From: Tobias Heider <tobias.heider@stusta.de>
Subject: Re: Check permissions of iked psk files
To: Josh Rickmar <jrick@zettaport.com>
Cc: tech@openbsd.org
Date: Sat, 13 Apr 2024 14:05:56 +0200

On Fri, Apr 12, 2024 at 07:45:14PM -0400, Josh Rickmar wrote:
> On Fri, Apr 12, 2024 at 07:39:58PM -0400, Josh Rickmar wrote:
> > The same permission checks performed on /etc/iked.conf (which afaict
> > are only done due the possibility of inline preshared key strings)
> > should be performed on psk files.
> > 
> > ok?
> > 
> 
> Reordered to perform the fstat first (although check_file_secrecy also
> performs a fstat, this result in a better error message).

I think I'd just drop the fstat() in parsekeyfile(). The error message
doesn't make a huge difference.  In any case ok tobhe@

> 
> diff /usr/src
> commit - 93536db294f52bc74669089161e04f33a62520f5
> path + /usr/src
> blob - 5fadcd200e692cc03a3c398f03c2ba50bf41cdc7
> file + sbin/iked/parse.y
> --- sbin/iked/parse.y
> +++ sbin/iked/parse.y
> @@ -1952,6 +1952,8 @@ parsekeyfile(char *filename, struct iked_auth *auth)
>  		err(1, "open %s", filename);
>  	if (fstat(fd, &sb) == -1)
>  		err(1, "parsekeyfile: stat %s", filename);
> +	if (check_file_secrecy(fd, filename) == -1)
> +		exit(1);
>  	if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
>  		errx(1, "%s: key too %s", filename, sb.st_size ? "large" :
>  		    "small");
>