From: Martin Osvald <mosvald@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/socat] rawhide: Add test for openssl-groups option
Date: Tue, 16 Jun 2026 13:56:55 GMT
Message-ID: <178161821570.1.16913441207906055693.rpms-socat-b584fb53cb95@fedoraproject.org>
A new commit has been pushed.
Repo : rpms/socat
Branch : rawhide
Commit : b584fb53cb9508da637a8baf3fd71001e56976ad
Author : Martin Osvald <mosvald@redhat.com>
Date : 2026-06-16T13:56:31+00:00
Stats : +121/-0 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/socat/c/b584fb53cb9508da637a8baf3fd71001e56976ad?branch=rawhide
Log:
Add test for openssl-groups option
---
diff --git a/socat-1.8.1.1-test-openssl-groups.patch b/socat-1.8.1.1-test-openssl-groups.patch
new file mode 100644
index 0000000..3bfee3a
--- /dev/null
+++ b/socat-1.8.1.1-test-openssl-groups.patch
@@ -0,0 +1,120 @@
+Add test for openssl-groups option
+
+Adds a test case to test.sh for the openssl-groups option. The test
+verifies that TLS key exchange groups can be configured and are
+actually negotiated as specified.
+
+The test uses openssl s_client to connect and verify group negotiation,
+following the pattern of existing OpenSSL tests like OPENSSL_COMPRESS.
+
+Test scenarios:
+1. Server with openssl-groups=prime256v1:secp384r1 negotiates prime256v1
+2. Server with openssl-groups=X25519:prime256v1 prefers X25519 (best-effort)
+
+The test gracefully handles OpenSSL version differences and skips if
+prerequisites are not available.
+
+Co-developed-by: Claude AI <noreply@anthropic.com>
+Signed-off-by: Martin Osvald <mosvald@redhat.com>
+
+diff --git a/test.sh b/test.sh
+index 53bbb2a..a377352 100755
+--- a/test.sh
++++ b/test.sh
+@@ -21129,6 +21129,96 @@ fi ;; # NUMCOND
+ esac
+ N=$((N+1))
+
++NAME=OPENSSL_GROUPS
++case "$TESTS" in
++*%$N%*|*%functions%*|*%openssl%*|*%tcp%*|*%tcp4%*|*%ip4%*|*%$NAME%*)
++TEST="$NAME: OpenSSL groups option"
++if ! eval $NUMCOND; then :;
++elif ! testfeats openssl >/dev/null; then
++ $PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
++ cant
++elif ! testfeats listen tcp ip4 >/dev/null || ! runsip4 >/dev/null; then
++ $PRINTF "test $F_n $TEST... ${YELLOW}TCP/IPv4 not available${NORMAL}\n" $N
++ cant
++elif ! testoptions openssl-groups >/dev/null; then
++ $PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL groups option not available${NORMAL}\n" $N
++ cant
++elif ! type openssl >/dev/null 2>&1; then
++ $PRINTF "test $F_n $TEST... ${YELLOW}openssl executable not available${NORMAL}\n" $N
++ cant
++else
++ gentestcert testsrv
++ printf "test $F_n $TEST... " $N
++ tf="$td/test$N.stdout"
++ te="$td/test$N.stderr"
++ success=yes
++
++ # Test 1: Verify prime256v1 is negotiated when specified
++ newport tcp4 # provide free port number in $PORT
++ CMD1="$TRACE $SOCAT $opts OPENSSL-LISTEN:$PORT,pf=ip4,$REUSEADDR,$SOCAT_EGD,cert=testsrv.crt,key=testsrv.key,verify=0,openssl-groups=prime256v1:secp384r1 PIPE"
++ $CMD1 2>"${te}1" &
++ pid0=$!
++ waittcp4port $PORT 1
++ # Connect with s_client requesting prime256v1 or X25519, should get prime256v1
++ echo "test" | openssl s_client -connect $LOCALHOST:$PORT -groups prime256v1:X25519 2>&1 | \
++ tee "${tf}1" | grep -q "prime256v1\|P-256"
++ rc1=$?
++ kill $pid0 2>/dev/null
++ wait $pid0 2>/dev/null || true
++
++ if [ $rc1 -ne 0 ]; then
++ success=
++ fi
++
++ # Test 2: Verify X25519 is negotiated when preferred
++ if [ -n "$success" ]; then
++ newport tcp4 # provide free port number in $PORT
++ CMD2="$TRACE $SOCAT $opts OPENSSL-LISTEN:$PORT,pf=ip4,$REUSEADDR,$SOCAT_EGD,cert=testsrv.crt,key=testsrv.key,verify=0,openssl-groups=X25519:prime256v1 PIPE"
++ $CMD2 2>"${te}2" &
++ pid0=$!
++ waittcp4port $PORT 1
++ # Connect with s_client supporting both, should get X25519
++ echo "test" | openssl s_client -connect $LOCALHOST:$PORT -groups X25519:prime256v1 2>&1 | \
++ tee "${tf}2" | grep -q "X25519\|x25519"
++ rc2=$?
++ kill $pid0 2>/dev/null
++ wait $pid0 2>/dev/null || true
++
++ # X25519 test is best-effort; if it fails, just check that connection worked
++ if [ $rc2 -ne 0 ]; then
++ # Check if at least some group was negotiated
++ if grep -q "prime256v1\|P-256\|secp384r1" "${tf}2"; then
++ : # Connection worked with fallback, that's acceptable
++ else
++ success=
++ fi
++ fi
++ fi
++
++ if [ -z "$success" ]; then
++ $PRINTF "$FAILED: $TRACE $SOCAT:\n"
++ if [ ! -f "${tf}2" ]; then
++ echo "$CMD1 &"
++ cat "${te}1"
++ echo "Output:"
++ cat "${tf}1"
++ else
++ echo "$CMD2 &"
++ cat "${te}2"
++ echo "Output:"
++ cat "${tf}2"
++ fi
++ failed
++ else
++ $PRINTF "$OK\n"
++ if [ -n "$debug" ]; then cat "${te}1" "${te}2" 2>/dev/null; fi
++ ok
++ fi
++fi ;; # NUMCOND, feats
++esac
++N=$((N+1))
++
++
+ # >>>
+
+ # end of common tests
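Review bot: The Test 2 fallback accepts a group that neither side was configured with: the server runs with openssl-groups=X25519:prime256v1 and s_client with -groups X25519:prime256v1, yet grep -q "prime256v1\|P-256\|secp384r1" "${tf}2" treats secp384r1 as a pass, which would rather indicate the option was not honoured. Drop secp384r1 from that pattern. Both greps also match anywhere in the s_client output instead of on the line that reports the negotiated key exchange, so a match elsewhere in the output would pass; match that line specifically. Finally, in both scenarios the first group offered by the client is one the server list also allows, so the checks would probably still pass if openssl-groups were silently ignored; a case where s_client offers first a group the server list excludes (for example -groups X25519:prime256v1 against openssl-groups=prime256v1:secp384r1) would show that the restriction is enforced.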
diff --git a/socat.spec b/socat.spec
index 8700477..8b2b43d 100644
--- a/socat.spec
+++ b/socat.spec
@@ -10,6 +10,7 @@ Source: http://www.dest-unreach.org/socat/download/%{name}-%{version}.tar.gz
Patch1: socat-1.8.1.0-openssl4.patch
Patch2: socat-1.8.1.1-openssl-groups.patch
+Patch3: socat-1.8.1.1-test-openssl-groups.patch
BuildRequires: make
BuildRequires: gcc
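Review bot: The Patch3 line is the only change to socat.spec in this commit (one of the +121 lines), so nothing visible here shows the patch being applied or the new OPENSSL_GROUPS case being run at build time. If the spec applies patches with explicit %patch lines rather than %autosetup, a matching entry is needed, and the test only has value if %check runs test.sh. A short comment above Patch3 stating the upstream status of the test would also help.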