chore: bump version to v2.3.4

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: doublegate

CHANGELOG.md

@@ -9,6 +9,58 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [2.3.4] - 2026-01-30 - Performance Optimizations & Security Hardening
+
+### Overview
+
+Release implementing 18 performance optimization proposals (T5.1-T5.18) identified in benchmark analysis, with focus on zero-copy operations, memory allocation reduction, and cryptographic hardening. Key improvements: WebSocket mimicry frame wrapping 55-85% faster, DoH tunnel creation 70-86% faster, frame pipeline 11-30% faster, message header deserialization 53% faster, Noise handshake 2.6% faster, plus security enhancements including `zeroize` for secure memory cleanup.
+
+### Changed
+
+#### Performance Optimizations - Obfuscation (wraith-obfuscation)
+- **T5.6: WebSocket mimicry frame wrapping**: 55-85% faster via pre-allocated buffers and 4-byte chunked XOR masking (1456B: 4.01 GiB/s → 7.45 GiB/s, 65KB: 3.08 GiB/s → 5.78 GiB/s)
+- **T5.7: WebSocket RNG optimization**: Struct-level `Mutex<SmallRng>` replacing per-call RNG creation for mask key generation
+- **T5.12: DoH tunnel query creation**: 70-86% faster via pre-allocated Vec and single allocation (244B: 12.8 GiB/s → 45.2 GiB/s, 512B: 12.3 GiB/s → 22.0 GiB/s)
+- **T5.13: DoH tunnel zero-copy parsing**: New `parse_dns_response_slice` API avoiding allocation for in-memory responses
+- **T5.14: DNS label length validation**: Added RFC compliance checks for 63-byte label length limits
+- **T5.15: DoH response bounds-checking**: Hardened response parsing against malformed data
+
+#### Performance Optimizations - Core (wraith-core)
+- **T5.4: Frame full pipeline optimization**: 11-30% faster via `Vec::with_capacity` and unsafe `set_len` eliminating redundant zero-initialization (1456B: 5.85 GiB/s → 7.62 GiB/s, 65KB: 8.04 GiB/s → 8.88 GiB/s)
+- **T5.8: Frame padding RNG optimization**: Thread-local `RefCell<SmallRng>` caching eliminating per-call RNG creation (3 call sites: `pad_to_multiple`, `Frame::new`, `Frame::build`)
+- **T5.9: Frame build delegation**: `build()` delegates to `build_into()` reducing code duplication and maintenance burden
+- **T5.10: Ratchet error path optimization**: `#[cold]` annotation on key-commitment parsing error path
+- **T5.11: Frame benchmarks expansion**: New `build_into_from_parts` benchmark covering 5 payload sizes (64B-65KB)
+
+#### Performance Optimizations - Crypto (wraith-crypto)
+- **T5.16: Message header deserialization**: 53% faster via direct buffer read and offset calculation (25.6 ns → 12.0 ns)
+- **T5.17: Noise handshake optimization**: 2.6% faster via reduced allocations and streamlined validation (25.1 us → 24.4 us)
+
+#### Security Hardening - Files (wraith-files)
+- **T5.18: Secure memory cleanup**: Added `zeroize` on `IncrementalTreeHasher` drop for secure erasure of in-progress hash state
+
+#### Regression Fixes During Development
+- **T5.1 (reverted)**: Read offset cursor pattern caused unbounded buffer growth in repeated `build_into` calls
+- **T5.2 (reverted)**: `Vec::with_capacity(1MB)` pre-allocation introduced 1MB allocation overhead per frame construction
+- **T5.4 (fixed)**: Eliminated zero-initialization overhead in frame build via unsafe `set_len` after explicit writes
+- **T5.5 (reverted)**: Removed `#[inline]` on `from_bytes()` - caused instruction cache pressure negating benefits
+
+### Added
+
+#### Dependencies
+- **wraith-files**: `zeroize` crate for secure memory cleanup of cryptographic material
+
+#### Documentation
+- **Benchmark Analysis**: `docs/testing/BENCHMARK-ANALYSIS-v2.3.4.md` - Comprehensive performance analysis and optimization proposals
+
+### Security
+
+- Secure memory cleanup in file hashing preventing potential key material leakage
+- Hardened DoH response parsing against malformed DNS packets
+- DNS label length validation per RFC specifications
+
+---
+
 ## [2.3.2] - 2026-01-29 - Benchmark-Driven Performance & Security Optimizations
 
 ### Overview

CLAUDE.md

@@ -6,7 +6,7 @@ Guidance for Claude Code when working with this repository.
 
 WRAITH (Wire-speed Resilient Authenticated Invisible Transfer Handler) is a decentralized secure file transfer protocol implemented in Rust.
 
-**Status:** v2.3.2 - Benchmark-Driven Performance & Security Optimizations
+**Status:** v2.3.4 - Performance Optimizations & Security Hardening
 
 ### Metrics
 | Metric | Value |

Cargo.toml

@@ -39,7 +39,7 @@ exclude = [
 ]
 
 [workspace.package]
-version = "2.3.3"
+version = "2.3.4"
 edition = "2024"
 rust-version = "1.88"
 license = "MIT"
@@ -68,7 +68,7 @@ x25519-dalek = { version = "2.0", features = ["static_secrets"] }
 ed25519-dalek = { version = "2.1", features = ["rand_core"] }
 blake3 = "1.5"
 snow = "0.10"
-rand = "0.8"
+rand = { version = "0.8", features = ["small_rng"] }
 rand_core = { version = "0.6", features = ["getrandom"] }
 rand_distr = "0.4"
 zeroize = { version = "1.7", features = ["derive"] }

README.md

@@ -14,7 +14,7 @@ A decentralized secure file transfer protocol optimized for high-throughput, low
   <a href="https://github.com/doublegate/WRAITH-Protocol/actions/workflows/codeql.yml"><img src="https://github.com/doublegate/WRAITH-Protocol/actions/workflows/codeql.yml/badge.svg" alt="CodeQL"></a>
   <a href="https://github.com/doublegate/WRAITH-Protocol/actions/workflows/release.yml"><img src="https://github.com/doublegate/WRAITH-Protocol/actions/workflows/release.yml/badge.svg" alt="Release"></a>
   <br>
-  <a href="https://github.com/doublegate/WRAITH-Protocol/releases"><img src="https://img.shields.io/badge/version-2.3.2-blue.svg" alt="Version"></a>
+  <a href="https://github.com/doublegate/WRAITH-Protocol/releases"><img src="https://img.shields.io/badge/version-2.3.4-blue.svg" alt="Version"></a>
   <a href="docs/security/SECURITY_AUDIT_v1.1.0.md"><img src="https://img.shields.io/badge/security-audited-green.svg" alt="Security"></a>
   <a href="https://www.rust-lang.org/"><img src="https://img.shields.io/badge/rust-1.88%2B-orange.svg" alt="Rust"></a>
   <a href="https://doc.rust-lang.org/edition-guide/rust-2024/index.html"><img src="https://img.shields.io/badge/edition-2024-orange.svg" alt="Edition"></a>

crates/wraith-core/benches/frame_bench.rs

@@ -1,6 +1,6 @@
 use criterion::{Criterion, Throughput, criterion_group, criterion_main};
 use std::hint::black_box;
-use wraith_core::{FRAME_HEADER_SIZE, Frame, FrameBuilder, FrameType};
+use wraith_core::{FRAME_HEADER_SIZE, Frame, FrameBuilder, FrameType, build_into_from_parts};
 
 fn bench_frame_parse(c: &mut Criterion) {
     let frame_data = FrameBuilder::new()
@@ -306,6 +306,40 @@ fn bench_frame_full_pipeline(c: &mut Criterion) {
     group.finish();
 }
 
+fn bench_frame_build_into_from_parts(c: &mut Criterion) {
+    let sizes: Vec<(usize, &str)> = vec![
+        (64, "64_bytes"),
+        (256, "256_bytes"),
+        (512, "512_bytes"),
+        (1024, "1024_bytes"),
+        (1456, "1456_bytes"),
+    ];
+
+    let mut group = c.benchmark_group("frame_build_into_from_parts");
+
+    for (size, name) in sizes {
+        let payload_len = size.saturating_sub(FRAME_HEADER_SIZE);
+        let payload = vec![0x42; payload_len];
+
+        group.throughput(Throughput::Bytes(size as u64));
+        group.bench_function(name, |b| {
+            let mut buf = vec![0u8; size];
+            b.iter(|| {
+                build_into_from_parts(
+                    black_box(FrameType::Data),
+                    black_box(42),
+                    black_box(1000),
+                    black_box(0),
+                    black_box(&payload),
+                    black_box(&mut buf),
+                )
+            })
+        });
+    }
+
+    group.finish();
+}
+
 criterion_group!(
     benches,
     bench_frame_parse,
@@ -318,6 +352,7 @@ criterion_group!(
     bench_parse_implementations_by_size,
     bench_parse_throughput,
     bench_frame_build_into,
+    bench_frame_build_into_from_parts,
     bench_frame_full_pipeline
 );
 criterion_main!(benches);

crates/wraith-core/src/congestion.rs

@@ -7,9 +7,9 @@ use std::collections::VecDeque;
 use std::time::{Duration, Instant};
 
 /// Maximum number of bandwidth samples to keep.
-/// 20 samples captures 2.5 full ProbeBw 8-cycle gains, providing
-/// more stable bandwidth estimates than the previous 10-sample window.
-const BW_WINDOW_SIZE: usize = 20;
+/// 30 samples captures ~3.75 full ProbeBw 8-cycle gains, providing
+/// more stable bandwidth estimates for high-throughput scenarios.
+const BW_WINDOW_SIZE: usize = 30;
 
 /// Maximum number of RTT samples to keep.
 /// 20 samples provides more stable min-RTT estimates across
@@ -122,9 +122,9 @@ impl BbrState {
         let now = Instant::now();
         Self {
             btl_bw: 0,
-            min_rtt: Duration::from_millis(100), // Initial estimate
-            pacing_gain: 2.89,                   // Startup gain (2/ln(2))
-            pacing_gain_fp: STARTUP_GAIN_FP,     // Fixed-point startup gain
+            min_rtt: Duration::from_millis(50), // Initial estimate (50ms for modern networks)
+            pacing_gain: 2.89,                  // Startup gain (2/ln(2))
+            pacing_gain_fp: STARTUP_GAIN_FP,    // Fixed-point startup gain
             cwnd_gain: 2.0,
             cwnd_gain_fp: CWND_GAIN_FP, // Fixed-point cwnd gain
             bdp: 0,
@@ -798,8 +798,9 @@ mod tests {
     fn test_bbr_cwnd_with_bdp() {
         let mut bbr = BbrState::new();
 
-        bbr.update_bandwidth(10_000_000, Duration::from_secs(1));
+        // Update RTT first so BDP calculation uses the actual RTT, not the initial estimate
         bbr.update_rtt(Duration::from_millis(100));
+        bbr.update_bandwidth(10_000_000, Duration::from_secs(1));
 
         let cwnd = bbr.cwnd();
         let expected_bdp = (10_000_000.0 * 0.1) as u64;

crates/wraith-core/src/frame.rs

@@ -14,6 +14,15 @@
 use crate::FRAME_HEADER_SIZE;
 use crate::error::FrameError;
 use rand::Rng;
+use rand::SeedableRng;
+use rand::rngs::SmallRng;
+use std::cell::RefCell;
+
+thread_local! {
+    static PADDING_RNG: RefCell<SmallRng> = RefCell::new(
+        SmallRng::from_rng(&mut rand::thread_rng()).expect("RNG seeding failed")
+    );
+}
 
 /// Maximum payload size (9000 - header - auth tag = 8944)
 const MAX_PAYLOAD_SIZE: usize = 8944;
@@ -64,29 +73,46 @@ pub enum FrameType {
     PathResponse = 0x0F,
 }
 
+/// Lookup table for constant-time frame type validation.
+/// Index 0x00 = Reserved, 0x01-0x0F = valid types, 0x10-0x1F = reserved, rest = invalid.
+/// Value 0 = invalid/reserved, non-zero = valid FrameType discriminant.
+static FRAME_TYPE_TABLE: [u8; 32] = [
+    0,    // 0x00: Reserved
+    0x01, // 0x01: Data
+    0x02, // 0x02: Ack
+    0x03, // 0x03: Control
+    0x04, // 0x04: Rekey
+    0x05, // 0x05: Ping
+    0x06, // 0x06: Pong
+    0x07, // 0x07: Close
+    0x08, // 0x08: Pad
+    0x09, // 0x09: StreamOpen
+    0x0A, // 0x0A: StreamClose
+    0x0B, // 0x0B: StreamReset
+    0x0C, // 0x0C: WindowUpdate
+    0x0D, // 0x0D: GoAway
+    0x0E, // 0x0E: PathChallenge
+    0x0F, // 0x0F: PathResponse
+    0, 0, 0, 0, 0, 0, 0, 0, // 0x10-0x17: Reserved
+    0, 0, 0, 0, 0, 0, 0, 0, // 0x18-0x1F: Reserved
+];
+
 impl TryFrom<u8> for FrameType {
     type Error = FrameError;
 
     fn try_from(value: u8) -> Result<Self, Self::Error> {
-        match value {
-            0x00 => Err(FrameError::ReservedFrameType),
-            0x01 => Ok(Self::Data),
-            0x02 => Ok(Self::Ack),
-            0x03 => Ok(Self::Control),
-            0x04 => Ok(Self::Rekey),
-            0x05 => Ok(Self::Ping),
-            0x06 => Ok(Self::Pong),
-            0x07 => Ok(Self::Close),
-            0x08 => Ok(Self::Pad),
-            0x09 => Ok(Self::StreamOpen),
-            0x0A => Ok(Self::StreamClose),
-            0x0B => Ok(Self::StreamReset),
-            0x0C => Ok(Self::WindowUpdate),
-            0x0D => Ok(Self::GoAway),
-            0x0E => Ok(Self::PathChallenge),
-            0x0F => Ok(Self::PathResponse),
-            0x10..=0x1F => Err(FrameError::ReservedFrameType),
-            _ => Err(FrameError::InvalidFrameType(value)),
+        if value < 32 {
+            let entry = FRAME_TYPE_TABLE[value as usize];
+            if entry != 0 {
+                // SAFETY: entry matches a valid FrameType discriminant (0x01..=0x0F)
+                Ok(unsafe { core::mem::transmute::<u8, FrameType>(entry) })
+            } else if value == 0x00 || (0x10..=0x1F).contains(&value) {
+                Err(FrameError::ReservedFrameType)
+            } else {
+                Err(FrameError::InvalidFrameType(value))
+            }
+        } else {
+            Err(FrameError::InvalidFrameType(value))
         }
     }
 }
@@ -617,12 +643,9 @@ pub fn build_into_from_parts(
     // Write payload
     buf[FRAME_HEADER_SIZE..FRAME_HEADER_SIZE + payload_len].copy_from_slice(payload);
 
-    // Write random padding
+    // Write random padding using fast PRNG (padding is AEAD-encrypted)
     if padding_len > 0 {
-        rand::Rng::fill(
-            &mut rand::thread_rng(),
-            &mut buf[FRAME_HEADER_SIZE + payload_len..],
-        );
+        PADDING_RNG.with_borrow_mut(|rng| rng.fill(&mut buf[FRAME_HEADER_SIZE + payload_len..]));
     }
 
     Ok(total_size)
@@ -730,9 +753,10 @@ impl FrameBuilder {
         // Write payload
         buf[FRAME_HEADER_SIZE..FRAME_HEADER_SIZE + payload_len].copy_from_slice(&self.payload);
 
-        // Write random padding
+        // Write random padding using fast PRNG (padding is AEAD-encrypted)
         if padding_len > 0 {
-            rand::thread_rng().fill(&mut buf[FRAME_HEADER_SIZE + payload_len..]);
+            PADDING_RNG
+                .with_borrow_mut(|rng| rng.fill(&mut buf[FRAME_HEADER_SIZE + payload_len..]));
         }
 
         Ok(total_size)
@@ -743,41 +767,16 @@ impl FrameBuilder {
     /// # Errors
     ///
     /// Returns [`FrameError::PayloadOverflow`] if `total_size` is too small for header + payload.
+    #[allow(clippy::uninit_vec)]
     pub fn build(self, total_size: usize) -> Result<Vec<u8>, FrameError> {
-        let frame_type = self.frame_type.unwrap_or(FrameType::Data);
-        let payload_len = self.payload.len();
-
-        if total_size < FRAME_HEADER_SIZE + payload_len {
-            return Err(FrameError::PayloadOverflow);
-        }
-
-        let padding_len = total_size - FRAME_HEADER_SIZE - payload_len;
         let mut buf = Vec::with_capacity(total_size);
-
-        // Write header
-        buf.extend_from_slice(&self.nonce);
-        buf.push(frame_type as u8);
-        buf.push(self.flags.as_u8());
-        buf.extend_from_slice(&self.stream_id.to_be_bytes());
-        buf.extend_from_slice(&self.sequence.to_be_bytes());
-        buf.extend_from_slice(&self.offset.to_be_bytes());
-        #[allow(clippy::cast_possible_truncation)]
-        let payload_len_u16 = payload_len as u16;
-        buf.extend_from_slice(&payload_len_u16.to_be_bytes());
-        buf.extend_from_slice(&[0u8; 2]); // Reserved
-
-        // Write payload
-        buf.extend_from_slice(&self.payload);
-
-        // Write random padding using thread-local PRNG (fast, non-syscall).
-        // Padding bytes are encrypted by AEAD before transmission, so
-        // cryptographic-quality randomness is not required here.
-        if padding_len > 0 {
-            let start = buf.len();
-            buf.resize(start + padding_len, 0);
-            rand::thread_rng().fill(&mut buf[start..]);
-        }
-
+        // SAFETY: build_into() writes every byte of the buffer:
+        // - Header (28 bytes): nonce, type, flags, stream_id, sequence, offset, payload_len, reserved
+        // - Payload: copied from self.payload
+        // - Padding: filled with random bytes from PADDING_RNG
+        // Total = FRAME_HEADER_SIZE + payload_len + padding_len = total_size
+        unsafe { buf.set_len(total_size) };
+        self.build_into(&mut buf)?;
         Ok(buf)
     }
 }

crates/wraith-core/src/node/obfuscation.rs

@@ -237,7 +237,9 @@ impl Node {
         // Use wraith-obfuscation DohTunnel for protocol mimicry
         // Note: DohTunnel creates DNS query packets with EDNS0 OPT records
         let tunnel = &self.inner.doh_tunnel;
-        let wrapped = tunnel.create_dns_query("wraith.local", data);
+        let wrapped = tunnel
+            .create_dns_query("wraith.local", data)
+            .map_err(|_| NodeError::Obfuscation("DNS label encoding failed".into()))?;
 
         tracing::trace!(
             "Wrapped {} bytes as DoH (total: {} bytes)",