NFS: Check the TLS certificate fields in nfs_match_client()
authorTrond Myklebust <trond.myklebust@hammerspace.com>
Sun, 19 Oct 2025 00:10:36 +0000 (20:10 -0400)
committerAnna Schumaker <anna.schumaker@oracle.com>
Mon, 10 Nov 2025 15:32:28 +0000 (10:32 -0500)
If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the
cert_serial and privkey_serial fields need to match as well since they
define the client's identity, as presented to the server.

Fixes: 90c9550a8d65 ("NFS: support the kernel keyring for TLS")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
fs/nfs/client.c

index 4e3dcc157a83c857bebf8c69b5a56e49d0f6a2dc..54699299d5b16811e1475dce2c5a1d648c26228e 100644 (file)
@@ -338,6 +338,14 @@ again:
                /* Match the xprt security policy */
                if (clp->cl_xprtsec.policy != data->xprtsec.policy)
                        continue;
+               if (clp->cl_xprtsec.policy == RPC_XPRTSEC_TLS_X509) {
+                       if (clp->cl_xprtsec.cert_serial !=
+                           data->xprtsec.cert_serial)
+                               continue;
+                       if (clp->cl_xprtsec.privkey_serial !=
+                           data->xprtsec.privkey_serial)
+                               continue;
+               }
 
                refcount_inc(&clp->cl_count);
                return clp;
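Review bot: The added RPC_XPRTSEC_TLS_X509 block has no comment explaining why the two serials are compared, and the existing `/* Match the xprt security policy */` above it no longer describes everything the test does. I would add above the new `if` something like `/* X.509: cert and privkey serials are the client's identity; never share an nfs_client across identities */`. Equality is decided on the keyring serial numbers rather than on the certificate contents, so the match is only as strong as the lifetime of those keys. Whether a serial can be released and reused while a matching nfs_client is still cached is not visible in this hunk and is worth confirming. The enclosing loop in nfs_match_client() starts and ends outside the hunk.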