Add native-tls backend for wasi-tls (#11064)

* Reorganize the wasi-tls folder and isolate the `rustls`-specific bits from the rest of the implementation.
- `client.rs`: The rustls parts.
- `io.rs`: WASI I/O conversion utility types.
- `host.rs`: The host types + impls.
- `bindings.rs`: The generated bindings.

* Add `native-tls` backend

* Improve compatibility of `test_tls_sample_application`:
It used to perform a "half-close" after sending the HTTP request. This is a TLS1.3+ feature, though Rustls & OpenSSL already supported it for TLS1.2 and lower. Technically, that makes them non-spec compliant, but they chose to align with the semantics of the underlying TCP connection. I suspect the TLS1.3 spec was updated to match what was already happening in reality.
Anyhow, SChannel does not support half-closed connections and so the `read` call after the `close_output+shutdown` failed.
I've reordered the test to first perform the HTTP conversation and _then_ do the TLS+TCP teardown.

* Implement flushing on the `AsyncWriteStream`. The `AsyncWriteStream` implementation was copied from the TCP equivalent, which doesn't need flushing. The TLS implementations _do_ maintain an internal buffer, so the `flush` call need to be hooked up.

* Switch to a model that uses runtime configuration.

* Check wasmtime-wasi-tls features in isolation.

* Clarify intended use of `WasiTlsCtxBuilder::provider`

* Split off native-tls implementation into separate crate

* Add a dedicated Ci job to test the `native-tls` backend.

prtest:full

* Update vets

---------

Co-authored-by: Alex Crichton <[email protected]>

Author: badeend

.github/workflows/main.yml

@@ -812,6 +812,23 @@ jobs:
     # Run the tests!
     - run: cargo test -p wasmtime-wasi-nn --features ${{ matrix.feature }}
 
+  # Test `wasmtime-wasi-tls-nativetls` in its own job. This is because it
+  # depends on OpenSSL, which is not easily available on all platforms.
+  test_wasi_tls_nativetls:
+    name: Test wasi-tls using native-tls provider
+    needs: determine
+    if: needs.determine.outputs.run-full
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        submodules: true
+    - uses: ./.github/actions/install-rust
+    - run: cargo test -p wasmtime-wasi-tls-nativetls
+
   # Test the `wasmtime-fuzzing` crate. Split out from the main tests because
   # `--all-features` brings in OCaml, which is a pain to get setup for all
   # targets.
@@ -1114,6 +1131,7 @@ jobs:
       - doc
       - micro_checks
       - special_tests
+      - test_wasi_tls_nativetls
       - clippy
       - monolith_checks
       - platform_checks

Cargo.lock

@@ -158,6 +158,7 @@ members = [
   "crates/test-programs",
   "crates/wasi-preview1-component-adapter",
   "crates/wasi-preview1-component-adapter/verify",
+  "crates/wasi-tls-nativetls",
   "examples/fib-debug/wasm",
   "examples/wasm",
   "examples/tokio/wasm",
@@ -235,6 +236,7 @@ wasmtime-wasi-config = { path = "crates/wasi-config", version = "35.0.0" }
 wasmtime-wasi-keyvalue = { path = "crates/wasi-keyvalue", version = "35.0.0" }
 wasmtime-wasi-threads = { path = "crates/wasi-threads", version = "35.0.0" }
 wasmtime-wasi-tls = { path = "crates/wasi-tls", version = "35.0.0" }
+wasmtime-wasi-tls-nativetls = { path = "crates/wasi-tls-nativetls", version = "35.0.0" }
 wasmtime-wast = { path = "crates/wast", version = "=35.0.0" }
 
 # Internal Wasmtime-specific crates.
@@ -399,6 +401,8 @@ ittapi = "0.4.0"
 libm = "0.2.7"
 tokio-rustls = "0.25.0"
 rustls = "0.22.0"
+tokio-native-tls = "0.3.1"
+native-tls = "0.2.11"
 webpki-roots = "0.26.0"
 itertools = "0.14.0"
 base64 = "0.22.1"

Cargo.toml

@@ -7,6 +7,9 @@
 # - wasmtime-wasi-nn: mutually-exclusive features that aren't available for all
 #   targets, needs its own CI job.
 #
+# - wasmtime-wasi-tls-nativetls: the openssl dependency does not play nice with
+#   cross compilation. This crate is tested in a separate CI job.
+#
 # - wasmtime-fuzzing: enabling all features brings in OCaml which is a pain to
 #   configure for all targets, so it has its own CI job.
 #
@@ -21,6 +24,7 @@
 args = ['cargo', 'test', '--workspace', '--all-features']
 args.append('--exclude=test-programs')
 args.append('--exclude=wasmtime-wasi-nn')
+args.append('--exclude=wasmtime-wasi-tls-nativetls')
 args.append('--exclude=wasmtime-fuzzing')
 args.append('--exclude=wasm-spec-interpreter')
 args.append('--exclude=veri_engine')

ci/run-tests.py

@@ -7,8 +7,9 @@ use test_programs::wasi::tls::types::ClientHandshake;
 const PORT: u16 = 443;
 
 fn test_tls_sample_application(domain: &str, ip: IpAddress) -> Result<()> {
-    let request =
-        format!("GET / HTTP/1.1\r\nHost: {domain}\r\nUser-Agent: wasmtime-wasi-rust\r\n\r\n");
+    let request = format!(
+        "GET / HTTP/1.1\r\nHost: {domain}\r\nUser-Agent: wasmtime-wasi-rust\r\nConnection: close\r\n\r\n"
+    );
 
     let net = Network::default();
 
@@ -25,13 +26,13 @@ fn test_tls_sample_application(domain: &str, ip: IpAddress) -> Result<()> {
     tls_output
         .blocking_write_util(request.as_bytes())
         .context("writing http request failed")?;
-    client_connection
-        .blocking_close_output(&tls_output)
-        .context("closing tls connection failed")?;
-    socket.shutdown(ShutdownType::Send)?;
     let response = tls_input
         .blocking_read_to_end()
         .context("reading http response failed")?;
+    client_connection
+        .blocking_close_output(&tls_output)
+        .context("closing tls connection failed")?;
+    socket.shutdown(ShutdownType::Both)?;
 
     if String::from_utf8(response)?.contains("HTTP/1.1 200 OK") {
         Ok(())
@@ -55,7 +56,7 @@ fn test_tls_invalid_certificate(_domain: &str, ip: IpAddress) -> Result<()> {
 
     match ClientHandshake::new(BAD_DOMAIN, tcp_input, tcp_output).blocking_finish() {
         // We're expecting an error regarding the "certificate" is some form or
-        // another. When we add more TLS backends other than rustls, this naive
+        // another. When we add more TLS backends this naive
         // check will likely need to be revisited/expanded:
         Err(e) if e.to_debug_string().contains("certificate") => Ok(()),
 

crates/test-programs/src/bin/tls_sample_application.rs

@@ -0,0 +1,26 @@
+[package]
+name = "wasmtime-wasi-tls-nativetls"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+rust-version.workspace = true
+repository = "https://github.com/bytecodealliance/wasmtime"
+license = "Apache-2.0 WITH LLVM-exception"
+description = "Wasmtime implementation of the wasi-tls API, using native-tls for TLS support."
+
+[lints]
+workspace = true
+
+[dependencies]
+wasmtime-wasi-tls = { workspace = true }
+tokio = { workspace = true }
+tokio-native-tls = { workspace = true }
+native-tls = { workspace = true }
+
+[dev-dependencies]
+anyhow = { workspace = true }
+test-programs-artifacts = { workspace = true }
+wasmtime = { workspace = true, features = ["runtime", "component-model"] }
+wasmtime-wasi = { workspace = true }
+tokio = { workspace = true, features = ["macros"] }
+futures = { workspace = true }