keys+nts: warn if loading world-readable/writable key

Log a warning message if the file specified by the keyfile or ntsserverkey directive is world-readable or writable, which is likely an insecure misconfiguration. There is no check of directories containing the file.
2025-12-05 13:55:07 -05:00 · 2023-01-19 16:09:40 +01:00
parent 88e711ad9a
commit 9cba9c8585
4 changed files with 32 additions and 0 deletions
--- a/nts_ke_session.c
+++ b/nts_ke_session.c
@@ -667,6 +667,8 @@ create_credentials(const char **certs, const char **keys, int n_certs_keys,
      assert(0);

    for (i = 0; i < n_certs_keys; i++) {
+      if (!UTI_CheckFilePermissions(keys[i], 0771))
+        ;
      r = gnutls_certificate_set_x509_key_file(credentials, certs[i], keys[i],
                                               GNUTLS_X509_FMT_PEM);
      if (r < 0)