From d0ef7afdfac16afad59676ef7e2583fdeb0c5b00 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 14 May 2025 22:38:46 +0200
Subject: [PATCH] pki: Make sure the buffer is zeroized too

Signed-off-by: Jakub Jelen
Reviewed-by: Eshan Kelkar
(cherry picked from commit e2064b743d6d2ddf857358a623c6433c8f1eb59b)
---
 src/pki_crypto.c | 2 ++
 src/pki_gcrypt.c | 2 ++
 src/pki_mbedcrypto.c | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index cbe8e290..cbbd1347 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -1428,6 +1428,8 @@ ssh_string pki_key_to_blob(const ssh_key key, enum ssh_key_e type)
 if (buffer == NULL) {
 return NULL;
 }
+ /* The buffer will contain sensitive information. Make sure it is erased */
+ ssh_buffer_set_secure(buffer);
 if (key->cert != NULL) {
 rc = ssh_buffer_add_buffer(buffer, key->cert);
diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c
index 249346df..96901faa 100644
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
@@ -1409,6 +1409,8 @@ ssh_string pki_key_to_blob(const ssh_key key, enum ssh_key_e type)
 if (buffer == NULL) {
 return NULL;
 }
+ /* The buffer will contain sensitive information. Make sure it is erased */
+ ssh_buffer_set_secure(buffer);
 if (key->cert != NULL) {
 rc = ssh_buffer_add_buffer(buffer, key->cert);
diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c
index ce150557..590e61d5 100644
--- a/src/pki_mbedcrypto.c
+++ b/src/pki_mbedcrypto.c
@@ -890,6 +890,8 @@ ssh_string pki_key_to_blob(const ssh_key key, enum ssh_key_e type)
 if (buffer == NULL) {
 return NULL;
 }
+ /* The buffer will contain sensitive information. Make sure it is erased */
+ ssh_buffer_set_secure(buffer);
 if (key->cert != NULL) {
 rc = ssh_buffer_add_buffer(buffer, key->cert);
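Review bot: The `ssh_buffer_set_secure(buffer)` call added in the `src/pki_crypto.c` hunk protects only the intermediate `ssh_buffer`, while `pki_key_to_blob` returns an `ssh_string`, so the same key bytes presumably end up in a second allocation that this change does not cover. The identical hunks in `src/pki_gcrypt.c` and `src/pki_mbedcrypto.c` have the same gap. The rest of the function and its callers are outside these hunks, so it is worth confirming that every caller that requests the private part wipes the returned blob (for example with `ssh_string_burn()`) before freeing it, and that any temporary strings built later in the body are wiped as well. The added comment could state that contract and why the call sits before the first append, e.g. `/* May hold private key material: mark secure before any data is added so the storage is wiped on release. The returned ssh_string must still be burned by the caller. */`.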