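# (GNU) Makefile for Cryptech PKCS #11 implementation.
#
# Author: Rob Austein
# Copyright (c) 2015-2016, NORDUnet A/S
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# - Redistributions of source code must retain the above copyright notice,
#   this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
#   notice, this list of conditions and the following disclaimer in the
#   documentation and/or other materials provided with the distribution.
#
# - Neither the name of the NORDUnet nor the names of its contributors may
#   be used to endorse or promote products derived from this software
#   without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
# IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# Remove a half-written target when its recipe fails, so a truncated
# schema.h / attributes.h never looks "up to date" on the next run.
.DELETE_ON_ERROR:

# Command-style targets: always out of date, never confused with files
# of the same name.  "bully" is only defined when hsmbully is found;
# listing it here unconditionally is harmless.
.PHONY: all clean distclean tags test bully

# Locations of libraries on which this code depends.
# This will probably need to change if we go to VPATHs.

LIBHAL_DIR  = ../libhal
LIBTFM_DIR  = ../thirdparty/libtfm
SQLITE3_DIR = ../thirdparty/sqlite3

# Whether to enable threading.  Main reason for being able to turn it
# off is that gdb on the Novena (sometimes) goes bananas when
# threading is enabled.

ifndef ENABLE_THREADS
  ENABLE_THREADS := yes
endif

# Whether to enable debugging code that prints diagnostic information
# to stderr on various conditions (mostly failures).

ifndef ENABLE_DEBUGGING
  ENABLE_DEBUGGING := no
endif

# Whether to disable #warning statements; generally these are present for
# a reason, but they can get distracting when one is attempting to debug
# something else.

ifndef ENABLE_FOOTNOTE_WARNINGS
  ENABLE_FOOTNOTE_WARNINGS := yes
endif

# Whether to build and use our own copy of the sqlite3 library.
# Defaults to "yes" exactly when the bundled source directory exists.

ifndef ENABLE_OWN_SQLITE_LIBRARY
  ENABLE_OWN_SQLITE_LIBRARY := $(if $(wildcard ${SQLITE3_DIR}),yes,no)
endif

# Note that CFLAGS is set with ":=" here, so "make CFLAGS=..." on the
# command line replaces -fPIC/-std=c99/-I as well as the debug flags.
CFLAGS  := -g3 -fPIC -Wall -std=c99 -I${LIBHAL_DIR}

# Shared-object link flags.  -Bsymbolic/-Bsymbolic-functions bind the
# library's internal references to its own definitions at link time, so a
# host application that loads the module cannot interpose them;
# -z,noexecstack marks the stack non-executable; -soname fixes the name
# recorded in the DT_SONAME entry.  (Full RELRO, -Wl,-z,relro -Wl,-z,now,
# would be a reasonable further hardening for a library loaded into
# arbitrary host processes; not enabled here.)
SOFLAGS := -Wl,-Bsymbolic-functions -Wl,-Bsymbolic -Wl,-z,noexecstack -Wl,-soname,libpkcs11.so.0

LIBS    := ${LIBHAL_DIR}/libhal.a ${LIBTFM_DIR}/libtfm.a

ifeq "${ENABLE_FOOTNOTE_WARNINGS}" "no"
  CFLAGS += -Wno-\#warnings -Wno-cpp
endif

ifeq "${ENABLE_THREADS}" "yes"
  CFLAGS += -pthread
else
  CFLAGS += -DUSE_PTHREADS=0
endif

ifeq "${ENABLE_DEBUGGING}" "yes"
  CFLAGS += -DDEBUG_HAL=1 -DDEBUG_PKCS11=1
endif

ifeq "${ENABLE_OWN_SQLITE_LIBRARY}" "yes"
  CFLAGS  += -I${SQLITE3_DIR}
  SOFLAGS += ${SQLITE3_DIR}/libsqlite3.a
else
  SOFLAGS += -lsqlite3
endif

ifndef OBJCOPY
  OBJCOPY := objcopy
endif

all: libpkcs11.so p11util py11/attribute_map.py

# Only remove files this Makefile creates (py11/attribute_map.py is
# deliberately left alone, as in the original).
clean:
	rm -f pkcs11.o pkcs11.so libpkcs11.so* p11util p11util.o schema.h attributes.h

distclean: clean
	rm -f TAGS

# Generated headers.  GNUmakefile is a prerequisite so that changing the
# build configuration regenerates them.
schema.h: schema.sql scripts/convert-schema.sed GNUmakefile
	sed -f scripts/convert-schema.sed <$< >$@

attributes.h: attributes.yaml scripts/build-attributes GNUmakefile
	python scripts/build-attributes $< $@

py11/attribute_map.py: attributes.yaml scripts/build-py11-attributes GNUmakefile
	python scripts/build-py11-attributes $< $@

pkcs11.o: pkcs11.c schema.h attributes.h
	${CC} ${CFLAGS} -c $< -o $@

pkcs11.so: pkcs11.o ${LIBS}
	${CC} ${CFLAGS} -shared -o $@ ${SOFLAGS} ${LDFLAGS} $^

# The installable module keeps only the PKCS #11 entry points (C_*) as
# global symbols; everything else (libhal, libtfm, sqlite3 internals) is
# made local.  This limits the exported surface and avoids symbol clashes
# with whatever application loads the module.
libpkcs11.so: pkcs11.so
	${OBJCOPY} -w -G 'C_*' $< $@

p11util.o: p11util.c schema.h
	${CC} ${CFLAGS} -c $< -o $@

p11util: p11util.o ${LIBS}
	${CC} ${CFLAGS} -o $@ ${LDFLAGS} $^

tags: TAGS

TAGS: *.[ch]
	etags $^

# Basic testing, via the Python unittest library and our py11 interface code.
# Runs under sudo -- presumably for access to the HSM device; confirm before
# relaxing this.

test: all
	sudo python unit_tests.py

# Further testing using hsmbully, if we can find a copy of it.
# The search looks in the current directory before ${PATH}, so a local
# ./hsmbully takes precedence over an installed one.

HSMBULLY := $(firstword $(wildcard $(addsuffix /hsmbully,$(subst :, ,.:${PATH}))))

ifneq "${HSMBULLY}" ""

HSMBULLY_OPTIONS := \
	--pin fnord --so-pin fnord --pkcs11lib $(abspath libpkcs11.so) \
	--verbose=9 --fast-and-frivolous --skip-fragmentation --skip-keysizing

HSMBULLY_DATABASE=$(abspath hsmbully.pkcs11.db)
HSMBULLY_KS_CLIENT=$(abspath hsmbully.client-keystore)
HSMBULLY_KS_SERVER=$(abspath hsmbully.server-keystore)
HSMBULLY_SERVER_BIN=$(wildcard $(abspath ../libhal/tests/test-rpc_server))

# The PINs below are throwaway test fixtures for a scratch keystore and
# database that are created and deleted by this recipe; "set -x" will echo
# them, which is fine for that reason.  The recipe records the exit status
# of the PIN setup and of hsmbully itself in $rc so that a failed run makes
# "make bully" fail even though the cleanup "rm -f" runs last.  The
# "sleep 5" is a fixed wait for the RPC server to come up, not a readiness
# check.
bully: all
	set -x; \
	sudo rm -f ${HSMBULLY_DATABASE} ${HSMBULLY_DATABASE}-journal ${HSMBULLY_KS_CLIENT} ${HSMBULLY_KS_SERVER}; \
	rc=0; \
	if test -x '${HSMBULLY_SERVER_BIN}'; \
	then \
	    sudo CRYPTECH_KEYSTORE=${HSMBULLY_KS_SERVER} ${HSMBULLY_SERVER_BIN} & \
	    pid=$$!; \
	    sleep 5; \
	    (echo YouReallyNeedToChangeThisPINRightNowWeAreNotKidding; echo fnord; echo fnord) | \
	    CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ./p11util --set-so-pin --set-user-pin --pin-from-stdin || rc=$$?; \
	    PKCS11_DATABASE=${HSMBULLY_DATABASE} CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ${HSMBULLY} ${HSMBULLY_OPTIONS} || rc=$$?; \
	    sudo kill $$pid; \
	else \
	    (echo YouReallyNeedToChangeThisPINRightNowWeAreNotKidding; echo fnord; echo fnord) | \
	    sudo CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ./p11util --set-so-pin --set-user-pin --pin-from-stdin || rc=$$?; \
	    sudo PKCS11_DATABASE=${HSMBULLY_DATABASE} CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ${HSMBULLY} ${HSMBULLY_OPTIONS} || rc=$$?; \
	fi; \
	sudo rm -f ${HSMBULLY_DATABASE} ${HSMBULLY_DATABASE}-journal ${HSMBULLY_KS_CLIENT} ${HSMBULLY_KS_SERVER}; \
	exit $$rc

endif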