Branch: refs/heads/add-crypto-enumeration-api
Home: https://github.com/kronosnet/kronosnet
Commit: 1de925a9723a372b5782792f5f841745d4858080
    https://github.com/kronosnet/kronosnet/commit/1de925a9723a372b5782792f5f8417...
Author: Fabio M. Di Nitto fdinitto@redhat.com
Date: 2026-05-07 (Thu, 07 May 2026)

Changed paths:
    M libknet/crypto.c
    M libknet/crypto_nss.c
    M libknet/libknet.h
    M libknet/libknet_exported_syms
    M libknet/tests/api-check.mk
    A libknet/tests/api_knet_get_crypto_cipher_list.c
    A libknet/tests/api_knet_get_crypto_hash_list.c
    M man/Makefile.am

Log Message:
-----------
Add API to enumerate supported cipher modes and hash algorithms

Implements issue #478 by introducing two new API functions:
- knet_get_crypto_cipher_list(): Returns AES cipher modes (CBC/CTR) supported across all crypto backends
- knet_get_crypto_hash_list(): Returns hash algorithms supported across all crypto backends
The functions return the intersection of capabilities across OpenSSL, NSS, and libgcrypt backends, ensuring applications can reliably use any returned cipher/hash combination regardless of which crypto module is loaded at runtime.
Key implementation decisions:
- Uses hardcoded lists to avoid loading all crypto modules unconditionally
- Flattened cipher list includes both OpenSSL (hyphenated) and NSS/gcrypt (non-hyphenated) naming conventions as separate entries to simplify application logic
- Cipher list: 12 entries covering AES-128/192/256 in CBC and CTR modes
- Hash list: 5 entries covering md5, sha1, sha256, sha384, sha512
- Structure field sizes match knet_handle_crypto_cfg (16 bytes for name fields)
New structures:
- knet_crypto_cipher_info: name[16], mode[8], key_bits
- knet_crypto_hash_info: name[16], hash_bits
Includes comprehensive API tests that verify all returned cipher and hash names work correctly with all three crypto backends (NSS, OpenSSL, libgcrypt).
Fixed NSS parser to accept "-cbc" suffix variants (aes-128-cbc, aes-192-cbc, aes-256-cbc) in addition to existing non-hyphenated CBC names (aes128, aes192, aes256).
Signed-off-by: Fabio M. Di Nitto fabbione@kronosnet.org
Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com

libknet/tests: fix stringop-truncation warnings in crypto enumeration tests
Use memcpy instead of strncpy when copying cipher and hash names from the enumeration arrays to crypto_cfg structure fields. This avoids GCC's stringop-truncation warning that triggers at -O3 with -D_FORTIFY_SOURCE=3.
GCC's flow analysis sees array element pointers (cipher_list[j].name) as potentially pointing to the entire remaining array, reporting the cumulative size rather than the individual 16-byte field size. Using memcpy avoids this warning while maintaining the same functionality:
- Both source and destination are exactly 16 bytes
- crypto_cfg is zero-initialized by memset beforehand
- We copy 15 bytes, leaving the last byte as null terminator
Signed-off-by: Fabio M. Di Nitto fabbione@kronosnet.org
Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com
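
The copy pattern described in the second log message, as an added example that is not code from the kronosnet tree: a zeroed 16-byte destination receives 15 bytes from a 16-byte name field. The struct names, `copy_name_field`, `select_cipher` and the sample list are hypothetical, and the `memchr` termination check is an addition that rejects an entry whose name would otherwise be silently truncated.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* name field size stated in the commit message */

/* Hypothetical stand-ins: only the field sizes come from the commit message. */
struct cipher_info { char name[NAME_LEN]; char mode[8]; unsigned int key_bits; };
struct crypto_cfg  { char cipher[NAME_LEN]; char hash[NAME_LEN]; };

/* Copy one fixed-size name field into another.
 * Returns 0 on success, -1 if src has no NUL inside its 16 bytes. */
static int copy_name_field(char dst[NAME_LEN], const char src[NAME_LEN])
{
    if (memchr(src, '\0', NAME_LEN) == NULL)
        return -1;                      /* would truncate the algorithm name */
    memset(dst, 0, NAME_LEN);           /* destination zeroed first */
    memcpy(dst, src, NAME_LEN - 1);     /* 15 bytes; byte 15 stays '\0' */
    return 0;
}

/* Zero cfg and fill cfg->cipher from list[idx]; -1 on a bad index or entry. */
static int select_cipher(struct crypto_cfg *cfg, const struct cipher_info *list,
                         size_t n, size_t idx)
{
    if (idx >= n)
        return -1;
    memset(cfg, 0, sizeof(*cfg));
    return copy_name_field(cfg->cipher, list[idx].name);
}

/* Constructed sample data: two names quoted in the commit message plus one
 * deliberately unterminated 16-byte entry to exercise the failure path. */
static const struct cipher_info sample_list[] = {
    { "aes-256-cbc", "cbc", 256 },
    { "aes128", "cbc", 128 },
    { {'x','x','x','x','x','x','x','x','x','x','x','x','x','x','x','x'}, "cbc", 0 },
};

int main(void)
{
    struct crypto_cfg cfg;
    for (size_t i = 0; i < 3; i++) {
        int rc = select_cipher(&cfg, sample_list, 3, i);
        printf("entry %zu: rc=%d cipher=\"%s\"\n", i, rc, cfg.cipher);
    }
    return 0;
}
```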