Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WASI] Options for implementing wasi-tls proposal #109569

Open
jsturtevant opened this issue Nov 5, 2024 · 6 comments
Open

[WASI] Options for implementing wasi-tls proposal #109569

jsturtevant opened this issue Nov 5, 2024 · 6 comments
Assignees
Labels
arch-wasm WebAssembly architecture area-System.Net.Security os-wasi Related to WASI variant of arch-wasm
Milestone

Comments

@jsturtevant
Copy link
Contributor

There is a proposal for adding tls support in wasi-sockets. After adding socket support it makes sense to enable more scenarios with were tls is required. One instance would be using SqlClient.

We've done a few prototypes to figure out how this might work with dotnet:

In the second approach there is a mismatch between the level of the wasi-tls design and the existing SslStream implementation. wasi-tls operates on a transparent stream delegating the handling to the Host. In dotnet's SslStream implementation, the SslStream class handles all of the I/O, tls frame processing, and sends the frames one by one to the SSL context. Since we don't have that level of the SSL context exposed via the wasi-tls interface, and all the processing is happening asynchronously on the host side there is an issue of knowing when all the content has been sent to the host a fully processed by the SSL context and sent back to the guest to be forwarded on the socket layer.

I can think of a few of options to move forward (maybe more if I am missing something, which I might be):

  1. Make changes to the wasi-tls interface to expose a different type of interface that would support the current approach in dotnet's SslStream class. The downside to this is that thee wasi-tls interface is simple and easy to understand as designed today. It keeps the details out of the guest implementation and lets the host handle the complexity.
  2. Create a special case in the SslStream library for WASI that by-passes the current PAL abstraction around SSL and fills in the parts that make sense for wasi-tls in the public API. This would be somewhat similar to the first prototype implementation and be similar to httphandler.
  3. Refactor parts of the current PAL SSL abstraction to support this SSL stream. Downside is that all of the PAL layer is sync and we also still have the challenge of know when we've sent enough information to the underlying SSL context to get a response back.

Looking for some feedback on the various approaches.

/cc @pavelsavara @dicej

@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Nov 5, 2024
Copy link
Contributor

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@jkotas jkotas added the os-wasi Related to WASI variant of arch-wasm label Nov 5, 2024
@dicej
Copy link
Contributor

dicej commented Nov 5, 2024

I'm in favor of Option 2 since it allows us to keep wasi:sockets/tls high-level, giving us more flexibility to implement it efficiently and securely in the common case where the host is also managing the I/O. That saves us from having to pipe both the ciphertext and the plaintext across the guest/host boundary, leaving the details of framing and (re)handshaking to the host.

@pavelsavara pavelsavara added this to the 10.0.0 milestone Nov 6, 2024
@pavelsavara pavelsavara added arch-wasm WebAssembly architecture and removed untriaged New issue has not been triaged by the area owner labels Nov 6, 2024
Copy link
Contributor

Tagging subscribers to 'arch-wasm': @lewing
See info in area-owners.md if you want to be subscribed.

@pavelsavara
Copy link
Member

I also prefer option 2 but I would like to hear more about the gaps.
Which C# APIs are not possible or difficult to implement ?
Does SSLStream on Andoid have similar limitations ?

I suggest that we have conf call about it in week of 17/11

@jsturtevant
Copy link
Contributor Author

jsturtevant commented Dec 3, 2024

I've started to work on option 2 and will report back once I have something to look at

@jsturtevant
Copy link
Contributor Author

I've got option 2, working on a branch: main...jsturtevant:runtime:wasi-tls-2.

I am not sure if its worth opening a PR for now since its using a custom host implementation not wasmtime.

I think the next steps would be to help WebAssembly/wasi-sockets#100 move forward.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
arch-wasm WebAssembly architecture area-System.Net.Security os-wasi Related to WASI variant of arch-wasm
Projects
None yet
Development

No branches or pull requests

4 participants