openssl/openssl-ocloexec.patch

Index: crypto/bio/b_sock.c
===================================================================
--- crypto/bio/b_sock.c.orig	2015-05-29 11:54:57.219659682 +0200
+++ crypto/bio/b_sock.c	2015-05-29 11:56:47.059884761 +0200
@@ -723,7 +723,7 @@ int BIO_get_accept_socket(char *host, in
     }
 
  again:
-    s = socket(server.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL);
+    s = socket(server.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
     if (s == INVALID_SOCKET) {
         SYSerr(SYS_F_SOCKET, get_last_socket_error());
         ERR_add_error_data(3, "port='", host, "'");
@@ -765,7 +765,7 @@ int BIO_get_accept_socket(char *host, in
                 } else
                     goto err;
             }
-            cs = socket(client.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL);
+            cs = socket(client.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
             if (cs != INVALID_SOCKET) {
                 int ii;
                 ii = connect(cs, &client.sa, addrlen);
@@ -847,7 +847,7 @@ int BIO_accept(int sock, char **addr)
     sa.len.s = 0;
     sa.len.i = sizeof(sa.from);
     memset(&sa.from, 0, sizeof(sa.from));
-    ret = accept(sock, &sa.from.sa, (void *)&sa.len);
+    ret = accept4(sock, &sa.from.sa, (void *)&sa.len, SOCK_CLOEXEC);
     if (sizeof(sa.len.i) != sizeof(sa.len.s) && sa.len.i == 0) {
         OPENSSL_assert(sa.len.s <= sizeof(sa.from));
         sa.len.i = (int)sa.len.s;
Index: crypto/bio/bss_conn.c
===================================================================
--- crypto/bio/bss_conn.c.orig	2015-05-29 11:54:57.219659682 +0200
+++ crypto/bio/bss_conn.c	2015-05-29 11:57:45.668538446 +0200
@@ -195,7 +195,7 @@ static int conn_state(BIO *b, BIO_CONNEC
             c->them.sin_addr.s_addr = htonl(l);
             c->state = BIO_CONN_S_CREATE_SOCKET;
 
-            ret = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
+            ret = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
             if (ret == INVALID_SOCKET) {
                 SYSerr(SYS_F_SOCKET, get_last_socket_error());
                 ERR_add_error_data(4, "host=", c->param_hostname,
Index: crypto/bio/bss_dgram.c
===================================================================
--- crypto/bio/bss_dgram.c.orig	2015-05-29 11:54:57.221659705 +0200
+++ crypto/bio/bss_dgram.c	2015-05-29 13:29:42.463696425 +0200
@@ -1176,7 +1176,7 @@ static int dgram_sctp_read(BIO *b, char
             msg.msg_control = cmsgbuf;
             msg.msg_controllen = 512;
             msg.msg_flags = 0;
-            n = recvmsg(b->num, &msg, 0);
+            n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
 
             if (n <= 0) {
                 if (n < 0)
@@ -1801,7 +1801,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
     msg.msg_controllen = 0;
     msg.msg_flags = 0;
 
-    n = recvmsg(b->num, &msg, MSG_PEEK);
+    n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC);
     if (n <= 0) {
         if ((n < 0) && (get_last_socket_error() != EAGAIN)
             && (get_last_socket_error() != EWOULDBLOCK))
@@ -1823,7 +1823,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
         msg.msg_controllen = 0;
         msg.msg_flags = 0;
 
-        n = recvmsg(b->num, &msg, 0);
+        n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
         if (n <= 0) {
             if ((n < 0) && (get_last_socket_error() != EAGAIN)
                 && (get_last_socket_error() != EWOULDBLOCK))
@@ -1888,7 +1888,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
             fcntl(b->num, F_SETFL, O_NONBLOCK);
         }
 
-        n = recvmsg(b->num, &msg, MSG_PEEK);
+        n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC);
 
         if (is_dry) {
             fcntl(b->num, F_SETFL, sockflags);
@@ -1930,7 +1930,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
 
         sockflags = fcntl(b->num, F_GETFL, 0);
         fcntl(b->num, F_SETFL, O_NONBLOCK);
-        n = recvmsg(b->num, &msg, MSG_PEEK);
+        n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC);
         fcntl(b->num, F_SETFL, sockflags);
 
         /* if notification, process and try again */
@@ -1950,7 +1950,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
             msg.msg_control = NULL;
             msg.msg_controllen = 0;
             msg.msg_flags = 0;
-            n = recvmsg(b->num, &msg, 0);
+            n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
 
             if (data->handle_notifications != NULL)
                 data->handle_notifications(b, data->notification_context,
Index: crypto/bio/bss_file.c
===================================================================
--- crypto/bio/bss_file.c.orig	2015-05-29 11:54:57.221659705 +0200
+++ crypto/bio/bss_file.c	2015-05-29 13:33:08.553070567 +0200
@@ -119,6 +119,10 @@ BIO *BIO_new_file(const char *filename,
 {
     BIO *ret;
     FILE *file = NULL;
+    size_t modelen = strlen (mode);
+    char newmode[modelen + 2];
+
+    memcpy (mempcpy (newmode, mode, modelen), "e", 2);
 
 #  if defined(_WIN32) && defined(CP_UTF8)
     int sz, len_0 = (int)strlen(filename) + 1;
@@ -162,7 +166,7 @@ BIO *BIO_new_file(const char *filename,
         file = fopen(filename, mode);
     }
 #  else
-    file = fopen(filename, mode);
+    file = fopen(filename, newmode);
 #  endif
     if (file == NULL) {
         SYSerr(SYS_F_FOPEN, get_last_sys_error());
@@ -275,7 +279,7 @@ static long MS_CALLBACK file_ctrl(BIO *b
     long ret = 1;
     FILE *fp = (FILE *)b->ptr;
     FILE **fpp;
-    char p[4];
+    char p[5];
 
     switch (cmd) {
     case BIO_C_FILE_SEEK:
@@ -386,6 +390,7 @@ static long MS_CALLBACK file_ctrl(BIO *b
         else
             strcat(p, "t");
 #  endif
+        strcat(p, "e");
         fp = fopen(ptr, p);
         if (fp == NULL) {
             SYSerr(SYS_F_FOPEN, get_last_sys_error());
Index: crypto/rand/rand_unix.c
===================================================================
--- crypto/rand/rand_unix.c.orig	2015-05-29 11:54:57.222659716 +0200
+++ crypto/rand/rand_unix.c	2015-05-29 13:36:11.270174218 +0200
@@ -269,7 +269,7 @@ int RAND_poll(void)
 
     for (i = 0; (i < sizeof(randomfiles) / sizeof(randomfiles[0])) &&
          (n < ENTROPY_NEEDED); i++) {
-        if ((fd = open(randomfiles[i], O_RDONLY
+        if ((fd = open(randomfiles[i], O_RDONLY|O_CLOEXEC
 #   ifdef O_NONBLOCK
                        | O_NONBLOCK
 #   endif
Index: crypto/rand/randfile.c
===================================================================
--- crypto/rand/randfile.c.orig	2015-05-29 11:54:57.222659716 +0200
+++ crypto/rand/randfile.c	2015-05-29 13:37:38.156170674 +0200
@@ -147,7 +147,7 @@ int RAND_load_file(const char *file, lon
 #ifdef OPENSSL_SYS_VMS
     in = vms_fopen(file, "rb", VMS_OPEN_ATTRS);
 #else
-    in = fopen(file, "rb");
+    in = fopen(file, "rbe");
 #endif
     if (in == NULL)
         goto err;
@@ -225,7 +225,7 @@ int RAND_write_file(const char *file)
          * chmod(..., 0600) is too late to protect the file, permissions
          * should be restrictive from the start
          */
-        int fd = open(file, O_WRONLY | O_CREAT | O_BINARY, 0600);
+        int fd = open(file, O_WRONLY | O_CREAT | O_BINARY | O_CLOEXEC, 0600);
         if (fd != -1)
             out = fdopen(fd, "wb");
     }
@@ -255,7 +255,7 @@ int RAND_write_file(const char *file)
         out = vms_fopen(file, "wb", VMS_OPEN_ATTRS);
 #else
     if (out == NULL)
-        out = fopen(file, "wb");
+        out = fopen(file, "wbe");
 #endif
     if (out == NULL)
         goto err;