// Note that some host libraries have the same module name as the target
// libraries. This is currently needed to build, for example, adb. But it's
// probably something that should be changed.

// Package-wide defaults. A module in this file is private to the package
// unless it sets its own 'visibility', so every cross-package consumer of a
// BoringSSL variant has to be listed explicitly on that variant.
package {
    default_visibility: ["//visibility:private"],
    default_applicable_licenses: ["external_boringssl_license"],
}

// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'fileGroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// See: http://go/android-license-faq
license {
    name: "external_boringssl_license",
    // Referenced as the default license by the package block at the top of
    // this file; usable only from this package and its subpackages.
    visibility: [":__subpackages__"],
    // All license kinds recorded for the tree; they are not split per
    // directory or per target.
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "SPDX-license-identifier-BSD",
        "SPDX-license-identifier-ISC",
        "SPDX-license-identifier-MIT",
        "SPDX-license-identifier-OpenSSL",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}

// Pull in the autogenerated sources modules. The "*_sources" defaults
// referenced by modules below are not defined in this file; presumably they
// come from sources.bp, so that generated file decides which source files
// are compiled into each library - review it together with this file.
build = ["sources.bp"]

// Used by libcrypto, libssl, bssl tool, and native tests
cc_defaults {
    // This contains the common options between boringssl_flags and
    // boringssl_flags_baremetal. Nothing else should include this target
    // directly.
    name: "boringssl_flags_common",

    cflags: [
        // Symbols are hidden unless the source marks them for export, which
        // keeps internal functions out of the shared library's dynamic
        // symbol table.
        "-fvisibility=hidden",
        "-DBORINGSSL_SHARED_LIBRARY",
        "-DOPENSSL_SMALL",
        // Warnings are build failures; only unused parameters are tolerated.
        "-Werror",
        "-Wno-unused-parameter",
    ],

    cppflags: [
        "-Wall",
        "-Werror",
    ],

    // Build BoringSSL and its tests against the same STL.
    stl: "libc++_static",
}

// Flags for the regular (non-bare-metal) builds: the common flags plus
// BORINGSSL_ANDROID_SYSTEM. Also usable from vendor and product variants.
cc_defaults {
    name: "boringssl_flags",
    vendor_available: true,
    product_available: true,
    cflags: ["-DBORINGSSL_ANDROID_SYSTEM"],
    defaults: ["boringssl_flags_common"],
    sdk_version: "9",
}

// Flags for the bare-metal builds: the common flags plus
// BORINGSSL_NO_STATIC_INITIALIZER and ANDROID_BAREMETAL.
cc_defaults {
    name: "boringssl_flags_baremetal",
    cflags: [
        "-DBORINGSSL_NO_STATIC_INITIALIZER",
        "-DANDROID_BAREMETAL",
    ],
    defaults: ["boringssl_flags_common"],
    // com.android.virt is the only APEX listed; the platform itself is not.
    apex_available: [
        "com.android.virt",
    ],
}

// Used by libcrypto + libssl
// Adds src/include to the include path of the library and of everything that
// depends on it, and defines BORINGSSL_IMPLEMENTATION while building.
cc_defaults {
    name: "boringssl_defaults",

    local_include_dirs: ["src/include"],
    export_include_dirs: ["src/include"],
    cflags: ["-DBORINGSSL_IMPLEMENTATION"],
}

//// libcrypto, but not libcrypto_baremetal. libcrypto_baremetal is a single
//// target, so there is no need for a libcrypto_defaults_baremetal.
cc_defaults {
    name: "libcrypto_defaults",
    host_supported: true,
    ramdisk_available: true,
    vendor_ramdisk_available: true,

    target: {
        windows: {
            enabled: true,
            host_ldlibs: ["-lws2_32"],
        },
        host: {
            host_ldlibs: ["-lpthread"],
        },
        android: {
            // On FIPS builds (i.e. Android only) prevent other libraries
            // from pre-empting symbols in libcrypto which could affect FIPS
            // compliance and cause integrity checks to fail. See b/160231064.
            ldflags: ["-Wl,-Bsymbolic"],
        },
    },

    // NOTE(review): boringssl_flags_common sets stl: "libc++_static", and
    // the libcrypto modules list both defaults. Confirm that "none" is the
    // value Soong resolves for them.
    stl: "none",
}

// Boring Crypto Module object file.
// Common settings between bcm_object and bcm_object_for_testing.
cc_defaults {
    name: "bcm_object_defaults",
    device_supported: true,
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    // All sanitizer and fuzzer instrumentation is switched off for the
    // module object.
    // NOTE(review): presumably because instrumentation would interfere with
    // the FIPS integrity check referred to below - confirm. The consequence
    // is that this code gets no sanitizer coverage from sanitized builds.
    sanitize: {
        address: false,
        hwaddress: false,
        memtag_stack: false,
        memtag_globals: false,
        fuzzer: false,
    },
    target: {
        android: {
            cflags: [
                "-DBORINGSSL_FIPS",
                "-fPIC",
                // -fno-data-sections and -fno-function-sections are required
                // to ensure a single text and data section for the FIPS
                // integrity check.
                "-fno-data-sections",
                "-fno-function-sections",
            ],
            linker_script: "src/crypto/fipsmodule/fips_shared.lds",
        },
        // Temporary hack to let BoringSSL build with a new compiler.
        // This doesn't enable HWASAN unconditionally, it just causes
        // BoringSSL's asm code to unconditionally use a HWASAN-compatible
        // global variable reference so that the non-HWASANified (because of
        // sanitize: { hwaddress: false } above) code in the BCM can
        // successfully link against the HWASANified code in the rest of
        // BoringSSL in HWASAN builds.
        android_arm64: {
            asflags: [
                "-fsanitize=hwaddress",
            ],
        },
    },
    min_sdk_version: "29",
}

// The module object that libcrypto links in through its 'srcs'.
// The apex_available list below is identical to libcrypto's; the two should
// be edited together.
cc_object {
    name: "bcm_object",
    recovery_available: true,
    native_bridge_supported: true,
    defaults: [
        "bcm_object_defaults",
    ],
    apex_available: [
        "//apex_available:platform",
        "com.android.adbd",
        "com.android.adservices",
        "com.android.art",
        "com.android.art.debug",
        "com.android.art.testing",
        "com.android.btservices",
        "com.android.compos",
        "com.android.conscrypt",
        "com.android.extservices",
        "com.android.resolv",
        "com.android.virt",
    ],
}

// Version of bcm_object built with BORINGSSL_FIPS_BREAK_TESTS defined.
// Only for use with the FIPS break-tests.sh script.
cc_object {
    name: "bcm_object_for_testing",
    // Restricted to this package so that no other package can link the
    // break-test build of the module. No apex_available is set either.
    visibility: [
        "//external/boringssl",
    ],
    defaults: [
        "bcm_object_defaults",
    ],
    target: {
        android: {
            cflags: ["-DBORINGSSL_FIPS_BREAK_TESTS"],
        },
    },
}

// Go package built from src/util/ar; a dependency of bssl_inject_hash below.
bootstrap_go_package {
    name: "bssl_ar",
    pkgPath: "boringssl.googlesource.com/boringssl/util/ar",
    srcs: [
        "src/util/ar/ar.go",
    ],
    testSrcs: [
        "src/util/ar/ar_test.go",
    ],
}

// Go package built from src/util/fipstools/fipscommon; a dependency of
// bssl_inject_hash below.
bootstrap_go_package {
    name: "bssl_fipscommon",
    pkgPath: "boringssl.googlesource.com/boringssl/util/fipstools/fipscommon",
    srcs: [
        "src/util/fipstools/fipscommon/const.go",
    ],
}

// Build-time Go tool from src/util/fipstools/inject_hash.
// NOTE(review): presumably the tool behind 'inject_bssl_hash: true' on the
// libcrypto modules below - confirm against the Soong rule. If so, it is part
// of the trusted build path for the module integrity check.
blueprint_go_binary {
    name: "bssl_inject_hash",
    srcs: [
        "src/util/fipstools/inject_hash/inject_hash.go",
    ],
    deps: [
        "bssl_ar",
        "bssl_fipscommon",
    ],
}

// Target and host library.
// Any changes here must also be reflected in libcrypto_for_testing below.
cc_library {
    name: "libcrypto",
    visibility: ["//visibility:public"],
    vendor_available: true,
    product_available: true,
    native_bridge_supported: true,
    vndk: {
        enabled: true,
    },
    double_loadable: true,
    recovery_available: true,
    defaults: [
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    unique_host_soname: true,
    // The module code is compiled separately as bcm_object and linked in as
    // an object file.
    srcs: [
        ":bcm_object",
    ],
    target: {
        // BORINGSSL_FIPS is defined for Android targets only; host builds of
        // libcrypto do not get it from this file.
        android: {
            cflags: [
                "-DBORINGSSL_FIPS",
            ],
            sanitize: {
                // Disable address sanitizing otherwise libcrypto will not report
                // itself as being in FIPS mode, which causes boringssl_self_test
                // to fail.
                address: false,
            },
            // NOTE(review): presumably runs the bssl_inject_hash tool defined
            // above on the built library - confirm against the Soong rule.
            inject_bssl_hash: true,
            static: {
                // Disable the static version of libcrypto, as it causes
                // problems for FIPS certification.  Use libcrypto_static for
                // modules that need static libcrypto but do not need FIPS self
                // testing, or use dynamic libcrypto.
                enabled: false,
            },
        },
    },
    // Identical to the list on bcm_object; edit both together.
    apex_available: [
        "//apex_available:platform",
        "com.android.adbd",
        "com.android.adservices",
        "com.android.art",
        "com.android.art.debug",
        "com.android.art.testing",
        "com.android.btservices",
        "com.android.compos",
        "com.android.conscrypt",
        "com.android.extservices",
        "com.android.resolv",
        "com.android.virt",
    ],
    min_sdk_version: "29",
    afdo: true,
}

// Version of libcrypto built with BORINGSSL_FIPS_BREAK_TESTS defined.
// Only for use with the FIPS break-tests.sh script.
// Must be kept in sync with libcrypto.
cc_library {
    name: "libcrypto_for_testing",
    // Restricted to this package; unlike libcrypto it sets no
    // apex_available and no vendor/product/recovery availability.
    visibility: [
        "//external/boringssl",
    ],
    defaults: [
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    unique_host_soname: true,
    // Links the break-test build of the module object, not bcm_object.
    srcs: [
        ":bcm_object_for_testing",
    ],
    target: {
        android: {
            cflags: [
                "-DBORINGSSL_FIPS",
                "-DBORINGSSL_FIPS_BREAK_TESTS",
            ],
            sanitize: {
                // Disable address sanitizing otherwise libcrypto will not report
                // itself as being in FIPS mode, which causes boringssl_self_test
                // to fail.
                address: false,
            },
            inject_bssl_hash: true,
            static: {
                // Disable the static version of libcrypto, as it causes
                // problems for FIPS certification.  Use libcrypto_static for
                // modules that need static libcrypto but do not need FIPS self
                // testing, or use dynamic libcrypto.
                enabled: false,
            },
        },
    },
    min_sdk_version: "29",
}

// Static library
// This version of libcrypto will not have FIPS self tests enabled, so its
// usage is protected through visibility to ensure it doesn't end up used
// somewhere that needs the FIPS version.
cc_library_static {
    name: "libcrypto_static",
    // Allowlist of packages that may link the non-FIPS static build. Adding
    // an entry here is a decision that the new consumer does not need the
    // FIPS version, so review additions with that in mind.
    visibility: [
        "//art/build/sdk",
        "//bootable/recovery/updater",
        "//external/conscrypt",
        "//external/python/cpython2",
        "//external/rust/crates/quiche",
        // Strictly, only the *static* toybox for legacy devices should have
        // access to libcrypto_static, but we can't express that.
        "//external/toybox",
        "//hardware/interfaces/confirmationui/1.0/vts/functional",
        "//hardware/interfaces/drm/1.0/vts/functional",
        "//hardware/interfaces/drm/1.2/vts/functional",
        "//hardware/interfaces/drm/1.3/vts/functional",
        "//hardware/interfaces/keymaster/3.0/vts/functional",
        "//hardware/interfaces/keymaster/4.0/vts/functional",
        "//hardware/interfaces/keymaster/4.1/vts/functional",
        "//packages/modules/adb",
        "//packages/modules/AdServices:__subpackages__",
        "//packages/modules/DnsResolver/tests:__subpackages__",
        "//packages/modules/NeuralNetworks:__subpackages__",
        "//system/core/init",
        "//system/core/fs_mgr/liblp",
        "//system/core/fs_mgr/liblp/vts_core",
        "//system/core/fs_mgr/libsnapshot",
        "//system/libvintf/test",
        "//system/security/keystore/tests",
        "//system/security/provisioner",
        "//test/vts-testcase/security/avb",
    ],
    min_sdk_version: "29",
    apex_available: [
        "//apex_available:platform",
        "com.android.adservices",
        "com.android.extservices",
        "com.android.neuralnetworks",
    ],
    // Unlike libcrypto, the module sources (libcrypto_bcm_sources) are
    // compiled in directly rather than through :bcm_object, and nothing in
    // this file defines BORINGSSL_FIPS for this target.
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
}

// Static library for use in bare-metal environments
// It does not use libcrypto_defaults and compiles the module sources
// (libcrypto_bcm_sources) directly; nothing in this file defines
// BORINGSSL_FIPS for it.
cc_library_static {
    name: "libcrypto_baremetal",
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_sources",
        "boringssl_defaults",
        "boringssl_flags_baremetal",
    ],
    // Allowlist of the packages that may link the bare-metal build.
    visibility: [
        "//external/avb:__subpackages__",
        "//external/open-dice",
        "//packages/modules/Virtualization:__subpackages__",
        "//system/security/diced/open_dice",
    ],
}

// Common defaults for lib*_fuzz_unsafe. These are unsafe and deterministic
// libraries for testing and fuzzing only. See src/FUZZING.md.
cc_defaults {
    name: "boringssl_fuzz_unsafe_defaults",
    host_supported: true,
    // These two macros are what make the build unsafe and deterministic; a
    // library compiled with them must never back real cryptographic
    // operations.
    cflags: [
        "-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE",
        "-DBORINGSSL_UNSAFE_FUZZER_MODE",
    ],
    // The binder tests are the only consumers allowed outside this package.
    // This list is the guard that keeps the unsafe variants out of non-test
    // code, so widen it only for test or fuzz targets.
    visibility: [
        "//frameworks/native/libs/binder/tests:__subpackages__",
    ],
}

// Unsafe and deterministic version of libcrypto. For testing and fuzzing only.
// See src/FUZZING.md.
cc_test_library {
    name: "libcrypto_fuzz_unsafe",
    // Set to false here although libcrypto_defaults sets both to true.
    ramdisk_available: false,
    vendor_ramdisk_available: false,
    // boringssl_fuzz_unsafe_defaults supplies the unsafe macros and the
    // restricted visibility.
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
        "boringssl_fuzz_unsafe_defaults",
    ],
}

//// libssl

// Target static library

// Static and Shared library
// Publicly visible; always links the shared libcrypto.
cc_library {
    name: "libssl",
    visibility: ["//visibility:public"],
    recovery_available: true,
    vendor_available: true,
    product_available: true,
    native_bridge_supported: true,
    vndk: {
        enabled: true,
    },
    host_supported: true,
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    target: {
        windows: {
            enabled: true,
        },
    },
    unique_host_soname: true,

    shared_libs: ["libcrypto"],

    // A shorter list than libcrypto's apex_available.
    apex_available: [
        "//apex_available:platform",
        "com.android.btservices",
        "com.android.adbd",
        "com.android.conscrypt",
        "com.android.resolv",
        "com.android.virt",
    ],
    min_sdk_version: "29",
}

// Bare-metal static libssl, linked against libcrypto_baremetal. No
// visibility is set, so the package default (private) applies.
cc_library_static {
    name: "libssl_baremetal",
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags_baremetal",
    ],
    static_libs: ["libcrypto_baremetal"],
}

// Host-only static libssl, linked against libcrypto_static (the build
// without FIPS self tests). No visibility is set, so the package default
// (private) applies.
cc_library_host_static {
    name: "libssl_static",
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    static_libs: ["libcrypto_static"],
}

// Unsafe and deterministic version of libssl. For testing and fuzzing only.
// See src/FUZZING.md.
cc_test_library {
    name: "libssl_fuzz_unsafe",
    host_supported: true,
    // boringssl_fuzz_unsafe_defaults supplies the unsafe macros and the
    // restricted visibility.
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags",
        "boringssl_fuzz_unsafe_defaults",
    ],
    // Pairs with the unsafe libcrypto build, not the regular libcrypto.
    static_libs: [
        "libcrypto_fuzz_unsafe",
    ],
}

// Tool
// The bssl binary, linked against the shared libcrypto and libssl.
cc_binary {
    name: "bssl",
    host_supported: true,
    defaults: [
        "bssl_sources",
        "boringssl_flags",
    ],

    shared_libs: [
        "libcrypto",
        "libssl",
    ],
    target: {
        // Not built for darwin hosts.
        darwin: {
            enabled: false,
        },
        android: {
            compile_multilib: "both",
        },
    },
    // The 32-bit binary gets a "32" suffix.
    multilib: {
        lib32: {
            suffix: "32",
        },
    },
}

// Used for ACVP testing for FIPS certification.
// Not installed on devices by default.
cc_binary {
    name: "acvp_modulewrapper",
    srcs: [
        "src/util/fipstools/acvp/modulewrapper/main.cc",
    ],
    // Disabled for the Android x86 and x86_64 targets.
    target: {
        android_x86: {
            enabled: false,
        },
        android_x86_64: {
            enabled: false,
        },
    },
    // Installed as "modulewrapper" (with a "32" suffix for the 32-bit build).
    stem: "modulewrapper",
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
    },

    static_libs: [
        "libacvp_modulewrapper",
    ],
    // Runs against the shared libcrypto.
    shared_libs: [
        "libcrypto",
    ],

    defaults: [
        "boringssl_flags",
    ],
}

// ACVP wrapper implementation shared between Android and Trusty
cc_library_static {
    name: "libacvp_modulewrapper",
    host_supported: true,
    vendor_available: true,
    srcs: [
        "src/util/fipstools/acvp/modulewrapper/modulewrapper.cc",
    ],
    target: {
        android: {
            compile_multilib: "both",
        },
    },
    export_include_dirs: ["src/util/fipstools/acvp/modulewrapper/"],
    shared_libs: [
        "libcrypto",
    ],

    defaults: [
        "boringssl_flags",
    ],

    // The Trusty ACVP utility is the only consumer outside this package.
    visibility: ["//system/core/trusty/utils/acvp"],
}

// Test support library
// Pulled into both native tests below through whole_static_libs.
cc_test_library {
    name: "boringssl_test_support",
    host_supported: true,
    defaults: [
        "boringssl_test_support_sources",
        "boringssl_flags",
    ],

    shared_libs: [
        "libcrypto",
    ],
}

// Tests
// Device-only libcrypto tests, built for both ABIs with "32"/"64" suffixes.
cc_test {
    name: "boringssl_crypto_test",
    test_config: "CryptoNativeTests.xml",
    host_supported: false,
    vendor_available: false,
    product_available: false,
    per_testcase_directory: true,
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
        lib64: {
            suffix: "64",
        },
    },
    defaults: [
        "boringssl_crypto_test_sources",
        "boringssl_flags",
    ],
    whole_static_libs: ["boringssl_test_support"],
    // Statically link the library to test to ensure we always pick up the
    // correct version regardless of device linker configuration.
    // NOTE(review): the library linked here is libcrypto_static, which per
    // its own comment does not have FIPS self tests enabled; this test does
    // not exercise the FIPS-enabled shared libcrypto.
    static_libs: [
        "libcrypto_static",
        "libgmock_ndk",
    ],
    target: {
        android: {
            test_suites: ["mts-conscrypt"],
        },
    },
}

// Device-only libssl tests, built for both ABIs with "32"/"64" suffixes.
cc_test {
    name: "boringssl_ssl_test",
    test_config: "SslNativeTests.xml",
    host_supported: false,
    vendor_available: false,
    product_available: false,
    per_testcase_directory: true,
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
        lib64: {
            suffix: "64",
        },
    },
    defaults: [
        "boringssl_ssl_test_sources",
        "boringssl_flags",
    ],
    whole_static_libs: ["boringssl_test_support"],
    // Statically link the libraries to test to ensure we always pick up the
    // correct version regardless of device linker configuration.
    // NOTE(review): libcrypto_static is the build without FIPS self tests
    // (see its comment); libssl is taken from the libssl module's static
    // variant.
    static_libs: [
        "libcrypto_static",
        "libgmock_ndk",
        "libssl",
    ],
    target: {
        android: {
            test_suites: ["mts-conscrypt"],
        },
    },
}

// Utility binary for CMVP on-site testing.
cc_binary {
    name: "test_fips",
    host_supported: false,
    compile_multilib: "both",
    // The 32-bit binary gets a "32" suffix; the 64-bit binary has none.
    multilib: {
        lib32: {
            suffix: "32",
        },
        lib64: {
            suffix: "",
        },
    },
    defaults: [
        "boringssl_flags",
    ],
    shared_libs: [
        "libcrypto",
    ],
    srcs: [
        "src/util/fipstools/test_fips.c",
    ],
    // Installing test_fips also installs these modules. One of them is
    // libcrypto_for_testing, the BORINGSSL_FIPS_BREAK_TESTS build, so
    // test_fips should only be added to images meant for FIPS testing.
    required: [
        "adb",
        "libcrypto_for_testing",
    ],
}

// bindgen flags shared by libbssl_sys_raw and libbssl_sys_raw_nostd.
libbssl_sys_raw_flags = [
    // Adapted from the upstream src/rust/CMakeLists.txt file at:
    // https://boringssl.googlesource.com/boringssl/+/refs/heads/master/rust/CMakeLists.txt
    "--no-derive-default",
    "--enable-function-attribute-detection",
    "--use-core",
    "--default-macro-constant-type=signed",
    "--rustified-enum=point_conversion_form_t",
    // The two allowlist patterns limit the generated bindings to
    // declarations from headers under include/openssl/ and from
    // rust_wrapper.h.
    // These regexes use [[:punct:]] instead of / to handle Windows file paths.
    // Ideally we would write [/\\], but escaping rules are complex, and often
    // ill-defined, in some build systems, so align on [[:punct:]].
    "--allowlist-file=.*[[:punct:]]include[[:punct:]]openssl[[:punct:]].*\\.h",
    "--allowlist-file=.*[[:punct:]]rust_wrapper\\.h",
]

// Rust bindings
// Raw bindgen output for wrapper.h. No visibility is set, so it is private
// to this package; libbssl_sys_defaults below depends on it.
rust_bindgen {
    name: "libbssl_sys_raw",
    source_stem: "bindings",
    crate_name: "bssl_sys_raw",
    host_supported: true,
    wrapper_src: "src/rust/bssl-sys/wrapper.h",
    vendor_available: true,
    product_available: true,
    bindgen_flags: libbssl_sys_raw_flags,
    shared_libs: [
        "libcrypto",
        "libssl",
    ],
    apex_available: [
        "//apex_available:platform",
        "com.android.virt",
    ],
}

// no_std variant of the raw bindings, generated against the bare-metal
// libraries' headers. Private to this package.
rust_bindgen {
    name: "libbssl_sys_raw_nostd",
    source_stem: "bindings",
    crate_name: "bssl_sys_raw",
    wrapper_src: "src/rust/bssl-sys/wrapper.h",
    // Same flags as libbssl_sys_raw, plus a '#![no_std]' line in the
    // generated file and core::ffi as the C type prefix.
    bindgen_flags: [
        "--raw-line=#![no_std]",
        "--ctypes-prefix=core::ffi",
    ] + libbssl_sys_raw_flags,
    header_libs: [
        "libcrypto_baremetal",
        "libssl_baremetal",
    ],
    apex_available: [
        "com.android.virt",
    ],
}

// Encapsulate the bindgen-generated layout tests as a test target.
rust_test {
    name: "libbssl_sys_raw_test",
    srcs: [
        ":libbssl_sys_raw",
    ],
    crate_name: "bssl_sys_raw_test",
    test_suites: ["general-tests"],
    auto_gen_config: true,
    // Lints are off because the source is generated code.
    clippy_lints: "none",
    lints: "none",
}

// Rust's bindgen doesn't cope with macros, so this target includes C functions that
// do the same thing as macros defined in BoringSSL header files.
// This variant builds against the shared libcrypto and libssl.
cc_library_static {
    name: "libbssl_rust_support",
    host_supported: true,
    defaults: ["boringssl_flags"],
    srcs: ["src/rust/bssl-sys/rust_wrapper.c"],
    shared_libs: [
        "libcrypto",
        "libssl",
    ],
    apex_available: [
        "//apex_available:platform",
        "com.android.virt",
    ],
}

// Bare-metal build of rust_wrapper.c, linked against the bare-metal
// libcrypto and libssl.
cc_library_static {
    name: "libbssl_rust_support_baremetal",
    defaults: ["boringssl_flags_baremetal"],
    srcs: ["src/rust/bssl-sys/rust_wrapper.c"],
    static_libs: [
        "libcrypto_baremetal",
        "libssl_baremetal",
    ],
}

// Host-only build of rust_wrapper.c that bundles libcrypto_static and
// libssl_static (the builds without FIPS self tests) via whole_static_libs.
cc_library_host_static {
    name: "libbssl_rust_support_static",
    defaults: ["boringssl_flags"],
    srcs: ["src/rust/bssl-sys/rust_wrapper.c"],
    whole_static_libs: [
        "libcrypto_static",
        "libssl_static",
    ],
}

// Replace the upstream CMake placeholder with a re-export of all of the local bindgen output.
// NOTE(review): sed exits successfully even when nothing matches, so if the
// upstream placeholder line ever changes, lib.rs is passed through
// unmodified and the mismatch only shows up later, when the crate is
// compiled - confirm that it fails loudly there.
genrule {
    name: "libbssl_sys_src",
    srcs: ["src/rust/bssl-sys/src/lib.rs"],
    out: ["lib.rs"],
    cmd: "sed 's@^include!(env!(\"BINDGEN_RS_FILE\"));@pub use bssl_sys_raw::*;@' $(in) > $(out)",
}

// Shared settings for the bssl_sys crate variants (libbssl_sys and
// libbssl_sys_static).
rust_defaults {
    name: "libbssl_sys_defaults",
    host_supported: true,
    crate_name: "bssl_sys",
    // Allowlist of packages that may use the low-level bindings directly.
    visibility: [
        "//external/rust/crates/openssl",
        "//system/keymint/boringssl",
        "//system/security/prng_seeder",
    ],
    // Use the modified source with placeholder replaced.
    srcs: [":libbssl_sys_src"],
    vendor_available: true,
    product_available: true,
    // Since libbssl_sys_raw is not publicly visible, we can't accidentally
    // force a double-link by linking statically, so do so.
    rlibs: ["libbssl_sys_raw"],
}

// The bssl_sys crate for device and host, bundling libbssl_rust_support
// (which builds against the shared libcrypto and libssl).
rust_library {
    name: "libbssl_sys",
    defaults: ["libbssl_sys_defaults"],
    whole_static_libs: [
        "libbssl_rust_support",
    ],
    apex_available: [
        "//apex_available:platform",
        "com.android.virt",
    ],
}

// Host-only rlib of the bssl_sys crate, bundling
// libbssl_rust_support_static and, through it, the static non-FIPS
// libcrypto and libssl.
rust_library_host_rlib {
    name: "libbssl_sys_static",
    defaults: ["libbssl_sys_defaults"],
    whole_static_libs: [
        "libbssl_rust_support_static",
    ],
}

// Prepend '#![no_std]' to the lib.rs produced by libbssl_sys_src.
genrule {
    name: "libbssl_sys_src_nostd",
    srcs: [":libbssl_sys_src"],
    out: ["lib.rs"],
    cmd: "(echo '#![no_std]' && cat $(in)) > $(out)",
}

// no_std rlib of the bssl_sys crate for bare-metal use, built on the
// bare-metal bindings and support library.
rust_library_rlib {
    name: "libbssl_sys_nostd",
    crate_name: "bssl_sys",
    // Only the Virtualization module tree may depend on this variant.
    visibility: [
        "//packages/modules/Virtualization:__subpackages__",
    ],
    srcs: [":libbssl_sys_src_nostd"],
    rlibs: ["libbssl_sys_raw_nostd"],
    prefer_rlib: true,
    // The default standard libraries are dropped; only compiler_builtins
    // and core are linked.
    no_stdlibs: true,
    stdlibs: [
        "libcompiler_builtins.rust_sysroot",
        "libcore.rust_sysroot",
    ],
    whole_static_libs: [
        "libbssl_rust_support_baremetal",
    ],
}

// High-level Rust crate `bssl-crypto`

// Shared settings for the bssl_crypto library and its test; both build
// src/rust/bssl-crypto/src/lib.rs on top of libbssl_sys.
rust_defaults {
    name: "libbssl_crypto_defaults",
    crate_name: "bssl_crypto",
    srcs: ["src/rust/bssl-crypto/src/lib.rs"],
    rustlibs: ["libbssl_sys"],
}

// The bssl_crypto crate for device and host.
rust_library {
    name: "libbssl_crypto",
    defaults: ["libbssl_crypto_defaults"],
    host_supported: true,
    apex_available: [
        "//apex_available:platform",
        "com.android.virt",
    ],
    // A single package outside this one is allowed to depend on the crate.
    visibility: [
        "//external/rust/beto-rust/nearby",
    ],
    vendor_available: true,
    product_available: true,
}

// Tests for the bssl_crypto crate, built from the same lib.rs as
// libbssl_crypto through the shared defaults.
rust_test {
    name: "libbssl_crypto_test",
    defaults: ["libbssl_crypto_defaults"],
    crate_name: "bssl_crypto_test",
    test_suites: ["general-tests"],
    auto_gen_config: true,
}
