[tls] Ensure cipher alignment size is respected

Adjust the length of the first received ciphertext data buffer to
ensure that all decryption operations respect the cipher's alignment
size.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/net/tls.c b/src/net/tls.c
index f4f8d930d68ff6a97ecb4421ce972a48d937330f..d2b8d6091f978d53f12fa3d2eea622c963fa8e66 100644 (file)
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -3004,13 +3004,24 @@ static struct interface_descriptor tls_plainstream_desc =
  * @ret rc             Returned status code
  */
 static int tls_newdata_process_header ( struct tls_connection *tls ) {
+       struct tls_cipherspec *cipherspec = &tls->rx_cipherspec;
+       struct cipher_algorithm *cipher = cipherspec->suite->cipher;
+       size_t iv_len = cipherspec->suite->record_iv_len;
        size_t data_len = ntohs ( tls->rx_header.length );
        size_t remaining = data_len;
        size_t frag_len;
+       size_t reserve;
        struct io_buffer *iobuf;
        struct io_buffer *tmp;
        int rc;
 
+       /* Sanity check */
+       assert ( ( TLS_RX_BUFSIZE % cipher->alignsize ) == 0 );
+
+       /* Calculate alignment reservation at start of first data buffer */
+       reserve = ( ( -iv_len ) & ( cipher->alignsize - 1 ) );
+       remaining += reserve;
+
        /* Allocate data buffers now that we know the length */
        assert ( list_empty ( &tls->rx_data ) );
        while ( remaining ) {
@@ -3045,6 +3056,13 @@ static int tls_newdata_process_header ( struct tls_connection *tls ) {
                 */
                iob_reserve ( iobuf, ( iob_tailroom ( iobuf ) - frag_len ) );
 
+               /* Ensure first buffer length will be aligned to a
+                * multiple of the cipher alignment size after
+                * stripping the record IV.
+                */
+               iob_reserve ( iobuf, reserve );
+               reserve = 0;
+
                /* Add I/O buffer to list */
                list_add_tail ( &iobuf->list, &tls->rx_data );
        }