No need to look up shadow password unless we are doing password-style

authentication.  This moves the shadow password lookup to the auth
functions that need it.

plugins/sudoers/auth/passwd.c

@@ -55,6 +55,9 @@ passwd_init(struct passwd *pw, char **promptp, sudo_auth *auth)
     if (skeyaccess(pw, user_tty, NULL, NULL) == 0)
 	return(AUTH_FAILURE);
 #endif
+    sudo_setspent();
+    auth->data = sudo_getepw(pw);
+    sudo_endspent();
     return(AUTH_SUCCESS);
 }
 
@@ -62,14 +65,15 @@ int
 passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth)
 {
     char sav, *epass;
+    char *pw_epasswd = auth->data;
     size_t pw_len;
     int error;
 
-    pw_len = strlen(pw->pw_passwd);
+    pw_len = strlen(pw_epasswd);
 
 #ifdef HAVE_GETAUTHUID
     /* Ultrix shadow passwords may use crypt16() */
-    error = strcmp(pw->pw_passwd, (char *) crypt16(pass, pw->pw_passwd));
+    error = strcmp(pw_epasswd, (char *) crypt16(pass, pw_epasswd));
     if (!error)
 	return(AUTH_SUCCESS);
 #endif /* HAVE_GETAUTHUID */
@@ -79,7 +83,7 @@ passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth)
      * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
      */
     sav = pass[8];
-    if (pw_len == DESLEN || HAS_AGEINFO(pw->pw_passwd, pw_len))
+    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
 	pass[8] = '\0';
 
     /*
@@ -87,12 +91,26 @@ passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth)
      * HP-UX may add aging info (separated by a ',') at the end so
      * only compare the first DESLEN characters in that case.
      */
-    epass = (char *) crypt(pass, pw->pw_passwd);
+    epass = (char *) crypt(pass, pw_epasswd);
     pass[8] = sav;
-    if (HAS_AGEINFO(pw->pw_passwd, pw_len) && strlen(epass) == DESLEN)
-	error = strncmp(pw->pw_passwd, epass, DESLEN);
+    if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+	error = strncmp(pw_epasswd, epass, DESLEN);
     else
-	error = strcmp(pw->pw_passwd, epass);
+	error = strcmp(pw_epasswd, epass);
 
     return(error ? AUTH_FAILURE : AUTH_SUCCESS);
 }
+
+int
+passwd_cleanup(pw, auth)
+    struct passwd *pw;
+    sudo_auth *auth;
+{
+    char *pw_epasswd = auth->data;
+
+    if (pw_epasswd != NULL) {
+	zero_bytes(pw_epasswd, strlen(pw_epasswd));
+	efree(pw_epasswd);
+    }
+    return(AUTH_SUCCESS);
+}

plugins/sudoers/auth/secureware.c

@@ -61,31 +61,49 @@ secureware_init(struct passwd *pw, char **promptp, sudo_auth *auth)
     if (crypt_type == INT_MAX)
 	return(AUTH_FAILURE);			/* no shadow */
 #endif
+    sudo_setspent();
+    auth->data = sudo_getepw(pw);
+    sudo_endspent();
     return(AUTH_SUCCESS);
 }
 
 int
 secureware_verify(struct passwd *pw, char *pass, sudo_auth *auth)
 {
+    char *pw_epasswd = auth->data;
 #ifdef __alpha
     extern int crypt_type;
 
 #  ifdef HAVE_DISPCRYPT
-    if (strcmp(user_passwd, dispcrypt(pass, user_passwd, crypt_type)) == 0)
+    if (strcmp(pw_epasswd, dispcrypt(pass, pw_epasswd, crypt_type)) == 0)
 	return(AUTH_SUCCESS);
 #  else
     if (crypt_type == AUTH_CRYPT_BIGCRYPT) {
-	if (strcmp(user_passwd, bigcrypt(pass, user_passwd)) == 0)
+	if (strcmp(pw_epasswd, bigcrypt(pass, pw_epasswd)) == 0)
 	    return(AUTH_SUCCESS);
     } else if (crypt_type == AUTH_CRYPT_CRYPT16) {
-	if (strcmp(user_passwd, crypt(pass, user_passwd)) == 0)
+	if (strcmp(pw_epasswd, crypt(pass, pw_epasswd)) == 0)
 	    return(AUTH_SUCCESS);
     }
 #  endif /* HAVE_DISPCRYPT */
 #elif defined(HAVE_BIGCRYPT)
-    if (strcmp(user_passwd, bigcrypt(pass, user_passwd)) == 0)
+    if (strcmp(pw_epasswd, bigcrypt(pass, pw_epasswd)) == 0)
 	return(AUTH_SUCCESS);
 #endif /* __alpha */
 
 	return(AUTH_FAILURE);
 }
+
+int
+secureware_cleanup(pw, auth)
+    struct passwd *pw;
+    sudo_auth *auth;
+{
+    char *pw_epasswd = auth->data;
+
+    if (pw_epasswd != NULL) {
+	zero_bytes(pw_epasswd, strlen(pw_epasswd));
+	efree(pw_epasswd);
+    }
+    return(AUTH_SUCCESS);
+}

plugins/sudoers/auth/sudo_auth.c

@@ -71,10 +71,10 @@ static sudo_auth auth_switch[] = {
 
 /* Non-standalone entries */
 #ifndef WITHOUT_PASSWD
-    AUTH_ENTRY("passwd", 0, passwd_init, NULL, passwd_verify, NULL, NULL, NULL)
+    AUTH_ENTRY("passwd", 0, passwd_init, NULL, passwd_verify, passwd_cleanup, NULL, NULL)
 #endif
 #if defined(HAVE_GETPRPWNAM) && !defined(WITHOUT_PASSWD)
-    AUTH_ENTRY("secureware", 0, secureware_init, NULL, secureware_verify, NULL, NULL, NULL)
+    AUTH_ENTRY("secureware", 0, secureware_init, NULL, secureware_verify, secureware_cleanup, NULL, NULL)
 #endif
 #ifdef HAVE_AFS
     AUTH_ENTRY("afs", 0, NULL, NULL, afs_verify, NULL, NULL, NULL)

plugins/sudoers/auth/sudo_auth.h

@@ -75,8 +75,10 @@ int bsdauth_cleanup(struct passwd *pw, sudo_auth *auth);
 /* Prototypes for normal methods */
 int passwd_init(struct passwd *pw, char **prompt, sudo_auth *auth);
 int passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth);
+int passwd_cleanup(struct passwd *pw, sudo_auth *auth);
 int secureware_init(struct passwd *pw, char **prompt, sudo_auth *auth);
 int secureware_verify(struct passwd *pw, char *pass, sudo_auth *auth);
+int secureware_cleanup(struct passwd *pw, sudo_auth *auth);
 int rfc1938_setup(struct passwd *pw, char **prompt, sudo_auth *auth);
 int rfc1938_verify(struct passwd *pw, char *pass, sudo_auth *auth);
 int afs_verify(struct passwd *pw, char *pass, sudo_auth *auth);