QUIC: Parse all QUIC packets in a UDP datagram

A UDP datagram may contain multiple QUIC packets, but the parser so far
handled only the very first packet, ignoring any subsequent packets.

Fixes #4198

src/analyzer/protocol/quic/QUIC.spicy

@@ -417,7 +417,7 @@ type CryptoBuffer = unit() {
 ##############
 type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
   var decrypted_data: bytes;
-  var slurp_size: uint64 = 0;
+  var packet_size: uint64 = 0;
   var start: iterator<stream>;
 
   sink crypto_sink;
@@ -466,11 +466,13 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
 
   : void {
       if (self?.long_header && can_decrypt(self.long_header, context, from_client))
-          self.slurp_size = self.offset();
+          # If we have parsed an initial packet that we can decrypt the payload,
+          # determine the size to store into a buffer.
+          self.packet_size = self.offset();
   }
 
-  # Slurp in the whole packet if we determined we have a chance to decrypt.
-  slurp_data: bytes &parse-at=self.start &size=self.slurp_size if ( self.slurp_size > 0 ) {
+  # Buffer the whole packet if we determined we have a chance to decrypt.
+  packet_data: bytes &parse-at=self.start &size=self.packet_size if ( self.packet_size > 0 ) {
     self.crypto_buffer = new CryptoBuffer();
     self.crypto_sink.connect(self.crypto_buffer);
 
@@ -482,7 +484,7 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
       # All data is accessible via the `long_header` unit
       self.decrypted_data = decrypt_crypto_payload(
         self.long_header.version,
-        self.slurp_data,
+        self.packet_data,
         self.long_header.dest_conn_id,
         self.long_header.encrypted_offset,
         self.long_header.payload_length,
@@ -501,7 +503,7 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
 
       self.decrypted_data = decrypt_crypto_payload(
         self.long_header.version,
-        self.slurp_data,
+        self.packet_data,
         context.initial_destination_conn_id,
         self.long_header.encrypted_offset,
         self.long_header.payload_length,
@@ -560,10 +562,10 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
 ##############
 public type RequestFrame = unit {
   %context = ConnectionIDInfo;
-  : Packet(True, self.context());
+  : Packet(True, self.context())[];
 };
 
 public type ResponseFrame = unit {
   %context = ConnectionIDInfo;
-  : Packet(False, self.context());
+  : Packet(False, self.context())[];
 };

testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	82.239.54.117	53727	110.213.53.115	443	1	95412c47018cdfe8	(empty)	d5412c47018cdfe8	api.cirrus-ci.com	h3	ISisH
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	82.239.54.117	53727	110.213.53.115	443	1	95412c47018cdfe8	(empty)	d5412c47018cdfe8	api.cirrus-ci.com	h3	ISishH
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.quic.events/out

@@ -4,17 +4,20 @@
 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, 1b036a11, 
 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, F, 1, , fc674735
 1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , fc674735
+1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , fc674735
 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, fc674735, 
 1.0, handshake_packet, T, C4J4Th3PJpwUYZZ6gc, 1, ef3a4e06, 
 zerortt.pcap
 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, b7c7841c64883e3261d840, 
 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, F, 1, , 8d2041ac
 1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , 8d2041ac
+1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , 8d2041ac
 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, 8d2041ac, 
 1.0, handshake_packet, T, C4J4Th3PJpwUYZZ6gc, 1, 5b7bc400, 
 1.0, initial_packet, CtPZjS20MLrsMUOJi2, T, 1, 15ae5e5e4962163f410b5529fc125bbc, 
 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 
 1.0, initial_packet, CtPZjS20MLrsMUOJi2, F, 1, , e483a751
+1.0, handshake_packet, F, CtPZjS20MLrsMUOJi2, 1, , e483a751
 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 
 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 
 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 

testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
-1.000000	C4J4Th3PJpwUYZZ6gc	193.167.0.100	40084	193.167.100.100	443	1	a771f6161a4072c0bf10	(empty)	5911deff	server4:443	hq-interop	ISishIH
+1.000000	C4J4Th3PJpwUYZZ6gc	193.167.0.100	40084	193.167.100.100	443	1	a771f6161a4072c0bf10	(empty)	5911deff	server4:443	hq-interop	ISishhIH
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log

@@ -8,5 +8,5 @@
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
 1.000000	C4J4Th3PJpwUYZZ6gc	193.167.0.100	42834	193.167.100.100	443	1	4a8294bf9201d6cf	(empty)	-	server4:443	hq-interop	ISr
-1.000000	C4J4Th3PJpwUYZZ6gc	193.167.0.100	42834	193.167.100.100	443	1	1b036a11	(empty)	fc674735	server4:443	hq-interop	ISishIH
+1.000000	C4J4Th3PJpwUYZZ6gc	193.167.0.100	42834	193.167.100.100	443	1	1b036a11	(empty)	fc674735	server4:443	hq-interop	ISishhIH
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log

@@ -7,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
-1.000000	CtPZjS20MLrsMUOJi2	193.167.0.100	49394	193.167.100.100	443	1	15ae5e5e4962163f410b5529fc125bbc	(empty)	e483a751	server4:443	hq-interop	ISZisZZZZZZZZZZZZZZZZZZZZZZZZZZZIH
-1.000000	C4J4Th3PJpwUYZZ6gc	193.167.0.100	60492	193.167.100.100	443	1	b7c7841c64883e3261d840	(empty)	8d2041ac	server4:443	hq-interop	ISishIH
+1.000000	CtPZjS20MLrsMUOJi2	193.167.0.100	49394	193.167.100.100	443	1	15ae5e5e4962163f410b5529fc125bbc	(empty)	e483a751	server4:443	hq-interop	ISZishZZZZZZZZZZZZZZZZZZZZZZZZZZZIH
+1.000000	C4J4Th3PJpwUYZZ6gc	193.167.0.100	60492	193.167.100.100	443	1	b7c7841c64883e3261d840	(empty)	8d2041ac	server4:443	hq-interop	ISishhIH
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/conn.log.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	history	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl

testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/quic.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	quic
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.4	53241	24.199.110.233	443	1	f21fdf87f736f235846c7f460ca017	1b3ff910	eab5f6f4	-	h3	ISishhIH
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/ssl.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	ssl_history	cert_chain_fps	client_cert_chain_fps	sni_matches_cert
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	string	vector[string]	vector[string]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.4	53241	24.199.110.233	443	TLSv13	TLS_AES_128_GCM_SHA256	x25519	-	F	-	-	F	Cs	-	-	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	46907	127.0.0.1	853	1	fda05288ab9ff546	0fb934775f247b8e	a31f4933d8727231	-	doq	ISishH
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	46907	127.0.0.1	853	1	fda05288ab9ff546	0fb934775f247b8e	a31f4933d8727231	-	doq	ISishhH
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	49320	127.0.0.1	443	quicv2	fa603212c8688817af3d3238735bc7	(empty)	b168b5cc	localhost	quic-echo-example	ISIIisIH
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	49320	127.0.0.1	443	quicv2	fa603212c8688817af3d3238735bc7	(empty)	b168b5cc	localhost	quic-echo-example	ISIIishIH
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	50841	127.0.0.1	443	quicv2	bdf0c5b27927cc667e58d95b	71b8f3f4	cdc8b6e6	-	h3	ISishIHH
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	50841	127.0.0.1	443	quicv2	bdf0c5b27927cc667e58d95b	71b8f3f4	cdc8b6e6	-	h3	ISishhIHH
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Traces/README

@@ -38,3 +38,6 @@ Trace Index/Sources:
 - http/docker-http-upgrade.pcap
   Provided by blightzero on #4068
   https://github.com/zeek/zeek/issues/4068
+- quic/merlinc2_Zeek_example.pcapng
+  Provided by Faan Rossouw on #4198
+  https://github.com/zeek/zeek/issues/4198

testing/btest/scripts/base/protocols/quic/merlinc2.zeek

@@ -0,0 +1,8 @@
+# @TEST-DOC: Test PCAP for Merlin C2 from issue #4198
+
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -Cr $TRACES/quic/merlinc2_Zeek_example.pcapng base/protocols/quic
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff quic.log