Secure file saving: restore umask after _all_ failure conditions

The secure file saving code plays some shenanigans with the umask.
Previously, the code could fail to restore the old umask when certain libc
calls failed: malloc, mkstemp, fdopen, and fopen. This resulted in
unrelated code creating files with the wrong umode. Specifically, the
download code's automatic directory creation was creating directories
without the execute permission bit.

Thanks to Quiznos for reporting and helping to track the problem down.

src/util/secsave.c

@@ -69,9 +69,8 @@ enum secsave_errno secsave_errno = SS_ERR_NONE;
 /* Open a file for writing in a secure way. It returns a pointer to a structure
  * secure_save_info on success, or NULL on failure. */
 static struct secure_save_info *
-secure_open_umask(unsigned char *file_name, mode_t mask)
+secure_open_umask(unsigned char *file_name)
 {
-	mode_t saved_mask;
 	struct stat st;
 	struct secure_save_info *ssi;
 
@@ -144,8 +143,6 @@ secure_open_umask(unsigned char *file_name, mode_t mask)
 		}
 	}
 
-	saved_mask = umask(mask);
-
 	if (ssi->secure_save) {
 		/* We use a random name for temporary file, mkstemp() opens
 		 * the file and return a file descriptor named fd, which is
@@ -187,8 +184,6 @@ secure_open_umask(unsigned char *file_name, mode_t mask)
 		}
 	}
 
-	umask(saved_mask);
-
 	return ssi;
 
 free_file_name:
@@ -206,12 +201,20 @@ end:
 struct secure_save_info *
 secure_open(unsigned char *file_name)
 {
+	struct secure_save_info *ssi;
+	mode_t saved_mask;
 #ifdef CONFIG_OS_WIN32
 	/* There is neither S_IRWXG nor S_IRWXO under crossmingw32-gcc */
-	return secure_open_umask(file_name, 0177);
+	const mode_t mask = 0177;
 #else
-	return secure_open_umask(file_name, S_IXUSR | S_IRWXG | S_IRWXO);
+	const mode_t mask = S_IXUSR | S_IRWXG | S_IRWXO;
 #endif
+	
+	saved_mask = umask(mask);
+	ssi = secure_open_umask(file_name);
+	umask(saved_mask);
+
+	return ssi;
 }
 
 /* Close a file opened with secure_open, and return 0 on success, errno