From e41aadebfe3f2f702a12d8b85d59f4111c322f64 Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Mon, 8 Nov 2021 12:14:31 +0100 Subject: [PATCH] auth,dnsdist: Add an option to disable 'ipcipher' during configure --- configure.ac | 2 ++ m4/pdns_enable_ipcipher.m4 | 18 ++++++++++++++++++ pdns/dnsdist-console.cc | 2 ++ pdns/dnsdist-lua-actions.cc | 10 ++++------ pdns/dnsdist.cc | 2 +- pdns/dnsdistdist/configure.ac | 3 ++- .../dnsdist-lua-bindings-protobuf.cc | 9 +++------ pdns/dnsdistdist/m4/pdns_enable_ipcipher.m4 | 1 + pdns/dnswasher.cc | 10 ++++++++++ pdns/ipcipher.cc | 3 +++ pdns/ipcipher.hh | 4 ++++ pdns/pdnsutil.cc | 8 +++++++- pdns/test-ipcrypt_cc.cc | 6 +++++- 13 files changed, 62 insertions(+), 16 deletions(-) create mode 100644 m4/pdns_enable_ipcipher.m4 create mode 120000 pdns/dnsdistdist/m4/pdns_enable_ipcipher.m4 diff --git a/configure.ac b/configure.ac index 249f2cdb39..efa0adfa78 100644 --- a/configure.ac +++ b/configure.ac @@ -106,6 +106,8 @@ AS_IF([test "x$enable_dns_over_tls" != "xno"], [ ]) ]) +PDNS_ENABLE_IPCIPHER + PDNS_CHECK_RAGEL([pdns/dnslabeltext.cc], [www.powerdns.com]) PDNS_CHECK_CLOCK_GETTIME diff --git a/m4/pdns_enable_ipcipher.m4 b/m4/pdns_enable_ipcipher.m4 new file mode 100644 index 0000000000..9b0343c3c2 --- /dev/null +++ b/m4/pdns_enable_ipcipher.m4 @@ -0,0 +1,18 @@ +AC_DEFUN([PDNS_ENABLE_IPCIPHER], [ + AC_MSG_CHECKING([whether to enable ipcipher support]) + AC_ARG_ENABLE([ipcipher], + AS_HELP_STRING([--enable-ipcipher], [enable ipcipher support (requires libcrypto) @<:@default=yes@:>@]), + [enable_ipcipher=$enableval], + [enable_ipcipher=yes] + ) + AC_MSG_RESULT([$enable_ipcipher]) + AM_CONDITIONAL([IPCIPHER], [test "x$enable_ipcipher" != "xno"]) + + AM_COND_IF([IPCIPHER], [ + AM_COND_IF([HAVE_LIBCRYPTO], [ + AC_DEFINE([HAVE_IPCIPHER], [1], [Define to 1 if you enable ipcipher support]) + ],[ + AC_MSG_ERROR([ipcipher support requested but libcrypto is not available]) + ]) + ]) +]) 
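Review bot: `AM_COND_IF([HAVE_LIBCRYPTO], …)` inside PDNS_ENABLE_IPCIPHER only works if the HAVE_LIBCRYPTO automake conditional has already been declared by the time the macro is expanded; automake rejects an AM_COND_IF on an undefined conditional, so where this macro sits relative to the libcrypto check in each configure.ac matters, and that ordering is not visible in the hunk. Because the default is `yes` and the no-libcrypto branch is `AC_MSG_ERROR`, a host without libcrypto now fails configure instead of quietly building without ipcipher, which is what the old `HAVE_LIBCRYPTO` guards being replaced elsewhere in this patch did; if that tightening is intended it deserves a sentence in the help text, otherwise an `auto` default that only errors when the user explicitly passed `--enable-ipcipher` is the usual shape. With a `yes` default the help string would also conventionally document the opt-out, `AS_HELP_STRING([--disable-ipcipher], [disable ipcipher support (requires libcrypto)])`.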
diff --git a/pdns/dnsdist-console.cc b/pdns/dnsdist-console.cc index b7951303f7..7682d432a8 100644 --- a/pdns/dnsdist-console.cc +++ b/pdns/dnsdist-console.cc @@ -505,7 +505,9 @@ const std::vector g_consoleKeywords{ { "LuaFFIRule", true, "function", "Invoke a Lua FFI function that filters DNS questions" }, { "LuaResponseAction", true, "function", "Invoke a Lua function that accepts a DNSResponse" }, { "LuaRule", true, "function", "Invoke a Lua function that filters DNS questions" }, +#ifdef HAVE_IPCIPHER { "makeIPCipherKey", true, "password", "generates a 16-byte key that can be used to pseudonymize IP addresses with IP cipher" }, +#endif /* HAVE_IPCIPHER */ { "makeKey", true, "", "generate a new server access key, emit configuration line ready for pasting" }, { "makeRule", true, "rule", "Make a NetmaskGroupRule() or a SuffixMatchNodeRule(), depending on how it is called" } , { "MaxQPSIPRule", true, "qps, [v4Mask=32 [, v6Mask=64 [, burst=qps [, expiration=300 [, cleanupDelay=60]]]]]", "matches traffic exceeding the qps limit per subnet" }, diff --git a/pdns/dnsdist-lua-actions.cc b/pdns/dnsdist-lua-actions.cc index 2fc71acfa6..490a8b152a 100644 --- a/pdns/dnsdist-lua-actions.cc +++ b/pdns/dnsdist-lua-actions.cc @@ -39,9 +39,7 @@ #include -#ifdef HAVE_LIBCRYPTO #include "ipcipher.hh" -#endif /* HAVE_LIBCRYPTO */ class DropAction : public DNSAction { @@ -1469,12 +1467,12 @@ public: message.setServerIdentity(d_serverID); } -#if HAVE_LIBCRYPTO +#if HAVE_IPCIPHER if (!d_ipEncryptKey.empty()) { message.setRequestor(encryptCA(*dq->remote, d_ipEncryptKey)); } -#endif /* HAVE_LIBCRYPTO */ +#endif /* HAVE_IPCIPHER */ if (d_alterFunc) { auto lock = g_lua.lock(); @@ -1599,12 +1597,12 @@ public: message.setServerIdentity(d_serverID); } -#if HAVE_LIBCRYPTO +#if HAVE_IPCIPHER if (!d_ipEncryptKey.empty()) { message.setRequestor(encryptCA(*dr->remote, d_ipEncryptKey)); } -#endif /* HAVE_LIBCRYPTO */ +#endif /* HAVE_IPCIPHER */ if (d_alterFunc) { auto lock = g_lua.lock(); 
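Review bot: In both dnsdist-lua-actions.cc hunks the `if (!d_ipEncryptKey.empty())` block compiles out when HAVE_IPCIPHER is undefined, but `d_ipEncryptKey` itself still exists, so an operator who configures a key on a build without ipcipher presumably gets the unpseudonymised client address in the exported message with no warning at all — the privacy control silently disappears. Whether the option is still accepted is decided in the action constructor, which is outside the hunk; if it is, rejecting it at configuration time is safer than ignoring it, e.g. in an `#else` branch where the key is parsed: `if (!d_ipEncryptKey.empty()) throw std::runtime_error("ipEncryptKey set but dnsdist was built without ipcipher support");`. Separately, these two guards use `#if HAVE_IPCIPHER` while every other guard in the patch uses `#ifdef HAVE_IPCIPHER`; the `#if` form relies on an undefined macro evaluating to 0 and trips `-Wundef`, so `#ifdef` would be consistent. Both enclosing functions start and end outside the hunks.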
diff --git a/pdns/dnsdist.cc b/pdns/dnsdist.cc index 896075afea..6f97643911 100644 --- a/pdns/dnsdist.cc +++ b/pdns/dnsdist.cc @@ -2378,7 +2378,7 @@ int main(int argc, char** argv) #ifdef HAVE_FSTRM cout<<"fstrm "; #endif -#ifdef HAVE_LIBCRYPTO +#ifdef HAVE_IPCIPHER cout<<"ipcipher "; #endif #ifdef HAVE_LIBSODIUM diff --git a/pdns/dnsdistdist/configure.ac b/pdns/dnsdistdist/configure.ac index 774ace1c45..eb1006f3b8 100644 --- a/pdns/dnsdistdist/configure.ac +++ b/pdns/dnsdistdist/configure.ac @@ -100,6 +100,7 @@ PDNS_WITH_NGHTTP2 PDNS_CHECK_CDB PDNS_CHECK_LMDB +PDNS_ENABLE_IPCIPHER AX_CXX_COMPILE_STDCXX_17([noext], [mandatory]) @@ -182,7 +183,7 @@ AS_IF([test "x$systemd" != "xn"], [AC_MSG_NOTICE([systemd: yes])], [AC_MSG_NOTICE([systemd: no])] ) -AS_IF([test "x$LIBCRYPTO_LIBS" != "x"], +AS_IF([test "x$enable_ipcipher" != "xno"], [AC_MSG_NOTICE([ipcipher: yes])], [AC_MSG_NOTICE([ipcipher: no])] ) diff --git a/pdns/dnsdistdist/dnsdist-lua-bindings-protobuf.cc b/pdns/dnsdistdist/dnsdist-lua-bindings-protobuf.cc index 373c8412c6..734eb8178d 100644 --- a/pdns/dnsdistdist/dnsdist-lua-bindings-protobuf.cc +++ b/pdns/dnsdistdist/dnsdist-lua-bindings-protobuf.cc @@ -26,11 +26,8 @@ #include "dnsdist-protobuf.hh" #include "dnstap.hh" #include "fstrm_logger.hh" -#include "remote_logger.hh" - -#ifdef HAVE_LIBCRYPTO #include "ipcipher.hh" -#endif /* HAVE_LIBCRYPTO */ +#include "remote_logger.hh" #ifdef HAVE_FSTRM static void parseFSTRMOptions(const boost::optional>& params, std::unordered_map& options) @@ -51,7 +48,7 @@ static void parseFSTRMOptions(const boost::optional("ipencrypt", [](const ComboAddress& ca, const std::string& key) { return encryptCA(ca, key); }); 
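Review bot: The summary line `AS_IF([test "x$enable_ipcipher" != "xno"], [AC_MSG_NOTICE([ipcipher: yes])], …)` reports the user's flag rather than whether HAVE_IPCIPHER was actually defined; it is only truthful because PDNS_ENABLE_IPCIPHER aborts when libcrypto is absent, so the two must stay coupled if the macro's error branch is ever relaxed. PDNS_ENABLE_IPCIPHER is invoked immediately after PDNS_CHECK_LMDB here and internally uses `AM_COND_IF([HAVE_LIBCRYPTO])`, which requires that conditional to have been declared earlier in this configure.ac — the libcrypto check is not in the hunk, so the ordering is worth confirming. A one-line comment above the call, `# must come after the libcrypto check: the macro tests the HAVE_LIBCRYPTO conditional`, would guard against a later reorder.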
@@ -62,7 +59,7 @@ void setupLuaBindingsProtoBuf(LuaContext& luaCtx, bool client, bool configCheck) luaCtx.writeFunction("makeIPCipherKey", [](const std::string& password) { return makeIPCipherKey(password); }); -#endif /* HAVE_LIBCRYPTO */ +#endif /* HAVE_IPCIPHER */ /* ProtobufMessage */ luaCtx.registerFunction("setTag", [](DNSDistProtoBufMessage& message, const std::string& strValue) { diff --git a/pdns/dnsdistdist/m4/pdns_enable_ipcipher.m4 b/pdns/dnsdistdist/m4/pdns_enable_ipcipher.m4 new file mode 120000 index 0000000000..547f4b1afa --- /dev/null +++ b/pdns/dnsdistdist/m4/pdns_enable_ipcipher.m4 @@ -0,0 +1 @@ +../../../m4/pdns_enable_ipcipher.m4 \ No newline at end of file diff --git a/pdns/dnswasher.cc b/pdns/dnswasher.cc index c9d09d7a4c..5a6b2001f5 100644 --- a/pdns/dnswasher.cc +++ b/pdns/dnswasher.cc @@ -37,6 +37,8 @@ otherwise, obfuscate the response IP address #ifdef HAVE_CONFIG_H #include "config.h" #endif + +#ifdef HAVE_IPCIPHER #include "statbag.hh" #include "dnspcap.hh" #include "iputils.hh" @@ -272,3 +274,11 @@ catch(std::exception& e) { cerr<<"Fatal: "< #include +#ifdef HAVE_IPCIPHER /* int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, @@ -97,3 +98,5 @@ ComboAddress decryptCA(const ComboAddress& ca, const std::string& key) throw std::runtime_error("ipcrypt can't decrypt non-IP addresses"); } + +#endif /* HAVE_IPCIPHER */ diff --git a/pdns/ipcipher.hh b/pdns/ipcipher.hh index cbb932d8f3..64037de212 100644 --- a/pdns/ipcipher.hh +++ b/pdns/ipcipher.hh @@ -1,9 +1,13 @@ #pragma once +#include "config.h" + #include "iputils.hh" #include // see https://powerdns.org/ipcipher +#ifdef HAVE_IPCIPHER ComboAddress encryptCA(const ComboAddress& ca, const std::string& key); ComboAddress decryptCA(const ComboAddress& ca, const std::string& key); std::string makeIPCipherKey(const std::string& password); +#endif /* HAVE_IPCIPHER */ 
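Review bot: `ipcipher.hh` now does `#include "config.h"` unconditionally, whereas the pattern elsewhere in this tree — visible in dnswasher.cc in this same patch — is `#ifdef HAVE_CONFIG_H` / `#include "config.h"` / `#endif`; any translation unit or out-of-tree consumer compiled without a generated config.h will fail on the header itself. Keeping the guard is cheap and preserves the useful property of the new `#ifdef HAVE_IPCIPHER` block: when the define is not visible the three declarations vanish and a caller fails at compile time rather than at link time, which is the right failure mode. A short comment on that block, `// only declared when built with --enable-ipcipher (needs libcrypto); see m4/pdns_enable_ipcipher.m4`, would tell a reader why the header can be empty. The ipcipher.cc hunk depends on the same define being visible before its `#ifdef`, and whether that file includes config.h (directly or via ipcipher.hh) is not shown here.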
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc index 130fc2a4ee..4792fae681 100644 --- a/pdns/pdnsutil.cc +++ b/pdns/pdnsutil.cc @@ -1344,6 +1344,7 @@ static int editZone(const DNSName &zone) { return EXIT_SUCCESS; } +#ifdef HAVE_IPCIPHER static int xcryptIP(const std::string& cmd, const std::string& ip, const std::string& rkey) { @@ -1357,7 +1358,7 @@ static int xcryptIP(const std::string& cmd, const std::string& ip, const std::st cout< #include "ipcipher.hh" #include "misc.hh" @@ -66,5 +69,6 @@ BOOST_AUTO_TEST_CASE(test_ipcrypt6) BOOST_CHECK_EQUAL(ca.toString(), decrypted.toString()); } - BOOST_AUTO_TEST_SUITE_END() + +#endif /* HAVE_IPCIPHER */ -- 2.47.2
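Review bot: `xcryptIP` is now compiled only under HAVE_IPCIPHER, but the hunk does not show what the `ipencrypt`/`ipdecrypt` command dispatch does on a build without it — the surrounding code in `main` is outside the hunk, and the diffstat's seven added lines leave room for either a matching guard or nothing. If the call sites are simply compiled away, those commands fall through to pdnsutil's unknown-command handling, which is less helpful to an operator than an explicit `#else` branch such as `cerr<<"pdnsutil was built without ipcipher support"<<endl; return 1;`. The same consideration applies to dnswasher.cc in this patch, whose eight added lines for the non-ipcipher path are not legible here; the test file being guarded out entirely is fine, but it does mean a `--disable-ipcipher` build reports no ipcipher tests rather than a skipped suite.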