test.sh now produces a list of tests that could not be performed for
any reason. This helps to analyse these cases.

OpenSSL s_server apparently started to neglect TCP's half close feature.
Test OPENSSL_TCP4 has been changed to tolerate this.

OpenSSL changed its behaviour when a connection is rejected. Tests
OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and
OPENSSL_CN_SERVER_SECURITY now tolerate this.

OpenSSL no longer allows explicit renegotiation with TLSv1.3, thus the
appropriate tests failed.
Fix: use TLSv1.2 for renegotiation tests
Tests: OPENSSLRENEG1 OPENSSLRENEG2

Ubuntu 20.04 requires 2048 bit certificates with OpenSSL

Archlinux 2020 has no which command; its ip,ss commands have modified

####################### V 1.7.3.4:

Header of xiotermios_speed() declared parameter unsigned int instead of
speed_t, thus compiling failed on MacOS
Thanks to Joe Strout and others for reporting this bug.
Thanks to Andrew Childs and others for sending a patch.

Under certain circumstances, termios options of the first address were
applied to the second address, resulting in error
"Inappropriate ioctl for device"
This affected version 1.7.3.3 only.
Thanks to Ivan J. for reporting this issue.

Socat failed to compile when no poll() system call was found by
Thanks to Jason White for sending a patch.

Due to use of SSL_CTX_clear_mode() Socat failed to compile on old
systems with, e.g., OpenSSL-0.9.8. Thanks to Simon Matter and Moritz B.
for reporting this problem and sending initial patches.

getaddrinfo() in IP4-SENDTO and IP6-SENDTO addresses failed with
"ai_socktype not supported" when protocol 6 was addressed.
The fix removes the possibility to use service names with SCTP.
Thanks to Sören for sending an initial patch.

Under certain circumstances, Socat printed the "socket ... is at EOF"

Newer parts of test.sh used substitutions ${x,,*} or ${x^^*} that are
not implemented in older bash versions.

####################### V 1.7.3.3:

Makefile.in did not specify dependencies of filan on vsnprintf_r.o
Added definition of FILAN_OBJS
Thanks to Craig Leres, Clayton Shotwell, and Chris Packham for

configure option --enable-msglevel did not work with numbers

The autoconf mechanism for determining SHIFT_OFFSET did not work when
Thanks to Max Freisinger from Gentoo for sending a patch.

Socat still depended on obsolete gethostbyname() function, thus
compiling with MUSL libc failed.
Problem reported by Kennedy33.

The async signal safe diagnostic system used FDs 3 and 4 internally, so
use of appropriate fdin or fdout led to failures.
Problem reported by Onur Sentürk.

The socket based mechanism for passing messages and signal information
from signal handler to process could reach and kill the wrong process.
Introduces functions diag_sock_pair(), diag_fork()
Thanks to Darren Zhao for analysing and reporting this problem.

Option ipv6-join-group did not work because it was applied in the wrong
Test: UDP6MULTICAST_UNIDIR
Thanks to Angus Gratton for sending a patch.

Setting ispeed and ospeed failed for some serial devices because the
two settings were applied with two different get/set cycles. Thanks to
Alexandre Fenyo for providing an initial patch.
However, the actual fix is part of a conceptual change of the termios
module that aims for applying all changes in a single tcsetattr call.
Fixes FreeBSD Bug 198441

Termios options TAB0,TAB1,TAB2,TAB3, and XTABS did not have an effect.
Thanks to Alan Walters for reporting this bug.

Substituted cumbersome ISPEED_OFFSET mechanism for cfsetispeed() calls

With TCP6-LISTEN and the other passive IPv6 addresses the range option
just failed: due to a bug in the syntax parser and two more bugs in
the xiocheckrange_ip6() function.
The syntax has now been changed from "[::1/128]" to "[::1]/128"!
Thanks Leah Neukirchen for sending an initial fix.

For name resolution Socat only checked the first character of the host
name to decide if it is an IPv4 address. This was not RFC conformant. This
fix removes the possibility for use of IPv4 addresses with IPv6, e.g.
Thanks to Nicolas Fournil for reporting this issue.

Print a useful error message when single character options appear to be
merged in Socat invocation
Test: SOCCAT_OPT_HINT

Fixed some docu typos.
Thanks to Travis Wellman, Thomas <tjps636>, Dan Kenigsberg,
Julian Zinn, and Simon Matter

OpenSSL functions TLS1_client_method() and similar are
deprecated. Socat now uses recommended TLS_client_method(). The old
functions and dependent option openssl-method can still be
used when configuring socat with --enable-openssl-method

Shell scripts in socat distribution are now headed with:
to make them better portable to systems without /bin/bash
Thanks to Maya Rashish for sending a patch

RES_AAONLY, RES_PRIMARY are deprecated. You can still enable them with
configure option --enable-res-deprecated.

New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat.
Solution: clear SSL_MODE_AUTO_RETRY when it is set.

Renamed configure.in to configure.ac and set an appropriate symlink for
Related Gentoo bug 426262: Warning on configure.in
Thanks to Francesco Turco for reporting that warning.

Fixed new IPv6 range code for platforms without s6_addr32 component.

test.sh: Show a warning when phase-1 (insecure phase) of a security

OpenSSL tests failed on actual Linux distributions. Measures:
Increased key lengths from 768 to 1024 bits
Added test.sh option -C to delete temp certs from previous runs
Provide DH-parameter in certificate in PEM
OpenSSL s_server option -verify 0 must be omitted
OpenSSL authentication method aNULL no longer works
Failure of cipher aNULL is not a failure
Failure of methods SSL3 and SSL23 is desired

test.sh depended on ifconfig and netstat utilities which are no longer
available in some distributions. test.sh now checks for and prefers
Thanks to Ruediger Meier for reporting this problem.

More corrections to test.sh:
Language settings could still influence test results
netstat was still required
Suppress usleep deprecated message
Force use of IPv4 with some certificates
Set timeout for UDPxMAXCHILDREN tests

Added missing Config/Makefile.DragonFly-2-8-2,
Config/config.DragonFly-2-8-2.h
Removed testcert.conf (to be generated by test.sh)

Simplified handling of missing termios defines.

Permit combined -d options as -dd etc.

####################### V 1.7.3.2:

SIGSEGV and other signals could lead to a 100% CPU loop

Failing name resolution could lead to SIGSEGV
Thanks to Max for reporting this issue.

Include <stddef.h> for ptrdiff_t
Thanks to Jeroen Roovers for reporting this issue.

Building with --disable-sycls failed due to missing sslcls.h defines

Socat hung when configured with --disable-sycls.

Some minor corrections with includes etc.

Option so-reuseport did not work. Thanks to Some Raghavendra Prabhu

Programs invoked with EXEC, nofork, and -u or -U had stdin and stdout
Test: EXEC_NOFORK_UNIDIR
Thanks to David Reiss for reporting this problem.

Socat exited with status 0 even when a program invoked with SYSTEM or
Tests: SYSTEM_RC EXEC_RC
Issue reported by Felix Winkelmann.

AddressSanitizer reported a few buffer overflows (false positives).
Nevertheless fixed Socat source.
Issue reported by Hanno Böck.

Socat did not use option ipv6-join-group.
Test: USE_IPV6_JOIN_GROUP
Thanks to Linus Lüssing for sending a patch.

UDP-LISTEN did not honor the max-children option.
Test: UDP4MAXCHILDREN UDP6MAXCHILDREN
Thanks to Leander Berwers for reporting this issue.

Options so-rcvtimeo and so-sndtimeo do not work with poll()/select()
and therefore were useless.
Thanks to Steve Borenstein for reporting this issue.

Option dhparam was documented as dhparams. Added the alias name
dhparams to fix this.
Thanks to Alexander Neumann for sending a patch.

Options shut-down and shut-close did not work.
Thanks to Stefan Schimanski for providing a patch.

There was a bug in printing readline log message caused by a misleading
Thanks to Paul Wouters for reporting.

The internal vsnprintf_r function looped or crashed on size parameter
with hexadecimal output.

Ignore exit code of child process when it was killed by master due to

Corrected byte order on read of IPV6_TCLASS value from ancillary

Fixed type of the bool element in options. This bug had caused failures
e.g. of ignoreeof on big-endian systems when bool was not based on int.

On systems with predefined bool type whose size differs from int some
IPv6 and TCP options (per setsockopt()) failed.

Length of integral data in ancillary messages varies (TOS: 1 byte,
TTL: 4 bytes), the old implementation failed for TTL on big-endian

Fixed an issue in options processing: TUN and DNS flags had failed on
big-endian systems and the NO- forms had probably never worked.

Type conflict between int and sig_atomic_t between declaration and
definition of diag_immediate_type and diag_immediate_exit broke
compilation on FreeBSD 10.1 with clang. Thanks to Emanuel Haupt for

Socat failed to compile on platforms with OpenSSL without
DTLSv1_client_method or DTLSv1_server_method.
Thanks to Simon Matter for sending a patch.

NuttX OS headers do not provide struct ip, thus socat did not compile.
Made struct ip subject to configure.
Thanks to SP for reporting this issue.

Socat failed to compile with OpenSSL version 1.0.2d where
SSLv3_server_method and SSLv3_client_method are no longer defined.
Thanks to Mischa ter Smitten for reporting this issue and providing

configure checked for OpenSSL EC_KEY assuming it is a define but it
is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
Thanks to Andrey Arapov for reporting this bug.

Changes to make socat compile with OpenSSL 1.1.
Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
providing the base patch.

Make Socat compatible with BoringSSL.
Thanks to Matt Braithwaite for providing a patch.

OpenSSL: Use RAND_status to determine PRNG state
Thanks to Adam Langley for providing a patch

AIX-7 uses an extended O_ACCMODE that does not fit socat's internal
requirements. Thanks to Garrick Trowsdale for providing a patch

LibreSSL support: check for OPENSSL_NO_COMP
Thanks to Bernard Spil for providing a patch

socks4echo.sh and socks4a-echo.sh hung with new bash with read -n

test.sh: stderr; option -v (verbose); FDOUT_ERROR description

improved proxy.sh - it now also takes hostnames

A few corrections in test.sh

DTLS1 test hangs on some distributions. Test is now only performed
with OpenSSL 1.0.2 or higher.

More corrections to test.sh that reveal a mistake with IPV6_TCLASS

Corrected source of socat man page to correctly show man references
like socket(2); removed obsolete entries from See Also

Docu and some comments mentioned addresses SSL-LISTEN and SSL-CONNECT
that do not exist (OPENSSL-LISTEN, SSL-L; and OPENSSL-CONNECT, SSL
Thanks to Zhigang Wang for reporting this issue.

Fixed a couple of English spelling and grammar mistakes.
Thanks to Jakub Wild for sending the patches.

NOEXPAND() was not resolved 2 times.

More minor docu corrections

Added contributors to copyright notices. Suggested by Matt Braithwaite.

####################### V 1.7.3.1:

Socat security advisory 8
A stack overflow vulnerability was found that can be triggered when
command line arguments (complete address specifications, host names,
file names) are longer than 512 bytes.
Successful exploitation might allow an attacker to execute arbitrary
code with the privileges of the socat process.
This vulnerability can only be exploited when an attacker is able to
inject data into socat's command line.
A vulnerable scenario would be a CGI script that reads data from clients
and uses (parts of) this data as hostname for a Socat invocation.
Credits to Takumi Akiyama for finding and reporting this issue.

Socat security advisory 7
In the OpenSSL address implementation the hard coded 1024 bit DH p
parameter was not prime. The effective cryptographic strength of a key
exchange using these parameters was weaker than what one could get by
using a prime p. Moreover, since there is no indication of how these
parameters were chosen, the existence of a trapdoor that makes it possible
for an eavesdropper to recover the shared secret from a key exchange
that uses them cannot be ruled out.
Furthermore, 1024 bit is not considered sufficiently secure.
Fix: generated a new 2048 bit prime.
Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
Research (MSVR) for finding and reporting this issue.

####################### V 1.7.3.0:

Socat security advisory 6
CVE-2015-1379: Possible DoS with fork
Fixed problems with signal handling caused by use of non-async-signal-safe
functions in signal handlers that could freeze socat, allowing
denial of service attacks.
Many changes in signal handling and the diagnostic messages system were
applied to make the code async signal safe but still provide detailed
logging from signal handlers:
Coded function vsnprintf_r() as async signal safe incomplete substitute
Coded function snprinterr() to replace %m in strings with a system error
Instead of gettimeofday() use clock_gettime() when available
Pass diagnostic messages from signal handler per unix socket to the main
Use sigaction() instead of signal() for better control
Turn off nested signal handler invocations
Thanks to Peter Lobsinger for reporting and explaining this issue.

Red Hat issue 1019975: add TLS host name checks
OpenSSL client checks if the server certificate's names in
extensions/subjectAltName/DNS or in subject/commonName match the name
used to connect or the value of the openssl-commonname option.
Test: OPENSSL_CN_CLIENT_SECURITY

OpenSSL server checks if the client certificate's names in
extensions/subjectAltNames/DNS or subject/commonName match the value of
the openssl-commonname option when it is used.
Test: OPENSSL_CN_SERVER_SECURITY

Red Hat issue 1019964: socat now uses the system certificate store with
OPENSSL when neither options cafile nor capath are used

Red Hat issue 1019972: needs to specify OpenSSL cipher suites
Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
prevent downgrade attacks

OpenSSL addresses set a couple of environment variables from values in
peer certificate, e.g.:
SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER,
SOCAT_OPENSSL_X509_COMMONNAME,
SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS
Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_*

Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1
Tests: OPENSSL_METHOD_*

Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested

Added a new option termios-rawer for ptys.
Thanks to Christian Vogelgsang for pointing me to this requirement

Bind with ABSTRACT commands used non-abstract namespace (Linux).
Thanks to Denis Shatov for reporting this bug.

Fixed return value of nestlex()

Option ignoreeof on the right address hung.
Thanks to Franz Fasching for reporting this bug.

Address SYSTEM, when terminating, shut down its parent addresses,
e.g. an SSL connection which the parent assumed to still be active.
Test: SYSTEM_SHUTDOWN

Passive (listening or receiving) addresses with empty port field bound
to a random port instead of terminating with error.

configure with some combination of disable options produced config
files that failed to compile due to missing IPPROTO_TCP.
Thanks to Thierry Fournier for report and patch.

fixed a few minor bugs with OpenSSL in configure and with messages

Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime
is required. Thanks to Zhigang Wang for reporting and sending a patch.

Christophe Leroy provided a patch that fixes memory leaks reported by

Help for filan -L was bad, is now corrected to:
"follow symbolic links instead of showing their properties"

Address options fdin and fdout were silently ignored when not applicable
due to -u or -U option. Now these combinations are caught as errors.
Issue reported by Hendrik.

Added option termios-cfmakeraw that calls cfmakeraw() and is preferred
over option raw which is now obsolete. On SysV systems this call is
simulated by appropriate setting.
Thanks to Youfu Zhang for reporting issue with option raw.

Socat included <sys/poll.h> instead of POSIX <poll.h>
Thanks to John Spencer for reporting this issue.

Version 1.7.2.4 changed the check for gcc in configure.ac; this
broke cross compiling. The particular check gets reverted.
Thanks to Ross Burton and Danomi Manchego for reporting this issue.

Debian Bug#764251: Set the build timestamp to a deterministic time:
support external BUILD_DATE env var to allow to build reproducible

Joachim Fenkes provided a new adapted spec file.

Type bool and macros Min and Max are defined by socat which led to
compile errors when they were already provided by build framework.
Thanks to Liyu Liu for providing a patch.

David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h
support and appropriate files in Config/

Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h

Changes for Openindiana: define _XPG4_2, __EXTENSIONS__,
_POSIX_PTHREAD_SEMANTICS; and minor changes

Red Hat issue 1182005: socat 1.7.2.4 build failure missing

Socat failed to compile on PPC due to new requirements for
including <linux/errqueue.h> and a weakness in the conditional code.
Thanks to Michel Normand for reporting this issue.

In the man page the PTY example was badly formatted. Thanks to
J.F.Sebastian for sending a patch.

Added missing CVE ids to security issues in CHANGES

Do not distribute testcert.conf with socat source but generate it
(and new testcert6.conf) during test.sh run.

####################### V 1.7.2.4:

LISTEN based addresses applied some address options, e.g. so-keepalive,
to the listening file descriptor instead of the connected file
Thanks to Ulises Alonso for reporting this bug

make failed after configure with non gcc compiler due to missing
include. Thanks to Horacio Mijail for reporting this problem

configure checked for --disable-rawsocket but printed
--disable-genericsocket in the help text. Thanks to Ben Gardiner for
reporting and patching this bug

In xioshutdown() a wrong branch was chosen after RECVFROM type addresses.
Thanks to David Binderman for reporting this issue.

procan could not cleanly format ulimit values longer than 16 decimal
digits. Thanks to Frank Dana for providing a patch that increases field

OPENSSL-CONNECT with bind option failed on some systems, e.g. FreeBSD, with
Thanks to Emile den Tex for reporting this bug.

Changed some variable definitions to make gcc -O2 aliasing checker happy
Thanks to Ilya Gordeev for reporting these warnings

On big endian platforms with type long >32bit the range option applied a
bad base address. Thanks to hejia hejia for reporting and fixing this bug.

Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()

Red Hat issue 1022063: out-of-range shifts on net mask bits

Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()

Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()

Red Hat issue 1021958: fixed a bug with faulty buffer/data length
calculation in xio-ascii.c:_xiodump()

Red Hat issue 1021972: fixed a missing NUL termination in return string
of sysutils.c:sockaddr_info() for the AF_UNIX case

fixed some typos and minor issues, including:
Red Hat issue 1021967: formatting error in manual page

UNIX-LISTEN with fork option did not remove the socket file system entry
when exiting. Other file system based passive address types had similar
issues or failed to apply options umask, user e.a.
Thanks to Lorenzo Monti for pointing me to this issue

Red Hat issue 1020203: configure checks fail with some compilers.

Performed changes for Fedora release 19

Adapted, improved test.sh script

Red Hat issue 1021429: getgroupent fails with large number of groups;
use getgrouplist() when available instead of sequence of calls to

Red Hat issue 1021948: snprintf API change;
Implemented xio_snprintf() function as wrapper that tries to emulate C99
behaviour on old glibc systems, and adapted all affected calls

Mike Frysinger provided a patch that supports long long for time_t,
socklen_t and a few other libc types.

Artem Mygaiev extended Cedril Priscal's Android build script with pty code

The check for fips.h required stddef.h
Thanks to Matt Hilt for reporting this issue and sending a patch

Check for linux/errqueue.h failed on some systems due to lack of
linux/types.h inclusion. Thanks to Michael Vastola for sending a patch.

autoconf now prefers configure.ac over configure.in
Thanks to Michael Vastola for sending a patch.

type of struct cmsghdr.cmsg is system dependent, determine it with
configure; some more print format corrections

libwrap always logs to syslog

added actual text version of GPLv2

####################### V 1.7.2.3:

Socat security advisory 5
CVE-2014-0019: socat's PROXY-CONNECT address was vulnerable to a buffer
overflow with data from command line (see socat-secadv5.txt)
Credits to Florian Weimer of the Red Hat Product Security Team

####################### V 1.7.2.2:

Socat security advisory 4
after refusing a client connection due to bad source address or source
port socat shutdown() the socket but did not close() it, resulting in
a file descriptor leak in the listening process, visible with lsof and
possibly resulting in EMFILE Too many open files. This issue could be
misused for a denial of service attack.
Full credits to Catalin Mitrofan for finding and reporting this issue.
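
The descriptor leak described in advisory 4, reproduced in an added C example that counts open descriptors after a series of refused connections. This is not socat's code; the function names are hypothetical and a socketpair() stands in for each accepted client connection.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Count descriptors currently open in [0, limit). */
int count_open_fds(int limit)
{
    int fd, n = 0;

    for (fd = 0; fd < limit; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Behaviour described in the advisory: the connection is shut down,
 * but the descriptor stays allocated in the listening process. */
void reject_leaky(int fd)
{
    shutdown(fd, SHUT_RDWR);
}

/* Corrected behaviour: shutdown() ends the connection, close()
 * releases the descriptor table entry. */
void reject_fixed(int fd)
{
    shutdown(fd, SHUT_RDWR);
    close(fd);
}

/* Simulate `rounds` refused clients. Each round creates a connected
 * pair in place of accept(); the peer end is closed as a remote client
 * would go away. Returns how many descriptors remain open beyond the
 * count taken before the first round. */
int leaked_after(int rounds, void (*reject)(int))
{
    int before = count_open_fds(1024);
    int sv[2];
    int i;

    for (i = 0; i < rounds; i++) {
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
            break;             /* with enough rounds the leaky variant ends here (EMFILE) */
        close(sv[1]);          /* client side disappears */
        reject(sv[0]);         /* server refuses the connection */
    }
    return count_open_fds(1024) - before;
}

int main(void)
{
    printf("leaky: %d descriptors left open\n", leaked_after(50, reject_leaky));
    printf("fixed: %d descriptors left open\n", leaked_after(50, reject_fixed));
    return 0;
}
```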

####################### V 1.7.2.1:

Socat security advisory 3
fixed a possible heap buffer overflow in the readline address. This bug
could be exploited when all of the following conditions were met:
1) one of the addresses is READLINE without the noprompt and without the
2) the other (almost arbitrary address) reads malicious data (which is
then transferred by socat to READLINE).
Workaround: when using the READLINE address apply option prompt or
Full credits to Johan Thillemann for finding and reporting this issue.

####################### V 1.7.2.0:

when UNIX-LISTEN was applied to an existing file it failed as expected
but removed the file. Thanks to Bjoern Bosselmann for reporting this

fixed a bug where socat might crash when connecting to a unix domain
socket using address GOPEN. Thanks to Martin Forssen for bug report and

UDP-LISTEN would always set SO_REUSEADDR even without fork option and
when user set it to 0. Thanks to Michal Svoboda for reporting this bug.

UNIX-CONNECT did not support half-close. Thanks to Greg Hughes who
pointed me to that bug

TCP-CONNECT with option nonblock reported successful connect even when

address option ioctl-intp failed with "unimplemented type 26". Thanks
to Jeremy W. Sherman for reporting and fixing that bug

socat option -x did not print packet direction, timestamp etc; thanks
to Anthony Sharobaiko for sending a patch

address PTY does not take any parameters but did not report an error

Marcus Meissner provided a patch that fixes invalid output and possible
process crash when socat prints info about an unnamed unix domain

Michal Soltys reported the following problem and provided an initial
patch: when socat was interrupted, e.g. by SIGSTOP, and resumed during
data transfer only parts of the data might have been written.

Option o-nonblock in combination with large transfer block sizes
may result in partial writes and/or EAGAIN errors that were not handled
properly but resulted in data loss or process termination.

Fixed a bug that could freeze socat when during assembly of a log
message a signal was handled that also printed a log message. socat
development had been aware that localtime() is not thread safe but had
only expected broken messages, not corrupted stack (glibc 2.11.1,

an internal store for child pids was susceptible to pid reuse which
could lead to sporadic data loss when both fork option and exec address
were used. Thanks to Tetsuya Sodo for reporting this problem and

OpenSSL server failed with "no shared cipher" when using cipher aNULL.
Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
for drawing my attention to this issue.

UDP-LISTEN slept 1s after accepting a connection. This is not required.
Thanks to Peter Valdemar Morch for reporting this issue

fixed a bug that could lead to error or socat crash after a client
connection with option retry had been established

fixed configure.in bug on net/if.h check that caused IF_NAMESIZE to be

improved dev_t print format definition

Cedril Priscal ported socat to Android (using Google's cross compiler).
The port includes the socat_buildscript_for_android.sh script

added check for component ipi_spec_dst in struct in_pktinfo so
compilation does not fail on Cygwin (thanks to Peter Wagemans for
reporting this problem)

build failed on RHEL6 due to presence of fips.h; configure now checks
for fipsld too. Thanks to Andreas Gruenbacher for reporting this

check for netinet6/in6.h only when IPv6 is available and enabled

don't fail to compile when the following defines are missing:
IPV6_PKTINFO IPV6_RTHDR IPV6_DSTOPTS IPV6_HOPOPTS IPV6_HOPLIMIT
Thanks to Jerry Jacobs for reporting this problem (Mac OS X Lion 10.7)

check if define __APPLE_USE_RFC_2292 helps to enable IPV6_* (MacOSX
Lion 7.1); thanks to Jerry Jacobs for reporting this problem and

fixed compiler warnings on Mac OS X 64bit. Thanks to Guy Harris for

corrections for OpenEmbedded, especially termios SHIFT values and
ISPEED/OSPEED. Thanks to John Faith for providing the patch

minor corrections to docu and test.sh resulting from local compilation

fixed sa_family_t compile error on DragonFly. Thanks to Tony Young for
reporting this issue and sending a patch.

Ubuntu Oneiric: OpenSSL no longer provides SSLv2 functions; libutil.sh
is now bsd/libutil.h; compiler warns on vars that are only written to

added option max-children that limits the number of concurrent child
processes. Thanks to Sam Liddicott for providing the patch.

Till Maas added support for tun/tap addresses without IP address

added an option openssl-compress that allows to disable the compression
feature of newer OpenSSL versions. Thanks to Michael Hanselmann for
providing this contribution (sponsored by Google Inc.)

minor corrections in docu (thanks to Paggas)

client process -> child process

####################### V 1.7.1.3:

Socat security advisory 2
fixed a stack overflow vulnerability that occurred when command
line arguments (whole addresses, host names, file names) were longer
Note that this could only be exploited when an attacker was able to
inject data into socat's command line.
Full credits to Felix Gröbert, Google Security Team, for finding and

####################### V 1.7.1.2:

user-late and group-late, when applied to a pty, affected the system
device /dev/ptmx instead of the pty (thanks to Matthew Cloke for
pointing me to this bug)

socat's openssl addresses failed with "nonblocking operation did not
complete" when the peer performed a renegotiation. Thanks to Benjamin
Delpy for reporting this bug.

info message during socks connect showed bad port number on little
endian systems due to wrong byte order (thanks to Peter M. Galbavy for
bug report and patch)

Debian bug 531078: socat execs children with SIGCHLD ignored; corrected
to default. Thanks to Martin Dorey for reporting this bug.

building socat on systems that predefined the CFLAGS environment to
contain -Wall failed (esp. RedHat). Thanks to Paul Wouters for reporting
this problem and to Simon Matter for providing the patch

support for Solaris 8 and Sun Studio support (thanks to Sebastian
Kayser for providing the patches)

on some 64bit systems a compiler warning "cast from pointer to integer
of different size" was issued on some option definitions

added struct sockaddr_ll to union sockaddr_union to avoid "strict
aliasing" warnings (problem reported by Paul Wouters)

minor corrections in docu

####################### V 1.7.1.1:

corrected the "fixed possible SIGSEGV" fix because SIGSEGV still might
occur under those conditions. Thanks to Toni Mattila for first
reporting this problem.

ftruncate64 cut its argument to 32 bits on systems with 32 bit long type

socat crashed on systems without setenv() (esp. SunOS up to Solaris 9);
thanks to Todd Stansell for reporting this bug

with unidirectional EXEC and SYSTEM a close() operation was performed
on a random number which could result in hanging e.a.

fixed a compile problem caused by size_t/socklen_t mismatch on 64bit

docu mentioned option so-bindtodev but correct name is so-bindtodevice.
Thanks to Jim Zimmerman for reporting.

added environment variables example to doc/socat-multicast.html

####################### V 1.7.1.0:

address options shut-none, shut-down, and shut-close allow to control
socat's half close behaviour

with address option shut-null socat sends an empty packet to the peer

option null-eof changes the behaviour of sockets that receive an empty
packet to see EOF instead of ignoring it

introduced option names substuser-early and su-e, currently equivalent
to option substuser (thanks to Mike Perry for providing the patch)

fixed some typos and improved some comments

####################### V 1.7.0.1:

fixed possible SIGSEGV in listening addresses when a new connection was
reset by peer before the socket addresses could be retrieved. Thanks to
Mike Perry for sending a patch.

fixed a bug, introduced with version 1.7.0.0, that let client
connections with option connect-timeout fail when the connections
succeeded. Thanks to Bruno De Fraine for reporting this bug.

option end-close "did not apply" to addresses PTY, SOCKET-CONNECT,
and most UNIX-* and ABSTRACT-*

half close of EXEC and SYSTEM addresses did not work for pipes and

help displayed for some option a wrong type

under some circumstances shutdown was called multiple times for the
873 ####################### V 1.7.0.0:
876 new address types SCTP-CONNECT and SCTP-LISTEN implement SCTP stream
877 mode for IPv4 and IPv6; new address options sctp-maxseg and
878 sctp-nodelay (suggested by David A. Madore; thanks to Jonathan Brannan
879 for providing an initial patch)
881 new address "INTERFACE" for transparent network interface handling
882 (suggested by Stuart Nicholson)
884 added generic socket addresses: SOCKET-CONNECT, SOCKET-LISTEN,
885 SOCKET-SENDTO, SOCKET-RECVFROM, SOCKET-RECV, SOCKET-DATAGRAM allow
886 protocol independent socket handling; all parameters are explicitly
887 specified as numbers or hex data
889 added address options ioctl-void, ioctl-int, ioctl-intp, ioctl-string,
890 ioctl-bin for generic ioctl() calls.
892 added address options setsockopt-int, setsockopt-bin, and
893 setsockopt-string for generic setsockopt() calls
895 option so-type now only affects the socket() and socketpair() calls,
896 not the name resolution. so-type and so-prototype can now be applied to
897 all socket based addresses.
899 new address option "escape" allows breaking a socat instance even when
900 raw terminal mode prevents ^C etc. (feature suggested by Guido Trotter)
902 socat sets environment variables SOCAT_VERSION, SOCAT_PID, SOCAT_PPID
903 for use in executed scripts
905 socat sets environment variables SOCAT_SOCKADDR, SOCAT_SOCKPORT,
906 SOCAT_PEERADDR, SOCAT_PEERPORT in LISTEN type addresses (feature
907 suggested by Ed Sawicki)
909 socat receives all ancillary messages with each received packet on
910 datagram related addresses. The messages are logged in raw form with
911 debug level, and broken down with info level. note: each type of
912 ancillary message must be enabled by appropriate address options.
914 socat provides the contents of ancillary messages received on RECVFROM
915 addresses in appropriate environment variables:
916 SOCAT_TIMESTAMP, SOCAT_IP_DSTADDR, SOCAT_IP_IF, SOCAT_IP_LOCADDR,
917 SOCAT_IP_OPTIONS, SOCAT_IP_TOS, SOCAT_IP_TTL, SOCAT_IPV6_DSTADDR,
918 SOCAT_IPV6_HOPLIMIT, SOCAT_IPV6_TCLASS
920 the following address options were added to enable ancillary messages:
921 so-timestamp, ip-pktinfo (not BSD), ip-recvdstaddr (BSD), ip-recverr,
922 ip-recvif (BSD), ip-recvopts, ip-recvtos, ip-recvttl, ipv6-recvdstopts,
923 ipv6-recverr, ipv6-recvhoplimit, ipv6-recvhopopts, ipv6-recvpathmtu,
924 ipv6-recvpktinfo, ipv6-recvrthdr, ipv6-recvtclass
926 new address options ipv6-tclass and ipv6-unicast-hops set the related
929 STREAMS (UNIX System V STREAMS) can be configured with the new address
930 options i-pop-all and i-push (thanks to Michal Rysavy for providing a
934 some raw IP and UNIX datagram modes failed on BSD systems
936 when UDP-LISTEN continued to listen after packet dropped by, e.g.,
937 range option, the old listen socket would not be closed but a new one
938 created. open sockets could accumulate.
940 there was a bug in ip*-recv with bind option: it did not bind, and
941 with the first received packet an error occurred:
942 socket_init(): unknown address family 0
945 RECVFROM addresses with FORK option hung after processing the first
946 packet. test: UDP4RECVFROM_FORK
948 corrected a few mistakes that caused compiler warnings on 64bit hosts
949 (thanks to Jonathan Brannan et al. for providing a patch)
951 EXEC and SYSTEM with stderr injected socat messages into the data
952 stream. test: EXECSTDERRLOG
954 when the EXEC address got a string with consecutive spaces it created
955 additional empty arguments (thanks to Olivier Hervieu for reporting
956 this bug). test: EXECSPACES
958 in ignoreeof polling mode socat also blocked data transfer in the other
959 direction during the 1s wait intervals (thanks to Jorgen Cederlof for
962 corrected alphabetical order of options (proxy-auth)
964 some minor corrections
966 improved test.sh script: more stable timing, corrections for BSD
968 replaced the select() calls by poll() to cleanly fix the problems with
969 many file descriptors already open
971 socat option -lf did not log to file but to stderr
973 socat did not compile on Solaris when configured without termios
974 feature (thanks to Pavan Gadi for reporting this bug)
977 socat compiles and runs on AIX with gcc (thanks to Andi Mather for his
980 socat compiles and runs on Cygwin (thanks to Jan Just Keijser for his
983 socat compiles and runs on HP-UX with gcc (thanks to Michal Rysavy for
986 socat compiles and runs on MacOS X (thanks to Camillo Lugaresi for his
990 filan -s prefixes output with FD number if more than one FD
992 Makefile now supports datarootdir (thanks to Camillo Lugaresi for
995 cleanup in xio-unix.c
997 ####################### V 1.6.0.1:
1000 new make target "gitclean"
1002 docu source doc/socat.yo released
1005 exec:...,pty did not kill child process under some circumstances; fixed
1006 by correcting typo in xio-progcall.c (thanks to Ralph Forsythe for
1007 reporting this problem)
1009 service name resolution failed due to byte order mistake
1010 (thanks to James Sainsbury for reporting this problem)
1012 socat would hang when invoked with many file descriptors already opened
1013 fix: replaced FOPEN_MAX with FD_SETSIZE
1014 thanks to Daniel Lucq for reporting this problem.
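
The FOPEN_MAX to FD_SETSIZE fix above and the 1.7.0.0 switch from select() to poll() both deal with socat being started while many file descriptors are already open. The following C program is an added illustration, not socat's own code; all function names in it are hypothetical. It shows why select() has a hard descriptor limit (FD_SET() on a descriptor at or above FD_SETSIZE writes outside the fd_set) and why poll() does not.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* select() keeps one bit per descriptor in a fixed-size fd_set, so a
 * descriptor >= FD_SETSIZE must never be passed to FD_SET(). */
int fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* poll() takes the descriptor as a plain int and has no such limit.
 * Returns 1 if readable (or at EOF), 0 on timeout, -1 on error. */
int wait_readable(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc = poll(&pfd, 1, timeout_ms);
    if (rc <= 0)
        return rc;                      /* 0 = timeout, -1 = error */
    if (pfd.revents & POLLNVAL)
        return -1;                      /* descriptor is not open */
    return (pfd.revents & (POLLIN | POLLHUP | POLLERR)) ? 1 : 0;
}

/* select()-based variant for comparison: it has to refuse large descriptors
 * instead of corrupting memory next to the fd_set. */
int wait_readable_select(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    int rc;

    if (!fd_fits_select(fd))
        return -1;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    return rc > 0 ? 1 : rc;
}

/* Simulate "many file descriptors already open": duplicate fd to a number
 * at or above FD_SETSIZE, raising the soft limit when the hard limit allows.
 * Returns the new descriptor, or -1 if the environment does not permit it. */
int dup_above_select_limit(int fd)
{
    struct rlimit rl;
    rlim_t want = (rlim_t)FD_SETSIZE + 16;

    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur < want) {
        if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < want)
            return -1;
        rl.rlim_cur = want;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
            return -1;
    }
    return fcntl(fd, F_DUPFD, FD_SETSIZE);
}

int main(void)
{
    int p[2], hi;

    if (pipe(p) != 0 || write(p[1], "x", 1) != 1)
        return 1;
    hi = dup_above_select_limit(p[0]);
    printf("low fd %d: poll=%d select=%d\n", p[0],
           wait_readable(p[0], 100), wait_readable_select(p[0], 100));
    if (hi >= 0)
        printf("high fd %d: poll=%d select=%d (refused)\n", hi,
               wait_readable(hi, 100), wait_readable_select(hi, 100));
    return 0;
}
```
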
1016 fixed bugs where sub processes would become zombies because the master
1017 process did not catch SIGCHLD. this affected addresses UDP-LISTEN,
1018 UDP-CONNECT, TCP-CONNECT, OPENSSL, PROXY, UNIX-CONNECT, UNIX-CLIENT,
1019 ABSTRACT-CONNECT, ABSTRACT-CLIENT, SOCKSA, SOCKS4A
1020 (thanks to Fernanda G Weiden for reporting this problem)
1022 fixed a bug where sub processes would become zombies because the master
1023 process caught SIGCHLD but did not wait(). this affected addresses
1024 UDP-RECVFROM, IP-RECVFROM, UNIX-RECVFROM, ABSTRACT-RECVFROM
1025 (thanks to Evan Borgstrom for reporting this problem)
1027 corrected option handling with STDIO; usecase: cool-write
1029 configure --disable-pty also disabled option waitlock
1031 fixed small bugs on systems with struct ip_mreq without struct ip_mreqn
1032 (thanks to Roland Illig for sending a patch)
1034 corrected name of option intervall to interval (old form still valid
1035 for us German speaking guys)
1037 corrected some print statements and variable names
1039 make uninstall did not uninstall procan
1041 fixed lots of weaknesses in test.sh
1043 corrected some bugs and typos in doc/socat.yo, EXAMPLES, C comments
1046 procan -c prints C defines important for socat
1048 added test OPENSSLEOF for OpenSSL half close
1050 ####################### V 1.6.0.0:
1053 new addresses IP-DATAGRAM and UDP-DATAGRAM allow versatile broadcast
1056 new option ip-add-membership for control of multicast group membership
1058 new address TUN for generation of Linux TUN/TAP pseudo network
1059 interfaces (suggested by Mat Caughron); associated options tun-device,
1060 tun-name, tun-type; iff-up, iff-promisc, iff-noarp, iff-no-pi etc.
1062 new addresses ABSTRACT-CONNECT, ABSTRACT-LISTEN, ABSTRACT-SENDTO,
1063 ABSTRACT-RECV, and ABSTRACT-RECVFROM for abstract UNIX domain addresses
1064 on Linux (requested by Zeeshan Ali); option unix-tightsocklen controls
1065 socklen parameter on system calls.
1067 option end-close for control of connection closing allows FD sharing
1070 range option supports form address:mask with IPv4
1072 changed behaviour of OPENSSL-LISTEN to require and verify client
1073 certificate per default
1075 options f-setlkw-rd, f-setlkw-wr, f-setlk-rd, f-setlk-wr allow finer
1076 grained locking on regular files
1078 uninstall target in Makefile (lack reported by Zeeshan Ali)
1081 fixed bug where only first tcpwrap option was applied; fixed bug where
1082 tcpwrap IPv6 check always failed (thanks to Rudolf Cejka for reporting
1083 and fixing this bug)
1085 filan (and socat -D) could hang when a socket was involved
1087 corrected PTYs on HP-UX (and maybe others) using STREAMS (inspired by
1090 correct bind with udp6-listen (thanks to Jan Horak for reporting this
1093 corrected filan.c peekbuff[0] which did not compile with Sun Studio Pro
1094 (thanks to Leo Zhadanovsky for reporting this problem)
1096 corrected problem with read data buffered in OpenSSL layer (thanks to
1097 Jon Nelson for reporting this bug)
1099 corrected problem with option readbytes when input stream stayed idle
1102 fixed a bug where a datagram receiver with option fork could fork two
1103 sub processes per packet
1106 moved documentation to new doc/ subdir
1108 new documents (kind of mini tutorials) are provided in doc/
1110 ####################### V 1.5.0.0:
1113 new datagram modes for udp, rawip, unix domain sockets
1115 socat option -T specifies inactivity timeout
1117 rewrote lexical analysis to allow nested socat calls
1119 addresses tcp, udp, tcp-l, udp-l, and rawip now support IPv4 and IPv6
1121 socat options -4, -6 and environment variables SOCAT_DEFAULT_LISTEN_IP,
1122 SOCAT_PREFERRED_RESOLVE_IP for control of protocol selection
1124 addresses ssl, ssl-l, socks, proxy now support IPv4 and IPv6
1126 option protocol-family (pf), esp. for openssl-listen
1128 range option supports IPv6 - syntax: range=[::1/128]
1130 option ipv6-v6only (ipv6only)
1132 new tcp-wrappers options allow-table, deny-table, tcpwrap-etc
1134 FIPS version of OpenSSL can be integrated - initial patch provided by
1135 David Acker. See README.FIPS
1137 support for resolver options res-debug, aaonly, usevc, primary, igntc,
1138 recurse, defnames, stayopen, dnsrch
1140 options for file attributes on advanced filesystems (ext2, ext3,
1141 reiser): secrm, unrm, compr, ext2-sync, immutable, ext2-append, nodump,
1142 ext2-noatime, journal-data etc.
1144 option cool-write controls severity of write failure (EPIPE,
1149 socat option -lh for hostname in log output
1151 traffic dumping provides packet headers
1153 configure.in became part of distribution
1155 socat's unpack directory now has full version, e.g. socat-1.5.0.0/
1157 corrected docu of option verify
1160 fixed tcpwrappers integration - initial fix provided by Rudolf Cejka
1162 exec with pipes,stderr produced error
1164 setuid-early was ignored with many address types
1166 some minor corrections
1168 ####################### V 1.4.3.1:
1171 PROBLEM: UNIX socket listen accepted only one (or a few) connections.
1172 FIX: do not remove listening UNIX socket in child process
1174 PROBLEM: SIGSEGV when TCP part of SSL connect failed
1175 FIX: check ssl pointer before calling SSL_shutdown
1177 In debug mode, show connect client port even when connect fails
1179 ####################### V 1.4.3.0:
1182 socat options -L, -W for application level locking
1184 options "lockfile", "waitlock" for address level locking
1187 option "readbytes" limits read length (Adam Osuchowski)
1189 option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)
1191 pty symlink, unix listen socket, and named pipe are per default removed
1192 after use; option unlink-close overrides this new behaviour and also
1193 controls removal of other socat generated files (Stefan Luethje)
1196 option "retry" did not work with tcp-listen
1198 EPIPE condition could result in a 100% CPU loop
1201 support systems without SHUT_RD etc.
1202 handle more size_t types
1203 try to find makedepend options with gcc 3 (richard/OpenMacNews)
1205 ####################### V 1.4.2.0:
1208 option "connect-timeout" limits wait time for connect operations
1209 (requested by Giulio Orsero)
1211 option "dhparam" for explicit Diffie-Hellman parameter file
1214 support for OpenSSL DSA certificates (Miika Komu)
1216 create install directories before copying files (Miika Komu)
1218 when exiting on signal, return status 128+signum instead of 1
1220 on EPIPE and ECONNRESET, only issue a warning (Santiago Garcia
1223 -lu could cause a core dump on long messages
1226 modifications to simplify using socat's features in applications
1228 ####################### V 1.4.1.0:
1231 option "wait-slave" blocks open of pty master side until a client
1232 connects, "pty-intervall" controls polling
1234 option -h as synonym to -? for help (contributed by Christian
1237 filan prints formatted time stamps and rdev (disable with -r)
1239 redirect filan's output, so stdout is not affected (contributed by
1242 filan option -L to follow symbolic links
1244 filan shows termios control characters
1247 proxy address no longer performs unsolicited retries
1249 filan -f no longer needs read permission to analyze a file (but still
1250 needs access permission to directory, of course)
1254 FreeBSD options noopt, nopush, md5sig
1255 OpenBSD options sack-disable, signature-enable
1256 HP-UX, Solaris options abort-threshold, conn-abort-threshold
1257 HP-UX options b900, b3600, b7200
1258 Tru64/OSF1 options keepinit, paws, sackena, tsoptena
1260 further corrections:
1261 address pty now uses ptmx as default if openpty is also available
1263 ####################### V 1.4.0.3:
1266 Socat security advisory 1
1268 fix to a syslog() based format string vulnerability that can lead to
1269 remote code execution. See advisory socat-adv-1.txt
1271 ####################### V 1.4.0.2:
1274 exec'd write-only addresses get a chance to flush before being killed
1276 error handler: print notice on error-exit
1278 filan printed wrong file type information
1280 ####################### V 1.4.0.1:
1283 socks4a constructed invalid header. Problem found, reported, and fixed
1284 by Thomas Themel, by Peter Palfrader, and by rik
1286 with nofork, don't forget to apply some process related options
1287 (chroot, setsid, setpgid, ...)
1289 ####################### V 1.4.0.0:
1292 simple openssl server (ssl-l), experimental openssl trust
1294 new options "cafile", "capath", "key", "cert", "egd", and "pseudo" for
1297 new options "retry", "forever", and "intervall"
1299 option "fork" for address TCP improves 'gender changer'
1301 options "sigint", "sigquit", and "sighup" control passing of signals to
1302 sub process (thanks to David Shea who contributed to this issue)
1304 readline respects the prompt issued by the peer address
1306 options "prompt" and "noprompt" allow overriding readline's new
1309 readline supports invisible password with option "noecho"
1311 socat option -lp allows to set hostname in log output
1313 socat option -lu turns on microsecond resolution in log output
1317 before reading available data, check if writing on other channel is
1320 tcp6, udp6: support hostname specification (not only IP address), and
1321 map IP4 names to IP6 addresses
1323 openssl client checks server certificate per default
1325 support unidirectional communication with exec/system subprocess
1327 try to restore original terminal settings when terminating
1329 test.sh uses tmp dir /tmp/$USER/$$ instead of /tmp/$$
1331 socks4 failed on platforms where long does not have 32 bits
1332 (thanks to Peter Palfrader and Thomas Seyrat)
1334 hstrerror substitute wrote wrong messages (HP-UX, Solaris)
1336 proxy error message was truncated when answer contained multiple spaces
1340 compiles with AIX xlc, HP-UX cc, Tru64 cc (but might not link)
1342 ####################### V 1.3.2.2:
1345 PROXY CONNECT failed when the status reply from the proxy server
1346 contained more than one consecutive space. Problem reported by
1347 Alexandre Bezroutchko
1349 do not SIGSEGV when proxy address fails to resolve server name
1351 udp-listen failed on systems where AF_INET != SOCK_DGRAM (e.g. SunOS).
1352 Problem reported by Christoph Schittel
1354 test.sh only tests available features
1356 added missing IP and TCP options in filan analyzer
1358 do not apply stdio address options to both directions when in
1361 on systems lacking /dev/*random and egd, provide (weak) entropy from
1366 changes for HP-UX (VREPRINT, h_NETDB_INTERNAL)
1368 compiles on Tru64, FreeBSD (again), NetBSD, OpenBSD
1370 support for long long as st_ino type (Cygwin 1.5)
1372 compile on systems where pty can not be featured
1374 ####################### V 1.3.2.1:
1377 "final" solution for the ENOCHLD problem
1379 corrected "make strip"
1381 default gcc debug/opt is "-O" again
1383 check for /proc at runtime, even if configure found it
1385 src.rpm accidentally supported SuSE instead of RedHat
1387 ####################### V 1.3.2.0:
1390 option "nofork" connects an exec'd script or program directly
1391 to the file descriptors of the other address, circumventing the socat
1394 support for files >2GB, using ftruncate64(), lseek64(), stat64()
1396 filan has new "simple" output style (filan -s)
1400 options "binary" and "text" for controlling line termination on Cygwin
1401 file system access (hint from Yang Wu-Zhou)
1403 fix by Yang Wu-Zhou for the Cygwin "No Children" problem
1405 improved support for OSR: _SVID3; no IS_SOCK, no F_GETOWN (thanks to
1408 minor corrections to avoid warnings with gcc 3
1411 further corrections and minor improvements:
1412 configure script is generated with autoconf 2.57 (no longer 2.52)
1414 configure passes CFLAGS to Makefile
1416 option -??? for complete list of address options and their short forms
1418 program name in syslog messages is derived from argv[0]
1420 SIGHUP now prints notice instead of error
1422 EIO during read of pty now gives Notice instead of Error, and
1425 use of hstrerror() for printing resolver error messages
1427 setgrent() got required endgrent()
1429 ####################### V 1.3.1.0:
1432 integration of Wietse Venema's tcpwrapper library (libwrap)
1434 with "proxy" address, option "resolve" controls if hostname or IP
1435 address is sent in request
1437 option "lowport" establishes limited authorization for TCP and UDP
1440 improvement of .spec file for RPM creation (thanks to Gerd v. Egidy)
1441 An accompanying change in the numbering scheme results in an
1442 incompatibility with earlier socat RPMs!
1445 solved problems and bugs:
1446 PROBLEM: socat daemon terminated when the address of a connecting
1447 client did not match range option value instead of continuing to listen
1448 SOLVED: in this case, print warning instead of error to keep daemon
1451 PROBLEM: tcp-listen with fork sometimes left excessive number of zombie
1453 SOLVED: don't assume that each exiting child process generates SIGCHLD
1455 when converting CRNL to CR, socat converted to NL
1458 further corrections:
1459 configure script now disables features that depend on missing files
1460 making it more robust in "unsupported" environments
1462 server.pem permissions corrected to 600
1464 "make install" now does not strip; use "make strip; make install"
1465 if you like strip (suggested by Peter Bray)
1467 ####################### V 1.3.0.1:
1469 solved problems and bugs:
1470 PROBLEM: OPENSSL did not apply tcp, ip, and socket options
1471 SOLVED: OPENSSL now correctly handles the options list
1473 PROBLEM: CRNL to NL and CRNL to CR conversions failed when CRNL crossed
1475 SOLVED: these conversions now simply strip all CR's or NL's from input
1480 SunOS ptys now work on x86, too (thanks to Peter Bray)
1482 configure looks for freeware libs in /pkgs/lib/ (thanks to Peter Bray)
1485 further corrections:
1486 added WITH_PROXY value to -V output
1488 added compile dependencies of WITH_PTY and WITH_PROXY
1490 -?? did not print option group of proxy options
1492 corrected syntax for bind option in docu
1494 corrected an issue with stdio in unidirectional mode
1496 options socksport and proxyport support service names
1498 ftp.sh script supports proxy address
1500 man page no longer installed with execute permissions (thanks to Peter
1503 fixed a malloc call bug that could cause SIGSEGV or false "out of
1504 memory" errors on EXEC and SYSTEM, depending on program name length and
1507 ####################### V 1.3.0.0:
1510 proxy connect with optional proxy authentication
1512 combined hex and text dump mode, credits to Gregory Margo
1514 address pty applies options user, group, and perm to device
1517 solved problems and bugs:
1518 PROBLEM: option reuseport was not applied (BSD, AIX)
1519 SOLVED: option reuseport now in phase PASTSOCKET instead of PREBIND,
1520 credits to Jean-Baptiste Marchand
1522 PROBLEM: ignoreeof with stdio was ignored
1523 SOLVED: ignoreeof now works correctly with address stdio
1525 PROBLEM: ftp.sh did not use user supplied password
1526 SOLVED: ftp.sh now correctly passes password from command line
1528 PROBLEM: server.pem had expired
1529 SOLVED: new server.pem valid for ten years
1531 PROBLEM: socks notice printed wrong port on some platforms
1532 SOLVED: socks now uses correct byte-order for port number in notice
1535 further corrections:
1536 option name o_trunc corrected to o-trunc
1538 combined use of -u and -U is now detected and prevented
1540 made message system a little more robust against format string attacks
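
The note above and the 1.4.0.3 entry ("fix to a syslog() based format string vulnerability") concern the same bug class: a log message that already contains peer-supplied text is handed to a printf-family function as its format. The following C program is an added illustration, not socat's own code; log_msg() and live_directives() are hypothetical names and the peer string is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define MSG_MAX 512

/* Count conversion specifications ('%' not followed by '%') that a
 * printf-family function would act on if `s` were used as its format. */
int live_directives(const char *s)
{
    int n = 0;
    while (*s) {
        if (s[0] == '%' && s[1] == '%') { s += 2; continue; }
        if (s[0] == '%' && s[1] != '\0') n++;
        s++;
    }
    return n;
}

/* Message function in the style of a logging layer: `fmt` is a constant
 * chosen by the program, the arguments may carry peer-controlled bytes.
 * The format attribute lets the compiler check callers' arguments. */
#if defined(__GNUC__)
__attribute__((format(printf, 4, 5)))
#endif
int log_msg(int prio, char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = vsnprintf(out, outlen, fmt, ap);  /* expand exactly once, bounded */
    va_end(ap);
    if (len < 0)
        return -1;

    /* Vulnerable form of the next call:   syslog(prio, out);
     * `out` now holds peer data, and syslog() would parse it as a format
     * a second time, reading (or with %n writing) through bogus arguments. */
    syslog(prio, "%s", out);                /* hardened: message is pure data */
    return len;
}

int main(void)
{
    char buf[MSG_MAX];
    const char *peer = "host%s%x";          /* constructed peer-supplied text */

    log_msg(LOG_NOTICE, buf, sizeof buf, "connect from %s", peer);
    printf("%s (%zu bytes, %d directives if reused as a format)\n",
           buf, strlen(buf), live_directives(buf));
    return 0;
}
```

Building with -Wformat -Wformat-security makes gcc and clang flag the vulnerable call form at compile time.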
1543 ####################### V 1.2.0.0:
1546 address pty for putting socat behind a new pseudo terminal that may
1547 fake a serial line, modem etc.
1549 experimental openssl integration
1550 (it does not provide any trust between the peers because it does not
1551 check certificates!)
1553 options flock-ex, flock-ex-nb, flock-sh, flock-sh-nb to control all
1554 locking mechanism provided by flock()
1556 options setsid and setpgid now available with all address types
1558 option ctty (controlling terminal) now available for all TERMIOS
1561 option truncate (a hybrid of open(.., O_TRUNC) and ftruncate()) is
1562 replaced by options o-trunc and ftruncate=offset
1564 option sourceport now available with TCP and UDP listen addresses to
1565 restrict incoming client connections
1567 unidirectional mode right-to-left (-U)
1570 solved problems and bugs:
1571 PROBLEM: addresses without required parameters but an option containing
1572 a '/' were incorrectly interpreted as implicit GOPEN address
1573 SOLVED: if an address does not have ':' separator but contains '/',
1574 check if the slash is before the first ',' before assuming
1579 ptys under SunOS work now due to use of stream options
1582 further corrections:
1583 with -d -d -d -d -D, don't print debug info during file analysis
1586 ####################### V 1.1.0.1:
1589 .spec file for RPM generation
1592 solved problems and bugs:
1593 PROBLEM: GOPEN on socket did not apply option unlink-late
1594 SOLUTION: GOPEN for socket now applies group NAMED, phase PASTOPEN
1597 PROBLEM: with unidirectional mode, an unnecessary close timeout was
1599 SOLUTION: in unidirectional mode, terminate without wait time
1601 PROBLEM: using GOPEN on a unix domain socket failed for datagram
1603 SOLUTION: when connect() fails with EPROTOTYPE, use a datagram socket
1606 further corrections:
1608 open() flag options had names starting with "o_", now corrected to "o-"
1610 in docu, *-listen addresses were called *_listen
1612 address unix now called unix-connect because it does not handle unix
1615 in test.sh, apply global command line options with all tests
1618 ####################### V 1.1.0.0:
1621 regular man page and html doc - thanks to kromJx for prototype
1623 new address type "readline", utilizing GNU readline and history libs
1625 address option "history-file" for readline
1627 new option "dash" to "exec" address that allows starting login shells
1629 syslog facility can be set per command line option
1631 new address option "tcp-quickack", found in Linux 2.4
1633 option -g prevents option group checking
1635 filan and procan can print usage
1637 procan prints rlimit infos
1640 solved problems and bugs:
1641 PROBLEM: raw IP socket SIGSEGV'ed when it had been shut down.
1642 SOLVED: set eof flag of channel on shutdown.
1644 PROBLEM: if channel 2 uses a single non-socket FD in bidirectional mode
1645 and has data available while channel 1 reaches EOF, the data is
1647 SOLVED: during one loop run, first handle all data transfers and
1648 _afterwards_ handle EOF.
1650 PROBLEM: despite option NONBLOCK, the connect() call blocked
1651 SOLVED: option NONBLOCK is now applied in phase FD instead of LATE
1653 PROBLEM: UNLINK options issued error when file did not exist,
1655 SOLVED: failure of unlink() is only warning if errno==ENOENT
1657 PROBLEM: TCP6-LISTEN required numeric port specification
1658 SOLVED: now uses common TCP service resolver
1660 PROBLEM: with PIPE, wrong FDs were shown for data transfer loop
1661 SOLVED: retrieval of FDs now respects PIPE peculiarities
1663 PROBLEM: using address EXEC against an address with IGNOREEOF, socat
1665 SOLVED: corrected EOF handling of sigchld
1669 MacOS and old AIX versions now have pty
1671 flock() now available on Linux (configure check was wrong)
1673 named pipes were generated using mknod(), which requires root under BSD
1674 now they are generated using mkfifo
1677 further corrections:
1678 lots of address options that were "forgotten" at runtime are now
1681 option BINDTODEVICE now also called SO-BINDTODEVICE, IF
1683 "make install" now installs binaries with ownership 0:0
1686 ####################### V 1.0.4.2:
1688 solved problems and bugs:
1689 PROBLEM: EOF of one stream caused close of other stream, giving it no
1690 chance to go down regularly
1691 SOLVED: EOF of one stream now causes shutdown of write part of other
1694 PROBLEM: sending mail via socks address to qmail showed that crlf
1695 option does not work
1696 SOLVED: socks address applies PH_LATE options
1698 PROBLEM: in debug mode, no info about socat and platform was issued
1699 SOLVED: print socat version and uname output in debug mode
1701 PROBLEM: invoking socat with -t and no following parameters caused
1703 SOLVED: -t and -b now check next argv entry
1705 PROBLEM: when opening of logfile (-lf) failed, no error was reported
1706 and no further messages were printed
1707 SOLVED: check result of fopen and print error message if it failed
1710 address type UDP-LISTEN now supports option fork: it internally applies
1711 socket option SO_REUSEADDR so a new UDP socket can bind to port after
1712 'accepting' a connection (child processes might live forever though)
1713 (suggestion from Damjan Lango)
1716 ####################### V 1.0.4.1:
1718 solved problems and bugs:
1719 PROB: assert in libc caused an endless recursion
1720 SOLVED: no longer catch SIGABRT
1722 PROB: socat printed wrong verbose prefix for "right to left" packets
1723 SOLVED: new parameter for xiotransfer() passes correct prefix
1726 in debug mode, socat prints its command line arguments
1727 in verbose mode, escape special characters and replace unprintables
1728 with '.'. Patch from Adrian Thurston.
1731 ####################### V 1.0.4.0:
1733 solved problems and bugs:
1734 Debug output for lstat and fstat said "stat"
1736 further corrections:
1737 FreeBSD now includes libutil.h
1740 option setsid with exec/pty
1741 option setpgid with exec/pty
1742 option ctty with exec/pty
1744 gettimeofday in sycls.c (no use yet)
1747 before Gethostbyname, invoke inet_aton for MacOSX
1750 ####################### V 1.0.3.0:
1752 solved problems and bugs:
1754 PROB: test 9 of test.sh (echo via file) failed on some platforms,
1755 socat exited without error message
1756 SOLVED: _xioopen_named_early(): preset statbuf.st_mode with 0
1758 PROB: test 17 hung forever
1759 REASON: child death before select loop did not result in EOF
1760 SOLVED: check of existence of children before starting select loop
1762 PROB: test 17 failed
1763 REASON: child death triggered EOF before last data was read
1764 SOLVED: after child death, read last data before setting EOF
1766 PROB: filan showed that exec processes incorrectly had fd3 open
1767 REASON: inherited open fd3 from main process
1768 SOLVED: set CLOEXEC flag on pty fd in main process
1770 PROB: help printed "undef" instead of group "FORK"
1771 SOLVED: added "FORK" to group name array
1773 PROB: fatal messages did not include severity classifier
1774 SOLVED: added "F" to severity classifier array
1776 PROB: IP6 addresses were printed incorrectly
1777 SOLVED: removed type casts to unsigned short *
1779 further corrections:
1780 socat catches illegal -l modes
1781 corrected error message on setsockopt(linger)
1782 option tabdly is of type uint
1783 correction for UDP over IP6
1784 more cpp conditionals, esp. for IP6 situations
1785 better handling of group NAMED options with listening UNIX sockets
1786 applyopts2 now includes last given phase
1787 corrected option group handling for most address types
1788 introduce dropping of inapplicable options (dropopts, dropopts2)
1789 gopen now accepts socket and unix-socket options
1790 exec and system now accept all socket and termios options
1791 child process for exec and system addresses with option pty
1792 improved descriptions and options for EXAMPLES
1793 printf format for file mode changed to "0%03o" with length spec.
1794 added va_end() in branch of msg()
1795 changed phase of lock options from PASTOPEN to FD
1796 support up to four early dying processes
1799 xiosysincludes now includes sysincludes.h for non xio files
1804 TYPE_DOUBLE, u_double
1806 added getsid(), setsid(), send() to sycls
1807 procan prints sid (session id)
1808 mail.sh gets -f (from) option
1809 new EXAMPLEs for file creation
1810 gatherinfo.sh now tells about failures
1811 test.sh can check for much more address/option combinations
1814 ispeed, ospeed for termios on FreeBSD
1815 getpgid() conditional for MacOS 10
1816 added ranlib in Makefile.in for MacOS 10
1817 disable pty option if no pty mechanism is available (MacOS 10)
1818 now compiles and runs on MacOS 10 (still some tests fail)
1819 setgroups() conditional for cygwin
1820 sighandler_t defined conditionally
1821 use gcc option -D_GNU_SOURCE