Open
Description
A pedantic reviewer points out:
File: mldsa/src/sign.c, in mld_sign:
```c
ret = mld_sign_signature(sm, smlen, sm + MLDSA_CRYPTO_BYTES, mlen, ctx,
                         ctxlen, sk, context);
*smlen += mlen;
return ret;
```
If mld_sign_signature fails, it sets *siglen = 0. Then *smlen += mlen makes *smlen = mlen on failure. The CBMC contract says the function should return *smlen == MLDSA_CRYPTO_BYTES + mlen on success, but doesn't constrain *smlen on failure. However, returning a non-zero *smlen on failure could confuse callers into thinking there's valid data in the buffer. The mld_sign_open counterpart does set *mlen = 0 on failure.
Severity: Low (robustness). Consider setting *smlen = 0 on error for defensive consistency.
I tend to agree... we should set *smlen==0 on failure, and update the contracts and comments to match. Does this also affect the top-level API in mldsa_native.h?
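The following is an added example, not part of the issue and not the project's code: a minimal C model of the length handling described above, with the quoted pattern next to a variant that reports zero length on error. All `demo_*` names, `DEMO_SIG_BYTES`, the `fail` switch, the stubbed inner call and the message copy are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEMO_SIG_BYTES 16 /* constructed stand-in for MLDSA_CRYPTO_BYTES */
typedef int (*demo_sign_fn)(uint8_t *, size_t *, const uint8_t *, size_t, int);

/* Hypothetical stub for the inner signing call: on failure it reports a
 * zero signature length, as the issue describes for mld_sign_signature. */
static int demo_sign_signature(uint8_t *sig, size_t *siglen, int fail)
{
  if (fail) { *siglen = 0; return -1; }
  memset(sig, 0xA5, DEMO_SIG_BYTES); /* placeholder bytes, not a signature */
  *siglen = DEMO_SIG_BYTES;
  return 0;
}

/* Pattern quoted in the issue: the length is incremented unconditionally. */
int demo_sign_current(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, int fail)
{
  int ret;
  memmove(sm + DEMO_SIG_BYTES, m, mlen); /* assumed layout: signature || message */
  ret = demo_sign_signature(sm, smlen, fail);
  *smlen += mlen; /* on failure this leaves *smlen == mlen */
  return ret;
}

/* Variant proposed in the issue: no output length is reported on error. */
int demo_sign_hardened(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, int fail)
{
  int ret;
  memmove(sm + DEMO_SIG_BYTES, m, mlen);
  ret = demo_sign_signature(sm, smlen, fail);
  if (ret != 0) { *smlen = 0; return ret; }
  *smlen += mlen;
  return 0;
}

/* A caller that trusts the output length and drops the return code. */
size_t demo_len_seen_by_caller(demo_sign_fn sign, int fail)
{
  uint8_t sm[DEMO_SIG_BYTES + 8];
  const uint8_t msg[8] = "payload"; /* constructed 8-byte sample message */
  size_t smlen = 0;
  (void)sign(sm, &smlen, msg, sizeof msg, fail);
  return smlen;
}
```

With the current pattern a failed call leaves the caller holding a length of 8 for a buffer that contains no signature; the hardened variant leaves it at 0, matching what the issue notes about mld_sign_open.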