* [rpms/socat] rawhide: Add test for openssl-groups option
@ 2026-06-16 13:56 Martin Osvald
From: Martin Osvald @ 2026-06-16 13:56 UTC (permalink / raw)
  To: git-commits

A new commit has been pushed.

Repo   : rpms/socat
Branch : rawhide
Commit : b584fb53cb9508da637a8baf3fd71001e56976ad
Author : Martin Osvald <mosvald@redhat.com>
Date   : 2026-06-16T13:56:31+00:00
Stats  : +121/-0 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/socat/c/b584fb53cb9508da637a8baf3fd71001e56976ad?branch=rawhide

Log:
Add test for openssl-groups option

---
diff --git a/socat-1.8.1.1-test-openssl-groups.patch b/socat-1.8.1.1-test-openssl-groups.patch
new file mode 100644
index 0000000..3bfee3a
--- /dev/null
+++ b/socat-1.8.1.1-test-openssl-groups.patch
@@ -0,0 +1,120 @@
+Add test for openssl-groups option
+
+Adds a test case to test.sh for the openssl-groups option. The test
+verifies that TLS key exchange groups can be configured and are
+actually negotiated as specified.
+
+The test uses openssl s_client to connect and verify group negotiation,
+following the pattern of existing OpenSSL tests like OPENSSL_COMPRESS.
+
+Test scenarios:
+1. Server with openssl-groups=prime256v1:secp384r1 negotiates prime256v1
+2. Server with openssl-groups=X25519:prime256v1 prefers X25519 (best-effort)
+
+The test gracefully handles OpenSSL version differences and skips if
+prerequisites are not available.
+
+Co-developed-by: Claude AI <noreply@anthropic.com>
+Signed-off-by: Martin Osvald <mosvald@redhat.com>
+
+diff --git a/test.sh b/test.sh
+index 53bbb2a..a377352 100755
+--- a/test.sh
++++ b/test.sh
+@@ -21129,6 +21129,96 @@ fi ;; # NUMCOND
+ esac
+ N=$((N+1))
+ 
++NAME=OPENSSL_GROUPS
++case "$TESTS" in
++*%$N%*|*%functions%*|*%openssl%*|*%tcp%*|*%tcp4%*|*%ip4%*|*%$NAME%*)
++TEST="$NAME: OpenSSL groups option"
++if ! eval $NUMCOND; then :;
++elif ! testfeats openssl >/dev/null; then
++    $PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
++    cant
++elif ! testfeats listen tcp ip4 >/dev/null || ! runsip4 >/dev/null; then
++    $PRINTF "test $F_n $TEST... ${YELLOW}TCP/IPv4 not available${NORMAL}\n" $N
++    cant
++elif ! testoptions openssl-groups >/dev/null; then
++    $PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL groups option not available${NORMAL}\n" $N
++    cant
++elif ! type openssl >/dev/null 2>&1; then
++    $PRINTF "test $F_n $TEST... ${YELLOW}openssl executable not available${NORMAL}\n" $N
++    cant
++else
++    gentestcert testsrv
++    printf "test $F_n $TEST... " $N
++    tf="$td/test$N.stdout"
++    te="$td/test$N.stderr"
++    success=yes
++
++    # Test 1: Verify prime256v1 is negotiated when specified
++    newport tcp4 	# provide free port number in $PORT
++    CMD1="$TRACE $SOCAT $opts OPENSSL-LISTEN:$PORT,pf=ip4,$REUSEADDR,$SOCAT_EGD,cert=testsrv.crt,key=testsrv.key,verify=0,openssl-groups=prime256v1:secp384r1 PIPE"
++    $CMD1 2>"${te}1" &
++    pid0=$!
++    waittcp4port $PORT 1
++    # Connect with s_client requesting prime256v1 or X25519, should get prime256v1
++    echo "test" | openssl s_client -connect $LOCALHOST:$PORT -groups prime256v1:X25519 2>&1 | \
++        tee "${tf}1" | grep -q "prime256v1\|P-256"
++    rc1=$?
++    kill $pid0 2>/dev/null
++    wait $pid0 2>/dev/null || true
++
++    if [ $rc1 -ne 0 ]; then
++        success=
++    fi
++
++    # Test 2: Verify X25519 is negotiated when preferred
++    if [ -n "$success" ]; then
++        newport tcp4 	# provide free port number in $PORT
++        CMD2="$TRACE $SOCAT $opts OPENSSL-LISTEN:$PORT,pf=ip4,$REUSEADDR,$SOCAT_EGD,cert=testsrv.crt,key=testsrv.key,verify=0,openssl-groups=X25519:prime256v1 PIPE"
++        $CMD2 2>"${te}2" &
++        pid0=$!
++        waittcp4port $PORT 1
++        # Connect with s_client supporting both, should get X25519
++        echo "test" | openssl s_client -connect $LOCALHOST:$PORT -groups X25519:prime256v1 2>&1 | \
++            tee "${tf}2" | grep -q "X25519\|x25519"
++        rc2=$?
++        kill $pid0 2>/dev/null
++        wait $pid0 2>/dev/null || true
++
++        # X25519 test is best-effort; if it fails, just check that connection worked
++        if [ $rc2 -ne 0 ]; then
++            # Check if at least some group was negotiated
++            if grep -q "prime256v1\|P-256\|secp384r1" "${tf}2"; then
++                : # Connection worked with fallback, that's acceptable
++            else
++                success=
++            fi
++        fi
++    fi
++
++    if [ -z "$success" ]; then
++        $PRINTF "$FAILED: $TRACE $SOCAT:\n"
++        if [ ! -f "${tf}2" ]; then
++            echo "$CMD1 &"
++            cat "${te}1"
++            echo "Output:"
++            cat "${tf}1"
++        else
++            echo "$CMD2 &"
++            cat "${te}2"
++            echo "Output:"
++            cat "${tf}2"
++        fi
++        failed
++    else
++        $PRINTF "$OK\n"
++        if [ -n "$debug" ]; then cat "${te}1" "${te}2" 2>/dev/null; fi
++        ok
++    fi
++fi ;; # NUMCOND, feats
++esac
++N=$((N+1))
++
++
+ # >>>
+ 
+ # end of common tests
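Review bot: Test 1 cannot tell an enforced `openssl-groups` from an ignored one, because s_client is run with `-groups prime256v1:X25519`, so its first choice is prime256v1, which a listener using stock OpenSSL group defaults would most likely accept as well. Offering a first choice the server has to refuse would make the result depend on the option, e.g. `openssl s_client -connect $LOCALHOST:$PORT -groups X25519:prime256v1` against the `prime256v1:secp384r1` listener, still expecting prime256v1. Test 2 has the same weakness, since both sides list `X25519:prime256v1`, and its fallback grep also accepts `secp384r1`, which neither side offers in that scenario. Both greps scan the whole merged stdout/stderr of s_client rather than only the line that reports the negotiated group, so a match anywhere else in the output counts as success. Since this option exists to restrict key exchange, a test that passes without enforcement gives false assurance about the hardening it is meant to cover.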

diff --git a/socat.spec b/socat.spec
index 8700477..8b2b43d 100644
--- a/socat.spec
+++ b/socat.spec
@@ -10,6 +10,7 @@ Source: http://www.dest-unreach.org/socat/download/%{name}-%{version}.tar.gz
 
 Patch1: socat-1.8.1.0-openssl4.patch
 Patch2: socat-1.8.1.1-openssl-groups.patch
+Patch3: socat-1.8.1.1-test-openssl-groups.patch
 
 BuildRequires: make
 BuildRequires:  gcc
