1User Space Interface 2==================== 3 4Introduction 5------------ 6 7AF_ALG provides unprivileged userspace programs access to arbitrary hash, 8symmetric cipher, AEAD, and RNG algorithms that are implemented in kernel-mode 9code. 10 11AF_ALG is insecure and is deprecated. Originally added to the kernel in 2010, 12most kernel developers now consider it to be a mistake. Support for hardware 13accelerators, which was the original purpose of AF_ALG, has been removed. 14 15AF_ALG continues to be supported only for backwards compatibility. On systems 16where no programs using AF_ALG remain, the support for it should be disabled by 17disabling ``CONFIG_CRYPTO_USER_API_*``. 18 19Deprecation 20----------- 21 22AF_ALG was originally intended to provide userspace programs access to crypto 23accelerators that they wouldn't otherwise have access to. 24 25However, that capability turned out to not be useful on very many systems. More 26significantly, the actual implementation exposes a vastly greater amount of 27functionality than that. It actually provides access to all software algorithms. 28 29This includes arbitrary compositions of different algorithms created via a 30complex template system, as well as algorithms that only make sense as internal 31implementation details of other algorithms. In the past, it also included full 32zero-copy support, which was difficult for the kernel to implement securely. 33 34Ultimately, these algorithms are just math computations. They use the same 35instructions that userspace programs already have access to, just accessed in a 36much more convoluted and less efficient way. 37 38Indeed, userspace code is nearly always what is being used anyway. These same 39algorithms are widely implemented in userspace crypto libraries. 40 41Even when zero-copy and off-CPU accelerators were supported, AF_ALG was usually 42much slower than optimized software cryptography in userspace. This was 43especially true for the small message sizes usually seen in performance-critical 44workloads. While it was possible to demonstrate performance wins for hashing 45large files on embedded devices, it is hard to imagine a situation where this 46would be performance-critical. 47 48Nowadays, AF_ALG no longer supports zero-copy or off-CPU accelerators. 49Therefore, it is *always* slower than an optimized userspace implementation, 50even for large messages. The only possible advantage left is that it avoids 51duplicating code between kernel and userspace. However, userspace 52implementations, especially hardware-accelerated ones, do not need to be large. 53Just because OpenSSL is huge does not mean that all userspace cryptography 54libraries are. 55 56Meanwhile, AF_ALG hasn't been withstanding modern vulnerability discovery tools 57such as syzbot and large language models. It receives a steady stream of CVEs. 58Some of the examples include: 59 60- CVE-2026-31677 61- CVE-2026-31431 (https://copy.fail) 62- CVE-2025-38079 63- CVE-2025-37808 64- CVE-2024-26824 65- CVE-2022-48781 66- CVE-2019-8912 67- CVE-2018-14619 68- CVE-2017-18075 69- CVE-2017-17806 70- CVE-2017-17805 71- CVE-2016-10147 72- CVE-2015-8970 73- CVE-2015-3331 74- CVE-2014-9644 75- CVE-2013-7421 76- CVE-2011-4081 77 78Hardware accelerator drivers are frequently buggy. To reduce attack surface, 79AF_ALG now only provides access to algorithms implemented in software. This 80means that AF_ALG no longer fulfills its original purpose. 81 82It is recommended that, whenever possible, userspace programs be migrated to 83userspace crypto code (which again, is what is normally used anyway) and 84``CONFIG_CRYPTO_USER_API_*`` be disabled. On systems that use SELinux, SELinux 85can also be used to restrict the use of AF_ALG to trusted programs. 86 87The remainder of this documentation provides the historical documentation for 88the deprecated AF_ALG interface. 89 90User Space API General Remarks 91------------------------------ 92 93The kernel crypto API is accessible from user space. Currently, the 94following ciphers are accessible: 95 96- Message digest including keyed message digest (HMAC, CMAC) 97 98- Symmetric ciphers 99 100- AEAD ciphers 101 102- Random Number Generators 103 104The interface is provided via socket type using the type AF_ALG. In 105addition, the setsockopt option type is SOL_ALG. In case the user space 106header files do not export these flags yet, use the following macros: 107 108:: 109 110 #ifndef AF_ALG 111 #define AF_ALG 38 112 #endif 113 #ifndef SOL_ALG 114 #define SOL_ALG 279 115 #endif 116 117 118A cipher is accessed with the same name as done for the in-kernel API 119calls. This includes the generic vs. unique naming schema for ciphers as 120well as the enforcement of priorities for generic names. 121 122To interact with the kernel crypto API, a socket must be created by the 123user space application. User space invokes the cipher operation with the 124send()/write() system call family. The result of the cipher operation is 125obtained with the read()/recv() system call family. 126 127The following API calls assume that the socket descriptor is already 128opened by the user space application and discusses only the kernel 129crypto API specific invocations. 130 131To initialize the socket interface, the following sequence has to be 132performed by the consumer: 133 1341. Create a socket of type AF_ALG with the struct sockaddr_alg 135 parameter specified below for the different cipher types. 136 1372. Invoke bind with the socket descriptor 138 1393. Invoke accept with the socket descriptor. The accept system call 140 returns a new file descriptor that is to be used to interact with the 141 particular cipher instance. When invoking send/write or recv/read 142 system calls to send data to the kernel or obtain data from the 143 kernel, the file descriptor returned by accept must be used. 144 145In-place Cipher operation 146------------------------- 147 148Just like the in-kernel operation of the kernel crypto API, the user 149space interface allows the cipher operation in-place. That means that 150the input buffer used for the send/write system call and the output 151buffer used by the read/recv system call may be one and the same. This 152is of particular interest for symmetric cipher operations where a 153copying of the output data to its final destination can be avoided. 154 155If a consumer on the other hand wants to maintain the plaintext and the 156ciphertext in different memory locations, all a consumer needs to do is 157to provide different memory pointers for the encryption and decryption 158operation. 159 160Message Digest API 161------------------ 162 163The message digest type to be used for the cipher operation is selected 164when invoking the bind syscall. bind requires the caller to provide a 165filled struct sockaddr data structure. This data structure must be 166filled as follows: 167 168:: 169 170 struct sockaddr_alg sa = { 171 .salg_family = AF_ALG, 172 .salg_type = "hash", /* this selects the hash logic in the kernel */ 173 .salg_name = "sha1" /* this is the cipher name */ 174 }; 175 176 177The salg_type value "hash" applies to message digests and keyed message 178digests. Though, a keyed message digest is referenced by the appropriate 179salg_name. Please see below for the setsockopt interface that explains 180how the key can be set for a keyed message digest. 181 182Using the send() system call, the application provides the data that 183should be processed with the message digest. The send system call allows 184the following flags to be specified: 185 186- MSG_MORE: If this flag is set, the send system call acts like a 187 message digest update function where the final hash is not yet 188 calculated. If the flag is not set, the send system call calculates 189 the final message digest immediately. 190 191With the recv() system call, the application can read the message digest 192from the kernel crypto API. If the buffer is too small for the message 193digest, the flag MSG_TRUNC is set by the kernel. 194 195In order to set a message digest key, the calling application must use 196the setsockopt() option of ALG_SET_KEY or ALG_SET_KEY_BY_KEY_SERIAL. If the 197key is not set the HMAC operation is performed without the initial HMAC state 198change caused by the key. 199 200Symmetric Cipher API 201-------------------- 202 203The operation is very similar to the message digest discussion. During 204initialization, the struct sockaddr data structure must be filled as 205follows: 206 207:: 208 209 struct sockaddr_alg sa = { 210 .salg_family = AF_ALG, 211 .salg_type = "skcipher", /* this selects the symmetric cipher */ 212 .salg_name = "cbc(aes)" /* this is the cipher name */ 213 }; 214 215 216Before data can be sent to the kernel using the write/send system call 217family, the consumer must set the key. The key setting is described with 218the setsockopt invocation below. 219 220Using the sendmsg() system call, the application provides the data that 221should be processed for encryption or decryption. In addition, the IV is 222specified with the data structure provided by the sendmsg() system call. 223 224The sendmsg system call parameter of struct msghdr is embedded into the 225struct cmsghdr data structure. See recv(2) and cmsg(3) for more 226information on how the cmsghdr data structure is used together with the 227send/recv system call family. That cmsghdr data structure holds the 228following information specified with a separate header instances: 229 230- specification of the cipher operation type with one of these flags: 231 232 - ALG_OP_ENCRYPT - encryption of data 233 234 - ALG_OP_DECRYPT - decryption of data 235 236- specification of the IV information marked with the flag ALG_SET_IV 237 238The send system call family allows the following flag to be specified: 239 240- MSG_MORE: If this flag is set, the send system call acts like a 241 cipher update function where more input data is expected with a 242 subsequent invocation of the send system call. 243 244Note: The kernel reports -EINVAL for any unexpected data. The caller 245must make sure that all data matches the constraints given in 246/proc/crypto for the selected cipher. 247 248With the recv() system call, the application can read the result of the 249cipher operation from the kernel crypto API. The output buffer must be 250at least as large as to hold all blocks of the encrypted or decrypted 251data. If the output data size is smaller, only as many blocks are 252returned that fit into that output buffer size. 253 254AEAD Cipher API 255--------------- 256 257The operation is very similar to the symmetric cipher discussion. During 258initialization, the struct sockaddr data structure must be filled as 259follows: 260 261:: 262 263 struct sockaddr_alg sa = { 264 .salg_family = AF_ALG, 265 .salg_type = "aead", /* this selects the symmetric cipher */ 266 .salg_name = "gcm(aes)" /* this is the cipher name */ 267 }; 268 269 270Before data can be sent to the kernel using the write/send system call 271family, the consumer must set the key. The key setting is described with 272the setsockopt invocation below. 273 274In addition, before data can be sent to the kernel using the write/send 275system call family, the consumer must set the authentication tag size. 276To set the authentication tag size, the caller must use the setsockopt 277invocation described below. 278 279Using the sendmsg() system call, the application provides the data that 280should be processed for encryption or decryption. In addition, the IV is 281specified with the data structure provided by the sendmsg() system call. 282 283The sendmsg system call parameter of struct msghdr is embedded into the 284struct cmsghdr data structure. See recv(2) and cmsg(3) for more 285information on how the cmsghdr data structure is used together with the 286send/recv system call family. That cmsghdr data structure holds the 287following information specified with a separate header instances: 288 289- specification of the cipher operation type with one of these flags: 290 291 - ALG_OP_ENCRYPT - encryption of data 292 293 - ALG_OP_DECRYPT - decryption of data 294 295- specification of the IV information marked with the flag ALG_SET_IV 296 297- specification of the associated authentication data (AAD) with the 298 flag ALG_SET_AEAD_ASSOCLEN. The AAD is sent to the kernel together 299 with the plaintext / ciphertext. See below for the memory structure. 300 301The send system call family allows the following flag to be specified: 302 303- MSG_MORE: If this flag is set, the send system call acts like a 304 cipher update function where more input data is expected with a 305 subsequent invocation of the send system call. 306 307Note: The kernel reports -EINVAL for any unexpected data. The caller 308must make sure that all data matches the constraints given in 309/proc/crypto for the selected cipher. 310 311With the recv() system call, the application can read the result of the 312cipher operation from the kernel crypto API. The output buffer must be 313at least as large as defined with the memory structure below. If the 314output data size is smaller, the cipher operation is not performed. 315 316The authenticated decryption operation may indicate an integrity error. 317Such breach in integrity is marked with the -EBADMSG error code. 318 319AEAD Memory Structure 320~~~~~~~~~~~~~~~~~~~~~ 321 322The AEAD cipher operates with the following information that is 323communicated between user and kernel space as one data stream: 324 325- plaintext or ciphertext 326 327- associated authentication data (AAD) 328 329- authentication tag 330 331The sizes of the AAD and the authentication tag are provided with the 332sendmsg and setsockopt calls (see there). As the kernel knows the size 333of the entire data stream, the kernel is now able to calculate the right 334offsets of the data components in the data stream. 335 336The user space caller must arrange the aforementioned information in the 337following order: 338 339- AEAD encryption input: AAD \|\| plaintext 340 341- AEAD decryption input: AAD \|\| ciphertext \|\| authentication tag 342 343The output buffer the user space caller provides must be at least as 344large to hold the following data: 345 346- AEAD encryption output: ciphertext \|\| authentication tag 347 348- AEAD decryption output: plaintext 349 350Random Number Generator API 351--------------------------- 352 353Again, the operation is very similar to the other APIs. During 354initialization, the struct sockaddr data structure must be filled as 355follows: 356 357:: 358 359 struct sockaddr_alg sa = { 360 .salg_family = AF_ALG, 361 .salg_type = "rng", /* this selects the random number generator */ 362 .salg_name = "stdrng" /* this is the RNG name */ 363 }; 364 365 366Depending on the RNG type, the RNG must be seeded. The seed is provided 367using the setsockopt interface to set the key. The SP800-90A DRBGs do 368not require a seed, but may be seeded. The seed is also known as a 369*Personalization String* in NIST SP 800-90A standard. 370 371Using the read()/recvmsg() system calls, random numbers can be obtained. 372The kernel generates at most 128 bytes in one call. If user space 373requires more data, multiple calls to read()/recvmsg() must be made. 374 375WARNING: The user space caller may invoke the initially mentioned accept 376system call multiple times. In this case, the returned file descriptors 377have the same state. 378 379Following CAVP testing interfaces are enabled when kernel is built with 380CRYPTO_USER_API_RNG_CAVP option: 381 382- the concatenation of *Entropy* and *Nonce* can be provided to the RNG via 383 ALG_SET_DRBG_ENTROPY setsockopt interface. Setting the entropy requires 384 CAP_SYS_ADMIN permission. 385 386- *Additional Data* can be provided using the send()/sendmsg() system calls, 387 but only after the entropy has been set. 388 389Zero-Copy Interface 390------------------- 391 392AF_ALG used to have zero-copy support, but it was removed due to it being a 393frequent source of vulnerabilities. For backwards compatibility the splice() 394and sendfile() system calls are still supported, but the kernel will make an 395internal copy of the data before passing it to the crypto code. 396 397 398Setsockopt Interface 399-------------------- 400 401In addition to the read/recv and send/write system call handling to send 402and retrieve data subject to the cipher operation, a consumer also needs 403to set the additional information for the cipher operation. This 404additional information is set using the setsockopt system call that must 405be invoked with the file descriptor of the open cipher (i.e. the file 406descriptor returned by the accept system call). 407 408Each setsockopt invocation must use the level SOL_ALG. 409 410The setsockopt interface allows setting the following data using the 411mentioned optname: 412 413- ALG_SET_KEY -- Setting the key. Key setting is applicable to: 414 415 - the skcipher cipher type (symmetric ciphers) 416 417 - the hash cipher type (keyed message digests) 418 419 - the AEAD cipher type 420 421 - the RNG cipher type to provide the seed 422 423- ALG_SET_KEY_BY_KEY_SERIAL -- Setting the key via keyring key_serial_t. 424 This operation behaves the same as ALG_SET_KEY. The decrypted 425 data is copied from a keyring key, and uses that data as the 426 key for symmetric encryption. 427 428 The passed in key_serial_t must have the KEY_(POS|USR|GRP|OTH)_SEARCH 429 permission set, otherwise -EPERM is returned. Supports key types: user, 430 logon, encrypted, and trusted. 431 432- ALG_SET_AEAD_AUTHSIZE -- Setting the authentication tag size for 433 AEAD ciphers. For a encryption operation, the authentication tag of 434 the given size will be generated. For a decryption operation, the 435 provided ciphertext is assumed to contain an authentication tag of 436 the given size (see section about AEAD memory layout below). 437 438- ALG_SET_DRBG_ENTROPY -- Setting the entropy of the random number generator. 439 This option is applicable to RNG cipher type only. 440 441User space API example 442---------------------- 443 444Please see [1] for libkcapi which provides an easy-to-use wrapper around 445the aforementioned Netlink kernel interface. [1] also contains a test 446application that invokes all libkcapi API calls. 447 448[1] https://www.chronox.de/libkcapi/index.html 449