fix building with the latest aws-lc (#13210)

alex · web-flow · commit b97b77be1714 · 2025-07-25T20:13:30.000-07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -42,8 +42,8 @@ jobs:
           - {VERSION: "3.13", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "libressl", VERSION: "4.1.0"}}
           # Latest commit on the BoringSSL main branch, as of Jul 22, 2025.
           - {VERSION: "3.13", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "boringssl", VERSION: "17164fff9c433e482e51d9d3954d8f4815020a91"}}
-          # Latest tag of AWS-LC main branch, as of Jul 04, 2025.
-          - {VERSION: "3.13", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "aws-lc", VERSION: "v1.55.0"}}
+          # Latest tag of AWS-LC main branch, as of Jul 26, 2025.
+          - {VERSION: "3.13", NOXSESSION: "rust,tests", OPENSSL: {TYPE: "aws-lc", VERSION: "v1.56.0"}}
           # Latest commit on the OpenSSL master branch, as of Jul 22, 2025.
           - {VERSION: "3.13", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b3187ab5a757496e588ea9bdb7fabd12d194e66a"}}
           # Builds with various Rust versions. Includes MSRV and next
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
@@ -13,6 +13,7 @@
 static const long Cryptography_HAS_TLS_ST;
 static const long Cryptography_HAS_TLSv1_3_FUNCTIONS;
 static const long Cryptography_HAS_TLSv1_3_HS_FUNCTIONS;
+static const long Cryptography_HAS_SSL_VERIFY_CLIENT_POST_HANDSHAKE;
 static const long Cryptography_HAS_SIGALGS;
 static const long Cryptography_HAS_PSK;
 static const long Cryptography_HAS_PSK_TLSv1_3;
@@ -601,7 +602,6 @@
 static const long Cryptography_HAS_TLSv1_3_HS_FUNCTIONS = 0;
 static const long SSL_VERIFY_POST_HANDSHAKE = 0;
 
-int (*SSL_verify_client_post_handshake)(SSL *) = NULL;
 void (*SSL_CTX_set_post_handshake_auth)(SSL_CTX *, int) = NULL;
 void (*SSL_set_post_handshake_auth)(SSL *, int) = NULL;
 uint32_t (*SSL_SESSION_get_max_early_data)(const SSL_SESSION *) = NULL;
@@ -612,6 +612,14 @@
 static const long Cryptography_HAS_TLSv1_3_HS_FUNCTIONS = 1;
 #endif
 
+#if CRYPTOGRAPHY_IS_BORINGSSL
+static const long Cryptography_HAS_SSL_VERIFY_CLIENT_POST_HANDSHAKE = 0;
+
+int (*SSL_verify_client_post_handshake)(SSL *) = NULL;
+#else
+static const long Cryptography_HAS_SSL_VERIFY_CLIENT_POST_HANDSHAKE = 1;
+#endif
+
 #if CRYPTOGRAPHY_IS_BORINGSSL || CRYPTOGRAPHY_IS_AWSLC
 static const long Cryptography_HAS_SSL_COOKIE = 0;
 
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -81,6 +81,12 @@ def cryptography_has_tlsv13_hs_functions() -> list[str]:
     ]
 
 
+def cryptography_has_ssl_verify_client_post_handshake() -> list[str]:
+    return [
+        "SSL_verify_client_post_handshake",
+    ]
+
+
 def cryptography_has_engine() -> list[str]:
     return [
         "ENGINE_by_id",
@@ -172,6 +178,9 @@ def cryptography_has_get_extms_support() -> list[str]:
     "Cryptography_HAS_TLSv1_3_HS_FUNCTIONS": (
         cryptography_has_tlsv13_hs_functions
     ),
+    "Cryptography_HAS_SSL_VERIFY_CLIENT_POST_HANDSHAKE": (
+        cryptography_has_ssl_verify_client_post_handshake
+    ),
     "Cryptography_HAS_ENGINE": cryptography_has_engine,
     "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
     "Cryptography_HAS_SRTP": cryptography_has_srtp,
