Bug 2121245

Summary: add AF_ALG support
Product: [Fedora] Fedora
Reporter: Robert Elliott <elliott>
Component: gnutls
Assignee: Red Hat Crypto Team <crypto-team>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: ansasaki, crypto-team, dueno, fkrenzel, rwright, tm, zfridric
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Type: Bug

Description Robert Elliott 2022-08-24 23:02:59 UTC
Description of problem:

GnuTLS 3.7.2 (2021-05-29) added support for the Linux kernel crypto API AF_ALG socket interface when built with configure --enable-afalg. This allows access to kernel implementations of certain algorithms (including cbc(aes), xts(aes), ccm(aes), gcm(aes), hmac(sha[256|384|512]), and sha[256|384|512]).

Although software-based implementations in the kernel are no better than what GnuTLS can do on its own in userspace (using the nettle library), this path allows access to hardware device drivers for cryptographic offload devices. GnuTLS cannot access those from userspace.

The Fedora 36 kernel is compiled with userspace AF_ALG support for hash, skcipher, rng, and aead functions.

In Fedora 36, another crypto library, openssl, is compiled with AF_ALG support (only for AES-CBC):
$ openssl version -a
ENGINES: "/usr/lib/64/engines-3"
and that directory includes afalg.so.

$ openssl engine -t afalg
(afalg) AFALG engine support
     [ available ]

$ openssl engine -c afalg
(afalg) AFALG engine support
 [AES-128-CBC, AES-192-CBC, AES-256-CBC]

Suggestion: build GnuTLS with --enable-afalg so that hardware offload engines are accessible by software using GnuTLS.
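
Added example, not part of the original report and not GnuTLS code: a Python check, using the standard socket module's AF_ALG support, of whether the running kernel exposes the hash and HMAC algorithms named above to userspace and whether its output agrees with a userspace implementation. The sample input and key are constructed, and the function names are this example's own.

```python
import hashlib
import hmac
import socket

# Hash/HMAC algorithm names as listed in the report above.
NAMES = ["sha256", "sha384", "sha512",
         "hmac(sha256)", "hmac(sha384)", "hmac(sha512)"]


def afalg_digest(name, data, key=None):
    """Digest computed by the kernel over AF_ALG, or None if unavailable."""
    if not hasattr(socket, "AF_ALG"):      # non-Linux or old Python build
        return None
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as alg:
            alg.bind(("hash", name))       # fails if the kernel lacks it
            if key is not None:
                alg.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, key)
            op, _ = alg.accept()           # per-operation socket
            with op:
                op.sendall(data)           # no MSG_MORE: finalises the hash
                return op.recv(64)         # 64 bytes covers SHA-512
    except OSError:                        # e.g. blocked by a sandbox policy
        return None


def userspace_digest(name, data, key=None):
    """Reference value from Python's own (userspace) implementation."""
    if name.startswith("hmac("):
        return hmac.new(key, data, name[5:-1]).digest()
    return hashlib.new(name, data).digest()


def check(name, data, key=None):
    """Compare kernel and userspace results for one algorithm."""
    kernel = afalg_digest(name, data, key)
    if kernel is None:
        return "unavailable"
    ref = userspace_digest(name, data, key)
    return "match" if hmac.compare_digest(kernel, ref) else "MISMATCH"


def survey(data=b"constructed sample input", key=b"k" * 32):
    """Map each algorithm name to match / unavailable / MISMATCH."""
    return {n: check(n, data, key if n.startswith("hmac(") else None)
            for n in NAMES}


if __name__ == "__main__":
    for name, status in survey().items():
        print(f"{name:14} {status}")
```

An "unavailable" result means the AF_ALG socket could not be created or bound in this environment; it does not say whether a hardware driver backs the algorithm.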