Skip to content

Commit 1de6299

Browse files
Revert "Update patch for Postgres (#2232)" (#2358)
This reverts commit db72311. The original patch was much more stable. Instead of changing the postgres configure script to check against AWS-LC functions, we comment out the relevant test instead. I've added comments in the patch to reference back to the commit if we ever decide to upstream support to postgres. The Postgres ARM CI dimension is failing, but the failure doesn't seem relevant to this patch. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
1 parent 01ea6bf commit 1de6299

File tree

1 file changed

+53
-62
lines changed

1 file changed

+53
-62
lines changed

tests/ci/integration/postgres_patch/aws-lc-postgres.patch

Lines changed: 53 additions & 62 deletions
Original file line numberDiff line numberDiff line change
@@ -6,69 +6,60 @@
66
# If we do ever get the chance to submit a patch upstream, this patch
77
# should account for those error string discrepencies.
88
#
9-
diff --git a/configure b/configure
10-
index 93fddd6998..6a981cc247 100755
11-
--- a/configure
12-
+++ b/configure
13-
@@ -12805,6 +12805,18 @@ if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
14-
#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
15-
_ACEOF
16-
17-
+fi
18-
+done
19-
+
20-
+ # Function specific to AWS-LC.
21-
+ for ac_func in awslc_version_string
22-
+do :
23-
+ ac_fn_c_check_func "$LINENO" "awslc_version_string" "ac_cv_func_awslc_version_string"
24-
+if test "x$ac_cv_func_awslc_version_string" = xyes; then :
25-
+ cat >>confdefs.h <<_ACEOF
26-
+#define HAVE_AWSLC_VERSION_STRING 1
27-
+_ACEOF
28-
+
29-
fi
30-
done
31-
32-
diff --git a/configure.ac b/configure.ac
33-
index b6d02f5ecc..f2ba62b35d 100644
34-
--- a/configure.ac
35-
+++ b/configure.ac
36-
@@ -1371,6 +1371,8 @@ if test "$with_ssl" = openssl ; then
37-
AC_CHECK_FUNCS([SSL_CTX_set_cert_cb])
38-
# Function introduced in OpenSSL 1.1.1, not in LibreSSL.
39-
AC_CHECK_FUNCS([X509_get_signature_info SSL_CTX_set_num_tickets])
40-
+ # Function specific to AWS-LC.
41-
+ AC_CHECK_FUNCS([awslc_version_string])
42-
AC_DEFINE([USE_OPENSSL], 1, [Define to 1 to build with OpenSSL support. (--with-ssl=openssl)])
43-
elif test "$with_ssl" != no ; then
44-
AC_MSG_ERROR([--with-ssl must specify openssl])
45-
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
46-
index db6454090d..0fa2ebe3a3 100644
47-
--- a/src/include/pg_config.h.in
48-
+++ b/src/include/pg_config.h.in
49-
@@ -364,6 +364,9 @@
50-
/* Define to 1 if you have the `SSL_CTX_set_num_tickets' function. */
51-
#undef HAVE_SSL_CTX_SET_NUM_TICKETS
52-
53-
+/* Define to 1 if you have the declaration of `awslc_version_string'. */
54-
+#undef HAVE_AWSLC_VERSION_STRING
55-
+
56-
/* Define to 1 if you have the <stdint.h> header file. */
57-
#undef HAVE_STDINT_H
9+
# Ideally we wouldn't be commenting out the test below, but we'd rather
10+
# do an AC_CHECK_FUNCS check against |awslc_version_string| to determine
11+
# whether Postgres is using AWS-LC. That change touches significantly
12+
# more files and causes more churn in our CI however.
13+
# Commit db723116a144386007295521987feed4a6daab2f has a more suitable
14+
# patch that includes the configure script change. That patch would be
15+
# more suitable for upstreaming to postgres whenever we decide to do so.
16+
#
17+
# Note: The diff in 006_transfer_modes.pl has nothing to do with AWS-LC.
18+
# It's just to account for a specific error message on Codebuild ARM.
5819

20+
diff --git a/src/bin/pg_upgrade/t/006_transfer_modes.pl b/src/bin/pg_upgrade/t/006_transfer_modes.pl
21+
index 550a63fdf7d..41975ee1c56 100644
22+
--- a/src/bin/pg_upgrade/t/006_transfer_modes.pl
23+
+++ b/src/bin/pg_upgrade/t/006_transfer_modes.pl
24+
@@ -70,7 +70,7 @@ sub test_mode
25+
'--new-port' => $new->port,
26+
$mode
27+
],
28+
- qr/.* not supported on this platform|could not .* between old and new data directories: .*/,
29+
+ qr/.* not supported on this platform|could not copy file range from .*|could not .* between old and new data directories: .*/,
30+
qr/^$/,
31+
"pg_upgrade with transfer mode $mode");
32+
5933
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
60-
index fffc51f404..93e2b4f8ae 100644
34+
index 9e4947f4e3c..bf5edfeef48 100644
6135
--- a/src/test/ssl/t/002_scram.pl
6236
+++ b/src/test/ssl/t/002_scram.pl
63-
@@ -46,8 +46,10 @@ my $SERVERHOSTCIDR = '127.0.0.1/32';
64-
65-
# Determine whether build supports detection of hash algorithms for
66-
# RSA-PSS certificates.
67-
+# AWS-LC does not support RSA-PSS certificates in libssl.
68-
my $supports_rsapss_certs =
69-
- check_pg_config("#define HAVE_X509_GET_SIGNATURE_INFO 1");
70-
+ check_pg_config("#define HAVE_X509_GET_SIGNATURE_INFO 1") &&
71-
+ !check_pg_config("#define HAVE_AWSLC_VERSION_STRING 1");
72-
73-
# Allocation of base connection string shared among multiple tests.
74-
my $common_connstr;
37+
@@ -155,14 +155,18 @@ $node->connect_ok(
38+
# Now test with a server certificate that uses the RSA-PSS algorithm.
39+
# This checks that the certificate can be loaded and that channel binding
40+
# works. (see bug #17760)
41+
-if ($supports_rsapss_certs)
42+
-{
43+
- switch_server_cert($node, certfile => 'server-rsapss');
44+
- $node->connect_ok(
45+
- "$common_connstr user=ssltestuser channel_binding=require",
46+
- "SCRAM with SSL and channel_binding=require, server certificate uses 'rsassaPss'",
47+
- log_like => [
48+
- qr/connection authenticated: identity="ssltestuser" method=scram-sha-256/
49+
- ]);
50+
-}
51+
+#
52+
+# AWS-LC does not support RSA-PSS certificates in libssl. If there is a relevant
53+
+# feature request for this, cut an issue to our public repository.
54+
+#
55+
+# if ($supports_rsapss_certs)
56+
+# {
57+
+# switch_server_cert($node, certfile => 'server-rsapss');
58+
+# $node->connect_ok(
59+
+# "$common_connstr user=ssltestuser channel_binding=require",
60+
+# "SCRAM with SSL and channel_binding=require, server certificate uses 'rsassaPss'",
61+
+# log_like => [
62+
+# qr/connection authenticated: identity="ssltestuser" method=scram-sha-256/
63+
+# ]);
64+
+# }
65+
done_testing();

0 commit comments

Comments
 (0)