
This is follow-up of 0d4101fa5da52f242ab0a52955f67769b23485a1 and fix a few format problems of the release note added by that change.

- Italic is not quite visible and Bold would be preferred
- The release note is not associated with individual change we should not mention "this change".
- Add link to bug url so that people can find bug details more easily.

Change-Id: Idd83933d14ecbf632b954db0bf898e322616bcde
24 lines
1.1 KiB
YAML
---
deprecations:
  - |
    The ``[p11_crypto_plugin]hmac_keywrap_mechanism`` option has been replaced
    by ``[p11_crypto_plugin]hmac_mechanism``. This option was renamed to avoid
    confusion since this mechanism is only used to sign encrypted data and
    never used for key wrap encryption.
security:
  - |
    The PKCS#11 backend driver has been updated to support newer Key Wrap
    mechanisms. New deployments should use CKM_AES_KEY_WRAP_KWP, but
    CKM_AES_KEY_WRAP_PAD and CKM_AES_CBC_PAD are also supported for
    compatibility with older devices that have not yet implemented PKCS#11
    Version 3.0.
fixes:
  - |
    Bug `#2036506 <https://bugs.launchpad.net/barbican/+bug/2036506>`_:
    Replaced the hard-coded CKM_AES_CBC_PAD mechanism used to wrap pKEKs with
    an option to configure this mechanism.
    Two new options have been added to the ``[p11_crypto_plugin]`` section of
    the configuration file: ``key_wrap_mechanism`` and
    ``key_wrap_generate_iv``. These options default to ``CKM_AES_CBC_PAD``
    and ``True`` respectively to preserve backwards compatibility.
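A configuration check based on the release note above, as an added example that is not part of the commit or of Barbican's own code. It flags the deprecated option name and reports when the key wrap mechanism is left at the backwards-compatible default instead of the one recommended for new deployments. The function name `audit_p11_config`, the finding codes and both sample configurations are hypothetical, and the file is assumed to parse with Python's `configparser`.

```python
import configparser

SECTION = "p11_crypto_plugin"
DEFAULT_WRAP = "CKM_AES_CBC_PAD"           # default stated in the release note
RECOMMENDED_WRAP = "CKM_AES_KEY_WRAP_KWP"  # recommended there for new deployments
COMPAT_WRAPS = {"CKM_AES_KEY_WRAP_PAD", "CKM_AES_CBC_PAD"}


def audit_p11_config(text):
    """Return (code, message) findings for the [p11_crypto_plugin] section."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    if not cfg.has_section(SECTION):
        return [("no-section", f"[{SECTION}] section not present")]
    sec, findings = cfg[SECTION], []
    if "hmac_keywrap_mechanism" in sec:
        findings.append(("deprecated-option",
                         "hmac_keywrap_mechanism was replaced by hmac_mechanism"))
    mech = sec.get("key_wrap_mechanism", "").strip()
    if not mech:
        findings.append(("wrap-default",
                         f"key_wrap_mechanism unset, {DEFAULT_WRAP} is used"))
    elif mech in COMPAT_WRAPS:
        findings.append(("wrap-compat",
                         f"{mech} is a compatibility mechanism; "
                         f"{RECOMMENDED_WRAP} is recommended for new deployments"))
    elif mech != RECOMMENDED_WRAP:
        findings.append(("wrap-unlisted",
                         f"{mech} is not one of the mechanisms the note lists"))
    return findings


# Constructed sample inputs (not taken from a real deployment).
LEGACY_CONF = """
[p11_crypto_plugin]
hmac_keywrap_mechanism = CKM_SHA256_HMAC
"""
UPDATED_CONF = """
[p11_crypto_plugin]
hmac_mechanism = CKM_SHA256_HMAC
key_wrap_mechanism = CKM_AES_KEY_WRAP_KWP
"""

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("updated", UPDATED_CONF)):
        for code, msg in audit_p11_config(conf):
            print(f"{name}: {code}: {msg}")
```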