Split off native-tls implementation into separate crate

Author: badeend

.github/workflows/main.yml

@@ -393,11 +393,6 @@ jobs:
               -p wasmtime-c-api --no-default-features
               -p wasmtime-c-api --no-default-features --features wat
               -p wasmtime-c-api --no-default-features --features wasi
-
-          - name: wasmtime-wasi-tls
-            checks: |
-              -p wasmtime-wasi-tls --no-default-features --features rustls
-              -p wasmtime-wasi-tls --no-default-features --features nativetls
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4

Cargo.lock

@@ -55,6 +55,7 @@ wasmtime-wasi = { workspace = true, default-features = true, optional = true }
 wasmtime-wasi-nn = { workspace = true, optional = true }
 wasmtime-wasi-config = { workspace = true, optional = true }
 wasmtime-wasi-tls = { workspace = true, optional = true }
+wasmtime-wasi-tls-nativetls = { workspace = true, optional = true }
 wasmtime-wasi-keyvalue = { workspace = true, optional = true }
 wasmtime-wasi-threads = { workspace = true, optional = true }
 wasmtime-wasi-http = { workspace = true, optional = true }
@@ -234,7 +235,8 @@ wasmtime-wasi-nn = { path = "crates/wasi-nn", version = "35.0.0" }
 wasmtime-wasi-config = { path = "crates/wasi-config", version = "35.0.0" }
 wasmtime-wasi-keyvalue = { path = "crates/wasi-keyvalue", version = "35.0.0" }
 wasmtime-wasi-threads = { path = "crates/wasi-threads", version = "35.0.0" }
-wasmtime-wasi-tls = { path = "crates/wasi-tls", version = "35.0.0", default-features = false }
+wasmtime-wasi-tls = { path = "crates/wasi-tls", version = "35.0.0" }
+wasmtime-wasi-tls-nativetls = { path = "crates/wasi-tls-nativetls", version = "35.0.0" }
 wasmtime-wast = { path = "crates/wast", version = "=35.0.0" }
 
 # Internal Wasmtime-specific crates.
@@ -439,7 +441,6 @@ default = [
   "wasi-config",
   "wasi-keyvalue",
   "wasi-tls",
-  "wasi-tls-rustls",
 
   # Most features of Wasmtime are enabled by default.
   "wat",
@@ -480,7 +481,6 @@ trace-log = ["wasmtime/trace-log"]
 memory-protection-keys = ["wasmtime-cli-flags/memory-protection-keys"]
 profile-pulley = ["wasmtime/profile-pulley"]
 component-model-async = ["wasmtime-cli-flags/component-model-async", "component-model"]
-wasi-tls-nativetls = ["wasi-tls", "wasmtime-wasi-tls/nativetls"]
 
 # This feature, when enabled, will statically compile out all logging statements
 # throughout Wasmtime and its dependencies.
@@ -493,7 +493,6 @@ disable-logging = ["log/max_level_off", "tracing/max_level_off"]
 # the internal mapping for what they enable in Wasmtime itself.
 wasi-nn = ["dep:wasmtime-wasi-nn"]
 wasi-tls = ["dep:wasmtime-wasi-tls"]
-wasi-tls-rustls = ["wasi-tls", "wasmtime-wasi-tls/rustls"]
 wasi-threads = ["dep:wasmtime-wasi-threads", "threads"]
 wasi-http = ["component-model", "dep:wasmtime-wasi-http", "dep:tokio", "dep:hyper"]
 wasi-config = ["dep:wasmtime-wasi-config"]

Cargo.toml

@@ -438,8 +438,6 @@ wasmtime_option_group! {
         pub tcplisten: Vec<String>,
         /// Enable support for WASI TLS (Transport Layer Security) imports (experimental)
         pub tls: Option<bool>,
-        /// Which TLS provider to use for the wasi-tls interface. Either `rustls` or `nativetls`.
-        pub tls_provider: Option<String>,
         /// Implement WASI Preview1 using new Preview2 implementation (true, default) or legacy
         /// implementation (false)
         pub preview2: Option<bool>,

crates/cli-flags/src/lib.rs

@@ -0,0 +1,26 @@
+[package]
+name = "wasmtime-wasi-tls-nativetls"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+rust-version.workspace = true
+repository = "https://github.com/bytecodealliance/wasmtime"
+license = "Apache-2.0 WITH LLVM-exception"
+description = "Wasmtime implementation of the wasi-tls API, using native-tls for TLS support."
+
+[lints]
+workspace = true
+
+[dependencies]
+wasmtime-wasi-tls = { workspace = true }
+tokio = { workspace = true }
+tokio-native-tls = { workspace = true }
+native-tls = { workspace = true }
+
+[dev-dependencies]
+anyhow = { workspace = true }
+test-programs-artifacts = { workspace = true }
+wasmtime = { workspace = true, features = ["runtime", "component-model"] }
+wasmtime-wasi = { workspace = true }
+tokio = { workspace = true, features = ["macros"] }
+futures = { workspace = true }

crates/wasi-tls-nativetls/Cargo.toml

@@ -0,0 +1,82 @@
+//! The `native_tls` provider.
+
+use std::{io, pin::pin};
+
+use wasmtime_wasi_tls::{TlsProvider, TlsStream, TlsTransport};
+
+type BoxFuture<T> = std::pin::Pin<Box<dyn Future<Output = T> + Send>>;
+
+/// The `native_tls` provider.
+pub struct NativeTlsProvider {
+    _priv: (),
+}
+
+impl TlsProvider for NativeTlsProvider {
+    fn connect(
+        &self,
+        server_name: String,
+        transport: Box<dyn TlsTransport>,
+    ) -> BoxFuture<io::Result<Box<dyn TlsStream>>> {
+        async fn connect_impl(
+            server_name: String,
+            transport: Box<dyn TlsTransport>,
+        ) -> Result<NativeTlsStream, native_tls::Error> {
+            let connector = native_tls::TlsConnector::new()?;
+            let stream = tokio_native_tls::TlsConnector::from(connector)
+                .connect(&server_name, transport)
+                .await?;
+            Ok(NativeTlsStream(stream))
+        }
+
+        Box::pin(async move {
+            let stream = connect_impl(server_name, transport)
+                .await
+                .map_err(|e| io::Error::other(e))?;
+            Ok(Box::new(stream) as Box<dyn TlsStream>)
+        })
+    }
+}
+
+impl Default for NativeTlsProvider {
+    fn default() -> Self {
+        Self { _priv: () }
+    }
+}
+
+struct NativeTlsStream(tokio_native_tls::TlsStream<Box<dyn TlsTransport>>);
+
+impl TlsStream for NativeTlsStream {}
+
+impl tokio::io::AsyncRead for NativeTlsStream {
+    fn poll_read(
+        mut self: std::pin::Pin<&mut Self>,
+        cx: &mut std::task::Context<'_>,
+        buf: &mut tokio::io::ReadBuf<'_>,
+    ) -> std::task::Poll<io::Result<()>> {
+        pin!(&mut self.as_mut().0).poll_read(cx, buf)
+    }
+}
+
+impl tokio::io::AsyncWrite for NativeTlsStream {
+    fn poll_write(
+        mut self: std::pin::Pin<&mut Self>,
+        cx: &mut std::task::Context<'_>,
+        buf: &[u8],
+    ) -> std::task::Poll<io::Result<usize>> {
+        pin!(&mut self.as_mut().0).poll_write(cx, buf)
+    }
+
+    fn poll_flush(
+        mut self: std::pin::Pin<&mut Self>,
+        cx: &mut std::task::Context<'_>,
+    ) -> std::task::Poll<Result<(), io::Error>> {
+        pin!(&mut self.as_mut().0).poll_flush(cx)
+    }
+
+    fn poll_shutdown(
+        mut self: std::pin::Pin<&mut Self>,
+        cx: &mut std::task::Context<'_>,
+    ) -> std::task::Poll<Result<(), io::Error>> {
+        pin!(&mut self.as_mut().0).poll_shutdown(cx)
+    }
+}

crates/wasi-tls-nativetls/src/lib.rs

@@ -0,0 +1,72 @@
+use anyhow::{Result, anyhow};
+use wasmtime::{
+    Store,
+    component::{Component, Linker, ResourceTable},
+};
+use wasmtime_wasi::p2::{IoView, WasiCtx, WasiCtxBuilder, WasiView, bindings::Command};
+use wasmtime_wasi_tls::{LinkOptions, WasiTls, WasiTlsCtx, WasiTlsCtxBuilder};
+
+struct Ctx {
+    table: ResourceTable,
+    wasi_ctx: WasiCtx,
+    wasi_tls_ctx: WasiTlsCtx,
+}
+
+impl IoView for Ctx {
+    fn table(&mut self) -> &mut ResourceTable {
+        &mut self.table
+    }
+}
+impl WasiView for Ctx {
+    fn ctx(&mut self) -> &mut WasiCtx {
+        &mut self.wasi_ctx
+    }
+}
+
+async fn run_test(path: &str) -> Result<()> {
+    let provider = Box::new(wasmtime_wasi_tls_nativetls::NativeTlsProvider::default());
+    let ctx = Ctx {
+        table: ResourceTable::new(),
+        wasi_ctx: WasiCtxBuilder::new()
+            .inherit_stderr()
+            .inherit_network()
+            .allow_ip_name_lookup(true)
+            .build(),
+        wasi_tls_ctx: WasiTlsCtxBuilder::new().provider(provider).build(),
+    };
+
+    let engine = test_programs_artifacts::engine(|config| {
+        config.async_support(true);
+    });
+    let mut store = Store::new(&engine, ctx);
+    let component = Component::from_file(&engine, path)?;
+
+    let mut linker = Linker::new(&engine);
+    wasmtime_wasi::p2::add_to_linker_async(&mut linker)?;
+    let mut opts = LinkOptions::default();
+    opts.tls(true);
+    wasmtime_wasi_tls::add_to_linker(&mut linker, &mut opts, |h: &mut Ctx| {
+        WasiTls::new(&h.wasi_tls_ctx, &mut h.table)
+    })?;
+
+    let command = Command::instantiate_async(&mut store, &component, &linker).await?;
+    command
+        .wasi_cli_run()
+        .call_run(&mut store)
+        .await?
+        .map_err(|()| anyhow!("command returned with failing exit status"))
+}
+
+macro_rules! assert_test_exists {
+    ($name:ident) => {
+        #[expect(unused_imports, reason = "just here to assert it exists")]
+        use self::$name as _;
+    };
+}
+
+test_programs_artifacts::foreach_tls!(assert_test_exists);
+
+#[tokio::test(flavor = "multi_thread")]
+async fn tls_sample_application() -> Result<()> {
+    run_test(test_programs_artifacts::TLS_SAMPLE_APPLICATION_COMPONENT).await
+}

crates/wasi-tls-nativetls/tests/main.rs

@@ -11,11 +11,6 @@ description = "Wasmtime implementation of the wasi-tls API"
 [lints]
 workspace = true
 
-[features]
-default = ["rustls"]
-rustls = ["dep:rustls", "dep:tokio-rustls", "dep:webpki-roots"]
-nativetls = ["dep:native-tls", "dep:tokio-native-tls"]
-
 [dependencies]
 anyhow = { workspace = true }
 bytes = { workspace = true }
@@ -27,13 +22,10 @@ tokio = { workspace = true, features = [
 ] }
 wasmtime = { workspace = true, features = ["runtime", "component-model"] }
 wasmtime-wasi = { workspace = true }
-cfg-if = { workspace = true }
 
-tokio-rustls = { workspace = true, optional = true }
-rustls = { workspace = true, optional = true }
-webpki-roots = { workspace = true, optional = true }
-tokio-native-tls = { workspace = true, optional = true }
-native-tls = { workspace = true, optional = true }
+tokio-rustls = { workspace = true }
+rustls = { workspace = true }
+webpki-roots = { workspace = true }
 
 [dev-dependencies]
 test-programs-artifacts = { workspace = true }

crates/wasi-tls/Cargo.toml

@@ -43,9 +43,8 @@
 //!             .allow_ip_name_lookup(true)
 //!             .build(),
 //!         wasi_tls_ctx: WasiTlsCtxBuilder::new()
-//!             // Optionally, configure a specific TLS provider:
-//!             // .provider(Box::new(wasmtime_wasi_tls::RustlsProvider::default()))
-//!             // .provider(Box::new(wasmtime_wasi_tls::NativeTlsProvider::default()))
+//!             // Optionally, configure a different TLS provider:
+//!             // .provider(Box::new(wasmtime_wasi_tls_nativetls::NativeTlsProvider::default()))
 //!             .build(),
 //!     };
 //!
@@ -83,11 +82,11 @@ use wasmtime::component::{HasData, ResourceTable};
 pub mod bindings;
 mod host;
 mod io;
-mod providers;
+mod rustls;
 
 pub use bindings::types::LinkOptions;
 pub use host::{HostClientConnection, HostClientHandshake, HostFutureClientStreams};
-pub use providers::*;
+pub use rustls::RustlsProvider;
 
 /// Capture the state necessary for use in the `wasi-tls` API implementation.
 pub struct WasiTls<'a> {
@@ -128,12 +127,9 @@ impl WasiTlsCtxBuilder {
         Default::default()
     }
 
-    /// Sets the TLS provider to use for this context.
+    /// Configure the TLS provider to use for this context.
     ///
-    /// By default, this is set to the [`DefaultProvider`] which is picked at
-    /// compile time based on feature flags. If this crate is compiled with
-    /// multiple TLS providers, this method can be used to specify the provider
-    /// at runtime.
+    /// By default, this is set to the [`RustlsProvider`].
     pub fn provider(mut self, provider: Box<dyn TlsProvider>) -> Self {
         self.provider = provider;
         self
@@ -149,7 +145,7 @@ impl WasiTlsCtxBuilder {
 impl Default for WasiTlsCtxBuilder {
     fn default() -> Self {
         Self {
-            provider: Box::new(DefaultProvider::default()),
+            provider: Box::new(RustlsProvider::default()),
         }
     }
 }