From: Trond Myklebust Date: Sun, 19 Oct 2025 00:10:36 +0000 (-0400) Subject: NFS: Check the TLS certificate fields in nfs_match_client() X-Git-Tag: v6.17.9~138 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8fa37219074811c04d4ecb742c73e2b296da6a8;p=thirdparty%2Fkernel%2Fstable.git NFS: Check the TLS certificate fields in nfs_match_client() [ Upstream commit fb2cba0854a7f315c8100a807a6959b99d72479e ] If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client's identity, as presented to the server. Fixes: 90c9550a8d65 ("NFS: support the kernel keyring for TLS") Signed-off-by: Trond Myklebust Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin --- diff --git a/fs/nfs/client.c b/fs/nfs/client.c index 4e3dcc157a83c..54699299d5b16 100644 --- a/fs/nfs/client.c +++ b/fs/nfs/client.c @@ -338,6 +338,14 @@ again: /* Match the xprt security policy */ if (clp->cl_xprtsec.policy != data->xprtsec.policy) continue; + if (clp->cl_xprtsec.policy == RPC_XPRTSEC_TLS_X509) { + if (clp->cl_xprtsec.cert_serial != + data->xprtsec.cert_serial) + continue; + if (clp->cl_xprtsec.privkey_serial != + data->xprtsec.privkey_serial) + continue; + } refcount_inc(&clp->cl_count); return clp;
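Review bot: In the `@@ -338,6 +338,14 @@` hunk of fs/nfs/client.c, the new `RPC_XPRTSEC_TLS_X509` block carries no comment saying why the two serials must match, and the existing `/* Match the xprt security policy */` comment above it now describes only the first check. The reason is given only in the commit message (cert_serial and privkey_serial define the client's identity as presented to the server), so a one-line comment above the new `if` stating that an existing nfs_client must not be reused under a different certificate or private key would keep that rationale next to the code. As a style point, the policy test and the two serial comparisons could be folded into one small helper that compares the whole xprtsec parameters of `clp` and `data`, so that any identity-relevant field added to that structure later is checked in a single place rather than being missed in this loop.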