Fix warnings about too large skb data in ttls_encrypt() caused by wrong

arithmetics in tcp_write_xmit() (double TLS header size accounting).

Account TCP FIN flag in comparing TCP seqnos with skb->len.

Author: krizhanovsky

linux-4.14.32.patch

@@ -744,18 +744,17 @@ index d323d4fa..0f6bd0cf 100644
  }
 
 diff --git a/include/net/tls.h b/include/net/tls.h
-index df950383..4a99f03d 100644
+index df950383..c3d45c5e 100644
 --- a/include/net/tls.h
 +++ b/include/net/tls.h
-@@ -55,6 +55,13 @@
+@@ -55,6 +55,12 @@
 
  #define TLS_AAD_SPACE_SIZE		13
 
 +#ifdef CONFIG_SECURITY_TEMPESTA
 +#define TLS_MAX_TAG_SZ			16
 +/* Maximum size for required skb overhead: header, IV, tag. */
-+#define TLS_MAX_OVERHEAD		(TLS_HEADER_SIZE + TLS_AAD_SPACE_SIZE \
-+					 + TLS_MAX_TAG_SZ)
++#define TLS_MAX_OVERHEAD		(TLS_AAD_SPACE_SIZE + TLS_MAX_TAG_SZ)
 +#endif
 +
  struct tls_sw_context {

tempesta_fw/tls.c

@@ -250,7 +250,8 @@ tfw_tls_encrypt(struct sock *sk, struct sk_buff *skb, unsigned int limit)
 	       tcb->seq, tcb->end_seq);
 	BUG_ON(!ttls_xfrm_ready(tls));
 	WARN_ON_ONCE(skb->len > TLS_MAX_PAYLOAD_SIZE);
-	WARN_ON_ONCE(tcb->seq + skb->len != tcb->end_seq);
+	WARN_ON_ONCE(tcb->seq + skb->len + !!(tcb->tcp_flags & TCPHDR_FIN)
+		     != tcb->end_seq);
 
 	head_sz = ttls_payload_off(xfrm);
 	tag_sz = ttls_xfrm_taglen(xfrm);

tls/ttls.c

@@ -780,11 +780,8 @@ ttls_encrypt(TlsCtx *tls, struct sg_table *sgt)
 	struct aead_request *req;
 
 	WARN_ON_ONCE(!ttls_xfrm_ready(tls));
-	if (io->msglen > TLS_MAX_PAYLOAD_SIZE) {
-		T_WARN("cannot encrypt a record: content %u too large,"
-		       " maximum %lu\n", io->msglen, TLS_MAX_PAYLOAD_SIZE);
-		return TTLS_ERR_BAD_INPUT_DATA;
-	}
+	WARN_ON_ONCE(io->msglen > TLS_MAX_PAYLOAD_SIZE + TLS_MAX_OVERHEAD
+				  - TLS_HEADER_SIZE);
 
 	req = ttls_aead_req_alloc(c_ctx->cipher_ctx);
 	if (unlikely(!req))