On Tue, Feb 07, 2023 at 10:51:46AM -0800, Jakub Kicinski wrote:
>
> Any aes-gcm or chacha-poly implementations which would do that come
> to mind? I'm asking 'cause we probably want to do stable if we know
> of a combination which would be broken, or the chances of one existing
> are high.

Good point. I had a quick look at tls_sw.c and it *appears* to be
safe with the default software code. As tls_sw only uses the generic
AEAD algorithms (rather than the IPsec-specific variants, which aren't
safe), the software-only paths *should* be OK.

However, drivers that support these algorithms may require fallbacks
for esoteric reasons. For example, drivers/crypto/amcc appears to
require a fallback for certain input parameters, which may or may not
be possible with TLS.

To be on the safe side I would do a backport once this has been in
mainline for a little bit.

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt