From: Eric Biggers <ebiggers@kernel.org>
To: Christoph Anton Mitterer <calestyo@scientia.org>
Cc: linux-crypto@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
Milan Broz <gmazyland@gmail.com>
Subject: Re: AF_ALG deprecation fallout
Date: Tue, 7 Jul 2026 20:01:53 -0700 [thread overview]
Message-ID: <20260708030153.GA14700@sol> (raw)
In-Reply-To: <04fbbc8611699e469f44edbccdf3cf1ac65075d3.camel@scientia.org>
On Wed, Jul 08, 2026 at 04:14:04AM +0200, Christoph Anton Mitterer wrote:
> Hey Eric.
>
> Thanks for your fast reply :-)
>
> On Tue, 2026-07-07 at 18:11 -0700, Eric Biggers wrote:
> > In 7.3 we'll indeed be introducing an algorithm allowlist for AF_ALG.
> > But I already proposed including "xts(serpent)", "xts(twofish)", and
> > "xts(camellia)" on it
> > (
> > https://lore.kernel.org/linux-crypto/20260705184419.40762-1-ebiggers@k
> > ernel.org/)
> > based on their mention in various online documentation for
> > cryptsetup,
> > which suggests they indeed likely have some (rare) real-world use.
>
> Good :-)
>
>
>
> > I'm interested in allowing any other algorithms that still have
> > real-world use via AF_ALG, if any exist. If you're aware of any,
> > please
> > speak up.
>
> [X]Chacha, IIRC, would anyway be used without XTS...
It's possible that some of the "aead" ciphers will need to continue to
be supported in AF_ALG too (in addition to privileged use of "ccm(aes)",
which already is on the list since bluez uses it).
But we need a specific list.
> Well, I personally don't use any others, but of course other might.
> What about all these legacy modes that were used for years in examples,
> like cast5-cbc-essiv, aes-cbc-essiv, etc.?
First, the essiv component is not relevant, as far as I can tell.
algif_skcipher actually does have essiv support, but it's a relatively
recent addition and cryptsetup doesn't use it.
So the potential AF_ALG uses there would be "cbc(cast5)" and "cbc(aes)".
> Does your list have any effects on things like chained algos (which I
> think cryptsetup allows to use for tcrypt).
AF_ALG has never supported cipher cascades itself.
> I've wrote just before on the cryptsetup mailing list, that we have the
> nice integrity support in cryptsetup for quite some years now, but I
> guess only few people actually use it because all the available
> algorithms/modes were kinda recommended against[0].
>
> I think XChacha20+Poly1305 might be in reach (but still not actually
> usable?), having finally a large enough nonce (192bits?).
The kernel has had XChaCha20Poly1305 support internally since 2019, but
support for it hasn't been added to dm-crypt yet.
> So any chances that the kernel provides a usable AEAD mode for AES (or
> maybe even Serpent ;-P)?
>
> Like with GCM but a larger nonce?
We probably should add XAES-256-GCM support at some point, which takes
192-bit nonces. Historically it hasn't been feasible to do anything
that uses per-request AES keys in the kernel, since the kernel's crypto
API wasn't designed for that. But we're now moving to a simpler API
where the algorithms including AES-GCM are implemented using regular
functions. We can build XAES-256-GCM support on top of that.
- Eric
next prev parent reply other threads:[~2026-07-08 3:03 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 0:31 AF_ALG deprecation fallout Christoph Anton Mitterer
2026-07-08 1:11 ` Eric Biggers
2026-07-08 2:14 ` Christoph Anton Mitterer
2026-07-08 3:01 ` Eric Biggers [this message]
2026-07-09 10:47 ` Milan Broz
2026-07-09 12:38 ` Christoph Anton Mitterer
2026-07-09 15:27 ` Eric Biggers
2026-07-09 15:35 ` Eric Biggers
2026-07-09 17:07 ` Milan Broz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260708030153.GA14700@sol \
--to=ebiggers@kernel.org \
--cc=calestyo@scientia.org \
--cc=gmazyland@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.