2020-02-23 11:37:19 +00:00
2023-06-17 06:44:02 +00:00
Security:
Socat's OpenSSL addresses do not (and never did) check certificate
revocation lists (CRLs). Socat now prints a warning about this.
2023-09-30 07:26:13 +00:00
Features:
Added the --experimental option that enables use of features that might
change in the future.
2023-06-14 09:14:46 +00:00
Now warning messages are printed by default. If you want to see only
errors and fatals as in previous versions, use option -d0;
option -d4 is equivalent to -dddd and to -d -d -d -d.
The number of warnings has been reduced, e.g. removing a non-existing
file does in most cases no longer log a warning.
2023-06-17 13:31:26 +00:00
New option -S <mask> controls catching and logging of signals that are
not internally used by Socat.
Tests: SIGTERM_NOLOG SIG31_LOG
2023-06-24 08:40:07 +00:00
Added option ipv6-join-source-group.
Thanks to Martin Buck and David Schweizer for sending patches.
2023-06-17 19:30:37 +00:00
Added option http-version to PROXY-CONNECT address to support servers
that are not able to handle HTTP version 1.0
Test: PROXY_HTTPVERSION
Feature inspired by Robin Palotai.
2023-10-26 14:43:20 +00:00
New options openssl-maxfraglen and openssl-maxsendfrag for
functions/macros SSL_CTX_set_tlsext_max_fragment_length() and
SSL_CTX_set_max_send_fragment().
Thanks to James Tavares for his contribution.

Added Info log of resulting OpenSSL max fragment length.
2023-10-26 14:48:37 +00:00
Implemented options rcvtimeo and sndtimeo, the first of which may be
useful to prevent endlessly hanging DTLS connection establishment.
Test: RCVTIMEO_DTLS
Feature proposed by Vladimir Nikishkin.
2023-10-26 14:57:39 +00:00
The file names with -r and -R now may contain environment variable
references.
Test: VARS_IN_SNIFFPATH
2023-10-26 16:42:41 +00:00
Socat option --statistics logs final byte and packet counter values
before exit. Signal USR1 logs actual values.
Tests: OPTION_STATISTICS SIGUSR1_STATISTICS
2023-10-26 16:43:40 +00:00
Added option sitout-eio to specify a time range in which EIO on the pty
of a sub process is tolerated.
Red Hat issue 1853102 related.
Thanks to Jonathan Casiot for sending an initial patch.
2023-10-26 16:44:10 +00:00
Socat now installs as socat1 and is referenced by symbolic link socat,
same with man page (socat1.1 by socat.1)
2023-10-26 16:50:29 +00:00
New option children-shutup[=1|2...] decreases severity of log
messages in LISTEN and CONNECT type sub processes.
Test: CHILDREN_SHUTUP
2023-09-30 13:18:39 +00:00
New option retrieve-vlan for supporting VLANs in INTERFACE addresses:
Linux normally keeps VLAN tags in outgoing raw packets, but appears to
strip them from incoming packets and makes them available in
PACKET_AUXDATA ancillary messages only.
Up to version 1.7.4.5 Socat did not handle this situation, so the VLAN
tags were effectively stripped off incoming packets.
With this option Socat restores the VLAN tag.
Feature inspired by Zhao Dong.
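The tag restoration described in the retrieve-vlan entry above, as an added example that is not Socat's code: given a received frame whose 802.1Q tag was stripped and the VLAN fields reported in a PACKET_AUXDATA message, it re-inserts the tag after the two MAC addresses. The `ex_` names and the `ex_vlan_aux` struct are hypothetical; the two status bit values mirror those defined for `struct tpacket_auxdata` in Linux's `<linux/if_packet.h>`, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status bits as defined for struct tpacket_auxdata in Linux's
   <linux/if_packet.h>, redefined under EX_ names so this builds anywhere. */
#define EX_TP_STATUS_VLAN_VALID      (1u << 4)
#define EX_TP_STATUS_VLAN_TPID_VALID (1u << 6)

#define EX_ETH_ADDRS_LEN 12      /* destination MAC + source MAC */
#define EX_ETH_HDR_LEN   14      /* addresses + EtherType */
#define EX_VLAN_TAG_LEN   4      /* TPID (2 bytes) + TCI (2 bytes) */
#define EX_TPID_8021Q    0x8100u

/* Hypothetical struct: the tpacket_auxdata fields that matter here. */
struct ex_vlan_aux {
    uint32_t status;
    uint16_t vlan_tci;           /* priority (3 bits), DEI (1), VLAN ID (12) */
    uint16_t vlan_tpid;
};

/* Re-insert the stripped VLAN tag into frame[0..len), which has room for
   cap bytes. Returns the new length, len unchanged if the auxdata reports
   no VLAN, or -1 on a runt frame or insufficient room. */
long ex_restore_vlan_tag(unsigned char *frame, size_t len, size_t cap,
                         const struct ex_vlan_aux *aux)
{
    uint16_t tpid;

    if (frame == NULL || aux == NULL || len > cap)
        return -1;
    if (!(aux->status & EX_TP_STATUS_VLAN_VALID))
        return (long)len;        /* untagged frame: nothing to restore */
    if (len < EX_ETH_HDR_LEN || cap - len < EX_VLAN_TAG_LEN)
        return -1;

    /* Without a reported TPID, fall back to the plain 802.1Q value. */
    tpid = (aux->status & EX_TP_STATUS_VLAN_TPID_VALID)
               ? aux->vlan_tpid : (uint16_t)EX_TPID_8021Q;

    /* Shift EtherType and payload by four bytes, then write the tag. */
    memmove(frame + EX_ETH_ADDRS_LEN + EX_VLAN_TAG_LEN,
            frame + EX_ETH_ADDRS_LEN, len - EX_ETH_ADDRS_LEN);
    frame[12] = (unsigned char)(tpid >> 8);
    frame[13] = (unsigned char)(tpid & 0xff);
    frame[14] = (unsigned char)(aux->vlan_tci >> 8);
    frame[15] = (unsigned char)(aux->vlan_tci & 0xff);
    return (long)(len + EX_VLAN_TAG_LEN);
}

/* VLAN ID of an 802.1Q-tagged frame, or -1 if the frame carries no tag.
   This is what a consumer of the forwarded traffic would see. */
int ex_vlan_id(const unsigned char *frame, size_t len)
{
    if (len < EX_ETH_HDR_LEN + EX_VLAN_TAG_LEN)
        return -1;
    if (frame[12] != 0x81 || frame[13] != 0x00)
        return -1;
    return ((frame[14] & 0x0f) << 8) | frame[15];
}

int main(void)
{
    /* Constructed sample: broadcast frame, EtherType 0x0800, 4 payload
       bytes, as delivered by the kernel with the tag already stripped. */
    unsigned char frame[64] = {
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
        0x08, 0x00, 0xde, 0xad, 0xbe, 0xef
    };
    /* Constructed auxdata: priority 1, VLAN ID 100, TPID 0x8100. */
    struct ex_vlan_aux aux = {
        EX_TP_STATUS_VLAN_VALID | EX_TP_STATUS_VLAN_TPID_VALID,
        0x2064, 0x8100
    };
    long n;

    printf("before: vlan id %d\n", ex_vlan_id(frame, 18));
    n = ex_restore_vlan_tag(frame, 18, sizeof(frame), &aux);
    printf("after:  length %ld, vlan id %d\n", n,
           n > 0 ? ex_vlan_id(frame, (size_t)n) : -1);
    return 0;
}
```
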
2023-10-26 17:45:01 +00:00
Socket option SO_REUSEADDR is now automatically applied to TCP LISTEN
addresses. reuseaddr= restores the old behaviour.
Tests: TCP4_REUSEADDR OPENSSL_6_REUSEADDR REUSEADDR_NULL
2023-10-22 21:15:49 +00:00
TCP based client addresses now try all results of name resolution until
a connection attempt succeeds.
Tests: TRY_ADDRS_4 TRY_ADDRS_4_6
Feature recommended by Anand Buddhdev.
2023-06-15 10:53:32 +00:00
Corrections:
When a sub process (EXEC, SYSTEM) terminated with exit code other than
0, its last sent data might have been lost depending on timing of read/
write and SIGCHLD in Socat.
Now the SIGCHLD handler does not simply terminate Socat in this case,
but remembers the failure and allows further processing.
Thanks to Luke Jones for reporting this issue.
2023-10-26 12:52:53 +00:00
Now catching the case of empty SNI host to prevent OpenSSL error.
This is related to Red Hat issue 2081414.
2023-10-26 12:56:50 +00:00
Better formatted help output; address keywords in help output are now
printed in uppercase.
2023-06-18 13:58:24 +00:00
In previous Socat versions errors EPIPE and ECONNRESET on read() were
handled at warning level, thus not automatically leading to termination
with exit code 1. Beginning with this release these conditions are
handled as errors with termination and exit code 1 to not pretend
success on possible data loss.
Problem reported by Scott Burkett.

In previous Socat versions errors on shutdown() were ignored (info
level).
2023-10-26 16:50:29 +00:00
Now Socat handles EPIPE and ECONNRESET as errors to indicate possible
2023-06-18 13:58:24 +00:00
failure of data transfer.
2023-10-26 17:08:26 +00:00
INTERFACE addresses did not accept options of INTERFACE group (for
historical reasons they were only available with TUN addresses).
2023-06-14 09:41:44 +00:00
Coding:
2023-10-26 12:56:50 +00:00
Introduced groups_t instead of uint32_t, for more flexibility.
2023-06-14 09:41:44 +00:00
2023-09-30 08:16:01 +00:00
Rearranged option group bits to only require 32 bits on older systems.
2023-06-24 06:24:29 +00:00
Make gcc happy, replace strncat with "manual" copying
2023-06-23 20:48:26 +00:00
On addresses like UDP-RECVFROM with fork option every packet causes a
new child process which then reads the packet. The parent process must
wait until the packet has been read before checking again. The former
synchronization mechanism using SIGUSR1 is now replaced by a
socketpair. SIGUSR1 is no longer used for internal synchronization.
Tests: UDP4_FORK UDP6_FORK UNIX_FORK
2023-06-23 14:21:05 +00:00
Renamed xioopts_t to xioparms_t to avoid confusion with xioopts module.
2023-06-24 08:21:44 +00:00
Moved multicast related code from xioopts.c to xio-ip.c and xio-ip6.c
2023-06-23 18:03:29 +00:00
Porting:
Removed Config/ because its contents have not been maintained for many
years.
2023-10-26 17:12:38 +00:00
Try to not receive outgoing packets on raw (PF_PACKET) sockets - use
PACKET_IGNORE_OUTGOING socket options when available.
Test: INTERFACE_IGNOREOUTGOING
2023-06-23 18:02:24 +00:00
Testing:
Removed obsolete parts from test.sh

Documentation:
Removed obsolete file doc/xio.help
2023-04-24 20:59:33 +00:00
Added doc for option ipv6-join-group (ipv6-add-membership)
Thanks to Martin Buck for sending the patch.
2023-10-26 17:12:38 +00:00
Renamed xiogetpacketsrc() to xiogetancillary()
2023-09-30 07:26:13 +00:00
####################### V 1.7.4.5 (not released):
2023-06-13 14:19:52 +00:00
2023-01-03 23:54:33 +00:00
Corrections:
On connect() failure and in some other situations Socat tries to get
detailed information about the error with recvmsg(). Error return of
this function is now logged as Info instead of Warn.
2022-12-01 18:49:46 +00:00
Tests of the correction of the "IP_ADD_SOURCE_MEMBERSHIP but not struct
ip_mreq_source" issue left an #undef in xiosysincludes.h that disabled
the ip-add-source-membership option.
Thanks to Benjamin Poirier for sending a patch.
2023-06-11 20:47:22 +00:00
Fixed a bug in dalan module that caused SIGSEGV in, e.g.,
SOCKET-LISTEN:1:1:'"/tmp/sock"'
Test: DALAN_NO_SIGSEGV
2022-12-30 10:59:46 +00:00
The retry option with some address types (TCP) did not close() the
sockets after failed attempts, resulting in an FD leak.
2023-06-12 06:04:43 +00:00
Filan: Corrected some syntax error messages
2023-06-12 06:37:49 +00:00
Filan: Fixed a bug introduced in 1.7.4.4 that broke displaying
2023-06-12 06:04:43 +00:00
TCP/UDP on options -s, -S
Test: FILAN_SHORT_TCP

Filan: If IP protocol type cannot be retrieved, display at least the
socket type
2023-01-15 14:50:19 +00:00
Filan: Fixed diag_set() call in filan_main.c, bug popped up with C23.
Thanks to Cristian Rodríguez from openSUSE for reporting this issue.
2023-06-12 06:37:49 +00:00
Querying the vsock Context Identifier (CID) requires an FD from opening
/dev/vsock.
Thanks to Volker Simonis for sending a patch.
2023-06-12 10:21:09 +00:00
Fixed an internal FD leak in the EXEC,SYSTEM addresses.
2023-06-12 10:23:37 +00:00
The FDs of the socketpair that queues messages from signal handlers
lacked FD_CLOEXEC and thus leaked into EXEC and SYSTEM child processes.
2023-06-12 10:25:54 +00:00
Option stderr on addresses EXEC and SYSTEM uses a temporary FD. It
lacked the FD_CLOEXEC setting and thus leaked into child processes.
2023-02-25 14:40:09 +00:00
Restoring of STDIO tty settings failed on Solaris type operating
systems.
Thanks to Gordon W. Ross for reporting and fixing this issue.
Test: RESTORE_TTY
2023-06-12 17:23:09 +00:00
The OpenSSL client SNI parameter, when not explicitly specified, is
derived from option commonname or from target server name. This is not
useful with IP addresses, which Socat now checks and avoids.
2023-01-16 00:36:37 +00:00
Socat options -L and -W create lock files using mkstemp(), so they had
permissions 600. There does not seem to be a good reason for this
restrictive mode. Furthermore Silla Rizzoli experienced that Minicom
ignores lock files with mode 600, so it is set to 644 now.
2023-01-26 09:06:01 +00:00
Procan tries to find out VSOCK CID only when running as root
2023-05-08 20:33:12 +00:00
The mechanism for deferring logs from signal handlers had an issue that
caused lots of unwanted recvfrom() calls.
2023-06-12 19:29:45 +00:00
Do not try to remove abstract UNIX socket entries after use.
2023-06-12 06:37:49 +00:00
Features:
VSOCK, VSOCK-L support options pf, socktype, prototype (currently
useless)
2023-06-11 20:04:25 +00:00
Coding:
New environment variable SOCAT_TRANSFER_WAIT that makes Socat sleep before
starting the data transfer loop. Useful, e.g., to accumulate multiple
packets in a receiving datagram socket before starting to process them.
2023-06-12 10:28:48 +00:00
"//" comments were used for disabling experimental code. These lines
have now been removed or disabled in other ways to make Socat compile
with C89/C90 standard again.
2023-06-12 18:56:16 +00:00
fcntl() trace prints flags now in hexadecimal.
2023-06-10 09:09:01 +00:00
Stream dump options -r and -R now open their paths with CLOEXEC to
prevent leaking into sub processes.
Test: EXEC_SNIFF

Stream dump writes now warn on write errors and partial writes (but
still do not recover).
2023-06-12 21:01:54 +00:00
Removed trailing white space from *.h and *.c files.
2022-12-25 18:29:14 +00:00
Porting:
Small correction in configure.ac makes Socat C99 able.
2023-06-12 18:56:16 +00:00
Thanks to Florian Weimer from Red Hat for providing a patch.

Documentation:
Syntax and semantics of some options (esp. unlink-close) were not clear.
Thanks to Anthony Chavez for reporting this and making suggestions.
2022-12-25 18:29:14 +00:00
2023-06-12 18:51:16 +00:00
socat-tun.html described TCP as tunnel medium but this does not keep
packet boundaries. Changed to UDP.
2023-06-12 18:53:31 +00:00
Added examples for DCCP client and server.
2023-04-02 18:55:22 +00:00
Complex Socat examples are now displayed in two or three lines for
better overview.
dest-unreach.css stylesheet has been improved to support this.
2023-06-11 20:27:12 +00:00
Testing:
Idea: EXEC,SYSTEM addresses can keep packet boundaries when option
socktype=<val-of-SOCK_DGRAM>
Tests: EXECSOCKETPAIRPACKETS SYSTEMSOCKETPAIRPACKETS
2023-04-02 16:43:22 +00:00
Cosmetic corrections of EXEC,SYSTEM tests.

test.sh: Added option --expect-fail to specify comma separated list of
test numbers whose failure shall not cause a failure of the whole
script.

test.sh: Added help text
2023-03-24 18:44:00 +00:00
Speeded up wait loops; more addresses in upper case; more tests with
command printing ($VERBOSE)
2023-03-24 18:45:37 +00:00
test.sh: Check if ports are free before using them for tests
2023-04-02 18:14:00 +00:00
Test EXEC_FDS checks with Filan if EXEC address only passes stdio FDs.
2023-05-31 06:39:12 +00:00
Improved template; prepared namesFAIL, -d (DEBUG)
2022-10-30 14:58:30 +00:00
####################### V 1.7.4.4:
2022-07-09 13:50:18 +00:00
Corrections:
In error.c msg2() there was a stack overflow on long messages: The
terminating \0 Byte was written behind the last position.
Thanks to Martin Liška for sending the address sanitizer report.
2022-08-13 10:04:38 +00:00
UDP-RECVFROM with fork sometimes terminated when multiple packets
arrived. This issue was introduced with a bug fix in version 1.7.4.0.
Reason was not handling EAGAIN on recvmsg().
Thanks to Jamie McQuillan for reporting this issue.
2022-04-26 18:53:35 +00:00
Address TCP with options connect-timeout and retry terminated
immediately when a connection attempt failed on network error or
connection refused.
Test: TCP_TIMEOUT_RETRY
Thanks to Kamil Holubicki for reporting this issue.
2022-03-25 10:00:00 +00:00
There were a couple of weaknesses and errors when accessing invalid or
incompatible file system entries with UNIX domain, file, and generic
addresses.
For example, UNIX-CONNECT, when using a non matching socktype, failed
with -1 and did not print an error message, instead of printing an
error message and exiting with rc=1.
Thanks to Paul Wise for reporting and analyzing the case of accessing
a left over socket entry with GOPEN.
2022-08-13 15:41:12 +00:00
The rawer option failed because it tried to clear CREAD.
Test: RAWER
2022-07-27 07:17:04 +00:00
UDP-SEND and UDP-SENDTO with option lowport always bound to port 1
instead of a free port in range 640..1023
Test: UDP_LOWPORT
2022-04-15 09:23:47 +00:00
Fixed bad parser error message on "socat /tmp/x\"x/x -"
2022-08-12 11:19:03 +00:00
Tightened syntax checks to detect numerical arguments that are missing
or have trailing garbage.
Test: INTEGER_GARBAGE
2022-04-08 08:54:00 +00:00
ctype(3) functions need their arguments to be unsigned char.
Thanks to Taylor R Campbell for sending a patch.
2022-08-12 10:33:32 +00:00
Filan library uses Socat's diag/error message system and therefore had
always the signal handler messages socket pair open. This fix avoids
this socketpair in standalone Filan.
2022-10-30 14:50:44 +00:00
Corrected printf format for type socklen_t in two places.
2022-07-09 13:29:26 +00:00
Porting:
OpenSSL, at least 1.1 on Ubuntu, crashed with SIGSEGV under certain
conditions: client connection to server with certificate with empty
subject, and pressing ^C after successful connect.
This crash is now prevented by setting OPENSSL_INIT_NO_ATEXIT.
Thanks to Martin Dorey for reporting and analyzing this issue, and for
providing an environment for reproduction.
2022-09-15 08:09:05 +00:00
Socat failed to compile on platforms that have
IP_ADD_SOURCE_MEMBERSHIP but not struct ip_mreq_source
Thanks to Justin Yackoski for sending a patch.
2022-08-13 14:53:11 +00:00
configure.ac's detection of getprotobynumber_r() variant did not
recognize if this function does not exist, e.g. on Musl libc.
Thanks to Alexander Kanavin and Baruch Siach for sending patches.
2022-08-12 08:54:25 +00:00
Corrected message format when no strftime() is available; improved
handling of very long host or program names
2022-10-29 20:32:14 +00:00
Solaris requires that termios options are always applied to the slave
side of PTY.
2022-09-26 19:56:21 +00:00
Fixed ancillary messages on Solaris.
2022-10-29 20:35:10 +00:00
Filan: Solaris has the open file path infos in /proc/<pid>/path/
Thanks to Andy Fiddaman for directing me to the patch.
2022-10-29 20:41:54 +00:00
Filan now recognizes and prints Solaris doors and event ports.

Solaris derivatives no longer need librt for clock_gettime()
Thanks to Andy Fiddaman for directing me to the patch.
2023-04-02 14:40:32 +00:00
LibreSSL does not have OPENSSL_INIT_new(). This function is now
guarded. Socat might build with LibreSSL.
Thanks to Orbea for reporting and helping.
2022-09-15 09:01:32 +00:00
Building:
Failure during building documentation, e.g. due to missing Yodl
packages, now does not let the build process fail.
Feature requested by Seyhun.
2022-06-05 08:55:45 +00:00
Features:
Filan prints target of symlink when appropriate
Test: FILANSYMLINK
2022-10-30 10:25:19 +00:00
VSOCK-LISTEN now generates environment variables SOCAT_PEERADDR,
SOCAT_PEERPORT, SOCAT_SOCKADDR, SOCAT_SOCKPORT
New address aliases VSOCK, VSOCK-L
2022-10-06 17:39:42 +00:00
Documentation:
Fixed typo in doc/socat-tun.html and link in README.
Thanks to William Suthers for reporting.
2022-10-11 10:53:15 +00:00
Fixed hard coded path in docu examples.
Thanks to Jakub Wilk for sending a patch.
2022-10-24 18:36:28 +00:00
Updated doc/socat-openssltunnel.html: 2048 bits, commonname
2022-10-19 18:56:27 +00:00
Testing:
Unset SOCAT_MAIN_WAIT on informational Socat calls

SOCAT=socat used ./socat instead of the version derived by $PATH

Do not try VSOCK_ECHO test when feature is not compiled in.

Fixed logging of test 220 TUNINTERFACE
2022-10-29 10:01:47 +00:00
Musl libc refuses to execve() shell scripts, 2 tests needed to be
adapted.

Musl libc has FOPEN_MAX=1000 which made bash dump core on test
EXCEED_FOPEN_MAX.
2022-03-25 08:55:42 +00:00
Added tests for failures of UNIX socket and GOPEN accesses to non
matching file system entries.
Tests:
CONNECT_TO_MISSING CONNECT_TO_DENIED CONNECT_TO_DIRECTORY
CONNECT_TO_ORPHANED CONNECT_TO_FILE CONNECT_TO_DGRAM
CONNECT_TO_SEQPACKET SEND_TO_MISSING SEND_TO_DENIED SEND_TO_DIRECTORY
SEND_TO_ORPHANED SEND_TO_FILE SEND_TO_STREAM SEND_TO_SEQPACKET
SENDTO_TO_MISSING SENDTO_TO_DENIED SENDTO_TO_DIRECTORY
SENDTO_TO_ORPHANED SENDTO_TO_FILE SENDTO_TO_STREAM SENDTO_TO_SEQPACKET
SEQPACKET_TO_MISSING SEQPACKET_TO_DENIED SEQPACKET_TO_DIRECTORY
SEQPACKET_TO_ORPHANED SEQPACKET_TO_FILE SEQPACKET_TO_STREAM
SEQPACKET_TO_DGRAM UNIX_TO_MISSING UNIX_TO_DENIED UNIX_TO_DIRECTORY
UNIX_TO_FILE UNIX_TO_ORPHANED GOPEN_TO_DENIED GOPEN_TO_DIRECTORY
GOPEN_TO_ORPHANED
2022-10-30 14:50:44 +00:00
On RHEL-9 SCTP support requires installation of package
kernel-modules-extra. test.sh now detects when SCTP is missing in
kernel and reacts with warnings instead of errors.
2022-10-29 18:24:09 +00:00
2022-10-30 10:25:19 +00:00
VSOCK loopback still does not seem to work even in kernel 5.13, so just
issue warning on "No such device".
2022-01-08 22:41:48 +00:00
####################### V 1.7.4.3:
2021-11-08 19:57:00 +00:00
Corrections:
2021-11-27 14:04:08 +00:00
Socat crashed with SIGSEGV when peer presented a certificate without
(or empty?) subject.
Thanks to Martin Dorey for reporting this issue and sending a patch.
2021-11-08 19:57:00 +00:00
Socat 1.7.4.2 did not compile on OmniOS (and probably other OpenSolaris
distributions)
2021-11-21 10:15:08 +00:00
Thanks to Andy Fiddaman for sending a patch.

Socat since 1.7.4.0 did not compile on Solaris and its derivatives
because the getprotobynumber_r() function prototype differs from the
2021-11-08 21:07:48 +00:00
Linux version.
2021-11-21 10:15:08 +00:00
configure now checks for the variant.
Thanks to Robert Zybeck for reporting this issue.
2021-11-08 19:57:00 +00:00
2021-11-15 07:45:59 +00:00
The variable for the no-sni option was not initialized and could thus
break OpenSSL certificate verification. E.g., test OPENSSL_SNI on some
platform succeeded with -g but failed with -O compiler option.
Thanks to valgrind for quickly finding the cause.
2022-01-02 12:08:29 +00:00
Porting:
Again porting Socat to AIX (7.1) - Fixed configure and compile issues:
Adapted include requirements for IPv6
Guarded MSG_DONTWAIT
2022-01-02 20:34:10 +00:00
Continued porting Socat to AIX-7.1 - Fixed some runtime errors:
UNIX domain sockets of type SEQPACKET are not available.
Connecting to UNIX datagram socket fails with EPROTONOSUPPORT (vs.
EPROTOTYPE on most other OSes).
Streams: Must not push ldterm when it is already active (hangs).
2021-11-08 21:07:48 +00:00
Building:
Socat's build date and time may now be set externally with environment
variable SOURCE_DATE_EPOCH.
Thanks to Viktor Kleinik for sending a patch.
2022-01-08 20:27:56 +00:00
Building Socat in a sub directory failed.
Now the following works even for the docu parts:
mkdir -p myos; cd myos; ../configure && make; cd ..
Thanks to Jon Ringle for sending a patch.
2022-01-06 16:13:27 +00:00
Testing:
test.sh: many corrections for AIX's older shell utilities, e.g. sleep(1)
does not allow fractions of seconds, grep does not understand '\<';
OpenIndiana/SunOS netstat format;
many more functional and cosmetic code corrections.
2021-11-08 21:07:48 +00:00
2021-12-26 09:04:13 +00:00
Documentation:
The socktype option was documented unspecifically as type option.
Thanks to Jonas Metzger for the hint.
2021-10-31 18:06:39 +00:00
####################### V 1.7.4.2:
2021-10-31 09:25:33 +00:00
Corrections:
2021-10-24 11:25:36 +00:00
The per address parameters for OpenSSL overlapped in memory with socket
parameters. Magically this did not seem to cause problems except on
MacOS Catalina that reported errors like:
socat[3458] E Select(7, &0x80, NULL, NULL, {140392884396544.000000}):
Invalid argument
Test: OPENSSL_PARA_OVERLAP
Thanks to Ryo Ota for reporting this bug.
2021-10-31 09:25:33 +00:00
Fixed a few minor coding issues
2021-10-24 14:38:34 +00:00
A VSOCK warning message was generated with all listening addresses
instead of only with VSOCK-LISTEN
2021-10-26 17:26:18 +00:00
When an OPENSSL-CONNECT client presented a certificate with IPv6
subject alternate name and the OPENSSL-LISTEN server had no commonname
option, the server crashed with SIGSEGV in xioip6_pton().
Test: OPENSSL_CLIENT_IP6_CN
Red Hat bug 1981308
Thanks to Vlad Slepukhin for reporting this issue and providing a patch
2021-10-26 20:06:46 +00:00
Corrected a typo in configure.ac that broke option --enable-openssl-base
Thanks to john1doe for reporting this issue.
2021-10-26 11:34:38 +00:00
Socat looped endlessly, not responding to SIGTERM, when a service name
(for port) could not be resolved.
Test: BAD_SERVICE
2021-10-31 10:39:47 +00:00
Using options of NAMED group, e.g. chown, with abstract UNIX domain
sockets, produced errors because the function was applied with a normal
file system related call, e.g. chown(), using file "" (empty name). Instead of
chown(), Socat now uses fchown() on the file descriptor. However, such
a call usually has no real effect.
Test: ABSTRACT_USER
Thanks to Andreas Fink for reporting this issue.
2021-10-26 16:41:55 +00:00
Option -R did not only dump ("sniff") right-to-left, but also
left-to-right traffic to the given file.
Test: SNIFF_RIGHT_TO_LEFT
Thanks to 1314 gsf for reporting this bug and sending a patch.
2021-10-30 16:10:27 +00:00
Options -r and -R, when opening a named pipe that has no actual reader,
failed with "No such device or address". To solve this problem, Socat
now opens the pipe in rw mode.
Thanks to Cody J. Soultz for sending a patch.
2021-10-26 18:41:08 +00:00
The call "socat -r - PIPE" traced to file ./- instead of issuing a
syntax error.
2021-10-31 10:07:40 +00:00
Print a message when readbytes option causes EOF
2021-10-28 19:21:07 +00:00
The ip-recverr option had no effect. Corrected and improved its
handling of ancillary messages, so it is able to analyze ICMP error
packets (Linux only?)
2021-10-31 17:41:25 +00:00
Setgid(), Setuid() calls in xio-progcall.c were useless.
2021-10-30 07:34:34 +00:00
Testing:
Prevent the TIMESTAMP tests from sporadically failing due to seconds
overflow
2021-10-24 13:37:48 +00:00
Fixed in test.sh a few issues reported by shellcheck
2021-10-28 20:10:49 +00:00
Documentation:
Added missing docu of OpenSSL options min-proto-version,
max-proto-version.
2021-10-23 18:15:33 +00:00
Added missing closing parenthesis in socat.yo.
Thanks to Emanuele Torre for reporting this issue.
2021-10-24 07:39:35 +00:00
Corrected more typos and added missing bug info to CHANGES, performed
2021-10-31 12:04:12 +00:00
some non functional corrections.

Porting:
Corrected building when clock_gettime() not available, with or without
gettimeofday().
2021-10-24 07:39:35 +00:00
2021-01-10 12:45:27 +00:00
####################### V 1.7.4.1:
2021-01-08 14:21:32 +00:00
Corrections:
Socat 1.7.4.0 failed to compile especially on 32 bit systems.
Thanks to Wang Mingyu and others for sending a patch or reporting this
issue.
2021-01-10 12:32:27 +00:00
Under certain conditions OpenSSL stream connections, in particular bulk
data transfer in unidirectional mode, failed during transfer or near
its end with "Connection reset by peer" on receiver side.
This happened with Socat versions 1.7.3.3 to 1.7.4.0. Reasons were
lazy SSL shutdown handling on the sender side in combination with
SSL_MODE_AUTO_RETRY turned off.
Fix: After SSL_shutdown but before socket shutdown call SSL_read()
Test: OPENSSL_STREAM_TO_SERVER
Fixes Red Hat issue 1870279.
2021-01-03 21:46:40 +00:00
####################### V 1.7.4.0:
2020-10-13 18:08:04 +00:00
Security:
Buffer size option (-b) is internally doubled for CR-CRLF conversion,
but not checked for integer overflow. This could lead to heap based
buffer overflow, assuming the attacker could provide this parameter.
Test: BLKSIZE_INT_OVERFL
Thanks to Lê Hiếu Bùi for reporting this issue and sending an
example exploit.
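The bug class named in the Security entry above, as an added example that is not Socat's code: a size taken from the command line is doubled to leave room for CR to CRLF expansion, and the doubling is range-checked before the allocation so it cannot wrap around. All `ex_` function names are hypothetical, and the input strings are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked doubling, kept only to make the wrap-around visible: for
   n > SIZE_MAX/2 the product is reduced modulo SIZE_MAX+1, so the result
   is smaller than n although the caller expects room for 2*n bytes. */
size_t ex_double_unchecked(size_t n)
{
    return n * 2;
}

/* Checked doubling: refuse sizes whose double is not representable. */
int ex_double_checked(size_t n, size_t *out)
{
    if (n == 0 || n > SIZE_MAX / 2)
        return -1;
    *out = n * 2;
    return 0;
}

/* Parse a block size argument; reject empty input, signs, trailing
   garbage and values that do not fit in size_t. */
int ex_parse_size(const char *arg, size_t *out)
{
    char *end;
    unsigned long long v;

    if (arg == NULL || *arg == '\0' || strchr(arg, '-') != NULL)
        return -1;
    errno = 0;
    v = strtoull(arg, &end, 0);
    if (errno != 0 || end == arg || *end != '\0' || v > SIZE_MAX)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Allocate a transfer buffer of twice the requested block size, or return
   NULL if the argument is invalid or the doubled size would overflow. */
unsigned char *ex_alloc_transfer_buffer(const char *arg, size_t *blocksize,
                                        size_t *allocsize)
{
    size_t n, doubled;

    if (ex_parse_size(arg, &n) != 0 || ex_double_checked(n, &doubled) != 0)
        return NULL;
    *blocksize = n;
    *allocsize = doubled;
    return malloc(doubled);
}

/* Expand CR to CR LF. Worst case (all bytes CR) needs exactly 2*n output
   bytes, which is why the buffer is doubled. Returns the bytes written,
   or (size_t)-1 if dst is too small; it never writes past dstcap. */
size_t ex_cr_to_crlf(const unsigned char *src, size_t n,
                     unsigned char *dst, size_t dstcap)
{
    size_t i, o = 0;

    for (i = 0; i < n; ++i) {
        size_t need = (src[i] == '\r') ? 2 : 1;
        if (dstcap - o < need)
            return (size_t)-1;
        dst[o++] = src[i];
        if (src[i] == '\r')
            dst[o++] = '\n';
    }
    return o;
}

int main(void)
{
    size_t bs = 0, as = 0;
    unsigned char *buf;

    printf("unchecked 2*(SIZE_MAX/2+1) = %lu\n",
           (unsigned long)ex_double_unchecked(SIZE_MAX / 2 + 1));
    buf = ex_alloc_transfer_buffer("8192", &bs, &as);
    printf("\"8192\": %s, alloc %lu\n", buf ? "accepted" : "rejected",
           (unsigned long)as);
    free(buf);
    /* Constructed oversized argument: must be rejected, not wrapped. */
    buf = ex_alloc_transfer_buffer("18446744073709551615", &bs, &as);
    printf("oversized: %s\n", buf ? "accepted" : "rejected");
    free(buf);
    return 0;
}
```
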
2020-10-13 17:25:21 +00:00
Corrections:
Socat's address parser read over end of string when there were unbalanced
quotes
Test: UNBALANCED_QUOTE
2020-12-12 11:58:30 +00:00
Removed unused usleep() call from sycls.c
2020-11-24 19:22:45 +00:00
Unsetenv() was conditional in sysutils.c but not in xio-openssl.c thus
building failed on Solaris 9.
Thanks to Greg Earle for reporting this issue and providing a patch.
2020-12-27 23:41:41 +00:00
2020-12-28 10:10:03 +00:00
Mitigated race condition of quickly terminating SYSTEM or EXEC child
processes.
2020-12-29 04:07:03 +00:00
Option o-direct might require alignment of read/write buffer to, e.g.,
512 bytes, Socat now takes care of this when allocating the buffer.
With this fix read() succeeds, however, write() still might fail when
not writing complete pages.
Test: O_DIRECT
2020-11-28 09:21:39 +00:00
There was a race condition in the way Socat UDP-RECVFROM and similar
addresses with option fork prevents one packet from triggering
multiple processes. The symptom was that Socat master process seemed to
hang and did not process further packets. The fix makes use of
pselect() system call.
Thanks to Fulvio Scapin for reporting this issue.
2020-12-27 11:39:48 +00:00
|
|
|
|
UNIX domain client addresses applied file system entry options (group
|
|
|
|
|
NAMED) to the server socket instead of the client (bind) socket entry.
|
|
|
|
|
Tests: UNIX_SENDTO_UNLINK UNIX_CONNECT_UNLINK
|
|
|
|
|
Thanks to Nico Williams for reporting this major issue.
|
|
|
|
|
|
2020-11-28 19:19:47 +00:00
|
|
|
|
Length of single address options was limited to 511 bytes. This value
|
|
|
|
|
is now increased to 2047 bytes.
|
|
|
|
|
Change suggested by Mario Camou.
|
|
|
|
|
|
2020-12-26 18:03:32 +00:00
|
|
|
|
Addresses of type RECVFROM with option fork looped with an error
|
|
|
|
|
message in case that the second address failed before consuming the
|
|
|
|
|
packet. The fix makes RECVFROM drop the packet when the second address
|
|
|
|
|
failed before reading it. Use retry or forever option with the second
|
|
|
|
|
address if you want to avoid data loss.
|
2021-10-24 07:39:35 +00:00
|
|
|
|
Fixes Red Hat bug 1907718
|
2020-12-26 18:03:32 +00:00
|
|
|
|
Thanks to Chunmei Xu for reporting this issue and proving the patch.

Socat's DTLS implementation has been reworked and now appears to work
reasonably over UDP.
New addresses: OPENSSL-DTLS-SERVER (DTLS-L),
OPENSSL-DTLS-CLIENT (DTLS)
Tests: OPENSSL_DTLS_CLIENT OPENSSL_DTLS_SERVER
OPENSSL_METHOD_DTLS1 OPENSSL_METHOD_DTLS1.2
Thanks to Brandon Carpenter, Qing Wan, and Pavel Nakonechnyi for
sending patches.

filan did not output the socket protocol.
filan -s assumed each stream socket to be TCP and each datagram socket
to be UDP. Now it uses SO_PROTOCOL and getprotoent() for correct output.

Help text showed two parameters for UDP4-RECVFROM address, but only
<port> is allowed.
Thanks to John the Scott for reporting this issue.

Error messages from SSL_read() and SSL_write() sometimes stated
SSL_connect instead of the originating function name.

Fixed some more non-functional minor issues.

Porting:
In gcc version 10 the default changed from -fcommon to -fno-common.
Consequently, linking filan and procan failed with error
"multiple definition of `deny_severity'" and `allow_severity'
Fixed by removing definitions in filan.c and procan.c
Debian issue 957823
Thanks to László Böszörményi and others for reporting this issue.

Solaris 9 does not provide strndup(); added substitute code.
Thanks to Greg Earle for providing a patch.

Added configure option --enable-openssl-base to specify the location of
a non-OS OpenSSL installation

There are systems whose kernel understands SCTP but getaddrinfo does
not. As a workaround, after EAI_SOCKTYPE on name and service resolution
fall back to ai_socktype=0; if it fails with EAI_SERVICE, set
ai_protocol=0 and try again
Test: SCTP_SERVICENAME

Per file filesystem options were still named ext2-* and depended on
<linux/ext2_fs.h>. Now they are called fs-* and depend on <linux/fs.h>.
These fs-* options are also available on old systems with ext2_fs.h

New options openssl-min-proto-version (min-version) and
openssl-max-proto-version (max-version) give access to the related
OpenSSL set-macros and substitute deprecated version-specific methods.
Test: OPENSSL_MIN_VERSION

With OpenSSL use OPENSSL_init_SSL when available, instead of deprecated
SSL_library_init.

With OPENSSL_API_COMPAT=0x10000000L the files openssl/dh.h, openssl/bn.h
must explicitly be included.
Thanks to Rosen Penev for reporting and sending a patch.

Testing:
test.sh now produces a list of tests that could not be performed for
any reason. This helps to analyse these cases.

OpenSSL s_server apparently started to neglect TCP's half close feature.
Test OPENSSL_TCP4 has been changed to tolerate this.

OpenSSL changed its behaviour when connection is rejected. Tests
OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and
OPENSSL_CN_SERVER_SECURITY now tolerate this.

OpenSSL no longer allows explicit renegotiation with TLSv1.3, thus the
appropriate tests failed.
Fix: use TLSv1.2 for renegotiation tests
Tests: OPENSSLRENEG1 OPENSSLRENEG2

Ubuntu 20.04 requires 2048 bit certificates with OpenSSL

Archlinux 2020 has no which command; its ip and ss commands have modified
version strings

More testing issues solved:
* ss to pipe might omit column separator
* UDP6MULTICAST_UNIDIR fails on newer Linux kernels
* do not use sort -V
* renamed testaddrs() to testfeats(), and introduced new testaddrs()

New features:
GOPEN and UNIX-CLIENT addresses now support sockets of type SEQPACKET.
Test: GOPENUNIXSEQPACKET
Feature suggested by vi0oss.

The generic setsockopt-int and related options are, in case of
listening/accepting addresses, applied to the connected socket(s). To enable
setting options on the listening socket, a new option setsockopt-listen
has been implemented. See the documentation for info on data types.
Tests: SETSOCKOPT SETSOCKOPT_LISTEN
Thanks to Steven Danna and Korian Edeline for reporting this issue.

Filan option -S gives short description like -s but with improved
format

Socat OpenSSL client, when server was specified using IP address, did
not verify the connection against the certificate's SubjectAltName IP entries.
Tests: OPENSSL_SERVERALTAUTH OPENSSL_SERVERALTIP4AUTH OPENSSL_SERVERALTIP6AUTH
Fixes Red Hat bug 1805132

Added options -r and -R for raw dump of transferred data to files.
Test: OPTION_RAW_DUMP

Added option ip-transparent (socket option IP_TRANSPARENT)
Thanks to Wang Shanker for sending a patch.

OPENSSL-CONNECT now automatically uses the SNI feature, option
openssl-no-sni turns it off. Option openssl-snihost overrides the value
of option openssl-commonname or the server name.
Tests: OPENSSL_SNI OPENSSL_NO_SNI
Thanks to Travis Burtrum for providing the initial patch

New option accept-timeout (listen-timeout)
Test: ACCEPTTIMEOUT
Proposed by Roland

New option ip-add-source-membership
Feature inspired by Brian (b f31415)

INCOMPATIBLE CHANGE: Address UDP-DATAGRAM now does not check peerport
of replies, as it did up to version 1.7.3.4. Use option sourceport when
you need the old behaviour.
Test: UDP_DATAGRAM_SOURCEPORT
Feature inspired by Hans Bueckler for SSDP inquiry (for UPnP)

New option proxy-authorization-file reads PROXY-CONNECT credentials
from file and makes it possible to hide this data from the process
table.
Test: PROXYAUTHFILE
Thanks to Charles Stephens for sending an initial patch.

Added AF_VSOCK support with VSOCK-CONNECT and VSOCK-LISTEN addresses.
Developed by Stefano Garzarella.

Coding:
Added printf formats for uint16_t etc.

Documentation:
Address UDP-RECV does not support option fork.
Thanks to Fulvio Scapin for reporting that mistake in docu.

TUN address documentation showed TCP for backend which may merge
consecutive packets which causes data loss.
Thanks to Tomasz Lakota for reporting this issue.

####################### V 1.7.3.4:

Corrections:
Header of xiotermios_speed() declared parameter unsigned int instead of
speed_t, thus compiling failed on MacOS
Thanks to Joe Strout and others for reporting this bug.
Thanks to Andrew Childs and others for sending a patch.

Under certain circumstances, termios options of the first address were
applied to the second address, resulting in error
"Inappropriate ioctl for device"
This affected version 1.7.3.3 only.
Test: TERMIOS_PH_ALL
Thanks to Ivan J. for reporting this issue.

Socat failed to compile when no poll() system call was found by
configure.
Thanks to Jason White for sending a patch.

Due to use of SSL_CTX_clear_mode() Socat failed to compile on old
systems with, e.g., OpenSSL-0.9.8. Thanks to Simon Matter and Moritz B.
for reporting this problem and sending initial patches.

getaddrinfo() in IP4-SENDTO and IP6-SENDTO addresses failed with
"ai_socktype not supported" when protocol 6 was addressed.
The fix removes the possibility to use service names with SCTP.
Test: IP_SENDTO_6
Thanks to Sören for sending an initial patch.

Under certain circumstances, Socat printed the "socket ... is at EOF"
multiple times.
Test: MULTIPLE_EOF

Newer parts of test.sh used substitutions ${x,,*} or ${x^^*} that are
not implemented in older bash versions.

####################### V 1.7.3.3:

Corrections:
Makefile.in did not specify dependencies of filan on vsnprintf_r.o
and snprinterr.o
Added definition of FILAN_OBJS
Thanks to Craig Leres, Clayton Shotwell, and Chris Packham for
providing patches.

configure option --enable-msglevel did not work with numbers

The autoconf mechanism for determining SHIFT_OFFSET did not work when
cross compiling.
Thanks to Max Freisinger from Gentoo for sending a patch.

Socat still depended on obsolete gethostbyname() function, thus
compiling with MUSL libc failed.
Problem reported by Kennedy33.

The async signal safe diagnostic system used FDs 3 and 4 internally, so
use of appropriate fdin or fdout led to failures.
Test: DIAG_FDIN
Problem reported by Onur Sentürk.

The socket based mechanism for passing messages and signal information
from signal handler to process could reach and kill the wrong process.
Introduces functions diag_sock_pair(), diag_fork()
Thanks to Darren Zhao for analysing and reporting this problem.

Option ipv6-join-group did not work because it was applied in the wrong
phase
Test: UDP6MULTICAST_UNIDIR
Thanks to Angus Gratton for sending a patch.

Setting ispeed and ospeed failed for some serial devices because the
two settings were applied with two different get/set cycles. Thanks to
Alexandre Fenyo for providing an initial patch.
However, the actual fix is part of a conceptual change of the termios
module that aims for applying all changes in a single tcsetattr call.
Fixes FreeBSD Bug 198441

Termios options TAB0,TAB1,TAB2,TAB3, and XTABS did not have an effect.
Thanks to Alan Walters for reporting this bug.

Substituted cumbersome ISPEED_OFFSET mechanism for cfsetispeed() calls

With TCP6-LISTEN and the other passive IPv6 addresses the range option
just failed: due to a bug in the syntax parser and two more bugs in
the xiocheckrange_ip6() function.
The syntax has now been changed from "[::1/128]" to "[::1]/128"!
Thanks to Leah Neukirchen for sending an initial fix.
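
An added C example of the new range syntax (not Socat's xiocheckrange_ip6(); range6_parse, range6_match and range6_allows are hypothetical names). It accepts "[addr]/bits", rejects the old "[addr/bits]" form, and compares prefixes byte-wise so that it does not depend on an s6_addr32 member.

```c
/* Added example; all names are hypothetical, this is not Socat's code. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>

struct range6 {
    struct in6_addr net;   /* network address as given in the spec */
    unsigned bits;         /* prefix length, 0..128 */
};

/* Parse "[<ipv6>]/<bits>". Returns 0 on success, -1 on any syntax error. */
int range6_parse(const char *spec, struct range6 *r) {
    char addr[INET6_ADDRSTRLEN];
    const char *close;
    char *end;
    unsigned long bits;
    size_t len;

    if (spec[0] != '[')
        return -1;
    close = strchr(spec, ']');
    if (close == NULL || close[1] != '/')
        return -1;                       /* old form "[::1/128]" ends here */
    len = (size_t)(close - (spec + 1));
    if (len == 0 || len >= sizeof addr)
        return -1;
    memcpy(addr, spec + 1, len);
    addr[len] = '\0';
    if (inet_pton(AF_INET6, addr, &r->net) != 1)
        return -1;
    if (close[2] < '0' || close[2] > '9')
        return -1;                       /* strtoul() would accept sign or blanks */
    bits = strtoul(close + 2, &end, 10);
    if (*end != '\0' || bits > 128)
        return -1;
    r->bits = (unsigned)bits;
    return 0;
}

/* Return 1 when the first r->bits bits of peer equal those of r->net. */
int range6_match(const struct range6 *r, const struct in6_addr *peer) {
    unsigned full = r->bits / 8;         /* whole bytes covered by the prefix */
    unsigned rest = r->bits % 8;         /* remaining bits in the next byte */

    if (memcmp(r->net.s6_addr, peer->s6_addr, full) != 0)
        return 0;
    if (rest != 0) {
        unsigned char mask = (unsigned char)(0xff << (8 - rest));
        if ((r->net.s6_addr[full] ^ peer->s6_addr[full]) & mask)
            return 0;
    }
    return 1;
}

/* Convenience wrapper: 1 = peer inside range, 0 = outside, -1 = bad input. */
int range6_allows(const char *spec, const char *peer) {
    struct range6 r;
    struct in6_addr a;

    if (range6_parse(spec, &r) != 0 || inet_pton(AF_INET6, peer, &a) != 1)
        return -1;
    return range6_match(&r, &a);
}
```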

For name resolution Socat only checked the first character of the host
name to decide if it is an IPv4 address. This was not RFC conformant. This
fix removes the possibility for use of IPv4 addresses with IPv6, e.g.
TCP6:127.0.0.1:80
Debian issue 695885
Thanks to Nicolas Fournil for reporting this issue.

Print a useful error message when single character options appear to be
merged in Socat invocation
Test: SOCAT_OPT_HINT

Fixed some docu typos.
Thanks to Travis Wellman, Thomas <tjps636>, Dan Kenigsberg,
Julian Zinn, and Simon Matter

Porting:
OpenSSL functions TLS1_client_method() and similar are
deprecated. Socat now uses recommended TLS_client_method(). The old
functions and dependent option openssl-method can still be
used when configuring socat with --enable-openssl-method

Shell scripts in socat distribution are now headed with:
#! /usr/bin/env bash
to make them better portable to systems without /bin/bash
Thanks to Maya Rashish for sending a patch

RES_AAONLY, RES_PRIMARY are deprecated. You can still enable them with
configure option --enable-res-deprecated.

New versions of OpenSSL preset SSL_MODE_AUTO_RETRY which may hang socat.
Solution: clear SSL_MODE_AUTO_RETRY when it is set.

Renamed configure.in to configure.ac and set an appropriate symlink for
older environments.
Related Gentoo bug 426262: Warning on configure.in
Thanks to Francesco Turco for reporting that warning.

Fixed new IPv6 range code for platforms without s6_addr32 component.

Testing:
test.sh: Show a warning when phase-1 (insecure phase) of a security
test fails

OpenSSL tests failed on current Linux distributions. Measures:
* Increased key lengths from 768 to 1024 bits
* Added test.sh option -C to delete temp certs from previous runs
* Provide DH-parameter in certificate in PEM
* OpenSSL s_server option -verify 0 must be omitted
* OpenSSL authentication method aNULL no longer works
* Failure of cipher aNULL is not a failure
* Failure of methods SSL3 and SSL23 is desired

test.sh depended on ifconfig and netstat utilities which are no longer
available in some distributions. test.sh now checks for and prefers
ip and ss.
Thanks to Ruediger Meier for reporting this problem.

More corrections to test.sh:
* Language settings could still influence test results
* netstat was still required
* Suppress usleep deprecated message
* Force use of IPv4 with some certificates
* Set timeout for UDPxMAXCHILDREN tests

Git:
Added missing Config/Makefile.DragonFly-2-8-2,
Config/config.DragonFly-2-8-2.h
Removed testcert.conf (to be generated by test.sh)

Cosmetics:
Simplified handling of missing termios defines.

New features:
Permit combined -d options as -dd etc.

porting:
ext2 options are now fs options.

####################### V 1.7.3.2:

corrections:
SIGSEGV and other signals could lead to a 100% CPU loop

Failing name resolution could lead to SIGSEGV
Thanks to Max for reporting this issue.

Include <stddef.h> for ptrdiff_t
Thanks to Jeroen Roovers for reporting this issue.

Building with --disable-sycls failed due to missing sslcls.h defines

Socat hung when configured with --disable-sycls.

Some minor corrections with includes etc.

Option so-reuseport did not work. Thanks to Some Raghavendra Prabhu
for sending a patch.

Programs invoked with EXEC, nofork, and -u or -U had stdin and stdout
incorrectly assigned
Test: EXEC_NOFORK_UNIDIR
Thanks to David Reiss for reporting this problem.

Socat exited with status 0 even when a program invoked with SYSTEM or
EXEC failed.
Tests: SYSTEM_RC EXEC_RC
Issue reported by Felix Winkelmann.

AddressSanitizer reported a few buffer overflows (false positives).
Nevertheless fixed Socat source.
Issue reported by Hanno Böck.

Socat did not use option ipv6-join-group.
Test: USE_IPV6_JOIN_GROUP
Thanks to Linus Lüssing for sending a patch.

UDP-LISTEN did not honor the max-children option.
Test: UDP4MAXCHILDREN UDP6MAXCHILDREN
Thanks to Leander Berwers for reporting this issue.

Options so-rcvtimeo and so-sndtimeo do not work with poll()/select()
and therefore were useless.
Thanks to Steve Borenstein for reporting this issue.

Option dhparam was documented as dhparams. Added the alias name
dhparams to fix this.
Thanks to Alexander Neumann for sending a patch.

Options shut-down and shut-close did not work.
Thanks to Stefan Schimanski for providing a patch.

There was a bug in printing readline log message caused by a misleading
indentation.
Thanks to Paul Wouters for reporting.

The internal vsnprintf_r function looped or crashed on size parameter
with hexadecimal output.

Ignore exit code of child process when it was killed by master due to
EOF

Corrected byte order on read of IPV6_TCLASS value from ancillary
message

Fixed type of the bool element in options. This bug had caused failures
e.g. of ignoreeof on big-endian systems when bool was not based on int.

On systems with predefined bool type whose size differs from int some
IPv6 and TCP options (per setsockopt()) failed.

Length of integral data in ancillary messages varies (TOS: 1 byte,
TTL: 4 bytes), the old implementation failed for TTL on big-endian
hosts.

Fixed an issue in options processing: TUN and DNS flags had failed on
big-endian systems and the NO- forms had probably never worked.

porting:
Type conflict between int and sig_atomic_t between declaration and
definition of diag_immediate_type and diag_immediate_exit broke
compilation on FreeBSD 10.1 with clang. Thanks to Emanuel Haupt for
reporting this bug.

Socat failed to compile on platforms with OpenSSL without
DTLSv1_client_method or DTLSv1_server_method.
Thanks to Simon Matter for sending a patch.

NuttX OS headers do not provide struct ip, thus socat did not compile.
Made struct ip subject to configure.
Thanks to SP for reporting this issue.

Socat failed to compile with OpenSSL version 1.0.2d where
SSLv3_server_method and SSLv3_client_method are no longer defined.
Thanks to Mischa ter Smitten for reporting this issue and providing
a patch.

configure checked for OpenSSL EC_KEY assuming it is a define but it
is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
Thanks to Andrey Arapov for reporting this bug.

Changes to make socat compile with OpenSSL 1.1.
Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
providing the base patch.
Debian Bug#828550

Make Socat compatible with BoringSSL.
Thanks to Matt Braithwaite for providing a patch.

OpenSSL: Use RAND_status to determine PRNG state
Thanks to Adam Langley for providing a patch

AIX-7 uses an extended O_ACCMODE that does not fit socat's internal
requirements. Thanks to Garrick Trowsdale for providing a patch

LibreSSL support: check for OPENSSL_NO_COMP
Thanks to Bernard Spil for providing a patch

testing:
socks4echo.sh and socks4a-echo.sh hung with new bash with read -n

test.sh: stderr; option -v (verbose); FDOUT_ERROR description

improved proxy.sh - it now also takes hostnames

A few corrections in test.sh

DTLS1 test hangs on some distributions. Test is now only performed
with OpenSSL 1.0.2 or higher.

More corrections to test.sh that reveal a mistake with IPV6_TCLASS

docu:
Corrected source of socat man page to correctly show man references
like socket(2); removed obsolete entries from See Also

Docu and some comments mentioned addresses SSL-LISTEN and SSL-CONNECT
that do not exist (OPENSSL-LISTEN, SSL-L; and OPENSSL-CONNECT, SSL
are correct).
Thanks to Zhigang Wang for reporting this issue.

Fixed a couple of English spelling and grammar mistakes.
Thanks to Jakub Wild for sending the patches.

NOEXPAND() was not resolved 2 times.

More minor docu corrections

legal:
Added contributors to copyright notices. Suggested by Matt Braithwaite.

####################### V 1.7.3.1:

security:
Socat security advisory 8
A stack overflow vulnerability was found that can be triggered when
command line arguments (complete address specifications, host names,
file names) are longer than 512 bytes.
Successful exploitation might allow an attacker to execute arbitrary
code with the privileges of the socat process.
This vulnerability can only be exploited when an attacker is able to
inject data into socat's command line.
A vulnerable scenario would be a CGI script that reads data from clients
and uses (parts of) this data as hostname for a Socat invocation.
Test: NESTEDOVFL
Credits to Takumi Akiyama for finding and reporting this issue.

Socat security advisory 7
MSVR-1499
In the OpenSSL address implementation the hard coded 1024 bit DH p
parameter was not prime. The effective cryptographic strength of a key
exchange using these parameters was weaker than the one that could be
obtained by using a prime p. Moreover, since there is no indication of how
these parameters were chosen, the existence of a trapdoor that makes it
possible for an eavesdropper to recover the shared secret from a key
exchange that uses them cannot be ruled out.
Furthermore, 1024 bit is not considered sufficiently secure.
Fix: generated a new 2048 bit prime.
Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
Research (MSVR) for finding and reporting this issue.

####################### V 1.7.3.0:

security:
Socat security advisory 6
CVE-2015-1379: Possible DoS with fork
Fixed problems with signal handling caused by use of not async signal
safe functions in signal handlers that could freeze socat, allowing
denial of service attacks.
Many changes in signal handling and the diagnostic messages system were
applied to make the code async signal safe but still provide detailed
logging from signal handlers:
* Coded function vsnprintf_r() as async signal safe incomplete substitute
  of libc vsnprintf()
* Coded function snprinterr() to replace %m in strings with a system error
  message
* Instead of gettimeofday() use clock_gettime() when available
* Pass Diagnostic messages from signal handler per unix socket to the main
  program flow
* Use sigaction() instead of signal() for better control
* Turn off nested signal handler invocations
Thanks to Peter Lobsinger for reporting and explaining this issue.

Red Hat issue 1019975: add TLS host name checks
OpenSSL client checks if the server certificate's names in
extensions/subjectAltName/DNS or in subject/commonName match the name
used to connect or the value of the openssl-commonname option.
Test: OPENSSL_CN_CLIENT_SECURITY

OpenSSL server checks if the client certificate's names in
extensions/subjectAltName/DNS or subject/commonName match the value of
the openssl-commonname option when it is used.
Test: OPENSSL_CN_SERVER_SECURITY

Red Hat issue 1019964: socat now uses the system certificate store with
OPENSSL when neither options cafile nor capath are used

Red Hat issue 1019972: needs to specify OpenSSL cipher suites
Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to
prevent downgrade attacks

new features:
OpenSSL addresses set a couple of environment variables from values in
the peer certificate, e.g.:
SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER,
SOCAT_OPENSSL_X509_COMMONNAME,
SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS
Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_*

Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1
Tests: OPENSSL_METHOD_*

Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested
by Andrey Arapov.

Added a new option termios-rawer for ptys.
Thanks to Christian Vogelgsang for pointing me to this requirement

corrections:
Bind with ABSTRACT commands used non-abstract namespace (Linux).
Test: ABSTRACT_BIND
Thanks to Denis Shatov for reporting this bug.

Fixed return value of nestlex()

Option ignoreeof on the right address hung.
Test: IGNOREEOF_REV
Thanks to Franz Fasching for reporting this bug.

Address SYSTEM, when terminating, shut down its parent addresses,
e.g. an SSL connection which the parent assumed to still be active.
Test: SYSTEM_SHUTDOWN

Passive (listening or receiving) addresses with empty port field bound
to a random port instead of terminating with error.
Test: TCP4_NOPORT

configure with some combination of disable options produced config
files that failed to compile due to missing IPPROTO_TCP.
Thanks to Thierry Fournier for report and patch.
|
|
|
|
|
|
2015-01-23 17:38:06 +00:00
|
|
|
|
fixed a few minor bugs with OpenSSL in configure and with messages
|
|
|
|
|
|
2015-01-04 15:38:36 +00:00
|
|
|
|
Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime
|
|
|
|
|
is required. Thanks to Zhigang Wang for reporting and sending a patch.
|
|
|
|
|
|
2015-01-06 12:07:15 +00:00
|
|
|
|
Christophe Leroy provided a patch that fixes memory leaks reported by
|
|
|
|
|
valgrind
|
|
|
|
|
|
2014-11-17 08:18:54 +00:00
|
|
|
|
Help for filan -L was bad, is now corrected to:
|
|
|
|
|
"follow symbolic links instead of showing their properties"
|
|
|
|
|
|
2015-01-13 11:12:23 +00:00
|
|
|
|
Address options fdin and fdout were silently ignored when not applicable
|
|
|
|
|
due to -u or -U option. Now these combinations are caught as errors.
|
|
|
|
|
Test: FDOUT_ERROR
|
|
|
|
|
Issue reported by Hendrik.
|
|
|
|
|
|
2015-01-23 20:30:38 +00:00
|
|
|
|
Added option termios-cfmakeraw that calls cfmakeraw() and is preferred
|
|
|
|
|
over option raw which is now obsolote. On SysV systems this call is
|
|
|
|
|
simulated by appropriate setting.
|
|
|
|
|
Thanks to Youfu Zhang for reporting issue with option raw.
|
|
|
|
|
|
2015-01-12 21:22:38 +00:00
porting:
Socat included <sys/poll.h> instead of POSIX <poll.h>
Thanks to John Spencer for reporting this issue.

2014-11-23 16:27:21 +00:00
Version 1.7.2.4 changed the check for gcc in configure.ac; this
broke cross compiling. The particular check gets reverted.
Thanks to Ross Burton and Danomi Manchego for reporting this issue.

2015-01-04 19:22:13 +00:00
Debian Bug#764251: Set the build timestamp to a deterministic time:
support external BUILD_DATE env var to allow to build reproducible
binaries

2015-01-04 14:13:21 +00:00
Joachim Fenkes provided a new adapted spec file.

2014-11-16 20:53:36 +00:00
Type bool and macros Min and Max are defined by socat which led to
compile errors when they were already provided by build framework.
Thanks to Liyu Liu for providing a patch.

2014-11-23 14:03:54 +00:00
David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h
support and appropriate files in Config/

2014-11-16 17:06:13 +00:00
Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h
on Illumos

2015-01-23 16:31:14 +00:00
Changes for Openindiana: define _XPG4_2, __EXTENSIONS__,
_POSIX_PTHREAD_SEMANTICS; and minor changes

2015-01-23 17:46:04 +00:00
Red Hat issue 1182005: socat 1.7.2.4 build failure missing
linux/errqueue.h
Socat failed to compile on PPC due to new requirements for
including <linux/errqueue.h> and a weakness in the conditional code.
Thanks to Michel Normand for reporting this issue.

2015-01-18 16:44:12 +00:00
doc:
In the man page the PTY example was badly formatted. Thanks to
J.F.Sebastian for sending a patch.

Added missing CVE ids to security issues in CHANGES

2015-01-12 19:14:07 +00:00
testing:
Do not distribute testcert.conf with socat source but generate it
(and new testcert6.conf) during test.sh run.

2014-03-09 21:08:59 +00:00
####################### V 1.7.2.4:

2011-12-30 12:08:54 +00:00
corrections:
2012-09-26 07:13:31 +00:00
LISTEN based addresses applied some address options, e.g. so-keepalive,
to the listening file descriptor instead of the connected file
descriptor
Thanks to Ulises Alonso for reporting this bug

2011-12-30 12:08:54 +00:00
make failed after configure with non gcc compiler due to missing
include. Thanks to Horacio Mijail for reporting this problem

2013-06-22 19:38:02 +00:00
configure checked for --disable-rawsocket but printed
--disable-genericsocket in the help text. Thanks to Ben Gardiner for
reporting and patching this bug

2014-02-03 09:51:58 +00:00
In xioshutdown() a wrong branch was chosen after RECVFROM type addresses.
Probably no impact.
2017-01-08 10:50:11 +00:00
Thanks to David Binderman for reporting this issue.
2014-02-03 09:51:58 +00:00

2014-02-03 10:04:09 +00:00
procan could not cleanly format ulimit values longer than 16 decimal
digits. Thanks to Frank Dana for providing a patch that increases field
width to 24 digits.

2014-02-03 20:08:21 +00:00
OPENSSL-CONNECT with bind option failed on some systems, e.g. FreeBSD, with
"Invalid argument"
Thanks to Emile den Tex for reporting this bug.

2014-02-08 12:38:16 +00:00
Changed some variable definitions to make gcc -O2 aliasing checker happy
Thanks to Ilya Gordeev for reporting these warnings

2014-02-15 14:57:40 +00:00
On big endian platforms with type long >32bit the range option applied a
bad base address. Thanks to hejia hejia for reporting and fixing this bug.

2014-01-25 09:35:21 +00:00
Red Hat issue 1022070: missing length check in xiolog_ancillary_socket()

2014-01-21 18:26:14 +00:00
Red Hat issue 1022063: out-of-range shifts on net mask bits

2014-01-19 15:22:11 +00:00
Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4()

2014-01-19 13:35:23 +00:00
Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy()
uses

2013-12-20 16:46:45 +00:00
Red Hat issue 1021958: fixed a bug with faulty buffer/data length
calculation in xio-ascii.c:_xiodump()

2014-01-12 20:40:25 +00:00
Red Hat issue 1021972: fixed a missing NUL termination in return string
of sysutils.c:sockaddr_info() for the AF_UNIX case

2014-03-02 13:53:41 +00:00
fixed some typos and minor issues, including:
Red Hat issue 1021967: formatting error in manual page

2014-02-12 16:00:33 +00:00
UNIX-LISTEN with fork option did not remove the socket file system entry
when exiting. Other file system based passive address types had similar
issues or failed to apply options umask, user e.a.
Thanks to Lorenzo Monti for pointing me to this issue

2014-01-12 20:07:38 +00:00
porting:
2014-03-01 14:58:06 +00:00
Red Hat issue 1020203: configure checks fail with some compilers.
Use case: clang

2014-01-12 20:07:38 +00:00
Performed changes for Fedora release 19

2014-02-26 17:19:37 +00:00
Adapted, improved test.sh script

2014-01-26 14:24:55 +00:00
Red Hat issue 1021429: getgroupent fails with large number of groups;
use getgrouplist() when available instead of sequence of calls to
getgrent()

2014-01-26 16:45:09 +00:00
Red Hat issue 1021948: snprintf API change;
Implemented xio_snprintf() function as wrapper that tries to emulate C99
behaviour on old glibc systems, and adapted all affected calls
appropriately

2013-06-21 14:55:15 +00:00
Mike Frysinger provided a patch that supports long long for time_t,
socklen_t and a few other libc types.

2013-06-22 12:39:16 +00:00
Artem Mygaiev extended Cedril Priscal's Android build script with pty code

2014-03-01 17:24:34 +00:00
The check for fips.h required stddef.h
Thanks to Matt Hilt for reporting this issue and sending a patch

2014-03-09 14:47:56 +00:00
Check for linux/errqueue.h failed on some systems due to lack of
linux/types.h inclusion. Thanks to Michael Vastola for sending a patch.

2014-03-09 14:50:19 +00:00
autoconf now prefers configure.ac over configure.in
Thanks to Michael Vastola for sending a patch.

2014-03-09 21:08:19 +00:00
type of struct cmsghdr.cmsg is system dependent, determine it with
configure; some more print format corrections

2013-06-23 06:14:32 +00:00
docu:
libwrap always logs to syslog

added actual text version of GPLv2

2014-01-25 16:44:55 +00:00
####################### V 1.7.2.3:

security:
2016-01-29 10:29:11 +00:00
Socat security advisory 5
2014-01-25 16:44:55 +00:00
CVE-2014-0019: socat's PROXY-CONNECT address was vulnerable to a buffer
overflow with data from command line (see socat-secadv5.txt)
Credits to Florian Weimer of the Red Hat Product Security Team

2013-03-25 19:42:58 +00:00
####################### V 1.7.2.2:

security:
2016-01-29 10:29:11 +00:00
Socat security advisory 4
2015-01-18 16:44:12 +00:00
CVE-2013-3571:
2013-03-25 19:42:58 +00:00
after refusing a client connection due to bad source address or source
port socat shutdown() the socket but did not close() it, resulting in
a file descriptor leak in the listening process, visible with lsof and
possibly resulting in EMFILE Too many open files. This issue could be
misused for a denial of service attack.
Full credits to Catalin Mitrofan for finding and reporting this issue.

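The leak described under CVE-2013-3571 above, reproduced in isolation as an added example (this is not socat's code): a refusal path that only calls shutdown() exhausts the descriptor table, while shutdown() followed by close() does not. The function names, the socketpair() stand-in for accept(), and the temporarily lowered RLIMIT_NOFILE are assumptions of this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

enum refuse_mode { SHUTDOWN_ONLY, SHUTDOWN_AND_CLOSE };

/* Highest descriptor number currently open, scanning 0..1023. */
static int highest_open_fd(void) {
    int hi = -1;
    for (int fd = 0; fd < 1024; ++fd)
        if (fcntl(fd, F_GETFD) != -1) hi = fd;
    return hi;
}

/* Refusal path of a listener for a peer that failed the source check. */
static void refuse(int fd, enum refuse_mode mode) {
    shutdown(fd, SHUT_RDWR);        /* the connection is torn down ...   */
    if (mode == SHUTDOWN_AND_CLOSE)
        close(fd);                  /* ... and the descriptor is freed   */
}

/*
 * Handle up to `clients` refused connections while only `headroom`
 * descriptor slots are free. Returns how many were handled before the
 * process could no longer allocate descriptors (typically EMFILE),
 * `clients` if that never happened, or -1 on setup failure.
 */
int refusals_survived(int clients, int headroom, enum refuse_mode mode) {
    struct rlimit old, lim;
    int leaked[1024], nleaked = 0, served = 0;

    if (getrlimit(RLIMIT_NOFILE, &old) != 0) return -1;
    lim = old;
    lim.rlim_cur = (rlim_t)(highest_open_fd() + 1 + headroom);
    if (lim.rlim_cur > old.rlim_cur) lim.rlim_cur = old.rlim_cur;
    if (setrlimit(RLIMIT_NOFILE, &lim) != 0) return -1;

    while (served < clients) {
        int sv[2];
        /* socketpair() stands in for accept(): sv[0] is the accepted socket */
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) break;
        close(sv[1]);               /* the client's end goes away */
        refuse(sv[0], mode);
        if (mode == SHUTDOWN_ONLY && nleaked < 1024)
            leaked[nleaked++] = sv[0];   /* remembered only for cleanup */
        ++served;
    }

    /* Clean up so the demonstration can be repeated in one process. */
    for (int i = 0; i < nleaked; ++i) close(leaked[i]);
    setrlimit(RLIMIT_NOFILE, &old);
    return served;
}

int main(void) {
    printf("shutdown() only:      %d of 100 refusals handled\n",
           refusals_survived(100, 16, SHUTDOWN_ONLY));
    printf("shutdown() + close(): %d of 100 refusals handled\n",
           refusals_survived(100, 16, SHUTDOWN_AND_CLOSE));
    return 0;
}
```

On a running listener the same condition shows up as a growing number of socket entries for the process in lsof output, as the entry above notes.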
2012-04-24 05:30:01 +00:00
####################### V 1.7.2.1:

security:
2016-01-29 10:29:11 +00:00
Socat security advisory 3
2015-01-18 16:44:12 +00:00
CVE-2012-0219:
2012-04-24 05:30:01 +00:00
fixed a possible heap buffer overflow in the readline address. This bug
could be exploited when all of the following conditions were met:
1) one of the addresses is READLINE without the noprompt and without the
prompt options.
2) the other (almost arbitrary address) reads malicious data (which is
then transferred by socat to READLINE).
Workaround: when using the READLINE address apply option prompt or
noprompt.
Full credits to Johan Thillemann for finding and reporting this issue.

2011-12-05 21:28:49 +00:00
####################### V 1.7.2.0:

2010-10-03 13:46:10 +00:00
corrections:
2010-10-03 14:28:06 +00:00
when UNIX-LISTEN was applied to an existing file it failed as expected
but removed the file. Thanks to Bjoern Bosselmann for reporting this
problem

2010-10-03 13:46:10 +00:00
fixed a bug where socat might crash when connecting to a unix domain
socket using address GOPEN. Thanks to Martin Forssen for bug report and
patch.

2010-10-03 14:38:04 +00:00
UDP-LISTEN would always set SO_REUSEADDR even without fork option and
when user set it to 0. Thanks to Michal Svoboda for reporting this bug.

2010-10-03 22:18:13 +00:00
UNIX-CONNECT did not support half-close. Thanks to Greg Hughes who
pointed me to that bug

2010-10-05 05:35:02 +00:00
TCP-CONNECT with option nonblock reported successful connect even when
it was still pending

2010-10-05 07:11:47 +00:00
address option ioctl-intp failed with "unimplemented type 26". Thanks
to Jeremy W. Sherman for reporting and fixing that bug

2010-12-08 09:58:25 +00:00
socat option -x did not print packet direction, timestamp etc; thanks
to Anthony Sharobaiko for sending a patch

2011-03-10 06:55:03 +00:00
address PTY does not take any parameters but did not report an error
when some were given

2011-10-08 09:10:58 +00:00
Marcus Meissner provided a patch that fixes invalid output and possible
process crash when socat prints info about an unnamed unix domain
socket

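Both the unnamed unix domain socket entry above and Red Hat issue 1021972 in V 1.7.2.4 (missing NUL termination for the AF_UNIX case) concern turning a struct sockaddr_un into a printable string. The following added example (not socat's sockaddr_info(); the function name and the '@' prefix for abstract names are assumptions) shows a conversion driven by the address length the kernel reports, so it never reads past the address and always terminates its output.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/*
 * Render the name of an AF_UNIX address into out[outlen]; out is always
 * NUL-terminated. salen is the length reported by accept(), getsockname()
 * or recvfrom(). Returns the number of characters stored, or -1 on bad
 * arguments.
 */
int unix_addr_to_string(const struct sockaddr_un *sa, socklen_t salen,
                        char *out, size_t outlen)
{
    const size_t hdr = offsetof(struct sockaddr_un, sun_path);
    size_t pathlen, i, n = 0;

    if (sa == NULL || out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    if (salen <= hdr) return 0;     /* unnamed socket: no path bytes at all */

    pathlen = salen - hdr;
    if (pathlen > sizeof(sa->sun_path)) pathlen = sizeof(sa->sun_path);

    if (sa->sun_path[0] == '\0') {
        /* Linux abstract namespace: arbitrary bytes follow the leading NUL */
        if (n < outlen - 1) out[n++] = '@';
        for (i = 1; i < pathlen && n < outlen - 1; ++i) {
            unsigned char c = (unsigned char)sa->sun_path[i];
            out[n++] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
        }
    } else {
        /* File system path: sun_path may be completely filled, so stop at
         * pathlen even when no NUL byte was found. */
        for (i = 0; i < pathlen && sa->sun_path[i] != '\0' && n < outlen - 1; ++i)
            out[n++] = sa->sun_path[i];
    }
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    struct sockaddr_un sa;
    char buf[256];
    const socklen_t hdr = (socklen_t)offsetof(struct sockaddr_un, sun_path);

    /* constructed sample 1: path fills sun_path, no terminating NUL */
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    memset(sa.sun_path, 'A', sizeof sa.sun_path);
    printf("full:     %d chars\n",
           unix_addr_to_string(&sa, sizeof sa, buf, sizeof buf));

    /* constructed sample 2: unnamed socket, address is the family only */
    printf("unnamed:  %d chars \"%s\"\n",
           unix_addr_to_string(&sa, hdr, buf, sizeof buf), buf);

    /* constructed sample 3: abstract name "sock" */
    memset(sa.sun_path, 0, sizeof sa.sun_path);
    memcpy(sa.sun_path + 1, "sock", 4);
    unix_addr_to_string(&sa, hdr + 5, buf, sizeof buf);
    printf("abstract: \"%s\"\n", buf);
    return 0;
}
```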
2011-10-09 07:18:31 +00:00
Michal Soltys reported the following problem and provided an initial
patch: when socat was interrupted, e.g. by SIGSTOP, and resumed during
data transfer only parts of the data might have been written.

Option o-nonblock in combination with large transfer block sizes
may result in partial writes and/or EAGAIN errors that were not handled
properly but resulted in data loss or process termination.

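The failure mode in the entry above, as an added example (not socat's transfer code; all names and the 4 MiB block size are assumptions): a single write() on a non-blocking socket accepts only part of a large block, while a loop that handles short counts, EINTR and EAGAIN delivers all of it.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define TOTAL (4u << 20)            /* 4 MiB, larger than a socket buffer */
static char block[TOTAL];           /* constructed payload (all zero)     */

/* Write all len bytes to a possibly non-blocking descriptor. */
ssize_t write_all(int fd, const void *buf, size_t len) {
    const char *p = buf;
    size_t left = len;
    while (left > 0) {
        ssize_t n = write(fd, p, left);
        if (n > 0) { p += n; left -= (size_t)n; continue; }  /* short write */
        if (n < 0 && errno == EINTR) continue;               /* interrupted */
        if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) {
            struct pollfd pfd = { .fd = fd, .events = POLLOUT };
            if (poll(&pfd, 1, -1) < 0 && errno != EINTR) return -1;
            continue;                                        /* room again  */
        }
        return -1;                                           /* real error  */
    }
    return (ssize_t)len;
}

/* Socket pair whose sending end fds[0] is non-blocking; 0 on success. */
static int nonblocking_pair(int fds[2]) {
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) != 0) return -1;
    return fcntl(fds[0], F_SETFL, fcntl(fds[0], F_GETFL) | O_NONBLOCK) < 0 ? -1 : 0;
}

/* The bug pattern: one write() call whose short count is not followed up. */
long naive_bytes_sent(void) {
    int fds[2];
    if (nonblocking_pair(fds) != 0) return -1;
    ssize_t n = write(fds[0], block, TOTAL);   /* nobody is reading yet */
    close(fds[0]);
    close(fds[1]);
    return (long)n;
}

/* Same transfer through write_all(); a child process counts what arrives. */
long careful_bytes_received(void) {
    int fds[2], result[2];
    long got = 0;
    if (nonblocking_pair(fds) != 0 || pipe(result) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                            /* reader side */
        char tmp[65536];
        ssize_t n;
        close(fds[0]);
        close(result[0]);
        while ((n = read(fds[1], tmp, sizeof tmp)) > 0) got += n;
        if (write(result[1], &got, sizeof got) != (ssize_t)sizeof got) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    close(result[1]);
    ssize_t sent = write_all(fds[0], block, TOTAL);
    close(fds[0]);                             /* EOF for the reader */
    if (read(result[0], &got, sizeof got) != (ssize_t)sizeof got) got = -1;
    close(result[0]);
    waitpid(pid, NULL, 0);
    return sent < 0 ? -1 : got;
}

int main(void) {
    printf("single write(): %ld of %u bytes accepted\n", naive_bytes_sent(), TOTAL);
    printf("write_all():    %ld of %u bytes received\n", careful_bytes_received(), TOTAL);
    return 0;
}
```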
2011-11-10 08:09:04 +00:00
Fixed a bug that could freeze socat when during assembly of a log
message a signal was handled that also printed a log message. socat
development had been aware that localtime() is not thread safe but had
only expected broken messages, not corrupted stack (glibc 2.11.1,
Ubuntu 10.4)

2011-11-18 17:07:39 +00:00
an internal store for child pids was susceptible to pid reuse which
could lead to sporadic data loss when both fork option and exec address
were used. Thanks to Tetsuya Sodo for reporting this problem and
sending a patch

2011-11-22 09:42:38 +00:00
OpenSSL server failed with "no shared cipher" when using cipher aNULL.
Fixed by providing temporary DH parameters. Thanks to Philip Rowlands
for drawing my attention to this issue.

2011-11-26 13:09:02 +00:00
UDP-LISTEN slept 1s after accepting a connection. This is not required.
Thanks to Peter Valdemar Morch for reporting this issue
2011-11-27 09:49:28 +00:00

fixed a bug that could lead to error or socat crash after a client
connection with option retry had been established
2011-11-27 10:03:56 +00:00

fixed configure.in bug on net/if.h check that caused IF_NAMESIZE to be
undefined
2011-11-27 10:37:32 +00:00

improved dev_t print format definition
2011-11-26 13:09:02 +00:00

2011-11-22 09:58:15 +00:00
porting:
Cedril Priscal ported socat to Android (using Google's cross compiler).
The port includes the socat_buildscript_for_android.sh script

2011-11-22 10:24:35 +00:00
added check for component ipi_spec_dst in struct in_pktinfo so
compilation does not fail on Cygwin (thanks to Peter Wagemans for
reporting this problem)

2011-11-22 11:48:22 +00:00
build failed on RHEL6 due to presence of fips.h; configure now checks
for fipsld too. Thanks to Andreas Gruenbacher for reporting this
problem

2011-11-22 12:11:51 +00:00
check for netinet6/in6.h only when IPv6 is available and enabled

don't fail to compile when the following defines are missing:
IPV6_PKTINFO IPV6_RTHDR IPV6_DSTOPTS IPV6_HOPOPTS IPV6_HOPLIMIT
Thanks to Jerry Jacobs for reporting this problem (Mac OS X Lion 10.7)

2011-11-22 12:20:02 +00:00
check if define __APPLE_USE_RFC_2292 helps to enable IPV6_* (MacOSX
Lion 7.1); thanks to Jerry Jacobs for reporting this problem and
proposing a solution

2011-11-22 12:37:23 +00:00
fixed compiler warnings on Mac OS X 64bit. Thanks to Guy Harris for
providing the patch.

2011-11-22 12:47:58 +00:00
corrections for OpenEmbedded, especially termios SHIFT values and
ISPEED/OSPEED. Thanks to John Faith for providing the patch

2011-11-22 12:57:46 +00:00
minor corrections to docu and test.sh resulting from local compilation
on Openmoko SHR

2011-11-26 13:56:19 +00:00
fixed sa_family_t compile error on DragonFly. Thanks to Tony Young for
reporting this issue and sending a patch.

2011-12-04 14:14:34 +00:00
Ubuntu Oneiric: OpenSSL no longer provides SSLv2 functions; libutil.sh
is now bsd/libutil.h; compiler warns on vars that are only written to

2011-11-26 13:24:09 +00:00
new features:
added option max-children that limits the number of concurrent child
processes. Thanks to Sam Liddicott for providing the patch.

2011-11-26 13:25:27 +00:00
Till Maas added support for tun/tap addresses without IP address

2011-11-26 13:27:02 +00:00
added an option openssl-compress that allows to disable the compression
feature of newer OpenSSL versions. Thanks to Michael Hanselmann for
providing this contribution (sponsored by Google Inc.)

2011-11-26 13:49:51 +00:00
docu:
minor corrections in docu (thanks to Paggas)

client process -> child process

2010-10-03 09:37:29 +00:00
####################### V 1.7.1.3:

2010-10-03 09:36:50 +00:00
security:
2016-01-29 10:29:11 +00:00
Socat security advisory 2
2015-01-18 16:44:12 +00:00
CVE-2010-2799:
2010-10-03 09:36:50 +00:00
fixed a stack overflow vulnerability that occurred when command
line arguments (whole addresses, host names, file names) were longer
than 512 bytes.
Note that this could only be exploited when an attacker was able to
inject data into socat's command line.
Full credits to Felix Gröbert, Google Security Team, for finding and
reporting this issue

2010-01-10 14:20:37 +00:00
####################### V 1.7.1.2:

2010-01-09 12:35:24 +00:00
corrections:
2010-01-09 14:51:28 +00:00
user-late and group-late, when applied to a pty, affected the system
device /dev/ptmx instead of the pty (thanks to Matthew Cloke for
pointing me to this bug)

2010-01-09 12:35:24 +00:00
socat's openssl addresses failed with "nonblocking operation did not
complete" when the peer performed a renegotiation. Thanks to Benjamin
Delpy for reporting this bug.

2009-12-31 09:16:15 +00:00
info message during socks connect showed bad port number on little
endian systems due to wrong byte order (thanks to Peter M. Galbavy for
bug report and patch)

2009-12-30 20:12:31 +00:00
Debian bug 531078: socat execs children with SIGCHLD ignored; corrected
to default. Thanks to Martin Dorey for reporting this bug.

2010-01-08 06:26:33 +00:00
porting:
building socat on systems that predefined the CFLAGS environment to
contain -Wall failed (esp. RedHat). Thanks to Paul Wouters for reporting
this problem and to Simon Matter for providing the patch

2010-01-09 12:29:28 +00:00
support for Solaris 8 and Sun Studio support (thanks to Sebastian
Kayser for providing the patches)
2010-01-09 14:43:10 +00:00

2010-01-09 12:32:23 +00:00
on some 64bit systems a compiler warning "cast from pointer to integer
of different size" was issued on some option definitions
2010-01-09 14:43:10 +00:00

2010-01-04 11:59:56 +00:00
added struct sockaddr_ll to union sockaddr_union to avoid "strict
aliasing" warnings (problem reported by Paul Wouters)

2010-01-09 15:08:24 +00:00
docu:
2010-01-03 22:00:44 +00:00
minor corrections in docu

2009-05-08 14:02:00 +00:00
####################### V 1.7.1.1:

2009-05-06 04:28:33 +00:00
corrections:
2009-05-05 20:34:05 +00:00
corrected the "fixed possible SIGSEGV" fix because SIGSEGV still might
occur under those conditions. Thanks to Toni Mattila for first
reporting this problem.

2009-05-05 20:42:50 +00:00
ftruncate64 cut its argument to 32 bits on systems with 32 bit long type

2009-05-06 04:28:33 +00:00
socat crashed on systems without setenv() (esp. SunOS up to Solaris 9);
thanks to Todd Stansell for reporting this bug

2009-05-06 06:28:53 +00:00
with unidirectional EXEC and SYSTEM a close() operation was performed
on a random number which could result in hanging e.a.

fixed a compile problem caused by size_t/socklen_t mismatch on 64bit
systems

2009-05-08 14:02:00 +00:00
docu mentioned option so-bindtodev but correct name is so-bindtodevice.
2009-05-06 06:34:02 +00:00
Thanks to Jim Zimmerman for reporting.

2009-05-08 14:02:00 +00:00
docu changes:
added environment variables example to doc/socat-multicast.html
2009-05-06 06:34:02 +00:00

2009-04-02 19:30:50 +00:00
####################### V 1.7.1.0:

2009-04-02 06:52:11 +00:00
new features:
2009-04-02 15:02:29 +00:00
address options shut-none, shut-down, and shut-close allow to control
socat's half close behaviour

with address option shut-null socat sends an empty packet to the peer
to indicate EOF

option null-eof changes the behaviour of sockets that receive an empty
packet to see EOF instead of ignoring it
2009-04-02 06:52:11 +00:00

2009-04-02 07:28:58 +00:00
introduced option names substuser-early and su-e, currently equivalent
to option substuser (thanks to Mike Perry for providing the patch)

2009-04-02 08:29:06 +00:00
corrections:
2009-04-02 15:13:45 +00:00
fixed some typos and improved some comments
2009-04-02 08:29:06 +00:00

2009-04-01 14:50:51 +00:00
####################### V 1.7.0.1:

2008-10-28 16:48:57 +00:00
corrections:
2009-03-31 21:16:47 +00:00
fixed possible SIGSEGV in listening addresses when a new connection was
reset by peer before the socket addresses could be retrieved. Thanks to
Mike Perry for sending a patch.

2009-03-31 19:58:30 +00:00
fixed a bug, introduced with version 1.7.0.0, that let client
connections with option connect-timeout fail when the connections
succeeded. Thanks to Bruno De Fraine for reporting this bug.

2009-03-12 05:31:42 +00:00
option end-close "did not apply" to addresses PTY, SOCKET-CONNECT,
and most UNIX-* and ABSTRACT-*

2009-03-31 20:46:41 +00:00
half close of EXEC and SYSTEM addresses did not work for pipes and
sometimes socketpair

2009-04-01 14:50:51 +00:00
help displayed a wrong type for some options
2008-10-28 16:48:57 +00:00

2008-10-28 20:07:47 +00:00
under some circumstances shutdown was called multiple times for the
same fd

2008-10-15 20:54:47 +00:00
####################### V 1.7.0.0:

2008-09-20 21:01:10 +00:00
new features:
2008-09-22 21:21:26 +00:00
new address types SCTP-CONNECT and SCTP-LISTEN implement SCTP stream
mode for IPv4 and IPv6; new address options sctp-maxseg and
2008-10-15 20:54:47 +00:00
sctp-nodelay (suggested by David A. Madore; thanks to Jonathan Brannan
2008-09-22 22:09:19 +00:00
for providing an initial patch)

2008-10-15 20:54:47 +00:00
new address "INTERFACE" for transparent network interface handling
2008-09-20 21:37:56 +00:00
(suggested by Stuart Nicholson)
2008-09-22 21:21:26 +00:00

2008-08-17 21:28:11 +00:00
added generic socket addresses: SOCKET-CONNECT, SOCKET-LISTEN,
SOCKET-SENDTO, SOCKET-RECVFROM, SOCKET-RECV, SOCKET-DATAGRAM allow
protocol independent socket handling; all parameters are explicitly
specified as numbers or hex data

2008-05-03 19:44:48 +00:00
added address options ioctl-void, ioctl-int, ioctl-intp, ioctl-string,
ioctl-bin for generic ioctl() calls.

added address options setsockopt-int, setsockopt-bin, and
2008-10-15 20:54:47 +00:00
setsockopt-string for generic setsockopt() calls
2008-05-02 16:44:54 +00:00

2008-10-15 20:54:47 +00:00
option so-type now only affects the socket() and socketpair() calls,
not the name resolution. so-type and so-prototype can now be applied to
all socket based addresses.
2008-09-22 20:52:03 +00:00

2008-09-20 21:01:10 +00:00
new address option "escape" allows to break a socat instance even when
2008-10-15 20:54:47 +00:00
raw terminal mode prevents ^C etc. (feature suggested by Guido Trotter)
2008-09-20 21:01:10 +00:00

2008-09-22 20:17:55 +00:00
socat sets environment variables SOCAT_VERSION, SOCAT_PID, SOCAT_PPID
for use in executed scripts

socat sets environment variables SOCAT_SOCKADDR, SOCAT_SOCKPORT,
SOCAT_PEERADDR, SOCAT_PEERPORT in LISTEN type addresses (feature
suggested by Ed Sawicki)

socat receives all ancillary messages with each received packet on
datagram related addresses. The messages are logged in raw form with
debug level, and broken down with info level. note: each type of
ancillary message must be enabled by appropriate address options.

socat provides the contents of ancillary messages received on RECVFROM
addresses in appropriate environment variables:
2008-10-15 20:54:47 +00:00
SOCAT_TIMESTAMP, SOCAT_IP_DSTADDR, SOCAT_IP_IF, SOCAT_IP_LOCADDR,
SOCAT_IP_OPTIONS, SOCAT_IP_TOS, SOCAT_IP_TTL, SOCAT_IPV6_DSTADDR,
SOCAT_IPV6_HOPLIMIT, SOCAT_IPV6_TCLASS
2008-09-22 20:17:55 +00:00

the following address options were added to enable ancillary messages:
2008-10-15 20:54:47 +00:00
so-timestamp, ip-pktinfo (not BSD), ip-recvdstaddr (BSD), ip-recverr,
ip-recvif (BSD), ip-recvopts, ip-recvtos, ip-recvttl, ipv6-recvdstopts,
ipv6-recverr, ipv6-recvhoplimit, ipv6-recvhopopts, ipv6-recvpathmtu,
2008-09-22 20:17:55 +00:00
ipv6-recvpktinfo, ipv6-recvrthdr, ipv6-recvtclass

new address options ipv6-tclass and ipv6-unicast-hops set the related
socket options.

2008-09-26 14:58:08 +00:00
STREAMS (UNIX System V STREAMS) can be configured with the new address
2008-10-15 20:54:47 +00:00
options i-pop-all and i-push (thanks to Michal Rysavy for providing a
patch)
2008-09-26 14:58:08 +00:00

2008-05-22 08:02:04 +00:00
corrections:
2008-09-14 16:33:28 +00:00
some raw IP and UNIX datagram modes failed on BSD systems

2008-09-04 21:30:59 +00:00
when UDP-LISTEN continued to listen after packet dropped by, e.g.,
range option, the old listen socket would not be closed but a new one
created. open sockets could accumulate.

2008-05-22 08:02:04 +00:00
there was a bug in ip*-recv with bind option: it did not bind, and
with the first received packet an error occurred:
socket_init(): unknown address family 0
2008-09-22 20:17:55 +00:00
test: RAWIP4RECVBIND
2008-05-22 08:02:04 +00:00

2008-05-22 11:54:10 +00:00
RECVFROM addresses with FORK option hung after processing the first
2008-09-22 20:17:55 +00:00
packet. test: UDP4RECVFROM_FORK
2008-05-22 11:54:10 +00:00

2008-05-22 18:09:48 +00:00
corrected a few mistakes that caused compiler warnings on 64bit hosts
2008-10-15 20:54:47 +00:00
(thanks to Jonathan Brannan e.a. for providing a patch)
2008-05-22 18:09:48 +00:00

2008-06-07 08:14:56 +00:00
EXEC and SYSTEM with stderr injected socat messages into the data
stream. test: EXECSTDERRLOG

2008-07-17 19:49:52 +00:00
when the EXEC address got a string with consecutive spaces it created
additional empty arguments (thanks to Olivier Hervieu for reporting
2008-09-22 20:17:55 +00:00
this bug). test: EXECSPACES
2008-07-17 19:49:52 +00:00

2008-09-19 07:03:59 +00:00
in ignoreeof polling mode socat also blocked data transfer in the other
direction during the 1s wait intervals (thanks to Jorgen Cederlof for
reporting this bug)

2008-07-24 05:32:56 +00:00
corrected alphabetical order of options (proxy-auth)

some minor corrections

2008-09-14 16:33:28 +00:00
improved test.sh script: more stable timing, corrections for BSD
2008-07-23 18:56:48 +00:00

2008-07-24 19:51:38 +00:00
replaced the select() calls by poll() to cleanly fix the problems with
many file descriptors already open

2008-10-15 20:54:47 +00:00
socat option -lf did not log to file but to stderr

2008-09-24 06:31:00 +00:00
socat did not compile on Solaris when configured without termios
feature (thanks to Pavan Gadi for reporting this bug)

2008-09-21 16:08:26 +00:00
porting:
2008-10-15 20:54:47 +00:00
socat compiles and runs on AIX with gcc (thanks to Andi Mather for his
help)

socat compiles and runs on Cygwin (thanks to Jan Just Keijser for his
help)

socat compiles and runs on HP-UX with gcc (thanks to Michal Rysavy for
his help)
2008-10-12 16:56:01 +00:00

2008-10-15 20:54:47 +00:00
socat compiles and runs on MacOS X (thanks to Camillo Lugaresi for his
help)
2008-09-21 16:08:26 +00:00

2008-02-11 20:54:01 +00:00
further changes:
filan -s prefixes output with FD number if more than one FD

2008-09-22 20:04:12 +00:00
Makefile now supports datarootdir (thanks to Camillo Lugaresi for
providing the patch)

2008-08-24 09:04:08 +00:00
cleanup in xio-unix.c

2008-02-09 21:57:30 +00:00
####################### V 1.6.0.1:

2008-01-28 19:33:15 +00:00
new features:
2008-01-28 21:04:20 +00:00
new make target "gitclean"

2008-01-28 19:33:15 +00:00
docu source doc/socat.yo released

2008-01-28 21:53:18 +00:00
corrections:
2008-01-29 21:29:28 +00:00
exec:...,pty did not kill child process under some circumstances; fixed
2008-01-29 22:08:52 +00:00
by correcting typo in xio-progcall.c (thanks to Ralph Forsythe for
reporting this problem)

service name resolution failed due to byte order mistake
(thanks to James Sainsbury for reporting this problem)
2008-01-29 21:29:28 +00:00

2008-02-01 21:26:01 +00:00
socat would hang when invoked with many file descriptors already opened
fix: replaced FOPEN_MAX with FD_SETSIZE
thanks to Daniel Lucq for reporting this problem.

2008-02-01 22:15:14 +00:00
fixed bugs where sub processes would become zombies because the master
process did not catch SIGCHLD. this affected addresses UDP-LISTEN,
UDP-CONNECT, TCP-CONNECT, OPENSSL, PROXY, UNIX-CONNECT, UNIX-CLIENT,
ABSTRACT-CONNECT, ABSTRACT-CLIENT, SOCKSA, SOCKS4A
(thanks to Fernanda G Weiden for reporting this problem)

2008-02-01 22:38:16 +00:00
fixed a bug where sub processes would become zombies because the master
process caught SIGCHLD but did not wait(). this affected addresses
UDP-RECVFROM, IP-RECVFROM, UNIX-RECVFROM, ABSTRACT-RECVFROM
(thanks to Evan Borgstrom for reporting this problem)

2008-02-03 09:26:21 +00:00
corrected option handling with STDIO; usecase: cool-write

2008-02-06 05:41:05 +00:00
configure --disable-pty also disabled option waitlock

2008-02-03 19:56:52 +00:00
fixed small bugs on systems with struct ip_mreq without struct ip_mreqn
(thanks to Roland Illig for sending a patch)

2008-02-03 11:14:36 +00:00
corrected name of option intervall to interval (old form still valid
for us German speaking guys)

2008-01-29 21:11:28 +00:00
corrected some print statements and variable names

2008-01-28 21:53:18 +00:00
make uninstall did not uninstall procan

2008-01-28 21:57:36 +00:00
fixed lots of weaknesses in test.sh

2008-01-29 06:59:12 +00:00
corrected some bugs and typos in doc/socat.yo, EXAMPLES, C comments
2008-01-29 04:20:54 +00:00

2008-01-29 20:35:15 +00:00
further changes:
2008-01-31 20:41:13 +00:00
procan -c prints C defines important for socat

2008-01-29 20:35:15 +00:00
added test OPENSSLEOF for OpenSSL half close

2008-01-27 12:00:08 +00:00
|
|
|
|
####################### V 1.6.0.0:

new features:
new addresses IP-DATAGRAM and UDP-DATAGRAM allow versatile broadcast
and multicast modes

new option ip-add-membership for control of multicast group membership

new address TUN for generation of Linux TUN/TAP pseudo network
interfaces (suggested by Mat Caughron); associated options tun-device,
tun-name, tun-type; iff-up, iff-promisc, iff-noarp, iff-no-pi etc.

new addresses ABSTRACT-CONNECT, ABSTRACT-LISTEN, ABSTRACT-SENDTO,
ABSTRACT-RECV, and ABSTRACT-RECVFROM for abstract UNIX domain addresses
on Linux (requested by Zeeshan Ali); option unix-tightsocklen controls
socklen parameter on system calls.

option end-close for control of connection closing allows FD sharing
by sub processes

range option supports form address:mask with IPv4

changed behaviour of OPENSSL-LISTEN to require and verify client
certificate per default

options f-setlkw-rd, f-setlkw-wr, f-setlk-rd, f-setlk-wr allow finer
grained locking on regular files

uninstall target in Makefile (lack reported by Zeeshan Ali)

corrections:
fixed bug where only first tcpwrap option was applied; fixed bug where
tcpwrap IPv6 check always failed (thanks to Rudolf Cejka for reporting
and fixing this bug)

filan (and socat -D) could hang when a socket was involved

corrected PTYs on HP-UX (and maybe others) using STREAMS (inspired by
Roberto Mackun)

correct bind with udp6-listen (thanks to Jan Horak for reporting this
bug)

corrected filan.c peekbuff[0] which did not compile with Sun Studio Pro
(thanks to Leo Zhadanovsky for reporting this problem)

corrected problem with read data buffered in OpenSSL layer (thanks to
Jon Nelson for reporting this bug)

corrected problem with option readbytes when input stream stayed idle
after so many bytes

fixed a bug where a datagram receiver with option fork could fork two
sub processes per packet

further changes:
moved documentation to new doc/ subdir

new documents (kind of mini tutorials) are provided in doc/

####################### V 1.5.0.0:

new features:
new datagram modes for udp, rawip, unix domain sockets

socat option -T specifies inactivity timeout

rewrote lexical analysis to allow nested socat calls

addresses tcp, udp, tcp-l, udp-l, and rawip now support IPv4 and IPv6

socat options -4, -6 and environment variables SOCAT_DEFAULT_LISTEN_IP,
SOCAT_PREFERRED_RESOLVE_IP for control of protocol selection

addresses ssl, ssl-l, socks, proxy now support IPv4 and IPv6

option protocol-family (pf), esp. for openssl-listen

range option supports IPv6 - syntax: range=[::1/128]

option ipv6-v6only (ipv6only)

new tcp-wrappers options allow-table, deny-table, tcpwrap-etc

FIPS version of OpenSSL can be integrated - initial patch provided by
David Acker. See README.FIPS

support for resolver options res-debug, aaonly, usevc, primary, igntc,
recurse, defnames, stayopen, dnsrch

options for file attributes on advanced filesystems (ext2, ext3,
reiser): secrm, unrm, compr, ext2-sync, immutable, ext2-append, nodump,
ext2-noatime, journal-data etc.

option cool-write controls severeness of write failure (EPIPE,
ECONNRESET)

option o-noatime

socat option -lh for hostname in log output

traffic dumping provides packet headers

configure.in became part of distribution

socat's unpack directory now has full version, e.g. socat-1.5.0.0/

corrected docu of option verify

corrections:
fixed tcpwrappers integration - initial fix provided by Rudolf Cejka

exec with pipes,stderr produced error

setuid-early was ignored with many address types

some minor corrections

####################### V 1.4.3.1:

corrections:
PROBLEM: UNIX socket listen accepted only one (or a few) connections.
FIX: do not remove listening UNIX socket in child process

PROBLEM: SIGSEGV when TCP part of SSL connect failed
FIX: check ssl pointer before calling SSL_shutdown

In debug mode, show connect client port even when connect fails

####################### V 1.4.3.0:

new features:
socat options -L, -W for application level locking

options "lockfile", "waitlock" for address level locking
(Stefan Luethje)

option "readbytes" limits read length (Adam Osuchowski)

option "retry" for unix-connect, unix-listen, tcp6-listen (Dale Dude)

pty symlink, unix listen socket, and named pipe are per default removed
after use; option unlink-close overrides this new behaviour and also
controls removal of other socat generated files (Stefan Luethje)

corrections:
option "retry" did not work with tcp-listen

EPIPE condition could result in a 100% CPU loop

further changes:
support systems without SHUT_RD etc.
handle more size_t types
try to find makedepend options with gcc 3 (richard/OpenMacNews)

####################### V 1.4.2.0:

new features:
option "connect-timeout" limits wait time for connect operations
(requested by Giulio Orsero)

option "dhparam" for explicit Diffie-Hellman parameter file

corrections:
support for OpenSSL DSA certificates (Miika Komu)

create install directories before copying files (Miika Komu)

when exiting on signal, return status 128+signum instead of 1

on EPIPE and ECONNRESET, only issue a warning (Santiago Garcia
Mantinan)

-lu could cause a core dump on long messages

further changes:
modifications to simplify using socat's features in applications

####################### V 1.4.1.0:

new features:
option "wait-slave" blocks open of pty master side until a client
connects, "pty-intervall" controls polling

option -h as synonym to -? for help (contributed by Christian
Lademann)

filan prints formatted time stamps and rdev (disable with -r)

redirect filan's output, so stdout is not affected (contributed by
Luigi Iotti)

filan option -L to follow symbolic links

filan shows termios control characters

corrections:
proxy address no longer performs unsolicited retries

filan -f no longer needs read permission to analyze a file (but still
needs access permission to directory, of course)

porting:
Option dsusp
FreeBSD options noopt, nopush, md5sig
OpenBSD options sack-disable, signature-enable
HP-UX, Solaris options abort-threshold, conn-abort-threshold
HP-UX options b900, b3600, b7200
Tru64/OSF1 options keepinit, paws, sackena, tsoptena

further corrections:
address pty now uses ptmx as default if openpty is also available

####################### V 1.4.0.3:

security:
Socat security advisory 1
CVE-2004-1484:
fix to a syslog() based format string vulnerability that can lead to
remote code execution. See advisory socat-adv-1.txt

####################### V 1.4.0.2:

corrections:
exec'd write-only addresses get a chance to flush before being killed

error handler: print notice on error-exit

filan printed wrong file type information

####################### V 1.4.0.1:

corrections:
socks4a constructed invalid header. Problem found, reported, and fixed
by Thomas Themel, by Peter Palfrader, and by rik

with nofork, don't forget to apply some process related options
(chroot, setsid, setpgid, ...)

####################### V 1.4.0.0:

new features:
simple openssl server (ssl-l), experimental openssl trust

new options "cafile", "capath", "key", "cert", "egd", and "pseudo" for
openssl

new options "retry", "forever", and "intervall"

option "fork" for address TCP improves `gender changer´

options "sigint", "sigquit", and "sighup" control passing of signals to
sub process (thanks to David Shea who contributed to this issue)

readline takes respect to the prompt issued by the peer address

options "prompt" and "noprompt" allow to override readline's new
default behaviour

readline supports invisible password with option "noecho"

socat option -lp allows to set hostname in log output

socat option -lu turns on microsecond resolution in log output

corrections:
before reading available data, check if writing on other channel is
possible

tcp6, udp6: support hostname specification (not only IP address), and
map IP4 names to IP6 addresses

openssl client checks server certificate per default

support unidirectional communication with exec/system subprocess

try to restore original terminal settings when terminating

test.sh uses tmp dir /tmp/$USER/$$ instead of /tmp/$$

socks4 failed on platforms where long does not have 32 bits
(thanks to Peter Palfrader and Thomas Seyrat)

hstrerror substitute wrote wrong messages (HP-UX, Solaris)

proxy error message was truncated when answer contained multiple spaces

porting:
compiles with AIX xlc, HP-UX cc, Tru64 cc (but might not link)

####################### V 1.3.2.2:

corrections:
PROXY CONNECT failed when the status reply from the proxy server
contained more than one consecutive space. Problem reported by
Alexandre Bezroutchko

do not SIGSEGV when proxy address fails to resolve server name

udp-listen failed on systems where AF_INET != SOCK_DGRAM (e.g. SunOS).
Problem reported by Christoph Schittel

test.sh only tests available features

added missing IP and TCP options in filan analyzer

do not apply stdio address options to both directions when in
unidirectional mode

on systems lacking /dev/*random and egd, provide (weak) entropy from
libc random()

porting:
changes for HP-UX (VREPRINT, h_NETDB_INTERNAL)

compiles on Tru64, FreeBSD (again), NetBSD, OpenBSD

support for long long as st_ino type (Cygwin 1.5)

compile on systems where pty can not be featured

####################### V 1.3.2.1:

corrections:
"final" solution for the ENOCHLD problem

corrected "make strip"

default gcc debug/opt is "-O" again

check for /proc at runtime, even if configure found it

src.rpm accidentally supported SuSE instead of RedHat

####################### V 1.3.2.0:

new features:
option "nofork" connects an exec'd script or program directly
to the file descriptors of the other address, circumventing the socat
transfer engine

support for files >2GB, using ftruncate64(), lseek64(), stat64()

filan has new "simple" output style (filan -s)

porting:
options "binary" and "text" for controlling line termination on Cygwin
file system access (hint from Yang Wu-Zhou)

fix by Yang Wu-Zhou for the Cygwin "No Children" problem

improved support for OSR: _SVID3; no IS_SOCK, no F_GETOWN (thanks to
John DuBois)

minor corrections to avoid warnings with gcc 3

further corrections and minor improvements:
configure script is generated with autoconf 2.57 (no longer 2.52)

configure passes CFLAGS to Makefile

option -??? for complete list of address options and their short forms

program name in syslog messages is derived from argv[0]

SIGHUP now prints notice instead of error

EIO during read of pty now gives Notice instead of Error, and
triggers EOF

use of hstrerror() for printing resolver error messages

setgrent() got required endgrent()

####################### V 1.3.1.0:

new features:
integration of Wietse Venema's tcpwrapper library (libwrap)

with "proxy" address, option "resolve" controls if hostname or IP
address is sent in request

option "lowport" establishes limited authorization for TCP and UDP
connections

improvement of .spec file for RPM creation (thanks to Gerd v. Egidy)
An accompanying change in the numbering scheme results in an
incompatibility with earlier socat RPMs!

solved problems and bugs:
PROBLEM: socat daemon terminated when the address of a connecting
client did not match range option value instead of continuing to listen
SOLVED: in this case, print warning instead of error to keep daemon
active

PROBLEM: tcp-listen with fork sometimes left excessive number of zombie
processes
SOLVED: don't assume that each exiting child process generates SIGCHLD

when converting CRNL to CR, socat converted to NL

further corrections:
configure script now disables features that depend on missing files
making it more robust in "unsupported" environments

server.pem permissions corrected to 600

"make install" now does not strip; use "make strip; make install"
if you like strip (suggested by Peter Bray)

####################### V 1.3.0.1:

solved problems and bugs:
PROBLEM: OPENSSL did not apply tcp, ip, and socket options
SOLVED: OPENSSL now correctly handles the options list

PROBLEM: CRNL to NL and CRNL to CR conversions failed when CRNL crossed
block boundary
SOLVED: these conversions now simply strip all CR's or NL's from input
stream

porting:
SunOS ptys now work on x86, too (thanks to Peter Bray)

configure looks for freeware libs in /pkgs/lib/ (thanks to Peter Bray)

further corrections:
added WITH_PROXY value to -V output

added compile dependencies of WITH_PTY and WITH_PROXY

-?? did not print option group of proxy options

corrected syntax for bind option in docu

corrected an issue with stdio in unidirectional mode

options socksport and proxyport support service names

ftp.sh script supports proxy address

man page no longer installed with execute permissions (thanks to Peter
Bray)

fixed a malloc call bug that could cause SIGSEGV or false "out of
memory" errors on EXEC and SYSTEM, depending on program name length and
libc.

####################### V 1.3.0.0:

new features:
proxy connect with optional proxy authentication

combined hex and text dump mode, credits to Gregory Margo

address pty applies options user, group, and perm to device

solved problems and bugs:
PROBLEM: option reuseport was not applied (BSD, AIX)
SOLVED: option reuseport now in phase PASTSOCKET instead of PREBIND,
credits to Jean-Baptiste Marchand

PROBLEM: ignoreeof with stdio was ignored
SOLVED: ignoreeof now works correctly with address stdio

PROBLEM: ftp.sh did not use user supplied password
SOLVED: ftp.sh now correctly passes password from command line

PROBLEM: server.pem had expired
SOLVED: new server.pem valid for ten years

PROBLEM: socks notice printed wrong port on some platforms
SOLVED: socks now uses correct byte-order for port number in notice

further corrections:
option name o_trunc corrected to o-trunc

combined use of -u and -U is now detected and prevented

made message system a little more robust against format string attacks

####################### V 1.2.0.0:

new features:
address pty for putting socat behind a new pseudo terminal that may
fake a serial line, modem etc.

experimental openssl integration
(it does not provide any trust between the peers because it does not
check certificates!)

options flock-ex, flock-ex-nb, flock-sh, flock-sh-nb to control all
locking mechanism provided by flock()

options setsid and setpgid now available with all address types

option ctty (controlling terminal) now available for all TERMIOS
addresses

option truncate (a hybrid of open(.., O_TRUNC) and ftruncate()) is
replaced by options o-trunc and ftruncate=offset

option sourceport now available with TCP and UDP listen addresses to
restrict incoming client connections

unidirectional mode right-to-left (-U)

solved problems and bugs:
PROBLEM: addresses without required parameters but an option containing
a '/' were incorrectly interpreted as implicit GOPEN address
SOLVED: if an address does not have ':' separator but contains '/',
check if the slash is before the first ',' before assuming
implicit GOPEN.

porting:
ptys under SunOS work now due to use of stream options

further corrections:
with -d -d -d -d -D, don't print debug info during file analysis

####################### V 1.1.0.1:

new features:
.spec file for RPM generation

solved problems and bugs:
PROBLEM: GOPEN on socket did not apply option unlink-late
SOLUTION: GOPEN for socket now applies group NAMED, phase PASTOPEN
options

PROBLEM: with unidirectional mode, an unnecessary close timeout was
applied
SOLUTION: in unidirectional mode, terminate without wait time

PROBLEM: using GOPEN on a unix domain socket failed for datagram
sockets
SOLUTION: when connect() fails with EPROTOTYPE, use a datagram socket

further corrections:

open() flag options had names starting with "o_", now corrected to "o-"

in docu, *-listen addresses were called *_listen

address unix now called unix-connect because it does not handle unix
datagram sockets

in test.sh, apply global command line options with all tests

####################### V 1.1.0.0:

new features:
regular man page and html doc - thanks to kromJx for prototype

new address type "readline", utilizing GNU readline and history libs

address option "history-file" for readline

new option "dash" to "exec" address that allows to start login shells

syslog facility can be set per command line option

new address option "tcp-quickack", found in Linux 2.4

option -g prevents option group checking

filan and procan can print usage

procan prints rlimit infos

solved problems and bugs:
PROBLEM: raw IP socket SIGSEGV'ed when it had been shut down.
SOLVED: set eof flag of channel on shutdown.

PROBLEM: if channel 2 uses a single non-socket FD in bidirectional mode
and has data available while channel 1 reaches EOF, the data is
lost.
SOLVED: during one loop run, first handle all data transfers and
_afterwards_ handle EOF.

PROBLEM: despite option NONBLOCK, the connect() call blocked
SOLVED: option NONBLOCK is now applied in phase FD instead of LATE

PROBLEM: UNLINK options issued error when file did not exist,
terminating socat
SOLVED: failure of unlink() is only warning if errno==ENOENT

PROBLEM: TCP6-LISTEN required numeric port specification
SOLVED: now uses common TCP service resolver

PROBLEM: with PIPE, wrong FDs were shown for data transfer loop
SOLVED: retrieval of FDs now pays respect to PIPE peculiarities

PROBLEM: using address EXEC against an address with IGNOREEOF, socat
never terminated
SOLVED: corrected EOF handling of sigchld

porting:
MacOS and old AIX versions now have pty

flock() now available on Linux (configure check was wrong)

named pipes were generated using mknod(), which requires root under BSD
now they are generated using mkfifo

further corrections:
lots of address options that were "forgotten" at runtime are now
available

option BINDTODEVICE now also called SO-BINDTODEVICE, IF

"make install" now installs binaries with ownership 0:0

####################### V 1.0.4.2:

solved problems and bugs:
PROBLEM: EOF of one stream caused close of other stream, giving it no
chance to go down regularly
SOLVED: EOF of one stream now causes shutdown of write part of other
stream

PROBLEM: sending mail via socks address to qmail showed that crlf
option does not work
SOLVED: socks address applies PH_LATE options

PROBLEM: in debug mode, no info about socat and platform was issued
SOLVED: print socat version and uname output in debug mode

PROBLEM: invoking socat with -t and no following parameters caused
SIGSEGV
SOLVED: -t and -b now check next argv entry

PROBLEM: when opening of logfile (-lf) failed, no error was reported
and no further messages were printed
SOLVED: check result of fopen and print error message if it failed

new features:
address type UDP-LISTEN now supports option fork: it internally applies
socket option SO_REUSEADDR so a new UDP socket can bind to port after
`accepting´ a connection (child processes might live forever though)
(suggestion from Damjan Lango)

####################### V 1.0.4.1:

solved problems and bugs:
PROB: assert in libc caused an endless recursion
SOLVED: no longer catch SIGABRT

PROB: socat printed wrong verbose prefix for "right to left" packets
SOLVED: new parameter for xiotransfer() passes correct prefix

new features:
in debug mode, socat prints its command line arguments
in verbose mode, escape special characters and replace unprintables
with '.'. Patch from Adrian Thurston.

####################### V 1.0.4.0:

solved problems and bugs:
Debug output for lstat and fstat said "stat"

further corrections:
FreeBSD now includes libutil.h

new features:
option setsid with exec/pty
option setpgid with exec/pty
option ctty with exec/pty
TCP V6 connect test
gettimeofday in sycls.c (no use yet)

porting:
before Gethostbyname, invoke inet_aton for MacOSX

####################### V 1.0.3.0:

solved problems and bugs:

PROB: test 9 of test.sh (echo via file) failed on some platforms,
socat exited without error message
SOLVED: _xioopen_named_early(): preset statbuf.st_mode with 0

PROB: test 17 hung forever
REASON: child death before select loop did not result in EOF
SOLVED: check of existence of children before starting select loop

PROB: test 17 failed
REASON: child dead triggered EOF before last data was read
SOLVED: after child death, read last data before setting EOF

PROB: filan showed that exec processes incorrectly had fd3 open
REASON: inherited open fd3 from main process
SOLVED: set CLOEXEC flag on pty fd in main process

PROB: help printed "undef" instead of group "FORK"
SOLVED: added "FORK" to group name array

PROB: fatal messages did not include severity classifier
SOLVED: added "F" to severity classifier array

PROB: IP6 addresses were printed incorrectly
SOLVED: removed type casts to unsigned short *

further corrections:
socat catches illegal -l modes
corrected error message on setsockopt(linger)
option tabdly is of type uint
correction for UDP over IP6
more cpp conditionals, esp. for IP6 situations
better handling of group NAMED options with listening UNIX sockets
applyopts2 now includes last given phase
corrected option group handling for most address types
introduce dropping of unappliable options (dropopts, dropopts2)
gopen now accepts socket and unix-socket options
exec and system now accept all socket and termios options
child process for exec and system addresses with option pty
improved descriptions and options for EXAMPLES
printf format for file mode changed to "0%03o" with length spec.
added va_end() in branch of msg()
changed phase of lock options from PASTOPEN to FD
support up to four early dying processes

structural changes:
xiosysincludes now includes sysincludes.h for non xio files

new features:
option umask
CHANGES file
TYPE_DOUBLE, u_double
OFUNC_OFFSET
added getsid(), setsid(), send() to sycls
procan prints sid (session id)
mail.sh gets -f (from) option
new EXAMPLEs for file creation
gatherinfo.sh now tells about failures
test.sh can check for much more address/option combinations

porting:
ispeed, ospeed for termios on FreeBSD
getpgid() conditional for MacOS 10
added ranlib in Makefile.in for MacOS 10
disable pty option if no pty mechanism is available (MacOS 10)
now compiles and runs on MacOS 10 (still some tests fail)
setgroups() conditional for cygwin
sighandler_t defined conditionally
use gcc option -D_GNU_SOURCE