
Commit cc71db2

committed
Add ipcrypt-pfx
1 parent 8de235a commit cc71db2


2 files changed

+28
-1
lines changed


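--- a/dnscrypt-proxy/example-dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/example-dnscrypt-proxy.toml
@@ -964,6 +964,7 @@ skip_incompatible = false
 ## - "ipcrypt-deterministic": Deterministic encryption (same IP always encrypts to same value) - requires 16-byte key
 ## - "ipcrypt-nd": Non-deterministic encryption with 8-byte tweak - requires 16-byte key
 ## - "ipcrypt-ndx": Non-deterministic encryption with 16-byte tweak (extended) - requires 32-byte key
+## - "ipcrypt-pfx": Prefix-preserving encryption (preserves network prefix relationships) - requires 32-byte key
 
 algorithm = "none"
 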
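Review bot: The new comment line says what ipcrypt-pfx preserves but not what that costs an operator who enables it for anonymization: because prefix relationships survive encryption, two client addresses from the same network stay recognizably related in the output, unlike the deterministic/nd/ndx modes listed above it. A follow-on line such as `## Note: pfx keeps subnet structure visible in the output; pick it only when that grouping is needed` would put the trade-off next to the key-size note where the mode is chosen.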
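--- a/dnscrypt-proxy/ipcrypt.go
+++ b/dnscrypt-proxy/ipcrypt.go
@@ -67,8 +67,14 @@ func NewIPCryptConfig(keyHex string, algorithm string) (*IPCryptConfig, error) {
 }
 config.Tweak = make([]byte, 16)
 
+case "ipcrypt-pfx":
+// Prefix-preserving encryption
+if len(key) != 32 {
+return nil, fmt.Errorf("ipcrypt-pfx requires a 32-byte (64 hex chars) key, got %d bytes", len(key))
+}
+
 default:
-return nil, fmt.Errorf("unsupported IP encryption algorithm: %s (must be 'ipcrypt-deterministic', 'ipcrypt-nd', 'ipcrypt-ndx', or 'none')", algorithm)
+return nil, fmt.Errorf("unsupported IP encryption algorithm: %s (must be 'ipcrypt-deterministic', 'ipcrypt-nd', 'ipcrypt-ndx', 'ipcrypt-pfx', or 'none')", algorithm)
 }
 
 return config, nil
@@ -113,6 +119,14 @@ func (config *IPCryptConfig) EncryptIP(ip net.IP) (string, error) {
 // Return as hex string for non-deterministic modes
 return hex.EncodeToString(encrypted), nil
 
+case "ipcrypt-pfx":
+// Prefix-preserving encryption
+encrypted, err := ipcrypt.EncryptIPPfx(ip, config.Key)
+if err != nil {
+return "", fmt.Errorf("failed to encrypt IP (pfx): %w", err)
+}
+return encrypted.String(), nil
+
 default:
 return "", fmt.Errorf("unsupported algorithm: %s", config.Algorithm)
 }
@@ -182,6 +196,18 @@ func (config *IPCryptConfig) DecryptIP(encryptedStr string) (string, error) {
 }
 return decrypted, nil
 
+case "ipcrypt-pfx":
+// Decrypt prefix-preserving encrypted IP
+ip := net.ParseIP(encryptedStr)
+if ip == nil {
+return "", fmt.Errorf("invalid encrypted IP address: %s", encryptedStr)
+}
+decrypted, err := ipcrypt.DecryptIPPfx(ip, config.Key)
+if err != nil {
+return "", fmt.Errorf("failed to decrypt IP (pfx): %w", err)
+}
+return decrypted.String(), nil
+
 default:
 return "", fmt.Errorf("unsupported algorithm: %s", config.Algorithm)
 }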
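Review bot: In DecryptIP's new ipcrypt-pfx case, `net.ParseIP(encryptedStr)` yields the 16-byte form even for an IPv4 literal, so if ipcrypt.DecryptIPPfx picks the IPv4 or IPv6 path by slice length the value would be decrypted as IPv6 and not round-trip with what EncryptIP produced; normalizing first with `if v4 := ip.To4(); v4 != nil { ip = v4 }` removes the ambiguity, or confirm the library performs that check itself (its implementation is not visible here). The invalid-input error also echoes the caller-supplied string with `%s`; `%q` keeps an empty or control-character value readable in logs: `return "", fmt.Errorf("invalid encrypted IP address: %q", encryptedStr)`. DecryptIP's body starts and ends outside the hunk.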
