kern/lib/crypto/2rsa.c - upstream - Git at Google

 /* Copyright (c) 2014 The Chromium OS Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */

 /*
  * Implementation of RSA signature verification which uses a pre-processed key
  * for computation. The code extends Android's RSA verification code to support
  * multiple RSA key lengths and hash digest algorithms.
  */

 #include <crypto/2sysincludes.h>
 #include <crypto/2common.h>
 #include <crypto/2rsa.h>
 #include <crypto/2sha.h>

 /**
  * a[] -= mod
  */
 static void subM(const struct vb2_public_key *key, uint32_t *a)
 {
 	int64_t A = 0;
 	uint32_t i;
 	for (i = 0; i < key->arrsize; ++i) {
 		A += (uint64_t)a[i] - key->n[i];
 		a[i] = (uint32_t)A;
 		A >>= 32;
 	}
 }

 /**
  * Return a[] >= mod
  */
 int vb2_mont_ge(const struct vb2_public_key *key, uint32_t *a)
 {
 	uint32_t i;
 	for (i = key->arrsize; i;) {
 		--i;
 		if (a[i] < key->n[i])
 			return 0;
 		if (a[i] > key->n[i])
 			return 1;
 	}
 	return 1;  /* equal */
 }

 /**
  * Montgomery c[] += a * b[] / R % mod
  */
 static void montMulAdd(const struct vb2_public_key *key,
                        uint32_t *c,
                        const uint32_t a,
                        const uint32_t *b)
 {
 	uint64_t A = (uint64_t)a * b[0] + c[0];
 	uint32_t d0 = (uint32_t)A * key->n0inv;
 	uint64_t B = (uint64_t)d0 * key->n[0] + (uint32_t)A;
 	uint32_t i;

 	for (i = 1; i < key->arrsize; ++i) {
 		A = (A >> 32) + (uint64_t)a * b[i] + c[i];
 		B = (B >> 32) + (uint64_t)d0 * key->n[i] + (uint32_t)A;
 		c[i - 1] = (uint32_t)B;
 	}

 	A = (A >> 32) + (B >> 32);

 	c[i - 1] = (uint32_t)A;

 	if (A >> 32) {
 		subM(key, c);
 	}
 }

 /**
  * Montgomery c[] = a[] * b[] / R % mod
  */
 static void montMul(const struct vb2_public_key *key,
                     uint32_t *c,
                     const uint32_t *a,
                     const uint32_t *b)
 {
 	uint32_t i;
 	for (i = 0; i < key->arrsize; ++i) {
 		c[i] = 0;
 	}
 	for (i = 0; i < key->arrsize; ++i) {
 		montMulAdd(key, c, a[i], b);
 	}
 }

 /**
  * In-place public exponentiation. (65537}
  *
  * @param key		Key to use in signing
  * @param inout		Input and output big-endian byte array
  * @param workbuf32	Work buffer; caller must verify this is
  *			(3 * key->arrsize) elements long.
  */
 static void modpowF4(const struct vb2_public_key *key, uint8_t *inout,
 		    uint32_t *workbuf32)
 {
 	uint32_t *a = workbuf32;
 	uint32_t *aR = a + key->arrsize;
 	uint32_t *aaR = aR + key->arrsize;
 	uint32_t *aaa = aaR;  /* Re-use location. */
 	int i;

 	/* Convert from big endian byte array to little endian word array. */
 	for (i = 0; i < (int)key->arrsize; ++i) {
 		uint32_t tmp =
 			(inout[((key->arrsize - 1 - i) * 4) + 0] << 24) |
 			(inout[((key->arrsize - 1 - i) * 4) + 1] << 16) |
 			(inout[((key->arrsize - 1 - i) * 4) + 2] << 8) |
 			(inout[((key->arrsize - 1 - i) * 4) + 3] << 0);
 		a[i] = tmp;
 	}

 	montMul(key, aR, a, key->rr);  /* aR = a * RR / R mod M   */
 	for (i = 0; i < 16; i+=2) {
 		montMul(key, aaR, aR, aR);  /* aaR = aR * aR / R mod M */
 		montMul(key, aR, aaR, aaR);  /* aR = aaR * aaR / R mod M */
 	}
 	montMul(key, aaa, aR, a);  /* aaa = aR * a / R mod M */


 	/* Make sure aaa < mod; aaa is at most 1x mod too large. */
 	if (vb2_mont_ge(key, aaa)) {
 		subM(key, aaa);
 	}

 	/* Convert to bigendian byte array */
 	for (i = (int)key->arrsize - 1; i >= 0; --i) {
 		uint32_t tmp = aaa[i];
 		*inout++ = (uint8_t)(tmp >> 24);
 		*inout++ = (uint8_t)(tmp >> 16);
 		*inout++ = (uint8_t)(tmp >>  8);
 		*inout++ = (uint8_t)(tmp >>  0);
 	}
 }


 static const uint8_t crypto_to_sig[] = {
 	VB2_SIG_RSA1024,
 	VB2_SIG_RSA1024,
 	VB2_SIG_RSA1024,
 	VB2_SIG_RSA2048,
 	VB2_SIG_RSA2048,
 	VB2_SIG_RSA2048,
 	VB2_SIG_RSA4096,
 	VB2_SIG_RSA4096,
 	VB2_SIG_RSA4096,
 	VB2_SIG_RSA8192,
 	VB2_SIG_RSA8192,
 	VB2_SIG_RSA8192,
 };

 /**
  * Convert vb2_crypto_algorithm to vb2_signature_algorithm.
  *
  * @param algorithm	Crypto algorithm (vb2_crypto_algorithm)
  *
  * @return The signature algorithm for that crypto algorithm, or
  * VB2_SIG_INVALID if the crypto algorithm or its corresponding signature
  * algorithm is invalid or not supported.
  */
 enum vb2_signature_algorithm vb2_crypto_to_signature(uint32_t algorithm)
 {
 	if (algorithm < ARRAY_SIZE(crypto_to_sig))
 		return crypto_to_sig[algorithm];
 	else
 		return VB2_SIG_INVALID;
 }

 uint32_t vb2_rsa_sig_size(enum vb2_signature_algorithm sig_alg)
 {
 	switch (sig_alg) {
 	case VB2_SIG_RSA1024:
 		return 1024 / 8;
 	case VB2_SIG_RSA2048:
 		return 2048 / 8;
 	case VB2_SIG_RSA4096:
 		return 4096 / 8;
 	case VB2_SIG_RSA8192:
 		return 8192 / 8;
 	default:
 		return 0;
 	}
 }

 uint32_t vb2_packed_key_size(enum vb2_signature_algorithm sig_alg)
 {
 	uint32_t sig_size = vb2_rsa_sig_size(sig_alg);

 	if (!sig_size)
 		return 0;

 	/*
 	 * Total size needed by a RSAPublicKey buffer is =
 	 *  2 * key_len bytes for the n and rr arrays
 	 *  + sizeof len + sizeof n0inv.
 	 */
 	return 2 * sig_size + 2 * sizeof(uint32_t);
 }

 /*
  * PKCS 1.5 padding (from the RSA PKCS#1 v2.1 standard)
  *
  * Depending on the RSA key size and hash function, the padding is calculated
  * as follows:
  *
  * 0x00 || 0x01 || PS || 0x00 || T
  *
  * T: DER Encoded DigestInfo value which depends on the hash function used.
  *
  * SHA-1:   (0x)30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 || H.
  * SHA-256: (0x)30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || H.
  * SHA-512: (0x)30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40 || H.
  *
  * Length(T) = 35 octets for SHA-1
  * Length(T) = 51 octets for SHA-256
  * Length(T) = 83 octets for SHA-512
  *
  * PS: octet string consisting of {Length(RSA Key) - Length(T) - 3} 0xFF
  */
 static const uint8_t sha1_tail[] = {
 	0x00,0x30,0x21,0x30,0x09,0x06,0x05,0x2b,
 	0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14
 };

 static const uint8_t sha256_tail[] = {
 	0x00,0x30,0x31,0x30,0x0d,0x06,0x09,0x60,
 	0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,
 	0x05,0x00,0x04,0x20
 };

 static const uint8_t sha512_tail[] = {
 	0x00,0x30,0x51,0x30,0x0d,0x06,0x09,0x60,
 	0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,
 	0x05,0x00,0x04,0x40
 };

 int vb2_check_padding(const uint8_t *sig, const struct vb2_public_key *key)
 {
 	/* Determine padding to use depending on the signature type */
 	uint32_t sig_size = vb2_rsa_sig_size(key->sig_alg);
 	uint32_t hash_size = vb2_digest_size(key->hash_alg);
 	uint32_t pad_size = sig_size - hash_size;
 	const uint8_t *tail;
 	uint32_t tail_size;
 	int result = 0;
 	int i;

 	if (!sig_size || !hash_size || hash_size > sig_size)
 		return VB2_ERROR_RSA_PADDING_SIZE;

 	switch (key->hash_alg) {
 	case VB2_HASH_SHA1:
 		tail = sha1_tail;
 		tail_size = sizeof(sha1_tail);
 		break;
 	case VB2_HASH_SHA256:
 		tail = sha256_tail;
 		tail_size = sizeof(sha256_tail);
 		break;
 	case VB2_HASH_SHA512:
 		tail = sha512_tail;
 		tail_size = sizeof(sha512_tail);
 		break;
 	default:
 		return VB2_ERROR_RSA_PADDING_ALGORITHM;
 	}

 	/* First 2 bytes are always 0x00 0x01 */
 	result |= *sig++ ^ 0x00;
 	result |= *sig++ ^ 0x01;

 	/* Then 0xff bytes until the tail */
 	for (i = 0; i < pad_size - tail_size - 2; i++)
 		result |= *sig++ ^ 0xff;

 	/*
 	 * Then the tail.  Even though there are probably no timing issues
 	 * here, we use vb2_safe_memcmp() just to be on the safe side.
 	 */
 	result |= vb2_safe_memcmp(sig, tail, tail_size);

 	return result ? VB2_ERROR_RSA_PADDING : VB2_SUCCESS;
 }

 int vb2_rsa_verify_digest(const struct vb2_public_key *key,
 			  uint8_t *sig,
 			  const uint8_t *digest,
 			  const struct vb2_workbuf *wb)
 {
 	struct vb2_workbuf wblocal = *wb;
 	uint32_t *workbuf32;
 	uint32_t key_bytes;
 	int sig_size;
 	int pad_size;
 	int rv;

 	if (!key || !sig || !digest)
 		return VB2_ERROR_RSA_VERIFY_PARAM;

 	sig_size = vb2_rsa_sig_size(key->sig_alg);
 	if (!sig_size) {
 		VB2_DEBUG("Invalid signature type!\n");
 		return VB2_ERROR_RSA_VERIFY_ALGORITHM;
 	}

 	/* Signature length should be same as key length */
 	key_bytes = key->arrsize * sizeof(uint32_t);
 	if (key_bytes != sig_size) {
 		VB2_DEBUG("Signature is of incorrect length!\n");
 		return VB2_ERROR_RSA_VERIFY_SIG_LEN;
 	}

 	workbuf32 = vb2_workbuf_alloc(&wblocal, 3 * key_bytes);
 	if (!workbuf32) {
 		VB2_DEBUG("ERROR - vboot2 work buffer too small!\n");
 		return VB2_ERROR_RSA_VERIFY_WORKBUF;
 	}

 	modpowF4(key, sig, workbuf32);

 	vb2_workbuf_free(&wblocal, 3 * key_bytes);

 	/*
 	 * Check padding.  Only fail immediately if the padding size is bad.
 	 * Otherwise, continue on to check the digest to reduce the risk of
 	 * timing based attacks.
 	 */
 	rv = vb2_check_padding(sig, key);
 	if (rv == VB2_ERROR_RSA_PADDING_SIZE)
 		return rv;

 	/*
 	 * Check digest.  Even though there are probably no timing issues here,
 	 * use vb2_safe_memcmp() just to be on the safe side.  (That's also why
 	 * we don't return before this check if the padding check failed.)
 	 */
 	pad_size = sig_size - vb2_digest_size(key->hash_alg);
 	if (vb2_safe_memcmp(sig + pad_size, digest, key_bytes - pad_size)) {
 		VB2_DEBUG("Digest check failed!\n");
 		if (!rv)
 			rv = VB2_ERROR_RSA_VERIFY_DIGEST;
 	}

 	return rv;
 }
	/* Copyright (c) 2014 The Chromium OS Authors. All rights reserved.
	* Use of this source code is governed by a BSD-style license that can be
	* found in the LICENSE file.
	*/

	/*
	* Implementation of RSA signature verification which uses a pre-processed key
	* for computation. The code extends Android's RSA verification code to support
	* multiple RSA key lengths and hash digest algorithms.
	*/

	#include <crypto/2sysincludes.h>
	#include <crypto/2common.h>
	#include <crypto/2rsa.h>
	#include <crypto/2sha.h>

	/**
	* a[] -= mod
	*/
	static void subM(const struct vb2_public_key key, uint32_t a)
	{
	int64_t A = 0;
	uint32_t i;
	for (i = 0; i < key->arrsize; ++i) {
	A += (uint64_t)a[i] - key->n[i];
	a[i] = (uint32_t)A;
	A >>= 32;
	}
	}

	/**
	* Return a[] >= mod
	*/
	int vb2_mont_ge(const struct vb2_public_key key, uint32_t a)
	{
	uint32_t i;
	for (i = key->arrsize; i;) {
	--i;
	if (a[i] < key->n[i])
	return 0;
	if (a[i] > key->n[i])
	return 1;
	}
	return 1; /* equal */
	}

	/**
	* Montgomery c[] += a * b[] / R % mod
	*/
	static void montMulAdd(const struct vb2_public_key *key,
	uint32_t *c,
	const uint32_t a,
	const uint32_t *b)
	{
	uint64_t A = (uint64_t)a * b[0] + c[0];
	uint32_t d0 = (uint32_t)A * key->n0inv;
	uint64_t B = (uint64_t)d0 * key->n[0] + (uint32_t)A;
	uint32_t i;

	for (i = 1; i < key->arrsize; ++i) {
	A = (A >> 32) + (uint64_t)a * b[i] + c[i];
	B = (B >> 32) + (uint64_t)d0 * key->n[i] + (uint32_t)A;
	c[i - 1] = (uint32_t)B;
	}

	A = (A >> 32) + (B >> 32);

	c[i - 1] = (uint32_t)A;

	if (A >> 32) {
	subM(key, c);
	}
	}

	/**
	* Montgomery c[] = a[] * b[] / R % mod
	*/
	static void montMul(const struct vb2_public_key *key,
	uint32_t *c,
	const uint32_t *a,
	const uint32_t *b)
	{
	uint32_t i;
	for (i = 0; i < key->arrsize; ++i) {
	c[i] = 0;
	}
	for (i = 0; i < key->arrsize; ++i) {
	montMulAdd(key, c, a[i], b);
	}
	}

	/**
	* In-place public exponentiation. (65537}
	*
	* @param key Key to use in signing
	* @param inout Input and output big-endian byte array
	* @param workbuf32 Work buffer; caller must verify this is
	* (3 * key->arrsize) elements long.
	*/
	static void modpowF4(const struct vb2_public_key key, uint8_t inout,
	uint32_t *workbuf32)
	{
	uint32_t *a = workbuf32;
	uint32_t *aR = a + key->arrsize;
	uint32_t *aaR = aR + key->arrsize;
	uint32_t aaa = aaR; / Re-use location. */
	int i;

	/* Convert from big endian byte array to little endian word array. */
	for (i = 0; i < (int)key->arrsize; ++i) {
	uint32_t tmp =
	(inout[((key->arrsize - 1 - i) * 4) + 0] << 24) \|
	(inout[((key->arrsize - 1 - i) * 4) + 1] << 16) \|
	(inout[((key->arrsize - 1 - i) * 4) + 2] << 8) \|
	(inout[((key->arrsize - 1 - i) * 4) + 3] << 0);
	a[i] = tmp;
	}

	montMul(key, aR, a, key->rr); /* aR = a * RR / R mod M */
	for (i = 0; i < 16; i+=2) {
	montMul(key, aaR, aR, aR); /* aaR = aR * aR / R mod M */
	montMul(key, aR, aaR, aaR); /* aR = aaR * aaR / R mod M */
	}
	montMul(key, aaa, aR, a); /* aaa = aR * a / R mod M */


	/* Make sure aaa < mod; aaa is at most 1x mod too large. */
	if (vb2_mont_ge(key, aaa)) {
	subM(key, aaa);
	}

	/* Convert to bigendian byte array */
	for (i = (int)key->arrsize - 1; i >= 0; --i) {
	uint32_t tmp = aaa[i];
	*inout++ = (uint8_t)(tmp >> 24);
	*inout++ = (uint8_t)(tmp >> 16);
	*inout++ = (uint8_t)(tmp >> 8);
	*inout++ = (uint8_t)(tmp >> 0);
	}
	}


	static const uint8_t crypto_to_sig[] = {
	VB2_SIG_RSA1024,
	VB2_SIG_RSA1024,
	VB2_SIG_RSA1024,
	VB2_SIG_RSA2048,
	VB2_SIG_RSA2048,
	VB2_SIG_RSA2048,
	VB2_SIG_RSA4096,
	VB2_SIG_RSA4096,
	VB2_SIG_RSA4096,
	VB2_SIG_RSA8192,
	VB2_SIG_RSA8192,
	VB2_SIG_RSA8192,
	};

	/**
	* Convert vb2_crypto_algorithm to vb2_signature_algorithm.
	*
	* @param algorithm Crypto algorithm (vb2_crypto_algorithm)
	*
	* @return The signature algorithm for that crypto algorithm, or
	* VB2_SIG_INVALID if the crypto algorithm or its corresponding signature
	* algorithm is invalid or not supported.
	*/
	enum vb2_signature_algorithm vb2_crypto_to_signature(uint32_t algorithm)
	{
	if (algorithm < ARRAY_SIZE(crypto_to_sig))
	return crypto_to_sig[algorithm];
	else
	return VB2_SIG_INVALID;
	}

	uint32_t vb2_rsa_sig_size(enum vb2_signature_algorithm sig_alg)
	{
	switch (sig_alg) {
	case VB2_SIG_RSA1024:
	return 1024 / 8;
	case VB2_SIG_RSA2048:
	return 2048 / 8;
	case VB2_SIG_RSA4096:
	return 4096 / 8;
	case VB2_SIG_RSA8192:
	return 8192 / 8;
	default:
	return 0;
	}
	}

	uint32_t vb2_packed_key_size(enum vb2_signature_algorithm sig_alg)
	{
	uint32_t sig_size = vb2_rsa_sig_size(sig_alg);

	if (!sig_size)
	return 0;

	/*
	* Total size needed by a RSAPublicKey buffer is =
	* 2 * key_len bytes for the n and rr arrays
	* + sizeof len + sizeof n0inv.
	*/
	return 2 * sig_size + 2 * sizeof(uint32_t);
	}

	/*
	* PKCS 1.5 padding (from the RSA PKCS#1 v2.1 standard)
	*
	* Depending on the RSA key size and hash function, the padding is calculated
	* as follows:
	*
	* 0x00 \|\| 0x01 \|\| PS \|\| 0x00 \|\| T
	*
	* T: DER Encoded DigestInfo value which depends on the hash function used.
	*
	* SHA-1: (0x)30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 \|\| H.
	* SHA-256: (0x)30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 \|\| H.
	* SHA-512: (0x)30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40 \|\| H.
	*
	* Length(T) = 35 octets for SHA-1
	* Length(T) = 51 octets for SHA-256
	* Length(T) = 83 octets for SHA-512
	*
	* PS: octet string consisting of {Length(RSA Key) - Length(T) - 3} 0xFF
	*/
	static const uint8_t sha1_tail[] = {
	0x00,0x30,0x21,0x30,0x09,0x06,0x05,0x2b,
	0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14
	};

	static const uint8_t sha256_tail[] = {
	0x00,0x30,0x31,0x30,0x0d,0x06,0x09,0x60,
	0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,
	0x05,0x00,0x04,0x20
	};

	static const uint8_t sha512_tail[] = {
	0x00,0x30,0x51,0x30,0x0d,0x06,0x09,0x60,
	0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,
	0x05,0x00,0x04,0x40
	};

	int vb2_check_padding(const uint8_t sig, const struct vb2_public_key key)
	{
	/* Determine padding to use depending on the signature type */
	uint32_t sig_size = vb2_rsa_sig_size(key->sig_alg);
	uint32_t hash_size = vb2_digest_size(key->hash_alg);
	uint32_t pad_size = sig_size - hash_size;
	const uint8_t *tail;
	uint32_t tail_size;
	int result = 0;
	int i;

	if (!sig_size \|\| !hash_size \|\| hash_size > sig_size)
	return VB2_ERROR_RSA_PADDING_SIZE;

	switch (key->hash_alg) {
	case VB2_HASH_SHA1:
	tail = sha1_tail;
	tail_size = sizeof(sha1_tail);
	break;
	case VB2_HASH_SHA256:
	tail = sha256_tail;
	tail_size = sizeof(sha256_tail);
	break;
	case VB2_HASH_SHA512:
	tail = sha512_tail;
	tail_size = sizeof(sha512_tail);
	break;
	default:
	return VB2_ERROR_RSA_PADDING_ALGORITHM;
	}

	/* First 2 bytes are always 0x00 0x01 */
	result \|= *sig++ ^ 0x00;
	result \|= *sig++ ^ 0x01;

	/* Then 0xff bytes until the tail */
	for (i = 0; i < pad_size - tail_size - 2; i++)
	result \|= *sig++ ^ 0xff;

	/*
	* Then the tail. Even though there are probably no timing issues
	* here, we use vb2_safe_memcmp() just to be on the safe side.
	*/
	result \|= vb2_safe_memcmp(sig, tail, tail_size);

	return result ? VB2_ERROR_RSA_PADDING : VB2_SUCCESS;
	}

	int vb2_rsa_verify_digest(const struct vb2_public_key *key,
	uint8_t *sig,
	const uint8_t *digest,
	const struct vb2_workbuf *wb)
	{
	struct vb2_workbuf wblocal = *wb;
	uint32_t *workbuf32;
	uint32_t key_bytes;
	int sig_size;
	int pad_size;
	int rv;

	if (!key \|\| !sig \|\| !digest)
	return VB2_ERROR_RSA_VERIFY_PARAM;

	sig_size = vb2_rsa_sig_size(key->sig_alg);
	if (!sig_size) {
	VB2_DEBUG("Invalid signature type!\n");
	return VB2_ERROR_RSA_VERIFY_ALGORITHM;
	}

	/* Signature length should be same as key length */
	key_bytes = key->arrsize * sizeof(uint32_t);
	if (key_bytes != sig_size) {
	VB2_DEBUG("Signature is of incorrect length!\n");
	return VB2_ERROR_RSA_VERIFY_SIG_LEN;
	}

	workbuf32 = vb2_workbuf_alloc(&wblocal, 3 * key_bytes);
	if (!workbuf32) {
	VB2_DEBUG("ERROR - vboot2 work buffer too small!\n");
	return VB2_ERROR_RSA_VERIFY_WORKBUF;
	}

	modpowF4(key, sig, workbuf32);

	vb2_workbuf_free(&wblocal, 3 * key_bytes);

	/*
	* Check padding. Only fail immediately if the padding size is bad.
	* Otherwise, continue on to check the digest to reduce the risk of
	* timing based attacks.
	*/
	rv = vb2_check_padding(sig, key);
	if (rv == VB2_ERROR_RSA_PADDING_SIZE)
	return rv;

	/*
	* Check digest. Even though there are probably no timing issues here,
	* use vb2_safe_memcmp() just to be on the safe side. (That's also why
	* we don't return before this check if the padding check failed.)
	*/
	pad_size = sig_size - vb2_digest_size(key->hash_alg);
	if (vb2_safe_memcmp(sig + pad_size, digest, key_bytes - pad_size)) {
	VB2_DEBUG("Digest check failed!\n");
	if (!rv)
	rv = VB2_ERROR_RSA_VERIFY_DIGEST;
	}

	return rv;
	}