raspi/linux
1
0
Fork 1
mirror of https://github.com/raspberrypi/linux.git synced 2025-12-06 01:49:46 +00:00
Code Issues Projects Releases Wiki Activity

NFS: Check the TLS certificate fields in nfs_match_client()

Browse Source 
If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the
cert_serial and privkey_serial fields need to match as well since they
define the client's identity, as presented to the server.

Fixes: 90c9550a8d ("NFS: support the kernel keyring for TLS")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
This commit is contained in:
Trond Myklebust
2025-10-18 20:10:36 -04:00
committed by Anna Schumaker
parent 8ab523ce78
commit fb2cba0854
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
fs/nfs/client.c
View File

@@ -338,6 +338,14 @@ again:
/* Match the xprt security policy */
if (clp->cl_xprtsec.policy != data->xprtsec.policy)
continue;
if (clp->cl_xprtsec.policy == RPC_XPRTSEC_TLS_X509) {
if (clp->cl_xprtsec.cert_serial !=
data->xprtsec.cert_serial)
continue;
if (clp->cl_xprtsec.privkey_serial !=
data->xprtsec.privkey_serial)
continue;
}
refcount_inc(&clp->cl_count);
return clp;