3 files changed, 6 insertions, 6 deletions
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index 5fdfcb8dd3..8b56585ee1 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: randfile.c,v 1.45 2024/04/10 14:53:01 beck Exp $ */
+/* $OpenBSD: randfile.c,v 1.46 2026/03/10 05:26:04 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -105,7 +105,7 @@ RAND_write_file(const char *file)
                return (1);
        }
-        fd = open(file, O_WRONLY|O_CREAT, 0600);
+        fd = open(file, O_WRONLY|O_CREAT|O_CLOEXEC, 0600);
        if (fd == -1)
                return (1);
        out = fdopen(fd, "wb");
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 22fa8455a1..848117a91a 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.71 2024/08/02 15:00:01 tb Exp $ */
+/* $OpenBSD: tls_config.c,v 1.72 2026/03/10 05:26:04 deraadt Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -49,7 +49,7 @@ tls_config_load_file(struct tls_error *error, const char *filetype,
        *buf = NULL;
        *len = 0;
-        if ((fd = open(filename, O_RDONLY)) == -1) {
+        if ((fd = open(filename, O_RDONLY|O_CLOEXEC)) == -1) {
                tls_error_set(error, TLS_ERROR_UNKNOWN,
                    "failed to open %s file '%s'",
                    filetype, filename);
diff --git a/src/lib/libtls/tls_util.c b/src/lib/libtls/tls_util.c
index b276d2cfa7..d93efb830d 100644
--- a/src/lib/libtls/tls_util.c
+++ b/src/lib/libtls/tls_util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_util.c,v 1.16 2023/05/14 07:26:25 op Exp $ */
+/* $OpenBSD: tls_util.c,v 1.17 2026/03/10 05:26:04 deraadt Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
@@ -162,7 +162,7 @@ tls_load_file(const char *name, size_t *len, char *password)
        *len = 0;
-        if ((fd = open(name, O_RDONLY)) == -1)
+        if ((fd = open(name, O_RDONLY|O_CLOEXEC)) == -1)
                return (NULL);
        /* Just load the file into memory without decryption */

diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c index 5fdfcb8dd3..8b56585ee1 100644 --- a/src/lib/libcrypto/rand/randfile.c +++ b/src/lib/libcrypto/rand/randfile.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: randfile.c,v 1.45 2024/04/10 14:53:01 beck Exp $ */	1	/* $OpenBSD: randfile.c,v 1.46 2026/03/10 05:26:04 deraadt Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -105,7 +105,7 @@ RAND_write_file(const char *file)
105	return (1);	105	return (1);
106	}	106	}
107		107
108	fd = open(file, O_WRONLY\|O_CREAT, 0600);	108	fd = open(file, O_WRONLY\|O_CREAT\|O_CLOEXEC, 0600);
109	if (fd == -1)	109	if (fd == -1)
110	return (1);	110	return (1);
111	out = fdopen(fd, "wb");	111	out = fdopen(fd, "wb");


diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index 22fa8455a1..848117a91a 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_config.c,v 1.71 2024/08/02 15:00:01 tb Exp $ */	1	/* $OpenBSD: tls_config.c,v 1.72 2026/03/10 05:26:04 deraadt Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -49,7 +49,7 @@ tls_config_load_file(struct tls_error error, const char filetype,
49	*buf = NULL;	49	*buf = NULL;
50	*len = 0;	50	*len = 0;
51		51
52	if ((fd = open(filename, O_RDONLY)) == -1) {	52	if ((fd = open(filename, O_RDONLY\|O_CLOEXEC)) == -1) {
53	tls_error_set(error, TLS_ERROR_UNKNOWN,	53	tls_error_set(error, TLS_ERROR_UNKNOWN,
54	"failed to open %s file '%s'",	54	"failed to open %s file '%s'",
55	filetype, filename);	55	filetype, filename);


diff --git a/src/lib/libtls/tls_util.c b/src/lib/libtls/tls_util.c index b276d2cfa7..d93efb830d 100644 --- a/src/lib/libtls/tls_util.c +++ b/src/lib/libtls/tls_util.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_util.c,v 1.16 2023/05/14 07:26:25 op Exp $ */	1	/* $OpenBSD: tls_util.c,v 1.17 2026/03/10 05:26:04 deraadt Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>	4	* Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
@@ -162,7 +162,7 @@ tls_load_file(const char name, size_t len, char *password)
162		162
163	*len = 0;	163	*len = 0;
164		164
165	if ((fd = open(name, O_RDONLY)) == -1)	165	if ((fd = open(name, O_RDONLY\|O_CLOEXEC)) == -1)
166	return (NULL);	166	return (NULL);
167		167
168	/* Just load the file into memory without decryption */	168	/* Just load the file into memory without decryption */