From faf59babe846b4148af6331fcefe826a78e2dcfd Mon Sep 17 00:00:00 2001
From: Raef Coles <raef.coles@arm.com>
Date: Mon, 10 Oct 2022 15:40:56 +0100
Subject: [PATCH] Make LMS verification return VERIFY_FAILED more

To align with PSA error code rules on when VERIFY_FAILED is returned vs
INVALID_ARGUMENT

Signed-off-by: Raef Coles <raef.coles@arm.com>
---
 library/lmots.c |  2 +-
 library/lms.c   | 22 ++++++++++++++++------
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/library/lmots.c b/library/lmots.c
index 8ffadb89e..97325aa8e 100644
--- a/library/lmots.c
+++ b/library/lmots.c
@@ -565,7 +565,7 @@ int mbedtls_lmots_verify( const mbedtls_lmots_public_t *ctx,
                                                         NULL );
     if( ret )
     {
-        return( ret );
+        return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
     }
 
     if( memcmp( &Kc_public_key_candidate, ctx->public_key,
diff --git a/library/lms.c b/library/lms.c
index c115dac9d..de38c0283 100644
--- a/library/lms.c
+++ b/library/lms.c
@@ -322,11 +322,6 @@ int mbedtls_lms_verify( const mbedtls_lms_public_t *ctx,
         return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
     }
 
-    if( sig_size != MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype) )
-    {
-        return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
-    }
-
     if( ctx->params.type
         != MBEDTLS_LMS_SHA256_M32_H10 )
     {
@@ -339,6 +334,16 @@ int mbedtls_lms_verify( const mbedtls_lms_public_t *ctx,
         return( MBEDTLS_ERR_LMS_BAD_INPUT_DATA );
     }
 
+    if( sig_size != MBEDTLS_LMS_SIG_LEN(ctx->params.type, ctx->params.otstype) )
+    {
+        return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+    }
+
+    if( sig_size < SIG_OTS_SIG_OFFSET + MBEDTLS_LMOTS_TYPE_LEN )
+    {
+        return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+    }
+
     if( mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMOTS_TYPE_LEN,
             sig + SIG_OTS_SIG_OFFSET + MBEDTLS_LMOTS_SIG_TYPE_OFFSET )
         != MBEDTLS_LMOTS_SHA256_N32_W8 )
@@ -346,6 +351,11 @@ int mbedtls_lms_verify( const mbedtls_lms_public_t *ctx,
         return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
     }
 
+    if( sig_size < SIG_TYPE_OFFSET(ctx->params.otstype) + MBEDTLS_LMS_TYPE_LEN )
+    {
+        return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
+    }
+
     if( mbedtls_lms_network_bytes_to_unsigned_int( MBEDTLS_LMS_TYPE_LEN,
             sig + SIG_TYPE_OFFSET(ctx->params.otstype))
         != MBEDTLS_LMS_SHA256_M32_H10 )
@@ -376,7 +386,7 @@ int mbedtls_lms_verify( const mbedtls_lms_public_t *ctx,
             sizeof( Kc_candidate_ots_pub_key ), NULL );
     if( ret != 0 )
     {
-        return( ret );
+        return( MBEDTLS_ERR_LMS_VERIFY_FAILED );
     }
 
     create_merkle_leaf_value(