QUIC: Confirm before forwarding data to SSL

Fixes #4201

src/analyzer/protocol/quic/QUIC.spicy

@@ -516,6 +516,9 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
     # connection.
     if ( |self.decrypted_data| == 0 )
       throw "decryption failed";
+
+    # We were able to decrypt the INITIAL packet. Confirm QUIC!
+    spicy::accept_input();
   }
 
   # Depending on the type of header and whether we were able to decrypt
@@ -550,9 +553,6 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
         context.client_initial_processed = True;
       else
         context.server_initial_processed = True;
-
-      # Take buffered crypto data as confirmation signal.
-      spicy::accept_input();
     }
   }
 };

testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/conn.log.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	history	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic

testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/out

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+analyzer_confirmation, 1692198386.837988, CHhAvVGS1DHFjwGM9, Analyzer::ANALYZER_QUIC
+analyzer_confirmation, 1692198386.837988, CHhAvVGS1DHFjwGM9, Analyzer::ANALYZER_SSL

testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut

@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic

testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut

@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic

testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut

@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic

testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut

@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic

testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut

@@ -2,4 +2,4 @@
 ts	uid	history	service
 0.015059	ClEkJM2Vm5giqnMf4h	-	-
 0.001000	CHhAvVGS1DHFjwGM9	-	-
-0.648580	C4J4Th3PJpwUYZZ6gc	Dd	quic,ssl
+0.648580	C4J4Th3PJpwUYZZ6gc	Dd	ssl,quic

testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut

@@ -2,4 +2,4 @@
 ts	uid	history	service
 0.000000	CHhAvVGS1DHFjwGM9	-	-
 0.016059	ClEkJM2Vm5giqnMf4h	-	-
-0.669020	C4J4Th3PJpwUYZZ6gc	Dd	quic,ssl
+0.669020	C4J4Th3PJpwUYZZ6gc	Dd	ssl,quic

testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut

@@ -2,5 +2,5 @@
 ts	uid	history	service
 0.015059	ClEkJM2Vm5giqnMf4h	-	-
 0.001000	CHhAvVGS1DHFjwGM9	-	-
-0.790739	CtPZjS20MLrsMUOJi2	Dd	quic,ssl
-0.718160	C4J4Th3PJpwUYZZ6gc	Dd	quic,ssl
+0.790739	CtPZjS20MLrsMUOJi2	Dd	ssl,quic
+0.718160	C4J4Th3PJpwUYZZ6gc	Dd	ssl,quic

testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/conn.log.cut

@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic

testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut

@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic

testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut

@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic

testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut

@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic

testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut

@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic

testing/btest/scripts/base/protocols/quic/analyzer-confirmations.zeek

@@ -0,0 +1,15 @@
+# @TEST-DOC: Test the order of analyzer confirmations for QUIC and SSL, QUIC should come first.
+
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -Cr $TRACES/quic/chromium-115.0.5790.110-api-cirrus-com.pcap %INPUT >out
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff out
+# @TEST-EXEC: btest-diff conn.log.cut
+
+@load base/protocols/quic
+
+
+event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
+	{
+	print "analyzer_confirmation", network_time(), info$c$uid, atype;
+	}