From: Josh Rickmar <jrick@zettaport.com>
Subject: Re: Check permissions of iked psk files
To: tech@openbsd.org
Date: Fri, 12 Apr 2024 19:45:14 -0400

On Fri, Apr 12, 2024 at 07:39:58PM -0400, Josh Rickmar wrote:
> The same permission checks performed on /etc/iked.conf (which afaict
> are only done due to the possibility of inline preshared key strings)
> should be performed on psk files.
> 
> ok?
> 

Reordered to perform the fstat first (although check_file_secrecy also
performs a fstat, this results in a better error message).

diff /usr/src
commit - 93536db294f52bc74669089161e04f33a62520f5
path + /usr/src
blob - 5fadcd200e692cc03a3c398f03c2ba50bf41cdc7
file + sbin/iked/parse.y
--- sbin/iked/parse.y
+++ sbin/iked/parse.y
@@ -1952,6 +1952,8 @@ parsekeyfile(char *filename, struct iked_auth *auth)
 		err(1, "open %s", filename);
 	if (fstat(fd, &sb) == -1)
 		err(1, "parsekeyfile: stat %s", filename);
+	if (check_file_secrecy(fd, filename) == -1)
+		exit(1);
 	if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
 		errx(1, "%s: key too %s", filename, sb.st_size ? "large" :
 		    "small");
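
Review bot: the added `exit(1)` after `check_file_secrecy(fd, filename) == -1` prints nothing itself, whereas every other failure path in this hunk goes through err()/errx() and names the file. If check_file_secrecy() already logs the path and the reason, a one-line comment saying so would make the silent exit obviously intentional; if it does not, use `errx(1, "%s: bad permissions", filename)` or similar so the operator can tell which psk file was rejected. Checking on the already-open fd rather than on the path is the right choice, since the permissions that get checked belong to the same file that is read afterwards. Because config parsing now exits on psk files that were previously accepted, the requirement deserves a sentence in iked.conf(5) next to the description of psk files.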