Fix CKM_AES_GCM encryption

This patch fixes a parameter mismatch bug when using the CKM_AES_GCM
mechanism.  This patch also renames the 'generate_iv' option to
'aes_gcm_generate_iv' to reflect the fact that it only applies to
the CKM_AES_GCM mechanism since IVs will always be generated when
using CKM_AES_CBC.

Change-Id: Iaa94b5cf2b2f77aaed72ec6b8b11e5ccf1fc3cca
Douglas Mendizábal 2018-08-27 13:57:31 -05:00
parent dffba064eb
commit e4d09f5848
3 changed files with 13 additions and 5 deletions


@ -78,9 +78,9 @@ p11_crypto_plugin_opts = [
cfg.StrOpt('plugin_name', cfg.StrOpt('plugin_name',
help=u._('User friendly plugin name'), help=u._('User friendly plugin name'),
default='PKCS11 HSM'), default='PKCS11 HSM'),
cfg.BoolOpt('generate_iv', cfg.BoolOpt('aes_gcm_generate_iv',
help=u._('Flag for plugin generated iv case'), help=u._('Generate IVs for CKM_AES_GCM mechanism.'),
default=False), default=True, deprecated_name='generate_iv'),
] ]
CONF.register_group(p11_crypto_plugin_group) CONF.register_group(p11_crypto_plugin_group)
CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group) CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group)
@ -301,7 +301,7 @@ class P11CryptoPlugin(plugin.CryptoPluginBase):
encryption_mechanism=plugin_conf.encryption_mechanism, encryption_mechanism=plugin_conf.encryption_mechanism,
ffi=ffi, ffi=ffi,
seed_random_buffer=seed_random_buffer, seed_random_buffer=seed_random_buffer,
generate_iv=plugin_conf.generate_iv, generate_iv=plugin_conf.aes_gcm_generate_iv,
) )
def _reinitialize_pkcs11(self): def _reinitialize_pkcs11(self):
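Review bot: The default of the renamed option in the first hunk goes from `False` to `True`, so a deployment that never set `generate_iv` silently changes where the CKM_AES_GCM IV comes from after upgrading, and neither the new help text nor the release note in this commit mentions it. GCM depends on IV uniqueness per key, so operators should be told which side is responsible in each setting; what `False` means is not visible here (presumably the device supplies the IV) and should be confirmed before it is documented. I would extend the help string to something like `help=u._('Generate IVs for CKM_AES_GCM mechanism. Default changed from False to True when renamed from generate_iv.')` and add a matching upgrade entry to the release note. In the second hunk the keyword passed to the PKCS11 constructor is still `generate_iv=`, which works but now differs from the option name; a short comment there (`# applies to CKM_AES_GCM only`) would stop the old, broader meaning from creeping back.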


@ -561,7 +561,9 @@ class PKCS11(object):
return self._VENDOR_SAFENET_CKM_AES_GCM_encrypt(key, pt_data, session) return self._VENDOR_SAFENET_CKM_AES_GCM_encrypt(key, pt_data, session)
def _CKM_AES_GCM_decrypt(self, key, iv, ct_data, session): def _CKM_AES_GCM_decrypt(self, key, iv, ct_data, session):
return self._VENDOR_SAFENET_CKM_AES_GCM_decrypt(key, ct_data, session) return self._VENDOR_SAFENET_CKM_AES_GCM_decrypt(
key, iv, ct_data, session
)
def decrypt(self, mechanism, key, iv, ct_data, session): def decrypt(self, mechanism, key, iv, ct_data, session):
if mechanism not in _ENCRYPTION_MECHANISMS: if mechanism not in _ENCRYPTION_MECHANISMS:
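Review bot: None of the three changed files shown on this page looks like a test, so the argument mismatch fixed in `_CKM_AES_GCM_decrypt` could come back unnoticed. A unit test that calls `decrypt` with the CKM_AES_GCM mechanism and asserts that the vendor method receives `iv` would pin the fix. A one-line comment above the call would also help, for example `# forward iv: the vendor decrypt takes (key, iv, ct_data, session)`. The encrypt wrapper on the context line above still calls the vendor method with `(key, pt_data, session)`, which is presumably intended because the IV is produced inside the encrypt path, but that is worth confirming against the vendor method's signature. The `PKCS11` class begins before this hunk and `decrypt` continues past it, so the rest of the dispatch is not visible here.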


@ -0,0 +1,6 @@
---
deprecations:
- |
Deprecated the `generate_iv` option name. It has been renamed to
`aes_gcm_generate_iv` to reflect the fact that it only applies to the
CKM_AES_GCM mechanism.