crypto: allow PK11 module to load even if it's already initialized

there is chance that other pieces of application loads PK11 module
already and does not finalize it before calling common_init_finish().

also, upon fork, PK11 module resets its entire status including `nsc_init`,
by which PK11 module tell if it is initialized or not. so the behavior
of NSS_InitContext() could be different before and after fork. that's
another reason to ignore CKR_CRYPTOKI_ALREADY_INITIALIZED error (see
NSS_GetError()).

Fixes: http://tracker.ceph.com/issues/19741
Signed-off-by: Kefu Chai <kchai@redhat.com>
(cherry picked from commit fcc3effd8b447ef0c54b4c806b8f6e996d7467dd)

diff --git a/src/common/ceph_crypto.cc b/src/common/ceph_crypto.cc
index 6da3232b1dc421e8e0e5f6cbaefc4fb1693c0787..eadc37e7f3555aaa0de4a95b02c8a8ab7462fdd6 100644 (file)
--- a/src/common/ceph_crypto.cc
+++ b/src/common/ceph_crypto.cc
@@ -66,7 +66,7 @@ void ceph::crypto::init(CephContext *cct)
     memset(&init_params, 0, sizeof(init_params));
     init_params.length = sizeof(init_params);
 
-    uint32_t flags = NSS_INIT_READONLY;
+    uint32_t flags = (NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);
     if (cct->_conf->nss_db_path.empty()) {
       flags |= (NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB);
     }