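# (GNU) Makefile for Cryptech PKCS #11 implementation.
#
# Author: Rob Austein
# Copyright (c) 2015-2016, NORDUnet A/S
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# - Redistributions of source code must retain the above copyright notice,
#   this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
#   notice, this list of conditions and the following disclaimer in the
#   documentation and/or other materials provided with the distribution.
#
# - Neither the name of the NORDUnet nor the names of its contributors may
#   be used to endorse or promote products derived from this software
#   without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
# IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# Remove a target whose recipe failed part-way, so that a truncated
# generated file (schema.h, attributes.h, the shared library) can never
# look "up to date" on the next run.
.DELETE_ON_ERROR:

# Targets that are commands rather than files.  Without this a stray file
# named "clean" or "test" would silently disable the target.  "bully" is
# only defined when hsmbully is found; declaring it phony anyway is harmless.
.PHONY: all clean distclean tags test bully .FORCE

# Locations of libraries on which this code depends.

ifndef CRYPTECH_ROOT
CRYPTECH_ROOT := $(abspath ../..)
endif

PKCS11_DIR  ?= ${CRYPTECH_ROOT}/sw/pkcs11
LIBHAL_DIR  ?= ${PKCS11_DIR}/libhal
LIBTFM_DIR  ?= ${PKCS11_DIR}/libtfm
SQLITE3_DIR ?= ${PKCS11_DIR}/sqlite3

# Whether to enable threading.  Main reason for being able to turn it
# off is that gdb on the Novena (sometimes) goes bananas when
# threading is enabled.

ENABLE_THREADS ?= yes

# Whether to enable debugging code that prints diagnostic information
# to stderr on various conditions (mostly failures).

ENABLE_DEBUGGING ?= no

# Whether to disable #warning statements; generally these are present for
# a reason, but they can get distracting when one is attempting to debug
# something else.

ENABLE_FOOTNOTE_WARNINGS ?= yes

# Whether to build and use our own copy of the sqlite3 library.
# Defaults to "yes" exactly when the bundled third-party sqlite3 tree exists.

ENABLE_OWN_SQLITE_LIBRARY ?= $(if $(wildcard ${CRYPTECH_ROOT}/sw/thirdparty/sqlite3),yes,no)

# Target platform for shared library.  Every platform has its own
# kinks, as does GNU libtool, so we just suck it up and do the
# necessary kinks for the platforms we support.  Yuck.

UNAME := $(shell uname)

# Compilation flags, etc.
#
# On non-Darwin platforms the link flags bind the library's own symbol
# references locally (-Bsymbolic*), mark the stack non-executable
# (-z,noexecstack) and set the soname.  The exported symbol set is
# further restricted to the PKCS #11 entry points (C_*) in the
# ${SONAME} rules below.

CFLAGS := -g3 -fPIC -Wall -std=c99 -I${CRYPTECH_ROOT}/sw/libhal
LIBS := ${LIBHAL_DIR}/libhal.a ${LIBTFM_DIR}/libtfm.a

ifeq "${UNAME}" "Darwin"
SONAME := libpkcs11.dylib
SOFLAGS := -dynamiclib
else
SONAME := libpkcs11.so
SOFLAGS := -Wl,-Bsymbolic-functions -Wl,-Bsymbolic -Wl,-z,noexecstack -Wl,-soname,${SONAME}.0
endif

ifeq "${ENABLE_FOOTNOTE_WARNINGS}" "no"
CFLAGS += -Wno-\#warnings -Wno-cpp
endif

ifneq "${ENABLE_THREADS}" "yes"
CFLAGS += -DUSE_PTHREADS=0
else ifneq "${UNAME}" "Darwin"
CFLAGS += -pthread
endif

ifeq "${ENABLE_DEBUGGING}" "yes"
CFLAGS += -DDEBUG_HAL=1 -DDEBUG_PKCS11=1
endif

ifeq "${ENABLE_OWN_SQLITE_LIBRARY}" "yes"
CFLAGS  += -I${SQLITE3_DIR}
SOFLAGS += ${SQLITE3_DIR}/libsqlite3.a
else
SOFLAGS += -lsqlite3
endif

ifndef OBJCOPY
OBJCOPY := objcopy
endif

all: ${SONAME} p11util py11/attribute_map.py

# Sub-directory recipes use "cd dir && ${MAKE}" rather than "cd dir; ${MAKE}":
# with ";" a failed cd would run the sub-make in *this* directory (for
# "clean", recursively) instead of failing the build.
clean:
	rm -rf *.o ${SONAME}* p11util schema.h attributes.h
	cd libtfm && ${MAKE} $@
	cd libhal && ${MAKE} $@
ifeq "${ENABLE_OWN_SQLITE_LIBRARY}" "yes"
	cd sqlite3 && ${MAKE} $@
endif

distclean: clean
	rm -f TAGS

# Always-out-of-date prerequisite: the library rules below delegate the
# real dependency tracking to the sub-directory makefiles, so they are
# re-run on every build.
.FORCE:

${LIBTFM_DIR}/libtfm.a: .FORCE
	cd libtfm && ${MAKE}

${LIBHAL_DIR}/libhal.a: .FORCE ${LIBTFM_DIR}/libtfm.a
	cd libhal && ${MAKE} daemon

${SQLITE3_DIR}/libsqlite3.a: .FORCE
	cd sqlite3 && ${MAKE}

# Generated headers.  Each recipe writes exactly its target; together with
# .DELETE_ON_ERROR a failing generator cannot leave a stale/partial header.
schema.h: schema.sql scripts/convert-schema.sed GNUmakefile
	sed -f scripts/convert-schema.sed $< >$@

attributes.h: attributes.yaml scripts/build-attributes GNUmakefile
	python scripts/build-attributes attributes.yaml attributes.h

py11/attribute_map.py: attributes.yaml scripts/build-py11-attributes GNUmakefile
	python scripts/build-py11-attributes attributes.yaml py11/attribute_map.py

pkcs11.o: pkcs11.c schema.h attributes.h ${LIBS}
	${CC} ${CFLAGS} -c $<

ifeq "${ENABLE_OWN_SQLITE_LIBRARY}" "yes"
pkcs11.o: ${SQLITE3_DIR}/libsqlite3.a
endif

# Shared library.  Both branches restrict the exported (global) symbols to
# the PKCS #11 entry points: on Darwin via an explicit export list built
# from the "_C_*" text symbols, elsewhere via objcopy keeping only "C_*".

ifeq "${UNAME}" "Darwin"

${SONAME}: pkcs11.o ${LIBS}
	nm $< | awk 'NF == 3 && $$2 == "T" && $$3 ~ /^_C_/ {print $$3}' >$@.tmp
	${CC} -Wl,-exported_symbols_list,$@.tmp -o $@ $^ ${SOFLAGS} ${LDFLAGS}
	rm -f $@.tmp

else

${SONAME}: pkcs11.o ${LIBS}
	${CC} ${CFLAGS} -shared -o $@.tmp $^ ${SOFLAGS} ${LDFLAGS}
	${OBJCOPY} -w -G 'C_*' $@.tmp $@
	rm -f $@.tmp

endif

p11util.o: p11util.c schema.h
	${CC} ${CFLAGS} -c $<

p11util: p11util.o ${LIBS}
	${CC} ${CFLAGS} -o $@ $^ ${LDFLAGS}

tags: TAGS

TAGS: *.[ch]
	etags $^

# Basic testing, via the Python unittest library and our py11 interface code

test: all
	sudo python unit_tests.py

# Further testing using hsmbully, if we can find a copy of it.
# Note the search list is ".:${PATH}", so a copy in the current directory
# takes precedence over one on ${PATH}.

HSMBULLY := $(firstword $(wildcard $(addsuffix /hsmbully,$(subst :, ,.:${PATH}))))

ifneq "${HSMBULLY}" ""

# The PINs below are throwaway test values: the recipe creates a scratch
# database and keystores, sets these PINs on them, and removes everything
# again when it finishes.

HSMBULLY_OPTIONS := \
  --pin fnord --so-pin fnord --pkcs11lib $(abspath ${SONAME}) \
  --verbose=9 --fast-and-frivolous --skip-fragmentation --skip-keysizing

# Recursive (=) on purpose for HSMBULLY_SERVER_BIN: the wildcard is then
# evaluated when the recipe runs, not at parse time.  NOTE(review): the
# other three could be ":=" but are left as-is to keep behaviour identical.
HSMBULLY_DATABASE=$(abspath hsmbully.pkcs11.db)
HSMBULLY_KS_CLIENT=$(abspath hsmbully.client-keystore)
HSMBULLY_KS_SERVER=$(abspath hsmbully.server-keystore)
HSMBULLY_SERVER_BIN=$(wildcard $(abspath ../libhal/tests/test-rpc_server))

# If a test RPC server binary is present, run it (as root) in the
# background for the duration of the test and kill it afterwards;
# otherwise talk to the keystore directly, which needs sudo.
bully: all
	set -x; \
	sudo rm -f ${HSMBULLY_DATABASE} ${HSMBULLY_DATABASE}-journal ${HSMBULLY_KS_CLIENT} ${HSMBULLY_KS_SERVER}; \
	if test -x '${HSMBULLY_SERVER_BIN}'; \
	then \
		sudo CRYPTECH_KEYSTORE=${HSMBULLY_KS_SERVER} ${HSMBULLY_SERVER_BIN} & \
		pid=$$!; \
		sleep 5; \
		(echo YouReallyNeedToChangeThisPINRightNowWeAreNotKidding; echo fnord; echo fnord) | \
		CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ./p11util --set-so-pin --set-user-pin --pin-from-stdin; \
		PKCS11_DATABASE=${HSMBULLY_DATABASE} CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ${HSMBULLY} ${HSMBULLY_OPTIONS}; \
		sudo kill $$pid; \
	else \
		(echo YouReallyNeedToChangeThisPINRightNowWeAreNotKidding; echo fnord; echo fnord) | \
		sudo CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ./p11util --set-so-pin --set-user-pin --pin-from-stdin; \
		sudo PKCS11_DATABASE=${HSMBULLY_DATABASE} CRYPTECH_KEYSTORE=${HSMBULLY_KS_CLIENT} ${HSMBULLY} ${HSMBULLY_OPTIONS}; \
	fi; \
	sudo rm -f ${HSMBULLY_DATABASE} ${HSMBULLY_DATABASE}-journal ${HSMBULLY_KS_CLIENT} ${HSMBULLY_KS_SERVER}

endif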