Updates from review

Author: embhorn

.wolfssl_known_macro_extras

@@ -219,6 +219,7 @@ DTLS_RECEIVEFROM_NO_TIMEOUT_ON_INVALID_PEER
 ECCSI_ORDER_MORE_BITS_THAN_PRIME
 ECC_DUMP_OID
 ECDHE_SIZE
+EFD_CLOEXEC
 ENABLED_BSDKM_REGISTER
 ENABLE_SECURE_SOCKETS_LOGS
 ESP32
@@ -234,6 +235,7 @@ ETHERNET_AVAILABLE
 ETHERNET_H
 EV_TRIGGER
 EXTERNAL_LOADER_APP
+FD_CLOEXEC
 FIPS_OPTEST_FULL_RUN_AT_MODULE_INIT
 FORCE_FAILURE_GETRANDOM
 FP_ECC_CONTROL
@@ -479,6 +481,7 @@ OS_WINDOWS
 OTHERBOARD
 OTHER_BOARD
 PEER_INFO
+PERF_FLAG_FD_CLOEXEC
 PKA_ECC_SCALAR_MUL_IN_B_COEFF
 PLATFORMIO
 PLUTON_CRYPTO_ECC

src/crl.c

@@ -1666,6 +1666,11 @@ static int SwapLists(WOLFSSL_CRL* crl)
     #define XEVENT_MODE O_RDONLY
 #endif
 
+/* Fall back to no-op if O_CLOEXEC is unavailable on this platform. */
+#ifndef O_CLOEXEC
+    #define O_CLOEXEC 0
+#endif
+
 
 /* we need a unique kqueue user filter fd for crl in case user is doing custom
  * events too */
@@ -1727,7 +1732,7 @@ static THREAD_RETURN WOLFSSL_THREAD DoMonitor(void* arg)
     fDER = -1;
 
     if (crl->monitors[0].path) {
-        fPEM = open(crl->monitors[0].path, XEVENT_MODE | WC_CLOEXEC);
+        fPEM = open(crl->monitors[0].path, XEVENT_MODE | O_CLOEXEC);
         if (fPEM == -1) {
             WOLFSSL_MSG("PEM event dir open failed");
             SignalSetup(crl, MONITOR_SETUP_E);
@@ -1737,7 +1742,7 @@ static THREAD_RETURN WOLFSSL_THREAD DoMonitor(void* arg)
     }
 
     if (crl->monitors[1].path) {
-        fDER = open(crl->monitors[1].path, XEVENT_MODE | WC_CLOEXEC);
+        fDER = open(crl->monitors[1].path, XEVENT_MODE | O_CLOEXEC);
         if (fDER == -1) {
             WOLFSSL_MSG("DER event dir open failed");
             if (fPEM != -1)
@@ -1804,6 +1809,12 @@ static THREAD_RETURN WOLFSSL_THREAD DoMonitor(void* arg)
 #include <sys/inotify.h>
 #include <sys/eventfd.h>
 #include <unistd.h>
+#include <fcntl.h>
+
+/* Fall back to no-op if EFD_CLOEXEC is unavailable. */
+#ifndef EFD_CLOEXEC
+    #define EFD_CLOEXEC 0
+#endif
 
 
 #ifndef max
@@ -1839,7 +1850,7 @@ static THREAD_RETURN WOLFSSL_THREAD DoMonitor(void* arg)
 
     WOLFSSL_ENTER("DoMonitor");
 
-    crl->mfd = eventfd(0, WC_EFD_CLOEXEC);  /* our custom shutdown event */
+    crl->mfd = eventfd(0, EFD_CLOEXEC);  /* our custom shutdown event */
     if (crl->mfd < 0) {
         WOLFSSL_MSG("eventfd failed");
         SignalSetup(crl, MONITOR_SETUP_E);
@@ -1850,6 +1861,13 @@ static THREAD_RETURN WOLFSSL_THREAD DoMonitor(void* arg)
     notifyFd = inotify_init1(IN_CLOEXEC);
 #else
     notifyFd = inotify_init();
+    #ifdef FD_CLOEXEC
+    if (notifyFd >= 0) {
+        int fdFlags = fcntl(notifyFd, F_GETFD);
+        if (fdFlags >= 0)
+            (void)fcntl(notifyFd, F_SETFD, fdFlags | FD_CLOEXEC);
+    }
+    #endif
 #endif
     if (notifyFd < 0) {
         WOLFSSL_MSG("inotify failed");

src/ssl.c

@@ -19568,6 +19568,9 @@ int wolfSSL_RAND_write_file(const char* fname)
     defined(HAVE_SYS_UN_H)
     #define WOLFSSL_EGD_NBLOCK 0x01
     #include <sys/un.h>
+    #ifndef SOCK_CLOEXEC
+        #define SOCK_CLOEXEC 0
+    #endif
 #endif
 
 /* This collects entropy from the path nm and seeds the global PRNG with it.
@@ -19601,7 +19604,7 @@ int wolfSSL_RAND_egd(const char* nm)
         return WOLFSSL_FATAL_ERROR;
     }
 
-    fd = socket(AF_UNIX, SOCK_STREAM | WC_SOCK_CLOEXEC, 0);
+    fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
     if (fd < 0) {
         WOLFSSL_MSG("Error creating socket");
         WC_FREE_VAR_EX(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);

src/wolfio.c

@@ -29,7 +29,7 @@
  * embedded RTOSes whose libc layers conflict with glibc-style definitions
  * (e.g., Zephyr's socket_select.h vs. glibc's fd_set). */
 #if (defined(__linux__) || defined(__ANDROID__)) && \
-    !defined(__ZEPHYR__) && !defined(_GNU_SOURCE)
+    !defined(WOLFSSL_ZEPHYR) && !defined(_GNU_SOURCE)
     #define _GNU_SOURCE 1
 #endif
 
@@ -51,6 +51,12 @@
 #include <wolfssl/wolfio.h>
 #include <wolfssl/wolfcrypt/logging.h>
 
+/* SOCK_CLOEXEC sets close-on-exec atomically when the socket is created;
+ * fall back to a no-op flag value where it isn't supported. */
+#ifndef SOCK_CLOEXEC
+    #define SOCK_CLOEXEC 0
+#endif
+
 #ifdef NUCLEUS_PLUS_2_3
 /* Holds last Nucleus networking error number */
 int Nucleus_Net_Errno;
@@ -1503,7 +1509,7 @@ int wolfIO_TcpConnect(SOCKET_T* sockfd, const char* ip, word16 port, int to_sec)
     }
 #endif
 
-    *sockfd = (SOCKET_T)socket(addr.ss_family, SOCK_STREAM | WC_SOCK_CLOEXEC, 0);
+    *sockfd = (SOCKET_T)socket(addr.ss_family, SOCK_STREAM | SOCK_CLOEXEC, 0);
 #ifdef USE_WINDOWS_API
     if (*sockfd == SOCKET_INVALID)
 #else
@@ -1581,12 +1587,12 @@ int wolfIO_TcpBind(SOCKET_T* sockfd, word16 port)
     sin->sin6_family = AF_INET6;
     sin->sin6_addr = in6addr_any;
     sin->sin6_port = XHTONS(port);
-    *sockfd = (SOCKET_T)socket(AF_INET6, SOCK_STREAM | WC_SOCK_CLOEXEC, 0);
+    *sockfd = (SOCKET_T)socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
 #else
     sin->sin_family = AF_INET;
     sin->sin_addr.s_addr = INADDR_ANY;
     sin->sin_port = XHTONS(port);
-    *sockfd = (SOCKET_T)socket(AF_INET, SOCK_STREAM | WC_SOCK_CLOEXEC, 0);
+    *sockfd = (SOCKET_T)socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
 #endif
 
 #ifdef USE_WINDOWS_API
@@ -1633,7 +1639,7 @@ int wolfIO_TcpBind(SOCKET_T* sockfd, word16 port)
 int wolfIO_TcpAccept(SOCKET_T sockfd, SOCKADDR* peer_addr, XSOCKLENT* peer_len)
 {
     int fd;
-#if !defined(USE_WINDOWS_API) && !defined(__ZEPHYR__) && \
+#if !defined(USE_WINDOWS_API) && !defined(WOLFSSL_ZEPHYR) && \
     defined(SOCK_CLOEXEC) && (defined(__linux__) || defined(__ANDROID__))
     fd = (int)accept4(sockfd, peer_addr, peer_len, SOCK_CLOEXEC);
 #else

wolfcrypt/benchmark/benchmark.c

@@ -1574,6 +1574,7 @@ static const char* bench_result_words3[][5] = {
     #include <linux/perf_event.h>
     #include <sys/syscall.h>
     #include <unistd.h>
+    #include <fcntl.h>
 
     #ifndef PERF_FLAG_FD_CLOEXEC
         #define PERF_FLAG_FD_CLOEXEC (1UL << 3)

wolfcrypt/src/port/af_alg/wc_afalg.c

@@ -25,6 +25,11 @@
 
 #include <wolfssl/wolfcrypt/port/af_alg/wc_afalg.h>
 #include <linux/if_alg.h>
+#include <sys/socket.h>
+
+#ifndef SOCK_CLOEXEC
+    #define SOCK_CLOEXEC 0
+#endif
 
 
 /* Sets the type of socket address to use */
@@ -70,7 +75,7 @@ int wc_Afalg_Socket(void)
 {
     int sock;
 
-    if ((sock = socket(AF_ALG, SOCK_SEQPACKET | WC_SOCK_CLOEXEC, 0)) < 0) {
+    if ((sock = socket(AF_ALG, SOCK_SEQPACKET | SOCK_CLOEXEC, 0)) < 0) {
         WOLFSSL_MSG("Failed to get AF_ALG socket");
         return WC_AFALG_SOCK_E;
     }

wolfcrypt/src/port/caam/wolfcaam_qnx.c

@@ -36,6 +36,10 @@
 
 #include <errno.h>
 
+#ifndef O_CLOEXEC
+    #define O_CLOEXEC 0
+#endif
+
 /* for devctl use */
 int caamFd = -1;
 static wolfSSL_Mutex caamMutex;
@@ -48,7 +52,7 @@ int wc_CAAMInitInterface()
         return -1;
     }
 
-    caamFd = open("/dev/wolfCrypt", O_RDWR | WC_CLOEXEC);
+    caamFd = open("/dev/wolfCrypt", O_RDWR | O_CLOEXEC);
     if (caamFd < 0) {
         WOLFSSL_MSG("Could not open /dev/wolfCrypt");
         return -1;

wolfcrypt/src/port/devcrypto/wc_devcrypto.c

@@ -27,10 +27,14 @@ static volatile int fd;
 
 #include <wolfssl/wolfcrypt/port/devcrypto/wc_devcrypto.h>
 
+#ifndef O_CLOEXEC
+    #define O_CLOEXEC 0
+#endif
+
 int wc_DevCryptoInit(void)
 {
     /* create descriptor */
-    if ((fd = open("/dev/crypto", O_RDWR | WC_CLOEXEC, 0)) < 0) {
+    if ((fd = open("/dev/crypto", O_RDWR | O_CLOEXEC, 0)) < 0) {
         WOLFSSL_MSG("Error opening /dev/crypto is cryptodev module loaded?");
         return WC_DEVCRYPTO_E;
     }

wolfcrypt/src/port/intel/quickassist_mem.c

@@ -58,6 +58,10 @@
 #include <sys/ioctl.h>
 #include <sys/mman.h>
 
+#ifndef O_CLOEXEC
+    #define O_CLOEXEC 0
+#endif
+
 #ifdef SAL_IOMMU_CODE
     #include <icp_sal_iommu.h>
 #endif
@@ -714,7 +718,7 @@ CpaStatus qaeMemInit(void)
 {
     if (g_qaeMemFd < 0) {
     #ifndef QAT_V2
-        g_qaeMemFd = open(QAE_MEM, O_RDWR | WC_CLOEXEC);
+        g_qaeMemFd = open(QAE_MEM, O_RDWR | O_CLOEXEC);
         if (g_qaeMemFd < 0) {
             printf("unable to open %s %d\n", QAE_MEM, g_qaeMemFd);
             return CPA_STATUS_FAIL;

wolfcrypt/src/random.c

@@ -213,6 +213,12 @@ This library contains implementation for the random number generator.
     #ifndef EBSNET
         #include <unistd.h>
     #endif
+    /* O_CLOEXEC is preferred (atomic close-on-exec at open() time) but
+     * is unavailable on older kernels and some platforms; fall back to a
+     * no-op so the | flag has no effect. */
+    #ifndef O_CLOEXEC
+        #define O_CLOEXEC 0
+    #endif
 #endif
 
 #if defined(WOLFSSL_SILABS_SE_ACCEL)
@@ -3829,15 +3835,15 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
         if (!os->seedFdOpen)
         {
         #ifndef NO_DEV_URANDOM /* way to disable use of /dev/urandom */
-            os->fd = open("/dev/urandom", O_RDONLY | WC_CLOEXEC);
+            os->fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
             #if defined(DEBUG_WOLFSSL)
                 WOLFSSL_MSG("opened /dev/urandom.");
             #endif /* DEBUG_WOLFSSL */
             if (os->fd == XBADFD)
         #endif /* NO_DEV_URANDOM */
             {
                 /* may still have /dev/random */
-                os->fd = open("/dev/random", O_RDONLY | WC_CLOEXEC);
+                os->fd = open("/dev/random", O_RDONLY | O_CLOEXEC);
             #if defined(DEBUG_WOLFSSL)
                 WOLFSSL_MSG("opened /dev/random.");
             #endif /* DEBUG_WOLFSSL */
@@ -3855,15 +3861,15 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
         }
     #else /* WOLFSSL_KEEP_RNG_SEED_FD_OPEN */
         #ifndef NO_DEV_URANDOM /* way to disable use of /dev/urandom */
-        os->fd = open("/dev/urandom", O_RDONLY | WC_CLOEXEC);
+        os->fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
         #if defined(DEBUG_WOLFSSL)
             WOLFSSL_MSG("opened /dev/urandom.");
         #endif /* DEBUG_WOLFSSL */
         if (os->fd == XBADFD)
         #endif /* !NO_DEV_URANDOM */
         {
             /* may still have /dev/random */
-            os->fd = open("/dev/random", O_RDONLY | WC_CLOEXEC);
+            os->fd = open("/dev/random", O_RDONLY | O_CLOEXEC);
         #if defined(DEBUG_WOLFSSL)
             WOLFSSL_MSG("opened /dev/random.");
         #endif /* DEBUG_WOLFSSL */
@@ -3940,11 +3946,14 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
 
 #if defined(CUSTOM_RAND_GENERATE_BLOCK) && defined(WOLFSSL_KCAPI)
 #include <fcntl.h>
+#ifndef O_CLOEXEC
+    #define O_CLOEXEC 0
+#endif
 int wc_hwrng_generate_block(byte *output, word32 sz)
 {
     int fd;
     int ret = 0;
-    fd = open("/dev/hwrng", O_RDONLY | WC_CLOEXEC);
+    fd = open("/dev/hwrng", O_RDONLY | O_CLOEXEC);
     if (fd == -1)
         return OPEN_RAN_E;
     while(sz)