When the PKCS11 lib is loaded the first time, the following code is used - p11_load.c:
```c
int pkcs11_CTX_load(PKCS11_CTX *ctx, const char *name)
{
	PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
	CK_C_INITIALIZE_ARGS args;
	CK_INFO ck_info;
	int rv;

	cpriv->handle = C_LoadModule(name, &cpriv->method);
	if (!cpriv->handle) {
		P11err(P11_F_PKCS11_CTX_LOAD, P11_R_LOAD_MODULE_ERROR);
		return -1;
	}

	/* Tell the PKCS11 to initialize itself */
	memset(&args, 0, sizeof(args));
	/* Unconditionally say using OS locking primitives is OK */
	args.flags |= CKF_OS_LOCKING_OK;
	args.pReserved = cpriv->init_args;
	rv = cpriv->method->C_Initialize(&args);
```
After fork, the code below is used, which calls C_Initialize in single-threaded mode:
```c
/*
 * Reinitialize (e.g., after a fork).
 */
int pkcs11_CTX_reload(PKCS11_CTX_private *ctx)
{
	CK_C_INITIALIZE_ARGS _args;
	CK_C_INITIALIZE_ARGS *args = NULL;
	int rv;

	if (!ctx->method) /* Module not loaded */
		return 0;

	/* Tell the PKCS11 to initialize itself */
	if (ctx->init_args) {
		memset(&_args, 0, sizeof(_args));
		args = &_args;
		args->pReserved = ctx->init_args;
	}
	rv = ctx->method->C_Initialize(args);
```
This impacts issues with some PKCS11 libraries and HSMs configured with libp11 04.12, OpenSSL and Apache, i.e. after the 1st call Apache is not able to serve content - SSL error -> error in pkcs11_private_encrypt function.

Adding CKF_OS_LOCKING_OK to flags in pkcs11_CTX_reload solves the issue. Is there any reason it was not done before?
> Adding CKF_OS_LOCKING_OK to flags in pkcs11_CTX_reload solves the issue. Is there any reason it was not done before?

I don't think so. Apparently, you are the first person to notice the problem since pkcs11_CTX_reload() was added to libp11 8 years ago. Please submit a PR.
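
The change proposed in the issue, sketched as an added example (not libp11's own code and not from either poster): both initialization paths build their arguments in one helper, so the reload path cannot drop CKF_OS_LOCKING_OK. The PKCS#11 types are minimal stand-ins for pkcs11.h, and `stub_C_Initialize`, `build_init_args`, `reload_as_posted` and `reload_with_flag` are hypothetical names.

```c
#include <string.h>

/* Minimal stand-ins for the PKCS#11 types so this builds without pkcs11.h. */
typedef unsigned long CK_RV, CK_FLAGS;
#define CKR_OK            0UL
#define CKF_OS_LOCKING_OK 0x00000002UL /* value from the PKCS#11 specification */
typedef struct {
	void *CreateMutex, *DestroyMutex, *LockMutex, *UnlockMutex; /* unused here */
	CK_FLAGS flags;
	void *pReserved;
} CK_C_INITIALIZE_ARGS;

/* Hypothetical stub module: records which locking mode it was initialized in. */
static int stub_os_locking; /* 1 = OS locking allowed, 0 = single-threaded */
static CK_RV stub_C_Initialize(void *p)
{
	CK_C_INITIALIZE_ARGS *a = p;
	/* Per the PKCS#11 spec, NULL args or a clear flag means single-threaded use. */
	stub_os_locking = (a != NULL && (a->flags & CKF_OS_LOCKING_OK)) ? 1 : 0;
	return CKR_OK;
}

/* Hypothetical helper: the single place that builds C_Initialize arguments. */
static void build_init_args(CK_C_INITIALIZE_ARGS *args, void *init_args)
{
	memset(args, 0, sizeof(*args));
	args->flags |= CKF_OS_LOCKING_OK;
	args->pReserved = init_args;
}

/* Reload logic as posted in the issue: the flag is never set. */
static int reload_as_posted(void *init_args)
{
	CK_C_INITIALIZE_ARGS _args, *args = NULL;
	if (init_args) {
		memset(&_args, 0, sizeof(_args));
		args = &_args;
		args->pReserved = init_args;
	}
	return stub_C_Initialize(args) == CKR_OK ? stub_os_locking : -1;
}

/* Reload using the shared helper: same flags as the first load. */
static int reload_with_flag(void *init_args)
{
	CK_C_INITIALIZE_ARGS args;
	build_init_args(&args, init_args);
	return stub_C_Initialize(&args) == CKR_OK ? stub_os_locking : -1;
}

int main(void) { return (reload_as_posted(NULL) == 0 && reload_with_flag(NULL) == 1) ? 0 : 1; }
```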