diff --git a/src/auth.rs b/src/auth.rs
index 6a16910..df9e2af 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -64,34 +64,36 @@ unsafe extern "C" fn pam_conv_callback(
     resp: *mut *mut PamResponse,
     appdata_ptr: *mut libc::c_void,
 ) -> libc::c_int {
-    // Safety: appdata_ptr was set to a valid *const CString in authenticate()
-    let password = appdata_ptr as *const CString;
-    if password.is_null() {
-        return 7; // PAM_AUTH_ERR
+    unsafe {
+        // Safety: appdata_ptr was set to a valid *const CString in authenticate()
+        let password = appdata_ptr as *const CString;
+        if password.is_null() {
+            return 7; // PAM_AUTH_ERR
+        }
+
+        // Safety: calloc returns zeroed memory for num_msg PamResponse structs.
+        // PAM owns this memory and will free() it.
+        let resp_array = libc::calloc(
+            num_msg as libc::size_t,
+            std::mem::size_of::<PamResponse>() as libc::size_t,
+        ) as *mut PamResponse;
+
+        if resp_array.is_null() {
+            return 7; // PAM_AUTH_ERR
+        }
+
+        for i in 0..num_msg as isize {
+            // Safety: strdup allocates with malloc — PAM will free() the resp strings.
+            // We dereference password which is valid for the lifetime of authenticate().
+            let resp_ptr = resp_array.offset(i);
+            (*resp_ptr).resp = libc::strdup((*password).as_ptr());
+            (*resp_ptr).resp_retcode = 0;
+        }
+
+        // Safety: resp is a valid pointer provided by PAM
+        *resp = resp_array;
+        PAM_SUCCESS
     }
-
-    // Safety: calloc returns zeroed memory for num_msg PamResponse structs.
-    // PAM owns this memory and will free() it.
-    let resp_array = libc::calloc(
-        num_msg as libc::size_t,
-        std::mem::size_of::<PamResponse>() as libc::size_t,
-    ) as *mut PamResponse;
-
-    if resp_array.is_null() {
-        return 7; // PAM_AUTH_ERR
-    }
-
-    for i in 0..num_msg as isize {
-        // Safety: strdup allocates with malloc — PAM will free() the resp strings.
-        // We dereference password which is valid for the lifetime of authenticate().
-        let resp_ptr = resp_array.offset(i);
-        (*resp_ptr).resp = libc::strdup((*password).as_ptr());
-        (*resp_ptr).resp_retcode = 0;
-    }
-
-    // Safety: resp is a valid pointer provided by PAM
-    *resp = resp_array;
-    PAM_SUCCESS
 }
 
 /// Authenticate a user via PAM.
diff --git a/src/lockscreen.rs b/src/lockscreen.rs
index fa7c8f8..16727f4 100644
--- a/src/lockscreen.rs
+++ b/src/lockscreen.rs
@@ -47,7 +47,7 @@ pub fn create_lockscreen_window(
         }
     };
 
-    let mut fp_listener = FingerprintListener::new();
+    let fp_listener = FingerprintListener::new();
     let fp_available = config.fingerprint_enabled
         && fp_listener.is_available(&user.username);