aws / s2n-tls

An implementation of the TLS/SSL protocols
https://aws.github.io/s2n-tls/usage-guide/
Apache License 2.0

Support Swift Package Manager #4915

Open WesleyRosenblum opened 6 days ago

WesleyRosenblum commented 6 days ago

Issue opened on behalf of @waahm7

Problem:

aws-crt-swift is a Swift package that depends on s2n-tls on Linux. Unfortunately, Swift Package Manager doesn't support CMake (see https://github.com/swiftlang/swift-package-manager/issues/4555), and we have a minimal s2n-tls configuration that was working before the following change: https://github.com/aws/s2n-tls/pull/4465.

Our Swift Configuration: https://github.com/awslabs/aws-crt-swift/blob/main/Package.swift#L95

packageTargets.append(.target(
    name: "S2N_TLS",
    dependencies: ["LibCrypto"],
    path: "aws-common-runtime/s2n",
    exclude: s2nExcludes,
    publicHeadersPath: "api",
    cSettings: [
        .headerSearchPath("./"),
        .define("POSIX_C_SOURCE=200809L"),
        .define("S2N_NO_PQ")
    ]
))

Without using CMake, we are not able to build, as the expected s2n_prelude.h file is not put in place and all feature probes are not running, amongst other missing build logic:

/root/aws-crt-swift/aws-common-runtime/s2n/tls/s2n_config.c:18:6: error: "Expected s2n_prelude.h to be included as part of the compiler flags"
    #error "Expected s2n_prelude.h to be included as part of the compiler flags"

Swift Package Manager doesn’t have a lot of configuration options and just builds the C package with a lot of assumptions. You can’t use any compiler flags, etc. We just wrote the minimum config needed to get it working.

Solution:

We would prefer if S2N can provide an official Swift package so that it is configured properly with all the features.

We can't replicate the build logic from CMake, since SwiftPM doesn’t allow unsafe compiler flags. See: here and here.

As some build flags can be exploited for unsupported or malicious behavior, the use of unsafe flags makes the products containing this target ineligible for use by other packages.

We are thinking about working around this problem by just defining the macros from s2n_prelude.h and having a CI that checks whether s2n_prelude.h has changed so that we can stay up-to-date with the changes.

Requirements / Acceptance Criteria:

What must a solution address in order to solve the problem? How do we know the solution is complete?

aws-crt-swift is able to build s2n-tls correctly, including all feature probes being executed.

Out of scope:

Is there anything the solution will intentionally NOT address?
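
The workaround described in the issue above (define the macros from s2n_prelude.h in Package.swift and have CI detect when the header changes) could be checked as follows; it goes one step beyond a hash comparison by also naming the macros that are missing. This is an added example, not code from the issue, aws-crt-swift or s2n-tls; the header and cSettings samples are constructed, and `check_prelude`, `S2N_EXAMPLE_HARDENING` and `S2N_NEW_FLAG` are hypothetical names.

```python
import hashlib
import re

# "#define NAME ..." in a C header, allowing indentation and "# define".
C_DEFINE = re.compile(r'^[ \t]*#[ \t]*define[ \t]+([A-Za-z_]\w*)', re.MULTILINE)
# .define("NAME"), .define("NAME=VALUE") or .define("NAME", to: "VALUE") in Package.swift.
SWIFT_DEFINE = re.compile(r'\.define\(\s*"([A-Za-z_]\w*)')

# Constructed stand-in for s2n_prelude.h; NOT the real file's contents.
SAMPLE_HEADER = """#pragma once
#define _POSIX_C_SOURCE 200809L
#ifndef _GNU_SOURCE
    #define _GNU_SOURCE
#endif
#define S2N_EXAMPLE_HARDENING 1
"""

# Constructed cSettings fragment in the style of the Package.swift quoted above.
SAMPLE_PACKAGE = """cSettings: [
    .define("_POSIX_C_SOURCE", to: "200809L"),
    .define("_GNU_SOURCE"),
    .define("S2N_NO_PQ")
]"""

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def check_prelude(header_text, package_text, pinned_sha256, ignore=()):
    """Return a list of problems; an empty list means the CI check passes."""
    problems = []
    digest = sha256_hex(header_text)
    if digest != pinned_sha256:
        problems.append(f"s2n_prelude.h changed: sha256 {digest}, pinned {pinned_sha256}")
    in_header = set(C_DEFINE.findall(header_text))
    in_package = set(SWIFT_DEFINE.findall(package_text))
    # Macros the header sets but the Swift target does not (minus reviewed exceptions).
    for name in sorted(in_header - in_package - set(ignore)):
        problems.append(f"macro {name} is in s2n_prelude.h but not in Package.swift")
    return problems

if __name__ == "__main__":
    # In CI, read the real files and keep the pinned digest in the repository.
    pinned = sha256_hex(SAMPLE_HEADER)
    changed = SAMPLE_HEADER + "#define S2N_NEW_FLAG 1\n"
    for problem in check_prelude(changed, SAMPLE_PACKAGE, pinned):
        print("FAIL:", problem)
```

The `ignore` argument is for macros that were reviewed and deliberately left out of Package.swift, such as function-like macros that cannot be expressed with `.define`.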

maddeleine commented 4 days ago

Note: for this issue we need an investigation into what can be done here. None of us are Swift experts, so if there's a solution that doesn't involve creating a Swift s2n package, that would be ideal.

sbSteveK commented 4 days ago

+1 on this request/issue from the AWS IoT Device SDK team.