Eval mbedtls: add custom BIO + own cert + ALPN bindings for libuv integration#12986
Open
kevinresol wants to merge 2 commits into
Open
Eval mbedtls: add custom BIO + own cert + ALPN bindings for libuv integration#12986kevinresol wants to merge 2 commits into
kevinresol wants to merge 2 commits into
Conversation
…tion Expose eval mbedtls primitives needed for libuv-driven TLS transports by adding set_bio, own_cert, ALPN bindings, and WANT_* error constants across Haxe/OCaml/C layers. Also fix BIO/config lifetime management in native stubs, add eval TLS coverage under tests/misc/eval/projects/TlsBio.
kevinresol
added a commit
to kevinresol/tink_tcp
that referenced
this pull request
Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I was trying to make use of the eval.luv package to run a TLS TCP server. But found that several needed mbedtls API are not exposed. The entire code change together with the summary below is AI-generated and obviously I have no idea what I am doing especially on the ocaml part. So please review carefully.
I tried the changes locally and apparently I successfully ran a secure TCP server/client on eval+luv
Description
What changed
This PR extends eval’s
mbedtls.*surface to support TLS over non-socket transports (needed when building TLS oneval.luv.Tcp) and closes several binding gaps.mbedtls.Config.own_cert(cert, pk)across Haxe/OCaml/C bindings.mbedtls.Config.alpn_protocols(protocols:Array<String>)mbedtls.Ssl.get_alpn_protocol():Null<String>mbedtls.Ssl.set_bio(send, recv)with(Bytes, pos, len) -> Intcallbacks.mbedtls.Error:WANT_READ,WANT_WRITE,PEER_CLOSE_NOTIFY.evalSsl.ml) for all new APIs.Native/runtime changes (
libs/mbedtls/mbedtls_stubs.c)set_biousage).ml_mbedtls_ssl_conf_own_certml_mbedtls_ssl_conf_alpn_protocolsml_mbedtls_ssl_get_alpn_protocolhx_get_ssl_error_flags(bytes, pos, len)rather than the previous string-only callback shape.mbedtls_pk_parse_key*signatures.Eval std extern updates
std/eval/_std/mbedtls/Config.hx:own_cert,alpn_protocolsstd/eval/_std/mbedtls/Ssl.hx:set_bio,get_alpn_protocolstd/eval/_std/mbedtls/Error.hx:WANT_READ,WANT_WRITE,PEER_CLOSE_NOTIFYsrc/macro/eval/evalSsl.ml: wiring for all of the above.Tests
Added new eval project
tests/misc/eval/projects/TlsBio/with checked-in PEM fixtures and--interpcoverage for:own_certserver setupBuild robustness
(Reverted as it is breaking linux build)libs/mbedtls/dunenow accepts optionalHAXE_MBEDTLS_CFLAGSinclude flags for local environments with non-default mbedtls header locations.Why
This gives eval the same TLS primitives required by libuv integration (
cert/key,ca,alpn, custom transport pump withWANT_*) without relying onsys.ssl.Socket.Validation
tests/misc/eval/projects/TlsBio/compile.hxmlpasses (Main.hx:79: ok).Issue11631) still passes.make haxenow produces a fresh runnable./haxebinary reliably.