From b8e587e498284ff3c711e66c61bc1bfb38060f2f Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 3 Jun 2025 10:18:26 +0200
Subject: [PATCH] pki: Set ECDSA signature buffers secure

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Eshan Kelkar <eshankelkar@galorithm.com>
---
 src/pki_crypto.c | 3 +++
 src/pki_gcrypt.c | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index 70e535fe..ea0d5d49 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -2276,6 +2276,9 @@ static int pki_signature_from_ecdsa_blob(UNUSED_PARAM(const ssh_key pubkey),
         return SSH_ERROR;
     }
 
+    /* The buffer will contain sensitive information. Make sure it is erased */
+    ssh_buffer_set_secure(buf);
+
     rc = ssh_buffer_add_data(buf,
                              ssh_string_data(sig_blob),
                              (uint32_t)ssh_string_len(sig_blob));
diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c
index 2361112b..78abd323 100644
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
@@ -1848,6 +1848,8 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
                     ssh_signature_free(sig);
                     return NULL;
                 }
+                /* The buffer will contain sensitive information. */
+                ssh_buffer_set_secure(b);
 
                 rc = ssh_buffer_add_data(b,
                                          ssh_string_data(sig_blob),