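"""Password encryption helpers: PBKDF2 key derivation plus AES-256-GCM.

Serialized form (hex encoded): salt || nonce || tag || ciphertext.
"""
import os

from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Random import get_random_bytes

# NOTE(security): the passphrase is embedded in the source, so anyone who can
# read this file (or the repository history) can derive every key and decrypt
# every stored value. The per-record salt does not help once the passphrase is
# known. Treat this as obfuscation unless the passphrase is supplied from a
# secret store at deploy time. The value is left unchanged here because
# existing ciphertexts can only be decrypted with it; rotating it requires
# re-encrypting stored data.
SECRET = "BBLBTV-DNS-PASSWORDS"

SALT_SIZE = 16
KEY_SIZE = 32
ITERATIONS = 100000

# Sizes of the GCM nonce and authentication tag inside the serialized blob.
# They are passed to AES.new() explicitly so the on-disk layout does not depend
# on the library's defaults staying the same.
NONCE_SIZE = 16
TAG_SIZE = 16

# Smallest valid blob: salt + nonce + tag followed by an empty ciphertext.
_HEADER_SIZE = SALT_SIZE + NONCE_SIZE + TAG_SIZE


def _derive_key(salt):
    """Derive the AES key for *salt* from the module passphrase.

    NOTE(security): no hash module is passed, so PyCryptodome's PBKDF2 uses its
    default PRF (HMAC-SHA1). Switching the PRF or the iteration count changes
    the derived key and therefore breaks decryption of existing values; any
    upgrade needs a versioned blob format and a migration.
    """
    return PBKDF2(SECRET, salt, dkLen=KEY_SIZE, count=ITERATIONS)


def encrypt_password(clear_string):
    """Encrypt *clear_string* and return the hex-encoded blob.

    A fresh random salt and nonce are generated on every call, so encrypting
    the same input twice yields different output.

    Args:
        clear_string: Text to protect; encoded as UTF-8 before encryption.

    Returns:
        Hex string of salt || nonce || tag || ciphertext.
    """
    salt = get_random_bytes(SALT_SIZE)
    nonce = get_random_bytes(NONCE_SIZE)
    cipher = AES.new(
        _derive_key(salt), AES.MODE_GCM, nonce=nonce, mac_len=TAG_SIZE
    )
    ciphertext, tag = cipher.encrypt_and_digest(clear_string.encode())
    return (salt + nonce + tag + ciphertext).hex()


def decrypt_password(encrypted_string):
    """Decrypt a blob produced by :func:`encrypt_password`.

    Args:
        encrypted_string: Hex string of salt || nonce || tag || ciphertext.

    Returns:
        The decrypted text.

    Raises:
        ValueError: If the input is not valid hex, is too short to hold the
            salt, nonce and tag, or fails GCM authentication (tampered data or
            wrong key).
    """
    data = bytes.fromhex(encrypted_string)

    # Reject truncated input before the key derivation: a malformed value
    # should not cost ITERATIONS rounds of PBKDF2, and short slices would
    # otherwise surface as a misleading authentication failure.
    if len(data) < _HEADER_SIZE:
        raise ValueError(
            "encrypted string is too short to contain salt, nonce and tag"
        )

    salt = data[:SALT_SIZE]
    nonce = data[SALT_SIZE:SALT_SIZE + NONCE_SIZE]
    tag = data[SALT_SIZE + NONCE_SIZE:_HEADER_SIZE]
    ciphertext = data[_HEADER_SIZE:]

    cipher = AES.new(
        _derive_key(salt), AES.MODE_GCM, nonce=nonce, mac_len=TAG_SIZE
    )
    # decrypt_and_verify checks the tag; plaintext is returned only when the
    # blob authenticates.
    return cipher.decrypt_and_verify(ciphertext, tag).decode()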