fix: security hardening — 40 findings from full codebase review

Full codebase review by 4 independent agents (security, architecture, code quality, correctness) identified ~80 findings. This commit fixes 40 of them across all workspace crates. Critical fixes: - Federation service: validate origin against mTLS cert CN/SAN (C1) - WS bridge: add DM channel auth, size limits, rate limiting (C2) - hpke_seal: panic on error instead of silent empty ciphertext (C3) - hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7) Security fixes: - Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes() returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password, conversation hex_key all wrapped in Zeroizing - Keystore: 0o600 file permissions on Unix - MeshIdentity: 0o600 file permissions on Unix - Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor - Mobile: TLS verification gated behind insecure-dev feature flag - Proto: from_bytes default limit tightened from 64 MiB to 8 MiB Correctness fixes: - fetch_wait: register waiter before fetch to close TOCTOU window - MeshEnvelope: exclude hop_count from signature (forwarding no longer invalidates sender signature) - BroadcastChannel: encrypt returns Result instead of panicking - transcript: rename verify_transcript_chain → validate_transcript_structure - group.rs: extract shared process_incoming() for receive_message variants - auth_ops: remove spurious RegistrationRequest deserialization - MeshStore.seen: bounded to 100K with FIFO eviction Quality fixes: - FFI error classification: typed downcast instead of string matching - Plugin HookVTable: SAFETY documentation for unsafe Send+Sync - clippy::unwrap_used: warn → deny workspace-wide - Various .unwrap_or("") → proper error returns Review report: docs/REVIEW-2026-03-04.md 152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)
2026-03-04 07:52:12 +01:00
parent 4694a3098b
commit 394199b19b
58 changed files with 3893 additions and 414 deletions
--- a/crates/quicproquo-ffi/Cargo.toml
+++ b/crates/quicproquo-ffi/Cargo.toml
@@ -12,6 +12,7 @@ crate-type = ["cdylib", "staticlib"]
 quicproquo-client = { path = "../quicproquo-client" }
 tokio = { workspace = true }
 anyhow = { workspace = true }
+capnp = { workspace = true }
 serde_json = { workspace = true }
 hex = { workspace = true }

--- a/crates/quicproquo-ffi/src/lib.rs
+++ b/crates/quicproquo-ffi/src/lib.rs
@@ -40,6 +40,42 @@ impl QpqHandle {
    }
 }

+// ---------------------------------------------------------------------------
+// Error classification
+// ---------------------------------------------------------------------------
+
+/// Classify an `anyhow::Error` from `cmd_login` into an FFI status code.
+///
+/// Checks the error chain for typed downcasting before falling back to
+/// message-based heuristics.
+fn classify_login_error(err: &anyhow::Error) -> i32 {
+    // Check error chain for OPAQUE-specific typed errors.
+    for cause in err.chain() {
+        // capnp::Error indicates transport/RPC failure.
+        if cause.downcast_ref::<capnp::Error>().is_some() {
+            return QPQ_ERROR;
+        }
+    }
+    // Fall back to message inspection for OPAQUE authentication failures,
+    // since opaque-ke errors are converted to anyhow strings upstream.
+    let msg = format!("{err:#}");
+    if msg.contains("OPAQUE") || msg.contains("bad password") || msg.contains("credential") {
+        QPQ_AUTH_FAILED
+    } else {
+        QPQ_ERROR
+    }
+}
+
+/// Classify an `anyhow::Error` from receive operations into an FFI status code.
+fn classify_receive_error(err: &anyhow::Error) -> i32 {
+    let msg = format!("{err:#}");
+    if msg.contains("timeout") || msg.contains("Timeout") || msg.contains("timed out") {
+        QPQ_TIMEOUT
+    } else {
+        QPQ_ERROR
+    }
+}
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
@@ -180,13 +216,9 @@ pub unsafe extern "C" fn qpq_login(
        }
        Err(e) => {
            let msg = format!("{e:#}");
-            if msg.contains("auth") || msg.contains("OPAQUE") || msg.contains("credential") {
-                h.set_error(&msg);
-                QPQ_AUTH_FAILED
-            } else {
-                h.set_error(&msg);
-                QPQ_ERROR
-            }
+            let code = classify_login_error(&e);
+            h.set_error(&msg);
+            code
        }
    }
 }
@@ -345,13 +377,9 @@ pub unsafe extern "C" fn qpq_receive(
        }
        Err(e) => {
            let msg = format!("{e:#}");
-            if msg.contains("timeout") || msg.contains("Timeout") {
-                h.set_error(&msg);
-                QPQ_TIMEOUT
-            } else {
-                h.set_error(&msg);
-                QPQ_ERROR
-            }
+            let code = classify_receive_error(&e);
+            h.set_error(&msg);
+            code
        }
    }
 }