From: Josh Rickmar <jrick@zettaport.com>
Subject: Check permissions of iked psk files
To: tech@openbsd.org
Date: Fri, 12 Apr 2024 19:39:58 -0400

The same permission checks performed on /etc/iked.conf (which afaict
are only done due the possibility of inline preshared key strings)
should be performed on psk files.

ok?

diff /usr/src
commit - 93536db294f52bc74669089161e04f33a62520f5
path + /usr/src
blob - 5fadcd200e692cc03a3c398f03c2ba50bf41cdc7
file + sbin/iked/parse.y
--- sbin/iked/parse.y
+++ sbin/iked/parse.y
@@ -1950,6 +1950,8 @@ parsekeyfile(char *filename, struct iked_auth *auth)
 
 	if ((fd = open(filename, O_RDONLY)) == -1)
 		err(1, "open %s", filename);
+	if (check_file_secrecy(fd, filename) == -1)
+		exit(1);
 	if (fstat(fd, &sb) == -1)
 		err(1, "parsekeyfile: stat %s", filename);
 	if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))