Byte swapping code incorrectly uses the number of AES rounds to swap expanded
AES key, while swapping only a single dword in a loop, resulting in swapped
key and partially swapped expanded keys, breaking AES encryption and
decryption on VIA Padlock hardware.
This commit correctly sets the number of swapping loops to be done.
Fixes #20073
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20077)
(cherry picked from commit
7331e7ef79fe4499d81cc92249e9c97e9ff9291a)
&function_begin_B("padlock_key_bswap");
&mov ("edx",&wparam(0));
&mov ("ecx",&DWP(240,"edx"));
+ &inc ("ecx");
+ &shl ("ecx",2);
&set_label("bswap_loop");
&mov ("eax",&DWP(0,"edx"));
&bswap ("eax");
.align 16
padlock_key_bswap:
mov 240($arg1),%edx
+ inc %edx
+ shl \$2,%edx
.Lbswap_loop:
mov ($arg1),%eax
bswap %eax