Branch: refs/heads/add-aes-ctr-support Home: https://github.com/kronosnet/kronosnet Commit: ff7ff1bad0861769059131296cd642715f122213 https://github.com/kronosnet/kronosnet/commit/ff7ff1bad0861769059131296cd642... Author: Fabio M. Di Nitto fdinitto@redhat.com Date: 2026-04-25 (Sat, 25 Apr 2026)
Changed paths: M libknet/crypto_gcrypt.c M libknet/crypto_nss.c M libknet/crypto_openssl.c M libknet/tests/Makefile.am A libknet/tests/fun_config_crypto_ctr_test.c
Log Message: ----------- Add AES-CTR mode support with cross-backend cipher name compatibility
Implements AES-128-CTR, AES-192-CTR, and AES-256-CTR cipher modes for OpenSSL, NSS, and libgcrypt crypto backends. CTR (Counter) mode is a stream cipher that doesn't require padding and offers better performance for parallel encryption/decryption.
Key changes:
1. crypto_nss.c: - Added CTR cipher type enums and mechanism mappings - Implemented CK_AES_CTR_PARAMS parameter structure for CTR mode - NSS/PKCS#11 requires special parameter structure with counter bits - Accepts both formats: aes128-ctr and aes-128-ctr - Sets sec_block_size = 0 for CTR mode (no padding overhead)
2. crypto_gcrypt.c: - Added crypto_cipher_mode field to track CBC vs CTR mode - Strip mode suffix from cipher name before mapping - Made PKCS padding conditional (CTR doesn't need padding) - Normalizes aes-NNN-ctr to aesNNN-ctr format - Accepts both formats: aes128-ctr and aes-128-ctr - Sets sec_block_size = 0 for CTR mode (no padding overhead)
3. crypto_openssl.c: - Normalizes aesNNN-ctr to aes-NNN-ctr format - Accepts both formats: aes128-ctr and aes-128-ctr - Sets sec_block_size = 0 for CTR mode (no padding overhead) - Uses EVP_CIPHER_mode() / EVP_CIPHER_get_mode() to detect CTR
4. New test: fun_config_crypto_ctr_test.c: - Uses knet_get_crypto_list() for runtime crypto module detection - Validates CTR mode support across all available backends - Tests both cipher naming conventions (hyphenated and non-hyphenated) - Performs actual encrypted data transmission via loopback - Verifies send/recv with CTR encryption works correctly - Tests buffer integrity after encryption/decryption - Ensures cross-backend compatibility - Functional test (no API changes)
MTU optimization: CTR mode sets sec_block_size = 0 (instead of 16 for CBC) because it doesn't require padding. This: - Allows up to 16 more bytes of payload per packet vs CBC mode - Fixes MTU/PMTUD calculations in onwire.c and threads_pmtud.c - Prevents wasted overhead for padding that CTR mode doesn't need
This allows users to configure any backend with either naming format: - OpenSSL native: aes-128-ctr, aes-192-ctr, aes-256-ctr - NSS/gcrypt native: aes128-ctr, aes192-ctr, aes256-ctr
Both formats work on all backends for seamless configuration portability.
CTR mode maintains backward compatibility - same on-wire format as CBC, just different encryption algorithm. All tests pass.
Resolves: #460
Signed-off-by: Fabio M. Di Nitto fdinitto@redhat.com Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com
To unsubscribe from these emails, change your notification settings at https://github.com/kronosnet/kronosnet/settings/notifications