.
+ *
+ * Provides utility functions for subprocess manipulation.  Specifically,
+ * provides a function, run_setup, which runs a command and bails if it fails,
+ * using its error message as the bail output, and is_function_output, which
+ * runs a function in a subprocess and checks its output and exit status
+ * against expected values.
+ *
+ * Requires an Autoconf probe for sys/select.h and a replacement for a missing
+ * mkstemp.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2002, 2004-2005, 2013, 2016-2017 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2009-2011, 2013-2014
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <signal.h>
+#ifdef HAVE_SYS_SELECT_H
+#    include <sys/select.h>
+#endif
+#include <sys/stat.h>
+#ifdef HAVE_SYS_TIME_H
+#    include <sys/time.h>
+#endif
+#include <sys/wait.h>
+#include <time.h>
+
+#include <tests/tap/basic.h>
+#include <tests/tap/process.h>
+#include <tests/tap/string.h>
+
+/* May be defined by the build system. */
+#ifndef PATH_FAKEROOT
+#    define PATH_FAKEROOT ""
+#endif
+
+/* How long to wait for the process to start in seconds. */
+#define PROCESS_WAIT 10
+
+/*
+ * Used to store information about a background process.  This contains
+ * everything required to stop the process and clean up after it.
+ */
+struct process {
+    pid_t pid;            /* PID of child process */
+    char *pidfile;        /* PID file to delete on process stop */
+    char *tmpdir;         /* Temporary directory for log file */
+    char *logfile;        /* Log file of process output */
+    bool is_child;        /* Whether we can waitpid for process */
+    struct process *next; /* Next process in global list */
+};
+
+/*
+ * Global list of started processes, which will be cleaned up automatically on
+ * program exit if they haven't been explicitly stopped with process_stop
+ * prior to that point.
+ */
+static struct process *processes = NULL;
+
+
+/*
+ * Given a function, an expected exit status, and expected output, runs that
+ * function in a subprocess, capturing stdout and stderr via a pipe, and
+ * returns the function output in newly allocated memory.  Also captures the
+ * process exit status.
+ */
+static void
+run_child_function(test_function_type function, void *data, int *status,
+                   char **output)
+{
+    int fds[2];
+    pid_t child;
+    char *buf;
+    ssize_t count, ret, buflen;
+    int rval;
+
+    /* Flush stdout before we start to avoid odd forking issues. */
+    fflush(stdout);
+
+    /* Set up the pipe and call the function, collecting its output. */
+    if (pipe(fds) == -1)
+        sysbail("can't create pipe");
+    child = fork();
+    if (child == (pid_t) -1) {
+        sysbail("can't fork");
+    } else if (child == 0) {
+        /* In child.  Set up our stdout and stderr. */
+        close(fds[0]);
+        if (dup2(fds[1], 1) == -1)
+            _exit(255);
+        if (dup2(fds[1], 2) == -1)
+            _exit(255);
+
+        /* Now, run the function and exit successfully if it returns. */
+        (*function)(data);
+        fflush(stdout);
+        _exit(0);
+    } else {
+        /*
+         * In the parent; close the extra file descriptor, read the output if
+         * any, and then collect the exit status.
+         */
+        close(fds[1]);
+        buflen = BUFSIZ;
+        buf = bmalloc(buflen);
+        count = 0;
+        do {
+            ret = read(fds[0], buf + count, buflen - count - 1);
+            if (SSIZE_MAX - count <= ret)
+                bail("maximum output size exceeded in run_child_function");
+            if (ret > 0)
+                count += ret;
+            if (count >= buflen - 1) {
+                buflen += BUFSIZ;
+                buf = brealloc(buf, buflen);
+            }
+        } while (ret > 0);
+        buf[count] = '\0';
+        if (waitpid(child, &rval, 0) == (pid_t) -1)
+            sysbail("waitpid failed");
+        close(fds[0]);
+    }
+
+    /* Store the output and return. */
+    *status = rval;
+    *output = buf;
+}
+
+
+/*
+ * Given a function, data to pass to that function, an expected exit status,
+ * and expected output, runs that function in a subprocess, capturing stdout
+ * and stderr via a pipe, and compare the combination of stdout and stderr
+ * with the expected output and the exit status with the expected status.
+ * Expects the function to always exit (not die from a signal).
+ */
+void
+is_function_output(test_function_type function, void *data, int status,
+                   const char *output, const char *format, ...)
+{
+    char *buf, *msg;
+    int rval;
+    va_list args;
+
+    run_child_function(function, data, &rval, &buf);
+
+    /* Now, check the results against what we expected. */
+    va_start(args, format);
+    bvasprintf(&msg, format, args);
+    va_end(args);
+    ok(WIFEXITED(rval), "%s (exited)", msg);
+    is_int(status, WEXITSTATUS(rval), "%s (status)", msg);
+    is_string(output, buf, "%s (output)", msg);
+    free(buf);
+    free(msg);
+}
+
+
+/*
+ * A helper function for run_setup.  This is a function to run an external
+ * command, suitable for passing into run_child_function.  The expected
+ * argument must be an argv array, with argv[0] being the command to run.
+ */
+static void
+exec_command(void *data)
+{
+    char *const *argv = data;
+
+    execvp(argv[0], argv);
+}
+
+
+/*
+ * Given a command expressed as an argv struct, with argv[0] the name or path
+ * to the command, run that command.  If it exits with a non-zero status, use
+ * the part of its output up to the first newline as the error message when
+ * calling bail.
+ */
+void
+run_setup(const char *const argv[])
+{
+    char *output, *p;
+    int status;
+
+    run_child_function(exec_command, (void *) argv, &status, &output);
+    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
+        p = strchr(output, '\n');
+        if (p != NULL)
+            *p = '\0';
+        if (output[0] != '\0')
+            bail("%s", output);
+        else
+            bail("setup command failed with no output");
+    }
+    free(output);
+}
+
+
+/*
+ * Free the resources associated with tracking a process, without doing
+ * anything to the process.  This is kept separate so that we can free
+ * resources during shutdown in a non-primary process.
+ */
+static void
+process_free(struct process *process)
+{
+    struct process **prev;
+
+    /* Do nothing if called with a NULL argument. */
+    if (process == NULL)
+        return;
+
+    /* Remove the process from the global list. */
+    prev = &processes;
+    while (*prev != NULL && *prev != process)
+        prev = &(*prev)->next;
+    if (*prev == process)
+        *prev = process->next;
+
+    /* Free resources. */
+    free(process->pidfile);
+    free(process->logfile);
+    test_tmpdir_free(process->tmpdir);
+    free(process);
+}
+
+
+/*
+ * Kill a process and wait for it to exit.  Returns the status of the process.
+ * Calls bail on a system failure or a failure of the process to exit.
+ *
+ * We are quite aggressive with error reporting here because child processes
+ * that don't exit or that don't exist often indicate some form of test
+ * failure.
+ */
+static int
+process_kill(struct process *process)
+{
+    int result, i;
+    int status = -1;
+    struct timeval tv;
+    unsigned long pid = process->pid;
+
+    /* If the process is not a child, just kill it and hope. */
+    if (!process->is_child) {
+        if (kill(process->pid, SIGTERM) < 0 && errno != ESRCH)
+            sysbail("cannot send SIGTERM to process %lu", pid);
+        return 0;
+    }
+
+    /* Check if the process has already exited. */
+    result = waitpid(process->pid, &status, WNOHANG);
+    if (result < 0)
+        sysbail("cannot wait for child process %lu", pid);
+    else if (result > 0)
+        return status;
+
+    /*
+     * Kill the process and wait for it to exit.  I don't want to go to the
+     * work of setting up a SIGCHLD handler or a full event loop here, so we
+     * effectively poll every tenth of a second for process exit (and
+     * hopefully faster when it does since the SIGCHLD may interrupt our
+     * select, although we're racing with it.
+     */
+    if (kill(process->pid, SIGTERM) < 0 && errno != ESRCH)
+        sysbail("cannot send SIGTERM to child process %lu", pid);
+    for (i = 0; i < PROCESS_WAIT * 10; i++) {
+        tv.tv_sec = 0;
+        tv.tv_usec = 100000;
+        select(0, NULL, NULL, NULL, &tv);
+        result = waitpid(process->pid, &status, WNOHANG);
+        if (result < 0)
+            sysbail("cannot wait for child process %lu", pid);
+        else if (result > 0)
+            return status;
+    }
+
+    /* The process still hasn't exited.  Bail. */
+    bail("child process %lu did not exit on SIGTERM", pid);
+
+    /* Not reached, but some compilers may get confused. */
+    return status;
+}
+
+
+/*
+ * Stop a particular process given its process struct.  This kills the
+ * process, waits for it to exit if possible (giving it at most five seconds),
+ * and then removes it from the global processes struct so that it isn't
+ * stopped again during global shutdown.
+ */
+void
+process_stop(struct process *process)
+{
+    int status;
+    unsigned long pid = process->pid;
+
+    /* Stop the process. */
+    status = process_kill(process);
+
+    /* Call diag to flush logs as well as provide exit status. */
+    if (process->is_child)
+        diag("stopped process %lu (exit status %d)", pid, status);
+    else
+        diag("stopped process %lu", pid);
+
+    /* Remove the log and PID file. */
+    diag_file_remove(process->logfile);
+    unlink(process->pidfile);
+    unlink(process->logfile);
+
+    /* Free resources. */
+    process_free(process);
+}
+
+
+/*
+ * Stop all running processes.  This is called as a cleanup handler during
+ * process shutdown.  The first argument, which says whether the test was
+ * successful, is ignored, since the same actions should be performed
+ * regardless.  The second argument says whether this is the primary process,
+ * in which case we do the full shutdown.  Otherwise, we only free resources
+ * but don't stop the process.
+ */
+static void
+process_stop_all(int success UNUSED, int primary)
+{
+    while (processes != NULL) {
+        if (primary)
+            process_stop(processes);
+        else
+            process_free(processes);
+    }
+}
+
+
+/*
+ * Read the PID of a process from a file.  This is necessary when running
+ * under fakeroot to get the actual PID of the remctld process.
+ */
+static pid_t
+read_pidfile(const char *path)
+{
+    FILE *file;
+    char buffer[BUFSIZ];
+    long pid;
+
+    file = fopen(path, "r");
+    if (file == NULL)
+        sysbail("cannot open %s", path);
+    if (fgets(buffer, sizeof(buffer), file) == NULL)
+        sysbail("cannot read from %s", path);
+    fclose(file);
+    pid = strtol(buffer, NULL, 10);
+    if (pid <= 0)
+        bail("cannot read PID from %s", path);
+    return (pid_t) pid;
+}
+
+
+/*
+ * Start a process and return its status information.  The status information
+ * is also stored in the global processes linked list so that it can be
+ * stopped automatically on program exit.
+ *
+ * The boolean argument says whether to start the process under fakeroot.  If
+ * true, PATH_FAKEROOT must be defined, generally by Autoconf.  If it's not
+ * found, call skip_all.
+ *
+ * This is a helper function for process_start and process_start_fakeroot.
+ */
+static struct process *
+process_start_internal(const char *const argv[], const char *pidfile,
+                       bool fakeroot)
+{
+    size_t i;
+    int log_fd;
+    const char *name;
+    struct timeval tv;
+    struct process *process;
+    const char **fakeroot_argv = NULL;
+    const char *path_fakeroot = PATH_FAKEROOT;
+
+    /* Check prerequisites. */
+    if (fakeroot && path_fakeroot[0] == '\0')
+        skip_all("fakeroot not found");
+
+    /* Create the process struct and log file. */
+    process = bcalloc(1, sizeof(struct process));
+    process->pidfile = bstrdup(pidfile);
+    process->tmpdir = test_tmpdir();
+    name = strrchr(argv[0], '/');
+    if (name != NULL)
+        name++;
+    else
+        name = argv[0];
+    basprintf(&process->logfile, "%s/%s.log.XXXXXX", process->tmpdir, name);
+    log_fd = mkstemp(process->logfile);
+    if (log_fd < 0)
+        sysbail("cannot create log file for %s", argv[0]);
+
+    /* If using fakeroot, rewrite argv accordingly. */
+    if (fakeroot) {
+        for (i = 0; argv[i] != NULL; i++)
+            ;
+        fakeroot_argv = bcalloc(2 + i + 1, sizeof(const char *));
+        fakeroot_argv[0] = path_fakeroot;
+        fakeroot_argv[1] = "--";
+        for (i = 0; argv[i] != NULL; i++)
+            fakeroot_argv[i + 2] = argv[i];
+        fakeroot_argv[i + 2] = NULL;
+        argv = fakeroot_argv;
+    }
+
+    /*
+     * Fork off the child process, redirect its standard output and standard
+     * error to the log file, and then exec the program.
+     */
+    process->pid = fork();
+    if (process->pid < 0)
+        sysbail("fork failed");
+    else if (process->pid == 0) {
+        if (dup2(log_fd, STDOUT_FILENO) < 0)
+            sysbail("cannot redirect standard output");
+        if (dup2(log_fd, STDERR_FILENO) < 0)
+            sysbail("cannot redirect standard error");
+        close(log_fd);
+        if (execv(argv[0], (char *const *) argv) < 0)
+            sysbail("exec of %s failed", argv[0]);
+    }
+    close(log_fd);
+    free(fakeroot_argv);
+
+    /*
+     * In the parent.  Wait for the child to start by watching for the PID
+     * file to appear in 100ms intervals.
+     */
+    for (i = 0; i < PROCESS_WAIT * 10 && access(pidfile, F_OK) != 0; i++) {
+        tv.tv_sec = 0;
+        tv.tv_usec = 100000;
+        select(0, NULL, NULL, NULL, &tv);
+    }
+
+    /*
+     * If the PID file still hasn't appeared after ten seconds, attempt to
+     * kill the process and then bail.
+     */
+    if (access(pidfile, F_OK) != 0) {
+        kill(process->pid, SIGTERM);
+        alarm(5);
+        waitpid(process->pid, NULL, 0);
+        alarm(0);
+        bail("cannot start %s", argv[0]);
+    }
+
+    /*
+     * Read the PID back from the PID file.  This usually isn't necessary for
+     * non-forking daemons, but always doing this makes this function general,
+     * and it's required when running under fakeroot.
+     */
+    if (fakeroot)
+        process->pid = read_pidfile(pidfile);
+    process->is_child = !fakeroot;
+
+    /* Register the log file as a source of diag messages. */
+    diag_file_add(process->logfile);
+
+    /*
+     * Add the process to our global list and set our cleanup handler if this
+     * is the first process we started.
+     */
+    if (processes == NULL)
+        test_cleanup_register(process_stop_all);
+    process->next = processes;
+    processes = process;
+
+    /* All done. */
+    return process;
+}
+
+
+/*
+ * Start a process and return the opaque process struct.  The process must
+ * create pidfile with its PID when startup is complete.
+ */
+struct process *
+process_start(const char *const argv[], const char *pidfile)
+{
+    return process_start_internal(argv, pidfile, false);
+}
+
+
+/*
+ * Start a process under fakeroot and return the opaque process struct.  If
+ * fakeroot is not available, calls skip_all.  The process must create pidfile
+ * with its PID when startup is complete.
+ */
+struct process *
+process_start_fakeroot(const char *const argv[], const char *pidfile)
+{
+    return process_start_internal(argv, pidfile, true);
+}
diff --git a/tests/tap/process.h b/tests/tap/process.h
new file mode 100644
index 000000000000..4210c209ed0b
--- /dev/null
+++ b/tests/tap/process.h
@@ -0,0 +1,95 @@
+/*
+ * Utility functions for tests that use subprocesses.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2009-2010, 2013
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#ifndef TAP_PROCESS_H
+#define TAP_PROCESS_H 1
+
+#include <config.h>
+#include <tests/tap/macros.h>
+
+/* Opaque data type for process_start and friends. */
+struct process;
+
+BEGIN_DECLS
+
+/*
+ * Run a function in a subprocess and check the exit status and expected
+ * output (stdout and stderr combined) against the provided values.  Expects
+ * the function to always exit (not die from a signal).  data is optional data
+ * that's passed into the function as its only argument.
+ *
+ * This reports as three separate tests: whether the function exited rather
+ * than was killed, whether the exit status was correct, and whether the
+ * output was correct.
+ */
+typedef void (*test_function_type)(void *);
+void is_function_output(test_function_type, void *data, int status,
+                        const char *output, const char *format, ...)
+    __attribute__((__format__(printf, 5, 6), __nonnull__(1)));
+
+/*
+ * Run a setup program.  Takes the program to run and its arguments as an argv
+ * vector, where argv[0] must be either the full path to the program or the
+ * program name if the PATH should be searched.  If the program does not exit
+ * successfully, call bail, with the error message being the output from the
+ * program.
+ */
+void run_setup(const char *const argv[]) __attribute__((__nonnull__));
+
+/*
+ * process_start starts a process in the background, returning an opaque data
+ * struct that can be used to stop the process later.  The standard output and
+ * standard error of the process will be sent to a log file registered with
+ * diag_file_add, so its output will be properly interleaved with the test
+ * case output.
+ *
+ * The process should create a PID file in the path given as the second
+ * argument when it's finished initialization.
+ *
+ * process_start_fakeroot is the same but starts the process under fakeroot.
+ * PATH_FAKEROOT must be defined (generally by Autoconf).  If fakeroot is not
+ * found, process_start_fakeroot will call skip_all, so be sure to call this
+ * function before plan.
+ *
+ * process_stop can be called to explicitly stop the process.  If it isn't
+ * called by the test program, it will be called automatically when the
+ * program exits.
+ */
+struct process *process_start(const char *const argv[], const char *pidfile)
+    __attribute__((__nonnull__));
+struct process *process_start_fakeroot(const char *const argv[],
+                                       const char *pidfile)
+    __attribute__((__nonnull__));
+void process_stop(struct process *);
+
+END_DECLS
+
+#endif /* TAP_PROCESS_H */
diff --git a/tests/tap/string.c b/tests/tap/string.c
new file mode 100644
index 000000000000..71cf571e6f03
--- /dev/null
+++ b/tests/tap/string.c
@@ -0,0 +1,67 @@
+/*
+ * String utilities for the TAP protocol.
+ *
+ * Additional string utilities that can't be included with C TAP Harness
+ * because they rely on additional portability code from rra-c-util.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Copyright 2011-2012 Russ Allbery <eagle@eyrie.org>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#include <config.h>
+#include <portable/system.h>
+
+#include <tests/tap/basic.h>
+#include <tests/tap/string.h>
+
+
+/*
+ * vsprintf into a newly allocated string, reporting a fatal error with bail
+ * on failure.
+ */
+void
+bvasprintf(char **strp, const char *fmt, va_list args)
+{
+    int status;
+
+    status = vasprintf(strp, fmt, args);
+    if (status < 0)
+        sysbail("failed to allocate memory for vasprintf");
+}
+
+
+/*
+ * sprintf into a newly allocated string, reporting a fatal error with bail on
+ * failure.
+ */
+void
+basprintf(char **strp, const char *fmt, ...)
+{
+    va_list args;
+
+    va_start(args, fmt);
+    bvasprintf(strp, fmt, args);
+    va_end(args);
+}
diff --git a/tests/tap/string.h b/tests/tap/string.h
new file mode 100644
index 000000000000..651c38a26f06
--- /dev/null
+++ b/tests/tap/string.h
@@ -0,0 +1,51 @@
+/*
+ * String utilities for the TAP protocol.
+ *
+ * Additional string utilities that can't be included with C TAP Harness
+ * because they rely on additional portability code from rra-c-util.
+ *
+ * The canonical version of this file is maintained in the rra-c-util package,
+ * which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+ *
+ * Copyright 2011-2012 Russ Allbery <eagle@eyrie.org>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+#ifndef TAP_STRING_H
+#define TAP_STRING_H 1
+
+#include <config.h>
+#include <tests/tap/macros.h>
+
+#include <stdarg.h> /* va_list */
+
+BEGIN_DECLS
+
+/* sprintf into an allocated string, calling bail on any failure. */
+void basprintf(char **, const char *, ...)
+    __attribute__((__nonnull__, __format__(printf, 2, 3)));
+void bvasprintf(char **, const char *, va_list)
+    __attribute__((__nonnull__, __format__(printf, 2, 0)));
+
+END_DECLS
+
+#endif /* !TAP_STRING_H */
diff --git a/tests/valgrind/logs-t b/tests/valgrind/logs-t
new file mode 100755
index 000000000000..5444d00a5730
--- /dev/null
+++ b/tests/valgrind/logs-t
@@ -0,0 +1,83 @@
+#!/usr/bin/perl
+#
+# Check for errors in valgrind logs.
+#
+# The canonical version of this file is maintained in the rra-c-util package,
+# which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>.
+#
+# Copyright 2018-2019, 2021 Russ Allbery <eagle@eyrie.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+#
+# SPDX-License-Identifier: MIT
+
+use 5.010;
+use strict;
+use warnings;
+
+use lib "$ENV{C_TAP_SOURCE}/tap/perl";
+
+use Test::RRA;
+use Test::RRA::Automake qw(automake_setup);
+
+use File::Spec;
+use Test::More;
+
+# Skip this test if C_TAP_VALGRIND was not set.
+if (!exists $ENV{C_TAP_VALGRIND}) {
+    plan skip_all => 'Not testing under valgrind';
+}
+
+# Set up Automake testing.
+automake_setup({ chdir_build => 1 });
+
+# Gather the list of valgrind logs (and skip this test if there are none).
+opendir(my $logdir, File::Spec->catfile('tests', 'tmp', 'valgrind'))
+  or plan skip_all => 'No valgrind logs in tests/tmp/valgrind';
+my @logs = grep { m{ \A log [.] }xms } readdir $logdir;
+closedir($logdir) or BAIL_OUT("cannot close directory: $!");
+
+# Check each log file.
+plan tests => scalar(@logs);
+for my $file (@logs) {
+    my $path = File::Spec->catfile('tests', 'tmp', 'valgrind', $file);
+    open(my $log, '<', $path) or BAIL_OUT("cannot open $path: $!");
+    my $okay = 1;
+    my @log;
+    while (defined(my $line = <$log>)) {
+        push(@log, $line);
+        if ($line =~ m{ ERROR [ ] SUMMARY: [ ] (\d+) [ ] errors }xms) {
+            $okay = ($1 == 0);
+        }
+    }
+    close($log) or BAIL_OUT("cannot close $path: $!");
+    if ($okay) {
+        unlink($path);
+    } else {
+        for my $line (@log) {
+            print '# ', $line
+              or BAIL_OUT("cannot print to standard output: $!");
+        }
+    }
+    ok($okay, $path);
+}
+
+# Remove tests/tmp/valgrind if it's now empty.
+rmdir(File::Spec->catfile('tests', 'tmp', 'valgrind'));
+rmdir(File::Spec->catfile('tests', 'tmp'));