Test for TCP reset (RST) on security events

[krizhanovsky]

tempesta-tech/tempesta#861 implemented in tempesta-tech/tempesta#1643 makes Tempesta FW to reset client connections, which exposed malicious activity. With the pull request tls.test_tls_handshake.TlsVhostHandshakeTest.test_bad_host fails with

ERROR: test_bad_host (tls.test_tls_handshake.TlsVhostHandshakeTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/tempesta-test/tls/handshake.py", line 188, in send_recv
    resp = self.sock.recvall(timeout=self.io_to)
  File "/root/tempesta-test/tls/scapy_ssl_tls/ssl_tls.py", line 1297, in recvall
    data = self._s.recv(size)
ConnectionResetError: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/root/tempesta-test/tls/test_tls_handshake.py", line 457, in test_bad_host
    self.assertFalse(hs12.do_12(), "Bad Host successfully processed")
  File "/root/tempesta-test/tls/handshake.py", line 432, in do_12
    return self._do_12_req(fuzzer)
  File "/root/tempesta-test/tls/handshake.py", line 413, in _do_12_req
    resp = self.send_recv(tls.TLSPlaintext(data=req))
  File "/root/tempesta-test/tls/handshake.py", line 199, in send_recv
    raise tls.TLSProtocolError(sock_except, pkt, resp)
tls.scapy_ssl_tls.ssl_tls.TLSProtocolError: [Errno 104] Connection reset by peer

Connection trace of it is (note RST at the end):

# tcpdump -nn -i lo tcp port 443
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:20:49.847010 IP 127.0.0.1.40906 > 127.0.0.1.443: Flags [S], seq 336296342, win 65495, options [mss 65495,sackOK,TS val 2783514118 ecr 0,nop,wscale 7], length 0
15:20:49.847048 IP 127.0.0.1.443 > 127.0.0.1.40906: Flags [S.], seq 2906679165, ack 336296343, win 65483, options [mss 65495,sackOK,TS val 2783514118 ecr 2783514118,nop,wscale 7], length 0
15:20:49.847071 IP 127.0.0.1.40906 > 127.0.0.1.443: Flags [.], ack 1, win 512, options [nop,nop,TS val 2783514118 ecr 2783514118], length 0
15:20:49.875473 IP 127.0.0.1.40906 > 127.0.0.1.443: Flags [P.], seq 1:236, ack 1, win 512, options [nop,nop,TS val 2783514146 ecr 2783514118], length 235
15:20:49.875735 IP 127.0.0.1.443 > 127.0.0.1.40906: Flags [.], ack 236, win 512, options [nop,nop,TS val 2783514147 ecr 2783514146], length 0
15:20:49.875761 IP 127.0.0.1.443 > 127.0.0.1.40906: Flags [P.], seq 1:853, ack 236, win 512, options [nop,nop,TS val 2783514147 ecr 2783514146], length 852
15:20:49.875784 IP 127.0.0.1.40906 > 127.0.0.1.443: Flags [.], ack 853, win 506, options [nop,nop,TS val 2783514147 ecr 2783514147], length 0
15:20:50.457645 IP 127.0.0.1.40906 > 127.0.0.1.443: Flags [P.], seq 236:243, ack 853, win 512, options [nop,nop,TS val 2783514729 ecr 2783514147], length 7
15:20:50.457684 IP 127.0.0.1.443 > 127.0.0.1.40906: Flags [.], ack 243, win 512, options [nop,nop,TS val 2783514729 ecr 2783514729], length 0
15:20:50.466937 IP 127.0.0.1.40906 > 127.0.0.1.443: Flags [P.], seq 243:324, ack 853, win 512, options [nop,nop,TS val 2783514738 ecr 2783514729], length 81
15:20:50.466963 IP 127.0.0.1.443 > 127.0.0.1.40906: Flags [.], ack 324, win 512, options [nop,nop,TS val 2783514738 ecr 2783514738], length 0
15:20:50.496492 IP 127.0.0.1.40906 > 127.0.0.1.443: Flags [P.], seq 324:369, ack 853, win 512, options [nop,nop,TS val 2783514767 ecr 2783514738], length 45
15:20:50.496520 IP 127.0.0.1.443 > 127.0.0.1.40906: Flags [.], ack 369, win 512, options [nop,nop,TS val 2783514767 ecr 2783514767], length 0
15:20:50.496874 IP 127.0.0.1.443 > 127.0.0.1.40906: Flags [P.], seq 853:1079, ack 369, win 512, options [nop,nop,TS val 2783514768 ecr 2783514767], length 226
15:20:50.496896 IP 127.0.0.1.40906 > 127.0.0.1.443: Flags [.], ack 1079, win 511, options [nop,nop,TS val 2783514768 ecr 2783514768], length 0
15:20:51.002009 IP 127.0.0.1.40906 > 127.0.0.1.443: Flags [P.], seq 369:436, ack 1079, win 512, options [nop,nop,TS val 2783515273 ecr 2783514768], length 67
15:20:51.005375 IP 127.0.0.1.443 > 127.0.0.1.40906: Flags [.], ack 436, win 512, options [nop,nop,TS val 2783515276 ecr 2783515273], length 0
15:20:51.006024 IP 127.0.0.1.443 > 127.0.0.1.40906: Flags [R.], seq 1079, ack 436, win 512, options [nop,nop,TS val 2783515277 ecr 2783515273], length 0

and for previous version is

# tcpdump -nn -i lo tcp port 443
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:21:51.103819 IP 127.0.0.1.41036 > 127.0.0.1.443: Flags [S], seq 1543175981, win 65495, options [mss 65495,sackOK,TS val 2783575375 ecr 0,nop,wscale 7], length 0
15:21:51.103857 IP 127.0.0.1.443 > 127.0.0.1.41036: Flags [S.], seq 1561337545, ack 1543175982, win 65483, options [mss 65495,sackOK,TS val 2783575375 ecr 2783575375,nop,wscale 7], length 0
15:21:51.103880 IP 127.0.0.1.41036 > 127.0.0.1.443: Flags [.], ack 1, win 512, options [nop,nop,TS val 2783575375 ecr 2783575375], length 0
15:21:51.131516 IP 127.0.0.1.41036 > 127.0.0.1.443: Flags [P.], seq 1:236, ack 1, win 512, options [nop,nop,TS val 2783575402 ecr 2783575375], length 235
15:21:51.131782 IP 127.0.0.1.443 > 127.0.0.1.41036: Flags [.], ack 236, win 512, options [nop,nop,TS val 2783575403 ecr 2783575402], length 0
15:21:51.131808 IP 127.0.0.1.443 > 127.0.0.1.41036: Flags [P.], seq 1:854, ack 236, win 512, options [nop,nop,TS val 2783575403 ecr 2783575402], length 853
15:21:51.131832 IP 127.0.0.1.41036 > 127.0.0.1.443: Flags [.], ack 854, win 506, options [nop,nop,TS val 2783575403 ecr 2783575403], length 0
15:21:51.712988 IP 127.0.0.1.41036 > 127.0.0.1.443: Flags [P.], seq 236:243, ack 854, win 512, options [nop,nop,TS val 2783575984 ecr 2783575403], length 7
15:21:51.713029 IP 127.0.0.1.443 > 127.0.0.1.41036: Flags [.], ack 243, win 512, options [nop,nop,TS val 2783575984 ecr 2783575984], length 0
15:21:51.722970 IP 127.0.0.1.41036 > 127.0.0.1.443: Flags [P.], seq 243:324, ack 854, win 512, options [nop,nop,TS val 2783575994 ecr 2783575984], length 81
15:21:51.722999 IP 127.0.0.1.443 > 127.0.0.1.41036: Flags [.], ack 324, win 512, options [nop,nop,TS val 2783575994 ecr 2783575994], length 0
15:21:51.752820 IP 127.0.0.1.41036 > 127.0.0.1.443: Flags [P.], seq 324:369, ack 854, win 512, options [nop,nop,TS val 2783576024 ecr 2783575994], length 45
15:21:51.752849 IP 127.0.0.1.443 > 127.0.0.1.41036: Flags [.], ack 369, win 512, options [nop,nop,TS val 2783576024 ecr 2783576024], length 0
15:21:51.753197 IP 127.0.0.1.443 > 127.0.0.1.41036: Flags [P.], seq 854:1080, ack 369, win 512, options [nop,nop,TS val 2783576024 ecr 2783576024], length 226
15:21:51.753219 IP 127.0.0.1.41036 > 127.0.0.1.443: Flags [.], ack 1080, win 511, options [nop,nop,TS val 2783576024 ecr 2783576024], length 0
15:21:52.257696 IP 127.0.0.1.41036 > 127.0.0.1.443: Flags [P.], seq 369:436, ack 1080, win 512, options [nop,nop,TS val 2783576529 ecr 2783576024], length 67
15:21:52.261163 IP 127.0.0.1.443 > 127.0.0.1.41036: Flags [.], ack 436, win 512, options [nop,nop,TS val 2783576532 ecr 2783576529], length 0
15:21:52.261619 IP 127.0.0.1.443 > 127.0.0.1.41036: Flags [F.], seq 1080, ack 436, win 512, options [nop,nop,TS val 2783576533 ecr 2783576529], length 0
15:21:52.262085 IP 127.0.0.1.41036 > 127.0.0.1.443: Flags [F.], seq 436, ack 1081, win 512, options [nop,nop,TS val 2783576533 ecr 2783576533], length 0
15:21:52.262125 IP 127.0.0.1.443 > 127.0.0.1.41036: Flags [.], ack 437, win 512, options [nop,nop,TS val 2783576533 ecr 2783576533], length 0

Fix and unmask the test and develop a new one using several Frang limits to make sure that Tempesta FW resets TCP connections.

helpers/analyzer.py should help with the task.