Support for building with AWS Libcrypto (AWS-LC) (#929)

Hello,

I'm an engineer at AWS working on AWS-LC, AWS's open-source fork of
Google's BoringSSL. We would like to propose adding AWS-LC support to
netty-tcnative, alongside its existing support for OpenSSL, BoringSSL,
and LibreSSL.

AWS-LC shares a similar API surface area to the existing BoringSSL
integration within your library, while providing additional benefits for
users.
We are committed to backwards compatibility and maintain extensive CI
testing infrastructure that continuously validates compatibility with
many open-source projects.
We plan to add netty-tcnative compatibility testing to this suite to
ensure ongoing compatibility.

Some of the highlights offered by this integration:

1. Performance optimizations specifically targeted for modern CPU
architectures, including AWS Graviton processors, and Intel x86-64 with
AVX-512 instructions
2. Formal verification of critical cryptographic primitives, with
ongoing investment in expanding verification coverage.
3. FIPS 140-3 compliance support through a dedicated FIPS build mode.

Given netty-tcnative's existing support for BoringSSL, integrating
AWS-LC is relatively straightforward.
This integration would provide netty users with a well-supported path to
leverage AWS-LC's improvements in performance, security,
and compliance without requiring them to maintain custom patches or
modifications.

The this integration supports all current netty-tcnative functionality
that is supported for the BoringSSL integration.

Currently this pull request targets users who build the netty-tcnative
JARs themselves following the [How to build
](https://netty.io/wiki/forked-tomcat-native.html#how-to-build)
instructions. This would allow users wanting to use AWS-LC to do so
successfully.

At this time I don't see an explicit need to offer static compilations
of AWS-LC bundled in a jar file (similar to the BoringSSL integration).
I noticed
that the current LibreSSL static build is not published, so I wasn't
sure if maintaining these static variants is a goal in the long-term,
but would be open
to discuss further if you'd like.

Once this PR is merged in I can publish the corresponding PR to netty to
make necessary adjustments there for the netty-tcnative with aws-lc
integration to work as expected and have additional testing as
necessary.

---------

Co-authored-by: Norman Maurer <norman_maurer@apple.com>

Author: skmcgrail

.github/workflows/ci-build.yml

@@ -37,6 +37,9 @@ jobs:
           - setup: centos7-aarch64
             docker-compose-build: "-f docker/docker-compose.centos-7.yaml build"
             docker-compose-run: "-f docker/docker-compose.centos-7.yaml run cross-compile-aarch64-build"
+          - setup: al2023-x86_64-aws_lc
+            docker-compose-build: "-f docker/docker-compose.al2023.yaml build"
+            docker-compose-run: "-f docker/docker-compose.al2023.yaml run build"
 
     name: ${{ matrix.setup }}
     steps:

.github/workflows/ci-pr.yml

@@ -35,6 +35,9 @@ jobs:
           - setup: centos7-aarch64
             docker-compose-build: "-f docker/docker-compose.centos-7.yaml build"
             docker-compose-run: "-f docker/docker-compose.centos-7.yaml run cross-compile-aarch64-build"
+          - setup: al2023-x86_64-aws_lc
+            docker-compose-build: "-f docker/docker-compose.al2023.yaml build"
+            docker-compose-run: "-f docker/docker-compose.al2023.yaml run build"
 
     name: ${{ matrix.setup }}
     steps:

docker/Dockerfile.al2023

@@ -0,0 +1,55 @@
+FROM --platform=linux/amd64 amazonlinux:2023
+
+ARG java_version=8.0.452-amzn
+ARG aws_lc_version=v1.52.0
+ENV JAVA_VERSION $java_version
+ENV AWS_LC_VERSION $aws_lc_version
+
+# install dependencies
+RUN dnf install -y \
+ apr-devel \
+ autoconf \
+ automake \
+ bzip2 \
+ cmake \
+ git \
+ glibc-devel \
+ golang \
+ libtool \
+ make \
+ patch \
+ perl \
+ perl-parent \
+ perl-devel \
+ tar \
+ unzip \
+ wget \
+ which \
+ zip
+
+# Downloading and installing SDKMAN!
+RUN curl -s "https://get.sdkman.io" | bash
+
+# Installing Java removing some unnecessary SDKMAN files
+RUN bash -c "source $HOME/.sdkman/bin/sdkman-init.sh && \
+    yes | sdk install java $JAVA_VERSION && \
+    rm -rf $HOME/.sdkman/archives/* && \
+    rm -rf $HOME/.sdkman/tmp/*"
+
+RUN echo 'export JAVA_HOME="/root/.sdkman/candidates/java/current"' >> ~/.bashrc
+RUN echo 'export PATH=$JAVA_HOME/bin:$PATH' >> ~/.bashrc
+
+ENV PATH /root/.sdkman/candidates/java/current/bin:$PATH
+
+RUN mkdir "$HOME/sources" && \
+    git clone https://github.com/aws/aws-lc.git "$HOME/sources/aws-lc" && \
+    cd "$HOME/sources/aws-lc" && \
+    git checkout $AWS_LC_VERSION && \
+    cmake -B build -S . -DCMAKE_INSTALL_PREFIX=/opt/aws-lc -DBUILD_SHARED_LIBS=1 -DBUILD_TESTING=0 && \
+    cmake --build build -- -j && \
+    cmake --install build
+
+# Cleanup
+RUN dnf clean all && \
+    rm -rf /var/cache/dnf && \
+    rm -rf "$HOME/sources"

docker/docker-compose.al2023.yaml

@@ -0,0 +1,36 @@
+version: "3"
+
+services:
+
+  runtime-setup:
+    image: netty-tcnative-al2023:x86_64
+    build:
+      context: ../
+      dockerfile: docker/Dockerfile.al2023
+
+  common: &common
+    image: netty-tcnative-al2023:x86_64
+    depends_on: [runtime-setup]
+    environment:
+      MAVEN_OPTS:
+      LD_LIBRARY_PATH: /opt/aws-lc/lib64
+      LDFLAGS: -L/opt/aws-lc/lib64 -lssl -lcrypto
+      CFLAGS: -I/opt/aws-lc/include  -DHAVE_OPENSSL -lssl -lcrypto
+      CXXFLAGS: -I/opt/aws-lc/include  -DHAVE_OPENSSL -lssl -lcrypto
+    volumes:
+      - ~/.m2/repository:/root/.m2/repository
+      - ..:/code
+    working_dir: /code
+
+  build:
+    <<: *common
+    command: /bin/bash -cl "./mvnw -am -pl openssl-dynamic clean package"
+
+  shell:
+    <<: *common
+    volumes:
+      - ~/.m2:/root/.m2
+      - ~/.gitconfig:/root/.gitconfig
+      - ~/.gitignore:/root/.gitignore
+      - ..:/code
+    entrypoint: /bin/bash -l

openssl-classes/src/main/java/io/netty/internal/tcnative/NativeStaticallyReferencedJniMethods.java

@@ -153,7 +153,7 @@ private NativeStaticallyReferencedJniMethods() {
     static native int x509vErrIpAddressMismatch();
     static native int x509vErrDaneNoMatch();
 
-    // BoringSSL specific.
+    // BoringSSL and AWS-LC specific.
     static native int sslErrorWantCertificateVerify();
     static native int sslErrorWantPrivateKeyOperation();
     static native int sslSignRsaPkcsSha1();

openssl-classes/src/main/java/io/netty/internal/tcnative/SSL.java

@@ -176,7 +176,7 @@ private SSL() { }
     // https://boringssl.googlesource.com/boringssl/+/chromium-stable/include/openssl/ssl.h#519
     public static final int SSL_ERROR_WANT_PRIVATE_KEY_OPERATION = sslErrorWantPrivateKeyOperation();
 
-    // BoringSSL specific
+    // BoringSSL and AWS-LC specific
     public static final int SSL_ERROR_WANT_CERTIFICATE_VERIFY = sslErrorWantCertificateVerify();
 
     /**
@@ -961,7 +961,7 @@ public static AsyncTask getAsyncTask(long ssl) {
     public static native long getSession(long ssl);
 
     /**
-     * Allow to set the renegotiation mode that is used. This is only support by {@code BoringSSL}.
+     * Allow to set the renegotiation mode that is used. This is only supported by {@code BoringSSL} and {@code AWS-LC}.
      *
      * See <a href="https://boringssl.googlesource.com/boringssl/+/refs/heads/master/include/openssl/ssl.h#4081">
      *     SSL_set_renegotiate_mode</a>..

openssl-classes/src/main/java/io/netty/internal/tcnative/SSLContext.java

@@ -668,7 +668,7 @@ public static void setAlpnProtos(long ctx, String[] alpnProtos, int selectorFail
      * For servers, algorithm preference order is dictated by the order of algorithm registration.
      * Most preferred algorithm should be registered first.
      *
-     * This method is currently only supported when {@code BoringSSL} is used.
+     * This method is currently only supported when {@code BoringSSL} or {@code AWS-LC} is used.
      *
      * <a href="https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Certificate-compression">
      *     SSL_CTX_add_cert_compression_alg</a>
@@ -696,7 +696,7 @@ public static int addCertificateCompressionAlgorithm(long ctx, int direction, fi
      * This allows to offload private key operations
      * if needed.
      *
-     * This method is currently only supported when {@code BoringSSL} is used.
+     * This method is currently only supported when {@code BoringSSL} and {@code AWS-LC} is used.
      *
      * @param ctx context to use
      * @param method method to use for the given context.
@@ -709,7 +709,7 @@ public static void setPrivateKeyMethod(long ctx, final SSLPrivateKeyMethod metho
      * Sets the {@link AsyncSSLPrivateKeyMethod} to use for the given {@link SSLContext}.
      * This allows to offload private key operations if needed.
      *
-     * This method is currently only supported when {@code BoringSSL} is used.
+     * This method is currently only supported when {@code BoringSSL} and {@code AWS-LC} is used.
      *
      * @param ctx context to use
      * @param method method to use for the given context.

openssl-dynamic/src/main/c/cert_compress.c

@@ -16,7 +16,7 @@
 
 #include "tcn.h"
 #include "ssl_private.h"
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 #include "cert_compress.h"
 
 static int compress(jobject compression_algorithm, jmethodID compress_method, SSL* ssl, CBB* out,
@@ -168,4 +168,4 @@ int zstd_decompress_java(SSL* ssl, CRYPTO_BUFFER** out, size_t uncompressed_len,
         ssl, out, uncompressed_len, in, in_len);
 }
 
-#endif // OPENSSL_IS_BORINGSSL
+#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)

openssl-dynamic/src/main/c/cert_compress.h

@@ -17,7 +17,7 @@
 #ifndef NETTY_TCNATIVE_CERT_COMPRESS_H_
 #define NETTY_TCNATIVE_CERT_COMPRESS_H_
 
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 
 int zlib_decompress_java(SSL* ssl, CRYPTO_BUFFER** out, size_t uncompressed_len, const uint8_t* in, size_t in_len);
 int zlib_compress_java(SSL* ssl, CBB* out, const uint8_t* in, size_t in_len);
@@ -28,6 +28,6 @@ int brotli_compress_java(SSL* ssl, CBB* out, const uint8_t* in, size_t in_len);
 int zstd_decompress_java(SSL* ssl, CRYPTO_BUFFER** out, size_t uncompressed_len, const uint8_t* in, size_t in_len);
 int zstd_compress_java(SSL* ssl, CBB* out, const uint8_t* in, size_t in_len);
 
-#endif // OPENSSL_IS_BORINGSSL
+#endif // OPENSSL_IS_AWSLC
 
-#endif /* NETTY_TCNATIVE_CERT_COMPRESS_H_ */
+#endif /* NETTY_TCNATIVE_CERT_COMPRESS_H_ */

openssl-dynamic/src/main/c/native_constants.c

@@ -510,7 +510,7 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, x509vErrDaneNoMat
 #endif
 }
 
-// BoringSSL specific
+// BoringSSL and AWS-LC specific
 TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslErrorWantCertificateVerify)(TCN_STDARGS) {
     return SSL_ERROR_WANT_CERTIFICATE_VERIFY;
 }
@@ -572,23 +572,23 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslSignRsaPkcs1Md
 }
 
 TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateNever)(TCN_STDARGS) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     return (jint) ssl_renegotiate_never;
 #else
     return 0;
 #endif
 }
 
 TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateOnce)(TCN_STDARGS) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     return (jint) ssl_renegotiate_once;
 #else
     return 0;
 #endif
 }
 
 TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateFreely)(TCN_STDARGS) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     return (jint) ssl_renegotiate_freely;
 #else
     return 0;
@@ -597,15 +597,15 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateFre
 
 
 TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateIgnore)(TCN_STDARGS) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     return (jint) ssl_renegotiate_ignore;
 #else
     return 0;
 #endif
 }
 
 TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateExplicit)(TCN_STDARGS) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     return (jint) ssl_renegotiate_explicit;
 #else
     return 0;
@@ -744,7 +744,7 @@ static const JNINativeMethod method_table[] = {
   { TCN_METHOD_TABLE_ENTRY(x509vErrEmailMismatch, ()I, NativeStaticallyReferencedJniMethods) },
   { TCN_METHOD_TABLE_ENTRY(x509vErrIpAddressMismatch, ()I, NativeStaticallyReferencedJniMethods) },
   { TCN_METHOD_TABLE_ENTRY(x509vErrDaneNoMatch, ()I, NativeStaticallyReferencedJniMethods) },
-  // BoringSSL specific
+  // BoringSSL and AWS-LC specific
   { TCN_METHOD_TABLE_ENTRY(sslErrorWantCertificateVerify, ()I, NativeStaticallyReferencedJniMethods) },
   { TCN_METHOD_TABLE_ENTRY(sslErrorWantPrivateKeyOperation, ()I, NativeStaticallyReferencedJniMethods) },
   { TCN_METHOD_TABLE_ENTRY(sslSignRsaPkcsSha1, ()I, NativeStaticallyReferencedJniMethods) },