Add native-tls backend for wasi-tls

Cargo.toml

@@ -234,7 +234,7 @@ wasmtime-wasi-nn = { path = "crates/wasi-nn", version = "35.0.0" }
 wasmtime-wasi-config = { path = "crates/wasi-config", version = "35.0.0" }
 wasmtime-wasi-keyvalue = { path = "crates/wasi-keyvalue", version = "35.0.0" }
 wasmtime-wasi-threads = { path = "crates/wasi-threads", version = "35.0.0" }
-wasmtime-wasi-tls = { path = "crates/wasi-tls", version = "35.0.0" }
+wasmtime-wasi-tls = { path = "crates/wasi-tls", version = "35.0.0", default-features = false }
 wasmtime-wast = { path = "crates/wast", version = "=35.0.0" }
 
 # Internal Wasmtime-specific crates.
@@ -438,6 +438,7 @@ default = [
   "wasi-config",
   "wasi-keyvalue",
   "wasi-tls",
+  "wasi-tls-rustls",
 
   # Most features of Wasmtime are enabled by default.
   "wat",
@@ -478,6 +479,7 @@ trace-log = ["wasmtime/trace-log"]
 memory-protection-keys = ["wasmtime-cli-flags/memory-protection-keys"]
 profile-pulley = ["wasmtime/profile-pulley"]
 component-model-async = ["wasmtime-cli-flags/component-model-async", "component-model"]
+wasi-tls-nativetls = ["wasi-tls", "wasmtime-wasi-tls/nativetls"]
 
 # This feature, when enabled, will statically compile out all logging statements
 # throughout Wasmtime and its dependencies.
@@ -490,6 +492,7 @@ disable-logging = ["log/max_level_off", "tracing/max_level_off"]
 # the internal mapping for what they enable in Wasmtime itself.
 wasi-nn = ["dep:wasmtime-wasi-nn"]
 wasi-tls = ["dep:wasmtime-wasi-tls"]
+wasi-tls-rustls = ["wasi-tls", "wasmtime-wasi-tls/rustls"]
 wasi-threads = ["dep:wasmtime-wasi-threads", "threads"]
 wasi-http = ["component-model", "dep:wasmtime-wasi-http", "dep:tokio", "dep:hyper"]
 wasi-config = ["dep:wasmtime-wasi-config"]

crates/cli-flags/src/lib.rs

@@ -438,6 +438,8 @@ wasmtime_option_group! {
         pub tcplisten: Vec<String>,
         /// Enable support for WASI TLS (Transport Layer Security) imports (experimental)
         pub tls: Option<bool>,
+        /// Which TLS provider to use for the wasi-tls interface. Either `rustls` or `nativetls`.
+        pub tls_provider: Option<String>,
         /// Implement WASI Preview1 using new Preview2 implementation (true, default) or legacy
         /// implementation (false)
         pub preview2: Option<bool>,

crates/test-programs/src/bin/tls_sample_application.rs

@@ -7,8 +7,9 @@ use test_programs::wasi::tls::types::ClientHandshake;
 const PORT: u16 = 443;
 
 fn test_tls_sample_application(domain: &str, ip: IpAddress) -> Result<()> {
-    let request =
-        format!("GET / HTTP/1.1\r\nHost: {domain}\r\nUser-Agent: wasmtime-wasi-rust\r\nConnection: close\r\n\r\n");
+    let request = format!(
+        "GET / HTTP/1.1\r\nHost: {domain}\r\nUser-Agent: wasmtime-wasi-rust\r\nConnection: close\r\n\r\n"
+    );
 
     let net = Network::default();
 

crates/wasi-tls/Cargo.toml

@@ -14,7 +14,7 @@ workspace = true
 [features]
 default = ["rustls"]
 rustls = ["dep:rustls", "dep:tokio-rustls", "dep:webpki-roots"]
-native-tls = ["dep:native-tls", "dep:tokio-native-tls"]
+nativetls = ["dep:native-tls", "dep:tokio-native-tls"]
 
 [dependencies]
 anyhow = { workspace = true }

crates/wasi-tls/src/host.rs

@@ -5,22 +5,22 @@ use wasmtime_wasi::p2::Pollable;
 use wasmtime_wasi::p2::{DynInputStream, DynOutputStream, DynPollable, IoError};
 
 use crate::{
-    WasiTlsCtx, bindings,
+    TlsStream, TlsTransport, WasiTls, bindings,
     io::{
         AsyncReadStream, AsyncWriteStream, FutureOutput, WasiFuture, WasiStreamReader,
         WasiStreamWriter,
     },
 };
 
-impl<'a> bindings::types::Host for WasiTlsCtx<'a> {}
-
-/// The underlying transport. Typically, this is a TCP input+output stream.
-type Transport = tokio::io::Join<WasiStreamReader, WasiStreamWriter>;
+impl<'a> bindings::types::Host for WasiTls<'a> {}
 
 /// Represents the ClientHandshake which will be used to configure the handshake
-pub struct HostClientHandshake(crate::client::Handshake<Transport>);
+pub struct HostClientHandshake {
+    server_name: String,
+    transport: Box<dyn TlsTransport>,
+}
 
-impl<'a> bindings::types::HostClientHandshake for WasiTlsCtx<'a> {
+impl<'a> bindings::types::HostClientHandshake for WasiTls<'a> {
     fn new(
         &mut self,
         server_name: String,
@@ -33,9 +33,11 @@ impl<'a> bindings::types::HostClientHandshake for WasiTlsCtx<'a> {
         let reader = WasiStreamReader::new(input);
         let writer = WasiStreamWriter::new(output);
         let transport = tokio::io::join(reader, writer);
-        let handshake = crate::client::Handshake::new(server_name, transport);
 
-        Ok(self.table.push(HostClientHandshake(handshake))?)
+        Ok(self.table.push(HostClientHandshake {
+            server_name,
+            transport: Box::new(transport) as Box<dyn TlsTransport>,
+        })?)
     }
 
     fn finish(
@@ -44,8 +46,13 @@ impl<'a> bindings::types::HostClientHandshake for WasiTlsCtx<'a> {
     ) -> wasmtime::Result<Resource<HostFutureClientStreams>> {
         let handshake = self.table.delete(this)?;
 
+        let connect = self
+            .ctx
+            .provider
+            .connect(handshake.server_name, handshake.transport);
+
         let future = HostFutureClientStreams(WasiFuture::spawn(async move {
-            let tls_stream = handshake.0.finish().await?;
+            let tls_stream = connect.await?;
 
             let (rx, tx) = tokio::io::split(tls_stream);
             let write_stream = AsyncWriteStream::new(tx);
@@ -78,7 +85,7 @@ impl Pollable for HostFutureClientStreams {
     }
 }
 
-impl<'a> bindings::types::HostFutureClientStreams for WasiTlsCtx<'a> {
+impl<'a> bindings::types::HostFutureClientStreams for WasiTls<'a> {
     fn subscribe(
         &mut self,
         this: Resource<HostFutureClientStreams>,
@@ -134,10 +141,10 @@ impl<'a> bindings::types::HostFutureClientStreams for WasiTlsCtx<'a> {
 
 /// Represents the client connection and used to shut down the tls stream
 pub struct HostClientConnection(
-    crate::io::AsyncWriteStream<tokio::io::WriteHalf<crate::client::Connection<Transport>>>,
+    crate::io::AsyncWriteStream<tokio::io::WriteHalf<Box<dyn TlsStream>>>,
 );
 
-impl<'a> bindings::types::HostClientConnection for WasiTlsCtx<'a> {
+impl<'a> bindings::types::HostClientConnection for WasiTls<'a> {
     fn close_output(&mut self, this: Resource<HostClientConnection>) -> wasmtime::Result<()> {
         self.table.get_mut(&this)?.0.close()
     }