Merge branch 'master' of github.com:DNSCrypt/dnscrypt-proxy

Author: Gedsh

.github/workflows/codeql-analysis.yml

@@ -13,12 +13,12 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         fetch-depth: 2
 
     - name: Setup Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
       with:
         go-version-file: 'go.mod'
 

.github/workflows/releases.yml

@@ -35,10 +35,10 @@ jobs:
           echo "Tag version: $VERSION"
 
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: 1
           check-latest: true

ChangeLog

@@ -1,4 +1,10 @@
-# Version 2.1.14 (not released yet)
+# Version 2.1.14
+ - Added support for client IP address encryption in logs using IPCrypt
+(https://ipcrypt-std.github.io/). Three algorithms are supported:
+deterministic, non-deterministic with 8-byte tweak, and extended
+non-deterministic with 16-byte tweak.
+ - Enhanced pattern rule documentation with better examples.
+ - Fixed an issue where nil client addresses could cause crashes.
 
 # Version 2.1.13
  - Fixed race conditions in WebSocket handling for the monitoring dashboard,

dnscrypt-proxy/common.go

@@ -161,7 +161,7 @@ func ExtractHostAndPort(str string, defaultPort int) (host string, port int) {
 			host, port = host[:idx], portX
 		}
 	}
-	return
+	return host, port
 }
 
 // ReadTextFile reads a file and returns its contents as a string.
@@ -180,6 +180,9 @@ func isDigit(b byte) bool { return b >= '0' && b <= '9' }
 
 // ExtractClientIPStr extracts client IP string from pluginsState based on protocol
 func ExtractClientIPStr(pluginsState *PluginsState) (string, bool) {
+	if pluginsState.clientAddr == nil {
+		return "", false
+	}
 	switch pluginsState.clientProto {
 	case "udp":
 		return (*pluginsState.clientAddr).(*net.UDPAddr).IP.String(), true
@@ -190,6 +193,15 @@ func ExtractClientIPStr(pluginsState *PluginsState) (string, bool) {
 	}
 }
 
+// ExtractClientIPStrEncrypted extracts and optionally encrypts client IP string
+func ExtractClientIPStrEncrypted(pluginsState *PluginsState, ipCryptConfig *IPCryptConfig) (string, bool) {
+	ipStr, ok := ExtractClientIPStr(pluginsState)
+	if !ok || ipCryptConfig == nil {
+		return ipStr, ok
+	}
+	return ipCryptConfig.EncryptIPString(ipStr), ok
+}
+
 // FormatLogLine formats a log line based on the specified format (tsv or ltsv)
 func FormatLogLine(format, clientIP, qName, reason string, additionalFields ...string) (string, error) {
 	if format == "tsv" {

dnscrypt-proxy/common_test.go

@@ -0,0 +1,88 @@
+package main
+
+import (
+	"net"
+	"testing"
+)
+
+func TestExtractClientIPStr(t *testing.T) {
+	tests := []struct {
+		name         string
+		pluginsState *PluginsState
+		wantIP       string
+		wantOK       bool
+	}{
+		{
+			name: "nil clientAddr should return empty",
+			pluginsState: &PluginsState{
+				clientProto: "tcp",
+				clientAddr:  nil,
+			},
+			wantIP: "",
+			wantOK: false,
+		},
+		{
+			name: "valid UDP address",
+			pluginsState: &PluginsState{
+				clientProto: "udp",
+				clientAddr: func() *net.Addr {
+					addr := net.Addr(
+						&net.UDPAddr{
+							IP:   net.ParseIP("192.168.1.1"),
+							Port: 53,
+						},
+					)
+					return &addr
+				}(),
+			},
+			wantIP: "192.168.1.1",
+			wantOK: true,
+		},
+		{
+			name: "valid TCP address",
+			pluginsState: &PluginsState{
+				clientProto: "tcp",
+				clientAddr: func() *net.Addr {
+					addr := net.Addr(
+						&net.TCPAddr{
+							IP:   net.ParseIP("10.0.0.1"),
+							Port: 53,
+						},
+					)
+					return &addr
+				}(),
+			},
+			wantIP: "10.0.0.1",
+			wantOK: true,
+		},
+		{
+			name: "unknown protocol",
+			pluginsState: &PluginsState{
+				clientProto: "unknown",
+				clientAddr: func() *net.Addr {
+					addr := net.Addr(
+						&net.TCPAddr{
+							IP:   net.ParseIP("10.0.0.1"),
+							Port: 53,
+						},
+					)
+					return &addr
+				}(),
+			},
+			wantIP: "",
+			wantOK: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotIP, gotOK := ExtractClientIPStr(tt.pluginsState)
+			if gotIP != tt.wantIP {
+				t.Errorf("ExtractClientIPStr() IP = %v, want %v", gotIP, tt.wantIP)
+			}
+			if gotOK != tt.wantOK {
+				t.Errorf("ExtractClientIPStr() OK = %v, want %v", gotOK, tt.wantOK)
+			}
+		})
+	}
+}

dnscrypt-proxy/config.go

@@ -105,6 +105,7 @@ type Config struct {
 	DoHClientX509AuthLegacy  DoHClientX509AuthConfig     `toml:"tls_client_auth"`
 	DNS64                    DNS64Config                 `toml:"dns64"`
 	EDNSClientSubnet         []string                    `toml:"edns_client_subnet"`
+	IPEncryption             IPEncryptionConfig          `toml:"ip_encryption"`
 }
 
 func newConfig() Config {
@@ -291,6 +292,11 @@ type DNS64Config struct {
 	Resolvers []string `toml:"resolver"`
 }
 
+type IPEncryptionConfig struct {
+	Key       string `toml:"key"`
+	Algorithm string `toml:"algorithm"`
+}
+
 type CaptivePortalsConfig struct {
 	MapFile string `toml:"map_file"`
 }
@@ -449,6 +455,11 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
 	// Configure DNS64
 	configureDNS64(proxy, &config)
 
+	// Configure IP encryption
+	if err := configureIPEncryption(proxy, &config); err != nil {
+		return err
+	}
+
 	// Configure source restrictions
 	configureSourceRestrictions(proxy, flags, &config)
 
@@ -544,6 +555,19 @@ func configureDNS64(proxy *Proxy, config *Config) {
 	proxy.dns64Resolvers = config.DNS64.Resolvers
 }
 
+// configureIPEncryption - Helper function for IP encryption
+func configureIPEncryption(proxy *Proxy, config *Config) error {
+	ipCryptConfig, err := NewIPCryptConfig(
+		config.IPEncryption.Key,
+		config.IPEncryption.Algorithm,
+	)
+	if err != nil {
+		return fmt.Errorf("IP encryption configuration error: %w", err)
+	}
+	proxy.ipCryptConfig = ipCryptConfig
+	return nil
+}
+
 func (config *Config) printRegisteredServers(proxy *Proxy, jsonOutput bool, includeRelays bool) error {
 	var summary []ServerSummary
 	if includeRelays {

dnscrypt-proxy/crypto.go

@@ -69,7 +69,7 @@ func ComputeSharedKey(
 			}
 		}
 	}
-	return
+	return sharedKey
 }
 
 func (proxy *Proxy) Encrypt(
@@ -116,7 +116,7 @@ func (proxy *Proxy) Encrypt(
 	}
 	if QueryOverhead+len(packet)+1 > paddedLength {
 		err = errors.New("Question too large; cannot be padded")
-		return
+		return sharedKey, encrypted, clientNonce, err
 	}
 	encrypted = append(serverInfo.MagicQuery[:], publicKey[:]...)
 	encrypted = append(encrypted, nonce[:HalfNonceSize]...)
@@ -128,7 +128,7 @@ func (proxy *Proxy) Encrypt(
 		copy(xsalsaNonce[:], nonce)
 		encrypted = secretbox.Seal(encrypted, padded, &xsalsaNonce, sharedKey)
 	}
-	return
+	return sharedKey, encrypted, clientNonce, err
 }
 
 func (proxy *Proxy) Decrypt(

dnscrypt-proxy/dnscrypt_certs.go

@@ -74,7 +74,7 @@ func FetchCurrentDNSCryptCert(
 	now := uint32(time.Now().Unix())
 	certInfo := CertInfo{CryptoConstruction: UndefinedConstruction}
 	highestSerial := uint32(0)
-	var certCountStr string
+	certCountStr := ""
 	for _, answerRr := range in.Answer {
 		var txt string
 		if t, ok := answerRr.(*dns.TXT); !ok {

dnscrypt-proxy/example-dnscrypt-proxy.toml

@@ -790,7 +790,7 @@ prefix = ''
 ### Quad9
 
 # [sources.quad9-resolvers]
-#   urls = ['https://quad9.net/dnscrypt/quad9-resolvers.md', 'https://raw.githubusercontent.com/Quad9DNS/dnscrypt-settings/main/dnscrypt/quad9-resolvers.md']
+#   urls = ['https://quad9.net/dnscrypt/quad9-resolvers.md']
 #   minisign_key = 'RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN'
 #   cache_file = 'quad9-resolvers.md'
 #   prefix = 'quad9-'
@@ -949,6 +949,36 @@ skip_incompatible = false
 # resolver = ['[2606:4700:4700::64]:53', '[2001:4860:4860::64]:53']
 
 
+###############################################################################
+#                           IP Encryption                                      #
+###############################################################################
+
+[ip_encryption]
+
+## Encrypt client IP addresses in plugin logs using IPCrypt
+## This provides privacy for client IP addresses while maintaining
+## the ability to distinguish between different clients in logs
+
+## Encryption algorithm (default: "none")
+## - "none": No encryption (default)
+## - "ipcrypt-deterministic": Deterministic encryption (same IP always encrypts to same value) - requires 16-byte key
+## - "ipcrypt-nd": Non-deterministic encryption with 8-byte tweak - requires 16-byte key
+## - "ipcrypt-ndx": Non-deterministic encryption with 16-byte tweak (extended) - requires 32-byte key
+
+algorithm = "none"
+
+## Encryption key in hexadecimal format (required if algorithm is not "none")
+## Key size depends on algorithm:
+## - ipcrypt-deterministic: 32 hex chars (16 bytes) - Generate with: openssl rand -hex 16
+## - ipcrypt-nd: 32 hex chars (16 bytes) - Generate with: openssl rand -hex 16
+## - ipcrypt-ndx: 64 hex chars (32 bytes) - Generate with: openssl rand -hex 32
+## Example for deterministic/nd: key = "1234567890abcdef1234567890abcdef"
+## Example for ndx: key = "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
+## IMPORTANT: Keep this key secret
+
+key = ""
+
+
 ###############################################################################
 #                            Monitoring UI                                     #
 ###############################################################################