Skip to content

Eval mbedtls: add custom BIO + own cert + ALPN bindings for libuv integration#12986

Open
kevinresol wants to merge 2 commits into
HaxeFoundation:developmentfrom
kevinresol:eval-mbedtls
Open

Eval mbedtls: add custom BIO + own cert + ALPN bindings for libuv integration#12986
kevinresol wants to merge 2 commits into
HaxeFoundation:developmentfrom
kevinresol:eval-mbedtls

Conversation

@kevinresol

@kevinresol kevinresol commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

I was trying to make use of the eval.luv package to run a TLS TCP server. But found that several needed mbedtls API are not exposed. The entire code change together with the summary below is AI-generated and obviously I have no idea what I am doing especially on the ocaml part. So please review carefully.

I tried the changes locally and apparently I successfully ran a secure TCP server/client on eval+luv

Description

What changed

This PR extends eval’s mbedtls.* surface to support TLS over non-socket transports (needed when building TLS on eval.luv.Tcp) and closes several binding gaps.

  • Added mbedtls.Config.own_cert(cert, pk) across Haxe/OCaml/C bindings.
  • Added ALPN support:
    • mbedtls.Config.alpn_protocols(protocols:Array<String>)
    • mbedtls.Ssl.get_alpn_protocol():Null<String>
  • Added public custom BIO API:
    • mbedtls.Ssl.set_bio(send, recv) with (Bytes, pos, len) -> Int callbacks.
  • Added SSL error constants in mbedtls.Error:
    • WANT_READ, WANT_WRITE, PEER_CLOSE_NOTIFY.
  • Updated eval runtime wiring (evalSsl.ml) for all new APIs.

Native/runtime changes (libs/mbedtls/mbedtls_stubs.c)

  • Reworked SSL wrapper to own and clean up BIO callback roots correctly (fixes leak from repeated set_bio usage).
  • Reworked config wrapper to own ALPN protocol list memory for correct lifetime and cleanup.
  • Added C stubs for:
    • ml_mbedtls_ssl_conf_own_cert
    • ml_mbedtls_ssl_conf_alpn_protocols
    • ml_mbedtls_ssl_get_alpn_protocol
    • hx_get_ssl_error_flags
  • Updated BIO callback bridge to pass (bytes, pos, len) rather than the previous string-only callback shape.
  • Added mbedtls v4 compatibility paths for mbedtls_pk_parse_key* signatures.

Eval std extern updates

  • std/eval/_std/mbedtls/Config.hx: own_cert, alpn_protocols
  • std/eval/_std/mbedtls/Ssl.hx: set_bio, get_alpn_protocol
  • std/eval/_std/mbedtls/Error.hx: WANT_READ, WANT_WRITE, PEER_CLOSE_NOTIFY
  • src/macro/eval/evalSsl.ml: wiring for all of the above.

Tests

Added new eval project tests/misc/eval/projects/TlsBio/ with checked-in PEM fixtures and --interp coverage for:

  • custom BIO handshake/data flow
  • own_cert server setup
  • ALPN negotiation
  • mTLS client cert flow

Build robustness

  • libs/mbedtls/dune now accepts optional HAXE_MBEDTLS_CFLAGS include flags for local environments with non-default mbedtls header locations. (Reverted as it is breaking linux build)

Why

This gives eval the same TLS primitives required by libuv integration (cert/key, ca, alpn, custom transport pump with WANT_*) without relying on sys.ssl.Socket.

Validation

  • tests/misc/eval/projects/TlsBio/compile.hxml passes (Main.hx:79: ok).
  • Existing eval mbedtls constant smoke test (Issue11631) still passes.
  • Rebuilding via make haxe now produces a fresh runnable ./haxe binary reliably.

…tion

Expose eval mbedtls primitives needed for libuv-driven TLS transports by adding set_bio, own_cert, ALPN bindings, and WANT_* error constants across Haxe/OCaml/C layers. Also fix BIO/config lifetime management in native stubs, add eval TLS coverage under tests/misc/eval/projects/TlsBio.
kevinresol added a commit to kevinresol/tink_tcp that referenced this pull request Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant