
Allow hwaddr and ipaddr metadata fields #232

Closed
TinCanTech opened this issue Nov 13, 2021 · 2 comments
Labels: documentation (Improvements or additions to documentation), Feature request (Additional new feature), help wanted (Extra attention is needed), Solution applied (This issue has been solved), Testing welcome

Comments

@TinCanTech (Owner)

ipaddr can be appended to metadata, in the same manner as hwaddr, and verified during client-connect phase.

@TinCanTech TinCanTech added the Feature request Additional new feature label Nov 13, 2021
@TinCanTech TinCanTech added this to the Version 2.6 milestone Nov 13, 2021
@TinCanTech TinCanTech self-assigned this Nov 13, 2021
@TinCanTech TinCanTech modified the milestone: Version 2.6 Nov 29, 2021
TinCanTech referenced this issue Dec 2, 2021
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Dec 2, 2021
@TinCanTech TinCanTech added Solution applied This issue has been solved Testing welcome documentation Improvements or additions to documentation labels Dec 2, 2021
@TinCanTech (Owner, Author)

Currently, it only matches host IP; would be nice to have subnet...

TinCanTech referenced this issue Dec 7, 2021
This patch also exposes the functions to validate IP addresses.

* ./easytls v4ip 11.22.33.0/24
* ./easytls v6ip 12fc:1918::10:1:101:0/64

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech added help wanted Extra attention is needed and removed Solution applied This issue has been solved Testing welcome labels Dec 7, 2021
TinCanTech referenced this issue Dec 8, 2021
In IPv6, Easy-TLS uses simple string matching, not mathematical techniques.
This is due to the 128-bit binary involved. (IPv4 is mathematically evaluated)

To match an IPv6 address to a client address, it is recommended to use a
subnet/mask (mask <= 124), not a host/128.

Examples:

* Correct: 2000:1:2:3::/64, 2000:1:2:3:abcd::/80, 2000::1:2:3:4/128(+)
(+: Not recommended)
* Incorrect: 2000:1:2:3:abcd::/64, 2000::1:2:3:4/80, :2000:1:2:3:4::/64

Easy-TLS also has some new functions for checking valid IPv4/6:

* v4ip: Validate IPv4 address
* v6ip: Validate IPv6 address
* x6ip: Expand a compressed IPv6 address

Examples:

* ./easytls v4ip 1.2.3.4/24
* ./easytls v6ip 2000::c0ff:ee/64
* ./easytls x6ip 2000::c0ff:ee/64

Note: When expanding an IPv6 address, easytls also verifies that this is
a valid subnet, for use in TLS-Crypt-V2 metadata, according to the rules
outlined here. Thus, some valid IPv6 addresses are not valid in Easy-TLS.

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Dec 9, 2021
TLS-Crypt-V2 metadata for IPv6 filtering is done by simple pattern
matching.  Save only the required network portion of `$IPv6/$mask`.

To filter client IPv6 source IP to `2000:1:2:3:4::/80` the following
data is saved to metadata: `2000:0001:0002:0003:0004`.

The full IPv6 address bits must not exceed the required mask-length.
To filter a unique host specify a `/128` mask. (Not recommended)

Signed-off-by: Richard T Bonhomme <[email protected]>
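The IPv6 rules from the Dec 8 and Dec 9 commit messages above, worked through as an added POSIX shell example (not Easy-TLS's own code): expansion of the address, truncation at the mask to the stored network portion, the check that no address bits lie beyond the mask, and the plain string match done at client-connect. The function names pad_groups, x6ip_expand, x6ip_metadata and x6ip_match are assumed, as is nibble-granularity masks (a multiple of 4, which the /124 limit suggests).

```shell
# Added example, not Easy-TLS code: build the IPv6 metadata string (network portion
# of $IPv6/$mask) and match a client address against it. Assumed: mask is a multiple of 4.

# Pad the ':'-separated groups of $1 to 4 hex digits; sets PAD_HEX and PAD_N.
pad_groups() {
    rest=$1 PAD_HEX= PAD_N=0
    while [ -n "$rest" ]; do
        case $rest in *:*) g=${rest%%:*} rest=${rest#*:} ;; *) g=$rest rest= ;; esac
        [ -n "$g" ] && [ ${#g} -le 4 ] || return 1        # empty or oversized group
        while [ ${#g} -lt 4 ]; do g=0$g; done
        PAD_HEX=$PAD_HEX$g PAD_N=$((PAD_N + 1))
    done
}

# Expand $1 into 32 lowercase hex digits in X6_HEX; fails on malformed input.
x6ip_expand() {
    case $1 in ''|*[!:0-9a-fA-F]*|*:::*|*::*::*|:[!:]*|*[!:]:) return 1 ;; esac
    case $1 in
        *::*) pad_groups "${1%%::*}" || return 1; l=$PAD_HEX ln=$PAD_N
              pad_groups "${1#*::}" || return 1; fill=$((8 - ln - PAD_N)); [ "$fill" -ge 1 ] || return 1
              while [ "$fill" -gt 0 ]; do l=${l}0000 fill=$((fill - 1)); done   # '::' zero groups
              X6_HEX=$l$PAD_HEX ;;
        *)    pad_groups "$1" && [ "$PAD_N" -eq 8 ] || return 1; X6_HEX=$PAD_HEX ;;
    esac
    X6_HEX=$(printf %s "$X6_HEX" | tr 'A-F' 'a-f')
}

# Print the metadata string for "$addr/$mask" (2000:1:2:3:4::/80 gives
# 2000:0001:0002:0003:0004); address bits set beyond the mask are rejected.
x6ip_metadata() {
    addr=${1%/*} mask=${1#*/}                            # no '/': mask check fails
    case $mask in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -ge 4 ] && [ "$mask" -le 128 ] && [ $((mask % 4)) -eq 0 ] || return 1
    x6ip_expand "$addr" || return 1
    case $(printf %s "$X6_HEX" | cut -c$((mask / 4 + 1))-) in *[!0]*) return 1 ;; esac
    rest=$(printf %s "$X6_HEX" | cut -c1-"$((mask / 4))") out=
    while [ -n "$rest" ]; do                              # re-join every 16 bits
        out=${out:+$out:}$(printf %s "$rest" | cut -c1-4)
        rest=$(printf %s "$rest" | cut -c5-)
    done
    printf '%s\n' "$out"
}

# Client-connect check: does the expanded client address $1 start with metadata $2?
x6ip_match() {
    x6ip_expand "$1" || return 1
    want=$(printf %s "$2" | tr -d :)
    [ "$(printf %s "$X6_HEX" | cut -c1-${#want})" = "$want" ]
}
```

`x6ip_metadata 2000:1:2:3:abcd::/64` returns non-zero because the abcd group lies beyond the /64, which is exactly the "Incorrect" case the Dec 8 message lists.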
TinCanTech referenced this issue Dec 11, 2021
Allow all scripts, which process IP addresses, to use common code.
If not present then the script falls back to built-in code.
The built-in code is currently duplicated library code.

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Dec 11, 2021
TinCanTech referenced this issue Dec 11, 2021
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Dec 11, 2021
If found, the library is sourced and used. Otherwise, the built-in
code is used.  This patch also duplicated the lib within the scripts.

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Dec 11, 2021
@TinCanTech TinCanTech added Solution applied This issue has been solved Testing welcome labels Dec 11, 2021
TinCanTech referenced this issue Dec 11, 2021
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Dec 12, 2021
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Dec 12, 2021
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech referenced this issue Dec 12, 2021
@TinCanTech (Owner, Author)

Now,

  • IPv4 binary subnet match
  • IPv6 only matches subnet-portion string - "${string} = ${subnet}" match

@TinCanTech TinCanTech pinned this issue Dec 15, 2021