No need to look up shadow password unless we are doing password-style

authentication.  This moves the shadow password lookup to the auth
functions that need it.

plugins/sudoers/auth/secureware.c

@@ -61,31 +61,49 @@ secureware_init(struct passwd *pw, char **promptp, sudo_auth *auth)
     if (crypt_type == INT_MAX)
 	return(AUTH_FAILURE);			/* no shadow */
 #endif
+    sudo_setspent();
+    auth->data = sudo_getepw(pw);
+    sudo_endspent();
     return(AUTH_SUCCESS);
 }
 
 int
 secureware_verify(struct passwd *pw, char *pass, sudo_auth *auth)
 {
+    char *pw_epasswd = auth->data;
 #ifdef __alpha
     extern int crypt_type;
 
 #  ifdef HAVE_DISPCRYPT
-    if (strcmp(user_passwd, dispcrypt(pass, user_passwd, crypt_type)) == 0)
+    if (strcmp(pw_epasswd, dispcrypt(pass, pw_epasswd, crypt_type)) == 0)
 	return(AUTH_SUCCESS);
 #  else
     if (crypt_type == AUTH_CRYPT_BIGCRYPT) {
-	if (strcmp(user_passwd, bigcrypt(pass, user_passwd)) == 0)
+	if (strcmp(pw_epasswd, bigcrypt(pass, pw_epasswd)) == 0)
 	    return(AUTH_SUCCESS);
     } else if (crypt_type == AUTH_CRYPT_CRYPT16) {
-	if (strcmp(user_passwd, crypt(pass, user_passwd)) == 0)
+	if (strcmp(pw_epasswd, crypt(pass, pw_epasswd)) == 0)
 	    return(AUTH_SUCCESS);
     }
 #  endif /* HAVE_DISPCRYPT */
 #elif defined(HAVE_BIGCRYPT)
-    if (strcmp(user_passwd, bigcrypt(pass, user_passwd)) == 0)
+    if (strcmp(pw_epasswd, bigcrypt(pass, pw_epasswd)) == 0)
 	return(AUTH_SUCCESS);
 #endif /* __alpha */
 
 	return(AUTH_FAILURE);
 }
+
+int
+secureware_cleanup(pw, auth)
+    struct passwd *pw;
+    sudo_auth *auth;
+{
+    char *pw_epasswd = auth->data;
+
+    if (pw_epasswd != NULL) {
+	zero_bytes(pw_epasswd, strlen(pw_epasswd));
+	efree(pw_epasswd);
+    }
+    return(AUTH_SUCCESS);
+}