WIP

badeend · Oct 30, 2024 · 87001bf · 87001bf
1 parent b79a96a
commit 87001bf
Show file tree

Hide file tree

Showing 20 changed files with 676 additions and 10 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -343,6 +343,9 @@ criterion = { version = "0.5.0", default-features = false, features = ["html_rep
 rustc-hash = "2.0.0"
 libtest-mimic = "0.7.0"
 semver = { version = "1.0.17", default-features = false }
+tokio-rustls = "0.25.0"
+rustls = "0.22.0"
+webpki-roots = "0.26.0"
 
 # =============================================================================
 #

diff --git a/crates/cli-flags/src/lib.rs b/crates/cli-flags/src/lib.rs
@@ -383,6 +383,8 @@ wasmtime_option_group! {
         pub udp: Option<bool>,
         /// Enable WASI APIs marked as: @unstable(feature = network-error-code)
         pub network_error_code: Option<bool>,
+        /// Enable WASI APIs marked as: @unstable(feature = tls)
+        pub tls: Option<bool>,
         /// Allows imports from the `wasi_unstable` core wasm module.
         pub preview0: Option<bool>,
         /// Inherit all environment variables from the parent process.

diff --git a/crates/test-programs/src/bin/preview2_tls_sample_application.rs b/crates/test-programs/src/bin/preview2_tls_sample_application.rs
@@ -0,0 +1,45 @@
+use core::str;
+
+use test_programs::wasi::sockets::network::{IpSocketAddress, Network};
+use test_programs::wasi::sockets::tcp::{ShutdownType, TcpSocket};
+use test_programs::wasi::sockets::tls;
+
+fn test_tls_sample_application() {
+    const PORT: u16 = 443;
+    const DOMAIN: &'static str = "example.com";
+
+    let request = format!("GET / HTTP/1.1\r\nHost: {DOMAIN}\r\n\r\n");
+
+    let net = Network::default();
+
+    let Some(ip) = net
+        .permissive_blocking_resolve_addresses(DOMAIN)
+        .unwrap()
+        .first()
+        .map(|a| a.to_owned())
+    else {
+        // eprintln!("DNS lookup failed."); // TODO
+        panic!("DNS lookup failed.");
+        return;
+    };
+
+    let socket = TcpSocket::new(ip.family()).unwrap();
+    let (tcp_input, tcp_output) = socket
+        .blocking_connect(&net, IpSocketAddress::new(ip, PORT))
+        .unwrap();
+
+    let (_client, tls_input, tls_output) = tls::ClientHandshake::new(DOMAIN, tcp_input, tcp_output)
+        .blocking_finish()
+        .unwrap();
+
+    tls_output.blocking_write_util(request.as_bytes()).unwrap();
+    socket.shutdown(ShutdownType::Send).unwrap();
+    let response = tls_input.blocking_read_to_end().unwrap();
+    let response = String::from_utf8(response).unwrap();
+
+    assert!(response.contains("HTTP/1.1 200 OK"));
+}
+
+fn main() {
+    test_tls_sample_application();
+}
diff --git a/crates/test-programs/src/lib.rs b/crates/test-programs/src/lib.rs
@@ -20,7 +20,7 @@ wit_bindgen::generate!({
         "../wasi-keyvalue/wit",
     ],
     world: "wasmtime:test/test",
-    features: ["cli-exit-with-code"],
+    features: ["cli-exit-with-code", "tls"],
     generate_all,
 });
 

diff --git a/crates/test-programs/src/sockets.rs b/crates/test-programs/src/sockets.rs
@@ -13,6 +13,7 @@ use crate::wasi::sockets::udp::{
     IncomingDatagram, IncomingDatagramStream, OutgoingDatagram, OutgoingDatagramStream, UdpSocket,
 };
 use crate::wasi::sockets::{tcp_create_socket, udp_create_socket};
+use crate::wasi::sockets::tls as tls;
 use std::ops::Range;
 
 const TIMEOUT_NS: u64 = 1_000_000_000;
@@ -265,6 +266,22 @@ impl IncomingDatagramStream {
     }
 }
 
+impl tls::ClientHandshake {
+    pub fn blocking_finish(self) -> Result<(tls::ClientConnection, InputStream, OutputStream), ()> {
+        let future = tls::ClientHandshake::finish(self);
+        let timeout = monotonic_clock::subscribe_duration(TIMEOUT_NS);
+        let pollable = future.subscribe();
+
+        loop {
+            match future.get() {
+                None => pollable.block_until(&timeout).expect("timed out"),
+                Some(Ok(r)) => return r,
+                Some(Err(_)) => unreachable!(),
+            }
+        }
+    }
+}
+
 impl IpAddress {
     pub const IPV4_BROADCAST: IpAddress = IpAddress::Ipv4((255, 255, 255, 255));
 

diff --git a/crates/wasi-http/Cargo.toml b/crates/wasi-http/Cargo.toml
@@ -31,9 +31,9 @@ wasmtime = { workspace = true, features = ['component-model'] }
 
 # The `ring` crate, used to implement TLS, does not build on riscv64 or s390x
 [target.'cfg(not(any(target_arch = "riscv64", target_arch = "s390x")))'.dependencies]
-tokio-rustls = { version = "0.25.0" }
-rustls = { version = "0.22.0" }
-webpki-roots = { version = "0.26.0" }
+tokio-rustls = { workspace = true }
+rustls = { workspace = true }
+webpki-roots = { workspace = true }
 
 [dev-dependencies]
 test-programs-artifacts = { workspace = true }

diff --git a/crates/wasi-http/wit/deps/sockets/tls.wit b/crates/wasi-http/wit/deps/sockets/tls.wit
@@ -0,0 +1,29 @@
+@unstable(feature = tls)
+interface tls {
+    @unstable(feature = tls)
+    use wasi:io/streams@0.2.2.{input-stream, output-stream};
+    @unstable(feature = tls)
+    use wasi:io/poll@0.2.2.{pollable};
+
+    @unstable(feature = tls)
+    resource client-handshake {
+        @unstable(feature = tls)
+        constructor(server-name: string, input: input-stream, output: output-stream);
+
+        @unstable(feature = tls)
+        finish: static func(this: client-handshake) -> future-client-streams;
+    }
+
+    @unstable(feature = tls)
+    resource client-connection {
+    }
+
+    @unstable(feature = tls)
+    resource future-client-streams {
+        @unstable(feature = tls)
+        subscribe: func() -> pollable;
+
+        @unstable(feature = tls)
+        get: func() -> option<result<result<tuple<client-connection, input-stream, output-stream>>>>;
+    }
+}
diff --git a/crates/wasi-http/wit/deps/sockets/world.wit b/crates/wasi-http/wit/deps/sockets/world.wit
@@ -16,4 +16,6 @@ world imports {
     import tcp-create-socket;
     @since(version = 0.2.0)
     import ip-name-lookup;
+    @unstable(feature = tls)
+    import tls;
 }
diff --git a/crates/wasi/Cargo.toml b/crates/wasi/Cargo.toml
@@ -35,6 +35,9 @@ async-trait = { workspace = true }
 system-interface = { workspace = true}
 futures = { workspace = true }
 url = { workspace = true }
+tokio-rustls = { workspace = true }
+rustls = { workspace = true }
+webpki-roots = { workspace = true }
 
 [dev-dependencies]
 tokio = { workspace = true, features = ["time", "sync", "io-std", "io-util", "rt", "rt-multi-thread", "net", "macros", "fs"] }

diff --git a/crates/wasi/src/bindings.rs b/crates/wasi/src/bindings.rs
@@ -164,6 +164,7 @@ pub mod sync {
                 "wasi:io/error": crate::bindings::io::error,
                 "wasi:filesystem/preopens": crate::bindings::filesystem::preopens,
                 "wasi:sockets/network": crate::bindings::sockets::network,
+                "wasi:sockets/tls": crate::bindings::sockets::tls,
 
                 // Configure the resource types of the bound interfaces here
                 // to be the same as the async versions of the resources, that
@@ -406,6 +407,9 @@ mod async_io {
             "wasi:sockets/udp/incoming-datagram-stream": crate::udp::IncomingDatagramStream,
             "wasi:sockets/udp/outgoing-datagram-stream": crate::udp::OutgoingDatagramStream,
             "wasi:sockets/ip-name-lookup/resolve-address-stream": crate::ip_name_lookup::ResolveAddressStream,
+            "wasi:sockets/tls/client-connection": crate::host::tls::ClientConnection,
+            "wasi:sockets/tls/client-handshake": crate::host::tls::ClientHandshake,
+            "wasi:sockets/tls/future-client-streams": crate::host::tls::FutureClientStreams,
             "wasi:filesystem/types/directory-entry-stream": crate::filesystem::ReaddirIterator,
             "wasi:filesystem/types/descriptor": crate::filesystem::Descriptor,
             "wasi:io/streams/input-stream": crate::stream::InputStream,

diff --git a/crates/wasi/src/host/mod.rs b/crates/wasi/src/host/mod.rs
@@ -8,5 +8,6 @@ pub(crate) mod network;
 mod random;
 mod tcp;
 mod tcp_create_socket;
+pub(crate) mod tls;
 mod udp;
 mod udp_create_socket;