MINOR: cfgcond: add "awslc_api_atleast" and "awslc_api_before"

AWS-LC features are not easily tested with just the openssl version constant. AWS-LC uses its own API versioning stored in the AWSLC_API_VERSION constant. This patch add the two awslc_api_atleast and awslc_api_before predicates that help to check the AWS-LC API.
2025-12-02 08:11:29 +01:00 · 2025-11-14 10:23:45 +01:00 · 2025-11-14 10:23:45 +01:00 · 69c50764b4
commit 69c50764b4
parent b07f1242a7
5 changed files with 65 additions and 1 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -1178,6 +1178,14 @@ operator, so that "A && B || C && D" evalues as "(A && B) || (C && D)".

 The list of currently supported predicates is the following:

+  - awslc_api_atleast(<ver>): returns true if the current awslc API number
+                            is at least as recent as <ver> otherwise false.
+                            Example: awslc_api_atleast(35)
+
+  - awslc_api_before(<ver>): returns true if the current awslc API number
+                            is strictly older than <ver> otherwise false.
+                            Example: awslc_api_before(26)
+
  - defined(<name>)       : returns true if an environment variable <name>
                            exists, regardless of its contents

--- a/include/haproxy/cfgcond-t.h
+++ b/include/haproxy/cfgcond-t.h
@ -54,6 +54,8 @@ enum cond_predicate {
 	CFG_PRED_OSSL_VERSION_ATLEAST,   // "openssl_version_atleast"
 	CFG_PRED_OSSL_VERSION_BEFORE,    // "openssl_version_before"
 	CFG_PRED_SSLLIB_NAME_STARTSWITH, // "ssllib_name_startswith"
+	CFG_PRED_AWSLC_API_ATLEAST,      // "awslc_api_atleast"
+	CFG_PRED_AWSLC_API_BEFORE,       // "awslc_api_before"
 	CFG_PRED_ENABLED,                // "enabled"
 };

--- a/include/haproxy/tools.h
+++ b/include/haproxy/tools.h
@ -1413,7 +1413,8 @@ static inline int warn_if_lower(const char *text, long min)
 	value = atol(text);
 	return value && value < min;
 }
-
+/* compare the current AWS-LC API number to a string */
+int awslc_compare_current_api(const char *version);
 /* compare the current OpenSSL version to a string */
 int openssl_compare_current_version(const char *version);
 /* compare the current OpenSSL name to a string */
--- a/src/cfgcond.c
+++ b/src/cfgcond.c
@ -29,6 +29,8 @@ const struct cond_pred_kw cond_predicates[] = {
 	{ "openssl_version_atleast", CFG_PRED_OSSL_VERSION_ATLEAST,   ARG1(1, STR)         },
 	{ "openssl_version_before",  CFG_PRED_OSSL_VERSION_BEFORE,    ARG1(1, STR)         },
 	{ "ssllib_name_startswith",  CFG_PRED_SSLLIB_NAME_STARTSWITH, ARG1(1, STR)         },
+	{ "awslc_api_atleast",       CFG_PRED_AWSLC_API_ATLEAST,      ARG1(1, STR)         },
+	{ "awslc_api_before",        CFG_PRED_AWSLC_API_BEFORE,       ARG1(1, STR)         },
 	{ "enabled",                 CFG_PRED_ENABLED,                ARG1(1, STR)         },
 	{ NULL, CFG_PRED_NONE, 0 }
 };
@ -285,6 +287,24 @@ int cfg_eval_cond_term(const struct cfg_cond_term *term, char **err)
 				ret = opensslret > 0;
 			break;
 		}
+		case CFG_PRED_AWSLC_API_ATLEAST: { // checks if the current AWSLC API is at least this one
+			int awslcret = awslc_compare_current_api(term->args[0].data.str.area);
+
+			if (awslcret < -1) /* can't parse the string or no AWS-LC available */
+				ret = -1;
+			else
+				ret = awslcret <= 0;
+			break;
+		}
+		case CFG_PRED_AWSLC_API_BEFORE: { // checks if the current AWSLC API is older than this one
+			int awslcret = awslc_compare_current_api(term->args[0].data.str.area);
+
+			if (awslcret < -1) /* can't parse the string or no AWS-LC available */
+				ret = -1;
+			else
+				ret = awslcret > 0;
+			break;
+		}
 		case CFG_PRED_SSLLIB_NAME_STARTSWITH: { // checks if the current SSL library's name starts with a specified string (can be used to distinguish OpenSSL from LibreSSL or BoringSSL)
 			ret = openssl_compare_current_name(term->args[0].data.str.area) == 0;
 			break;
--- a/src/tools.c
+++ b/src/tools.c
@ -6865,6 +6865,39 @@ int word_fingerprint_distance(const uint8_t *fp1, const uint8_t *fp2)
 	return dist;
 }

+/*
+ * This function compares the loaded AWS-LC API number with a string <version>
+ * This function use the same return code as compare_current_version:
+ *
+ *  -1 : the version in argument is older than the current AWS-LC API
+ *   0 : the version in argument is the same as the current AWS-LC API
+ *   1 : the version in argument is newer than the current AWS-LC API
+ *
+ * Or some errors:
+ *  -2 : AWS-LC is not available on this process
+ *  -3 : the version in argument is not parsable
+ */
+int awslc_compare_current_api(const char *version)
+{
+#if defined(OPENSSL_IS_AWSLC) && defined(AWSLC_API_VERSION)
+	int numapi;
+	char *endptr;
+
+	numapi = strtol(version, &endptr, 10);
+	if (endptr == version || *endptr != '\0')
+		return -3;
+
+	if (numapi < AWSLC_API_VERSION)
+		return -1;
+	else if (numapi > AWSLC_API_VERSION)
+		return 1;
+	else
+		return 0;
+#else
+	return -2;
+#endif
+}
+
 /*
 * This function compares the loaded openssl version with a string <version>
 * This function use the same return code as compare_current_version: