From 7a7e59d2a973458c4eab0d1b52590966a478d825 Mon Sep 17 00:00:00 2001
From: Andrey Arapov
Date: Sun, 25 Jan 2015 13:48:11 +0100
Subject: [PATCH] socat: Update from 1.7.2.4 to 1.7.3.0, fixes a possible denial of service attack

socat: Update from 1.7.2.4 to 1.7.3.0, fixes a possible denial of service attack (CVE Id pending), improves SSL client security, and provides a couple of bug and porting fixes.

Among new features, socat now enables OpenSSL server side use of ECDHE ciphers, providing PFS (Perfect Forward Secrecy)

http://www.dest-unreach.org/socat/doc/CHANGES
---
 pkgs/tools/networking/socat/default.nix | 6 ++++--
 .../tools/networking/socat/enable-ecdhe.patch | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 pkgs/tools/networking/socat/enable-ecdhe.patch

diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix
index e33edaa32da..65d3b01e89c 100644
--- a/pkgs/tools/networking/socat/default.nix
+++ b/pkgs/tools/networking/socat/default.nix
@@ -1,15 +1,17 @@
 { stdenv, fetchurl, openssl }:
 stdenv.mkDerivation rec {
- name = "socat-1.7.2.4";
+ name = "socat-1.7.3.0";
 src = fetchurl {
 url = "http://www.dest-unreach.org/socat/download/${name}.tar.bz2";
- sha256 = "028yjka2zr6j1i8pmfmvzqki8ajczdl1hnry1x31xbbg3j83jxsb";
+ sha256 = "011ydc0x8camplf8l6mshs3v5fswarld8v0wf7grz6rjq18fhrq7";
 };
 buildInputs = [ openssl ];
+ patches = [ ./enable-ecdhe.patch ];
+
 meta = {
 description = "A utility for bidirectional data transfer between two independent data channels";
 homepage = http://www.dest-unreach.org/socat/;
diff --git a/pkgs/tools/networking/socat/enable-ecdhe.patch b/pkgs/tools/networking/socat/enable-ecdhe.patch
new file mode 100644
index 00000000000..ad63ec287bc
--- /dev/null
+++ b/pkgs/tools/networking/socat/enable-ecdhe.patch
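Review bot: The new `patches = [ ./enable-ecdhe.patch ];` line carries no comment explaining why a freshly released upstream version needs a local patch, and the commit message's statement that 1.7.3.0 itself "enables ECDHE" makes the patch look redundant, so the next maintainer bumping the version has no signal for when it can be dropped. A comment above the line such as `# 1.7.3.0 wraps its ECDHE setup in #if defined(EC_KEY), which appears never to hold (EC_KEY is a typedef, not a macro), so without this patch the server never offers ECDHE; re-check on the next upstream bump` would record that rationale next to the code. The `meta` block continues past the end of the hunk.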
@@ -0,0 +1,19 @@
+--- socat-1.7.3.0/xio-openssl.c 2015-01-24 15:33:42.000000000 +0100
++++ socat-1.7.3.0-ecdhe/xio-openssl.c 2015-01-25 13:38:54.353641097 +0100
+@@ -960,7 +960,6 @@
+ }
+ }
+
+-#if defined(EC_KEY) /* not on Openindiana 5.11 */
+ {
+ /* see http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html */
+ int nid;
+@@ -982,7 +981,6 @@
+
+ SSL_CTX_set_tmp_ecdh(*ctx, ecdh);
+ }
+-#endif /* !defined(EC_KEY) */
+
+ #if OPENSSL_VERSION_NUMBER >= 0x00908000L
+ if (opt_compress) {
+
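Review bot: Removing the `#if defined(EC_KEY)` / `#endif` pair in the two sub-hunks makes the ECDHE setup around `SSL_CTX_set_tmp_ecdh(*ctx, ecdh);` unconditional, so a build against an OpenSSL configured without elliptic-curve support would now fail to compile where the guarded code previously compiled with ECDHE skipped. Presumably the guard is dropped because `EC_KEY` is a typedef rather than a macro, so `defined(EC_KEY)` never holds and the server never actually offered ECDHE; replacing it with `#ifndef OPENSSL_NO_EC` and `#endif /* !OPENSSL_NO_EC */` (the macro OpenSSL's opensslconf.h defines for EC-less builds) keeps the feature enabled while retaining the portability fallback. Nothing in the patch file or the commit states why the upstream guard is wrong, so a short header comment in the patch file giving that rationale would help whoever re-evaluates it on the next upstream bump. The function containing this block in xio-openssl.c starts and ends outside the hunk.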