From caff6e160d5d8e065fb6205f1d9301f99b8f7cf1 Mon Sep 17 00:00:00 2001
From: bert hubert
Date: Tue, 6 Feb 2018 13:11:32 +0100
Subject: [PATCH] add key derivatin from password, add ipencrypt/ipdecrypt to pdnsutil & document it
---
 docs/manpages/pdnsutil.1.rst | 8 ++++++++
 pdns/Makefile.am | 1 +
 pdns/ipcrypt.cc | 15 +++++++++++++++
 pdns/ipcrypt.hh | 1 +
 pdns/pdnsutil.cc | 26 ++++++++++++++++++++++++++
 5 files changed, 51 insertions(+)
diff --git a/docs/manpages/pdnsutil.1.rst b/docs/manpages/pdnsutil.1.rst
index 2a5511665b..3b02ccfbc7 100644
--- a/docs/manpages/pdnsutil.1.rst
+++ b/docs/manpages/pdnsutil.1.rst
@@ -232,6 +232,14 @@ bench-db [*FILE*]
 *FILE* can be a file with a list, one per line, of domain names to use for this. If *FILE* is not specified, powerdns.com is used.
+OTHER TOOLS
+-----------
+ipencrypt *IP-ADDRESS* passsword
+ Encrypt an IP address according to the 'ipcipher' standard
+
+ipdecrypt *IP-ADDRESS* passsword
+ Encrypt an IP address according to the 'ipcipher' standard
+
 See also
 --------
diff --git a/pdns/Makefile.am b/pdns/Makefile.am
index 0e8c9eb1fa..2f3feae43e 100644
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
@@ -312,6 +312,7 @@ pdnsutil_SOURCES = \
 ednsoptions.cc ednsoptions.hh \
 ednssubnet.cc \
 gss_context.cc gss_context.hh \
+ ipcrypt.cc ipcrypt.hh ../ext/ipcrypt/ipcrypt.c ../ext/ipcrypt/ipcrypt.h \
 iputils.cc iputils.hh \
 json.cc \
 logger.cc \
diff --git a/pdns/ipcrypt.cc b/pdns/ipcrypt.cc
index 394843d863..173ec4d69b 100644
--- a/pdns/ipcrypt.cc
+++ b/pdns/ipcrypt.cc
@@ -1,6 +1,21 @@
 #include "ipcrypt.hh"
 #include "ext/ipcrypt/ipcrypt.h"
 #include
+#include
+
+/*
+int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
+ const unsigned char *salt, int saltlen, int iter,
+ int keylen, unsigned char *out);
+*/
+std::string makeIPCryptKey(const std::string& password)
+{
+ static const char* salt="ipcryptipcrypt";
+ unsigned char out[16];
+ PKCS5_PBKDF2_HMAC_SHA1(password.c_str(), password.size(), (const unsigned char*)salt, sizeof(salt), 50000, sizeof(out), out);
+
+ return std::string((const char*)out, (const char*)out + sizeof(out));
+}
 static ComboAddress encryptCA4(const ComboAddress& ca, const std::string &key)
 {
diff --git a/pdns/ipcrypt.hh b/pdns/ipcrypt.hh
index 1c9faedd31..cbb8dc5387 100644
--- a/pdns/ipcrypt.hh
+++ b/pdns/ipcrypt.hh
@@ -4,3 +4,4 @@
 ComboAddress encryptCA(const ComboAddress& ca, const std::string& key);
 ComboAddress decryptCA(const ComboAddress& ca, const std::string& key);
+std::string makeIPCryptKey(const std::string& password);
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index cd753330f5..8bd356204a 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -20,6 +20,7 @@
 #include "zoneparser-tng.hh"
 #include "signingpipe.hh"
 #include "dns_random.hh"
+#include "ipcrypt.hh"
 #include
 #include //termios, TCSANOW, ECHO, ICANON
 #include "opensslsigners.hh"
@@ -1002,6 +1003,20 @@ int editZone(DNSSECKeeper& dk, const DNSName &zone) {
 return EXIT_SUCCESS;
 }
+static int xcryptIP(const std::string& cmd, const std::string& ip, const std::string& key)
+{
+ string rkey = makeIPCryptKey(key);
+ ComboAddress ca(ip), ret;
+
+ if(cmd=="ipencrypt")
+ ret = encryptCA(ca, rkey);
+ else
+ ret = decryptCA(ca, rkey);
+
+ cout<
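Review bot: `sizeof(salt)` in the PKCS5_PBKDF2_HMAC_SHA1 call in makeIPCryptKey is the size of a `const char*`, not of the salt string, so only the first 4 or 8 bytes of "ipcryptipcrypt" are used and the derived key differs between 32-bit and 64-bit builds; declare the salt as an array, `static const char salt[] = "ipcryptipcrypt";`, and pass `sizeof(salt) - 1` as saltlen (the function is new in this patch, so nothing stored depends on the current value yet). The return value of PKCS5_PBKDF2_HMAC_SHA1 is also ignored, and on failure (return 0) `out` is uninitialised and would be handed to encryptCA/decryptCA as the key. The manpage hunk describes this as the 'ipcipher' standard while the salt literal spells 'ipcrypt'; if that standard fixes its own salt and iteration count, the literal should be checked against it. The commented-out prototype above the function duplicates the OpenSSL header and can be dropped; the rewrite below also replaces the C-style casts and the silent size_t-to-int narrowing of the password length (std::runtime_error needs <stdexcept>, or use the project's own exception type).
```cpp
std::string makeIPCryptKey(const std::string& password)
{
  static const char salt[] = "ipcryptipcrypt";
  unsigned char out[16];
  if (PKCS5_PBKDF2_HMAC_SHA1(password.c_str(), static_cast<int>(password.size()),
                             reinterpret_cast<const unsigned char*>(salt), sizeof(salt) - 1,
                             50000, sizeof(out), out) != 1)
    throw std::runtime_error("PBKDF2 key derivation for ipcrypt failed");
  return std::string(reinterpret_cast<const char*>(out), sizeof(out));
}
```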
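Review bot: The new makeIPCryptKey declaration says nothing about what it returns or how it is derived, while callers (xcryptIP in pdnsutil.cc in this same patch) need to know that the result is the key expected by encryptCA/decryptCA and that it is deterministic. A comment on the declaration would do, e.g. `// Derive the 16-byte ipcrypt key from a password (PBKDF2-HMAC-SHA1, fixed salt, 50000 iterations); deterministic, so the same password always yields the same key.`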