esp_rsa_sign_alt: Fix esp_init_ds_data_ctx API to not modify user defined data when it is given directory from flash

components/mbedtls/port/esp_ds/esp_rsa_sign_alt.c

@@ -14,6 +14,7 @@
 
 #include "esp_ds.h"
 #include "rsa_sign_alt.h"
+#include "soc/soc_memory_types.h"
 
 #ifdef CONFIG_IDF_TARGET_ESP32S2
 #include "esp32s2/rom/digital_signature.h"
@@ -70,7 +71,7 @@ void esp_ds_set_session_timeout(int timeout)
     }
 }
 
-esp_err_t  esp_ds_init_data_ctx(esp_ds_data_ctx_t *ds_data)
+esp_err_t esp_ds_init_data_ctx(esp_ds_data_ctx_t *ds_data)
 {
     if (ds_data == NULL || ds_data->esp_ds_data == NULL) {
         return ESP_ERR_INVALID_ARG;
@@ -82,8 +83,22 @@ esp_err_t  esp_ds_init_data_ctx(esp_ds_data_ctx_t *ds_data)
     }
     s_ds_data = ds_data->esp_ds_data;
     s_esp_ds_hmac_key_id = (hmac_key_id_t) ds_data->efuse_key_id;
-    /* calculate the rsa_length in terms of esp_digital_signature_length_t which is required for the internal DS API */
-    s_ds_data->rsa_length = (ds_data->rsa_length_bits / 32) - 1;
+
+    const unsigned rsa_length_int = (ds_data->rsa_length_bits / 32) - 1;
+    if (esp_ptr_byte_accessible(s_ds_data)) {
+        /* calculate the rsa_length in terms of esp_digital_signature_length_t which is required for the internal DS API */
+        s_ds_data->rsa_length = rsa_length_int;
+    } else if (s_ds_data->rsa_length != rsa_length_int) {
+        /*
+         * Configuration data is most likely from DROM segment and it
+         * is not properly formatted for all parameters consideration.
+         * Moreover, we can not modify as it is read-only and hence
+         * the error.
+         */
+        ESP_LOGE(TAG, "RSA length mismatch %u, %u", s_ds_data->rsa_length, rsa_length_int);
+        return ESP_ERR_INVALID_ARG;
+    }
+
     return ESP_OK;
 }