6 files changed, 155 insertions, 34 deletions
diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
index 19d90253b..50887e35c 100644
--- a/src/common/CMakeLists.txt
+++ b/src/common/CMakeLists.txt
@@ -47,6 +47,7 @@ endif()
 set(common_headers)
 
 set(common_private_headers
+  apply_permutation.h
   base58.h
   boost_serialization_helper.h
   command_line.h
diff --git a/src/common/apply_permutation.h b/src/common/apply_permutation.h
new file mode 100644
index 000000000..4fd952686
--- /dev/null
+++ b/src/common/apply_permutation.h
@@ -0,0 +1,68 @@
+// Copyright (c) 2017, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+// 
+// Most of this file is originally copyright (c) 2017 Raymond Chen, Microsoft
+// This algorithm is adapted from Raymond Chen's code:
+// https://blogs.msdn.microsoft.com/oldnewthing/20170109-00/?p=95145
+
+#include <vector>
+#include <functional>
+#include "misc_log_ex.h"
+
+namespace tools
+{
+
+template<typename F>
+void apply_permutation(std::vector<size_t> permutation, const F &swap)
+{
+  //sanity check
+  for (size_t n = 0; n < permutation.size(); ++n)
+    CHECK_AND_ASSERT_THROW_MES(std::find(permutation.begin(), permutation.end(), n) != permutation.end(), "Bad permutation");
+
+  for (size_t i = 0; i < permutation.size(); ++i)
+  {
+    size_t current = i;
+    while (i != permutation[current])
+    {
+      size_t next = permutation[current];
+      swap(current, next);
+      permutation[current] = current;
+      current = next;
+    }
+    permutation[current] = current;
+  }
+}
+
+template<typename T>
+void apply_permutation(const std::vector<size_t> &permutation, std::vector<T> &v)
+{
+  CHECK_AND_ASSERT_THROW_MES(permutation.size() == v.size(), "Mismatched vector sizes");
+  apply_permutation(permutation, [&v](size_t i0, size_t i1){ std::swap(v[i0], v[i1]); });
+}
+
+}
diff --git a/src/common/base58.cpp b/src/common/base58.cpp
index 64cb7c0de..941373443 100644
--- a/src/common/base58.cpp
+++ b/src/common/base58.cpp
@@ -111,13 +111,13 @@ namespace tools
         uint64_t res = 0;
         switch (9 - size)
         {
-        case 1:            res |= *data++;
-        case 2: res <<= 8; res |= *data++;
-        case 3: res <<= 8; res |= *data++;
-        case 4: res <<= 8; res |= *data++;
-        case 5: res <<= 8; res |= *data++;
-        case 6: res <<= 8; res |= *data++;
-        case 7: res <<= 8; res |= *data++;
+        case 1:            res |= *data++; /* FALLTHRU */
+        case 2: res <<= 8; res |= *data++; /* FALLTHRU */
+        case 3: res <<= 8; res |= *data++; /* FALLTHRU */
+        case 4: res <<= 8; res |= *data++; /* FALLTHRU */
+        case 5: res <<= 8; res |= *data++; /* FALLTHRU */
+        case 6: res <<= 8; res |= *data++; /* FALLTHRU */
+        case 7: res <<= 8; res |= *data++; /* FALLTHRU */
         case 8: res <<= 8; res |= *data; break;
         default: assert(false);
         }
diff --git a/src/common/dns_utils.cpp b/src/common/dns_utils.cpp
index 57c856597..1310b8bfd 100644
--- a/src/common/dns_utils.cpp
+++ b/src/common/dns_utils.cpp
@@ -27,8 +27,6 @@
 // THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 #include "common/dns_utils.h"
-#include "common/i18n.h"
-#include "cryptonote_basic/cryptonote_basic_impl.h"
 // check local first (in the event of static or in-source compilation of libunbound)
 #include "unbound.h"
 
@@ -326,8 +324,6 @@ bool DNSResolver::check_address_syntax(const char *addr) const
 namespace dns_utils
 {
 
-const char *tr(const char *str) { return i18n_translate(str, "tools::dns_utils"); }
-
 //-----------------------------------------------------------------------
 // TODO: parse the string in a less stupid way, probably with regex
 std::string address_from_txt_record(const std::string& s)
diff --git a/src/common/util.cpp b/src/common/util.cpp
index 046961b06..74a6babf1 100644
--- a/src/common/util.cpp
+++ b/src/common/util.cpp
@@ -39,11 +39,13 @@ using namespace epee;
 #include "net/http_client.h"                        // epee::net_utils::...
 
 #ifdef WIN32
-#include <windows.h>
-#include <shlobj.h>
-#include <strsafe.h>
+  #include <windows.h>
+  #include <shlobj.h>
+  #include <strsafe.h>
 #else 
-#include <sys/utsname.h>
+  #include <sys/file.h>
+  #include <sys/utsname.h>
+  #include <sys/stat.h>
 #endif
 #include <boost/filesystem.hpp>
 #include <boost/asio.hpp>
@@ -53,7 +55,12 @@ namespace tools
 {
   std::function<void(int)> signal_handler::m_handler;
 
-  std::unique_ptr<std::FILE, tools::close_file> create_private_file(const std::string& name)
+  private_file::private_file() noexcept : m_handle(), m_filename() {}
+
+  private_file::private_file(std::FILE* handle, std::string&& filename) noexcept
+    : m_handle(handle), m_filename(std::move(filename)) {}
+
+  private_file private_file::create(std::string name)
   {
 #ifdef WIN32
     struct close_handle
@@ -70,17 +77,17 @@ namespace tools
       const bool fail = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, std::addressof(temp)) == 0;
       process.reset(temp);
       if (fail)
-        return nullptr;
+        return {};
     }
 
     DWORD sid_size = 0;
     GetTokenInformation(process.get(), TokenOwner, nullptr, 0, std::addressof(sid_size));
     if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
-      return nullptr;
+      return {};
 
     std::unique_ptr<char[]> sid{new char[sid_size]};
     if (!GetTokenInformation(process.get(), TokenOwner, sid.get(), sid_size, std::addressof(sid_size)))
-      return nullptr;
+      return {};
 
     const PSID psid = reinterpret_cast<const PTOKEN_OWNER>(sid.get())->Owner;
     const DWORD daclSize =
@@ -88,17 +95,17 @@ namespace tools
 
     const std::unique_ptr<char[]> dacl{new char[daclSize]};
     if (!InitializeAcl(reinterpret_cast<PACL>(dacl.get()), daclSize, ACL_REVISION))
-      return nullptr;
+      return {};
 
     if (!AddAccessAllowedAce(reinterpret_cast<PACL>(dacl.get()), ACL_REVISION, (READ_CONTROL | FILE_GENERIC_READ | DELETE), psid))
-      return nullptr;
+      return {};
 
     SECURITY_DESCRIPTOR descriptor{};
     if (!InitializeSecurityDescriptor(std::addressof(descriptor), SECURITY_DESCRIPTOR_REVISION))
-      return nullptr;
+      return {};
 
     if (!SetSecurityDescriptorDacl(std::addressof(descriptor), true, reinterpret_cast<PACL>(dacl.get()), false))
-      return nullptr;
+      return {};
 
     SECURITY_ATTRIBUTES attributes{sizeof(SECURITY_ATTRIBUTES), std::addressof(descriptor), false};
     std::unique_ptr<void, close_handle> file{
@@ -106,7 +113,7 @@ namespace tools
         name.c_str(),
         GENERIC_WRITE, FILE_SHARE_READ,
         std::addressof(attributes),
-        CREATE_NEW, FILE_ATTRIBUTE_TEMPORARY,
+        CREATE_NEW, (FILE_ATTRIBUTE_TEMPORARY | FILE_FLAG_DELETE_ON_CLOSE),
         nullptr
       )
     };
@@ -121,22 +128,49 @@ namespace tools
         {
           _close(fd);
         }
-        return {real_file, tools::close_file{}};
+        return {real_file, std::move(name)};
       }
     }
 #else
-    const int fd = open(name.c_str(), (O_RDWR | O_EXCL | O_CREAT), S_IRUSR);
-    if (0 <= fd)
+    const int fdr = open(name.c_str(), (O_RDONLY | O_CREAT), S_IRUSR);
+    if (0 <= fdr)
     {
-      std::FILE* file = fdopen(fd, "w");
-      if (!file)
+      struct stat rstats = {};
+      if (fstat(fdr, std::addressof(rstats)) != 0)
       {
-        close(fd);
+        close(fdr);
+        return {};
+      }
+      fchmod(fdr, (S_IRUSR | S_IWUSR));
+      const int fdw = open(name.c_str(), O_RDWR);
+      fchmod(fdr, rstats.st_mode);
+      close(fdr);
+
+      if (0 <= fdw)
+      {
+        struct stat wstats = {};
+        if (fstat(fdw, std::addressof(wstats)) == 0 &&
+            rstats.st_dev == wstats.st_dev && rstats.st_ino == wstats.st_ino &&
+            flock(fdw, (LOCK_EX | LOCK_NB)) == 0 && ftruncate(fdw, 0) == 0)
+        {
+          std::FILE* file = fdopen(fdw, "w");
+          if (file) return {file, std::move(name)};
+        }
+        close(fdw);
       }
-      return {file, tools::close_file{}};
     }
 #endif
-    return nullptr;
+    return {};
+  }
+
+  private_file::~private_file() noexcept
+  {
+    try
+    {
+      boost::system::error_code ec{};
+      boost::filesystem::remove(filename(), ec);
+    }
+    catch (...) {}
   }
 
 #ifdef WIN32
diff --git a/src/common/util.h b/src/common/util.h
index 2452bc9d5..48bdbbc28 100644
--- a/src/common/util.h
+++ b/src/common/util.h
@@ -60,8 +60,30 @@ namespace tools
     }
   };
 
-  //! \return File only readable by owner. nullptr if `filename` exists.
-  std::unique_ptr<std::FILE, close_file> create_private_file(const std::string& filename);
+  //! A file restricted to process owner AND process. Deletes file on destruction.
+  class private_file {
+    std::unique_ptr<std::FILE, close_file> m_handle;
+    std::string m_filename;
+
+    private_file(std::FILE* handle, std::string&& filename) noexcept;
+  public:
+
+    //! `handle() == nullptr && filename.empty()`.
+    private_file() noexcept;
+
+    /*! \return File only readable by owner and only used by this process
+      OR `private_file{}` on error. */
+    static private_file create(std::string filename);
+
+    private_file(private_file&&) = default;
+    private_file& operator=(private_file&&) = default;
+
+    //! Deletes `filename()` and closes `handle()`.
+    ~private_file() noexcept;
+
+    std::FILE* handle() const noexcept { return m_handle.get(); }
+    const std::string& filename() const noexcept { return m_filename; }
+  };
 
   /*! \brief Returns the default data directory.
    *