Fix 11 audit issues: smuggling flag, HPACK safety, TLS hardening, memory caps

H1: Flag HTTP request smuggling when both Content-Length and
    Transfer-Encoding are present (smuggling_risk field on HttpMessage).
M1: Reduce H2Tracker limits (10K→2K connections, 16→2 MB buffers).
M2: Skip HPACK decode on truncated header blocks (header_overflow flag).
M3: Track multiple discarded H2 streams via HashMap (was single Option).
M4: Cap HTTP messages per stream parse at 200.
M5: Optimize find_next_http_start with per-first-byte method groups.
M6: Apply MAX_BODY_SIZE cap to Content-Length bodies.
M7: Discard TLS keys after KeyUpdate instead of futile retries.
M8: Reassemble fragmented TLS handshakes across records (64 KB buffer).
M9: Zeroize keylog file contents after parsing.
M10: Per-direction TLS 1.3 phase flags to eliminate fragile dual-try.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: georgeglarson

src/output/mod.rs

@@ -699,6 +699,7 @@ mod tests {
             },
             headers: vec![("Host".into(), "example.com".into())],
             body: String::new(),
+            smuggling_risk: false,
         };
         let (header, body) = f.format_http_text("stream-1", &msg, &None);
         assert!(header.contains("HTTP"));
@@ -718,6 +719,7 @@ mod tests {
             },
             headers: vec![],
             body: "hello".into(),
+            smuggling_risk: false,
         };
         let (header, body) = f.format_http_text("stream-2", &msg, &None);
         assert!(header.contains("200 OK"));
@@ -815,6 +817,7 @@ mod tests {
             },
             headers: vec![],
             body: String::new(),
+            smuggling_risk: false,
         };
         let j = f.format_http_json("stream-1", &msg);
         assert_eq!(j["type"], "http");

src/protocol/http.rs

@@ -6,6 +6,10 @@ pub struct HttpMessage {
     pub kind: HttpKind,
     pub headers: Vec<(String, String)>,
     pub body: String,
+    /// H1: True when both Content-Length and Transfer-Encoding are present,
+    /// indicating a potential HTTP request smuggling vector.
+    #[serde(skip_serializing_if = "std::ops::Not::not")]
+    pub smuggling_risk: bool,
 }
 
 #[derive(Debug, Serialize)]
@@ -50,6 +54,13 @@ impl HttpMessage {
             let _ = write!(out, "{}: {}\r\n", k, v);
         }
 
+        if self.smuggling_risk {
+            let _ = write!(
+                out,
+                "*** WARNING: Both Content-Length and Transfer-Encoding present (potential request smuggling) ***\r\n"
+            );
+        }
+
         out.push_str("\r\n");
 
         if !self.body.is_empty() {
@@ -86,42 +97,74 @@ const KNOWN_METHODS: &[&str] = &[
 /// M11: Maximum chunked body size (10 MB).
 const MAX_CHUNKED_BODY: usize = 10 * 1024 * 1024;
 
-/// Maximum close-delimited response body size (1 MB).
-/// Independent of stream reassembly limits for defense in depth.
+/// Maximum response body size (1 MB) for both Content-Length and
+/// close-delimited bodies. Independent of stream reassembly limits
+/// for defense in depth.
 const MAX_BODY_SIZE: usize = 1_048_576;
 
+/// Maximum number of HTTP messages parsed from a single stream.
+const MAX_MESSAGES_PER_PARSE: usize = 200;
+
 /// H1: Find the start of the next HTTP message in a byte slice.
 /// Looks for request methods and "HTTP/" response starts.
 /// M7: Uses first-byte filtering to reduce scanning — only bytes matching
 /// a method's first character trigger the inner starts_with comparisons.
 /// M6: Requires full "HTTP/x.y NNN" pattern for response starts to reduce
 /// false splits in close-delimited response bodies.
 fn find_next_http_start(data: &[u8]) -> Option<usize> {
+    // Map each method's first byte to the methods starting with that byte,
+    // so we only check relevant methods per byte (avoids quadratic scan).
+    const METHOD_G: &[&str] = &["GET"];
+    const METHOD_P: &[&str] = &["POST", "PUT", "PATCH"];
+    const METHOD_D: &[&str] = &["DELETE"];
+    const METHOD_C: &[&str] = &["CONNECT"];
+    const METHOD_O: &[&str] = &["OPTIONS"];
+    const METHOD_T: &[&str] = &["TRACE"];
+
     for i in 0..data.len() {
-        // M7: Filter by first byte before attempting starts_with comparisons
-        match data[i] {
+        let remaining = &data[i..];
+        match remaining[0] {
             b'H' => {
                 // M6: Require "HTTP/" followed by digit.digit space digit
-                // to avoid false-matching "HTTP/" in body content.
-                if data.len() >= i + 10
-                    && data[i..].starts_with(b"HTTP/")
-                    && data[i + 5].is_ascii_digit()
-                    && data[i + 6] == b'.'
-                    && data[i + 7].is_ascii_digit()
-                    && data[i + 8] == b' '
-                    && data[i + 9].is_ascii_digit()
+                if remaining.len() >= 10
+                    && remaining.starts_with(b"HTTP/")
+                    && remaining[5].is_ascii_digit()
+                    && remaining[6] == b'.'
+                    && remaining[7].is_ascii_digit()
+                    && remaining[8] == b' '
+                    && remaining[9].is_ascii_digit()
                 {
                     return Some(i);
                 }
             }
-            b'G' | b'P' | b'D' | b'C' | b'O' | b'T' => {
-                for method in KNOWN_METHODS {
-                    if data[i..].starts_with(method.as_bytes()) {
-                        let after = i + method.len();
-                        if after < data.len() && data[after] == b' ' {
-                            return Some(i);
-                        }
-                    }
+            b'G' => {
+                if check_methods(remaining, METHOD_G) {
+                    return Some(i);
+                }
+            }
+            b'P' => {
+                if check_methods(remaining, METHOD_P) {
+                    return Some(i);
+                }
+            }
+            b'D' => {
+                if check_methods(remaining, METHOD_D) {
+                    return Some(i);
+                }
+            }
+            b'C' => {
+                if check_methods(remaining, METHOD_C) {
+                    return Some(i);
+                }
+            }
+            b'O' => {
+                if check_methods(remaining, METHOD_O) {
+                    return Some(i);
+                }
+            }
+            b'T' => {
+                if check_methods(remaining, METHOD_T) {
+                    return Some(i);
                 }
             }
             _ => {}
@@ -130,14 +173,26 @@ fn find_next_http_start(data: &[u8]) -> Option<usize> {
     None
 }
 
+/// Check if remaining data starts with any of the given methods followed by a space.
+#[inline]
+fn check_methods(data: &[u8], methods: &[&str]) -> bool {
+    for method in methods {
+        let mb = method.as_bytes();
+        if data.len() > mb.len() && data.starts_with(mb) && data[mb.len()] == b' ' {
+            return true;
+        }
+    }
+    false
+}
+
 /// Try to parse one or more HTTP messages from a stream payload.
 /// Returns all successfully parsed messages.
 /// Operates on raw bytes to avoid UTF-8 offset mismatches with binary bodies.
 pub fn parse_http(data: &[u8]) -> Vec<HttpMessage> {
     let mut messages = Vec::new();
     let mut remaining = data;
 
-    while !remaining.is_empty() {
+    while !remaining.is_empty() && messages.len() < MAX_MESSAGES_PER_PARSE {
         let (header_end, sep_len) = match find_header_end(remaining) {
             Some(result) => result,
             None => break,
@@ -206,6 +261,10 @@ pub fn parse_http(data: &[u8]) -> Vec<HttpMessage> {
 
         let is_response = matches!(kind, HttpKind::Response { .. });
 
+        // H1: Flag potential HTTP request smuggling when both Content-Length
+        // and Transfer-Encoding are present (RFC 7230 Section 3.3.3).
+        let smuggling_risk = is_chunked && content_length.is_some();
+
         let (body, consumed) = if is_chunked {
             match decode_chunked(after_headers) {
                 Some((decoded, bytes_consumed)) => (
@@ -215,7 +274,7 @@ pub fn parse_http(data: &[u8]) -> Vec<HttpMessage> {
                 None => (String::new(), 0),
             }
         } else if let Some(cl) = content_length {
-            let len = cl.min(after_headers.len());
+            let len = cl.min(after_headers.len()).min(MAX_BODY_SIZE);
             (
                 String::from_utf8_lossy(&after_headers[..len]).into_owned(),
                 len,
@@ -240,6 +299,7 @@ pub fn parse_http(data: &[u8]) -> Vec<HttpMessage> {
             kind,
             headers,
             body,
+            smuggling_risk,
         });
     }
 

src/protocol/http2.rs

@@ -25,9 +25,12 @@ const MAX_FRAME_PAYLOAD: usize = 16_777_215; // 2^24 - 1
 const MAX_STREAMS_PER_CONN: usize = 1_000;
 const MAX_HEADER_BLOCK: usize = 65_536;
 const MAX_DATA_PER_STREAM: usize = 1_048_576; // 1 MB
-const MAX_CONNECTIONS: usize = 10_000;
-/// M1: Cap per-direction buffer to prevent unbounded memory growth.
-const MAX_DIRECTION_BUF: usize = 16 * 1024 * 1024; // 16 MB
+/// M1: Reduced from 10,000 to 2,000 to cap compound memory usage.
+/// 2,000 connections * 2 MB * 2 directions = ~8 GB worst case.
+const MAX_CONNECTIONS: usize = 2_000;
+/// M1: Cap per-direction buffer. Reduced from 16 MB to 2 MB to keep
+/// aggregate memory bounded (~8 GB worst case with MAX_CONNECTIONS).
+const MAX_DIRECTION_BUF: usize = 2 * 1024 * 1024; // 2 MB
 
 /// Direction of data flow within a connection.
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
@@ -55,12 +58,12 @@ struct H2Connection {
     detected: Option<bool>,
     /// Monotonic tick for LRU eviction.
     last_active: u64,
-    /// Accumulates header block fragments for discarded streams (rejected at
+    /// M3: Accumulates header block fragments for discarded streams (rejected at
     /// stream limit) or PUSH_PROMISE frames that span multiple CONTINUATION
     /// frames. HPACK is stateful — every header block must be decoded even if
     /// the headers are discarded, otherwise the dynamic table becomes corrupted.
-    /// Format: (stream_id, direction, accumulated_header_bytes).
-    discard_header_buf: Option<(u32, H2Direction, Vec<u8>)>,
+    /// Uses a HashMap to track multiple concurrent discarded streams.
+    discard_header_bufs: HashMap<u32, (H2Direction, Vec<u8>)>,
 }
 
 struct H2Stream {
@@ -78,6 +81,10 @@ struct H2Stream {
     end_stream_headers: bool,
     /// Whether END_STREAM was set on a DATA frame.
     end_stream_data: bool,
+    /// M2: Set when accumulated header block exceeds MAX_HEADER_BLOCK.
+    /// When true, HPACK decoding is skipped to avoid partial dynamic table
+    /// mutation from a truncated header block.
+    header_overflow: bool,
 }
 
 impl H2Stream {
@@ -90,6 +97,7 @@ impl H2Stream {
             end_headers: false,
             end_stream_headers: false,
             end_stream_data: false,
+            header_overflow: false,
         }
     }
 }
@@ -104,7 +112,7 @@ impl H2Connection {
             server_buf: Vec::new(),
             detected: None,
             last_active: 0,
-            discard_header_buf: None,
+            discard_header_bufs: HashMap::new(),
         }
     }
 }
@@ -288,15 +296,18 @@ impl H2Tracker {
                             if header_block.len() <= MAX_HEADER_BLOCK {
                                 buf.extend_from_slice(header_block);
                             }
-                            conn.discard_header_buf = Some((stream_id, direction, buf));
+                            conn.discard_header_bufs.insert(stream_id, (direction, buf));
                         }
                         continue;
                     }
 
                     let stream = conn.streams.entry(stream_id).or_insert_with(H2Stream::new);
 
+                    // M2: Track header block overflow to avoid partial HPACK decode
                     if stream.header_buf.len() + header_block.len() <= MAX_HEADER_BLOCK {
                         stream.header_buf.extend_from_slice(header_block);
+                    } else {
+                        stream.header_overflow = true;
                     }
 
                     if end_stream {
@@ -305,11 +316,13 @@ impl H2Tracker {
 
                     if end_headers {
                         stream.end_headers = true;
-                        let decoder = match direction {
-                            H2Direction::ClientToServer => &mut conn.client_decoder,
-                            H2Direction::ServerToClient => &mut conn.server_decoder,
-                        };
-                        decode_headers(stream, decoder);
+                        if !stream.header_overflow {
+                            let decoder = match direction {
+                                H2Direction::ClientToServer => &mut conn.client_decoder,
+                                H2Direction::ServerToClient => &mut conn.server_decoder,
+                            };
+                            decode_headers(stream, decoder);
+                        }
 
                         if stream.end_stream_headers {
                             if let Some(msg) = build_message(stream) {
@@ -322,18 +335,25 @@ impl H2Tracker {
                 FRAME_CONTINUATION => {
                     if let Some(stream) = conn.streams.get_mut(&stream_id) {
                         if !stream.end_headers {
-                            if stream.header_buf.len() + frame_payload.len() <= MAX_HEADER_BLOCK {
+                            // M2: Track overflow instead of silently dropping
+                            if stream.header_buf.len() + frame_payload.len() <= MAX_HEADER_BLOCK
+                                && !stream.header_overflow
+                            {
                                 stream.header_buf.extend_from_slice(&frame_payload);
+                            } else {
+                                stream.header_overflow = true;
                             }
 
                             let end_headers = flags & FLAG_END_HEADERS != 0;
                             if end_headers {
                                 stream.end_headers = true;
-                                let decoder = match direction {
-                                    H2Direction::ClientToServer => &mut conn.client_decoder,
-                                    H2Direction::ServerToClient => &mut conn.server_decoder,
-                                };
-                                decode_headers(stream, decoder);
+                                if !stream.header_overflow {
+                                    let decoder = match direction {
+                                        H2Direction::ClientToServer => &mut conn.client_decoder,
+                                        H2Direction::ServerToClient => &mut conn.server_decoder,
+                                    };
+                                    decode_headers(stream, decoder);
+                                }
 
                                 if stream.end_stream_headers {
                                     if let Some(msg) = build_message(stream) {
@@ -347,10 +367,11 @@ impl H2Tracker {
                         // CONTINUATION for a discarded stream or PUSH_PROMISE —
                         // accumulate fragments and decode HPACK when complete.
                         let end_headers = flags & FLAG_END_HEADERS != 0;
-                        if let Some((discard_sid, discard_dir, ref mut buf)) =
-                            conn.discard_header_buf
-                            && discard_sid == stream_id
+                        // M3: Use HashMap to track multiple discarded streams
+                        if let Some((discard_dir, buf)) =
+                            conn.discard_header_bufs.get_mut(&stream_id)
                         {
+                            let discard_dir = *discard_dir;
                             if buf.len() + frame_payload.len() <= MAX_HEADER_BLOCK {
                                 buf.extend_from_slice(&frame_payload);
                             }
@@ -360,7 +381,7 @@ impl H2Tracker {
                                     H2Direction::ServerToClient => &mut conn.server_decoder,
                                 };
                                 let _ = decoder.decode(buf);
-                                conn.discard_header_buf = None;
+                                conn.discard_header_bufs.remove(&stream_id);
                             }
                             continue;
                         }
@@ -449,7 +470,7 @@ impl H2Tracker {
                         if header_block.len() <= MAX_HEADER_BLOCK {
                             buf.extend_from_slice(header_block);
                         }
-                        conn.discard_header_buf = Some((stream_id, direction, buf));
+                        conn.discard_header_bufs.insert(stream_id, (direction, buf));
                     }
                 }
                 FRAME_SETTINGS => {
@@ -575,6 +596,7 @@ fn build_message(stream: &H2Stream) -> Option<HttpMessage> {
         kind,
         headers: stream.headers.clone(),
         body,
+        smuggling_risk: false,
     })
 }
 

src/tls/handshake.rs

@@ -21,10 +21,8 @@ pub(crate) struct HandshakeResult {
 /// used to preserve ClientHello's supported_versions detection over ServerHello's
 /// legacy version field.
 ///
-/// **Limitation (L25):** This assumes the handshake message fits in a single TLS record.
-/// Handshake messages spanning multiple records (fragmented handshakes) are not reassembled
-/// and will fail to parse. This is acceptable for typical deployments where ClientHello and
-/// ServerHello fit in one record.
+/// M8: Callers should use `TlsDecryptor::accumulate_handshake` to reassemble
+/// handshake messages spanning multiple TLS records before calling this function.
 pub(crate) fn parse_handshake(
     data: &[u8],
     src_ip: IpAddr,