Description
pkcs11Global.h, line 52:

    #define CRYPTOKI_VERSION_MINOR 11

This should have been updated to "20". Not doing so causes this code in
$SRC/lib/pkcs11/libpkcs11/common/pkcs11Conf.c:

    /*
     * Warn the administrator that a provider with
     * a significantly older or newer version of
     * CRYPTOKI is being used. It should not cause
     * problems, but logging a warning makes it easier
     * to debug later.
     */
    if ((prov_info.cryptokiVersion.minor <
        CRYPTOKI_VERSION_WARN_MINOR) ||
        (prov_info.cryptokiVersion.minor >
        CRYPTOKI_VERSION_MINOR)) {
            cryptoerror(LOG_INFO,
                "libpkcs11: %s CRYPTOKI minor version, %d, may "
                "not be compatible with minor version %d.",
                fullpath, prov_info.cryptokiVersion.minor,
                CRYPTOKI_VERSION_MINOR);
    }

to spew messages for every telnet/rlogin and many ssh connections.
There are two problems here:
1) The fact that we are advertising libpkcs11 as being v2.11
   when we ship plugins that have v2.20 mechs and
   features in them.
2) The fact that we warn about this at all at LOG_INFO.
   This should really just be dropped to LOG_DEBUG, since
   the Cryptoki working group is well behaved with respect
   to API compatibility in minor versions. They are even
   more strict than the Solaris requirement of a Stable
   library, since they don't allow any functions to be added.
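
The effect of the two fixes can be modelled with the small program below. It is an added example, not code from libpkcs11: the provider list is constructed, EXAMPLE_WARN_MINOR stands in for CRYPTOKI_VERSION_WARN_MINOR (whose value the report does not show), and the syslog threshold is an assumed configuration.

```c
#include <stddef.h>
#include <stdio.h>
#include <syslog.h>

/* Assumed lower bound: the report does not show CRYPTOKI_VERSION_WARN_MINOR. */
#define EXAMPLE_WARN_MINOR 0

/* Constructed sample providers: one at v2.11, two at v2.20. */
struct provider { const char *path; int minor; };
static const struct provider providers[] = {
    { "/example/provider_a.so", 11 },
    { "/example/provider_b.so", 20 },
    { "/example/provider_c.so", 20 },
};

/* Same range test as the pkcs11Conf.c excerpt, with lib_minor as a parameter. */
static int minor_out_of_range(int prov_minor, int lib_minor)
{
    return (prov_minor < EXAMPLE_WARN_MINOR) || (prov_minor > lib_minor);
}

/*
 * Warnings that reach the log after `loads` library loads (one per
 * connection), when the warning is sent at msg_priority and syslog keeps
 * priorities up to `threshold`. Lower number = more severe.
 */
int visible_warnings(int lib_minor, int msg_priority, int threshold, int loads)
{
    int per_load = 0;
    size_t i;

    for (i = 0; i < sizeof (providers) / sizeof (providers[0]); i++) {
        if (minor_out_of_range(providers[i].minor, lib_minor) &&
            msg_priority <= threshold)
            per_load++;
    }
    return per_load * loads;
}

int main(void)
{
    printf("minor 11, LOG_INFO:  %d\n", visible_warnings(11, LOG_INFO, LOG_INFO, 100));
    printf("minor 20, LOG_INFO:  %d\n", visible_warnings(20, LOG_INFO, LOG_INFO, 100));
    printf("minor 11, LOG_DEBUG: %d\n", visible_warnings(11, LOG_DEBUG, LOG_INFO, 100));
    return 0;
}
```

Either change alone silences the per-connection noise for v2.20 providers; the LOG_DEBUG change also covers providers that report a minor version newer than whatever the header is next bumped to.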