LMS: address review findings on Wconversion cleanup

- Fix small-variant signing regression (review finding bonus): reverting
  word16 sum -> unsigned int in wc_lmots_q_expand broke the small-variant
  checksum loop, which relies on arithmetic wrapping at 2^16. Restore
  word16 sum with explicit (word16) casts at every assignment so the
  -Wconversion warning is silenced without changing semantics. Caught by
  the new runtime test job (also added).
- Fix 16-bit shift UB (review #1): the matrix doesn't cover 16-bit, but
  on word32 = unsigned long targets `1U << params->height` is undefined
  for height >= 16. Restore (word32)1U on every shift whose exponent can
  reach height (LMS_Q_AT_LEVEL macro and four open-coded sites).
- Add msgSz <= 0 check to wc_LmsKey_Verify (review #2): wc_LmsKey_Sign
  already rejects non-positive msgSz; the public verify entry point did
  not. Without it, the (word32)msgSz cast forwarded a huge value to
  wc_hss_verify and caused buffer over-read.
- Add a test_lms_runtime CI job (review #11): the existing matrix only
  builds; it cannot catch a semantic regression like the q_expand one
  above. The new job builds --enable-lms and --enable-lms=yes,small and
  runs testwolfcrypt for both.
- Make wc_hss_make_key loop index word32 (review #10) so the (int)cast
  on HSS_MAX_LEVELS in the second-loop bound is no longer needed.
- Add LMOTS_Y_LEN as the canonical name for the LM-OTS y[] length and
  alias LMS_PRIV_Y_TREE_LEN to it (review #6); switch the non-cache
  call sites in wc_hss_sign / wc_lms_sig_copy / wc_hss_sign_build_sig
  to LMOTS_Y_LEN to match intent.

Verified: 15 matrix rows still build clean under the conversion flags;
testwolfcrypt LMS Vfy / LMS pass for --enable-lms, --enable-lms=yes,small,
and --enable-lms=yes,small,sha256-192,shake256; bench_lms shows no
regression.

https://claude.ai/code/session_01EJmy1bKDgHseTwZ5Qqpu1g

Author: claude

.github/workflows/wolfCrypt-Wconversion.yml

@@ -55,3 +55,29 @@ jobs:
           echo "running ./configure ${{ matrix.config }}"
           ./configure ${{ matrix.config }} || $(exit 3)
           make -j 4 || $(exit 4)
+
+  # Compiler-clean (above) doesn't catch a bad cast that silently changes
+  # the wire output. Run testwolfcrypt's lms_test under the same conversion
+  # flags on the default and small LMS variants.
+  test_lms_runtime:
+    strategy:
+      matrix:
+        config: [
+          '--enable-lms CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual"',
+          '--enable-lms=yes,small CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual"',
+        ]
+    name: test LMS runtime
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 6
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Build and run wolfCrypt LMS tests
+        run: |
+          ./autogen.sh || $(exit 2)
+          echo "running ./configure ${{ matrix.config }}"
+          ./configure ${{ matrix.config }} || $(exit 3)
+          make -j 4 || $(exit 4)
+          ./wolfcrypt/test/testwolfcrypt || $(exit 5)

wolfcrypt/src/wc_lms.c

@@ -1492,6 +1492,7 @@ int wc_LmsKey_GetSigLen(const LmsKey* key, word32* len)
  * @param [in] msgSz  Length of the message in bytes.
  * @return  0 on success.
  * @return  BAD_FUNC_ARG when a key, sig or msg is NULL.
+ * @return  BAD_FUNC_ARG when msgSz is not greater than 0.
  * @return  SIG_VERIFY_E when signature did not verify message.
  * @return  BAD_STATE_E when wrong state for operation.
  * @return  BUFFER_E when sigSz is invalid for parameters.
@@ -1505,6 +1506,9 @@ int wc_LmsKey_Verify(LmsKey* key, const byte* sig, word32 sigSz,
     if ((key == NULL) || (sig == NULL) || (msg == NULL)) {
         ret = BAD_FUNC_ARG;
     }
+    if ((ret == 0) && (msgSz <= 0)) {
+        ret = BAD_FUNC_ARG;
+    }
     /* Check state. */
     if ((ret == 0) && (key->state != WC_LMS_STATE_OK) &&
             (key->state != WC_LMS_STATE_VERIFYONLY)) {

wolfcrypt/src/wc_lms_impl.c

@@ -689,7 +689,11 @@ static WC_INLINE int wc_lmots_q_expand(byte* q, word8 n, word8 w, word8 ls,
     byte* qe)
 {
     int ret = 0;
-    unsigned int sum;
+    /* sum is word16: the small-variant checksum loop below relies on
+     * arithmetic wrapping at 2^16 (sum <<= w then sum >> (16 - w) reads the
+     * top byte of the rolled value). Switching to a wider type would let
+     * those high bits leak into subsequent reads. */
+    word16 sum;
     unsigned int i;
 
 #ifndef WOLFSSL_WC_LMS_SMALL
@@ -699,27 +703,27 @@ static WC_INLINE int wc_lmots_q_expand(byte* q, word8 n, word8 w, word8 ls,
             /* No expansion required, just copy. */
             XMEMCPY(qe, q, n);
             /* Start sum with all 2^w - 1s and subtract from that. */
-            sum = 0xffU * n;
+            sum = (word16)(0xffU * n);
             /* For each byte of the hash. */
             for (i = 0; i < n; i++) {
                 /* Subtract coefficient from sum. */
-                sum -= q[i];
+                sum = (word16)(sum - q[i]);
             }
             /* Put coefficients of checksum on the end. */
             qe[n + 0] = (word8)(sum >> 8);
             qe[n + 1] = (word8)(sum     );
             break;
         /* Winternitz width of 4. */
         case 4:
-            sum = 2U * 0xfU * n;
+            sum = (word16)(2U * 0xfU * n);
             /* For each byte of the hash. */
             for (i = 0; i < n; i++) {
                 /* Get coefficient. */
                 qe[0] = (q[i] >> 4)      ;
                 qe[1] = (q[i]     ) & 0xf;
                 /* Subtract coefficients from sum. */
-                sum -= qe[0];
-                sum -= qe[1];
+                sum = (word16)(sum - qe[0]);
+                sum = (word16)(sum - qe[1]);
                 /* Move to next coefficients. */
                 qe += 2;
             }
@@ -730,7 +734,7 @@ static WC_INLINE int wc_lmots_q_expand(byte* q, word8 n, word8 w, word8 ls,
             break;
         /* Winternitz width of 2. */
         case 2:
-            sum = 4U * 0x3U * n;
+            sum = (word16)(4U * 0x3U * n);
             /* For each byte of the hash. */
             for (i = 0; i < n; i++) {
                 /* Get coefficients. */
@@ -739,10 +743,10 @@ static WC_INLINE int wc_lmots_q_expand(byte* q, word8 n, word8 w, word8 ls,
                 qe[2] = (q[i] >> 2) & 0x3;
                 qe[3] = (q[i]     ) & 0x3;
                 /* Subtract coefficients from sum. */
-                sum -= qe[0];
-                sum -= qe[1];
-                sum -= qe[2];
-                sum -= qe[3];
+                sum = (word16)(sum - qe[0]);
+                sum = (word16)(sum - qe[1]);
+                sum = (word16)(sum - qe[2]);
+                sum = (word16)(sum - qe[3]);
                 /* Move to next coefficients. */
                 qe += 4;
             }
@@ -755,7 +759,7 @@ static WC_INLINE int wc_lmots_q_expand(byte* q, word8 n, word8 w, word8 ls,
             break;
         /* Winternitz width of 1. */
         case 1:
-            sum = 8U * 0x01U * n;
+            sum = (word16)(8U * 0x01U * n);
             /* For each byte of the hash. */
             for (i = 0; i < n; i++) {
                 /* Get coefficients. */
@@ -768,14 +772,14 @@ static WC_INLINE int wc_lmots_q_expand(byte* q, word8 n, word8 w, word8 ls,
                 qe[6] = (q[i] >> 1) & 0x1;
                 qe[7] = (q[i]     ) & 0x1;
                 /* Subtract coefficients from sum. */
-                sum -= qe[0];
-                sum -= qe[1];
-                sum -= qe[2];
-                sum -= qe[3];
-                sum -= qe[4];
-                sum -= qe[5];
-                sum -= qe[6];
-                sum -= qe[7];
+                sum = (word16)(sum - qe[0]);
+                sum = (word16)(sum - qe[1]);
+                sum = (word16)(sum - qe[2]);
+                sum = (word16)(sum - qe[3]);
+                sum = (word16)(sum - qe[4]);
+                sum = (word16)(sum - qe[5]);
+                sum = (word16)(sum - qe[6]);
+                sum = (word16)(sum - qe[7]);
                 /* Move to next coefficients. */
                 qe += 8;
             }
@@ -811,7 +815,7 @@ static WC_INLINE int wc_lmots_q_expand(byte* q, word8 n, word8 w, word8 ls,
 
     if (ret == 0) {
         /* Start sum with all 2^w - 1s and subtract from that. */
-        sum = ((1U << w) - 1U) * ((n * 8U) / w);
+        sum = (word16)(((1U << w) - 1U) * ((n * 8U) / w));
         /* For each byte of the hash. */
         for (i = 0; i < n; i++) {
             /* Get next byte. */
@@ -821,21 +825,21 @@ static WC_INLINE int wc_lmots_q_expand(byte* q, word8 n, word8 w, word8 ls,
                 /* Get coefficient. */
                 *qe = (byte)(a >> (8 - w));
                 /* Subtract coefficient from sum. */
-                sum -= *qe;
+                sum = (word16)(sum - *qe);
                 /* Move to next coefficient. */
                 qe++;
                 /* Remove width bits. */
                 a = (byte)(a << w);
             }
         }
         /* Shift sum up as required to pack it on the end of hash. */
-        sum <<= ls;
+        sum = (word16)(sum << ls);
         /* For each width bit of checksum. */
         for (j = 16 - w; j >= ls; j--) {
             /* Get coefficient. */
             *(qe++) = (byte)(sum >> (16 - w));
             /* Remove width bits. */
-            sum <<= w;
+            sum = (word16)(sum << w);
         }
     }
 #endif /* !WOLFSSL_WC_LMS_SMALL */
@@ -2242,7 +2246,8 @@ static int wc_lms_treehash_init(LmsState* state, LmsPrivState* privState,
             /* Copy out top root nodes. */
             if ((h > params->height - params->rootLevels) &&
                     ((i >> (h-1)) != ((i + 1) >> (h - 1)))) {
-                word32 off = (1U << (params->height - h)) + (i >> h) - 1U;
+                word32 off = ((word32)1U << (params->height - h)) +
+                    (i >> h) - 1U;
                 XMEMCPY(root + off * params->hash_len, temp, params->hash_len);
             }
 
@@ -2393,7 +2398,8 @@ static int wc_lms_treehash_update(LmsState* state, LmsPrivState* privState,
             if ((ret == 0) && (q == 0) && (!useRoot) &&
                     (h > params->height - params->rootLevels) &&
                     ((i >> (h-1)) != ((i + 1) >> (h - 1)))) {
-                word32 off = (1U << (params->height - h)) + (i >> h) - 1U;
+                word32 off = ((word32)1U << (params->height - h)) +
+                    (i >> h) - 1U;
                 XMEMCPY(privState->root + off * params->hash_len, temp,
                     params->hash_len);
             }
@@ -2506,8 +2512,8 @@ static void wc_lms_sig_copy(const LmsParams* params, const byte* y,
     c32toa(params->lmOtsType & LMS_H_W_MASK, sig);
     sig += LMS_TYPE_LEN;
     /* S = u32str(q) || ots_signature || ... */
-    XMEMCPY(sig, y, LMS_PRIV_Y_TREE_LEN(params->p, params->hash_len));
-    sig += LMS_PRIV_Y_TREE_LEN(params->p, params->hash_len);
+    XMEMCPY(sig, y, LMOTS_Y_LEN(params->p, params->hash_len));
+    sig += LMOTS_Y_LEN(params->p, params->hash_len);
     /* S = u32str(q) || ots_signature || u32str(type) || ... */
     c32toa(params->lmsType & LMS_H_W_MASK, sig);
 }
@@ -3001,7 +3007,7 @@ static int wc_hss_derive_seed_i(LmsState* state, const byte* id,
 /* Get q, index, of leaf at the specified level. */
 #define LMS_Q_AT_LEVEL(q, ls, l, h)                                 \
     (w64GetLow32(w64ShiftRight((q), (((ls) - 1 - (l)) * (h)))) &    \
-     ((1U << (h)) - 1U))
+     (((word32)1U << (h)) - 1U))
 
 /* Expand the seed and I for further levels and set q for each level.
  *
@@ -3069,7 +3075,7 @@ static int wc_hss_expand_private_key(LmsState* state, byte* priv,
 
         /* Get q for level from 64-bit composite. */
         q32 = w64GetLow32(w64ShiftRight(q, (int)(params->levels - 1U - i) *
-            params->height)) & ((1U << params->height) - 1U);
+            params->height)) & (((word32)1U << params->height) - 1U);
         /* Set q of tree. */
         c32toa(q32, priv);
 
@@ -3362,7 +3368,8 @@ static int wc_hss_update_auth_path(LmsState* state, HssPrivKey* priv_key,
                 word32 qm1a = LMS_AUTH_PATH_IDX(q - 1, h);
                 /* If different then copy in cached hash. */
                 if ((qa != qm1a) && (qa > maxq)) {
-                    word32 off = (1U << (params->height - h)) + (qa >> h) - 1U;
+                    word32 off = ((word32)1U << (params->height - h)) +
+                        (qa >> h) - 1U;
                     XMEMCPY(privState->auth_path + h * params->hash_len,
                         privState->root + off * params->hash_len,
                         params->hash_len);
@@ -3605,7 +3612,7 @@ int wc_hss_make_key(LmsState* state, WC_RNG* rng, byte* priv_raw,
 {
     const LmsParams* params = state->params;
     int ret = 0;
-    int i;
+    word32 i;
     byte* p = priv_raw;
     byte* pub_root = pub + LMS_L_LEN + LMS_TYPE_LEN + LMS_TYPE_LEN + LMS_I_LEN;
 
@@ -3619,7 +3626,7 @@ int wc_hss_make_key(LmsState* state, WC_RNG* rng, byte* priv_raw,
                       (params->lmOtsType & LMS_H_W_MASK));
     }
     /* Set rest of levels to an invalid value. */
-    for (; i < (int)HSS_MAX_LEVELS; i++) {
+    for (; i < HSS_MAX_LEVELS; i++) {
         p[i] = 0xff;
     }
     p += HSS_PRIV_KEY_PARAM_SET_LEN;
@@ -3744,7 +3751,7 @@ int wc_hss_sign(LmsState* state, byte* priv_raw, HssPrivKey* priv_key,
             ret = wc_lms_sign(state, p, msg, msgSz, sig);
             if (ret == 0) {
                 byte* s = sig + LMS_Q_LEN + LMS_TYPE_LEN +
-                    LMS_PRIV_Y_TREE_LEN(params->p, params->hash_len) +
+                    LMOTS_Y_LEN(params->p, params->hash_len) +
                     LMS_TYPE_LEN;
                 byte* priv_q = p;
                 byte* priv_seed = priv_q + LMS_Q_LEN;
@@ -3879,8 +3886,7 @@ static int wc_hss_sign_build_sig(LmsState* state, byte* priv_raw,
                     LMS_PRIV_Y_TREE_LEN(params->p, params->hash_len));
             }
         #endif /* !WOLFSSL_LMS_NO_SIG_CACHE */
-            s += LMS_PRIV_Y_TREE_LEN(params->p, params->hash_len) +
-                LMS_TYPE_LEN;
+            s += LMOTS_Y_LEN(params->p, params->hash_len) + LMS_TYPE_LEN;
 
             /* Copy the authentication path out of the private key. */
             XMEMCPY(s, priv_key->state[i].auth_path,

wolfssl/wolfcrypt/wc_lms.h

@@ -479,12 +479,16 @@ enum wc_LmsState {
     #define LMS_PRIV_SMOOTH_LEN(l, h, rl, cb, hLen)     0U
 #endif
 
-/* Length of one LM-OTS y[]: the C randomizer plus p hashes. Always defined
- * (independent of WOLFSSL_LMS_NO_SIG_CACHE) because it is also used to walk
- * the in-memory signature layout, not just the y cache. */
-#define LMS_PRIV_Y_TREE_LEN(p, hLen)                                \
+/* Length of one LM-OTS y[]: the C randomizer plus p hashes. */
+#define LMOTS_Y_LEN(p, hLen)                                        \
     ((word32)(hLen) + (word32)(p) * (word32)(hLen))
 
+/* Length of one LM-OTS y[] when stored in the per-level y cache. Same value
+ * as LMOTS_Y_LEN; kept as a separate name for the cache call sites. Always
+ * defined (independent of WOLFSSL_LMS_NO_SIG_CACHE) because it is also used
+ * to walk the in-memory signature layout, not just the y cache. */
+#define LMS_PRIV_Y_TREE_LEN(p, hLen)    LMOTS_Y_LEN(p, hLen)
+
 #ifndef WOLFSSL_LMS_NO_SIG_CACHE
     /* Length of the y data cached in private key data. */
     #define LMS_PRIV_Y_LEN(l, p, hLen)                              \