From: Damien Claisse
Date: Thu, 13 Nov 2025 15:39:58 +0000 (+0000)
Subject: MINOR: ssl/sample: expose ssl_*c_curve for AWS-LC
X-Git-Tag: v3.3-dev13~29
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1d46c086894d4a32809aa09088414410407129ee;p=thirdparty%2Fhaproxy.git

MINOR: ssl/sample: expose ssl_*c_curve for AWS-LC

The underlying SSL_get_negotiated_group function has been backported into AWS-LC [1], so expose the feature for users of this TLS stack as well.

Note that even though it was actually added in AWS-LC 1.56.0, we require AWSLC_API_VERSION >= 35 which was released in AWS-LC 1.57.0, because API version wasn't incremented after this change. As the delta is one minor version (less than two weeks), I consider this acceptable to avoid relying on a proxy constant like TLSEXT_nid_unknown which might be removed at some point.

[1] https://github.com/aws/aws-lc/commit/d6a37244ad8922f41f70195104b9da9f64c96202
---
diff --git a/doc/configuration.txt b/doc/configuration.txt
index df5724738..ceeb94761 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -24672,7 +24672,7 @@ ssl_bc_client_traffic_secret_0 : string
 ssl_bc_curve : string
   Returns the name of the curve used in the key agreement when the outgoing
   connection was made over an SSL/TLS transport layer. This requires
-  OpenSSL >= 3.0.0.
+  OpenSSL >= 3.0.0 or AWS-LC >= 1.57.0.
 
 ssl_bc_early_exporter_secret : string
   Return the EARLY_EXPORTER_SECRET as an hexadecimal string for the
diff --git a/src/ssl_sample.c b/src/ssl_sample.c
index 230deafc3..5df663814 100644
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@@ -1501,9 +1501,9 @@ smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const ch
  * front and backend connection.
  *
  * The function to get the curve name (SSL_get_negotiated_group) is only available
- * in OpenSSLv3 onwards and not for previous versions.
+ * in OpenSSLv3 onwards and not for previous versions, and in AWS-LC >= 1.57.0.
  */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL) || (defined(OPENSSL_IS_AWSLC) && AWSLC_API_VERSION >= 35)
 static int smp_fetch_ssl_fc_ec(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
@@ -2549,7 +2549,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 	{ "ssl_bc_alpn", smp_fetch_ssl_fc_alpn, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
 #endif
 	{ "ssl_bc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL) || (defined(OPENSSL_IS_AWSLC) && AWSLC_API_VERSION >= 35)
 	{ "ssl_bc_curve", smp_fetch_ssl_fc_ec, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
 #endif
 #if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
@@ -2612,7 +2612,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 	{ "ssl_fc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
 	{ "ssl_fc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
 	{ "ssl_fc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL)
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL) || (defined(OPENSSL_IS_AWSLC) && AWSLC_API_VERSION >= 35)
 	{ "ssl_fc_curve", smp_fetch_ssl_fc_ec, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
 #endif
 	{ "ssl_fc_early_rcvd", smp_fetch_ssl_fc_early_rcvd, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
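Review bot: The guard `(HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL) || (defined(OPENSSL_IS_AWSLC) && AWSLC_API_VERSION >= 35)` is now copied verbatim onto the `smp_fetch_ssl_fc_ec` definition and onto the `ssl_bc_curve` and `ssl_fc_curve` table rows, so the next TLS stack that gains `SSL_get_negotiated_group` has to be added in three places and a missed copy breaks the build (an undeclared `smp_fetch_ssl_fc_ec` in the table, or an unused static function) instead of degrading cleanly. I would evaluate it once next to the other stack feature probes, `#define HAVE_SSL_GET_NEGOTIATED_GROUP` under that condition, and make all three sites `#if defined(HAVE_SSL_GET_NEGOTIATED_GROUP)`. On an AWS-LC old enough not to define `AWSLC_API_VERSION` the preprocessor substitutes 0 and the guard is false as intended, though a `-Wundef` build will presumably warn on that operand. The body of smp_fetch_ssl_fc_ec lies outside this hunk; since AWS-LC is a stack that can negotiate hybrid post-quantum groups, it is worth confirming that its NID-to-name path handles a lookup returning NULL rather than yielding an empty or misleading `ssl_fc_curve` value that ACLs could be written against.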