Use the right AES CTX

crypto_kem/kyber1024-90s/clean/aes256ctr.c

@@ -70,7 +70,7 @@ void PQCLEAN_KYBER102490S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const
 *              - uint8_t y:           second additional byte to "absorb"
 **************************************************/
 void PQCLEAN_KYBER102490S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y) {
-    aes256_ctr_keyexp(&s->sk_exp, key);
+    aes256_ecb_keyexp(&s->sk_exp, key);
     for (int i = 2; i < 12; i++) {
         s->iv[i] = 0;
     }

crypto_kem/kyber512-90s/clean/aes256ctr.c

@@ -70,7 +70,7 @@ void PQCLEAN_KYBER51290S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const
 *              - uint8_t y:           second additional byte to "absorb"
 **************************************************/
 void PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y) {
-    aes256_ctr_keyexp(&s->sk_exp, key);
+    aes256_ecb_keyexp(&s->sk_exp, key);
     for (int i = 2; i < 12; i++) {
         s->iv[i] = 0;
     }

crypto_kem/kyber768-90s/clean/aes256ctr.c

@@ -70,7 +70,7 @@ void PQCLEAN_KYBER76890S_CLEAN_aes256_prf(uint8_t *output, size_t outlen, const
 *              - uint8_t y:           second additional byte to "absorb"
 **************************************************/
 void PQCLEAN_KYBER76890S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y) {
-    aes256_ctr_keyexp(&s->sk_exp, key);
+    aes256_ecb_keyexp(&s->sk_exp, key);
     for (int i = 2; i < 12; i++) {
         s->iv[i] = 0;
     }