From 9061f6c775cd143bd7d7239efc211be444410f3d Mon Sep 17 00:00:00 2001
From: jrick
Date: Sat, 13 Apr 2024 15:58:11 +0000
Subject: check group and world permissions of iked psk files

Similar to the permission checks performed on iked.conf(5) due to the possibility of it containing inline psk strings, require psk files to not be group writable or world read-writable.

ok tobhe@
---
 sbin/iked/parse.y | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'sbin/iked')

diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index 5fadcd200e6..b9e6f4d6c1d 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.144 2023/08/11 11:24:55 tobhe Exp $ */
+/* $OpenBSD: parse.y,v 1.145 2024/04/13 15:58:10 jrick Exp $ */
 /* * Copyright (c) 2019 Tobias Heider
@@ -1950,8 +1950,8 @@ parsekeyfile(char *filename, struct iked_auth *auth)
 if ((fd = open(filename, O_RDONLY)) == -1)
 err(1, "open %s", filename);
- if (fstat(fd, &sb) == -1)
- err(1, "parsekeyfile: stat %s", filename);
+ if (check_file_secrecy(fd, filename) == -1)
+ exit(1);
 if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
 errx(1, "%s: key too %s", filename, sb.st_size ? "large" : "small");
-- 
cgit v1.2.3
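Review bot: In the second hunk (parsekeyfile), nothing visible fills `sb` any more before `sb.st_size` is compared with `KEYSIZE_LIMIT` on the following context line. The removed `fstat(fd, &sb)` was the only call in the hunk that populated it, and `check_file_secrecy(fd, filename)` is not passed `sb`, so it presumably stats into storage of its own. If that is the case, the size limit is evaluated on an indeterminate value, and any later code that sizes the key read from `sb.st_size` inherits it. The permission check should be added next to the stat rather than replace it: keep `if (fstat(fd, &sb) == -1)` / `err(1, "parsekeyfile: stat %s", filename);` ahead of the `check_file_secrecy` call. The declaration of `sb` and the rest of parsekeyfile are outside the hunk, so confirm there that no other initialisation exists.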