From 38100d85fbfe7fb3efed4f57fdcf9283c9a3ecc0 Mon Sep 17 00:00:00 2001
From: jrick
Date: Sat, 13 Apr 2024 15:58:10 +0000
Subject: [PATCH] check group and world permissions of iked psk files

Similar to the permission checks performed on iked.conf(5) due to the possibility of it containing inline psk strings, require psk files to not be group writable or world read-writable.

ok tobhe@
---
 sbin/iked/parse.y | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index 5fadcd200e6..b9e6f4d6c1d 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.144 2023/08/11 11:24:55 tobhe Exp $ */
+/* $OpenBSD: parse.y,v 1.145 2024/04/13 15:58:10 jrick Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -1950,8 +1950,8 @@ parsekeyfile(char *filename, struct iked_auth *auth)
 	if ((fd = open(filename, O_RDONLY)) == -1)
 		err(1, "open %s", filename);
-	if (fstat(fd, &sb) == -1)
-		err(1, "parsekeyfile: stat %s", filename);
+	if (check_file_secrecy(fd, filename) == -1)
+		exit(1);
 	if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
 		errx(1, "%s: key too %s", filename, sb.st_size ? "large" : "small");
-- 
2.20.1
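Review bot: The removed fstat() was the only visible call that fills `sb`, yet `sb.st_size` is still read on the very next line of the parsekeyfile hunk, so unless `sb` is populated earlier in the function (outside this hunk) the size check now reads an uninitialized struct stat, which is undefined behaviour and can let a zero- or over-sized key file pass. `check_file_secrecy(fd, filename)` takes no stat buffer, so whatever stat it performs internally cannot populate the caller's `sb`; the two fixes are independent and should be kept together rather than one replacing the other. Keep the secrecy check and re-add the stat after it: `if (fstat(fd, &sb) == -1)` / `err(1, "parsekeyfile: stat %s", filename);` before the KEYSIZE_LIMIT comparison. Both the start of parsekeyfile (with the `sb` and `fd` declarations) and the rest of its body lie outside the hunk, so the definition and behaviour of check_file_secrecy are inferred here and should be confirmed against its implementation.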