From 46c23a051cb0a1f92d7ead1393a1a3c3c63daf80 Mon Sep 17 00:00:00 2001
From: gabor-mezei-arm <gabor.mezei@arm.com>
Date: Thu, 29 Apr 2021 16:44:59 +0200
Subject: [PATCH] Fix error checking

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
---
 library/psa_crypto.c | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 33b97079c..5b9d8cb51 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -2489,24 +2489,26 @@ static psa_status_t psa_sign_internal( mbedtls_svc_key_id_t key,
 
     *signature_length = 0;
 
-    if( operation == PSA_SIGN_MESSAGE )
+    if( operation == PSA_SIGN_INVALID )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+    else
     {
         if( ! PSA_ALG_IS_SIGN_MESSAGE( alg ) )
             return( PSA_ERROR_INVALID_ARGUMENT );
 
-        if ( PSA_ALG_IS_HASH_AND_SIGN( alg ) )
+        if( operation == PSA_SIGN_MESSAGE )
         {
-            if( ! PSA_ALG_IS_HASH( PSA_ALG_SIGN_GET_HASH( alg ) ) )
-                return( PSA_ERROR_INVALID_ARGUMENT );
+            if ( PSA_ALG_IS_HASH_AND_SIGN( alg ) )
+            {
+                if( ! PSA_ALG_IS_HASH( PSA_ALG_SIGN_GET_HASH( alg ) ) )
+                    return( PSA_ERROR_INVALID_ARGUMENT );
+            }
         }
         /* Curently only hash-then-sign algorithms are supported. */
         else
             return( PSA_ERROR_INVALID_ARGUMENT );
     }
 
-    else if( operation == PSA_SIGN_INVALID )
-        return( PSA_ERROR_INVALID_ARGUMENT );
-
     /* Immediately reject a zero-length signature buffer. This guarantees
      * that signature must be a valid pointer. (On the other hand, the hash
      * buffer can in principle be empty since it doesn't actually have
@@ -2580,24 +2582,26 @@ static psa_status_t psa_verify_internal( mbedtls_svc_key_id_t key,
     psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
     psa_key_slot_t *slot;
 
-    if( operation == PSA_VERIFY_MESSAGE )
+    if( operation == PSA_VERIFY_INVALID )
+        return( PSA_ERROR_INVALID_ARGUMENT );
+    else
     {
         if( ! PSA_ALG_IS_SIGN_MESSAGE( alg ) )
             return( PSA_ERROR_INVALID_ARGUMENT );
 
-        if ( PSA_ALG_IS_HASH_AND_SIGN( alg ) )
+        if( operation == PSA_VERIFY_MESSAGE )
         {
-            if( ! PSA_ALG_IS_HASH( PSA_ALG_SIGN_GET_HASH( alg ) ) )
-                return( PSA_ERROR_INVALID_ARGUMENT );
+            if ( PSA_ALG_IS_HASH_AND_SIGN( alg ) )
+            {
+                if( ! PSA_ALG_IS_HASH( PSA_ALG_SIGN_GET_HASH( alg ) ) )
+                    return( PSA_ERROR_INVALID_ARGUMENT );
+            }
         }
         /* Curently only hash-then-sign algorithms are supported. */
         else
             return( PSA_ERROR_INVALID_ARGUMENT );
     }
 
-    else if( operation == PSA_VERIFY_INVALID )
-        return( PSA_ERROR_INVALID_ARGUMENT );
-
     status = psa_get_and_lock_key_slot_with_policy(
                 key, &slot,
                 operation == PSA_VERIFY_HASH ? PSA_KEY_USAGE_VERIFY_HASH :