authorMichael Brown <mcb30@ipxe.org>2022-10-30 13:05:01 +0000
committerMichael Brown <mcb30@ipxe.org>2022-11-07 11:19:49 +0000
commit6a360ebfde9921b9cacbee724fe25d646e4499d5 (patch)
treea707e92de51447154f6b3d31b8115836d3af46f6
parent30243ad73957a2e1cc4aedc3f23be66cdf399f00 (diff)
[tls] Ensure cipher alignment size is respected
Adjust the length of the first received ciphertext data buffer to ensure that all decryption operations respect the cipher's alignment size. Signed-off-by: Michael Brown <mcb30@ipxe.org>
-rw-r--r--src/net/tls.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/src/net/tls.c b/src/net/tls.c
index f4f8d93..d2b8d60 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -3004,13 +3004,24 @@ static struct interface_descriptor tls_plainstream_desc =
* @ret rc Returned status code
*/
static int tls_newdata_process_header ( struct tls_connection *tls ) {
+ struct tls_cipherspec *cipherspec = &tls->rx_cipherspec;
+ struct cipher_algorithm *cipher = cipherspec->suite->cipher;
+ size_t iv_len = cipherspec->suite->record_iv_len;
size_t data_len = ntohs ( tls->rx_header.length );
size_t remaining = data_len;
size_t frag_len;
+ size_t reserve;
struct io_buffer *iobuf;
struct io_buffer *tmp;
int rc;
+ /* Sanity check */
+ assert ( ( TLS_RX_BUFSIZE % cipher->alignsize ) == 0 );
+
+ /* Calculate alignment reservation at start of first data buffer */
+ reserve = ( ( -iv_len ) & ( cipher->alignsize - 1 ) );
+ remaining += reserve;
+
/* Allocate data buffers now that we know the length */
assert ( list_empty ( &tls->rx_data ) );
while ( remaining ) {
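Review bot: The mask in `reserve = ( ( -iv_len ) & ( cipher->alignsize - 1 ) );` gives the intended padding only when `cipher->alignsize` is a non-zero power of two, and the added sanity check does not establish that. It tests only that `TLS_RX_BUFSIZE` is a multiple of the alignment size, and a zero value would make that modulo itself undefined. I would put `assert ( cipher->alignsize != 0 );` and `assert ( ( cipher->alignsize & ( cipher->alignsize - 1 ) ) == 0 );` ahead of the existing assert, or compute the padding with a modulo so the power-of-two assumption disappears. If assertions are compiled out in production builds, a one-line comment here stating the requirement would still record it for the next cipher added. The function body continues outside the hunk.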
@@ -3045,6 +3056,13 @@ static int tls_newdata_process_header ( struct tls_connection *tls ) {
*/
iob_reserve ( iobuf, ( iob_tailroom ( iobuf ) - frag_len ) );
+ /* Ensure first buffer length will be aligned to a
+ * multiple of the cipher alignment size after
+ * stripping the record IV.
+ */
+ iob_reserve ( iobuf, reserve );
+ reserve = 0;
+
/* Add I/O buffer to list */
list_add_tail ( &iobuf->list, &tls->rx_data );
}
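Review bot: The added `iob_reserve ( iobuf, reserve );` is safe only if the first buffer's `frag_len` is at least `reserve`, because the preceding call has already cut the tailroom down to exactly `frag_len`. That presumably holds because `remaining` was increased by `reserve` before the loop, but the `frag_len` computation lies between the two hunks and is not visible here. I would make the invariant explicit with `assert ( reserve <= frag_len );` just before the new call. It is also worth confirming the zero-length case: `data_len` comes straight from the received record header, and with `data_len == 0` and a non-zero `reserve` the loop now runs once and queues a buffer with no usable space, where it previously allocated nothing. The code that consumes `tls->rx_data` should be checked against such a buffer.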