From 4fa9564c909c589bcccc95d57fae5469063c1759 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Tue, 9 Jan 2007 18:14:30 +0000 Subject: [PATCH] Fix `puttygen-unix-perms': f_open(), PuTTY's wrapper on fopen, now takes a third argument which is TRUE if the file is being opened for writing and wants to be created in such a way that it's readable only to the owner. This is used when saving private keys. While I'm here, I also use this option when writing session logs, on the general principle that they probably contain _something_ sensitive. The new argument is only supported on Unix, for the moment. (I think writing owner-accessible-only files is the default on Windows.) [originally from svn r7084] --- cmdgen.c | 6 +++--- import.c | 8 ++++---- logging.c | 4 ++-- mac/macmisc.c | 2 +- mac/macstuff.h | 2 +- sshpubk.c | 18 +++++++++--------- unix/unix.h | 2 +- unix/uxmisc.c | 15 +++++++++++++++ windows/winstuff.h | 2 +- 9 files changed, 37 insertions(+), 22 deletions(-) diff --git a/cmdgen.c b/cmdgen.c index dfca9dce..d8d5a946 100644 --- a/cmdgen.c +++ b/cmdgen.c @@ -893,7 +893,7 @@ int main(int argc, char **argv) assert(ssh1key); if (outfile) - fp = f_open(outfilename, "w"); + fp = f_open(outfilename, "w", FALSE); else fp = stdout; dec1 = bignum_decimal(ssh1key->exponent); @@ -951,7 +951,7 @@ int main(int argc, char **argv) *p++ = '\0'; if (outfile) - fp = f_open(outfilename, "w"); + fp = f_open(outfilename, "w", FALSE); else fp = stdout; fprintf(fp, "%s\n", buffer); @@ -981,7 +981,7 @@ int main(int argc, char **argv) } if (outfile) - fp = f_open(outfilename, "w"); + fp = f_open(outfilename, "w", FALSE); else fp = stdout; fprintf(fp, "%s\n", fingerprint); diff --git a/import.c b/import.c index 7deb02fc..a3c24050 100644 --- a/import.c +++ b/import.c @@ -333,7 +333,7 @@ static struct openssh_key *load_openssh_key(const Filename *filename, ret->encrypted = 0; memset(ret->iv, 0, sizeof(ret->iv)); - fp = f_open(*filename, "r"); + fp = f_open(*filename, "r", FALSE); if (!fp) { errmsg = "unable to open key file"; goto error; @@ -893,7 +893,7 @@ int openssh_write(const Filename *filename, struct ssh2_userkey *key, * And save it. We'll use Unix line endings just in case it's * subsequently transferred in binary mode. */ - fp = f_open(*filename, "wb"); /* ensure Unix line endings */ + fp = f_open(*filename, "wb", TRUE); /* ensure Unix line endings */ if (!fp) goto error; fputs(header, fp); @@ -1027,7 +1027,7 @@ static struct sshcom_key *load_sshcom_key(const Filename *filename, ret->keyblob = NULL; ret->keyblob_len = ret->keyblob_size = 0; - fp = f_open(*filename, "r"); + fp = f_open(*filename, "r", FALSE); if (!fp) { errmsg = "unable to open key file"; goto error; @@ -1646,7 +1646,7 @@ int sshcom_write(const Filename *filename, struct ssh2_userkey *key, * And save it. We'll use Unix line endings just in case it's * subsequently transferred in binary mode. */ - fp = f_open(*filename, "wb"); /* ensure Unix line endings */ + fp = f_open(*filename, "wb", TRUE); /* ensure Unix line endings */ if (!fp) goto error; fputs("---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----\n", fp); diff --git a/logging.c b/logging.c index b83b743e..bd5705cb 100644 --- a/logging.c +++ b/logging.c @@ -85,7 +85,7 @@ static void logfopen_callback(void *handle, int mode) ctx->state = L_ERROR; /* disable logging */ } else { fmode = (mode == 1 ? "ab" : "wb"); - ctx->lgfp = f_open(ctx->currlogfilename, fmode); + ctx->lgfp = f_open(ctx->currlogfilename, fmode, TRUE); if (ctx->lgfp) ctx->state = L_OPEN; else @@ -149,7 +149,7 @@ void logfopen(void *handle) /* substitute special codes in file name */ xlatlognam(&ctx->currlogfilename, ctx->cfg.logfilename,ctx->cfg.host, &tm); - ctx->lgfp = f_open(ctx->currlogfilename, "r"); /* file already present? */ + ctx->lgfp = f_open(ctx->currlogfilename, "r", FALSE); /* file already present? */ if (ctx->lgfp) { fclose(ctx->lgfp); if (ctx->cfg.logxfovr != LGXF_ASK) { diff --git a/mac/macmisc.c b/mac/macmisc.c index 2d976e7d..ce32eb44 100644 --- a/mac/macmisc.c +++ b/mac/macmisc.c @@ -156,7 +156,7 @@ int filename_is_null(Filename fn) return fn.fss.vRefNum == 0 && fn.fss.parID == 0 && fn.fss.name[0] == 0; } -FILE *f_open(Filename fn, char const *mode) +FILE *f_open(Filename fn, char const *mode, int is_private) { short savevol; long savedir; diff --git a/mac/macstuff.h b/mac/macstuff.h index 69c1b2e4..3f49cd03 100644 --- a/mac/macstuff.h +++ b/mac/macstuff.h @@ -14,7 +14,7 @@ struct Filename { FSSpec fss; }; -extern FILE * f_open(struct Filename, char const *); +extern FILE * f_open(struct Filename, char const *, int); /* Suspiciously similar to an ICFontRecord */ struct FontSpec { diff --git a/sshpubk.c b/sshpubk.c index 79b224c0..f35febe3 100644 --- a/sshpubk.c +++ b/sshpubk.c @@ -162,7 +162,7 @@ int loadrsakey(const Filename *filename, struct RSAKey *key, char *passphrase, int ret = 0; const char *error = NULL; - fp = f_open(*filename, "rb"); + fp = f_open(*filename, "rb", FALSE); if (!fp) { error = "can't open file"; goto end; @@ -203,7 +203,7 @@ int rsakey_encrypted(const Filename *filename, char **comment) FILE *fp; char buf[64]; - fp = f_open(*filename, "rb"); + fp = f_open(*filename, "rb", FALSE); if (!fp) return 0; /* doesn't even exist */ @@ -241,7 +241,7 @@ int rsakey_pubblob(const Filename *filename, void **blob, int *bloblen, *bloblen = 0; ret = 0; - fp = f_open(*filename, "rb"); + fp = f_open(*filename, "rb", FALSE); if (!fp) { error = "can't open file"; goto end; @@ -364,7 +364,7 @@ int saversakey(const Filename *filename, struct RSAKey *key, char *passphrase) /* * Done. Write the result to the file. */ - fp = f_open(*filename, "wb"); + fp = f_open(*filename, "wb", TRUE); if (fp) { int ret = (fwrite(buf, 1, p - buf, fp) == (size_t) (p - buf)); if (fclose(fp)) @@ -634,7 +634,7 @@ struct ssh2_userkey *ssh2_load_userkey(const Filename *filename, encryption = comment = mac = NULL; public_blob = private_blob = NULL; - fp = f_open(*filename, "rb"); + fp = f_open(*filename, "rb", FALSE); if (!fp) { error = "can't open file"; goto error; @@ -883,7 +883,7 @@ unsigned char *ssh2_userkey_loadpub(const Filename *filename, char **algorithm, public_blob = NULL; - fp = f_open(*filename, "rb"); + fp = f_open(*filename, "rb", FALSE); if (!fp) { error = "can't open file"; goto error; @@ -964,7 +964,7 @@ int ssh2_userkey_encrypted(const Filename *filename, char **commentptr) if (commentptr) *commentptr = NULL; - fp = f_open(*filename, "rb"); + fp = f_open(*filename, "rb", FALSE); if (!fp) return 0; if (!read_header(fp, header) @@ -1145,7 +1145,7 @@ int ssh2_save_userkey(const Filename *filename, struct ssh2_userkey *key, memset(&s, 0, sizeof(s)); } - fp = f_open(*filename, "w"); + fp = f_open(*filename, "w", TRUE); if (!fp) return 0; fprintf(fp, "PuTTY-User-Key-File-2: %s\n", key->alg->name); @@ -1181,7 +1181,7 @@ int key_type(const Filename *filename) const char openssh_sig[] = "-----BEGIN "; int i; - fp = f_open(*filename, "r"); + fp = f_open(*filename, "r", FALSE); if (!fp) return SSH_KEYTYPE_UNOPENABLE; i = fread(buf, 1, sizeof(buf), fp); diff --git a/unix/unix.h b/unix/unix.h index fd206a9d..9c52de6d 100644 --- a/unix/unix.h +++ b/unix/unix.h @@ -11,7 +11,7 @@ struct Filename { char path[FILENAME_MAX]; }; -#define f_open(filename, mode) ( fopen((filename).path, (mode)) ) +FILE *f_open(struct Filename, char const *, int); struct FontSpec { char name[256]; diff --git a/unix/uxmisc.c b/unix/uxmisc.c index 74eb1568..dc208637 100644 --- a/unix/uxmisc.c +++ b/unix/uxmisc.c @@ -5,6 +5,7 @@ #include #include #include +#include #include #include #include @@ -133,3 +134,17 @@ int cloexec(int fd) { if (fdflags == -1) return -1; return fcntl(fd, F_SETFD, fdflags | FD_CLOEXEC); } + +FILE *f_open(struct Filename filename, char const *mode, int is_private) +{ + if (!is_private) { + return fopen(filename.path, mode); + } else { + assert(mode[0] == 'w'); /* is_private is meaningless for read */ + int fd = open(filename.path, O_WRONLY | O_CREAT | O_TRUNC, + 0700); + if (fd < 0) + return NULL; + return fdopen(fd, mode); + } +} diff --git a/windows/winstuff.h b/windows/winstuff.h index 4ece0630..14e20baa 100644 --- a/windows/winstuff.h +++ b/windows/winstuff.h @@ -18,7 +18,7 @@ struct Filename { char path[FILENAME_MAX]; }; -#define f_open(filename, mode) ( fopen((filename).path, (mode)) ) +#define f_open(filename, mode, isprivate) ( fopen((filename).path, (mode)) ) struct FontSpec { char name[64];