From f028fe195ba8ea50e3835b718540295aa5392e5c Mon Sep 17 00:00:00 2001
From: Ryan Everett <ryan.everett@arm.com>
Date: Mon, 8 Jan 2024 17:14:44 +0000
Subject: [PATCH] Protect buffer in psa_import_key

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
---
 library/psa_crypto.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index d21c13ea54..cc7dc09d60 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -2199,11 +2199,12 @@ rsa_exit:
 }
 
 psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
-                            const uint8_t *data,
+                            const uint8_t *data_external,
                             size_t data_length,
                             mbedtls_svc_key_id_t *key)
 {
     psa_status_t status;
+    LOCAL_INPUT_DECLARE(data_external, data);
     psa_key_slot_t *slot = NULL;
     psa_se_drv_table_entry_t *driver = NULL;
     size_t bits;
@@ -2223,6 +2224,8 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
         return PSA_ERROR_NOT_SUPPORTED;
     }
 
+    LOCAL_INPUT_ALLOC(data_external, data_length, data);
+
     status = psa_start_key_creation(PSA_KEY_CREATION_IMPORT, attributes,
                                     &slot, &driver);
     if (status != PSA_SUCCESS) {
@@ -2277,6 +2280,7 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
 
     status = psa_finish_key_creation(slot, driver, key);
 exit:
+    LOCAL_INPUT_FREE(data_external, data);
     if (status != PSA_SUCCESS) {
         psa_fail_key_creation(slot, driver);
     }