commit 3a96e431f52e0dc30405e20330aa6ac0f04790e3
from: Martijn van Duren <martijn@openbsd.org>
date: Thu Jan 17 09:27:01 2019 UTC

clear the password even after a mismatch

commit - b2396b2c55e3573bc93c1f004b695f71bb92b207
commit + 3a96e431f52e0dc30405e20330aa6ac0f04790e3
blob - cb9c9b44fd3af895600e7381a65cff17938f83fe
blob + 8133c3cfd7c7f834365b8c2b88095a93d5442580
--- vias.c
+++ vias.c
@@ -316,6 +316,7 @@ authuser(char *myname, char *login_style, int persist)
 		errx(1, "a tty is required");
 	}
 	if (!auth_userresponse(as, response, 0)) {
+		explicit_bzero(rbuf, sizeof(rbuf));
 		syslog(LOG_AUTHPRIV | LOG_NOTICE,
 		    "failed auth for %s", myname);
 		errc(1, EPERM, NULL);