From e2064b743d6d2ddf857358a623c6433c8f1eb59b Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 14 May 2025 22:38:46 +0200
Subject: [PATCH] pki: Make sure the buffer is zeroized too

Signed-off-by: Jakub Jelen
Reviewed-by: Eshan Kelkar
---
 src/pki_crypto.c | 2 ++
 src/pki_gcrypt.c | 2 ++
 src/pki_mbedcrypto.c | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index 1f894693..70e535fe 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -1547,6 +1547,8 @@ ssh_string pki_key_to_blob(const ssh_key key, enum ssh_key_e type)
 if (buffer == NULL) {
 return NULL;
 }
+ /* The buffer will contain sensitive information. Make sure it is erased */
+ ssh_buffer_set_secure(buffer);

 if (key->cert != NULL) {
 rc = ssh_buffer_add_buffer(buffer, key->cert);
diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c
index 8aec75e9..2361112b 100644
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
@@ -1409,6 +1409,8 @@ ssh_string pki_key_to_blob(const ssh_key key, enum ssh_key_e type)
 if (buffer == NULL) {
 return NULL;
 }
+ /* The buffer will contain sensitive information. Make sure it is erased */
+ ssh_buffer_set_secure(buffer);

 if (key->cert != NULL) {
 rc = ssh_buffer_add_buffer(buffer, key->cert);
diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c
index c0ba4d6d..57c87c56 100644
--- a/src/pki_mbedcrypto.c
+++ b/src/pki_mbedcrypto.c
@@ -890,6 +890,8 @@ ssh_string pki_key_to_blob(const ssh_key key, enum ssh_key_e type)
 if (buffer == NULL) {
 return NULL;
 }
+ /* The buffer will contain sensitive information. Make sure it is erased */
+ ssh_buffer_set_secure(buffer);

 if (key->cert != NULL) {
 rc = ssh_buffer_add_buffer(buffer, key->cert);
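Review bot: In the src/pki_crypto.c hunk, `ssh_buffer_set_secure(buffer)` protects only the temporary buffer, while `pki_key_to_blob()` returns its result as an `ssh_string`. The rest of the function is outside the hunk, but if the blob is copied out of the buffer before returning, that copy still carries the private key material for `SSH_KEY_PRIVATE` and is wiped only when the caller runs `ssh_string_burn()` before freeing it. That caller obligation is worth stating in the function's doc comment. The new comment could also say when the data is sensitive and why the call comes first: `/* For SSH_KEY_PRIVATE the buffer holds private key material; mark it secure before anything is appended so it is wiped when freed */`. The same applies to the identical hunks in src/pki_gcrypt.c and src/pki_mbedcrypto.c.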