Build failure on Mariner (azurelinux) because of unsupported cipher chacha20_poly1305 #12258

Closed
GalBr opened this issue Jan 9, 2025 · 5 comments
Labels: Stale, waiting-on-reporter (Issue is waiting on a reply from the reporter. It will be automatically closed if there is no reply.)

GalBr commented Jan 9, 2025

When trying to build cryptography from source on Mariner (azurelinux), the build fails:

  error[E0599]: no function or associated item named `chacha20_poly1305` found for struct `openssl::cipher::Cipher` in the current scope
     --> src/backend/aead.rs:459:50
      |
  459 |                         openssl::cipher::Cipher::chacha20_poly1305(),
      |                                                  ^^^^^^^^^^^^^^^^^ function or associated item not found in `Cipher`

Apparently Mariner doesn't support chacha20_poly1305. It seems that Azure patched the problematic code in order to work around this issue. (source)
The package was installed with pip install --no-binary ":all:".
Is this a known issue? Are there plans to integrate something more robust to the build? Some way to avoid this issue aside from changing the source code or using a wheel?

alex (Member) commented Jan 9, 2025

Is the OpenSSL that mariner has built with OPENSSL_NO_CHACHA? We don't currently support that build configuration, but we'd accept a patch to build correctly with it.

alex added the waiting-on-reporter label Jan 12, 2025

GalBr (Author) commented Jan 12, 2025

Yes, as per the openssl.spec file found here: https://github.com/microsoft/azurelinux/blob/2.0/SPECS/openssl/openssl.spec
It seems that they use ./config no-chacha (among other things).
For mariner 2.0 (which we currently use), they use cryptography version 3.3.2 and then apply a patch to solve CVE-2023-49083 (here).
For azurelinux (mariner 3.0), they use cryptography version 42.0.5 and apply a patch to remove the relevant Rust code (here).
We install and use our own packages, so we don't use the cryptography package that they have installed, but we can't install the version we want (43.0.1 currently).

I'm not sure we have the capacity to help develop the support for this build configuration currently, but I'll check. In any case, can I get a rough estimate of how complicated this is going to be for someone that isn't familiar with the codebase?

alex (Member) commented Jan 12, 2025

I'd probably estimate it at a couple of hours for someone not familiar with the codebase. I can give you a brief tour of what'd be involved:

So the main task would be finding the places that rely on chacha being available and adding the appropriate cfg() handling.
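
The cfg() gating described in the comment above, as an added example that is not part of the thread and not code from cryptography or rust-openssl. It assumes openssl-sys passes the `OPENSSL_NO_*` defines of the linked OpenSSL to dependent build scripts as the comma-separated `DEP_OPENSSL_CONF` variable; the cfg name `osslconf` and the functions `cfg_directives`, `chacha20_poly1305_name` and `supported_aeads` are hypothetical names chosen for this sketch.

```rust
use std::env;

/// Build-script half (would live in build.rs): turn every OPENSSL_NO_*
/// define into a `cargo:rustc-cfg` directive the crate can test with cfg().
fn cfg_directives(dep_openssl_conf: &str) -> Vec<String> {
    dep_openssl_conf
        .split(',')
        .map(str::trim)
        .filter(|define| define.starts_with("OPENSSL_NO_"))
        .map(|define| format!("cargo:rustc-cfg=osslconf=\"{}\"", define))
        .collect()
}

/// Crate half (would live in src/): the item that needs ChaCha20 exists
/// only when the define is absent, so nothing references a function that
/// the OpenSSL bindings did not generate. In real code this body would be
/// the call to `openssl::cipher::Cipher::chacha20_poly1305()`.
#[cfg(not(osslconf = "OPENSSL_NO_CHACHA"))]
fn chacha20_poly1305_name() -> Option<&'static str> {
    Some("chacha20-poly1305")
}

/// Fallback compiled for `./config no-chacha` builds: the algorithm is
/// reported as unavailable instead of breaking the build.
#[cfg(osslconf = "OPENSSL_NO_CHACHA")]
fn chacha20_poly1305_name() -> Option<&'static str> {
    None
}

/// AEADs this build can offer; callers turn a missing entry into an
/// "unsupported algorithm" error at run time.
fn supported_aeads() -> Vec<&'static str> {
    let mut names = vec!["aes-256-gcm"];
    names.extend(chacha20_poly1305_name());
    names
}

fn main() {
    // Unset outside a cargo build script, which yields no directives.
    let conf = env::var("DEP_OPENSSL_CONF").unwrap_or_default();
    for directive in cfg_directives(&conf) {
        println!("{}", directive);
    }
    println!("AEADs compiled in: {:?}", supported_aeads());
}
```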

This issue has been waiting for a reporter response for 3 days. It will be auto-closed if no activity occurs in the next 5 days.

github-actions bot added the Stale label Jan 16, 2025

This issue has not received a reporter response and has been auto-closed. If the issue is still relevant please leave a comment and we can reopen it.
