introduce GENCMP_NO_SECUTILS and GENCMP_NO_TLS

CMakeLists.txt

@@ -116,6 +116,9 @@ add_executable(cmpClient
   ${SRC_DIR}/cmpClient.c
 )
 
+# TODO support GENCMP_NO_SECUTILS, which disables libSecUtils use and CLI
+# TODO support GENCMP_NO_TLS     , which disables SSL/TLS use
+
 target_link_libraries(cmpClient
   ${LIBGENCMP_NAME}
   security-utilities::library

Makefile_src

@@ -7,6 +7,7 @@
 # Optional LIBCMP_INC defines the directory of the libcmp header files, must be non-empty if and only if libcmp is used (USE_LIBCMP).
 # All paths may be absolute or relative to the directory containing this Makefile.
 # With USE_LIBCMP, setting STATIC_LIBCMP leads to static linking with libcmp.a .
+# Optional GENCMP_NO_SECUTILS disables libSecUtils use, CLI, demos, and tests
 # Optional DEBUG_FLAGS may set to prepend to local CFLAGS and LDFLAGS (default see below).
 # OSSL_VERSION_QUIRKS maybe be needed to provide for setting OpenSSL compilation version quirks.
 
@@ -97,7 +98,9 @@ override CFLAGS += \
 override CFLAGS +=-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement -Wno-expansion-to-defined \
   -Wno-sign-conversion -Wno-shorten-64-to-32 -Wno-shadow # due to libsecutils
 ifeq ($(LPATH),)
-   override CFLAGS += -I$(SECUTILS_DIR)/src/libsecutils/include
+  ifndef GENCMP_NO_SECUTILS
+    override CFLAGS += -I$(SECUTILS_DIR)/src/libsecutils/include
+  endif
 endif
 ifneq ($(LIBCMP_INC),)
     ifeq ($(DEB_TARGET_ARCH),) # not during Debian packaging
@@ -124,15 +127,21 @@ ifneq ($(LIBCMP_INC),)
 endif
 # important: place libcmp before libcrypto such that its contents are preferred
 
-override LIBS += -lsecutils
-ifdef SECUTILS_NO_TLS
-    override CFLAGS += -DSECUTILS_NO_TLS=1
+ifndef GENCMP_NO_SECUTILS
+    override LIBS += -lsecutils
+else
+    override CFLAGS += -DGENCMP_NO_SECUTILS=1
+endif
+ifdef GENCMP_NO_TLS
+    override CFLAGS += -DGENCMP_NO_TLS=1
 else
     override LIBS += -lssl
 endif
 override LIBS += -lcrypto
-ifdef SECUTILS_USE_UTA
+ifndef GENCMP_NO_SECUTILS
+  ifdef SECUTILS_USE_UTA
     override LIBS += -luta
+  endif
 endif
 
 override LDFLAGS += $(DEBUG_FLAGS) # needed for -fsanitize=...
@@ -157,14 +166,18 @@ ifeq ($(LPATH),)
         # endif
     endif
 #   not needed due to OUT_DIR set also for libsecutils and cmpossl:
-#   override LDFLAGS += -L $(SECUTILS_DIR)
+#   ifndef GENCMP_NO_SECUTILS
+#       override LDFLAGS += -L $(SECUTILS_DIR)
+#   endif
 #   ifneq ($(LIBCMP_INC),)
 #       override LDFLAGS += -L $(LIBCMP_DIR)
 #   endif
     ifeq ($(DEB_TARGET_ARCH),) # not during Debian packaging
         ifneq ($(PREFIX),)
 #           not needed due to OUT_DIR set also for libsecutils and cmpossl:
-#           override LDFLAGS += -Wl,-rpath,$(SECUTILS_DIR_)
+#           ifndef GENCMP_NO_SECUTILS
+#               override LDFLAGS += -Wl,-rpath,$(SECUTILS_DIR_)
+#           endif
 #           ifneq ($(LIBCMP_INC),)
 #               override LDFLAGS += -Wl,-rpath,$(LIBCMP_DIR_)
 #           endif
@@ -199,10 +212,14 @@ DEPS = $(SRCS:.c=.d)
 
 CMPCLIENT = $(PREFIX)$(BIN_DIR)/cmpClient$(EXE)
 
-ifeq ($(BIN_DIR),)
-BINARIES =
+ifdef GENCMP_NO_SECUTILS
+    BINARIES =
 else
-BINARIES = $(CMPCLIENT)
+    ifeq ($(BIN_DIR),)
+        BINARIES =
+    else
+        BINARIES = $(CMPCLIENT)
+    endif
 endif
 
 ########## rules and targets
@@ -214,9 +231,11 @@ ifeq ($(LPATH),)
 	@echo "Copying OpenSSL DLLs to base directory for convenient use with Windows"
 	@cp --preserve=timestamps $(OPENSSL_LIB)/$(OPENSSL_DLLS) $(PREFIX_DEST)
 endif
+ifndef GENCMP_NO_SECUTILS
 	@echo "Copying SecUtils DLL to base directory for convenient use with Windows"
 	@cp --preserve=timestamps $(SECUTILS_LIB) $(PREFIX_DEST) # $(OPENSSL_LIB)/*{crypto,ssl}*.dll
 endif
+endif
 
 ifeq ($(findstring clean,$(MAKECMDGOALS)),)
 -include $(DEPS)

Makefile_v1

@@ -1,6 +1,8 @@
 #!/usr/bin/make
 
 # Optional USE_LIBCMP requires the use of the intermediate libcmp
+# Optional GENCMP_NO_SECUTILS disables libSecUtils use, CLI, demos, and tests
+# Optional GENCMP_NO_TLS disables SSL/TLS use
 # Optional LPATH defines where to find any pre-installed libsecutils and UTA libraries, e.g., /usr/lib
 # Optional OPENSSL_DIR defines where to find the OpenSSL installation
 #   with header files at include/openssl (default: will try, e.g., /usr).
@@ -9,7 +11,7 @@
 # Optional CFLAGS and LDFLAGS are appended by local settings.
 # Optional DEBUG_FLAGS may set to prepend to local CFLAGS and LDFLAGS. Also CFLAGS is passed to build goals.
 # Builds are done in release mode if optional NDEBUG is defined.
-# Optional OUT_DIR defines where libsecutils, libgencmp, and (optional) libcmp shall be placed (default: LPATH if set, otherwise '.').
+# Optional OUT_DIR defines where libsecutils (unless disabled), libgencmp, and (optional) libcmp shall be placed (default: LPATH if set, otherwise '.').
 # Optional BIN_DIR defines where the CLI application shall be placed (default: OUT_DIR)
 # Optional DESTDIR defines a prefix for the installation target directories.
 # Optional OPENSSL specifies the OpenSSL CLI application (including path) to use
@@ -265,15 +267,24 @@ default: $(OUT_DIR_BIN)
 $(OUT_DIR_BIN): | build # if $OUT_DIR_BIN already exists, would be nice not to run 'build'
 # but even the 'order-only' prerequisite does not prevent running 'build'
 
+ifdef GENCMP_NO_TLS
+    export GENCMP_NO_TLS=1
+    export SECUTILS_NO_TLS=1
+endif
+ifdef GENCMP_NO_SECUTILS
+    export GENCMP_NO_SECUTILS=1
+else
 ifdef SECUTILS_USE_ICV
     export SECUTILS_USE_ICV=1
 endif
 ifdef SECUTILS_USE_UTA
     export SECUTILS_USE_UTA=1
 endif
 ifdef SECUTILS_NO_TLS
+    export GENCMP_NO_TLS=1
     export SECUTILS_NO_TLS=1
 endif
+endif # def GENCMP_NO_SECUTILS
 
 .phony: submodules
 ifneq ($(LPATH),)
@@ -285,7 +296,10 @@ submodules: build_submodules
 build_submodules: get_submodules build_secutils build_cmpossl
 # might use $(SECUTILS_LIB) $(LIBCMP_INC) instead but does not check for updates
 
+get_submodules:
+ifndef GENCMP_NO_SECUTILS
 get_submodules: $(SECUTILS_DIR)/src/libsecutils/include
+endif
 ifdef USE_LIBCMP
 get_submodules: $(LIBCMP_DIR)/include
 endif
@@ -295,6 +309,7 @@ update: update_secutils update_cmpossl
 	git rebase
 	git submodule update
 
+ifndef GENCMP_NO_SECUTILS
 $(SECUTILS_DIR)/src/libsecutils/include:
 	$(MAKE) -f Makefile_v1 update_secutils
 
@@ -306,15 +321,20 @@ else
 endif
 $(SECUTILS_OUT_LIB):
 	build_secutils
+endif
 
 .phony: update_secutils build_secutils
 update_secutils:
+ifndef GENCMP_NO_SECUTILS
 	git submodule update $(GIT_PROGRESS) --init $(GIT_DEPTH) $(SECUTILS_DIR)
 SECUTILS_FLAGS = SECUTILS_NO_TLS=$(SECUTILS_NO_TLS) \
     SECUTILS_USE_ICV=$(SECUTILS_USE_ICV) SECUTILS_USE_UTA=$(SECUTILS_USE_UTA)
+endif
 build_secutils: # not: update_secutils
+ifndef GENCMP_NO_SECUTILS
 	@ # cannot split line using '\' as Debian packaging cannot handle this
 	$(MAKE) -C $(SECUTILS_DIR) -f Makefile_v1 build_all $(SECUTILS_FLAGS) $(BUILD_SUBDIRS) $(BUILD_FLAGS) -s
+endif
 
 ifdef USE_LIBCMP
 $(LIBCMP_DIR)/include:
@@ -343,7 +363,9 @@ ifdef USE_LIBCMP
 endif
 
 clean_submodules:
+ifndef GENCMP_NO_SECUTILS
 	rm -rf $(SECUTILS_DIR) $(SECUTILS_OUT_LIB)*
+endif
 ifdef USE_LIBCMP
 	rm -rf $(LIBCMP_DIR) $(LIBCMP_OUT_LIB)*
 endif
@@ -364,11 +386,13 @@ ifeq ($(DEB_BUILD_ARCH),) # avoid weird syntax error on '\' with Debian packagin
 	    echo "WARNING: OpenSSL version '$$LIBCMP_OPENSSL_VERSION' used for building libcmp does not match '$(OPENSSL_VERSION)' to be used for building cmpClient"; \
 	fi
     endif
+    ifndef GENCMP_NO_SECUTILS
 	@export SECUTILS_OPENSSL_VERSION=`$(MAKE) -s 2>/dev/null --no-print-directory -f OpenSSL_version.mk SOURCE="$(SECUTILS_OUT_LIB)"` && \
 	if [[ "$$SECUTILS_OPENSSL_VERSION" != "$(OPENSSL_VERSION)" && \
 	      "$$SECUTILS_OPENSSL_VERSION" != "$(OPENSSL_MAJOR_VERSION)" ]]; then \
 	    echo "WARNING: OpenSSL version '$$SECUTILS_OPENSSL_VERSION' used for building libsecutils does not match '$(OPENSSL_VERSION)' to be used for building cmpClient"; \
 	fi
+    endif
 endif
 
 GENCMPCLIENT_CONFIG=include/genericCMPClient_config.h
@@ -390,14 +414,17 @@ endif
 BUILD_ONLY_DIRS = OUT_DIR="$(OUT_DIR)" BIN_DIR="$(BIN_DIR)" \
     LIB_NAME="$(OUTLIB)" VERSION="$(VERSION)" LIBCMP_INC="$(LIBCMP_INC)" \
     OPENSSL_DIR="$(OPENSSL_DIR)" OPENSSL_LIB="$(OPENSSL_LIB)" \
+    GENCMP_NO_SECUTILS=$(GENCMP_NO_SECUTILS) GENCMP_NO_TLS=$(GENCMP_NO_TLS) \
     INSTALL_DEB_PKGS=$(INSTALL_DEB_PKGS) DEB_TARGET_ARCH=$(DEB_TARGET_ARCH)
 build_only: $(GENCMPCLIENT_CONFIG)
 	@ # cannot split line using '\' as Debian packaging cannot handle this
 	$(MAKE) -f Makefile_src build $(BUILD_ONLY_DIRS) $(BUILD_FLAGS)
 
 build_no_tls:
+ifndef GENCMP_NO_SECUTILS
 	$(MAKE) -C $(SECUTILS_DIR) -f Makefile_v1 clean_config
-	$(MAKE) -f Makefile_v1 build $(BUILD_FLAGS) SECUTILS_NO_TLS=1
+endif
+	$(MAKE) -f Makefile_v1 build $(BUILD_FLAGS) GENCMP_NO_TLS=1
 
 
 # cleaning #####################################################################
@@ -444,6 +471,9 @@ clean_all: clean clean_deb
 	rm -f install_manifest*.txt compile_commands.json
 	rm -f doc/$(OUT_DOC) doc/cmpClient.md CMakeDoxyfile.in
 
+
+ifndef GENCMP_NO_SECUTILS
+
 # get CRLs #####################################################################
 
 creds/crls:
@@ -677,10 +707,14 @@ test: clean build_no_tls
 	$(MAKE) -C $(SECUTILS_DIR) -f Makefile_v1 clean_config
 	@$(MAKE) -f Makefile_v1 clean $(OUT_DIR_BIN) demo_Insta $(BUILD_FLAGS)
 
+endif # ndef GENCMP_NO_SECUTILS
+
 # doc and zip ##################################################################
 
 doc: doc_this get_submodules
+ifndef GENCMP_NO_SECUTILS
 	$(MAKE) -C $(SECUTILS_DIR) -f Makefile_v1 doc -s
+endif
 
 doc/$(OUT_DEV_DOC): doc/Generic_CMP_client_API.odt # to be done manually
 
@@ -714,8 +748,11 @@ zip:
 ## 'install' static libs to lib, headers to include, dynamic libs and bin to bin
 ################################################################
 
+
 # triggering build #############################################################
 
+ifndef GENCMP_NO_SECUTILS
+
 ROOTDIR=$(PWD)
 TAR=$(SECUTILS_DIR)/tar
 
@@ -757,6 +794,7 @@ clean_openssl:
 .phony: buildCMPforOpenSSL
 buildCMPforOpenSSL: openssl ${makeCMPforOpenSSL_trigger}
 
+endif # ndef GENCMP_NO_SECUTILS
 
 ################################################################
 # Debian packaging
@@ -770,10 +808,12 @@ deb: doc # just to make sure that transforming the doc files will work fine
 ifneq ($(INSTALL_DEB_PKGS),)
 deb: get_submodules
 ifeq ($(LPATH),)
-    ifneq ($(wildcard $(SECUTILS_DIR)),)
-        ifeq ($(shell dpkg -l | grep "ii  libsecutils "),)
-            $(MAKE) deb -C $(SECUTILS_DIR) -f Makefile_v1
-            sudo dpkg -i libsecutils{,-dev}_*.deb
+    ifndef GENCMP_NO_SECUTILS
+        ifneq ($(wildcard $(SECUTILS_DIR)),)
+            ifeq ($(shell dpkg -l | grep "ii  libsecutils "),)
+                $(MAKE) deb -C $(SECUTILS_DIR) -f Makefile_v1
+                sudo dpkg -i libsecutils{,-dev}_*.deb
+            endif
         endif
     endif
     ifdef USE_LIBCMP

README.md

@@ -79,7 +79,7 @@ The [CHANGELOG.md](CHANGELOG.md) contains a coarse release history.
 The Generic CMP client API specification and CLI documentation
 are available in the [`doc`](doc/) folder.
 
-The Doxygen documentation of the underlying Security Utilities library is available
+The Doxygen documentation of the Security Utilities library is available
 via a link in its [README file](https://github.com/siemens/libsecutils/blob/master/README.md).
 
 
@@ -102,6 +102,7 @@ The following OSS components are used.
 * OpenSSL development edition; curently supported versions include 3.0, 3.1, 3.2, 3.3, 3.4
   <!-- (formerly also versions 1.0.2, 1.1.0, and 1.1.1) -->
 * [Security Utilities (libsecutils)](https://github.com/siemens/libsecutils)
+  unless the environment variable `GENCMP_NO_SECUTILS` is defined.
 * [CMPforOpenSSL](https://github.com/mpeylo/cmpossl),
   a CMP+CRMF+HTTP extension to OpenSSL, needed when using OpenSSL 1.x
   or if the latest CMP features not yet available in OpenSSL are required,
@@ -233,8 +234,9 @@ make -f Makefile_v1 get_submodules
 ```
 
 This will fetch also the underlying
-[CMPforOpenSSL extension to OpenSSL](https://github.com/mpeylo/cmpossl) if needed and
-the [Security Utilities (libsecutils)](https://github.com/siemens/libsecutils) library.
+[CMPforOpenSSL extension to OpenSSL](https://github.com/mpeylo/cmpossl) and
+the [Security Utilities (libsecutils)](https://github.com/siemens/libsecutils)
+library if needed.
 
 For using the project as a git submodule,
 do for instance the following in the directory where you want to integrate it:
@@ -322,7 +324,7 @@ the following environment variables are inherited.
 to be integrity protected with an Integrity Check Value (ICV),
 which may be produced using `util/icvutil`.
 * Use of the UTA library can be enabled by setting `SECUTILS_USE_UTA`.
-* The TLS-related functions may be disabled by setting `SECUTILS_NO_TLS`.
+* The TLS-related functions may be disabled by setting `SECUTILS_NO_TLS` or `GENCMP_NO_TLS`.
 
 Since genCMPClient version 2, it is recommended to use CMake
 to produce the `Makefile`, for instance as follows:
@@ -517,9 +519,9 @@ for instance as given in the example outer [`Makefile.mk`](Makefile.mk).
 
 For compiling applications using the library,
 you will need to `#include` the header file [`genericCMPClient.h`](include/genericCMPClient.h)
-and add the directories [`include`](include/) and
-[`libsecutils/include`](
-https://github.com/siemens/libsecutils/blob/master/include/) to your C headers path.
+and add [`include`](include/) to your C headers path the directories.
+Unless `GENCMP_NO_SECUTILS` is set, also [`libsecutils/src/libsecutils/include`](
+https://github.com/siemens/libsecutils/blob/master/include/) needs to be added.
 When the intermediate library `libcmp` is used, you need to
 add also the directory [`cmpossl/include/cmp`](
 https://github.com/mpeylo/cmpossl/tree/cmp/include/cmp/),
@@ -565,5 +567,5 @@ LocalWords:  util icvutil NDEBUG DCMAKE ln usr libgencmp CC lssl lcmp
 LocalWords:  cmpClient src DESTDIR ROOTFS cmpclient tarball deb rpath
 LocalWords:  debhelper dh devscripts debuild dpkg ecparam FI cr lgencmp
 LocalWords:  genkey insta ref cmd newkey certout noout creds Wl ICV
-LocalWords:  genericCMPClient
+LocalWords:  genericCMPClient GENCMP
 -->