Merge remote-tracking branch 'origin/topic/awelzel/4198-4201-quic-maintenance'

* origin/topic/awelzel/4198-4201-quic-maintenance: QUIC/decrypt_crypto: Rename all_data to data QUIC: Confirm before forwarding data to SSL QUIC: Parse all QUIC packets in a UDP datagram QUIC: Only slurp till packet end, not till &eod (cherry picked from commit 44304973fb)
2025-10-02 14:48:21 +00:00 · 2025-02-03 17:50:31 +01:00 · 2025-02-03 17:50:31 +01:00 · de8127f3cd
commit de8127f3cd
parent b5774f2de9
32 changed files with 141 additions and 49 deletions
--- a/25
+++ b/25
@ -1,3 +1,28 @@
 7.0.5-2 | 2025-03-18 16:14:21 -0700
  * QUIC/decrypt_crypto: Rename all_data to data (Arne Welzel, Corelight)
    (cherry picked from commit 44304973fb4ea3ffc94f13feb8592952675202f1)
  * GH-4201: QUIC: Confirm before forwarding data to SSL (Arne Welzel, Corelight)
    (cherry picked from commit 44304973fb4ea3ffc94f13feb8592952675202f1)
  * GH-4198: QUIC: Parse all QUIC packets in a UDP datagram (Arne Welzel, Corelight)
    A UDP datagram may contain multiple QUIC packets, but the parser so far
    handled only the very first packet, ignoring any subsequent packets.
    (cherry picked from commit 44304973fb4ea3ffc94f13feb8592952675202f1)
  * QUIC: Only slurp till packet end, not till &eod (Arne Welzel, Corelight)
    This doesn't change behavior, but avoids slurping in more data than
    needed. A UDP packet an contain multiple QUIC packets and we'd read
    all following ones instead just the one we're interested in.
    (cherry picked from commit 44304973fb4ea3ffc94f13feb8592952675202f1)
 7.0.5-1 | 2025-03-18 16:12:32 -0700
  * fix for ZAM optimization of assigning a record field to result of "in" operation (Vern Paxson, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-7.0.5-1
+7.0.5-2
--- a/src/analyzer/protocol/quic/QUIC.spicy
+++ b/src/analyzer/protocol/quic/QUIC.spicy
@ -9,7 +9,7 @@ import zeek;
 # The interface to the C++ code that handles the decryption of the INITIAL packet payload using well-known keys
 public function decrypt_crypto_payload(
  version: uint32,
-  all_data: bytes,
+  data: bytes,
  connection_id: bytes,
  encrypted_offset: uint64,
  payload_offset: uint64,
@ -417,7 +417,7 @@ type CryptoBuffer = unit() {
 ##############
 type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
  var decrypted_data: bytes;
-  var full_packet: bytes;
+  var packet_size: uint64 = 0;
  var start: iterator<stream>;
  sink crypto_sink;
@ -464,8 +464,15 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
     }
  };
-  # Slurp in the whole packet if we determined we have a chance to decrypt.
+  : void {
-  all_data: bytes &parse-at=self.start &eod if ( self?.long_header && can_decrypt(self.long_header, context, from_client) ) {
+      if (self?.long_header && can_decrypt(self.long_header, context, from_client))
          # If we have parsed an initial packet that we can decrypt the payload,
          # determine the size to store into a buffer.
          self.packet_size = self.offset();
  }
  # Buffer the whole packet if we determined we have a chance to decrypt.
  packet_data: bytes &parse-at=self.start &size=self.packet_size if ( self.packet_size > 0 ) {
    self.crypto_buffer = new CryptoBuffer();
    self.crypto_sink.connect(self.crypto_buffer);
@ -477,7 +484,7 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
      # All data is accessible via the `long_header` unit
      self.decrypted_data = decrypt_crypto_payload(
        self.long_header.version,
-        self.all_data,
+        self.packet_data,
        self.long_header.dest_conn_id,
        self.long_header.encrypted_offset,
        self.long_header.payload_length,
@ -496,7 +503,7 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
      self.decrypted_data = decrypt_crypto_payload(
        self.long_header.version,
-        self.all_data,
+        self.packet_data,
        context.initial_destination_conn_id,
        self.long_header.encrypted_offset,
        self.long_header.payload_length,
@ -509,6 +516,9 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
    # connection.
    if ( |self.decrypted_data| == 0 )
      throw "decryption failed";
    # We were able to decrypt the INITIAL packet. Confirm QUIC!
    spicy::accept_input();
  }
  # Depending on the type of header and whether we were able to decrypt
@ -543,9 +553,6 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
        context.client_initial_processed = True;
      else
        context.server_initial_processed = True;
      # Take buffered crypto data as confirmation signal.
      spicy::accept_input();
    }
  }
 };
@ -555,10 +562,10 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
 ##############
 public type RequestFrame = unit {
  %context = ConnectionIDInfo;
-  : Packet(True, self.context());
+  : Packet(True, self.context())[];
 };
 public type ResponseFrame = unit {
  %context = ConnectionIDInfo;
-  : Packet(False, self.context());
+  : Packet(False, self.context())[];
 };
--- a/src/analyzer/protocol/quic/decrypt_crypto.cc
+++ b/src/analyzer/protocol/quic/decrypt_crypto.cc
@ -87,7 +87,7 @@ Removes the header protection from the INITIAL packet and returns a DecryptionIn
 that is partially filled
 */
 DecryptionInformation remove_header_protection(const std::vector<uint8_t>& client_hp, uint64_t encrypted_offset,
-                                               const hilti::rt::Bytes& all_data) {
+                                               const hilti::rt::Bytes& data) {
    DecryptionInformation decryptInfo;
    int outlen;
    auto* ctx = get_aes_128_ecb();
@ -96,16 +96,16 @@ DecryptionInformation remove_header_protection(const std::vector<uint8_t>& clien
    EVP_CipherInit_ex(ctx, NULL, NULL, client_hp.data(), NULL, 1);
    static_assert(AEAD_SAMPLE_LENGTH > 0);
-    assert(all_data.size() >= encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH + AEAD_SAMPLE_LENGTH);
+    assert(data.size() >= encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH + AEAD_SAMPLE_LENGTH);
-    const uint8_t* sample = data_as_uint8(all_data) + encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH;
+    const uint8_t* sample = data_as_uint8(data) + encrypted_offset + MAXIMUM_PACKET_NUMBER_LENGTH;
    std::array<uint8_t, AEAD_SAMPLE_LENGTH> mask;
    EVP_CipherUpdate(ctx, mask.data(), &outlen, sample, AEAD_SAMPLE_LENGTH);
    // To determine the actual packet number length,
    // we have to remove the mask from the first byte
-    uint8_t first_byte = data_as_uint8(all_data)[0];
+    uint8_t first_byte = data_as_uint8(data)[0];
    if ( first_byte & 0x80 ) {
        first_byte ^= mask[0] & 0x0F;
@ -118,8 +118,8 @@ DecryptionInformation remove_header_protection(const std::vector<uint8_t>& clien
    int recovered_packet_number_length = (first_byte & 0x03) + 1;
    // .. and use this to reconstruct the (partially) unprotected header
-    std::vector<uint8_t> unprotected_header(data_as_uint8(all_data), data_as_uint8(all_data) + encrypted_offset +
+    std::vector<uint8_t> unprotected_header(data_as_uint8(data),
-                                                                         recovered_packet_number_length);
+                                            data_as_uint8(data) + encrypted_offset + recovered_packet_number_length);
    uint32_t decoded_packet_number = 0;
@ -150,8 +150,8 @@ std::vector<uint8_t> calculate_nonce(std::vector<uint8_t> client_iv, uint64_t pa
 /*
 Function that calls the AEAD decryption routine, and returns the decrypted data.
 */
-hilti::rt::Bytes decrypt(const std::vector<uint8_t>& client_key, const hilti::rt::Bytes& all_data,
+hilti::rt::Bytes decrypt(const std::vector<uint8_t>& client_key, const hilti::rt::Bytes& data, uint64_t payload_length,
-                         uint64_t payload_length, const DecryptionInformation& decryptInfo) {
+                         const DecryptionInformation& decryptInfo) {
    int out, out2;
    if ( payload_length < decryptInfo.packet_number_length + AEAD_TAG_LENGTH )
@ -163,18 +163,18 @@ hilti::rt::Bytes decrypt(const std::vector<uint8_t>& client_key, const hilti::rt
    if ( payload_length > 10000 )
        throw hilti::rt::RuntimeError(hilti::rt::fmt("payload_length too large %ld", payload_length));
-    const uint8_t* encrypted_payload = data_as_uint8(all_data) + decryptInfo.unprotected_header.size();
+    const uint8_t* encrypted_payload = data_as_uint8(data) + decryptInfo.unprotected_header.size();
    int encrypted_payload_size = payload_length - decryptInfo.packet_number_length - AEAD_TAG_LENGTH;
    if ( encrypted_payload_size < 0 )
        throw hilti::rt::RuntimeError(hilti::rt::fmt("encrypted_payload_size underflow %ld", encrypted_payload_size));
-    if ( all_data.size() < decryptInfo.unprotected_header.size() + encrypted_payload_size + AEAD_TAG_LENGTH )
+    if ( data.size() < decryptInfo.unprotected_header.size() + encrypted_payload_size + AEAD_TAG_LENGTH )
-        throw hilti::rt::RuntimeError(hilti::rt::fmt("all_data too short %ld < %ld", all_data.size(),
+        throw hilti::rt::RuntimeError(hilti::rt::fmt("data too short %ld < %ld", data.size(),
                                                     decryptInfo.unprotected_header.size() + encrypted_payload_size));
-    const void* tag_to_check = all_data.data() + decryptInfo.unprotected_header.size() + encrypted_payload_size;
+    const void* tag_to_check = data.data() + decryptInfo.unprotected_header.size() + encrypted_payload_size;
    int tag_to_check_length = AEAD_TAG_LENGTH;
    // Allocate memory for decryption.
@ -444,7 +444,7 @@ Function that is called from Spicy, decrypting an INITIAL packet and returning
 the decrypted payload back to the analyzer.
 */
 hilti::rt::Bytes QUIC_decrypt_crypto_payload(const hilti::rt::integer::safe<uint32_t>& version,
-                                             const hilti::rt::Bytes& all_data, const hilti::rt::Bytes& connection_id,
+                                             const hilti::rt::Bytes& data, const hilti::rt::Bytes& connection_id,
                                             const hilti::rt::integer::safe<uint64_t>& encrypted_offset,
                                             const hilti::rt::integer::safe<uint64_t>& payload_length,
                                             const hilti::rt::Bool& from_client) {
@ -458,9 +458,9 @@ hilti::rt::Bytes QUIC_decrypt_crypto_payload(const hilti::rt::integer::safe<uint
    if ( payload_length < 20 )
        throw hilti::rt::RuntimeError(hilti::rt::fmt("payload too small %ld < 20", payload_length));
-    if ( (all_data.size() < encrypted_offset + payload_length) )
+    if ( (data.size() < encrypted_offset + payload_length) )
        throw hilti::rt::RuntimeError(
-            hilti::rt::fmt("packet too small %ld %ld", all_data.size(), encrypted_offset + payload_length));
+            hilti::rt::fmt("packet too small %ld %ld", data.size(), encrypted_offset + payload_length));
    uint32_t v = version;
    QuicPacketProtection* qpp = nullptr;
@ -480,10 +480,10 @@ hilti::rt::Bytes QUIC_decrypt_crypto_payload(const hilti::rt::integer::safe<uint
    std::vector<uint8_t> iv = qpp->GetIv(secret);
    std::vector<uint8_t> hp = qpp->GetHp(secret);
-    DecryptionInformation decryptInfo = remove_header_protection(hp, encrypted_offset, all_data);
+    DecryptionInformation decryptInfo = remove_header_protection(hp, encrypted_offset, data);
    // Calculate the correct nonce for the decryption
    decryptInfo.nonce = calculate_nonce(iv, decryptInfo.packet_number);
-    return decrypt(key, all_data, payload_length, decryptInfo);
+    return decrypt(key, data, payload_length, decryptInfo);
 }
--- a/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/conn.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/conn.log.cut
@ -0,0 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic
--- a/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/out
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.analyzer-confirmations/out
@ -0,0 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 analyzer_confirmation, 1692198386.837988, CHhAvVGS1DHFjwGM9, Analyzer::ANALYZER_QUIC
 analyzer_confirmation, 1692198386.837988, CHhAvVGS1DHFjwGM9, Analyzer::ANALYZER_SSL
--- a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/conn.log.cut
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic
--- a/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.chromium/quic.log
@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	82.239.54.117	53727	110.213.53.115	443	1	95412c47018cdfe8	(empty)	d5412c47018cdfe8	api.cirrus-ci.com	h3	ISisH
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	82.239.54.117	53727	110.213.53.115	443	1	95412c47018cdfe8	(empty)	d5412c47018cdfe8	api.cirrus-ci.com	h3	ISishH
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.curl-http3/conn.log.cut
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic
--- a/testing/btest/Baseline/scripts.base.protocols.quic.events/out
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.events/out
@ -4,17 +4,20 @@
 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, 1b036a11, 
 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, F, 1, , fc674735
 1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , fc674735
 1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , fc674735
 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, fc674735, 
 1.0, handshake_packet, T, C4J4Th3PJpwUYZZ6gc, 1, ef3a4e06, 
 zerortt.pcap
 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, b7c7841c64883e3261d840, 
 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, F, 1, , 8d2041ac
 1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , 8d2041ac
 1.0, handshake_packet, F, C4J4Th3PJpwUYZZ6gc, 1, , 8d2041ac
 1.0, initial_packet, C4J4Th3PJpwUYZZ6gc, T, 1, 8d2041ac, 
 1.0, handshake_packet, T, C4J4Th3PJpwUYZZ6gc, 1, 5b7bc400, 
 1.0, initial_packet, CtPZjS20MLrsMUOJi2, T, 1, 15ae5e5e4962163f410b5529fc125bbc, 
 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 
 1.0, initial_packet, CtPZjS20MLrsMUOJi2, F, 1, , e483a751
 1.0, handshake_packet, F, CtPZjS20MLrsMUOJi2, 1, , e483a751
 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 
 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 
 1.0, zero_rtt_packet, T, CtPZjS20MLrsMUOJi2, 1, 15ae5e5e4962163f410b5529fc125bbc, 
--- a/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.firefox/conn.log.cut
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic
--- a/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.fragmented-crypto/conn.log.cut
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic
--- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/conn.log.cut
@ -2,4 +2,4 @@
 ts	uid	history	service
 0.015059	ClEkJM2Vm5giqnMf4h	-	-
 0.001000	CHhAvVGS1DHFjwGM9	-	-
-0.648580	C4J4Th3PJpwUYZZ6gc	Dd	quic,ssl
+0.648580	C4J4Th3PJpwUYZZ6gc	Dd	ssl,quic
--- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.handshake/quic.log
@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
-1.000000	C4J4Th3PJpwUYZZ6gc	193.167.0.100	40084	193.167.100.100	443	1	a771f6161a4072c0bf10	(empty)	5911deff	server4:443	hq-interop	ISishIH
+1.000000	C4J4Th3PJpwUYZZ6gc	193.167.0.100	40084	193.167.100.100	443	1	a771f6161a4072c0bf10	(empty)	5911deff	server4:443	hq-interop	ISishhIH
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/conn.log.cut
@ -2,4 +2,4 @@
 ts	uid	history	service
 0.000000	CHhAvVGS1DHFjwGM9	-	-
 0.016059	ClEkJM2Vm5giqnMf4h	-	-
-0.669020	C4J4Th3PJpwUYZZ6gc	Dd	quic,ssl
+0.669020	C4J4Th3PJpwUYZZ6gc	Dd	ssl,quic
--- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.retry/quic.log
@ -8,5 +8,5 @@
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
 1.000000	C4J4Th3PJpwUYZZ6gc	193.167.0.100	42834	193.167.100.100	443	1	4a8294bf9201d6cf	(empty)	-	server4:443	hq-interop	ISr
-1.000000	C4J4Th3PJpwUYZZ6gc	193.167.0.100	42834	193.167.100.100	443	1	1b036a11	(empty)	fc674735	server4:443	hq-interop	ISishIH
+1.000000	C4J4Th3PJpwUYZZ6gc	193.167.0.100	42834	193.167.100.100	443	1	1b036a11	(empty)	fc674735	server4:443	hq-interop	ISishhIH
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/conn.log.cut
@ -2,5 +2,5 @@
 ts	uid	history	service
 0.015059	ClEkJM2Vm5giqnMf4h	-	-
 0.001000	CHhAvVGS1DHFjwGM9	-	-
-0.790739	CtPZjS20MLrsMUOJi2	Dd	quic,ssl
+0.790739	CtPZjS20MLrsMUOJi2	Dd	ssl,quic
-0.718160	C4J4Th3PJpwUYZZ6gc	Dd	quic,ssl
+0.718160	C4J4Th3PJpwUYZZ6gc	Dd	ssl,quic
--- a/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.interop.quic-go_quic-go.zerortt/quic.log
@ -7,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
-1.000000	CtPZjS20MLrsMUOJi2	193.167.0.100	49394	193.167.100.100	443	1	15ae5e5e4962163f410b5529fc125bbc	(empty)	e483a751	server4:443	hq-interop	ISZisZZZZZZZZZZZZZZZZZZZZZZZZZZZIH
+1.000000	CtPZjS20MLrsMUOJi2	193.167.0.100	49394	193.167.100.100	443	1	15ae5e5e4962163f410b5529fc125bbc	(empty)	e483a751	server4:443	hq-interop	ISZishZZZZZZZZZZZZZZZZZZZZZZZZZZZIH
-1.000000	C4J4Th3PJpwUYZZ6gc	193.167.0.100	60492	193.167.100.100	443	1	b7c7841c64883e3261d840	(empty)	8d2041ac	server4:443	hq-interop	ISishIH
+1.000000	C4J4Th3PJpwUYZZ6gc	193.167.0.100	60492	193.167.100.100	443	1	b7c7841c64883e3261d840	(empty)	8d2041ac	server4:443	hq-interop	ISishhIH
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/conn.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/conn.log.cut
@ -0,0 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic
--- a/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/quic.log
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/quic.log
@ -0,0 +1,11 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	quic
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.4	53241	24.199.110.233	443	1	f21fdf87f736f235846c7f460ca017	1b3ff910	eab5f6f4	-	h3	ISishhIH
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.merlinc2/ssl.log
@ -0,0 +1,11 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	ssl_history	cert_chain_fps	client_cert_chain_fps	sni_matches_cert
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	string	vector[string]	vector[string]	bool
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.4	53241	24.199.110.233	443	TLSv13	TLS_AES_128_GCM_SHA256	x25519	-	F	-	-	F	Cs	-	-	-
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/conn.log.cut
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic
--- a/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicdoq/quic.log
@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	46907	127.0.0.1	853	1	fda05288ab9ff546	0fb934775f247b8e	a31f4933d8727231	-	doq	ISishH
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	46907	127.0.0.1	853	1	fda05288ab9ff546	0fb934775f247b8e	a31f4933d8727231	-	doq	ISishhH
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/conn.log.cut
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic
--- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-echo-443/quic.log
@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	49320	127.0.0.1	443	quicv2	fa603212c8688817af3d3238735bc7	(empty)	b168b5cc	localhost	quic-echo-example	ISIIisIH
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	49320	127.0.0.1	443	quicv2	fa603212c8688817af3d3238735bc7	(empty)	b168b5cc	localhost	quic-echo-example	ISIIishIH
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/conn.log.cut
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic
--- a/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.quicv2-http3-443/quic.log
@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	client_initial_dcid	client_scid	server_scid	server_name	client_protocol	history
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	50841	127.0.0.1	443	quicv2	bdf0c5b27927cc667e58d95b	71b8f3f4	cdc8b6e6	-	h3	ISishIHH
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	50841	127.0.0.1	443	quicv2	bdf0c5b27927cc667e58d95b	71b8f3f4	cdc8b6e6	-	h3	ISishhIHH
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.run-pcap/conn.log.cut
@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	history	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	ssl,quic
--- a/testing/btest/Traces/README
+++ b/testing/btest/Traces/README
@ -29,3 +29,6 @@ Trace Index/Sources:
 - http/cooper-grill-dvwa.pcapng
  Provided by cooper-grill on #3995
  https://github.com/zeek/zeek/pull/3995
 - quic/merlinc2_Zeek_example.pcapng
  Provided by Faan Rossouw on #4198
  https://github.com/zeek/zeek/issues/4198
--- a/testing/btest/Traces/quic/merlinc2_Zeek_example.pcapng
+++ b/testing/btest/Traces/quic/merlinc2_Zeek_example.pcapng
--- a/testing/btest/scripts/base/protocols/quic/analyzer-confirmations.zeek
+++ b/testing/btest/scripts/base/protocols/quic/analyzer-confirmations.zeek
@ -0,0 +1,15 @@
 # @TEST-DOC: Test the order of analyzer confirmations for QUIC and SSL, QUIC should come first.
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
 # @TEST-EXEC: zeek -Cr $TRACES/quic/chromium-115.0.5790.110-api-cirrus-com.pcap %INPUT >out
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff out
 # @TEST-EXEC: btest-diff conn.log.cut
@load base/protocols/quic
 event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
 	{
 	print "analyzer_confirmation", network_time(), info$c$uid, atype;
 	}
--- a/testing/btest/scripts/base/protocols/quic/merlinc2.zeek
+++ b/testing/btest/scripts/base/protocols/quic/merlinc2.zeek
@ -0,0 +1,8 @@
 # @TEST-DOC: Test PCAP for Merlin C2 from issue #4198
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
 # @TEST-EXEC: zeek -Cr $TRACES/quic/merlinc2_Zeek_example.pcapng base/protocols/quic
 # @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
 # @TEST-EXEC: btest-diff conn.log.cut
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff quic.log