Merge "Fix CKM_AES_GCM encryption"

barbican/plugin/crypto/p11_crypto.py

@@ -78,9 +78,9 @@ p11_crypto_plugin_opts = [
     cfg.StrOpt('plugin_name',
                help=u._('User friendly plugin name'),
                default='PKCS11 HSM'),
-    cfg.BoolOpt('generate_iv',
+    cfg.BoolOpt('aes_gcm_generate_iv',
-                help=u._('Flag for plugin generated iv case'),
+                help=u._('Generate IVs for CKM_AES_GCM mechanism.'),
-                default=False),
+                default=True, deprecated_name='generate_iv'),
 ]
 CONF.register_group(p11_crypto_plugin_group)
 CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group)
@@ -301,7 +301,7 @@ class P11CryptoPlugin(plugin.CryptoPluginBase):
             encryption_mechanism=plugin_conf.encryption_mechanism,
             ffi=ffi,
             seed_random_buffer=seed_random_buffer,
-            generate_iv=plugin_conf.generate_iv,
+            generate_iv=plugin_conf.aes_gcm_generate_iv,
         )
 
     def _reinitialize_pkcs11(self):

barbican/plugin/crypto/pkcs11.py

@@ -561,7 +561,9 @@ class PKCS11(object):
         return self._VENDOR_SAFENET_CKM_AES_GCM_encrypt(key, pt_data, session)
 
     def _CKM_AES_GCM_decrypt(self, key, iv, ct_data, session):
-        return self._VENDOR_SAFENET_CKM_AES_GCM_decrypt(key, ct_data, session)
+        return self._VENDOR_SAFENET_CKM_AES_GCM_decrypt(
+            key, iv, ct_data, session
+        )
 
     def decrypt(self, mechanism, key, iv, ct_data, session):
         if mechanism not in _ENCRYPTION_MECHANISMS:

releasenotes/notes/renamed-generate-iv-option-29770cfcff8e3b83.yaml

@@ -0,0 +1,6 @@
+---
+deprecations:
+  - |
+    Deprecated the `generate_iv` option name.  It has been renamed to
+    `aes_gcm_generate_iv` to reflect the fact that it only applies to the
+    CKM_AES_GCM mechanism.