pam: use PAM_REINITIALIZE_CRED

[opendoas.git] / pam.c

diff --git a/pam.c b/pam.c
index ee02b0faab8fa43d7c48e28d2f9cf569e9d2b82f..68294b275451c2e3ee9a88700b413114a261d748 100644 (file)
--- a/pam.c
+++ b/pam.c
@@ -23,10 +23,10 @@
 #include <errno.h>
 #include <limits.h>
 #include <pwd.h>
-#ifdef HAVE_READPASSPHRASE_H
+#ifdef HAVE_READPASSPHRASE
 #      include <readpassphrase.h>
 #else
-#      include "readpassphrase.h"
+#      include "sys-readpassphrase.h"
 #endif
 #include <signal.h>
 #include <stdio.h>
@@ -37,7 +37,8 @@
 
 #include <security/pam_appl.h>
 
-#include "includes.h"
+#include "openbsd.h"
+#include "doas.h"
 
 #ifndef HOST_NAME_MAX
 #define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
@@ -123,7 +124,7 @@ fail:
        for (i = 0; i < nmsgs; i++) {
                if (rsp[i].resp == NULL)
                        continue;
-               switch (style = msgs[i]->msg_style) {
+               switch (msgs[i]->msg_style) {
                case PAM_PROMPT_ECHO_OFF:
                case PAM_PROMPT_ECHO_ON:
                        explicit_bzero(rsp[i].resp, strlen(rsp[i].resp));
@@ -131,6 +132,7 @@ fail:
                }
                rsp[i].resp = NULL;
        }
+       free(rsp);
 
        return PAM_CONV_ERR;
 }
@@ -311,9 +313,9 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
                warn("pam_set_item(?, PAM_USER, \"%s\"): %s", user,
                    pam_strerror(pamh, ret));
 
-       ret = pam_setcred(pamh, PAM_ESTABLISH_CRED);
+       ret = pam_setcred(pamh, PAM_REINITIALIZE_CRED);
        if (ret != PAM_SUCCESS)
-               warn("pam_setcred(?, PAM_ESTABLISH_CRED): %s", pam_strerror(pamh, ret));
+               warn("pam_setcred(?, PAM_REINITIALIZE_CRED): %s", pam_strerror(pamh, ret));
        else
                cred = 1;