Add support for AWS Libcrypto (AWS-LC) (pyca#12681)

* Add support for AWS-LC

* Add GitHub CI Integration

* Fix flake

* Remove some untested functions since we don't support DH fully at the moment

* Bindgen on Ubuntu 22.04 should work fine now

* Feedback: Update Cargo.toml directly

* Feeback: multi-line C comments, fixed similar spot

* Combine logic

* Feedback: HMAC hash check

* cleanup

* Indentation correction

* Update aws-lc CI testing to use v1.49.0 tag

* Rebased

Author: skmcgrail

.github/bin/build_openssl.sh

@@ -61,4 +61,14 @@ elif [[ "${TYPE}" == "boringssl" ]]; then
   rm -rf "${OSSL_PATH}/bin"
   popd
   rm -rf boringssl/
+elif [[ "${TYPE}" == "aws-lc" ]]; then
+  git clone https://github.com/aws/aws-lc.git
+  pushd aws-lc
+  git checkout "${VERSION}"
+  cmake -B build -DCMAKE_INSTALL_PREFIX="${OSSL_PATH}"
+  make -C build -j"$(nproc)" install
+  # delete binaries we don't need
+  rm -rf "${OSSL_PATH:?}/bin"
+  popd # aws-lc
+  rm -rf aws-lc/
 fi

.github/workflows/ci.yml

@@ -47,6 +47,8 @@ jobs:
           - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
           # Latest commit on the BoringSSL main branch, as of Apr 16, 2025.
           - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "23018360710de333b3343e63cbb3bd2dceb3287d"}}
+          # Latest tag of AWS-LC main branch, as of March 28, 2025.
+          - {VERSION: "3.12", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "aws-lc", VERSION: "v1.49.0"}}
           # Latest commit on the OpenSSL master branch, as of Apr 16, 2025.
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "24bc185439a950dc4427be10ec60231a923840ad"}}
           # Builds with various Rust versions. Includes MSRV and next
@@ -121,7 +123,7 @@ jobs:
           echo "RUSTFLAGS=-Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib -Clink-arg=-Wl,-rpath=${OSSL_PATH}/lib64" >> $GITHUB_ENV
         if: matrix.PYTHON.OPENSSL
       - run: sudo apt-get install -y bindgen
-        if: matrix.PYTHON.OPENSSL.TYPE == 'boringssl'
+        if: matrix.PYTHON.OPENSSL.TYPE == 'boringssl' || matrix.PYTHON.OPENSSL.TYPE == 'aws-lc'
       - name: Cache rust and pip
         uses: ./.github/actions/cache
         timeout-minutes: 2

src/_cffi_src/openssl/bignum.py

@@ -35,7 +35,7 @@
 """
 
 CUSTOMIZATIONS = """
-#if CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_BORINGSSL || CRYPTOGRAPHY_IS_AWSLC
 static const long Cryptography_HAS_PRIME_CHECKS = 0;
 int (*BN_prime_checks_for_size)(int) = NULL;
 #else

src/_cffi_src/openssl/bio.py

@@ -35,7 +35,8 @@
 """
 
 CUSTOMIZATIONS = """
-#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL \
+    || CRYPTOGRAPHY_IS_AWSLC
 
 #if !defined(_WIN32)
 #include <sys/socket.h>

src/_cffi_src/openssl/cryptography.py

@@ -42,6 +42,13 @@
 #define CRYPTOGRAPHY_IS_BORINGSSL 0
 #endif
 
+#if defined(OPENSSL_IS_AWSLC)
+#define CRYPTOGRAPHY_IS_AWSLC 1
+#else
+#define CRYPTOGRAPHY_IS_AWSLC 0
+#endif
+
+
 #if OPENSSL_VERSION_NUMBER < 0x10101050
     #error "pyca/cryptography MUST be linked with Openssl 1.1.1e or later"
 #endif

src/_cffi_src/openssl/engine.py

@@ -28,8 +28,10 @@
 int ENGINE_free(ENGINE *);
 const char *ENGINE_get_name(const ENGINE *);
 
-// These bindings are unused by cryptography or pyOpenSSL but are present
-// for advanced users who need them.
+/*
+These bindings are unused by cryptography or pyOpenSSL but are present
+for advanced users who need them.
+*/
 int ENGINE_ctrl_cmd_string(ENGINE *, const char *, const char *, int);
 void ENGINE_load_builtin_engines(void);
 EVP_PKEY *ENGINE_load_private_key(ENGINE *, const char *, UI_METHOD *, void *);
@@ -40,12 +42,16 @@
 #ifdef OPENSSL_NO_ENGINE
 static const long Cryptography_HAS_ENGINE = 0;
 
-#if CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_BORINGSSL || CRYPTOGRAPHY_IS_AWSLC
 typedef void UI_METHOD;
 #endif
 
-/* Despite being OPENSSL_NO_ENGINE, BoringSSL/LibreSSL define these symbols. */
-#if !CRYPTOGRAPHY_IS_BORINGSSL && !CRYPTOGRAPHY_IS_LIBRESSL
+/*
+Despite being OPENSSL_NO_ENGINE,
+BoringSSL/LibreSSL/AWS-LC define these symbols.
+*/
+#if !CRYPTOGRAPHY_IS_BORINGSSL && !CRYPTOGRAPHY_IS_LIBRESSL \
+    && !CRYPTOGRAPHY_IS_AWSLC
 int (*ENGINE_free)(ENGINE *) = NULL;
 void (*ENGINE_load_builtin_engines)(void) = NULL;
 #endif

src/_cffi_src/openssl/err.py

@@ -36,7 +36,7 @@
 """
 
 CUSTOMIZATIONS = """
-#if CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_BORINGSSL || CRYPTOGRAPHY_IS_AWSLC
 static const int EVP_F_EVP_ENCRYPTFINAL_EX = 0;
 static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH = 0;
 #endif

src/_cffi_src/openssl/ssl.py

@@ -12,6 +12,7 @@
 static const long Cryptography_HAS_SSL_ST;
 static const long Cryptography_HAS_TLS_ST;
 static const long Cryptography_HAS_TLSv1_3_FUNCTIONS;
+static const long Cryptography_HAS_TLSv1_3_HS_FUNCTIONS;
 static const long Cryptography_HAS_SIGALGS;
 static const long Cryptography_HAS_PSK;
 static const long Cryptography_HAS_PSK_TLSv1_3;
@@ -477,7 +478,8 @@
 
 /* in OpenSSL 1.1.0 the SSL_ST values were renamed to TLS_ST and several were
    removed */
-#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL \
+    || CRYPTOGRAPHY_IS_AWSLC
 static const long Cryptography_HAS_SSL_ST = 1;
 #else
 static const long Cryptography_HAS_SSL_ST = 0;
@@ -494,7 +496,8 @@
 static const long TLS_ST_OK = 0;
 #endif
 
-#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL \
+    || CRYPTOGRAPHY_IS_AWSLC
 static const long Cryptography_HAS_DTLS_GET_DATA_MTU = 0;
 size_t (*DTLS_get_data_mtu)(SSL *) = NULL;
 #else
@@ -589,9 +592,15 @@
 
 #if CRYPTOGRAPHY_IS_BORINGSSL
 static const long Cryptography_HAS_TLSv1_3_FUNCTIONS = 0;
+int (*SSL_CTX_set_ciphersuites)(SSL_CTX *, const char *) = NULL;
+#else
+static const long Cryptography_HAS_TLSv1_3_FUNCTIONS = 1;
+#endif
 
+#if CRYPTOGRAPHY_IS_BORINGSSL || CRYPTOGRAPHY_IS_AWSLC
+static const long Cryptography_HAS_TLSv1_3_HS_FUNCTIONS = 0;
 static const long SSL_VERIFY_POST_HANDSHAKE = 0;
-int (*SSL_CTX_set_ciphersuites)(SSL_CTX *, const char *) = NULL;
+
 int (*SSL_verify_client_post_handshake)(SSL *) = NULL;
 void (*SSL_CTX_set_post_handshake_auth)(SSL_CTX *, int) = NULL;
 void (*SSL_set_post_handshake_auth)(SSL *, int) = NULL;
@@ -600,10 +609,10 @@
 int (*SSL_read_early_data)(SSL *, void *, size_t, size_t *) = NULL;
 int (*SSL_CTX_set_max_early_data)(SSL_CTX *, uint32_t) = NULL;
 #else
-static const long Cryptography_HAS_TLSv1_3_FUNCTIONS = 1;
+static const long Cryptography_HAS_TLSv1_3_HS_FUNCTIONS = 1;
 #endif
 
-#if CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_BORINGSSL || CRYPTOGRAPHY_IS_AWSLC
 static const long Cryptography_HAS_SSL_COOKIE = 0;
 
 static const long SSL_OP_COOKIE_EXCHANGE = 0;
@@ -623,7 +632,8 @@
 #else
 static const long Cryptography_HAS_SSL_COOKIE = 1;
 #endif
-#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL \
+    || CRYPTOGRAPHY_IS_AWSLC
 static const long Cryptography_HAS_PSK_TLSv1_3 = 0;
 void (*SSL_CTX_set_psk_find_session_callback)(SSL_CTX *,
                                            int (*)(
@@ -646,7 +656,7 @@
 int (*SSL_SESSION_set1_master_key)(SSL_SESSION *, const unsigned char *,
                                    size_t) = NULL;
 int (*SSL_SESSION_set_cipher)(SSL_SESSION *, const SSL_CIPHER *) = NULL;
-#if !CRYPTOGRAPHY_IS_BORINGSSL
+#if !CRYPTOGRAPHY_IS_BORINGSSL && !CRYPTOGRAPHY_IS_AWSLC
 int (*SSL_SESSION_set_protocol_version)(SSL_SESSION *, int) = NULL;
 #endif
 SSL_SESSION *(*Cryptography_SSL_SESSION_new)(void) = NULL;

src/cryptography/hazmat/backends/openssl/backend.py

@@ -132,7 +132,19 @@ def hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
         # FIPS mode still allows SHA1 for HMAC
         if self._fips_enabled and isinstance(algorithm, hashes.SHA1):
             return True
-
+        if rust_openssl.CRYPTOGRAPHY_IS_AWSLC:
+            return isinstance(
+                algorithm,
+                (
+                    hashes.SHA1,
+                    hashes.SHA224,
+                    hashes.SHA256,
+                    hashes.SHA384,
+                    hashes.SHA512,
+                    hashes.SHA512_224,
+                    hashes.SHA512_256,
+                ),
+            )
         return self.hash_supported(algorithm)
 
     def cipher_supported(self, cipher: CipherAlgorithm, mode: Mode) -> bool:
@@ -236,7 +248,10 @@ def elliptic_curve_exchange_algorithm_supported(
         )
 
     def dh_supported(self) -> bool:
-        return not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+        return (
+            not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+            and not rust_openssl.CRYPTOGRAPHY_IS_AWSLC
+        )
 
     def dh_x942_serialization_supported(self) -> bool:
         return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1
@@ -252,6 +267,7 @@ def x448_supported(self) -> bool:
         return (
             not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL
             and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+            and not rust_openssl.CRYPTOGRAPHY_IS_AWSLC
         )
 
     def ed25519_supported(self) -> bool:
@@ -265,6 +281,7 @@ def ed448_supported(self) -> bool:
         return (
             not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL
             and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+            and not rust_openssl.CRYPTOGRAPHY_IS_AWSLC
         )
 
     def ecdsa_deterministic_supported(self) -> bool:
@@ -279,7 +296,10 @@ def poly1305_supported(self) -> bool:
         return True
 
     def pkcs7_supported(self) -> bool:
-        return not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+        return (
+            not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+            and not rust_openssl.CRYPTOGRAPHY_IS_AWSLC
+        )
 
 
 backend = Backend()

src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi

@@ -47,6 +47,7 @@ __all__ = [
 
 CRYPTOGRAPHY_IS_LIBRESSL: bool
 CRYPTOGRAPHY_IS_BORINGSSL: bool
+CRYPTOGRAPHY_IS_AWSLC: bool
 CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: bool
 CRYPTOGRAPHY_OPENSSL_309_OR_GREATER: bool
 CRYPTOGRAPHY_OPENSSL_320_OR_GREATER: bool

src/cryptography/hazmat/bindings/openssl/_conditional.py

@@ -64,8 +64,13 @@ def cryptography_has_custom_ext() -> list[str]:
 
 def cryptography_has_tlsv13_functions() -> list[str]:
     return [
-        "SSL_VERIFY_POST_HANDSHAKE",
         "SSL_CTX_set_ciphersuites",
+    ]
+
+
+def cryptography_has_tlsv13_hs_functions() -> list[str]:
+    return [
+        "SSL_VERIFY_POST_HANDSHAKE",
         "SSL_verify_client_post_handshake",
         "SSL_CTX_set_post_handshake_auth",
         "SSL_set_post_handshake_auth",
@@ -164,6 +169,9 @@ def cryptography_has_get_extms_support() -> list[str]:
     "Cryptography_HAS_PSK_TLSv1_3": cryptography_has_psk_tlsv13,
     "Cryptography_HAS_CUSTOM_EXT": cryptography_has_custom_ext,
     "Cryptography_HAS_TLSv1_3_FUNCTIONS": cryptography_has_tlsv13_functions,
+    "Cryptography_HAS_TLSv1_3_HS_FUNCTIONS": (
+        cryptography_has_tlsv13_hs_functions
+    ),
     "Cryptography_HAS_ENGINE": cryptography_has_engine,
     "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
     "Cryptography_HAS_SRTP": cryptography_has_srtp,

src/rust/Cargo.toml

@@ -33,4 +33,4 @@ name = "cryptography_rust"
 crate-type = ["cdylib"]
 
 [lints.rust]
-unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_330_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_350_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4", "OPENSSL_NO_RC4"))'] }
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_330_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_350_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_IS_AWSLC)', 'cfg(CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4", "OPENSSL_NO_RC4"))'] }

src/rust/build.rs

@@ -34,6 +34,10 @@ fn main() {
         println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_BORINGSSL");
     }
 
+    if env::var("DEP_OPENSSL_AWSLC").is_ok() {
+        println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_AWSLC");
+    }
+
     if env::var("CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY").map_or(false, |v| !v.is_empty() && v != "0")
     {
         println!("cargo:rustc-cfg=CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY");

src/rust/cryptography-key-parsing/Cargo.toml

@@ -15,4 +15,4 @@ cryptography-crypto = { path = "../cryptography-crypto" }
 cryptography-x509 = { path = "../cryptography-x509" }
 
 [lints.rust]
-unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_RC2"))'] }
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_RC2"))', 'cfg(CRYPTOGRAPHY_IS_AWSLC)'] }

src/rust/cryptography-key-parsing/build.rs

@@ -13,6 +13,10 @@ fn main() {
         println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_BORINGSSL");
     }
 
+    if env::var("DEP_OPENSSL_AWSLC").is_ok() {
+        println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_AWSLC");
+    }
+
     if let Ok(vars) = env::var("DEP_OPENSSL_CONF") {
         for var in vars.split(',') {
             println!("cargo:rustc-cfg=CRYPTOGRAPHY_OSSLCONF=\"{var}\"");

src/rust/cryptography-key-parsing/src/ec.rs

@@ -44,11 +44,11 @@ pub(crate) fn ec_params_to_group(
                 &cryptography_x509::oid::EC_SECT409K1 => openssl::nid::Nid::SECT409K1,
                 &cryptography_x509::oid::EC_SECT571K1 => openssl::nid::Nid::SECT571K1,
 
-                #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
+                #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
                 &cryptography_x509::oid::EC_BRAINPOOLP256R1 => openssl::nid::Nid::BRAINPOOL_P256R1,
-                #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
+                #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
                 &cryptography_x509::oid::EC_BRAINPOOLP384R1 => openssl::nid::Nid::BRAINPOOL_P384R1,
-                #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
+                #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
                 &cryptography_x509::oid::EC_BRAINPOOLP512R1 => openssl::nid::Nid::BRAINPOOL_P512R1,
 
                 _ => return Err(KeyParsingError::UnsupportedEllipticCurve(curve_oid.clone())),

src/rust/cryptography-key-parsing/src/pkcs8.rs

@@ -84,7 +84,11 @@ pub fn parse_private_key(
                 openssl::pkey::Id::X25519,
             )?)
         }
-        #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))]
+        #[cfg(not(any(
+            CRYPTOGRAPHY_IS_LIBRESSL,
+            CRYPTOGRAPHY_IS_BORINGSSL,
+            CRYPTOGRAPHY_IS_AWSLC
+        )))]
         AlgorithmParameters::X448 => {
             let key_bytes = asn1::parse_single(k.private_key)?;
             Ok(openssl::pkey::PKey::private_key_from_raw_bytes(
@@ -99,7 +103,11 @@ pub fn parse_private_key(
                 openssl::pkey::Id::ED25519,
             )?)
         }
-        #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))]
+        #[cfg(not(any(
+            CRYPTOGRAPHY_IS_LIBRESSL,
+            CRYPTOGRAPHY_IS_BORINGSSL,
+            CRYPTOGRAPHY_IS_AWSLC
+        )))]
         AlgorithmParameters::Ed448 => {
             let key_bytes = asn1::parse_single(k.private_key)?;
             Ok(openssl::pkey::PKey::private_key_from_raw_bytes(

src/rust/cryptography-key-parsing/src/spki.rs

@@ -29,7 +29,11 @@ pub fn parse_public_key(
             openssl::pkey::Id::ED25519,
         )
         .map_err(|_| KeyParsingError::InvalidKey)?),
-        #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))]
+        #[cfg(not(any(
+            CRYPTOGRAPHY_IS_LIBRESSL,
+            CRYPTOGRAPHY_IS_BORINGSSL,
+            CRYPTOGRAPHY_IS_AWSLC
+        )))]
         AlgorithmParameters::Ed448 => Ok(openssl::pkey::PKey::public_key_from_raw_bytes(
             k.subject_public_key.as_bytes(),
             openssl::pkey::Id::ED448,
@@ -40,7 +44,11 @@ pub fn parse_public_key(
             openssl::pkey::Id::X25519,
         )
         .map_err(|_| KeyParsingError::InvalidKey)?),
-        #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))]
+        #[cfg(not(any(
+            CRYPTOGRAPHY_IS_LIBRESSL,
+            CRYPTOGRAPHY_IS_BORINGSSL,
+            CRYPTOGRAPHY_IS_AWSLC
+        )))]
         AlgorithmParameters::X448 => Ok(openssl::pkey::PKey::public_key_from_raw_bytes(
             k.subject_public_key.as_bytes(),
             openssl::pkey::Id::X448,

src/rust/cryptography-openssl/Cargo.toml

@@ -14,4 +14,4 @@ foreign-types = "0.3"
 foreign-types-shared = "0.1"
 
 [lints.rust]
-unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)'] }
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_IS_AWSLC)'] }