[kronosnet/kronosnet] ad7029: Add AES-CTR mode support with cross-backend cipher... - Commits

7 May 2026


      Branch: refs/heads/main
  Home:   https://github.com/kronosnet/kronosnet
  Commit: ad7029948c74a26c42a9ac3e1c5dff458dd8cbd4
      https://github.com/kronosnet/kronosnet/commit/ad7029948c74a26c42a9ac3e1c5dff...
  Author: Fabio M. Di Nitto fdinitto@redhat.com
  Date:   2026-05-07 (Thu, 07 May 2026)
Changed paths:
    M libknet/crypto_gcrypt.c
    M libknet/crypto_nss.c
    M libknet/crypto_openssl.c
    M libknet/onwire.c
    M libknet/tests/Makefile.am
    M libknet/tests/api_knet_handle_crypto_set_config.c
    A libknet/tests/fun_config_crypto_ctr_test.c
Log Message:
  -----------
  Add AES-CTR mode support with cross-backend cipher name compatibility
Implements AES-128-CTR, AES-192-CTR, and AES-256-CTR cipher modes for
OpenSSL, NSS, and libgcrypt crypto backends. CTR (Counter) mode is a
stream cipher that doesn't require padding and offers better performance
for parallel encryption/decryption.
Key changes:
1. Crypto backend implementations (crypto_nss.c, crypto_gcrypt.c, crypto_openssl.c):
   - Added CTR cipher type enums and mode detection
   - Implemented CTR-specific parameter handling (NSS CK_AES_CTR_PARAMS)
   - Accepts both cipher name formats: aes128-ctr and aes-128-ctr
   - Sets sec_block_size appropriately for each mode:
     * CTR mode: sec_block_size = 0 (no padding overhead)
     * CBC mode: sec_block_size = 16 (PKCS padding overhead)
2. Mode validation:
   - Added explicit validation for cipher modes
   - Only CBC and CTR modes are supported
   - Rejects unsupported modes (GCM, OFB, CFB, ECB, XTS) with clear error
   - Uses whitelist approach (check for supported) vs blacklist
3. OpenSSL improvements:
   - Use EVP_CIPHER_fetch() for OpenSSL 3.x (avoids refetching)
   - Use EVP_CIPHER_get_block_size() for OpenSSL 3.x
   - Maintain OpenSSL 1.x compatibility for RHEL 8 (EOL 2029)
   - Added comprehensive version support policy documentation
4. sec_block_size rationale (extensive documentation):
   - sec_block_size represents PADDING OVERHEAD, not cipher block size
   - CTR mode: Stream cipher, no padding (100 bytes → 100 bytes)
     * Library APIs return 1 or 16 for block size
     * But CTR adds NO padding overhead
     * Setting sec_block_size=0 correctly represents "no padding"
     * The if (sec_block_size) check in onwire.c skips padding calculation
   - CBC mode: Block cipher, PKCS padding required
     * Block size is 16 for AES
     * Adds padding to align to block boundaries
     * Example: 100 bytes → 112 bytes (12 bytes padding)
   - Documented in all crypto modules and onwire.c
5. New test: fun_config_crypto_ctr_test.c:
   - Uses knet_get_crypto_list() for runtime crypto module detection
   - Validates CTR mode support across all available backends
   - Tests both cipher naming conventions (hyphenated and non-hyphenated)
   - Performs actual encrypted data transmission via loopback
   - Verifies send/recv with CTR encryption works correctly
   - Tests buffer integrity after encryption/decryption
   - Ensures cross-backend compatibility
6. Extended test: api_knet_handle_crypto_set_config_test:
   - Added tests for unsupported cipher mode rejection
   - Tests GCM, OFB, ECB, XTS modes (all should fail with ENXIO)
   - Tests CTR mode in both naming formats (should succeed)
   - Verifies config preservation after rejecting bad modes
MTU optimization:
CTR mode sets sec_block_size = 0 (instead of 16 for CBC) because it doesn't
require padding. This:
- Allows up to 16 more bytes of payload per packet vs CBC mode
- Fixes MTU/PMTUD calculations in onwire.c and threads_pmtud.c
- Prevents wasted overhead for padding that CTR mode doesn't need
This allows users to configure any backend with either naming format:
- OpenSSL native: aes-128-ctr, aes-192-ctr, aes-256-ctr
- NSS/gcrypt native: aes128-ctr, aes192-ctr, aes256-ctr
Both formats work on all backends for seamless configuration portability.
CTR mode maintains backward compatibility - same on-wire format as CBC,
just different encryption algorithm. All tests pass.
Addresses all PR #477 review feedback:
- Mode validation and error handling
- sec_block_size rationale extensively documented
- OpenSSL 3.x API improvements (EVP_CIPHER_fetch, EVP_CIPHER_get_block_size)
- OpenSSL 1.x support policy documented
Resolves: #460
Signed-off-by: Fabio M. Di Nitto fdinitto@redhat.com
Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com
Commit: f227fc63efd3799a6f9248c973bc8e5be26e9265
      https://github.com/kronosnet/kronosnet/commit/f227fc63efd3799a6f9248c973bc8e...
  Author: Fabio M. Di Nitto fdinitto@redhat.com
  Date:   2026-05-07 (Thu, 07 May 2026)
Changed paths:
    M libknet/crypto_gcrypt.c
    M libknet/crypto_nss.c
    M libknet/crypto_openssl.c
    M libknet/onwire.c
    M libknet/tests/Makefile.am
    M libknet/tests/api_knet_handle_crypto_set_config.c
    A libknet/tests/fun_config_crypto_ctr_test.c
Log Message:
  -----------
  Merge pull request #477 from kronosnet/add-aes-ctr-support
Add AES-CTR mode support with cross-backend compatibility
Compare: https://github.com/kronosnet/kronosnet/compare/602320f4c32a...f227fc63efd3
To unsubscribe from these emails, change your notification settings at https://github.com/kronosnet/kronosnet/settings/notifications