Padlock: fix byte swapping assembly for AES-192 and 256
authorValdikSS <iam@valdikss.org.ru>
Wed, 18 Jan 2023 17:14:48 +0000 (20:14 +0300)
committerHugo Landau <hlandau@openssl.org>
Fri, 20 Jan 2023 07:32:55 +0000 (07:32 +0000)
Byte swapping code incorrectly uses the number of AES rounds as the loop count when swapping the expanded
AES key, while each loop iteration swaps only a single dword, resulting in a swapped
key but only partially swapped expanded keys, breaking AES encryption and
decryption on VIA Padlock hardware.

This commit correctly sets the number of swapping loops to be done.

Fixes #20073

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20077)

(cherry picked from commit 7331e7ef79fe4499d81cc92249e9c97e9ff9291a)

engines/asm/e_padlock-x86.pl
engines/asm/e_padlock-x86_64.pl

index 5b097ce3ef9b10cf517907bb1ad425e2cf68674c..07f7000fd38a32c021198eff3ee91cedef9fd733 100644 (file)
@@ -116,6 +116,8 @@ $chunk="ebx";
 &function_begin_B("padlock_key_bswap");
        &mov    ("edx",&wparam(0));
        &mov    ("ecx",&DWP(240,"edx"));
+       &inc    ("ecx");
+       &shl    ("ecx",2);
 &set_label("bswap_loop");
        &mov    ("eax",&DWP(0,"edx"));
        &bswap  ("eax");
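Review bot: The new loop count is left unexplained in both hunks; the two added lines would read much better with a comment such as `# ecx = (rounds+1)*4: number of 32-bit words in the whole expanded key schedule, not the round count`, and the same comment belongs on the `inc %edx` / `shl $2,%edx` pair in the e_padlock-x86_64.pl hunk. The count is taken from the field at offset 240 with no upper bound, so the loop only stays inside the key structure when that field is at most 14 (60 dwords, which is exactly the 240 bytes preceding the field if, as it appears, that region is the round-key array) — worth recording as an assumption on the caller, since a corrupted rounds value now walks further than before. Folding the two instructions into a single `lea` of the form ecx*4+4 would also avoid the partial-flag write of `inc`, but this is only a style preference as the counter is presumably consumed by a dec/jnz further down. The bswap_loop body continues outside the hunk.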
index 09b0aaa48dfed22bd1a25f8b976af1f935f9cda5..dfd2ae656375122d9ab468eb5a9fc5c9ac35966e 100644 (file)
@@ -92,6 +92,8 @@ padlock_capability:
 .align 16
 padlock_key_bswap:
        mov     240($arg1),%edx
+       inc     %edx
+       shl     \$2,%edx
 .Lbswap_loop:
        mov     ($arg1),%eax
        bswap   %eax