Add missing symbols for postgres #979
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
samuel40791765
force-pushed
the
postgres-cast
branch
4 times, most recently
from
9b8e900 to
774eefa
Compare
samuel40791765
force-pushed
the
postgres-cast
branch
from
6a5c0ac to
8ca077e
Compare
samuel40791765
commented
Apr 28, 2023
There was a problem hiding this comment.
I looked into some of our concerns for adding back Cast from decrepit and wanted to make the following points.
- This had already existed in AWS-LC when we were working on removing decrepit. During the work for that, we had the consensus that we would remove everything that did not have usage internally and incrementally add back functions if customers needed the functionality.
- We can consider influencing the Postgres upstream by submitting a PR to them to ifdef out the Cast ciphersuites. However, this change would only be added in new Postgres releases and won't be applicable to old releases. We can take a look at PostGres's versioning policy here: https://www.postgresql.org/support/versioning/
PostgreSQL Versions 11-15 are currently supported, with each major version of PostgreSQL having a support timeline of 5 years. Any upstream influence we make now, won't truly be felt until PostgreSQL15 is deprecated in 2027 (assuming an upstream contribution makes it to Version 16).
Considering these factors, we should look to add minimal support for the Cast ciphersuites through EVP now, so we can gain adoption in existing versions of PostGreSQL. We can still make an upstream contribution to ifdef the CAST, blowfish, and des usage out of PostGres when building with AWS-LC, so that new versions of PostGres don't continue rely on this behavior.
We're making sure to only expose the minimal amount of symbols needed, which are the EVP_CIPHERs in this case. We're also adding the AWS_LC_DEPRECATED macro in front of the CAST ciphersuites to indicate that these function should not be relied on. This will intentionally cause current builds of PostGres to complain about deprecated symbols. We can make an upstream contribution to ifdef these deprecated symbols to silence these warnings.
samuel40791765
force-pushed
the
postgres-cast
branch
from
8ca077e to
a96ee81
Compare
torben-hansen
approved these changes
May 1, 2023
nebeid
approved these changes
May 1, 2023
samuel40791765
force-pushed
the
postgres-cast
branch
from
a96ee81 to
674b86c
Compare
andrewhop
pushed a commit
to andrewhop/aws-lc
that referenced
this pull request
Sep 11, 2023
This had already existed in AWS-LC when we were working on removing decrepit. During the work for that, we had the consensus that we would remove everything that did not have usage internally and incrementally add back functions if customers needed the functionality. We can consider influencing the Postgres upstream by submitting a PR to them to ifdef out the Cast ciphersuites. However, this change would only be added in new Postgres releases and won't be applicable to old releases. PostgreSQL Versions 11-15 are currently supported, with each major version of PostgreSQL having a support timeline of 5 years. Any upstream influence we make now, won't truly be felt until PostgreSQL15 is deprecated in 2027 (assuming an upstream contribution makes it to Version 16). Considering these factors, we should look to add minimal support for the Cast ciphersuites through EVP now, so we can gain adoption in existing versions of PostGres. We can still make an upstream contribution to ifdef the CAST, blowfish, and des usage out of PostGres when building with AWS-LC, so that new versions of PostGres don't continue rely on this behavior. We're making sure to only expose the minimal amount of symbols needed, which are the EVP_CIPHERs in this case. We're also adding the AWS_LC_DEPRECATED macro in front of the CAST ciphersuites to indicate that these function should not be relied on. This will intentionally cause current builds of PostGres to complain about deprecated symbols. We can make an upstream contribution to ifdef these deprecated symbols to silence these warnings.
andrewhop
pushed a commit
to andrewhop/aws-lc
that referenced
this pull request
Sep 12, 2023
This had already existed in AWS-LC when we were working on removing decrepit. During the work for that, we had the consensus that we would remove everything that did not have usage internally and incrementally add back functions if customers needed the functionality. We can consider influencing the Postgres upstream by submitting a PR to them to ifdef out the Cast ciphersuites. However, this change would only be added in new Postgres releases and won't be applicable to old releases. PostgreSQL Versions 11-15 are currently supported, with each major version of PostgreSQL having a support timeline of 5 years. Any upstream influence we make now, won't truly be felt until PostgreSQL15 is deprecated in 2027 (assuming an upstream contribution makes it to Version 16). Considering these factors, we should look to add minimal support for the Cast ciphersuites through EVP now, so we can gain adoption in existing versions of PostGres. We can still make an upstream contribution to ifdef the CAST, blowfish, and des usage out of PostGres when building with AWS-LC, so that new versions of PostGres don't continue rely on this behavior. We're making sure to only expose the minimal amount of symbols needed, which are the EVP_CIPHERs in this case. We're also adding the AWS_LC_DEPRECATED macro in front of the CAST ciphersuites to indicate that these function should not be relied on. This will intentionally cause current builds of PostGres to complain about deprecated symbols. We can make an upstream contribution to ifdef these deprecated symbols to silence these warnings.
andrewhop
pushed a commit
that referenced
this pull request
Sep 13, 2023
This had already existed in AWS-LC when we were working on removing decrepit. During the work for that, we had the consensus that we would remove everything that did not have usage internally and incrementally add back functions if customers needed the functionality. We can consider influencing the Postgres upstream by submitting a PR to them to ifdef out the Cast ciphersuites. However, this change would only be added in new Postgres releases and won't be applicable to old releases. PostgreSQL Versions 11-15 are currently supported, with each major version of PostgreSQL having a support timeline of 5 years. Any upstream influence we make now, won't truly be felt until PostgreSQL15 is deprecated in 2027 (assuming an upstream contribution makes it to Version 16). Considering these factors, we should look to add minimal support for the Cast ciphersuites through EVP now, so we can gain adoption in existing versions of PostGres. We can still make an upstream contribution to ifdef the CAST, blowfish, and des usage out of PostGres when building with AWS-LC, so that new versions of PostGres don't continue rely on this behavior. We're making sure to only expose the minimal amount of symbols needed, which are the EVP_CIPHERs in this case. We're also adding the AWS_LC_DEPRECATED macro in front of the CAST ciphersuites to indicate that these function should not be relied on. This will intentionally cause current builds of PostGres to complain about deprecated symbols. We can make an upstream contribution to ifdef these deprecated symbols to silence these warnings.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues:
Resolves
CryptoAlg-1746andCryptoAlg-1747Description of changes:
Postgres has some "missing symbols" that we need to add back to support.
casthad originally been removed along withdecrepit, so this is just putting them back. The test file had not been removed, so we only need to add backcast.c.SSL_CTX_set_min_proto_versionto be a macro, which was OpenSSL's way of wrapping around theSSL_CTX_ctrlfunctions. The simplest way around this is to redefine theSSL_CTX_set_min_proto_versionas a macro at the end ofssl.h, like we've been doing for other instances of this.Call-outs:
N/A
Testing:
Confirmed by building with Postgres.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and
the ISC license.