pki: Set ECDSA signature buffers secure

Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
2025-07-25 03:41:56 +03:00 · 2025-06-03 10:18:26 +02:00
parent b314fd3e04
commit b8e587e498
2 changed files with 5 additions and 0 deletions
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@ -2276,6 +2276,9 @@ static int pki_signature_from_ecdsa_blob(UNUSED_PARAM(const ssh_key pubkey),
        return SSH_ERROR;
    }

+    /* The buffer will contain sensitive information. Make sure it is erased */
+    ssh_buffer_set_secure(buf);
+
    rc = ssh_buffer_add_data(buf,
                             ssh_string_data(sig_blob),
                             (uint32_t)ssh_string_len(sig_blob));
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
@ -1848,6 +1848,8 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
                    ssh_signature_free(sig);
                    return NULL;
                }
+                /* The buffer will contain sensitive information. */
+                ssh_buffer_set_secure(b);

                rc = ssh_buffer_add_data(b,
                                         ssh_string_data(sig_blob),