#include "ipcipher.hh"

#include <limits>
#include <stdexcept>
#include <string>

#include <openssl/aes.h>
#include <openssl/evp.h>

#include "ext/ipcrypt/ipcrypt.h"
5
6 /*
7 int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
8 const unsigned char *salt, int saltlen, int iter,
9 int keylen, unsigned char *out);
10 */
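/**
 * Derive the 128-bit ipcipher key from a password using PBKDF2-HMAC-SHA1.
 *
 * The salt and the iteration count are fixed on purpose: the key has to be
 * reproducible from the password alone (the same password must give the
 * same key on every host and in every run), so a random salt is not an
 * option here. Both constants are part of the scheme's definition —
 * changing either one changes every derived key, and presumably breaks
 * interoperability with other ipcipher implementations. This is key
 * derivation for a pseudonymisation key, not password storage; the usual
 * "per-user random salt" advice does not apply.
 *
 * @param password  Arbitrary bytes (may be empty). Treated as raw bytes,
 *                  not as a NUL-terminated string.
 * @return 16 raw key bytes, suitable for encryptCA()/decryptCA().
 * @throws std::runtime_error if the password does not fit the int length
 *         parameter of the OpenSSL API, or if PBKDF2 itself reports
 *         failure (e.g. the SHA1 digest is unavailable in this build).
 */
std::string makeIPCipherKey(const std::string& password)
{
  static const char salt[] = "ipcipheripcipher";
  static const int iterations = 50000;
  unsigned char out[16];

  // OpenSSL takes the password length as an int; refuse rather than let
  // size_t -> int narrowing wrap to a negative length.
  if (password.size() > static_cast<size_t>(std::numeric_limits<int>::max())) {
    throw std::runtime_error("ipcipher password too long");
  }

  // PKCS5_PBKDF2_HMAC_SHA1 returns 1 on success and 0 on failure. The
  // original code ignored the result, which on failure would have returned
  // the uninitialised contents of `out` as the key — fail loudly instead.
  const int rc = PKCS5_PBKDF2_HMAC_SHA1(password.c_str(),
                                        static_cast<int>(password.size()),
                                        reinterpret_cast<const unsigned char*>(salt),
                                        sizeof(salt) - 1, // salt bytes, without the NUL
                                        iterations,
                                        sizeof(out),
                                        out);
  if (rc != 1) {
    throw std::runtime_error("PBKDF2 key derivation for ipcipher failed");
  }

  return std::string(reinterpret_cast<const char*>(out), sizeof(out));
}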
20
/**
 * Encrypt the 4-byte IPv4 address of `ca` in place of the original, using
 * the ipcrypt block cipher under a 128-bit key.
 *
 * The mapping is deterministic (no IV, no randomness), so equal addresses
 * always produce equal ciphertexts: this pseudonymises addresses, it does
 * not hide whether two records share a source.
 *
 * @param ca   Address whose sin4 member is AF_INET (caller's responsibility).
 * @param key  Exactly 16 raw key bytes, as produced by makeIPCipherKey().
 * @return A copy of `ca` with sin_addr replaced by its encryption; every
 *         other field (family, port, ...) is carried over unchanged.
 * @throws std::runtime_error if the key is not exactly 16 bytes.
 */
static ComboAddress encryptCA4(const ComboAddress& ca, const std::string& key)
{
  if (key.size() != 16) {
    throw std::runtime_error("Need 128 bits of key for ipcrypt");
  }

  ComboAddress encrypted = ca;

  const unsigned char* plain = reinterpret_cast<const unsigned char*>(&ca.sin4.sin_addr.s_addr);
  unsigned char* cipher = reinterpret_cast<unsigned char*>(&encrypted.sin4.sin_addr.s_addr);
  const unsigned char* keyBytes = reinterpret_cast<const unsigned char*>(key.c_str());

  // ipcrypt_encrypt always returns 0; it has no failure mode to check.
  ipcrypt_encrypt(cipher, plain, keyBytes);

  return encrypted;
}
34
/**
 * Inverse of encryptCA4(): recover the original IPv4 address from an
 * ipcrypt-encrypted one, under the same 128-bit key.
 *
 * There is no integrity check anywhere in this scheme: decrypting with the
 * wrong key does not fail, it silently yields some other valid-looking
 * address.
 *
 * @param ca   Address whose sin4 member is AF_INET (caller's responsibility).
 * @param key  Exactly 16 raw key bytes, as produced by makeIPCipherKey().
 * @return A copy of `ca` with sin_addr replaced by its decryption.
 * @throws std::runtime_error if the key is not exactly 16 bytes.
 */
static ComboAddress decryptCA4(const ComboAddress& ca, const std::string& key)
{
  if (key.size() != 16) {
    throw std::runtime_error("Need 128 bits of key for ipcrypt");
  }

  ComboAddress decrypted = ca;

  const unsigned char* cipher = reinterpret_cast<const unsigned char*>(&ca.sin4.sin_addr.s_addr);
  unsigned char* plain = reinterpret_cast<unsigned char*>(&decrypted.sin4.sin_addr.s_addr);
  const unsigned char* keyBytes = reinterpret_cast<const unsigned char*>(key.c_str());

  // ipcrypt_decrypt always returns 0; it has no failure mode to check.
  ipcrypt_decrypt(plain, cipher, keyBytes);

  return decrypted;
}
48
49
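/**
 * Encrypt the 16-byte IPv6 address of `ca` with a single raw AES-128 block.
 *
 * This is one block-cipher invocation with no mode of operation and no IV:
 * the 16-byte address is the block. The mapping is therefore deterministic
 * — equal addresses always encrypt to the same output — which is the
 * intended pseudonymisation behaviour here, not a bug, but it means this
 * provides no semantic security.
 *
 * NOTE(review): the low-level AES_* API is deprecated as of OpenSSL 3.0;
 * the EVP equivalent would be EVP_aes_128_ecb with padding disabled on a
 * single 16-byte block. Left as-is to keep the change minimal.
 *
 * @param ca   Address whose sin6 member is AF_INET6 (caller's responsibility).
 * @param key  Exactly 16 raw key bytes, as produced by makeIPCipherKey().
 * @return A copy of `ca` with sin6_addr replaced by its encryption; every
 *         other field (family, port, scope, ...) is carried over unchanged.
 * @throws std::runtime_error if the key is not exactly 16 bytes or if the
 *         AES key schedule could not be set up.
 */
static ComboAddress encryptCA6(const ComboAddress& ca, const std::string& key)
{
  if (key.size() != 16) {
    throw std::runtime_error("Need 128 bits of key for ipcrypt");
  }

  ComboAddress ret = ca;

  // AES_set_encrypt_key returns 0 on success and a negative value on a bad
  // key pointer or unsupported key length. After the size check above it
  // should not fail, but the original code ignored the result, and an
  // ignored failure would encrypt with an uninitialised key schedule.
  AES_KEY wctx;
  if (AES_set_encrypt_key(reinterpret_cast<const unsigned char*>(key.data()), 128, &wctx) != 0) {
    throw std::runtime_error("AES key setup failed for ipcipher");
  }

  // s6_addr is the raw 16-byte address; exactly one AES block.
  AES_encrypt(ca.sin6.sin6_addr.s6_addr, ret.sin6.sin6_addr.s6_addr, &wctx);

  return ret;
}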
64
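/**
 * Inverse of encryptCA6(): recover the original IPv6 address by decrypting
 * the 16-byte block with AES-128 under the same key.
 *
 * There is no integrity check anywhere in this scheme: decrypting with the
 * wrong key does not fail, it silently yields some other valid-looking
 * address.
 *
 * NOTE(review): the low-level AES_* API is deprecated as of OpenSSL 3.0;
 * the EVP equivalent would be EVP_aes_128_ecb with padding disabled on a
 * single 16-byte block. Left as-is to keep the change minimal.
 *
 * @param ca   Address whose sin6 member is AF_INET6 (caller's responsibility).
 * @param key  Exactly 16 raw key bytes, as produced by makeIPCipherKey().
 * @return A copy of `ca` with sin6_addr replaced by its decryption.
 * @throws std::runtime_error if the key is not exactly 16 bytes or if the
 *         AES key schedule could not be set up.
 */
static ComboAddress decryptCA6(const ComboAddress& ca, const std::string& key)
{
  if (key.size() != 16) {
    throw std::runtime_error("Need 128 bits of key for ipcrypt");
  }

  ComboAddress ret = ca;

  // AES_set_decrypt_key returns 0 on success and a negative value on a bad
  // key pointer or unsupported key length. The original code ignored the
  // result; an ignored failure would decrypt with an uninitialised schedule.
  AES_KEY wctx;
  if (AES_set_decrypt_key(reinterpret_cast<const unsigned char*>(key.data()), 128, &wctx) != 0) {
    throw std::runtime_error("AES key setup failed for ipcipher");
  }

  // s6_addr is the raw 16-byte address; exactly one AES block.
  AES_decrypt(ca.sin6.sin6_addr.s6_addr, ret.sin6.sin6_addr.s6_addr, &wctx);

  return ret;
}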
78
79
/**
 * Encrypt an IPv4 or IPv6 address with ipcipher, dispatching on the
 * address family.
 *
 * @param ca   Address to pseudonymise; must be AF_INET or AF_INET6.
 * @param key  Exactly 16 raw key bytes, as produced by makeIPCipherKey().
 * @return A copy of `ca` whose address bytes have been encrypted; the
 *         family and any other fields are preserved.
 * @throws std::runtime_error for any other address family, or for a key
 *         that is not exactly 16 bytes (raised by the per-family helper).
 */
ComboAddress encryptCA(const ComboAddress& ca, const std::string& key)
{
  switch (ca.sin4.sin_family) {
  case AF_INET:
    return encryptCA4(ca, key);
  case AF_INET6:
    return encryptCA6(ca, key);
  default:
    throw std::runtime_error("ipcrypt can't encrypt non-IP addresses");
  }
}
89
/**
 * Decrypt an ipcipher-encrypted IPv4 or IPv6 address, dispatching on the
 * address family.
 *
 * Nothing here verifies that `key` is the key that was used to encrypt:
 * a wrong key decrypts to some other address without any error.
 *
 * @param ca   Encrypted address; must be AF_INET or AF_INET6.
 * @param key  Exactly 16 raw key bytes, as produced by makeIPCipherKey().
 * @return A copy of `ca` whose address bytes have been decrypted; the
 *         family and any other fields are preserved.
 * @throws std::runtime_error for any other address family, or for a key
 *         that is not exactly 16 bytes (raised by the per-family helper).
 */
ComboAddress decryptCA(const ComboAddress& ca, const std::string& key)
{
  switch (ca.sin4.sin_family) {
  case AF_INET:
    return decryptCA4(ca, key);
  case AF_INET6:
    return decryptCA6(ca, key);
  default:
    throw std::runtime_error("ipcrypt can't decrypt non-IP addresses");
  }
}
99 }