From e4d09f5848b3cb9fc8ce0905a2f91f9b2ca36f41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?= Date: Mon, 27 Aug 2018 13:57:31 -0500 Subject: [PATCH] Fix CKM_AES_GCM encryption This patch fixes a parameter mismatch bug when using the CKM_AES_GCM mechanism. This bug also renames the 'generate_iv' option to 'aes_gcm_generate_iv' to reflect the fact that it only applies to the CKM_AES_GCM mechanism since IVs will always be generated when using CKM_AES_CBC. Change-Id: Iaa94b5cf2b2f77aaed72ec6b8b11e5ccf1fc3cca --- barbican/plugin/crypto/p11_crypto.py | 8 ++++---- barbican/plugin/crypto/pkcs11.py | 4 +++- .../renamed-generate-iv-option-29770cfcff8e3b83.yaml | 6 ++++++ 3 files changed, 13 insertions(+), 5 deletions(-) create mode 100644 releasenotes/notes/renamed-generate-iv-option-29770cfcff8e3b83.yaml diff --git a/barbican/plugin/crypto/p11_crypto.py b/barbican/plugin/crypto/p11_crypto.py index 59c94409e..ee8dcd506 100644 --- a/barbican/plugin/crypto/p11_crypto.py +++ b/barbican/plugin/crypto/p11_crypto.py @@ -78,9 +78,9 @@ p11_crypto_plugin_opts = [ cfg.StrOpt('plugin_name', help=u._('User friendly plugin name'), default='PKCS11 HSM'), - cfg.BoolOpt('generate_iv', - help=u._('Flag for plugin generated iv case'), - default=False), + cfg.BoolOpt('aes_gcm_generate_iv', + help=u._('Generate IVs for CKM_AES_GCM mechanism.'), + default=True, deprecated_name='generate_iv'), ] CONF.register_group(p11_crypto_plugin_group) CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group) @@ -301,7 +301,7 @@ class P11CryptoPlugin(plugin.CryptoPluginBase): encryption_mechanism=plugin_conf.encryption_mechanism, ffi=ffi, seed_random_buffer=seed_random_buffer, - generate_iv=plugin_conf.generate_iv, + generate_iv=plugin_conf.aes_gcm_generate_iv, ) def _reinitialize_pkcs11(self): diff --git a/barbican/plugin/crypto/pkcs11.py b/barbican/plugin/crypto/pkcs11.py index 6597c0fe9..d33e7fcfb 100644 --- a/barbican/plugin/crypto/pkcs11.py +++ b/barbican/plugin/crypto/pkcs11.py @@ -561,7 +561,9 @@ class PKCS11(object): return self._VENDOR_SAFENET_CKM_AES_GCM_encrypt(key, pt_data, session) def _CKM_AES_GCM_decrypt(self, key, iv, ct_data, session): - return self._VENDOR_SAFENET_CKM_AES_GCM_decrypt(key, ct_data, session) + return self._VENDOR_SAFENET_CKM_AES_GCM_decrypt( + key, iv, ct_data, session + ) def decrypt(self, mechanism, key, iv, ct_data, session): if mechanism not in _ENCRYPTION_MECHANISMS: diff --git a/releasenotes/notes/renamed-generate-iv-option-29770cfcff8e3b83.yaml b/releasenotes/notes/renamed-generate-iv-option-29770cfcff8e3b83.yaml new file mode 100644 index 000000000..dbb941c39 --- /dev/null +++ b/releasenotes/notes/renamed-generate-iv-option-29770cfcff8e3b83.yaml @@ -0,0 +1,6 @@ +--- +deprecations: + - | + Deprecated the `generate_iv` option name. It has been renamed to + `aes_gcm_generate_iv` to reflect the fact that it only applies to the + CKM_AES_GCM mechanism.