Add support for encrypting IP addresses #gdpr #7481

Merged
merged 21 commits into from Apr 4, 2019

@rgacogne
Member

commented Feb 13, 2019

Short description

Based on #6242, with the following changes:

  • Rebased on current master
  • Add IP pseudonymization options to RemoteLog{,Response}Action
  • Add regression tests for protobuf pseudonymization
  • Minor cleanup (only link OpenSSL's libssl or GnuTLS when needed, remove trailing whitespaces, build ipcrypt as a separate (static) library since it's written in C)

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
@rgacogne

Member Author

commented Feb 13, 2019

We might want to squash a bit before merging, if only to make sure that all commits compile.

@rgacogne rgacogne force-pushed the rgacogne:ipcrypt branch 2 times, most recently from 2929377 to e85b2cf Feb 14, 2019

ahupowerdns and others added some commits Feb 2, 2018

Add support for encrypting IP addresses #gdpr
With this change, PowerDNS core gains the ability to encrypt & decrypt IP addresses as described in https://medium.com/@bert.hubert/on-ip-address-encryption-security-analysis-with-respect-for-privacy-dabe1201b476
For IPv4 this uses ipcrypt, for IPv6 it uses a 128-bit AES ECB operation.
This CR also hooks up ipencrypt() and ipdecrypt() methods for dnsdist use, specifically to pseudonymise logging.

Build ipcrypt as a separate (static) library since it's written in C
Otherwise we could compile it as C++ code, leading to this warning
from the compiler:

```
cc1: warning: command line option ‘-std=c++11’ is valid for C++/ObjC++ but not for C
```
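The IPv4 half of the scheme from the first commit message above, as an added example that is not this PR's code or the bundled ipcrypt library: a keyed 4-byte ARX cipher modeled on ipcrypt's structure, so one dotted-quad maps to another and back under a 16-byte key. The round function, the name `ip4_pseudonymize` and the sample key are assumptions of this example, and its output is not claimed to match ipcrypt's.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example code (assumption): a 32-bit ARX permutation in the style of ipcrypt.
   It is not verified against ipcrypt test vectors. */
static uint8_t rotl8(uint8_t x, int r) { return (uint8_t)((x << r) | (x >> (8 - r))); }

static void arx_fwd(uint8_t s[4]) {
    s[0] += s[1]; s[2] += s[3];
    s[1] = rotl8(s[1], 2); s[3] = rotl8(s[3], 5);
    s[1] ^= s[0]; s[3] ^= s[2];
    s[0] = rotl8(s[0], 4);
    s[0] += s[3]; s[2] += s[1];
    s[1] = rotl8(s[1], 3); s[3] = rotl8(s[3], 7);
    s[1] ^= s[2]; s[3] ^= s[0];
    s[2] = rotl8(s[2], 4);
}

/* Exact inverse of arx_fwd: same steps in reverse order, rotations complemented. */
static void arx_bwd(uint8_t s[4]) {
    s[2] = rotl8(s[2], 4);
    s[1] ^= s[2]; s[3] ^= s[0];
    s[1] = rotl8(s[1], 5); s[3] = rotl8(s[3], 1);
    s[0] -= s[3]; s[2] -= s[1];
    s[0] = rotl8(s[0], 4);
    s[1] ^= s[0]; s[3] ^= s[2];
    s[1] = rotl8(s[1], 6); s[3] = rotl8(s[3], 3);
    s[0] -= s[1]; s[2] -= s[3];
}

static void xor4(uint8_t s[4], const uint8_t *k) { for (int i = 0; i < 4; i++) s[i] ^= k[i]; }

/* Encrypt (dec == 0) or decrypt (dec != 0) a dotted-quad; returns 0, or -1 on bad input. */
int ip4_pseudonymize(const char *in, const uint8_t key[16], int dec, char out[INET_ADDRSTRLEN]) {
    uint8_t s[4];
    if (inet_pton(AF_INET, in, s) != 1) return -1;   /* rejects IPv6 and garbage */
    for (int r = 0; r < 4; r++) {                    /* four subkeys, three permutations */
        xor4(s, key + 4 * (dec ? 3 - r : r));
        if (r < 3) { if (dec) arx_bwd(s); else arx_fwd(s); }
    }
    return inet_ntop(AF_INET, s, out, INET_ADDRSTRLEN) ? 0 : -1;
}

int main(void) {
    const uint8_t key[16] = "constructed-key";       /* constructed sample key */
    char enc[INET_ADDRSTRLEN], dec[INET_ADDRSTRLEN];
    if (ip4_pseudonymize("192.0.2.55", key, 0, enc) || ip4_pseudonymize(enc, key, 1, dec)) return 1;
    printf("192.0.2.55 -> %s -> %s\n", enc, dec);
    return strcmp(dec, "192.0.2.55") != 0;
}
```

The mapping is deterministic under a fixed key, so anyone holding the key can recover the original addresses from logs; the key needs the same protection as the unencrypted data.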

@rgacogne rgacogne force-pushed the rgacogne:ipcrypt branch from e85b2cf to f29fabd Mar 25, 2019

@rgacogne

Member Author

commented Mar 25, 2019

Rebased to fix a conflict.

@rgacogne rgacogne merged commit 839195e into PowerDNS:master Apr 4, 2019

2 checks passed

ci/circleci: build Your tests passed on CircleCI!
continuous-integration/travis-ci/pr The Travis CI build passed

@rgacogne rgacogne deleted the rgacogne:ipcrypt branch Apr 4, 2019

@Habbie Habbie referenced this pull request Apr 5, 2019

Merged

dnsdist: honor libcrypto include path #7674

0 of 8 tasks complete