2024.2 Series Release Notes
19.0.0-3
Deprecation Notes
The [p11_crypto_plugin]hmac_keywrap_mechanism option has been replaced by [p11_crypto_plugin]hmac_mechanism. This option was renamed to avoid confusion since this mechanism is only used to sign encrypted data and never used for key wrap encryption.
Security Issues
The PKCS#11 backend driver has been updated to support newer Key Wrap mechanisms. New deployments should use CKM_AES_KEY_WRAP_KWP, but CKM_AES_KEY_WRAP_PAD and CKM_AES_CBC_PAD are also supported for compatibility with older devices that have not yet implemented PKCS#11 Version 3.0.
Bug Fixes
Fixed Bug #2036506 - This patch replaces the hard-coded CKM_AES_CBC_PAD mechanism used to wrap pKEKs with an option to configure this mechanism. Two new options have been added to the [p11_crypto_plugin] section of the configuration file: key_wrap_mechanism and key_wrap_generate_iv. These options default to CKM_AES_CBC_PAD and True respectively to preserve backwards compatibility.
19.0.0
New Features
Barbican now uses oslo.db for database connections. Features implemented in oslo.db can now be leveraged in Barbican.
Upgrade Notes
The following deprecated database options were effectively removed. Use the equivalent oslo.db library options instead.
[DEFAULT] sql_connection
[DEFAULT] sql_idle_timeout
[DEFAULT] sql_max_retries
[DEFAULT] sql_retry_interval
[DEFAULT] sql_pool_size
[DEFAULT] sql_pool_max_overflow
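A pre-upgrade check for the option changes described in the notes above (the removed [DEFAULT] sql_* options, the hmac_keywrap_mechanism rename, and the key_wrap_mechanism default). This is an added example, not Barbican's own code. The function name, finding strings and sample configuration are constructed for illustration.

```python
import configparser

# Option and mechanism names come from the release notes above; the function
# name, finding strings and SAMPLE config are constructed for this example.
REMOVED_DB_OPTS = ("sql_connection", "sql_idle_timeout", "sql_max_retries",
                   "sql_retry_interval", "sql_pool_size", "sql_pool_max_overflow")
P11 = "p11_crypto_plugin"
COMPAT_WRAP = ("CKM_AES_KEY_WRAP_PAD", "CKM_AES_CBC_PAD")
PREFERRED_WRAP = "CKM_AES_KEY_WRAP_KWP"

SAMPLE = """\
[DEFAULT]
sql_connection = mysql+pymysql://barbican:PLACEHOLDER@db.example.test/barbican
sql_pool_size = 10

[p11_crypto_plugin]
hmac_keywrap_mechanism = CKM_SHA256_HMAC
key_wrap_generate_iv = True
"""


def audit_barbican_conf(text):
    """Return (section, option, finding) tuples for a barbican.conf body."""
    # Treat [DEFAULT] as an ordinary section so its keys are not inherited
    # by [p11_crypto_plugin]; keep option names case-sensitive.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   default_section="__unused__")
    cp.optionxform = str
    cp.read_string(text)
    findings = []
    for opt in REMOVED_DB_OPTS:
        if cp.has_option("DEFAULT", opt):
            findings.append(("DEFAULT", opt, "removed; use the oslo.db option"))
    if cp.has_section(P11):
        if cp.has_option(P11, "hmac_keywrap_mechanism"):
            findings.append((P11, "hmac_keywrap_mechanism",
                             "deprecated; renamed to hmac_mechanism"))
        # An unset key_wrap_mechanism falls back to the documented default.
        mech = cp.get(P11, "key_wrap_mechanism", fallback="CKM_AES_CBC_PAD").strip()
        if mech in COMPAT_WRAP:
            findings.append((P11, "key_wrap_mechanism",
                             f"{mech}: compatibility mechanism; "
                             f"{PREFERRED_WRAP} is recommended for new deployments"))
        elif mech != PREFERRED_WRAP:
            findings.append((P11, "key_wrap_mechanism",
                             f"{mech}: not named in the release notes"))
    return findings


if __name__ == "__main__":
    for section, option, finding in audit_barbican_conf(SAMPLE):
        print(f"[{section}] {option}: {finding}")
```

The key_wrap_mechanism finding is informational: it reports which mechanism is in effect and does not imply that an existing deployment can switch mechanisms without further planning.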