####################### V 1.7.4.2:

Corrections:
        The per address parameters for OpenSSL overlapped in memory with socket
        parameters. Magically this did not seem to cause problems except on
        MacOS Catalina that reported errors like:
        socat[3458] E Select(7, &0x80, NULL, NULL, {140392884396544.000000}):
        Invalid argument
        Test: OPENSSL_PARA_OVERLAP
        Thanks to Ryo Ota for reporting this bug.

        Fixed a few minor coding issues

        A VSOCK warning message was generated with all listening addresses
        instead of only with VSOCK-LISTEN

        When an OPENSSL-CONNECT client presented a certificate with IPv6
        subject alternate name and the OPENSSL-LISTEN server had no commonname
        option, the server crashed with SIGSEGV in xioip6_pton().
        Test: OPENSSL_CLIENT_IP6_CN
        Red Hat bug 1981308
        Thanks to Vlad Slepukhin for reporting this issue and providing a patch

        Corrected a typo in configure.ac that broke option --enable-openssl-base
        Thanks to john1doe for reporting this issue.

        Socat looped endlessly, not responding to SIGTERM, when a service name
        (for port) could not be resolved.
        Test: BAD_SERVICE

        Using options of NAMED group, e.g. chown, with abstract UNIX domain
        sockets, produced errors because the function was applied with a normal
        file system related call, e.g. chown(), using file "" (empty name). Instead of
        chown(), Socat now uses fchown() on the file descriptor. However, such
        a call usually has no real effect.
        Test: ABSTRACT_USER
        Thanks to Andreas Fink for reporting this issue.

        Option -R did not only dump ("sniff") right-to-left, but also
        left-to-right traffic to the given file.
        Test: SNIFF_RIGHT_TO_LEFT
        Thanks to 1314 gsf for reporting this bug and sending a patch.

        Options -r and -R, when opening a named pipe that has no actual reader,
        failed with "No such device or address". To solve this problem, Socat
        now opens the pipe in rw-Mode.
        Thanks to Cody J.Soultz for sending a patch.

        The call "socat -r - PIPE" traced to file ./- instead of issuing a
        syntax error.

        Print a message when readbytes option causes EOF

        The ip-recverr option had no effect. Corrected and improved its
        handling of ancillary messages, so it is able to analyze ICMP error
        packets (Linux only?)

        Setgid(), Setuid() calls in xio-progcall.c were useless.

Testing:
        Prevent the TIMESTAMP tests from sporadically failing due to seconds
        overflow

        Fixed in test.sh a few issues reported by shellcheck

Documentation:
        Added missing docu of OpenSSL options min-proto-version,
        max-proto-version.

        Added missing closing parenthesis in socat.yo.
        Thanks to Emanuele Torre for reporting this issue.

        Corrected more typos and added missing bug info to CHANGES, performed
        some non functional corrections.

Porting:
        Corrected building when clock_gettime() not available, with or without
        gettimeofday().

####################### V 1.7.4.1:

Corrections:
        Socat 1.7.4.0 failed to compile especially on 32 bit systems.
        Thanks to Wang Mingyu and others for sending a patch or reporting this
        issue.

        Under certain conditions OpenSSL stream connections, in particular bulk
        data transfer in unidirectional mode, failed during transfer or near
        its end with Connection reset by peer on receiver side.
        This happened with Socat versions 1.7.3.3 to 1.7.4.0. Reasons were
        lazy SSL shutdown handling on the sender side in combination with
        SSL_MODE_AUTO_RETRY turned off.
        Fix: After SSL_shutdown but before socket shutdown call SSL_read()
        Test: OPENSSL_STREAM_TO_SERVER
        Fixes Red Hat issue 1870279.

####################### V 1.7.4.0:

Security:
        Buffer size option (-b) is internally doubled for CR-CRLF conversion,
        but not checked for integer overflow.
        This could lead to heap based
        buffer overflow, assuming the attacker could provide this parameter.
        Test: BLKSIZE_INT_OVERFL
        Thanks to Lê Hiếu Bùi for reporting this issue and sending an
        example exploit.

Corrections:
        Socat's address parser read over end of string when there were unbalanced
        quotes
        Test: UNBALANCED_QUOTE

        Removed unused usleep() call from sycls.c

        Unsetenv() was conditional in sysutils.c but not in xio-openssl.c thus
        building failed on Solaris 9.
        Thanks to Greg Earle for reporting this issue and providing a patch.

        Mitigated race condition of quickly terminating SYSTEM or EXEC child
        processes.

        Option o-direct might require alignment of read/write buffer to, e.g.,
        512 bytes. Socat now takes care of this when allocating the buffer.
        With this fix read() succeeds, however, write() still might fail when
        not writing complete pages.
        Test: O_DIRECT

        There was a race condition in the way Socat UDP-RECVFROM and similar
        addresses with option fork prevent one packet from triggering
        multiple processes. The symptom was that Socat master process seemed to
        hang and did not process further packets. The fix makes use of
        pselect() system call.
        Thanks to Fulvio Scapin for reporting this issue.

        UNIX domain client addresses applied file system entry options (group
        NAMED) to the server socket instead of the client (bind) socket entry.
        Tests: UNIX_SENDTO_UNLINK UNIX_CONNECT_UNLINK
        Thanks to Nico Williams for reporting this major issue.

        Length of single address options was limited to 511 bytes. This value
        is now increased to 2047 bytes.
        Change suggested by Mario Camou.

        Addresses of type RECVFROM with option fork looped with an error
        message in case that the second address failed before consuming the
        packet. The fix makes RECVFROM drop the packet when the second address
        failed before reading it.
        Use retry or forever option with the second
        address if you want to avoid data loss.
        Fixes Red Hat bug 1907718
        Thanks to Chunmei Xu for reporting this issue and providing the patch.

        Socat's DTLS implementation has been reworked and appears to work now
        reasonably over UDP.
        New addresses: OPENSSL-DTLS-SERVER (DTLS-L),
        OPENSSL-DTLS-CLIENT (DTLS)
        Tests: OPENSSL_DTLS_CLIENT OPENSSL_DTLS_SERVER
        OPENSSL_METHOD_DTLS1 OPENSSL_METHOD_DTLS1.2
        Thanks to Brandon Carpenter, Qing Wan, and Pavel Nakonechnyi for
        sending patches.

        filan did not output the socket protocol.
        filan -s assumed each stream socket to be TCP and each datagram socket
        to be UDP. Now it uses SO_PROTOCOL and getprotoent() for correct output.

        Help text showed two parameters for UDP4-RECVFROM address, but only
        <port> is allowed.
        Thanks to John the Scott for reporting this issue.

        Error messages from SSL_read() and SSL_write() sometimes stated
        SSL_connect instead of originating function name.

        Fixed some more non functional minor issues.

Porting:
        In gcc version 10 the default changed from -fcommon to -fno-common.
        Consequently, linking filan and procan failed with error
        "multiple definition of `deny_severity'" and `allow_severity'
        Fixed by removing definitions in filan.c and procan.c
        Debian issue 957823
        Thanks to László Böszörményi and others for reporting this issue.

        Solaris 9 does not provide strndup(); added substitute code.
        Thanks to Greg Earle for providing a patch.

        Added configure option --enable-openssl-base to specify the location of
        a non-OS OpenSSL installation

        There are systems whose kernel understands SCTP but getaddrinfo does
        not.
        As workaround after EAI_SOCKTYPE on name and service resolution
        fall back to ai_socktype=0; if it fails with EAI_SERVICE, set
        ai_protocol=0 and try again
        Test: SCTP_SERVICENAME

        Per file filesystem options were still named ext2-* and depended on
        <linux/ext2_fs.h>. Now they are called fs-* and depend on <linux/fs.h>.
        These fs-* options are also available on old systems with ext2_fs.h

        New options openssl-min-proto-version (min-version) and
        openssl-max-proto-version (max-version) give access to the related
        OpenSSL set-macros and substitute deprecated version-specific methods.
        Test: OPENSSL_MIN_VERSION

        With OpenSSL use OPENSSL_init_SSL when available, instead of deprecated
        SSL_library_init.

        With OPENSSL_API_COMPAT=0x10000000L the files openssl/dh.h, openssl/bn.h
        must explicitly be included.
        Thanks to Rosen Penev for reporting and sending a patch.

Testing:
        test.sh now produces a list of tests that could not be performed for
        any reason. This helps to analyse these cases.

        OpenSSL s_server apparently started to neglect TCP's half close feature.
        Test OPENSSL_TCP4 has been changed to tolerate this.

        OpenSSL changed its behaviour when connection is rejected. Tests
        OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and
        OPENSSL_CN_SERVER_SECURITY now tolerate this.

        OpenSSL no longer allows explicit renegotiation with TLSv1.3, thus the
        appropriate tests failed.
        Fix: use TLSv1.2 for renegotiation tests
        Tests: OPENSSLRENEG1 OPENSSLRENEG2

        Ubuntu 20.04 requires 2048 bit certificates with OpenSSL

        Archlinux 2020 has no which command; its ip, ss commands have modified
        version strings

        More testing issues solved:
        * ss to pipe might omit column separator
        * UDP6MULTICAST_UNIDIR fails on newer Linux kernels
        * do not use sort -V
        * renamed testaddrs() to testfeats(), and introduced new testaddrs()

New features:
        GOPEN and UNIX-CLIENT addresses now support sockets of type SEQPACKET.
        Test: GOPENUNIXSEQPACKET
        Feature suggested by vi0oss.

        The generic setsockopt-int and related options are, in case of
        listening/accepting addresses, applied to the connected socket(s). To enable
        setting options on the listening socket, a new option setsockopt-listen
        has been implemented. See the documentation for info on data types.
        Tests: SETSOCKOPT SETSOCKOPT_LISTEN
        Thanks to Steven Danna and Korian Edeline for reporting this issue.

        Filan option -S gives short description like -s but with improved
        format

        Socat OpenSSL client, when server was specified using IP address, did
        not verify connection on the certificate's SubjectAltName IP entries.
        Tests: OPENSSL_SERVERALTAUTH OPENSSL_SERVERALTIP4AUTH OPENSSL_SERVERALTIP6AUTH
        Fixes Red Hat bug 1805132

        Added options -r and -R for raw dump of transferred data to files.
        Test: OPTION_RAW_DUMP

        Added option ip-transparent (socket option IP_TRANSPARENT)
        Thanks to Wang Shanker for sending a patch.

        OPENSSL-CONNECT now automatically uses the SNI feature, option
        openssl-no-sni turns it off. Option openssl-snihost overrides the value
        of option openssl-commonname or the server name.
        Tests: OPENSSL_SNI OPENSSL_NO_SNI
        Thanks to Travis Burtrum for providing the initial patch

        New option accept-timeout (listen-timeout)
        Test: ACCEPTTIMEOUT
        Proposed by Roland

        New option ip-add-source-membership
        Feature inspired by Brian (b f31415)

        INCOMPATIBLE CHANGE: Address UDP-DATAGRAM now does not check peerport
        of replies, as it did up to version 1.7.3.4. Use option sourceport when
        you need the old behaviour.
        Test: UDP_DATAGRAM_SOURCEPORT
        Feature inspired by Hans Bueckler for SSDP inquiry (for UPnP)

        New option proxy-authorization-file reads PROXY-CONNECT credentials
        from file and makes it possible to hide this data from the process
        table.
        Test: PROXYAUTHFILE
        Thanks to Charles Stephens for sending an initial patch.

        Added AF_VSOCK support with VSOCK-CONNECT and VSOCK-LISTEN addresses.
        Developed by Stefano Garzarella.

Coding:
        Added printf formats for uint16_t etc.

Documentation:
        Address UDP-RECV does not support option fork.
        Thanks to Fulvio Scapin for reporting that mistake in docu.

        TUN address documentation showed TCP for backend which may merge
        consecutive packets which causes data loss.
        Thanks to Tomasz Lakota for reporting this issue.

####################### V 1.7.3.4:

Corrections:
        Header of xiotermios_speed() declared parameter unsigned int instead of
        speed_t, thus compiling failed on MacOS
        Thanks to Joe Strout and others for reporting this bug.
        Thanks to Andrew Childs and others for sending a patch.

        Under certain circumstances, termios options of the first address were
        applied to the second address, resulting in error
        "Inappropriate ioctl for device"
        This affected version 1.7.3.3 only.
        Test: TERMIOS_PH_ALL
        Thanks to Ivan J. for reporting this issue.

        Socat failed to compile when no poll() system call was found by
        configure.
        Thanks to Jason White for sending a patch.

        Due to use of SSL_CTX_clear_mode() Socat failed to compile on old
        systems with, e.g., OpenSSL-0.9.8. Thanks to Simon Matter and Moritz B.
        for reporting this problem and sending initial patches.

        getaddrinfo() in IP4-SENDTO and IP6-SENDTO addresses failed with
        "ai_socktype not supported" when protocol 6 was addressed.
        The fix removes the possibility to use service names with SCTP.
        Test: IP_SENDTO_6
        Thanks to Sören for sending an initial patch.

        Under certain circumstances, Socat printed the "socket ... is at EOF"
        multiple times.
        Test: MULTIPLE_EOF

        Newer parts of test.sh used substitutions ${x,,*} or ${x^^*} that are
        not implemented in older bash versions.

####################### V 1.7.3.3:

Corrections:
        Makefile.in did not specify dependencies of filan on vsnprintf_r.o
        and snprinterr.o
        Added definition of FILAN_OBJS
        Thanks to Craig Leres, Clayton Shotwell, and Chris Packham for
        providing patches.

        configure option --enable-msglevel did not work with numbers

        The autoconf mechanism for determining SHIFT_OFFSET did not work when
        cross compiling.
        Thanks to Max Freisinger from Gentoo for sending a patch.

        Socat still depended on obsolete gethostbyname() function, thus
        compiling with MUSL libc failed.
        Problem reported by Kennedy33.

        The async signal safe diagnostic system used FDs 3 and 4 internally, so
        use of appropriate fdin or fdout led to failures.
        Test: DIAG_FDIN
        Problem reported by Onur Sentürk.

        The socket based mechanism for passing messages and signal information
        from signal handler to process could reach and kill the wrong process.
        Introduces functions diag_sock_pair(), diag_fork()
        Thanks to Darren Zhao for analysing and reporting this problem.

        Option ipv6-join-group did not work because it was applied in the wrong
        phase
        Test: UDP6MULTICAST_UNIDIR
        Thanks to Angus Gratton for sending a patch.

        Setting ispeed and ospeed failed for some serial devices because the
        two settings were applied with two different get/set cycles. Thanks to
        Alexandre Fenyo for providing an initial patch.
        However, the actual fix is part of a conceptual change of the termios
        module that aims for applying all changes in a single tcsetattr call.
        Fixes FreeBSD Bug 198441

        Termios options TAB0,TAB1,TAB2,TAB3, and XTABS did not have an effect.
        Thanks to Alan Walters for reporting this bug.

        Substituted cumbersome ISPEED_OFFSET mechanism for cfsetispeed() calls

        With TCP6-LISTEN and the other passive IPv6 addresses the range option
        just failed: due to a bug in the syntax parser and two more bugs in
        the xiocheckrange_ip6() function.
        The syntax has now been changed from "[::1/128]" to "[::1]/128"!
        Thanks to Leah Neukirchen for sending an initial fix.

        For name resolution Socat only checked the first character of the host
        name to decide if it is an IPv4 address. This was not RFC conformant. This
        fix removes the possibility for use of IPv4 addresses with IPv6, e.g.
        TCP6:127.0.0.1:80
        Debian issue 695885
        Thanks to Nicolas Fournil for reporting this issue.

        Print a useful error message when single character options appear to be
        merged in Socat invocation
        Test: SOCAT_OPT_HINT

        Fixed some docu typos.
        Thanks to Travis Wellman, Thomas <tjps636>, Dan Kenigsberg,
        Julian Zinn, and Simon Matter

Porting:
        OpenSSL functions TLS1_client_method() and similar are
        deprecated. Socat now uses recommended TLS_client_method().
        The old
        functions and dependent option openssl-method can still be
        used when configuring socat with --enable-openssl-method

        Shell scripts in socat distribution are now headed with:
        #! /usr/bin/env bash
        to make them better portable to systems without /bin/bash
        Thanks to Maya Rashish for sending a patch

        RES_AAONLY, RES_PRIMARY are deprecated. You can still enable them with
        configure option --enable-res-deprecated.

        New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat.
        Solution: clear SSL_MODE_AUTO_RETRY when it is set.

        Renamed configure.in to configure.ac and set an appropriate symlink for
        older environments.
        Related Gentoo bug 426262: Warning on configure.in
        Thanks to Francesco Turco for reporting that warning.

        Fixed new IPv6 range code for platforms without s6_addr32 component.

Testing:
        test.sh: Show a warning when phase-1 (insecure phase) of a security
        test fails

        OpenSSL tests failed on actual Linux distributions. Measures:
        Increased key lengths from 768 to 1024 bits
        Added test.sh option -C to delete temp certs from previous runs
        Provide DH-parameter in certificate in PEM
        OpenSSL s_server option -verify 0 must be omitted
        OpenSSL authentication method aNULL no longer works
        Failure of cipher aNULL is not a failure
        Failure of methods SSL3 and SSL23 is desired

        test.sh depended on ifconfig and netstat utilities which are no longer
        available in some distributions. test.sh now checks for and prefers
        ip and ss.
        Thanks to Ruediger Meier for reporting this problem.

        More corrections to test.sh:
        Language settings could still influence test results
        netstat was still required
        Suppress usleep deprecated message
        Force use of IPv4 with some certificates
        Set timeout for UDPxMAXCHILDREN tests

Git:
        Added missing Config/Makefile.DragonFly-2-8-2,
        Config/config.DragonFly-2-8-2.h
        Removed testcert.conf (to be generated by test.sh)

Cosmetics:
        Simplified handling of missing termios defines.

New features:
        Permit combined -d options as -dd etc.

porting:
        ext2 options are now fs options.

####################### V 1.7.3.2:

corrections:
        SIGSEGV and other signals could lead to a 100% CPU loop

        Failing name resolution could lead to SIGSEGV
        Thanks to Max for reporting this issue.

        Include <stddef.h> for ptrdiff_t
        Thanks to Jeroen Roovers for reporting this issue.

        Building with --disable-sycls failed due to missing sslcls.h defines

        Socat hung when configured with --disable-sycls.

        Some minor corrections with includes etc.

        Option so-reuseport did not work. Thanks to Some Raghavendra Prabhu
        for sending a patch.

        Programs invoked with EXEC, nofork, and -u or -U had stdin and stdout
        incorrectly assigned
        Test: EXEC_NOFORK_UNIDIR
        Thanks to David Reiss for reporting this problem.

        Socat exited with status 0 even when a program invoked with SYSTEM or
        EXEC failed.
        Tests: SYSTEM_RC EXEC_RC
        Issue reported by Felix Winkelmann.

        AddressSanitizer reported a few buffer overflows (false positives).
        Nevertheless fixed Socat source.
        Issue reported by Hanno Böck.

        Socat did not use option ipv6-join-group.
        Test: USE_IPV6_JOIN_GROUP
        Thanks to Linus Lüssing for sending a patch.

        UDP-LISTEN did not honor the max-children option.
        Test: UDP4MAXCHILDREN UDP6MAXCHILDREN
        Thanks to Leander Berwers for reporting this issue.

        Options so-rcvtimeo and so-sndtimeo do not work with poll()/select()
        and therefore were useless.
        Thanks to Steve Borenstein for reporting this issue.

        Option dhparam was documented as dhparams. Added the alias name
        dhparams to fix this.
        Thanks to Alexander Neumann for sending a patch.

        Options shut-down and shut-close did not work.
        Thanks to Stefan Schimanski for providing a patch.

        There was a bug in printing readline log message caused by a misleading
        indentation.
        Thanks to Paul Wouters for reporting.

        The internal vsnprintf_r function looped or crashed on size parameter
        with hexadecimal output.

        Ignore exit code of child process when it was killed by master due to
        EOF

        Corrected byte order on read of IPV6_TCLASS value from ancillary
        message

        Fixed type of the bool element in options. This bug had caused failures
        e.g. of ignoreeof on big-endian systems when bool was not based on int.

        On systems with predefined bool type whose size differs from int some
        IPv6 and TCP options (per setsockopt()) failed.

        Length of integral data in ancillary messages varies (TOS: 1 byte,
        TTL: 4 bytes), the old implementation failed for TTL on big-endian
        hosts.

        Fixed an issue in options processing: TUN and DNS flags had failed on
        big-endian systems and the NO- forms had probably never worked.

porting:
        Type conflict between int and sig_atomic_t between declaration and
        definition of diag_immediate_type and diag_immediate_exit broke
        compilation on FreeBSD 10.1 with clang. Thanks to Emanuel Haupt for
        reporting this bug.

        Socat failed to compile on platforms with OpenSSL without
        DTLSv1_client_method or DTLSv1_server_method.
        Thanks to Simon Matter for sending a patch.

        NuttX OS headers do not provide struct ip, thus socat did not compile.
        Made struct ip subject to configure.
        Thanks to SP for reporting this issue.

        Socat failed to compile with OpenSSL version 1.0.2d where
        SSLv3_server_method and SSLv3_client_method are no longer defined.
        Thanks to Mischa ter Smitten for reporting this issue and providing
        a patch.

        configure checked for OpenSSL EC_KEY assuming it is a define but it
        is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
        Thanks to Andrey Arapov for reporting this bug.

        Changes to make socat compile with OpenSSL 1.1.
        Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
        providing the base patch.
        Debian Bug#828550

        Make Socat compatible with BoringSSL.
        Thanks to Matt Braithwaite for providing a patch.

        OpenSSL: Use RAND_status to determine PRNG state
        Thanks to Adam Langley for providing a patch

        AIX-7 uses an extended O_ACCMODE that does not fit socat's internal
        requirements. Thanks to Garrick Trowsdale for providing a patch

        LibreSSL support: check for OPENSSL_NO_COMP
        Thanks to Bernard Spil for providing a patch

testing:
        socks4echo.sh and socks4a-echo.sh hung with new bash with read -n

        test.sh: stderr; option -v (verbose); FDOUT_ERROR description

        improved proxy.sh - it now also takes hostnames

        A few corrections in test.sh

        DTLS1 test hangs on some distributions. Test is now only performed
        with OpenSSL 1.0.2 or higher.

        More corrections to test.sh that reveal a mistake with IPV6_TCLASS

docu:
        Corrected source of socat man page to correctly show man references
        like socket(2); removed obsolete entries from See Also

        Docu and some comments mentioned addresses SSL-LISTEN and SSL-CONNECT
        that do not exist (OPENSSL-LISTEN, SSL-L; and OPENSSL-CONNECT, SSL
        are correct).
        Thanks to Zhigang Wang for reporting this issue.

        Fixed a couple of English spelling and grammar mistakes.
        Thanks to Jakub Wild for sending the patches.

        NOEXPAND() was not resolved 2 times.

        More minor docu corrections

legal:
        Added contributors to copyright notices. Suggested by Matt Braithwaite.

####################### V 1.7.3.1:

security:
        Socat security advisory 8
        A stack overflow vulnerability was found that can be triggered when
        command line arguments (complete address specifications, host names,
        file names) are longer than 512 bytes.
        Successful exploitation might allow an attacker to execute arbitrary
        code with the privileges of the socat process.
        This vulnerability can only be exploited when an attacker is able to
        inject data into socat's command line.
        A vulnerable scenario would be a CGI script that reads data from clients
        and uses (parts of) this data as hostname for a Socat invocation.
        Test: NESTEDOVFL
        Credits to Takumi Akiyama for finding and reporting this issue.

        Socat security advisory 7
        MSVR-1499
        In the OpenSSL address implementation the hard coded 1024 bit DH p
        parameter was not prime. The effective cryptographic strength of a key
        exchange using these parameters was weaker than the one one could get by
        using a prime p. Moreover, since there is no indication of how these
        parameters were chosen, the existence of a trapdoor that makes it possible
        for an eavesdropper to recover the shared secret from a key exchange
        that uses them cannot be ruled out.
        Furthermore, 1024bit is not considered sufficiently secure.
        Fix: generated a new 2048bit prime.
        Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
        Research (MSVR) for finding and reporting this issue.

####################### V 1.7.3.0:

security:
        Socat security advisory 6
        CVE-2015-1379: Possible DoS with fork
        Fixed problems with signal handling caused by use of not async signal
        safe functions in signal handlers that could freeze socat, allowing
        denial of service attacks.
        Many changes in signal handling and the diagnostic messages system were
        applied to make the code async signal safe but still provide detailed
        logging from signal handlers:
        Coded function vsnprintf_r() as async signal safe incomplete substitute
        of libc vsnprintf()
        Coded function snprinterr() to replace %m in strings with a system error
        message
        Instead of gettimeofday() use clock_gettime() when available
        Pass Diagnostic messages from signal handler per unix socket to the main
        program flow
        Use sigaction() instead of signal() for better control
        Turn off nested signal handler invocations
        Thanks to Peter Lobsinger for reporting and explaining this issue.

        Red Hat issue 1019975: add TLS host name checks
        OpenSSL client checks if the server certificate's names in
        extensions/subjectAltName/DNS or in subject/commonName match the name
        used to connect or the value of the openssl-commonname option.
        Test: OPENSSL_CN_CLIENT_SECURITY

        OpenSSL server checks if the client certificate's names in
        extensions/subjectAltNames/DNS or subject/commonName match the value of
        the openssl-commonname option when it is used.
        Test: OPENSSL_CN_SERVER_SECURITY

        Red Hat issue 1019964: socat now uses the system certificate store with
        OPENSSL when neither options cafile nor capath are used

        Red Hat issue 1019972: needs to specify OpenSSL cipher suites
        Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
        prevent downgrade attacks

new features:
        OpenSSL addresses set a couple of environment variables from values in
        peer certificate, e.g.:
        SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER,
        SOCAT_OPENSSL_X509_COMMONNAME,
        SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS
        Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_*

        Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1
        Tests: OPENSSL_METHOD_*

        Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested
        by Andrey Arapov.

        Added a new option termios-rawer for ptys.
        Thanks to Christian Vogelgsang for pointing me to this requirement

corrections:
        Bind with ABSTRACT commands used non-abstract namespace (Linux).
        Test: ABSTRACT_BIND
        Thanks to Denis Shatov for reporting this bug.

        Fixed return value of nestlex()

        Option ignoreeof on the right address hung.
        Test: IGNOREEOF_REV
        Thanks to Franz Fasching for reporting this bug.

        Address SYSTEM, when terminating, shut down its parent addresses,
        e.g. an SSL connection which the parent assumed to still be active.
        Test: SYSTEM_SHUTDOWN

        Passive (listening or receiving) addresses with empty port field bound
        to a random port instead of terminating with error.
        Test: TCP4_NOPORT

        configure with some combination of disable options produced config
        files that failed to compile due to missing IPPROTO_TCP.
        Thanks to Thierry Fournier for report and patch.

        fixed a few minor bugs with OpenSSL in configure and with messages

        Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime
        is required.
        Thanks to Zhigang Wang for reporting and sending a patch.

        Christophe Leroy provided a patch that fixes memory leaks reported by
        valgrind

        Help for filan -L was bad, is now corrected to:
        "follow symbolic links instead of showing their properties"

        Address options fdin and fdout were silently ignored when not applicable
        due to -u or -U option. Now these combinations are caught as errors.
        Test: FDOUT_ERROR
        Issue reported by Hendrik.

        Added option termios-cfmakeraw that calls cfmakeraw() and is preferred
        over option raw which is now obsolete. On SysV systems this call is
        simulated by appropriate setting.
        Thanks to Youfu Zhang for reporting issue with option raw.

porting:
        Socat included <sys/poll.h> instead of POSIX <poll.h>
        Thanks to John Spencer for reporting this issue.

        Version 1.7.2.4 changed the check for gcc in configure.ac; this
        broke cross compiling. The particular check gets reverted.
        Thanks to Ross Burton and Danomi Manchego for reporting this issue.

        Debian Bug#764251: Set the build timestamp to a deterministic time:
        support external BUILD_DATE env var to allow to build reproducible
        binaries

        Joachim Fenkes provided a new adapted spec file.

        Type bool and macros Min and Max are defined by socat which led to
        compile errors when they were already provided by build framework.
        Thanks to Liyu Liu for providing a patch.

        David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h
        support and appropriate files in Config/

        Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h
        on Illumos

        Changes for Openindiana: define _XPG4_2, __EXTENSIONS__,
        _POSIX_PTHREAD_SEMANTICS; and minor changes

        Red Hat issue 1182005: socat 1.7.2.4 build failure missing
        linux/errqueue.h
        Socat failed to compile on PPC due to new requirements for
        including <linux/errqueue.h> and a weakness in the conditional code.
        Thanks to Michel Normand for reporting this issue.

doc:
        In the man page the PTY example was badly formatted. Thanks to
        J.F.Sebastian for sending a patch.

        Added missing CVE ids to security issues in CHANGES

testing:
        Do not distribute testcert.conf with socat source but generate it
        (and new testcert6.conf) during test.sh run.

####################### V 1.7.2.4:

corrections:
        LISTEN based addresses applied some address options, e.g. so-keepalive,
        to the listening file descriptor instead of the connected file
        descriptor
        Thanks to Ulises Alonso for reporting this bug

        make failed after configure with non gcc compiler due to missing
        include. Thanks to Horacio Mijail for reporting this problem

        configure checked for --disable-rawsocket but printed
        --disable-genericsocket in the help text. Thanks to Ben Gardiner for
        reporting and patching this bug

        In xioshutdown() a wrong branch was chosen after RECVFROM type addresses.
        Probably no impact.
        Thanks to David Binderman for reporting this issue.

        procan could not cleanly format ulimit values longer than 16 decimal
        digits. Thanks to Frank Dana for providing a patch that increases field
        width to 24 digits.

        OPENSSL-CONNECT with bind option failed on some systems, e.g. FreeBSD, with
        "Invalid argument"
        Thanks to Emile den Tex for reporting this bug.

        Changed some variable definitions to make gcc -O2 aliasing checker happy
        Thanks to Ilya Gordeev for reporting these warnings

        On big endian platforms with type long >32bit the range option applied a
        bad base address. Thanks to hejia hejia for reporting and fixing this bug.

        Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()

        Red Hat issue 1022063: out-of-range shifts on net mask bits

        Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()

        Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()
        uses

        Red Hat issue 1021958: fixed a bug with faulty buffer/data length
        calculation in xio-ascii.c:_xiodump()

        Red Hat issue 1021972: fixed a missing NUL termination in return string
        of sysutils.c:sockaddr_info() for the AF_UNIX case

        fixed some typos and minor issues, including:
        Red Hat issue 1021967: formatting error in manual page

        UNIX-LISTEN with fork option did not remove the socket file system entry
        when exiting. Other file system based passive address types had similar
        issues or failed to apply options umask, user e.a.
        Thanks to Lorenzo Monti for pointing me to this issue

porting:
        Red Hat issue 1020203: configure checks fail with some compilers.
        Use case: clang

        Performed changes for Fedora release 19

        Adapted, improved test.sh script

        Red Hat issue 1021429: getgroupent fails with large number of groups;
        use getgrouplist() when available instead of sequence of calls to
        getgrent()

        Red Hat issue 1021948: snprintf API change;
        Implemented xio_snprintf() function as wrapper that tries to emulate C99
        behaviour on old glibc systems, and adapted all affected calls
        appropriately

        Mike Frysinger provided a patch that supports long long for time_t,
        socklen_t and a few other libc types.

        Artem Mygaiev extended Cedril Priscal's Android build script with pty code

        The check for fips.h required stddef.h
        Thanks to Matt Hilt for reporting this issue and sending a patch

        Check for linux/errqueue.h failed on some systems due to lack of
        linux/types.h inclusion. Thanks to Michael Vastola for sending a patch.

        autoconf now prefers configure.ac over configure.in
        Thanks to Michael Vastola for sending a patch.

        type of struct cmsghdr.cmsg is system dependent, determine it with
        configure; some more print format corrections

docu:
        libwrap always logs to syslog

        added actual text version of GPLv2

####################### V 1.7.2.3:

security:
        Socat security advisory 5
        CVE-2014-0019: socat's PROXY-CONNECT address was vulnerable to a buffer
        overflow with data from command line (see socat-secadv5.txt)
        Credits to Florian Weimer of the Red Hat Product Security Team

####################### V 1.7.2.2:

security:
        Socat security advisory 4
        CVE-2013-3571:
        after refusing a client connection due to bad source address or source
        port socat shutdown() the socket but did not close() it, resulting in
        a file descriptor leak in the listening process, visible with lsof and
        possibly resulting in EMFILE Too many open files. This issue could be
        misused for a denial of service attack.
        Full credits to Catalin Mitrofan for finding and reporting this issue.

####################### V 1.7.2.1:

security:
        Socat security advisory 3
        CVE-2012-0219:
        fixed a possible heap buffer overflow in the readline address. This bug
        could be exploited when all of the following conditions were met:
        1) one of the addresses is READLINE without the noprompt and without the
        prompt options.
        2) the other (almost arbitrary address) reads malicious data (which is
        then transferred by socat to READLINE).
        Workaround: when using the READLINE address apply option prompt or
        noprompt.
        Full credits to Johan Thillemann for finding and reporting this issue.

####################### V 1.7.2.0:

corrections:
        when UNIX-LISTEN was applied to an existing file it failed as expected
        but removed the file. Thanks to Bjoern Bosselmann for reporting this
        problem

        fixed a bug where socat might crash when connecting to a unix domain
        socket using address GOPEN. Thanks to Martin Forssen for bug report and
        patch.

        UDP-LISTEN would always set SO_REUSEADDR even without fork option and
        when user set it to 0. Thanks to Michal Svoboda for reporting this bug.

        UNIX-CONNECT did not support half-close. Thanks to Greg Hughes who
        pointed me to that bug

        TCP-CONNECT with option nonblock reported successful connect even when
        it was still pending

        address option ioctl-intp failed with "unimplemented type 26". Thanks
        to Jeremy W. Sherman for reporting and fixing that bug

        socat option -x did not print packet direction, timestamp etc; thanks
        to Anthony Sharobaiko for sending a patch

        address PTY does not take any parameters but did not report an error
        when some were given

        Marcus Meissner provided a patch that fixes invalid output and possible
        process crash when socat prints info about an unnamed unix domain
        socket

        Michal Soltys reported the following problem and provided an initial
        patch: when socat was interrupted, e.g. by SIGSTOP, and resumed during
        data transfer only parts of the data might have been written.

        Option o-nonblock in combination with large transfer block sizes
        may result in partial writes and/or EAGAIN errors that were not handled
        properly but resulted in data loss or process termination.

        Fixed a bug that could freeze socat when during assembly of a log
        message a signal was handled that also printed a log message.
        socat development had been aware that localtime() is not thread safe
        but had only expected broken messages, not corrupted stack (glibc 2.11.1,
        Ubuntu 10.4)

        an internal store for child pids was susceptible to pid reuse which
        could lead to sporadic data loss when both fork option and exec address
        were used. Thanks to Tetsuya Sodo for reporting this problem and
        sending a patch

        OpenSSL server failed with "no shared cipher" when using cipher aNULL.
        Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
        for drawing my attention to this issue.

        UDP-LISTEN slept 1s after accepting a connection. This is not required.
        Thanks to Peter Valdemar Morch for reporting this issue

        fixed a bug that could lead to error or socat crash after a client
        connection with option retry had been established

        fixed configure.in bug on net/if.h check that caused IF_NAMESIZE to be
        undefined

        improved dev_t print format definition

porting:
        Cedril Priscal ported socat to Android (using Google's cross compiler).
        The port includes the socat_buildscript_for_android.sh script

        added check for component ipi_spec_dst in struct in_pktinfo so
        compilation does not fail on Cygwin (thanks to Peter Wagemans for
        reporting this problem)

        build failed on RHEL6 due to presence of fips.h; configure now checks
        for fipsld too.
        Thanks to Andreas Gruenbacher for reporting this problem

        check for netinet6/in6.h only when IPv6 is available and enabled

        don't fail to compile when the following defines are missing:
        IPV6_PKTINFO IPV6_RTHDR IPV6_DSTOPTS IPV6_HOPOPTS IPV6_HOPLIMIT
        Thanks to Jerry Jacobs for reporting this problem (Mac OS X Lion 10.7)

        check if define __APPLE_USE_RFC_2292 helps to enable IPV6_* (MacOSX
        Lion 7.1); thanks to Jerry Jacobs for reporting this problem and
        proposing a solution

        fixed compiler warnings on Mac OS X 64bit. Thanks to Guy Harris for
        providing the patch.

        corrections for OpenEmbedded, especially termios SHIFT values and
        ISPEED/OSPEED. Thanks to John Faith for providing the patch

        minor corrections to docu and test.sh resulting from local compilation
        on Openmoko SHR

        fixed sa_family_t compile error on DragonFly. Thanks to Tony Young for
        reporting this issue and sending a patch.

        Ubuntu Oneiric: OpenSSL no longer provides SSLv2 functions; libutil.sh
        is now bsd/libutil.h; compiler warns on vars that are only written to

new features:
        added option max-children that limits the number of concurrent child
        processes. Thanks to Sam Liddicott for providing the patch.

        Till Maas added support for tun/tap addresses without IP address

        added an option openssl-compress that allows to disable the compression
        feature of newer OpenSSL versions. Thanks to Michael Hanselmann for
        providing this contribution (sponsored by Google Inc.)

docu:
        minor corrections in docu (thanks to Paggas)

        client process -> child process

####################### V 1.7.1.3:

security:
        Socat security advisory 2
        CVE-2010-2799:
        fixed a stack overflow vulnerability that occurred when command
        line arguments (whole addresses, host names, file names) were longer
        than 512 bytes.
        Note that this could only be exploited when an attacker was able to
        inject data into socat's command line.
        Full credits to Felix Gröbert, Google Security Team, for finding and
        reporting this issue

####################### V 1.7.1.2:

corrections:
        user-late and group-late, when applied to a pty, affected the system
        device /dev/ptmx instead of the pty (thanks to Matthew Cloke for
        pointing me to this bug)

        socat's openssl addresses failed with "nonblocking operation did not
        complete" when the peer performed a renegotiation. Thanks to Benjamin
        Delpy for reporting this bug.

        info message during socks connect showed bad port number on little
        endian systems due to wrong byte order (thanks to Peter M. Galbavy for
        bug report and patch)

        Debian bug 531078: socat execs children with SIGCHLD ignored; corrected
        to default. Thanks to Martin Dorey for reporting this bug.

porting:
        building socat on systems that predefined the CFLAGS environment to
        contain -Wall failed (esp. RedHat). Thanks to Paul Wouters for reporting
        this problem and to Simon Matter for providing the patch

        support for Solaris 8 and Sun Studio support (thanks to Sebastian
        Kayser for providing the patches)

        on some 64bit systems a compiler warning "cast from pointer to integer
        of different size" was issued on some option definitions

        added struct sockaddr_ll to union sockaddr_union to avoid "strict
        aliasing" warnings (problem reported by Paul Wouters)

docu:
        minor corrections in docu

####################### V 1.7.1.1:

corrections:
        corrected the "fixed possible SIGSEGV" fix because SIGSEGV still might
        occur under those conditions. Thanks to Toni Mattila for first
        reporting this problem.

        ftruncate64 cut its argument to 32 bits on systems with 32 bit long type

        socat crashed on systems without setenv() (esp. SunOS up to Solaris 9);
        thanks to Todd Stansell for reporting this bug

        with unidirectional EXEC and SYSTEM a close() operation was performed
        on a random number which could result in hanging e.a.

        fixed a compile problem caused by size_t/socklen_t mismatch on 64bit
        systems

        docu mentioned option so-bindtodev but correct name is so-bindtodevice.
        Thanks to Jim Zimmerman for reporting.

docu changes:
        added environment variables example to doc/socat-multicast.html

####################### V 1.7.1.0:

new features:
        address options shut-none, shut-down, and shut-close allow to control
        socat's half close behaviour

        with address option shut-null socat sends an empty packet to the peer
        to indicate EOF

        option null-eof changes the behaviour of sockets that receive an empty
        packet to see EOF instead of ignoring it

        introduced option names substuser-early and su-e, currently equivalent
        to option substuser (thanks to Mike Perry for providing the patch)

corrections:
        fixed some typos and improved some comments

####################### V 1.7.0.1:

corrections:
        fixed possible SIGSEGV in listening addresses when a new connection was
        reset by peer before the socket addresses could be retrieved. Thanks to
        Mike Perry for sending a patch.

        fixed a bug, introduced with version 1.7.0.0, that let client
        connections with option connect-timeout fail when the connections
        succeeded. Thanks to Bruno De Fraine for reporting this bug.

        option end-close "did not apply" to addresses PTY, SOCKET-CONNECT,
        and most UNIX-* and ABSTRACT-*

        half close of EXEC and SYSTEM addresses did not work for pipes and
        sometimes socketpair

        help displayed a wrong type for some option

        under some circumstances shutdown was called multiple times for the
        same fd

####################### V 1.7.0.0:

new features:
        new address types SCTP-CONNECT and SCTP-LISTEN implement SCTP stream
        mode for IPv4 and IPv6; new address options sctp-maxseg and
        sctp-nodelay (suggested by David A. Madore; thanks to Jonathan Brannan
        for providing an initial patch)

        new address "INTERFACE" for transparent network interface handling
        (suggested by Stuart Nicholson)

        added generic socket addresses: SOCKET-CONNECT, SOCKET-LISTEN,
        SOCKET-SENDTO, SOCKET-RECVFROM, SOCKET-RECV, SOCKET-DATAGRAM allow
        protocol independent socket handling; all parameters are explicitly
        specified as numbers or hex data

        added address options ioctl-void, ioctl-int, ioctl-intp, ioctl-string,
        ioctl-bin for generic ioctl() calls.

        added address options setsockopt-int, setsockopt-bin, and
        setsockopt-string for generic setsockopt() calls

        option so-type now only affects the socket() and socketpair() calls,
        not the name resolution. so-type and so-prototype can now be applied to
        all socket based addresses.

        new address option "escape" allows to break a socat instance even when
        raw terminal mode prevents ^C etc.
        (feature suggested by Guido Trotter)

        socat sets environment variables SOCAT_VERSION, SOCAT_PID, SOCAT_PPID
        for use in executed scripts

        socat sets environment variables SOCAT_SOCKADDR, SOCAT_SOCKPORT,
        SOCAT_PEERADDR, SOCAT_PEERPORT in LISTEN type addresses (feature
        suggested by Ed Sawicki)

        socat receives all ancillary messages with each received packet on
        datagram related addresses. The messages are logged in raw form with
        debug level, and broken down with info level. note: each type of
        ancillary message must be enabled by appropriate address options.

        socat provides the contents of ancillary messages received on RECVFROM
        addresses in appropriate environment variables:
        SOCAT_TIMESTAMP, SOCAT_IP_DSTADDR, SOCAT_IP_IF, SOCAT_IP_LOCADDR,
        SOCAT_IP_OPTIONS, SOCAT_IP_TOS, SOCAT_IP_TTL, SOCAT_IPV6_DSTADDR,
        SOCAT_IPV6_HOPLIMIT, SOCAT_IPV6_TCLASS

        the following address options were added to enable ancillary messages:
        so-timestamp, ip-pktinfo (not BSD), ip-recvdstaddr (BSD), ip-recverr,
        ip-recvif (BSD), ip-recvopts, ip-recvtos, ip-recvttl, ipv6-recvdstopts,
        ipv6-recverr, ipv6-recvhoplimit, ipv6-recvhopopts, ipv6-recvpathmtu,
        ipv6-recvpktinfo, ipv6-recvrthdr, ipv6-recvtclass

        new address options ipv6-tclass and ipv6-unicast-hops set the related
        socket options.

        STREAMS (UNIX System V STREAMS) can be configured with the new address
        options i-pop-all and i-push (thanks to Michal Rysavy for providing a
        patch)

corrections:
        some raw IP and UNIX datagram modes failed on BSD systems

        when UDP-LISTEN continued to listen after packet dropped by, e.g.,
        range option, the old listen socket would not be closed but a new one
        created. open sockets could accumulate.

        there was a bug in ip*-recv with bind option: it did not bind, and
        with the first received packet an error occurred:
        socket_init(): unknown address family 0
        test: RAWIP4RECVBIND

        RECVFROM addresses with FORK option hung after processing the first
        packet. test: UDP4RECVFROM_FORK

        corrected a few mistakes that caused compiler warnings on 64bit hosts
        (thanks to Jonathan Brannan e.a. for providing a patch)

        EXEC and SYSTEM with stderr injected socat messages into the data
        stream. test: EXECSTDERRLOG

        when the EXEC address got a string with consecutive spaces it created
        additional empty arguments (thanks to Olivier Hervieu for reporting
        this bug). test: EXECSPACES

        in ignoreeof polling mode socat also blocked data transfer in the other
        direction during the 1s wait intervals (thanks to Jorgen Cederlof for
        reporting this bug)

        corrected alphabetical order of options (proxy-auth)

        some minor corrections

        improved test.sh script: more stable timing, corrections for BSD

        replaced the select() calls by poll() to cleanly fix the problems with
        many file descriptors already open

        socat option -lf did not log to file but to stderr

        socat did not compile on Solaris when configured without termios
        feature (thanks to Pavan Gadi for reporting this bug)

porting:
        socat compiles and runs on AIX with gcc (thanks to Andi Mather for his
        help)

        socat compiles and runs on Cygwin (thanks to Jan Just Keijser for his
        help)

        socat compiles and runs on HP-UX with gcc (thanks to Michal Rysavy for
        his help)

        socat compiles and runs on MacOS X (thanks to Camillo Lugaresi for his
        help)

further changes:
        filan -s prefixes output with FD number if more than one FD

        Makefile now supports datarootdir (thanks to Camillo Lugaresi for
        providing the
        patch)

        cleanup in xio-unix.c

####################### V 1.6.0.1:

new features:
        new make target "gitclean"

        docu source doc/socat.yo released

corrections:
        exec:...,pty did not kill child process under some circumstances; fixed
        by correcting typo in xio-progcall.c (thanks to Ralph Forsythe for
        reporting this problem)

        service name resolution failed due to byte order mistake
        (thanks to James Sainsbury for reporting this problem)

        socat would hang when invoked with many file descriptors already opened
        fix: replaced FOPEN_MAX with FD_SETSIZE
        thanks to Daniel Lucq for reporting this problem.

        fixed bugs where sub processes would become zombies because the master
        process did not catch SIGCHLD. this affected addresses UDP-LISTEN,
        UDP-CONNECT, TCP-CONNECT, OPENSSL, PROXY, UNIX-CONNECT, UNIX-CLIENT,
        ABSTRACT-CONNECT, ABSTRACT-CLIENT, SOCKSA, SOCKS4A
        (thanks to Fernanda G Weiden for reporting this problem)

        fixed a bug where sub processes would become zombies because the master
        process caught SIGCHLD but did not wait().
        this affected addresses
        UDP-RECVFROM, IP-RECVFROM, UNIX-RECVFROM, ABSTRACT-RECVFROM
        (thanks to Evan Borgstrom for reporting this problem)

        corrected option handling with STDIO; usecase: cool-write

        configure --disable-pty also disabled option waitlock

        fixed small bugs on systems with struct ip_mreq without struct ip_mreqn
        (thanks to Roland Illig for sending a patch)

        corrected name of option intervall to interval (old form still valid
        for us German speaking guys)

        corrected some print statements and variable names

        make uninstall did not uninstall procan

        fixed lots of weaknesses in test.sh

        corrected some bugs and typos in doc/socat.yo, EXAMPLES, C comments

further changes:
        procan -c prints C defines important for socat

        added test OPENSSLEOF for OpenSSL half close

####################### V 1.6.0.0:

new features:
        new addresses IP-DATAGRAM and UDP-DATAGRAM allow versatile broadcast
        and multicast modes

        new option ip-add-membership for control of multicast group membership

        new address TUN for generation of Linux TUN/TAP pseudo network
        interfaces (suggested by Mat Caughron); associated options tun-device,
        tun-name, tun-type; iff-up, iff-promisc, iff-noarp, iff-no-pi etc.

        new addresses ABSTRACT-CONNECT, ABSTRACT-LISTEN, ABSTRACT-SENDTO,
        ABSTRACT-RECV, and ABSTRACT-RECVFROM for abstract UNIX domain addresses
        on Linux (requested by Zeeshan Ali); option unix-tightsocklen controls
        socklen parameter on system calls.

        option end-close for control of connection closing allows FD sharing
        by sub processes

        range option supports form address:mask with IPv4

        changed behaviour of OPENSSL-LISTEN to require and verify client
        certificate per default

        options f-setlkw-rd, f-setlkw-wr, f-setlk-rd, f-setlk-wr allow finer
        grained locking on regular files

        uninstall target in Makefile (lack reported by Zeeshan Ali)

corrections:
        fixed bug where only first tcpwrap option was applied; fixed bug where
        tcpwrap IPv6 check always failed (thanks to Rudolf Cejka for reporting
        and fixing this bug)

        filan (and socat -D) could hang when a socket was involved

        corrected PTYs on HP-UX (and maybe others) using STREAMS (inspired by
        Roberto Mackun)

        correct bind with udp6-listen (thanks to Jan Horak for reporting this
        bug)

        corrected filan.c peekbuff[0] which did not compile with Sun Studio Pro
        (thanks to Leo Zhadanovsky for reporting this problem)

        corrected problem with read data buffered in OpenSSL layer (thanks to
        Jon Nelson for reporting this bug)

        corrected problem with option readbytes when input stream stayed idle
        after so many bytes

        fixed a bug where a datagram receiver with option fork could fork two
        sub processes per packet

further changes:
        moved documentation to new doc/ subdir

        new documents (kind of mini tutorials) are provided in doc/

####################### V 1.5.0.0:

new features:
        new datagram modes for udp, rawip, unix domain sockets

        socat option -T specifies inactivity timeout

        rewrote lexical analysis to allow nested socat calls

        addresses tcp, udp, tcp-l, udp-l, and rawip now support IPv4 and IPv6

        socat options -4, -6 and environment variables SOCAT_DEFAULT_LISTEN_IP,
        SOCAT_PREFERRED_RESOLVE_IP for control of protocol
        selection

        addresses ssl, ssl-l, socks, proxy now support IPv4 and IPv6

        option protocol-family (pf), esp. for openssl-listen

        range option supports IPv6 - syntax: range=[::1/128]

        option ipv6-v6only (ipv6only)

        new tcp-wrappers options allow-table, deny-table, tcpwrap-etc

        FIPS version of OpenSSL can be integrated - initial patch provided by
        David Acker. See README.FIPS

        support for resolver options res-debug, aaonly, usevc, primary, igntc,
        recurse, defnames, stayopen, dnsrch

        options for file attributes on advanced filesystems (ext2, ext3,
        reiser): secrm, unrm, compr, ext2-sync, immutable, ext2-append, nodump,
        ext2-noatime, journal-data etc.

        option cool-write controls severity of write failure (EPIPE,
        ECONNRESET)

        option o-noatime

        socat option -lh for hostname in log output

        traffic dumping provides packet headers

        configure.in became part of distribution

        socat's unpack directory now has full version, e.g. socat-1.5.0.0/

        corrected docu of option verify

corrections:
        fixed tcpwrappers integration - initial fix provided by Rudolf Cejka

        exec with pipes,stderr produced error

        setuid-early was ignored with many address types

        some minor corrections

####################### V 1.4.3.1:

corrections:
        PROBLEM: UNIX socket listen accepted only one (or a few) connections.
        FIX: do not remove listening UNIX socket in child process

        PROBLEM: SIGSEGV when TCP part of SSL connect failed
        FIX: check ssl pointer before calling SSL_shutdown

        In debug mode, show connect client port even when connect fails

####################### V 1.4.3.0:

new features:
        socat options -L, -W for application level locking

        options "lockfile", "waitlock" for address level locking
        (Stefan Luethje)

        option "readbytes" limits read length (Adam Osuchowski)

        option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)

        pty symlink, unix listen socket, and named pipe are per default removed
        after use; option unlink-close overrides this new behaviour and also
        controls removal of other socat generated files (Stefan Luethje)

corrections:
        option "retry" did not work with tcp-listen

        EPIPE condition could result in a 100% CPU loop

further changes:
        support systems without SHUT_RD etc.
        handle more size_t types
        try to find makedepend options with gcc 3 (richard/OpenMacNews)

####################### V 1.4.2.0:

new features:
        option "connect-timeout" limits wait time for connect operations
        (requested by Giulio Orsero)

        option "dhparam" for explicit Diffie-Hellman parameter file

corrections:
        support for OpenSSL DSA certificates (Miika Komu)

        create install directories before copying files (Miika Komu)

        when exiting on signal, return status 128+signum instead of 1

        on EPIPE and ECONNRESET, only issue a warning (Santiago Garcia
        Mantinan)

        -lu could cause a core dump on long messages

further changes:
        modifications to simplify using socat's features in applications

####################### V 1.4.1.0:

new features:
        option "wait-slave" blocks open of pty master side until a client
        connects, "pty-intervall" controls polling

        option -h as synonym to -?
        for help (contributed by Christian Lademann)

        filan prints formatted time stamps and rdev (disable with -r)

        redirect filan's output, so stdout is not affected (contributed by
        Luigi Iotti)

        filan option -L to follow symbolic links

        filan shows termios control characters

corrections:
        proxy address no longer performs unsolicited retries

        filan -f no longer needs read permission to analyze a file (but still
        needs access permission to directory, of course)

porting:
        Option dsusp
        FreeBSD options noopt, nopush, md5sig
        OpenBSD options sack-disable, signature-enable
        HP-UX, Solaris options abort-threshold, conn-abort-threshold
        HP-UX options b900, b3600, b7200
        Tru64/OSF1 options keepinit, paws, sackena, tsoptena

further corrections:
        address pty now uses ptmx as default if openpty is also available

####################### V 1.4.0.3:

security:
        Socat security advisory 1
        CVE-2004-1484:
        fix to a syslog() based format string vulnerability that can lead to
        remote code execution. See advisory socat-adv-1.txt

####################### V 1.4.0.2:

corrections:
        exec'd write-only addresses get a chance to flush before being killed

        error handler: print notice on error-exit

        filan printed wrong file type information

####################### V 1.4.0.1:

corrections:
        socks4a constructed invalid header. Problem found, reported, and fixed
        by Thomas Themel, by Peter Palfrader, and by rik

        with nofork, don't forget to apply some process related options
        (chroot, setsid, setpgid, ...)

####################### V 1.4.0.0:

new features:
        simple openssl server (ssl-l), experimental openssl trust

        new options "cafile", "capath", "key", "cert", "egd", and "pseudo" for
        openssl

        new options "retry", "forever", and "intervall"

        option "fork" for address TCP improves "gender changer"

        options "sigint", "sigquit", and "sighup" control passing of signals to
        sub process (thanks to David Shea who contributed to this issue)

        readline respects the prompt issued by the peer address

        options "prompt" and "noprompt" allow to override readline's new
        default behaviour

        readline supports invisible password with option "noecho"

        socat option -lp allows to set hostname in log output

        socat option -lu turns on microsecond resolution in log output

corrections:
        before reading available data, check if writing on other channel is
        possible

        tcp6, udp6: support hostname specification (not only IP address), and
        map IP4 names to IP6 addresses

        openssl client checks server certificate per default

        support unidirectional communication with exec/system subprocess

        try to restore original terminal settings when terminating

        test.sh uses tmp dir /tmp/$USER/$$ instead of /tmp/$$

        socks4 failed on platforms where long does not have 32 bits
        (thanks to Peter Palfrader and Thomas Seyrat)

        hstrerror substitute wrote wrong messages (HP-UX, Solaris)

        proxy error message was truncated when answer contained multiple spaces

porting:
        compiles with AIX xlc, HP-UX cc, Tru64 cc (but might not link)

####################### V 1.3.2.2:

corrections:
        PROXY CONNECT failed when the status reply from the proxy server
        contained more than one consecutive space.
        Problem reported by Alexandre Bezroutchko

        do not SIGSEGV when proxy address fails to resolve server name

        udp-listen failed on systems where AF_INET != SOCK_DGRAM (e.g. SunOS).
        Problem reported by Christoph Schittel

        test.sh only tests available features

        added missing IP and TCP options in filan analyzer

        do not apply stdio address options to both directions when in
        unidirectional mode

        on systems lacking /dev/*random and egd, provide (weak) entropy from
        libc random()

porting:
        changes for HP-UX (VREPRINT, h_NETDB_INTERNAL)

        compiles on Tru64, FreeBSD (again), NetBSD, OpenBSD

        support for long long as st_ino type (Cygwin 1.5)

        compile on systems where pty can not be featured

####################### V 1.3.2.1:

corrections:
        "final" solution for the ENOCHLD problem

        corrected "make strip"

        default gcc debug/opt is "-O" again

        check for /proc at runtime, even if configure found it

        src.rpm accidentally supported SuSE instead of RedHat

####################### V 1.3.2.0:

new features:
        option "nofork" connects an exec'd script or program directly
        to the file descriptors of the other address, circumventing the socat
        transfer engine

        support for files >2GB, using ftruncate64(), lseek64(), stat64()

        filan has new "simple" output style (filan -s)

porting:
        options "binary" and "text" for controlling line termination on Cygwin
        file system access (hint from Yang Wu-Zhou)

        fix by Yang Wu-Zhou for the Cygwin "No Children" problem

        improved support for OSR: _SVID3; no IS_SOCK, no F_GETOWN (thanks to
        John DuBois)

        minor corrections to avoid warnings with gcc 3

further corrections and minor improvements:
        configure script is generated with autoconf 2.57 (no longer 2.52)
        configure passes CFLAGS to Makefile

        option -??? for complete list of address options and their short forms

        program name in syslog messages is derived from argv[0]

        SIGHUP now prints notice instead of error

        EIO during read of pty now gives Notice instead of Error, and
        triggers EOF

        use of hstrerror() for printing resolver error messages

        setgrent() got required endgrent()

####################### V 1.3.1.0:

new features:
        integration of Wietse Venema's tcpwrapper library (libwrap)

        with "proxy" address, option "resolve" controls if hostname or IP
        address is sent in request

        option "lowport" establishes limited authorization for TCP and UDP
        connections

        improvement of .spec file for RPM creation (thanks to Gerd v. Egidy)
        An accompanying change in the numbering scheme results in an
        incompatibility with earlier socat RPMs!


solved problems and bugs:
        PROBLEM: socat daemon terminated when the address of a connecting
        client did not match range option value instead of continuing to listen
        SOLVED: in this case, print warning instead of error to keep daemon
        active

        PROBLEM: tcp-listen with fork sometimes left excessive number of zombie
        processes
        SOLVED: don't assume that each exiting child process generates SIGCHLD

        when converting CRNL to CR, socat converted to NL


further corrections:
        configure script now disables features that depend on missing files
        making it more robust in "unsupported" environments

        server.pem permissions corrected to 600

        "make install" now does not strip; use "make strip; make install"
        if you like strip (suggested by Peter Bray)

####################### V 1.3.0.1:

solved problems and bugs:
        PROBLEM: OPENSSL did not apply tcp, ip, and socket options
        SOLVED: OPENSSL now correctly handles the
        options list

        PROBLEM: CRNL to NL and CRNL to CR conversions failed when CRNL crossed
        block boundary
        SOLVED: these conversions now simply strip all CR's or NL's from input
        stream


porting:
        SunOS ptys now work on x86, too (thanks to Peter Bray)

        configure looks for freeware libs in /pkgs/lib/ (thanks to Peter Bray)


further corrections:
        added WITH_PROXY value to -V output

        added compile dependencies of WITH_PTY and WITH_PROXY

        -?? did not print option group of proxy options

        corrected syntax for bind option in docu

        corrected an issue with stdio in unidirectional mode

        options socksport and proxyport support service names

        ftp.sh script supports proxy address

        man page no longer installed with execute permissions (thanks to Peter
        Bray)

        fixed a malloc call bug that could cause SIGSEGV or false "out of
        memory" errors on EXEC and SYSTEM, depending on program name length and
        libc.
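
Added example, not part of socat's source or of the original CHANGES text: the V 1.3.0.1 entry about CRNL pairs crossing a block boundary, run on a constructed 16-byte sample. All function names and the sample are assumptions; crnl_to_nl_pairwise models the failure mode generically, and crnl_to_nl_strip models the strip-all-CR approach the entry names.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed sample: two CRNL-terminated lines, 16 bytes. */
static const char SAMPLE[] = "HELO a\r\nMAIL b\r\n";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

typedef size_t (*conv_fn)(const char *in, size_t len, char *out);

/* Pairwise CRNL->NL: drops a CR only when its NL follows in the SAME block.
   Hypothetical model of the failure mode, not socat's code. */
size_t crnl_to_nl_pairwise(const char *in, size_t len, char *out) {
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\r' && i + 1 < len && in[i + 1] == '\n')
            continue;            /* skip the CR; the NL is copied next turn */
        out[o++] = in[i];
    }
    return o;
}

/* The approach the entry names: strip every CR, no state kept across blocks. */
size_t crnl_to_nl_strip(const char *in, size_t len, char *out) {
    size_t o = 0;
    for (size_t i = 0; i < len; i++)
        if (in[i] != '\r')
            out[o++] = in[i];
    return o;
}

/* Feed SAMPLE through conv in blocks of blk bytes (blk > 0), the way
   successive reads would deliver it, and count CR bytes left in the output. */
size_t stray_cr_after(conv_fn conv, size_t blk) {
    char out[sizeof(SAMPLE)];
    size_t total = 0, cr = 0;
    for (size_t off = 0; off < SAMPLE_LEN; off += blk) {
        size_t n = SAMPLE_LEN - off < blk ? SAMPLE_LEN - off : blk;
        total += conv(SAMPLE + off, n, out + total);
    }
    for (size_t i = 0; i < total; i++)
        cr += (out[i] == '\r');
    return cr;
}

int main(void) {
    printf("pairwise, 16-byte blocks: %zu stray CR\n",
           stray_cr_after(crnl_to_nl_pairwise, 16));
    printf("pairwise,  7-byte blocks: %zu stray CR\n",
           stray_cr_after(crnl_to_nl_pairwise, 7));
    printf("strip,     7-byte blocks: %zu stray CR\n",
           stray_cr_after(crnl_to_nl_strip, 7));
    return 0;
}
```

Stripping every CR needs no state between blocks, at the cost of also removing a CR that was never part of a CRNL pair.
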

####################### V 1.3.0.0:

new features:
        proxy connect with optional proxy authentication

        combined hex and text dump mode, credits to Gregory Margo

        address pty applies options user, group, and perm to device


solved problems and bugs:
        PROBLEM: option reuseport was not applied (BSD, AIX)
        SOLVED: option reuseport now in phase PASTSOCKET instead of PREBIND,
        credits to Jean-Baptiste Marchand

        PROBLEM: ignoreeof with stdio was ignored
        SOLVED: ignoreeof now works correctly with address stdio

        PROBLEM: ftp.sh did not use user supplied password
        SOLVED: ftp.sh now correctly passes password from command line

        PROBLEM: server.pem had expired
        SOLVED: new server.pem valid for ten years

        PROBLEM: socks notice printed wrong port on some platforms
        SOLVED: socks now uses correct byte-order for port number in notice


further corrections:
        option name o_trunc corrected to o-trunc

        combined use of -u and -U is now detected and prevented

        made message system a little more robust against format string attacks


####################### V 1.2.0.0:

new features:
        address pty for putting socat behind a new pseudo terminal that may
        fake a serial line, modem etc.

        experimental openssl integration
        (it does not provide any trust between the peers because it does not
        check certificates!)

        options flock-ex, flock-ex-nb, flock-sh, flock-sh-nb to control all
        locking mechanisms provided by flock()

        options setsid and setpgid now available with all address types

        option ctty (controlling terminal) now available for all TERMIOS
        addresses

        option truncate (a hybrid of open(.., O_TRUNC) and ftruncate()) is
        replaced by options o-trunc and ftruncate=offset

        option sourceport now available with TCP and UDP listen addresses to
        restrict incoming client connections

        unidirectional mode right-to-left (-U)


solved problems and bugs:
        PROBLEM: addresses without required parameters but an option containing
        a '/' were incorrectly interpreted as implicit GOPEN address
        SOLVED: if an address does not have ':' separator but contains '/',
        check if the slash is before the first ',' before assuming
        implicit GOPEN.


porting:
        ptys under SunOS work now due to use of stream options


further corrections:
        with -d -d -d -d -D, don't print debug info during file analysis


####################### V 1.1.0.1:

new features:
        .spec file for RPM generation


solved problems and bugs:
        PROBLEM: GOPEN on socket did not apply option unlink-late
        SOLUTION: GOPEN for socket now applies group NAMED, phase PASTOPEN
        options

        PROBLEM: with unidirectional mode, an unnecessary close timeout was
        applied
        SOLUTION: in unidirectional mode, terminate without wait time

        PROBLEM: using GOPEN on a unix domain socket failed for datagram
        sockets
        SOLUTION: when connect() fails with EPROTOTYPE, use a datagram socket


further corrections:

        open() flag options had names starting with "o_", now corrected to "o-"

        in docu, *-listen addresses were called *_listen

        address unix now called unix-connect because it does not handle unix
        datagram
        sockets

        in test.sh, apply global command line options with all tests


####################### V 1.1.0.0:

new features:
        regular man page and html doc - thanks to kromJx for prototype

        new address type "readline", utilizing GNU readline and history libs

        address option "history-file" for readline

        new option "dash" to "exec" address that allows starting login shells

        syslog facility can be set per command line option

        new address option "tcp-quickack", found in Linux 2.4

        option -g prevents option group checking

        filan and procan can print usage

        procan prints rlimit infos


solved problems and bugs:
        PROBLEM: raw IP socket SIGSEGV'ed when it had been shut down.
        SOLVED: set eof flag of channel on shutdown.

        PROBLEM: if channel 2 uses a single non-socket FD in bidirectional mode
        and has data available while channel 1 reaches EOF, the data is
        lost.
        SOLVED: during one loop run, first handle all data transfers and
        _afterwards_ handle EOF.

        PROBLEM: despite option NONBLOCK, the connect() call blocked
        SOLVED: option NONBLOCK is now applied in phase FD instead of LATE

        PROBLEM: UNLINK options issued error when file did not exist,
        terminating socat
        SOLVED: failure of unlink() is only warning if errno==ENOENT

        PROBLEM: TCP6-LISTEN required numeric port specification
        SOLVED: now uses common TCP service resolver

        PROBLEM: with PIPE, wrong FDs were shown for data transfer loop
        SOLVED: retrieval of FDs now pays respect to PIPE peculiarities

        PROBLEM: using address EXEC against an address with IGNOREEOF, socat
        never terminated
        SOLVED: corrected EOF handling of sigchld


porting:
        MacOS and old AIX versions now have pty

        flock() now available on Linux (configure check was wrong)

        named pipes were generated using mknod(), which requires root under BSD
        now they are generated using mkfifo


further corrections:
        lots of address options that were "forgotten" at runtime are now
        available

        option BINDTODEVICE now also called SO-BINDTODEVICE, IF

        "make install" now installs binaries with ownership 0:0


####################### V 1.0.4.2:

solved problems and bugs:
        PROBLEM: EOF of one stream caused close of other stream, giving it no
        chance to go down regularly
        SOLVED: EOF of one stream now causes shutdown of write part of other
        stream

        PROBLEM: sending mail via socks address to qmail showed that crlf
        option does not work
        SOLVED: socks address applies PH_LATE options

        PROBLEM: in debug mode, no info about socat and platform was issued
        SOLVED: print socat version and uname output in debug mode

        PROBLEM: invoking socat with -t and no following parameters caused
        SIGSEGV
        SOLVED: -t and -b now check next argv entry

        PROBLEM: when opening of logfile (-lf) failed, no
        error was reported
        and no further messages were printed
        SOLVED: check result of fopen and print error message if it failed

new features:
        address type UDP-LISTEN now supports option fork: it internally applies
        socket option SO_REUSEADDR so a new UDP socket can bind to port after
        `accepting´ a connection (child processes might live forever though)
        (suggestion from Damjan Lango)


####################### V 1.0.4.1:

solved problems and bugs:
        PROB: assert in libc caused an endless recursion
        SOLVED: no longer catch SIGABRT

        PROB: socat printed wrong verbose prefix for "right to left" packets
        SOLVED: new parameter for xiotransfer() passes correct prefix

new features:
        in debug mode, socat prints its command line arguments
        in verbose mode, escape special characters and replace unprintables
        with '.'. Patch from Adrian Thurston.


####################### V 1.0.4.0:

solved problems and bugs:
        Debug output for lstat and fstat said "stat"

further corrections:
        FreeBSD now includes libutil.h

new features:
        option setsid with exec/pty
        option setpgid with exec/pty
        option ctty with exec/pty
        TCP V6 connect test
        gettimeofday in sycls.c (no use yet)

porting:
        before Gethostbyname, invoke inet_aton for MacOSX


####################### V 1.0.3.0:

solved problems and bugs:

        PROB: test 9 of test.sh (echo via file) failed on some platforms,
        socat exited without error message
        SOLVED: _xioopen_named_early(): preset statbuf.st_mode with 0

        PROB: test 17 hung forever
        REASON: child death before select loop did not result in EOF
        SOLVED: check of existence of children before starting select loop

        PROB: test 17 failed
        REASON: child death triggered EOF before last data was read
        SOLVED: after child death, read last data before setting
        EOF

        PROB: filan showed that exec processes incorrectly had fd3 open
        REASON: inherited open fd3 from main process
        SOLVED: set CLOEXEC flag on pty fd in main process

        PROB: help printed "undef" instead of group "FORK"
        SOLVED: added "FORK" to group name array

        PROB: fatal messages did not include severity classifier
        SOLVED: added "F" to severity classifier array

        PROB: IP6 addresses were printed incorrectly
        SOLVED: removed type casts to unsigned short *

further corrections:
        socat catches illegal -l modes
        corrected error message on setsockopt(linger)
        option tabdly is of type uint
        correction for UDP over IP6
        more cpp conditionals, esp. for IP6 situations
        better handling of group NAMED options with listening UNIX sockets
        applyopts2 now includes last given phase
        corrected option group handling for most address types
        introduce dropping of unappliable options (dropopts, dropopts2)
        gopen now accepts socket and unix-socket options
        exec and system now accept all socket and termios options
        child process for exec and system addresses with option pty
        improved descriptions and options for EXAMPLES
        printf format for file mode changed to "0%03o" with length spec.
        added va_end() in branch of msg()
        changed phase of lock options from PASTOPEN to FD
        support up to four early dying processes

structural changes:
        xiosysincludes now includes sysincludes.h for non xio files

new features:
        option umask
        CHANGES file
        TYPE_DOUBLE, u_double
        OFUNC_OFFSET
        added getsid(), setsid(), send() to sycls
        procan prints sid (session id)
        mail.sh gets -f (from) option
        new EXAMPLEs for file creation
        gatherinfo.sh now tells about failures
        test.sh can check for much more address/option combinations

porting:
        ispeed, ospeed for termios on FreeBSD
        getpgid() conditional for MacOS 10
        added ranlib in Makefile.in for MacOS 10
        disable pty option if no pty mechanism is available (MacOS 10)
        now compiles and runs on MacOS 10 (still some tests fail)
        setgroups() conditional for cygwin
        sighandler_t defined conditionally
        use gcc option -D_GNU_SOURCE