odds and ends

[vinniefalco]

Summary by CodeRabbit

• Refactor

  • Centralized TLS hostname verification and unified TLS method selection for consistent certificate checks across platforms.
  • Replaced internal I/O synchronization primitive to improve reliability during secure I/O and renegotiation.

• Bug Fixes

  • Improved handling of TLS shutdown/read edge cases so EOF-like shutdowns are reported consistently as truncated streams.

• Chores

  • Simplified build header grouping and explicit target setup for the SSL/TLS variants.

[coderabbitai]

📝 Walkthrough

Walkthrough

Centralized TLS hostname verification and added TLS-method compatibility and shutdown-error normalization for OpenSSL; introduced small helper abstractions for WolfSSL zero-return/shutdown checks; swapped synchronization primitive from capy::coro_lock to capy::async_mutex in both OpenSSL and WolfSSL streams; small CMake header/grouping/target adjustments.

Changes

Cohort / File(s)	Summary
OpenSSL stream updates src/openssl/src/openssl_stream.cpp	Added tls_method_compat(), apply_hostname_verification(SSL*, std::string const&), and normalize_openssl_shutdown_read_error(std::error_code); replaced TLS_method() usage with tls_method_compat(); centralized hostname setup via apply_hostname_verification; swapped include coro_lock.hpp → async_mutex.hpp and changed io_cm_ from capy::coro_lock → capy::async_mutex; updated shutdown/read EOF normalization.
WolfSSL stream updates src/wolfssl/src/wolfssl_stream.cpp	Replaced coro_lock.hpp with async_mutex.hpp; changed io_cm_ to capy::async_mutex; added helpers (is_zero_return_error, has_peer_shutdown) and replaced scattered zero-return/peer-shutdown checks with these helpers to centralize EOF/shutdown logic.
Build / headers / targets CMakeLists.txt	Replaced recursive header globs with explicit header variables for WolfSSL/OpenSSL, adjusted source_group paths, and invoked boost_corosio_setup_properties on the wolfssl and openssl targets.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• TLS shutdown tests and fixes #44 — Related changes to TLS read/shutdown error classification in the OpenSSL stream implementation.
• tests and more #34 — Overlapping edits to OpenSSL stream initialization, hostname handling, and synchronization primitive changes.

Poem

🐰 I hopped through headers, tidy and spry,
I paired hostnames under the TLS sky,
Replaced old locks with a softer async hum,
Mapped shutdown whispers so streams don’t run dumb,
🥕✨

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'odds and ends' is vague and generic, using non-descriptive language that does not convey meaningful information about the substantive changes.	Revise the title to be specific and descriptive of the main changes, such as 'Refactor TLS error handling and unify hostname verification across OpenSSL and WolfSSL backends' or similar.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments

src/wolfssl/src/wolfssl_stream.cpp (1)

87-91: is_zero_return_error is a single-comparison wrapper — consider whether the indirection adds clarity.

This helper wraps a single == check with no additional logic. While consistency with OpenSSL's companion file is a valid reason, a one-line equality test doesn't typically benefit from a named function in an anonymous namespace. If the intent is to allow future backends to diverge, a short comment stating that would help justify the indirection.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cppalliance-bot]

An automated preview of the documentation is available at https://115.corosio.prtest3.cppalliance.org/index.html

If more commits are pushed to the pull request, the docs will rebuild at the same URL.

2026-02-10 00:41:15 UTC

[codecov]

Codecov Report

❌ Patch coverage is 84.61538% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.75%. Comparing base (b058adb) to head (799c393).
⚠️ Report is 6 commits behind head on develop.

Files with missing lines	Patch %	Lines
src/openssl/src/openssl_stream.cpp	90.00%	2 Missing ⚠️
src/wolfssl/src/wolfssl_stream.cpp	50.00%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop     #115      +/-   ##
===========================================
+ Coverage    79.70%   79.75%   +0.05%     
===========================================
  Files           65       65              
  Lines         5661     5680      +19     
===========================================
+ Hits          4512     4530      +18     
- Misses        1149     1150       +1     

Files with missing lines	Coverage Δ
src/corosio/src/test/socket_pair.cpp	72.97% <100.00%> (+1.54%)	⬆️
src/openssl/src/openssl_stream.cpp	77.31% <90.00%> (+1.45%)	⬆️
src/wolfssl/src/wolfssl_stream.cpp	77.25% <50.00%> (-0.53%)	⬇️

... and 1 file with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b058adb...799c393. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[cppalliance-bot]

GCOVR code coverage report https://115.corosio.prtest3.cppalliance.org/gcovr/index.html
LCOV code coverage report https://115.corosio.prtest3.cppalliance.org/genhtml/index.html
Coverage Diff Report https://115.corosio.prtest3.cppalliance.org/diff-report/index.html

Build time: 2026-02-10 00:47:55 UTC

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@src/wolfssl/src/wolfssl_stream.cpp`:
- Around line 101-113: The fallback in has_peer_shutdown() can misclassify a
locally-sent close_notify as peer shutdown because it treats any non-zero
wolfSSL_get_shutdown() as "received"; change the behavior to avoid silently
weakening security by (A) replacing the else-branch with a conservative default
that does NOT assume peer shutdown (e.g., return false) and add a clear comment
in do_read_some referencing has_peer_shutdown() about the limitation when flag
macros are unavailable, and/or (B) fail fast at compile-time when neither
WOLFSSL_RECEIVED_SHUTDOWN nor SSL_RECEIVED_SHUTDOWN is defined (use `#error` or a
static_assert-style preprocessor check) so builds must explicitly handle the
missing macros; refer to has_peer_shutdown and do_read_some when making the
change.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

has_peer_shutdown fallback may misclassify our own close_notify as peer shutdown.

The else branch (Line 111) treats any non-zero wolfSSL_get_shutdown() value as peer shutdown. However, the return value is a bitmask that can include a "sent" flag (we initiated close_notify) without a "received" flag. At Line 530 in do_read_some, this distinction determines whether the caller sees eof vs stream_truncated — reporting eof when only our own close_notify was sent could mask a truncation attack.

If the flag macros are truly unavailable, there's no clean way to distinguish, but the current fallback silently weakens the security guarantee. Consider at minimum adding a comment at the call site (Line 530) noting this known limitation, or — if feasible — a build-time #error or static_assert when neither macro is defined, to catch this at compile time rather than silently degrading.

🤖 Prompt for AI Agents

In `@src/wolfssl/src/wolfssl_stream.cpp` around lines 101 - 113, The fallback in
has_peer_shutdown() can misclassify a locally-sent close_notify as peer shutdown
because it treats any non-zero wolfSSL_get_shutdown() as "received"; change the
behavior to avoid silently weakening security by (A) replacing the else-branch
with a conservative default that does NOT assume peer shutdown (e.g., return
false) and add a clear comment in do_read_some referencing has_peer_shutdown()
about the limitation when flag macros are unavailable, and/or (B) fail fast at
compile-time when neither WOLFSSL_RECEIVED_SHUTDOWN nor SSL_RECEIVED_SHUTDOWN is
defined (use `#error` or a static_assert-style preprocessor check) so builds must
explicitly handle the missing macros; refer to has_peer_shutdown and
do_read_some when making the change.