clear the password even after a mismatch

diff --git a/doas.c b/doas.c
index a32713623b29bfe54c5ca07415ab1d53b12546cd..6223aff219168fa87f9a38909f9f072535114c21 100644 (file)
--- a/doas.c
+++ b/doas.c
@@ -234,6 +234,7 @@ authuser(char *myname, char *login_style, int persist)
                errx(1, "a tty is required");
        }
        if (!auth_userresponse(as, response, 0)) {
+               explicit_bzero(rbuf, sizeof(rbuf));
                syslog(LOG_AUTHPRIV | LOG_NOTICE,
                    "failed auth for %s", myname);
                errx(1, "Authorization failed");