netty · normanmaurer · Jun 20, 2025 · May 6, 2025 · May 28, 2025 · Jun 13, 2025
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
@@ -37,6 +37,9 @@ jobs:
           - setup: centos7-aarch64
             docker-compose-build: "-f docker/docker-compose.centos-7.yaml build"
             docker-compose-run: "-f docker/docker-compose.centos-7.yaml run cross-compile-aarch64-build"
+          - setup: al2023-x86_64-aws_lc
+            docker-compose-build: "-f docker/docker-compose.al2023.yaml build"
+            docker-compose-run: "-f docker/docker-compose.al2023.yaml run build"
 
     name: ${{ matrix.setup }}
     steps:

diff --git a/.github/workflows/ci-pr.yml b/.github/workflows/ci-pr.yml
@@ -35,6 +35,9 @@ jobs:
           - setup: centos7-aarch64
             docker-compose-build: "-f docker/docker-compose.centos-7.yaml build"
             docker-compose-run: "-f docker/docker-compose.centos-7.yaml run cross-compile-aarch64-build"
+          - setup: al2023-x86_64-aws_lc
+            docker-compose-build: "-f docker/docker-compose.al2023.yaml build"
+            docker-compose-run: "-f docker/docker-compose.al2023.yaml run build"
 
     name: ${{ matrix.setup }}
     steps:

diff --git a/docker/Dockerfile.al2023 b/docker/Dockerfile.al2023
@@ -0,0 +1,55 @@
+FROM --platform=linux/amd64 amazonlinux:2023
+
+ARG java_version=8.0.452-amzn
+ARG aws_lc_version=v1.52.0
+ENV JAVA_VERSION $java_version
+ENV AWS_LC_VERSION $aws_lc_version
+
+# install dependencies
+RUN dnf install -y \
+ apr-devel \
+ autoconf \
+ automake \
+ bzip2 \
+ cmake \
+ git \
+ glibc-devel \
+ golang \
+ libtool \
+ make \
+ patch \
+ perl \
+ perl-parent \
+ perl-devel \
+ tar \
+ unzip \
+ wget \
+ which \
+ zip
+
+# Downloading and installing SDKMAN!
+RUN curl -s "https://get.sdkman.io" | bash
+
+# Installing Java removing some unnecessary SDKMAN files
+RUN bash -c "source $HOME/.sdkman/bin/sdkman-init.sh && \
+    yes | sdk install java $JAVA_VERSION && \
+    rm -rf $HOME/.sdkman/archives/* && \
+    rm -rf $HOME/.sdkman/tmp/*"
+
+RUN echo 'export JAVA_HOME="/root/.sdkman/candidates/java/current"' >> ~/.bashrc
+RUN echo 'export PATH=$JAVA_HOME/bin:$PATH' >> ~/.bashrc
+
+ENV PATH /root/.sdkman/candidates/java/current/bin:$PATH
+
+RUN mkdir "$HOME/sources" && \
+    git clone https://github.com/aws/aws-lc.git "$HOME/sources/aws-lc" && \
+    cd "$HOME/sources/aws-lc" && \
+    git checkout $AWS_LC_VERSION && \
+    cmake -B build -S . -DCMAKE_INSTALL_PREFIX=/opt/aws-lc -DBUILD_SHARED_LIBS=1 -DBUILD_TESTING=0 && \
+    cmake --build build -- -j && \
+    cmake --install build
+
+# Cleanup
+RUN dnf clean all && \
+    rm -rf /var/cache/dnf && \
+    rm -rf "$HOME/sources"
diff --git a/docker/docker-compose.al2023.yaml b/docker/docker-compose.al2023.yaml
@@ -0,0 +1,36 @@
+version: "3"
+
+services:
+
+  runtime-setup:
+    image: netty-tcnative-al2023:x86_64
+    build:
+      context: ../
+      dockerfile: docker/Dockerfile.al2023
+
+  common: &common
+    image: netty-tcnative-al2023:x86_64
+    depends_on: [runtime-setup]
+    environment:
+      MAVEN_OPTS:
+      LD_LIBRARY_PATH: /opt/aws-lc/lib64
+      LDFLAGS: -L/opt/aws-lc/lib64 -lssl -lcrypto
+      CFLAGS: -I/opt/aws-lc/include  -DHAVE_OPENSSL -lssl -lcrypto
+      CXXFLAGS: -I/opt/aws-lc/include  -DHAVE_OPENSSL -lssl -lcrypto
+    volumes:
+      - ~/.m2/repository:/root/.m2/repository
+      - ..:/code
+    working_dir: /code
+
+  build:
+    <<: *common
+    command: /bin/bash -cl "./mvnw -am -pl openssl-dynamic clean package"
+
+  shell:
+    <<: *common
+    volumes:
+      - ~/.m2:/root/.m2
+      - ~/.gitconfig:/root/.gitconfig
+      - ~/.gitignore:/root/.gitignore
+      - ..:/code
+    entrypoint: /bin/bash -l
diff --git a/...lasses/src/main/java/io/netty/internal/tcnative/NativeStaticallyReferencedJniMethods.java b/...lasses/src/main/java/io/netty/internal/tcnative/NativeStaticallyReferencedJniMethods.java
@@ -153,7 +153,7 @@ private NativeStaticallyReferencedJniMethods() {
     static native int x509vErrIpAddressMismatch();
     static native int x509vErrDaneNoMatch();
 
-    // BoringSSL specific.
+    // BoringSSL and AWS-LC specific.
     static native int sslErrorWantCertificateVerify();
     static native int sslErrorWantPrivateKeyOperation();
     static native int sslSignRsaPkcsSha1();

diff --git a/openssl-classes/src/main/java/io/netty/internal/tcnative/SSL.java b/openssl-classes/src/main/java/io/netty/internal/tcnative/SSL.java
@@ -176,7 +176,7 @@ private SSL() { }
     // https://boringssl.googlesource.com/boringssl/+/chromium-stable/include/openssl/ssl.h#519
     public static final int SSL_ERROR_WANT_PRIVATE_KEY_OPERATION = sslErrorWantPrivateKeyOperation();
 
-    // BoringSSL specific
+    // BoringSSL and AWS-LC specific
     public static final int SSL_ERROR_WANT_CERTIFICATE_VERIFY = sslErrorWantCertificateVerify();
 
     /**
@@ -961,7 +961,7 @@ public static AsyncTask getAsyncTask(long ssl) {
     public static native long getSession(long ssl);
 
     /**
-     * Allow to set the renegotiation mode that is used. This is only support by {@code BoringSSL}.
+     * Allow to set the renegotiation mode that is used. This is only supported by {@code BoringSSL} and {@code AWS-LC}.
      *
      * See <a href="https://boringssl.googlesource.com/boringssl/+/refs/heads/master/include/openssl/ssl.h#4081">
      *     SSL_set_renegotiate_mode</a>..

diff --git a/openssl-classes/src/main/java/io/netty/internal/tcnative/SSLContext.java b/openssl-classes/src/main/java/io/netty/internal/tcnative/SSLContext.java
@@ -668,7 +668,7 @@ public static void setAlpnProtos(long ctx, String[] alpnProtos, int selectorFail
      * For servers, algorithm preference order is dictated by the order of algorithm registration.
      * Most preferred algorithm should be registered first.
      *
-     * This method is currently only supported when {@code BoringSSL} is used.
+     * This method is currently only supported when {@code BoringSSL} or {@code AWS-LC} is used.
      *
      * <a href="https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Certificate-compression">
      *     SSL_CTX_add_cert_compression_alg</a>
@@ -696,7 +696,7 @@ public static int addCertificateCompressionAlgorithm(long ctx, int direction, fi
      * This allows to offload private key operations
      * if needed.
      *
-     * This method is currently only supported when {@code BoringSSL} is used.
+     * This method is currently only supported when {@code BoringSSL} and {@code AWS-LC} is used.
      *
      * @param ctx context to use
      * @param method method to use for the given context.
@@ -709,7 +709,7 @@ public static void setPrivateKeyMethod(long ctx, final SSLPrivateKeyMethod metho
      * Sets the {@link AsyncSSLPrivateKeyMethod} to use for the given {@link SSLContext}.
      * This allows to offload private key operations if needed.
      *
-     * This method is currently only supported when {@code BoringSSL} is used.
+     * This method is currently only supported when {@code BoringSSL} and {@code AWS-LC} is used.
      *
      * @param ctx context to use
      * @param method method to use for the given context.

diff --git a/openssl-dynamic/src/main/c/cert_compress.c b/openssl-dynamic/src/main/c/cert_compress.c
@@ -16,7 +16,7 @@
 
 #include "tcn.h"
 #include "ssl_private.h"
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 #include "cert_compress.h"
 
 static int compress(jobject compression_algorithm, jmethodID compress_method, SSL* ssl, CBB* out,
@@ -168,4 +168,4 @@ int zstd_decompress_java(SSL* ssl, CRYPTO_BUFFER** out, size_t uncompressed_len,
         ssl, out, uncompressed_len, in, in_len);
 }
 
-#endif // OPENSSL_IS_BORINGSSL
+#endif // defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
diff --git a/openssl-dynamic/src/main/c/cert_compress.h b/openssl-dynamic/src/main/c/cert_compress.h
@@ -17,7 +17,7 @@
 #ifndef NETTY_TCNATIVE_CERT_COMPRESS_H_
 #define NETTY_TCNATIVE_CERT_COMPRESS_H_
 
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
 
 int zlib_decompress_java(SSL* ssl, CRYPTO_BUFFER** out, size_t uncompressed_len, const uint8_t* in, size_t in_len);
 int zlib_compress_java(SSL* ssl, CBB* out, const uint8_t* in, size_t in_len);
@@ -28,6 +28,6 @@ int brotli_compress_java(SSL* ssl, CBB* out, const uint8_t* in, size_t in_len);
 int zstd_decompress_java(SSL* ssl, CRYPTO_BUFFER** out, size_t uncompressed_len, const uint8_t* in, size_t in_len);
 int zstd_compress_java(SSL* ssl, CBB* out, const uint8_t* in, size_t in_len);
 
-#endif // OPENSSL_IS_BORINGSSL
+#endif // OPENSSL_IS_AWSLC
 
-#endif /* NETTY_TCNATIVE_CERT_COMPRESS_H_ */
+#endif /* NETTY_TCNATIVE_CERT_COMPRESS_H_ */
diff --git a/openssl-dynamic/src/main/c/native_constants.c b/openssl-dynamic/src/main/c/native_constants.c
@@ -510,7 +510,7 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, x509vErrDaneNoMat
 #endif
 }
 
-// BoringSSL specific
+// BoringSSL and AWS-LC specific
 TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslErrorWantCertificateVerify)(TCN_STDARGS) {
     return SSL_ERROR_WANT_CERTIFICATE_VERIFY;
 }
@@ -572,23 +572,23 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslSignRsaPkcs1Md
 }
 
 TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateNever)(TCN_STDARGS) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     return (jint) ssl_renegotiate_never;
 #else
     return 0;
 #endif
 }
 
 TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateOnce)(TCN_STDARGS) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     return (jint) ssl_renegotiate_once;
 #else
     return 0;
 #endif
 }
 
 TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateFreely)(TCN_STDARGS) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     return (jint) ssl_renegotiate_freely;
 #else
     return 0;
@@ -597,15 +597,15 @@ TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateFre
 
 
 TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateIgnore)(TCN_STDARGS) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     return (jint) ssl_renegotiate_ignore;
 #else
     return 0;
 #endif
 }
 
 TCN_IMPLEMENT_CALL(jint, NativeStaticallyReferencedJniMethods, sslRenegotiateExplicit)(TCN_STDARGS) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
     return (jint) ssl_renegotiate_explicit;
 #else
     return 0;
@@ -744,7 +744,7 @@ static const JNINativeMethod method_table[] = {
   { TCN_METHOD_TABLE_ENTRY(x509vErrEmailMismatch, ()I, NativeStaticallyReferencedJniMethods) },
   { TCN_METHOD_TABLE_ENTRY(x509vErrIpAddressMismatch, ()I, NativeStaticallyReferencedJniMethods) },
   { TCN_METHOD_TABLE_ENTRY(x509vErrDaneNoMatch, ()I, NativeStaticallyReferencedJniMethods) },
-  // BoringSSL specific
+  // BoringSSL and AWS-LC specific
   { TCN_METHOD_TABLE_ENTRY(sslErrorWantCertificateVerify, ()I, NativeStaticallyReferencedJniMethods) },
   { TCN_METHOD_TABLE_ENTRY(sslErrorWantPrivateKeyOperation, ()I, NativeStaticallyReferencedJniMethods) },
   { TCN_METHOD_TABLE_ENTRY(sslSignRsaPkcsSha1, ()I, NativeStaticallyReferencedJniMethods) },