From: jrick
Date: Sat, 13 Apr 2024 15:58:10 +0000 (+0000)
Subject: check group and world permissions of iked psk files
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=38100d85fbfe7fb3efed4f57fdcf9283c9a3ecc0;p=openbsd

check group and world permissions of iked psk files

Similar to the permission checks performed on iked.conf(5) due to the possibility of it containing inline psk strings, require psk files to not be group writable or world read-writable.

ok tobhe@
---
diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index 5fadcd200e6..b9e6f4d6c1d 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.144 2023/08/11 11:24:55 tobhe Exp $ */
+/* $OpenBSD: parse.y,v 1.145 2024/04/13 15:58:10 jrick Exp $ */
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -1950,8 +1950,8 @@ parsekeyfile(char *filename, struct iked_auth *auth)
 	if ((fd = open(filename, O_RDONLY)) == -1)
 		err(1, "open %s", filename);
-	if (fstat(fd, &sb) == -1)
-		err(1, "parsekeyfile: stat %s", filename);
+	if (check_file_secrecy(fd, filename) == -1)
+		exit(1);
 	if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
 		errx(1, "%s: key too %s", filename, sb.st_size ? "large" : "small");