by cristinamillion 3535 days ago
> Cryptography on Linux (or - on most platforms) is still in a bad shape.

libsodium addresses the non-TLS part of this pretty well, doesn't it? I know it doesn't have any native password-based KDF that won't DOS your device under anything but simple load, but otherwise it uses good algorithms.

> today Chacha20-Poly1305 is the only viable AEAD crypto system for embedded/low-computing-capability devices, including those with AES acceleration.

True, but there are some nice-looking AEAD candidates in the CAESAR competition, some of which out-perform AES-GCM and CHACHA20 by a good margin. We'd probably all be using OCB mode if Rogaway hadn't used such a bizarre initial license (which took a few iterations to get in a sane state and still requires you to pay him something like $70,000 USD for use in commercial embedded systems).


NaCl/libsodium doesn't really work for a lot of cases, partly since it only supports AES-(GCM) if the hardware supports it, which just ain't going to work for anything that uses encryption for storage ("You can't open this file on this computer, please go to a computer with AES-NI, thank you"), and partly because its opinionated approach doesn't work for some software (AES-GCM is actually an instance of this).

Otherwise it's a nice library. So if it works for a project I highly recommend it.

--

I really hope that CAESAR moves the state of AEAD forwards. By all accounts it already has.