| blob | 7a34381b969879236d0f8a5e925908651bd2704b |
1
2 ####################### V 1.8.0.1:
4 Corrections:
5 When no IP version was preferred by environment, option -4/-6, or
6 address option pf, Socat version 1.8.0.0 address TCP-LISTEN did not
7 accept TCP4 connections under BSD family operating systems, but only
8 TCP6. To regain previous behaviour, preferring IP version 4 is now the
9 default. This also fixes some other issues with bind and range options.
10 Thanks to Mike Andrews for reporting this issue.
11 Tests: LISTEN_4 LISTEN_6 V1800_*_RANGE V1800_*_BIND
13 Added Socat option -0 to allow version 1.8.0.0 behaviour (no preferred
14 IP version).
16 UDP-SENDTO, UDPLITE-SENDTO, and IP-SENDTO addresses now select an IPv4
17 address in case the server name resolves to both IPv4 and IPv6
18 addresses.
19 Tests: V1800_*_SENDTO_RESOLV_6_4
21 Guard applyopts_termios_value() with WITH_TERMIOS.
22 Thanks to Kush Upadhyay from Amazon Bottlerocket team for providing the
23 patch.
25 In some situations xioclose() was called nested what could cause hanging
26 of OpenSSL in pthread_rwlock_wrlock()
28 socat 1.8.0.0 with addresses of type RECVFROM and option fork, where
29 the second address failed to connect/open in the child process, entered
30 a fork loop that was only stopped by FD exhaustion caused by FD leak.
31 Test: RECVFROM_FORK_LOOP
33 socat 1.8.0.0 had an FD leak with addresses of type RECVFROM with fork.
34 Test: RECVFROM_FORK_LEAK
36 With version 1.8.0.0, options ipv6-join-group and ipv6-join-source-group
37 did not work.
38 Thanks to Linus Luessing for reporting this bug.
40 IP-SENDTO and option pf (protocol-family) with protocol name (vs.numeric
41 argument) failed with message:
42 E retropts_int(): trailing garbage in numerical arg of option "protocol-family"
43 Test: IP_SENDTO_PF
45 Fixed a possible buffer overrun with long log lines. In fact it does
46 not write beyond end of buffer but lets pass excessive data to the
47 write() function.
48 Thanks to Heinrich Schuchardt from Canonical for reporting and sending
49 a patch.
51 Reworked domain name resolution, centralized IPv4/IPv6 sorting.
53 Print warning about not checking CRLs in OpenSSL only in the first
54 child process.
56 Features:
57 Total inactivity timeout option -T 0 now means 0.0 seconds; up to
58 version 1.8.0.0 it meant no total inactivity timeout.
60 Changed socat-chain.sh, socat-mux.sh, and socat-broker.sh to work with
61 older Socat versions.
63 socat-mux.sh and socat-broker.sh, when run as root, now internally use
64 low (512..1023) UDP ports to increase security.
66 Added option ai-all (sets AI_ALL flag of getaddrinfo() resolver)
68 Socks5 now also allows syntax without socks port, and supports option
69 socksport.
71 Porting:
72 Changes for building and testing on NetBSD
74 New Linux distributions dislike egrep, fgrep
76 When NETDB_INTERNAL is not available it should be set to -1.
77 Thanks to Baruch Siach for sending a patch.
79 On OpenSolaris/Illumos, isastream() is declared only in stropts.h, not
80 in sys/stropts.h
81 Thanks to Andy Fiddaman for sending a patch.
83 On latest Illumos, compilation failed due to new unexpected SO_PROTOCOL
84 implementation.
85 Thanks to Andy Fiddaman for sending a patch.
87 Building:
88 Makefile.in: procan.o build requires srcdir prefix for explicit source
89 file.
90 Thanks to Hongxu Jia and Andrew Schoolman for providing patches.
92 Makefile.in: the CC define for procan.o build failed when CC had more
93 than one word.
94 Thanks to Hongxu Jia for providing an inital patch.
96 Testing:
97 Added the optional DEVTESTS feature for developer tests with controlled
98 name resolution to both IPv4 and IPV6 addresses: configure Socat with
99 --enable-devtests, this provides internal resolution of domain
100 dest-unreach.net with host names: localhost-4, localhost-6,
101 localhost-4-6, and localhost-6-4
103 test.sh: lots of corrections and improvements
105 test.sh: many hardcoded sleep values were replaced by much shorter
106 values tuned to performance of the platform.
108 test.sh -D for output of platform/system specific defines (variables)
110 test.sh: fixed ss determination; more DEFS
112 Documentation:
113 Fixed a lot of typos.
114 Thanks to Solomon Victorino for sending the patch.
116 ####################### V 1.8.0.0:
118 Security:
119 Socats OpenSSL addresses do not (and never did) check certificate
120 revocation lists (CRLs). Socat now prints a warning about this.
122 Features:
123 Added the --experimental option that enables use of features that might
124 change in the future.
126 Now warning messages are printed by default. If you want to see only
127 errors and fatals as in previous versions, use option -d0;
128 option -d4 is equivalent to -dddd and to -d -d -d -d
129 The number of warnings has been reduced, e.g.removing a non existing
130 file does in most cases no longer log a warning.
132 Added address type internal SOCKETPAIR. This is similar to the unnamed
133 PIPE address (only for internal echoing) but it provides datagram mode
134 (the default) and thus keeps packet boundaries.
135 Tests: SOCKETPAIR_STREAM SOCKETPAIR_DATAGRAM SOCKETPAIR_SEQPACKET
136 SOCKETPAIR_BOUNDARIES
138 New option -S <mask> controls catching and logging of signals that are
139 not internally used by Socat.
140 Tests: SIGTERM_NOLOG SIG31_LOG
142 Added option ipv6-join-source-group.
143 Thanks to Martin Buck and David Schweizer for sending patches.
145 Added option http-version to PROXY-CONNECT address to support servers
146 that are not able to handle HTTP version 1.0
147 Test: PROXY_HTTPVERSION
148 Feature inspired by Robin Palotai.
150 New options openssl-maxfraglen and openssl-maxsendfrag for
151 functions/macros SSL_CTX_set_tlsext_max_fragment_length() and
152 SSL_CTX_set_max_send_fragment().
153 Thanks to James Tavares for his contribution.
155 Added Info log of resulting OpenSSL max fragment length.
157 Implemented options rcvtimeo and sndtimeo, the first of which may be
158 useful to prevent endlessly hanging DTLS connection etablishment.
159 Test: RCVTIMEO_DTLS
160 Feature proposed by Vladimir Nikishkin.
162 The file names with -r and -R now may contain environment variable
163 references.
164 Test: VARS_IN_SNIFFPATH
166 Socat option --statistics logs final byte and packet counter values
167 before exit. Signal USR1 logs actual values.
168 Tests: OPTION_STATISTICS SIGUSR1_STATISTICS
170 Added option sitout-eio to specify a timerange in which EIO on the pty
171 of a sub process is tolerated.
172 Red Hat issue 1853102 related.
173 Thanks to Jonathan Casiot for sending an initial patch.
175 Socat now installs as socat1 and is referenced by symbolic link socat,
176 same with man page (socat1.1 by socat.1)
178 New option children-shutup[=1|2...] decreases severity of log
179 messages in LISTEN and CONNECT type sub processes.
180 Test: CHILDREN_SHUTUP
182 New option retrieve-vlan for supporting VLANs in INTERFACE addresses:
183 Linux normally keeps VLAN tags in outgoing raw packets, but appears to
184 strip them from incoming packets and makes them available in
185 PACKET_AUXDATA ancillary messages only.
186 Up do version 1.7.4.5 Socat did not handle this situation, so the VLAN
187 tags where effectively stripped off incoming packets.
188 With this option Socat restores the VLAN tag.
189 Feature inspired by Zhao Dong.
191 Socket option SO_REUSEADDR is now automatically applied to TCP LISTEN
192 addresses. reuseaddr= restores the old behaviour.
193 Tests: TCP4_REUSEADDR OPENSSL_6_REUSEADDR REUSEADDR_NULL
195 TCP based client addresses now try all results of name resolution until
196 a connection attempt succeeded.
197 Tests: TRY_ADDRS_4 TRY_ADDRS_4_6
198 Feature recommended by Anand Buddhdev.
200 configure option --enable-default-ipv allows to specify at build time if
201 IPv4, IPv6, or none of these is the preferred default; this is related
202 to environment variables SOCAT_PREFERRED_RESOLVE_IP and
203 SOCAT_DEFAULT_LISTEN_IP, and to Socat option -4, -6.
204 Furthermore, mechanism of IPv4 vs.IPv6 selection has been reworked.
205 When no IP version is preferred by these mechanism, passive Socat
206 addresses (LISTEN, RECV, RECVFROM) default to IPv6 because it might
207 support both versions (but checkout option ipv6-v6only).
208 For client addresses, when one of these mechanisms applies and name
209 resolution gives addresses of both IP versions, the addresses of the
210 preferred versions are tried first.
212 New option ai-addrconfig sets or unsets the AI_ADDRCONFIG flag of the
213 resolver to prevent name resolution to address families that are not
214 available in the network configuration. Default value is 1 in case the
215 resolver does not get an address family hint.
217 Flag AI_PASSIVE is now automatically applied for LISTEN, RECV, and
218 RECVFROM type addresses, and with bind option. In addition to its
219 application to the getaddrinfo() function, when this flag is set while
220 no IP version is preferred by build, environment, option, or address
221 type, Socat chooses IPv6 because this might activate both versions (but
222 check option ipv6-v6only).
223 Added option ai-passive to control this flag explicitely.
225 New option ai-v4mapped (v4mapped) sets or unsets the AI_V4MAPPED flag
226 of the resolver. For Socat addresses requiring IPv6 addresses, this
227 resolves IPv4 addresses to the approriate IPv6 address [::ffff:*:*].
229 DNS resolver Options (res-*) are now set for the complete open phase of
230 the address, not per getaddrinfo() invocation.
232 Added the netns option that tries to open an address in the given
233 network namespace.
234 Tests: NETNS NETNS_EXEC
236 New address ACCEPT-FD (ACCEPT) expects a listening file descriptor
237 passed from parent, and accepts one or more connections for data
238 transfer. This can be used with "inetd mode" of systemd.
239 Test: ACCEPT_FD
241 Added experimental socks5 TCP client support (connect,bind); syntax:
242 SOCKS5-CONNECT:<socks-server>:<socks-port>:<target-host>:<target-port>
243 SOCKS5-LISTEN:<socks-server>:<socks-port>:<listen-host>:<listen-port>
244 Thanks to Charlie Svensson and others for contributions.
246 New address types POSIXMQ-RECEIVE, POSIXMQ-READ, POSIXMQ-SEND, and
247 POSIXMQ-BIDIRECTIONAL (Linux only, experimental), and option
248 posixmq-priority
249 Tests: LINUX_POSIXMQ_READ_PRIO LINUX_POSIXMQ_RECV_FORK
250 LINUX_POSIXMQ_RECV_MAXCHILDREN LINUX_POSIXMQ_SEND_MAXCHILDREN
252 New address SHELL invokes a shell but without the overhead of SYSTEM
254 Added options res-retrans and res-retry that make use of undocumented
255 resolver variables to set the retransmission time interval resp.the
256 number of times to retransmit.
257 Disable them and the old res-* opts with: ./configure --disable-resolve
259 Added option res-nsaddr that overrides /etc/resolv.conf nameserver
260 address based on an undocumented resolver feature.
262 New option chdir changes the working directory of the address to the
263 given path, only during the open stage.
264 Tests: CHDIR_ON_CREATE CHDIR_ON_SYSTEM
266 Option umask now applies only during opening of its very address, not
267 for the lifetime of the process; the original umask is restored
268 afterwards.
269 Tests: UMASK_ON_CREATE UMASK_ON_SYSTEM
271 Added option unix-bind-tempname (bind-tempname) to allow UNIX (and
272 ABSTRACT) client addresses to bind to unique addresses even when
273 invoked in forked off sub processes.
274 Tests: UNIX_LISTEN_CONNECT_BIND_TEMPNAME UNIX_LISTEN_CLIENT_BIND_TEMPNAME
275 UNIX_RECVFROM_CLIENT_BIND_TEMPNAME UNIX_RECVFROM_SENDTO_BIND_TEMPNAME
276 ABSTRACT_LISTEN_CONNECT_BIND_TEMPNAME ABSTRACT_LISTEN_CLIENT_BIND_TEMPNAME
277 ABSTRACT_RECVFROM_CLIENT_BIND_TEMPNAME ABSTRACT_RECVFROM_SENDTO_BIND_TEMPNAME
278 Thanks to Kai Lüke for sending an initial patch.
280 New option f-setpipe-sz (pipesz) sets the pipe size on systems that
281 provide ioctl F_SETIPE_SZ.
282 Filan prints the current value.
283 Tests: STDIN_F_SETPIPE_SZ EXEC_F_SETPIPE_SZ
285 Bidirectional PIPE addresses may block on writing a data chunk larger
286 than pipe buffer. Socat now tries to detect if transfer block size is
287 large enough and issues a warning.
289 Added direct support of DCCP protocol, new addresses:
290 DCCP-CONNECT (DCCP)
291 DCCP-LISTEN (DCCP-L)
292 DCCP4-CONNECT (DCCP4)
293 DCCP4-LISTEN (DCCP4-L)
294 DCCP6-CONNECT (DCCP6)
295 DCCP6-LISTEN (DCCP6-L)
296 New option: dccp-set-ccid (ccid)
298 Support for UDP-Lite protocol, new addresses:
299 UDPLITE-CONNECT
300 UDPLITE-LISTEN
301 UDPLITE-DATAGRAM
302 UDPLITE-RECV
303 UDPLITE-RECVFROM
304 UDPLITE-SENDTO
305 All these are also available in UDPLITE4-* and UDPLITE6-* form;
306 options udplite-recv-cscov and udplite-send-cscov.
308 Procan now prints info about CC and __STDC_VERSION__, about FD_SETSIZE,
309 value of SO_PROTOCOL/SO_PROTOTYPE and some other defines, definitions
310 of many C types, and the actual umask.
312 Procan tries to find the name of the controlling terminal, on Linux it
313 reads info from /proc/self/stat and searches for a device with matching
314 major and minor numbers.
316 Added socat-chain.sh that makes it possible to stack protocols, e.g. to
317 drive socks through TLS, or to use TLS over a serial line.
318 Tests: SOCAT_CHAIN_SOCKS4 SOCAT_CHAIN_SSL_PTY
320 Added script socat-mux.sh that performs n-to-1 / 1-to-n communications
321 using two Socat instances with multicasting.
322 Tests: SOCAT_MUX
324 Corrections:
325 When a sub process (EXEC, SYSTEM) terminated with exit code other than
326 0, its last sent data might have been lost depending on timing of read/
327 write and SIGCHLD in Socat.
328 Now the SIGCHLD handler does not simply terminate Socat in this case,
329 but remembers the failure and allows further processing.
330 Thanks to Luke Jones for reporting this issue.
332 Now catching the case of empty SNI host to prevent OpenSSL error.
333 This is related to Red Hat issue 2081414.
335 Better formatted help output; address keywords in help output are now
336 printed in uppercase.
338 In previous Socat versions errors EPIPE and ECONNRESET on read() were
339 handled at warning level, thus not automatically leading to termination
340 with exit code 1. Beginning with this release these conditions are
341 handled as errors with termination and exit code 1 to not pretend
342 success on possible data loss.
343 Problem reported by Scott Burkett.
345 In previous Socat versions errors on shutdown() were ignored (info
346 level).
347 Now Socat handles EPIPE and ECONNRESET as errors to indicate possible
348 failure of data transfer.
350 INTERFACE addresses did not accept options of INTERFACE group (for
351 historical reasons they were only available with TUN addresses).
353 Opening addresses did not check if they support all directions expected
354 by Socat. Now an error is printed when, e.g,, a read-only type address
355 is opened for writing.
357 A lot of minor corrections, e.g., catch readline() errors in filan,
358 detect byte order in procan
359 Test: EXEC_SIGINT
361 OpenSSL cipherlist option did not override global openssl.cnf settings.
362 Now SSL_CTX_set_cipher_list() is called before
363 SSL_CTX_use_certificate_chain_file().
364 Thanks to Hiroshi Sakurai for reporting the problem and suggesting this
365 solution.
367 Fixed option sourceport with UDP6-DATAGRAM.
369 Some client addresses (e.g. TCP-CONNECT) take the fork option for
370 automatically spawning new connections, however the max-children option
371 was not applied.
373 Fixed the end-close option, it just did not work.
375 In configure.ac was a direct call to gcc instead of $CC which broke
376 cross compiling.
377 Thanks to Fergus Dall for sending a patch.
379 Coding:
380 Introduced groups_t instead of uint32_t, for more flexibility.
382 Rearranged option group bits to only require 32 bits on older systems.
384 Make gcc happy, replace strncat with "manual" copying
386 On addresses like UDP-RECVFROM with fork option every packet causes a
387 new child process which then reads the packet. The parent process must
388 wait until the packet has been read before checking again. The former
389 synchronization mechanism using SIGUSR1 is now replaced by a
390 socketpair. SIGUSR1 is no longer used for internal synchronization.
391 Tests: UDP4_FORK UDP6_FORK UNIX_FORK
393 Renamed xioopts_t to xioparms_t to avoid confusion with xioopts module.
395 Moved multicast related code from xioopts.c to xio-ip.c and xio-ip6.c
397 Pointers of type struct single are now always called sfd.
399 Porting:
400 Removed Config/ because its contents have not been maintained for many
401 years.
403 Try to not receive outgoing packets on raw (PF_PACKET) sockets - use
404 PACKET_IGNORE_OUTGOING socket options when available.
405 Test: INTERFACE_IGNOREOUTGOING
407 Renewed port to OpenBSD:
408 Guard OPENSSL_INIT_SETTINGS; and minor changes.
410 Thanks to Paul Hunt for sending a fix of the configure
411 --enable-openssl-base processing.
413 Enable direct largefile support on "smaller" systems per
414 _FILE_OFFSET_BITS and _LARGE_FILES.
415 Thanks to Fergus Dall for sending a patch.
417 Some corrections for better 32bit systems support.
419 Testing:
420 Removed obselete parts from test.sh
422 test.sh: Introduced function checkcond
424 Renamed test.sh option -foreign to -internet
426 Documentation:
427 Removed obselete file doc/xio.help
429 Added doc for option ipv6-join-group (ipv6-add-membership)
430 Thanks to Martin Buck for sending the patch.
432 Renamed xiogetpacketsrc() to xiogetancillary()
434 On bad parameter number now print syntax.
436 ####################### V 1.7.4.5 (not released):
438 Corrections:
439 On connect() failure and in some other situations Socat tries to get
440 detailled information about the error with recvmsg(). Error return of
441 this function is now logged as Info instead of Warn.
443 Tests of the correction of the "IP_ADD_SOURCE_MEMBERSHIP but not struct
444 ip_mreq_source" issue left an #undef in xiosysincludes.h that disabled
445 the ip-add-source-membership option.
446 Thanks to Benjamin Poirier for sending a patch.
448 Fixed a bug in dalan module that caused SIGSEGV in, e.g.,
449 SOCKET-LISTEN:1:1:'"/tmp/sock"'
450 Test: DALAN_NO_SIGSEGV
452 The retry option with some address types (TCP) did not close() the
453 sockets after failed attempts, resulting in an FD leak.
455 Filan: Corrected some syntax error messages
457 Filan: Fixed a bug introduced in 1.7.4.4 that broke displaying
458 TCP/UDP on options -s, -S
459 Test: FILAN_SHORT_TCP
461 Filan: If IP protocol type cannot be retrieved, display at least the
462 socket type
464 Filan: Fixed diag_set() call in filan_main.c, bug popped up with C23.
465 Thanks to Cristian Rodríguez from openSUSE for reporting this issue.
467 Querying the vsock Context Identifier (CID) requires an FD from opening
468 /dev/vsock.
469 Thanks to Volker Simonis for sending a patch.
471 Fixed an internal FD leak in the EXEC,SYSTEM addresses.
473 The FDs of the socketpair that queues messages from signal handlers
474 lacked FD_CLOEXEC and thus leaked into EXEC and SYSTEM child processes.
476 Option stderr on addresses EXEC and SYSTEM uses a temporary FD. It
477 lacked the FD_CLOEXEC setting and thus leakt into child processes.
479 Restoring of STDIO tty settings failed on Solaris type operating
480 systems.
481 Thanks to Gordon W.Ross for reporting and fixing this issue.
482 Test: RESTORE_TTY
484 The OpenSSL client SNI parameter, when not explicitely specified, is
485 derived from option commonname or rom target server name. This is not
486 useful with IP addresses, which Socat now checks and avoids.
488 Socat options -L and -W create lock files using mkstemp(), so they had
489 permissions 600. There does not seem to be a good reason for this
490 restrictive mode. Furthermore Silla Rizzoli experienced that Minicom
491 ignores lock files with mode 600, so it is set to 644 now.
493 Procan tries to find out VSOCK CID only when running as root
495 The mechanism for deferring logs from signal handlers had an issue that
496 caused lots of unwanted recvfrom() calls.
498 Do not try to remove abstract UNIX socket entries after use.
500 Features:
501 VSOCK, VSOCK-L support options pf, socktype, prototype (currently
502 useless)
504 Coding:
505 New Environment variable SOCAT_TRANSFER_WAIT that Socat sleep before
506 starting the data transfer loop. Useful, e.g., to accumulate multiple
507 packets in a receiving datagram socket before starting to process them.
509 "//" comments were used for disabling experimental code. These lines
510 have now been removed or disabled in other ways to make Socat compile
511 with C89/C90 standard again.
513 fcntl() trace prints flags now in hexadecimal.
515 Stream dump options -r and -R now open their pathes with CLOEXEC to
516 prevent leaking into sub processes.
517 Test: EXEC_SNIFF
519 Stream dump write now warn on write errors and partial writes (but
520 still do not recover).
522 Removed trailing white space from *.h and *.c files.
524 Porting:
525 Small correction in configure.ac makes Socat C99 able.
526 Thanks to Florian Weimer from Red Hat for providing a patch.
528 Documentation:
529 Syntax and semantics of some options (esp.unlink-close) were not clear.
530 Thanks to Anthony Chavez for reporting this and making suggestions.
532 socat-tun.html described TCP as tunnel medium but this does not keep
533 packet boundaries. Changed to UDP.
535 Added examples for DCCP client and server.
537 Complex Socat examples are now displayed in two or three lines for
538 better overview.
539 dest-unreach.css stylesheet has been improved to support this.
541 Testing:
542 Idea: EXEC,SYSTEM addresses can keep packet boundaries when option
543 socktype=<val-of-SOCK_DGRAM>
544 Tests: EXECSOCKETPAIRPACKETS SYSTEMSOCKETPAIRPACKETS
546 Cosmetic corrections of EXEC,SYSTEM tests.
548 test.sh: Added option --expect-fail to specify comma separated list of
549 test numbers whose failure shall not cause a failure of the whole
550 script.
552 test.sh: Added help text
554 Speeded up wait loops; more addresses in upper case; more tests with
555 command printing ($VERBOSE)
557 test.sh: Check if ports are free before using them for tests
559 Test EXEC_FDS checks with Filan if EXEC address only passes stdio FDs.
561 Improved template; prepared namesFAIL, -d (DEBUG)
563 ####################### V 1.7.4.4:
565 Corrections:
566 In error.c msg2() there was a stack overflow on long messages: The
567 terminating \0 Byte was written behind the last position.
568 Thanks to Martin Liška for sending the address sanitizer report.
570 UDP-RECVFROM with fork sometimes terminated when multiple packets
571 arrived. This issue was introduced with a bug fix in version 1.7.4.0.
572 Reason was not handling EAGAIN on recvmsg().
573 Thanks to Jamie McQuillan for reporting this issue.
575 Address TCP with options connect-timeout and retry terminated
576 immediately when a connection attempt failed on network error or
577 connection refused.
578 Test: TCP_TIMEOUT_RETRY
579 Thanks to Kamil Holubicki for reporting this issue.
581 There were a couple of weaknesses and errors when accessing invalid or
582 incompatible file system entries with UNIX domain, file, and generic
583 addresses.
584 For example, UNIX-CONNECT, when using a non matching socktype, failed
585 with -1 and did not print an error message, instead of printing an
586 error message and exiting with rc=1.
587 Thanks to Paul Wise for reporting and analyzing the case of accessing
588 a left over socket entry with GOPEN.
590 The rawer option failed because it tried to clear CREAD.
591 Test: RAWER
593 UDP-SEND and UPD-SENDTO with option lowport always bound to port 1
594 instead of a free port in range 640..1023
595 Test: UDP_LOWPORT
597 Fixed bad parser error message on "socat /tmp/x\"x/x -"
599 Tightened syntax checks to detect numerical arguments that are missing
600 or have trailing garbage.
601 Test: INTEGER_GARBAGE
603 ctype(3) functions need there arguments to be unsigned char.
604 Thanks to Taylor R Campbell for sending a patch.
606 Filan library uses Socats diag/error message system and therefore had
607 always the signal handler messages socket pair open. This fix avoids
608 this socketpair in standalone Filan.
610 Corrected printf format for type socklen_t in two places.
612 Porting:
613 OpenSSL, at least 1.1 on Ubuntu, crashed with SIGSEGV under certain
614 conditions: client connection to server with certificate with empty
615 subject, and pressing ^C after successful connect.
616 This crash is now prevented by setting OPENSSL_INIT_NO_ATEXIT.
617 Thanks to Martin Dorey for reporting and analyzing this issue, and for
618 providing an environment for reproduction.
620 Socat failed to compile on platforms that have
621 IP_ADD_SOURCE_MEMBERSHIP but not struct ip_mreq_source
622 Thanks to Justin Yackoski for sending a patch.
624 configure.ac's detection of getprotobynumber_r() variant did not
625 recognize if this function does not exist, e.g. on Musl libc.
626 Thanks to Alexander Kanavin and Baruch Siach for sending patches.
628 Corrected message format when no strftime() is available; improved
629 handling of very long host or program names
631 Solaris requires that termios options are always applied to the slave
632 side of PTY.
634 Fixed ancillary messages on Solaris.
636 Filan: Solaris has the open file path infos in /proc/<pid>/path/
637 Thanks to Andy Fiddaman for directing me to the patch.
639 Filan now recognizes and prints Solaris doors and event ports.
641 Solaris derivatives no longer need librt for clock_gettime()
642 Thanks to Andy Fiddaman for directing me to the patch.
644 LibreSSL does not have OPENSSL_INIT_new(). This function is now
645 guarded. Socat might build with LibreSSL.
646 Thanks to Orbea for reporting and helping.
648 Building:
649 Failure during building documentation, e.g. due to missing Yodl
650 packages, now does not let the build process fail.
651 Feature requested by Seyhun.
653 Features:
654 Filan prints target of symlink when appropriate
655 Test: FILANSYMLINK
657 VSOCK-LISTEN now generates environment variables SOCAT_PEERADDR,
658 SOCAT_PEERPORT, SOCAT_SOCKADDR, SOCAT_SOCKPORT
659 New address aliases VSOCK, VSOCK-L
661 Documentation:
662 Fixed typo in doc/socat-tun.html and link in README.
663 Thanks to William Suthers for reporting.
665 Fixed hard coded path in docu examples.
666 Thanks to Jakub Wilk for sending a patch.
668 Updated doc/socat-openssltunnel.html: 2048 bits, commonname
670 Testing:
671 Unset SOCAT_MAIN_WAIT on informational Socat calls
673 SOCAT=socat used ./socat instead of the version derived by $PATH
675 Do not try VSOCK_ECHO test when feature is not compiled in.
677 Fixed logging of test 220 TUNINTERFACE
679 Musl libc refuses to execve() shell scripts, 2 tests needed to be
680 adapted.
682 Musl libc has FOPEN_MAX=1000 which made bash dumping core on test
683 EXCEED_FOPEN_MAX.
685 Added tests for failures of UNIX socket and GOPEN accesses to non
686 matching file system entries.
687 Tests:
688 CONNECT_TO_MISSING CONNECT_TO_DENIED CONNECT_TO_DIRECTORY
689 CONNECT_TO_ORPHANED CONNECT_TO_FILE CONNECT_TO_DGRAM
690 CONNECT_TO_SEQPACKET SEND_TO_MISSING SEND_TO_DENIED SEND_TO_DIRECTORY
691 SEND_TO_ORPHANED SEND_TO_FILE SEND_TO_STREAM SEND_TO_SEQPACKET
692 SENDTO_TO_MISSING SENDTO_TO_DENIED SENDTO_TO_DIRECTORY
693 SENDTO_TO_ORPHANED SENDTO_TO_FILE SENDTO_TO_STREAM SENDTO_TO_SEQPACKET
694 SEQPACKET_TO_MISSING SEQPACKET_TO_DENIED SEQPACKET_TO_DIRECTORY
695 SEQPACKET_TO_ORPHANED SEQPACKET_TO_FILE SEQPACKET_TO_STREAM
696 SEQPACKET_TO_DGRAM UNIX_TO_MISSING UNIX_TO_DENIED UNIX_TO_DIRECTORY
697 UNIX_TO_FILE UNIX_TO_ORPHANED GOPEN_TO_DENIED GOPEN_TO_DIRECTORY
698 GOPEN_TO_ORPHANED
700 On RHEL-9 SCTP support requires installation of package
701 kernel-modules-extra. test.sh now detects when SCTP is missing in
702 kernel and reacts with warnings instead of errors.
704 VSOCK loopback still does not seem to work even in kernel 5.13, so just
705 issue warning on "No such device".
707 ####################### V 1.7.4.3:
709 Corrections:
710 Socat crashed with SIGSEGV when peer presented a certificate without
711 (or empty?) subject.
712 Thanks to Martin Dorey for reporting this issue and sending a patch.
714 Socat 1.7.4.2 did not compile on OmniOS (and probably other OpenSolaris
715 distributions)
716 Thanks to Andy Fiddaman for sending a patch.
718 Socat since 1.7.4.0 did not compile on Solaris and its derivatives
719 because the getprotobynumber_r() function prototype differ from the
720 Linux version.
721 configure now checks for the variant.
722 Thanks to Robert Zybeck for reporting this issue.
724 The variable for the no-sni option was not initialized and could thus
725 break OpenSSL certificate verification. E.g., test OPENSSL_SNI on some
726 platform succeeded with -g but failed with -O compiler option.
727 Thanks to valgrind for quickly finding the cause.
729 Porting:
730 Again porting Socat to AIX (7.1) - Fixed configure and compile issues:
731 Adapted include requirements for IPv6
732 Guarded MSG_DONTWAIT
734 Continued porting Socat to AIX-7.1 - Fixed some runtime errors:
735 UNIX domain sockets of type SEQPACKET are not available.
736 Connecting to UNIX datagram socket fails with EPROTONOSUPPORT (vs.
737 EPROTOTYPE on most other OSes).
738 Streams: Must not push ldterm when it is already active (hangs).
740 Building:
741 Socats build date and time may now be set externally with environment
742 variable SOURCE_DATE_EPOCH.
743 Thanks to Viktor Kleinik for sending a patch.
745 Building Socat in a sub directory failed.
746 Now the following works even for the docu parts:
747 mkdir -p myos; cd myos; ../configure && make; cd ..
748 Thanks to Jon Ringle for sending a patch.
750 Testing:
751 test.sh: many corrections for AIX's older shell utilities, e.g.sleep(1)
752 does not allow fractions of seconds, grep does not understand '\<';
753 OpenIndiana/SunOS netstat format;
754 many more functional and cosmetic code corrections.
756 Documentation:
757 The socktype option was documented unspecifically as type option.
758 Thanks to Jonas Metzger for the hint.
760 ####################### V 1.7.4.2:
762 Corrections:
763 The per address parameters for OpenSSL overlapped in memory with socket
764 parameters. Magically this did not seem to cause problems except on
765 MacOS Catalina that reported errors like:
766 socat[3458] E Select(7, &0x80, NULL, NULL, {140392884396544.000000}):
767 Invalid argument
768 Test: OPENSSL_PARA_OVERLAP
769 Thanks to Ryo Ota for reporting this bug.
771 Fixed a few minor coding issues
773 A VSOCK warning message was generated with all listening addresses
774 instead of only with VSOCK-LISTEN
776 When an OPENSSL-CONNECT client presented a certificate with IPv6
777 subject alternate name and the OPENSSL-LISTEN server had no commonname
778 option, the server crashed with SIGSEGV in xioip6_pton().
779 Test: OPENSSL_CLIENT_IP6_CN
780 Red Hat bug 1981308
781 Thanks to Vlad Slepukhin for reporting this issue and providing a patch
783 Corrected a typo in configure.ac that broke option --enable-openssl-base
784 Thanks to john1doe for reporting this issue.
786 Socat looped endlessly, not responding to SIGTERM, when a service name
787 (for port) could not be resolved.
788 Test: BAD_SERVICE
790 Using options of NAMED group, e.g.chown, with abstract UNIX domain
791 sockets, produced errors because the function was applied with a normal
792 file system related call, e.g.chown(), using file "" (empty name). Instead of
793 chown(), Socat now uses fchown() on the file descriptor. However, such
794 a call usually has no real effect.
795 Test: ABSTRACT_USER
796 Thanks to Andreas Fink for reporting this issue.
798 Option -R did not only dump ("sniff") right-to-left, but also
799 left-to-right traffic to the given file.
800 Test: SNIFF_RIGHT_TO_LEFT
801 Thanks to 1314 gsf for reporting this bug and sending a patch.
803 Options -r and -R, when opening a named pipe that has no actual reader,
804 failed with "No such device or address". To solve this problem, Socat
805 now opens the pipe in rw-Mode.
806 Thanks to Cody J.Soultz for sending a patch.
808 The call "socat -r - PIPE" traced to file ./- instead of issuing a
809 syntax error.
811 Print a message when readbytes option causes EOF
813 The ip-recverr option had no effect. Corrected and improved its
814 handling of ancilliary messages, so it is able to analyze ICMP error
815 packets (Linux only?)
817 Setgui(), Setuid() calls in xio-progcall.c were useless.
819 Testing:
820 Prevent the TIMESTAMP tests from sporadically failing due do seconds
821 overflow
823 Fixed in test.sh a few issues reported by shellcheck
825 Documentation:
826 Added missing docu of OpenSSL options min-proto-version,
827 max-proto-version.
829 Added missing closing parenthesis in socat.yo.
830 Thanks to Emanuele Torre for reporting this issue.
832 Corrected more typos and added missing bug info to CHANGES, performed
833 some non functional corrections.
835 Porting:
836 Corrected building when clock_gettime() not available, with or without
837 gettimeofday().
839 ####################### V 1.7.4.1:
841 Corrections:
842 Socat 1.7.4.0 failed to compile especially on 32 bit systems.
843 Thanks to Wang Mingyu and others for sending a patch or reporting this
844 issue.
846 Under certain conditions OpenSSL stream connections, in particular bulk
847 data transfer in unidirectional mode, failed during transfer or near
848 its with Connection reset by peer on receiver side.
849 This happened with Socat versions 1.7.3.3 to 1.7.4.0. Reasons were
850 lazy SSL shutdown handling on the sender side in combination with
851 SSL_MODE_AUTO_RETRY turned off.
852 Fix: After SSH_shutdown but before socket shutdown call SSL_read()
853 Test: OPENSSL_STREAM_TO_SERVER
854 Fixes Red Hat issue 1870279.
856 ####################### V 1.7.4.0:
858 Security:
859 Buffer size option (-b) is internally doubled for CR-CRLF conversion,
860 but not checked for integer overflow. This could lead to heap based
861 buffer overflow, assuming the attacker could provide this parameter.
862 Test: BLKSIZE_INT_OVERFL
863 Thanks to Lê Hiếu Bùi for reporting this issue and sending an
864 example exploit.
866 Corrections:
867 Socats address parser read over end of string when there were unbalanced
868 quotes
869 Test: UNBALANCED_QUOTE
871 Removed unused usleep() call from sycls.c
873 Unsetenv() was conditional in sysutils.c but not in xio-openssl.c thus
874 building failed on Solaris 9.
875 Thanks to Greg Earle for reporting this issue and providing a patch.
877 Mitigated race condition of quickly terminating SYSTEM or EXEC child
878 processes.
880 Option o-direct might require alignment of read/write buffer to, e.g.,
881 512 bytes, Socat now takes care of this when allocating the buffer.
882 With this fix read() succeeds, however, write() still might fail when
883 not writing complete pages.
884 Test: O_DIRECT
886 There was a race condition in the way Socat UDP-RECVFROM and similar
887 addresses with option fork prevents one packet from triggering
888 multiple processes. The symptom was that Socat master process seemed to
889 hang and did not process further packets. The fix makes use of
890 pselect() system call.
891 Thanks to Fulvio Scapin for reporting this issue.
893 UNIX domain client addresses applied file system entry options (group
894 NAMED) to the server socket instead of the client (bind) socket entry.
895 Tests: UNIX_SENDTO_UNLINK UNIX_CONNECT_UNLINK
896 Thanks to Nico Williams for reporting this major issue.
898 Length of single address options was limited to 511 bytes. This value
899 is now increased to 2047 bytes.
900 Change suggested by Mario Camou.
902 Addresses of type RECVFROM with option fork looped with an error
903 message in case that the second address failed before consuming the
904 packet. The fix makes RECVFROM drop the packet when the second address
905 failed before reading it. Use retry or forever option with the second
906 address if you want to avoid data loss.
907 Fixes Red Hat bug 1907718
908 Thanks to Chunmei Xu for reporting this issue and proving the patch.
910 Socats DTLS implementation has been reworked and appears to work now
911 reasonably over UDP.
912 New addresses: OPENSSL-DTLS-SERVER (DTLS-L),
913 OPENSSL-DTLS-CLIENT (DTLS)
914 Tests: OPENSSL_DTLS_CLIENT OPENSSL_DTLS_SERVER
915 OPENSSL_METHOD_DTLS1 OPENSSL_METHOD_DTLS1.2
916 Thanks to Brandon Carpenter, Qing Wan, and Pavel Nakonechnyi for
917 sending patches.
919 filan did not output the socket protocol.
920 filan -s assumed each stream socket to be TCP and each datagram socket
921 to be UDP. Now it uses SO_PROTOCOL and getprotoent() for correct output.
923 Help text showed two parameters for UDP4-RECVFROM address, but only
924 <port> is allowed.
925 Thanks to John the Scott for reporting this issue.
927 Error messages from SSL_read() and SSL_write() sometimes stated
928 SSL_connect instead of originating function name.
930 Fixed some more non functional minor issues.
932 Porting:
933 In gcc version 10 the default changed from -fcommon to -fno-common.
934 Consequently, linking filan and procan failed with error
935 "multiple definition of `deny_severity'" and `allow_severity'
936 Fixed by removing definitions in filan.c and procan.c
937 Debian issue 957823
938 Thanks to László Böszörményi and others for reporting this issue.
940 Solaris 9 does not provide strndup(); added substitute code.
941 Thanks to Greg Earle for providing a patch.
943 Added configure option --enable-openssl-base to specify the location of
944 a non-OS OpenSSL installation
946 There are systems whose kernel understands SCTP but getaddrinfo does
947 not. As workaround after EIA_SOCKTYPE on name and service resolution
948 fall back to ai_socktype=0; if it fails with EAI_SERVICE, set
949 ai_protocol=0 and try again
950 Test: SCTP_SERVICENAME
952 Per file filesystem options were still named ext2-* and depended on
953 <linux/ext2_fs.h>. Now they are called fs-* and depend on <linux/fs.h>.
954 These fs-* options are also available on old systems with ext2_fs.h
956 New options openssl-min-proto-version (min-version) and
957 openssl-max-proto-version (max-version) give access to the related
958 OpenSSL set-macros and substitute deprecated version-specific methods.
959 Test: OPENSSL_MIN_VERSION
961 With OpenSSL use OPENSSL_init_SSL when available, instead of deprecated
962 SSL_library_init.
964 With OPENSSL_API_COMPAT=0x10000000L the files openssl/dh.h, openssl/bn.h
965 must explicitely be included.
966 Thanks to Rosen Penev for reporting and sending a patch.
968 Testing:
969 test.sh now produces a list of tests that could not be performed for
970 any reason. This helps to analyse these cases.
972 OpenSSL s_server appearently started to neglect TCPs half close feature.
973 Test OPENSSL_TCP4 has been changed to tolerate this.
975 OpenSSL changed its behaviour when connection is rejected. Tests
976 OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and
977 OPENSSL_CN_SERVER_SECURITY now tolerate this.
979 OpenSSL no longer allows explicit renegotiation with TLSv1.3, thus the
980 appropriate tests failed.
981 Fix: use TLSv1.2 for renegotiation tests
982 Tests: OPENSSLRENEG1 OPENSSLRENEG2
984 Ubuntu 20.04 requires 2048 bit certificates with OpenSSL
986 Archlinux 2020 has not which command; its ip,ss commands have modified
987 version strings
989 More testing issues solved:
990 * ss to pipe might omit column separator
991 * UDP6MULTICAST_UNIDIR fails on newer Linux kernels
992 * do not use sort -V
993 * renamed testaddrs() to testfeats(), and introduced new testaddrs()
995 New features:
996 GOPEN and UNIX-CLIENT addresses now support sockets of type SEQPACKET.
997 Test: GOPENUNIXSEQPACKET
998 Feature suggested by vi0oss.
1000 The generic setsockopt-int and related options are, in case of
1001 listening/accepting addresses, applied to the connected socket(s). To enable
1002 setting options on the listening socket, a new option setsockopt-listen
1003 has been implemented. See the documentation for info on data types.
1004 Tests: SETSOCKOPT SETSOCKOPT_LISTEN
1005 Thanks to Steven Danna and Korian Edeline for reporting this issue.
1007 Filan option -S gives short description like -s but with improved
1008 format
1010 Socat OpenSSL client, when server was specified using IP address, did
1011 not verify connection on certificates SubjectAltName IP entries.
1012 Tests: OPENSSL_SERVERALTAUTH OPENSSL_SERVERALTIP4AUTH OPENSSL_SERVERALTIP6AUTH
1013 Fixes Red Hat bug 1805132
1015 Added options -r and -R for raw dump of transferred data to files.
1016 Test: OPTION_RAW_DUMP
1018 Added option ip-transparent (socket option IP_TRANSPARENT)
1019 Thanks to Wang Shanker for sending a patch.
1021 OPENSSL-CONNECT now automatically uses the SNI feature, option
1022 openssl-no-sni turns it off. Option openssl-snihost overrides the value
1023 of option openssl-commonname or the server name.
1024 Tests: OPENSSL_SNI OPENSSL_NO_SNI
1025 Thanks to Travis Burtrum for providing the initial patch
1027 New option accept-timeout (listen-timeout)
1028 Test: ACCEPTTIMEOUT
1029 Proposed by Roland
1031 New option ip-add-source-membership
1032 Feature inspired by Brian (b f31415)
1034 INCOMPATIBLE CHANGE: Address UDP-DATAGRAM now does not check peerport
1035 of replies, as it did up to version 1.7.3.4. Use option sourceport when
1036 you need the old behaviour.
1037 Test: UDP_DATAGRAM_SOURCEPORT
1038 Feature inspired by Hans Bueckler for SSDP inquiry (for UPnP)
1040 New option proxy-authorization-file reads PROXY-CONNECT credentials
1041 from file and makes it possible to hide this data from the process
1042 table.
1043 Test: PROXYAUTHFILE
1044 Thanks to Charles Stephens for sending an initial patch.
1046 Added AF_VSOCK support with VSOCK-CONNECT and VSOCK-LISTEN addresses.
1047 Developed by Stefano Garzarella.
1049 Coding:
1050 Added printf formats for uint16_t etc.
1052 Documentation:
1053 Address UDP-RECV does not support option fork.
1054 Thanks to Fulvio Scapin for reporting that mistake in docu.
1056 TUN address documentation showed TCP for backend which may merge
1057 consecutive packets which causes data loss.
1058 Thanks to Tomasz Lakota for reporting this issue.
1060 ####################### V 1.7.3.4:
1062 Corrections:
1063 Header of xiotermios_speed() declared parameter unsigned int instead of
1064 speed_t, thus compiling failed on MacOS
1065 Thanks to Joe Strout and others for reporting this bug.
1066 Thanks to Andrew Childs and others for sending a patch.
1068 Under certain circumstances, termios options of the first address were
1069 applied to the second address, resulting in error
1070 "Inappropriate ioctl for device"
1071 This affected version 1.7.3.3 only.
1072 Test: TERMIOS_PH_ALL
1073 Thanks to Ivan J. for reporting this issue.
1075 Socat failed to compile when no poll() system call was found by
1076 configure.
1077 Thanks to Jason White for sending a patch.
1079 Due to use of SSL_CTX_clear_mode() Socat failed to compile on old
1080 systems with, e.g., OpenSSL-0.9.8. Thanks to Simon Matter and Moritz B.
1081 for reporting this problem and sending initial patches.
1083 getaddrinfo() in IP4-SENDTO and IP6-SENDTO addresses failed with
1084 "ai_socktype not supported" when protocol 6 was addressed.
1085 The fix removes the possibility to use service names with SCTP.
1086 Test: IP_SENDTO_6
1087 Thanks to Sören for sending an initial patch.
1089 Under certain circumstances, Socat printed the "socket ... is at EOF"
1090 multiple times.
1091 Test: MULTIPLE_EOF
1093 Newer parts of test.sh used substitutions ${x,,*} or ${x^^*} that are
1094 not implemented in older bash versions.
1096 ####################### V 1.7.3.3:
1098 Corrections:
1099 Makefile.in did not specify dependencies of filan on vsnprintf_r.o
1100 and snprinterr.o
1101 Added definition of FILAN_OBJS
1102 Thanks to Craig Leres, Clayton Shotwell, and Chris Packham for
1103 providing patches.
1105 configure option --enable-msglevel did not work with numbers
1107 The autoconf mechanism for determining SHIFT_OFFSET did not work when
1108 cross compiling.
1109 Thanks to Max Freisinger from Gentoo for sending a patch.
1111 Socat still depended on obsolete gethostbyname() function, thus
1112 compiling with MUSL libc failed.
1113 Problem reported by Kennedy33.
1115 The async signal safe diagnostic system used FDs 3 and 4 internally, so
1116 use of appropriate fdin or fdout led to failures.
1117 Test: DIAG_FDIN
1118 Problem reported by Onur Sentürk.
1120 The socket based mechanism for passing messages and signal information
1121 from signal handler to process could reach and kill the wrong process.
1122 Introduces functions diag_sock_pair(), diag_fork()
1123 Thanks to Darren Zhao for analysing and reporting this problem.
1125 Option ipv6-join-group did not work because it was applied in the wrong
1126 phase
1127 Test: UDP6MULTICAST_UNIDIR
1128 Thanks to Angus Gratton for sending a patch.
1130 Setting ispeed and ospeed failed for some serial devices because the
1131 two settings were applied with two different get/set cycles, Thanks to
1132 Alexandre Fenyo for providing an initial patch.
1133 However, the actual fix is part of a conceptual change of the termios
1134 module that aims for applying all changes in a single tcsetattr call.
1135 Fixes FreeBSD Bug 198441
1137 Termios options TAB0,TAB1,TAB2,TAB3, and XTABS did not have an effect.
1138 Thanks to Alan Walters for reporting this bug.
1140 Substituted cumbersom ISPEED_OFFSET mechanism for cfsetispeed() calls
1142 With TCP6-LISTEN and the other passive IPv6 addresses the range option
1143 just failed: due to a bug in the syntax parser and two more bugs in
1144 the xiocheckrange_ip6() function.
1145 The syntax has now been changed from "[::1/128]" to "[::1]/128"!
1146 Thanks Leah Neukirchen for sending an initial fix.
1148 For name resolution Socat only checked the first character of the host
1149 name to decide if it is an IPv4 address. This was not RFC conform. This
1150 fix removes the possibility for use of IPv4 addresses with IPv6, e.g.
1151 TCP6:127.0.0.1:80
1152 Debian issue 695885
1153 Thanks to Nicolas Fournil for reporting this issue.
1155 Print a useful error message when single character options appear to be
1156 merged in Socat invocation
1157 Test: SOCAT_OPT_HINT
1159 Fixed some docu typos.
1160 Thanks to Travis Wellman, Thomas <tjps636>, Dan Kenigsberg,
1161 Julian Zinn, and Simon Matter
1163 Porting:
1164 OpenSSL functions TLS1_client_method() and similar are
1165 deprecated. Socat now uses recommended TLS_client_method(). The old
1166 functions and dependend option openssl-method can still be
1167 used when configuring socat with --enable-openssl-method
1169 Shell scripts in socat distribution are now headed with:
1170 #! /usr/bin/env bash
1171 to make them better portable to systems without /bin/bash
1172 Thanks to Maya Rashish for sending a patch
1174 RES_AAONLY, RES_PRIMARY are deprecated. You can still enable them with
1175 configure option --enable-res-deprecated.
1177 New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat.
1178 Solution: clear SSL_MODE_AUTO_RETRY when it is set.
1180 Renamed configure.in to configure.ac and set an appropriate symlink for
1181 older environments.
1182 Related Gentoo bug 426262: Warning on configure.in
1183 Thanks to Francesco Turco for reporting that warning.
1185 Fixed new IPv6 range code for platforms without s6_addr32 component.
1187 Testing:
1188 test.sh: Show a warning when phase-1 (insecure phase) of a security
1189 test fails
1191 OpenSSL tests failed on actual Linux distributions. Measures:
1192 Increased key lengths from 768 to 1024 bits
1193 Added test.sh option -C to delete temp certs from prevsious runs
1194 Provide DH-parameter in certificate in PEM
1195 OpenSSL s_server option -verify 0 must be omitted
1196 OpenSSL authentication method aNULL no longer works
1197 Failure of cipher aNULL is not a failure
1198 Failure of methods SSL3 and SSL23 is desired
1200 test.sh depended on ifconfig and netstat utilities which are no longer
1201 availabie in some distributions. test.sh now checks for and prefers
1202 ip and ss.
1203 Thanks to Ruediger Meier for reporting this problem.
1205 More corrections to test.sh:
1206 Language settings could still influence test results
1207 netstat was still required
1208 Suppress usleep deprecated messag
1209 Force use of IPv4 with some certificates
1210 Set timeout for UDPxMAXCHILDREN tests
1212 Git:
1213 Added missing Config/Makefile.DragonFly-2-8-2,
1214 Config/config.DragonFly-2-8-2.h
1215 Removed testcert.conf (to be generated by test.sh)
1217 Cosmetics:
1218 Simplified handling of missing termios defines.
1220 New features:
1221 Permit combined -d options as -dd etc.
1223 porting:
1224 ext2 options are now fs options.
1226 ####################### V 1.7.3.2:
1228 corrections:
1229 SIGSEGV and other signals could lead to a 100% CPU loop
1231 Failing name resolution could lead to SIGSEGV
1232 Thanks to Max for reporting this issue.
1234 Include <stddef.h> for ptrdiff_t
1235 Thanks to Jeroen Roovers for reporting this issue.
1237 Building with --disable-sycls failed due to missing sslcls.h defines
1239 Socat hung when configured with --disable-sycls.
1241 Some minor corrections with includes etc.
1243 Option so-reuseport did not work. Thanks to Some Raghavendra Prabhu
1244 for sending a patch.
1246 Programs invoked with EXEC, nofork, and -u or -U had stdin and stdout
1247 incorrectly assigned
1248 Test: EXEC_NOFORK_UNIDIR
1249 Thanks to David Reiss for reporting this problem.
1251 Socat exited with status 0 even when a program invoked with SYSTEM or
1252 EXEC failed.
1253 Tests: SYSTEM_RC EXEC_RC
1254 Issue reported by Felix Winkelmann.
1256 AddressSanitizer reported a few buffer overflows (false positives).
1257 Nevertheless fixed Socat source.
1258 Issue reported by Hanno Böck.
1260 Socat did not use option ipv6-join-group.
1261 Test: USE_IPV6_JOIN_GROUP
1262 Thanks to Linus Lüssing for sending a patch.
1264 UDP-LISTEN did not honor the max-children option.
1265 Test: UDP4MAXCHILDREN UDP6MAXCHILDREN
1266 Thanks to Leander Berwers for reporting this issue.
1268 Options so-rcvtimeo and so-sndtimeo do not work with poll()/select()
1269 and therefore were useless.
1270 Thanks to Steve Borenstein for reporting this issue.
1272 Option dhparam was documented as dhparams. Added the alias name
1273 dhparams to fix this.
1274 Thanks to Alexander Neumann for sending a patch.
1276 Options shut-down and shut-close did not work.
1277 Thanks to Stefan Schimanski for providing a patch.
1279 There was a bug in printing readline log message caused by a misleading
1280 indentation.
1281 Thanks to Paul Wouters for reporting.
1283 The internal vsnprintf_r function looped or crashed on size parameter
1284 with hexadecimal output.
1286 Ignore exit code of child process when it was killed by master due to
1287 EOF
1289 Corrected byte order on read of IPV6_TCLASS value from ancillary
1290 message
1292 Fixed type of the bool element in options. This had bug caused failures
1293 e.g. of ignoreeof on big-endian systems when bool was not based on int.
1295 On systems with predefined bool type whose size differs from int some
1296 IPv6 and TCP options (per setsockopt()) failed.
1298 Length of integral data in ancillary messages varies (TOS: 1 byte,
1299 TTL: 4 bytes), the old implementation failed for TTL on big-endian
1300 hosts.
1302 Fixed an issue in options processing: TUN and DNS flags had failed on
1303 big-endian systems and the NO- forms had probable never worked.
1305 porting:
1306 Type conflict between int and sig_atomic_t between declaration and
1307 definition of diag_immediate_type and diag_immediate_exit broke
1308 compilation on FreeBSD 10.1 with clang. Thanks to Emanuel Haupt for
1309 reporting this bug.
1311 Socat failed to compile on platforms with OpenSSL without
1312 DTLSv1_client_method or DTLSv1_server_method.
1313 Thanks to Simon Matter for sending a patch.
1315 NuttX OS headers do not provide struct ip, thus socat did not compile.
1316 Made struct ip subject to configure.
1317 Thanks to SP for reporting this issue.
1319 Socat failed to compile with OpenSSL version 1.0.2d where
1320 SSLv3_server_method and SSLv3_client_method are no longer defined.
1321 Thanks to Mischa ter Smitten for reporting this issue and providing
1322 a patch.
1324 configure checked for OpenSSL EC_KEY assuming it is a define but it
1325 is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
1326 Thanks to Andrey Arapov for reporting this bug.
1328 Changes to make socat compile with OpenSSL 1.1.
1329 Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
1330 providing the base patch.
1331 Debian Bug#828550
1333 Make Socat compatible with BoringSSL.
1334 Thanks to Matt Braithwaite for providing a patch.
1336 OpenSSL: Use RAND_status to determine PRNG state
1337 Thanks to Adam Langley for providing a patch
1339 AIX-7 uses an extended O_ACCMODE that does not fit socat's internal
1340 requirements. Thanks to Garrick Trowsdale for providing a patch
1342 LibreSSL support: check for OPENSSL_NO_COMP
1343 Thanks to Bernard Spil for providing a patch
1345 testing:
1346 socks4echo.sh and socks4a-echo.sh hung with new bash with read -n
1348 test.sh: stderr; option -v (verbose); FDOUT_ERROR description
1350 improved proxy.sh - it now also takes hostnames
1352 A few corrections in test.sh
1354 DTLS1 test hangs on some distributions. Test is now only performed
1355 with OpenSSL 1.0.2 or higher.
1357 More corrections to test.sh that reveal a mistake with IPV6_TCLASS
1359 docu:
1360 Corrected source of socat man page to correctly show man references
1361 like socket(2); removed obseolete entries from See Also
1363 Docu and some comments mentioned addresses SSL-LISTEN and SSL-CONNECT
1364 that do not exist (OPENSSL-LISTEN, SSL-L; and OPENNSSL-CONNECT, SSL
1365 are correct).
1366 Thanks to Zhigang Wang for reporting this issue.
1368 Fixed a couple of English spelling and grammar mistakes.
1369 Thanks to Jakub Wild for sending the patches.
1371 NOEXPAND() was not resolved 2 times.
1373 More minor docu corrections
1375 legal:
1376 Added contributors to copyright notices. Suggested by Matt Braithwaite.
1378 ####################### V 1.7.3.1:
1380 security:
1381 Socat security advisory 8
1382 A stack overflow in vulnerability was found that can be triggered when
1383 command line arguments (complete address specifications, host names,
1384 file names) are longer than 512 bytes.
1385 Successful exploitation might allow an attacker to execute arbitrary
1386 code with the privileges of the socat process.
1387 This vulnerability can only be exploited when an attacker is able to
1388 inject data into socat's command line.
1389 A vulnerable scenario would be a CGI script that reads data from clients
1390 and uses (parts of) this data as hostname for a Socat invocation.
1391 Test: NESTEDOVFL
1392 Credits to Takumi Akiyama for finding and reporting this issue.
1394 Socat security advisory 7
1395 MSVR-1499
1396 In the OpenSSL address implementation the hard coded 1024 bit DH p
1397 parameter was not prime. The effective cryptographic strength of a key
1398 exchange using these parameters was weaker than the one one could get by
1399 using a prime p. Moreover, since there is no indication of how these
1400 parameters were chosen, the existence of a trapdoor that makes possible
1401 for an eavesdropper to recover the shared secret from a key exchange
1402 that uses them cannot be ruled out.
1403 Futhermore, 1024bit is not considered sufficiently secure.
1404 Fix: generated a new 2048bit prime.
1405 Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
1406 Research (MSVR) for finding and reporting this issue.
1408 ####################### V 1.7.3.0:
1410 security:
1411 Socat security advisory 6
1412 CVE-2015-1379: Possible DoS with fork
1413 Fixed problems with signal handling caused by use of not async signal
1414 safe functions in signal handlers that could freeze socat, allowing
1415 denial of service attacks.
1416 Many changes in signal handling and the diagnostic messages system were
1417 applied to make the code async signal safe but still provide detailled
1418 logging from signal handlers:
1419 Coded function vsnprintf_r() as async signal safe incomplete substitute
1420 of libc vsnprintf()
1421 Coded function snprinterr() to replace %m in strings with a system error
1422 message
1423 Instead of gettimeofday() use clock_gettime() when available
1424 Pass Diagnostic messages from signal handler per unix socket to the main
1425 program flow
1426 Use sigaction() instead of signal() for better control
1427 Turn off nested signal handler invocations
1428 Thanks to Peter Lobsinger for reporting and explaining this issue.
1430 Red Hat issue 1019975: add TLS host name checks
1431 OpenSSL client checks if the server certificates names in
1432 extensions/subjectAltName/DNS or in subject/commonName match the name
1433 used to connect or the value of the openssl-commonname option.
1434 Test: OPENSSL_CN_CLIENT_SECURITY
1436 OpenSSL server checks if the client certificates names in
1437 extensions/subjectAltNames/DNS or subject/commonName match the value of
1438 the openssl-commonname option when it is used.
1439 Test: OPENSSL_CN_SERVER_SECURITY
1441 Red Hat issue 1019964: socat now uses the system certificate store with
1442 OPENSSL when neither options cafile nor capath are used
1444 Red Hat issue 1019972: needs to specify OpenSSL cipher suites
1445 Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
1446 prevent downgrade attacks
1448 new features:
1449 OpenSSL addresses set couple of environment variables from values in
1450 peer certificate, e.g.:
1451 SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER,
1452 SOCAT_OPENSSL_X509_COMMONNAME,
1453 SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS
1454 Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_*
1456 Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1
1457 Tests: OPENSSL_METHOD_*
1459 Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested
1460 by Andrey Arapov.
1462 Added a new option termios-rawer for ptys.
1463 Thanks to Christian Vogelgsang for pointing me to this requirement
1465 corrections:
1466 Bind with ABSTRACT commands used non-abstract namespace (Linux).
1467 Test: ABSTRACT_BIND
1468 Thanks to Denis Shatov for reporting this bug.
1470 Fixed return value of nestlex()
1472 Option ignoreeof on the right address hung.
1473 Test: IGNOREEOF_REV
1474 Thanks to Franz Fasching for reporting this bug.
1476 Address SYSTEM, when terminating, shut down its parent addresses,
1477 e.g. an SSL connection which the parent assumed to still be active.
1478 Test: SYSTEM_SHUTDOWN
1480 Passive (listening or receiving) addresses with empty port field bound
1481 to a random port instead of terminating with error.
1482 Test: TCP4_NOPORT
1484 configure with some combination of disable options produced config
1485 files that failed to compile due to missing IPPROTO_TCP.
1486 Thanks to Thierry Fournier for report and patch.
1488 fixed a few minor bugs with OpenSSL in configure and with messages
1490 Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime
1491 is required. Thanks to Zhigang Wang for reporting and sending a patch.
1493 Christophe Leroy provided a patch that fixes memory leaks reported by
1494 valgrind
1496 Help for filan -L was bad, is now corrected to:
1497 "follow symbolic links instead of showing their properties"
1499 Address options fdin and fdout were silently ignored when not applicable
1500 due to -u or -U option. Now these combinations are caught as errors.
1501 Test: FDOUT_ERROR
1502 Issue reported by Hendrik.
1504 Added option termios-cfmakeraw that calls cfmakeraw() and is preferred
1505 over option raw which is now obsolote. On SysV systems this call is
1506 simulated by appropriate setting.
1507 Thanks to Youfu Zhang for reporting issue with option raw.
1509 porting:
1510 Socat included <sys/poll.h> instead of POSIX <poll.h>
1511 Thanks to John Spencer for reporting this issue.
1513 Version 1.7.2.4 changed the check for gcc in configure.ac; this
1514 broke cross compiling. The particular check gets reverted.
1515 Thanks to Ross Burton and Danomi Manchego for reporting this issue.
1517 Debian Bug#764251: Set the build timestamp to a deterministic time:
1518 support external BUILD_DATE env var to allow to build reproducable
1519 binaries
1521 Joachim Fenkes provided an new adapted spec file.
1523 Type bool and macros Min and Max are defined by socat which led to
1524 compile errors when they were already provided by build framework.
1525 Thanks to Liyu Liu for providing a patch.
1527 David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h
1528 support and appropriate files in Config/
1530 Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h
1531 on Illumos
1533 Changes for Openindiana: define _XPG4_2, __EXTENSIONS__,
1534 _POSIX_PTHREAD_SEMANTICS; and minor changes
1536 Red Hat issue 1182005: socat 1.7.2.4 build failure missing
1537 linux/errqueue.h
1538 Socat failed to compile on on PPC due to new requirements for
1539 including <linux/errqueue.h> and a weakness in the conditional code.
1540 Thanks to Michel Normand for reporting this issue.
1542 doc:
1543 In the man page the PTY example was badly formatted. Thanks to
1544 J.F.Sebastian for sending a patch.
1546 Added missing CVE ids to security issues in CHANGES
1548 testing:
1549 Do not distribute testcert.conf with socat source but generate it
1550 (and new testcert6.conf) during test.sh run.
1552 ####################### V 1.7.2.4:
1554 corrections:
1555 LISTEN based addresses applied some address options, e.g. so-keepalive,
1556 to the listening file descriptor instead of the connected file
1557 descriptor
1558 Thanks to Ulises Alonso for reporting this bug
1560 make failed after configure with non gcc compiler due to missing
1561 include. Thanks to Horacio Mijail for reporting this problem
1563 configure checked for --disable-rawsocket but printed
1564 --disable-genericsocket in the help text. Thanks to Ben Gardiner for
1565 reporting and patching this bug
1567 In xioshutdown() a wrong branch was chosen after RECVFROM type addresses.
1568 Probably no impact.
1569 Thanks to David Binderman for reporting this issue.
1571 procan could not cleanly format ulimit values longer than 16 decimal
1572 digits. Thanks to Frank Dana for providing a patch that increases field
1573 width to 24 digits.
1575 OPENSSL-CONNECT with bind option failed on some systems, eg.FreeBSD, with
1576 "Invalid argument"
1577 Thanks to Emile den Tex for reporting this bug.
1579 Changed some variable definitions to make gcc -O2 aliasing checker happy
1580 Thanks to Ilya Gordeev for reporting these warnings
1582 On big endian platforms with type long >32bit the range option applied a
1583 bad base address. Thanks to hejia hejia for reporting and fixing this bug.
1585 Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()
1587 Red Hat issue 1022063: out-of-range shifts on net mask bits
1589 Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()
1591 Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()
1592 uses
1594 Red Hat issue 1021958: fixed a bug with faulty buffer/data length
1595 calculation in xio-ascii.c:_xiodump()
1597 Red Hat issue 1021972: fixed a missing NUL termination in return string
1598 of sysutils.c:sockaddr_info() for the AF_UNIX case
1600 fixed some typos and minor issues, including:
1601 Red Hat issue 1021967: formatting error in manual page
1603 UNIX-LISTEN with fork option did not remove the socket file system entry
1604 when exiting. Other file system based passive address types had similar
1605 issues or failed to apply options umask, user e.a.
1606 Thanks to Lorenzo Monti for pointing me to this issue
1608 porting:
1609 Red Hat issue 1020203: configure checks fail with some compilers.
1610 Use case: clang
1612 Performed changes for Fedora release 19
1614 Adapted, improved test.sh script
1616 Red Hat issue 1021429: getgroupent fails with large number of groups;
1617 use getgrouplist() when available instead of sequence of calls to
1618 getgrent()
1620 Red Hat issue 1021948: snprintf API change;
1621 Implemented xio_snprintf() function as wrapper that tries to emulate C99
1622 behaviour on old glibc systems, and adapted all affected calls
1623 appropriately
1625 Mike Frysinger provided a patch that supports long long for time_t,
1626 socklen_t and a few other libc types.
1628 Artem Mygaiev extended Cedril Priscals Android build script with pty code
1630 The check for fips.h required stddef.h
1631 Thanks to Matt Hilt for reporting this issue and sending a patch
1633 Check for linux/errqueue.h failed on some systems due to lack of
1634 linux/types.h inclusion. Thanks to Michael Vastola for sending a patch.
1636 autoconf now prefers configure.ac over configure.in
1637 Thanks to Michael Vastola for sending a patch.
1639 type of struct cmsghdr.cmsg is system dependend, determine it with
1640 configure; some more print format corrections
1642 docu:
1643 libwrap always logs to syslog
1645 added actual text version of GPLv2
1647 ####################### V 1.7.2.3:
1649 security:
1650 Socat security advisory 5
1651 CVE-2014-0019: socats PROXY-CONNECT address was vulnerable to a buffer
1652 overflow with data from command line (see socat-secadv5.txt)
1653 Credits to Florian Weimer of the Red Hat Product Security Team
1655 ####################### V 1.7.2.2:
1657 security:
1658 Socat security advisory 4
1659 CVE-2013-3571:
1660 after refusing a client connection due to bad source address or source
1661 port socat shutdown() the socket but did not close() it, resulting in
1662 a file descriptor leak in the listening process, visible with lsof and
1663 possibly resulting in EMFILE Too many open files. This issue could be
1664 misused for a denial of service attack.
1665 Full credits to Catalin Mitrofan for finding and reporting this issue.
1667 ####################### V 1.7.2.1:
1669 security:
1670 Socat security advisory 3
1671 CVE-2012-0219:
1672 fixed a possible heap buffer overflow in the readline address. This bug
1673 could be exploited when all of the following conditions were met:
1674 1) one of the addresses is READLINE without the noprompt and without the
1675 prompt options.
1676 2) the other (almost arbitrary address) reads malicious data (which is
1677 then transferred by socat to READLINE).
1678 Workaround: when using the READLINE address apply option prompt or
1679 noprompt.
1680 Full credits to Johan Thillemann for finding and reporting this issue.
1682 ####################### V 1.7.2.0:
1684 corrections:
1685 when UNIX-LISTEN was applied to an existing file it failed as expected
1686 but removed the file. Thanks to Bjoern Bosselmann for reporting this
1687 problem
1689 fixed a bug where socat might crash when connecting to a unix domain
1690 socket using address GOPEN. Thanks to Martin Forssen for bug report and
1691 patch.
1693 UDP-LISTEN would alway set SO_REUSEADDR even without fork option and
1694 when user set it to 0. Thanks to Michal Svoboda for reporting this bug.
1696 UNIX-CONNECT did not support half-close. Thanks to Greg Hughes who
1697 pointed me to that bug
1699 TCP-CONNECT with option nonblock reported successful connect even when
1700 it was still pending
1702 address option ioctl-intp failed with "unimplemented type 26". Thanks
1703 to Jeremy W. Sherman for reporting and fixing that bug
1705 socat option -x did not print packet direction, timestamp etc; thanks
1706 to Anthony Sharobaiko for sending a patch
1708 address PTY does not take any parameters but did not report an error
1709 when some were given
1711 Marcus Meissner provided a patch that fixes invalid output and possible
1712 process crash when socat prints info about an unnamed unix domain
1713 socket
1715 Michal Soltys reported the following problem and provided an initial
1716 patch: when socat was interrupted, e.g. by SIGSTOP, and resumed during
1717 data transfer only parts of the data might have been written.
1719 Option o-nonblock in combination with large transfer block sizes
1720 may result in partial writes and/or EAGAIN errors that were not handled
1721 properly but resulted in data loss or process termination.
1723 Fixed a bug that could freeze socat when during assembly of a log
1724 message a signal was handled that also printed a log message. socat
1725 development had been aware that localtime() is not thread safe but had
1726 only expected broken messages, not corrupted stack (glibc 2.11.1,
1727 Ubuntu 10.4)
1729 an internal store for child pids was susceptible to pid reuse which
1730 could lead to sporadic data loss when both fork option and exec address
1731 were used. Thanks to Tetsuya Sodo for reporting this problem and
1732 sending a patch
1734 OpenSSL server failed with "no shared cipher" when using cipher aNULL.
1735 Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
1736 for drawing my attention to this issue.
1738 UDP-LISTEN slept 1s after accepting a connection. This is not required.
1739 Thanks to Peter Valdemar Morch for reporting this issue
1741 fixed a bug that could lead to error or socat crash after a client
1742 connection with option retry had been established
1744 fixed configure.in bug on net/if.h check that caused IF_NAMESIZE to be
1745 undefined
1747 improved dev_t print format definition
1749 porting:
1750 Cedril Priscal ported socat to Android (using Googles cross compiler).
1751 The port includes the socat_buildscript_for_android.sh script
1753 added check for component ipi_spec_dst in struct in_pktinfo so
1754 compilation does not fail on Cygwin (thanks to Peter Wagemans for
1755 reporting this problem)
1757 build failed on RHEL6 due to presence of fips.h; configure now checks
1758 for fipsld too. Thanks to Andreas Gruenbacher for reporting this
1759 problem
1761 check for netinet6/in6.h only when IPv6 is available and enabled
1763 don't fail to compile when the following defines are missing:
1764 IPV6_PKTINFO IPV6_RTHDR IPV6_DSTOPTS IPV6_HOPOPTS IPV6_HOPLIMIT
1765 Thanks to Jerry Jacobs for reporting this problem (Mac OS X Lion 10.7)
1767 check if define __APPLE_USE_RFC_2292 helps to enable IPV6_* (MacOSX
1768 Lion 7.1); thanks to Jerry Jacobs to reporting this problem and
1769 proposing a solution
1771 fixed compiler warnings on Mac OS X 64bit. Thanks to Guy Harris for
1772 providing the patch.
1774 corrections for OpenEmbedded, especially termios SHIFT values and
1775 ISPEED/OSPEED. Thanks to John Faith for providing the patch
1777 minor corrections to docu and test.sh resulting from local compilation
1778 on Openmoko SHR
1780 fixed sa_family_t compile error on DragonFly. Thanks to Tony Young for
1781 reporting this issue and sending a patch.
1783 Ubuntu Oneiric: OpenSSL no longer provides SSLv2 functions; libutil.sh
1784 is now bsd/libutil.h; compiler warns on vars that is only written to
1786 new features:
1787 added option max-children that limits the number of concurrent child
1788 processes. Thanks to Sam Liddicott for providing the patch.
1790 Till Maas added support for tun/tap addresses without IP address
1792 added an option openssl-compress that allows to disable the compression
1793 feature of newer OpenSSL versions. Thanks to Michael Hanselmann for
1794 providing this contribution (sponsored by Google Inc.)
1796 docu:
1797 minor corrections in docu (thanks to Paggas)
1799 client process -> child process
1801 ####################### V 1.7.1.3:
1803 security:
1804 Socat security advisory 2
1805 CVE-2010-2799:
1806 fixed a stack overflow vulnerability that occurred when command
1807 line arguments (whole addresses, host names, file names) were longer
1808 than 512 bytes.
1809 Note that this could only be exploited when an attacker was able to
1810 inject data into socat's command line.
1811 Full credits to Felix Gröbert, Google Security Team, for finding and
1812 reporting this issue
1814 ####################### V 1.7.1.2:
1816 corrections:
1817 user-late and group-late, when applied to a pty, affected the system
1818 device /dev/ptmx instead of the pty (thanks to Matthew Cloke for
1819 pointing me to this bug)
1821 socats openssl addresses failed with "nonblocking operation did not
1822 complete" when the peer performed a renegotiation. Thanks to Benjamin
1823 Delpy for reporting this bug.
1825 info message during socks connect showed bad port number on little
1826 endian systems due to wrong byte order (thanks to Peter M. Galbavy for
1827 bug report and patch)
1829 Debian bug 531078: socat execs children with SIGCHLD ignored; corrected
1830 to default. Thanks to Martin Dorey for reporting this bug.
1832 porting:
1833 building socat on systems that predefined the CFLAGS environment to
1834 contain -Wall failed (esp.RedHat). Thanks to Paul Wouters for reporting
1835 this problem and to Simon Matter for providing the patch
1837 support for Solaris 8 and Sun Studio support (thanks to Sebastian
1838 Kayser for providing the patches)
1840 on some 64bit systems a compiler warning "cast from pointer to integer
1841 of different size" was issued on some option definitions
1843 added struct sockaddr_ll to union sockaddr_union to avoid "strict
1844 aliasing" warnings (problem reported by Paul Wouters)
1846 docu:
1847 minor corrections in docu
1849 ####################### V 1.7.1.1:
1851 corrections:
1852 corrected the "fixed possible SIGSEGV" fix because SIGSEGV still might
1853 occur under those conditions. Thanks to Toni Mattila for first
1854 reporting this problem.
1856 ftruncate64 cut its argument to 32 bits on systems with 32 bit long type
1858 socat crashed on systems without setenv() (esp. SunOS up to Solaris 9);
1859 thanks to Todd Stansell for reporting this bug
1861 with unidirectional EXEC and SYSTEM a close() operation was performed
1862 on a random number which could result in hanging e.a.
1864 fixed a compile problem caused by size_t/socklen_t mismatch on 64bit
1865 systems
1867 docu mentioned option so-bindtodev but correct name is so-bindtodevice.
1868 Thanks to Jim Zimmerman for reporting.
1870 docu changes:
1871 added environment variables example to doc/socat-multicast.html
1873 ####################### V 1.7.1.0:
1875 new features:
1876 address options shut-none, shut-down, and shut-close allow to control
1877 socat's half close behaviour
1879 with address option shut-null socat sends an empty packet to the peer
1880 to indicate EOF
1882 option null-eof changes the behaviour of sockets that receive an empty
1883 packet to see EOF instead of ignoring it
1885 introduced option names substuser-early and su-e, currently equivalent
1886 to option substuser (thanks to Mike Perry for providing the patch)
1888 corrections:
1889 fixed some typos and improved some comments
1891 ####################### V 1.7.0.1:
1893 corrections:
1894 fixed possible SIGSEGV in listening addresses when a new connection was
1895 reset by peer before the socket addresses could be retrieved. Thanks to
1896 Mike Perry for sending a patch.
1898 fixed a bug, introduced with version 1.7.0.0, that let client
1899 connections with option connect-timeout fail when the connections
1900 succeeded. Thanks to Bruno De Fraine for reporting this bug.
1902 option end-close "did not apply" to addresses PTY, SOCKET-CONNECT,
1903 and most UNIX-* and ABSTRACT-*
1905 half close of EXEC and SYSTEM addresses did not work for pipes and
1906 sometimes socketpair
1908 help displayed for some option a wrong type
1910 under some circumstances shutdown was called multiple times for the
1911 same fd
1913 ####################### V 1.7.0.0:
1915 new features:
1916 new address types SCTP-CONNECT and SCTP-LISTEN implement SCTP stream
1917 mode for IPv4 and IPv6; new address options sctp-maxseg and
1918 sctp-nodelay (suggested by David A. Madore; thanks to Jonathan Brannan
1919 for providing an initial patch)
1921 new address "INTERFACE" for transparent network interface handling
1922 (suggested by Stuart Nicholson)
1924 added generic socket addresses: SOCKET-CONNECT, SOCKET-LISTEN,
1925 SOCKET-SENDTO, SOCKET-RECVFROM, SOCKET-RECV, SOCKET-DATAGRAM allow
1926 protocol independent socket handling; all parameters are explicitely
1927 specified as numbers or hex data
1929 added address options ioctl-void, ioctl-int, ioctl-intp, ioctl-string,
1930 ioctl-bin for generic ioctl() calls.
1932 added address options setsockopt-int, setsockopt-bin, and
1933 setsockopt-string for generic setsockopt() calls
1935 option so-type now only affects the socket() and socketpair() calls,
1936 not the name resolution. so-type and so-prototype can now be applied to
1937 all socket based addresses.
1939 new address option "escape" allows to break a socat instance even when
1940 raw terminal mode prevents ^C etc. (feature suggested by Guido Trotter)
1942 socat sets environment variables SOCAT_VERSION, SOCAT_PID, SOCAT_PPID
1943 for use in executed scripts
1945 socat sets environment variables SOCAT_SOCKADDR, SOCAT_SOCKPORT,
1946 SOCAT_PEERADDR, SOCAT_PEERPORT in LISTEN type addresses (feature
1947 suggested by Ed Sawicki)
1949 socat receives all ancillary messages with each received packet on
1950 datagram related addresses. The messages are logged in raw form with
1951 debug level, and broken down with info level. note: each type of
1952 ancillary message must be enabled by appropriate address options.
1954 socat provides the contents of ancillary messages received on RECVFROM
1955 addresses in appropriate environment variables:
1956 SOCAT_TIMESTAMP, SOCAT_IP_DSTADDR, SOCAT_IP_IF, SOCAT_IP_LOCADDR,
1957 SOCAT_IP_OPTIONS, SOCAT_IP_TOS, SOCAT_IP_TTL, SOCAT_IPV6_DSTADDR,
1958 SOCAT_IPV6_HOPLIMIT, SOCAT_IPV6_TCLASS
1960 the following address options were added to enable ancillary messages:
1961 so-timestamp, ip-pktinfo (not BSD), ip-recvdstaddr (BSD), ip-recverr,
1962 ip-recvif (BSD), ip-recvopts, ip-recvtos, ip-recvttl, ipv6-recvdstopts,
1963 ipv6-recverr, ipv6-recvhoplimit, ipv6-recvhopopts, ipv6-recvpathmtu,
1964 ipv6-recvpktinfo, ipv6-recvrthdr, ipv6-recvtclass
1966 new address options ipv6-tclass and ipv6-unicast-hops set the related
1967 socket options.
1969 STREAMS (UNIX System V STREAMS) can be configured with the new address
1970 options i-pop-all and i-push (thanks to Michal Rysavy for providing a
1971 patch)
1973 corrections:
1974 some raw IP and UNIX datagram modes failed on BSD systems
1976 when UDP-LISTEN continued to listen after packet dropped by, e.g.,
1977 range option, the old listen socket would not be closed but a new one
1978 created. open sockets could accumulate.
1980 there was a bug in ip*-recv with bind option: it did not bind, and
1981 with the first received packet an error occurred:
1982 socket_init(): unknown address family 0
1983 test: RAWIP4RECVBIND
1985 RECVFROM addresses with FORK option hung after processing the first
1986 packet. test: UDP4RECVFROM_FORK
1988 corrected a few mistakes that caused compiler warnings on 64bit hosts
1989 (thanks to Jonathan Brannan e.a. for providing a patch)
1991 EXEC and SYSTEM with stderr injected socat messages into the data
1992 stream. test: EXECSTDERRLOG
1994 when the EXEC address got a string with consecutive spaces it created
1995 additional empty arguments (thanks to Olivier Hervieu for reporting
1996 this bug). test: EXECSPACES
1998 in ignoreeof polling mode socat also blocked data transfer in the other
1999 direction during the 1s wait intervalls (thanks to Jorgen Cederlof for
2000 reporting this bug)
2002 corrected alphabetical order of options (proxy-auth)
2004 some minor corrections
2006 improved test.sh script: more stable timing, corrections for BSD
2008 replaced the select() calls by poll() to cleanly fix the problems with
2009 many file descriptors already open
2011 socat option -lf did not log to file but to stderr
2013 socat did not compile on Solaris when configured without termios
2014 feature (thanks to Pavan Gadi for reporting this bug)
2016 porting:
2017 socat compiles and runs on AIX with gcc (thanks to Andi Mather for his
2018 help)
2020 socat compiles and runs on Cygwin (thanks to Jan Just Keijser for his
2021 help)
2023 socat compiles and runs on HP-UX with gcc (thanks to Michal Rysavy for
2024 his help)
2026 socat compiles and runs on MacOS X (thanks to Camillo Lugaresi for his
2027 help)
2029 further changes:
2030 filan -s prefixes output with FD number if more than one FD
2032 Makefile now supports datarootdir (thanks to Camillo Lugaresi for
2033 providing the patch)
2035 cleanup in xio-unix.c
2037 ####################### V 1.6.0.1:
2039 new features:
2040 new make target "gitclean"
2042 docu source doc/socat.yo released
2044 corrections:
2045 exec:...,pty did not kill child process under some circumstances; fixed
2046 by correcting typo in xio-progcall.c (thanks to Ralph Forsythe for
2047 reporting this problem)
2049 service name resolution failed due to byte order mistake
2050 (thanks to James Sainsbury for reporting this problem)
2052 socat would hang when invoked with many file descriptors already opened
2053 fix: replaced FOPEN_MAX with FD_SETSIZE
2054 thanks to Daniel Lucq for reporting this problem.
2056 fixed bugs where sub processes would become zombies because the master
2057 process did not catch SIGCHLD. this affected addresses UDP-LISTEN,
2058 UDP-CONNECT, TCP-CONNECT, OPENSSL, PROXY, UNIX-CONNECT, UNIX-CLIENT,
2059 ABSTRACT-CONNECT, ABSTRACT-CLIENT, SOCKSA, SOCKS4A
2060 (thanks to Fernanda G Weiden for reporting this problem)
2062 fixed a bug where sub processes would become zombies because the master
2063 process caught SIGCHLD but did not wait(). this affected addresses
2064 UDP-RECVFROM, IP-RECVFROM, UNIX-RECVFROM, ABSTRACT-RECVFROM
2065 (thanks to Evan Borgstrom for reporting this problem)
2067 corrected option handling with STDIO; usecase: cool-write
2069 configure --disable-pty also disabled option waitlock
2071 fixed small bugs on systems with struct ip_mreq without struct ip_mreqn
2072 (thanks to Roland Illig for sending a patch)
2074 corrected name of option intervall to interval (old form still valid
2075 for us German speaking guys)
2077 corrected some print statements and variable names
2079 make uninstall did not uninstall procan
2081 fixed lots of weaknesses in test.sh
2083 corrected some bugs and typos in doc/socat.yo, EXAMPLES, C comments
2085 further changes:
2086 procan -c prints C defines important for socat
2088 added test OPENSSLEOF for OpenSSL half close
2090 ####################### V 1.6.0.0:
2092 new features:
2093 new addresses IP-DATAGRAM and UDP-DATAGRAM allow versatile broadcast
2094 and multicast modes
2096 new option ip-add-membership for control of multicast group membership
2098 new address TUN for generation of Linux TUN/TAP pseudo network
2099 interfaces (suggested by Mat Caughron); associated options tun-device,
2100 tun-name, tun-type; iff-up, iff-promisc, iff-noarp, iff-no-pi etc.
2102 new addresses ABSTRACT-CONNECT, ABSTRACT-LISTEN, ABSTRACT-SENDTO,
2103 ABSTRACT-RECV, and ABSTRACT-RECVFROM for abstract UNIX domain addresses
2104 on Linux (requested by Zeeshan Ali); option unix-tightsocklen controls
2105 socklen parameter on system calls.
2107 option end-close for control of connection closing allows FD sharing
2108 by sub processes
2110 range option supports form address:mask with IPv4
2112 changed behaviour of OPENSSL-LISTEN to require and verify client
2113 certificate per default
2115 options f-setlkw-rd, f-setlkw-wr, f-setlk-rd, f-setlk-wr allow finer
2116 grained locking on regular files
2118 uninstall target in Makefile (lack reported by Zeeshan Ali)
2120 corrections:
2121 fixed bug where only first tcpwrap option was applied; fixed bug where
2122 tcpwrap IPv6 check always failed (thanks to Rudolf Cejka for reporting
2123 and fixing this bug)
2125 filan (and socat -D) could hang when a socket was involved
2127 corrected PTYs on HP-UX (and maybe others) using STREAMS (inspired by
2128 Roberto Mackun)
2130 correct bind with udp6-listen (thanks to Jan Horak for reporting this
2131 bug)
2133 corrected filan.c peekbuff[0] which did not compile with Sun Studio Pro
2134 (thanks to Leo Zhadanovsky for reporting this problem)
2136 corrected problem with read data buffered in OpenSSL layer (thanks to
2137 Jon Nelson for reporting this bug)
2139 corrected problem with option readbytes when input stream stayed idle
2140 after so many bytes
2142 fixed a bug where a datagram receiver with option fork could fork two
2143 sub processes per packet
2145 further changes:
2146 moved documentation to new doc/ subdir
2148 new documents (kind of mini tutorials) are provided in doc/
2150 ####################### V 1.5.0.0:
2152 new features:
2153 new datagram modes for udp, rawip, unix domain sockets
2155 socat option -T specifies inactivity timeout
2157 rewrote lexical analysis to allow nested socat calls
2159 addresses tcp, udp, tcp-l, udp-l, and rawip now support IPv4 and IPv6
2161 socat options -4, -6 and environment variables SOCAT_DEFAULT_LISTEN_IP,
2162 SOCAT_PREFERRED_RESOLVE_IP for control of protocol selection
2164 addresses ssl, ssl-l, socks, proxy now support IPv4 and IPv6
2166 option protocol-family (pf), esp. for openssl-listen
2168 range option supports IPv6 - syntax: range=[::1/128]
2170 option ipv6-v6only (ipv6only)
2172 new tcp-wrappers options allow-table, deny-table, tcpwrap-etc
2174 FIPS version of OpenSSL can be integrated - initial patch provided by
2175 David Acker. See README.FIPS
2177 support for resolver options res-debug, aaonly, usevc, primary, igntc,
2178 recurse, defnames, stayopen, dnsrch
2180 options for file attributes on advanced filesystems (ext2, ext3,
2181 reiser): secrm, unrm, compr, ext2-sync, immutable, ext2-append, nodump,
2182 ext2-noatime, journal-data etc.
2184 option cool-write controls severeness of write failure (EPIPE,
2185 ECONNRESET)
2187 option o-noatime
2189 socat option -lh for hostname in log output
2191 traffic dumping provides packet headers
2193 configure.in became part of distribution
2195 socats unpack directory now has full version, e.g. socat-1.5.0.0/
2197 corrected docu of option verify
2199 corrections:
2200 fixed tcpwrappers integration - initial fix provided by Rudolf Cejka
2202 exec with pipes,stderr produced error
2204 setuid-early was ignored with many address types
2206 some minor corrections
2208 ####################### V 1.4.3.1:
2210 corrections:
2211 PROBLEM: UNIX socket listen accepted only one (or a few) connections.
2212 FIX: do not remove listening UNIX socket in child process
2214 PROBLEM: SIGSEGV when TCP part of SSL connect failed
2215 FIX: check ssl pointer before calling SSL_shutdown
2217 In debug mode, show connect client port even when connect fails
2219 ####################### V 1.4.3.0:
2221 new features:
2222 socat options -L, -W for application level locking
2224 options "lockfile", "waitlock" for address level locking
2225 (Stefan Luethje)
2227 option "readbytes" limits read length (Adam Osuchowski)
2229 option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)
2231 pty symlink, unix listen socket, and named pipe are per default removed
2232 after use; option unlink-close overrides this new behaviour and also
2233 controls removal of other socat generated files (Stefan Luethje)
2235 corrections:
2236 option "retry" did not work with tcp-listen
2238 EPIPE condition could result in a 100% CPU loop
2240 further changes:
2241 support systems without SHUT_RD etc.
2242 handle more size_t types
2243 try to find makedepend options with gcc 3 (richard/OpenMacNews)
2245 ####################### V 1.4.2.0:
2247 new features:
2248 option "connect-timeout" limits wait time for connect operations
2249 (requested by Giulio Orsero)
2251 option "dhparam" for explicit Diffie-Hellman parameter file
2253 corrections:
2254 support for OpenSSL DSA certificates (Miika Komu)
2256 create install directories before copying files (Miika Komu)
2258 when exiting on signal, return status 128+signum instead of 1
2260 on EPIPE and ECONNRESET, only issue a warning (Santiago Garcia
2261 Mantinan)
2263 -lu could cause a core dump on long messages
2265 further changes:
2266 modifications to simplify using socats features in applications
2268 ####################### V 1.4.1.0:
2270 new features:
2271 option "wait-slave" blocks open of pty master side until a client
2272 connects, "pty-intervall" controls polling
2274 option -h as synonym to -? for help (contributed by Christian
2275 Lademann)
2277 filan prints formatted time stamps and rdev (disable with -r)
2279 redirect filan's output, so stdout is not affected (contributed by
2280 Luigi Iotti)
2282 filan option -L to follow symbolic links
2284 filan shows termios control characters
2286 corrections:
2287 proxy address no longer performs unsolicited retries
2289 filan -f no longer needs read permission to analyze a file (but still
2290 needs access permission to directory, of course)
2292 porting:
2293 Option dsusp
2294 FreeBSD options noopt, nopush, md5sig
2295 OpenBSD options sack-disable, signature-enable
2296 HP-UX, Solaris options abort-threshold, conn-abort-threshold
2297 HP-UX options b900, b3600, b7200
2298 Tru64/OSF1 options keepinit, paws, sackena, tsoptena
2300 further corrections:
2301 address pty now uses ptmx as default if openpty is also available
2303 ####################### V 1.4.0.3:
2305 security:
2306 Socat security advisory 1
2307 CVE-2004-1484:
2308 fix to a syslog() based format string vulnerability that can lead to
2309 remote code execution. See advisory socat-adv-1.txt
2311 ####################### V 1.4.0.2:
2313 corrections:
2314 exec'd write-only addresses get a chance to flush before being killed
2316 error handler: print notice on error-exit
2318 filan printed wrong file type information
2320 ####################### V 1.4.0.1:
2322 corrections:
2323 socks4a constructed invalid header. Problem found, reported, and fixed
2324 by Thomas Themel, by Peter Palfrader, and by rik
2326 with nofork, don't forget to apply some process related options
2327 (chroot, setsid, setpgid, ...)
2329 ####################### V 1.4.0.0:
2331 new features:
2332 simple openssl server (ssl-l), experimental openssl trust
2334 new options "cafile", "capath", "key", "cert", "egd", and "pseudo" for
2335 openssl
2337 new options "retry", "forever", and "intervall"
2339 option "fork" for address TCP improves `gender changer´
2341 options "sigint", "sigquit", and "sighup" control passing of signals to
2342 sub process (thanks to David Shea who contributed to this issue)
2344 readline takes respect to the prompt issued by the peer address
2346 options "prompt" and "noprompt" allow to override readline's new
2347 default behaviour
2349 readline supports invisible password with option "noecho"
2351 socat option -lp allows to set hostname in log output
2353 socat option -lu turns on microsecond resolution in log output
2356 corrections:
2357 before reading available data, check if writing on other channel is
2358 possible
2360 tcp6, udp6: support hostname specification (not only IP address), and
2361 map IP4 names to IP6 addresses
2363 openssl client checks server certificate per default
2365 support unidirectional communication with exec/system subprocess
2367 try to restore original terminal settings when terminating
2369 test.sh uses tmp dir /tmp/$USER/$$ instead of /tmp/$$
2371 socks4 failed on platforms where long does not have 32 bits
2372 (thanks to Peter Palfrader and Thomas Seyrat)
2374 hstrerror substitute wrote wrong messages (HP-UX, Solaris)
2376 proxy error message was truncated when answer contained multiple spaces
2379 porting:
2380 compiles with AIX xlc, HP-UX cc, Tru64 cc (but might not link)
2382 ####################### V 1.3.2.2:
2384 corrections:
2385 PROXY CONNECT failed when the status reply from the proxy server
2386 contained more than one consecutive spaces. Problem reported by
2387 Alexandre Bezroutchko
2389 do not SIGSEGV when proxy address fails to resolve server name
2391 udp-listen failed on systems where AF_INET != SOCK_DGRAM (e.g. SunOS).
2392 Problem reported by Christoph Schittel
2394 test.sh only tests available features
2396 added missing IP and TCP options in filan analyzer
2398 do not apply stdio address options to both directions when in
2399 unidirectional mode
2401 on systems lacking /dev/*random and egd, provide (weak) entropy from
2402 libc random()
2405 porting:
2406 changes for HP-UX (VREPRINT, h_NETDB_INTERNAL)
2408 compiles on True64, FreeBSD (again), NetBSD, OpenBSD
2410 support for long long as st_ino type (Cygwin 1.5)
2412 compile on systems where pty can not be featured
2414 ####################### V 1.3.2.1:
2416 corrections:
2417 "final" solution for the ENOCHLD problem
2419 corrected "make strip"
2421 default gcc debug/opt is "-O" again
2423 check for /proc at runtime, even if configure found it
2425 src.rpm accidently supported SuSE instead of RedHat
2427 ####################### V 1.3.2.0:
2429 new features:
2430 option "nofork" connects an exec'd script or program directly
2431 to the file descriptors of the other address, circumventing the socat
2432 transfer engine
2434 support for files >2GB, using ftruncate64(), lseek64(), stat64()
2436 filan has new "simple" output style (filan -s)
2439 porting:
2440 options "binary" and "text" for controlling line termination on Cygwin
2441 file system access (hint from Yang Wu-Zhou)
2443 fix by Yang Wu-Zhou for the Cygwin "No Children" problem
2445 improved support for OSR: _SVID3; no IS_SOCK, no F_GETOWN (thanks to
2446 John DuBois)
2448 minor corrections to avoid warnings with gcc 3
2451 further corrections and minor improvements:
2452 configure script is generated with autoconf 2.57 (no longer 2.52)
2454 configure passes CFLAGS to Makefile
2456 option -??? for complete list of address options and their short forms
2458 program name in syslog messages is derived from argv[0]
2460 SIGHUP now prints notice instead of error
2462 EIO during read of pty now gives Notice instead of Error, and
2463 triggers EOF
2465 use of hstrerror() for printing resolver error messages
2467 setgrent() got required endgrent()
2469 ####################### V 1.3.1.0:
2471 new features:
2472 integration of Wietse Venema's tcpwrapper library (libwrap)
2474 with "proxy" address, option "resolve" controls if hostname or IP
2475 address is sent in request
2477 option "lowport" establishes limited authorization for TCP and UDP
2478 connections
2480 improvement of .spec file for RPM creation (thanks to Gerd v. Egidy)
2481 An accompanying change in the numbering scheme results in an
2482 incompatibility with earlier socat RPMs!
2485 solved problems and bugs:
2486 PROBLEM: socat daemon terminated when the address of a connecting
2487 client did not match range option value instead of continue listening
2488 SOLVED: in this case, print warning instead of error to keep daemon
2489 active
2491 PROBLEM: tcp-listen with fork sometimes left excessive number of zombie
2492 processes
2493 SOLVED: dont assume that each exiting child process generates SIGCHLD
2495 when converting CRNL to CR, socat converted to NL
2498 further corrections:
2499 configure script now disables features that depend on missing files
2500 making it more robust in "unsupported" environments
2502 server.pem permissions corrected to 600
2504 "make install" now does not strip; use "make strip; make install"
2505 if you like strip (suggested by Peter Bray)
2507 ####################### V 1.3.0.1:
2509 solved problems and bugs:
2510 PROBLEM: OPENSSL did not apply tcp, ip, and socket options
2511 SOLVED: OPENSSL now correctly handles the options list
2513 PROBLEM: CRNL to NL and CRNL to CR conversions failed when CRNL crossed
2514 block boundary
2515 SOLVED: these conversions now simply strip all CR's or NL's from input
2516 stream
2519 porting:
2520 SunOS ptys now work on x86, too (thanks to Peter Bray)
2522 configure looks for freeware libs in /pkgs/lib/ (thanks to Peter Bray)
2525 further corrections:
2526 added WITH_PROXY value to -V output
2528 added compile dependencies of WITH_PTY and WITH_PROXY
2530 -?? did not print option group of proxy options
2532 corrected syntax for bind option in docu
2534 corrected an issue with stdio in unidirectional mode
2536 options socksport and proxyport support service names
2538 ftp.sh script supports proxy address
2540 man page no longer installed with execute permissions (thanks to Peter
2541 Bray)
2543 fixed a malloc call bug that could cause SIGSEGV or false "out of
2544 memory" errors on EXEC and SYSTEM, depending on program name length and
2545 libc.
2547 ####################### V 1.3.0.0:
2549 new features:
2550 proxy connect with optional proxy authentication
2552 combined hex and text dump mode, credits to Gregory Margo
2554 address pty applies options user, group, and perm to device
2557 solved problems and bugs:
2558 PROBLEM: option reuseport was not applied (BSD, AIX)
2559 SOLVED: option reuseport now in phase PASTSOCKET instead of PREBIND,
2560 credits to Jean-Baptiste Marchand
2562 PROBLEM: ignoreeof with stdio was ignored
2563 SOLVED: ignoreeof now works correctly with address stdio
2565 PROBLEM: ftp.sh did not use user supplied password
2566 SOLVED: ftp.sh now correctly passes password from command line
2568 PROBLEM: server.pem had expired
2569 SOLVED: new server.pem valid for ten years
2571 PROBLEM: socks notice printed wrong port on some platforms
2572 SOLVED: socks now uses correct byte-order for port number in notice
2575 further corrections:
2576 option name o_trunc corrected to o-trunc
2578 combined use of -u and -U is now detected and prevented
2580 made message system a little more robust against format string attacks
2583 ####################### V 1.2.0.0:
2585 new features:
2586 address pty for putting socat behind a new pseudo terminal that may
2587 fake a serial line, modem etc.
2589 experimental openssl integration
2590 (it does not provide any trust between the peers because is does not
2591 check certificates!)
2593 options flock-ex, flock-ex-nb, flock-sh, flock-sh-nb to control all
2594 locking mechanism provided by flock()
2596 options setsid and setpgid now available with all address types
2598 option ctty (controlling terminal) now available for all TERMIOS
2599 addresses
2601 option truncate (a hybrid of open(.., O_TRUNC) and ftruncate()) is
2602 replaced by options o-trunc and ftruncate=offset
2604 option sourceport now available with TCP and UDP listen addresses to
2605 restrict incoming client connections
2607 unidirectional mode right-to-left (-U)
2610 solved problems and bugs:
2611 PROBLEM: addresses without required parameters but an option containing
2612 a '/' were incorrectly interpreted as implicit GOPEN address
2613 SOLVED: if an address does not have ':' separator but contains '/',
2614 check if the slash is before the first ',' before assuming
2615 implicit GOPEN.
2618 porting:
2619 ptys under SunOS work now due to use of stream options
2622 further corrections:
2623 with -d -d -d -d -D, don't print debug info during file analysis
2626 ####################### V 1.1.0.1:
2628 new features:
2629 .spec file for RPM generation
2632 solved problems and bugs:
2633 PROBLEM: GOPEN on socket did not apply option unlink-late
2634 SOLUTION: GOPEN for socket now applies group NAMED, phase PASTOPEN
2635 options
2637 PROBLEM: with unidirectional mode, an unnecessary close timeout was
2638 applied
2639 SOLUTION: in unidirectional mode, terminate without wait time
2641 PROBLEM: using GOPEN on a unix domain socket failed for datagram
2642 sockets
2643 SOLUTION: when connect() fails with EPROTOTYPE, use a datagram socket
2646 further corrections:
2648 open() flag options had names starting with "o_", now corrected to "o-"
2650 in docu, *-listen addresses were called *_listen
2652 address unix now called unix-connect because it does not handle unix
2653 datagram sockets
2655 in test.sh, apply global command line options with all tests
2658 ####################### V 1.1.0.0:
2660 new features:
2661 regular man page and html doc - thanks to kromJx for prototype
2663 new address type "readline", utilizing GNU readline and history libs
2665 address option "history-file" for readline
2667 new option "dash" to "exec" address that allows to start login shells
2669 syslog facility can be set per command line option
2671 new address option "tcp-quickack", found in Linux 2.4
2673 option -g prevents option group checking
2675 filan and procan can print usage
2677 procan prints rlimit infos
2680 solved problems and bugs:
2681 PROBLEM: raw IP socket SIGSEGV'ed when it had been shut down.
2682 SOLVED: set eof flag of channel on shutdown.
2684 PROBLEM: if channel 2 uses a single non-socket FD in bidirectional mode
2685 and has data available while channel 1 reaches EOF, the data is
2686 lost.
2687 SOLVED: during one loop run, first handle all data transfers and
2688 _afterwards_ handle EOF.
2690 PROBLEM: despite to option NONBLOCK, the connect() call blocked
2691 SOLVED: option NONBLOCK is now applied in phase FD instead of LATE
2693 PROBLEM: UNLINK options issued error when file did not exist,
2694 terminating socat
2695 SOLVED: failure of unlink() is only warning if errno==ENOENT
2697 PROBLEM: TCP6-LISTEN required numeric port specification
2698 SOLVED: now uses common TCP service resolver
2700 PROBLEM: with PIPE, wrong FDs were shown for data transfer loop
2701 SOLVED: retrieval of FDs now pays respect to PIPE pecularities
2703 PROBLEM: using address EXEC against an address with IGNOREEOF, socat
2704 never terminated
2705 SOLVED: corrected EOF handling of sigchld
2708 porting:
2709 MacOS and old AIX versions now have pty
2711 flock() now available on Linux (configure check was wrong)
2713 named pipe were generated using mknod(), which requires root under BSD
2714 now they are generated using mkfifo
2717 further corrections:
2718 lots of address options that were "forgotten" at runtime are now
2719 available
2721 option BINDTODEVICE now also called SO-BINDTODEVICE, IF
2723 "make install" now installs binaries with ownership 0:0
2726 ####################### V 1.0.4.2:
2728 solved problems and bugs:
2729 PROBLEM: EOF of one stream caused close of other stream, giving it no
2730 chance to go down regularly
2731 SOLVED: EOF of one stream now causes shutdown of write part of other
2732 stream
2734 PROBLEM: sending mail via socks address to qmail showed that crlf
2735 option does not work
2736 SOLVED: socks address applies PH_LATE options
2738 PROBLEM: in debug mode, no info about socat and platform was issued
2739 SOLVED: print socat version and uname output in debug mode
2741 PROBLEM: invoking socat with -t and no following parameters caused
2742 SIGSEGV
2743 SOLVED: -t and -b now check next argv entry
2745 PROBLEM: when opening of logfile (-lf) failed, no error was reported
2746 and no further messages were printed
2747 SOLVED: check result of fopen and print error message if it failed
2749 new features:
2750 address type UDP-LISTEN now supports option fork: it internally applies
2751 socket option SO_REUSEADDR so a new UDP socket can bind to port after
2752 `accepting´ a connection (child processes might live forever though)
2753 (suggestion from Damjan Lango)
2756 ####################### V 1.0.4.1:
2758 solved problems and bugs:
2759 PROB: assert in libc caused an endless recursion
2760 SOLVED: no longer catch SIGABRT
2762 PROB: socat printed wrong verbose prefix for "right to left" packets
2763 SOLVED: new parameter for xiotransfer() passes correct prefix
2765 new features:
2766 in debug mode, socat prints its command line arguments
2767 in verbose mode, escape special characters and replace unprintables
2768 with '.'. Patch from Adrian Thurston.
2771 ####################### V 1.0.4.0:
2773 solved problems and bugs:
2774 Debug output for lstat and fstat said "stat"
2776 further corrections:
2777 FreeBSD now includes libutil.h
2779 new features:
2780 option setsid with exec/pty
2781 option setpgid with exec/pty
2782 option ctty with exec/pty
2783 TCP V6 connect test
2784 gettimeofday in sycls.c (no use yet)
2786 porting:
2787 before Gethostbyname, invoke inet_aton for MacOSX
2790 ####################### V 1.0.3.0:
2792 solved problems and bugs:
2794 PROB: test 9 of test.sh (echo via file) failed on some platforms,
2795 socat exited without error message
2796 SOLVED: _xioopen_named_early(): preset statbuf.st_mode with 0
2798 PROB: test 17 hung forever
2799 REASON: child death before select loop did not result in EOF
2800 SOLVED: check of existence of children before starting select loop
2802 PROB: test 17 failed
2803 REASON: child dead triggered EOF before last data was read
2804 SOLVED: after child death, read last data before setting EOF
2806 PROB: filan showed that exec processes incorrectly had fd3 open
2807 REASON: inherited open fd3 from main process
2808 SOLVED: set CLOEXEC flag on pty fd in main process
2810 PROB: help printed "undef" instead of group "FORK"
2811 SOLVED: added "FORK" to group name array
2813 PROB: fatal messages did not include severity classifier
2814 SOLVED: added "F" to severity classifier array
2816 PROB: IP6 addresses where printed incorrectly
2817 SOLVED: removed type casts to unsigned short *
2819 further corrections:
2820 socat catches illegal -l modes
2821 corrected error message on setsockopt(linger)
2822 option tabdly is of type uint
2823 correction for UDP over IP6
2824 more cpp conditionals, esp. for IP6 situations
2825 better handling of group NAMED options with listening UNIX sockets
2826 applyopts2 now includes last given phase
2827 corrected option group handling for most address types
2828 introduce dropping of unappliable options (dropopts, dropopts2)
2829 gopen now accepts socket and unix-socket options
2830 exec and system now accept all socket and termios options
2831 child process for exec and system addresses with option pty
2832 improved descriptions and options for EXAMPLES
2833 printf format for file mode changed to "0%03o" with length spec.
2834 added va_end() in branch of msg()
2835 changed phase of lock options from PASTOPEN to FD
2836 support up to four early dying processes
2838 structural changes:
2839 xiosysincludes now includes sysincludes.h for non xio files
2841 new features:
2842 option umask
2843 CHANGES file
2844 TYPE_DOUBLE, u_double
2845 OFUNC_OFFSET
2846 added getsid(), setsid(), send() to sycls
2847 procan prints sid (session id)
2848 mail.sh gets -f (from) option
2849 new EXAMPLEs for file creation
2850 gatherinfo.sh now tells about failures
2851 test.sh can check for much more address/option combinations
2853 porting:
2854 ispeed, ospeed for termios on FreeBSD
2855 getpgid() conditional for MacOS 10
2856 added ranlib in Makefile.in for MacOS 10
2857 disable pty option if no pty mechanism is available (MacOS 10)
2858 now compiles and runs on MacOS 10 (still some tests fail)
2859 setgroups() conditional for cygwin
2860 sighandler_t defined conditionally
2861 use gcc option -D_GNU_SOURCE