The per address parameters for OpenSSL overlapped in memory with socket
parameters. Magically this did not seem to cause problems except on
MacOS Catalina that reported errors like:
socat[3458] E Select(7, &0x80, NULL, NULL, {140392884396544.000000}):
Test: OPENSSL_PARA_OVERLAP
Thanks to Ryo Ota for reporting this bug.

Fixed a few minor coding issues

A VSOCK warning message was generated with all listening addresses
instead of only with VSOCK-LISTEN

When an OPENSSL-CONNECT client presented a certificate with IPv6
subject alternative name and the OPENSSL-LISTEN server had no commonname
option, the server crashed with SIGSEGV in xioip6_pton().
Test: OPENSSL_CLIENT_IP6_CN
Thanks to Vlad Slepukhin for reporting this issue and providing a patch

Corrected a typo in configure.ac that broke option --enable-openssl-base
Thanks to john1doe for reporting this issue.

Socat looped endlessly, not responding to SIGTERM, when a service name
(for port) could not be resolved.

Using options of NAMED group, e.g. chown, with abstract UNIX domain
sockets, produced errors because the function was applied with a normal
file system related call, e.g. chown(), using file "" (empty name). Instead of
chown(), Socat now uses fchown() on the file descriptor. However, such
a call usually has no real effect.
Thanks to Andreas Fink for reporting this issue.

Option -R did not only dump ("sniff") right-to-left, but also
left-to-right traffic to the given file.
Test: SNIFF_RIGHT_TO_LEFT
Thanks to 1314 gsf for reporting this bug and sending a patch.

Options -r and -R, when opening a named pipe that has no actual reader,
failed with "No such device or address". To solve this problem, Socat
now opens the pipe in rw mode.
Thanks to Cody J. Soultz for sending a patch.
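The FIFO behaviour behind this entry, shown as an added example rather than socat's implementation: a write-only, non-blocking open of a FIFO with no reader fails with ENXIO ("No such device or address"), while an O_RDWR open succeeds because the opener itself counts as a reader. The helpers open_dump_fifo and fifo_selftest are this example's own, and the FIFO is created under /tmp only for the demonstration. Caveat: O_RDWR on a FIFO is undefined by POSIX; the result described here is Linux behaviour.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* mkdtemp(3) and O_CLOEXEC on glibc with a strict -std flag */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Example helper (not socat's code): open a FIFO for dumping data.
   With O_WRONLY|O_NONBLOCK and no reader present, open(2) fails with ENXIO,
   which strerror() renders as "No such device or address"; a blocking
   O_WRONLY open would instead wait for a reader. O_RDWR succeeds at once
   because the opener itself counts as a reader (Linux behaviour; POSIX
   leaves O_RDWR on a FIFO undefined). Returns the fd or -1 with errno set. */
int open_dump_fifo(const char *path, int read_write) {
    int flags = read_write ? O_RDWR : (O_WRONLY | O_NONBLOCK);
    return open(path, flags | O_CLOEXEC);
}

/* Create a fresh FIFO under /tmp and try both modes while nobody reads it.
   Returns 1 when the write-only open failed with ENXIO and the rw open
   succeeded, 0 when the behaviour differed, -1 when the FIFO could not be set up. */
int fifo_selftest(void) {
    char dir[] = "/tmp/fifo-demo-XXXXXX";
    char path[64];
    int fd, wronly_errno = 0, rw_ok = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/pipe", dir);
    if (mkfifo(path, 0600) != 0) { rmdir(dir); return -1; }

    fd = open_dump_fifo(path, 0);            /* no reader: expect ENXIO */
    if (fd < 0) wronly_errno = errno; else close(fd);

    fd = open_dump_fifo(path, 1);            /* rw mode: no reader needed */
    if (fd >= 0) { rw_ok = 1; close(fd); }

    unlink(path);
    rmdir(dir);
    return (wronly_errno == ENXIO && rw_ok) ? 1 : 0;
}

int main(void) {
    int r = fifo_selftest();
    if (r < 0) { perror("fifo setup"); return 1; }
    printf("write-only open without reader fails with ENXIO and rw open succeeds: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The design point is that rw mode trades one failure mode for another: the dump file descriptor is always writable, but data written while no reader exists accumulates in the pipe buffer and a write beyond PIPE_BUF capacity blocks (or fails with EAGAIN in non-blocking mode) instead of the open failing up front.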
The call "socat -r - PIPE" traced to file ./- instead of issuing a

Print a message when readbytes option causes EOF

The ip-recverr option had no effect. Corrected and improved its
handling of ancillary messages, so it is able to analyze ICMP error

Prevent the TIMESTAMP tests from sporadically failing due to seconds

Fixed in test.sh a few issues reported by shellcheck

Added missing docu of OpenSSL options min-proto-version,

####################### V 1.7.4.1:

Socat 1.7.4.0 failed to compile especially on 32 bit systems.
Thanks to Wang Mingyu and others for sending a patch or reporting this

Under certain conditions OpenSSL stream connections, in particular bulk
data transfer in unidirectional mode, failed during transfer or near
its end with Connection reset by peer on receiver side.
This happened with Socat versions 1.7.3.3 to 1.7.4.0. Reasons were
lazy SSL shutdown handling on the sender side in combination with
SSL_MODE_AUTO_RETRY turned off.
Fix: After SSL_shutdown() but before socket shutdown call SSL_read()
Test: OPENSSL_STREAM_TO_SERVER
Fixes Red Hat issue 1870279.

####################### V 1.7.4.0:
Buffer size option (-b) is internally doubled for CR-CRLF conversion,
but not checked for integer overflow. This could lead to heap based
buffer overflow, assuming the attacker could provide this parameter.
Test: BLKSIZE_INT_OVERFL
Thanks to Lê Hiếu Bùi for reporting this issue and sending an
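The overflow-safe size computation this entry calls for, as an added example that is not socat's code: the helper doubles a requested transfer-buffer size only when the doubled value fits in size_t, and the argument parser rejects values that cannot be represented at all. The function names (xfer_buffer_size, parse_size_arg, alloc_xfer_buffer, size_arg_accepted) are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Example helper (not socat's code): size of a transfer buffer that is
   doubled internally so that CR -> CRLF expansion can never overrun it.
   Returns 0 with errno = ERANGE when the doubled size would not fit in
   size_t, instead of silently wrapping to a small value that malloc()
   would happily return and the copy loop would later overflow. */
size_t xfer_buffer_size(size_t requested) {
    if (requested == 0 || requested > SIZE_MAX / 2) {
        errno = ERANGE;
        return 0;
    }
    return requested * 2;
}

/* Parse a "-b"-style decimal argument without overflow or sign tricks:
   returns 1 and stores the value, 0 for malformed, negative or oversized input. */
int parse_size_arg(const char *arg, size_t *out) {
    char *end;
    unsigned long long v;
    if (arg == NULL || arg[0] < '0' || arg[0] > '9') return 0;
    errno = 0;
    v = strtoull(arg, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > (unsigned long long)SIZE_MAX) return 0;
    *out = (size_t)v;
    return 1;
}

/* Allocate the doubled buffer; NULL if the size is rejected or malloc fails.
   *allocated receives the real allocation size so later bounds checks use it. */
unsigned char *alloc_xfer_buffer(size_t requested, size_t *allocated) {
    size_t n = xfer_buffer_size(requested);
    if (n == 0) return NULL;
    unsigned char *buf = malloc(n);
    if (buf != NULL && allocated != NULL) *allocated = n;
    return buf;
}

/* 1 if the textual argument parses and yields a safe buffer size, else 0. */
int size_arg_accepted(const char *arg) {
    size_t req;
    return parse_size_arg(arg, &req) && xfer_buffer_size(req) != 0;
}

int main(void) {
    /* Constructed inputs: a normal size, 2^64-1, zero, garbage. */
    const char *inputs[] = { "8192", "18446744073709551615", "0", "12x" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        size_t req, got = 0;
        if (!parse_size_arg(inputs[i], &req)) {
            printf("%s: rejected (malformed or too large to parse)\n", inputs[i]);
            continue;
        }
        unsigned char *b = alloc_xfer_buffer(req, &got);
        if (b == NULL)
            printf("%s: rejected (%s)\n", inputs[i],
                   errno == ERANGE ? "doubling would overflow" : "out of memory");
        else {
            printf("%s: allocated %zu bytes\n", inputs[i], got);
            free(b);
        }
    }
    return 0;
}
```

The check belongs at the point where the user value is turned into an allocation size, not at the copy loop: once a wrapped size has reached malloc(), every later length computation inherits the wrong value.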
Socat's address parser read over end of string when there were unbalanced
Test: UNBALANCED_QUOTE

Removed unused usleep() call from sycls.c

Unsetenv() was conditional in sysutils.c but not in xio-openssl.c thus
building failed on Solaris 9.
Thanks to Greg Earle for reporting this issue and providing a patch.

Mitigated race condition of quickly terminating SYSTEM or EXEC child

Option o-direct might require alignment of read/write buffer to, e.g.,
512 bytes, Socat now takes care of this when allocating the buffer.
With this fix read() succeeds, however, write() still might fail when
not writing complete pages.

There was a race condition in the way Socat UDP-RECVFROM and similar
addresses with option fork prevent one packet from triggering
multiple processes. The symptom was that the Socat master process seemed to
hang and did not process further packets. The fix makes use of the
pselect() system call.
Thanks to Fulvio Scapin for reporting this issue.

UNIX domain client addresses applied file system entry options (group
NAMED) to the server socket instead of the client (bind) socket entry.
Tests: UNIX_SENDTO_UNLINK UNIX_CONNECT_UNLINK
Thanks to Nico Williams for reporting this major issue.

Length of single address options was limited to 511 bytes. This value
is now increased to 2047 bytes.
Change suggested by Mario Camou.

Addresses of type RECVFROM with option fork looped with an error
message in case that the second address failed before consuming the
packet. The fix makes RECVFROM drop the packet when the second address
failed before reading it. Use retry or forever option with the second
address if you want to avoid data loss.
Thanks to Chunmei Xu for reporting this issue and providing the patch.

Socat's DTLS implementation has been reworked and appears to work now
New addresses: OPENSSL-DTLS-SERVER (DTLS-L),
OPENSSL-DTLS-CLIENT (DTLS)
Tests: OPENSSL_DTLS_CLIENT OPENSSL_DTLS_SERVER
OPENSSL_METHOD_DTLS1 OPENSSL_METHOD_DTLS1.2
Thanks to Brandon Carpenter, Qing Wan, and Pavel Nakonechnyi for

filan did not output the socket protocol.
filan -s assumed each stream socket to be TCP and each datagram socket
to be UDP. Now it uses SO_PROTOCOL and getprotoent() for correct output.

Help text showed two parameters for UDP4-RECVFROM address, but only
Thanks to John the Scott for reporting this issue.

Error messages from SSL_read() and SSL_write() sometimes stated
SSL_connect instead of originating function name.

Fixed some more non functional minor issues.

In gcc version 10 the default changed from -fcommon to -fno-common.
Consequently, linking filan and procan failed with error
"multiple definition of `deny_severity'" and `allow_severity'
Fixed by removing definitions in filan.c and procan.c
Thanks to László Böszörményi and others for reporting this issue.

Solaris 9 does not provide strndup(); added substitute code.
Thanks to Greg Earle for providing a patch.

Added configure option --enable-openssl-base to specify the location of
a non-OS OpenSSL installation

There are systems whose kernel understands SCTP but getaddrinfo does
not. As workaround after EAI_SOCKTYPE on name and service resolution
fall back to ai_socktype=0; if it fails with EAI_SERVICE, set
ai_protocol=0 and try again
Test: SCTP_SERVICENAME

Per file filesystem options were still named ext2-* and depended on
<linux/ext2_fs.h>. Now they are called fs-* and depend on <linux/fs.h>.
These fs-* options are also available on old systems with ext2_fs.h

New options openssl-min-proto-version (min-version) and
openssl-max-proto-version (max-version) give access to the related
OpenSSL set-macros and substitute deprecated version-specific methods.
Test: OPENSSL_MIN_VERSION

With OpenSSL use OPENSSL_init_SSL when available, instead of deprecated

With OPENSSL_API_COMPAT=0x10000000L the files openssl/dh.h, openssl/bn.h
must explicitly be included.
Thanks to Rosen Penev for reporting and sending a patch.

test.sh now produces a list of tests that could not be performed for
any reason. This helps to analyse these cases.

OpenSSL s_server apparently started to neglect TCP's half close feature.
Test OPENSSL_TCP4 has been changed to tolerate this.

OpenSSL changed its behaviour when connection is rejected. Tests
OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and
OPENSSL_CN_SERVER_SECURITY now tolerate this.

OpenSSL no longer allows explicit renegotiation with TLSv1.3, thus the
appropriate tests failed.
Fix: use TLSv1.2 for renegotiation tests
Tests: OPENSSLRENEG1 OPENSSLRENEG2

Ubuntu 20.04 requires 2048 bit certificates with OpenSSL

Archlinux 2020 has no which command; its ip, ss commands have modified

More testing issues solved:
* ss to pipe might omit column separator
* UDP6MULTICAST_UNIDIR fails on newer Linux kernels
* renamed testaddrs() to testfeats(), and introduced new testaddrs()

GOPEN and UNIX-CLIENT addresses now support sockets of type SEQPACKET.
Test: GOPENUNIXSEQPACKET
Feature suggested by vi0oss.

The generic setsockopt-int and related options are, in case of
listening/accepting addresses, applied to the connected socket(s). To enable
setting options on the listening socket, a new option setsockopt-listen
has been implemented. See the documentation for info on data types.
Tests: SETSOCKOPT SETSOCKOPT_LISTEN
Thanks to Steven Danna and Korian Edeline for reporting this issue.

Filan option -S gives short description like -s but with improved

Socat OpenSSL client, when server was specified using IP address, did
not verify connection on the certificate's SubjectAltName IP entries.
Tests: OPENSSL_SERVERALTAUTH OPENSSL_SERVERALTIP4AUTH OPENSSL_SERVERALTIP6AUTH
Fixes Red Hat bug 1805132

Added options -r and -R for raw dump of transferred data to files.
Test: OPTION_RAW_DUMP

Added option ip-transparent (socket option IP_TRANSPARENT)
Thanks to Wang Shanker for sending a patch.

OPENSSL-CONNECT now automatically uses the SNI feature, option
openssl-no-sni turns it off. Option openssl-snihost overrides the value
of option openssl-commonname or the server name.
Tests: OPENSSL_SNI OPENSSL_NO_SNI
Thanks to Travis Burtrum for providing the initial patch

New option accept-timeout (listen-timeout)

New option ip-add-source-membership
Feature inspired by Brian (b f31415)

INCOMPATIBLE CHANGE: Address UDP-DATAGRAM now does not check peerport
of replies, as it did up to version 1.7.3.4. Use option sourceport when
you need the old behaviour.
Test: UDP_DATAGRAM_SOURCEPORT
Feature inspired by Hans Bueckler for SSDP inquiry (for UPnP)

New option proxy-authorization-file reads PROXY-CONNECT credentials
from file and makes it possible to hide this data from the process
Thanks to Charles Stephens for sending an initial patch.

Added AF_VSOCK support with VSOCK-CONNECT and VSOCK-LISTEN addresses.
Developed by Stefano Garzarella.

Added printf formats for uint16_t etc.

Address UDP-RECV does not support option fork.
Thanks to Fulvio Scapin for reporting that mistake in docu.

TUN address documentation showed TCP for backend which may merge
consecutive packets which causes data loss.
Thanks to Tomasz Lakota for reporting this issue.

####################### V 1.7.3.4:
Header of xiotermios_speed() declared parameter unsigned int instead of
speed_t, thus compiling failed on MacOS
Thanks to Joe Strout and others for reporting this bug.
Thanks to Andrew Childs and others for sending a patch.

Under certain circumstances, termios options of the first address were
applied to the second address, resulting in error
"Inappropriate ioctl for device"
This affected version 1.7.3.3 only.
Thanks to Ivan J. for reporting this issue.

Socat failed to compile when no poll() system call was found by
Thanks to Jason White for sending a patch.

Due to use of SSL_CTX_clear_mode() Socat failed to compile on old
systems with, e.g., OpenSSL-0.9.8. Thanks to Simon Matter and Moritz B.
for reporting this problem and sending initial patches.

getaddrinfo() in IP4-SENDTO and IP6-SENDTO addresses failed with
"ai_socktype not supported" when protocol 6 was addressed.
The fix removes the possibility to use service names with SCTP.
Thanks to Sören for sending an initial patch.

Under certain circumstances, Socat printed the "socket ... is at EOF"

Newer parts of test.sh used substitutions ${x,,*} or ${x^^*} that are
not implemented in older bash versions.

####################### V 1.7.3.3:
Makefile.in did not specify dependencies of filan on vsnprintf_r.o
Added definition of FILAN_OBJS
Thanks to Craig Leres, Clayton Shotwell, and Chris Packham for

configure option --enable-msglevel did not work with numbers

The autoconf mechanism for determining SHIFT_OFFSET did not work when
Thanks to Max Freisinger from Gentoo for sending a patch.

Socat still depended on obsolete gethostbyname() function, thus
compiling with MUSL libc failed.
Problem reported by Kennedy33.

The async signal safe diagnostic system used FDs 3 and 4 internally, so
use of appropriate fdin or fdout led to failures.
Problem reported by Onur Sentürk.

The socket based mechanism for passing messages and signal information
from signal handler to process could reach and kill the wrong process.
Introduces functions diag_sock_pair(), diag_fork()
Thanks to Darren Zhao for analysing and reporting this problem.

Option ipv6-join-group did not work because it was applied in the wrong
Test: UDP6MULTICAST_UNIDIR
Thanks to Angus Gratton for sending a patch.

Setting ispeed and ospeed failed for some serial devices because the
two settings were applied with two different get/set cycles. Thanks to
Alexandre Fenyo for providing an initial patch.
However, the actual fix is part of a conceptual change of the termios
module that aims for applying all changes in a single tcsetattr() call.
Fixes FreeBSD Bug 198441

Termios options TAB0, TAB1, TAB2, TAB3, and XTABS did not have an effect.
Thanks to Alan Walters for reporting this bug.

Substituted cumbersome ISPEED_OFFSET mechanism for cfsetispeed() calls

With TCP6-LISTEN and the other passive IPv6 addresses the range option
just failed: due to a bug in the syntax parser and two more bugs in
the xiocheckrange_ip6() function.
The syntax has now been changed from "[::1/128]" to "[::1]/128"!
Thanks to Leah Neukirchen for sending an initial fix.

For name resolution Socat only checked the first character of the host
name to decide if it is an IPv4 address. This was not RFC conformant. This
fix removes the possibility for use of IPv4 addresses with IPv6, e.g.
Thanks to Nicolas Fournil for reporting this issue.

Print a useful error message when single character options appear to be
merged in Socat invocation
Test: SOCCAT_OPT_HINT

Fixed some docu typos.
Thanks to Travis Wellman, Thomas <tjps636>, Dan Kenigsberg,
Julian Zinn, and Simon Matter

OpenSSL functions TLS1_client_method() and similar are
deprecated. Socat now uses recommended TLS_client_method(). The old
functions and dependent option openssl-method can still be
used when configuring socat with --enable-openssl-method

Shell scripts in socat distribution are now headed with:
to make them better portable to systems without /bin/bash
Thanks to Maya Rashish for sending a patch

RES_AAONLY, RES_PRIMARY are deprecated. You can still enable them with
configure option --enable-res-deprecated.

New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat.
Solution: clear SSL_MODE_AUTO_RETRY when it is set.

Renamed configure.in to configure.ac and set an appropriate symlink for
Related Gentoo bug 426262: Warning on configure.in
Thanks to Francesco Turco for reporting that warning.

Fixed new IPv6 range code for platforms without s6_addr32 component.

test.sh: Show a warning when phase-1 (insecure phase) of a security

OpenSSL tests failed on actual Linux distributions. Measures:
Increased key lengths from 768 to 1024 bits
Added test.sh option -C to delete temp certs from previous runs
Provide DH-parameter in certificate in PEM
OpenSSL s_server option -verify 0 must be omitted
OpenSSL authentication method aNULL no longer works
Failure of cipher aNULL is not a failure
Failure of methods SSL3 and SSL23 is desired

test.sh depended on ifconfig and netstat utilities which are no longer
available in some distributions. test.sh now checks for and prefers
Thanks to Ruediger Meier for reporting this problem.

More corrections to test.sh:
Language settings could still influence test results
netstat was still required
Suppress usleep deprecated message
Force use of IPv4 with some certificates
Set timeout for UDPxMAXCHILDREN tests

Added missing Config/Makefile.DragonFly-2-8-2,
Config/config.DragonFly-2-8-2.h
Removed testcert.conf (to be generated by test.sh)

Simplified handling of missing termios defines.

Permit combined -d options as -dd etc.

ext2 options are now fs options.

####################### V 1.7.3.2:
SIGSEGV and other signals could lead to a 100% CPU loop

Failing name resolution could lead to SIGSEGV
Thanks to Max for reporting this issue.

Include <stddef.h> for ptrdiff_t
Thanks to Jeroen Roovers for reporting this issue.

Building with --disable-sycls failed due to missing sslcls.h defines

Socat hung when configured with --disable-sycls.

Some minor corrections with includes etc.

Option so-reuseport did not work. Thanks to Some Raghavendra Prabhu

Programs invoked with EXEC, nofork, and -u or -U had stdin and stdout
Test: EXEC_NOFORK_UNIDIR
Thanks to David Reiss for reporting this problem.

Socat exited with status 0 even when a program invoked with SYSTEM or
Tests: SYSTEM_RC EXEC_RC
Issue reported by Felix Winkelmann.

AddressSanitizer reported a few buffer overflows (false positives).
Nevertheless fixed Socat source.
Issue reported by Hanno Böck.

Socat did not use option ipv6-join-group.
Test: USE_IPV6_JOIN_GROUP
Thanks to Linus Lüssing for sending a patch.

UDP-LISTEN did not honor the max-children option.
Test: UDP4MAXCHILDREN UDP6MAXCHILDREN
Thanks to Leander Berwers for reporting this issue.

Options so-rcvtimeo and so-sndtimeo do not work with poll()/select()
and therefore were useless.
Thanks to Steve Borenstein for reporting this issue.

Option dhparam was documented as dhparams. Added the alias name
dhparams to fix this.
Thanks to Alexander Neumann for sending a patch.

Options shut-down and shut-close did not work.
Thanks to Stefan Schimanski for providing a patch.

There was a bug in printing readline log message caused by a misleading
Thanks to Paul Wouters for reporting.

The internal vsnprintf_r function looped or crashed on size parameter
with hexadecimal output.

Ignore exit code of child process when it was killed by master due to

Corrected byte order on read of IPV6_TCLASS value from ancillary

Fixed type of the bool element in options. This bug had caused failures
e.g. of ignoreeof on big-endian systems when bool was not based on int.

On systems with predefined bool type whose size differs from int some
IPv6 and TCP options (per setsockopt()) failed.

Length of integral data in ancillary messages varies (TOS: 1 byte,
TTL: 4 bytes), the old implementation failed for TTL on big-endian

Fixed an issue in options processing: TUN and DNS flags had failed on
big-endian systems and the NO- forms had probably never worked.

Type conflict between int and sig_atomic_t between declaration and
definition of diag_immediate_type and diag_immediate_exit broke
compilation on FreeBSD 10.1 with clang. Thanks to Emanuel Haupt for

Socat failed to compile on platforms with OpenSSL without
DTLSv1_client_method or DTLSv1_server_method.
Thanks to Simon Matter for sending a patch.

NuttX OS headers do not provide struct ip, thus socat did not compile.
Made struct ip subject to configure.
Thanks to SP for reporting this issue.

Socat failed to compile with OpenSSL version 1.0.2d where
SSLv3_server_method and SSLv3_client_method are no longer defined.
Thanks to Mischa ter Smitten for reporting this issue and providing

configure checked for OpenSSL EC_KEY assuming it is a define but it
is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
Thanks to Andrey Arapov for reporting this bug.

Changes to make socat compile with OpenSSL 1.1.
Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
providing the base patch.

Make Socat compatible with BoringSSL.
Thanks to Matt Braithwaite for providing a patch.

OpenSSL: Use RAND_status to determine PRNG state
Thanks to Adam Langley for providing a patch

AIX-7 uses an extended O_ACCMODE that does not fit socat's internal
requirements. Thanks to Garrick Trowsdale for providing a patch

LibreSSL support: check for OPENSSL_NO_COMP
Thanks to Bernard Spil for providing a patch

socks4echo.sh and socks4a-echo.sh hung with new bash with read -n

test.sh: stderr; option -v (verbose); FDOUT_ERROR description

improved proxy.sh - it now also takes hostnames

A few corrections in test.sh

DTLS1 test hangs on some distributions. Test is now only performed
with OpenSSL 1.0.2 or higher.

More corrections to test.sh that reveal a mistake with IPV6_TCLASS

Corrected source of socat man page to correctly show man references
like socket(2); removed obsolete entries from See Also

Docu and some comments mentioned addresses SSL-LISTEN and SSL-CONNECT
that do not exist (OPENSSL-LISTEN, SSL-L; and OPENSSL-CONNECT, SSL
Thanks to Zhigang Wang for reporting this issue.

Fixed a couple of English spelling and grammar mistakes.
Thanks to Jakub Wild for sending the patches.

NOEXPAND() was not resolved 2 times.

More minor docu corrections

Added contributors to copyright notices. Suggested by Matt Braithwaite.

####################### V 1.7.3.1:
Socat security advisory 8
A stack overflow vulnerability was found that can be triggered when
command line arguments (complete address specifications, host names,
file names) are longer than 512 bytes.
Successful exploitation might allow an attacker to execute arbitrary
code with the privileges of the socat process.
This vulnerability can only be exploited when an attacker is able to
inject data into socat's command line.
A vulnerable scenario would be a CGI script that reads data from clients
and uses (parts of) this data as hostname for a Socat invocation.
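A bounded, quote-aware token extractor as an added example for this advisory and for the unbalanced-quote entry in 1.7.4.0 (it is not socat's parser): it stops at the terminating NUL even inside an open quote and reports the imbalance instead of reading on, and it refuses to write more than the caller's buffer can hold instead of overflowing a fixed 512-byte buffer. The separator set, the escape rule and the helper names (extract_token, token_status, token_equals, long_arg_status) are this example's own choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum tok_status { TOK_OK = 0, TOK_UNBALANCED = -1, TOK_TOO_LONG = -2 };

/* Example code, not socat's parser. Extract one token from `in` into `out`
   (capacity outsz, always NUL terminated). A token ends at an unquoted
   separator from `seps` or at end of input. Double and single quotes group
   text; a backslash takes the next character literally, inside or outside
   quotes. Guarantees: never reads past the terminating NUL of `in` (an open
   quote or dangling escape at end of input is reported, not skipped) and
   never writes more than outsz bytes. On success *next points at the
   separator (or at the NUL). */
int extract_token(const char *in, const char *seps, char *out, size_t outsz, const char **next) {
    size_t o = 0;
    char quote = 0;
    const char *p = in;

    if (outsz == 0) return TOK_TOO_LONG;
    for (; *p != '\0'; p++) {
        char c = *p;
        if (quote) {
            if (c == quote) { quote = 0; continue; }
        } else {
            if (c == '"' || c == '\'') { quote = c; continue; }
            if (strchr(seps, c) != NULL) break;
        }
        if (c == '\\') {
            if (p[1] == '\0') { out[o] = '\0'; return TOK_UNBALANCED; }   /* dangling escape */
            c = *++p;
        }
        if (o + 1 >= outsz) { out[o] = '\0'; return TOK_TOO_LONG; }        /* keep room for NUL */
        out[o++] = c;
    }
    out[o] = '\0';
    if (quote) return TOK_UNBALANCED;
    if (next != NULL) *next = p;
    return TOK_OK;
}

/* Status of extracting the first ':' or ',' separated token into a buffer of outsz bytes. */
int token_status(const char *in, size_t outsz) {
    char buf[1024];
    if (outsz > sizeof buf) outsz = sizeof buf;
    return extract_token(in, ":,", buf, outsz, NULL);
}

/* 1 if the first token of `in` extracts cleanly and equals `expected`. */
int token_equals(const char *in, const char *expected) {
    char buf[512];
    return extract_token(in, ":,", buf, sizeof buf, NULL) == TOK_OK && strcmp(buf, expected) == 0;
}

/* Constructed over-long argument of n 'A's fed into a 512-byte buffer. */
int long_arg_status(size_t n) {
    char arg[2048];
    if (n >= sizeof arg) n = sizeof arg - 1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return token_status(arg, 512);
}

int main(void) {
    /* Constructed command-line fragments. */
    const char *samples[] = { "tcp:host.example.org:80", "\"a:b\":c", "host\\:name:80",
                              "\"unterminated", "trailing\\" };
    char tok[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int st = extract_token(samples[i], ":,", tok, sizeof tok, NULL);
        printf("%-26s -> status %2d token \"%s\"\n", samples[i], st, tok);
    }
    printf("600-byte argument into 512-byte buffer -> status %d\n", long_arg_status(600));
    return 0;
}
```

Two properties matter for the advisory: the output capacity is a parameter rather than a hidden constant, and the loop condition is the input's NUL, so neither a long argument nor a missing closing quote can move the read or write cursor outside its buffer.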
Credits to Takumi Akiyama for finding and reporting this issue.

Socat security advisory 7

In the OpenSSL address implementation the hard coded 1024 bit DH p
parameter was not prime. The effective cryptographic strength of a key
exchange using these parameters was weaker than what one could get by
using a prime p. Moreover, since there is no indication of how these
parameters were chosen, the existence of a trapdoor that makes it possible
for an eavesdropper to recover the shared secret from a key exchange
that uses them cannot be ruled out.
Furthermore, 1024 bit is not considered sufficiently secure.
Fix: generated a new 2048 bit prime.
Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
Research (MSVR) for finding and reporting this issue.

####################### V 1.7.3.0:
Socat security advisory 6
CVE-2015-1379: Possible DoS with fork
Fixed problems with signal handling caused by use of not async signal
safe functions in signal handlers that could freeze socat, allowing
denial of service attacks.
Many changes in signal handling and the diagnostic messages system were
applied to make the code async signal safe but still provide detailed
logging from signal handlers:
Coded function vsnprintf_r() as async signal safe incomplete substitute
Coded function snprinterr() to replace %m in strings with a system error
Instead of gettimeofday() use clock_gettime() when available
Pass Diagnostic messages from signal handler per unix socket to the main
Use sigaction() instead of signal() for better control
Turn off nested signal handler invocations
Thanks to Peter Lobsinger for reporting and explaining this issue.
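The diagnostic channel described above, as an added example that is not socat's own code: the signal handler only write(2)s a fixed-size record to a pre-opened AF_UNIX datagram socket pair, and the main loop reads it with select() and does all formatting outside signal context. sigaction() is installed with the signal itself in sa_mask so the handler cannot nest. The record carries the sender pid, which is what lets a forked child be told apart from its parent. The names diag_rec, diag_init, diag_read and diag_selftest are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* strsignal(3) on glibc with a strict -std flag */
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Fixed-size record the handler writes; no formatting happens in the handler. */
struct diag_rec {
    int   signum;       /* which signal fired */
    pid_t pid;          /* sender pid, so a forked child and its parent can be told apart */
    int   saved_errno;  /* errno at the time of the signal, for the log line */
};

static int diag_fds[2] = { -1, -1 };   /* [0]: read end (main loop), [1]: write end (handler) */

/* Async-signal-safe handler: a single write(2) on a pre-opened descriptor,
   and errno is preserved for the interrupted code. */
static void diag_handler(int signum) {
    int saved = errno;
    struct diag_rec rec;
    rec.signum = signum;
    rec.pid = getpid();
    rec.saved_errno = saved;
    /* A full datagram socket drops the record instead of blocking the handler. */
    (void)write(diag_fds[1], &rec, sizeof rec);
    errno = saved;
}

/* Create the channel and install the handler with sigaction(2). The signal is
   added to sa_mask so the handler is not re-entered while it runs; SA_RESTART
   keeps interrupted blocking calls going. Returns 0 on success, -1 on error. */
int diag_init(int signum) {
    struct sigaction sa;
    if (diag_fds[0] < 0 && socketpair(AF_UNIX, SOCK_DGRAM, 0, diag_fds) != 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = diag_handler;
    sigemptyset(&sa.sa_mask);
    sigaddset(&sa.sa_mask, signum);
    sa.sa_flags = SA_RESTART;
    return sigaction(signum, &sa, NULL);
}

/* Main-loop side: wait up to timeout_ms for a record; logging and formatting
   happen here, outside signal context. Returns 1 if a record was read,
   0 on timeout, -1 on error. */
int diag_read(struct diag_rec *out, int timeout_ms) {
    fd_set rfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    FD_ZERO(&rfds);
    FD_SET(diag_fds[0], &rfds);
    int r = select(diag_fds[0] + 1, &rfds, NULL, NULL, &tv);
    if (r <= 0) return r;
    ssize_t n = read(diag_fds[0], out, sizeof *out);
    return n == (ssize_t)sizeof *out ? 1 : -1;
}

/* Send SIGUSR1 to ourselves and read the record back; returns the signal
   number carried by the record, or -1 on failure. */
int diag_selftest(void) {
    struct diag_rec rec;
    if (diag_init(SIGUSR1) != 0) return -1;
    raise(SIGUSR1);
    if (diag_read(&rec, 1000) != 1) return -1;
    if (rec.pid != getpid()) return -1;
    return rec.signum;
}

int main(void) {
    int sig = diag_selftest();
    if (sig < 0) { perror("diag"); return 1; }
    printf("main loop received diagnostic record for signal %d (%s)\n", sig, strsignal(sig));
    return 0;
}
```

Everything that is not async-signal-safe (strsignal(), printf(), time formatting) runs in the reader, which is why the record is a plain struct and not a preformatted string.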
Red Hat issue 1019975: add TLS host name checks
OpenSSL client checks if the server certificate's names in
extensions/subjectAltName/DNS or in subject/commonName match the name
used to connect or the value of the openssl-commonname option.
Test: OPENSSL_CN_CLIENT_SECURITY

OpenSSL server checks if the client certificate's names in
extensions/subjectAltNames/DNS or subject/commonName match the value of
the openssl-commonname option when it is used.
Test: OPENSSL_CN_SERVER_SECURITY
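An added example of the name check described here and in the two SubjectAltName IP entries further up (IP SANs not verified when the server was given as an IP address in 1.7.4.0, and the SIGSEGV with an IPv6 SAN and no commonname option); it is not socat's implementation. The matcher treats an IP literal strictly as an iPAddress comparison in binary form (so "::1" equals "0:0:0:0:0:0:0:1" and never string-matches a DNS entry), checks dNSName entries case-insensitively with a single-label wildcard, consults the subject CN only when the certificate has no dNSName entry at all (RFC 6125 practice, stricter than a plain either/or check), and treats a missing comparison value as a mismatch instead of dereferencing it. The struct san representation and the DEMO_* constants are constructed for this example; real iPAddress SANs are octet strings, modelled here as text.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

/* Constructed representation of the names a peer certificate carries. In a real
   X.509 certificate iPAddress SANs are 4- or 16-octet strings; they are text here. */
enum san_kind { SAN_DNS, SAN_IP };
struct san { enum san_kind kind; const char *value; };

/* Case-insensitive dNSName comparison; a leading "*." matches exactly one label. */
static int dns_name_matches(const char *pattern, const char *name) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(name, '.');
        if (dot == NULL || dot == name) return 0;
        return strcasecmp(pattern + 1, dot) == 0;     /* compares ".example.net" */
    }
    return strcasecmp(pattern, name) == 0;
}

/* Parse an IPv4/IPv6 literal (IPv6 optionally in []) to bytes.
   Returns 4 or 16, or 0 when the text is not an IP address. */
static int parse_ip_literal(const char *text, unsigned char out[16]) {
    char buf[INET6_ADDRSTRLEN + 2];
    size_t n = strlen(text);
    if (n == 0 || n >= sizeof buf) return 0;
    if (text[0] == '[' && text[n - 1] == ']') {
        memcpy(buf, text + 1, n - 2);
        buf[n - 2] = '\0';
    } else {
        memcpy(buf, text, n + 1);
    }
    if (inet_pton(AF_INET, buf, out) == 1) return 4;
    if (inet_pton(AF_INET6, buf, out) == 1) return 16;
    return 0;
}

/* Does the certificate identify `expected` (the name used to connect, or the
   configured commonname)? Returns 1 on match, 0 otherwise; a NULL or empty
   comparison value is a mismatch, never a crash. */
int cert_matches_name(const struct san *sans, size_t nsans, const char *cn, const char *expected) {
    unsigned char want[16], have[16];
    int wlen, have_dns = 0;

    if (expected == NULL || expected[0] == '\0') return 0;
    wlen = parse_ip_literal(expected, want);          /* 0 means "a host name" */

    for (size_t i = 0; i < nsans; i++) {
        if (sans[i].value == NULL) continue;
        if (sans[i].kind == SAN_IP) {
            if (wlen == 0) continue;                   /* host names never match IP SANs */
            int hlen = parse_ip_literal(sans[i].value, have);
            if (hlen == wlen && memcmp(want, have, (size_t)wlen) == 0) return 1;
        } else {
            have_dns = 1;
            if (wlen == 0 && dns_name_matches(sans[i].value, expected)) return 1;
        }
    }
    /* subject/commonName is consulted only for host names and only when the
       certificate has no dNSName SAN at all (RFC 6125 practice). */
    if (wlen == 0 && !have_dns && cn != NULL && dns_name_matches(cn, expected)) return 1;
    return 0;
}

/* Constructed sample certificate contents for the demonstration below. */
const struct san DEMO_SANS[] = {
    { SAN_DNS, "www.example.org" },
    { SAN_DNS, "*.example.net" },
    { SAN_IP,  "192.0.2.10" },
    { SAN_IP,  "2001:db8::1" },
};
const size_t DEMO_NSANS = sizeof DEMO_SANS / sizeof DEMO_SANS[0];
const char *const DEMO_CN = "legacy.example.org";

int main(void) {
    const char *peers[] = { "www.example.org", "WWW.Example.ORG", "mail.example.net",
                            "a.b.example.net", "legacy.example.org", "192.0.2.10",
                            "[2001:db8:0: 0:0:0:0:1]", "2001:db8::2", "" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-26s -> %s\n", peers[i],
               cert_matches_name(DEMO_SANS, DEMO_NSANS, DEMO_CN, peers[i]) ? "match" : "NO MATCH");
    /* A certificate without any dNSName falls back to its CN. */
    printf("CN-only certificate, legacy.example.org -> %s\n",
           cert_matches_name(NULL, 0, DEMO_CN, "legacy.example.org") ? "match" : "NO MATCH");
    return 0;
}
```

Note that "[2001:db8:0: 0:0:0:0:1]" in the demo list contains a deliberate stray space and therefore fails to parse and does not match; the valid spelling "[2001:db8:0:0:0:0:0:1]" is what the checks below exercise.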
Red Hat issue 1019964: socat now uses the system certificate store with
OPENSSL when neither options cafile nor capath are used

Red Hat issue 1019972: needs to specify OpenSSL cipher suites
Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
prevent downgrade attacks

OpenSSL addresses set a couple of environment variables from values in
peer certificate, e.g.:
SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER,
SOCAT_OPENSSL_X509_COMMONNAME,
SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS
Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_*

Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1
Tests: OPENSSL_METHOD_*

Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested

Added a new option termios-rawer for ptys.
Thanks to Christian Vogelgsang for pointing me to this requirement

Bind with ABSTRACT commands used non-abstract namespace (Linux).
Thanks to Denis Shatov for reporting this bug.

Fixed return value of nestlex()

Option ignoreeof on the right address hung.
Thanks to Franz Fasching for reporting this bug.

Address SYSTEM, when terminating, shut down its parent addresses,
e.g. an SSL connection which the parent assumed to still be active.
Test: SYSTEM_SHUTDOWN

Passive (listening or receiving) addresses with empty port field bound
to a random port instead of terminating with error.

configure with some combination of disable options produced config
files that failed to compile due to missing IPPROTO_TCP.
Thanks to Thierry Fournier for report and patch.

fixed a few minor bugs with OpenSSL in configure and with messages

Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime
is required. Thanks to Zhigang Wang for reporting and sending a patch.

Christophe Leroy provided a patch that fixes memory leaks reported by

Help for filan -L was bad, is now corrected to:
"follow symbolic links instead of showing their properties"

Address options fdin and fdout were silently ignored when not applicable
due to -u or -U option. Now these combinations are caught as errors.
Issue reported by Hendrik.

Added option termios-cfmakeraw that calls cfmakeraw() and is preferred
over option raw which is now obsolete. On SysV systems this call is
simulated by appropriate setting.
Thanks to Youfu Zhang for reporting issue with option raw.

Socat included <sys/poll.h> instead of POSIX <poll.h>
Thanks to John Spencer for reporting this issue.

Version 1.7.2.4 changed the check for gcc in configure.ac; this
broke cross compiling. The particular check gets reverted.
Thanks to Ross Burton and Danomi Manchego for reporting this issue.

Debian Bug#764251: Set the build timestamp to a deterministic time:
support external BUILD_DATE env var to allow to build reproducible

Joachim Fenkes provided a new adapted spec file.

Type bool and macros Min and Max are defined by socat which led to
compile errors when they were already provided by build framework.
Thanks to Liyu Liu for providing a patch.

David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h
support and appropriate files in Config/

Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h

Changes for Openindiana: define _XPG4_2, __EXTENSIONS__,
_POSIX_PTHREAD_SEMANTICS; and minor changes

Red Hat issue 1182005: socat 1.7.2.4 build failure missing

Socat failed to compile on PPC due to new requirements for
including <linux/errqueue.h> and a weakness in the conditional code.
Thanks to Michel Normand for reporting this issue.

In the man page the PTY example was badly formatted. Thanks to
J.F.Sebastian for sending a patch.

Added missing CVE ids to security issues in CHANGES

Do not distribute testcert.conf with socat source but generate it
(and new testcert6.conf) during test.sh run.

####################### V 1.7.2.4:
LISTEN based addresses applied some address options, e.g. so-keepalive,
to the listening file descriptor instead of the connected file
Thanks to Ulises Alonso for reporting this bug

make failed after configure with non gcc compiler due to missing
include. Thanks to Horacio Mijail for reporting this problem

configure checked for --disable-rawsocket but printed
--disable-genericsocket in the help text. Thanks to Ben Gardiner for
reporting and patching this bug

In xioshutdown() a wrong branch was chosen after RECVFROM type addresses.
Thanks to David Binderman for reporting this issue.

procan could not cleanly format ulimit values longer than 16 decimal
digits. Thanks to Frank Dana for providing a patch that increases field

OPENSSL-CONNECT with bind option failed on some systems, e.g. FreeBSD, with
Thanks to Emile den Tex for reporting this bug.

Changed some variable definitions to make gcc -O2 aliasing checker happy
Thanks to Ilya Gordeev for reporting these warnings

On big endian platforms with type long >32bit the range option applied a
bad base address. Thanks to hejia hejia for reporting and fixing this bug.

Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()
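An added example (not socat's xiolog_ancillary_socket()) of walking ancillary data with the bounds check this entry names and with the width handling from the 1.7.3.2 entry above (TOS delivered as 1 byte, TTL as 4): each cmsghdr is checked to lie within msg_controllen before it is used, and integral payloads are copied at their delivered width instead of being cast to int*, which on a big-endian host would otherwise read a 1-byte TOS as a shifted 4-byte value. The control buffer is constructed by build_sample_control the way Linux's IP_RECVTTL/IP_RECVTOS deliver it; no network I/O takes place. Function names are this example's own.

```c
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Read an integral ancillary value at whatever width the kernel delivered
   (1 byte for TOS, 4 bytes for TTL), copying with memcpy instead of casting
   CMSG_DATA to int*. A cast would read 4 bytes from a 1-byte payload and,
   on big-endian hosts, leave the real byte in the most significant position.
   Returns 1 and stores the value, 0 if the payload width is unsupported. */
int cmsg_get_integer(const struct cmsghdr *cm, long *out) {
    size_t payload = cm->cmsg_len - CMSG_LEN(0);
    if (payload == 1) { uint8_t v; memcpy(&v, CMSG_DATA(cm), 1); *out = v; return 1; }
    if (payload == sizeof(int)) { int v; memcpy(&v, CMSG_DATA(cm), sizeof v); *out = v; return 1; }
    return 0;
}

/* Walk a control buffer with explicit bounds checks: every header must lie
   within msg_controllen and its cmsg_len must at least cover the header.
   Extracts IP_TTL and IP_TOS; returns the number of recognised entries, or -1
   if the buffer is malformed. */
int parse_ip_cmsgs(struct msghdr *msg, long *ttl, long *tos) {
    const unsigned char *end = (const unsigned char *)msg->msg_control + msg->msg_controllen;
    int found = 0;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(msg); cm != NULL; cm = CMSG_NXTHDR(msg, cm)) {
        const unsigned char *start = (const unsigned char *)cm;
        if (cm->cmsg_len < CMSG_LEN(0) || start + cm->cmsg_len > end) return -1;
        if (cm->cmsg_level != IPPROTO_IP) continue;
        if (cm->cmsg_type == IP_TTL && cmsg_get_integer(cm, ttl)) found++;
        else if (cm->cmsg_type == IP_TOS && cmsg_get_integer(cm, tos)) found++;
    }
    return found;
}

/* Constructed sample: the control buffer recvmsg(2) fills on Linux with
   IP_RECVTTL and IP_RECVTOS enabled (TTL as int, TOS as a single byte).
   Returns the number of bytes used, 0 if buflen is too small. */
size_t build_sample_control(unsigned char *buf, size_t buflen, int ttl, uint8_t tos) {
    struct msghdr msg;
    struct cmsghdr *cm;
    size_t need = CMSG_SPACE(sizeof(int)) + CMSG_SPACE(1);
    if (buflen < need) return 0;
    memset(buf, 0, buflen);
    memset(&msg, 0, sizeof msg);
    msg.msg_control = buf;
    msg.msg_controllen = need;
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = IPPROTO_IP; cm->cmsg_type = IP_TTL; cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &ttl, sizeof ttl);
    cm = CMSG_NXTHDR(&msg, cm);
    cm->cmsg_level = IPPROTO_IP; cm->cmsg_type = IP_TOS; cm->cmsg_len = CMSG_LEN(1);
    memcpy(CMSG_DATA(cm), &tos, 1);
    return need;
}

/* Build and parse the sample; returns ttl*1000 + tos so one value checks both, -1 on failure. */
long cmsg_selftest(int ttl, uint8_t tos) {
    unsigned char buf[128];
    struct msghdr msg;
    long got_ttl = -1, got_tos = -1;
    memset(&msg, 0, sizeof msg);
    msg.msg_control = buf;
    msg.msg_controllen = build_sample_control(buf, sizeof buf, ttl, tos);
    if (msg.msg_controllen == 0 || parse_ip_cmsgs(&msg, &got_ttl, &got_tos) != 2) return -1;
    return got_ttl * 1000 + got_tos;
}

/* Corrupt the constructed buffer so the first header claims a payload that
   extends past msg_controllen; the walker must return -1 rather than read it. */
int cmsg_overlong_rejected(void) {
    unsigned char buf[128];
    struct msghdr msg;
    long ttl = -1, tos = -1;
    memset(&msg, 0, sizeof msg);
    msg.msg_control = buf;
    msg.msg_controllen = build_sample_control(buf, sizeof buf, 64, 0x10);
    if (msg.msg_controllen == 0) return 0;
    CMSG_FIRSTHDR(&msg)->cmsg_len = CMSG_LEN(1000);
    return parse_ip_cmsgs(&msg, &ttl, &tos);
}

int main(void) {
    long v = cmsg_selftest(64, 0x10);
    if (v < 0) { puts("sample control buffer could not be parsed"); return 1; }
    printf("parsed TTL=%ld TOS=0x%02lx from the constructed control buffer\n", v / 1000, v % 1000);
    printf("control buffer with an over-long cmsg_len: %s\n",
           cmsg_overlong_rejected() == -1 ? "rejected" : "ACCEPTED (bug)");
    return 0;
}
```

The CMSG_* macros already refuse to step to a header that does not fit, but they do not validate the cmsg_len of the header you are currently looking at, which is why the explicit start + cmsg_len <= end check is needed before CMSG_DATA is dereferenced.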
Red Hat issue 1022063: out-of-range shifts on net mask bits
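The range check behind this entry, the base-address entry just above it, and the two IPv6 range entries in 1.7.3.3 (the "[::1]/128" syntax and the platforms without s6_addr32), as an added example that is not socat's implementation: the parser rejects the old "[::1/128]" form and prefix lengths beyond 32 or 128, and the mask is built byte by byte, so no 32-bit word is ever shifted by 32 and the code needs neither long arithmetic nor the s6_addr32 member. The IPv4 "a.b.c.d/bits" spelling and the function names are this example's assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed range: address family, base address bytes and prefix length. */
struct ip_range {
    int family;                 /* AF_INET or AF_INET6 */
    unsigned char base[16];
    int bits;                   /* 0..32 for IPv4, 0..128 for IPv6 */
};

/* Build a netmask byte by byte; never shifts a 32-bit word by 32 (undefined
   behaviour) and does not depend on the s6_addr32 union member. */
static void prefix_mask(int bits, unsigned char mask[16], int len) {
    for (int i = 0; i < len; i++) {
        int b = bits - 8 * i;
        mask[i] = b >= 8 ? 0xff : b <= 0 ? 0x00 : (unsigned char)(0xff << (8 - b));
    }
}

/* Parse "a.b.c.d/bits" or "[v6addr]/bits". Returns 1 on success, 0 on any
   error: unbalanced brackets, bad address, or prefix length out of range. */
int parse_ip_range(const char *spec, struct ip_range *r) {
    char addr[INET6_ADDRSTRLEN + 2];
    const char *slash;
    char *end;
    long bits;
    size_t alen;

    memset(r, 0, sizeof *r);
    if (spec == NULL) return 0;
    if (spec[0] == '[') {
        const char *close = strchr(spec, ']');
        if (close == NULL || close[1] != '/') return 0;      /* "[::1/128]" is rejected */
        alen = (size_t)(close - spec - 1);
        if (alen == 0 || alen >= sizeof addr) return 0;
        memcpy(addr, spec + 1, alen); addr[alen] = '\0';
        slash = close + 1;
        r->family = AF_INET6;
    } else {
        slash = strchr(spec, '/');
        if (slash == NULL) return 0;
        alen = (size_t)(slash - spec);
        if (alen == 0 || alen >= sizeof addr) return 0;
        memcpy(addr, spec, alen); addr[alen] = '\0';
        r->family = AF_INET;
    }
    if (inet_pton(r->family, addr, r->base) != 1) return 0;
    bits = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0') return 0;
    if (bits < 0 || bits > (r->family == AF_INET ? 32 : 128)) return 0;
    r->bits = (int)bits;
    return 1;
}

/* Is `addr_text` (an IP literal of the range's family) within the range? 1 yes, 0 no. */
int ip_in_range(const struct ip_range *r, const char *addr_text) {
    unsigned char a[16], mask[16];
    int len = r->family == AF_INET ? 4 : 16;
    if (inet_pton(r->family, addr_text, a) != 1) return 0;
    prefix_mask(r->bits, mask, len);
    for (int i = 0; i < len; i++)
        if ((a[i] & mask[i]) != (r->base[i] & mask[i])) return 0;
    return 1;
}

/* Parse and test in one step; -1 when the range specification is malformed. */
int range_check(const char *spec, const char *addr_text) {
    struct ip_range r;
    if (!parse_ip_range(spec, &r)) return -1;
    return ip_in_range(&r, addr_text);
}

int main(void) {
    /* Constructed cases: valid and old-style IPv6 syntax, IPv4 prefixes, /0, and an out-of-range /33. */
    const char *cases[][2] = {
        { "[::1]/128", "::1" }, { "[::1/128]", "::1" }, { "[2001:db8::]/32", "2001:db8:1::5" },
        { "10.0.0.0/8", "10.200.3.4" }, { "10.0.0.0/8", "11.0.0.1" }, { "0.0.0.0/0", "198.51.100.7" },
        { "192.0.2.0/33", "192.0.2.1" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-20s %-16s -> %d\n", cases[i][0], cases[i][1], range_check(cases[i][0], cases[i][1]));
    return 0;
}
```

Because the mask is derived per byte from the prefix length, /0 and /32 (or /128) are ordinary cases rather than the two edge values where a word-sized shift goes wrong.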
816 Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()
818 Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()
821 Red Hat issue 1021958: fixed a bug with faulty buffer/data length
822 calculation in xio-ascii.c:_xiodump()
824 Red Hat issue 1021972: fixed a missing NUL termination in return string
825 of sysutils.c:sockaddr_info() for the AF_UNIX case
827 fixed some typos and minor issues, including:
828 Red Hat issue 1021967: formatting error in manual page
830 UNIX-LISTEN with fork option did not remove the socket file system entry
831 when exiting. Other file system based passive address types had similar
832 issues or failed to apply options umask, user e.a.
833 Thanks to Lorenzo Monti for pointing me to this issue
836 Red Hat issue 1020203: configure checks fail with some compilers.
839 Performed changes for Fedora release 19
841 Adapted, improved test.sh script
843 Red Hat issue 1021429: getgroupent fails with large number of groups;
844 use getgrouplist() when available instead of sequence of calls to
847 Red Hat issue 1021948: snprintf API change;
848 Implemented xio_snprintf() function as wrapper that tries to emulate C99
849 behaviour on old glibc systems, and adapted all affected calls
852 Mike Frysinger provided a patch that supports long long for time_t,
853 socklen_t and a few other libc types.
855 Artem Mygaiev extended Cedril Priscals Android build script with pty code
857 The check for fips.h required stddef.h
858 Thanks to Matt Hilt for reporting this issue and sending a patch
860 Check for linux/errqueue.h failed on some systems due to lack of
861 linux/types.h inclusion. Thanks to Michael Vastola for sending a patch.
863 autoconf now prefers configure.ac over configure.in
864 Thanks to Michael Vastola for sending a patch.
866 type of struct cmsghdr.cmsg is system dependent, determine it with
867 configure; some more print format corrections
870 libwrap always logs to syslog
872 added actual text version of GPLv2
874 ####################### V 1.7.2.3:
877 Socat security advisory 5
878 CVE-2014-0019: socat's PROXY-CONNECT address was vulnerable to a buffer
879 overflow with data from command line (see socat-secadv5.txt)
880 Credits to Florian Weimer of the Red Hat Product Security Team
882 ####################### V 1.7.2.2:
885 Socat security advisory 4
887 after refusing a client connection due to bad source address or source
888 port, socat called shutdown() on the socket but did not close() it,
889 resulting in a file descriptor leak in the listening process, visible
890 with lsof and possibly resulting in EMFILE (Too many open files). This
891 issue could be misused for a denial of service attack.
892 Full credits to Catalin Mitrofan for finding and reporting this issue.
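The leak described in advisory 4 comes from the difference between shutdown(), which only ends communication on a connection, and close(), which releases the descriptor. The following added example (written for this page, not socat's own code) reproduces the pattern with socketpair() standing in for accept(), so it runs without a network, and counts how many descriptors survive each refusal strategy.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* A descriptor is still open while fcntl(F_GETFD) succeeds. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* The pre-1.7.2.2 pattern: the refused client is shut down but the
   descriptor stays allocated in the listening process.  Each refused
   connection therefore costs one fd until the process hits RLIMIT_NOFILE. */
void refuse_client_leaky(int fd)
{
    shutdown(fd, SHUT_RDWR);
}

/* Fixed pattern: shut down and then close(), releasing the descriptor. */
void refuse_client_fixed(int fd)
{
    shutdown(fd, SHUT_RDWR);
    close(fd);
}

/* Simulate `rounds` refused clients (constructed with socketpair(), not real
   network connections) and return how many descriptors the given refusal
   routine left open.  Leaked descriptors are closed afterwards so the demo
   itself does not leak.  Returns -1 if socketpair() fails. */
int leaked_fds_after(int rounds, void (*refuse)(int))
{
    int leaked = 0;

    for (int i = 0; i < rounds; i++) {
        int sv[2];
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
            return -1;
        close(sv[1]);               /* the client side goes away */
        refuse(sv[0]);              /* server-side handling of the refusal */
        if (fd_is_open(sv[0])) {
            leaked++;
            close(sv[0]);
        }
    }
    return leaked;
}

int main(void)
{
    printf("shutdown() only: %d of 5 descriptors leaked\n",
           leaked_fds_after(5, refuse_client_leaky));
    printf("shutdown()+close(): %d of 5 descriptors leaked\n",
           leaked_fds_after(5, refuse_client_fixed));
    return 0;
}
```

On a running process the same symptom is what the entry describes: the number of open descriptors reported by lsof for the listener grows by one per refused connection and never drops.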
894 ####################### V 1.7.2.1:
897 Socat security advisory 3
899 fixed a possible heap buffer overflow in the readline address. This bug
900 could be exploited when all of the following conditions were met:
901 1) one of the addresses is READLINE without the noprompt and without the
903 2) the other (almost arbitrary address) reads malicious data (which is
904 then transferred by socat to READLINE).
905 Workaround: when using the READLINE address apply option prompt or
907 Full credits to Johan Thillemann for finding and reporting this issue.
909 ####################### V 1.7.2.0:
912 when UNIX-LISTEN was applied to an existing file it failed as expected
913 but removed the file. Thanks to Bjoern Bosselmann for reporting this
916 fixed a bug where socat might crash when connecting to a unix domain
917 socket using address GOPEN. Thanks to Martin Forssen for bug report and
920 UDP-LISTEN would always set SO_REUSEADDR even without fork option and
921 when user set it to 0. Thanks to Michal Svoboda for reporting this bug.
923 UNIX-CONNECT did not support half-close. Thanks to Greg Hughes who
924 pointed me to that bug
926 TCP-CONNECT with option nonblock reported successful connect even when
929 address option ioctl-intp failed with "unimplemented type 26". Thanks
930 to Jeremy W. Sherman for reporting and fixing that bug
932 socat option -x did not print packet direction, timestamp etc; thanks
933 to Anthony Sharobaiko for sending a patch
935 address PTY does not take any parameters but did not report an error
938 Marcus Meissner provided a patch that fixes invalid output and possible
939 process crash when socat prints info about an unnamed unix domain
942 Michal Soltys reported the following problem and provided an initial
943 patch: when socat was interrupted, e.g. by SIGSTOP, and resumed during
944 data transfer only parts of the data might have been written.
946 Option o-nonblock in combination with large transfer block sizes
947 may result in partial writes and/or EAGAIN errors that were not handled
948 properly but resulted in data loss or process termination.
950 Fixed a bug that could freeze socat when during assembly of a log
951 message a signal was handled that also printed a log message. socat
952 development had been aware that localtime() is not thread safe but had
953 only expected broken messages, not corrupted stack (glibc 2.11.1,
956 an internal store for child pids was susceptible to pid reuse which
957 could lead to sporadic data loss when both fork option and exec address
958 were used. Thanks to Tetsuya Sodo for reporting this problem and
961 OpenSSL server failed with "no shared cipher" when using cipher aNULL.
962 Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
963 for drawing my attention to this issue.
965 UDP-LISTEN slept 1s after accepting a connection. This is not required.
966 Thanks to Peter Valdemar Morch for reporting this issue
968 fixed a bug that could lead to error or socat crash after a client
969 connection with option retry had been established
971 fixed configure.in bug on net/if.h check that caused IF_NAMESIZE to be
974 improved dev_t print format definition
977 Cedril Priscal ported socat to Android (using Google's cross compiler).
978 The port includes the socat_buildscript_for_android.sh script
980 added check for component ipi_spec_dst in struct in_pktinfo so
981 compilation does not fail on Cygwin (thanks to Peter Wagemans for
982 reporting this problem)
984 build failed on RHEL6 due to presence of fips.h; configure now checks
985 for fipsld too. Thanks to Andreas Gruenbacher for reporting this
988 check for netinet6/in6.h only when IPv6 is available and enabled
990 don't fail to compile when the following defines are missing:
991 IPV6_PKTINFO IPV6_RTHDR IPV6_DSTOPTS IPV6_HOPOPTS IPV6_HOPLIMIT
992 Thanks to Jerry Jacobs for reporting this problem (Mac OS X Lion 10.7)
994 check if define __APPLE_USE_RFC_2292 helps to enable IPV6_* (MacOSX
995 Lion 7.1); thanks to Jerry Jacobs to reporting this problem and
998 fixed compiler warnings on Mac OS X 64bit. Thanks to Guy Harris for
1001 corrections for OpenEmbedded, especially termios SHIFT values and
1002 ISPEED/OSPEED. Thanks to John Faith for providing the patch
1004 minor corrections to docu and test.sh resulting from local compilation
1007 fixed sa_family_t compile error on DragonFly. Thanks to Tony Young for
1008 reporting this issue and sending a patch.
1010 Ubuntu Oneiric: OpenSSL no longer provides SSLv2 functions; libutil.sh
1011 is now bsd/libutil.h; compiler warns on vars that are only written to
1014 added option max-children that limits the number of concurrent child
1015 processes. Thanks to Sam Liddicott for providing the patch.
1017 Till Maas added support for tun/tap addresses without IP address
1019 added an option openssl-compress that allows disabling the compression
1020 feature of newer OpenSSL versions. Thanks to Michael Hanselmann for
1021 providing this contribution (sponsored by Google Inc.)
1024 minor corrections in docu (thanks to Paggas)
1026 client process -> child process
1028 ####################### V 1.7.1.3:
1031 Socat security advisory 2
1033 fixed a stack overflow vulnerability that occurred when command
1034 line arguments (whole addresses, host names, file names) were longer
1036 Note that this could only be exploited when an attacker was able to
1037 inject data into socat's command line.
1038 Full credits to Felix Gröbert, Google Security Team, for finding and
1039 reporting this issue
1041 ####################### V 1.7.1.2:
1044 user-late and group-late, when applied to a pty, affected the system
1045 device /dev/ptmx instead of the pty (thanks to Matthew Cloke for
1046 pointing me to this bug)
1048 socat's openssl addresses failed with "nonblocking operation did not
1049 complete" when the peer performed a renegotiation. Thanks to Benjamin
1050 Delpy for reporting this bug.
1052 info message during socks connect showed bad port number on little
1053 endian systems due to wrong byte order (thanks to Peter M. Galbavy for
1054 bug report and patch)
1056 Debian bug 531078: socat execs children with SIGCHLD ignored; corrected
1057 to default. Thanks to Martin Dorey for reporting this bug.
1060 building socat on systems that predefined the CFLAGS environment to
1061 contain -Wall failed (esp. RedHat). Thanks to Paul Wouters for reporting
1062 this problem and to Simon Matter for providing the patch
1064 support for Solaris 8 and Sun Studio support (thanks to Sebastian
1065 Kayser for providing the patches)
1067 on some 64bit systems a compiler warning "cast from pointer to integer
1068 of different size" was issued on some option definitions
1070 added struct sockaddr_ll to union sockaddr_union to avoid "strict
1071 aliasing" warnings (problem reported by Paul Wouters)
1074 minor corrections in docu
1076 ####################### V 1.7.1.1:
1079 corrected the "fixed possible SIGSEGV" fix because SIGSEGV still might
1080 occur under those conditions. Thanks to Toni Mattila for first
1081 reporting this problem.
1083 ftruncate64 cut its argument to 32 bits on systems with 32 bit long type
1085 socat crashed on systems without setenv() (esp. SunOS up to Solaris 9);
1086 thanks to Todd Stansell for reporting this bug
1088 with unidirectional EXEC and SYSTEM a close() operation was performed
1089 on a random number which could result in hanging e.a.
1091 fixed a compile problem caused by size_t/socklen_t mismatch on 64bit
1094 docu mentioned option so-bindtodev but correct name is so-bindtodevice.
1095 Thanks to Jim Zimmerman for reporting.
1098 added environment variables example to doc/socat-multicast.html
1100 ####################### V 1.7.1.0:
1103 address options shut-none, shut-down, and shut-close allow controlling
1104 socat's half close behaviour
1106 with address option shut-null socat sends an empty packet to the peer
1109 option null-eof changes the behaviour of sockets that receive an empty
1110 packet to see EOF instead of ignoring it
1112 introduced option names substuser-early and su-e, currently equivalent
1113 to option substuser (thanks to Mike Perry for providing the patch)
1116 fixed some typos and improved some comments
1118 ####################### V 1.7.0.1:
1121 fixed possible SIGSEGV in listening addresses when a new connection was
1122 reset by peer before the socket addresses could be retrieved. Thanks to
1123 Mike Perry for sending a patch.
1125 fixed a bug, introduced with version 1.7.0.0, that let client
1126 connections with option connect-timeout fail when the connections
1127 succeeded. Thanks to Bruno De Fraine for reporting this bug.
1129 option end-close "did not apply" to addresses PTY, SOCKET-CONNECT,
1130 and most UNIX-* and ABSTRACT-*
1132 half close of EXEC and SYSTEM addresses did not work for pipes and
1133 sometimes socketpair
1135 help displayed for some option a wrong type
1137 under some circumstances shutdown was called multiple times for the
1140 ####################### V 1.7.0.0:
1143 new address types SCTP-CONNECT and SCTP-LISTEN implement SCTP stream
1144 mode for IPv4 and IPv6; new address options sctp-maxseg and
1145 sctp-nodelay (suggested by David A. Madore; thanks to Jonathan Brannan
1146 for providing an initial patch)
1148 new address "INTERFACE" for transparent network interface handling
1149 (suggested by Stuart Nicholson)
1151 added generic socket addresses: SOCKET-CONNECT, SOCKET-LISTEN,
1152 SOCKET-SENDTO, SOCKET-RECVFROM, SOCKET-RECV, SOCKET-DATAGRAM allow
1153 protocol independent socket handling; all parameters are explicitly
1154 specified as numbers or hex data
1156 added address options ioctl-void, ioctl-int, ioctl-intp, ioctl-string,
1157 ioctl-bin for generic ioctl() calls.
1159 added address options setsockopt-int, setsockopt-bin, and
1160 setsockopt-string for generic setsockopt() calls
1162 option so-type now only affects the socket() and socketpair() calls,
1163 not the name resolution. so-type and so-prototype can now be applied to
1164 all socket based addresses.
1166 new address option "escape" allows interrupting a socat instance even when
1167 raw terminal mode prevents ^C etc. (feature suggested by Guido Trotter)
1169 socat sets environment variables SOCAT_VERSION, SOCAT_PID, SOCAT_PPID
1170 for use in executed scripts
1172 socat sets environment variables SOCAT_SOCKADDR, SOCAT_SOCKPORT,
1173 SOCAT_PEERADDR, SOCAT_PEERPORT in LISTEN type addresses (feature
1174 suggested by Ed Sawicki)
1176 socat receives all ancillary messages with each received packet on
1177 datagram related addresses. The messages are logged in raw form with
1178 debug level, and broken down with info level. Note: each type of
1179 ancillary message must be enabled by appropriate address options.
1181 socat provides the contents of ancillary messages received on RECVFROM
1182 addresses in appropriate environment variables:
1183 SOCAT_TIMESTAMP, SOCAT_IP_DSTADDR, SOCAT_IP_IF, SOCAT_IP_LOCADDR,
1184 SOCAT_IP_OPTIONS, SOCAT_IP_TOS, SOCAT_IP_TTL, SOCAT_IPV6_DSTADDR,
1185 SOCAT_IPV6_HOPLIMIT, SOCAT_IPV6_TCLASS
1187 the following address options were added to enable ancillary messages:
1188 so-timestamp, ip-pktinfo (not BSD), ip-recvdstaddr (BSD), ip-recverr,
1189 ip-recvif (BSD), ip-recvopts, ip-recvtos, ip-recvttl, ipv6-recvdstopts,
1190 ipv6-recverr, ipv6-recvhoplimit, ipv6-recvhopopts, ipv6-recvpathmtu,
1191 ipv6-recvpktinfo, ipv6-recvrthdr, ipv6-recvtclass
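The ancillary-message support above works at the socket level: an option such as ip-pktinfo turns on a setsockopt(), and every recvmsg() then carries control messages that must be walked with the CMSG_* macros and length-checked before their payload is read (the "missing length check in xiolog_ancillary_socket()" Red Hat issue earlier in this file concerns exactly such a check). The following is an added example written for this page, not socat's code; it enables IP_PKTINFO on a UDP socket bound to loopback, sends itself one constructed datagram, and extracts the destination address and interface index, which is the data socat exposes as SOCAT_IP_DSTADDR and SOCAT_IP_IF. It assumes Linux (IP_PKTINFO and struct in_pktinfo) and a working loopback interface.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Walk the control data of a received datagram.  Returns 1 and fills
   dst/ifindex when a complete IP_PKTINFO message is present, 0 otherwise.
   A cmsg whose cmsg_len is shorter than a full in_pktinfo is refused rather
   than read past: that is the length check an ancillary-data logger needs. */
int parse_pktinfo(struct msghdr *msg, char *dst, size_t dstlen, int *ifindex)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        struct in_pktinfo pi;
        if (c->cmsg_level != IPPROTO_IP || c->cmsg_type != IP_PKTINFO)
            continue;
        if (c->cmsg_len < CMSG_LEN(sizeof pi))
            return 0;                         /* truncated: do not interpret */
        memcpy(&pi, CMSG_DATA(c), sizeof pi); /* copy out: data may be unaligned */
        if (inet_ntop(AF_INET, &pi.ipi_addr, dst, dstlen) == NULL)
            return 0;
        *ifindex = pi.ipi_ifindex;
        return 1;
    }
    return 0;
}

/* Constructed control buffer whose IP_PKTINFO header claims only 2 payload
   bytes; returns 1 if parse_pktinfo() rejects it as it should. */
int short_pktinfo_is_rejected(void)
{
    char ctrl[CMSG_SPACE(sizeof(struct in_pktinfo))];
    char dst[INET_ADDRSTRLEN];
    int ifindex = -1;
    struct msghdr msg;
    struct cmsghdr *c;

    memset(ctrl, 0, sizeof ctrl);
    memset(&msg, 0, sizeof msg);
    msg.msg_control = ctrl;
    msg.msg_controllen = sizeof ctrl;
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(2);
    return parse_pktinfo(&msg, dst, sizeof dst, &ifindex) == 0;
}

/* Send one datagram over loopback and receive it with IP_PKTINFO enabled
   (what socat's ip-pktinfo option requests).  Returns 1 on success and
   stores the destination address the kernel reported, e.g. "127.0.0.1". */
int loopback_pktinfo_demo(char *dst, size_t dstlen, int *ifindex)
{
    int rx = socket(AF_INET, SOCK_DGRAM, 0);
    int tx = socket(AF_INET, SOCK_DGRAM, 0);
    int ok = 0, on = 1;
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;
    char data[64];
    char ctrl[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct iovec iov = { .iov_base = data, .iov_len = sizeof data };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctrl, .msg_controllen = sizeof ctrl };

    if (rx == -1 || tx == -1)
        goto out;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                            /* kernel picks a free port */
    if (bind(rx, (struct sockaddr *)&addr, sizeof addr) == -1 ||
        getsockname(rx, (struct sockaddr *)&addr, &alen) == -1 ||
        setsockopt(rx, IPPROTO_IP, IP_PKTINFO, &on, sizeof on) == -1 ||
        sendto(tx, "ping", 4, 0, (struct sockaddr *)&addr, sizeof addr) != 4 ||
        recvmsg(rx, &msg, 0) != 4)
        goto out;
    ok = parse_pktinfo(&msg, dst, dstlen, ifindex);
out:
    if (rx != -1) close(rx);
    if (tx != -1) close(tx);
    return ok;
}

int main(void)
{
    char dst[INET_ADDRSTRLEN];
    int ifindex = 0;
    if (loopback_pktinfo_demo(dst, sizeof dst, &ifindex))
        printf("datagram arrived for %s on interface index %d\n", dst, ifindex);
    return 0;
}
```

Without the setsockopt() call the kernel attaches no control message and parse_pktinfo() returns 0, which mirrors the note above that each ancillary message type has to be enabled explicitly.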
1193 new address options ipv6-tclass and ipv6-unicast-hops set the related
1196 STREAMS (UNIX System V STREAMS) can be configured with the new address
1197 options i-pop-all and i-push (thanks to Michal Rysavy for providing a
1201 some raw IP and UNIX datagram modes failed on BSD systems
1203 when UDP-LISTEN continued to listen after packet dropped by, e.g.,
1204 range option, the old listen socket would not be closed but a new one
1205 created. open sockets could accumulate.
1207 there was a bug in ip*-recv with bind option: it did not bind, and
1208 with the first received packet an error occurred:
1209 socket_init(): unknown address family 0
1210 test: RAWIP4RECVBIND
1212 RECVFROM addresses with FORK option hung after processing the first
1213 packet. test: UDP4RECVFROM_FORK
1215 corrected a few mistakes that caused compiler warnings on 64bit hosts
1216 (thanks to Jonathan Brannan e.a. for providing a patch)
1218 EXEC and SYSTEM with stderr injected socat messages into the data
1219 stream. test: EXECSTDERRLOG
1221 when the EXEC address got a string with consecutive spaces it created
1222 additional empty arguments (thanks to Olivier Hervieu for reporting
1223 this bug). test: EXECSPACES
1225 in ignoreeof polling mode socat also blocked data transfer in the other
1226 direction during the 1s wait intervals (thanks to Jorgen Cederlof for
1229 corrected alphabetical order of options (proxy-auth)
1231 some minor corrections
1233 improved test.sh script: more stable timing, corrections for BSD
1235 replaced the select() calls by poll() to cleanly fix the problems with
1236 many file descriptors already open
1238 socat option -lf did not log to file but to stderr
1240 socat did not compile on Solaris when configured without termios
1241 feature (thanks to Pavan Gadi for reporting this bug)
1244 socat compiles and runs on AIX with gcc (thanks to Andi Mather for his
1247 socat compiles and runs on Cygwin (thanks to Jan Just Keijser for his
1250 socat compiles and runs on HP-UX with gcc (thanks to Michal Rysavy for
1253 socat compiles and runs on MacOS X (thanks to Camillo Lugaresi for his
1257 filan -s prefixes output with FD number if more than one FD
1259 Makefile now supports datarootdir (thanks to Camillo Lugaresi for
1260 providing the patch)
1262 cleanup in xio-unix.c
1264 ####################### V 1.6.0.1:
1267 new make target "gitclean"
1269 docu source doc/socat.yo released
1272 exec:...,pty did not kill child process under some circumstances; fixed
1273 by correcting typo in xio-progcall.c (thanks to Ralph Forsythe for
1274 reporting this problem)
1276 service name resolution failed due to byte order mistake
1277 (thanks to James Sainsbury for reporting this problem)
1279 socat would hang when invoked with many file descriptors already opened
1280 fix: replaced FOPEN_MAX with FD_SETSIZE
1281 thanks to Daniel Lucq for reporting this problem.
1283 fixed bugs where sub processes would become zombies because the master
1284 process did not catch SIGCHLD. this affected addresses UDP-LISTEN,
1285 UDP-CONNECT, TCP-CONNECT, OPENSSL, PROXY, UNIX-CONNECT, UNIX-CLIENT,
1286 ABSTRACT-CONNECT, ABSTRACT-CLIENT, SOCKSA, SOCKS4A
1287 (thanks to Fernanda G Weiden for reporting this problem)
1289 fixed a bug where sub processes would become zombies because the master
1290 process caught SIGCHLD but did not wait(). this affected addresses
1291 UDP-RECVFROM, IP-RECVFROM, UNIX-RECVFROM, ABSTRACT-RECVFROM
1292 (thanks to Evan Borgstrom for reporting this problem)
1294 corrected option handling with STDIO; usecase: cool-write
1296 configure --disable-pty also disabled option waitlock
1298 fixed small bugs on systems with struct ip_mreq without struct ip_mreqn
1299 (thanks to Roland Illig for sending a patch)
1301 corrected name of option intervall to interval (old form still valid
1302 for us German speaking guys)
1304 corrected some print statements and variable names
1306 make uninstall did not uninstall procan
1308 fixed lots of weaknesses in test.sh
1310 corrected some bugs and typos in doc/socat.yo, EXAMPLES, C comments
1313 procan -c prints C defines important for socat
1315 added test OPENSSLEOF for OpenSSL half close
1317 ####################### V 1.6.0.0:
1320 new addresses IP-DATAGRAM and UDP-DATAGRAM allow versatile broadcast
1323 new option ip-add-membership for control of multicast group membership
1325 new address TUN for generation of Linux TUN/TAP pseudo network
1326 interfaces (suggested by Mat Caughron); associated options tun-device,
1327 tun-name, tun-type; iff-up, iff-promisc, iff-noarp, iff-no-pi etc.
1329 new addresses ABSTRACT-CONNECT, ABSTRACT-LISTEN, ABSTRACT-SENDTO,
1330 ABSTRACT-RECV, and ABSTRACT-RECVFROM for abstract UNIX domain addresses
1331 on Linux (requested by Zeeshan Ali); option unix-tightsocklen controls
1332 socklen parameter on system calls.
1334 option end-close for control of connection closing allows FD sharing
1337 range option supports form address:mask with IPv4
1339 changed behaviour of OPENSSL-LISTEN to require and verify client
1340 certificate per default
1342 options f-setlkw-rd, f-setlkw-wr, f-setlk-rd, f-setlk-wr allow finer
1343 grained locking on regular files
1345 uninstall target in Makefile (lack reported by Zeeshan Ali)
1348 fixed bug where only first tcpwrap option was applied; fixed bug where
1349 tcpwrap IPv6 check always failed (thanks to Rudolf Cejka for reporting
1350 and fixing this bug)
1352 filan (and socat -D) could hang when a socket was involved
1354 corrected PTYs on HP-UX (and maybe others) using STREAMS (inspired by
1357 correct bind with udp6-listen (thanks to Jan Horak for reporting this
1360 corrected filan.c peekbuff[0] which did not compile with Sun Studio Pro
1361 (thanks to Leo Zhadanovsky for reporting this problem)
1363 corrected problem with read data buffered in OpenSSL layer (thanks to
1364 Jon Nelson for reporting this bug)
1366 corrected problem with option readbytes when input stream stayed idle
1369 fixed a bug where a datagram receiver with option fork could fork two
1370 sub processes per packet
1373 moved documentation to new doc/ subdir
1375 new documents (kind of mini tutorials) are provided in doc/
1377 ####################### V 1.5.0.0:
1380 new datagram modes for udp, rawip, unix domain sockets
1382 socat option -T specifies inactivity timeout
1384 rewrote lexical analysis to allow nested socat calls
1386 addresses tcp, udp, tcp-l, udp-l, and rawip now support IPv4 and IPv6
1388 socat options -4, -6 and environment variables SOCAT_DEFAULT_LISTEN_IP,
1389 SOCAT_PREFERRED_RESOLVE_IP for control of protocol selection
1391 addresses ssl, ssl-l, socks, proxy now support IPv4 and IPv6
1393 option protocol-family (pf), esp. for openssl-listen
1395 range option supports IPv6 - syntax: range=[::1/128]
1397 option ipv6-v6only (ipv6only)
1399 new tcp-wrappers options allow-table, deny-table, tcpwrap-etc
1401 FIPS version of OpenSSL can be integrated - initial patch provided by
1402 David Acker. See README.FIPS
1404 support for resolver options res-debug, aaonly, usevc, primary, igntc,
1405 recurse, defnames, stayopen, dnsrch
1407 options for file attributes on advanced filesystems (ext2, ext3,
1408 reiser): secrm, unrm, compr, ext2-sync, immutable, ext2-append, nodump,
1409 ext2-noatime, journal-data etc.
1411 option cool-write controls severity of write failure (EPIPE,
1416 socat option -lh for hostname in log output
1418 traffic dumping provides packet headers
1420 configure.in became part of distribution
1422 socat's unpack directory now has full version, e.g. socat-1.5.0.0/
1424 corrected docu of option verify
1427 fixed tcpwrappers integration - initial fix provided by Rudolf Cejka
1429 exec with pipes,stderr produced error
1431 setuid-early was ignored with many address types
1433 some minor corrections
1435 ####################### V 1.4.3.1:
1438 PROBLEM: UNIX socket listen accepted only one (or a few) connections.
1439 FIX: do not remove listening UNIX socket in child process
1441 PROBLEM: SIGSEGV when TCP part of SSL connect failed
1442 FIX: check ssl pointer before calling SSL_shutdown
1444 In debug mode, show connect client port even when connect fails
1446 ####################### V 1.4.3.0:
1449 socat options -L, -W for application level locking
1451 options "lockfile", "waitlock" for address level locking
1454 option "readbytes" limits read length (Adam Osuchowski)
1456 option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)
1458 pty symlink, unix listen socket, and named pipe are per default removed
1459 after use; option unlink-close overrides this new behaviour and also
1460 controls removal of other socat generated files (Stefan Luethje)
1463 option "retry" did not work with tcp-listen
1465 EPIPE condition could result in a 100% CPU loop
1468 support systems without SHUT_RD etc.
1469 handle more size_t types
1470 try to find makedepend options with gcc 3 (richard/OpenMacNews)
1472 ####################### V 1.4.2.0:
1475 option "connect-timeout" limits wait time for connect operations
1476 (requested by Giulio Orsero)
1478 option "dhparam" for explicit Diffie-Hellman parameter file
1481 support for OpenSSL DSA certificates (Miika Komu)
1483 create install directories before copying files (Miika Komu)
1485 when exiting on signal, return status 128+signum instead of 1
1487 on EPIPE and ECONNRESET, only issue a warning (Santiago Garcia
1490 -lu could cause a core dump on long messages
1493 modifications to simplify using socats features in applications
1495 ####################### V 1.4.1.0:
1498 option "wait-slave" blocks open of pty master side until a client
1499 connects, "pty-intervall" controls polling
1501 option -h as synonym to -? for help (contributed by Christian
1504 filan prints formatted time stamps and rdev (disable with -r)
1506 redirect filan's output, so stdout is not affected (contributed by
1509 filan option -L to follow symbolic links
1511 filan shows termios control characters
1514 proxy address no longer performs unsolicited retries
1516 filan -f no longer needs read permission to analyze a file (but still
1517 needs access permission to directory, of course)
1521 FreeBSD options noopt, nopush, md5sig
1522 OpenBSD options sack-disable, signature-enable
1523 HP-UX, Solaris options abort-threshold, conn-abort-threshold
1524 HP-UX options b900, b3600, b7200
1525 Tru64/OSF1 options keepinit, paws, sackena, tsoptena
1527 further corrections:
1528 address pty now uses ptmx as default if openpty is also available
1530 ####################### V 1.4.0.3:
1533 Socat security advisory 1
1535 fix to a syslog() based format string vulnerability that can lead to
1536 remote code execution. See advisory socat-adv-1.txt
1538 ####################### V 1.4.0.2:
1541 exec'd write-only addresses get a chance to flush before being killed
1543 error handler: print notice on error-exit
1545 filan printed wrong file type information
1547 ####################### V 1.4.0.1:
1550 socks4a constructed invalid header. Problem found, reported, and fixed
1551 by Thomas Themel, by Peter Palfrader, and by rik
1553 with nofork, don't forget to apply some process related options
1554 (chroot, setsid, setpgid, ...)
1556 ####################### V 1.4.0.0:
1559 simple openssl server (ssl-l), experimental openssl trust
1561 new options "cafile", "capath", "key", "cert", "egd", and "pseudo" for
1564 new options "retry", "forever", and "intervall"
1566 option "fork" for address TCP improves `gender changer´
1568 options "sigint", "sigquit", and "sighup" control passing of signals to
1569 sub process (thanks to David Shea who contributed to this issue)
1571 readline now respects the prompt issued by the peer address
1573 options "prompt" and "noprompt" allow overriding readline's new
1576 readline supports invisible password with option "noecho"
1578 socat option -lp allows to set hostname in log output
1580 socat option -lu turns on microsecond resolution in log output
1584 before reading available data, check if writing on other channel is
1587 tcp6, udp6: support hostname specification (not only IP address), and
1588 map IP4 names to IP6 addresses
1590 openssl client checks server certificate per default
1592 support unidirectional communication with exec/system subprocess
1594 try to restore original terminal settings when terminating
1596 test.sh uses tmp dir /tmp/$USER/$$ instead of /tmp/$$
1598 socks4 failed on platforms where long does not have 32 bits
1599 (thanks to Peter Palfrader and Thomas Seyrat)
1601 hstrerror substitute wrote wrong messages (HP-UX, Solaris)
1603 proxy error message was truncated when answer contained multiple spaces
1607 compiles with AIX xlc, HP-UX cc, Tru64 cc (but might not link)
1609 ####################### V 1.3.2.2:
1612 PROXY CONNECT failed when the status reply from the proxy server
1613 contained more than one consecutive spaces. Problem reported by
1614 Alexandre Bezroutchko
1616 do not SIGSEGV when proxy address fails to resolve server name
1618 udp-listen failed on systems where AF_INET != SOCK_DGRAM (e.g. SunOS).
1619 Problem reported by Christoph Schittel
1621 test.sh only tests available features
1623 added missing IP and TCP options in filan analyzer
1625 do not apply stdio address options to both directions when in
1628 on systems lacking /dev/*random and egd, provide (weak) entropy from
1633 changes for HP-UX (VREPRINT, h_NETDB_INTERNAL)
1635 compiles on True64, FreeBSD (again), NetBSD, OpenBSD
1637 support for long long as st_ino type (Cygwin 1.5)
1639 compile on systems where pty can not be featured
1641 ####################### V 1.3.2.1:
1644 "final" solution for the ENOCHLD problem
1646 corrected "make strip"
1648 default gcc debug/opt is "-O" again
1650 check for /proc at runtime, even if configure found it
1652 src.rpm accidentally supported SuSE instead of RedHat
1654 ####################### V 1.3.2.0:
1657 option "nofork" connects an exec'd script or program directly
1658 to the file descriptors of the other address, circumventing the socat
1661 support for files >2GB, using ftruncate64(), lseek64(), stat64()
1663 filan has new "simple" output style (filan -s)
1667 options "binary" and "text" for controlling line termination on Cygwin
1668 file system access (hint from Yang Wu-Zhou)
1670 fix by Yang Wu-Zhou for the Cygwin "No Children" problem
1672 improved support for OSR: _SVID3; no IS_SOCK, no F_GETOWN (thanks to
1675 minor corrections to avoid warnings with gcc 3
1678 further corrections and minor improvements:
1679 configure script is generated with autoconf 2.57 (no longer 2.52)
1681 configure passes CFLAGS to Makefile
1683 option -??? for complete list of address options and their short forms
1685 program name in syslog messages is derived from argv[0]
1687 SIGHUP now prints notice instead of error
1689 EIO during read of pty now gives Notice instead of Error, and
1692 use of hstrerror() for printing resolver error messages
1694 setgrent() got required endgrent()
1696 ####################### V 1.3.1.0:
1699 integration of Wietse Venema's tcpwrapper library (libwrap)
1701 with "proxy" address, option "resolve" controls if hostname or IP
1702 address is sent in request
1704 option "lowport" establishes limited authorization for TCP and UDP
1707 improvement of .spec file for RPM creation (thanks to Gerd v. Egidy)
1708 An accompanying change in the numbering scheme results in an
1709 incompatibility with earlier socat RPMs!
1712 solved problems and bugs:
1713 PROBLEM: socat daemon terminated when the address of a connecting
1714 client did not match range option value instead of continuing to listen
1715 SOLVED: in this case, print warning instead of error to keep daemon
1718 PROBLEM: tcp-listen with fork sometimes left excessive number of zombie
1720 SOLVED: don't assume that each exiting child process generates SIGCHLD
1722 when converting CRNL to CR, socat converted to NL
1725 further corrections:
1726 configure script now disables features that depend on missing files
1727 making it more robust in "unsupported" environments
1729 server.pem permissions corrected to 600
1731 "make install" now does not strip; use "make strip; make install"
1732 if you like strip (suggested by Peter Bray)
1734 ####################### V 1.3.0.1:
1736 solved problems and bugs:
1737 PROBLEM: OPENSSL did not apply tcp, ip, and socket options
1738 SOLVED: OPENSSL now correctly handles the options list
1740 PROBLEM: CRNL to NL and CRNL to CR conversions failed when CRNL crossed
1742 SOLVED: these conversions now simply strip all CR's or NL's from input
1747 SunOS ptys now work on x86, too (thanks to Peter Bray)
1749 configure looks for freeware libs in /pkgs/lib/ (thanks to Peter Bray)
1752 further corrections:
1753 added WITH_PROXY value to -V output
1755 added compile dependencies of WITH_PTY and WITH_PROXY
1757 -?? did not print option group of proxy options
1759 corrected syntax for bind option in docu
1761 corrected an issue with stdio in unidirectional mode
1763 options socksport and proxyport support service names
1765 ftp.sh script supports proxy address
1767 man page no longer installed with execute permissions (thanks to Peter
1770 fixed a malloc call bug that could cause SIGSEGV or false "out of
1771 memory" errors on EXEC and SYSTEM, depending on program name length and
1774 ####################### V 1.3.0.0:
1777 proxy connect with optional proxy authentication
1779 combined hex and text dump mode, credits to Gregory Margo
1781 address pty applies options user, group, and perm to device
1784 solved problems and bugs:
1785 PROBLEM: option reuseport was not applied (BSD, AIX)
1786 SOLVED: option reuseport now in phase PASTSOCKET instead of PREBIND,
1787 credits to Jean-Baptiste Marchand
1789 PROBLEM: ignoreeof with stdio was ignored
1790 SOLVED: ignoreeof now works correctly with address stdio
1792 PROBLEM: ftp.sh did not use user supplied password
1793 SOLVED: ftp.sh now correctly passes password from command line
1795 PROBLEM: server.pem had expired
1796 SOLVED: new server.pem valid for ten years
1798 PROBLEM: socks notice printed wrong port on some platforms
1799 SOLVED: socks now uses correct byte-order for port number in notice
1802 further corrections:
1803 option name o_trunc corrected to o-trunc
1805 combined use of -u and -U is now detected and prevented
1807 made message system a little more robust against format string attacks
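Both this entry and security advisory 1 (the syslog()-based format string vulnerability in V 1.4.0.3) concern the same defect class: text that may originate from a peer (a host name, a proxy reply, an error string) reaching syslog() or printf() as the format argument instead of as a %s argument. The following added example, written for this page and not taken from socat, shows the hardened shape of a message system: formats are always literals, and a variadic wrapper annotated with the printf format attribute lets the compiler reject non-literal formats. The peer address and reason strings are constructed sample values.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Risky pattern (shown only as a comment, never compiled or run here):
 *     syslog(LOG_NOTICE, msg);            // msg came from the network
 * Any '%' directives inside msg are interpreted by the formatter, which is
 * the bug class behind advisory 1.  The correct call is
 *     syslog(LOG_NOTICE, "%s", msg);
 */

/* Safe pattern: the format is a literal and untrusted text is only ever an
   argument, so "%n%s%x" inside peer or reason is copied verbatim.
   Returns the length snprintf() reports for the full message. */
int format_log_line(char *out, size_t outlen, const char *peer, const char *reason)
{
    return snprintf(out, outlen, "refused connection from %s: %s", peer, reason);
}

/* A small logging wrapper: the format attribute makes gcc/clang check the
   arguments and warn when a caller passes a non-literal format, which is how
   a message system keeps untrusted formats out by construction. */
__attribute__((format(printf, 3, 4)))
int log_message(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Same idea for syslog(): the literal format goes to vsyslog(), the
   untrusted text travels only as an argument. */
__attribute__((format(printf, 2, 3)))
void log_syslog(int priority, const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vsyslog(priority, fmt, ap);
    va_end(ap);
}

int main(void)
{
    char buf[128];

    /* constructed peer address and reason containing format directives */
    format_log_line(buf, sizeof buf, "10.0.0.1:4444", "%n%s%x");
    puts(buf);
    log_message(buf, sizeof buf, "peer %s sent %d bytes", "%s%s", 3);
    puts(buf);
    return 0;
}
```

Compiling with -Wformat -Werror=format-security turns the risky pattern into a build error, which is a cheap regression guard for a code base that logs peer-supplied strings.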
1810 ####################### V 1.2.0.0:
1813 address pty for putting socat behind a new pseudo terminal that may
1814 fake a serial line, modem etc.
1816 experimental openssl integration
1817 (it does not provide any trust between the peers because it does not
1818 check certificates!)
1820 options flock-ex, flock-ex-nb, flock-sh, flock-sh-nb to control all
1821 locking mechanism provided by flock()
1823 options setsid and setpgid now available with all address types
1825 option ctty (controlling terminal) now available for all TERMIOS
1828 option truncate (a hybrid of open(.., O_TRUNC) and ftruncate()) is
1829 replaced by options o-trunc and ftruncate=offset
1831 option sourceport now available with TCP and UDP listen addresses to
1832 restrict incoming client connections
1834 unidirectional mode right-to-left (-U)
1837 solved problems and bugs:
1838 PROBLEM: addresses without required parameters but an option containing
1839 a '/' were incorrectly interpreted as implicit GOPEN address
1840 SOLVED: if an address does not have ':' separator but contains '/',
1841 check if the slash is before the first ',' before assuming
1846 ptys under SunOS work now due to use of stream options
1849 further corrections:
1850 with -d -d -d -d -D, don't print debug info during file analysis
####################### V 1.1.0.1:

.spec file for RPM generation

solved problems and bugs:
PROBLEM: GOPEN on socket did not apply option unlink-late
SOLUTION: GOPEN for socket now applies group NAMED, phase PASTOPEN

PROBLEM: with unidirectional mode, an unnecessary close timeout was
SOLUTION: in unidirectional mode, terminate without wait time

PROBLEM: using GOPEN on a unix domain socket failed for datagram
SOLUTION: when connect() fails with EPROTOTYPE, use a datagram socket

further corrections:
open() flag options had names starting with "o_", now corrected to "o-"
in the documentation, *-listen addresses were called *_listen
address unix now called unix-connect because it does not handle unix
in test.sh, apply global command line options with all tests
####################### V 1.1.0.0:

regular man page and HTML documentation; thanks to kromJx for the prototype
new address type "readline", utilizing GNU readline and history libs
address option "history-file" for readline
new option "dash" for the "exec" address that allows starting login shells
syslog facility can be set per command line option
new address option "tcp-quickack", found in Linux 2.4
option -g prevents option group checking
filan and procan can print usage
procan prints rlimit information

solved problems and bugs:
PROBLEM: raw IP socket SIGSEGV'ed when it had been shut down.
SOLVED: set eof flag of channel on shutdown.

PROBLEM: if channel 2 uses a single non-socket FD in bidirectional mode
and has data available while channel 1 reaches EOF, the data is
SOLVED: during one loop run, first handle all data transfers and
_afterwards_ handle EOF.

PROBLEM: despite option NONBLOCK, the connect() call blocked
SOLVED: option NONBLOCK is now applied in phase FD instead of LATE

PROBLEM: UNLINK options issued error when file did not exist,
SOLVED: failure of unlink() is only a warning if errno==ENOENT

PROBLEM: TCP6-LISTEN required numeric port specification
SOLVED: now uses common TCP service resolver

PROBLEM: with PIPE, wrong FDs were shown for data transfer loop
SOLVED: retrieval of FDs now takes PIPE peculiarities into account

PROBLEM: using address EXEC against an address with IGNOREEOF, socat
SOLVED: corrected EOF handling of sigchld

MacOS and old AIX versions now have pty
flock() now available on Linux (configure check was wrong)
named pipes were created using mknod(), which requires root under BSD;
now they are created using mkfifo()

further corrections:
lots of address options that were "forgotten" at runtime are now
option BINDTODEVICE now also called SO-BINDTODEVICE, IF
"make install" now installs binaries with ownership 0:0
####################### V 1.0.4.2:

solved problems and bugs:
PROBLEM: EOF of one stream caused close of other stream, giving it no
chance to go down regularly
SOLVED: EOF of one stream now causes shutdown of the write part of the other
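What the shutdown of the write part achieves over a plain close, as an added example that is not socat's own code: a small relay between two socketpairs that, on EOF from one side, half-closes the other side with shutdown(SHUT_WR) instead of close(). The far peer sees EOF on its read but can still deliver its remaining data, which is relayed before the relay finishes; a full close() would make that data disappear. The relay structure, the function names and the scripted "hello"/"world" exchange are constructed for illustration.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct relay {
    int a, b;       /* the two relay-side descriptors */
    int eof_ab;     /* a hit EOF; b's write side has been shut down */
    int eof_ba;     /* b hit EOF; a's write side has been shut down */
};

/* Copy one read() worth of data from 'from' to 'to'. Returns 1 on data,
 * 0 on EOF (after half-closing 'to'), -1 on error. */
static int forward(int from, int to)
{
    char buf[4096];
    ssize_t n = read(from, buf, sizeof buf);
    if (n < 0) return -1;
    if (n == 0) {
        /* EOF on one side: shut down only our WRITE direction to the other.
         * That peer sees EOF on read but can still send its remaining data,
         * which we keep relaying. A full close() would throw that away. */
        shutdown(to, SHUT_WR);
        return 0;
    }
    for (ssize_t off = 0; off < n; ) {
        ssize_t w = write(to, buf + off, (size_t)(n - off));
        if (w < 0) return -1;
        off += w;
    }
    return 1;
}

/* Transfer loop. Returns 0 once both directions have seen EOF, 1 when
 * nothing is pending within idle_timeout_ms, -1 on error. */
static int relay_run(struct relay *r, int idle_timeout_ms)
{
    while (!(r->eof_ab && r->eof_ba)) {
        struct pollfd pfd[2];
        int nfds = 0;
        if (!r->eof_ab) { pfd[nfds].fd = r->a; pfd[nfds].events = POLLIN; nfds++; }
        if (!r->eof_ba) { pfd[nfds].fd = r->b; pfd[nfds].events = POLLIN; nfds++; }
        int ready = poll(pfd, (nfds_t)nfds, idle_timeout_ms);
        if (ready < 0) return -1;
        if (ready == 0) return 1;
        for (int i = 0; i < nfds; i++) {
            if (!(pfd[i].revents & (POLLIN | POLLHUP))) continue;
            int from_a = (pfd[i].fd == r->a);
            int rc = forward(pfd[i].fd, from_a ? r->b : r->a);
            if (rc < 0) return -1;
            if (rc == 0) { if (from_a) r->eof_ab = 1; else r->eof_ba = 1; }
        }
    }
    return 0;
}

/* Scripted exchange over two socketpairs (constructed, no network): peer A
 * sends "hello" and half-closes; peer B must still be able to answer after
 * seeing A's EOF. Returns what peer A finally received, NULL on failure. */
static const char *demo(void)
{
    static char got[64];
    char buf[64];
    int pa[2], pb[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, pa) < 0) return NULL;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, pb) < 0) return NULL;
    int peer_a = pa[0], peer_b = pb[0];
    struct relay r = { pa[1], pb[1], 0, 0 };

    /* 1: A speaks and signals that it has nothing more to send */
    if (write(peer_a, "hello", 5) != 5) return NULL;
    shutdown(peer_a, SHUT_WR);
    if (relay_run(&r, 0) != 1 || !r.eof_ab || r.eof_ba) return NULL;

    /* 2: B gets A's data and then EOF, although the relay is still running */
    if (read(peer_b, buf, sizeof buf) != 5 || memcmp(buf, "hello", 5) != 0) return NULL;
    if (read(peer_b, buf, sizeof buf) != 0) return NULL;

    /* 3: B answers after A's EOF; had the relay close()d r.b instead of
     * shutting it down, this write would fail and the data would be lost */
    if (write(peer_b, "world", 5) != 5) return NULL;
    close(peer_b);
    if (relay_run(&r, 0) != 0) return NULL;

    /* 4: A still receives the answer, then EOF */
    ssize_t n = read(peer_a, got, sizeof got - 1);
    if (n <= 0) return NULL;
    got[n] = '\0';
    if (read(peer_a, buf, sizeof buf) != 0) return NULL;
    close(peer_a); close(r.a); close(r.b);
    return got;
}

int main(void)
{
    const char *answer = demo();
    printf("%s\n", answer ? answer : "relay failed");
    return answer ? 0 : 1;
}
```

The same half-close logic is what lets a request/response protocol through a relay terminate cleanly: the client's EOF becomes a SHUT_WR towards the server, the server's reply still flows back, and the relay ends only when both directions have drained.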

PROBLEM: sending mail via socks address to qmail showed that crlf
option does not work
SOLVED: socks address applies PH_LATE options

PROBLEM: in debug mode, no info about socat and platform was issued
SOLVED: print socat version and uname output in debug mode

PROBLEM: invoking socat with -t and no following parameters caused
SOLVED: -t and -b now check next argv entry

PROBLEM: when opening of logfile (-lf) failed, no error was reported
and no further messages were printed
SOLVED: check result of fopen and print error message if it failed

address type UDP-LISTEN now supports option fork: it internally applies
socket option SO_REUSEADDR so a new UDP socket can bind to the port after
"accepting" a connection (child processes might live forever though)
(suggestion from Damjan Lango)
####################### V 1.0.4.1:

solved problems and bugs:
PROB: assert in libc caused an endless recursion
SOLVED: no longer catch SIGABRT

PROB: socat printed wrong verbose prefix for "right to left" packets
SOLVED: new parameter for xiotransfer() passes correct prefix

in debug mode, socat prints its command line arguments
in verbose mode, escape special characters and replace unprintables
with '.'. Patch from Adrian Thurston.

####################### V 1.0.4.0:

solved problems and bugs:
Debug output for lstat and fstat said "stat"

further corrections:
FreeBSD now includes libutil.h

option setsid with exec/pty
option setpgid with exec/pty
option ctty with exec/pty

gettimeofday in sycls.c (not used yet)

before Gethostbyname, invoke inet_aton for MacOSX

####################### V 1.0.3.0:

solved problems and bugs:
PROB: test 9 of test.sh (echo via file) failed on some platforms,
socat exited without error message
SOLVED: _xioopen_named_early(): preset statbuf.st_mode with 0

PROB: test 17 hung forever
REASON: child death before select loop did not result in EOF
SOLVED: check for existence of children before starting select loop

PROB: test 17 failed
REASON: child death triggered EOF before last data was read
SOLVED: after child death, read last data before setting EOF

PROB: filan showed that exec processes incorrectly had fd3 open
REASON: inherited open fd3 from main process
SOLVED: set CLOEXEC flag on pty fd in main process

PROB: help printed "undef" instead of group "FORK"
SOLVED: added "FORK" to group name array

PROB: fatal messages did not include severity classifier
SOLVED: added "F" to severity classifier array

PROB: IP6 addresses were printed incorrectly
SOLVED: removed type casts to unsigned short *

further corrections:
socat catches illegal -l modes
corrected error message on setsockopt(linger)
option tabdly is of type uint
correction for UDP over IP6
more cpp conditionals, esp. for IP6 situations
better handling of group NAMED options with listening UNIX sockets
applyopts2 now includes last given phase
corrected option group handling for most address types
introduce dropping of inapplicable options (dropopts, dropopts2)
gopen now accepts socket and unix-socket options
exec and system now accept all socket and termios options
child process for exec and system addresses with option pty
improved descriptions and options for EXAMPLES
printf format for file mode changed to "0%03o" with length spec.
added va_end() in branch of msg()
changed phase of lock options from PASTOPEN to FD
support up to four early dying processes

xiosysincludes now includes sysincludes.h for non xio files

TYPE_DOUBLE, u_double
added getsid(), setsid(), send() to sycls
procan prints sid (session id)
mail.sh gets -f (from) option
new EXAMPLEs for file creation
gatherinfo.sh now tells about failures
test.sh can check for many more address/option combinations

ispeed, ospeed for termios on FreeBSD
getpgid() conditional for MacOS 10
added ranlib in Makefile.in for MacOS 10
disable pty option if no pty mechanism is available (MacOS 10)
now compiles and runs on MacOS 10 (still some tests fail)
setgroups() conditional for cygwin
sighandler_t defined conditionally
use gcc option -D_GNU_SOURCE