aws
diff --git a/‎aws-lc-rs/Makefile
+13-7 b/‎aws-lc-rs/Makefile
+13-7
diff --git a/‎aws-lc-rs/src/agreement.rs
+10-10 b/‎aws-lc-rs/src/agreement.rs
+10-10
diff --git a/‎aws-lc-rs/src/agreement/ephemeral.rs
+1-1 b/‎aws-lc-rs/src/agreement/ephemeral.rs
+1-1
diff --git a/‎aws-lc-rs/src/bn.rs
-14 b/‎aws-lc-rs/src/bn.rs
-14
diff --git a/‎aws-lc-rs/src/digest.rs
+7-7 b/‎aws-lc-rs/src/digest.rs
+7-7
diff --git a/‎aws-lc-rs/src/ec.rs
+1-3 b/‎aws-lc-rs/src/ec.rs
+1-3
diff --git a/‎aws-lc-rs/src/ec/encoding.rs
+5-5 b/‎aws-lc-rs/src/ec/encoding.rs
+5-5
diff --git a/‎aws-lc-rs/src/ec/key_pair.rs
+3-3 b/‎aws-lc-rs/src/ec/key_pair.rs
+3-3
diff --git a/‎aws-lc-rs/src/encoding.rs
+15-4 b/‎aws-lc-rs/src/encoding.rs
+15-4
diff --git a/‎aws-lc-rs/src/evp_pkey.rs
+4-4 b/‎aws-lc-rs/src/evp_pkey.rs
+4-4
@@ -30,26 +30,32 @@ coverage:
 coverage-fips:
 	cargo llvm-cov --features "${AWS_LC_RS_COV_EXTRA_FEATURES},fips" --no-fail-fast --fail-under-lines 95 --ignore-filename-regex "aws-lc(-fips|)-sys/*" --lcov --output-path lcov.info
 
+test: export AWS_LC_RS_DISABLE_SLOW_TESTS = 1
 test:
+	cargo test --all-targets
 	cargo test --all-targets --features unstable
-	cargo test --release --all-targets
 	cargo test --release --all-targets --features bindgen,unstable
-	cargo test --release --all-targets --features fips,unstable
-	cargo test --no-default-features --all-targets --features fips,unstable
+	cargo test --release --all-targets --features fips,bindgen,unstable
+	cargo test --no-default-features --all-targets --features aws-lc-sys
 	cargo test --no-default-features --all-targets --features aws-lc-sys,unstable
-	cargo test --no-default-features --all-targets --features aws-lc-sys,ring-sig-verify,unstable
-	cargo test --no-default-features --all-targets --features aws-lc-sys,ring-io,unstable
-	cargo test --no-default-features --all-targets --features aws-lc-sys,alloc,unstable
+	cargo test --no-default-features --all-targets --features fips
+	cargo test --no-default-features --all-targets --features fips,unstable
+	cargo test --no-default-features --all-targets --features aws-lc-sys,ring-sig-verify
+	cargo test --no-default-features --all-targets --features aws-lc-sys,ring-io
+	cargo test --no-default-features --all-targets --features aws-lc-sys,alloc
 
 msrv:
 	cargo msrv verify
 
 clippy:
 	cargo +nightly clippy --all-targets --features bindgen,fips,unstable -- -W clippy::all  -W clippy::pedantic
 
-clippy-fix:
+clippy-fips-fix:
 	cargo +nightly clippy --all-targets --features bindgen,fips,unstable --fix --allow-dirty -- -W clippy::all  -W clippy::pedantic
 
+clippy-fix:
+	cargo +nightly clippy --all-targets --features bindgen,unstable --fix --allow-dirty -- -W clippy::all  -W clippy::pedantic
+
 ci: format clippy msrv test coverage api-diff-pub
 
 readme:
 
@@ -56,7 +56,7 @@ use crate::ec::encoding::sec1::{
     parse_sec1_private_bn,
 };
 #[cfg(feature = "fips")]
-use crate::ec::validate_evp_key;
+use crate::ec::validate_ec_evp_key;
 #[cfg(not(feature = "fips"))]
 use crate::ec::verify_evp_key_nid;
 use crate::ec::{encoding, evp_key_generate};
@@ -304,7 +304,7 @@ impl PrivateKey {
         #[cfg(not(feature = "fips"))]
         verify_evp_key_nid(&evp_pkey.as_const(), alg.id.nid())?;
         #[cfg(feature = "fips")]
-        validate_evp_key(&evp_pkey.as_const(), alg.id.nid())?;
+        validate_ec_evp_key(&evp_pkey.as_const(), alg.id.nid())?;
 
         Ok(Self::new(alg, evp_pkey))
     }
@@ -333,7 +333,7 @@ impl PrivateKey {
     }
 
     #[cfg(test)]
-    #[allow(clippy::missing_errors_doc, missing_docs)]
+    #[allow(missing_docs, clippy::missing_errors_doc)]
     pub fn generate_for_test(
         alg: &'static Algorithm,
         rng: &dyn crate::rand::SecureRandom,
@@ -410,7 +410,7 @@ impl PrivateKey {
                 let len = marshal_sec1_public_point_into_buffer(&mut public_key, evp_pkey, false)?;
                 Ok(PublicKey {
                     inner_key: self.inner_key.clone(),
-                    public_key,
+                    key_bytes: public_key,
                     len,
                 })
             }
@@ -419,7 +419,7 @@ impl PrivateKey {
                 let out_len = priv_key.marshal_raw_public_to_buffer(&mut buffer)?;
                 Ok(PublicKey {
                     inner_key: self.inner_key.clone(),
-                    public_key: buffer,
+                    key_bytes: buffer,
                     len: out_len,
                 })
             }
@@ -522,7 +522,7 @@ const MAX_PUBLIC_KEY_LEN: usize = ec::PUBLIC_KEY_MAX_LEN;
 /// A public key for key agreement.
 pub struct PublicKey {
     inner_key: KeyInner,
-    public_key: [u8; MAX_PUBLIC_KEY_LEN],
+    key_bytes: [u8; MAX_PUBLIC_KEY_LEN],
     len: usize,
 }
 
@@ -542,7 +542,7 @@ impl Debug for PublicKey {
         f.write_str(&format!(
             "PublicKey {{ algorithm: {:?}, bytes: \"{}\" }}",
             self.inner_key.algorithm(),
-            hex::encode(&self.public_key[0..self.len])
+            hex::encode(&self.key_bytes[0..self.len])
         ))
     }
 }
@@ -552,15 +552,15 @@ impl AsRef<[u8]> for PublicKey {
     /// Octet-String-to-Elliptic-Curve-Point algorithm in
     /// [SEC 1: Elliptic Curve Cryptography, Version 2.0].
     fn as_ref(&self) -> &[u8] {
-        &self.public_key[0..self.len]
+        &self.key_bytes[0..self.len]
     }
 }
 
 impl Clone for PublicKey {
     fn clone(&self) -> Self {
         PublicKey {
             inner_key: self.inner_key.clone(),
-            public_key: self.public_key,
+            key_bytes: self.key_bytes,
             len: self.len,
         }
     }
@@ -614,7 +614,7 @@ impl AsBigEndian<EcPublicKeyUncompressedBin<'static>> for PublicKey {
         }
 
         let mut buffer = vec![0u8; self.len];
-        buffer.copy_from_slice(&self.public_key[0..self.len]);
+        buffer.copy_from_slice(&self.key_bytes[0..self.len]);
 
         Ok(EcPublicKeyUncompressedBin::new(buffer))
     }
 
@@ -41,7 +41,7 @@ impl EphemeralPrivateKey {
     }
 
     #[cfg(test)]
-    #[allow(clippy::missing_errors_doc, missing_docs)]
+    #[allow(missing_docs, clippy::missing_errors_doc)]
     pub fn generate_for_test(
         alg: &'static Algorithm,
         rng: &dyn SecureRandom,
 
@@ -13,20 +13,6 @@ impl TryFrom<&[u8]> for LcPtr<BIGNUM> {
     }
 }
 
-impl TryFrom<u64> for LcPtr<BIGNUM> {
-    type Error = ();
-
-    fn try_from(value: u64) -> Result<Self, Self::Error> {
-        unsafe {
-            let mut bn = LcPtr::new(BN_new())?;
-            if 1 != BN_set_u64(*bn.as_mut(), value) {
-                return Err(());
-            }
-            Ok(bn)
-        }
-    }
-}
-
 impl TryFrom<&[u8]> for DetachableLcPtr<BIGNUM> {
     type Error = ();
 
 
@@ -155,8 +155,8 @@ impl Context {
 
         Ok(Digest {
             algorithm: self.algorithm,
-            digest_msg: output,
-            digest_len: self.algorithm.output_len,
+            message: output,
+            len: self.algorithm.output_len,
         })
     }
 
@@ -199,8 +199,8 @@ pub fn digest(algorithm: &'static Algorithm, data: &[u8]) -> Digest {
 
     Digest {
         algorithm,
-        digest_msg: output,
-        digest_len: algorithm.output_len,
+        message: output,
+        len: algorithm.output_len,
     }
 }
 
@@ -211,8 +211,8 @@ pub fn digest(algorithm: &'static Algorithm, data: &[u8]) -> Digest {
 pub struct Digest {
     /// The trait `Copy` can't be implemented for dynamic arrays, so we set a
     /// fixed array and the appropriate length.
-    digest_msg: [u8; MAX_OUTPUT_LEN],
-    digest_len: usize,
+    message: [u8; MAX_OUTPUT_LEN],
+    len: usize,
 
     algorithm: &'static Algorithm,
 }
@@ -229,7 +229,7 @@ impl Digest {
 impl AsRef<[u8]> for Digest {
     #[inline]
     fn as_ref(&self) -> &[u8] {
-        &self.digest_msg[..self.digest_len]
+        &self.message[..self.len]
     }
 }
 
 
@@ -31,8 +31,6 @@ pub(crate) mod signature;
 const ELEM_MAX_BITS: usize = 521;
 pub(crate) const ELEM_MAX_BYTES: usize = (ELEM_MAX_BITS + 7) / 8;
 
-pub(crate) const SCALAR_MAX_BYTES: usize = ELEM_MAX_BYTES;
-
 /// The maximum length, in bytes, of an encoded public key.
 pub(crate) const PUBLIC_KEY_MAX_LEN: usize = 1 + (2 * ELEM_MAX_BYTES);
 
@@ -62,7 +60,7 @@ pub(crate) fn verify_evp_key_nid(
 }
 
 #[inline]
-pub(crate) fn validate_evp_key(
+pub(crate) fn validate_ec_evp_key(
     evp_pkey: &ConstPointer<EVP_PKEY>,
     expected_curve_nid: i32,
 ) -> Result<(), KeyRejected> {
 
@@ -3,7 +3,7 @@
 
 use crate::aws_lc::{EVP_PKEY, EVP_PKEY_EC};
 use crate::ec::encoding::sec1::parse_sec1_public_point;
-use crate::ec::validate_evp_key;
+use crate::ec::validate_ec_evp_key;
 
 use crate::error::KeyRejected;
 use crate::ptr::LcPtr;
@@ -23,7 +23,7 @@ pub(crate) mod sec1 {
     use crate::cbb::LcCBB;
     use crate::ec::{
         compressed_public_key_size_bytes, ec_group_from_nid, uncompressed_public_key_size_bytes,
-        validate_evp_key, KeyRejected,
+        validate_ec_evp_key, KeyRejected,
     };
     use crate::error::Unspecified;
     use crate::ptr::{ConstPointer, DetachableLcPtr, LcPtr};
@@ -72,7 +72,7 @@ pub(crate) mod sec1 {
 
         ec_key.detach();
 
-        validate_evp_key(&pkey.as_const(), nid)?;
+        validate_ec_evp_key(&pkey.as_const(), nid)?;
 
         Ok(pkey)
     }
@@ -126,7 +126,7 @@ pub(crate) mod sec1 {
         ec_key.detach();
 
         // Validate the EC_KEY before returning it.
-        validate_evp_key(&pkey.as_const(), expected_curve_nid)?;
+        validate_ec_evp_key(&pkey.as_const(), expected_curve_nid)?;
 
         Ok(pkey)
     }
@@ -250,5 +250,5 @@ pub(crate) fn parse_ec_public_key(
 ) -> Result<LcPtr<EVP_PKEY>, KeyRejected> {
     LcPtr::<EVP_PKEY>::parse_rfc5280_public_key(key_bytes, EVP_PKEY_EC)
         .or(parse_sec1_public_point(key_bytes, expected_curve_nid))
-        .and_then(|key| validate_evp_key(&key.as_const(), expected_curve_nid).map(|()| key))
+        .and_then(|key| validate_ec_evp_key(&key.as_const(), expected_curve_nid).map(|()| key))
 }
@@ -10,7 +10,7 @@ use core::fmt::{Debug, Formatter};
 use crate::ec::evp_key_generate;
 use crate::ec::signature::{EcdsaSignatureFormat, EcdsaSigningAlgorithm, PublicKey};
 #[cfg(feature = "fips")]
-use crate::ec::validate_evp_key;
+use crate::ec::validate_ec_evp_key;
 #[cfg(not(feature = "fips"))]
 use crate::ec::verify_evp_key_nid;
 
@@ -97,7 +97,7 @@ impl EcdsaKeyPair {
         #[cfg(not(feature = "fips"))]
         verify_evp_key_nid(&evp_pkey.as_const(), alg.id.nid())?;
         #[cfg(feature = "fips")]
-        validate_evp_key(&evp_pkey.as_const(), alg.id.nid())?;
+        validate_ec_evp_key(&evp_pkey.as_const(), alg.id.nid())?;
 
         let key_pair = Self::new(alg, evp_pkey)?;
 
@@ -188,7 +188,7 @@ impl EcdsaKeyPair {
         #[cfg(not(feature = "fips"))]
         verify_evp_key_nid(&evp_pkey.as_const(), alg.id.nid())?;
         #[cfg(feature = "fips")]
-        validate_evp_key(&evp_pkey.as_const(), alg.id.nid())?;
+        validate_ec_evp_key(&evp_pkey.as_const(), alg.id.nid())?;
 
         Ok(Self::new(alg, evp_pkey)?)
     }
 
@@ -55,14 +55,16 @@ macro_rules! generated_encodings {
 }
 pub(crate) use generated_encodings;
 generated_encodings!(
+    (Curve25519SeedBin, Curve25519SeedBinType),
     (EcPrivateKeyBin, EcPrivateKeyBinType),
     (EcPrivateKeyRfc5915Der, EcPrivateKeyRfc5915DerType),
-    (EcPublicKeyUncompressedBin, EcPublicKeyUncompressedBinType),
     (EcPublicKeyCompressedBin, EcPublicKeyCompressedBinType),
-    (PublicKeyX509Der, PublicKeyX509DerType),
-    (Curve25519SeedBin, Curve25519SeedBinType),
+    (EcPublicKeyUncompressedBin, EcPublicKeyUncompressedBinType),
     (Pkcs8V1Der, Pkcs8V1DerType),
-    (Pkcs8V2Der, Pkcs8V2DerType)
+    (Pkcs8V2Der, Pkcs8V2DerType),
+    (PqdsaPrivateKeyRaw, PqdsaPrivateKeyRawType),
+    (PqdsaSeedRaw, PqdsaSeedRawType),
+    (PublicKeyX509Der, PublicKeyX509DerType)
 );
 
 /// Trait for types that can be serialized into a DER format.
@@ -82,3 +84,12 @@ pub trait AsBigEndian<T> {
     /// Returns Unspecified if serialization fails.
     fn as_be_bytes(&self) -> Result<T, crate::error::Unspecified>;
 }
+
+/// Trait for values that can be serialized into a raw format
+pub trait AsRawBytes<T> {
+    /// Serializes into a raw format.
+    ///
+    /// # Errors
+    /// Returns Unspecified if serialization fails.
+    fn as_raw_bytes(&self) -> Result<T, crate::error::Unspecified>;
+}
@@ -10,7 +10,7 @@ use crate::aws_lc::{
     EVP_parse_private_key, EVP_parse_public_key, EC_KEY, EVP_PKEY, EVP_PKEY_CTX, EVP_PKEY_ED25519,
     RSA,
 };
-#[cfg(not(feature = "fips"))]
+#[cfg(all(feature = "unstable", not(feature = "fips")))]
 use crate::aws_lc::{
     EVP_PKEY_pqdsa_new_raw_private_key, EVP_PKEY_pqdsa_new_raw_public_key, EVP_PKEY_PQDSA,
     NID_MLDSA44, NID_MLDSA65, NID_MLDSA87,
@@ -243,7 +243,7 @@ impl LcPtr<EVP_PKEY> {
         bytes: &[u8],
         evp_pkey_type: c_int,
     ) -> Result<Self, KeyRejected> {
-        #[cfg(not(feature = "fips"))]
+        #[cfg(all(feature = "unstable", not(feature = "fips")))]
         if evp_pkey_type == EVP_PKEY_PQDSA {
             return match bytes.len() {
                 2560 => Self::new(unsafe {
@@ -257,7 +257,7 @@ impl LcPtr<EVP_PKEY> {
                 }),
                 _ => Err(()),
             }
-            .map_err(|()| KeyRejected::unspecified());
+            .map_err(|()| KeyRejected::invalid_encoding());
         }
 
         Self::new(unsafe {
@@ -270,7 +270,7 @@ impl LcPtr<EVP_PKEY> {
         bytes: &[u8],
         evp_pkey_type: c_int,
     ) -> Result<Self, KeyRejected> {
-        #[cfg(not(feature = "fips"))]
+        #[cfg(all(feature = "unstable", not(feature = "fips")))]
         if evp_pkey_type == EVP_PKEY_PQDSA {
             return match bytes.len() {
                 1312 => Self::new(unsafe {
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ impl EphemeralPrivateKey {`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`#[cfg(test)]`
`44`		`- #[allow(clippy::missing_errors_doc, missing_docs)]`
	`44`	`+ #[allow(missing_docs, clippy::missing_errors_doc)]`
`45`	`45`	`pub fn generate_for_test(`
`46`	`46`	`alg: &'static Algorithm,`
`47`	`47`	`rng: &dyn SecureRandom,`
Original file line number	Diff line number	Diff line change
`@@ -155,8 +155,8 @@ impl Context {`
`155`	`155`
`156`	`156`	`Ok(Digest {`
`157`	`157`	`algorithm: self.algorithm,`
`158`		`- digest_msg: output,`
`159`		`- digest_len: self.algorithm.output_len,`
	`158`	`+ message: output,`
	`159`	`+ len: self.algorithm.output_len,`
`160`	`160`	`})`
`161`	`161`	`}`
`162`	`162`
`@@ -199,8 +199,8 @@ pub fn digest(algorithm: &'static Algorithm, data: &[u8]) -> Digest {`
`199`	`199`
`200`	`200`	`Digest {`
`201`	`201`	`algorithm,`
`202`		`- digest_msg: output,`
`203`		`- digest_len: algorithm.output_len,`
	`202`	`+ message: output,`
	`203`	`+ len: algorithm.output_len,`
`204`	`204`	`}`
`205`	`205`	`}`
`206`	`206`
`@@ -211,8 +211,8 @@ pub fn digest(algorithm: &'static Algorithm, data: &[u8]) -> Digest {`
`211`	`211`	`pub struct Digest {`
`212`	`212`	/// The trait `Copy` can't be implemented for dynamic arrays, so we set a
`213`	`213`	`/// fixed array and the appropriate length.`
`214`		`- digest_msg: [u8; MAX_OUTPUT_LEN],`
`215`		`- digest_len: usize,`
	`214`	`+ message: [u8; MAX_OUTPUT_LEN],`
	`215`	`+ len: usize,`
`216`	`216`
`217`	`217`	`algorithm: &'static Algorithm,`
`218`	`218`	`}`
`@@ -229,7 +229,7 @@ impl Digest {`
`229`	`229`	`impl AsRef<[u8]> for Digest {`
`230`	`230`	`#[inline]`
`231`	`231`	`fn as_ref(&self) -> &[u8] {`
`232`		`- &self.digest_msg[..self.digest_len]`
	`232`	`+ &self.message[..self.len]`
`233`	`233`	`}`
`234`	`234`	`}`
`235`	`235`