From b22a24b23f7807fa406c61aa64a4d4fbbde18ffe Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Tue, 5 Nov 2019 16:56:39 +0100
Subject: [PATCH] Fix MBEDTLS_PK_SIGNATURE_MAX_SIZE to account for ECDSA

The original definition of MBEDTLS_PK_SIGNATURE_MAX_SIZE only took RSA into account. An ECDSA signature may be larger than the maximum possible RSA signature size, depending on build options; for example this is the case with config-suite-b.h.
---
 include/mbedtls/pk.h | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index a51177807..2fdc4c1fc 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -104,7 +104,37 @@ typedef struct mbedtls_pk_rsassa_pss_options
 /**
  * \brief Maximum size of a signature made by mbedtls_pk_sign().
  */
+/* This fallback value is used if there is no software signature support.
+ * This is possible even if check_config.h is included, for example if
+ * MBEDTLS_ECDH_C is enabled but neither MBEDTLS_ECDSA_C nor MBEDTLS_RSA_C.
+ * Use MBEDTLS_MPI_MAX_SIZE which is the maximum size than an RSA-alt
+ * implementation can produce, assuming that MBEDTLS_MPI_MAX_SIZE is set
+ * correctly. This is not necessarily the best choice of size and it may
+ * change in future versions. */
 #define MBEDTLS_PK_SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#if defined(MBEDTLS_RSA_C) && \
+ MBEDTLS_MPI_MAX_SIZE > MBEDTLS_PK_SIGNATURE_MAX_SIZE
+#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
+#define MBEDTLS_PK_SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+#if defined(MBEDTLS_ECDSA_C) && \
+ MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_PK_SIGNATURE_MAX_SIZE
+#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
+#define MBEDTLS_PK_SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
+#endif
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
+ PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE + 11 > MBEDTLS_PK_SIGNATURE_MAX_SIZE
+/* PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE is the maximum size of a signature made
+ * through the PSA API in the PSA representation.
+ * The Mbed TLS representation is different for ECDSA signatures:
+ * PSA uses the raw concatenation of r and s,
+ * whereas Mbed TLS uses the ASN.1 representation (SEQUENCE of two INTEGERs).
+ * Add the overhead of ASN.1: up to (1+2) + 2 * (1+2+1) for the
+ * types, lengths (represented by up to 2 bytes), and potential leading
+ * zeros of the INTEGERs and the SEQUENCE. */
+#undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
+#define MBEDTLS_PK_SIGNATURE_MAX_SIZE ( PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE + 11 )
+#endif
 
 /**
  * \brief Types for interfacing with the debug module
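Review bot: The comparisons `MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_PK_SIGNATURE_MAX_SIZE` and `PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE + 11 > MBEDTLS_PK_SIGNATURE_MAX_SIZE` silently evaluate an undefined macro as 0, so if ecdsa.h or psa/crypto.h is not already included above this point (any such includes are outside the hunk) the bound quietly stays at MBEDTLS_MPI_MAX_SIZE — the very undersized value this commit sets out to fix, and one that callers use to size the output buffer documented as "Maximum size of a signature made by mbedtls_pk_sign()". A loud guard makes the dependency explicit: `#if defined(MBEDTLS_ECDSA_C) && !defined(MBEDTLS_ECDSA_MAX_LEN)` / `#error "MBEDTLS_ECDSA_MAX_LEN must be defined before MBEDTLS_PK_SIGNATURE_MAX_SIZE is computed"` / `#endif`, with the same pattern for PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE under MBEDTLS_USE_PSA_CRYPTO. Separately, the first `#if defined(MBEDTLS_RSA_C)` block can never raise the bound because the fallback defined just above it is already MBEDTLS_MPI_MAX_SIZE; either drop it or say why it is kept, e.g. `/* Never raises the bound today; kept so each signing backend states its maximum explicitly. */`.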