Padlock: fix byte swapping assembly for AES-192 and 256

Byte swapping code incorrectly uses the number of AES rounds to swap expanded AES key, while swapping only a single dword in a loop, resulting in swapped key and partially swapped expanded keys, breaking AES encryption and decryption on VIA Padlock hardware. This commit correctly sets the number of swapping loops to be done. Fixes #20073 CLA: trivial Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #20077) (cherry picked from commit 7331e7e)
openssl · Jan 20, 2023 · 2bcf8e6 · 2bcf8e6
1 parent d90907d
commit 2bcf8e6
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/engines/asm/e_padlock-x86.pl b/engines/asm/e_padlock-x86.pl
@@ -116,6 +116,8 @@
 &function_begin_B("padlock_key_bswap");
 	&mov	("edx",&wparam(0));
 	&mov	("ecx",&DWP(240,"edx"));
+	&inc	("ecx");
+	&shl	("ecx",2);
 &set_label("bswap_loop");
 	&mov	("eax",&DWP(0,"edx"));
 	&bswap	("eax");

diff --git a/engines/asm/e_padlock-x86_64.pl b/engines/asm/e_padlock-x86_64.pl
@@ -92,6 +92,8 @@
 .align	16
 padlock_key_bswap:
 	mov	240($arg1),%edx
+	inc	%edx
+	shl	\$2,%edx
 .Lbswap_loop:
 	mov	($arg1),%eax
 	bswap	%eax