Index: util/passwordbasedauthentication.c
--- util/passwordbasedauthentication.c.orig
+++ util/passwordbasedauthentication.c
@@ -26,7 +26,13 @@
 // UFC_crypt defines crypt_r when only when __USE_GNU is set
 // this shouldn't affect other implementations
 #define __USE_GNU
+#if defined(__OpenBSD__)
+#if HAS_CRYPT_R
+#include
+#endif
+#else
 #include
+#endif
 // INVALID_HASH is used on verify when the given hash is a NULL pointer.
 // This is done to not directly jump to exit with a INVALID_HASH result
 // but rather keep calculating to make it a little bit harder to guess
@@ -166,16 +172,7 @@ pba_finalize (struct PBASettings *settings)
 free (settings);
 }

-static int
-pba_is_phc_compliant (const char *setting)
-{
- if (setting == NULL)
- {
- return 1;
- }
- return strlen (setting) > 1 && setting[0] == '$';
-}
-
+#if HAS_CRYPT_R
 char *
 pba_hash (struct PBASettings *setting, const char *password)
 {
@@ -204,8 +201,8 @@ pba_hash (struct PBASettings *setting, const char *pas
 rslt = crypt_r (password, settings, data);
 if (rslt == NULL)
 goto exit;
- result = calloc (1, CRYPT_OUTPUT_SIZE);
- memcpy (result, rslt, CRYPT_OUTPUT_SIZE);
+ result = malloc (CRYPT_OUTPUT_SIZE);
+ strncpy (result, rslt, CRYPT_OUTPUT_SIZE);
 // remove pepper, by jumping to begin of applied pepper within result
 // and overriding it.
 tmp = result + (tmp - settings);
@@ -239,8 +236,8 @@ pba_verify_hash (const struct PBASettings *setting, co
 {
 data = calloc (1, sizeof (struct crypt_data));
 // manipulate hash to reapply pepper
- tmp = calloc (1, CRYPT_OUTPUT_SIZE);
- memcpy (tmp, hash ? hash : INVALID_HASH, CRYPT_OUTPUT_SIZE);
+ tmp = malloc (CRYPT_OUTPUT_SIZE);
+ strncpy (tmp, hash ? hash : INVALID_HASH, CRYPT_OUTPUT_SIZE);
 cmp = strrchr (tmp, '$');
 for (i = MAX_PEPPER_SIZE - 1; i > -1; i--)
 {
@@ -279,3 +276,4 @@ exit:
 free (tmp);
 return result;
 }
+#endif /* #if HAS_CRYPT_R */
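Review bot: The include guard added in the hunk at -26 applies only under `__OpenBSD__`, but the `#if HAS_CRYPT_R` that wraps pba_hash and pba_verify_hash (hunks at -166 and -279) applies on every platform. An undefined macro in `#if` evaluates to 0, so a non-OpenBSD build that never defines HAS_CRYPT_R would still include the header yet drop both password functions without any diagnostic. Either use the same condition for both guards or document the macro at the include, for example `/* HAS_CRYPT_R: non-zero when crypt_r() is available; pba_hash/pba_verify_hash are compiled out otherwise */`. Where the macro is defined is not visible in this patch.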
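Review bot: In the hunk at -166, pba_is_phc_compliant is deleted outright rather than moved under the new `#if HAS_CRYPT_R`, which is only safe if nothing inside the guarded region calls it. Its callers are not visible in this patch; if pba_verify_hash still calls it, a build with HAS_CRYPT_R set no longer compiles, and removing that call instead would drop the `$`-prefix format check on the stored hash. Keeping the helper and placing `#if HAS_CRYPT_R` above its `static int` line avoids the unused-function warning without changing behaviour where crypt_r exists.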
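Review bot: In the hunk at -204, `strncpy (result, rslt, CRYPT_OUTPUT_SIZE)` leaves `result` without a terminating NUL when the source is CRYPT_OUTPUT_SIZE bytes or longer, and the `malloc` return value is used unchecked. The same pair appears in pba_verify_hash (hunk at -239), where `hash` is supplied by the caller and `strrchr (tmp, '$')` scans the buffer immediately afterwards. The switch away from memcpy stops the fixed-size read from a shorter `hash`, but an over-long one is now copied unterminated. Add `if (result == NULL) goto exit;` before each copy and `result[CRYPT_OUTPUT_SIZE - 1] = '\0';` after it (`tmp` in pba_verify_hash), and confirm that the exit path there also frees `data`, which this patch does not show. Both functions begin and end outside these hunks.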