Socat 1.7.4.2 did not compile on OmniOS (and probably other OpenSolaris
Thanks to Andy Fiddaman for sending a patch.

Socat since 1.7.4.0 did not compile on Solaris and its derivatives
because the getprotobynumber_r() function prototype differs from the
configure now checks for the variant.
Thanks to Robert Zybeck for reporting this issue.

Again porting Socat to AIX (7.1) - Fixed configure and compile issues:
Adapted include requirements for IPv6

####################### V 1.7.4.2:
The per address parameters for OpenSSL overlapped in memory with socket
parameters. Magically this did not seem to cause problems except on
MacOS Catalina that reported errors like:
socat[3458] E Select(7, &0x80, NULL, NULL, {140392884396544.000000}):
Test: OPENSSL_PARA_OVERLAP
Thanks to Ryo Ota for reporting this bug.

Fixed a few minor coding issues

A VSOCK warning message was generated with all listening addresses
instead of only with VSOCK-LISTEN

When an OPENSSL-CONNECT client presented a certificate with IPv6
subject alternate name and the OPENSSL-LISTEN server had no commonname
option, the server crashed with SIGSEGV in xioip6_pton().
Test: OPENSSL_CLIENT_IP6_CN
Thanks to Vlad Slepukhin for reporting this issue and providing a patch

Corrected a typo in configure.ac that broke option --enable-openssl-base
Thanks to john1doe for reporting this issue.

Socat looped endlessly, not responding to SIGTERM, when a service name
(for port) could not be resolved.

Using options of NAMED group, e.g. chown, with abstract UNIX domain
sockets, produced errors because the function was applied with a normal
file system related call, e.g. chown(), using file "" (empty name). Instead of
chown(), Socat now uses fchown() on the file descriptor. However, such
a call usually has no real effect.
Thanks to Andreas Fink for reporting this issue.

Option -R did not only dump ("sniff") right-to-left, but also
left-to-right traffic to the given file.
Test: SNIFF_RIGHT_TO_LEFT
Thanks to 1314 gsf for reporting this bug and sending a patch.

Options -r and -R, when opening a named pipe that has no actual reader,
failed with "No such device or address". To solve this problem, Socat
now opens the pipe in rw-Mode.
Thanks to Cody J.Soultz for sending a patch.

The call "socat -r - PIPE" traced to file ./- instead of issuing a

Print a message when readbytes option causes EOF

The ip-recverr option had no effect. Corrected and improved its
handling of ancillary messages, so it is able to analyze ICMP error

Setgid(), Setuid() calls in xio-progcall.c were useless.

Prevent the TIMESTAMP tests from sporadically failing due to seconds

Fixed in test.sh a few issues reported by shellcheck

Added missing docu of OpenSSL options min-proto-version,

Added missing closing parenthesis in socat.yo.
Thanks to Emanuele Torre for reporting this issue.

Corrected more typos and added missing bug info to CHANGES, performed
some non functional corrections.

Corrected building when clock_gettime() not available, with or without

####################### V 1.7.4.1:
Socat 1.7.4.0 failed to compile especially on 32 bit systems.
Thanks to Wang Mingyu and others for sending a patch or reporting this

Under certain conditions OpenSSL stream connections, in particular bulk
data transfer in unidirectional mode, failed during transfer or near
its end with Connection reset by peer on receiver side.
This happened with Socat versions 1.7.3.3 to 1.7.4.0. Reasons were
lazy SSL shutdown handling on the sender side in combination with
SSL_MODE_AUTO_RETRY turned off.
Fix: After SSL_shutdown but before socket shutdown call SSL_read()
Test: OPENSSL_STREAM_TO_SERVER
Fixes Red Hat issue 1870279.

####################### V 1.7.4.0:
Buffer size option (-b) is internally doubled for CR-CRLF conversion,
but not checked for integer overflow. This could lead to heap based
buffer overflow, assuming the attacker could provide this parameter.
Test: BLKSIZE_INT_OVERFL
Thanks to Lê Hiếu Bùi for reporting this issue and sending an

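The size arithmetic behind the -b entry above, as an added example (not socat's code; the function names alloc_size_unchecked, alloc_size_checked and parse_bufsize are hypothetical). It shows how an unchecked doubling wraps around to a tiny allocation and how a range check before the multiplication rejects such a request.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* BEFORE (pattern described in the entry): the requested size is doubled
   without a range check. For requests above SIZE_MAX/2 the product wraps,
   so the allocation is far smaller than the size the transfer loop uses. */
size_t alloc_size_unchecked(size_t requested) {
    return 2 * requested;               /* wraps modulo SIZE_MAX + 1 */
}

/* AFTER: refuse any request whose doubled size is not representable.
   Returns 0 and stores the allocation size, or -1 on rejection. */
int alloc_size_checked(size_t requested, size_t *alloc) {
    if (requested == 0 || requested > SIZE_MAX / 2) {
        return -1;
    }
    *alloc = 2 * requested;
    return 0;
}

/* Parse the option text as it arrives on the command line. Rejects
   signs, trailing garbage and values that do not fit into size_t. */
int parse_bufsize(const char *arg, size_t *alloc) {
    char *end;
    unsigned long long v;

    if (arg == NULL || arg[0] < '0' || arg[0] > '9') {
        return -1;                      /* strtoull would accept "-1" */
    }
    errno = 0;
    v = strtoull(arg, &end, 0);         /* base 0: decimal, 0x.., 0.. */
    if (errno == ERANGE || *end != '\0') {
        return -1;
    }
    if ((unsigned long long)(size_t)v != v) {
        return -1;                      /* does not fit into size_t */
    }
    return alloc_size_checked((size_t)v, alloc);
}

int main(void) {
    size_t huge = SIZE_MAX / 2 + 1;     /* constructed attacker-style value */
    size_t alloc = 0;

    printf("unchecked: request %zu -> allocation %zu\n",
           huge, alloc_size_unchecked(huge));
    printf("checked:   request %zu -> %s\n", huge,
           alloc_size_checked(huge, &alloc) == 0 ? "accepted" : "rejected");
    if (parse_bufsize("8192", &alloc) == 0) {
        printf("parsed:    -b 8192 -> allocation %zu\n", alloc);
    }
    return 0;
}
```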
Socat's address parser read over end of string when there were unbalanced
Test: UNBALANCED_QUOTE

Removed unused usleep() call from sycls.c

Unsetenv() was conditional in sysutils.c but not in xio-openssl.c thus
building failed on Solaris 9.
Thanks to Greg Earle for reporting this issue and providing a patch.

Mitigated race condition of quickly terminating SYSTEM or EXEC child

Option o-direct might require alignment of read/write buffer to, e.g.,
512 bytes, Socat now takes care of this when allocating the buffer.
With this fix read() succeeds, however, write() still might fail when
not writing complete pages.

There was a race condition in the way Socat UDP-RECVFROM and similar
addresses with option fork prevent one packet from triggering
multiple processes. The symptom was that Socat master process seemed to
hang and did not process further packets. The fix makes use of
pselect() system call.
Thanks to Fulvio Scapin for reporting this issue.

UNIX domain client addresses applied file system entry options (group
NAMED) to the server socket instead of the client (bind) socket entry.
Tests: UNIX_SENDTO_UNLINK UNIX_CONNECT_UNLINK
Thanks to Nico Williams for reporting this major issue.

Length of single address options was limited to 511 bytes. This value
is now increased to 2047 bytes.
Change suggested by Mario Camou.

Addresses of type RECVFROM with option fork looped with an error
message in case that the second address failed before consuming the
packet. The fix makes RECVFROM drop the packet when the second address
failed before reading it. Use retry or forever option with the second
address if you want to avoid data loss.
Fixes Red Hat bug 1907718
Thanks to Chunmei Xu for reporting this issue and providing the patch.

Socat's DTLS implementation has been reworked and appears to work now
New addresses: OPENSSL-DTLS-SERVER (DTLS-L),
OPENSSL-DTLS-CLIENT (DTLS)
Tests: OPENSSL_DTLS_CLIENT OPENSSL_DTLS_SERVER
OPENSSL_METHOD_DTLS1 OPENSSL_METHOD_DTLS1.2
Thanks to Brandon Carpenter, Qing Wan, and Pavel Nakonechnyi for

filan did not output the socket protocol.
filan -s assumed each stream socket to be TCP and each datagram socket
to be UDP. Now it uses SO_PROTOCOL and getprotoent() for correct output.

Help text showed two parameters for UDP4-RECVFROM address, but only
Thanks to John the Scott for reporting this issue.

Error messages from SSL_read() and SSL_write() sometimes stated
SSL_connect instead of originating function name.

Fixed some more non functional minor issues.

In gcc version 10 the default changed from -fcommon to -fno-common.
Consequently, linking filan and procan failed with error
"multiple definition of `deny_severity'" and `allow_severity'
Fixed by removing definitions in filan.c and procan.c
Thanks to László Böszörményi and others for reporting this issue.

Solaris 9 does not provide strndup(); added substitute code.
Thanks to Greg Earle for providing a patch.

Added configure option --enable-openssl-base to specify the location of
a non-OS OpenSSL installation

There are systems whose kernel understands SCTP but getaddrinfo does
not. As workaround after EAI_SOCKTYPE on name and service resolution
fall back to ai_socktype=0; if it fails with EAI_SERVICE, set
ai_protocol=0 and try again
Test: SCTP_SERVICENAME

Per file filesystem options were still named ext2-* and depended on
<linux/ext2_fs.h>. Now they are called fs-* and depend on <linux/fs.h>.
These fs-* options are also available on old systems with ext2_fs.h

New options openssl-min-proto-version (min-version) and
openssl-max-proto-version (max-version) give access to the related
OpenSSL set-macros and substitute deprecated version-specific methods.
Test: OPENSSL_MIN_VERSION

With OpenSSL use OPENSSL_init_SSL when available, instead of deprecated

With OPENSSL_API_COMPAT=0x10000000L the files openssl/dh.h, openssl/bn.h
must explicitly be included.
Thanks to Rosen Penev for reporting and sending a patch.

test.sh now produces a list of tests that could not be performed for
any reason. This helps to analyse these cases.

OpenSSL s_server apparently started to neglect TCP's half close feature.
Test OPENSSL_TCP4 has been changed to tolerate this.

OpenSSL changed its behaviour when connection is rejected. Tests
OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and
OPENSSL_CN_SERVER_SECURITY now tolerate this.

OpenSSL no longer allows explicit renegotiation with TLSv1.3, thus the
appropriate tests failed.
Fix: use TLSv1.2 for renegotiation tests
Tests: OPENSSLRENEG1 OPENSSLRENEG2

Ubuntu 20.04 requires 2048 bit certificates with OpenSSL

Archlinux 2020 has no which command; its ip, ss commands have modified

More testing issues solved:
* ss to pipe might omit column separator
* UDP6MULTICAST_UNIDIR fails on newer Linux kernels
* renamed testaddrs() to testfeats(), and introduced new testaddrs()

GOPEN and UNIX-CLIENT addresses now support sockets of type SEQPACKET.
Test: GOPENUNIXSEQPACKET
Feature suggested by vi0oss.

The generic setsockopt-int and related options are, in case of
listening/accepting addresses, applied to the connected socket(s). To enable
setting options on the listening socket, a new option setsockopt-listen
has been implemented. See the documentation for info on data types.
Tests: SETSOCKOPT SETSOCKOPT_LISTEN
Thanks to Steven Danna and Korian Edeline for reporting this issue.

Filan option -S gives short description like -s but with improved

Socat OpenSSL client, when server was specified using IP address, did
not verify connection on certificate's SubjectAltName IP entries.
Tests: OPENSSL_SERVERALTAUTH OPENSSL_SERVERALTIP4AUTH OPENSSL_SERVERALTIP6AUTH
Fixes Red Hat bug 1805132

Added options -r and -R for raw dump of transferred data to files.
Test: OPTION_RAW_DUMP

Added option ip-transparent (socket option IP_TRANSPARENT)
Thanks to Wang Shanker for sending a patch.

OPENSSL-CONNECT now automatically uses the SNI feature, option
openssl-no-sni turns it off. Option openssl-snihost overrides the value
of option openssl-commonname or the server name.
Tests: OPENSSL_SNI OPENSSL_NO_SNI
Thanks to Travis Burtrum for providing the initial patch

New option accept-timeout (listen-timeout)

New option ip-add-source-membership
Feature inspired by Brian (b f31415)

INCOMPATIBLE CHANGE: Address UDP-DATAGRAM now does not check peerport
of replies, as it did up to version 1.7.3.4. Use option sourceport when
you need the old behaviour.
Test: UDP_DATAGRAM_SOURCEPORT
Feature inspired by Hans Bueckler for SSDP inquiry (for UPnP)

New option proxy-authorization-file reads PROXY-CONNECT credentials
from file and makes it possible to hide this data from the process
Thanks to Charles Stephens for sending an initial patch.

Added AF_VSOCK support with VSOCK-CONNECT and VSOCK-LISTEN addresses.
Developed by Stefano Garzarella.

Added printf formats for uint16_t etc.

Address UDP-RECV does not support option fork.
Thanks to Fulvio Scapin for reporting that mistake in docu.

TUN address documentation showed TCP for backend which may merge
consecutive packets which causes data loss.
Thanks to Tomasz Lakota for reporting this issue.

####################### V 1.7.3.4:
Header of xiotermios_speed() declared parameter unsigned int instead of
speed_t, thus compiling failed on MacOS
Thanks to Joe Strout and others for reporting this bug.
Thanks to Andrew Childs and others for sending a patch.

Under certain circumstances, termios options of the first address were
applied to the second address, resulting in error
"Inappropriate ioctl for device"
This affected version 1.7.3.3 only.
Thanks to Ivan J. for reporting this issue.

Socat failed to compile when no poll() system call was found by
Thanks to Jason White for sending a patch.

Due to use of SSL_CTX_clear_mode() Socat failed to compile on old
systems with, e.g., OpenSSL-0.9.8. Thanks to Simon Matter and Moritz B.
for reporting this problem and sending initial patches.

getaddrinfo() in IP4-SENDTO and IP6-SENDTO addresses failed with
"ai_socktype not supported" when protocol 6 was addressed.
The fix removes the possibility to use service names with SCTP.
Thanks to Sören for sending an initial patch.

Under certain circumstances, Socat printed the "socket ... is at EOF"

Newer parts of test.sh used substitutions ${x,,*} or ${x^^*} that are
not implemented in older bash versions.

####################### V 1.7.3.3:
Makefile.in did not specify dependencies of filan on vsnprintf_r.o
Added definition of FILAN_OBJS
Thanks to Craig Leres, Clayton Shotwell, and Chris Packham for

configure option --enable-msglevel did not work with numbers

The autoconf mechanism for determining SHIFT_OFFSET did not work when
Thanks to Max Freisinger from Gentoo for sending a patch.

Socat still depended on obsolete gethostbyname() function, thus
compiling with MUSL libc failed.
Problem reported by Kennedy33.

The async signal safe diagnostic system used FDs 3 and 4 internally, so
use of appropriate fdin or fdout led to failures.
Problem reported by Onur Sentürk.

The socket based mechanism for passing messages and signal information
from signal handler to process could reach and kill the wrong process.
Introduces functions diag_sock_pair(), diag_fork()
Thanks to Darren Zhao for analysing and reporting this problem.

Option ipv6-join-group did not work because it was applied in the wrong
Test: UDP6MULTICAST_UNIDIR
Thanks to Angus Gratton for sending a patch.

Setting ispeed and ospeed failed for some serial devices because the
two settings were applied with two different get/set cycles. Thanks to
Alexandre Fenyo for providing an initial patch.
However, the actual fix is part of a conceptual change of the termios
module that aims for applying all changes in a single tcsetattr call.
Fixes FreeBSD Bug 198441

Termios options TAB0,TAB1,TAB2,TAB3, and XTABS did not have an effect.
Thanks to Alan Walters for reporting this bug.

Substituted cumbersome ISPEED_OFFSET mechanism for cfsetispeed() calls

With TCP6-LISTEN and the other passive IPv6 addresses the range option
just failed: due to a bug in the syntax parser and two more bugs in
the xiocheckrange_ip6() function.
The syntax has now been changed from "[::1/128]" to "[::1]/128"!
Thanks to Leah Neukirchen for sending an initial fix.

For name resolution Socat only checked the first character of the host
name to decide if it is an IPv4 address. This was not RFC conformant. This
fix removes the possibility for use of IPv4 addresses with IPv6, e.g.
Thanks to Nicolas Fournil for reporting this issue.

Print a useful error message when single character options appear to be
merged in Socat invocation

Fixed some docu typos.
Thanks to Travis Wellman, Thomas <tjps636>, Dan Kenigsberg,
Julian Zinn, and Simon Matter

OpenSSL functions TLS1_client_method() and similar are
deprecated. Socat now uses recommended TLS_client_method(). The old
functions and dependent option openssl-method can still be
used when configuring socat with --enable-openssl-method

Shell scripts in socat distribution are now headed with:
to make them better portable to systems without /bin/bash
Thanks to Maya Rashish for sending a patch

RES_AAONLY, RES_PRIMARY are deprecated. You can still enable them with
configure option --enable-res-deprecated.

New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat.
Solution: clear SSL_MODE_AUTO_RETRY when it is set.

Renamed configure.in to configure.ac and set an appropriate symlink for
Related Gentoo bug 426262: Warning on configure.in
Thanks to Francesco Turco for reporting that warning.

Fixed new IPv6 range code for platforms without s6_addr32 component.

test.sh: Show a warning when phase-1 (insecure phase) of a security

OpenSSL tests failed on actual Linux distributions. Measures:
Increased key lengths from 768 to 1024 bits
Added test.sh option -C to delete temp certs from previous runs
Provide DH-parameter in certificate in PEM
OpenSSL s_server option -verify 0 must be omitted
OpenSSL authentication method aNULL no longer works
Failure of cipher aNULL is not a failure
Failure of methods SSL3 and SSL23 is desired

test.sh depended on ifconfig and netstat utilities which are no longer
available in some distributions. test.sh now checks for and prefers
Thanks to Ruediger Meier for reporting this problem.

More corrections to test.sh:
Language settings could still influence test results
netstat was still required
Suppress usleep deprecated message
Force use of IPv4 with some certificates
Set timeout for UDPxMAXCHILDREN tests

Added missing Config/Makefile.DragonFly-2-8-2,
Config/config.DragonFly-2-8-2.h
Removed testcert.conf (to be generated by test.sh)

Simplified handling of missing termios defines.

Permit combined -d options as -dd etc.

ext2 options are now fs options.

####################### V 1.7.3.2:
SIGSEGV and other signals could lead to a 100% CPU loop

Failing name resolution could lead to SIGSEGV
Thanks to Max for reporting this issue.

Include <stddef.h> for ptrdiff_t
Thanks to Jeroen Roovers for reporting this issue.

Building with --disable-sycls failed due to missing sslcls.h defines

Socat hung when configured with --disable-sycls.

Some minor corrections with includes etc.

Option so-reuseport did not work. Thanks to Some Raghavendra Prabhu

Programs invoked with EXEC, nofork, and -u or -U had stdin and stdout
Test: EXEC_NOFORK_UNIDIR
Thanks to David Reiss for reporting this problem.

Socat exited with status 0 even when a program invoked with SYSTEM or
Tests: SYSTEM_RC EXEC_RC
Issue reported by Felix Winkelmann.

AddressSanitizer reported a few buffer overflows (false positives).
Nevertheless fixed Socat source.
Issue reported by Hanno Böck.

Socat did not use option ipv6-join-group.
Test: USE_IPV6_JOIN_GROUP
Thanks to Linus Lüssing for sending a patch.

UDP-LISTEN did not honor the max-children option.
Test: UDP4MAXCHILDREN UDP6MAXCHILDREN
Thanks to Leander Berwers for reporting this issue.

Options so-rcvtimeo and so-sndtimeo do not work with poll()/select()
and therefore were useless.
Thanks to Steve Borenstein for reporting this issue.

Option dhparam was documented as dhparams. Added the alias name
dhparams to fix this.
Thanks to Alexander Neumann for sending a patch.

Options shut-down and shut-close did not work.
Thanks to Stefan Schimanski for providing a patch.

There was a bug in printing readline log message caused by a misleading
Thanks to Paul Wouters for reporting.

The internal vsnprintf_r function looped or crashed on size parameter
with hexadecimal output.

Ignore exit code of child process when it was killed by master due to

Corrected byte order on read of IPV6_TCLASS value from ancillary

Fixed type of the bool element in options. This bug had caused failures
e.g. of ignoreeof on big-endian systems when bool was not based on int.

On systems with predefined bool type whose size differs from int some
IPv6 and TCP options (per setsockopt()) failed.

Length of integral data in ancillary messages varies (TOS: 1 byte,
TTL: 4 bytes), the old implementation failed for TTL on big-endian

Fixed an issue in options processing: TUN and DNS flags had failed on
big-endian systems and the NO- forms had probably never worked.

Type conflict between int and sig_atomic_t between declaration and
definition of diag_immediate_type and diag_immediate_exit broke
compilation on FreeBSD 10.1 with clang. Thanks to Emanuel Haupt for

Socat failed to compile on platforms with OpenSSL without
DTLSv1_client_method or DTLSv1_server_method.
Thanks to Simon Matter for sending a patch.

NuttX OS headers do not provide struct ip, thus socat did not compile.
Made struct ip subject to configure.
Thanks to SP for reporting this issue.

Socat failed to compile with OpenSSL version 1.0.2d where
SSLv3_server_method and SSLv3_client_method are no longer defined.
Thanks to Mischa ter Smitten for reporting this issue and providing

configure checked for OpenSSL EC_KEY assuming it is a define but it
is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
Thanks to Andrey Arapov for reporting this bug.

Changes to make socat compile with OpenSSL 1.1.
Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
providing the base patch.

Make Socat compatible with BoringSSL.
Thanks to Matt Braithwaite for providing a patch.

OpenSSL: Use RAND_status to determine PRNG state
Thanks to Adam Langley for providing a patch

AIX-7 uses an extended O_ACCMODE that does not fit socat's internal
requirements. Thanks to Garrick Trowsdale for providing a patch

LibreSSL support: check for OPENSSL_NO_COMP
Thanks to Bernard Spil for providing a patch

socks4echo.sh and socks4a-echo.sh hung with new bash with read -n

test.sh: stderr; option -v (verbose); FDOUT_ERROR description

improved proxy.sh - it now also takes hostnames

A few corrections in test.sh

DTLS1 test hangs on some distributions. Test is now only performed
with OpenSSL 1.0.2 or higher.

More corrections to test.sh that reveal a mistake with IPV6_TCLASS

Corrected source of socat man page to correctly show man references
like socket(2); removed obsolete entries from See Also

Docu and some comments mentioned addresses SSL-LISTEN and SSL-CONNECT
that do not exist (OPENSSL-LISTEN, SSL-L; and OPENSSL-CONNECT, SSL
Thanks to Zhigang Wang for reporting this issue.

Fixed a couple of English spelling and grammar mistakes.
Thanks to Jakub Wild for sending the patches.

NOEXPAND() was not resolved 2 times.

More minor docu corrections

Added contributors to copyright notices. Suggested by Matt Braithwaite.

####################### V 1.7.3.1:
Socat security advisory 8
A stack overflow vulnerability was found that can be triggered when
command line arguments (complete address specifications, host names,
file names) are longer than 512 bytes.
Successful exploitation might allow an attacker to execute arbitrary
code with the privileges of the socat process.
This vulnerability can only be exploited when an attacker is able to
inject data into socat's command line.
A vulnerable scenario would be a CGI script that reads data from clients
and uses (parts of) this data as hostname for a Socat invocation.
Credits to Takumi Akiyama for finding and reporting this issue.

Socat security advisory 7
In the OpenSSL address implementation the hard coded 1024 bit DH p
parameter was not prime. The effective cryptographic strength of a key
exchange using these parameters was weaker than the one one could get by
using a prime p. Moreover, since there is no indication of how these
parameters were chosen, the existence of a trapdoor that makes it possible
for an eavesdropper to recover the shared secret from a key exchange
that uses them cannot be ruled out.
Furthermore, 1024 bit is not considered sufficiently secure.
Fix: generated a new 2048 bit prime.
Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
Research (MSVR) for finding and reporting this issue.

####################### V 1.7.3.0:
Socat security advisory 6
CVE-2015-1379: Possible DoS with fork
Fixed problems with signal handling caused by use of not async signal
safe functions in signal handlers that could freeze socat, allowing
denial of service attacks.
Many changes in signal handling and the diagnostic messages system were
applied to make the code async signal safe but still provide detailed
logging from signal handlers:
Coded function vsnprintf_r() as async signal safe incomplete substitute
Coded function snprinterr() to replace %m in strings with a system error
Instead of gettimeofday() use clock_gettime() when available
Pass Diagnostic messages from signal handler per unix socket to the main
Use sigaction() instead of signal() for better control
Turn off nested signal handler invocations
Thanks to Peter Lobsinger for reporting and explaining this issue.

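The pattern listed in advisory 6 above, as an added example (not socat's code; diag_install, diag_flush, diag_handler and the struct diag_msg layout are hypothetical names constructed here). The handler is installed with sigaction() and a full signal mask so it cannot nest, calls only async-signal-safe functions, and hands the event over a UNIX socket pair to the main flow, which does the actual logging.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Message layout constructed for this example. */
struct diag_msg { int signum; pid_t pid; };

/* [0] is read by the main flow, [1] is written by the handler. */
static int diag_sock[2] = { -1, -1 };

/* Handler: only async-signal-safe calls (getpid, send). No printf,
   malloc, syslog or localtime; those may take locks that the
   interrupted code already holds, which freezes the process. */
static void diag_handler(int signum) {
    int saved_errno = errno;
    struct diag_msg m;

    m.signum = signum;
    m.pid = getpid();
    /* Non-blocking datagram socket: a full queue drops the message
       instead of blocking inside the handler. */
    (void)send(diag_sock[1], &m, sizeof(m), 0);
    errno = saved_errno;
}

/* Create the socket pair once and install the handler for signum. */
int diag_install(int signum) {
    struct sigaction sa;
    int i;

    if (diag_sock[0] < 0) {
        if (socketpair(AF_UNIX, SOCK_DGRAM, 0, diag_sock) < 0) return -1;
        for (i = 0; i < 2; ++i) {
            if (fcntl(diag_sock[i], F_SETFL, O_NONBLOCK) < 0) return -1;
            if (fcntl(diag_sock[i], F_SETFD, FD_CLOEXEC) < 0) return -1;
        }
    }
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = diag_handler;
    sigfillset(&sa.sa_mask);    /* block all signals while the handler runs */
    sa.sa_flags = SA_RESTART;   /* interrupted system calls are restarted */
    return sigaction(signum, &sa, NULL);
}

/* Main flow: drain queued messages and log them with ordinary stdio.
   Returns the number of messages; *last_signum gets the latest signal. */
int diag_flush(int *last_signum) {
    struct diag_msg m;
    int n = 0;

    while (recv(diag_sock[0], &m, sizeof(m), 0) == (ssize_t)sizeof(m)) {
        fprintf(stderr, "N signal %d received in process %ld\n",
                m.signum, (long)m.pid);
        if (last_signum != NULL) *last_signum = m.signum;
        ++n;
    }
    return n;
}

int main(void) {
    int sig = 0;
    int n;

    if (diag_install(SIGUSR1) < 0) return 1;
    raise(SIGUSR1);             /* handler runs before raise() returns */
    raise(SIGUSR1);
    n = diag_flush(&sig);
    printf("%d messages, last signal %d\n", n, sig);
    return 0;
}
```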
Red Hat issue 1019975: add TLS host name checks
OpenSSL client checks if the server certificate's names in
extensions/subjectAltName/DNS or in subject/commonName match the name
used to connect or the value of the openssl-commonname option.
Test: OPENSSL_CN_CLIENT_SECURITY

OpenSSL server checks if the client certificate's names in
extensions/subjectAltNames/DNS or subject/commonName match the value of
the openssl-commonname option when it is used.
Test: OPENSSL_CN_SERVER_SECURITY

Red Hat issue 1019964: socat now uses the system certificate store with
OPENSSL when neither options cafile nor capath are used

Red Hat issue 1019972: needs to specify OpenSSL cipher suites
Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
prevent downgrade attacks

OpenSSL addresses set a couple of environment variables from values in
peer certificate, e.g.:
SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER,
SOCAT_OPENSSL_X509_COMMONNAME,
SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS
Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_*

Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1
Tests: OPENSSL_METHOD_*

Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested

Added a new option termios-rawer for ptys.
Thanks to Christian Vogelgsang for pointing me to this requirement

Bind with ABSTRACT commands used non-abstract namespace (Linux).
Thanks to Denis Shatov for reporting this bug.

Fixed return value of nestlex()

Option ignoreeof on the right address hung.
Thanks to Franz Fasching for reporting this bug.

Address SYSTEM, when terminating, shut down its parent addresses,
e.g. an SSL connection which the parent assumed to still be active.
Test: SYSTEM_SHUTDOWN

Passive (listening or receiving) addresses with empty port field bound
to a random port instead of terminating with error.

configure with some combination of disable options produced config
files that failed to compile due to missing IPPROTO_TCP.
Thanks to Thierry Fournier for report and patch.

fixed a few minor bugs with OpenSSL in configure and with messages

Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime
is required. Thanks to Zhigang Wang for reporting and sending a patch.

Christophe Leroy provided a patch that fixes memory leaks reported by

Help for filan -L was bad, is now corrected to:
"follow symbolic links instead of showing their properties"

Address options fdin and fdout were silently ignored when not applicable
due to -u or -U option. Now these combinations are caught as errors.
Issue reported by Hendrik.

Added option termios-cfmakeraw that calls cfmakeraw() and is preferred
over option raw which is now obsolete. On SysV systems this call is
simulated by appropriate setting.
Thanks to Youfu Zhang for reporting issue with option raw.

Socat included <sys/poll.h> instead of POSIX <poll.h>
Thanks to John Spencer for reporting this issue.

Version 1.7.2.4 changed the check for gcc in configure.ac; this
broke cross compiling. The particular check gets reverted.
Thanks to Ross Burton and Danomi Manchego for reporting this issue.

Debian Bug#764251: Set the build timestamp to a deterministic time:
support external BUILD_DATE env var to allow to build reproducible

Joachim Fenkes provided a new adapted spec file.

Type bool and macros Min and Max are defined by socat which led to
compile errors when they were already provided by build framework.
Thanks to Liyu Liu for providing a patch.

David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h
support and appropriate files in Config/

Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h

Changes for Openindiana: define _XPG4_2, __EXTENSIONS__,
_POSIX_PTHREAD_SEMANTICS; and minor changes

Red Hat issue 1182005: socat 1.7.2.4 build failure missing

Socat failed to compile on PPC due to new requirements for
including <linux/errqueue.h> and a weakness in the conditional code.
Thanks to Michel Normand for reporting this issue.

In the man page the PTY example was badly formatted. Thanks to
J.F.Sebastian for sending a patch.

Added missing CVE ids to security issues in CHANGES

Do not distribute testcert.conf with socat source but generate it
(and new testcert6.conf) during test.sh run.

####################### V 1.7.2.4:
813 LISTEN based addresses applied some address options, e.g. so-keepalive,
814 to the listening file descriptor instead of the connected file
816 Thanks to Ulises Alonso for reporting this bug
818 make failed after configure with non gcc compiler due to missing
819 include. Thanks to Horacio Mijail for reporting this problem
821 configure checked for --disable-rawsocket but printed
822 --disable-genericsocket in the help text. Thanks to Ben Gardiner for
823 reporting and patching this bug
825 In xioshutdown() a wrong branch was chosen after RECVFROM type addresses.
827 Thanks to David Binderman for reporting this issue.
829 procan could not cleanly format ulimit values longer than 16 decimal
830 digits. Thanks to Frank Dana for providing a patch that increases field
833 OPENSSL-CONNECT with bind option failed on some systems, eg.FreeBSD, with
835 Thanks to Emile den Tex for reporting this bug.
837 Changed some variable definitions to make gcc -O2 aliasing checker happy
838 Thanks to Ilya Gordeev for reporting these warnings
840 On big endian platforms with type long >32bit the range option applied a
841 bad base address. Thanks to hejia hejia for reporting and fixing this bug.
843 Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()
845 Red Hat issue 1022063: out-of-range shifts on net mask bits
847 Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()
849 Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()
852 Red Hat issue 1021958: fixed a bug with faulty buffer/data length
853 calculation in xio-ascii.c:_xiodump()
855 Red Hat issue 1021972: fixed a missing NUL termination in return string
856 of sysutils.c:sockaddr_info() for the AF_UNIX case
858 fixed some typos and minor issues, including:
859 Red Hat issue 1021967: formatting error in manual page
861 UNIX-LISTEN with fork option did not remove the socket file system entry
862 when exiting. Other file system based passive address types had similar
863 issues or failed to apply options umask, user e.a.
864 Thanks to Lorenzo Monti for pointing me to this issue
867 Red Hat issue 1020203: configure checks fail with some compilers.
870 Performed changes for Fedora release 19
872 Adapted, improved test.sh script
874 Red Hat issue 1021429: getgroupent fails with large number of groups;
875 use getgrouplist() when available instead of sequence of calls to
878 Red Hat issue 1021948: snprintf API change;
879 Implemented xio_snprintf() function as wrapper that tries to emulate C99
880 behaviour on old glibc systems, and adapted all affected calls
883 Mike Frysinger provided a patch that supports long long for time_t,
884 socklen_t and a few other libc types.
886 Artem Mygaiev extended Cedril Priscal's Android build script with pty code
888 The check for fips.h required stddef.h
889 Thanks to Matt Hilt for reporting this issue and sending a patch
891 Check for linux/errqueue.h failed on some systems due to lack of
892 linux/types.h inclusion. Thanks to Michael Vastola for sending a patch.
894 autoconf now prefers configure.ac over configure.in
895 Thanks to Michael Vastola for sending a patch.
897 type of struct cmsghdr.cmsg is system dependent, determine it with
898 configure; some more print format corrections
901 libwrap always logs to syslog
903 added actual text version of GPLv2
905 ####################### V 1.7.2.3:
908 Socat security advisory 5
909 CVE-2014-0019: socat's PROXY-CONNECT address was vulnerable to a buffer
910 overflow with data from command line (see socat-secadv5.txt)
911 Credits to Florian Weimer of the Red Hat Product Security Team
913 ####################### V 1.7.2.2:
916 Socat security advisory 4
918 after refusing a client connection due to bad source address or source
919 port socat shutdown() the socket but did not close() it, resulting in
920 a file descriptor leak in the listening process, visible with lsof and
921 possibly resulting in EMFILE Too many open files. This issue could be
922 misused for a denial of service attack.
923 Full credits to Catalin Mitrofan for finding and reporting this issue.
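The descriptor leak described in security advisory 4, reproduced as an added example (not socat source code): socketpair() stands in for accept(), and all function names are this example's own. It counts open descriptors the way lsof would show them and runs the shutdown-only refusal into EMFILE under a lowered soft limit.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

#define SCAN_LIMIT 1024   /* descriptor numbers inspected by count_open_fds() */
#define MAX_CONN   256    /* upper bound on simulated connections */

/* Number of open descriptors below SCAN_LIMIT. */
int count_open_fds(void)
{
    int fd, n = 0;
    for (fd = 0; fd < SCAN_LIMIT; ++fd)
        if (fcntl(fd, F_GETFD) != -1)
            ++n;
    return n;
}

/* Behaviour described in the advisory: the connection is shut down,
 * but the descriptor stays allocated in the listening process. */
static void refuse_shutdown_only(int conn)
{
    shutdown(conn, SHUT_RDWR);
}

/* Corrected behaviour: shutdown() ends the conversation, close() frees the slot. */
static void refuse_and_close(int conn)
{
    shutdown(conn, SHUT_RDWR);
    close(conn);
}

/* Refuse n simulated clients; return how many descriptors the "listener" leaked. */
int simulate_refusals(int n, int do_close)
{
    int kept[MAX_CONN], done, i, leaked, before = count_open_fds();

    if (n > MAX_CONN) n = MAX_CONN;
    for (done = 0; done < n; ++done) {
        int sv[2];                       /* sv[0]: accepted socket, sv[1]: client */
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
            break;
        kept[done] = sv[0];
        if (do_close) refuse_and_close(sv[0]);
        else          refuse_shutdown_only(sv[0]);
        close(sv[1]);                    /* the refused client goes away */
    }
    leaked = count_open_fds() - before;
    if (!do_close)                       /* tidy up after measuring */
        for (i = 0; i < done; ++i) close(kept[i]);
    return leaked;
}

/* With the soft RLIMIT_NOFILE lowered to soft_limit, count the refusals the
 * shutdown-only listener survives before descriptor creation fails with EMFILE.
 * Returns -1 if the limit could not be set or EMFILE was not reached. */
int refusals_until_emfile(rlim_t soft_limit)
{
    struct rlimit old, low;
    int kept[MAX_CONN], n = 0, i, hit = 0;

    if (getrlimit(RLIMIT_NOFILE, &old) < 0) return -1;
    low = old;
    low.rlim_cur = soft_limit;
    if (setrlimit(RLIMIT_NOFILE, &low) < 0) return -1;
    while (n < MAX_CONN) {
        int sv[2];
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
            hit = (errno == EMFILE);     /* "Too many open files" */
            break;
        }
        refuse_shutdown_only(sv[0]);
        kept[n++] = sv[0];
        close(sv[1]);
    }
    for (i = 0; i < n; ++i) close(kept[i]);
    setrlimit(RLIMIT_NOFILE, &old);      /* restore the original soft limit */
    return hit ? n : -1;
}

int main(void)
{
    printf("leaked, shutdown only:    %d\n", simulate_refusals(50, 0));
    printf("leaked, shutdown + close: %d\n", simulate_refusals(50, 1));
    printf("refusals until EMFILE (soft limit 64): %d\n", refusals_until_emfile(64));
    return 0;
}
```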
925 ####################### V 1.7.2.1:
928 Socat security advisory 3
930 fixed a possible heap buffer overflow in the readline address. This bug
931 could be exploited when all of the following conditions were met:
932 1) one of the addresses is READLINE without the noprompt and without the
934 2) the other (almost arbitrary address) reads malicious data (which is
935 then transferred by socat to READLINE).
936 Workaround: when using the READLINE address apply option prompt or
938 Full credits to Johan Thillemann for finding and reporting this issue.
940 ####################### V 1.7.2.0:
943 when UNIX-LISTEN was applied to an existing file it failed as expected
944 but removed the file. Thanks to Bjoern Bosselmann for reporting this
947 fixed a bug where socat might crash when connecting to a unix domain
948 socket using address GOPEN. Thanks to Martin Forssen for bug report and
951 UDP-LISTEN would always set SO_REUSEADDR even without fork option and
952 when user set it to 0. Thanks to Michal Svoboda for reporting this bug.
954 UNIX-CONNECT did not support half-close. Thanks to Greg Hughes who
955 pointed me to that bug
957 TCP-CONNECT with option nonblock reported successful connect even when
960 address option ioctl-intp failed with "unimplemented type 26". Thanks
961 to Jeremy W. Sherman for reporting and fixing that bug
963 socat option -x did not print packet direction, timestamp etc; thanks
964 to Anthony Sharobaiko for sending a patch
966 address PTY does not take any parameters but did not report an error
969 Marcus Meissner provided a patch that fixes invalid output and possible
970 process crash when socat prints info about an unnamed unix domain
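An added example (not socat source code) for this entry and for Red Hat issue 1021972 above: printing an AF_UNIX address safely when sun_path carries no NUL terminator, when the socket is unnamed, or when the name is abstract. The output format and the helper format_constructed() are assumptions of this example, and the sample addresses are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Append one character; the buffer stays NUL-terminated at every step.
 * Returns the new logical length, which may exceed what fits (as snprintf does). */
static size_t put(char *buf, size_t buflen, size_t pos, char c)
{
    if (pos + 1 < buflen) {
        buf[pos] = c;
        buf[pos + 1] = '\0';
    }
    return pos + 1;
}

/* Render the name of an AF_UNIX address of salen bytes into buf.
 * Returns the untruncated length; a result >= buflen means truncation. */
size_t unix_addr_to_string(const struct sockaddr_un *sa, socklen_t salen,
                           char *buf, size_t buflen)
{
    static const char hex[] = "0123456789abcdef";
    static const char unnamed[] = "<unnamed>";
    const size_t hdr = offsetof(struct sockaddr_un, sun_path);
    size_t pos = 0, plen, i = 0;

    if (buflen > 0) buf[0] = '\0';
    if (sa == NULL || (size_t)salen <= hdr) {      /* no path bytes at all */
        for (i = 0; unnamed[i] != '\0'; ++i)
            pos = put(buf, buflen, pos, unnamed[i]);
        return pos;
    }
    if ((size_t)salen > sizeof(*sa))               /* never read past the struct */
        salen = (socklen_t)sizeof(*sa);
    plen = (size_t)salen - hdr;                    /* valid bytes of sun_path */

    if (sa->sun_path[0] == '\0') {
        pos = put(buf, buflen, pos, '@');          /* abstract name: NULs are data */
        i = 1;
    } else {
        /* Pathname: a terminator is optional, so search only the valid bytes. */
        const char *nul = memchr(sa->sun_path, '\0', plen);
        if (nul != NULL) plen = (size_t)(nul - sa->sun_path);
    }
    for (; i < plen; ++i) {
        unsigned char c = (unsigned char)sa->sun_path[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            pos = put(buf, buflen, pos, (char)c);
        } else {                                   /* escape as \xHH */
            pos = put(buf, buflen, pos, '\\');
            pos = put(buf, buflen, pos, 'x');
            pos = put(buf, buflen, pos, hex[c >> 4]);
            pos = put(buf, buflen, pos, hex[c & 15]);
        }
    }
    return pos;
}

/* Build a constructed sockaddr_un from raw path bytes and render it. */
size_t format_constructed(const char *path, size_t plen, char *buf, size_t buflen)
{
    struct sockaddr_un sa;
    const size_t hdr = offsetof(struct sockaddr_un, sun_path);

    memset(&sa, 0xAA, sizeof(sa));                 /* junk, so no accidental NUL */
    sa.sun_family = AF_UNIX;
    if (plen > sizeof(sa.sun_path)) plen = sizeof(sa.sun_path);
    memcpy(sa.sun_path, path, plen);
    return unix_addr_to_string(&sa, (socklen_t)(hdr + plen), buf, buflen);
}

int main(void)
{
    char out[256];

    format_constructed("/tmp/demo.sock", 14, out, sizeof(out));
    printf("pathname, no terminator: %s\n", out);
    format_constructed("", 0, out, sizeof(out));
    printf("unnamed:                 %s\n", out);
    format_constructed("\0sock\0x", 7, out, sizeof(out));
    printf("abstract:                %s\n", out);
    return 0;
}
```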
973 Michal Soltys reported the following problem and provided an initial
974 patch: when socat was interrupted, e.g. by SIGSTOP, and resumed during
975 data transfer only parts of the data might have been written.
977 Option o-nonblock in combination with large transfer block sizes
978 may result in partial writes and/or EAGAIN errors that were not handled
979 properly but resulted in data loss or process termination.
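The two entries above concern short writes, EINTR and EAGAIN. As an added example (not socat source code), here is a write loop that treats all three as normal outcomes, exercised by pushing constructed data through a non-blocking pipe to a forked reader that reports byte count and checksum. The names write_all, transfer_demo and the two structs are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct wstats { unsigned partial, eagain, eintr; };   /* what the loop absorbed */
struct result { unsigned long bytes, sum; };          /* reported by the reader */

/* Write exactly len bytes or return -1. A short count, EINTR and EAGAIN are
 * normal outcomes of write(), not errors, and none of them may drop data. */
ssize_t write_all(int fd, const void *buf, size_t len, struct wstats *st)
{
    const char *p = buf;
    size_t left = len;

    while (left > 0) {
        ssize_t n = write(fd, p, left);
        if (n >= 0) {
            if ((size_t)n < left) st->partial++;      /* kernel took only part */
            p += n;
            left -= (size_t)n;
        } else if (errno == EINTR) {
            st->eintr++;                              /* interrupted, retry */
        } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
            struct pollfd pfd;
            pfd.fd = fd; pfd.events = POLLOUT; pfd.revents = 0;
            st->eagain++;                             /* wait until writable again */
            if (poll(&pfd, 1, -1) < 0 && errno != EINTR) return -1;
        } else {
            return -1;                                /* a real error */
        }
    }
    return (ssize_t)len;
}

/* Child: drain the pipe, then report byte count and checksum. Never returns. */
static void reader_child(int in, int out)
{
    unsigned char chunk[4096];
    struct result r = {0, 0};

    for (;;) {
        ssize_t i, n = read(in, chunk, sizeof(chunk));
        if (n == 0) break;
        if (n < 0) { if (errno == EINTR) continue; _exit(1); }
        for (i = 0; i < n; ++i) r.sum += chunk[i];
        r.bytes += (unsigned long)n;
    }
    _exit(write(out, &r, sizeof(r)) == (ssize_t)sizeof(r) ? 0 : 1);
}

/* Push total constructed bytes through a non-blocking pipe to a forked reader.
 * Returns the byte count the reader saw, or -1 on any failure or mismatch. */
long transfer_demo(size_t total, struct wstats *st)
{
    int data[2], res[2];
    struct result r = {0, 0};
    unsigned long sum = 0;
    unsigned char *buf;
    ssize_t w, got;
    size_t i;
    pid_t pid;

    if ((buf = malloc(total)) == NULL) return -1;
    for (i = 0; i < total; ++i) { buf[i] = (unsigned char)(i * 31u + 7u); sum += buf[i]; }
    if (pipe(data) < 0) { free(buf); return -1; }
    if (pipe(res) < 0) { close(data[0]); close(data[1]); free(buf); return -1; }
    pid = fork();
    if (pid < 0) {
        close(data[0]); close(data[1]); close(res[0]); close(res[1]);
        free(buf);
        return -1;
    }
    if (pid == 0) { close(data[1]); close(res[0]); reader_child(data[0], res[1]); }
    close(data[0]);
    close(res[1]);
    fcntl(data[1], F_SETFL, fcntl(data[1], F_GETFL) | O_NONBLOCK);
    w = write_all(data[1], buf, total, st);
    close(data[1]);                                   /* EOF for the reader */
    got = read(res[0], &r, sizeof(r));
    close(res[0]);
    waitpid(pid, NULL, 0);
    free(buf);
    if (w != (ssize_t)total || got != (ssize_t)sizeof(r) || r.sum != sum) return -1;
    return (long)r.bytes;
}

int main(void)
{
    struct wstats st = {0, 0, 0};
    long seen = transfer_demo((size_t)4 << 20, &st);

    printf("reader saw %ld bytes; short writes %u, EAGAIN %u, EINTR %u\n",
           seen, st.partial, st.eagain, st.eintr);
    return seen < 0;
}
```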
981 Fixed a bug that could freeze socat when during assembly of a log
982 message a signal was handled that also printed a log message. socat
983 development had been aware that localtime() is not thread safe but had
984 only expected broken messages, not corrupted stack (glibc 2.11.1,
987 an internal store for child pids was susceptible to pid reuse which
988 could lead to sporadic data loss when both fork option and exec address
989 were used. Thanks to Tetsuya Sodo for reporting this problem and
992 OpenSSL server failed with "no shared cipher" when using cipher aNULL.
993 Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
994 for drawing my attention to this issue.
996 UDP-LISTEN slept 1s after accepting a connection. This is not required.
997 Thanks to Peter Valdemar Morch for reporting this issue
999 fixed a bug that could lead to error or socat crash after a client
1000 connection with option retry had been established
1002 fixed configure.in bug on net/if.h check that caused IF_NAMESIZE to be
1005 improved dev_t print format definition
1008 Cedril Priscal ported socat to Android (using Google's cross compiler).
1009 The port includes the socat_buildscript_for_android.sh script
1011 added check for component ipi_spec_dst in struct in_pktinfo so
1012 compilation does not fail on Cygwin (thanks to Peter Wagemans for
1013 reporting this problem)
1015 build failed on RHEL6 due to presence of fips.h; configure now checks
1016 for fipsld too. Thanks to Andreas Gruenbacher for reporting this
1019 check for netinet6/in6.h only when IPv6 is available and enabled
1021 don't fail to compile when the following defines are missing:
1022 IPV6_PKTINFO IPV6_RTHDR IPV6_DSTOPTS IPV6_HOPOPTS IPV6_HOPLIMIT
1023 Thanks to Jerry Jacobs for reporting this problem (Mac OS X Lion 10.7)
1025 check if define __APPLE_USE_RFC_2292 helps to enable IPV6_* (MacOSX
1026 Lion 7.1); thanks to Jerry Jacobs for reporting this problem and
1027 proposing a solution
1029 fixed compiler warnings on Mac OS X 64bit. Thanks to Guy Harris for
1030 providing the patch.
1032 corrections for OpenEmbedded, especially termios SHIFT values and
1033 ISPEED/OSPEED. Thanks to John Faith for providing the patch
1035 minor corrections to docu and test.sh resulting from local compilation
1038 fixed sa_family_t compile error on DragonFly. Thanks to Tony Young for
1039 reporting this issue and sending a patch.
1041 Ubuntu Oneiric: OpenSSL no longer provides SSLv2 functions; libutil.sh
1042 is now bsd/libutil.h; compiler warns on vars that are only written to
1045 added option max-children that limits the number of concurrent child
1046 processes. Thanks to Sam Liddicott for providing the patch.
1048 Till Maas added support for tun/tap addresses without IP address
1050 added an option openssl-compress that allows disabling the compression
1051 feature of newer OpenSSL versions. Thanks to Michael Hanselmann for
1052 providing this contribution (sponsored by Google Inc.)
1055 minor corrections in docu (thanks to Paggas)
1057 client process -> child process
1059 ####################### V 1.7.1.3:
1062 Socat security advisory 2
1064 fixed a stack overflow vulnerability that occurred when command
1065 line arguments (whole addresses, host names, file names) were longer
1067 Note that this could only be exploited when an attacker was able to
1068 inject data into socat's command line.
1069 Full credits to Felix Gröbert, Google Security Team, for finding and
1070 reporting this issue
1072 ####################### V 1.7.1.2:
1075 user-late and group-late, when applied to a pty, affected the system
1076 device /dev/ptmx instead of the pty (thanks to Matthew Cloke for
1077 pointing me to this bug)
1079 socat's openssl addresses failed with "nonblocking operation did not
1080 complete" when the peer performed a renegotiation. Thanks to Benjamin
1081 Delpy for reporting this bug.
1083 info message during socks connect showed bad port number on little
1084 endian systems due to wrong byte order (thanks to Peter M. Galbavy for
1085 bug report and patch)
1087 Debian bug 531078: socat execs children with SIGCHLD ignored; corrected
1088 to default. Thanks to Martin Dorey for reporting this bug.
1091 building socat on systems that predefined the CFLAGS environment to
1092 contain -Wall failed (esp. RedHat). Thanks to Paul Wouters for reporting
1093 this problem and to Simon Matter for providing the patch
1095 support for Solaris 8 and Sun Studio support (thanks to Sebastian
1096 Kayser for providing the patches)
1098 on some 64bit systems a compiler warning "cast from pointer to integer
1099 of different size" was issued on some option definitions
1101 added struct sockaddr_ll to union sockaddr_union to avoid "strict
1102 aliasing" warnings (problem reported by Paul Wouters)
1105 minor corrections in docu
1107 ####################### V 1.7.1.1:
1110 corrected the "fixed possible SIGSEGV" fix because SIGSEGV still might
1111 occur under those conditions. Thanks to Toni Mattila for first
1112 reporting this problem.
1114 ftruncate64 cut its argument to 32 bits on systems with 32 bit long type
1116 socat crashed on systems without setenv() (esp. SunOS up to Solaris 9);
1117 thanks to Todd Stansell for reporting this bug
1119 with unidirectional EXEC and SYSTEM a close() operation was performed
1120 on a random number which could result in hanging e.a.
1122 fixed a compile problem caused by size_t/socklen_t mismatch on 64bit
1125 docu mentioned option so-bindtodev but correct name is so-bindtodevice.
1126 Thanks to Jim Zimmerman for reporting.
1129 added environment variables example to doc/socat-multicast.html
1131 ####################### V 1.7.1.0:
1134 address options shut-none, shut-down, and shut-close allow control of
1135 socat's half close behaviour
1137 with address option shut-null socat sends an empty packet to the peer
1140 option null-eof changes the behaviour of sockets that receive an empty
1141 packet to see EOF instead of ignoring it
1143 introduced option names substuser-early and su-e, currently equivalent
1144 to option substuser (thanks to Mike Perry for providing the patch)
1147 fixed some typos and improved some comments
1149 ####################### V 1.7.0.1:
1152 fixed possible SIGSEGV in listening addresses when a new connection was
1153 reset by peer before the socket addresses could be retrieved. Thanks to
1154 Mike Perry for sending a patch.
1156 fixed a bug, introduced with version 1.7.0.0, that let client
1157 connections with option connect-timeout fail when the connections
1158 succeeded. Thanks to Bruno De Fraine for reporting this bug.
1160 option end-close "did not apply" to addresses PTY, SOCKET-CONNECT,
1161 and most UNIX-* and ABSTRACT-*
1163 half close of EXEC and SYSTEM addresses did not work for pipes and
1164 sometimes socketpair
1166 help displayed a wrong type for some options
1168 under some circumstances shutdown was called multiple times for the
1171 ####################### V 1.7.0.0:
1174 new address types SCTP-CONNECT and SCTP-LISTEN implement SCTP stream
1175 mode for IPv4 and IPv6; new address options sctp-maxseg and
1176 sctp-nodelay (suggested by David A. Madore; thanks to Jonathan Brannan
1177 for providing an initial patch)
1179 new address "INTERFACE" for transparent network interface handling
1180 (suggested by Stuart Nicholson)
1182 added generic socket addresses: SOCKET-CONNECT, SOCKET-LISTEN,
1183 SOCKET-SENDTO, SOCKET-RECVFROM, SOCKET-RECV, SOCKET-DATAGRAM allow
1184 protocol independent socket handling; all parameters are explicitly
1185 specified as numbers or hex data
1187 added address options ioctl-void, ioctl-int, ioctl-intp, ioctl-string,
1188 ioctl-bin for generic ioctl() calls.
1190 added address options setsockopt-int, setsockopt-bin, and
1191 setsockopt-string for generic setsockopt() calls
1193 option so-type now only affects the socket() and socketpair() calls,
1194 not the name resolution. so-type and so-prototype can now be applied to
1195 all socket based addresses.
1197 new address option "escape" allows breaking a socat instance even when
1198 raw terminal mode prevents ^C etc. (feature suggested by Guido Trotter)
1200 socat sets environment variables SOCAT_VERSION, SOCAT_PID, SOCAT_PPID
1201 for use in executed scripts
1203 socat sets environment variables SOCAT_SOCKADDR, SOCAT_SOCKPORT,
1204 SOCAT_PEERADDR, SOCAT_PEERPORT in LISTEN type addresses (feature
1205 suggested by Ed Sawicki)
1207 socat receives all ancillary messages with each received packet on
1208 datagram related addresses. The messages are logged in raw form with
1209 debug level, and broken down with info level. note: each type of
1210 ancillary message must be enabled by appropriate address options.
1212 socat provides the contents of ancillary messages received on RECVFROM
1213 addresses in appropriate environment variables:
1214 SOCAT_TIMESTAMP, SOCAT_IP_DSTADDR, SOCAT_IP_IF, SOCAT_IP_LOCADDR,
1215 SOCAT_IP_OPTIONS, SOCAT_IP_TOS, SOCAT_IP_TTL, SOCAT_IPV6_DSTADDR,
1216 SOCAT_IPV6_HOPLIMIT, SOCAT_IPV6_TCLASS
1218 the following address options were added to enable ancillary messages:
1219 so-timestamp, ip-pktinfo (not BSD), ip-recvdstaddr (BSD), ip-recverr,
1220 ip-recvif (BSD), ip-recvopts, ip-recvtos, ip-recvttl, ipv6-recvdstopts,
1221 ipv6-recverr, ipv6-recvhoplimit, ipv6-recvhopopts, ipv6-recvpathmtu,
1222 ipv6-recvpktinfo, ipv6-recvrthdr, ipv6-recvtclass
1224 new address options ipv6-tclass and ipv6-unicast-hops set the related
1227 STREAMS (UNIX System V STREAMS) can be configured with the new address
1228 options i-pop-all and i-push (thanks to Michal Rysavy for providing a
1232 some raw IP and UNIX datagram modes failed on BSD systems
1234 when UDP-LISTEN continued to listen after packet dropped by, e.g.,
1235 range option, the old listen socket would not be closed but a new one
1236 created. open sockets could accumulate.
1238 there was a bug in ip*-recv with bind option: it did not bind, and
1239 with the first received packet an error occurred:
1240 socket_init(): unknown address family 0
1241 test: RAWIP4RECVBIND
1243 RECVFROM addresses with FORK option hung after processing the first
1244 packet. test: UDP4RECVFROM_FORK
1246 corrected a few mistakes that caused compiler warnings on 64bit hosts
1247 (thanks to Jonathan Brannan e.a. for providing a patch)
1249 EXEC and SYSTEM with stderr injected socat messages into the data
1250 stream. test: EXECSTDERRLOG
1252 when the EXEC address got a string with consecutive spaces it created
1253 additional empty arguments (thanks to Olivier Hervieu for reporting
1254 this bug). test: EXECSPACES
1256 in ignoreeof polling mode socat also blocked data transfer in the other
1257 direction during the 1s wait intervals (thanks to Jorgen Cederlof for
1260 corrected alphabetical order of options (proxy-auth)
1262 some minor corrections
1264 improved test.sh script: more stable timing, corrections for BSD
1266 replaced the select() calls by poll() to cleanly fix the problems with
1267 many file descriptors already open
1269 socat option -lf did not log to file but to stderr
1271 socat did not compile on Solaris when configured without termios
1272 feature (thanks to Pavan Gadi for reporting this bug)
1275 socat compiles and runs on AIX with gcc (thanks to Andi Mather for his
1278 socat compiles and runs on Cygwin (thanks to Jan Just Keijser for his
1281 socat compiles and runs on HP-UX with gcc (thanks to Michal Rysavy for
1284 socat compiles and runs on MacOS X (thanks to Camillo Lugaresi for his
1288 filan -s prefixes output with FD number if more than one FD
1290 Makefile now supports datarootdir (thanks to Camillo Lugaresi for
1291 providing the patch)
1293 cleanup in xio-unix.c
1295 ####################### V 1.6.0.1:
1298 new make target "gitclean"
1300 docu source doc/socat.yo released
1303 exec:...,pty did not kill child process under some circumstances; fixed
1304 by correcting typo in xio-progcall.c (thanks to Ralph Forsythe for
1305 reporting this problem)
1307 service name resolution failed due to byte order mistake
1308 (thanks to James Sainsbury for reporting this problem)
1310 socat would hang when invoked with many file descriptors already opened
1311 fix: replaced FOPEN_MAX with FD_SETSIZE
1312 thanks to Daniel Lucq for reporting this problem.
1314 fixed bugs where sub processes would become zombies because the master
1315 process did not catch SIGCHLD. this affected addresses UDP-LISTEN,
1316 UDP-CONNECT, TCP-CONNECT, OPENSSL, PROXY, UNIX-CONNECT, UNIX-CLIENT,
1317 ABSTRACT-CONNECT, ABSTRACT-CLIENT, SOCKSA, SOCKS4A
1318 (thanks to Fernanda G Weiden for reporting this problem)
1320 fixed a bug where sub processes would become zombies because the master
1321 process caught SIGCHLD but did not wait(). this affected addresses
1322 UDP-RECVFROM, IP-RECVFROM, UNIX-RECVFROM, ABSTRACT-RECVFROM
1323 (thanks to Evan Borgstrom for reporting this problem)
1325 corrected option handling with STDIO; usecase: cool-write
1327 configure --disable-pty also disabled option waitlock
1329 fixed small bugs on systems with struct ip_mreq without struct ip_mreqn
1330 (thanks to Roland Illig for sending a patch)
1332 corrected name of option intervall to interval (old form still valid
1333 for us German speaking guys)
1335 corrected some print statements and variable names
1337 make uninstall did not uninstall procan
1339 fixed lots of weaknesses in test.sh
1341 corrected some bugs and typos in doc/socat.yo, EXAMPLES, C comments
1344 procan -c prints C defines important for socat
1346 added test OPENSSLEOF for OpenSSL half close
1348 ####################### V 1.6.0.0:
1351 new addresses IP-DATAGRAM and UDP-DATAGRAM allow versatile broadcast
1354 new option ip-add-membership for control of multicast group membership
1356 new address TUN for generation of Linux TUN/TAP pseudo network
1357 interfaces (suggested by Mat Caughron); associated options tun-device,
1358 tun-name, tun-type; iff-up, iff-promisc, iff-noarp, iff-no-pi etc.
1360 new addresses ABSTRACT-CONNECT, ABSTRACT-LISTEN, ABSTRACT-SENDTO,
1361 ABSTRACT-RECV, and ABSTRACT-RECVFROM for abstract UNIX domain addresses
1362 on Linux (requested by Zeeshan Ali); option unix-tightsocklen controls
1363 socklen parameter on system calls.
1365 option end-close for control of connection closing allows FD sharing
1368 range option supports form address:mask with IPv4
1370 changed behaviour of OPENSSL-LISTEN to require and verify client
1371 certificate per default
1373 options f-setlkw-rd, f-setlkw-wr, f-setlk-rd, f-setlk-wr allow finer
1374 grained locking on regular files
1376 uninstall target in Makefile (lack reported by Zeeshan Ali)
1379 fixed bug where only first tcpwrap option was applied; fixed bug where
1380 tcpwrap IPv6 check always failed (thanks to Rudolf Cejka for reporting
1381 and fixing this bug)
1383 filan (and socat -D) could hang when a socket was involved
1385 corrected PTYs on HP-UX (and maybe others) using STREAMS (inspired by
1388 correct bind with udp6-listen (thanks to Jan Horak for reporting this
1391 corrected filan.c peekbuff[0] which did not compile with Sun Studio Pro
1392 (thanks to Leo Zhadanovsky for reporting this problem)
1394 corrected problem with read data buffered in OpenSSL layer (thanks to
1395 Jon Nelson for reporting this bug)
1397 corrected problem with option readbytes when input stream stayed idle
1400 fixed a bug where a datagram receiver with option fork could fork two
1401 sub processes per packet
1404 moved documentation to new doc/ subdir
1406 new documents (kind of mini tutorials) are provided in doc/
1408 ####################### V 1.5.0.0:
1411 new datagram modes for udp, rawip, unix domain sockets
1413 socat option -T specifies inactivity timeout
1415 rewrote lexical analysis to allow nested socat calls
1417 addresses tcp, udp, tcp-l, udp-l, and rawip now support IPv4 and IPv6
1419 socat options -4, -6 and environment variables SOCAT_DEFAULT_LISTEN_IP,
1420 SOCAT_PREFERRED_RESOLVE_IP for control of protocol selection
1422 addresses ssl, ssl-l, socks, proxy now support IPv4 and IPv6
1424 option protocol-family (pf), esp. for openssl-listen
1426 range option supports IPv6 - syntax: range=[::1/128]
1428 option ipv6-v6only (ipv6only)
1430 new tcp-wrappers options allow-table, deny-table, tcpwrap-etc
1432 FIPS version of OpenSSL can be integrated - initial patch provided by
1433 David Acker. See README.FIPS
1435 support for resolver options res-debug, aaonly, usevc, primary, igntc,
1436 recurse, defnames, stayopen, dnsrch
1438 options for file attributes on advanced filesystems (ext2, ext3,
1439 reiser): secrm, unrm, compr, ext2-sync, immutable, ext2-append, nodump,
1440 ext2-noatime, journal-data etc.
1442 option cool-write controls severity of write failure (EPIPE,
1447 socat option -lh for hostname in log output
1449 traffic dumping provides packet headers
1451 configure.in became part of distribution
1453 socat's unpack directory now has full version, e.g. socat-1.5.0.0/
1455 corrected docu of option verify
1458 fixed tcpwrappers integration - initial fix provided by Rudolf Cejka
1460 exec with pipes,stderr produced error
1462 setuid-early was ignored with many address types
1464 some minor corrections
1466 ####################### V 1.4.3.1:
1469 PROBLEM: UNIX socket listen accepted only one (or a few) connections.
1470 FIX: do not remove listening UNIX socket in child process
1472 PROBLEM: SIGSEGV when TCP part of SSL connect failed
1473 FIX: check ssl pointer before calling SSL_shutdown
1475 In debug mode, show connect client port even when connect fails
1477 ####################### V 1.4.3.0:
1480 socat options -L, -W for application level locking
1482 options "lockfile", "waitlock" for address level locking
1485 option "readbytes" limits read length (Adam Osuchowski)
1487 option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)
1489 pty symlink, unix listen socket, and named pipe are per default removed
1490 after use; option unlink-close overrides this new behaviour and also
1491 controls removal of other socat generated files (Stefan Luethje)
1494 option "retry" did not work with tcp-listen
1496 EPIPE condition could result in a 100% CPU loop
1499 support systems without SHUT_RD etc.
1500 handle more size_t types
1501 try to find makedepend options with gcc 3 (richard/OpenMacNews)
1503 ####################### V 1.4.2.0:
1506 option "connect-timeout" limits wait time for connect operations
1507 (requested by Giulio Orsero)
1509 option "dhparam" for explicit Diffie-Hellman parameter file
1512 support for OpenSSL DSA certificates (Miika Komu)
1514 create install directories before copying files (Miika Komu)
1516 when exiting on signal, return status 128+signum instead of 1
1518 on EPIPE and ECONNRESET, only issue a warning (Santiago Garcia
1521 -lu could cause a core dump on long messages
1524 modifications to simplify using socat's features in applications
1526 ####################### V 1.4.1.0:
1529 option "wait-slave" blocks open of pty master side until a client
1530 connects, "pty-intervall" controls polling
1532 option -h as synonym to -? for help (contributed by Christian
1535 filan prints formatted time stamps and rdev (disable with -r)
1537 redirect filan's output, so stdout is not affected (contributed by
1540 filan option -L to follow symbolic links
1542 filan shows termios control characters
1545 proxy address no longer performs unsolicited retries
1547 filan -f no longer needs read permission to analyze a file (but still
1548 needs access permission to directory, of course)
1552 FreeBSD options noopt, nopush, md5sig
1553 OpenBSD options sack-disable, signature-enable
1554 HP-UX, Solaris options abort-threshold, conn-abort-threshold
1555 HP-UX options b900, b3600, b7200
1556 Tru64/OSF1 options keepinit, paws, sackena, tsoptena
1558 further corrections:
1559 address pty now uses ptmx as default if openpty is also available
1561 ####################### V 1.4.0.3:
1564 Socat security advisory 1
1566 fix to a syslog() based format string vulnerability that can lead to
1567 remote code execution. See advisory socat-adv-1.txt
1569 ####################### V 1.4.0.2:
1572 exec'd write-only addresses get a chance to flush before being killed
1574 error handler: print notice on error-exit
1576 filan printed wrong file type information
1578 ####################### V 1.4.0.1:
1581 socks4a constructed invalid header. Problem found, reported, and fixed
1582 by Thomas Themel, by Peter Palfrader, and by rik
1584 with nofork, don't forget to apply some process related options
1585 (chroot, setsid, setpgid, ...)
1587 ####################### V 1.4.0.0:
1590 simple openssl server (ssl-l), experimental openssl trust
1592 new options "cafile", "capath", "key", "cert", "egd", and "pseudo" for
1595 new options "retry", "forever", and "intervall"
1597 option "fork" for address TCP improves "gender changer"
1599 options "sigint", "sigquit", and "sighup" control passing of signals to
1600 sub process (thanks to David Shea who contributed to this issue)
1602 readline takes into account the prompt issued by the peer address
1604 options "prompt" and "noprompt" allow overriding readline's new
1607 readline supports invisible password with option "noecho"
1609 socat option -lp allows to set hostname in log output
1611 socat option -lu turns on microsecond resolution in log output
1615 before reading available data, check if writing on other channel is
1618 tcp6, udp6: support hostname specification (not only IP address), and
1619 map IP4 names to IP6 addresses
1621 openssl client checks server certificate per default
1623 support unidirectional communication with exec/system subprocess
1625 try to restore original terminal settings when terminating
1627 test.sh uses tmp dir /tmp/$USER/$$ instead of /tmp/$$
1629 socks4 failed on platforms where long does not have 32 bits
1630 (thanks to Peter Palfrader and Thomas Seyrat)
1632 hstrerror substitute wrote wrong messages (HP-UX, Solaris)
1634 proxy error message was truncated when answer contained multiple spaces
1638 compiles with AIX xlc, HP-UX cc, Tru64 cc (but might not link)
1640 ####################### V 1.3.2.2:
1643 PROXY CONNECT failed when the status reply from the proxy server
1644 contained more than one consecutive space. Problem reported by
1645 Alexandre Bezroutchko
1647 do not SIGSEGV when proxy address fails to resolve server name
1649 udp-listen failed on systems where AF_INET != SOCK_DGRAM (e.g. SunOS).
1650 Problem reported by Christoph Schittel
1652 test.sh only tests available features
1654 added missing IP and TCP options in filan analyzer
1656 do not apply stdio address options to both directions when in
1659 on systems lacking /dev/*random and egd, provide (weak) entropy from
1664 changes for HP-UX (VREPRINT, h_NETDB_INTERNAL)
1666 compiles on Tru64, FreeBSD (again), NetBSD, OpenBSD
1668 support for long long as st_ino type (Cygwin 1.5)
1670 compile on systems where pty can not be featured
1672 ####################### V 1.3.2.1:
1675 "final" solution for the ENOCHLD problem
1677 corrected "make strip"
1679 default gcc debug/opt is "-O" again
1681 check for /proc at runtime, even if configure found it
1683 src.rpm accidentally supported SuSE instead of RedHat
1685 ####################### V 1.3.2.0:
1688 option "nofork" connects an exec'd script or program directly
1689 to the file descriptors of the other address, circumventing the socat
1692 support for files >2GB, using ftruncate64(), lseek64(), stat64()
1694 filan has new "simple" output style (filan -s)
1698 options "binary" and "text" for controlling line termination on Cygwin
1699 file system access (hint from Yang Wu-Zhou)
1701 fix by Yang Wu-Zhou for the Cygwin "No Children" problem
1703 improved support for OSR: _SVID3; no IS_SOCK, no F_GETOWN (thanks to
1706 minor corrections to avoid warnings with gcc 3
1709 further corrections and minor improvements:
1710 configure script is generated with autoconf 2.57 (no longer 2.52)
1712 configure passes CFLAGS to Makefile
1714 option -??? for complete list of address options and their short forms
1716 program name in syslog messages is derived from argv[0]
1718 SIGHUP now prints notice instead of error
1720 EIO during read of pty now gives Notice instead of Error, and
1723 use of hstrerror() for printing resolver error messages
1725 setgrent() got required endgrent()
1727 ####################### V 1.3.1.0:
1730 integration of Wietse Venema's tcpwrapper library (libwrap)
1732 with "proxy" address, option "resolve" controls if hostname or IP
1733 address is sent in request
1735 option "lowport" establishes limited authorization for TCP and UDP
1738 improvement of .spec file for RPM creation (thanks to Gerd v. Egidy)
1739 An accompanying change in the numbering scheme results in an
1740 incompatibility with earlier socat RPMs!
1743 solved problems and bugs:
1744 PROBLEM: socat daemon terminated when the address of a connecting
1745 client did not match range option value instead of continuing to listen
1746 SOLVED: in this case, print warning instead of error to keep daemon
1749 PROBLEM: tcp-listen with fork sometimes left excessive number of zombie
1751 SOLVED: don't assume that each exiting child process generates SIGCHLD
1753 when converting CRNL to CR, socat converted to NL
1756 further corrections:
1757 configure script now disables features that depend on missing files
1758 making it more robust in "unsupported" environments
1760 server.pem permissions corrected to 600
1762 "make install" now does not strip; use "make strip; make install"
1763 if you like strip (suggested by Peter Bray)
1765 ####################### V 1.3.0.1:
1767 solved problems and bugs:
1768 PROBLEM: OPENSSL did not apply tcp, ip, and socket options
1769 SOLVED: OPENSSL now correctly handles the options list
1771 PROBLEM: CRNL to NL and CRNL to CR conversions failed when CRNL crossed
1773 SOLVED: these conversions now simply strip all CR's or NL's from input
1778 SunOS ptys now work on x86, too (thanks to Peter Bray)
1780 configure looks for freeware libs in /pkgs/lib/ (thanks to Peter Bray)
1783 further corrections:
1784 added WITH_PROXY value to -V output
1786 added compile dependencies of WITH_PTY and WITH_PROXY
1788 -?? did not print option group of proxy options
1790 corrected syntax for bind option in docu
1792 corrected an issue with stdio in unidirectional mode
1794 options socksport and proxyport support service names
1796 ftp.sh script supports proxy address
1798 man page no longer installed with execute permissions (thanks to Peter
1801 fixed a malloc call bug that could cause SIGSEGV or false "out of
1802 memory" errors on EXEC and SYSTEM, depending on program name length and
1805 ####################### V 1.3.0.0:
1808 proxy connect with optional proxy authentication
1810 combined hex and text dump mode, credits to Gregory Margo
1812 address pty applies options user, group, and perm to device
1815 solved problems and bugs:
1816 PROBLEM: option reuseport was not applied (BSD, AIX)
1817 SOLVED: option reuseport now in phase PASTSOCKET instead of PREBIND,
1818 credits to Jean-Baptiste Marchand
1820 PROBLEM: ignoreeof with stdio was ignored
1821 SOLVED: ignoreeof now works correctly with address stdio
1823 PROBLEM: ftp.sh did not use user supplied password
1824 SOLVED: ftp.sh now correctly passes password from command line
1826 PROBLEM: server.pem had expired
1827 SOLVED: new server.pem valid for ten years
1829 PROBLEM: socks notice printed wrong port on some platforms
1830 SOLVED: socks now uses correct byte-order for port number in notice
1833 further corrections:
1834 option name o_trunc corrected to o-trunc
1836 combined use of -u and -U is now detected and prevented
1838 made message system a little more robust against format string attacks
####################### V 1.2.0.0:
address pty for putting socat behind a new pseudo terminal that may
fake a serial line, modem etc.
experimental openssl integration
(it does not provide any trust between the peers because it does not
check certificates!)
options flock-ex, flock-ex-nb, flock-sh, flock-sh-nb to control all
locking mechanisms provided by flock()
options setsid and setpgid now available with all address types
option ctty (controlling terminal) now available for all TERMIOS
option truncate (a hybrid of open(.., O_TRUNC) and ftruncate()) is
replaced by options o-trunc and ftruncate=offset
option sourceport now available with TCP and UDP listen addresses to
restrict incoming client connections
unidirectional mode right-to-left (-U)
solved problems and bugs:
PROBLEM: addresses without required parameters but an option containing
a '/' were incorrectly interpreted as implicit GOPEN address
SOLVED: if an address does not have ':' separator but contains '/',
check if the slash is before the first ',' before assuming
ptys under SunOS work now due to use of stream options
further corrections:
with -d -d -d -d -D, don't print debug info during file analysis
####################### V 1.1.0.1:
.spec file for RPM generation
solved problems and bugs:
PROBLEM: GOPEN on socket did not apply option unlink-late
SOLUTION: GOPEN for socket now applies group NAMED, phase PASTOPEN
PROBLEM: with unidirectional mode, an unnecessary close timeout was
SOLUTION: in unidirectional mode, terminate without wait time
PROBLEM: using GOPEN on a unix domain socket failed for datagram
SOLUTION: when connect() fails with EPROTOTYPE, use a datagram socket
further corrections:
open() flag options had names starting with "o_", now corrected to "o-"
in docu, *-listen addresses were called *_listen
address unix now called unix-connect because it does not handle unix
in test.sh, apply global command line options with all tests
####################### V 1.1.0.0:
regular man page and html doc - thanks to kromJx for prototype
new address type "readline", utilizing GNU readline and history libs
address option "history-file" for readline
new option "dash" to "exec" address that allows starting login shells
syslog facility can be set per command line option
new address option "tcp-quickack", found in Linux 2.4
option -g prevents option group checking
filan and procan can print usage
procan prints rlimit infos
solved problems and bugs:
PROBLEM: raw IP socket SIGSEGV'ed when it had been shut down.
SOLVED: set eof flag of channel on shutdown.
PROBLEM: if channel 2 uses a single non-socket FD in bidirectional mode
and has data available while channel 1 reaches EOF, the data is
SOLVED: during one loop run, first handle all data transfers and
_afterwards_ handle EOF.
PROBLEM: despite option NONBLOCK, the connect() call blocked
SOLVED: option NONBLOCK is now applied in phase FD instead of LATE
PROBLEM: UNLINK options issued error when file did not exist,
SOLVED: failure of unlink() is only warning if errno==ENOENT
PROBLEM: TCP6-LISTEN required numeric port specification
SOLVED: now uses common TCP service resolver
PROBLEM: with PIPE, wrong FDs were shown for data transfer loop
SOLVED: retrieval of FDs now pays respect to PIPE peculiarities
PROBLEM: using address EXEC against an address with IGNOREEOF, socat
SOLVED: corrected EOF handling of sigchld
MacOS and old AIX versions now have pty
flock() now available on Linux (configure check was wrong)
named pipes were generated using mknod(), which requires root under BSD
now they are generated using mkfifo
further corrections:
lots of address options that were "forgotten" at runtime are now
option BINDTODEVICE now also called SO-BINDTODEVICE, IF
"make install" now installs binaries with ownership 0:0
####################### V 1.0.4.2:
solved problems and bugs:
PROBLEM: EOF of one stream caused close of other stream, giving it no
chance to go down regularly
SOLVED: EOF of one stream now causes shutdown of write part of other
PROBLEM: sending mail via socks address to qmail showed that crlf
option does not work
SOLVED: socks address applies PH_LATE options
PROBLEM: in debug mode, no info about socat and platform was issued
SOLVED: print socat version and uname output in debug mode
PROBLEM: invoking socat with -t and no following parameters caused
SOLVED: -t and -b now check next argv entry
PROBLEM: when opening of logfile (-lf) failed, no error was reported
and no further messages were printed
SOLVED: check result of fopen and print error message if it failed
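The first PROBLEM/SOLVED pair of this release (EOF on one stream now shuts down only the write part of the other) can be reproduced with two socket pairs. The C program below is an added illustration, not socat source; the function name and the "request"/"reply" payloads are constructed for the example.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed demo, not socat code: one request/reply through a relay.
 * half_close=1: on client EOF the relay only shuts down its write side
 * toward the server; half_close=0: it closes both sides at once.
 * Returns the number of reply bytes that reach the client, -1 on error. */
int reply_bytes(int half_close)
{
    int c[2], s[2];  /* c[0] client, c[1] relay | s[0] relay, s[1] server */
    char buf[64];
    ssize_t n, total = 0;
    signal(SIGPIPE, SIG_IGN);  /* writes to a closed peer fail with EPIPE */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, c) < 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, s) < 0) return -1;

    /* Client: send the request, signal EOF, keep the read side open. */
    if (write(c[0], "request", 7) != 7) return -1;
    shutdown(c[0], SHUT_WR);

    /* Relay: forward client data until EOF arrives from the client. */
    while ((n = read(c[1], buf, sizeof buf)) > 0)
        if (write(s[0], buf, (size_t)n) != n) return -1;
    if (half_close) shutdown(s[0], SHUT_WR);   /* pass EOF on, keep reading */
    else { close(s[0]); close(c[1]); }         /* tear down both streams */

    /* Server: read the request up to EOF, then answer and close. */
    while ((n = read(s[1], buf, sizeof buf)) > 0) { /* consume request */ }
    n = write(s[1], "reply", 5);   /* EPIPE here if the relay already closed */
    close(s[1]);

    /* Relay, half-close case: the reply direction is still alive. */
    if (half_close) {
        while ((n = read(s[0], buf, sizeof buf)) > 0)
            if (write(c[1], buf, (size_t)n) != n) return -1;
        close(s[0]); close(c[1]);
    }
    /* Client: count what arrives before EOF. */
    while ((n = read(c[0], buf, sizeof buf)) > 0) total += n;
    close(c[0]);
    return (int)total;
}

int main(void)
{
    printf("close: %d, half-close: %d\n", reply_bytes(0), reply_bytes(1));
    return 0;
}
```

With an immediate close the server's answer never reaches the client; with the half-close the reply direction drains before the relay goes down.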
address type UDP-LISTEN now supports option fork: it internally applies
socket option SO_REUSEADDR so a new UDP socket can bind to port after
`accepting´ a connection (child processes might live forever though)
(suggestion from Damjan Lango)
####################### V 1.0.4.1:
solved problems and bugs:
PROB: assert in libc caused an endless recursion
SOLVED: no longer catch SIGABRT
PROB: socat printed wrong verbose prefix for "right to left" packets
SOLVED: new parameter for xiotransfer() passes correct prefix
in debug mode, socat prints its command line arguments
in verbose mode, escape special characters and replace unprintables
with '.'. Patch from Adrian Thurston.
####################### V 1.0.4.0:
solved problems and bugs:
Debug output for lstat and fstat said "stat"
further corrections:
FreeBSD now includes libutil.h
option setsid with exec/pty
option setpgid with exec/pty
option ctty with exec/pty
gettimeofday in sycls.c (no use yet)
before Gethostbyname, invoke inet_aton for MacOSX
####################### V 1.0.3.0:
solved problems and bugs:
PROB: test 9 of test.sh (echo via file) failed on some platforms,
socat exited without error message
SOLVED: _xioopen_named_early(): preset statbuf.st_mode with 0
PROB: test 17 hung forever
REASON: child death before select loop did not result in EOF
SOLVED: check of existence of children before starting select loop
PROB: test 17 failed
REASON: child death triggered EOF before last data was read
SOLVED: after child death, read last data before setting EOF
PROB: filan showed that exec processes incorrectly had fd3 open
REASON: inherited open fd3 from main process
SOLVED: set CLOEXEC flag on pty fd in main process
PROB: help printed "undef" instead of group "FORK"
SOLVED: added "FORK" to group name array
PROB: fatal messages did not include severity classifier
SOLVED: added "F" to severity classifier array
PROB: IP6 addresses were printed incorrectly
SOLVED: removed type casts to unsigned short *
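The fd3 entry above describes a descriptor leaking across exec into the child program. The C program below is an added illustration, not socat code: the write end of a pipe stands in for the pty descriptor and `sleep` stands in for the EXEC program, both assumptions of the example.

```c
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed demo, not socat code. Returns 1 if a descriptor held by the
 * parent is still open in the exec'd child, 0 if exec closed it, -1 on
 * error. cloexec=1 sets FD_CLOEXEC before fork(), as the fix describes. */
int fd_leaks_into_exec(int cloexec)
{
    int p[2], ready, result = -1;
    char c;
    if (pipe(p) < 0) return -1;
    /* p[1] stands in for the parent's pty descriptor. */
    if (cloexec && fcntl(p[1], F_SETFD, FD_CLOEXEC) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: the EXEC program */
        close(p[0]);
        execlp("sleep", "sleep", "3", (char *)NULL);
        if (write(p[1], "x", 1) < 0) _exit(126);  /* report exec failure */
        _exit(127);
    }
    close(p[1]);  /* now only the child can hold the write end open */

    /* EOF within the timeout means exec closed the child's copy. */
    struct pollfd pfd = { .fd = p[0], .events = POLLIN };
    ready = poll(&pfd, 1, 1000);
    if (ready == 0)
        result = 1;                       /* still open: inherited */
    else if (ready > 0 && read(p[0], &c, 1) == 0)
        result = 0;                       /* EOF: closed at exec */
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    close(p[0]);
    return result;
}

int main(void)
{
    printf("without FD_CLOEXEC: %d, with FD_CLOEXEC: %d\n",
           fd_leaks_into_exec(0), fd_leaks_into_exec(1));
    return 0;
}
```

The same pipe trick is a quick way to audit any parent process for descriptors that its exec'd children should not be able to reach.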
further corrections:
socat catches illegal -l modes
corrected error message on setsockopt(linger)
option tabdly is of type uint
correction for UDP over IP6
more cpp conditionals, esp. for IP6 situations
better handling of group NAMED options with listening UNIX sockets
applyopts2 now includes last given phase
corrected option group handling for most address types
introduce dropping of inapplicable options (dropopts, dropopts2)
gopen now accepts socket and unix-socket options
exec and system now accept all socket and termios options
child process for exec and system addresses with option pty
improved descriptions and options for EXAMPLES
printf format for file mode changed to "0%03o" with length spec.
added va_end() in branch of msg()
changed phase of lock options from PASTOPEN to FD
support up to four early dying processes
xiosysincludes now includes sysincludes.h for non xio files
TYPE_DOUBLE, u_double
added getsid(), setsid(), send() to sycls
procan prints sid (session id)
mail.sh gets -f (from) option
new EXAMPLEs for file creation
gatherinfo.sh now tells about failures
test.sh can check for much more address/option combinations
ispeed, ospeed for termios on FreeBSD
getpgid() conditional for MacOS 10
added ranlib in Makefile.in for MacOS 10
disable pty option if no pty mechanism is available (MacOS 10)
now compiles and runs on MacOS 10 (still some tests fail)
setgroups() conditional for cygwin
sighandler_t defined conditionally
use gcc option -D_GNU_SOURCE