zenhttp improvements (robustness / correctness) (#968)

A collection of security, correctness, and robustness fixes in `zenhttp` and `zencore` surfaced by security review. Most items are small, independent commits grouped here because they all tighten trust boundaries or fix UB along the same code paths.

## WebSocket protocol hardening (RFC 6455)

- **Enforce the client-side mask bit**. Server-side frame loops now reject unmasked frames with close code 1002 per §5.1. Prevents HTTP intermediary smuggling.
- **Validate control frames and RSV bits**. Fragmented control frames, oversized (>125 B) control payloads, and any non-zero RSV bit now fail the connection before allocation.
- **Lower per-frame payload cap** from 256 MB → 4 MB. Bounds per-connection accumulator memory.
- **Implement message fragmentation**. Continuation frames are coalesced and delivered as a single message; interleaved non-control frames close with 1002; assembled messages are capped at 4 MB (1009 on overflow). Previously partial fragments were delivered to handlers, bypassing payload validation.
- **Parse the 101 handshake response properly** in `HttpWsClient`. Status-line, `Upgrade`, `Connection`, and `Sec-WebSocket-Accept` are now matched exactly rather than via substring searches against the full body.

## Auth / OIDC hardening

- **Constant-time password compare** in `PasswordSecurity::IsAllowed` (closes a remote length/content timing oracle). Adds a shared `ConstantTimeEquals` helper.
- **Harden Basic-auth header parsing**: trim trailing LWS, reject control bytes and DEL in the credential.
- **OIDC discovery pinning**: require HTTPS (loopback exempt), verify `issuer` matches `BaseUrl`, require `token_endpoint` / `userinfo_endpoint` / `jwks_uri` to share origin with `BaseUrl`, reject empty `token_endpoint`.
- **Restrict `POST /auth/oidc/refreshtoken`** to local-machine requests. Previously unauthenticated in default deployments — remote callers could evict or replace cached tokens.
- **Stop logging OIDC provider response bodies** on refresh failure (IdPs echo `refresh_token` back in error bodies).
- **Drop the unused `IdentityToken` field** from `OidcClient` / `OpenIdToken` so nothing in the tree accidentally trusts an unverified JWT.

## Auth state encryption migration

- Add `AesGcm` AEAD primitive (BCrypt / OpenSSL backends, mbedTLS stubbed) and `CryptoRandom::Fill` CSPRNG helper in `zencore/crypto.h`.
- Migrate authstate file from AES-256-CBC with a fixed IV to AES-GCM with a fresh 12-byte random nonce per write and the 4-byte `ZEN1` magic bound as AAD. Legacy-CBC files are transparently read once and rewritten in the new format.

## Filesystem / IO robustness

- `IoBufferExtendedCore::Materialize` now checks `MAP_FAILED` on POSIX (was comparing to `nullptr`, which let the failure sentinel propagate into later reads and `munmap(MAP_FAILED, ...)`).
- `IoBufferBuilder::MakeFromFile / MakeFromTemporaryFile`: close the FD/HANDLE on exception via a dismissable `ScopeGuard`; actually check the `fstat()` return value (previously used an uninitialized `FileSize`).
- `ReadFromFileMaybe`: loop short reads, retry `EINTR`, chunk Windows `ReadFile` at `0xFFFFFFFF` bytes (fixes silent truncation of multi-GiB reads).
- `WipeDirectory`: compare `FindFirstFileW` handle against `INVALID_HANDLE_VALUE` rather than `nullptr`.
- `RemoveFileNative` (Linux/macOS): report non-`ENOENT` stat failures via the `std::error_code` out-param and stop reading `st_mode` after a failed stat.

## Buffer / compression correctness

- Avoid per-copy `IoBufferCore` heap allocations in `CompositeBuffer::CopyTo / ViewOrCopyRange` iterators; add fast path for `BufferHeader::Read` when the 64-byte header fits in the first plain-memory segment.
- `BufferHeader`: add `IsHeaderValid()` gate covering `BlockSizeExponent` range, `BlockCount * BlockSize` overflow, and `TotalRawSize` bounds before any arithmetic uses them. Defends against attacker-controlled headers that can pass the CRC and trigger OOB writes in `DecompressBlock`.

1 files changed, 55 insertions, 8 deletions

diff --git a/src/zenhttp/servers/wsframecodec.cpp b/src/zenhttp/servers/wsframecodec.cpp
index e452141fe..781f04c5e 100644
--- a/src/zenhttp/servers/wsframecodec.cpp
+++ b/src/zenhttp/servers/wsframecodec.cpp
@@ -16,7 +16,7 @@ namespace zen {
 //
 
 WsFrameParseResult
-WsFrameCodec::TryParseFrame(const uint8_t* Data, size_t Size)
+WsFrameCodec::TryParseFrame(const uint8_t* Data, size_t Size, bool RequireMask)
 {
 	// Minimum frame: 2 bytes header (unmasked server frames) or 6 bytes (masked client frames)
 	if (Size < 2)
@@ -24,10 +24,48 @@ WsFrameCodec::TryParseFrame(const uint8_t* Data, size_t Size)
 		return {};
 	}
 
-	const bool	  Fin		 = (Data[0] & 0x80) != 0;
-	const uint8_t OpcodeRaw	 = Data[0] & 0x0F;
-	const bool	  Masked	 = (Data[1] & 0x80) != 0;
-	uint64_t	  PayloadLen = Data[1] & 0x7F;
+	const bool	  Fin		  = (Data[0] & 0x80) != 0;
+	const uint8_t RsvBits	  = Data[0] & 0x70;
+	const uint8_t OpcodeRaw	  = Data[0] & 0x0F;
+	const bool	  Masked	  = (Data[1] & 0x80) != 0;
+	const uint8_t ShortLength = Data[1] & 0x7F;
+	uint64_t	  PayloadLen  = ShortLength;
+
+	const bool IsControlFrame = (OpcodeRaw & 0x08) != 0;
+
+	// RFC 6455 section 5.2: RSV1/2/3 must be zero unless a negotiated extension
+	// defines them.  We do not negotiate any extensions, so any non-zero RSV bit
+	// is a protocol violation.
+	if (RsvBits != 0)
+	{
+		WsFrameParseResult Error;
+		Error.Status = WsFrameParseStatus::kProtocolError;
+		return Error;
+	}
+
+	// RFC 6455 section 5.5: control frames (Close / Ping / Pong and any opcode
+	// in 0x8..0xF) MUST NOT be fragmented and MUST have a payload of 125 bytes
+	// or less.  Rejecting fragmented or oversized control frames prevents a
+	// peer from tying up unbounded memory inside an auto-pong, and closes off
+	// a class of smuggling tricks where handlers might observe partial control
+	// payloads.
+	if (IsControlFrame && (!Fin || ShortLength > 125))
+	{
+		WsFrameParseResult Error;
+		Error.Status = WsFrameParseStatus::kProtocolError;
+		return Error;
+	}
+
+	// RFC 6455 section 5.1: a server MUST close the connection upon receiving an
+	// unmasked client frame.  Signal this distinctly from "need more data" so the
+	// server close path can trigger a 1002 close rather than stalling for bytes
+	// that will never satisfy the parse.
+	if (RequireMask && !Masked)
+	{
+		WsFrameParseResult Error;
+		Error.Status = WsFrameParseStatus::kProtocolError;
+		return Error;
+	}
 
 	size_t HeaderSize = 2;
 
@@ -51,11 +89,19 @@ WsFrameCodec::TryParseFrame(const uint8_t* Data, size_t Size)
 		HeaderSize = 10;
 	}
 
-	// Reject frames with unreasonable payload sizes to prevent OOM
-	static constexpr uint64_t kMaxPayloadSize = 256 * 1024 * 1024;	// 256 MB
+	// Reject frames with unreasonable payload sizes to bound per-connection
+	// memory.  Parsers accumulate the whole frame before dispatch (see the
+	// read loops in wsasio.cpp / wshttpsys.cpp), so this cap also bounds the
+	// accumulator: a peer that advertises a large frame and streams bytes
+	// slowly cannot grow buffers past this limit.  4 MB is well above anything
+	// the monitoring / stats endpoints produce; raise it if a legitimate use
+	// case emerges.
+	static constexpr uint64_t kMaxPayloadSize = 4 * 1024 * 1024;  // 4 MB
 	if (PayloadLen > kMaxPayloadSize)
 	{
-		return {};
+		WsFrameParseResult Error;
+		Error.Status = WsFrameParseStatus::kProtocolError;
+		return Error;
 	}
 
 	const size_t MaskSize	= Masked ? 4 : 0;
@@ -70,6 +116,7 @@ WsFrameCodec::TryParseFrame(const uint8_t* Data, size_t Size)
 	const uint8_t* PayloadData = Data + HeaderSize + MaskSize;
 
 	WsFrameParseResult Result;
+	Result.Status		 = WsFrameParseStatus::kValid;
 	Result.IsValid		 = true;
 	Result.BytesConsumed = TotalFrame;
 	Result.Opcode		 = static_cast<WebSocketOpcode>(OpcodeRaw);