Commit fb2cba08 authored by Trond Myklebust, committed by Anna Schumaker

NFS: Check the TLS certificate fields in nfs_match_client()



If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the
cert_serial and privkey_serial fields need to match as well since they
define the client's identity, as presented to the server.

Fixes: 90c9550a ("NFS: support the kernel keyring for TLS")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
parent 8ab523ce
+8 −0
@@ -338,6 +338,14 @@ static struct nfs_client *nfs_match_client(const struct nfs_client_initdata *dat
		/* Match the xprt security policy */
		if (clp->cl_xprtsec.policy != data->xprtsec.policy)
			continue;
		if (clp->cl_xprtsec.policy == RPC_XPRTSEC_TLS_X509) {
			if (clp->cl_xprtsec.cert_serial !=
			    data->xprtsec.cert_serial)
				continue;
			if (clp->cl_xprtsec.privkey_serial !=
			    data->xprtsec.privkey_serial)
				continue;
		}

		refcount_inc(&clp->cl_count);
		return clp;
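Review bot: The new RPC_XPRTSEC_TLS_X509 block in nfs_match_client() sits under the existing "Match the xprt security policy" comment but carries no comment of its own explaining why cert_serial and privkey_serial are compared. The commit message gives the reason (the two fields define the client's identity as presented to the server), and a one-line comment saying so above the `if (clp->cl_xprtsec.policy == RPC_XPRTSEC_TLS_X509)` test would keep a later reader from treating the check as redundant with the policy comparison. As a style point, the two inner tests end in the same `continue` and could be one condition joined with `||`, or the whole comparison of `clp->cl_xprtsec` against `data->xprtsec` could move into a small helper so any identity field added to the structure later is matched in one place.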