Commits

commits@lists.kronosnet.org

2 participants
41823 discussions

[kronosnet/kronosnet] ccba36: Add AES-CTR mode support with cross-backend cipher...
by Fabio M. Di Nitto 07 May '26

07 May '26

Branch: refs/heads/add-aes-ctr-support Home: https://github.com/kronosnet/kronosnet Commit: ccba36d576a300af5558e912c4d6b460653b2473 https://github.com/kronosnet/kronosnet/commit/ccba36d576a300af5558e912c4d6b… Author: Fabio M. Di Nitto <fdinitto(a)redhat.com> Date: 2026-05-07 (Thu, 07 May 2026) Changed paths: M libknet/crypto_gcrypt.c M libknet/crypto_nss.c M libknet/crypto_openssl.c M libknet/onwire.c M libknet/tests/Makefile.am M libknet/tests/api_knet_handle_crypto_set_config.c A libknet/tests/fun_config_crypto_ctr_test.c Log Message: ----------- Add AES-CTR mode support with cross-backend cipher name compatibility Implements AES-128-CTR, AES-192-CTR, and AES-256-CTR cipher modes for OpenSSL, NSS, and libgcrypt crypto backends. CTR (Counter) mode is a stream cipher that doesn't require padding and offers better performance for parallel encryption/decryption. Key changes: 1. Crypto backend implementations (crypto_nss.c, crypto_gcrypt.c, crypto_openssl.c): - Added CTR cipher type enums and mode detection - Implemented CTR-specific parameter handling (NSS CK_AES_CTR_PARAMS) - Accepts both cipher name formats: aes128-ctr and aes-128-ctr - Sets sec_block_size appropriately for each mode: * CTR mode: sec_block_size = 0 (no padding overhead) * CBC mode: sec_block_size = 16 (PKCS padding overhead) 2. Mode validation: - Added explicit validation for cipher modes - Only CBC and CTR modes are supported - Rejects unsupported modes (GCM, OFB, CFB, ECB, XTS) with clear error - Uses whitelist approach (check for supported) vs blacklist 3. OpenSSL improvements: - Use EVP_CIPHER_fetch() for OpenSSL 3.x (avoids refetching) - Use EVP_CIPHER_get_block_size() for OpenSSL 3.x - Maintain OpenSSL 1.x compatibility for RHEL 8 (EOL 2029) - Added comprehensive version support policy documentation 4. sec_block_size rationale (extensive documentation): - sec_block_size represents PADDING OVERHEAD, not cipher block size - CTR mode: Stream cipher, no padding (100 bytes → 100 bytes) * Library APIs return 1 or 16 for block size * But CTR adds NO padding overhead * Setting sec_block_size=0 correctly represents "no padding" * The if (sec_block_size) check in onwire.c skips padding calculation - CBC mode: Block cipher, PKCS padding required * Block size is 16 for AES * Adds padding to align to block boundaries * Example: 100 bytes → 112 bytes (12 bytes padding) - Documented in all crypto modules and onwire.c 5. New test: fun_config_crypto_ctr_test.c: - Uses knet_get_crypto_list() for runtime crypto module detection - Validates CTR mode support across all available backends - Tests both cipher naming conventions (hyphenated and non-hyphenated) - Performs actual encrypted data transmission via loopback - Verifies send/recv with CTR encryption works correctly - Tests buffer integrity after encryption/decryption - Ensures cross-backend compatibility 6. Extended test: api_knet_handle_crypto_set_config_test: - Added tests for unsupported cipher mode rejection - Tests GCM, OFB, ECB, XTS modes (all should fail with ENXIO) - Tests CTR mode in both naming formats (should succeed) - Verifies config preservation after rejecting bad modes MTU optimization: CTR mode sets sec_block_size = 0 (instead of 16 for CBC) because it doesn't require padding. This: - Allows up to 16 more bytes of payload per packet vs CBC mode - Fixes MTU/PMTUD calculations in onwire.c and threads_pmtud.c - Prevents wasted overhead for padding that CTR mode doesn't need This allows users to configure any backend with either naming format: - OpenSSL native: aes-128-ctr, aes-192-ctr, aes-256-ctr - NSS/gcrypt native: aes128-ctr, aes192-ctr, aes256-ctr Both formats work on all backends for seamless configuration portability. CTR mode maintains backward compatibility - same on-wire format as CBC, just different encryption algorithm. All tests pass. Addresses all PR #477 review feedback: - Mode validation and error handling - sec_block_size rationale extensively documented - OpenSSL 3.x API improvements (EVP_CIPHER_fetch, EVP_CIPHER_get_block_size) - OpenSSL 1.x support policy documented Resolves: #460 Signed-off-by: Fabio M. Di Nitto <fdinitto(a)redhat.com> Co-Authored-By: Claude Sonnet 4.5 <noreply(a)anthropic.com> To unsubscribe from these emails, change your notification settings at https://github.com/kronosnet/kronosnet/settings/notifications

1 0

[jenkins] kronosnet PR-477 (build 2) succeeded but with 2/86 non-voting fails
by jenkins＠kronosnet.org 07 May '26

07 May '26

Failed jobs: alpine-x86-64(nonvoting-clang: Build source) alpine-x86-64(nonvoting-clang_debug: Build source) Run reason: Pull request #477 updated Total runtime: 1 hr 19 min Split logs: https://ci.kronosnet.org/job/kronosnet/job/kronosnet-pipeline/job/PR-477/2/… Full log: https://ci.kronosnet.org/job/kronosnet/job/kronosnet-pipeline/job/PR-477/2/… Failed logs: https://ci.kronosnet.org/job/kronosnet/job/kronosnet-pipeline/job/PR-477/2/… https://ci.kronosnet.org/job/kronosnet/job/kronosnet-pipeline/job/PR-477/2/… Full Coverity results: http://ci.kronosnet.org/coverity/kronosnet/rhel-8-coverity-x86-64/pr477//2 http://ci.kronosnet.org/coverity/kronosnet/rhel-10-coverity-x86-64/pr477//2 http://ci.kronosnet.org/coverity/kronosnet/rhel-9-coverity-x86-64/pr477//2

1 0

[kronosnet/kronosnet] 8e9a02: Add AES-CTR mode support with cross-backend cipher...
by Fabio M. Di Nitto 07 May '26

07 May '26

Branch: refs/heads/add-aes-ctr-support Home: https://github.com/kronosnet/kronosnet Commit: 8e9a02b1dc7485cd75cb51449e78ac8a3df72890 https://github.com/kronosnet/kronosnet/commit/8e9a02b1dc7485cd75cb51449e78a… Author: Fabio M. Di Nitto <fdinitto(a)redhat.com> Date: 2026-05-07 (Thu, 07 May 2026) Changed paths: M libknet/crypto_gcrypt.c M libknet/crypto_nss.c M libknet/crypto_openssl.c M libknet/onwire.c M libknet/tests/Makefile.am M libknet/tests/api_knet_handle_crypto_set_config.c A libknet/tests/fun_config_crypto_ctr_test.c Log Message: ----------- Add AES-CTR mode support with cross-backend cipher name compatibility Implements AES-128-CTR, AES-192-CTR, and AES-256-CTR cipher modes for OpenSSL, NSS, and libgcrypt crypto backends. CTR (Counter) mode is a stream cipher that doesn't require padding and offers better performance for parallel encryption/decryption. Key changes: 1. Crypto backend implementations (crypto_nss.c, crypto_gcrypt.c, crypto_openssl.c): - Added CTR cipher type enums and mode detection - Implemented CTR-specific parameter handling (NSS CK_AES_CTR_PARAMS) - Accepts both cipher name formats: aes128-ctr and aes-128-ctr - Sets sec_block_size appropriately for each mode: * CTR mode: sec_block_size = 0 (no padding overhead) * CBC mode: sec_block_size = 16 (PKCS padding overhead) 2. Mode validation: - Added explicit validation for cipher modes - Only CBC and CTR modes are supported - Rejects unsupported modes (GCM, OFB, CFB, ECB, XTS) with clear error - Uses whitelist approach (check for supported) vs blacklist 3. OpenSSL improvements: - Use EVP_CIPHER_fetch() for OpenSSL 3.x (avoids refetching) - Use EVP_CIPHER_get_block_size() for OpenSSL 3.x - Maintain OpenSSL 1.x compatibility for RHEL 8 (EOL 2029) - Added comprehensive version support policy documentation 4. sec_block_size rationale (extensive documentation): - sec_block_size represents PADDING OVERHEAD, not cipher block size - CTR mode: Stream cipher, no padding (100 bytes → 100 bytes) * Library APIs return 1 or 16 for block size * But CTR adds NO padding overhead * Setting sec_block_size=0 correctly represents "no padding" * The if (sec_block_size) check in onwire.c skips padding calculation - CBC mode: Block cipher, PKCS padding required * Block size is 16 for AES * Adds padding to align to block boundaries * Example: 100 bytes → 112 bytes (12 bytes padding) - Documented in all crypto modules and onwire.c 5. New test: fun_config_crypto_ctr_test.c: - Uses knet_get_crypto_list() for runtime crypto module detection - Validates CTR mode support across all available backends - Tests both cipher naming conventions (hyphenated and non-hyphenated) - Performs actual encrypted data transmission via loopback - Verifies send/recv with CTR encryption works correctly - Tests buffer integrity after encryption/decryption - Ensures cross-backend compatibility 6. Extended test: api_knet_handle_crypto_set_config_test: - Added tests for unsupported cipher mode rejection - Tests GCM, OFB, ECB, XTS modes (all should fail with ENXIO) - Tests CTR mode in both naming formats (should succeed) - Verifies config preservation after rejecting bad modes MTU optimization: CTR mode sets sec_block_size = 0 (instead of 16 for CBC) because it doesn't require padding. This: - Allows up to 16 more bytes of payload per packet vs CBC mode - Fixes MTU/PMTUD calculations in onwire.c and threads_pmtud.c - Prevents wasted overhead for padding that CTR mode doesn't need This allows users to configure any backend with either naming format: - OpenSSL native: aes-128-ctr, aes-192-ctr, aes-256-ctr - NSS/gcrypt native: aes128-ctr, aes192-ctr, aes256-ctr Both formats work on all backends for seamless configuration portability. CTR mode maintains backward compatibility - same on-wire format as CBC, just different encryption algorithm. All tests pass. Addresses all PR #477 review feedback: - Mode validation and error handling - sec_block_size rationale extensively documented - OpenSSL 3.x API improvements (EVP_CIPHER_fetch, EVP_CIPHER_get_block_size) - OpenSSL 1.x support policy documented Resolves: #460 Signed-off-by: Fabio M. Di Nitto <fdinitto(a)redhat.com> Co-Authored-By: Claude Sonnet 4.5 <noreply(a)anthropic.com> To unsubscribe from these emails, change your notification settings at https://github.com/kronosnet/kronosnet/settings/notifications

1 0

[jenkins] pacemaker main (build 915) success
by jenkins＠kronosnet.org 07 May '26

07 May '26

1 0

[jenkins] pacemaker PR-4104 (build 2) success
by jenkins＠kronosnet.org 06 May '26

06 May '26

Run reason: Pull request #4104 updated Total runtime: 2 hr 13 min Split logs: https://ci.kronosnet.org/job/pacemaker/job/pacemaker-pipeline/job/PR-4104/2… Full log: https://ci.kronosnet.org/job/pacemaker/job/pacemaker-pipeline/job/PR-4104/2… Full Coverity results: http://ci.kronosnet.org/coverity/pacemaker/rhel-8-coverity-x86-64/pr4104//2 http://ci.kronosnet.org/coverity/pacemaker/rhel-9-coverity-x86-64/pr4104//2 http://ci.kronosnet.org/coverity/pacemaker/rhel-10-coverity-x86-64/pr4104//2

1 0

[jenkins] pacemaker PR-4102 (build 3) success
by jenkins＠kronosnet.org 06 May '26

06 May '26

Run reason: Pull request #4102 updated Total runtime: 2 hr 34 min Split logs: https://ci.kronosnet.org/job/pacemaker/job/pacemaker-pipeline/job/PR-4102/3… Full log: https://ci.kronosnet.org/job/pacemaker/job/pacemaker-pipeline/job/PR-4102/3… Full Coverity results: http://ci.kronosnet.org/coverity/pacemaker/rhel-9-coverity-x86-64/pr4102//3 http://ci.kronosnet.org/coverity/pacemaker/rhel-8-coverity-x86-64/pr4102//3 http://ci.kronosnet.org/coverity/pacemaker/rhel-10-coverity-x86-64/pr4102//3

1 0

[jenkins] pacemaker PR-4093 (build 4) success
by jenkins＠kronosnet.org 06 May '26

06 May '26

Run reason: Pull request #4093 updated Total runtime: 3 hr 39 min Split logs: https://ci.kronosnet.org/job/pacemaker/job/pacemaker-pipeline/job/PR-4093/4… Full log: https://ci.kronosnet.org/job/pacemaker/job/pacemaker-pipeline/job/PR-4093/4… Full Coverity results: http://ci.kronosnet.org/coverity/pacemaker/rhel-9-coverity-x86-64/pr4093//4 http://ci.kronosnet.org/coverity/pacemaker/rhel-8-coverity-x86-64/pr4093//4 http://ci.kronosnet.org/coverity/pacemaker/rhel-10-coverity-x86-64/pr4093//4

1 0

[jenkins] fence-agents PR-651 (build 1) aborted
by jenkins＠kronosnet.org 06 May '26

06 May '26

Run reason: Pull request #651 opened Total runtime: 1 day 0 hr Full log: https://ci.kronosnet.org/job/fence-agents/job/fence-agents-pipeline/job/PR-…

1 0

jenkins-fence-agents-fence-agents-pipeline-PR-651-1 from user ZhichaoTJ - timeout-out waiting for admin response
by jenkins＠kronosnet.org 06 May '26

06 May '26

see https://haci.fast.eng.rdu2.dc.redhat.com/job/fence-agents/job/fence-agents-…

1 0

[jenkins] pacemaker main (build 914) success
by jenkins＠kronosnet.org 06 May '26

06 May '26

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

Commits