Merge pull request #5951 from arno01/socat

socat: Update from 1.7.2.4 to 1.7.3.0, fixes a possible denial of service attack

pkgs/tools/networking/socat/default.nix

@@ -1,15 +1,17 @@
 { stdenv, fetchurl, openssl }:
 
 stdenv.mkDerivation rec {
-  name = "socat-1.7.2.4";
+  name = "socat-1.7.3.0";
 
   src = fetchurl {
     url = "http://www.dest-unreach.org/socat/download/${name}.tar.bz2";
-    sha256 = "028yjka2zr6j1i8pmfmvzqki8ajczdl1hnry1x31xbbg3j83jxsb";
+    sha256 = "011ydc0x8camplf8l6mshs3v5fswarld8v0wf7grz6rjq18fhrq7";
   };
 
   buildInputs = [ openssl ];
 
+  patches = [ ./enable-ecdhe.patch ];
+
   meta = {
     description = "A utility for bidirectional data transfer between two independent data channels";
     homepage = http://www.dest-unreach.org/socat/;

pkgs/tools/networking/socat/enable-ecdhe.patch

@@ -0,0 +1,19 @@
+--- socat-1.7.3.0/xio-openssl.c	2015-01-24 15:33:42.000000000 +0100
++++ socat-1.7.3.0-ecdhe/xio-openssl.c	2015-01-25 13:38:54.353641097 +0100
+@@ -960,7 +960,6 @@
+       }
+    }
+
+-#if defined(EC_KEY)	/* not on Openindiana 5.11 */
+    {
+       /* see http://openssl.6102.n7.nabble.com/Problem-with-cipher-suite-ECDHE-ECDSA-AES256-SHA384-td42229.html */
+       int	 nid;
+@@ -982,7 +981,6 @@
+
+       SSL_CTX_set_tmp_ecdh(*ctx, ecdh);
+    }
+-#endif /* !defined(EC_KEY) */
+
+ #if OPENSSL_VERSION_NUMBER >= 0x00908000L
+    if (opt_compress) {
+