File openssl-ocloexec.patch of Package openssl

diff -rNU 30 ../openssl-1.0.1u-o/crypto/bio/b_sock.c ./crypto/bio/b_sock.c
--- ../openssl-1.0.1u-o/crypto/bio/b_sock.c	2016-09-22 12:29:27.000000000 +0200
+++ ./crypto/bio/b_sock.c	2016-11-06 21:24:10.000000000 +0100
@@ -692,103 +692,103 @@
         addrlen = res->ai_addrlen <= sizeof(server) ?
             res->ai_addrlen : sizeof(server);
         memcpy(&server, res->ai_addr, addrlen);
 
         (*p_freeaddrinfo.f) (res);
         goto again;
     } while (0);
 # endif
 
     if (!BIO_get_port(p, &port))
         goto err;
 
     memset((char *)&server, 0, sizeof(server));
     server.sa_in.sin_family = AF_INET;
     server.sa_in.sin_port = htons(port);
     addrlen = sizeof(server.sa_in);
 
     if (h == NULL || strcmp(h, "*") == 0)
         server.sa_in.sin_addr.s_addr = INADDR_ANY;
     else {
         if (!BIO_get_host_ip(h, &(ip[0])))
             goto err;
         l = (unsigned long)
             ((unsigned long)ip[0] << 24L) |
             ((unsigned long)ip[1] << 16L) |
             ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
         server.sa_in.sin_addr.s_addr = htonl(l);
     }
 
  again:
-    s = socket(server.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL);
+    s = socket(server.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
     if (s == INVALID_SOCKET) {
         SYSerr(SYS_F_SOCKET, get_last_socket_error());
         ERR_add_error_data(3, "port='", host, "'");
         BIOerr(BIO_F_BIO_GET_ACCEPT_SOCKET, BIO_R_UNABLE_TO_CREATE_SOCKET);
         goto err;
     }
 # ifdef SO_REUSEADDR
     if (bind_mode == BIO_BIND_REUSEADDR) {
         int i = 1;
 
         ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char *)&i, sizeof(i));
         bind_mode = BIO_BIND_NORMAL;
     }
 # endif
     if (bind(s, &server.sa, addrlen) == -1) {
 # ifdef SO_REUSEADDR
         err_num = get_last_socket_error();
         if ((bind_mode == BIO_BIND_REUSEADDR_IF_UNUSED) &&
 #  ifdef OPENSSL_SYS_WINDOWS
             /*
              * Some versions of Windows define EADDRINUSE to a dummy value.
              */
             (err_num == WSAEADDRINUSE))
 #  else
             (err_num == EADDRINUSE))
 #  endif
         {
             client = server;
             if (h == NULL || strcmp(h, "*") == 0) {
 #  if OPENSSL_USE_IPV6
                 if (client.sa.sa_family == AF_INET6) {
                     memset(&client.sa_in6.sin6_addr, 0,
                            sizeof(client.sa_in6.sin6_addr));
                     client.sa_in6.sin6_addr.s6_addr[15] = 1;
                 } else
 #  endif
                 if (client.sa.sa_family == AF_INET) {
                     client.sa_in.sin_addr.s_addr = htonl(0x7F000001);
                 } else
                     goto err;
             }
-            cs = socket(client.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL);
+            cs = socket(client.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
             if (cs != INVALID_SOCKET) {
                 int ii;
                 ii = connect(cs, &client.sa, addrlen);
                 closesocket(cs);
                 if (ii == INVALID_SOCKET) {
                     bind_mode = BIO_BIND_REUSEADDR;
                     closesocket(s);
                     goto again;
                 }
                 /* else error */
             }
             /* else error */
         }
 # endif
         SYSerr(SYS_F_BIND, err_num);
         ERR_add_error_data(3, "port='", host, "'");
         BIOerr(BIO_F_BIO_GET_ACCEPT_SOCKET, BIO_R_UNABLE_TO_BIND_SOCKET);
         goto err;
     }
     if (listen(s, MAX_LISTEN) == -1) {
         SYSerr(SYS_F_BIND, get_last_socket_error());
         ERR_add_error_data(3, "port='", host, "'");
         BIOerr(BIO_F_BIO_GET_ACCEPT_SOCKET, BIO_R_UNABLE_TO_LISTEN_SOCKET);
         goto err;
     }
     ret = 1;
  err:
     if (str != NULL)
         OPENSSL_free(str);
     if ((ret == 0) && (s != INVALID_SOCKET)) {
diff -rNU 30 ../openssl-1.0.1u-o/crypto/bio/bss_conn.c ./crypto/bio/bss_conn.c
--- ../openssl-1.0.1u-o/crypto/bio/bss_conn.c	2016-09-22 12:29:27.000000000 +0200
+++ ./crypto/bio/bss_conn.c	2016-11-06 21:24:57.000000000 +0100
@@ -168,61 +168,61 @@
             c->state = BIO_CONN_S_GET_IP;
             break;
 
         case BIO_CONN_S_GET_IP:
             if (BIO_get_host_ip(c->param_hostname, &(c->ip[0])) <= 0)
                 goto exit_loop;
             c->state = BIO_CONN_S_GET_PORT;
             break;
 
         case BIO_CONN_S_GET_PORT:
             if (c->param_port == NULL) {
                 /* abort(); */
                 goto exit_loop;
             } else if (BIO_get_port(c->param_port, &c->port) <= 0)
                 goto exit_loop;
             c->state = BIO_CONN_S_CREATE_SOCKET;
             break;
 
         case BIO_CONN_S_CREATE_SOCKET:
             /* now setup address */
             memset((char *)&c->them, 0, sizeof(c->them));
             c->them.sin_family = AF_INET;
             c->them.sin_port = htons((unsigned short)c->port);
             l = (unsigned long)
                 ((unsigned long)c->ip[0] << 24L) |
                 ((unsigned long)c->ip[1] << 16L) |
                 ((unsigned long)c->ip[2] << 8L) | ((unsigned long)c->ip[3]);
             c->them.sin_addr.s_addr = htonl(l);
             c->state = BIO_CONN_S_CREATE_SOCKET;
 
-            ret = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
+            ret = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
             if (ret == INVALID_SOCKET) {
                 SYSerr(SYS_F_SOCKET, get_last_socket_error());
                 ERR_add_error_data(4, "host=", c->param_hostname,
                                    ":", c->param_port);
                 BIOerr(BIO_F_CONN_STATE, BIO_R_UNABLE_TO_CREATE_SOCKET);
                 goto exit_loop;
             }
             b->num = ret;
             c->state = BIO_CONN_S_NBIO;
             break;
 
         case BIO_CONN_S_NBIO:
             if (c->nbio) {
                 if (!BIO_socket_nbio(b->num, 1)) {
                     BIOerr(BIO_F_CONN_STATE, BIO_R_ERROR_SETTING_NBIO);
                     ERR_add_error_data(4, "host=",
                                        c->param_hostname, ":", c->param_port);
                     goto exit_loop;
                 }
             }
             c->state = BIO_CONN_S_CONNECT;
 
 # if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
             i = 1;
             i = setsockopt(b->num, SOL_SOCKET, SO_KEEPALIVE, (char *)&i,
                            sizeof(i));
             if (i < 0) {
                 SYSerr(SYS_F_SOCKET, get_last_socket_error());
                 ERR_add_error_data(4, "host=", c->param_hostname,
                                    ":", c->param_port);
diff -rNU 30 ../openssl-1.0.1u-o/crypto/bio/bss_dgram.c ./crypto/bio/bss_dgram.c
--- ../openssl-1.0.1u-o/crypto/bio/bss_dgram.c	2016-09-22 12:29:27.000000000 +0200
+++ ./crypto/bio/bss_dgram.c	2016-11-06 21:27:40.000000000 +0100
@@ -1089,61 +1089,61 @@
     }
 }
 #  endif
 
 static int dgram_sctp_read(BIO *b, char *out, int outl)
 {
     int ret = 0, n = 0, i, optval;
     socklen_t optlen;
     bio_dgram_sctp_data *data = (bio_dgram_sctp_data *) b->ptr;
     union sctp_notification *snp;
     struct msghdr msg;
     struct iovec iov;
     struct cmsghdr *cmsg;
     char cmsgbuf[512];
 
     if (out != NULL) {
         clear_socket_error();
 
         do {
             memset(&data->rcvinfo, 0x00,
                    sizeof(struct bio_dgram_sctp_rcvinfo));
             iov.iov_base = out;
             iov.iov_len = outl;
             msg.msg_name = NULL;
             msg.msg_namelen = 0;
             msg.msg_iov = &iov;
             msg.msg_iovlen = 1;
             msg.msg_control = cmsgbuf;
             msg.msg_controllen = 512;
             msg.msg_flags = 0;
-            n = recvmsg(b->num, &msg, 0);
+            n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
 
             if (n <= 0) {
                 if (n < 0)
                     ret = n;
                 break;
             }
 
             if (msg.msg_controllen > 0) {
                 for (cmsg = CMSG_FIRSTHDR(&msg); cmsg;
                      cmsg = CMSG_NXTHDR(&msg, cmsg)) {
                     if (cmsg->cmsg_level != IPPROTO_SCTP)
                         continue;
 #  ifdef SCTP_RCVINFO
                     if (cmsg->cmsg_type == SCTP_RCVINFO) {
                         struct sctp_rcvinfo *rcvinfo;
 
                         rcvinfo = (struct sctp_rcvinfo *)CMSG_DATA(cmsg);
                         data->rcvinfo.rcv_sid = rcvinfo->rcv_sid;
                         data->rcvinfo.rcv_ssn = rcvinfo->rcv_ssn;
                         data->rcvinfo.rcv_flags = rcvinfo->rcv_flags;
                         data->rcvinfo.rcv_ppid = rcvinfo->rcv_ppid;
                         data->rcvinfo.rcv_tsn = rcvinfo->rcv_tsn;
                         data->rcvinfo.rcv_cumtsn = rcvinfo->rcv_cumtsn;
                         data->rcvinfo.rcv_context = rcvinfo->rcv_context;
                     }
 #  endif
 #  ifdef SCTP_SNDRCV
                     if (cmsg->cmsg_type == SCTP_SNDRCV) {
                         struct sctp_sndrcvinfo *sndrcvinfo;
 
@@ -1714,83 +1714,83 @@
     ret =
         setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENT, &event,
                    sizeof(struct sctp_event));
 #  else
     eventsize = sizeof(struct sctp_event_subscribe);
     ret = getsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, &eventsize);
     if (ret < 0)
         return -1;
 
     event.sctp_sender_dry_event = 1;
 
     ret =
         setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event,
                    sizeof(struct sctp_event_subscribe));
 #  endif
     if (ret < 0)
         return -1;
 
     /* peek for notification */
     memset(&snp, 0x00, sizeof(union sctp_notification));
     iov.iov_base = (char *)&snp;
     iov.iov_len = sizeof(union sctp_notification);
     msg.msg_name = NULL;
     msg.msg_namelen = 0;
     msg.msg_iov = &iov;
     msg.msg_iovlen = 1;
     msg.msg_control = NULL;
     msg.msg_controllen = 0;
     msg.msg_flags = 0;
 
-    n = recvmsg(b->num, &msg, MSG_PEEK);
+    n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC);
     if (n <= 0) {
         if ((n < 0) && (get_last_socket_error() != EAGAIN)
             && (get_last_socket_error() != EWOULDBLOCK))
             return -1;
         else
             return 0;
     }
 
     /* if we find a notification, process it and try again if necessary */
     while (msg.msg_flags & MSG_NOTIFICATION) {
         memset(&snp, 0x00, sizeof(union sctp_notification));
         iov.iov_base = (char *)&snp;
         iov.iov_len = sizeof(union sctp_notification);
         msg.msg_name = NULL;
         msg.msg_namelen = 0;
         msg.msg_iov = &iov;
         msg.msg_iovlen = 1;
         msg.msg_control = NULL;
         msg.msg_controllen = 0;
         msg.msg_flags = 0;
 
-        n = recvmsg(b->num, &msg, 0);
+        n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
         if (n <= 0) {
             if ((n < 0) && (get_last_socket_error() != EAGAIN)
                 && (get_last_socket_error() != EWOULDBLOCK))
                 return -1;
             else
                 return is_dry;
         }
 
         if (snp.sn_header.sn_type == SCTP_SENDER_DRY_EVENT) {
             is_dry = 1;
 
             /* disable sender dry event */
 #  ifdef SCTP_EVENT
             memset(&event, 0, sizeof(struct sctp_event));
             event.se_assoc_id = 0;
             event.se_type = SCTP_SENDER_DRY_EVENT;
             event.se_on = 0;
             ret =
                 setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENT, &event,
                            sizeof(struct sctp_event));
 #  else
             eventsize = (socklen_t) sizeof(struct sctp_event_subscribe);
             ret =
                 getsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event,
                            &eventsize);
             if (ret < 0)
                 return -1;
 
             event.sctp_sender_dry_event = 0;
 
@@ -1801,123 +1801,123 @@
             if (ret < 0)
                 return -1;
         }
 #  ifdef SCTP_AUTHENTICATION_EVENT
         if (snp.sn_header.sn_type == SCTP_AUTHENTICATION_EVENT)
             dgram_sctp_handle_auth_free_key_event(b, &snp);
 #  endif
 
         if (data->handle_notifications != NULL)
             data->handle_notifications(b, data->notification_context,
                                        (void *)&snp);
 
         /* found notification, peek again */
         memset(&snp, 0x00, sizeof(union sctp_notification));
         iov.iov_base = (char *)&snp;
         iov.iov_len = sizeof(union sctp_notification);
         msg.msg_name = NULL;
         msg.msg_namelen = 0;
         msg.msg_iov = &iov;
         msg.msg_iovlen = 1;
         msg.msg_control = NULL;
         msg.msg_controllen = 0;
         msg.msg_flags = 0;
 
         /* if we have seen the dry already, don't wait */
         if (is_dry) {
             sockflags = fcntl(b->num, F_GETFL, 0);
             fcntl(b->num, F_SETFL, O_NONBLOCK);
         }
 
-        n = recvmsg(b->num, &msg, MSG_PEEK);
+        n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC);
 
         if (is_dry) {
             fcntl(b->num, F_SETFL, sockflags);
         }
 
         if (n <= 0) {
             if ((n < 0) && (get_last_socket_error() != EAGAIN)
                 && (get_last_socket_error() != EWOULDBLOCK))
                 return -1;
             else
                 return is_dry;
         }
     }
 
     /* read anything else */
     return is_dry;
 }
 
 int BIO_dgram_sctp_msg_waiting(BIO *b)
 {
     int n, sockflags;
     union sctp_notification snp;
     struct msghdr msg;
     struct iovec iov;
     bio_dgram_sctp_data *data = (bio_dgram_sctp_data *) b->ptr;
 
     /* Check if there are any messages waiting to be read */
     do {
         memset(&snp, 0x00, sizeof(union sctp_notification));
         iov.iov_base = (char *)&snp;
         iov.iov_len = sizeof(union sctp_notification);
         msg.msg_name = NULL;
         msg.msg_namelen = 0;
         msg.msg_iov = &iov;
         msg.msg_iovlen = 1;
         msg.msg_control = NULL;
         msg.msg_controllen = 0;
         msg.msg_flags = 0;
 
         sockflags = fcntl(b->num, F_GETFL, 0);
         fcntl(b->num, F_SETFL, O_NONBLOCK);
-        n = recvmsg(b->num, &msg, MSG_PEEK);
+        n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC);
         fcntl(b->num, F_SETFL, sockflags);
 
         /* if notification, process and try again */
         if (n > 0 && (msg.msg_flags & MSG_NOTIFICATION)) {
 #  ifdef SCTP_AUTHENTICATION_EVENT
             if (snp.sn_header.sn_type == SCTP_AUTHENTICATION_EVENT)
                 dgram_sctp_handle_auth_free_key_event(b, &snp);
 #  endif
 
             memset(&snp, 0x00, sizeof(union sctp_notification));
             iov.iov_base = (char *)&snp;
             iov.iov_len = sizeof(union sctp_notification);
             msg.msg_name = NULL;
             msg.msg_namelen = 0;
             msg.msg_iov = &iov;
             msg.msg_iovlen = 1;
             msg.msg_control = NULL;
             msg.msg_controllen = 0;
             msg.msg_flags = 0;
-            n = recvmsg(b->num, &msg, 0);
+            n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC);
 
             if (data->handle_notifications != NULL)
                 data->handle_notifications(b, data->notification_context,
                                            (void *)&snp);
         }
 
     } while (n > 0 && (msg.msg_flags & MSG_NOTIFICATION));
 
     /* Return 1 if there is a message to be read, return 0 otherwise. */
     if (n > 0)
         return 1;
     else
         return 0;
 }
 
 static int dgram_sctp_puts(BIO *bp, const char *str)
 {
     int n, ret;
 
     n = strlen(str);
     ret = dgram_sctp_write(bp, str, n);
     return (ret);
 }
 # endif
 
 static int BIO_dgram_should_retry(int i)
 {
     int err;
 
     if ((i == 0) || (i == -1)) {
diff -rNU 30 ../openssl-1.0.1u-o/crypto/bio/bss_file.c ./crypto/bio/bss_file.c
--- ../openssl-1.0.1u-o/crypto/bio/bss_file.c	2016-09-22 12:29:27.000000000 +0200
+++ ./crypto/bio/bss_file.c	2016-11-06 21:34:11.000000000 +0100
@@ -92,103 +92,108 @@
 # if defined(OPENSSL_SYS_NETWARE) && defined(NETWARE_CLIB)
 #  include <nwfileio.h>
 # endif
 
 # if !defined(OPENSSL_NO_STDIO)
 
 static int MS_CALLBACK file_write(BIO *h, const char *buf, int num);
 static int MS_CALLBACK file_read(BIO *h, char *buf, int size);
 static int MS_CALLBACK file_puts(BIO *h, const char *str);
 static int MS_CALLBACK file_gets(BIO *h, char *str, int size);
 static long MS_CALLBACK file_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int MS_CALLBACK file_new(BIO *h);
 static int MS_CALLBACK file_free(BIO *data);
 static BIO_METHOD methods_filep = {
     BIO_TYPE_FILE,
     "FILE pointer",
     file_write,
     file_read,
     file_puts,
     file_gets,
     file_ctrl,
     file_new,
     file_free,
     NULL,
 };
 
 static FILE *file_fopen(const char *filename, const char *mode)
 {
     FILE *file = NULL;
 
+    size_t modelen = strlen (mode);
+    char newmode[modelen + 2];
+    memcpy (mempcpy (newmode, mode, modelen), "e", 2);
+
+
 #  if defined(_WIN32) && defined(CP_UTF8)
     int sz, len_0 = (int)strlen(filename) + 1;
     DWORD flags;
 
     /*
      * Basically there are three cases to cover: a) filename is
      * pure ASCII string; b) actual UTF-8 encoded string and
      * c) locale-ized string, i.e. one containing 8-bit
      * characters that are meaningful in current system locale.
      * If filename is pure ASCII or real UTF-8 encoded string,
      * MultiByteToWideChar succeeds and _wfopen works. If
      * filename is locale-ized string, chances are that
      * MultiByteToWideChar fails reporting
      * ERROR_NO_UNICODE_TRANSLATION, in which case we fall
      * back to fopen...
      */
     if ((sz = MultiByteToWideChar(CP_UTF8, (flags = MB_ERR_INVALID_CHARS),
                                   filename, len_0, NULL, 0)) > 0 ||
         (GetLastError() == ERROR_INVALID_FLAGS &&
          (sz = MultiByteToWideChar(CP_UTF8, (flags = 0),
                                    filename, len_0, NULL, 0)) > 0)
         ) {
         WCHAR wmode[8];
         WCHAR *wfilename = _alloca(sz * sizeof(WCHAR));
 
         if (MultiByteToWideChar(CP_UTF8, flags,
                                 filename, len_0, wfilename, sz) &&
             MultiByteToWideChar(CP_UTF8, 0, mode, strlen(mode) + 1,
                                 wmode, sizeof(wmode) / sizeof(wmode[0])) &&
             (file = _wfopen(wfilename, wmode)) == NULL &&
             (errno == ENOENT || errno == EBADF)
             ) {
             /*
              * UTF-8 decode succeeded, but no file, filename
              * could still have been locale-ized...
              */
             file = fopen(filename, mode);
         }
     } else if (GetLastError() == ERROR_NO_UNICODE_TRANSLATION) {
         file = fopen(filename, mode);
     }
 #  else
-    file = fopen(filename, mode);
+    file = fopen(filename, newmode);
 #  endif
     return (file);
 }
 
 BIO *BIO_new_file(const char *filename, const char *mode)
 {
     BIO  *ret;
     FILE *file = file_fopen(filename, mode);
 
     if (file == NULL) {
         SYSerr(SYS_F_FOPEN, get_last_sys_error());
         ERR_add_error_data(5, "fopen('", filename, "','", mode, "')");
         if (errno == ENOENT)
             BIOerr(BIO_F_BIO_NEW_FILE, BIO_R_NO_SUCH_FILE);
         else
             BIOerr(BIO_F_BIO_NEW_FILE, ERR_R_SYS_LIB);
         return (NULL);
     }
     if ((ret = BIO_new(BIO_s_file())) == NULL) {
         fclose(file);
         return (NULL);
     }
 
     BIO_clear_flags(ret, BIO_FLAGS_UPLINK); /* we did fopen -> we disengage
                                              * UPLINK */
     BIO_set_fp(ret, file, BIO_CLOSE);
     return (ret);
 }
 
 BIO *BIO_new_fp(FILE *stream, int close_flag)
@@ -255,61 +260,61 @@
     }
     return (ret);
 }
 
 static int MS_CALLBACK file_write(BIO *b, const char *in, int inl)
 {
     int ret = 0;
 
     if (b->init && (in != NULL)) {
         if (b->flags & BIO_FLAGS_UPLINK)
             ret = UP_fwrite(in, (int)inl, 1, b->ptr);
         else
             ret = fwrite(in, (int)inl, 1, (FILE *)b->ptr);
         if (ret)
             ret = inl;
         /* ret=fwrite(in,1,(int)inl,(FILE *)b->ptr); */
         /*
          * according to Tim Hudson <tjh@cryptsoft.com>, the commented out
          * version above can cause 'inl' write calls under some stupid stdio
          * implementations (VMS)
          */
     }
     return (ret);
 }
 
 static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 {
     long ret = 1;
     FILE *fp = (FILE *)b->ptr;
     FILE **fpp;
-    char p[4];
+    char p[5];
 
     switch (cmd) {
     case BIO_C_FILE_SEEK:
     case BIO_CTRL_RESET:
         if (b->flags & BIO_FLAGS_UPLINK)
             ret = (long)UP_fseek(b->ptr, num, 0);
         else
             ret = (long)fseek(fp, num, 0);
         break;
     case BIO_CTRL_EOF:
         if (b->flags & BIO_FLAGS_UPLINK)
             ret = (long)UP_feof(fp);
         else
             ret = (long)feof(fp);
         break;
     case BIO_C_FILE_TELL:
     case BIO_CTRL_INFO:
         if (b->flags & BIO_FLAGS_UPLINK)
             ret = UP_ftell(b->ptr);
         else
             ret = ftell(fp);
         break;
     case BIO_C_SET_FILE_PTR:
         file_free(b);
         b->shutdown = (int)num & BIO_CLOSE;
         b->ptr = ptr;
         b->init = 1;
 #  if BIO_FLAGS_UPLINK!=0
 #   if defined(__MINGW32__) && defined(__MSVCRT__) && !defined(_IOB_ENTRIES)
 #    define _IOB_ENTRIES 20
@@ -366,60 +371,63 @@
         file_free(b);
         b->shutdown = (int)num & BIO_CLOSE;
         if (num & BIO_FP_APPEND) {
             if (num & BIO_FP_READ)
                 BUF_strlcpy(p, "a+", sizeof p);
             else
                 BUF_strlcpy(p, "a", sizeof p);
         } else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE))
             BUF_strlcpy(p, "r+", sizeof p);
         else if (num & BIO_FP_WRITE)
             BUF_strlcpy(p, "w", sizeof p);
         else if (num & BIO_FP_READ)
             BUF_strlcpy(p, "r", sizeof p);
         else {
             BIOerr(BIO_F_FILE_CTRL, BIO_R_BAD_FOPEN_MODE);
             ret = 0;
             break;
         }
 #  if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_WIN32_CYGWIN)
         if (!(num & BIO_FP_TEXT))
             strcat(p, "b");
         else
             strcat(p, "t");
 #  endif
 #  if defined(OPENSSL_SYS_NETWARE)
         if (!(num & BIO_FP_TEXT))
             strcat(p, "b");
         else
             strcat(p, "t");
 #  endif
+
+       strcat(p, "e");
+
         fp = file_fopen(ptr, p);
         if (fp == NULL) {
             SYSerr(SYS_F_FOPEN, get_last_sys_error());
             ERR_add_error_data(5, "fopen('", ptr, "','", p, "')");
             BIOerr(BIO_F_FILE_CTRL, ERR_R_SYS_LIB);
             ret = 0;
             break;
         }
         b->ptr = fp;
         b->init = 1;
         BIO_clear_flags(b, BIO_FLAGS_UPLINK); /* we did fopen -> we disengage
                                                * UPLINK */
         break;
     case BIO_C_GET_FILE_PTR:
         /* the ptr parameter is actually a FILE ** in this case. */
         if (ptr != NULL) {
             fpp = (FILE **)ptr;
             *fpp = (FILE *)b->ptr;
         }
         break;
     case BIO_CTRL_GET_CLOSE:
         ret = (long)b->shutdown;
         break;
     case BIO_CTRL_SET_CLOSE:
         b->shutdown = (int)num;
         break;
     case BIO_CTRL_FLUSH:
         if (b->flags & BIO_FLAGS_UPLINK)
             UP_fflush(b->ptr);
         else
diff -rNU 30 ../openssl-1.0.1u-o/crypto/rand/rand_unix.c ./crypto/rand/rand_unix.c
--- ../openssl-1.0.1u-o/crypto/rand/rand_unix.c	2016-09-22 12:23:06.000000000 +0200
+++ ./crypto/rand/rand_unix.c	2016-11-06 21:34:49.000000000 +0100
@@ -242,61 +242,61 @@
 # else                          /* !defined(__OpenBSD__) */
 int RAND_poll(void)
 {
     unsigned long l;
     pid_t curr_pid = getpid();
 #  if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
     unsigned char tmpbuf[ENTROPY_NEEDED];
     int n = 0;
 #  endif
 #  ifdef DEVRANDOM
     static const char *randomfiles[] = { DEVRANDOM };
     struct stat randomstats[sizeof(randomfiles) / sizeof(randomfiles[0])];
     int fd;
     unsigned int i;
 #  endif
 #  ifdef DEVRANDOM_EGD
     static const char *egdsockets[] = { DEVRANDOM_EGD, NULL };
     const char **egdsocket = NULL;
 #  endif
 
 #  ifdef DEVRANDOM
     memset(randomstats, 0, sizeof(randomstats));
     /*
      * Use a random entropy pool device. Linux, FreeBSD and OpenBSD have
      * this. Use /dev/urandom if you can as /dev/random may block if it runs
      * out of random entries.
      */
 
     for (i = 0; (i < sizeof(randomfiles) / sizeof(randomfiles[0])) &&
          (n < ENTROPY_NEEDED); i++) {
-        if ((fd = open(randomfiles[i], O_RDONLY
+        if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC
 #   ifdef O_NONBLOCK
                        | O_NONBLOCK
 #   endif
 #   ifdef O_BINARY
                        | O_BINARY
 #   endif
 #   ifdef O_NOCTTY              /* If it happens to be a TTY (god forbid), do
                                  * not make it our controlling tty */
                        | O_NOCTTY
 #   endif
              )) >= 0) {
             int usec = 10 * 1000; /* spend 10ms on each file */
             int r;
             unsigned int j;
             struct stat *st = &randomstats[i];
 
             /*
              * Avoid using same input... Used to be O_NOFOLLOW above, but
              * it's not universally appropriate...
              */
             if (fstat(fd, st) != 0) {
                 close(fd);
                 continue;
             }
             for (j = 0; j < i; j++) {
                 if (randomstats[j].st_ino == st->st_ino &&
                     randomstats[j].st_dev == st->st_dev)
                     break;
             }
             if (j < i) {
diff -rNU 30 ../openssl-1.0.1u-o/crypto/rand/randfile.c ./crypto/rand/randfile.c
--- ../openssl-1.0.1u-o/crypto/rand/randfile.c	2016-09-22 12:29:27.000000000 +0200
+++ ./crypto/rand/randfile.c	2016-11-06 21:37:25.000000000 +0100
@@ -120,61 +120,61 @@
     MS_STATIC unsigned char buf[BUFSIZE];
 #ifndef OPENSSL_NO_POSIX_IO
     struct stat sb;
 #endif
     int i, ret = 0, n;
     FILE *in;
 
     if (file == NULL)
         return (0);
 
 #ifndef OPENSSL_NO_POSIX_IO
 # ifdef PURIFY
     /*
      * struct stat can have padding and unused fields that may not be
      * initialized in the call to stat(). We need to clear the entire
      * structure before calling RAND_add() to avoid complaints from
      * applications such as Valgrind.
      */
     memset(&sb, 0, sizeof(sb));
 # endif
     if (stat(file, &sb) < 0)
         return (0);
     RAND_add(&sb, sizeof(sb), 0.0);
 #endif
     if (bytes == 0)
         return (ret);
 
 #ifdef OPENSSL_SYS_VMS
     in = vms_fopen(file, "rb", VMS_OPEN_ATTRS);
 #else
-    in = fopen(file, "rb");
+    in = fopen(file, "rbe");
 #endif
     if (in == NULL)
         goto err;
 #if defined(S_IFBLK) && defined(S_IFCHR) && !defined(OPENSSL_NO_POSIX_IO)
     if (sb.st_mode & (S_IFBLK | S_IFCHR)) {
         /*
          * this file is a device. we don't want read an infinite number of
          * bytes from a random device, nor do we want to use buffered I/O
          * because we will waste system entropy.
          */
         bytes = (bytes == -1) ? 2048 : bytes; /* ok, is 2048 enough? */
 # ifndef OPENSSL_NO_SETVBUF_IONBF
         setvbuf(in, NULL, _IONBF, 0); /* don't do buffered reads */
 # endif                         /* ndef OPENSSL_NO_SETVBUF_IONBF */
     }
 #endif
     for (;;) {
         if (bytes > 0)
             n = (bytes < BUFSIZE) ? (int)bytes : BUFSIZE;
         else
             n = BUFSIZE;
         i = fread(buf, 1, n, in);
         if (i <= 0)
             break;
 #ifdef PURIFY
         RAND_add(buf, i, (double)i);
 #else
         /* even if n != i, use the full array */
         RAND_add(buf, n, (double)i);
 #endif
@@ -198,91 +198,91 @@
     FILE *out = NULL;
     int n;
 #ifndef OPENSSL_NO_POSIX_IO
     struct stat sb;
 
     i = stat(file, &sb);
     if (i != -1) {
 # if defined(S_ISBLK) && defined(S_ISCHR)
         if (S_ISBLK(sb.st_mode) || S_ISCHR(sb.st_mode)) {
             /*
              * this file is a device. we don't write back to it. we
              * "succeed" on the assumption this is some sort of random
              * device. Otherwise attempting to write to and chmod the device
              * causes problems.
              */
             return (1);
         }
 # endif
     }
 #endif
 
 #if defined(O_CREAT) && !defined(OPENSSL_NO_POSIX_IO) && !defined(OPENSSL_SYS_VMS)
     {
 # ifndef O_BINARY
 #  define O_BINARY 0
 # endif
         /*
          * chmod(..., 0600) is too late to protect the file, permissions
          * should be restrictive from the start
          */
-        int fd = open(file, O_WRONLY | O_CREAT | O_BINARY, 0600);
+        int fd = open(file, O_WRONLY | O_CREAT | O_BINARY | O_CLOEXEC, 0600);
         if (fd != -1)
             out = fdopen(fd, "wb");
     }
 #endif
 
 #ifdef OPENSSL_SYS_VMS
     /*
      * VMS NOTE: Prior versions of this routine created a _new_ version of
      * the rand file for each call into this routine, then deleted all
      * existing versions named ;-1, and finally renamed the current version
      * as ';1'. Under concurrent usage, this resulted in an RMS race
      * condition in rename() which could orphan files (see vms message help
      * for RMS$_REENT). With the fopen() calls below, openssl/VMS now shares
      * the top-level version of the rand file. Note that there may still be
      * conditions where the top-level rand file is locked. If so, this code
      * will then create a new version of the rand file. Without the delete
      * and rename code, this can result in ascending file versions that stop
      * at version 32767, and this routine will then return an error. The
      * remedy for this is to recode the calling application to avoid
      * concurrent use of the rand file, or synchronize usage at the
      * application level. Also consider whether or not you NEED a persistent
      * rand file in a concurrent use situation.
      */
 
     out = vms_fopen(file, "rb+", VMS_OPEN_ATTRS);
     if (out == NULL)
         out = vms_fopen(file, "wb", VMS_OPEN_ATTRS);
 #else
     if (out == NULL)
-        out = fopen(file, "wb");
+        out = fopen(file, "wbe");
 #endif
     if (out == NULL)
         goto err;
 
 #ifndef NO_CHMOD
     chmod(file, 0600);
 #endif
     n = RAND_DATA;
     for (;;) {
         i = (n > BUFSIZE) ? BUFSIZE : n;
         n -= BUFSIZE;
         if (RAND_bytes(buf, i) <= 0)
             rand_err = 1;
         i = fwrite(buf, 1, i, out);
         if (i <= 0) {
             ret = 0;
             break;
         }
         ret += i;
         if (n <= 0)
             break;
     }
 
     fclose(out);
     OPENSSL_cleanse(buf, BUFSIZE);
  err:
     return (rand_err ? -1 : ret);
 }
 
 const char *RAND_file_name(char *buf, size_t size)
openSUSE Build Service is sponsored by