Fix `puttygen-unix-perms': f_open(), PuTTY's wrapper on fopen, now

takes a third argument which is TRUE if the file is being opened for
writing and wants to be created in such a way that it's readable
only to the owner. This is used when saving private keys.

While I'm here, I also use this option when writing session logs, on
the general principle that they probably contain _something_
sensitive.

The new argument is only supported on Unix, for the moment. (I think
writing owner-accessible-only files is the default on Windows.)

git-svn-id: svn://svn.tartarus.org/sgt/putty@7084 cda61777-01e9-0310-a592-d414129be87e

diff --git a/cmdgen.c b/cmdgen.c
index dfca9dc..d8d5a94 100644 (file)
--- a/cmdgen.c
+++ b/cmdgen.c
@@ -893,7 +893,7 @@ int main(int argc, char **argv)
            assert(ssh1key);
 
            if (outfile)
-               fp = f_open(outfilename, "w");
+               fp = f_open(outfilename, "w", FALSE);
            else
                fp = stdout;
            dec1 = bignum_decimal(ssh1key->exponent);
@@ -951,7 +951,7 @@ int main(int argc, char **argv)
                *p++ = '\0';
 
            if (outfile)
-               fp = f_open(outfilename, "w");
+               fp = f_open(outfilename, "w", FALSE);
            else
                fp = stdout;
            fprintf(fp, "%s\n", buffer);
@@ -981,7 +981,7 @@ int main(int argc, char **argv)
            }
 
            if (outfile)
-               fp = f_open(outfilename, "w");
+               fp = f_open(outfilename, "w", FALSE);
            else
                fp = stdout;
            fprintf(fp, "%s\n", fingerprint);

diff --git a/import.c b/import.c
index 7deb02f..a3c2405 100644 (file)
--- a/import.c
+++ b/import.c
@@ -333,7 +333,7 @@ static struct openssh_key *load_openssh_key(const Filename *filename,
     ret->encrypted = 0;
     memset(ret->iv, 0, sizeof(ret->iv));
 
-    fp = f_open(*filename, "r");
+    fp = f_open(*filename, "r", FALSE);
     if (!fp) {
        errmsg = "unable to open key file";
        goto error;
@@ -893,7 +893,7 @@ int openssh_write(const Filename *filename, struct ssh2_userkey *key,
      * And save it. We'll use Unix line endings just in case it's
      * subsequently transferred in binary mode.
      */
-    fp = f_open(*filename, "wb");      /* ensure Unix line endings */
+    fp = f_open(*filename, "wb", TRUE);      /* ensure Unix line endings */
     if (!fp)
        goto error;
     fputs(header, fp);
@@ -1027,7 +1027,7 @@ static struct sshcom_key *load_sshcom_key(const Filename *filename,
     ret->keyblob = NULL;
     ret->keyblob_len = ret->keyblob_size = 0;
 
-    fp = f_open(*filename, "r");
+    fp = f_open(*filename, "r", FALSE);
     if (!fp) {
        errmsg = "unable to open key file";
        goto error;
@@ -1646,7 +1646,7 @@ int sshcom_write(const Filename *filename, struct ssh2_userkey *key,
      * And save it. We'll use Unix line endings just in case it's
      * subsequently transferred in binary mode.
      */
-    fp = f_open(*filename, "wb");      /* ensure Unix line endings */
+    fp = f_open(*filename, "wb", TRUE);      /* ensure Unix line endings */
     if (!fp)
        goto error;
     fputs("---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----\n", fp);

diff --git a/logging.c b/logging.c
index b83b743..bd5705c 100644 (file)
--- a/logging.c
+++ b/logging.c
@@ -85,7 +85,7 @@ static void logfopen_callback(void *handle, int mode)
        ctx->state = L_ERROR;          /* disable logging */
     } else {
        fmode = (mode == 1 ? "ab" : "wb");
-       ctx->lgfp = f_open(ctx->currlogfilename, fmode);
+       ctx->lgfp = f_open(ctx->currlogfilename, fmode, TRUE);
        if (ctx->lgfp)
            ctx->state = L_OPEN;
        else
@@ -149,7 +149,7 @@ void logfopen(void *handle)
     /* substitute special codes in file name */
     xlatlognam(&ctx->currlogfilename, ctx->cfg.logfilename,ctx->cfg.host, &tm);
 
-    ctx->lgfp = f_open(ctx->currlogfilename, "r");  /* file already present? */
+    ctx->lgfp = f_open(ctx->currlogfilename, "r", FALSE);  /* file already present? */
     if (ctx->lgfp) {
        fclose(ctx->lgfp);
        if (ctx->cfg.logxfovr != LGXF_ASK) {

diff --git a/mac/macmisc.c b/mac/macmisc.c
index 2d976e7..ce32eb4 100644 (file)
--- a/mac/macmisc.c
+++ b/mac/macmisc.c
@@ -156,7 +156,7 @@ int filename_is_null(Filename fn)
     return fn.fss.vRefNum == 0 && fn.fss.parID == 0 && fn.fss.name[0] == 0;
 }
 
-FILE *f_open(Filename fn, char const *mode)
+FILE *f_open(Filename fn, char const *mode, int is_private)
 {
     short savevol;
     long savedir;

diff --git a/mac/macstuff.h b/mac/macstuff.h
index 69c1b2e..3f49cd0 100644 (file)
--- a/mac/macstuff.h
+++ b/mac/macstuff.h
@@ -14,7 +14,7 @@ struct Filename {
     FSSpec fss;
 };
 
-extern FILE * f_open(struct Filename, char const *);
+extern FILE * f_open(struct Filename, char const *, int);
 
 /* Suspiciously similar to an ICFontRecord */
 struct FontSpec {

diff --git a/sshpubk.c b/sshpubk.c
index 79b224c..f35febe 100644 (file)
--- a/sshpubk.c
+++ b/sshpubk.c
@@ -162,7 +162,7 @@ int loadrsakey(const Filename *filename, struct RSAKey *key, char *passphrase,
     int ret = 0;
     const char *error = NULL;
 
-    fp = f_open(*filename, "rb");
+    fp = f_open(*filename, "rb", FALSE);
     if (!fp) {
        error = "can't open file";
        goto end;
@@ -203,7 +203,7 @@ int rsakey_encrypted(const Filename *filename, char **comment)
     FILE *fp;
     char buf[64];
 
-    fp = f_open(*filename, "rb");
+    fp = f_open(*filename, "rb", FALSE);
     if (!fp)
        return 0;                      /* doesn't even exist */
 
@@ -241,7 +241,7 @@ int rsakey_pubblob(const Filename *filename, void **blob, int *bloblen,
     *bloblen = 0;
     ret = 0;
 
-    fp = f_open(*filename, "rb");
+    fp = f_open(*filename, "rb", FALSE);
     if (!fp) {
        error = "can't open file";
        goto end;
@@ -364,7 +364,7 @@ int saversakey(const Filename *filename, struct RSAKey *key, char *passphrase)
     /*
      * Done. Write the result to the file.
      */
-    fp = f_open(*filename, "wb");
+    fp = f_open(*filename, "wb", TRUE);
     if (fp) {
        int ret = (fwrite(buf, 1, p - buf, fp) == (size_t) (p - buf));
         if (fclose(fp))
@@ -634,7 +634,7 @@ struct ssh2_userkey *ssh2_load_userkey(const Filename *filename,
     encryption = comment = mac = NULL;
     public_blob = private_blob = NULL;
 
-    fp = f_open(*filename, "rb");
+    fp = f_open(*filename, "rb", FALSE);
     if (!fp) {
        error = "can't open file";
        goto error;
@@ -883,7 +883,7 @@ unsigned char *ssh2_userkey_loadpub(const Filename *filename, char **algorithm,
 
     public_blob = NULL;
 
-    fp = f_open(*filename, "rb");
+    fp = f_open(*filename, "rb", FALSE);
     if (!fp) {
        error = "can't open file";
        goto error;
@@ -964,7 +964,7 @@ int ssh2_userkey_encrypted(const Filename *filename, char **commentptr)
     if (commentptr)
        *commentptr = NULL;
 
-    fp = f_open(*filename, "rb");
+    fp = f_open(*filename, "rb", FALSE);
     if (!fp)
        return 0;
     if (!read_header(fp, header)
@@ -1145,7 +1145,7 @@ int ssh2_save_userkey(const Filename *filename, struct ssh2_userkey *key,
        memset(&s, 0, sizeof(s));
     }
 
-    fp = f_open(*filename, "w");
+    fp = f_open(*filename, "w", TRUE);
     if (!fp)
        return 0;
     fprintf(fp, "PuTTY-User-Key-File-2: %s\n", key->alg->name);
@@ -1181,7 +1181,7 @@ int key_type(const Filename *filename)
     const char openssh_sig[] = "-----BEGIN ";
     int i;
 
-    fp = f_open(*filename, "r");
+    fp = f_open(*filename, "r", FALSE);
     if (!fp)
        return SSH_KEYTYPE_UNOPENABLE;
     i = fread(buf, 1, sizeof(buf), fp);

diff --git a/unix/unix.h b/unix/unix.h
index fd206a9..9c52de6 100644 (file)
--- a/unix/unix.h
+++ b/unix/unix.h
@@ -11,7 +11,7 @@
 struct Filename {
     char path[FILENAME_MAX];
 };
-#define f_open(filename, mode) ( fopen((filename).path, (mode)) )
+FILE *f_open(struct Filename, char const *, int);
 
 struct FontSpec {
     char name[256];

diff --git a/unix/uxmisc.c b/unix/uxmisc.c
index 74eb156..dc20863 100644 (file)
--- a/unix/uxmisc.c
+++ b/unix/uxmisc.c
@@ -5,6 +5,7 @@
 #include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <assert.h>
 #include <unistd.h>
 #include <sys/time.h>
 #include <sys/types.h>
@@ -133,3 +134,17 @@ int cloexec(int fd) {
     if (fdflags == -1) return -1;
     return fcntl(fd, F_SETFD, fdflags | FD_CLOEXEC);
 }
+
+FILE *f_open(struct Filename filename, char const *mode, int is_private)
+{
+    if (!is_private) {
+       return fopen(filename.path, mode);
+    } else {
+       assert(mode[0] == 'w');        /* is_private is meaningless for read */
+       int fd = open(filename.path, O_WRONLY | O_CREAT | O_TRUNC,
+                     0700);
+       if (fd < 0)
+           return NULL;
+       return fdopen(fd, mode);
+    }
+}

diff --git a/windows/winstuff.h b/windows/winstuff.h
index 4ece063..14e20ba 100644 (file)
--- a/windows/winstuff.h
+++ b/windows/winstuff.h
@@ -18,7 +18,7 @@
 struct Filename {
     char path[FILENAME_MAX];
 };
-#define f_open(filename, mode) ( fopen((filename).path, (mode)) )
+#define f_open(filename, mode, isprivate) ( fopen((filename).path, (mode)) )
 
 struct FontSpec {
     char name[64];