From e4ede51d8781f426570d24e55588ee62cf0ee58c Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 3 Jun 2025 10:18:26 +0200
Subject: [PATCH] pki: Set ECDSA signature buffers secure

Signed-off-by: Jakub Jelen
Reviewed-by: Eshan Kelkar
(cherry picked from commit b8e587e498284ff3c711e66c61bc1bfb38060f2f)
---
 src/pki_crypto.c | 3 +++
 src/pki_gcrypt.c | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index ed56824e..8ed428fb 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -2078,6 +2078,9 @@ static int pki_signature_from_ecdsa_blob(UNUSED_PARAM(const ssh_key pubkey),
 return SSH_ERROR;
 }
 
+ /* The buffer will contain sensitive information. Make sure it is erased */
+ ssh_buffer_set_secure(buf);
+
 rc = ssh_buffer_add_data(buf,
 ssh_string_data(sig_blob),
 ssh_string_len(sig_blob));
diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c
index 8aec75e9..ee087e42 100644
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
@@ -1846,6 +1846,8 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
 ssh_signature_free(sig);
 return NULL;
 }
+ /* The buffer will contain sensitive information. */
+ ssh_buffer_set_secure(b);
 rc = ssh_buffer_add_data(b, ssh_string_data(sig_blob),
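Review bot: Marking `buf` secure in pki_signature_from_ecdsa_blob covers only this intermediate buffer; `sig_blob` and anything later copied out of `buf` are separate allocations that this change does not wipe. The function body continues outside the hunk, so it is not visible whether those copies are already cleared (for example with `ssh_string_burn()` before they are freed), and that is worth confirming if the contents are sensitive as the comment states. The call is correctly placed before the first `ssh_buffer_add_data()`, and the comment could record why the order matters, e.g. `/* Mark secure before the first write so the data is wiped on realloc and free */`. The same points apply to the `ssh_buffer_set_secure(b)` hunk in src/pki_gcrypt.c, whose comment is also worded differently from this one.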