Linux cryptographic layer development
 help / color / mirror / Atom feed
From: Eric Biggers <ebiggers@kernel.org>
To: Christoph Anton Mitterer <calestyo@scientia.org>
Cc: linux-crypto@vger.kernel.org,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Milan Broz <gmazyland@gmail.com>
Subject: Re: AF_ALG deprecation fallout
Date: Tue, 7 Jul 2026 20:01:53 -0700	[thread overview]
Message-ID: <20260708030153.GA14700@sol> (raw)
In-Reply-To: <04fbbc8611699e469f44edbccdf3cf1ac65075d3.camel@scientia.org>

On Wed, Jul 08, 2026 at 04:14:04AM +0200, Christoph Anton Mitterer wrote:
> Hey Eric.
> 
> Thanks for your fast reply :-)
> 
> On Tue, 2026-07-07 at 18:11 -0700, Eric Biggers wrote:
> > In 7.3 we'll indeed be introducing an algorithm allowlist for AF_ALG.
> > But I already proposed including "xts(serpent)", "xts(twofish)", and
> > "xts(camellia)" on it
> > (
> > https://lore.kernel.org/linux-crypto/20260705184419.40762-1-ebiggers@k
> > ernel.org/)
> > based on their mention in various online documentation for
> > cryptsetup,
> > which suggests they indeed likely have some (rare) real-world use.
> 
> Good :-)
> 
> 
> 
> > I'm interested in allowing any other algorithms that still have
> > real-world use via AF_ALG, if any exist.  If you're aware of any,
> > please
> > speak up.
> 
> [X]Chacha, IIRC, would anyway be used without XTS...

It's possible that some of the "aead" ciphers will need to continue to
be supported in AF_ALG too (in addition to privileged use of "ccm(aes)",
which already is on the list since bluez uses it).

But we need a specific list.

> Well, I personally don't use any others, but of course other might.
> What about all these legacy modes that were used for years in examples,
> like cast5-cbc-essiv, aes-cbc-essiv, etc.?

First, the essiv component is not relevant, as far as I can tell.
algif_skcipher actually does have essiv support, but it's a relatively
recent addition and cryptsetup doesn't use it.

So the potential AF_ALG uses there would be "cbc(cast5)" and "cbc(aes)".

> Does your list have any effects on things like chained algos (which I
> think cryptsetup allows to use for tcrypt).

AF_ALG has never supported cipher cascades itself.

> I've wrote just before on the cryptsetup mailing list, that we have the
> nice integrity support in cryptsetup for quite some years now, but I
> guess only few people actually use it because all the available
> algorithms/modes were kinda recommended against[0].
> 
> I think XChacha20+Poly1305 might be in reach (but still not actually
> usable?), having finally a large enough nonce (192bits?).

The kernel has had XChaCha20Poly1305 support internally since 2019, but
support for it hasn't been added to dm-crypt yet.

> So any chances that the kernel provides a usable AEAD mode for AES (or
> maybe even Serpent ;-P)? 
> 
> Like with GCM but a larger nonce?

We probably should add XAES-256-GCM support at some point, which takes
192-bit nonces.  Historically it hasn't been feasible to do anything
that uses per-request AES keys in the kernel, since the kernel's crypto
API wasn't designed for that.  But we're now moving to a simpler API
where the algorithms including AES-GCM are implemented using regular
functions.  We can build XAES-256-GCM support on top of that.

- Eric

  reply	other threads:[~2026-07-08  3:03 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-08  0:31 AF_ALG deprecation fallout Christoph Anton Mitterer
2026-07-08  1:11 ` Eric Biggers
2026-07-08  2:14   ` Christoph Anton Mitterer
2026-07-08  3:01     ` Eric Biggers [this message]
2026-07-09 10:47       ` Milan Broz
2026-07-09 12:38         ` Christoph Anton Mitterer
2026-07-09 15:27           ` Eric Biggers
2026-07-09 15:35         ` Eric Biggers
2026-07-09 17:07           ` Milan Broz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260708030153.GA14700@sol \
    --to=ebiggers@kernel.org \
    --cc=calestyo@scientia.org \
    --cc=gmazyland@gmail.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-crypto@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox