[PATCH 1/8] nvme-keyring: restrict match length for version '1' identifiers
Christoph Hellwig
hch at lst.de
Thu Jul 18 22:34:33 PDT 2024
On Thu, Jul 18, 2024 at 04:48:51PM +0200, Hannes Reinecke wrote:
> TP8018 changed the TLS PSK identifiers to append a PSK hash value,
> so to lookup identifiers we should just consider the length of
> the match value, not the length of the identifiers to compare
> against.
> And we should modify the PSK lookup algorithm to prefer v1 identifiers
> as they can be uniquely identified.
Can you reword this a bit to remove the weird "we should" and state it
in terms of requirements / recommendations from the standard. Bonus
points for adding actual references to the specifications.
> @@ -109,19 +107,38 @@ static struct key *nvme_tls_psk_lookup(struct key *keyring,
> *
> * 'Retained' PSKs (ie 'generated == false')
> * should be preferred to 'generated' PSKs,
> + * PSKs with hash (psk_ver 1) should be
> + * preferred to PSKs without (psk_ver 0),
> * and SHA-384 should be preferred to SHA-256.
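Review bot: the comment block now lists three preferences (retained over generated, psk_ver 1 over psk_ver 0, SHA-384 over SHA-256) but does not say which one wins when they conflict, for example a generated psk_ver 1 key against a retained psk_ver 0 key. Spell out the precedence order in the comment so it can be checked against the priority the lookup code assigns.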
Please reflow this to use up 80 characters and make the paragraph easily
readable.