diff --git a/kmip/services/server/crypto/engine.py b/kmip/services/server/crypto/engine.py index 196ee91..49f98b7 100644 --- a/kmip/services/server/crypto/engine.py +++ b/kmip/services/server/crypto/engine.py @@ -835,7 +835,11 @@ class CryptographyEngine(api.CryptographicEngine): "IV/nonce is required." ) if is_gcm_mode: - mode = mode(iv_nonce, tag=auth_tag) + mode = mode( + iv_nonce, + tag=auth_tag, + min_tag_length=len(auth_tag) + ) else: mode = mode(iv_nonce) else: diff --git a/kmip/tests/unit/services/server/crypto/test_engine.py b/kmip/tests/unit/services/server/crypto/test_engine.py index 9f85951..7056207 100644 --- a/kmip/tests/unit/services/server/crypto/test_engine.py +++ b/kmip/tests/unit/services/server/crypto/test_engine.py @@ -1261,6 +1261,9 @@ class TestCryptographyEngine(testtools.TestCase): # TODO(peter-hamilton): Replace this with actual fixture files from NIST CAPV. # Most of these test vectors were obtained from the pyca/cryptography test # suite. +# GCM test vectors were obtained from the NIST CAVP test suite: +# +# https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/mac/gcmtestvectors.zip @pytest.fixture( scope='function', params=[ @@ -1334,30 +1337,55 @@ class TestCryptographyEngine(testtools.TestCase): {'algorithm': enums.CryptographicAlgorithm.AES, 'cipher_mode': enums.BlockCipherMode.GCM, 'key': ( - b'\x6e\xd7\x6d\x2d\x97\xc6\x9f\xd1' - b'\x33\x95\x89\x52\x39\x31\xf2\xa6' - b'\xcf\xf5\x54\xb1\x5f\x73\x8f\x21' - b'\xec\x72\xdd\x97\xa7\x33\x09\x07' + b'\xfe\x32\xb0\xc7\x4c\xd7\x45\x8b' + b'\x75\xcb\x19\x6f\x48\x6b\x35\xc6' + b'\x19\xb7\xc6\xb4\xfe\x3f\x49\x64' + b'\xa4\x9a\xd9\x25\x37\x76\x27\xd7' ), 'iv_nonce': ( - b'\x85\x1e\x87\x64\x77\x6e\x67\x96' - b'\xaa\xb7\x22\xdb\xb6\x44\xac\xe8' + b'\x66\x30\xe6\xd4\xb9\xd9\x04\x1f' + b'\xe2\xba\xf6\xd1\xd6\x88\x7a\x56' + b'\x4e\xfe\xe7\x54\x90\xc2\xdd\x6f' + b'\x5d\x3e\x7f\xb4\xc3\xac\x4d\xe9' + b'\xfd\xa1\x69\x74\x71\xcc\x14\x80' + b'\x3a\x03\x3f\x55\x1d\x2e\x05\x56' + b'\x19\xd9\xb6\x84\x83\x08\xb9\xf2' + b'\x53\x5b\x0d\x85\x43\x8f\x16\x02' + b'\x3c\x1b\x96\x81\xb2\x62\xa5\xf3' + b'\xd5\x43\x95\xec\xd9\x56\x3b\x88' + b'\x10\x8b\xe8\xad\x4a\x78\xee\x2a' + b'\x4d\xec\xe8\x88\xc4\xc3\x4c\xda' + b'\xe6\xaf\x21\xd8\xef\xc5\xcf\x71' + b'\x9e\xfa\x27\x04\x9b\x4a\x45\xcc' + b'\x49\x70\xdb\xba\x37\xef\x57\x15' + b'\xa9\x9a\x96\x44\xae\xd0\xd3\x94' ), 'plain_text': ( - b'\x62\x82\xb8\xc0\x5c\x5c\x15\x30' - b'\xb9\x7d\x48\x16\xca\x43\x47\x62' + b'\x40\x31\x55\x40\x39\x07\x4e\x10' + b'\x5d\xb2\x36\xdd\x8b\x7c\x81\xb6' + b'\x7e\xc1\xd7\xa4\xed\x0d\xd5\x94' + b'\x8e\x85\xa0\x0f\x3f\x6d\x4c\x87' + b'\x2d\xc8\x72\xc8\x7b\x47\xc4\x5a' + b'\xf1\x81\xf0\x39\x58\xc1\xee\xfe' + b'\x60\x62\xff' ), 'auth_additional_data': ( - b'\x61\x75\x74\x68\x2d\x74\x65\x73\x74' + b'\xd3\xc6\x2d\xa2\x77\x97\xba\x8e\x16' + b'\x82\x1a\x1b\xe2\x47\x8a\x6f' ), - 'auth_tag_length': 16, + 'auth_tag_length': 128, 'cipher_text': ( - b'\x09\x45\x1b\x14\xf9\x25\x68\x24' - b'\x55\x50\x13\xb5\x09\xe9\xd6\x63' + b'\xfb\x10\xfa\x35\x45\x92\x53\xab' + b'\x7a\x87\xb3\x27\x32\x63\x56\x05' + b'\x56\xb8\x49\xba\x6b\xf1\xf5\xde' + b'\x46\xd4\xc8\x59\xf8\xad\xa6\xca' + b'\xca\xe4\x53\x9a\x5b\x7e\xaf\x9a' + b'\xd1\x16\xd4\x56\xf5\x0d\x2f\x80' + b'\xb6\x3d\xd7' ), 'auth_tag': ( - b'\xbe\x9f\xef\x78\x5f\x9e\xe6\x16' - b'\x90\xe9\x44\x59\xc1\x84\x44\x7f' + b'\xbd\x9b\x6f\x23\xc9\x39\xa7\xd4' + b'\xf5\xbe\xb0\x9d\x92\xf0\x17\x56' )}, {'algorithm': enums.CryptographicAlgorithm.BLOWFISH, 'cipher_mode': enums.BlockCipherMode.OFB,