Index: crypto/bio/b_sock.c =================================================================== --- crypto/bio/b_sock.c.orig 2016-04-14 11:01:01.957760118 +0200 +++ crypto/bio/b_sock.c 2016-04-14 11:01:04.759799369 +0200 @@ -723,7 +723,7 @@ int BIO_get_accept_socket(char *host, in } again: - s = socket(server.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL); + s = socket(server.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL); if (s == INVALID_SOCKET) { SYSerr(SYS_F_SOCKET, get_last_socket_error()); ERR_add_error_data(3, "port='", host, "'"); @@ -765,7 +765,7 @@ int BIO_get_accept_socket(char *host, in } else goto err; } - cs = socket(client.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL); + cs = socket(client.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL); if (cs != INVALID_SOCKET) { int ii; ii = connect(cs, &client.sa, addrlen); @@ -847,7 +847,7 @@ int BIO_accept(int sock, char **addr) sa.len.s = 0; sa.len.i = sizeof(sa.from); memset(&sa.from, 0, sizeof(sa.from)); - ret = accept(sock, &sa.from.sa, (void *)&sa.len); + ret = accept4(sock, &sa.from.sa, (void *)&sa.len, SOCK_CLOEXEC); if (sizeof(sa.len.i) != sizeof(sa.len.s) && sa.len.i == 0) { OPENSSL_assert(sa.len.s <= sizeof(sa.from)); sa.len.i = (int)sa.len.s; Index: crypto/bio/bss_conn.c =================================================================== --- crypto/bio/bss_conn.c.orig 2016-04-14 11:01:01.957760118 +0200 +++ crypto/bio/bss_conn.c 2016-04-14 11:01:04.759799369 +0200 @@ -195,7 +195,7 @@ static int conn_state(BIO *b, BIO_CONNEC c->them.sin_addr.s_addr = htonl(l); c->state = BIO_CONN_S_CREATE_SOCKET; - ret = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL); + ret = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL); if (ret == INVALID_SOCKET) { SYSerr(SYS_F_SOCKET, get_last_socket_error()); ERR_add_error_data(4, "host=", c->param_hostname, Index: crypto/bio/bss_dgram.c =================================================================== --- crypto/bio/bss_dgram.c.orig 2016-04-14 11:01:01.958760132 +0200 +++ crypto/bio/bss_dgram.c 2016-04-14 11:01:04.760799384 +0200 @@ -1175,7 +1175,7 @@ static int dgram_sctp_read(BIO *b, char msg.msg_control = cmsgbuf; msg.msg_controllen = 512; msg.msg_flags = 0; - n = recvmsg(b->num, &msg, 0); + n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); if (n <= 0) { if (n < 0) @@ -1800,7 +1800,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) msg.msg_controllen = 0; msg.msg_flags = 0; - n = recvmsg(b->num, &msg, MSG_PEEK); + n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC); if (n <= 0) { if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK)) @@ -1822,7 +1822,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) msg.msg_controllen = 0; msg.msg_flags = 0; - n = recvmsg(b->num, &msg, 0); + n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); if (n <= 0) { if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK)) @@ -1887,7 +1887,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) fcntl(b->num, F_SETFL, O_NONBLOCK); } - n = recvmsg(b->num, &msg, MSG_PEEK); + n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC); if (is_dry) { fcntl(b->num, F_SETFL, sockflags); @@ -1929,7 +1929,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b) sockflags = fcntl(b->num, F_GETFL, 0); fcntl(b->num, F_SETFL, O_NONBLOCK); - n = recvmsg(b->num, &msg, MSG_PEEK); + n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC); fcntl(b->num, F_SETFL, sockflags); /* if notification, process and try again */ @@ -1949,7 +1949,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b) msg.msg_control = NULL; msg.msg_controllen = 0; msg.msg_flags = 0; - n = recvmsg(b->num, &msg, 0); + n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); if (data->handle_notifications != NULL) data->handle_notifications(b, data->notification_context, Index: crypto/bio/bss_file.c =================================================================== --- crypto/bio/bss_file.c.orig 2016-04-14 11:01:01.958760132 +0200 +++ crypto/bio/bss_file.c 2016-04-14 11:01:04.760799384 +0200 @@ -118,6 +118,10 @@ static BIO_METHOD methods_filep = { static FILE *file_fopen(const char *filename, const char *mode) { FILE *file = NULL; + size_t modelen = strlen (mode); + char newmode[modelen + 2]; + + memcpy (mempcpy (newmode, mode, modelen), "e", 2); # if defined(_WIN32) && defined(CP_UTF8) int sz, len_0 = (int)strlen(filename) + 1; @@ -161,7 +165,7 @@ static FILE *file_fopen(const char *file file = fopen(filename, mode); } # else - file = fopen(filename, mode); + file = fopen(filename, newmode); # endif return (file); } @@ -282,7 +286,7 @@ static long MS_CALLBACK file_ctrl(BIO *b long ret = 1; FILE *fp = (FILE *)b->ptr; FILE **fpp; - char p[4]; + char p[5]; switch (cmd) { case BIO_C_FILE_SEEK: @@ -393,6 +397,7 @@ static long MS_CALLBACK file_ctrl(BIO *b else strcat(p, "t"); # endif + strcat(p, "e"); fp = file_fopen(ptr, p); if (fp == NULL) { SYSerr(SYS_F_FOPEN, get_last_sys_error()); Index: crypto/rand/rand_unix.c =================================================================== --- crypto/rand/rand_unix.c.orig 2016-04-14 11:01:04.761799398 +0200 +++ crypto/rand/rand_unix.c 2016-04-14 11:02:13.950768594 +0200 @@ -270,7 +270,7 @@ int RAND_poll(void) for (i = 0; (i < sizeof(randomfiles) / sizeof(randomfiles[0])) && (n < sizeof(tmpbuf)); i++) { - if ((fd = open(randomfiles[i], O_RDONLY + if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC # ifdef O_NONBLOCK | O_NONBLOCK # endif Index: crypto/rand/randfile.c =================================================================== --- crypto/rand/randfile.c.orig 2016-04-14 11:01:01.959760146 +0200 +++ crypto/rand/randfile.c 2016-04-14 11:01:04.761799398 +0200 @@ -147,7 +147,7 @@ int RAND_load_file(const char *file, lon #ifdef OPENSSL_SYS_VMS in = vms_fopen(file, "rb", VMS_OPEN_ATTRS); #else - in = fopen(file, "rb"); + in = fopen(file, "rbe"); #endif if (in == NULL) goto err; @@ -225,7 +225,7 @@ int RAND_write_file(const char *file) * chmod(..., 0600) is too late to protect the file, permissions * should be restrictive from the start */ - int fd = open(file, O_WRONLY | O_CREAT | O_BINARY, 0600); + int fd = open(file, O_WRONLY | O_CREAT | O_BINARY | O_CLOEXEC, 0600); if (fd != -1) out = fdopen(fd, "wb"); } @@ -255,7 +255,7 @@ int RAND_write_file(const char *file) out = vms_fopen(file, "wb", VMS_OPEN_ATTRS); #else if (out == NULL) - out = fopen(file, "wb"); + out = fopen(file, "wbe"); #endif if (out == NULL) goto err;