add CI script and dimension for MariaDB

.gitignore

@@ -33,6 +33,7 @@ util/bot/sde-win32.tar.xz
 util/bot/win_toolchain.json
 util/bot/yasm-win32.exe
 
+tests/ci/.env
 tests/ci/cdk/cdk.context.json
 test_build_dir/
 cmake-build-debug/

tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml

@@ -29,3 +29,11 @@ batch:
         privileged-mode: false
         compute-type: BUILD_GENERAL1_MEDIUM
         image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_latest
+
+    - identifier: mariadb_integration
+      buildspec: ./tests/ci/codebuild/integration/mariadb_integration.yml
+      env:
+        type: LINUX_CONTAINER
+        privileged-mode: false
+        compute-type: BUILD_GENERAL1_MEDIUM
+        image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_latest

tests/ci/codebuild/integration/mariadb_integration.yml

@@ -0,0 +1,9 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+version: 0.2
+
+phases:
+  build:
+    commands:
+      - ./tests/ci/integration/run_mariadb_integration.sh

tests/ci/common_posix_setup.sh

@@ -189,6 +189,19 @@ function build_and_run_minimal_test {
   run_cmake_custom_target 'run_minimal_tests'
 }
 
+# Install local build of AWS-LC for integration testing.
+function aws_lc_build() {
+  AWS_LC_DIR=${1}
+  BUILD_FOLDER=${2}
+  INSTALL_FOLDER=${3}
+
+  echo "Building AWS-LC to ${BUILD_FOLDER} and installing to ${INSTALL_FOLDER}"
+  ${CMAKE_COMMAND} ${AWS_LC_DIR} -GNinja "-B${BUILD_FOLDER}" "-DCMAKE_INSTALL_PREFIX=${INSTALL_FOLDER}"
+  ninja -C ${BUILD_FOLDER} install
+  ls -R ${INSTALL_FOLDER}
+  rm -rf ${BUILD_FOLDER}/*
+}
+
 function print_executable_information {
   EXE_NAME=${1}
   EXE_ARGUMENT=${2}

tests/ci/docker_images/linux-x86/ubuntu-22.04_base/Dockerfile

@@ -24,6 +24,7 @@ RUN set -ex && \
     cmake \
     make \
     ninja-build \
+    patch \
     perl \
     libunwind-dev \
     pkg-config \

tests/ci/integration/mariadb_patch/0001-WIP-Avoid-define-template-_template-so-AWS-LC-builds.patch

@@ -0,0 +1,56 @@
+From 10318f2e70b2cab11537b4fcf10266de254d8452 Mon Sep 17 00:00:00 2001
+From: Otto Kekalainen <ottoke@amazon.com>
+Date: Mon, 28 Nov 2022 20:27:35 -0800
+Subject: [PATCH 1/4] WIP: Avoid '#define template _template' so AWS-LC builds
+ can run
+
+Disable the WolfSSL specific bug fix as it breaks AWS-LC builds with
+errors like:
+
+/builds/CPACK_BUILD_SOURCE_DIRS_LONG_NAME_REQUIREMENT/mysys_ssl/my_crypt.cc:21:18: error: '_template' does not name a type
+   21 | #define template _template /* bug in WolfSSL 4.4.0, see also violite.h */
+      |                  ^~~~~~~~~
+
+Also:
+
+In file included from /usr/local/include/openssl/evp.h:60,
+                 from /builds/CPACK_BUILD_SOURCE_DIRS_LONG_NAME_REQUIREMENT/mysys_ssl/my_crypt.cc:22:
+/usr/local/include/openssl/mem.h:257:1: error: 'DeleterImpl' is not a class template
+  257 | BORINGSSL_MAKE_DELETER(char, OPENSSL_free)
+      | ^~~~~~~~~~~~~~~~~~~~~~
+---
+ include/violite.h     | 3 ++-
+ mysys_ssl/my_crypt.cc | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/include/violite.h b/include/violite.h
+index b823e62b2e1..f9c8ee6b845 100644
+--- a/include/violite.h
++++ b/include/violite.h
+@@ -147,7 +147,8 @@ int vio_getnameinfo(const struct sockaddr *sa,
+ /* Set yaSSL to use same type as MySQL do for socket handles */
+ typedef my_socket YASSL_SOCKET_T;
+ #define YASSL_SOCKET_T_DEFINED
+-#define template _template /* bug in WolfSSL 4.4.0, see also my_crypt.cc */
++// This causes template parse errors in the c++ stdlib.
++// #define template _template /* bug in WolfSSL 4.4.0, see also my_crypt.cc */
+ #include <openssl/ssl.h>
+ #undef template
+ #include <openssl/err.h>
+diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc
+index 4d7ebc7bd27..6fabb42f0cb 100644
+--- a/mysys_ssl/my_crypt.cc
++++ b/mysys_ssl/my_crypt.cc
+@@ -18,7 +18,8 @@
+ #include <my_global.h>
+ #include <string.h>
+
+-#define template _template /* bug in WolfSSL 4.4.0, see also violite.h */
++// This causes template parse errors in the c++ stdlib.
++// #define template _template /* bug in WolfSSL 4.4.0, see also violite.h */
+ #include <openssl/evp.h>
+ #undef template
+ #include <openssl/aes.h>
+-- 
+2.39.2
+

tests/ci/integration/mariadb_patch/0002-WIP-Stop-using-the-unchecked-version-of-DES_set_key.patch

@@ -0,0 +1,115 @@
+From e8efa757ab510b81e5f225e5d3736899600d1d86 Mon Sep 17 00:00:00 2001
+From: Otto Kekalainen <ottoke@amazon.com>
+Date: Mon, 28 Nov 2022 21:07:19 -0800
+Subject: [PATCH 2/4] WIP: Stop using the unchecked version of DES_set_key
+
+DES_set_key_unchecked  is deprecated since OpenSSL 3.0
+(https://www.openssl.org/docs/manmaster/man3/DES_set_key.html),
+the current long term support version.
+
+According to DES_set_key_unchecked documentation, it is functionally
+equivalent to DES_set_key, when the global variable DES_check_key is 0.
+In MariaDB the variable DES_check_key is used only in WolfSSL, which is
+not used when AWS-LC is used, so this change should be safe to do.
+
+Example error on CentOS 7:
+
+[ 83%] Building CXX object sql/CMakeFiles/sql.dir/des_key_file.cc.o
+/builds/CPACK_BUILD_SOURCE_DIRS_LONG_NAME_REQUIREMENT/sql/des_key_file.cc: In function 'bool load_des_key_file(const char*)':
+/builds/CPACK_BUILD_SOURCE_DIRS_LONG_NAME_REQUIREMENT/sql/des_key_file.cc:84:14: error: cannot convert 'DES_cblock' to 'uint8_t* {aka unsigned char*}' for argument '8' to 'int EVP_BytesToKey(const EVP_CIPHER*, const EVP_MD*, const uint8_t*, const uint8_t*, size_t, unsigned int, uint8_t*, uint8_t*)'
+          ivec);
+              ^
+/builds/CPACK_BUILD_SOURCE_DIRS_LONG_NAME_REQUIREMENT/sql/des_key_file.cc:85:74: error: 'DES_set_key_unchecked' was not declared in this scope
+  DES_set_key_unchecked(&keyblock.key1,&(des_keyschedule[(int)offset].ks1));
+                                                                          ^
+make[2]: *** [sql/CMakeFiles/sql.dir/des_key_file.cc.o] Error 1
+
+Example error on Fedora:
+
+[ 83%] Building CXX object sql/CMakeFiles/sql.dir/des_key_file.cc.o
+/builds/CPACK_BUILD_SOURCE_DIRS_LONG_NAME_REQUIREMENT/sql/des_key_file.cc: In function 'bool load_des_key_file(const char*)':
+/builds/CPACK_BUILD_SOURCE_DIRS_LONG_NAME_REQUIREMENT/sql/des_key_file.cc:84:10: error: cannot convert 'DES_cblock' {aka 'DES_cblock_st'} to 'uint8_t*' {aka 'unsigned char*'}
+   84 |          ivec);
+      |          ^~~~
+      |          |
+      |          DES_cblock {aka DES_cblock_st}
+In file included from /usr/local/include/openssl/pem.h:62,
+                 from /usr/local/include/openssl/ssl.h:149,
+                 from /builds/CPACK_BUILD_SOURCE_DIRS_LONG_NAME_REQUIREMENT/include/violite.h:152,
+                 from /builds/CPACK_BUILD_SOURCE_DIRS_LONG_NAME_REQUIREMENT/sql/des_key_file.h:22,
+                 from /builds/CPACK_BUILD_SOURCE_DIRS_LONG_NAME_REQUIREMENT/sql/des_key_file.cc:18:
+/usr/local/include/openssl/cipher.h:350:44: note:   initializing argument 8 of 'int EVP_BytesToKey(const EVP_CIPHER*, const EVP_MD*, const uint8_t*, const uint8_t*, size_t, unsigned int, uint8_t*, uint8_t*)'
+  350 |                                   uint8_t *iv);
+      |                                   ~~~~~~~~~^~
+/builds/CPACK_BUILD_SOURCE_DIRS_LONG_NAME_REQUIREMENT/sql/des_key_file.cc:85:2: error: 'DES_set_key_unchecked' was not declared in this scope
+   85 |  DES_set_key_unchecked(&keyblock.key1,&(des_keyschedule[(int)offset].ks1));
+      |  ^~~~~~~~~~~~~~~~~~~~~
+make[2]: *** [sql/CMakeFiles/sql.dir/build.make:177: sql/CMakeFiles/sql.dir/des_key_file.cc.o] Error 1
+---
+ sql/des_key_file.cc | 10 +++++-----
+ sql/item_strfunc.cc | 16 ++++++++--------
+ 2 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/sql/des_key_file.cc b/sql/des_key_file.cc
+index bfbe04f6015..084523a6d4f 100644
+--- a/sql/des_key_file.cc
++++ b/sql/des_key_file.cc
+@@ -78,13 +78,13 @@ load_des_key_file(const char *file_name)
+ 	DES_cblock ivec;
+ 	bzero((char*) &ivec,sizeof(ivec));
+ 	// We make good 24-byte (168 bit) key from given plaintext key with MD5
+-	EVP_BytesToKey(EVP_des_ede3_cbc(),EVP_md5(),NULL,
++	EVP_BytesToKey( EVP_des_ede3_cbc(),EVP_md5(),NULL,
+ 		       (uchar *) start, (int) (end-start),1,
+ 		       (uchar *) &keyblock,
+-		       ivec);
+-	DES_set_key_unchecked(&keyblock.key1,&(des_keyschedule[(int)offset].ks1));
+-	DES_set_key_unchecked(&keyblock.key2,&(des_keyschedule[(int)offset].ks2));
+-	DES_set_key_unchecked(&keyblock.key3,&(des_keyschedule[(int)offset].ks3));
++                       ivec.bytes);
++	DES_set_key(&keyblock.key1,&(des_keyschedule[(int)offset].ks1));
++	DES_set_key(&keyblock.key2,&(des_keyschedule[(int)offset].ks2));
++	DES_set_key(&keyblock.key3,&(des_keyschedule[(int)offset].ks3));
+ 	if (des_default_key == 15)
+ 	  des_default_key= (uint) offset;		// use first as def.
+       }
+diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
+index 7eee96b3a19..7b6ab0788d2 100644
+--- a/sql/item_strfunc.cc
++++ b/sql/item_strfunc.cc
+@@ -764,11 +764,11 @@ String *Item_func_des_encrypt::val_str(String *str)
+     bzero((char*) &ivec,sizeof(ivec));
+     if (!EVP_BytesToKey(EVP_des_ede3_cbc(),EVP_md5(),NULL,
+ 		   (uchar*) keystr->ptr(), (int) keystr->length(),
+-		   1, (uchar*) &keyblock,ivec))
++		   1, (uchar*) &keyblock,(uchar*) &ivec))
+       goto error;
+-    DES_set_key_unchecked(&keyblock.key1,&keyschedule.ks1);
+-    DES_set_key_unchecked(&keyblock.key2,&keyschedule.ks2);
+-    DES_set_key_unchecked(&keyblock.key3,&keyschedule.ks3);
++    DES_set_key(&keyblock.key1,&keyschedule.ks1);
++    DES_set_key(&keyblock.key2,&keyschedule.ks2);
++    DES_set_key(&keyblock.key3,&keyschedule.ks3);
+   }
+
+   /*
+@@ -859,12 +859,12 @@ String *Item_func_des_decrypt::val_str(String *str)
+     bzero((char*) &ivec,sizeof(ivec));
+     if (!EVP_BytesToKey(EVP_des_ede3_cbc(),EVP_md5(),NULL,
+ 		   (uchar*) keystr->ptr(),(int) keystr->length(),
+-		   1,(uchar*) &keyblock,ivec))
++		   1,(uchar*) &keyblock,(uchar *) &ivec))
+       goto error;
+     // Here we set all 64-bit keys (56 effective) one by one
+-    DES_set_key_unchecked(&keyblock.key1,&keyschedule.ks1);
+-    DES_set_key_unchecked(&keyblock.key2,&keyschedule.ks2);
+-    DES_set_key_unchecked(&keyblock.key3,&keyschedule.ks3);
++    DES_set_key(&keyblock.key1,&keyschedule.ks1);
++    DES_set_key(&keyblock.key2,&keyschedule.ks2);
++    DES_set_key(&keyblock.key3,&keyschedule.ks3);
+   }
+   code= ER_OUT_OF_RESOURCES;
+   if (str->alloc(length-1))
+-- 
+2.39.2
+

tests/ci/integration/mariadb_patch/0003-WIP-Use-replace_regex-in-mysql-test-run-to-make-SSL-.patch

@@ -0,0 +1,28 @@
+From 557b4261a3120b037e2c705ce94453bc63d08823 Mon Sep 17 00:00:00 2001
+From: Otto Kekalainen <ottoke@amazon.com>
+Date: Mon, 28 Nov 2022 21:03:50 -0800
+Subject: [PATCH 3/4] WIP: Use `--replace_regex` in mysql-test-run to make SSL
+ tests pass
+
+Another potential area worthy of upstream contribution.
+
+The new error messages _seem_ to follow uppercase and underscore format.
+
+---
+ mysql-test/main/ssl_crl.test | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mysql-test/main/ssl_crl.test b/mysql-test/main/ssl_crl.test
+index 9b4758578a7..50f7d6981a0 100644
+--- a/mysql-test/main/ssl_crl.test
++++ b/mysql-test/main/ssl_crl.test
+@@ -9,5 +9,6 @@
+ --echo # try logging in with a certificate in the server's --ssl-crl : should fail
+ # OpenSSL 1.1.1a correctly rejects the certificate, but the error message is different
+ --replace_regex /ERROR 2013 \(HY000\): Lost connection to server at '.*', system error: [0-9]+/ERROR 2026 (HY000): TLS\/SSL error: sslv3 alert certificate revoked/
++--replace_regex /SSLV3_ALERT_CERTIFICATE_REVOKED/sslv3 alert certificate revoked/
+ --error 1
+ --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_version'" 2>&1
+-- 
+2.39.2
+

tests/ci/integration/mariadb_patch/0004-WIP-Skip-test-that-is-disabled-when-using-OpenSSL-1..patch

@@ -0,0 +1,29 @@
+From 85cf96e689ef0df5ddefe12cfbcfb18a80e96210 Mon Sep 17 00:00:00 2001
+From: Robin Newhouse <robinnew@amazon.com>
+Date: Mon, 15 May 2023 22:37:36 +0000
+Subject: [PATCH 4/4] WIP: Skip test that is disabled when using OpenSSL 1.1.1
+
+OpenSSL 1.1.1 and AWS-LC use different cipher names than OpenSSL 1.0.2
+so we cannot reuse old tests with hardcoded cipher requirements.
+---
+ mysql-test/main/ssl_cipher.test | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mysql-test/main/ssl_cipher.test b/mysql-test/main/ssl_cipher.test
+index 4671b085ce7..0f926bf3e64 100644
+--- a/mysql-test/main/ssl_cipher.test
++++ b/mysql-test/main/ssl_cipher.test
+@@ -4,8 +4,8 @@
+ #
+ --source include/have_ssl_communication.inc
+
+-if (`select @@version_ssl_library like 'OpenSSL 1.1.1%'`) {
+-  skip OpenSSL 1.1.1;
++if (`select @@version_ssl_library like 'OpenSSL 1.1.1%' OR @@version_ssl_library like 'AWS-LC%'`) {
++  skip OpenSSL 1.1.1 and AWS-LC use different cipher names so we cannot reuse old tests with hardcoded cipher requirements;
+ }
+
+ create user ssl_user1@localhost require SSL;
+-- 
+2.39.2
+

tests/ci/integration/run_mariadb_integration.sh

@@ -0,0 +1,83 @@
+#!/bin/bash -exu
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
+source tests/ci/common_posix_setup.sh
+
+# Set up environment.
+
+# ROOT
+#  |
+#  - AWS_LC_DIR
+#    |
+#    - aws-lc
+#  |
+#  - SCRATCH_FOLDER
+#    |
+#    - mariadb
+#    - AWS_LC_BUILD_FOLDER
+#    - AWS_LC_INSTALL_FOLDER
+#    - MARIADB_BUILD_FOLDER
+
+# The CFlags, skipped test list, and patches were taken from the internal CI pipeline of our customer.
+
+# Assumes script is executed from the root of aws-lc directory
+AWS_LC_DIR=$(pwd)
+cd ../
+ROOT=$(pwd)
+
+SCRATCH_FOLDER=${ROOT}/"MARIADB_BUILD_ROOT"
+MARIADB_SRC_FOLDER="${SCRATCH_FOLDER}/server"
+MARIADB_BUILD_FOLDER="${SCRATCH_FOLDER}/server/mariadb-aws-lc"
+MARIADB_PATCH_FOLDER=${AWS_LC_DIR}/"tests/ci/integration/mariadb_patch"
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${MARIADB_SRC_FOLDER}/aws-lc-install"
+
+mkdir -p ${SCRATCH_FOLDER}
+rm -rf ${SCRATCH_FOLDER}/*
+cd ${SCRATCH_FOLDER}
+
+function aws_lc_build() {
+  ${CMAKE_COMMAND} ${AWS_LC_DIR} -GNinja "-B${AWS_LC_BUILD_FOLDER}" "-DCMAKE_INSTALL_PREFIX=${AWS_LC_INSTALL_FOLDER}"
+  ninja -C ${AWS_LC_BUILD_FOLDER} install
+  ls -R ${AWS_LC_INSTALL_FOLDER}
+  rm -rf ${AWS_LC_BUILD_FOLDER}/*
+}
+
+function mariadb_build() {
+  cmake ${MARIADB_SRC_FOLDER} -GNinja -DWITH_SSL=${AWS_LC_INSTALL_FOLDER} "-B${MARIADB_BUILD_FOLDER}" -DPLUGIN_COLUMNSTORE=NO -DPLUGIN_ROCKSDB=NO -DPLUGIN_S3=NO -DPLUGIN_MROONGA=NO -DPLUGIN_CONNECT=NO -DPLUGIN_SPHINX=NO -DPLUGIN_SPIDER=NO -DPLUGIN_TOKUDB=NO -DPLUGIN_PERFSCHEMA=NO -DWITH_WSREP=OFF
+  ninja -C ${MARIADB_BUILD_FOLDER}
+  ls -R ${MARIADB_BUILD_FOLDER}
+}
+
+function mariadb_run_tests() {
+  pushd ${MARIADB_BUILD_FOLDER}
+  # Basic tests
+  ninja test
+  # More complicated integration tests.
+  echo "main.mysqldump : Field separator argument is not what is expected; check the manual when executing 'SELECT INTO OUTFILE'
+main.flush_logs_not_windows : query 'flush logs' succeeded - should have failed with error ER_CANT_CREATE_FILE (1004)
+main.mysql_upgrade_noengine : upgrade output order does not match the expected" > skiplist
+  ./mysql-test/mtr --suite=main --force --parallel=auto --skip-test-list=${MARIADB_BUILD_FOLDER}/skiplist
+  popd
+}
+
+# TODO: Remove this when we make an upstream contribution.
+function mariadb_patch() {
+  for patchfile in $(find -L "${MARIADB_PATCH_FOLDER}" -type f -name '*.patch'); do
+    echo "Apply patch $patchfile..."
+    patch -p1 --quiet -i "$patchfile"
+  done
+}
+
+# Get latest mariadb version, we can pin to a specific version if MariaDB's code changes break us too often.
+git clone https://github.com/MariaDB/server.git ${MARIADB_SRC_FOLDER} --depth 1
+mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER} ${MARIADB_BUILD_FOLDER}
+ls
+
+aws_lc_build
+pushd ${MARIADB_SRC_FOLDER}
+mariadb_patch
+mariadb_build
+mariadb_run_tests
+popd