Fix `puttygen-unix-perms': f_open(), PuTTY's wrapper on fopen, now

takes a third argument which is TRUE if the file is being opened for
writing and wants to be created in such a way that it's readable
only to the owner. This is used when saving private keys.

While I'm here, I also use this option when writing session logs, on
the general principle that they probably contain _something_
sensitive.

The new argument is only supported on Unix, for the moment. (I think
writing owner-accessible-only files is the default on Windows.)

[originally from svn r7084]

cmdgen.c

@@ -893,7 +893,7 @@ int main(int argc, char **argv)
 	    assert(ssh1key);
 
 	    if (outfile)
-		fp = f_open(outfilename, "w");
+		fp = f_open(outfilename, "w", FALSE);
 	    else
 		fp = stdout;
 	    dec1 = bignum_decimal(ssh1key->exponent);
@@ -951,7 +951,7 @@ int main(int argc, char **argv)
 		*p++ = '\0';
 
 	    if (outfile)
-		fp = f_open(outfilename, "w");
+		fp = f_open(outfilename, "w", FALSE);
 	    else
 		fp = stdout;
 	    fprintf(fp, "%s\n", buffer);
@@ -981,7 +981,7 @@ int main(int argc, char **argv)
 	    }
 
 	    if (outfile)
-		fp = f_open(outfilename, "w");
+		fp = f_open(outfilename, "w", FALSE);
 	    else
 		fp = stdout;
 	    fprintf(fp, "%s\n", fingerprint);

import.c

@@ -333,7 +333,7 @@ static struct openssh_key *load_openssh_key(const Filename *filename,
     ret->encrypted = 0;
     memset(ret->iv, 0, sizeof(ret->iv));
 
-    fp = f_open(*filename, "r");
+    fp = f_open(*filename, "r", FALSE);
     if (!fp) {
 	errmsg = "unable to open key file";
 	goto error;
@@ -893,7 +893,7 @@ int openssh_write(const Filename *filename, struct ssh2_userkey *key,
      * And save it. We'll use Unix line endings just in case it's
      * subsequently transferred in binary mode.
      */
-    fp = f_open(*filename, "wb");      /* ensure Unix line endings */
+    fp = f_open(*filename, "wb", TRUE);      /* ensure Unix line endings */
     if (!fp)
 	goto error;
     fputs(header, fp);
@@ -1027,7 +1027,7 @@ static struct sshcom_key *load_sshcom_key(const Filename *filename,
     ret->keyblob = NULL;
     ret->keyblob_len = ret->keyblob_size = 0;
 
-    fp = f_open(*filename, "r");
+    fp = f_open(*filename, "r", FALSE);
     if (!fp) {
 	errmsg = "unable to open key file";
 	goto error;
@@ -1646,7 +1646,7 @@ int sshcom_write(const Filename *filename, struct ssh2_userkey *key,
      * And save it. We'll use Unix line endings just in case it's
      * subsequently transferred in binary mode.
      */
-    fp = f_open(*filename, "wb");      /* ensure Unix line endings */
+    fp = f_open(*filename, "wb", TRUE);      /* ensure Unix line endings */
     if (!fp)
 	goto error;
     fputs("---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----\n", fp);

logging.c

@@ -85,7 +85,7 @@ static void logfopen_callback(void *handle, int mode)
 	ctx->state = L_ERROR;	       /* disable logging */
     } else {
 	fmode = (mode == 1 ? "ab" : "wb");
-	ctx->lgfp = f_open(ctx->currlogfilename, fmode);
+	ctx->lgfp = f_open(ctx->currlogfilename, fmode, TRUE);
 	if (ctx->lgfp)
 	    ctx->state = L_OPEN;
 	else
@@ -149,7 +149,7 @@ void logfopen(void *handle)
     /* substitute special codes in file name */
     xlatlognam(&ctx->currlogfilename, ctx->cfg.logfilename,ctx->cfg.host, &tm);
 
-    ctx->lgfp = f_open(ctx->currlogfilename, "r");  /* file already present? */
+    ctx->lgfp = f_open(ctx->currlogfilename, "r", FALSE);  /* file already present? */
     if (ctx->lgfp) {
 	fclose(ctx->lgfp);
 	if (ctx->cfg.logxfovr != LGXF_ASK) {

mac/macmisc.c

@@ -156,7 +156,7 @@ int filename_is_null(Filename fn)
     return fn.fss.vRefNum == 0 && fn.fss.parID == 0 && fn.fss.name[0] == 0;
 }
 
-FILE *f_open(Filename fn, char const *mode)
+FILE *f_open(Filename fn, char const *mode, int is_private)
 {
     short savevol;
     long savedir;

mac/macstuff.h

@@ -14,7 +14,7 @@ struct Filename {
     FSSpec fss;
 };
 
-extern FILE * f_open(struct Filename, char const *);
+extern FILE * f_open(struct Filename, char const *, int);
 
 /* Suspiciously similar to an ICFontRecord */
 struct FontSpec {

sshpubk.c

@@ -162,7 +162,7 @@ int loadrsakey(const Filename *filename, struct RSAKey *key, char *passphrase,
     int ret = 0;
     const char *error = NULL;
 
-    fp = f_open(*filename, "rb");
+    fp = f_open(*filename, "rb", FALSE);
     if (!fp) {
 	error = "can't open file";
 	goto end;
@@ -203,7 +203,7 @@ int rsakey_encrypted(const Filename *filename, char **comment)
     FILE *fp;
     char buf[64];
 
-    fp = f_open(*filename, "rb");
+    fp = f_open(*filename, "rb", FALSE);
     if (!fp)
 	return 0;		       /* doesn't even exist */
 
@@ -241,7 +241,7 @@ int rsakey_pubblob(const Filename *filename, void **blob, int *bloblen,
     *bloblen = 0;
     ret = 0;
 
-    fp = f_open(*filename, "rb");
+    fp = f_open(*filename, "rb", FALSE);
     if (!fp) {
 	error = "can't open file";
 	goto end;
@@ -364,7 +364,7 @@ int saversakey(const Filename *filename, struct RSAKey *key, char *passphrase)
     /*
      * Done. Write the result to the file.
      */
-    fp = f_open(*filename, "wb");
+    fp = f_open(*filename, "wb", TRUE);
     if (fp) {
 	int ret = (fwrite(buf, 1, p - buf, fp) == (size_t) (p - buf));
         if (fclose(fp))
@@ -634,7 +634,7 @@ struct ssh2_userkey *ssh2_load_userkey(const Filename *filename,
     encryption = comment = mac = NULL;
     public_blob = private_blob = NULL;
 
-    fp = f_open(*filename, "rb");
+    fp = f_open(*filename, "rb", FALSE);
     if (!fp) {
 	error = "can't open file";
 	goto error;
@@ -883,7 +883,7 @@ unsigned char *ssh2_userkey_loadpub(const Filename *filename, char **algorithm,
 
     public_blob = NULL;
 
-    fp = f_open(*filename, "rb");
+    fp = f_open(*filename, "rb", FALSE);
     if (!fp) {
 	error = "can't open file";
 	goto error;
@@ -964,7 +964,7 @@ int ssh2_userkey_encrypted(const Filename *filename, char **commentptr)
     if (commentptr)
 	*commentptr = NULL;
 
-    fp = f_open(*filename, "rb");
+    fp = f_open(*filename, "rb", FALSE);
     if (!fp)
 	return 0;
     if (!read_header(fp, header)
@@ -1145,7 +1145,7 @@ int ssh2_save_userkey(const Filename *filename, struct ssh2_userkey *key,
 	memset(&s, 0, sizeof(s));
     }
 
-    fp = f_open(*filename, "w");
+    fp = f_open(*filename, "w", TRUE);
     if (!fp)
 	return 0;
     fprintf(fp, "PuTTY-User-Key-File-2: %s\n", key->alg->name);
@@ -1181,7 +1181,7 @@ int key_type(const Filename *filename)
     const char openssh_sig[] = "-----BEGIN ";
     int i;
 
-    fp = f_open(*filename, "r");
+    fp = f_open(*filename, "r", FALSE);
     if (!fp)
 	return SSH_KEYTYPE_UNOPENABLE;
     i = fread(buf, 1, sizeof(buf), fp);

unix/unix.h

@@ -11,7 +11,7 @@
 struct Filename {
     char path[FILENAME_MAX];
 };
-#define f_open(filename, mode) ( fopen((filename).path, (mode)) )
+FILE *f_open(struct Filename, char const *, int);
 
 struct FontSpec {
     char name[256];

unix/uxmisc.c

@@ -5,6 +5,7 @@
 #include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <assert.h>
 #include <unistd.h>
 #include <sys/time.h>
 #include <sys/types.h>
@@ -133,3 +134,17 @@ int cloexec(int fd) {
     if (fdflags == -1) return -1;
     return fcntl(fd, F_SETFD, fdflags | FD_CLOEXEC);
 }
+
+FILE *f_open(struct Filename filename, char const *mode, int is_private)
+{
+    if (!is_private) {
+	return fopen(filename.path, mode);
+    } else {
+	assert(mode[0] == 'w');	       /* is_private is meaningless for read */
+	int fd = open(filename.path, O_WRONLY | O_CREAT | O_TRUNC,
+		      0700);
+	if (fd < 0)
+	    return NULL;
+	return fdopen(fd, mode);
+    }
+}

windows/winstuff.h

@@ -18,7 +18,7 @@
 struct Filename {
     char path[FILENAME_MAX];
 };
-#define f_open(filename, mode) ( fopen((filename).path, (mode)) )
+#define f_open(filename, mode, isprivate) ( fopen((filename).path, (mode)) )
 
 struct FontSpec {
     char name[64];