zenhttp improvements (robustness / correctness) (#968)

A collection of security, correctness, and robustness fixes in `zenhttp` and `zencore` surfaced by security review. Most items are small, independent commits grouped here because they all tighten trust boundaries or fix UB along the same code paths.

## WebSocket protocol hardening (RFC 6455)

- **Enforce the client-side mask bit**. Server-side frame loops now reject unmasked frames with close code 1002 per §5.1. Prevents HTTP intermediary smuggling.
- **Validate control frames and RSV bits**. Fragmented control frames, oversized (>125 B) control payloads, and any non-zero RSV bit now fail the connection before allocation.
- **Lower per-frame payload cap** from 256 MB → 4 MB. Bounds per-connection accumulator memory.
- **Implement message fragmentation**. Continuation frames are coalesced and delivered as a single message; interleaved non-control frames close with 1002; assembled messages are capped at 4 MB (1009 on overflow). Previously partial fragments were delivered to handlers, bypassing payload validation.
- **Parse the 101 handshake response properly** in `HttpWsClient`. Status-line, `Upgrade`, `Connection`, and `Sec-WebSocket-Accept` are now matched exactly rather than via substring searches against the full body.

## Auth / OIDC hardening

- **Constant-time password compare** in `PasswordSecurity::IsAllowed` (closes a remote length/content timing oracle). Adds a shared `ConstantTimeEquals` helper.
- **Harden Basic-auth header parsing**: trim trailing LWS, reject control bytes and DEL in the credential.
- **OIDC discovery pinning**: require HTTPS (loopback exempt), verify `issuer` matches `BaseUrl`, require `token_endpoint` / `userinfo_endpoint` / `jwks_uri` to share origin with `BaseUrl`, reject empty `token_endpoint`.
- **Restrict `POST /auth/oidc/refreshtoken`** to local-machine requests. Previously unauthenticated in default deployments — remote callers could evict or replace cached tokens.
- **Stop logging OIDC provider response bodies** on refresh failure (IdPs echo `refresh_token` back in error bodies).
- **Drop the unused `IdentityToken` field** from `OidcClient` / `OpenIdToken` so nothing in the tree accidentally trusts an unverified JWT.

## Auth state encryption migration

- Add `AesGcm` AEAD primitive (BCrypt / OpenSSL backends, mbedTLS stubbed) and `CryptoRandom::Fill` CSPRNG helper in `zencore/crypto.h`.
- Migrate authstate file from AES-256-CBC with a fixed IV to AES-GCM with a fresh 12-byte random nonce per write and the 4-byte `ZEN1` magic bound as AAD. Legacy-CBC files are transparently read once and rewritten in the new format.

## Filesystem / IO robustness

- `IoBufferExtendedCore::Materialize` now checks `MAP_FAILED` on POSIX (was comparing to `nullptr`, which let the failure sentinel propagate into later reads and `munmap(MAP_FAILED, ...)`).
- `IoBufferBuilder::MakeFromFile / MakeFromTemporaryFile`: close the FD/HANDLE on exception via a dismissable `ScopeGuard`; actually check the `fstat()` return value (previously used an uninitialized `FileSize`).
- `ReadFromFileMaybe`: loop short reads, retry `EINTR`, chunk Windows `ReadFile` at `0xFFFFFFFF` bytes (fixes silent truncation of multi-GiB reads).
- `WipeDirectory`: compare `FindFirstFileW` handle against `INVALID_HANDLE_VALUE` rather than `nullptr`.
- `RemoveFileNative` (Linux/macOS): report non-`ENOENT` stat failures via the `std::error_code` out-param and stop reading `st_mode` after a failed stat.

## Buffer / compression correctness

- Avoid per-copy `IoBufferCore` heap allocations in `CompositeBuffer::CopyTo / ViewOrCopyRange` iterators; add fast path for `BufferHeader::Read` when the 64-byte header fits in the first plain-memory segment.
- `BufferHeader`: add `IsHeaderValid()` gate covering `BlockSizeExponent` range, `BlockCount * BlockSize` overflow, and `TotalRawSize` bounds before any arithmetic uses them. Defends against attacker-controlled headers that can pass the CRC and trigger OOB writes in `DecompressBlock`.

1 files changed, 217 insertions, 25 deletions

diff --git a/src/zenhttp/auth/authmgr.cpp b/src/zenhttp/auth/authmgr.cpp
index 2fa22f2c2..9d10b1ba6 100644
--- a/src/zenhttp/auth/authmgr.cpp
+++ b/src/zenhttp/auth/authmgr.cpp
@@ -12,6 +12,11 @@
 #include <zencore/trace.h>
 #include <zenhttp/auth/oidc.h>
 
+#if ZEN_WITH_TESTS
+#	include <zencore/testing.h>
+#	include <zencore/testutils.h>
+#endif
+
 #include <condition_variable>
 #include <memory>
 #include <shared_mutex>
@@ -25,13 +30,37 @@ namespace zen {
 using namespace std::literals;
 
 namespace details {
+	// On-disk format for the GCM-encrypted authstate:
+	//
+	//   [ 4 bytes: magic "ZEN1" ]
+	//   [12 bytes: GCM nonce    ]  — fresh random value per write
+	//   [ N bytes: ciphertext   ]  — same length as the plaintext
+	//   [16 bytes: GCM tag      ]
+	//
+	// The magic is bound into the authentication by passing it as AAD to
+	// AesGcm; that ties the tag to the exact header bytes, so an attacker
+	// cannot strip the format indicator or swap to a different format without
+	// failing authentication.
+	//
+	// The magic also doubles as the format version.  If the framing ever
+	// needs to change (e.g. adding a key-identifier for rotation), bump to
+	// "ZEN2" and teach the reader to accept both.
+	constexpr std::string_view kAuthStateMagic	  = "ZEN1";
+	constexpr size_t		   kAuthStateHeaderSz = 4 + AesGcm::NonceSize;
+
 	IoBuffer ReadEncryptedFile(std::filesystem::path	   Path,
 							   const AesKey256Bit&		   Key,
-							   const AesIV128Bit&		   IV,
-							   std::optional<std::string>& Reason)
+							   const AesIV128Bit&		   LegacyIV,
+							   std::optional<std::string>& Reason,
+							   bool*					   OutWasLegacy = nullptr)
 	{
 		ZEN_TRACE_CPU("AuthMgr::ReadEncryptedFile");
 
+		if (OutWasLegacy)
+		{
+			*OutWasLegacy = false;
+		}
+
 		FileContents Result = ReadFile(Path);
 
 		if (Result.ErrorCode)
@@ -46,24 +75,52 @@ namespace details {
 			return IoBuffer();
 		}
 
+		// Current format: magic-prefixed AES-256-GCM
+		if (EncryptedBuffer.GetSize() >= kAuthStateHeaderSz + AesGcm::TagSize &&
+			memcmp(EncryptedBuffer.GetData(), kAuthStateMagic.data(), kAuthStateMagic.size()) == 0)
+		{
+			const uint8_t* Bytes	  = static_cast<const uint8_t*>(EncryptedBuffer.GetData());
+			const size_t   Total	  = EncryptedBuffer.GetSize();
+			const size_t   CipherSize = Total - kAuthStateHeaderSz - AesGcm::TagSize;
+
+			MemoryView Magic(Bytes, kAuthStateMagic.size());
+			MemoryView Nonce(Bytes + kAuthStateMagic.size(), AesGcm::NonceSize);
+			MemoryView Cipher(Bytes + kAuthStateHeaderSz, CipherSize);
+			MemoryView Tag(Bytes + kAuthStateHeaderSz + CipherSize, AesGcm::TagSize);
+
+			std::vector<uint8_t> PlainBuffer(CipherSize);
+			MemoryView PlainView = AesGcm::Decrypt(Key, Nonce, /*Aad=*/Magic, Cipher, Tag, MakeMutableMemoryView(PlainBuffer), Reason);
+
+			if (PlainView.IsEmpty())
+			{
+				return IoBuffer();
+			}
+
+			return IoBufferBuilder::MakeCloneFromMemory(PlainView);
+		}
+
+		// Legacy format: raw AES-256-CBC with the caller-configured IV.
+		// Decrypt it once so we don't lose the user's cached state across
+		// the upgrade; the next SaveState will rewrite in the GCM format.
 		std::vector<uint8_t> DecryptionBuffer;
 		DecryptionBuffer.resize(EncryptedBuffer.GetSize() + Aes::BlockSize);
 
-		MemoryView DecryptedView = Aes::Decrypt(Key, IV, EncryptedBuffer, MakeMutableMemoryView(DecryptionBuffer), Reason);
+		MemoryView DecryptedView = Aes::Decrypt(Key, LegacyIV, EncryptedBuffer, MakeMutableMemoryView(DecryptionBuffer), Reason);
 
 		if (DecryptedView.IsEmpty())
 		{
 			return IoBuffer();
 		}
 
+		if (OutWasLegacy)
+		{
+			*OutWasLegacy = true;
+		}
+
 		return IoBufferBuilder::MakeCloneFromMemory(DecryptedView);
 	}
 
-	void WriteEncryptedFile(std::filesystem::path		Path,
-							IoBuffer					FileData,
-							const AesKey256Bit&			Key,
-							const AesIV128Bit&			IV,
-							std::optional<std::string>& Reason)
+	void WriteEncryptedFile(std::filesystem::path Path, IoBuffer FileData, const AesKey256Bit& Key, std::optional<std::string>& Reason)
 	{
 		ZEN_TRACE_CPU("AuthMgr::WriteEncryptedFile");
 
@@ -72,17 +129,44 @@ namespace details {
 			return;
 		}
 
-		std::vector<uint8_t> EncryptionBuffer;
-		EncryptionBuffer.resize(FileData.GetSize() + Aes::BlockSize);
+		if (!Key.IsValid())
+		{
+			Reason = "invalid key";
+			return;
+		}
+
+		// Fresh nonce per write.  Never reuse a (Key, Nonce) pair — GCM is
+		// catastrophically broken under nonce reuse.
+		uint8_t Nonce[AesGcm::NonceSize];
+		if (!CryptoRandom::Fill(MakeMutableMemoryView(Nonce), &Reason))
+		{
+			return;
+		}
+
+		std::vector<uint8_t> FileBuffer;
+		FileBuffer.resize(kAuthStateHeaderSz + FileData.GetSize() + AesGcm::TagSize);
+
+		// [magic][nonce][cipher][tag]
+		memcpy(FileBuffer.data(), kAuthStateMagic.data(), kAuthStateMagic.size());
+		memcpy(FileBuffer.data() + kAuthStateMagic.size(), Nonce, AesGcm::NonceSize);
 
-		MemoryView EncryptedView = Aes::Encrypt(Key, IV, FileData, MakeMutableMemoryView(EncryptionBuffer), Reason);
+		MutableMemoryView CipherOut(FileBuffer.data() + kAuthStateHeaderSz, FileData.GetSize());
+		MutableMemoryView TagOut(FileBuffer.data() + kAuthStateHeaderSz + FileData.GetSize(), AesGcm::TagSize);
 
-		if (EncryptedView.IsEmpty())
+		MemoryView CipherView = AesGcm::Encrypt(Key,
+												MakeMemoryView(Nonce),
+												/*Aad=*/MakeMemoryView(kAuthStateMagic),
+												FileData.GetView(),
+												CipherOut,
+												TagOut,
+												Reason);
+
+		if (CipherView.IsEmpty())
 		{
 			return;
 		}
 
-		TemporaryFile::SafeWriteFile(Path, EncryptedView);
+		TemporaryFile::SafeWriteFile(Path, MakeMemoryView(FileBuffer));
 	}
 }  // namespace details
 
@@ -191,10 +275,9 @@ public:
 		bool IsNew = false;
 
 		{
-			auto Token = OpenIdToken{.IdentityToken = RefreshResult.IdentityToken,
-									 .RefreshToken	= RefreshResult.RefreshToken,
-									 .AccessToken	= fmt::format("Bearer {}"sv, RefreshResult.AccessToken),
-									 .ExpireTime	= Clock::now() + Seconds(RefreshResult.ExpiresInSeconds)};
+			auto Token = OpenIdToken{.RefreshToken = RefreshResult.RefreshToken,
+									 .AccessToken  = fmt::format("Bearer {}"sv, RefreshResult.AccessToken),
+									 .ExpireTime   = Clock::now() + Seconds(RefreshResult.ExpiresInSeconds)};
 
 			std::unique_lock _(m_TokenMutex);
 
@@ -240,7 +323,6 @@ private:
 
 	struct OpenIdToken
 	{
-		std::string IdentityToken;
 		std::string RefreshToken;
 		std::string AccessToken;
 		TimePoint	ExpireTime{};
@@ -283,9 +365,18 @@ private:
 		try
 		{
 			std::optional<std::string> Reason;
+			bool					   WasLegacy = false;
+
+			IoBuffer Buffer = details::ReadEncryptedFile(m_Config.RootDirectory / "authstate"sv,
+														 m_Config.EncryptionKey,
+														 m_Config.EncryptionIV,
+														 Reason,
+														 &WasLegacy);
 
-			IoBuffer Buffer =
-				details::ReadEncryptedFile(m_Config.RootDirectory / "authstate"sv, m_Config.EncryptionKey, m_Config.EncryptionIV, Reason);
+			if (Buffer && WasLegacy)
+			{
+				ZEN_INFO("authstate read via legacy AES-CBC fallback; next save will migrate to AES-GCM");
+			}
 
 			if (!Buffer)
 			{
@@ -399,7 +490,6 @@ private:
 			details::WriteEncryptedFile(m_Config.RootDirectory / "authstate"sv,
 										AuthState.Save().GetBuffer().AsIoBuffer(),
 										m_Config.EncryptionKey,
-										m_Config.EncryptionIV,
 										Reason);
 
 			if (Reason)
@@ -466,10 +556,9 @@ private:
 					{
 						ZEN_DEBUG("refresh access token from provider '{}' Ok", Kv.first);
 
-						auto Token = OpenIdToken{.IdentityToken = RefreshResult.IdentityToken,
-												 .RefreshToken	= RefreshResult.RefreshToken,
-												 .AccessToken	= fmt::format("Bearer {}"sv, RefreshResult.AccessToken),
-												 .ExpireTime	= Clock::now() + Seconds(RefreshResult.ExpiresInSeconds)};
+						auto Token = OpenIdToken{.RefreshToken = RefreshResult.RefreshToken,
+												 .AccessToken  = fmt::format("Bearer {}"sv, RefreshResult.AccessToken),
+												 .ExpireTime   = Clock::now() + Seconds(RefreshResult.ExpiresInSeconds)};
 
 						{
 							std::unique_lock _(m_TokenMutex);
@@ -534,4 +623,107 @@ AuthMgr::Create(const AuthConfig& Config)
 	return std::make_unique<AuthMgrImpl>(Config);
 }
 
+#if ZEN_WITH_TESTS
+
+TEST_SUITE_BEGIN("http.authmgr");
+
+TEST_CASE("authmgr.authstate_gcm_roundtrip")
+{
+	ScopedTemporaryDirectory TmpDir;
+	std::filesystem::path	 Path = TmpDir.Path() / "authstate";
+
+	const AesKey256Bit Key = AesKey256Bit::FromString("abcdefghijklmnopqrstuvxyz0123456"sv);
+	const AesIV128Bit  UnusedIv;  // ignored on write, unused on GCM read
+
+	const std::string_view Plain = "sensitive compact-binary payload representing cached auth state"sv;
+	IoBuffer			   InBuf = IoBufferBuilder::MakeCloneFromMemory(MakeMemoryView(Plain));
+
+	std::optional<std::string> WriteReason;
+	details::WriteEncryptedFile(Path, InBuf, Key, WriteReason);
+	REQUIRE_FALSE(WriteReason.has_value());
+
+	std::optional<std::string> ReadReason;
+	bool					   WasLegacy = true;
+	IoBuffer				   Out		 = details::ReadEncryptedFile(Path, Key, UnusedIv, ReadReason, &WasLegacy);
+	REQUIRE_FALSE(ReadReason.has_value());
+	REQUIRE(Out.GetSize() == Plain.size());
+	CHECK(memcmp(Out.GetData(), Plain.data(), Plain.size()) == 0);
+	CHECK_FALSE(WasLegacy);
+}
+
+TEST_CASE("authmgr.authstate_legacy_cbc_fallback")
+{
+	// Hand-craft a legacy-format authstate file (raw AES-CBC, no magic) and
+	// verify the reader falls back, returns the plaintext, and flags the file
+	// as legacy so the caller can rewrite it in the new format.
+	ScopedTemporaryDirectory TmpDir;
+	std::filesystem::path	 Path = TmpDir.Path() / "authstate";
+
+	const AesKey256Bit Key		 = AesKey256Bit::FromString("abcdefghijklmnopqrstuvxyz0123456"sv);
+	const uint8_t	   IvBytes[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
+	const AesIV128Bit  LegacyIv	 = AesIV128Bit::FromMemoryView(MakeMemoryView(IvBytes));
+
+	const std::string_view Plain = "legacy authstate payload"sv;
+
+	std::vector<uint8_t>	   CbcBuf(Plain.size() + Aes::BlockSize);
+	std::optional<std::string> CbcReason;
+	MemoryView				   CbcView = Aes::Encrypt(Key, LegacyIv, MakeMemoryView(Plain), MakeMutableMemoryView(CbcBuf), CbcReason);
+	REQUIRE_FALSE(CbcReason.has_value());
+
+	TemporaryFile::SafeWriteFile(Path, CbcView);
+
+	std::optional<std::string> ReadReason;
+	bool					   WasLegacy = false;
+	IoBuffer				   Out		 = details::ReadEncryptedFile(Path, Key, LegacyIv, ReadReason, &WasLegacy);
+	REQUIRE_FALSE(ReadReason.has_value());
+	REQUIRE(Out.GetSize() == Plain.size());
+	CHECK(memcmp(Out.GetData(), Plain.data(), Plain.size()) == 0);
+	CHECK(WasLegacy);
+}
+
+TEST_CASE("authmgr.authstate_gcm_tamper_detection")
+{
+	ScopedTemporaryDirectory TmpDir;
+	std::filesystem::path	 Path = TmpDir.Path() / "authstate";
+
+	const AesKey256Bit Key = AesKey256Bit::FromString("abcdefghijklmnopqrstuvxyz0123456"sv);
+	const AesIV128Bit  UnusedIv;
+
+	const std::string_view Plain = "payload that should not decrypt after tampering"sv;
+	IoBuffer			   InBuf = IoBufferBuilder::MakeCloneFromMemory(MakeMemoryView(Plain));
+
+	std::optional<std::string> WriteReason;
+	details::WriteEncryptedFile(Path, InBuf, Key, WriteReason);
+	REQUIRE_FALSE(WriteReason.has_value());
+
+	// Flip a single byte in the middle of the ciphertext region (past magic +
+	// nonce) and verify the GCM tag check rejects the tampered file.  Copy
+	// the bytes out first and drop the FileContents / IoBuffer handles before
+	// rewriting so the underlying file isn't still open when we overwrite it.
+	std::vector<uint8_t> Mutated;
+	{
+		FileContents FC	   = ReadFile(Path);
+		IoBuffer	 Whole = FC.Flatten();
+		REQUIRE(Whole.GetSize() > 4 + AesGcm::NonceSize);
+		Mutated.assign(static_cast<const uint8_t*>(Whole.GetData()), static_cast<const uint8_t*>(Whole.GetData()) + Whole.GetSize());
+	}
+	Mutated[4 + AesGcm::NonceSize] ^= 0x40;
+	TemporaryFile::SafeWriteFile(Path, MakeMemoryView(Mutated));
+
+	std::optional<std::string> ReadReason;
+	bool					   WasLegacy = false;
+	IoBuffer				   Out		 = details::ReadEncryptedFile(Path, Key, UnusedIv, ReadReason, &WasLegacy);
+	CHECK(ReadReason.has_value());
+	CHECK(Out.GetSize() == 0);
+}
+
+TEST_SUITE_END();
+
+void
+authmgr_forcelink()
+{
+}
+
+#endif	// ZEN_WITH_TESTS
+
 }  // namespace zen