Fix CKM_AES_GCM encryption

This patch fixes a parameter mismatch bug when using the CKM_AES_GCM mechanism. This bug also renames the 'generate_iv' option to 'aes_gcm_generate_iv' to reflect the fact that it only applies to the CKM_AES_GCM mechanism since IVs will always be generated when using CKM_AES_CBC. Change-Id: Iaa94b5cf2b2f77aaed72ec6b8b11e5ccf1fc3cca
2018-08-27 13:57:31 -05:00 · 2018-08-27 13:57:31 -05:00 · e4d09f5848
parent dffba064eb
commit e4d09f5848
3 changed files with 13 additions and 5 deletions
--- a/barbican/plugin/crypto/p11_crypto.py
+++ b/barbican/plugin/crypto/p11_crypto.py
@ -78,9 +78,9 @@ p11_crypto_plugin_opts = [
    cfg.StrOpt('plugin_name',
               help=u._('User friendly plugin name'),
               default='PKCS11 HSM'),
-    cfg.BoolOpt('generate_iv',
-                help=u._('Flag for plugin generated iv case'),
-                default=False),
+    cfg.BoolOpt('aes_gcm_generate_iv',
+                help=u._('Generate IVs for CKM_AES_GCM mechanism.'),
+                default=True, deprecated_name='generate_iv'),
 ]
 CONF.register_group(p11_crypto_plugin_group)
 CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group)
@ -301,7 +301,7 @@ class P11CryptoPlugin(plugin.CryptoPluginBase):
            encryption_mechanism=plugin_conf.encryption_mechanism,
            ffi=ffi,
            seed_random_buffer=seed_random_buffer,
-            generate_iv=plugin_conf.generate_iv,
+            generate_iv=plugin_conf.aes_gcm_generate_iv,
        )

    def _reinitialize_pkcs11(self):
--- a/barbican/plugin/crypto/pkcs11.py
+++ b/barbican/plugin/crypto/pkcs11.py
@ -561,7 +561,9 @@ class PKCS11(object):
        return self._VENDOR_SAFENET_CKM_AES_GCM_encrypt(key, pt_data, session)

    def _CKM_AES_GCM_decrypt(self, key, iv, ct_data, session):
-        return self._VENDOR_SAFENET_CKM_AES_GCM_decrypt(key, ct_data, session)
+        return self._VENDOR_SAFENET_CKM_AES_GCM_decrypt(
+            key, iv, ct_data, session
+        )

    def decrypt(self, mechanism, key, iv, ct_data, session):
        if mechanism not in _ENCRYPTION_MECHANISMS:
--- a/releasenotes/notes/renamed-generate-iv-option-29770cfcff8e3b83.yaml
+++ b/releasenotes/notes/renamed-generate-iv-option-29770cfcff8e3b83.yaml
@ -0,0 +1,6 @@
+---
+deprecations:
+  - |
+    Deprecated the `generate_iv` option name.  It has been renamed to
+    `aes_gcm_generate_iv` to reflect the fact that it only applies to the
+    CKM_AES_GCM mechanism.