Bug#1125519: Acknowledgement ((no subject))

Claudio Ferreira Filho filhocf at proton.me
Thu Jan 15 11:10:51 GMT 2026


From: Claudio Ferreira Filho <claudio.filho at dataprev.gov.br>
Date: Tue, 14 Jan 2026 15:30:00 -0300
Subject: [PATCH] pkcs11: Add fallback for modules that reject initialization flags

Some PKCS#11 modules (e.g., SafeSign IC 3.8.0.0) reject any flags in
C_Initialize() and return CKR_ARGUMENTS_BAD, but work correctly when
called with flags=0.

This patch adds a fallback attempt with flags=0 when a module returns
CKR_ARGUMENTS_BAD, maintaining compatibility with non-conforming modules
while preserving the current behavior for properly implemented modules.

Tested with:
- SafeSign IC Standard Linux 3.8.0.0 (AET Europe B.V.)
- Token: Giesecke & Devrient StarSign CUT S
- System: Debian GNU/Linux sid (GnuTLS 3.8.11)

Signed-off-by: Claudio Ferreira Filho <claudio.filho at dataprev.gov.br>
---
 lib/pkcs11.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 1234567..abcdefg 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -290,6 +290,13 @@ static int pkcs11_provider_init(struct gnutls_pkcs11_provider_st *provider,
 	args.reserved = (void *)reserved;
 	rv = module->C_Initialize(&args);
 
+	/* Some modules (e.g., SafeSign) reject any flags and only accept flags=0 */
+	if (rv == CKR_ARGUMENTS_BAD) {
+		_gnutls_debug_log("p11: Module %s rejected flags, trying with flags=0\n", name);
+		args.flags = 0;
+		rv = module->C_Initialize(&args);
+	}
+
 	if (rv == CKR_CANT_LOCK) {
 		args = no_thread_init_args;
 		args.reserved = (void *)reserved;
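Review bot: the retry at `if (rv == CKR_ARGUMENTS_BAD)` fires for every module and every cause of that return code, not only for rejected flags, and `args.flags = 0;` silently drops whatever flags the first call asked for. The retry still passes the same `args.reserved`, so if that pointer is what the module objected to, the second call fails the same way and the debug message "rejected flags" misleads. If the original flags include a locking flag (they are not visible in this hunk), a module initialized through this path has not been told that OS locking is acceptable, and under PKCS#11 a C_Initialize call with flags 0 and no mutex callbacks declares that the application will not use the library from multiple threads. Nothing records that the fallback was taken, so later code cannot serialize access to this provider. Consider mirroring the existing `CKR_CANT_LOCK` branch below by assigning a named, documented argument set instead of mutating `args` in place, storing on the provider that it was initialized without flags, and rewording the log to report the return code instead of asserting the cause. The `_gnutls_debug_log(...)` line is also well past 80 columns and should be wrapped.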
-- 
2.43.0


