# (GNU) Makefile for Cryptech PKCS #11 implementation. # # Author: Rob Austein # Copyright (c) 2015-2016, NORDUnet A/S # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are # met: # - Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. # # - Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # - Neither the name of the NORDUnet nor the names of its contributors may # be used to endorse or promote products derived from this software # without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS # IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A # PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED # TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR # PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # Locations of libraries on which this code depends. ifndef CRYPTECH_ROOT CRYPTECH_ROOT := $(abspath ../..) endif PKCS11_DIR ?= ${CRYPTECH_ROOT}/sw/pkcs11 LIBHAL_SRC ?= ${CRYPTECH_ROOT}/sw/libhal LIBHAL_BLD ?= ${PKCS11_DIR}/libhal LIBTFM_SRC ?= ${CRYPTECH_ROOT}/sw/thirdparty/libtfm LIBTFM_BLD ?= ${PKCS11_DIR}/libtfm SQLITE3_SRC ?= ${CRYPTECH_ROOT}/sw/thirdparty/sqlite3 SQLITE3_BLD ?= ${PKCS11_DIR}/sqlite3 # Whether to enable threading. Main reason for being able to turn it # off is that gdb on the Novena (sometimes) goes bananas when # threading is enabled. ENABLE_THREADS ?= yes # Whether to enable debugging code that prints diagnostic information # to stderr on various conditions (mostly failures). ENABLE_DEBUGGING ?= no # Whether to disable #warning statements; generally these are present for # a reason, but they can get distracting when one is attempting to debug # something else. ENABLE_FOOTNOTE_WARNINGS ?= yes # Whether to build and use our own copy of the sqlite3 library. ENABLE_OWN_SQLITE_LIBRARY ?= $(if $(wildcard ${CRYPTECH_ROOT}/sw/thirdparty/sqlite3),yes,no) # Target platform for shared library. Every platform has its own # kinks, as does GNU libtool, so we just suck it up and do the # necessary kinks for the platforms we support. Yuck. UNAME := $(shell uname) # Compilation flags, etc. CFLAGS += -g3 -fPIC -Wall -std=c99 -I${LIBHAL_SRC} LIBS := ${LIBHAL_BLD}/libhal.a ${LIBTFM_BLD}/libtfm.a # At present, the RPC daemon works on Linux but not on OSX, because the current daemon # protocol runs over SOCK_SEQPACKET sockets, which Apple doesn't support. In the long run # this will be a non-issue, as we expect to reimplement the daemon protocol using a secure # channel which will almost certainly run over SOCK_STREAM instead of SOCK_SEQPACKET. # # But this is all moot, because the HSM code to support use of multiple FPGA cores in # parallel doesn't quite work properly yet, so the daemon doesn't really buy us anything # useful, and just adds a bit of extra complexity to setup on Linux. # # So, for the moment, the default LIBHAL_TARGET is "serial" on all platforms. If for some # reason you want to try out the daemon on Linux, just change this to "daemon". LIBHAL_TARGET := serial ifeq "${UNAME}" "Darwin" SONAME := libcryptech-pkcs11.dylib SOFLAGS := -dynamiclib # LIBHAL_TARGET := serial else SONAME := libcryptech-pkcs11.so SOFLAGS := -Wl,-Bsymbolic-functions -Wl,-Bsymbolic -Wl,-z,noexecstack -Wl,-soname,${SONAME}.0 # LIBHAL_TARGET := daemon endif ifeq "${ENABLE_FOOTNOTE_WARNINGS}" "no" CFLAGS += -Wno-\#warnings -Wno-cpp endif ifneq "${ENABLE_THREADS}" "yes" CFLAGS += -DUSE_PTHREADS=0 else ifneq "${UNAME}" "Darwin" CFLAGS += -pthread endif ifeq "${ENABLE_DEBUGGING}" "yes" CFLAGS += -DDEBUG_HAL=1 -DDEBUG_PKCS11=1 endif ifeq "${ENABLE_OWN_SQLITE_LIBRARY}" "yes" CFLAGS += -I${SQLITE3_BLD} SOFLAGS += ${SQLITE3_BLD}/libsqlite3.a else SOFLAGS += -lsqlite3 endif ifndef OBJCOPY OBJCOPY := objcopy endif all: ${SONAME} p11util py11/attribute_map.py clean: rm -rf *.o ${SONAME}* p11util schema.h attributes.h py11/*.pyc ${MAKE} -C libtfm $@ ${MAKE} -C libhal $@ ifeq "${ENABLE_OWN_SQLITE_LIBRARY}" "yes" ${MAKE} -C sqlite3 $@ endif distclean: clean rm -f TAGS .FORCE: ${LIBTFM_BLD}/libtfm.a: .FORCE ${MAKE} -C libtfm ${LIBHAL_BLD}/libhal.a: .FORCE ${LIBTFM_BLD}/libtfm.a ${MAKE} -C libhal ${LIBHAL_TARGET} ${SQLITE3_BLD}/libsqlite3.a: .FORCE ${MAKE} -C sqlite3 schema.h: schema.sql scripts/convert-schema.sed Makefile sed -f scripts/convert-schema.sed schema.h attributes.h: attributes.yaml scripts/build-attributes Makefile python scripts/build-attributes attributes.yaml attributes.h py11/attribute_map.py: attributes.yaml scripts/build-py11-attributes Makefile python scripts/build-py11-attributes attributes.yaml py11/attribute_map.py pkcs11.o: pkcs11.c schema.h attributes.h ${LIBS} ${CC} ${CFLAGS} -c $< ifeq "${ENABLE_OWN_SQLITE_LIBRARY}" "yes" pkcs11.o: ${SQLITE3_BLD}/libsqlite3.a endif ifeq "${UNAME}" "Darwin" ${SONAME}: pkcs11.o ${LIBS} nm $< | awk 'NF == 3 && $$2 == "T" && $$3 ~ /^_C_/ {print $$3}' >$@.tmp ${CC} -Wl,-exported_symbols_list,$@.tmp -o $@ $^ ${SOFLAGS} ${LDFLAGS} rm -f $@.tmp else ${SONAME}: pkcs11.o ${LIBS} ${CC} ${CFLAGS} -Wl,--version-script=libcryptech-pkcs11.map -shared -o $@ $^ ${SOFLAGS} ${LDFLAGS} endif p11util.o: p11util.c schema.h ${CC} ${CFLAGS} -c $< p11util: p11util.o ${LIBS} ${CC} ${CFLAGS} -o $@ $^ ${LDFLAGS} tags: TAGS TAGS: *.[ch] etags $^ # Basic testing, via the Python unittest library and our py11 interface code test: all python unit_tests.py # Further testing using hsmbully, if we can find a copy of it. HSMBULLY := $(firstword $(wildcard $(addsuffix /hsmbully,$(subst :, ,.:${PATH})))) ifneq "${HSMBULLY}" "" HSMBULLY_OPTIONS := \ --pin fnord --so-pin fnord --pkcs11lib $(abspath ${SONAME}) \ --verbose=9 --fast-and-frivolous --skip-fragmentation --skip-keysizing HSMBULLY_DATABASE=$(abspath hsmbully.pkcs11.db) HSMBULLY_KS_CLIENT=$(abspath hsmbully.client-keystore) HSMBULLY_KS_SERVER=$(abspath hsmbully.server-keystore) HSMBULLY_SERVER_BIN=$(wildcard $(abspath ../libhal/tests/test-rpc_server)) bully: all set -x; \ rm -f ${HSMBULLY_DATABASE} ${HSMBULLY_DATABASE}-journal ${HSMBULLY_KS_CLIENT} ${HSMBULLY_KS_SERVER}; \ if test -x '${HSMBULLY_SERVER_BIN}'; \ then \ CRYPTECH_KEYSTORE=${HSMBULLY_KS_SERVER} ${HSMBULLY_SERVER_BIN} & \ pid=$$!; \ sleep 5; \ (echo YouReallyNeedToChangeThisPINRightNowWeAreNotKidding; echo fnord; echo fnord) | \ CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ./p11util --set-so-pin --set-user-pin --pin-from-stdin; \ PKCS11_DATABASE=${HSMBULLY_DATABASE} CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ${HSMBULLY} ${HSMBULLY_OPTIONS}; \ kill $$pid; \ else \ (echo YouReallyNeedToChangeThisPINRightNowWeAreNotKidding; echo fnord; echo fnord) | \ CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ./p11util --set-so-pin --set-user-pin --pin-from-stdin; \ PKCS11_DATABASE=${HSMBULLY_DATABASE} CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ${HSMBULLY} ${HSMBULLY_OPTIONS}; \ fi; \ rm -f ${HSMBULLY_DATABASE} ${HSMBULLY_DATABASE}-journal ${HSMBULLY_KS_CLIENT} ${HSMBULLY_KS_SERVER} endif