[rpms/socat] rawhide: Add openssl-groups option for post-quantum key exchange

[Martin Osvald <mosvald@redhat.com>]

A new commit has been pushed.

Repo   : rpms/socat
Branch : rawhide
Commit : a1315d09bb394e9b6c2a7d3cef5b97d0d5451c11
Author : Martin Osvald <mosvald@redhat.com>
Date   : 2026-06-16T13:56:31+00:00
Stats  : +146/-0 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/socat/c/a1315d09bb394e9b6c2a7d3cef5b97d0d5451c11?branch=rawhide

Log:
Add openssl-groups option for post-quantum key exchange

---
diff --git a/socat-1.8.1.1-openssl-groups.patch b/socat-1.8.1.1-openssl-groups.patch
new file mode 100644
index 0000000..990ee71
--- /dev/null
+++ b/socat-1.8.1.1-openssl-groups.patch
@@ -0,0 +1,145 @@
+Add openssl-groups option for post-quantum key exchange
+
+Enable configuration of TLS key exchange groups to support post-quantum
+cryptography hybrid KEMs like X25519MLKEM768. Replaces hardcoded P-256
+with modern SSL_CTX_set1_groups_list() API for OpenSSL 1.1.0+.
+
+Co-developed-by: Claude AI <noreply@anthropic.com>
+Signed-off-by: Martin Osvald <mosvald@redhat.com>
+
+diff --git a/doc/socat.1 b/doc/socat.1
+index 131a2b2..c1f2d0b 100644
+--- a/doc/socat.1
++++ b/doc/socat.1
+@@ -3782,6 +3782,13 @@ to proof that it is the owner of a certificate needs the private key\&.
+ Specifies the file with the Diffie Hellman parameters\&. These parameters may
+ also be in the file given with the cert
+ option in which case the dhparams option is not needed\&.
++.IP "\fB\f(CWopenssl-groups=<groups\-list>\fP\fP"
++Specifies the list of key exchange groups (curves) for the
++connection\&. The <groups\-list> is a colon\-separated list of
++group names in preference order\&. Useful for enabling post\-quantum
++cryptography (PQC) in TLS 1\&.3, e\&.g\&.,
++\(dq\&X25519MLKEM768:X25519:prime256v1\(dq\&\&. Requires OpenSSL 1\&.1\&.0 or
++higher\&. If not specified, OpenSSL uses its built\-in defaults\&.
+ .IP "\fB\f(CWcafile=<filename>\fP\fP"
+ Specifies the file with the trusted (root) authority certificates\&. The file
+ must be in PEM format and should contain one or more certificates\&. The party
+diff --git a/doc/socat.yo b/doc/socat.yo
+index a8c03f3..30697cf 100644
+--- a/doc/socat.yo
++++ b/doc/socat.yo
+@@ -3398,6 +3398,12 @@ label(OPTION_OPENSSL_DHPARAMS)dit(bf(tt(dhparams=<filename>)))
+    Specifies the file with the Diffie Hellman parameters. These parameters may
+    also be in the file given with the link(cert)(OPTION_OPENSSL_CERTIFICATE)
+    option in which case the dhparams option is not needed.
++label(OPTION_OPENSSL_GROUPS)dit(bf(tt(openssl-groups=<groups-list>)))
++   Specifies the list of key exchange groups (curves) for the connection.
++   The bf(tt(<groups-list>)) is a colon-separated list of group names in
++   preference order, e.g. tt(X25519MLKEM768:X25519:prime256v1). Useful for
++   enabling post-quantum cryptography (PQC) in TLS 1.3. Requires OpenSSL 1.1.0
++   or higher. If not specified, OpenSSL uses its built-in defaults.
+ label(OPTION_OPENSSL_CAFILE)dit(bf(tt(cafile=<filename>)))
+    Specifies the file with the trusted (root) authority certificates. The file
+    must be in PEM format and should contain one or more certificates. The party
+diff --git a/xio-openssl.c b/xio-openssl.c
+index e328ee2..e91b61b 100644
+--- a/xio-openssl.c
++++ b/xio-openssl.c
+@@ -121,6 +121,7 @@ const struct optdesc opt_openssl_key         = { "openssl-key",         "key",
+ const struct optdesc opt_openssl_dhparam     = { "openssl-dhparam",     "dh",    OPT_OPENSSL_DHPARAM,     GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
+ const struct optdesc opt_openssl_cafile      = { "openssl-cafile",     "cafile", OPT_OPENSSL_CAFILE,      GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
+ const struct optdesc opt_openssl_capath      = { "openssl-capath",     "capath", OPT_OPENSSL_CAPATH,      GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
++const struct optdesc opt_openssl_groups      = { "openssl-groups",     NULL,     OPT_OPENSSL_GROUPS,      GROUP_OPENSSL, PH_SPEC, TYPE_STRING,   OFUNC_SPEC };
+ const struct optdesc opt_openssl_egd         = { "openssl-egd",        "egd",    OPT_OPENSSL_EGD,         GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
+ #if HAVE_SSL_CTX_set_tlsext_max_fragment_length || defined(SSL_CTX_set_tlsext_max_fragment_length)
+ const struct optdesc opt_openssl_maxfraglen  = { "openssl-maxfraglen",  "maxfraglen",  OPT_OPENSSL_MAXFRAGLEN,  GROUP_OPENSSL, PH_SPEC, TYPE_INT, OFUNC_SPEC };
+@@ -1340,20 +1341,30 @@ cont_out:
+       ;
+    }
+ 
+-#if HAVE_TYPE_EC_KEY	/* not on Openindiana 5.11 */
++   /* Configure supported groups/curves for key exchange */
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+    {
+-      /* see http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html */
+-      int	 nid;
+-      EC_KEY *ecdh;
++      char *opt_groups = NULL;
+ 
+-#if 0
+-      nid = OBJ_sn2nid(ECDHE_CURVE);
+-      if (nid == NID_undef) {
+-	 Error("openssl: failed to set ECDHE parameters");
+-	 return -1;
++      retropt_string(opts, OPT_OPENSSL_GROUPS, &opt_groups);
++
++      if (opt_groups != NULL) {
++         if (!SSL_CTX_set1_groups_list(ctx, opt_groups)) {
++            Warn2("SSL_CTX_set1_groups_list(ctx, \"%s\"): %s",
++                  opt_groups, ERR_error_string(ERR_get_error(), NULL));
++            Error1("Failed to set OpenSSL groups: %s", opt_groups);
++            return -1;
++         }
++         Info1("OpenSSL key exchange groups set to: %s", opt_groups);
++      } else {
++         Debug("OpenSSL groups not specified, using library defaults");
+       }
+-#endif
+-      nid = NID_X9_62_prime256v1;
++   }
++#elif HAVE_TYPE_EC_KEY
++   /* Legacy API for OpenSSL < 1.1.0: single curve only, no PQC support */
++   {
++      int nid = NID_X9_62_prime256v1;
++      EC_KEY *ecdh;
+       ecdh = EC_KEY_new_by_curve_name(nid);
+       if (NULL == ecdh) {
+ 	 Error("openssl: failed to set ECDHE parameters");
+@@ -1361,8 +1372,9 @@ cont_out:
+       }
+ 
+       SSL_CTX_set_tmp_ecdh(ctx, ecdh);
++      EC_KEY_free(ecdh);
+    }
+-#endif /* HAVE_TYPE_EC_KEY */
++#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x00908000L
+    if (opt_compress) {
+diff --git a/xio-openssl.h b/xio-openssl.h
+index 3570856..6495b73 100644
+--- a/xio-openssl.h
++++ b/xio-openssl.h
+@@ -23,6 +23,7 @@ extern const struct optdesc opt_openssl_verify;
+ extern const struct optdesc opt_openssl_certificate;
+ extern const struct optdesc opt_openssl_key;
+ extern const struct optdesc opt_openssl_dhparam;
++extern const struct optdesc opt_openssl_groups;
+ extern const struct optdesc opt_openssl_cafile;
+ extern const struct optdesc opt_openssl_capath;
+ extern const struct optdesc opt_openssl_egd;
+diff --git a/xioopts.c b/xioopts.c
+index 685370a..92f0167 100644
+--- a/xioopts.c
++++ b/xioopts.c
+@@ -1306,6 +1306,7 @@ const struct optname optionnames[] = {
+ 	IF_OPENSSL("openssl-dhparam",	&opt_openssl_dhparam)
+ 	IF_OPENSSL("openssl-dhparams",	&opt_openssl_dhparam)
+ 	IF_OPENSSL("openssl-egd",	&opt_openssl_egd)
++	IF_OPENSSL("openssl-groups",	&opt_openssl_groups)
+ #if WITH_FIPS
+ 	IF_OPENSSL("openssl-fips",	&opt_openssl_fips)
+ #endif
+diff --git a/xioopts.h b/xioopts.h
+index edd6134..96a704f 100644
+--- a/xioopts.h
++++ b/xioopts.h
+@@ -526,6 +526,7 @@ enum e_optcode {
+    OPT_OPENSSL_CERTIFICATE,
+    OPT_OPENSSL_CIPHERLIST,
+    OPT_OPENSSL_COMMONNAME,
++   OPT_OPENSSL_GROUPS,
+ #if OPENSSL_VERSION_NUMBER >= 0x00908000L
+    OPT_OPENSSL_COMPRESS,
+ #endif

diff --git a/socat.spec b/socat.spec
index 210bf2f..8700477 100644
--- a/socat.spec
+++ b/socat.spec
@@ -9,6 +9,7 @@ Url:  http://www.dest-unreach.org/socat/
 Source: http://www.dest-unreach.org/socat/download/%{name}-%{version}.tar.gz
 
 Patch1: socat-1.8.1.0-openssl4.patch
+Patch2: socat-1.8.1.1-openssl-groups.patch
 
 BuildRequires: make
 BuildRequires:  gcc