From: Eric Biggers <ebiggers@kernel.org>
To: Christoph Anton Mitterer <calestyo@scientia.org>
Cc: linux-crypto@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
Milan Broz <gmazyland@gmail.com>
Subject: Re: AF_ALG deprecation fallout
Date: Tue, 7 Jul 2026 20:01:53 -0700 [thread overview]
Message-ID: <20260708030153.GA14700@sol> (raw)
In-Reply-To: <04fbbc8611699e469f44edbccdf3cf1ac65075d3.camel@scientia.org>
On Wed, Jul 08, 2026 at 04:14:04AM +0200, Christoph Anton Mitterer wrote:
> Hey Eric.
>
> Thanks for your fast reply :-)
>
> On Tue, 2026-07-07 at 18:11 -0700, Eric Biggers wrote:
> > In 7.3 we'll indeed be introducing an algorithm allowlist for AF_ALG.
> > But I already proposed including "xts(serpent)", "xts(twofish)", and
> > "xts(camellia)" on it
> > (
> > https://lore.kernel.org/linux-crypto/20260705184419.40762-1-ebiggers@k
> > ernel.org/)
> > based on their mention in various online documentation for
> > cryptsetup,
> > which suggests they indeed likely have some (rare) real-world use.
>
> Good :-)
>
>
>
> > I'm interested in allowing any other algorithms that still have
> > real-world use via AF_ALG, if any exist. If you're aware of any,
> > please
> > speak up.
>
> [X]Chacha, IIRC, would anyway be used without XTS...
It's possible that some of the "aead" ciphers will need to continue to
be supported in AF_ALG too (in addition to privileged use of "ccm(aes)",
which already is on the list since bluez uses it).
But we need a specific list.
> Well, I personally don't use any others, but of course other might.
> What about all these legacy modes that were used for years in examples,
> like cast5-cbc-essiv, aes-cbc-essiv, etc.?
First, the essiv component is not relevant, as far as I can tell.
algif_skcipher actually does have essiv support, but it's a relatively
recent addition and cryptsetup doesn't use it.
So the potential AF_ALG uses there would be "cbc(cast5)" and "cbc(aes)".
> Does your list have any effects on things like chained algos (which I
> think cryptsetup allows to use for tcrypt).
AF_ALG has never supported cipher cascades itself.
> I've wrote just before on the cryptsetup mailing list, that we have the
> nice integrity support in cryptsetup for quite some years now, but I
> guess only few people actually use it because all the available
> algorithms/modes were kinda recommended against[0].
>
> I think XChacha20+Poly1305 might be in reach (but still not actually
> usable?), having finally a large enough nonce (192bits?).
The kernel has had XChaCha20Poly1305 support internally since 2019, but
support for it hasn't been added to dm-crypt yet.
> So any chances that the kernel provides a usable AEAD mode for AES (or
> maybe even Serpent ;-P)?
>
> Like with GCM but a larger nonce?
We probably should add XAES-256-GCM support at some point, which takes
192-bit nonces. Historically it hasn't been feasible to do anything
that uses per-request AES keys in the kernel, since the kernel's crypto
API wasn't designed for that. But we're now moving to a simpler API
where the algorithms including AES-GCM are implemented using regular
functions. We can build XAES-256-GCM support on top of that.
- Eric
next prev parent reply other threads:[~2026-07-08 3:03 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-08 0:31 AF_ALG deprecation fallout Christoph Anton Mitterer
2026-07-08 1:11 ` Eric Biggers
2026-07-08 2:14 ` Christoph Anton Mitterer
2026-07-08 3:01 ` Eric Biggers [this message]
2026-07-09 10:47 ` Milan Broz
2026-07-09 12:38 ` Christoph Anton Mitterer
2026-07-09 15:27 ` Eric Biggers
2026-07-09 15:35 ` Eric Biggers
2026-07-09 17:07 ` Milan Broz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260708030153.GA14700@sol \
--to=ebiggers@kernel.org \
--cc=calestyo@scientia.org \
--cc=gmazyland@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox