Use OpenBSD-compatible freezero() in place of explicit_bzero() + free()

plugins/sudoers/auth/aix_auth.c

@@ -243,8 +243,7 @@ sudo_aix_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_co
 	free(message);
 	message = NULL;
 	result = authenticate(pw->pw_name, pass, &reenter, &message);
-	explicit_bzero(pass, strlen(pass));
-	free(pass);
+	freezero(pass, strlen(pass));
 	prompt = message;
     } while (reenter);
 

plugins/sudoers/auth/bsdauth.c

@@ -151,8 +151,7 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_con
 
     if (pass) {
 	authok = auth_userresponse(as, pass, 1);
-	explicit_bzero(pass, strlen(pass));
-	free(pass);
+	freezero(pass, strlen(pass));
     }
 
     /* restore old signal handler */

plugins/sudoers/auth/fwtk.c

@@ -134,8 +134,7 @@ restart:
     error = AUTH_FAILURE;
 done:
     explicit_bzero(buf, sizeof(buf));
-    explicit_bzero(pass, strlen(pass));
-    free(pass);
+    freezero(pass, strlen(pass));
     debug_return_int(error);
 }
 

plugins/sudoers/auth/pam.c

@@ -732,8 +732,7 @@ done:
 	    struct pam_response *pr = &reply[n];
 
 	    if (pr->resp != NULL) {
-		explicit_bzero(pr->resp, strlen(pr->resp));
-		free(pr->resp);
+		freezero(pr->resp, strlen(pr->resp));
 		pr->resp = NULL;
 	    }
 	}

plugins/sudoers/auth/passwd.c

@@ -100,9 +100,8 @@ sudo_passwd_cleanup(struct passwd *pw, sudo_auth *auth, bool force)
     char *pw_epasswd = auth->data;
     debug_decl(sudo_passwd_cleanup, SUDOERS_DEBUG_AUTH);
 
-    if (pw_epasswd != NULL) {
-	explicit_bzero(pw_epasswd, strlen(pw_epasswd));
-	free(pw_epasswd);
-    }
+    if (pw_epasswd != NULL)
+	freezero(pw_epasswd, strlen(pw_epasswd));
+
     debug_return_int(AUTH_SUCCESS);
 }

plugins/sudoers/auth/secureware.c

@@ -101,10 +101,8 @@ sudo_secureware_cleanup(struct passwd *pw, sudo_auth *auth, bool force)
     char *pw_epasswd = auth->data;
     debug_decl(sudo_secureware_cleanup, SUDOERS_DEBUG_AUTH);
 
-    if (pw_epasswd != NULL) {
-	explicit_bzero(pw_epasswd, strlen(pw_epasswd));
-	free(pw_epasswd);
-    }
+    if (pw_epasswd != NULL)
+	freezero(pw_epasswd, strlen(pw_epasswd));
     debug_return_int(AUTH_SUCCESS);
 }
 

plugins/sudoers/auth/securid5.c

@@ -176,10 +176,8 @@ sudo_securid_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_
                 /* Sometimes (when current token close to expire?)
                    ACE challenges for the next token displayed
                    (entered without the PIN) */
-		if (pass != NULL) {
-		    explicit_bzero(pass, strlen(pass));
-		    free(pass);
-		}
+		if (pass != NULL)
+		    freezero(pass, strlen(pass));
         	pass = auth_getpass("\
 !!! ATTENTION !!!\n\
 Wait for the token code to change, \n\
@@ -217,10 +215,8 @@ then enter the new token code.\n", \
     /* Free resources */
     SD_Close(*sd);
 
-    if (pass != NULL) {
-	explicit_bzero(pass, strlen(pass));
-	free(pass);
-    }
+    if (pass != NULL)
+	freezero(pass, strlen(pass));
 
     /* Return stored state to calling process */
     debug_return_int(ret);

plugins/sudoers/auth/sia.c

@@ -90,8 +90,7 @@ sudo_sia_verify(struct passwd *pw, char *prompt, sudo_auth *auth,
 
     /* Check password and zero out plaintext copy. */
     rc = sia_ses_authent(NULL, pass, siah);
-    explicit_bzero(pass, strlen(pass));
-    free(pass);
+    freezero(pass, strlen(pass));
 
     if (rc == SIASUCCESS)
 	debug_return_int(AUTH_SUCCESS);

plugins/sudoers/auth/sudo_auth.c

@@ -325,10 +325,8 @@ verify_user(struct passwd *pw, char *prompt, int validated,
 	    if (success != AUTH_FAILURE)
 		break;
 	}
-	if (pass != NULL) {
-	    explicit_bzero(pass, strlen(pass));
-	    free(pass);
-	}
+	if (pass != NULL)
+	    freezero(pass, strlen(pass));
 
 	if (success != AUTH_FAILURE)
 	    goto done;