From d7a34f2a7ddce937b77220c5f725ff114661a3fd Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Tue, 27 Sep 2022 22:39:52 +0100 Subject: [PATCH 01/16] docs: install docs wip Signed-off-by: Ian Jackson --- docs/index.rst | 1 + docs/install.md | 48 ++++++++++++++++++++++++++++++++++-------------- 2 files changed, 35 insertions(+), 14 deletions(-) diff --git a/docs/index.rst b/docs/index.rst index 0925038..5abddf2 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -6,6 +6,7 @@ Hippotat - Asinine IP over HTTP :caption: Contents: README + install.md config.md settings.md diff --git a/docs/install.md b/docs/install.md index 9b3a540..0c7e07c 100644 --- a/docs/install.md +++ b/docs/install.md @@ -1,10 +1,10 @@ -Installation and requirements -============================== +Installation +============ Hippotat is written in Rust. The documentation is procssed with Sphinx. -It is must convenient to install (especailly the server) as a `.deb`. +It is most convenient to install (especailly the server) as a `.deb`. Building .debs -------------- @@ -28,18 +28,18 @@ by the `Cargo.lock` file shipped in the Hippotat source tree, provided that `cargo --locked` is used. -Installing ----------- +Installation +------------ * On the server: `apt install hippotat-{server,common}_*.deb` * On the client: `apt install hippotat-{client,common}_*.deb` -This will install the `userv` privsep tool, +This will also install the `userv` privsep tool, and the `userv-ipif` utility for unprivileged network interface management. -System configuration ---------------------- +Configuration +------------- You will need to: 
@@ -53,18 +53,21 @@ You will need to: 2. Select a private network range for use by the IP-over-HTTP system, and assign addresses to the server and to each client. - 3. Configure your firewall to restrict access from that range + 3. Configure your firewalls to restrict access from that range to internal resources (eg, which might otherwise trust Hippotat addresses due to them being in RFC1918 private use ranges). - Note that Hippotat - **does not provide strong authentication or confidentiality**. + Note that + **Hippotat does not provide strong authentication or confidentiality**. 4. Configure `authbind` to allow the service user `_hippotat` (created by the package installation) - to bind to the port you have chosen. + to bind to the port you have chosen, + on the server. - 5. Configure `ipif` to allow the service user `_hippotat` + 5. Configure `ipif` to allow + the service user `_hippotat` (on the server) + or your own user (on the client) to create network interfaces using addresses in the range you have assigned. @@ -75,8 +78,10 @@ Startup - server ---------------- The `hippotat-server` package +supplies an init script will start the `hippotatd` server program, if `/etc/hippotat/main.cfg` exists. +If you just configured it, `service hippotatd start` will start it. Consult the init script to see options you can put in `/etc/default/hippotat`. 
@@ -92,8 +97,23 @@ and not needed in a sensible network environment. When you find yourself in a bad network environment, run `hippotat` from a shell. It will bring up the hippotat link. +When you don't need Hippotat any more, simply `^C` it. With the link up you can `ssh` (or, maybe, `mosh`) to the server, using the server's Hippotat IP address. -If you are using [secnet]'s polypath feature, +If you are using [secnet](https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/)'s polypath feature, secnet will automatically start to use hippotat. + +Don't send traffic you care about unencrypted over Hippotat. +Hippotat's security mechanisms are designed +to try to minimise denial of service, +especially by off-path entities, +but **data confidentiality and integrity are not provided**. + + +Troubleshooting +--------------- + +The server will log to syslog, facility `daemon`, by default. + +The client will report its progress to stderr. -- 2.30.2 From 3060654f01c599b59383ef37cf274b392fb0b949 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Tue, 27 Sep 2022 23:26:18 +0100 Subject: [PATCH 02/16] docs: install docs wip Signed-off-by: Ian Jackson --- docs/install.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/install.md b/docs/install.md index 0c7e07c..edc7177 100644 --- a/docs/install.md +++ b/docs/install.md @@ -45,7 +45,7 @@ You will need to: 1. Choose a suitable URL that Hippotat will be able to listen on. This should be port 80, or 443 with TLS. - You can use a reverse proxy, + You can use a reverse proxy (but you may want to suppress some of the logging). If using a reverse proxy, you must choose an internal IP port for the Hippotat server to use. -- 2.30.2 From 59677f37281b41be9ef7b240c6de1910ff1f34e0 Mon Sep 17 00:00:00 2001 
From: Ian Jackson Date: Sun, 25 Sep 2022 18:19:49 +0100 Subject: [PATCH 03/16] draft OpenSSL exception - not signed off yet! --- debian/copyright | 32 ++++++++++++++++++++++++++++++++ src/ini.rs | 2 +- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/debian/copyright b/debian/copyright index c483ced..4ef56af 100644 --- a/debian/copyright +++ b/debian/copyright @@ -41,3 +41,35 @@ header, probably something like this: // Copyright 2017-2022 Ian Jackson and contributors to Hippotat // SPDX-License-Identifier: AGPL-3.0-or-later // There is NO WARRANTY. + + +Hippotat-OpenSSL-Exception +-------------------------- + +Additional permission under GNU GPL version 3 section 7: + + In addition, as a special exception, the copyright holders give + permission to link the code of this program with the OpenSSL + Library (or with modified versions of OpenSSL that use the same + license as OpenSSL 1.1), and distribute linked combinations + including the two. + + BUT this does NOT apply to version 3.0 or any later version of the + OpenSSL library (nor to any modified versions thereof). + + FURTHERMORE you must obey the GNU Lesser General Public License in + all respects for all of the code used other than OpenSSL. + +This additional permission is indicated in the source code with +the following SPDX licence declaration: + SPDX-License-Identifier: GPL-3.0-or-later WITH Hippotat-OpenSSL-Exception + +If you modify a file, you may extend this exception to your version of +the file, but you are not obligated to do so. If you do not wish to do +so, delete the exception statement from your version, changing it to: + SPDX-License-Identifier: GPL-3.0-or-later + +The authors of Hippotat will probably withdrawn this exception in a +future versions of Hippotat, when OpenSSL 3.0 (which has a +GPLv3+-compatible licence) has become sufficiently widespread. But +that will not affect already-released versions of hippotat. diff --git a/src/ini.rs b/src/ini.rs index 143d0fc..4d5d1e8 100644 
--- a/src/ini.rs +++ b/src/ini.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH Hippotat-OpenSSL-Exception // There is NO WARRANTY. use crate::prelude::*; -- 2.30.2 From 61f3e90636cd68fd5689fb0d083049e47fe98ba1 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Sun, 25 Sep 2022 18:44:16 +0100 Subject: [PATCH 04/16] draft OpenSSL exception - not signed off yet! --- debian/copyright | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/copyright b/debian/copyright index 4ef56af..b00c0d2 100644 --- a/debian/copyright +++ b/debian/copyright @@ -55,7 +55,8 @@ Additional permission under GNU GPL version 3 section 7: including the two. BUT this does NOT apply to version 3.0 or any later version of the - OpenSSL library (nor to any modified versions thereof). + OpenSSL library (nor to any modified versions thereof). (We make + this restriction because the exception is not needed with OpenSSL 3.) FURTHERMORE you must obey the GNU Lesser General Public License in all respects for all of the code used other than OpenSSL. -- 2.30.2 From 60d146dc8d71863c0349cb641d082a2f8e4370c2 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Sun, 25 Sep 2022 18:52:55 +0100 Subject: [PATCH 05/16] draft OpenSSL exception - not signed off yet! --- debian/copyright | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/debian/copyright b/debian/copyright index b00c0d2..102f2f2 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -58,8 +58,10 @@ Additional permission under GNU GPL version 3 section 7: OpenSSL library (nor to any modified versions thereof). (We make this restriction because the exception is not needed with OpenSSL 3.) - FURTHERMORE you must obey the GNU Lesser General Public License in - all respects for all of the code used other than OpenSSL. + FURTHERMORE to take advantage of this exception you must obey the + GNU Lesser General Public License (version 3, or, at your option, + any later version) in all respects for all of the code used other + than OpenSSL. This additional permission is indicated in the source code with the following SPDX licence declaration: -- 2.30.2 From ae04fce6e6669ed21674b5b27ed7cf7fb667d795 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Tue, 27 Sep 2022 23:31:29 +0100 Subject: [PATCH 06/16] OpenSSL exception as agreed, with new SPDX expression Licence text approved by co-contributor Mark Wooding in personal email. DPDX expression roughly following https://spdx.github.io/spdx-spec/v2.3/using-SPDX-short-identifiers-in-source-files/ which doesn't contemplate using LicenseRef for an exception, but I think the meaning is clear, and it is useful to do it this way. Signed-off-by: Ian Jackson --- debian/copyright | 10 ++++++---- src/ini.rs | 2 +- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/debian/copyright b/debian/copyright index 102f2f2..1ca4aec 100644 --- a/debian/copyright +++ b/debian/copyright @@ -43,10 +43,11 @@ header, probably something like this: // There is NO WARRANTY. -Hippotat-OpenSSL-Exception --------------------------- +OpenSSL Licence Exception +------------------------- -Additional permission under GNU GPL version 3 section 7: +Additional permission under GNU GPL version 3 section 7 +[LicenseRef-Hippotat-OpenSSL-Exception]: In addition, as a special exception, the copyright holders give permission to link the code of this program with the OpenSSL 
@@ -65,7 +66,8 @@ Additional permission under GNU GPL version 3 section 7: This additional permission is indicated in the source code with the following SPDX licence declaration: - SPDX-License-Identifier: GPL-3.0-or-later WITH Hippotat-OpenSSL-Exception + SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception +(which is roughly but not exactly in accordance with the SPDX spec.) If you modify a file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do diff --git a/src/ini.rs b/src/ini.rs index 4d5d1e8..de6ea8e 100644 --- a/src/ini.rs +++ b/src/ini.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later WITH Hippotat-OpenSSL-Exception +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use crate::prelude::*; -- 2.30.2 From b95943598c295766155cb5272041b3fb677a9ba6 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Tue, 27 Sep 2022 23:37:04 +0100 Subject: [PATCH 07/16] Apply OpenSSL exception to Hippotat files Signed-off-by: Ian Jackson --- Cargo.toml | 2 +- Makefile | 2 +- client/client.rs | 2 +- macros/Cargo.toml | 2 +- macros/macros.rs | 2 +- server/daemon.rs | 2 +- server/server.rs | 2 +- server/slocal.rs | 2 +- server/suser.rs | 2 +- server/sweb.rs | 2 +- src/config.rs | 2 +- src/ipif.rs | 2 +- src/lib.rs | 2 +- src/multipart.rs | 2 +- src/prelude.rs | 2 +- src/queue.rs | 2 +- src/rope.rs | 2 +- src/slip.rs | 2 +- src/types.rs | 2 +- src/utils.rs | 2 +- test/capture-log | 2 +- test/common | 2 +- test/go-with-unshare | 2 +- test/netns-setup | 2 +- test/t-basic | 2 +- test/test.cfg | 2 +- test/with-unshare | 2 +- uml/psusan-uml-run | 2 +- uml/psusan-uml-setup | 2 +- uml/run-test | 2 +- 30 files changed, 30 insertions(+), 30 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 849d8da..639aa11 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -1,5 +1,5 @@ # Copyright 2021-2022 Ian Jackson and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. [package] diff --git a/Makefile b/Makefile index 2fee95b..ffb76d8 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ # Copyright 2020-2022 Ian Jackson and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. SHELL=/bin/bash diff --git a/client/client.rs b/client/client.rs index f623771..17dee6b 100644 --- a/client/client.rs +++ b/client/client.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use hippotat::prelude::*; diff --git a/macros/Cargo.toml b/macros/Cargo.toml index 4da04be..73b7469 100644 --- a/macros/Cargo.toml +++ b/macros/Cargo.toml @@ -1,5 +1,5 @@ # Copyright 2021-2022 Ian Jackson and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. [package] diff --git a/macros/macros.rs b/macros/macros.rs index 22b778d..060fe70 100644 --- a/macros/macros.rs +++ b/macros/macros.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use syn::{parse_macro_input, parse_quote}; diff --git a/server/daemon.rs b/server/daemon.rs index c5f6155..3d87a68 100644 --- a/server/daemon.rs +++ b/server/daemon.rs 
@@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use std::convert::TryInto; diff --git a/server/server.rs b/server/server.rs index 3fd58a4..b30e2da 100644 --- a/server/server.rs +++ b/server/server.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use hippotat::prelude::*; diff --git a/server/slocal.rs b/server/slocal.rs index ab2f2fc..32d769d 100644 --- a/server/slocal.rs +++ b/server/slocal.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use super::*; diff --git a/server/suser.rs b/server/suser.rs index b51ea76..68cb4a4 100644 --- a/server/suser.rs +++ b/server/suser.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use super::*; diff --git a/server/sweb.rs b/server/sweb.rs index bd9316a..ecdcc57 100644 --- a/server/sweb.rs +++ b/server/sweb.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use super::*; diff --git a/src/config.rs b/src/config.rs index beedd5f..a668c06 100644 --- a/src/config.rs +++ b/src/config.rs 
@@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use crate::prelude::*; diff --git a/src/ipif.rs b/src/ipif.rs index 3b4da9c..27432a7 100644 --- a/src/ipif.rs +++ b/src/ipif.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use crate::prelude::*; diff --git a/src/lib.rs b/src/lib.rs index fc641d2..16ef74f 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. pub mod prelude; diff --git a/src/multipart.rs b/src/multipart.rs index c2f0ff4..d66342b 100644 --- a/src/multipart.rs +++ b/src/multipart.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use crate::prelude::*; diff --git a/src/prelude.rs b/src/prelude.rs index a692d06..9f461c7 100644 --- a/src/prelude.rs +++ b/src/prelude.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. pub use std::array; diff --git a/src/queue.rs b/src/queue.rs index 49fd3c4..c78413c 100644 --- a/src/queue.rs +++ b/src/queue.rs 
@@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use crate::prelude::*; diff --git a/src/rope.rs b/src/rope.rs index 12054ab..8aad943 100644 --- a/src/rope.rs +++ b/src/rope.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use crate::prelude::*; diff --git a/src/slip.rs b/src/slip.rs index 6476014..c70d658 100644 --- a/src/slip.rs +++ b/src/slip.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use crate::prelude::*; diff --git a/src/types.rs b/src/types.rs index c5b4737..162b61e 100644 --- a/src/types.rs +++ b/src/types.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use crate::prelude::*; diff --git a/src/utils.rs b/src/utils.rs index e005d68..7911976 100644 --- a/src/utils.rs +++ b/src/utils.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson and contributors to Hippotat -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use crate::prelude::*; diff --git a/test/capture-log b/test/capture-log index 3b4c841..7eb0bab 100755 --- a/test/capture-log +++ b/test/capture-log 
@@ -1,6 +1,6 @@ #!/bin/bash # Copyright 2020-2022 Ian Jackson and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. set -e diff --git a/test/common b/test/common index 4bbd1fd..14b8d1e 100644 --- a/test/common +++ b/test/common @@ -1,6 +1,6 @@ # -*- shell-script -*- # Copyright 2021-2022 Ian Jackson and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. set -x diff --git a/test/go-with-unshare b/test/go-with-unshare index 96f983f..ac77a98 100755 --- a/test/go-with-unshare +++ b/test/go-with-unshare @@ -1,6 +1,6 @@ #!/bin/bash # Copyright 2021-2022 Ian Jackson and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. set -e diff --git a/test/netns-setup b/test/netns-setup index d91e0f9..38ec098 100755 --- a/test/netns-setup +++ b/test/netns-setup @@ -1,6 +1,6 @@ #!/bin/bash # Copyright 2021-2022 Ian Jackson and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. set -ex diff --git a/test/t-basic b/test/t-basic index 046e17e..ab03423 100755 --- a/test/t-basic +++ b/test/t-basic @@ -1,6 +1,6 @@ #!/bin/bash # Copyright 2021-2022 Ian Jackson and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. set -e diff --git a/test/test.cfg b/test/test.cfg index d74e8d3..423643f 100644 --- a/test/test.cfg +++ b/test/test.cfg 
@@ -1,5 +1,5 @@ # Copyright 2021-2022 Ian Jackson and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. [SERVER] diff --git a/test/with-unshare b/test/with-unshare index 5d29c87..ba16bf7 100755 --- a/test/with-unshare +++ b/test/with-unshare @@ -1,6 +1,6 @@ #!/bin/bash # Copyright 2021-2022 Ian Jackson and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. set -e diff --git a/uml/psusan-uml-run b/uml/psusan-uml-run index 36a4b53..e6c879a 100755 --- a/uml/psusan-uml-run +++ b/uml/psusan-uml-run @@ -1,6 +1,6 @@ #!/bin/sh # Copyright 2021-2022 Ian Jackson and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. set -e diff --git a/uml/psusan-uml-setup b/uml/psusan-uml-setup index 5f4afe7..136403a 100755 --- a/uml/psusan-uml-setup +++ b/uml/psusan-uml-setup @@ -1,6 +1,6 @@ #!/bin/bash # Copyright 2021-2022 Ian Jackson and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. set -e diff --git a/uml/run-test b/uml/run-test index 07932d4..b8c4e60 100755 --- a/uml/run-test +++ b/uml/run-test @@ -1,6 +1,6 @@ #!/bin/sh # Copyright 2021-2022 Ian Jackson and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. # *** This does not work. *** -- 2.30.2 From c6d5a6e979aeb2a5ff0a529c850418f4932c9f7e Mon Sep 17 00:00:00 2001 
From: Ian Jackson Date: Tue, 27 Sep 2022 23:37:20 +0100 Subject: [PATCH 08/16] Apply OpenSSL exception to files with Eyre content eyre is permissively licenced, and we upgraded the licence when incorporating it, so this is fine. Signed-off-by: Ian Jackson --- src/reporter.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/reporter.rs b/src/reporter.rs index 530534a..692e3ed 100644 --- a/src/reporter.rs +++ b/src/reporter.rs @@ -1,5 +1,5 @@ // Copyright 2021-2022 Ian Jackson, yaahc and contributors to Hippotat and Eyre -// SPDX-License-Identifier: GPL-3.0-or-later +// SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. use crate::prelude::*; -- 2.30.2 From 8b713b3f1807c1618f66930bce7a7b5f5da1d335 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Tue, 27 Sep 2022 23:37:46 +0100 Subject: [PATCH 09/16] Apply OpenSSL exception to files with psusan content psusan (like PuTTY) is permissively licenced, and we upgraded the licence when incorporating it, so this is fine. Signed-off-by: Ian Jackson --- uml/psusan-uml-inside | 2 +- uml/psusan-uml-psusan | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/uml/psusan-uml-inside b/uml/psusan-uml-inside index a0a7ca8..5f72509 100755 --- a/uml/psusan-uml-inside +++ b/uml/psusan-uml-inside @@ -1,6 +1,6 @@ #!/bin/bash # Copyright 2021-2022 Ian Jackson, Simon Tatham, and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. set -ex diff --git a/uml/psusan-uml-psusan b/uml/psusan-uml-psusan index 5296aa5..f132338 100755 --- a/uml/psusan-uml-psusan +++ b/uml/psusan-uml-psusan 
@@ -1,6 +1,6 @@ #!/bin/bash # Copyright 2021-2022 Ian Jackson, Simon Tatham, and contributors to Hippotat -# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception # There is NO WARRANTY. set -e -- 2.30.2 From 75a55a80d752b8f5920da773c574f92320d89c76 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Wed, 28 Sep 2022 19:22:33 +0100 Subject: [PATCH 10/16] docs Signed-off-by: Ian Jackson --- README.md | 62 +++++++++++++++++++++++++++++++++++++++++++++++-- docs/index.rst | 2 +- docs/install.md | 7 ++++-- 3 files changed, 66 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index c516b33..0e68dff 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,60 @@ -Introduction -============ +Hippotat - asinine IP over HTTP +=============================== + +Hippotat is a system to allow you to use your normal VPN, +ssh, and other applications, even in broken network environments +that are only ever tested with "web stuff". + +Packets are parcelled up into HTTP POST requests, resembling +form submissions (or JavaScript XMLHttpRequest traffic), +and the returned packets arrive via the HTTP response bodies. + +Scenario +-------- + +You're in a cafe or a hotel, trying to use the provided wifi. +But it's not working. You discover that port 80 and port 443 +are open, but the wifi forbids all other traffic. + +Never mind, start up your hippotat client. Now you have connectivity. +Your VPN and SSH and so on run over Hippotat. +The result is not very efficient, but it does work. + +The design goal is that if the your barista's phone works OK, +or the hotel concierge can see Google on their computer, +you can use the internet properly, despite +whatever breakage and nonsense. + +So Hippotat is an alternative to the futile strategy of +trying to report technical bugs, or stupid portblocks, +in terrible wifi systems. + +Of course it can't always help. +If the wifi is bad enough that one's hosts' +devices don't work reliably either, +hopefully you can probably get them to reboot the magic box, +or maybe get some money off, if wifi was supposed to be included. + +Non-goals +--------- + +**Hippotat does not provide meaningful encryption**. +You should use protocols over the top of it +that you would be happy to run over the public internet: +encrypted ones, like a VPN or SSH. + +Use of Hippotat is not intended to be undetectable, +or even particularly hard to distinguish from other uses of HTTP, +should someone want to go to the effort. +Rather, it is intended to be deployed against idiocy, ignorance, +and incompetence. 
+ +Protection against interference is limited to +trying to defend against off-path attackers, and +arranging that formerly-on-path attackers' +ability to do harm will expire reasonably soon. + +Hippotat is not designed to allow you to "leech" internet access +from "closed" Wifi. +It won't work if "normal web access" doesn't. +You might try IP-over-DNS systems for that. diff --git a/docs/index.rst b/docs/index.rst index 5abddf2..e91ff70 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -5,7 +5,7 @@ Hippotat - Asinine IP over HTTP :maxdepth: 2 :caption: Contents: - README + README.md install.md config.md settings.md diff --git a/docs/install.md b/docs/install.md index edc7177..de829c5 100644 --- a/docs/install.md +++ b/docs/install.md @@ -52,6 +52,8 @@ You will need to: 2. Select a private network range for use by the IP-over-HTTP system, and assign addresses to the server and to each client. + If you use a range from RFC1918, choose it at random, + eg using the [Cambridge G-RIN](https://www.ucam.org/cam-grin/). 3. Configure your firewalls to restrict access from that range to internal resources @@ -79,9 +81,10 @@ Startup - server The `hippotat-server` package supplies an init script -will start the `hippotatd` server program, +which will start the `hippotatd` server program, if `/etc/hippotat/main.cfg` exists. -If you just configured it, `service hippotatd start` will start it. +If you just created that file, +`service hippotatd start` will start the server.. Consult the init script to see options you can put in `/etc/default/hippotat`. -- 2.30.2 From f2290993a37d48e1e4d41d6ba5617a966934b254 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Wed, 28 Sep 2022 19:34:05 +0100 Subject: [PATCH 11/16] docs installation code Copied some of the Makefile from my own code in the Otter Makefile. 
Signed-off-by: Ian Jackson --- Makefile | 17 +++++++++++++++++ docs/colophon.md | 19 +++++++++++++++++++ docs/index.rst | 1 + 3 files changed, 37 insertions(+) create mode 100644 docs/colophon.md diff --git a/Makefile b/Makefile index ffb76d8..3219c50 100644 --- a/Makefile +++ b/Makefile @@ -78,4 +78,21 @@ clean: very-clean: clean $(CARGO) clean +#---------- docs publication ---------- + +PUBLISHED_BRANCH=published +PUBLISH_VERSION=unreleased +PUBLISH_USER=ianmdlvl@login.chiark.greenend.org.uk +PUBLISH_DOC_SPHINX_BASE=public-html/hippotat +PUBLISH_DOC_SPHINX_TAIL=$(PUBLISH_VERSION)/docs +PUBLISH_DOC_SPHINX=$(PUBLISH_USER):$(PUBLISH_DOC_SPHINX_BASE)/$(PUBLISH_DOC_SPHINX_TAIL) + +publish: doc + ssh $(PUBLISH_USER) 'cd $(PUBLISH_DOC_SPHINX_BASE) && mkdir -p $(PUBLISH_DOC_SPHINX_TAIL)' + rsync -r --delete-delay docs/html/. $(PUBLISH_DOC_SPHINX)/. + git branch -f $(PUBLISHED_BRANCH) + +publish-make-current: + ssh $(PUBLISH_USER) 'set -e; cd $(PUBLISH_DOC_SPHINX_BASE); rm -f current.tmp; ln -s $(PUBLISH_VERSION) current.tmp; mv -T current.tmp current' + .PHONY: cargo-build all doc clean diff --git a/docs/colophon.md b/docs/colophon.md new file mode 100644 index 0000000..324f175 --- /dev/null +++ b/docs/colophon.md @@ -0,0 +1,19 @@ +Colophon +======== + +Hippotat is Copyright 2017-2022 Ian Jackson +and contributors. + +Hippotat is released under the GNU GPLv3+ +with an OpenSSL linking exception. +See the file `COPYING` in the source tree +for the full licence text. +There is NO WARRANTY. + +The +[Documentation for the current version](https://www.chiark.greenend.org.uk/~ianmdlvl/hippotat/current/docs/) +is online, +as well as [for earlier versons](https://www.chiark.greenend.org.uk/~ianmdlvl/hippotat/). + +[Hippotat's source repository](https://salsa.debian.org/iwj/hippotat) +is hosted on Debian Salsa. diff --git a/docs/index.rst b/docs/index.rst index e91ff70..921232c 100644 --- a/docs/index.rst +++ b/docs/index.rst 
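Review bot: `publish` uploads whatever is currently in `docs/html` and then runs `git branch -f $(PUBLISHED_BRANCH)`, so the branch can record a commit that does not match what was actually published if tracked files had uncommitted changes. A guard as the first recipe line, e.g. `git diff --quiet HEAD --`, would make the target fail in that case before anything is sent. The two new targets are also missing from the `.PHONY` line at the end of the hunk; `.PHONY: cargo-build all doc clean publish publish-make-current` would cover them. The `PUBLISH_*` values are pasted into single-quoted remote shell commands and into an `rsync --delete-delay` destination, so a short comment above the variable block saying they must be plain path components without quotes or spaces would be worth adding.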
@@ -9,6 +9,7 @@ Hippotat - Asinine IP over HTTP install.md config.md settings.md + colophon.md Indices and tables ================== -- 2.30.2 From 26bc031a733119783546d1c49d7cf3fc1fb77a43 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Wed, 28 Sep 2022 19:52:37 +0100 Subject: [PATCH 12/16] metadata for 1.0 Signed-off-by: Ian Jackson --- Cargo.toml | 7 ++++--- debian/changelog | 6 ++++++ macros/Cargo.toml | 5 +++-- macros/macros.rs | 5 +++++ 4 files changed, 18 insertions(+), 5 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 639aa11..06bd902 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -4,11 +4,12 @@ [package] name = "hippotat" -version = "0.0.1" +version = "1.0.0" edition = "2018" description="Asinine HTTP-over-IP" -license="GPL-3.0-or-later" +license="GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception" repository="https://salsa.debian.org/iwj/hippotat" +homepage="https://www.chiark.greenend.org.uk/~ianmdlvl/hippotat/current/docs/" [workspace] members = ["macros"] @@ -23,7 +24,7 @@ path="server/server.rs" [dependencies] -hippotat-macros = { version = "0.0.1", path = "macros" } +hippotat-macros = { version = "1.0.0", path = "macros" } # versions specified here are mostly just guesses at what is needed # (or currently available): diff --git a/debian/changelog b/debian/changelog index 1dc1d9c..c691172 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +hippotat (1.0) unstable; urgency=medium + + * Initial general release + + -- Ian Jackson Wed, 28 Sep 2022 19:52:51 +0100 + hippotat (0.2) unstable; urgency=medium * Rust version. Testing some packaging. diff --git a/macros/Cargo.toml b/macros/Cargo.toml index 73b7469..7de97bb 100644 --- a/macros/Cargo.toml +++ b/macros/Cargo.toml 
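Review bot: The dependency line `hippotat-macros = { version = "1.0.0", path = "macros" }` is a caret requirement, yet the crate documentation added to `macros/macros.rs` in this same commit says the macros crate does not adhere to semver. Once both crates are published, a resolver could pair hippotat 1.0.0 with any later 1.x release of hippotat-macros wherever no lockfile applies, for instance a `cargo install` run without `--locked`. An exact requirement, `hippotat-macros = { version = "=1.0.0", path = "macros" }`, would tie the two crates together.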
@@ -4,11 +4,12 @@ [package] name = "hippotat-macros" -version = "0.0.1" +version = "1.0.0" edition = "2018" description="Asinine HTTP-over-IP, proc-macros" -license="GPL-3.0-or-later" +license="GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception" repository="https://salsa.debian.org/iwj/hippotat" +homepage="https://www.chiark.greenend.org.uk/~ianmdlvl/hippotat/current/docs/" [dependencies] itertools = "0.10" diff --git a/macros/macros.rs b/macros/macros.rs index 060fe70..6ba21ce 100644 --- a/macros/macros.rs +++ b/macros/macros.rs @@ -2,6 +2,11 @@ // SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception // There is NO WARRANTY. +//! Hippotat - proc macros +//! +//! This crate is an internal detail of hippotat. +//! It does not adhere to semver. + use syn::{parse_macro_input, parse_quote}; use syn::{Data, DataStruct, DeriveInput, LitStr, Meta, NestedMeta}; use quote::{quote, quote_spanned, ToTokens}; -- 2.30.2 From 91c545be4f572078f2e09bde542ed87f7b453e4a Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Wed, 28 Sep 2022 19:54:58 +0100 Subject: [PATCH 13/16] suggest cargo build as an alternative Signed-off-by: Ian Jackson --- docs/install.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/install.md b/docs/install.md index de829c5..5083a1b 100644 --- a/docs/install.md +++ b/docs/install.md @@ -6,8 +6,8 @@ The documentation is procssed with Sphinx. It is most convenient to install (especailly the server) as a `.deb`. -Building .debs --------------- +Building +-------- On a system with a new enough `cargo` and `rustc`: @@ -27,6 +27,11 @@ are controlled and checked by the `Cargo.lock` file shipped in the Hippotat source tree, provided that `cargo --locked` is used. +If you don't want to install debs, +you can also just use cargo to build the two binaries, +`hippotat` and `hippotatd`. +You could perhaps even `cargo install hippotat` on a client machine. + Installation ------------ -- 2.30.2 
From 6469665b83e65d55a129fb006aa3813041ecc215 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Wed, 28 Sep 2022 19:56:55 +0100
Subject: [PATCH 14/16] cargo metadata: Claim the licence is GPL

Signed-off-by: Ian Jackson
---
 Cargo.toml | 3 ++-
 macros/Cargo.toml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index 06bd902..f0ae298 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -7,7 +7,8 @@ name = "hippotat"
 version = "1.0.0"
 edition = "2018"
 description="Asinine HTTP-over-IP"
-license="GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception"
+license="GPL-3.0-or-later"
+# ^ Actually, it's WITH LicenseRef-Hippotat-OpenSSL-Exception
 repository="https://salsa.debian.org/iwj/hippotat"
 homepage="https://www.chiark.greenend.org.uk/~ianmdlvl/hippotat/current/docs/"
 
diff --git a/macros/Cargo.toml b/macros/Cargo.toml
index 7de97bb..da72f41 100644
--- a/macros/Cargo.toml
+++ b/macros/Cargo.toml
@@ -7,7 +7,8 @@ name = "hippotat-macros"
 version = "1.0.0"
 edition = "2018"
 description="Asinine HTTP-over-IP, proc-macros"
-license="GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception"
+license="GPL-3.0-or-later"
+# ^ Actually, it's WITH LicenseRef-Hippotat-OpenSSL-Exception
 repository="https://salsa.debian.org/iwj/hippotat"
 homepage="https://www.chiark.greenend.org.uk/~ianmdlvl/hippotat/current/docs/"
 
-- 
2.30.2

From bfe741895a7a4859be4b0cdf2a4cdfcbe0e0e61a Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Wed, 28 Sep 2022 20:07:19 +0100
Subject: [PATCH 15/16] Fix publish version

Signed-off-by: Ian Jackson
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 3219c50..5cbb560 100644
--- a/Makefile
+++ b/Makefile
@@ -81,7 +81,7 @@ very-clean: clean
 #---------- docs publication ----------
 
 PUBLISHED_BRANCH=published
-PUBLISH_VERSION=unreleased
+PUBLISH_VERSION=1.0.0
 PUBLISH_USER=ianmdlvl@login.chiark.greenend.org.uk
 PUBLISH_DOC_SPHINX_BASE=public-html/hippotat
 PUBLISH_DOC_SPHINX_TAIL=$(PUBLISH_VERSION)/docs
-- 
2.30.2

From 56ea06a762b2852efcf2ad3418f11beaf316b12d Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Wed, 28 Sep 2022 20:07:59 +0100
Subject: [PATCH 16/16] Revert "Fix publish version"

This reverts commit bfe741895a7a4859be4b0cdf2a4cdfcbe0e0e61a.

Signed-off-by: Ian Jackson
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 5cbb560..3219c50 100644
--- a/Makefile
+++ b/Makefile
@@ -81,7 +81,7 @@ very-clean: clean
 #---------- docs publication ----------
 
 PUBLISHED_BRANCH=published
-PUBLISH_VERSION=1.0.0
+PUBLISH_VERSION=unreleased
 PUBLISH_USER=ianmdlvl@login.chiark.greenend.org.uk
 PUBLISH_DOC_SPHINX_BASE=public-html/hippotat
 PUBLISH_DOC_SPHINX_TAIL=$(PUBLISH_VERSION)/docs
-- 
2.30.2