From 4e4b62b4c9ec8dc5eea025af31ae5761fdd127dd Mon Sep 17 00:00:00 2001
From: Kefu Chai
Date: Wed, 21 Jun 2017 14:25:01 +0800
Subject: [PATCH] crypto: allow PK11 module to load even if it's already initialized
there is chance that other pieces of application loads PK11 module already and does not finalize it before calling common_init_finish(). also, upon fork, PK11 module resets its entire status including `nsc_init`, by which PK11 module tell if it is initialized or not. so the behavior of NSS_InitContext() could be different before and after fork. that's another reason to ignore CKR_CRYPTOKI_ALREADY_INITIALIZED error (see NSS_GetError()).
Fixes: http://tracker.ceph.com/issues/19741
Signed-off-by: Kefu Chai
(cherry picked from commit fcc3effd8b447ef0c54b4c806b8f6e996d7467dd)
---
 src/common/ceph_crypto.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/common/ceph_crypto.cc b/src/common/ceph_crypto.cc
index 6da3232b1dc42..eadc37e7f3555 100644
--- a/src/common/ceph_crypto.cc
+++ b/src/common/ceph_crypto.cc
@@ -66,7 +66,7 @@ void ceph::crypto::init(CephContext *cct)
 memset(&init_params, 0, sizeof(init_params));
 init_params.length = sizeof(init_params);
- uint32_t flags = NSS_INIT_READONLY;
+ uint32_t flags = (NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);
 if (cct->_conf->nss_db_path.empty()) {
 flags |= (NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB);
 }
--
2.39.5
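Review bot: The new `NSS_INIT_PK11RELOAD` bit on the `flags` initialiser carries no comment, so the reason it is acceptable to tolerate an already-initialized PKCS#11 module is recorded only in the commit message. I would add above that line `// NSS_INIT_PK11RELOAD: ignore CKR_CRYPTOKI_ALREADY_INITIALIZED if other code in this process already loaded the PK11 module`. With the flag set, this context may end up using a module that another component initialized with its own settings, so it is worth confirming that the `NSS_InitContext()` result is still checked and a failure treated as fatal. That call is not visible here; `ceph::crypto::init` starts and ends outside the hunk.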