2 ####################### V 1.8.0.0
5 Socats OpenSSL addresses do not (and never did) check certificate
6 revocation lists (CRLs). Socat now prints a warning about this.
9 Added the --experimental option that enables use of features that might
12 Now warning messages are printed by default. If you want to see only
13 errors and fatals as in previous versions, use option -d0;
14 option -d4 is equivalent to -dddd and to -d -d -d -d
15 The number of warnings has been reduced, e.g.removing a non existing
16 file does in most cases no longer log a warning.
18 Added address type internal SOCKETPAIR. This is similar to the unnamed
19 PIPE address (only for internal echoing) but it provides datagram mode
20 (the default) and thus keeps packet boundaries.
21 Tests: SOCKETPAIR_STREAM SOCKETPAIR_DATAGRAM SOCKETPAIR_SEQPACKET
24 New option -S <mask> controls catching and logging of signals that are
25 not internally used by Socat.
26 Tests: SIGTERM_NOLOG SIG31_LOG
28 Added option ipv6-join-source-group.
29 Thanks to Martin Buck and David Schweizer for sending patches.
31 Added option http-version to PROXY-CONNECT address to support servers
32 that are not able to handle HTTP version 1.0
33 Test: PROXY_HTTPVERSION
34 Feature inspired by Robin Palotai.
36 New options openssl-maxfraglen and openssl-maxsendfrag for
37 functions/macros SSL_CTX_set_tlsext_max_fragment_length() and
38 SSL_CTX_set_max_send_fragment().
39 Thanks to James Tavares for his contribution.
41 Added Info log of resulting OpenSSL max fragment length.
43 Implemented options rcvtimeo and sndtimeo, the first of which may be
44 useful to prevent endlessly hanging DTLS connection etablishment.
46 Feature proposed by Vladimir Nikishkin.
48 The file names with -r and -R now may contain environment variable
50 Test: VARS_IN_SNIFFPATH
52 Socat option --statistics logs final byte and packet counter values
53 before exit. Signal USR1 logs actual values.
54 Tests: OPTION_STATISTICS SIGUSR1_STATISTICS
56 Added option sitout-eio to specify a timerange in which EIO on the pty
57 of a sub process is tolerated.
58 Red Hat issue 1853102 related.
59 Thanks to Jonathan Casiot for sending an initial patch.
61 Socat now installs as socat1 and is referenced by symbolic link socat,
62 same with man page (socat1.1 by socat.1)
64 New option children-shutup[=1|2...] decreases severity of log
65 messages in LISTEN and CONNECT type sub processes.
68 New option retrieve-vlan for supporting VLANs in INTERFACE addresses:
69 Linux normally keeps VLAN tags in outgoing raw packets, but appears to
70 strip them from incoming packets and makes them available in
71 PACKET_AUXDATA ancillary messages only.
72 Up do version 1.7.4.5 Socat did not handle this situation, so the VLAN
73 tags where effectively stripped off incoming packets.
74 With this option Socat restores the VLAN tag.
75 Feature inspired by Zhao Dong.
77 Socket option SO_REUSEADDR is now automatically applied to TCP LISTEN
78 addresses. reuseaddr= restores the old behaviour.
79 Tests: TCP4_REUSEADDR OPENSSL_6_REUSEADDR REUSEADDR_NULL
81 TCP based client addresses now try all results of name resolution until
82 a connection attempt succeeded.
83 Tests: TRY_ADDRS_4 TRY_ADDRS_4_6
84 Feature recommended by Anand Buddhdev.
86 configure option --enable-default-ipv allows to specify at build time if
87 IPv4, IPv6, or none of these is the preferred default; this is related
88 to environment variables SOCAT_PREFERRED_RESOLVE_IP and
89 SOCAT_DEFAULT_LISTEN_IP, and to Socat option -4, -6.
90 Furthermore, mechanism of IPv4 vs.IPv6 selection has been reworked.
91 When no IP version is preferred by these mechanism, passive Socat
92 addresses (LISTEN, RECV, RECVFROM) default to IPv6 because it might
93 support both versions (but checkout option ipv6-v6only).
94 For client addresses, when one of these mechanisms applies and name
95 resolution gives addresses of both IP versions, the addresses of the
96 preferred versions are tried first.
98 New option ai-addrconfig sets or unsets the AI_ADDRCONFIG flag of the
99 resolver to prevent name resolution to address families that are not
100 available in the network configuration. Default value is 1 in case the
101 resolver does not get an address family hint.
103 Flag AI_PASSIVE is now automatically applied for LISTEN, RECV, and
104 RECVFROM type addresses, and with bind option. In addition to its
105 application to the getaddrinfo() function, when this flag is set while
106 no IP version is preferred by build, environment, option, or address
107 type, Socat chooses IPv6 because this might activate both versions (but
108 check option ipv6-v6only).
109 Added option ai-passive to control this flag explicitely.
111 New option ai-v4mapped (v4mapped) sets or unsets the AI_V4MAPPED flag
112 of the resolver. For Socat addresses requiring IPv6 addresses, this
113 resolves IPv4 addresses to the approriate IPv6 address [::ffff:*:*].
115 DNS resolver Options (res-*) are now set for the complete open phase of
116 the address, not per getaddrinfo() invocation.
118 Added the netns option that tries to open an address in the given
120 Tests: NETNS NETNS_EXEC
122 New address ACCEPT-FD (ACCEPT) expects a listening file descriptor
123 passed from parent, and accepts one or more connections for data
124 transfer. This can be used with "inetd mode" of systemd.
127 Added experimental socks5 TCP client support (connect,bind); syntax:
128 SOCKS5-CONNECT:<socks-server>:<socks-port>:<target-host>:<target-port>
129 SOCKS5-LISTEN:<socks-server>:<socks-port>:<listen-host>:<listen-port>
130 Thanks to Charlie Svensson and others for contributions.
132 New address types POSIXMQ-RECEIVE, POSIXMQ-READ, POSIXMQ-SEND, and
133 POSIXMQ-BIDIRECTIONAL (Linux only, experimental), and option
135 Tests: LINUX_POSIXMQ_READ_PRIO LINUX_POSIXMQ_RECV_FORK
136 LINUX_POSIXMQ_RECV_MAXCHILDREN LINUX_POSIXMQ_SEND_MAXCHILDREN
138 New address SHELL invokes a shell but without the overhead of SYSTEM
140 Added options res-retrans and res-retry that make use of undocumented
141 resolver variables to set the retransmission time interval resp.the
142 number of times to retransmit.
143 Disable them and the old res-* opts with: ./configure --disable-resolve
145 Added option res-nsaddr that overrides /etc/resolv.conf nameserver
146 address based on an undocumented resolver feature.
148 New option chdir changes the working directory of the address to the
149 given path, only during the open stage.
150 Tests: CHDIR_ON_CREATE CHDIR_ON_SYSTEM
152 Option umask now applies only during opening of its very address, not
153 for the lifetime of the process; the original umask is restored
155 Tests: UMASK_ON_CREATE UMASK_ON_SYSTEM
157 Added option unix-bind-tempname (bind-tempname) to allow UNIX (and
158 ABSTRACT) client addresses to bind to unique addresses even when
159 invoked in forked off sub processes.
160 Tests: UNIX_LISTEN_CONNECT_BIND_TEMPNAME UNIX_LISTEN_CLIENT_BIND_TEMPNAME
161 UNIX_RECVFROM_CLIENT_BIND_TEMPNAME UNIX_RECVFROM_SENDTO_BIND_TEMPNAME
162 ABSTRACT_LISTEN_CONNECT_BIND_TEMPNAME ABSTRACT_LISTEN_CLIENT_BIND_TEMPNAME
163 ABSTRACT_RECVFROM_CLIENT_BIND_TEMPNAME ABSTRACT_RECVFROM_SENDTO_BIND_TEMPNAME
164 Thanks to Kai Lüke for sending an initial patch.
166 New option f-setpipe-sz (pipesz) sets the pipe size on systems that
167 provide ioctl F_SETIPE_SZ.
168 Filan prints the current value.
169 Tests: STDIN_F_SETPIPE_SZ EXEC_F_SETPIPE_SZ
171 Bidirectional PIPE addresses may block on writing a data chunk larger
172 than pipe buffer. Socat now tries to detect if transfer block size is
173 large enough and issues a warning.
175 Added direct support of DCCP protocol, new addresses:
178 DCCP4-CONNECT (DCCP4)
179 DCCP4-LISTEN (DCCP4-L)
180 DCCP6-CONNECT (DCCP6)
181 DCCP6-LISTEN (DCCP6-L)
182 New option: dccp-set-ccid (ccid)
184 Support for UDP-Lite protocol, new addresses:
191 All these are also available in UDPLITE4-* and UDPLITE6-* form;
192 options udplite-recv-cscov and udplite-send-cscov.
194 Procan now prints info about CC and __STDC_VERSION__, about FD_SETSIZE,
195 value of SO_PROTOCOL/SO_PROTOTYPE and some other defines, definitions
196 of many C types, and the actual umask.
198 Procan tries to find the name of the controlling terminal, on Linux it
199 reads info from /proc/self/stat and searches for a device with matching
200 major and minor numbers.
202 Added socat-chain.sh that makes it possible to stack protocols, e.g. to
203 drive socks through TLS, or to use TLS over a serial line.
204 Tests: SOCAT_CHAIN_SOCKS4 SOCAT_CHAIN_SSL_PTY
206 Added script socat-mux.sh that performs n-to-1 / 1-to-n communications
207 using two Socat instances with multicasting.
211 When a sub process (EXEC, SYSTEM) terminated with exit code other than
212 0, its last sent data might have been lost depending on timing of read/
213 write and SIGCHLD in Socat.
214 Now the SIGCHLD handler does not simply terminate Socat in this case,
215 but remembers the failure and allows further processing.
216 Thanks to Luke Jones for reporting this issue.
218 Now catching the case of empty SNI host to prevent OpenSSL error.
219 This is related to Red Hat issue 2081414.
221 Better formatted help output; address keywords in help output are now
222 printed in uppercase.
224 In previous Socat versions errors EPIPE and ECONNRESET on read() were
225 handled at warning level, thus not automatically leading to termination
226 with exit code 1. Beginning with this release these conditions are
227 handled as errors with termination and exit code 1 to not pretend
228 success on possible data loss.
229 Problem reported by Scott Burkett.
231 In previous Socat versions errors on shutdown() were ignored (info
233 Now Socat handles EPIPE and ECONNRESET as errors to indicate possible
234 failure of data transfer.
236 INTERFACE addresses did not accept options of INTERFACE group (for
237 historical reasons they were only available with TUN addresses).
239 Opening addresses did not check if they support all directions expected
240 by Socat. Now an error is printed when, e.g,, a read-only type address
241 is opened for writing.
243 A lot of minor corrections, e.g., catch readline() errors in filan,
244 detect byte order in procan
247 OpenSSL cipherlist option did not override global openssl.cnf settings.
248 Now SSL_CTX_set_cipher_list() is called before
249 SSL_CTX_use_certificate_chain_file().
250 Thanks to Hiroshi Sakurai for reporting the problem and suggesting this
253 Fixed option sourceport with UDP6-DATAGRAM.
255 Some client addresses (e.g. TCP-CONNECT) take the fork option for
256 automatically spawning new connections, however the max-children option
259 Fixed the end-close option, it just did not work.
261 In configure.ac was a direct call to gcc instead of $CC which broke
263 Thanks to Fergus Dall for sending a patch.
266 Introduced groups_t instead of uint32_t, for more flexibility.
268 Rearranged option group bits to only require 32 bits on older systems.
270 Make gcc happy, replace strncat with "manual" copying
272 On addresses like UDP-RECVFROM with fork option every packet causes a
273 new child process which then reads the packet. The parent process must
274 wait until the packet has been read before checking again. The former
275 synchronization mechanism using SIGUSR1 is now replaced by a
276 socketpair. SIGUSR1 is no longer used for internal synchronization.
277 Tests: UDP4_FORK UDP6_FORK UNIX_FORK
279 Renamed xioopts_t to xioparms_t to avoid confusion with xioopts module.
281 Moved multicast related code from xioopts.c to xio-ip.c and xio-ip6.c
283 Pointers of type struct single are now always called sfd.
286 Removed Config/ because its contents have not been maintained for many
289 Try to not receive outgoing packets on raw (PF_PACKET) sockets - use
290 PACKET_IGNORE_OUTGOING socket options when available.
291 Test: INTERFACE_IGNOREOUTGOING
293 Renewed port to OpenBSD:
294 Guard OPENSSL_INIT_SETTINGS; and minor changes.
296 Thanks to Paul Hunt for sending a fix of the configure
297 --enable-openssl-base processing.
299 Enable direct largefile support on "smaller" systems per
300 _FILE_OFFSET_BITS and _LARGE_FILES.
301 Thanks to Fergus Dall for sending a patch.
303 Some corrections for better 32bit systems support.
306 Removed obselete parts from test.sh
308 test.sh: Introduced function checkcond
310 Renamed test.sh option -foreign to -internet
313 Removed obselete file doc/xio.help
315 Added doc for option ipv6-join-group (ipv6-add-membership)
316 Thanks to Martin Buck for sending the patch.
318 Renamed xiogetpacketsrc() to xiogetancillary()
320 On bad parameter number now print syntax.
322 ####################### V 1.7.4.5 (not released):
325 On connect() failure and in some other situations Socat tries to get
326 detailled information about the error with recvmsg(). Error return of
327 this function is now logged as Info instead of Warn.
329 Tests of the correction of the "IP_ADD_SOURCE_MEMBERSHIP but not struct
330 ip_mreq_source" issue left an #undef in xiosysincludes.h that disabled
331 the ip-add-source-membership option.
332 Thanks to Benjamin Poirier for sending a patch.
334 Fixed a bug in dalan module that caused SIGSEGV in, e.g.,
335 SOCKET-LISTEN:1:1:'"/tmp/sock"'
336 Test: DALAN_NO_SIGSEGV
338 The retry option with some address types (TCP) did not close() the
339 sockets after failed attempts, resulting in an FD leak.
341 Filan: Corrected some syntax error messages
343 Filan: Fixed a bug introduced in 1.7.4.4 that broke displaying
344 TCP/UDP on options -s, -S
345 Test: FILAN_SHORT_TCP
347 Filan: If IP protocol type cannot be retrieved, display at least the
350 Filan: Fixed diag_set() call in filan_main.c, bug popped up with C23.
351 Thanks to Cristian Rodríguez from openSUSE for reporting this issue.
353 Querying the vsock Context Identifier (CID) requires an FD from opening
355 Thanks to Volker Simonis for sending a patch.
357 Fixed an internal FD leak in the EXEC,SYSTEM addresses.
359 The FDs of the socketpair that queues messages from signal handlers
360 lacked FD_CLOEXEC and thus leaked into EXEC and SYSTEM child processes.
362 Option stderr on addresses EXEC and SYSTEM uses a temporary FD. It
363 lacked the FD_CLOEXEC setting and thus leakt into child processes.
365 Restoring of STDIO tty settings failed on Solaris type operating
367 Thanks to Gordon W.Ross for reporting and fixing this issue.
370 The OpenSSL client SNI parameter, when not explicitely specified, is
371 derived from option commonname or rom target server name. This is not
372 useful with IP addresses, which Socat now checks and avoids.
374 Socat options -L and -W create lock files using mkstemp(), so they had
375 permissions 600. There does not seem to be a good reason for this
376 restrictive mode. Furthermore Silla Rizzoli experienced that Minicom
377 ignores lock files with mode 600, so it is set to 644 now.
379 Procan tries to find out VSOCK CID only when running as root
381 The mechanism for deferring logs from signal handlers had an issue that
382 caused lots of unwanted recvfrom() calls.
384 Do not try to remove abstract UNIX socket entries after use.
387 VSOCK, VSOCK-L support options pf, socktype, prototype (currently
391 New Environment variable SOCAT_TRANSFER_WAIT that Socat sleep before
392 starting the data transfer loop. Useful, e.g., to accumulate multiple
393 packets in a receiving datagram socket before starting to process them.
395 "//" comments were used for disabling experimental code. These lines
396 have now been removed or disabled in other ways to make Socat compile
397 with C89/C90 standard again.
399 fcntl() trace prints flags now in hexadecimal.
401 Stream dump options -r and -R now open their pathes with CLOEXEC to
402 prevent leaking into sub processes.
405 Stream dump write now warn on write errors and partial writes (but
406 still do not recover).
408 Removed trailing white space from *.h and *.c files.
411 Small correction in configure.ac makes Socat C99 able.
412 Thanks to Florian Weimer from Red Hat for providing a patch.
415 Syntax and semantics of some options (esp.unlink-close) were not clear.
416 Thanks to Anthony Chavez for reporting this and making suggestions.
418 socat-tun.html described TCP as tunnel medium but this does not keep
419 packet boundaries. Changed to UDP.
421 Added examples for DCCP client and server.
423 Complex Socat examples are now displayed in two or three lines for
425 dest-unreach.css stylesheet has been improved to support this.
428 Idea: EXEC,SYSTEM addresses can keep packet boundaries when option
429 socktype=<val-of-SOCK_DGRAM>
430 Tests: EXECSOCKETPAIRPACKETS SYSTEMSOCKETPAIRPACKETS
432 Cosmetic corrections of EXEC,SYSTEM tests.
434 test.sh: Added option --expect-fail to specify comma separated list of
435 test numbers whose failure shall not cause a failure of the whole
438 test.sh: Added help text
440 Speeded up wait loops; more addresses in upper case; more tests with
441 command printing ($VERBOSE)
443 test.sh: Check if ports are free before using them for tests
445 Test EXEC_FDS checks with Filan if EXEC address only passes stdio FDs.
447 Improved template; prepared namesFAIL, -d (DEBUG)
449 ####################### V 1.7.4.4:
452 In error.c msg2() there was a stack overflow on long messages: The
453 terminating \0 Byte was written behind the last position.
454 Thanks to Martin Liška for sending the address sanitizer report.
456 UDP-RECVFROM with fork sometimes terminated when multiple packets
457 arrived. This issue was introduced with a bug fix in version 1.7.4.0.
458 Reason was not handling EAGAIN on recvmsg().
459 Thanks to Jamie McQuillan for reporting this issue.
461 Address TCP with options connect-timeout and retry terminated
462 immediately when a connection attempt failed on network error or
464 Test: TCP_TIMEOUT_RETRY
465 Thanks to Kamil Holubicki for reporting this issue.
467 There were a couple of weaknesses and errors when accessing invalid or
468 incompatible file system entries with UNIX domain, file, and generic
470 For example, UNIX-CONNECT, when using a non matching socktype, failed
471 with -1 and did not print an error message, instead of printing an
472 error message and exiting with rc=1.
473 Thanks to Paul Wise for reporting and analyzing the case of accessing
474 a left over socket entry with GOPEN.
476 The rawer option failed because it tried to clear CREAD.
479 UDP-SEND and UPD-SENDTO with option lowport always bound to port 1
480 instead of a free port in range 640..1023
483 Fixed bad parser error message on "socat /tmp/x\"x/x -"
485 Tightened syntax checks to detect numerical arguments that are missing
486 or have trailing garbage.
487 Test: INTEGER_GARBAGE
489 ctype(3) functions need there arguments to be unsigned char.
490 Thanks to Taylor R Campbell for sending a patch.
492 Filan library uses Socats diag/error message system and therefore had
493 always the signal handler messages socket pair open. This fix avoids
494 this socketpair in standalone Filan.
496 Corrected printf format for type socklen_t in two places.
499 OpenSSL, at least 1.1 on Ubuntu, crashed with SIGSEGV under certain
500 conditions: client connection to server with certificate with empty
501 subject, and pressing ^C after successful connect.
502 This crash is now prevented by setting OPENSSL_INIT_NO_ATEXIT.
503 Thanks to Martin Dorey for reporting and analyzing this issue, and for
504 providing an environment for reproduction.
506 Socat failed to compile on platforms that have
507 IP_ADD_SOURCE_MEMBERSHIP but not struct ip_mreq_source
508 Thanks to Justin Yackoski for sending a patch.
510 configure.ac's detection of getprotobynumber_r() variant did not
511 recognize if this function does not exist, e.g. on Musl libc.
512 Thanks to Alexander Kanavin and Baruch Siach for sending patches.
514 Corrected message format when no strftime() is available; improved
515 handling of very long host or program names
517 Solaris requires that termios options are always applied to the slave
520 Fixed ancillary messages on Solaris.
522 Filan: Solaris has the open file path infos in /proc/<pid>/path/
523 Thanks to Andy Fiddaman to directing me to the patch.
525 Filan now recognizes and prints Solaris doors and event ports.
527 Solaris derivatives no longer need librt for clock_gettime()
528 Thanks to Andy Fiddaman to directing me to the patch.
530 LibreSSL does not have OPENSSL_INIT_new(). This function is now
531 guarded. Socat might build with LibreSSL.
532 Thanks to Orbea for reporting and helping.
535 Failure during building documentation, e.g. due to missing Yodl
536 packages, now does not let the build process fail.
537 Feature requested by Seyhun.
540 Filan prints target of symlink when appropriate
543 VSOCK-LISTEN now generates environment variables SOCAT_PEERADDR,
544 SOCAT_PEERPORT, SOCAT_SOCKADDR, SOCAT_SOCKPORT
545 New address aliases VSOCK, VSOCK-L
548 Fixed typo in doc/socat-tun.html and link in README.
549 Thanks to William Suthers for reporting.
551 Fixed hard coded path in docu examples.
552 Thanks to Jakub Wilk for sending a patch.
554 Updated doc/socat-openssltunnel.html: 2048 bits, commonname
557 Unset SOCAT_MAIN_WAIT on informational Socat calls
559 SOCAT=socat used ./socat instead of the version derived by $PATH
561 Do not try VSOCK_ECHO test when feature is not compiled in.
563 Fixed logging of test 220 TUNINTERFACE
565 Musl libc refuses to execve() shell scripts, 2 tests needed to be
568 Musl libc has FOPEN_MAX=1000 which made bash dumping core on test
571 Added tests for failures of UNIX socket and GOPEN accesses to non
572 matching file system entries.
574 CONNECT_TO_MISSING CONNECT_TO_DENIED CONNECT_TO_DIRECTORY
575 CONNECT_TO_ORPHANED CONNECT_TO_FILE CONNECT_TO_DGRAM
576 CONNECT_TO_SEQPACKET SEND_TO_MISSING SEND_TO_DENIED SEND_TO_DIRECTORY
577 SEND_TO_ORPHANED SEND_TO_FILE SEND_TO_STREAM SEND_TO_SEQPACKET
578 SENDTO_TO_MISSING SENDTO_TO_DENIED SENDTO_TO_DIRECTORY
579 SENDTO_TO_ORPHANED SENDTO_TO_FILE SENDTO_TO_STREAM SENDTO_TO_SEQPACKET
580 SEQPACKET_TO_MISSING SEQPACKET_TO_DENIED SEQPACKET_TO_DIRECTORY
581 SEQPACKET_TO_ORPHANED SEQPACKET_TO_FILE SEQPACKET_TO_STREAM
582 SEQPACKET_TO_DGRAM UNIX_TO_MISSING UNIX_TO_DENIED UNIX_TO_DIRECTORY
583 UNIX_TO_FILE UNIX_TO_ORPHANED GOPEN_TO_DENIED GOPEN_TO_DIRECTORY
586 On RHEL-9 SCTP support requires installation of package
587 kernel-modules-extra. test.sh now detects when SCTP is missing in
588 kernel and reacts with warnings instead of errors.
590 VSOCK loopback still does not seem to work even in kernel 5.13, so just
591 issue warning on "No such device".
593 ####################### V 1.7.4.3:
596 Socat crashed with SIGSEGV when peer presented a certificate without
598 Thanks to Martin Dorey for reporting this issue and sending a patch.
600 Socat 1.7.4.2 did not compile on OmniOS (and probably other OpenSolaris
602 Thanks to Andy Fiddaman for sending a patch.
604 Socat since 1.7.4.0 did not compile on Solaris and its derivatives
605 because the getprotobynumber_r() function prototype differ from the
607 configure now checks for the variant.
608 Thanks to Robert Zybeck for reporting this issue.
610 The variable for the no-sni option was not initialized and could thus
611 break OpenSSL certificate verification. E.g., test OPENSSL_SNI on some
612 platform succeeded with -g but failed with -O compiler option.
613 Thanks to valgrind for quickly finding the cause.
616 Again porting Socat to AIX (7.1) - Fixed configure and compile issues:
617 Adapted include requirements for IPv6
620 Continued porting Socat to AIX-7.1 - Fixed some runtime errors:
621 UNIX domain sockets of type SEQPACKET are not available.
622 Connecting to UNIX datagram socket fails with EPROTONOSUPPORT (vs.
623 EPROTOTYPE on most other OSes).
624 Streams: Must not push ldterm when it is already active (hangs).
627 Socats build date and time may now be set externally with environment
628 variable SOURCE_DATE_EPOCH.
629 Thanks to Viktor Kleinik for sending a patch.
631 Building Socat in a sub directory failed.
632 Now the following works even for the docu parts:
633 mkdir -p myos; cd myos; ../configure && make; cd ..
634 Thanks to Jon Ringle for sending a patch.
637 test.sh: many corrections for AIX's older shell utilities, e.g.sleep(1)
638 does not allow fractions of seconds, grep does not understand '\<';
639 OpenIndiana/SunOS netstat format;
640 many more functional and cosmetic code corrections.
643 The socktype option was documented unspecifically as type option.
644 Thanks to Jonas Metzger for the hint.
646 ####################### V 1.7.4.2:
649 The per address parameters for OpenSSL overlapped in memory with socket
650 parameters. Magically this did not seem to cause problems except on
651 MacOS Catalina that reported errors like:
652 socat[3458] E Select(7, &0x80, NULL, NULL, {140392884396544.000000}):
654 Test: OPENSSL_PARA_OVERLAP
655 Thanks to Ryo Ota for reporting this bug.
657 Fixed a few minor coding issues
659 A VSOCK warning message was generated with all listening addresses
660 instead of only with VSOCK-LISTEN
662 When an OPENSSL-CONNECT client presented a certificate with IPv6
663 subject alternate name and the OPENSSL-LISTEN server had no commonname
664 option, the server crashed with SIGSEGV in xioip6_pton().
665 Test: OPENSSL_CLIENT_IP6_CN
667 Thanks to Vlad Slepukhin for reporting this issue and providing a patch
669 Corrected a typo in configure.ac that broke option --enable-openssl-base
670 Thanks to john1doe for reporting this issue.
672 Socat looped endlessly, not responding to SIGTERM, when a service name
673 (for port) could not be resolved.
676 Using options of NAMED group, e.g.chown, with abstract UNIX domain
677 sockets, produced errors because the function was applied with a normal
678 file system related call, e.g.chown(), using file "" (empty name). Instead of
679 chown(), Socat now uses fchown() on the file descriptor. However, such
680 a call usually has no real effect.
682 Thanks to Andreas Fink for reporting this issue.
684 Option -R did not only dump ("sniff") right-to-left, but also
685 left-to-right traffic to the given file.
686 Test: SNIFF_RIGHT_TO_LEFT
687 Thanks to 1314 gsf for reporting this bug and sending a patch.
689 Options -r and -R, when opening a named pipe that has no actual reader,
690 failed with "No such device or address". To solve this problem, Socat
691 now opens the pipe in rw-Mode.
692 Thanks to Cody J.Soultz for sending a patch.
694 The call "socat -r - PIPE" traced to file ./- instead of issuing a
697 Print a message when readbytes option causes EOF
699 The ip-recverr option had no effect. Corrected and improved its
700 handling of ancilliary messages, so it is able to analyze ICMP error
701 packets (Linux only?)
703 Setgui(), Setuid() calls in xio-progcall.c were useless.
706 Prevent the TIMESTAMP tests from sporadically failing due do seconds
709 Fixed in test.sh a few issues reported by shellcheck
712 Added missing docu of OpenSSL options min-proto-version,
715 Added missing closing parenthesis in socat.yo.
716 Thanks to Emanuele Torre for reporting this issue.
718 Corrected more typos and added missing bug info to CHANGES, performed
719 some non functional corrections.
722 Corrected building when clock_gettime() not available, with or without
725 ####################### V 1.7.4.1:
728 Socat 1.7.4.0 failed to compile especially on 32 bit systems.
729 Thanks to Wang Mingyu and others for sending a patch or reporting this
732 Under certain conditions OpenSSL stream connections, in particular bulk
733 data transfer in unidirectional mode, failed during transfer or near
734 its with Connection reset by peer on receiver side.
735 This happened with Socat versions 1.7.3.3 to 1.7.4.0. Reasons were
736 lazy SSL shutdown handling on the sender side in combination with
737 SSL_MODE_AUTO_RETRY turned off.
738 Fix: After SSH_shutdown but before socket shutdown call SSL_read()
739 Test: OPENSSL_STREAM_TO_SERVER
740 Fixes Red Hat issue 1870279.
742 ####################### V 1.7.4.0:
745 Buffer size option (-b) is internally doubled for CR-CRLF conversion,
746 but not checked for integer overflow. This could lead to heap based
747 buffer overflow, assuming the attacker could provide this parameter.
748 Test: BLKSIZE_INT_OVERFL
749 Thanks to Lê Hiếu Bùi for reporting this issue and sending an
753 Socats address parser read over end of string when there were unbalanced
755 Test: UNBALANCED_QUOTE
757 Removed unused usleep() call from sycls.c
759 Unsetenv() was conditional in sysutils.c but not in xio-openssl.c thus
760 building failed on Solaris 9.
761 Thanks to Greg Earle for reporting this issue and providing a patch.
763 Mitigated race condition of quickly terminating SYSTEM or EXEC child
766 Option o-direct might require alignment of read/write buffer to, e.g.,
767 512 bytes, Socat now takes care of this when allocating the buffer.
768 With this fix read() succeeds, however, write() still might fail when
769 not writing complete pages.
772 There was a race condition in the way Socat UDP-RECVFROM and similar
773 addresses with option fork prevents one packet from triggering
774 multiple processes. The symptom was that Socat master process seemed to
775 hang and did not process further packets. The fix makes use of
776 pselect() system call.
777 Thanks to Fulvio Scapin for reporting this issue.
779 UNIX domain client addresses applied file system entry options (group
780 NAMED) to the server socket instead of the client (bind) socket entry.
781 Tests: UNIX_SENDTO_UNLINK UNIX_CONNECT_UNLINK
782 Thanks to Nico Williams for reporting this major issue.
784 Length of single address options was limited to 511 bytes. This value
785 is now increased to 2047 bytes.
786 Change suggested by Mario Camou.
788 Addresses of type RECVFROM with option fork looped with an error
789 message in case that the second address failed before consuming the
790 packet. The fix makes RECVFROM drop the packet when the second address
791 failed before reading it. Use retry or forever option with the second
792 address if you want to avoid data loss.
793 Fixes Red Hat bug 1907718
794 Thanks to Chunmei Xu for reporting this issue and proving the patch.
796 Socats DTLS implementation has been reworked and appears to work now
798 New addresses: OPENSSL-DTLS-SERVER (DTLS-L),
799 OPENSSL-DTLS-CLIENT (DTLS)
800 Tests: OPENSSL_DTLS_CLIENT OPENSSL_DTLS_SERVER
801 OPENSSL_METHOD_DTLS1 OPENSSL_METHOD_DTLS1.2
802 Thanks to Brandon Carpenter, Qing Wan, and Pavel Nakonechnyi for
805 filan did not output the socket protocol.
806 filan -s assumed each stream socket to be TCP and each datagram socket
807 to be UDP. Now it uses SO_PROTOCOL and getprotoent() for correct output.
809 Help text showed two parameters for UDP4-RECVFROM address, but only
811 Thanks to John the Scott for reporting this issue.
813 Error messages from SSL_read() and SSL_write() sometimes stated
814 SSL_connect instead of originating function name.
816 Fixed some more non functional minor issues.
819 In gcc version 10 the default changed from -fcommon to -fno-common.
820 Consequently, linking filan and procan failed with error
821 "multiple definition of `deny_severity'" and `allow_severity'
822 Fixed by removing definitions in filan.c and procan.c
824 Thanks to László Böszörményi and others for reporting this issue.
826 Solaris 9 does not provide strndup(); added substitute code.
827 Thanks to Greg Earle for providing a patch.
829 Added configure option --enable-openssl-base to specify the location of
830 a non-OS OpenSSL installation
832 There are systems whose kernel understands SCTP but getaddrinfo does
833 not. As workaround after EIA_SOCKTYPE on name and service resolution
834 fall back to ai_socktype=0; if it fails with EAI_SERVICE, set
835 ai_protocol=0 and try again
836 Test: SCTP_SERVICENAME
838 Per file filesystem options were still named ext2-* and depended on
839 <linux/ext2_fs.h>. Now they are called fs-* and depend on <linux/fs.h>.
840 These fs-* options are also available on old systems with ext2_fs.h
842 New options openssl-min-proto-version (min-version) and
843 openssl-max-proto-version (max-version) give access to the related
844 OpenSSL set-macros and substitute deprecated version-specific methods.
845 Test: OPENSSL_MIN_VERSION
847 With OpenSSL use OPENSSL_init_SSL when available, instead of deprecated
850 With OPENSSL_API_COMPAT=0x10000000L the files openssl/dh.h, openssl/bn.h
851 must explicitely be included.
852 Thanks to Rosen Penev for reporting and sending a patch.
855 test.sh now produces a list of tests that could not be performed for
856 any reason. This helps to analyse these cases.
858 OpenSSL s_server appearently started to neglect TCPs half close feature.
859 Test OPENSSL_TCP4 has been changed to tolerate this.
861 OpenSSL changed its behaviour when connection is rejected. Tests
862 OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and
863 OPENSSL_CN_SERVER_SECURITY now tolerate this.
865 OpenSSL no longer allows explicit renegotiation with TLSv1.3, thus the
866 appropriate tests failed.
867 Fix: use TLSv1.2 for renegotiation tests
868 Tests: OPENSSLRENEG1 OPENSSLRENEG2
870 Ubuntu 20.04 requires 2048 bit certificates with OpenSSL
872 Archlinux 2020 has not which command; its ip,ss commands have modified
875 More testing issues solved:
876 * ss to pipe might omit column separator
877 * UDP6MULTICAST_UNIDIR fails on newer Linux kernels
879 * renamed testaddrs() to testfeats(), and introduced new testaddrs()
882 GOPEN and UNIX-CLIENT addresses now support sockets of type SEQPACKET.
883 Test: GOPENUNIXSEQPACKET
884 Feature suggested by vi0oss.
886 The generic setsockopt-int and related options are, in case of
887 listening/accepting addresses, applied to the connected socket(s). To enable
888 setting options on the listening socket, a new option setsockopt-listen
889 has been implemented. See the documentation for info on data types.
890 Tests: SETSOCKOPT SETSOCKOPT_LISTEN
891 Thanks to Steven Danna and Korian Edeline for reporting this issue.
893 Filan option -S gives short description like -s but with improved
896 Socat OpenSSL client, when server was specified using IP address, did
897 not verify connection on certificates SubjectAltName IP entries.
898 Tests: OPENSSL_SERVERALTAUTH OPENSSL_SERVERALTIP4AUTH OPENSSL_SERVERALTIP6AUTH
899 Fixes Red Hat bug 1805132
901 Added options -r and -R for raw dump of transferred data to files.
902 Test: OPTION_RAW_DUMP
904 Added option ip-transparent (socket option IP_TRANSPARENT)
905 Thanks to Wang Shanker for sending a patch.
907 OPENSSL-CONNECT now automatically uses the SNI feature, option
908 openssl-no-sni turns it off. Option openssl-snihost overrides the value
909 of option openssl-commonname or the server name.
910 Tests: OPENSSL_SNI OPENSSL_NO_SNI
911 Thanks to Travis Burtrum for providing the initial patch
913 New option accept-timeout (listen-timeout)
917 New option ip-add-source-membership
918 Feature inspired by Brian (b f31415)
920 INCOMPATIBLE CHANGE: Address UDP-DATAGRAM now does not check peerport
921 of replies, as it did up to version 1.7.3.4. Use option sourceport when
922 you need the old behaviour.
923 Test: UDP_DATAGRAM_SOURCEPORT
924 Feature inspired by Hans Bueckler for SSDP inquiry (for UPnP)
926 New option proxy-authorization-file reads PROXY-CONNECT credentials
927 from file and makes it possible to hide this data from the process
930 Thanks to Charles Stephens for sending an initial patch.
932 Added AF_VSOCK support with VSOCK-CONNECT and VSOCK-LISTEN addresses.
933 Developed by Stefano Garzarella.
936 Added printf formats for uint16_t etc.
939 Address UDP-RECV does not support option fork.
940 Thanks to Fulvio Scapin for reporting that mistake in docu.
942 TUN address documentation showed TCP for backend which may merge
943 consecutive packets which causes data loss.
944 Thanks to Tomasz Lakota for reporting this issue.
946 ####################### V 1.7.3.4:
949 Header of xiotermios_speed() declared parameter unsigned int instead of
950 speed_t, thus compiling failed on MacOS
951 Thanks to Joe Strout and others for reporting this bug.
952 Thanks to Andrew Childs and others for sending a patch.
954 Under certain circumstances, termios options of the first address were
955 applied to the second address, resulting in error
956 "Inappropriate ioctl for device"
957 This affected version 1.7.3.3 only.
959 Thanks to Ivan J. for reporting this issue.
961 Socat failed to compile when no poll() system call was found by
963 Thanks to Jason White for sending a patch.
965 Due to use of SSL_CTX_clear_mode() Socat failed to compile on old
966 systems with, e.g., OpenSSL-0.9.8. Thanks to Simon Matter and Moritz B.
967 for reporting this problem and sending initial patches.
969 getaddrinfo() in IP4-SENDTO and IP6-SENDTO addresses failed with
970 "ai_socktype not supported" when protocol 6 was addressed.
971 The fix removes the possibility to use service names with SCTP.
973 Thanks to Sören for sending an initial patch.
975 Under certain circumstances, Socat printed the "socket ... is at EOF"
979 Newer parts of test.sh used substitutions ${x,,*} or ${x^^*} that are
980 not implemented in older bash versions.
982 ####################### V 1.7.3.3:
985 Makefile.in did not specify dependencies of filan on vsnprintf_r.o
987 Added definition of FILAN_OBJS
988 Thanks to Craig Leres, Clayton Shotwell, and Chris Packham for
991 configure option --enable-msglevel did not work with numbers
993 The autoconf mechanism for determining SHIFT_OFFSET did not work when
995 Thanks to Max Freisinger from Gentoo for sending a patch.
997 Socat still depended on obsolete gethostbyname() function, thus
998 compiling with MUSL libc failed.
999 Problem reported by Kennedy33.
1001 The async signal safe diagnostic system used FDs 3 and 4 internally, so
1002 use of appropriate fdin or fdout led to failures.
1004 Problem reported by Onur Sentürk.
1006 The socket based mechanism for passing messages and signal information
1007 from signal handler to process could reach and kill the wrong process.
1008 Introduces functions diag_sock_pair(), diag_fork()
1009 Thanks to Darren Zhao for analysing and reporting this problem.
1011 Option ipv6-join-group did not work because it was applied in the wrong
1013 Test: UDP6MULTICAST_UNIDIR
1014 Thanks to Angus Gratton for sending a patch.
1016 Setting ispeed and ospeed failed for some serial devices because the
1017 two settings were applied with two different get/set cycles, Thanks to
1018 Alexandre Fenyo for providing an initial patch.
1019 However, the actual fix is part of a conceptual change of the termios
1020 module that aims for applying all changes in a single tcsetattr call.
1021 Fixes FreeBSD Bug 198441
1023 Termios options TAB0,TAB1,TAB2,TAB3, and XTABS did not have an effect.
1024 Thanks to Alan Walters for reporting this bug.
1026 Substituted cumbersom ISPEED_OFFSET mechanism for cfsetispeed() calls
1028 With TCP6-LISTEN and the other passive IPv6 addresses the range option
1029 just failed: due to a bug in the syntax parser and two more bugs in
1030 the xiocheckrange_ip6() function.
1031 The syntax has now been changed from "[::1/128]" to "[::1]/128"!
1032 Thanks Leah Neukirchen for sending an initial fix.
1034 For name resolution Socat only checked the first character of the host
1035 name to decide if it is an IPv4 address. This was not RFC conform. This
1036 fix removes the possibility for use of IPv4 addresses with IPv6, e.g.
1039 Thanks to Nicolas Fournil for reporting this issue.
1041 Print a useful error message when single character options appear to be
1042 merged in Socat invocation
1043 Test: SOCAT_OPT_HINT
1045 Fixed some docu typos.
1046 Thanks to Travis Wellman, Thomas <tjps636>, Dan Kenigsberg,
1047 Julian Zinn, and Simon Matter
1050 OpenSSL functions TLS1_client_method() and similar are
1051 deprecated. Socat now uses recommended TLS_client_method(). The old
1052 functions and dependend option openssl-method can still be
1053 used when configuring socat with --enable-openssl-method
1055 Shell scripts in socat distribution are now headed with:
1056 #! /usr/bin/env bash
1057 to make them better portable to systems without /bin/bash
1058 Thanks to Maya Rashish for sending a patch
1060 RES_AAONLY, RES_PRIMARY are deprecated. You can still enable them with
1061 configure option --enable-res-deprecated.
1063 New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat.
1064 Solution: clear SSL_MODE_AUTO_RETRY when it is set.
1066 Renamed configure.in to configure.ac and set an appropriate symlink for
1068 Related Gentoo bug 426262: Warning on configure.in
1069 Thanks to Francesco Turco for reporting that warning.
1071 Fixed new IPv6 range code for platforms without s6_addr32 component.
1074 test.sh: Show a warning when phase-1 (insecure phase) of a security
1077 OpenSSL tests failed on actual Linux distributions. Measures:
1078 Increased key lengths from 768 to 1024 bits
1079 Added test.sh option -C to delete temp certs from prevsious runs
1080 Provide DH-parameter in certificate in PEM
1081 OpenSSL s_server option -verify 0 must be omitted
1082 OpenSSL authentication method aNULL no longer works
1083 Failure of cipher aNULL is not a failure
1084 Failure of methods SSL3 and SSL23 is desired
1086 test.sh depended on ifconfig and netstat utilities which are no longer
1087 availabie in some distributions. test.sh now checks for and prefers
1089 Thanks to Ruediger Meier for reporting this problem.
1091 More corrections to test.sh:
1092 Language settings could still influence test results
1093 netstat was still required
1094 Suppress usleep deprecated messag
1095 Force use of IPv4 with some certificates
1096 Set timeout for UDPxMAXCHILDREN tests
1099 Added missing Config/Makefile.DragonFly-2-8-2,
1100 Config/config.DragonFly-2-8-2.h
1101 Removed testcert.conf (to be generated by test.sh)
1104 Simplified handling of missing termios defines.
1107 Permit combined -d options as -dd etc.
1110 ext2 options are now fs options.
1112 ####################### V 1.7.3.2:
1115 SIGSEGV and other signals could lead to a 100% CPU loop
1117 Failing name resolution could lead to SIGSEGV
1118 Thanks to Max for reporting this issue.
1120 Include <stddef.h> for ptrdiff_t
1121 Thanks to Jeroen Roovers for reporting this issue.
1123 Building with --disable-sycls failed due to missing sslcls.h defines
1125 Socat hung when configured with --disable-sycls.
1127 Some minor corrections with includes etc.
1129 Option so-reuseport did not work. Thanks to Some Raghavendra Prabhu
1130 for sending a patch.
1132 Programs invoked with EXEC, nofork, and -u or -U had stdin and stdout
1133 incorrectly assigned
1134 Test: EXEC_NOFORK_UNIDIR
1135 Thanks to David Reiss for reporting this problem.
1137 Socat exited with status 0 even when a program invoked with SYSTEM or
1139 Tests: SYSTEM_RC EXEC_RC
1140 Issue reported by Felix Winkelmann.
1142 AddressSanitizer reported a few buffer overflows (false positives).
1143 Nevertheless fixed Socat source.
1144 Issue reported by Hanno Böck.
1146 Socat did not use option ipv6-join-group.
1147 Test: USE_IPV6_JOIN_GROUP
1148 Thanks to Linus Lüssing for sending a patch.
1150 UDP-LISTEN did not honor the max-children option.
1151 Test: UDP4MAXCHILDREN UDP6MAXCHILDREN
1152 Thanks to Leander Berwers for reporting this issue.
1154 Options so-rcvtimeo and so-sndtimeo do not work with poll()/select()
1155 and therefore were useless.
1156 Thanks to Steve Borenstein for reporting this issue.
1158 Option dhparam was documented as dhparams. Added the alias name
1159 dhparams to fix this.
1160 Thanks to Alexander Neumann for sending a patch.
1162 Options shut-down and shut-close did not work.
1163 Thanks to Stefan Schimanski for providing a patch.
1165 There was a bug in printing readline log message caused by a misleading
1167 Thanks to Paul Wouters for reporting.
1169 The internal vsnprintf_r function looped or crashed on size parameter
1170 with hexadecimal output.
1172 Ignore exit code of child process when it was killed by master due to
1175 Corrected byte order on read of IPV6_TCLASS value from ancillary
1178 Fixed type of the bool element in options. This had bug caused failures
1179 e.g. of ignoreeof on big-endian systems when bool was not based on int.
1181 On systems with predefined bool type whose size differs from int some
1182 IPv6 and TCP options (per setsockopt()) failed.
1184 Length of integral data in ancillary messages varies (TOS: 1 byte,
1185 TTL: 4 bytes), the old implementation failed for TTL on big-endian
1188 Fixed an issue in options processing: TUN and DNS flags had failed on
1189 big-endian systems and the NO- forms had probable never worked.
1192 Type conflict between int and sig_atomic_t between declaration and
1193 definition of diag_immediate_type and diag_immediate_exit broke
1194 compilation on FreeBSD 10.1 with clang. Thanks to Emanuel Haupt for
1197 Socat failed to compile on platforms with OpenSSL without
1198 DTLSv1_client_method or DTLSv1_server_method.
1199 Thanks to Simon Matter for sending a patch.
1201 NuttX OS headers do not provide struct ip, thus socat did not compile.
1202 Made struct ip subject to configure.
1203 Thanks to SP for reporting this issue.
1205 Socat failed to compile with OpenSSL version 1.0.2d where
1206 SSLv3_server_method and SSLv3_client_method are no longer defined.
1207 Thanks to Mischa ter Smitten for reporting this issue and providing
1210 configure checked for OpenSSL EC_KEY assuming it is a define but it
1211 is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
1212 Thanks to Andrey Arapov for reporting this bug.
1214 Changes to make socat compile with OpenSSL 1.1.
1215 Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
1216 providing the base patch.
1219 Make Socat compatible with BoringSSL.
1220 Thanks to Matt Braithwaite for providing a patch.
1222 OpenSSL: Use RAND_status to determine PRNG state
1223 Thanks to Adam Langley for providing a patch
1225 AIX-7 uses an extended O_ACCMODE that does not fit socat's internal
1226 requirements. Thanks to Garrick Trowsdale for providing a patch
1228 LibreSSL support: check for OPENSSL_NO_COMP
1229 Thanks to Bernard Spil for providing a patch
1232 socks4echo.sh and socks4a-echo.sh hung with new bash with read -n
1234 test.sh: stderr; option -v (verbose); FDOUT_ERROR description
1236 improved proxy.sh - it now also takes hostnames
1238 A few corrections in test.sh
1240 DTLS1 test hangs on some distributions. Test is now only performed
1241 with OpenSSL 1.0.2 or higher.
1243 More corrections to test.sh that reveal a mistake with IPV6_TCLASS
1246 Corrected source of socat man page to correctly show man references
1247 like socket(2); removed obseolete entries from See Also
1249 Docu and some comments mentioned addresses SSL-LISTEN and SSL-CONNECT
1250 that do not exist (OPENSSL-LISTEN, SSL-L; and OPENNSSL-CONNECT, SSL
1252 Thanks to Zhigang Wang for reporting this issue.
1254 Fixed a couple of English spelling and grammar mistakes.
1255 Thanks to Jakub Wild for sending the patches.
1257 NOEXPAND() was not resolved 2 times.
1259 More minor docu corrections
1262 Added contributors to copyright notices. Suggested by Matt Braithwaite.
1264 ####################### V 1.7.3.1:
1267 Socat security advisory 8
1268 A stack overflow in vulnerability was found that can be triggered when
1269 command line arguments (complete address specifications, host names,
1270 file names) are longer than 512 bytes.
1271 Successful exploitation might allow an attacker to execute arbitrary
1272 code with the privileges of the socat process.
1273 This vulnerability can only be exploited when an attacker is able to
1274 inject data into socat's command line.
1275 A vulnerable scenario would be a CGI script that reads data from clients
1276 and uses (parts of) this data as hostname for a Socat invocation.
1278 Credits to Takumi Akiyama for finding and reporting this issue.
1280 Socat security advisory 7
1282 In the OpenSSL address implementation the hard coded 1024 bit DH p
1283 parameter was not prime. The effective cryptographic strength of a key
1284 exchange using these parameters was weaker than the one one could get by
1285 using a prime p. Moreover, since there is no indication of how these
1286 parameters were chosen, the existence of a trapdoor that makes possible
1287 for an eavesdropper to recover the shared secret from a key exchange
1288 that uses them cannot be ruled out.
1289 Futhermore, 1024bit is not considered sufficiently secure.
1290 Fix: generated a new 2048bit prime.
1291 Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
1292 Research (MSVR) for finding and reporting this issue.
1294 ####################### V 1.7.3.0:
1297 Socat security advisory 6
1298 CVE-2015-1379: Possible DoS with fork
1299 Fixed problems with signal handling caused by use of not async signal
1300 safe functions in signal handlers that could freeze socat, allowing
1301 denial of service attacks.
1302 Many changes in signal handling and the diagnostic messages system were
1303 applied to make the code async signal safe but still provide detailled
1304 logging from signal handlers:
1305 Coded function vsnprintf_r() as async signal safe incomplete substitute
1307 Coded function snprinterr() to replace %m in strings with a system error
1309 Instead of gettimeofday() use clock_gettime() when available
1310 Pass Diagnostic messages from signal handler per unix socket to the main
1312 Use sigaction() instead of signal() for better control
1313 Turn off nested signal handler invocations
1314 Thanks to Peter Lobsinger for reporting and explaining this issue.
1316 Red Hat issue 1019975: add TLS host name checks
1317 OpenSSL client checks if the server certificates names in
1318 extensions/subjectAltName/DNS or in subject/commonName match the name
1319 used to connect or the value of the openssl-commonname option.
1320 Test: OPENSSL_CN_CLIENT_SECURITY
1322 OpenSSL server checks if the client certificates names in
1323 extensions/subjectAltNames/DNS or subject/commonName match the value of
1324 the openssl-commonname option when it is used.
1325 Test: OPENSSL_CN_SERVER_SECURITY
1327 Red Hat issue 1019964: socat now uses the system certificate store with
1328 OPENSSL when neither options cafile nor capath are used
1330 Red Hat issue 1019972: needs to specify OpenSSL cipher suites
1331 Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
1332 prevent downgrade attacks
1335 OpenSSL addresses set couple of environment variables from values in
1336 peer certificate, e.g.:
1337 SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER,
1338 SOCAT_OPENSSL_X509_COMMONNAME,
1339 SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS
1340 Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_*
1342 Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1
1343 Tests: OPENSSL_METHOD_*
1345 Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested
1348 Added a new option termios-rawer for ptys.
1349 Thanks to Christian Vogelgsang for pointing me to this requirement
1352 Bind with ABSTRACT commands used non-abstract namespace (Linux).
1354 Thanks to Denis Shatov for reporting this bug.
1356 Fixed return value of nestlex()
1358 Option ignoreeof on the right address hung.
1360 Thanks to Franz Fasching for reporting this bug.
1362 Address SYSTEM, when terminating, shut down its parent addresses,
1363 e.g. an SSL connection which the parent assumed to still be active.
1364 Test: SYSTEM_SHUTDOWN
1366 Passive (listening or receiving) addresses with empty port field bound
1367 to a random port instead of terminating with error.
1370 configure with some combination of disable options produced config
1371 files that failed to compile due to missing IPPROTO_TCP.
1372 Thanks to Thierry Fournier for report and patch.
1374 fixed a few minor bugs with OpenSSL in configure and with messages
1376 Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime
1377 is required. Thanks to Zhigang Wang for reporting and sending a patch.
1379 Christophe Leroy provided a patch that fixes memory leaks reported by
1382 Help for filan -L was bad, is now corrected to:
1383 "follow symbolic links instead of showing their properties"
1385 Address options fdin and fdout were silently ignored when not applicable
1386 due to -u or -U option. Now these combinations are caught as errors.
1388 Issue reported by Hendrik.
1390 Added option termios-cfmakeraw that calls cfmakeraw() and is preferred
1391 over option raw which is now obsolote. On SysV systems this call is
1392 simulated by appropriate setting.
1393 Thanks to Youfu Zhang for reporting issue with option raw.
1396 Socat included <sys/poll.h> instead of POSIX <poll.h>
1397 Thanks to John Spencer for reporting this issue.
1399 Version 1.7.2.4 changed the check for gcc in configure.ac; this
1400 broke cross compiling. The particular check gets reverted.
1401 Thanks to Ross Burton and Danomi Manchego for reporting this issue.
1403 Debian Bug#764251: Set the build timestamp to a deterministic time:
1404 support external BUILD_DATE env var to allow to build reproducable
1407 Joachim Fenkes provided an new adapted spec file.
1409 Type bool and macros Min and Max are defined by socat which led to
1410 compile errors when they were already provided by build framework.
1411 Thanks to Liyu Liu for providing a patch.
1413 David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h
1414 support and appropriate files in Config/
1416 Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h
1419 Changes for Openindiana: define _XPG4_2, __EXTENSIONS__,
1420 _POSIX_PTHREAD_SEMANTICS; and minor changes
1422 Red Hat issue 1182005: socat 1.7.2.4 build failure missing
1424 Socat failed to compile on on PPC due to new requirements for
1425 including <linux/errqueue.h> and a weakness in the conditional code.
1426 Thanks to Michel Normand for reporting this issue.
1429 In the man page the PTY example was badly formatted. Thanks to
1430 J.F.Sebastian for sending a patch.
1432 Added missing CVE ids to security issues in CHANGES
1435 Do not distribute testcert.conf with socat source but generate it
1436 (and new testcert6.conf) during test.sh run.
1438 ####################### V 1.7.2.4:
1441 LISTEN based addresses applied some address options, e.g. so-keepalive,
1442 to the listening file descriptor instead of the connected file
1444 Thanks to Ulises Alonso for reporting this bug
1446 make failed after configure with non gcc compiler due to missing
1447 include. Thanks to Horacio Mijail for reporting this problem
1449 configure checked for --disable-rawsocket but printed
1450 --disable-genericsocket in the help text. Thanks to Ben Gardiner for
1451 reporting and patching this bug
1453 In xioshutdown() a wrong branch was chosen after RECVFROM type addresses.
1455 Thanks to David Binderman for reporting this issue.
1457 procan could not cleanly format ulimit values longer than 16 decimal
1458 digits. Thanks to Frank Dana for providing a patch that increases field
1461 OPENSSL-CONNECT with bind option failed on some systems, eg.FreeBSD, with
1463 Thanks to Emile den Tex for reporting this bug.
1465 Changed some variable definitions to make gcc -O2 aliasing checker happy
1466 Thanks to Ilya Gordeev for reporting these warnings
1468 On big endian platforms with type long >32bit the range option applied a
1469 bad base address. Thanks to hejia hejia for reporting and fixing this bug.
1471 Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()
1473 Red Hat issue 1022063: out-of-range shifts on net mask bits
1475 Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()
1477 Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()
1480 Red Hat issue 1021958: fixed a bug with faulty buffer/data length
1481 calculation in xio-ascii.c:_xiodump()
1483 Red Hat issue 1021972: fixed a missing NUL termination in return string
1484 of sysutils.c:sockaddr_info() for the AF_UNIX case
1486 fixed some typos and minor issues, including:
1487 Red Hat issue 1021967: formatting error in manual page
1489 UNIX-LISTEN with fork option did not remove the socket file system entry
1490 when exiting. Other file system based passive address types had similar
1491 issues or failed to apply options umask, user e.a.
1492 Thanks to Lorenzo Monti for pointing me to this issue
1495 Red Hat issue 1020203: configure checks fail with some compilers.
1498 Performed changes for Fedora release 19
1500 Adapted, improved test.sh script
1502 Red Hat issue 1021429: getgroupent fails with large number of groups;
1503 use getgrouplist() when available instead of sequence of calls to
1506 Red Hat issue 1021948: snprintf API change;
1507 Implemented xio_snprintf() function as wrapper that tries to emulate C99
1508 behaviour on old glibc systems, and adapted all affected calls
1511 Mike Frysinger provided a patch that supports long long for time_t,
1512 socklen_t and a few other libc types.
1514 Artem Mygaiev extended Cedril Priscals Android build script with pty code
1516 The check for fips.h required stddef.h
1517 Thanks to Matt Hilt for reporting this issue and sending a patch
1519 Check for linux/errqueue.h failed on some systems due to lack of
1520 linux/types.h inclusion. Thanks to Michael Vastola for sending a patch.
1522 autoconf now prefers configure.ac over configure.in
1523 Thanks to Michael Vastola for sending a patch.
1525 type of struct cmsghdr.cmsg is system dependend, determine it with
1526 configure; some more print format corrections
1529 libwrap always logs to syslog
1531 added actual text version of GPLv2
1533 ####################### V 1.7.2.3:
1536 Socat security advisory 5
1537 CVE-2014-0019: socats PROXY-CONNECT address was vulnerable to a buffer
1538 overflow with data from command line (see socat-secadv5.txt)
1539 Credits to Florian Weimer of the Red Hat Product Security Team
1541 ####################### V 1.7.2.2:
1544 Socat security advisory 4
1546 after refusing a client connection due to bad source address or source
1547 port socat shutdown() the socket but did not close() it, resulting in
1548 a file descriptor leak in the listening process, visible with lsof and
1549 possibly resulting in EMFILE Too many open files. This issue could be
1550 misused for a denial of service attack.
1551 Full credits to Catalin Mitrofan for finding and reporting this issue.
1553 ####################### V 1.7.2.1:
1556 Socat security advisory 3
1558 fixed a possible heap buffer overflow in the readline address. This bug
1559 could be exploited when all of the following conditions were met:
1560 1) one of the addresses is READLINE without the noprompt and without the
1562 2) the other (almost arbitrary address) reads malicious data (which is
1563 then transferred by socat to READLINE).
1564 Workaround: when using the READLINE address apply option prompt or
1566 Full credits to Johan Thillemann for finding and reporting this issue.
1568 ####################### V 1.7.2.0:
1571 when UNIX-LISTEN was applied to an existing file it failed as expected
1572 but removed the file. Thanks to Bjoern Bosselmann for reporting this
1575 fixed a bug where socat might crash when connecting to a unix domain
1576 socket using address GOPEN. Thanks to Martin Forssen for bug report and
1579 UDP-LISTEN would alway set SO_REUSEADDR even without fork option and
1580 when user set it to 0. Thanks to Michal Svoboda for reporting this bug.
1582 UNIX-CONNECT did not support half-close. Thanks to Greg Hughes who
1583 pointed me to that bug
1585 TCP-CONNECT with option nonblock reported successful connect even when
1586 it was still pending
1588 address option ioctl-intp failed with "unimplemented type 26". Thanks
1589 to Jeremy W. Sherman for reporting and fixing that bug
1591 socat option -x did not print packet direction, timestamp etc; thanks
1592 to Anthony Sharobaiko for sending a patch
1594 address PTY does not take any parameters but did not report an error
1595 when some were given
1597 Marcus Meissner provided a patch that fixes invalid output and possible
1598 process crash when socat prints info about an unnamed unix domain
1601 Michal Soltys reported the following problem and provided an initial
1602 patch: when socat was interrupted, e.g. by SIGSTOP, and resumed during
1603 data transfer only parts of the data might have been written.
1605 Option o-nonblock in combination with large transfer block sizes
1606 may result in partial writes and/or EAGAIN errors that were not handled
1607 properly but resulted in data loss or process termination.
1609 Fixed a bug that could freeze socat when during assembly of a log
1610 message a signal was handled that also printed a log message. socat
1611 development had been aware that localtime() is not thread safe but had
1612 only expected broken messages, not corrupted stack (glibc 2.11.1,
1615 an internal store for child pids was susceptible to pid reuse which
1616 could lead to sporadic data loss when both fork option and exec address
1617 were used. Thanks to Tetsuya Sodo for reporting this problem and
1620 OpenSSL server failed with "no shared cipher" when using cipher aNULL.
1621 Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
1622 for drawing my attention to this issue.
1624 UDP-LISTEN slept 1s after accepting a connection. This is not required.
1625 Thanks to Peter Valdemar Morch for reporting this issue
1627 fixed a bug that could lead to error or socat crash after a client
1628 connection with option retry had been established
1630 fixed configure.in bug on net/if.h check that caused IF_NAMESIZE to be
1633 improved dev_t print format definition
1636 Cedril Priscal ported socat to Android (using Googles cross compiler).
1637 The port includes the socat_buildscript_for_android.sh script
1639 added check for component ipi_spec_dst in struct in_pktinfo so
1640 compilation does not fail on Cygwin (thanks to Peter Wagemans for
1641 reporting this problem)
1643 build failed on RHEL6 due to presence of fips.h; configure now checks
1644 for fipsld too. Thanks to Andreas Gruenbacher for reporting this
1647 check for netinet6/in6.h only when IPv6 is available and enabled
1649 don't fail to compile when the following defines are missing:
1650 IPV6_PKTINFO IPV6_RTHDR IPV6_DSTOPTS IPV6_HOPOPTS IPV6_HOPLIMIT
1651 Thanks to Jerry Jacobs for reporting this problem (Mac OS X Lion 10.7)
1653 check if define __APPLE_USE_RFC_2292 helps to enable IPV6_* (MacOSX
1654 Lion 7.1); thanks to Jerry Jacobs to reporting this problem and
1655 proposing a solution
1657 fixed compiler warnings on Mac OS X 64bit. Thanks to Guy Harris for
1658 providing the patch.
1660 corrections for OpenEmbedded, especially termios SHIFT values and
1661 ISPEED/OSPEED. Thanks to John Faith for providing the patch
1663 minor corrections to docu and test.sh resulting from local compilation
1666 fixed sa_family_t compile error on DragonFly. Thanks to Tony Young for
1667 reporting this issue and sending a patch.
1669 Ubuntu Oneiric: OpenSSL no longer provides SSLv2 functions; libutil.sh
1670 is now bsd/libutil.h; compiler warns on vars that is only written to
1673 added option max-children that limits the number of concurrent child
1674 processes. Thanks to Sam Liddicott for providing the patch.
1676 Till Maas added support for tun/tap addresses without IP address
1678 added an option openssl-compress that allows to disable the compression
1679 feature of newer OpenSSL versions. Thanks to Michael Hanselmann for
1680 providing this contribution (sponsored by Google Inc.)
1683 minor corrections in docu (thanks to Paggas)
1685 client process -> child process
1687 ####################### V 1.7.1.3:
1690 Socat security advisory 2
1692 fixed a stack overflow vulnerability that occurred when command
1693 line arguments (whole addresses, host names, file names) were longer
1695 Note that this could only be exploited when an attacker was able to
1696 inject data into socat's command line.
1697 Full credits to Felix Gröbert, Google Security Team, for finding and
1698 reporting this issue
1700 ####################### V 1.7.1.2:
1703 user-late and group-late, when applied to a pty, affected the system
1704 device /dev/ptmx instead of the pty (thanks to Matthew Cloke for
1705 pointing me to this bug)
1707 socats openssl addresses failed with "nonblocking operation did not
1708 complete" when the peer performed a renegotiation. Thanks to Benjamin
1709 Delpy for reporting this bug.
1711 info message during socks connect showed bad port number on little
1712 endian systems due to wrong byte order (thanks to Peter M. Galbavy for
1713 bug report and patch)
1715 Debian bug 531078: socat execs children with SIGCHLD ignored; corrected
1716 to default. Thanks to Martin Dorey for reporting this bug.
1719 building socat on systems that predefined the CFLAGS environment to
1720 contain -Wall failed (esp.RedHat). Thanks to Paul Wouters for reporting
1721 this problem and to Simon Matter for providing the patch
1723 support for Solaris 8 and Sun Studio support (thanks to Sebastian
1724 Kayser for providing the patches)
1726 on some 64bit systems a compiler warning "cast from pointer to integer
1727 of different size" was issued on some option definitions
1729 added struct sockaddr_ll to union sockaddr_union to avoid "strict
1730 aliasing" warnings (problem reported by Paul Wouters)
1733 minor corrections in docu
1735 ####################### V 1.7.1.1:
1738 corrected the "fixed possible SIGSEGV" fix because SIGSEGV still might
1739 occur under those conditions. Thanks to Toni Mattila for first
1740 reporting this problem.
1742 ftruncate64 cut its argument to 32 bits on systems with 32 bit long type
1744 socat crashed on systems without setenv() (esp. SunOS up to Solaris 9);
1745 thanks to Todd Stansell for reporting this bug
1747 with unidirectional EXEC and SYSTEM a close() operation was performed
1748 on a random number which could result in hanging e.a.
1750 fixed a compile problem caused by size_t/socklen_t mismatch on 64bit
1753 docu mentioned option so-bindtodev but correct name is so-bindtodevice.
1754 Thanks to Jim Zimmerman for reporting.
1757 added environment variables example to doc/socat-multicast.html
1759 ####################### V 1.7.1.0:
1762 address options shut-none, shut-down, and shut-close allow to control
1763 socat's half close behaviour
1765 with address option shut-null socat sends an empty packet to the peer
1768 option null-eof changes the behaviour of sockets that receive an empty
1769 packet to see EOF instead of ignoring it
1771 introduced option names substuser-early and su-e, currently equivalent
1772 to option substuser (thanks to Mike Perry for providing the patch)
1775 fixed some typos and improved some comments
1777 ####################### V 1.7.0.1:
1780 fixed possible SIGSEGV in listening addresses when a new connection was
1781 reset by peer before the socket addresses could be retrieved. Thanks to
1782 Mike Perry for sending a patch.
1784 fixed a bug, introduced with version 1.7.0.0, that let client
1785 connections with option connect-timeout fail when the connections
1786 succeeded. Thanks to Bruno De Fraine for reporting this bug.
1788 option end-close "did not apply" to addresses PTY, SOCKET-CONNECT,
1789 and most UNIX-* and ABSTRACT-*
1791 half close of EXEC and SYSTEM addresses did not work for pipes and
1792 sometimes socketpair
1794 help displayed for some option a wrong type
1796 under some circumstances shutdown was called multiple times for the
1799 ####################### V 1.7.0.0:
1802 new address types SCTP-CONNECT and SCTP-LISTEN implement SCTP stream
1803 mode for IPv4 and IPv6; new address options sctp-maxseg and
1804 sctp-nodelay (suggested by David A. Madore; thanks to Jonathan Brannan
1805 for providing an initial patch)
1807 new address "INTERFACE" for transparent network interface handling
1808 (suggested by Stuart Nicholson)
1810 added generic socket addresses: SOCKET-CONNECT, SOCKET-LISTEN,
1811 SOCKET-SENDTO, SOCKET-RECVFROM, SOCKET-RECV, SOCKET-DATAGRAM allow
1812 protocol independent socket handling; all parameters are explicitely
1813 specified as numbers or hex data
1815 added address options ioctl-void, ioctl-int, ioctl-intp, ioctl-string,
1816 ioctl-bin for generic ioctl() calls.
1818 added address options setsockopt-int, setsockopt-bin, and
1819 setsockopt-string for generic setsockopt() calls
1821 option so-type now only affects the socket() and socketpair() calls,
1822 not the name resolution. so-type and so-prototype can now be applied to
1823 all socket based addresses.
1825 new address option "escape" allows to break a socat instance even when
1826 raw terminal mode prevents ^C etc. (feature suggested by Guido Trotter)
1828 socat sets environment variables SOCAT_VERSION, SOCAT_PID, SOCAT_PPID
1829 for use in executed scripts
1831 socat sets environment variables SOCAT_SOCKADDR, SOCAT_SOCKPORT,
1832 SOCAT_PEERADDR, SOCAT_PEERPORT in LISTEN type addresses (feature
1833 suggested by Ed Sawicki)
1835 socat receives all ancillary messages with each received packet on
1836 datagram related addresses. The messages are logged in raw form with
1837 debug level, and broken down with info level. note: each type of
1838 ancillary message must be enabled by appropriate address options.
1840 socat provides the contents of ancillary messages received on RECVFROM
1841 addresses in appropriate environment variables:
1842 SOCAT_TIMESTAMP, SOCAT_IP_DSTADDR, SOCAT_IP_IF, SOCAT_IP_LOCADDR,
1843 SOCAT_IP_OPTIONS, SOCAT_IP_TOS, SOCAT_IP_TTL, SOCAT_IPV6_DSTADDR,
1844 SOCAT_IPV6_HOPLIMIT, SOCAT_IPV6_TCLASS
1846 the following address options were added to enable ancillary messages:
1847 so-timestamp, ip-pktinfo (not BSD), ip-recvdstaddr (BSD), ip-recverr,
1848 ip-recvif (BSD), ip-recvopts, ip-recvtos, ip-recvttl, ipv6-recvdstopts,
1849 ipv6-recverr, ipv6-recvhoplimit, ipv6-recvhopopts, ipv6-recvpathmtu,
1850 ipv6-recvpktinfo, ipv6-recvrthdr, ipv6-recvtclass
1852 new address options ipv6-tclass and ipv6-unicast-hops set the related
1855 STREAMS (UNIX System V STREAMS) can be configured with the new address
1856 options i-pop-all and i-push (thanks to Michal Rysavy for providing a
1860 some raw IP and UNIX datagram modes failed on BSD systems
1862 when UDP-LISTEN continued to listen after packet dropped by, e.g.,
1863 range option, the old listen socket would not be closed but a new one
1864 created. open sockets could accumulate.
1866 there was a bug in ip*-recv with bind option: it did not bind, and
1867 with the first received packet an error occurred:
1868 socket_init(): unknown address family 0
1869 test: RAWIP4RECVBIND
1871 RECVFROM addresses with FORK option hung after processing the first
1872 packet. test: UDP4RECVFROM_FORK
1874 corrected a few mistakes that caused compiler warnings on 64bit hosts
1875 (thanks to Jonathan Brannan e.a. for providing a patch)
1877 EXEC and SYSTEM with stderr injected socat messages into the data
1878 stream. test: EXECSTDERRLOG
1880 when the EXEC address got a string with consecutive spaces it created
1881 additional empty arguments (thanks to Olivier Hervieu for reporting
1882 this bug). test: EXECSPACES
1884 in ignoreeof polling mode socat also blocked data transfer in the other
1885 direction during the 1s wait intervalls (thanks to Jorgen Cederlof for
1888 corrected alphabetical order of options (proxy-auth)
1890 some minor corrections
1892 improved test.sh script: more stable timing, corrections for BSD
1894 replaced the select() calls by poll() to cleanly fix the problems with
1895 many file descriptors already open
1897 socat option -lf did not log to file but to stderr
1899 socat did not compile on Solaris when configured without termios
1900 feature (thanks to Pavan Gadi for reporting this bug)
1903 socat compiles and runs on AIX with gcc (thanks to Andi Mather for his
1906 socat compiles and runs on Cygwin (thanks to Jan Just Keijser for his
1909 socat compiles and runs on HP-UX with gcc (thanks to Michal Rysavy for
1912 socat compiles and runs on MacOS X (thanks to Camillo Lugaresi for his
1916 filan -s prefixes output with FD number if more than one FD
1918 Makefile now supports datarootdir (thanks to Camillo Lugaresi for
1919 providing the patch)
1921 cleanup in xio-unix.c
1923 ####################### V 1.6.0.1:
1926 new make target "gitclean"
1928 docu source doc/socat.yo released
1931 exec:...,pty did not kill child process under some circumstances; fixed
1932 by correcting typo in xio-progcall.c (thanks to Ralph Forsythe for
1933 reporting this problem)
1935 service name resolution failed due to byte order mistake
1936 (thanks to James Sainsbury for reporting this problem)
1938 socat would hang when invoked with many file descriptors already opened
1939 fix: replaced FOPEN_MAX with FD_SETSIZE
1940 thanks to Daniel Lucq for reporting this problem.
1942 fixed bugs where sub processes would become zombies because the master
1943 process did not catch SIGCHLD. this affected addresses UDP-LISTEN,
1944 UDP-CONNECT, TCP-CONNECT, OPENSSL, PROXY, UNIX-CONNECT, UNIX-CLIENT,
1945 ABSTRACT-CONNECT, ABSTRACT-CLIENT, SOCKSA, SOCKS4A
1946 (thanks to Fernanda G Weiden for reporting this problem)
1948 fixed a bug where sub processes would become zombies because the master
1949 process caught SIGCHLD but did not wait(). this affected addresses
1950 UDP-RECVFROM, IP-RECVFROM, UNIX-RECVFROM, ABSTRACT-RECVFROM
1951 (thanks to Evan Borgstrom for reporting this problem)
1953 corrected option handling with STDIO; usecase: cool-write
1955 configure --disable-pty also disabled option waitlock
1957 fixed small bugs on systems with struct ip_mreq without struct ip_mreqn
1958 (thanks to Roland Illig for sending a patch)
1960 corrected name of option intervall to interval (old form still valid
1961 for us German speaking guys)
1963 corrected some print statements and variable names
1965 make uninstall did not uninstall procan
1967 fixed lots of weaknesses in test.sh
1969 corrected some bugs and typos in doc/socat.yo, EXAMPLES, C comments
1972 procan -c prints C defines important for socat
1974 added test OPENSSLEOF for OpenSSL half close
1976 ####################### V 1.6.0.0:
1979 new addresses IP-DATAGRAM and UDP-DATAGRAM allow versatile broadcast
1982 new option ip-add-membership for control of multicast group membership
1984 new address TUN for generation of Linux TUN/TAP pseudo network
1985 interfaces (suggested by Mat Caughron); associated options tun-device,
1986 tun-name, tun-type; iff-up, iff-promisc, iff-noarp, iff-no-pi etc.
1988 new addresses ABSTRACT-CONNECT, ABSTRACT-LISTEN, ABSTRACT-SENDTO,
1989 ABSTRACT-RECV, and ABSTRACT-RECVFROM for abstract UNIX domain addresses
1990 on Linux (requested by Zeeshan Ali); option unix-tightsocklen controls
1991 socklen parameter on system calls.
1993 option end-close for control of connection closing allows FD sharing
1996 range option supports form address:mask with IPv4
1998 changed behaviour of OPENSSL-LISTEN to require and verify client
1999 certificate per default
2001 options f-setlkw-rd, f-setlkw-wr, f-setlk-rd, f-setlk-wr allow finer
2002 grained locking on regular files
2004 uninstall target in Makefile (lack reported by Zeeshan Ali)
2007 fixed bug where only first tcpwrap option was applied; fixed bug where
2008 tcpwrap IPv6 check always failed (thanks to Rudolf Cejka for reporting
2009 and fixing this bug)
2011 filan (and socat -D) could hang when a socket was involved
2013 corrected PTYs on HP-UX (and maybe others) using STREAMS (inspired by
2016 correct bind with udp6-listen (thanks to Jan Horak for reporting this
2019 corrected filan.c peekbuff[0] which did not compile with Sun Studio Pro
2020 (thanks to Leo Zhadanovsky for reporting this problem)
2022 corrected problem with read data buffered in OpenSSL layer (thanks to
2023 Jon Nelson for reporting this bug)
2025 corrected problem with option readbytes when input stream stayed idle
2028 fixed a bug where a datagram receiver with option fork could fork two
2029 sub processes per packet
2032 moved documentation to new doc/ subdir
2034 new documents (kind of mini tutorials) are provided in doc/
2036 ####################### V 1.5.0.0:
2039 new datagram modes for udp, rawip, unix domain sockets
2041 socat option -T specifies inactivity timeout
2043 rewrote lexical analysis to allow nested socat calls
2045 addresses tcp, udp, tcp-l, udp-l, and rawip now support IPv4 and IPv6
2047 socat options -4, -6 and environment variables SOCAT_DEFAULT_LISTEN_IP,
2048 SOCAT_PREFERRED_RESOLVE_IP for control of protocol selection
2050 addresses ssl, ssl-l, socks, proxy now support IPv4 and IPv6
2052 option protocol-family (pf), esp. for openssl-listen
2054 range option supports IPv6 - syntax: range=[::1/128]
2056 option ipv6-v6only (ipv6only)
2058 new tcp-wrappers options allow-table, deny-table, tcpwrap-etc
2060 FIPS version of OpenSSL can be integrated - initial patch provided by
2061 David Acker. See README.FIPS
2063 support for resolver options res-debug, aaonly, usevc, primary, igntc,
2064 recurse, defnames, stayopen, dnsrch
2066 options for file attributes on advanced filesystems (ext2, ext3,
2067 reiser): secrm, unrm, compr, ext2-sync, immutable, ext2-append, nodump,
2068 ext2-noatime, journal-data etc.
2070 option cool-write controls severeness of write failure (EPIPE,
2075 socat option -lh for hostname in log output
2077 traffic dumping provides packet headers
2079 configure.in became part of distribution
2081 socats unpack directory now has full version, e.g. socat-1.5.0.0/
2083 corrected docu of option verify
2086 fixed tcpwrappers integration - initial fix provided by Rudolf Cejka
2088 exec with pipes,stderr produced error
2090 setuid-early was ignored with many address types
2092 some minor corrections
2094 ####################### V 1.4.3.1:
2097 PROBLEM: UNIX socket listen accepted only one (or a few) connections.
2098 FIX: do not remove listening UNIX socket in child process
2100 PROBLEM: SIGSEGV when TCP part of SSL connect failed
2101 FIX: check ssl pointer before calling SSL_shutdown
2103 In debug mode, show connect client port even when connect fails
2105 ####################### V 1.4.3.0:
2108 socat options -L, -W for application level locking
2110 options "lockfile", "waitlock" for address level locking
2113 option "readbytes" limits read length (Adam Osuchowski)
2115 option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)
2117 pty symlink, unix listen socket, and named pipe are per default removed
2118 after use; option unlink-close overrides this new behaviour and also
2119 controls removal of other socat generated files (Stefan Luethje)
2122 option "retry" did not work with tcp-listen
2124 EPIPE condition could result in a 100% CPU loop
2127 support systems without SHUT_RD etc.
2128 handle more size_t types
2129 try to find makedepend options with gcc 3 (richard/OpenMacNews)
2131 ####################### V 1.4.2.0:
2134 option "connect-timeout" limits wait time for connect operations
2135 (requested by Giulio Orsero)
2137 option "dhparam" for explicit Diffie-Hellman parameter file
2140 support for OpenSSL DSA certificates (Miika Komu)
2142 create install directories before copying files (Miika Komu)
2144 when exiting on signal, return status 128+signum instead of 1
2146 on EPIPE and ECONNRESET, only issue a warning (Santiago Garcia
2149 -lu could cause a core dump on long messages
2152 modifications to simplify using socats features in applications
2154 ####################### V 1.4.1.0:
2157 option "wait-slave" blocks open of pty master side until a client
2158 connects, "pty-intervall" controls polling
2160 option -h as synonym to -? for help (contributed by Christian
2163 filan prints formatted time stamps and rdev (disable with -r)
2165 redirect filan's output, so stdout is not affected (contributed by
2168 filan option -L to follow symbolic links
2170 filan shows termios control characters
2173 proxy address no longer performs unsolicited retries
2175 filan -f no longer needs read permission to analyze a file (but still
2176 needs access permission to directory, of course)
2180 FreeBSD options noopt, nopush, md5sig
2181 OpenBSD options sack-disable, signature-enable
2182 HP-UX, Solaris options abort-threshold, conn-abort-threshold
2183 HP-UX options b900, b3600, b7200
2184 Tru64/OSF1 options keepinit, paws, sackena, tsoptena
2186 further corrections:
2187 address pty now uses ptmx as default if openpty is also available
2189 ####################### V 1.4.0.3:
2192 Socat security advisory 1
2194 fix to a syslog() based format string vulnerability that can lead to
2195 remote code execution. See advisory socat-adv-1.txt
2197 ####################### V 1.4.0.2:
2200 exec'd write-only addresses get a chance to flush before being killed
2202 error handler: print notice on error-exit
2204 filan printed wrong file type information
2206 ####################### V 1.4.0.1:
2209 socks4a constructed invalid header. Problem found, reported, and fixed
2210 by Thomas Themel, by Peter Palfrader, and by rik
2212 with nofork, don't forget to apply some process related options
2213 (chroot, setsid, setpgid, ...)
2215 ####################### V 1.4.0.0:
2218 simple openssl server (ssl-l), experimental openssl trust
2220 new options "cafile", "capath", "key", "cert", "egd", and "pseudo" for
2223 new options "retry", "forever", and "intervall"
2225 option "fork" for address TCP improves `gender changer´
2227 options "sigint", "sigquit", and "sighup" control passing of signals to
2228 sub process (thanks to David Shea who contributed to this issue)
2230 readline takes respect to the prompt issued by the peer address
2232 options "prompt" and "noprompt" allow to override readline's new
2235 readline supports invisible password with option "noecho"
2237 socat option -lp allows to set hostname in log output
2239 socat option -lu turns on microsecond resolution in log output
2243 before reading available data, check if writing on other channel is
2246 tcp6, udp6: support hostname specification (not only IP address), and
2247 map IP4 names to IP6 addresses
2249 openssl client checks server certificate per default
2251 support unidirectional communication with exec/system subprocess
2253 try to restore original terminal settings when terminating
2255 test.sh uses tmp dir /tmp/$USER/$$ instead of /tmp/$$
2257 socks4 failed on platforms where long does not have 32 bits
2258 (thanks to Peter Palfrader and Thomas Seyrat)
2260 hstrerror substitute wrote wrong messages (HP-UX, Solaris)
2262 proxy error message was truncated when answer contained multiple spaces
2266 compiles with AIX xlc, HP-UX cc, Tru64 cc (but might not link)
2268 ####################### V 1.3.2.2:
2271 PROXY CONNECT failed when the status reply from the proxy server
2272 contained more than one consecutive spaces. Problem reported by
2273 Alexandre Bezroutchko
2275 do not SIGSEGV when proxy address fails to resolve server name
2277 udp-listen failed on systems where AF_INET != SOCK_DGRAM (e.g. SunOS).
2278 Problem reported by Christoph Schittel
2280 test.sh only tests available features
2282 added missing IP and TCP options in filan analyzer
2284 do not apply stdio address options to both directions when in
2287 on systems lacking /dev/*random and egd, provide (weak) entropy from
2292 changes for HP-UX (VREPRINT, h_NETDB_INTERNAL)
2294 compiles on True64, FreeBSD (again), NetBSD, OpenBSD
2296 support for long long as st_ino type (Cygwin 1.5)
2298 compile on systems where pty can not be featured
2300 ####################### V 1.3.2.1:
2303 "final" solution for the ENOCHLD problem
2305 corrected "make strip"
2307 default gcc debug/opt is "-O" again
2309 check for /proc at runtime, even if configure found it
2311 src.rpm accidently supported SuSE instead of RedHat
2313 ####################### V 1.3.2.0:
2316 option "nofork" connects an exec'd script or program directly
2317 to the file descriptors of the other address, circumventing the socat
2320 support for files >2GB, using ftruncate64(), lseek64(), stat64()
2322 filan has new "simple" output style (filan -s)
2326 options "binary" and "text" for controlling line termination on Cygwin
2327 file system access (hint from Yang Wu-Zhou)
2329 fix by Yang Wu-Zhou for the Cygwin "No Children" problem
2331 improved support for OSR: _SVID3; no IS_SOCK, no F_GETOWN (thanks to
2334 minor corrections to avoid warnings with gcc 3
2337 further corrections and minor improvements:
2338 configure script is generated with autoconf 2.57 (no longer 2.52)
2340 configure passes CFLAGS to Makefile
2342 option -??? for complete list of address options and their short forms
2344 program name in syslog messages is derived from argv[0]
2346 SIGHUP now prints notice instead of error
2348 EIO during read of pty now gives Notice instead of Error, and
2351 use of hstrerror() for printing resolver error messages
2353 setgrent() got required endgrent()
2355 ####################### V 1.3.1.0:
2358 integration of Wietse Venema's tcpwrapper library (libwrap)
2360 with "proxy" address, option "resolve" controls if hostname or IP
2361 address is sent in request
2363 option "lowport" establishes limited authorization for TCP and UDP
2366 improvement of .spec file for RPM creation (thanks to Gerd v. Egidy)
2367 An accompanying change in the numbering scheme results in an
2368 incompatibility with earlier socat RPMs!
2371 solved problems and bugs:
2372 PROBLEM: socat daemon terminated when the address of a connecting
2373 client did not match range option value instead of continue listening
2374 SOLVED: in this case, print warning instead of error to keep daemon
2377 PROBLEM: tcp-listen with fork sometimes left excessive number of zombie
2379 SOLVED: dont assume that each exiting child process generates SIGCHLD
2381 when converting CRNL to CR, socat converted to NL
2384 further corrections:
2385 configure script now disables features that depend on missing files
2386 making it more robust in "unsupported" environments
2388 server.pem permissions corrected to 600
2390 "make install" now does not strip; use "make strip; make install"
2391 if you like strip (suggested by Peter Bray)
2393 ####################### V 1.3.0.1:
2395 solved problems and bugs:
2396 PROBLEM: OPENSSL did not apply tcp, ip, and socket options
2397 SOLVED: OPENSSL now correctly handles the options list
2399 PROBLEM: CRNL to NL and CRNL to CR conversions failed when CRNL crossed
2401 SOLVED: these conversions now simply strip all CR's or NL's from input
2406 SunOS ptys now work on x86, too (thanks to Peter Bray)
2408 configure looks for freeware libs in /pkgs/lib/ (thanks to Peter Bray)
2411 further corrections:
2412 added WITH_PROXY value to -V output
2414 added compile dependencies of WITH_PTY and WITH_PROXY
2416 -?? did not print option group of proxy options
2418 corrected syntax for bind option in docu
2420 corrected an issue with stdio in unidirectional mode
2422 options socksport and proxyport support service names
2424 ftp.sh script supports proxy address
2426 man page no longer installed with execute permissions (thanks to Peter
2429 fixed a malloc call bug that could cause SIGSEGV or false "out of
2430 memory" errors on EXEC and SYSTEM, depending on program name length and
2433 ####################### V 1.3.0.0:
2436 proxy connect with optional proxy authentication
2438 combined hex and text dump mode, credits to Gregory Margo
2440 address pty applies options user, group, and perm to device
2443 solved problems and bugs:
2444 PROBLEM: option reuseport was not applied (BSD, AIX)
2445 SOLVED: option reuseport now in phase PASTSOCKET instead of PREBIND,
2446 credits to Jean-Baptiste Marchand
2448 PROBLEM: ignoreeof with stdio was ignored
2449 SOLVED: ignoreeof now works correctly with address stdio
2451 PROBLEM: ftp.sh did not use user supplied password
2452 SOLVED: ftp.sh now correctly passes password from command line
2454 PROBLEM: server.pem had expired
2455 SOLVED: new server.pem valid for ten years
2457 PROBLEM: socks notice printed wrong port on some platforms
2458 SOLVED: socks now uses correct byte-order for port number in notice
2461 further corrections:
2462 option name o_trunc corrected to o-trunc
2464 combined use of -u and -U is now detected and prevented
2466 made message system a little more robust against format string attacks
2469 ####################### V 1.2.0.0:
2472 address pty for putting socat behind a new pseudo terminal that may
2473 fake a serial line, modem etc.
2475 experimental openssl integration
2476 (it does not provide any trust between the peers because is does not
2477 check certificates!)
2479 options flock-ex, flock-ex-nb, flock-sh, flock-sh-nb to control all
2480 locking mechanism provided by flock()
2482 options setsid and setpgid now available with all address types
2484 option ctty (controlling terminal) now available for all TERMIOS
2487 option truncate (a hybrid of open(.., O_TRUNC) and ftruncate()) is
2488 replaced by options o-trunc and ftruncate=offset
2490 option sourceport now available with TCP and UDP listen addresses to
2491 restrict incoming client connections
2493 unidirectional mode right-to-left (-U)
2496 solved problems and bugs:
2497 PROBLEM: addresses without required parameters but an option containing
2498 a '/' were incorrectly interpreted as implicit GOPEN address
2499 SOLVED: if an address does not have ':' separator but contains '/',
2500 check if the slash is before the first ',' before assuming
2505 ptys under SunOS work now due to use of stream options
2508 further corrections:
2509 with -d -d -d -d -D, don't print debug info during file analysis
2512 ####################### V 1.1.0.1:
2515 .spec file for RPM generation
2518 solved problems and bugs:
2519 PROBLEM: GOPEN on socket did not apply option unlink-late
2520 SOLUTION: GOPEN for socket now applies group NAMED, phase PASTOPEN
2523 PROBLEM: with unidirectional mode, an unnecessary close timeout was
2525 SOLUTION: in unidirectional mode, terminate without wait time
2527 PROBLEM: using GOPEN on a unix domain socket failed for datagram
2529 SOLUTION: when connect() fails with EPROTOTYPE, use a datagram socket
2532 further corrections:
2534 open() flag options had names starting with "o_", now corrected to "o-"
2536 in docu, *-listen addresses were called *_listen
2538 address unix now called unix-connect because it does not handle unix
2541 in test.sh, apply global command line options with all tests
2544 ####################### V 1.1.0.0:
2547 regular man page and html doc - thanks to kromJx for prototype
2549 new address type "readline", utilizing GNU readline and history libs
2551 address option "history-file" for readline
2553 new option "dash" to "exec" address that allows to start login shells
2555 syslog facility can be set per command line option
2557 new address option "tcp-quickack", found in Linux 2.4
2559 option -g prevents option group checking
2561 filan and procan can print usage
2563 procan prints rlimit infos
2566 solved problems and bugs:
2567 PROBLEM: raw IP socket SIGSEGV'ed when it had been shut down.
2568 SOLVED: set eof flag of channel on shutdown.
2570 PROBLEM: if channel 2 uses a single non-socket FD in bidirectional mode
2571 and has data available while channel 1 reaches EOF, the data is
2573 SOLVED: during one loop run, first handle all data transfers and
2574 _afterwards_ handle EOF.
2576 PROBLEM: despite to option NONBLOCK, the connect() call blocked
2577 SOLVED: option NONBLOCK is now applied in phase FD instead of LATE
2579 PROBLEM: UNLINK options issued error when file did not exist,
2581 SOLVED: failure of unlink() is only warning if errno==ENOENT
2583 PROBLEM: TCP6-LISTEN required numeric port specification
2584 SOLVED: now uses common TCP service resolver
2586 PROBLEM: with PIPE, wrong FDs were shown for data transfer loop
2587 SOLVED: retrieval of FDs now pays respect to PIPE pecularities
2589 PROBLEM: using address EXEC against an address with IGNOREEOF, socat
2591 SOLVED: corrected EOF handling of sigchld
2595 MacOS and old AIX versions now have pty
2597 flock() now available on Linux (configure check was wrong)
2599 named pipe were generated using mknod(), which requires root under BSD
2600 now they are generated using mkfifo
2603 further corrections:
2604 lots of address options that were "forgotten" at runtime are now
2607 option BINDTODEVICE now also called SO-BINDTODEVICE, IF
2609 "make install" now installs binaries with ownership 0:0
2612 ####################### V 1.0.4.2:
2614 solved problems and bugs:
2615 PROBLEM: EOF of one stream caused close of other stream, giving it no
2616 chance to go down regularly
2617 SOLVED: EOF of one stream now causes shutdown of write part of other
2620 PROBLEM: sending mail via socks address to qmail showed that crlf
2621 option does not work
2622 SOLVED: socks address applies PH_LATE options
2624 PROBLEM: in debug mode, no info about socat and platform was issued
2625 SOLVED: print socat version and uname output in debug mode
2627 PROBLEM: invoking socat with -t and no following parameters caused
2629 SOLVED: -t and -b now check next argv entry
2631 PROBLEM: when opening of logfile (-lf) failed, no error was reported
2632 and no further messages were printed
2633 SOLVED: check result of fopen and print error message if it failed
2636 address type UDP-LISTEN now supports option fork: it internally applies
2637 socket option SO_REUSEADDR so a new UDP socket can bind to port after
2638 `accepting´ a connection (child processes might live forever though)
2639 (suggestion from Damjan Lango)
2642 ####################### V 1.0.4.1:
2644 solved problems and bugs:
2645 PROB: assert in libc caused an endless recursion
2646 SOLVED: no longer catch SIGABRT
2648 PROB: socat printed wrong verbose prefix for "right to left" packets
2649 SOLVED: new parameter for xiotransfer() passes correct prefix
2652 in debug mode, socat prints its command line arguments
2653 in verbose mode, escape special characters and replace unprintables
2654 with '.'. Patch from Adrian Thurston.
2657 ####################### V 1.0.4.0:
2659 solved problems and bugs:
2660 Debug output for lstat and fstat said "stat"
2662 further corrections:
2663 FreeBSD now includes libutil.h
2666 option setsid with exec/pty
2667 option setpgid with exec/pty
2668 option ctty with exec/pty
2670 gettimeofday in sycls.c (no use yet)
2673 before Gethostbyname, invoke inet_aton for MacOSX
2676 ####################### V 1.0.3.0:
2678 solved problems and bugs:
2680 PROB: test 9 of test.sh (echo via file) failed on some platforms,
2681 socat exited without error message
2682 SOLVED: _xioopen_named_early(): preset statbuf.st_mode with 0
2684 PROB: test 17 hung forever
2685 REASON: child death before select loop did not result in EOF
2686 SOLVED: check of existence of children before starting select loop
2688 PROB: test 17 failed
2689 REASON: child dead triggered EOF before last data was read
2690 SOLVED: after child death, read last data before setting EOF
2692 PROB: filan showed that exec processes incorrectly had fd3 open
2693 REASON: inherited open fd3 from main process
2694 SOLVED: set CLOEXEC flag on pty fd in main process
2696 PROB: help printed "undef" instead of group "FORK"
2697 SOLVED: added "FORK" to group name array
2699 PROB: fatal messages did not include severity classifier
2700 SOLVED: added "F" to severity classifier array
2702 PROB: IP6 addresses where printed incorrectly
2703 SOLVED: removed type casts to unsigned short *
2705 further corrections:
2706 socat catches illegal -l modes
2707 corrected error message on setsockopt(linger)
2708 option tabdly is of type uint
2709 correction for UDP over IP6
2710 more cpp conditionals, esp. for IP6 situations
2711 better handling of group NAMED options with listening UNIX sockets
2712 applyopts2 now includes last given phase
2713 corrected option group handling for most address types
2714 introduce dropping of unappliable options (dropopts, dropopts2)
2715 gopen now accepts socket and unix-socket options
2716 exec and system now accept all socket and termios options
2717 child process for exec and system addresses with option pty
2718 improved descriptions and options for EXAMPLES
2719 printf format for file mode changed to "0%03o" with length spec.
2720 added va_end() in branch of msg()
2721 changed phase of lock options from PASTOPEN to FD
2722 support up to four early dying processes
2725 xiosysincludes now includes sysincludes.h for non xio files
2730 TYPE_DOUBLE, u_double
2732 added getsid(), setsid(), send() to sycls
2733 procan prints sid (session id)
2734 mail.sh gets -f (from) option
2735 new EXAMPLEs for file creation
2736 gatherinfo.sh now tells about failures
2737 test.sh can check for much more address/option combinations
2740 ispeed, ospeed for termios on FreeBSD
2741 getpgid() conditional for MacOS 10
2742 added ranlib in Makefile.in for MacOS 10
2743 disable pty option if no pty mechanism is available (MacOS 10)
2744 now compiles and runs on MacOS 10 (still some tests fail)
2745 setgroups() conditional for cygwin
2746 sighandler_t defined conditionally
2747 use gcc option -D_GNU_SOURCE