Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for encrypting IP addresses #gdpr #7481

Merged
merged 21 commits into from Apr 4, 2019
Merged

Add support for encrypting IP addresses #gdpr #7481

merged 21 commits into from Apr 4, 2019

Conversation

rgacogne
Copy link
Member

Short description

Based on #6242, with the following changes:

  • Rebased on current master
  • Add IP pseudonymization options to RemoteLog{,Response}Action
  • Add regression tests for protobuf pseudonymization
  • Minor cleanup (only link OpenSSL's libssl or GnuTLS when needed, remove trailing whitespaces, build ipcrypt as a separate (static) library since it's written in C)

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@rgacogne
Copy link
Member Author

We might want to squash a bit before merging, if only to make sure that all commits compile.

@rgacogne rgacogne force-pushed the ipcrypt branch 2 times, most recently from 2929377 to e85b2cf Compare February 20, 2019 10:10
ahupowerdns and others added 21 commits March 25, 2019 10:22
@ahupowerdns @rgacogne
Add support for encrypting IP addresses #gdpr
7d28034 
With this change, PowerDNS core gains ability to encrypt & decrypt IP addresses as described in https://medium.com/@bert.hubert/on-ip-address-encryption-security-analysis-with-respect-for-privacy-dabe1201b476
For IPv4 this uses ipcrypt, for IPv6 it uses a 128-bit AES ECB operation.
This CR also hooks up ipencrypt() and ipdecrypt() methods for dnsdist use, specifically to pseudonomyse logging.
@ahupowerdns @rgacogne
add in symlinks for dnsdist
2512085
@ahupowerdns @rgacogne
replace links
87e10bf
@ahupowerdns @rgacogne
fix ipcrypt.h in testrunner Makefile
e99fc82
@ahupowerdns @rgacogne
add documentation to dnsdist
83cfcca
@ahupowerdns @rgacogne
add key derivatin from password, add ipencrypt/ipdecrypt to pdnsutil …
caff6e1 
…& document it
@ahupowerdns @rgacogne
rename ipcrypt/ipcipher
5d5d8c2
@ahupowerdns @rgacogne
fix up salt for pbkdf2
51d33cc
@ahupowerdns @rgacogne
salt was confusing, should be ipcipheripcipher
f920428
@ahupowerdns @rgacogne
hook up makeIPCipherKey in dnsdist
01223eb
@ahupowerdns @rgacogne
dnswasher comment
726b013
@ahupowerdns @rgacogne
made dnswasher support ipcipher
152b080
@ahupowerdns @rgacogne
document dnswasher flags
2e10bea
@ahupowerdns @rgacogne
update docs to key derivation & proper link
1be8bf1
@ahupowerdns @rgacogne
fix testrunner
cd63f25
@ahupowerdns @rgacogne
make pdnsutil support base64 encoded keys for ipcipher
2ae24e0
@rgacogne
dnsdist: Don't link OpenSSL's libssl or GnuTLS unless DoT is enabled
f4b1f1f
@rgacogne
dnsdist: Add IP 'encryption' options to RemoteLog{,Response}Action
af7afec
@rgacogne
Remove trailing whitespaces
488bcb3
@rgacogne
Build ipcrypt as a separate (static) library since it's written in C
496151c 
Otherwise we could compile it as C++ code, leading to this warning
from the compiler:

```
cc1: warning: command line option ‘-std=c++11’ is valid for C++/ObjC++ but not for C
```
@rgacogne
dnsdist: Add regression tests for protobuf pseudonymization
f29fabd
@rgacogne
Copy link
Member Author

Rebased to fix a conflict.

@rgacogne rgacogne merged commit 839195e into PowerDNS:master Apr 4, 2019
@rgacogne rgacogne deleted the ipcrypt branch April 4, 2019 09:31
This was referenced Apr 4, 2019
Closed
Closed
@Habbie Habbie mentioned this pull request Apr 5, 2019
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
auth dnsdist enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@rgacogne @ahupowerdns