Add support for encrypting IP addresses #gdpr #7481

Merged
merged 21 commits into from Apr 4, 2019

@rgacogne
Member

@rgacogne rgacogne commented Feb 13, 2019

Short description

Based on #6242, with the following changes:

  • Rebased on current master
  • Add IP pseudonymization options to RemoteLog{,Response}Action
  • Add regression tests for protobuf pseudonymization
  • Minor cleanup (only link OpenSSL's libssl or GnuTLS when needed, remove trailing whitespaces, build ipcrypt as a separate (static) library since it's written in C)

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
@rgacogne
Member Author

@rgacogne rgacogne commented Feb 13, 2019

We might want to squash a bit before merging, if only to make sure that all commits compile.

@rgacogne rgacogne force-pushed the rgacogne:ipcrypt branch 2 times, most recently from 2929377 to e85b2cf Feb 14, 2019
ahupowerdns and others added 21 commits Feb 2, 2018
With this change, PowerDNS core gains the ability to encrypt & decrypt IP addresses as described in https://medium.com/@bert.hubert/on-ip-address-encryption-security-analysis-with-respect-for-privacy-dabe1201b476
For IPv4 this uses ipcrypt, for IPv6 it uses a 128-bit AES ECB operation.
This CR also hooks up ipencrypt() and ipdecrypt() methods for dnsdist use, specifically to pseudonymise logging.
Otherwise we could compile it as C++ code, leading to this warning
from the compiler:

```
cc1: warning: command line option ‘-std=c++11’ is valid for C++/ObjC++ but not for C
```
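The IPv4 half of the commit message above ("For IPv4 this uses ipcrypt"), as an added example that is not code from this pull request or from the ipcrypt library it bundles: a compact reimplementation of the ipcrypt keyed permutation on 4-byte addresses, with its inverse. The function name `ip4_crypt`, the key and the address are this example's own constructed values; the IPv6 half (one AES-128 block) is not shown.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example of the ipcrypt construction: a keyed permutation of the
   2^32 IPv4 addresses. Function names are this example's own. */
static uint8_t rotl(uint8_t b, int r) { return (uint8_t)((b << r) | (b >> (8 - r))); }
static void xor4(uint8_t s[4], const uint8_t *k) { for (int i = 0; i < 4; i++) s[i] ^= k[i]; }

static void permute_fwd(uint8_t s[4]) {
    s[0] += s[1];          s[2] += s[3];
    s[1] = rotl(s[1], 2);  s[3] = rotl(s[3], 5);
    s[1] ^= s[0];          s[3] ^= s[2];
    s[0] = rotl(s[0], 4);
    s[0] += s[3];          s[2] += s[1];
    s[1] = rotl(s[1], 3);  s[3] = rotl(s[3], 7);
    s[1] ^= s[2];          s[3] ^= s[0];
    s[2] = rotl(s[2], 4);
}

/* Exact inverse: same steps in reverse order, rotations and adds undone. */
static void permute_bwd(uint8_t s[4]) {
    s[2] = rotl(s[2], 4);
    s[1] ^= s[2];          s[3] ^= s[0];
    s[1] = rotl(s[1], 5);  s[3] = rotl(s[3], 1);
    s[0] -= s[3];          s[2] -= s[1];
    s[0] = rotl(s[0], 4);
    s[1] ^= s[0];          s[3] ^= s[2];
    s[1] = rotl(s[1], 6);  s[3] = rotl(s[3], 3);
    s[0] -= s[1];          s[2] -= s[3];
}

/* ip is a host-order IPv4 address; key is 16 bytes used as four 4-byte subkeys. */
uint32_t ip4_crypt(uint32_t ip, const uint8_t key[16], int decrypt) {
    uint8_t s[4] = { (uint8_t)(ip >> 24), (uint8_t)(ip >> 16), (uint8_t)(ip >> 8), (uint8_t)ip };
    if (!decrypt) {
        xor4(s, key);
        for (int r = 1; r <= 3; r++) { permute_fwd(s); xor4(s, key + 4 * r); }
    } else {
        xor4(s, key + 12);
        for (int r = 2; r >= 0; r--) { permute_bwd(s); xor4(s, key + 4 * r); }
    }
    return ((uint32_t)s[0] << 24) | ((uint32_t)s[1] << 16) | ((uint32_t)s[2] << 8) | s[3];
}

int main(void) {
    const uint8_t *key = (const uint8_t *)"some 16-byte key"; /* constructed sample key */
    uint32_t p = ip4_crypt(0x7F000001u, key, 0);              /* 127.0.0.1, constructed */
    printf("pseudonym %08x, decrypts to %08x\n", p, ip4_crypt(p, key, 1));
}
```

The mapping is deterministic, so the same client address always yields the same pseudonym in the logs, and anyone holding the key can reverse it.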
@rgacogne rgacogne force-pushed the rgacogne:ipcrypt branch from e85b2cf to f29fabd Mar 25, 2019
@rgacogne
Member Author

@rgacogne rgacogne commented Mar 25, 2019

Rebased to fix a conflict.

@rgacogne rgacogne merged commit 839195e into PowerDNS:master Apr 4, 2019
2 checks passed
ci/circleci: build Your tests passed on CircleCI!
continuous-integration/travis-ci/pr The Travis CI build passed
@rgacogne rgacogne deleted the rgacogne:ipcrypt branch Apr 4, 2019
@Habbie Habbie mentioned this pull request Apr 5, 2019
8 tasks