Padlock: fix byte swapping assembly for AES-192 and 256
authorValdikSS <iam@valdikss.org.ru>
Wed, 18 Jan 2023 17:14:48 +0000 (20:14 +0300)
committerHugo Landau <hlandau@openssl.org>
Fri, 20 Jan 2023 07:31:33 +0000 (07:31 +0000)
The byte-swapping code incorrectly used the number of AES rounds as the loop count while
swapping only a single dword per iteration, so only the first `rounds` dwords of the
expanded key were byte-swapped and the remainder was left untouched, breaking AES
encryption and decryption on VIA Padlock hardware.

This commit correctly sets the number of swapping loops to be done.

Fixes #20073

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20077)

engines/asm/e_padlock-x86.pl
engines/asm/e_padlock-x86_64.pl

index f579a4d933f8e36005d7fb1fbb095f00705ec934..bb2b14468982cbb989326458231c8b6703a8b349 100644 (file)
@@ -115,6 +115,8 @@ $chunk="ebx";
 &function_begin_B("padlock_key_bswap");
        &mov    ("edx",&wparam(0));
        &mov    ("ecx",&DWP(240,"edx"));
+       &inc    ("ecx");
+       &shl    ("ecx",2);
 &set_label("bswap_loop");
        &mov    ("eax",&DWP(0,"edx"));
        &bswap  ("eax");
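Review bot: The two added instructions turn the `rounds` field at offset 240 into a dword count, but nothing in the hunk says so, and the next reader will again have to work out why the count is not simply `rounds`; a one-line comment before `bswap_loop` would fix that, e.g. `# ecx = 4*(rounds+1): number of 32-bit words in the expanded key (AES_KEY.rd_key)`. The hard-coded 240 is the AES_KEY `rounds` offset shared with the rest of this file, so it is worth naming it in that same comment rather than leaving it as a magic number. The count is now correct for 10/12/14 rounds, and since the loop presumably counts ecx down with dec/jnz, a zero or garbage `rounds` value can no longer make the swap silently stop short; it would only run a few extra iterations over memory the caller owns. The rest of the loop body (pointer advance and the loop branch) is outside the hunk, so I could not confirm that ecx is the only loop counter.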
index 7982f19932720197417285431c1cf98bc8e8846e..2622e272db287b00337554fb26ab3c84efe8af52 100644 (file)
@@ -94,6 +94,8 @@ padlock_capability:
 .align 16
 padlock_key_bswap:
        mov     240($arg1),%edx
+       inc     %edx
+       shl     \$2,%edx
 .Lbswap_loop:
        mov     ($arg1),%eax
        bswap   %eax
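Review bot: Same remark as for the 32-bit version: `inc %edx; shl $2,%edx` silently encodes the AES_KEY layout, and the assembly reader gets no hint that 240 is the `rounds` offset or that the expanded key holds 4*(rounds+1) words; I would add `# edx = 4*(rounds+1) = number of 32-bit words in the expanded key` right before `.Lbswap_loop:`. The 32-bit `%edx` writes zero-extend into `%rdx`, so if the loop later uses `%rdx` as a counter that is fine, but the loop continuation is outside the hunk so I could not verify it. If you want a single flag-neutral instruction, `lea 4(,%rdx,4),%edx` computes the same count, though the inc/shl pair is perfectly clear once commented.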