Fix check on ML_DSA pubkey size at runtime

Author: danielinux

config/examples/sim-ml-dsa.config

@@ -25,8 +25,8 @@
 
 ARCH=sim
 TARGET=sim
-SIGN?=ML_DSA
-HASH?=SHA256
+SIGN=ML_DSA
+HASH=SHA256
 WOLFBOOT_SMALL_STACK=0
 SPI_FLASH=0
 DEBUG=0
@@ -38,17 +38,17 @@ DELTA_UPDATES=0
 # Category 2:
 ML_DSA_LEVEL=2
 IMAGE_SIGNATURE_SIZE=2420
-IMAGE_HEADER_SIZE?=8192
+IMAGE_HEADER_SIZE=8192
 #
 # Category 3:
 # ML_DSA_LEVEL=3
 # IMAGE_SIGNATURE_SIZE=3309
-# IMAGE_HEADER_SIZE?=8192
+# IMAGE_HEADER_SIZE=8192
 #
 # Category 5:
 # ML_DSA_LEVEL=5
 # IMAGE_SIGNATURE_SIZE=4627
-# IMAGE_HEADER_SIZE?=12288
+# IMAGE_HEADER_SIZE=12288
 # This example needsd larger sector size.
 # WOLFBOOT_SECTOR_SIZE=0x3000
 #

src/image.c

@@ -593,6 +593,7 @@ static void wolfBoot_verify_signature_xmss(uint8_t key_slot,
 
 #ifdef WOLFBOOT_SIGN_ML_DSA
 #include <wolfssl/wolfcrypt/dilithium.h>
+
 static void wolfBoot_verify_signature_ml_dsa(uint8_t key_slot,
         struct wolfBoot_image *img, uint8_t *sig)
 {
@@ -636,9 +637,9 @@ static void wolfBoot_verify_signature_ml_dsa(uint8_t key_slot,
             wolfBoot_printf("error: wc_MlDsaKey_GetPubLen returned %d\n", ret);
             ret = -1;
         }
-        else if (pub_len != KEYSTORE_PUBKEY_SIZE_ML_DSA) {
+        else if (pub_len > KEYSTORE_PUBKEY_SIZE) {
             wolfBoot_printf("error: ML-DSA pub key mismatch: got %d bytes " \
-                   "expected %d\n", pub_len, KEYSTORE_PUBKEY_SIZE_ML_DSA);
+                   "max %d\n", pub_len, KEYSTORE_PUBKEY_SIZE);
             ret = -1;
         }
     }