
Commit cef59de

committed
No need for a global tweak in non-deterministic ipcrypt
1 parent c7ce866 commit cef59de

1 file changed

Lines changed: 10 additions & 12 deletions


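--- a/dnscrypt-proxy/ipcrypt.go
+++ b/dnscrypt-proxy/ipcrypt.go
@@ -15,7 +15,6 @@ import (
 type IPCryptConfig struct {
 	Key []byte
 	Algorithm string
-	Tweak []byte // For non-deterministic modes
 }
 
 // NewIPCryptConfig creates a new IPCryptConfig from configuration values
@@ -58,14 +57,12 @@ func NewIPCryptConfig(keyHex string, algorithm string) (*IPCryptConfig, error) {
 		if len(key) != 16 {
 			return nil, fmt.Errorf("ipcrypt-nd requires a 16-byte (32 hex chars) key, got %d bytes", len(key))
 		}
-		config.Tweak = make([]byte, 8)
 
 	case "ipcrypt-ndx":
 		// Extended non-deterministic with 16-byte tweak
 		if len(key) != 32 {
 			return nil, fmt.Errorf("ipcrypt-ndx requires a 32-byte (64 hex chars) key, got %d bytes", len(key))
 		}
-		config.Tweak = make([]byte, 16)
 
 	case "ipcrypt-pfx":
 		// Prefix-preserving encryption
@@ -96,23 +93,24 @@ func (config *IPCryptConfig) EncryptIP(ip net.IP) (string, error) {
 		return encrypted.String(), nil
 
 	case "ipcrypt-nd":
-		// Non-deterministic: generate random tweak for this encryption
-		if _, err := rand.Read(config.Tweak); err != nil {
+		// Non-deterministic with 8-byte random tweak
+		tweak := make([]byte, 8)
+		if _, err := rand.Read(tweak); err != nil {
 			return "", fmt.Errorf("failed to generate random tweak: %w", err)
 		}
-		encrypted, err := ipcrypt.EncryptIPNonDeterministic(ip.String(), config.Key, config.Tweak)
+		encrypted, err := ipcrypt.EncryptIPNonDeterministic(ip.String(), config.Key, tweak)
 		if err != nil {
 			return "", fmt.Errorf("failed to encrypt IP (nd): %w", err)
 		}
-		// Return as hex string for non-deterministic modes since they return bytes
 		return hex.EncodeToString(encrypted), nil
 
 	case "ipcrypt-ndx":
-		// Extended non-deterministic: generate random tweak
-		if _, err := rand.Read(config.Tweak); err != nil {
+		// Extended non-deterministic with 16-byte random tweak
+		tweak := make([]byte, 16)
+		if _, err := rand.Read(tweak); err != nil {
 			return "", fmt.Errorf("failed to generate random tweak: %w", err)
 		}
-		encrypted, err := ipcrypt.EncryptIPNonDeterministicX(ip.String(), config.Key, config.Tweak)
+		encrypted, err := ipcrypt.EncryptIPNonDeterministicX(ip.String(), config.Key, tweak)
 		if err != nil {
 			return "", fmt.Errorf("failed to encrypt IP (ndx): %w", err)
 		}
@@ -146,8 +144,8 @@ func (config *IPCryptConfig) EncryptIPString(ipStr string) string {
 
 	encrypted, err := config.EncryptIP(ip)
 	if err != nil {
-		dlog.Warnf("Failed to encrypt IP %s: %v", ipStr, err)
-		return ipStr
+		dlog.Warnf("Failed to encrypt IP: %v", err)
+		return "[encrypted]"
 	}
 
 	return encrypted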
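Review bot: The per-call `tweak` in the ipcrypt-nd and ipcrypt-ndx cases of EncryptIP is what keeps two encryptions of the same address unlinkable, so it must be filled from `crypto/rand`; the import block is outside this hunk, so please confirm `rand` resolves to `crypto/rand` and not `math/rand`, and document it at the first `make`: `// tweak must be fresh, unpredictable randomness (crypto/rand); a reused or guessable tweak lets identical addresses be correlated`. The removed "Return as hex string" comment was the only place explaining why the nd/ndx branches return hex while the other branches return `encrypted.String()`; the new `// Non-deterministic with 8-byte random tweak` comment could carry that sentence too. With an 8-byte tweak, ipcrypt-nd is presumably subject to the usual birthday bound (tweak repeats become likely around 2^32 encryptions under one key), which seems worth a one-line note pointing users with very high volumes to ipcrypt-ndx — confirm against the ipcrypt spec. EncryptIP's body starts and ends outside the hunk, so the `import` block and the remaining cases were not reviewed.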
