I wanted to test something and noticed that socat was a bit outdated. There are a few security fixes and lots of small other fixes. http://www.dest-unreach.org/socat/doc/CHANGES
The SSL EGD and compression stuff is now properly ifdef'ed so we can get rid of a lot of patching. New patch due to non-portable getprotobynumber_r use. I added a test target, so tests can be run from the ports directory. The test results look about the same between 1.7.3.1 and 1.7.4.1. I haven't investigated deeply. Someone with more IPv6 knowledge may want to take a closer look. Index: Makefile =================================================================== RCS file: /cvs/ports/net/socat/Makefile,v retrieving revision 1.22 diff -u -p -r1.22 Makefile --- Makefile 12 Jul 2019 20:48:49 -0000 1.22 +++ Makefile 13 Mar 2021 18:39:13 -0000 @@ -2,9 +2,8 @@ COMMENT= relay for bidirectional data transfer -DISTNAME= socat-1.7.3.1 +DISTNAME= socat-1.7.4.1 CATEGORIES= net -REVISION= 0 HOMEPAGE= http://www.dest-unreach.org/socat/ @@ -15,9 +14,12 @@ PERMIT_PACKAGE= Yes MASTER_SITES= ${HOMEPAGE}/download/ -WANTLIB= curses c readline crypto util ssl +WANTLIB= c readline crypto util ssl -NO_TEST= Yes +TEST_DEPENDS= shells/bash + +do-test: + cd ${WRKSRC} && ${SETENV} bash test.sh CONFIGURE_STYLE=gnu Index: distinfo =================================================================== RCS file: /cvs/ports/net/socat/distinfo,v retrieving revision 1.14 diff -u -p -r1.14 distinfo --- distinfo 2 Feb 2016 10:40:32 -0000 1.14 +++ distinfo 13 Mar 2021 15:19:05 -0000 @@ -1,2 +1,2 @@ -SHA256 (socat-1.7.3.1.tar.gz) = qMsHsSvNBMmPT/wcaLeVR/XdTiPdzLEylA9tVVZcf3k= -SIZE (socat-1.7.3.1.tar.gz) = 606049 +SHA256 (socat-1.7.4.1.tar.gz) = DH5jUHCvG5A3/ZaGn8RerPmEXLVFR2gd6diFBEU4c20= +SIZE (socat-1.7.4.1.tar.gz) = 648888 Index: patches/patch-doc_socat_1 =================================================================== RCS file: /cvs/ports/net/socat/patches/patch-doc_socat_1,v retrieving revision 1.7 diff -u -p -r1.7 patch-doc_socat_1 --- patches/patch-doc_socat_1 13 Apr 2015 14:43:28 -0000 1.7 +++ patches/patch-doc_socat_1 13 Mar 2021 17:56:35 -0000 
@@ -1,18 +1,8 @@ $OpenBSD: patch-doc_socat_1,v 1.7 2015/04/13 14:43:28 jasper Exp $ ---- doc/socat.1.orig Sat Jan 24 17:30:52 2015 -+++ doc/socat.1 Mon Apr 13 14:58:09 2015 -@@ -2904,10 +2904,6 @@ in this file\&. - Specifies the directory with the trusted (root) certificates\&. The directory - must contain certificates in PEM format and their hashes (see OpenSSL - documentation) --.IP "\fB\f(CWegd=<filename>\fP\fP" --On some systems, openssl requires an explicit source of random data\&. Specify --the socket name where an entropy gathering daemon like egd provides random --data, e\&.g\&. /dev/egd\-pool\&. - .IP "\fB\f(CWpseudo\fP\fP" - On systems where openssl cannot find an entropy source and where no entropy - gathering daemon can be utilized, this option activates a mechanism for -@@ -3397,11 +3393,11 @@ connection, invokes a shell\&. This shell has its stdi +Index: doc/socat.1 +--- doc/socat.1.orig ++++ doc/socat.1 +@@ -3639,11 +3635,11 @@ connection, invokes a shell\&. This shell has its stdi connected to the TCP socket (nofork)\&. The shell starts filan and lets it print the socket addresses to stderr (your terminal window)\&. .IP @@ -26,7 +16,7 @@ $OpenBSD: patch-doc_socat_1,v 1.7 2015/0 to make the squid executable from Cygwin run under Windows, actual per May 2004)\&. .IP .IP "\fB\f(CWsocat \- tcp:www\&.blackhat\&.org:31337,readbytes=1000\fP\fP" -@@ -3524,11 +3520,11 @@ error\&. +@@ -3810,11 +3806,11 @@ error\&. .SH "FILES" .PP Index: patches/patch-doc_socat_html =================================================================== RCS file: /cvs/ports/net/socat/patches/patch-doc_socat_html,v retrieving revision 1.2 diff -u -p -r1.2 patch-doc_socat_html --- patches/patch-doc_socat_html 13 Apr 2015 14:43:28 -0000 1.2 +++ patches/patch-doc_socat_html 13 Mar 2021 16:31:30 -0000 
@@ -1,7 +1,8 @@ $OpenBSD: patch-doc_socat_html,v 1.2 2015/04/13 14:43:28 jasper Exp $ ---- doc/socat.html.orig Sat Jan 24 17:31:04 2015 -+++ doc/socat.html Mon Apr 13 14:58:09 2015 -@@ -2781,10 +2781,6 @@ These options apply to the <a href="socat.html#ADDRESS +Index: doc/socat.html +--- doc/socat.html.orig ++++ doc/socat.html +@@ -2931,10 +2931,6 @@ These options apply to the <a href="socat.html#ADDRESS Specifies the directory with the trusted (root) certificates. The directory must contain certificates in PEM format and their hashes (see OpenSSL documentation) @@ -12,7 +13,7 @@ $OpenBSD: patch-doc_socat_html,v 1.2 201 <a name="OPTION_OPENSSL_PSEUDO"></a><p><dt><strong><strong><code>pseudo</code></strong></strong><dd> On systems where openssl cannot find an entropy source and where no entropy gathering daemon can be utilized, this option activates a mechanism for -@@ -3309,10 +3305,10 @@ connection, invokes a shell. This shell has its stdin +@@ -3509,10 +3505,10 @@ connection, invokes a shell. This shell has its stdin connected to the TCP socket (<a href="socat.html#OPTION_NOFORK">nofork</a>). The shell starts filan and lets it print the socket addresses to stderr (your terminal window). <p> @@ -25,7 +26,7 @@ $OpenBSD: patch-doc_socat_html,v 1.2 201 to make the squid executable from Cygwin run under Windows, actual per May 2004). <p> <p><dt><strong><strong><code>socat - tcp:www.blackhat.org:31337,readbytes=1000</code></strong></strong><dd> -@@ -3430,9 +3426,9 @@ error. +@@ -3669,9 +3665,9 @@ error. <a name="FILES"></a> <h2>FILES</h2> <p> Index: patches/patch-fdname_c =================================================================== RCS file: patches/patch-fdname_c diff -N patches/patch-fdname_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-fdname_c 13 Mar 2021 16:27:50 -0000 
@@ -0,0 +1,23 @@ +$OpenBSD$ + +Index: fdname.c +--- fdname.c.orig ++++ fdname.c +@@ -254,10 +254,14 @@ int sockname(int fd, FILE *outfile, char style) { + + #if defined(SO_PROTOCOL) || defined(SO_PROTOTYPE) + #if HAVE_GETPROTOBYNUMBER_R +- rc = getprotobynumber_r(proto, &protoent, protoname, sizeof(protoname), &protoentp); +- if (protoentp == NULL) { ++ struct protoent_data pdata; ++ memset(&protoent, 0, sizeof(protoent)); ++ memset(&pdata, 0, sizeof(pdata)); ++ rc = getprotobynumber_r(proto, &protoent, &pdata); ++ protoentp = &protoent; ++ if (rc == -1) { + Warn2("sockname(): getprotobynumber_r(proto=%d, ...): %s", +- proto, strerror(rc)); ++ proto, strerror(errno)); + } + strncpy(protoname, protoentp->p_name, sizeof(protoname)); + #elif HAVE_GETPROTOBYNUMBER Index: patches/patch-sslcls_c =================================================================== RCS file: patches/patch-sslcls_c diff -N patches/patch-sslcls_c --- patches/patch-sslcls_c 20 Jul 2015 01:12:09 -0000 1.4 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,53 +0,0 @@ -$OpenBSD: patch-sslcls_c,v 1.4 2015/07/20 01:12:09 jca Exp $ ---- sslcls.c.orig Sat Jan 24 03:15:22 2015 -+++ sslcls.c Sat Jul 18 20:01:59 2015 -@@ -55,6 +55,7 @@ const SSL_METHOD *sycSSLv2_server_method(void) { - } - #endif - -+#ifdef HAVE_SSLv3_client_method - const SSL_METHOD *sycSSLv3_client_method(void) { - const SSL_METHOD *result; - Debug("SSLv3_client_method()"); -@@ -62,7 +63,9 @@ const SSL_METHOD *sycSSLv3_client_method(void) { - Debug1("SSLv3_client_method() -> %p", result); - return result; - } -+#endif - -+#ifdef HAVE_SSLv3_server_method - const SSL_METHOD *sycSSLv3_server_method(void) { - const SSL_METHOD *result; - Debug("SSLv3_server_method()"); -@@ -70,6 +73,7 @@ const SSL_METHOD *sycSSLv3_server_method(void) { - Debug1("SSLv3_server_method() -> %p", result); - return result; - } -+#endif - - const SSL_METHOD *sycSSLv23_client_method(void) { - const SSL_METHOD *result; -@@ -331,14 +335,6 @@ void sycSSL_free(SSL *ssl) { - return; - } - --int sycRAND_egd(const char *path) { -- int result; -- Debug1("RAND_egd(\"%s\")", path); -- result = RAND_egd(path); -- Debug1("RAND_egd() -> %d", result); -- return result; --} -- - DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) { - DH *result; - Debug4("PEM_read_bio_DHparams(%p, %p, %p, %p)", -@@ -375,7 +371,7 @@ int sycFIPS_mode_set(int onoff) { - } - #endif /* WITH_FIPS */ - --#if OPENSSL_VERSION_NUMBER >= 0x00908000L -+#if (OPENSSL_VERSION_NUMBER >= 0x00908000L) && !defined(OPENSSL_NO_COMP) - const COMP_METHOD *sycSSL_get_current_compression(SSL *ssl) { - const COMP_METHOD *result; - Debug1("SSL_get_current_compression(%p)", ssl); Index: patches/patch-sslcls_h =================================================================== RCS file: patches/patch-sslcls_h diff -N patches/patch-sslcls_h --- patches/patch-sslcls_h 13 Apr 2015 14:43:28 -0000 1.3 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,28 +0,0 @@ -$OpenBSD: patch-sslcls_h,v 1.3 2015/04/13 14:43:28 jasper Exp $ ---- sslcls.h.orig Sat Jan 24 11:15:22 2015 -+++ sslcls.h Mon Apr 13 14:58:09 2015 -@@ -47,7 +47,6 @@ X509 *sycSSL_get_peer_certificate(SSL *ssl); - int sycSSL_shutdown(SSL *ssl); - void sycSSL_CTX_free(SSL_CTX *ctx); - void sycSSL_free(SSL *ssl); --int sycRAND_egd(const char *path); - - DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u); - -@@ -55,7 +54,7 @@ BIO *sycBIO_new_file(const char *filename, const char - - int sycFIPS_mode_set(int onoff); - --#if OPENSSL_VERSION_NUMBER >= 0x00908000L -+#if (OPENSSL_VERSION_NUMBER >= 0x00908000L) && !defined(OPENSSL_NO_COMP) - const COMP_METHOD *sycSSL_get_current_compression(SSL *ssl); - const COMP_METHOD *sycSSL_get_current_expansion(SSL *ssl); - const char *sycSSL_COMP_get_name(const COMP_METHOD *comp); -@@ -98,7 +97,6 @@ const char *sycSSL_COMP_get_name(const COMP_METHOD *co - #define sycSSL_shutdown(s) SSL_shutdown(s) - #define sycSSL_CTX_free(c) SSL_CTX_free(c) - #define sycSSL_free(s) SSL_free(s) --#define sycRAND_egd(p) RAND_egd(p) - - #define sycPEM_read_bio_DHparams(b,x,p,u) PEM_read_bio_DHparams(b,x,p,u) - Index: patches/patch-test_sh =================================================================== RCS file: /cvs/ports/net/socat/patches/patch-test_sh,v retrieving revision 1.2 diff -u -p -r1.2 patch-test_sh --- patches/patch-test_sh 13 Apr 2015 14:43:28 -0000 1.2 +++ patches/patch-test_sh 13 Mar 2021 16:31:30 -0000 
@@ -1,7 +1,8 @@ $OpenBSD: patch-test_sh,v 1.2 2015/04/13 14:43:28 jasper Exp $ ---- test.sh.orig Sat Jan 24 11:15:22 2015 -+++ test.sh Mon Apr 13 14:58:09 2015 -@@ -576,9 +576,6 @@ filloptionvalues() { +Index: test.sh +--- test.sh.orig ++++ test.sh +@@ -735,9 +735,6 @@ filloptionvalues() { *,dh,*) OPTS=$(echo "$OPTS" |sed "s/,dh,/,dh=/tmp/hugo,/g");; esac case "$OPTS" in Index: patches/patch-xio-openssl_c =================================================================== RCS file: patches/patch-xio-openssl_c diff -N patches/patch-xio-openssl_c --- patches/patch-xio-openssl_c 2 Feb 2016 10:40:32 -0000 1.4 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,56 +0,0 @@ -$OpenBSD: patch-xio-openssl_c,v 1.4 2016/02/02 10:40:32 sthen Exp $ ---- xio-openssl.c.orig Fri Jan 29 10:28:38 2016 -+++ xio-openssl.c Mon Feb 1 16:30:57 2016 -@@ -108,7 +108,6 @@ const struct optdesc opt_openssl_key = { "open - const struct optdesc opt_openssl_dhparam = { "openssl-dhparam", "dh", OPT_OPENSSL_DHPARAM, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC }; - const struct optdesc opt_openssl_cafile = { "openssl-cafile", "cafile", OPT_OPENSSL_CAFILE, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC }; - const struct optdesc opt_openssl_capath = { "openssl-capath", "capath", OPT_OPENSSL_CAPATH, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC }; --const struct optdesc opt_openssl_egd = { "openssl-egd", "egd", OPT_OPENSSL_EGD, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC }; - const struct optdesc opt_openssl_pseudo = { "openssl-pseudo", "pseudo", OPT_OPENSSL_PSEUDO, GROUP_OPENSSL, PH_SPEC, TYPE_BOOL, OFUNC_SPEC }; - #if OPENSSL_VERSION_NUMBER >= 0x00908000L - const struct optdesc opt_openssl_compress = { "openssl-compress", "compress", OPT_OPENSSL_COMPRESS, GROUP_OPENSSL, PH_SPEC, TYPE_STRING, OFUNC_SPEC }; -@@ -147,7 +146,7 @@ int xio_reset_fips_mode(void) { - static void openssl_conn_loginfo(SSL *ssl) { - Notice1("SSL connection using %s", SSL_get_cipher(ssl)); - --#if OPENSSL_VERSION_NUMBER >= 0x00908000L -+#if (OPENSSL_VERSION_NUMBER >= 0x00908000L) && !defined(OPENSSL_NO_COMP) - { - const COMP_METHOD *comp, *expansion; - -@@ -722,7 +721,6 @@ int - char *opt_dhparam = NULL; /* file name of DH params */ - char *opt_cafile = NULL; /* certificate authority file */ - char *opt_capath = NULL; /* certificate authority directory */ -- char *opt_egd = NULL; /* entropy gathering daemon socket path */ - #if OPENSSL_VERSION_NUMBER >= 0x00908000L - char *opt_compress = NULL; /* compression method */ - #endif -@@ -741,7 +739,6 @@ int - retropt_string(opts, OPT_OPENSSL_CAPATH, &opt_capath); - retropt_string(opts, OPT_OPENSSL_KEY, 
&opt_key); - retropt_string(opts, OPT_OPENSSL_DHPARAM, &opt_dhparam); -- retropt_string(opts, OPT_OPENSSL_EGD, &opt_egd); - retropt_bool(opts,OPT_OPENSSL_PSEUDO, &opt_pseudo); - #if OPENSSL_VERSION_NUMBER >= 0x00908000L - retropt_string(opts, OPT_OPENSSL_COMPRESS, &opt_compress); -@@ -877,10 +874,6 @@ int - } - } - -- if (opt_egd) { -- sycRAND_egd(opt_egd); -- } -- - if (opt_pseudo) { - long int randdata; - /* initialize libc random from actual microseconds */ -@@ -1105,7 +1098,7 @@ static int openssl_SSL_ERROR_SSL(int level, const char - if (e == ((ERR_LIB_RAND<<24)| - (RAND_F_SSLEAY_RAND_BYTES<<12)| - (RAND_R_PRNG_NOT_SEEDED)) /*0x24064064*/) { -- Error("too few entropy; use options \"egd\" or \"pseudo\""); -+ Error("too few entropy; use option \"pseudo\""); - stat = STAT_NORETRY; - } else { - Msg2(level, "%s(): %s", funcname, ERR_error_string(e, buf)); Index: patches/patch-xio-openssl_h =================================================================== RCS file: patches/patch-xio-openssl_h diff -N patches/patch-xio-openssl_h --- patches/patch-xio-openssl_h 24 Apr 2014 15:17:08 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,11 +0,0 @@ -$OpenBSD: patch-xio-openssl_h,v 1.1 2014/04/24 15:17:08 sthen Exp $ ---- xio-openssl.h.orig Sun Jun 23 07:16:48 2013 -+++ xio-openssl.h Sat Apr 19 15:58:21 2014 -@@ -21,7 +21,6 @@ extern const struct optdesc opt_openssl_key; - extern const struct optdesc opt_openssl_dhparam; - extern const struct optdesc opt_openssl_cafile; - extern const struct optdesc opt_openssl_capath; --extern const struct optdesc opt_openssl_egd; - extern const struct optdesc opt_openssl_pseudo; - #if OPENSSL_VERSION_NUMBER >= 0x00908000L - extern const struct optdesc opt_openssl_compress; Index: patches/patch-xioopts_c =================================================================== RCS file: patches/patch-xioopts_c diff -N patches/patch-xioopts_c --- patches/patch-xioopts_c 13 Apr 2015 14:43:28 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,19 +0,0 @@ -$OpenBSD: patch-xioopts_c,v 1.2 2015/04/13 14:43:28 jasper Exp $ ---- xioopts.c.orig Sat Jan 24 11:15:22 2015 -+++ xioopts.c Mon Apr 13 14:58:09 2015 -@@ -412,7 +412,6 @@ const struct optname optionnames[] = { - #ifdef ECHOPRT - IF_TERMIOS("echoprt", &opt_echoprt) - #endif -- IF_OPENSSL("egd", &opt_openssl_egd) - IF_ANY ("end-close", &opt_end_close) - IF_TERMIOS("eof", &opt_veof) - IF_TERMIOS("eol", &opt_veol) -@@ -1102,7 +1101,6 @@ const struct optname optionnames[] = { - IF_OPENSSL("openssl-compress", &opt_openssl_compress) - #endif - IF_OPENSSL("openssl-dhparam", &opt_openssl_dhparam) -- IF_OPENSSL("openssl-egd", &opt_openssl_egd) - #if WITH_FIPS - IF_OPENSSL("openssl-fips", &opt_openssl_fips) - #endif Index: patches/patch-xioopts_h =================================================================== RCS file: patches/patch-xioopts_h diff -N patches/patch-xioopts_h --- patches/patch-xioopts_h 13 Apr 2015 14:43:28 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,11 +0,0 @@ -$OpenBSD: patch-xioopts_h,v 1.2 2015/04/13 14:43:28 jasper Exp $ ---- xioopts.h.orig Sat Jan 24 11:15:22 2015 -+++ xioopts.h Mon Apr 13 14:58:09 2015 -@@ -478,7 +478,6 @@ enum e_optcode { - OPT_OPENSSL_COMPRESS, - #endif - OPT_OPENSSL_DHPARAM, -- OPT_OPENSSL_EGD, - OPT_OPENSSL_FIPS, - OPT_OPENSSL_KEY, - OPT_OPENSSL_METHOD,
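
Review bot: in the second Makefile hunk (@@ -15,9 +14,12 @@), the new do-test target calls ${SETENV} with no variable assignments after it, so it has no effect there. Either pass the environment the tests need after it, or drop it and run `cd ${WRKSRC} && bash test.sh`. The same hunk removes curses from WANTLIB, which the message does not mention; a sentence on how the new library list was checked would help.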
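
Review bot: in the distinfo hunk, the new SHA256 is the only integrity check on socat-1.7.4.1.tar.gz, and MASTER_SITES in the Makefile is built from an http:// HOMEPAGE, so the distfile is fetched without transport protection. Please state how the new hash was obtained, and compare it against a checksum or signature from upstream if one is published, rather than relying on a value generated from the same plain-HTTP download.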
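
Review bot: in patches/patch-doc_socat_1, the hunk that removed the egd=<filename> paragraph from doc/socat.1 is dropped, yet the remaining hunk headers (@@ -3639,11 +3635,11 @@ and @@ -3810,11 +3806,11 @@) still carry a four-line offset as if it were applied, and patches/patch-doc_socat_html keeps its equivalent hunk (@@ -2931,10 +2931,6 @@). As written, the man page would document the egd option while the HTML page would not. Either keep the egd removal in both documentation patches or drop it from both, and regenerate the patch so the offsets match.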
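
Review bot: in patches/patch-fdname_c, the failure path of the new getprotobynumber_r() call only warns and then falls through to strncpy(protoname, protoentp->p_name, sizeof(protoname)). protoent has just been zeroed with memset, so if the call returns -1 without filling the struct, p_name is NULL and the strncpy reads through a null pointer. Suggest handling the failure before the copy, for example by writing the numeric proto into protoname and skipping the strncpy, and terminating protoname explicitly, since strncpy does not do so when the source fills the buffer. The replacement also sits directly under #if HAVE_GETPROTOBYNUMBER_R; that is fine for a local ports patch but would need its own guard before it could go upstream.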
