Padlock: fix byte swapping assembly for AES-192 and 256

Byte swapping code incorrectly uses the number of AES rounds to swap expanded AES key, while swapping only a single dword in a loop, resulting in swapped key and partially swapped expanded keys, breaking AES encryption and decryption on VIA Padlock hardware. This commit correctly sets the number of swapping loops to be done. Fixes #20073 CLA: trivial Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20077)
2023-01-18 20:14:48 +03:00 · 2023-01-18 20:14:48 +03:00 · 7331e7ef79
parent 69d6ecb7c3
commit 7331e7ef79
2 changed files with 4 additions and 0 deletions
--- a/engines/asm/e_padlock-x86.pl
+++ b/engines/asm/e_padlock-x86.pl
@ -115,6 +115,8 @@ $chunk="ebx";
 &function_begin_B("padlock_key_bswap");
 	&mov	("edx",&wparam(0));
 	&mov	("ecx",&DWP(240,"edx"));
+	&inc	("ecx");
+	&shl	("ecx",2);
 &set_label("bswap_loop");
 	&mov	("eax",&DWP(0,"edx"));
 	&bswap	("eax");
--- a/engines/asm/e_padlock-x86_64.pl
+++ b/engines/asm/e_padlock-x86_64.pl
@ -94,6 +94,8 @@ padlock_capability:
 .align	16
 padlock_key_bswap:
 	mov	240($arg1),%edx
+	inc	%edx
+	shl	\$2,%edx
 .Lbswap_loop:
 	mov	($arg1),%eax
 	bswap	%eax