| // Note that some host libraries have the same module name as the target |
| // libraries. This is currently needed to build, for example, adb. But it's |
| // probably something that should be changed. |
| |
| package { |
| default_visibility: ["//visibility:private"], |
| default_applicable_licenses: ["external_boringssl_license"], |
| } |
| |
| // Added automatically by a large-scale-change that took the approach of |
| // 'apply every license found to every target'. While this makes sure we respect |
| // every license restriction, it may not be entirely correct. |
| // |
| // e.g. GPL in an MIT project might only apply to the contrib/ directory. |
| // |
| // Please consider splitting the single license below into multiple licenses, |
| // taking care not to lose any license_kind information, and overriding the |
| // default license using the 'licenses: [...]' property on targets as needed. |
| // |
| // For unused files, consider creating a 'fileGroup' with "//visibility:private" |
| // to attach the license to, and including a comment whether the files may be |
| // used in the current project. |
| // See: http://go/android-license-faq |
| license { |
| name: "external_boringssl_license", |
| visibility: [":__subpackages__"], |
| license_kinds: [ |
| "SPDX-license-identifier-Apache-2.0", |
| "SPDX-license-identifier-BSD", |
| "SPDX-license-identifier-ISC", |
| "SPDX-license-identifier-MIT", |
| "SPDX-license-identifier-OpenSSL", |
| "legacy_unencumbered", |
| ], |
| license_text: [ |
| "NOTICE", |
| ], |
| } |
| |
| // Pull in the autogenerated sources modules |
| build = ["sources.bp"] |
| |
| // Used by libcrypto, libssl, bssl tool, and native tests |
| cc_defaults { |
| name: "boringssl_flags", |
| vendor_available: true, |
| product_available: true, |
| |
| cflags: [ |
| "-fvisibility=hidden", |
| "-DBORINGSSL_SHARED_LIBRARY", |
| "-DBORINGSSL_ANDROID_SYSTEM", |
| "-DOPENSSL_SMALL", |
| "-Werror", |
| "-Wno-unused-parameter", |
| ], |
| |
| cppflags: [ |
| "-Wall", |
| "-Werror", |
| ], |
| |
| // Build BoringSSL and its tests against the same STL. |
| sdk_version: "9", |
| target: { |
| android: { |
| stl: "libc++_static", |
| }, |
| }, |
| } |
| |
| // Used by libcrypto + libssl |
| cc_defaults { |
| name: "boringssl_defaults", |
| |
| local_include_dirs: ["src/include"], |
| export_include_dirs: ["src/include"], |
| cflags: ["-DBORINGSSL_IMPLEMENTATION"], |
| } |
| |
| //// libcrypto |
| cc_defaults { |
| name: "libcrypto_defaults", |
| host_supported: true, |
| ramdisk_available: true, |
| vendor_ramdisk_available: true, |
| |
| // Windows and Macs both have problems with assembly files |
| target: { |
| windows: { |
| enabled: true, |
| cflags: ["-DOPENSSL_NO_ASM"], |
| host_ldlibs: ["-lws2_32"], |
| }, |
| darwin: { |
| cflags: ["-DOPENSSL_NO_ASM"], |
| }, |
| host: { |
| host_ldlibs: ["-lpthread"], |
| }, |
| android: { |
| // On FIPS builds (i.e. Android only) prevent other libraries |
| // from pre-empting symbols in libcrypto which could affect FIPS |
| // compliance and cause integrity checks to fail. See b/160231064. |
| ldflags: ["-Wl,-Bsymbolic"], |
| }, |
| }, |
| |
| local_include_dirs: ["src/crypto"], |
| } |
| |
| cc_object { |
| name: "bcm_object", |
| device_supported: true, |
| recovery_available: true, |
| native_bridge_supported: true, |
| defaults: [ |
| "libcrypto_bcm_sources", |
| "libcrypto_defaults", |
| "boringssl_defaults", |
| "boringssl_flags", |
| ], |
| sanitize: { |
| address: false, |
| hwaddress: false, |
| fuzzer: false, |
| }, |
| target: { |
| android: { |
| cflags: [ |
| "-DBORINGSSL_FIPS", |
| "-fPIC", |
| // -fno[data|text]-sections required to ensure a |
| // single text and data section for FIPS integrity check |
| "-fno-data-sections", |
| "-fno-function-sections", |
| ], |
| linker_script: "src/crypto/fipsmodule/fips_shared.lds", |
| }, |
| // Temporary hack to let BoringSSL build with a new compiler. |
| // This doesn't enable HWASAN unconditionally, it just causes |
| // BoringSSL's asm code to unconditionally use a HWASAN-compatible |
| // global variable reference so that the non-HWASANified (because of |
| // sanitize: { hwaddress: false } above) code in the BCM can |
| // successfully link against the HWASANified code in the rest of |
| // BoringSSL in HWASAN builds. |
| android_arm64: { |
| asflags: [ |
| "-fsanitize=hwaddress", |
| ], |
| }, |
| }, |
| apex_available: [ |
| "//apex_available:platform", |
| "com.android.adbd", |
| "com.android.art", |
| "com.android.art.debug", |
| "com.android.art.testing", |
| "com.android.bluetooth", |
| "com.android.compos", |
| "com.android.conscrypt", |
| "com.android.resolv", |
| "com.android.virt", |
| ], |
| min_sdk_version: "29", |
| } |
| |
| bootstrap_go_package { |
| name: "bssl_ar", |
| pkgPath: "boringssl.googlesource.com/boringssl/util/ar", |
| srcs: [ |
| "src/util/ar/ar.go", |
| ], |
| testSrcs: [ |
| "src/util/ar/ar_test.go", |
| ], |
| } |
| |
| bootstrap_go_package { |
| name: "bssl_fipscommon", |
| pkgPath: "boringssl.googlesource.com/boringssl/util/fipstools/fipscommon", |
| srcs: [ |
| "src/util/fipstools/fipscommon/const.go", |
| ], |
| } |
| |
| blueprint_go_binary { |
| name: "bssl_inject_hash", |
| srcs: [ |
| "src/util/fipstools/inject_hash/inject_hash.go", |
| ], |
| deps: [ |
| "bssl_ar", |
| "bssl_fipscommon", |
| ], |
| } |
| |
| // Target and host library |
| cc_library { |
| name: "libcrypto", |
| visibility: ["//visibility:public"], |
| vendor_available: true, |
| product_available: true, |
| native_bridge_supported: true, |
| vndk: { |
| enabled: true, |
| }, |
| double_loadable: true, |
| recovery_available: true, |
| defaults: [ |
| "libcrypto_sources", |
| "libcrypto_defaults", |
| "boringssl_defaults", |
| "boringssl_flags", |
| ], |
| unique_host_soname: true, |
| srcs: [ |
| ":bcm_object", |
| ], |
| target: { |
| android: { |
| cflags: [ |
| "-DBORINGSSL_FIPS", |
| ], |
| sanitize: { |
| // Disable address sanitizing otherwise libcrypto will not report |
| // itself as being in FIPS mode, which causes boringssl_self_test |
| // to fail. |
| address: false, |
| }, |
| inject_bssl_hash: true, |
| static: { |
| // Disable the static version of libcrypto, as it causes |
| // problems for FIPS certification. Use libcrypto_static for |
| // modules that need static libcrypto but do not need FIPS self |
| // testing, or use dynamic libcrypto. |
| enabled: false, |
| }, |
| }, |
| }, |
| apex_available: [ |
| "//apex_available:platform", |
| "com.android.adbd", |
| "com.android.art", |
| "com.android.art.debug", |
| "com.android.art.testing", |
| "com.android.bluetooth", |
| "com.android.compos", |
| "com.android.conscrypt", |
| "com.android.resolv", |
| "com.android.virt", |
| ], |
| min_sdk_version: "29", |
| } |
| |
| // Static library |
| // This version of libcrypto will not have FIPS self tests enabled, so its |
| // usage is protected through visibility to ensure it doesn't end up used |
| // somewhere that needs the FIPS version. |
| cc_library_static { |
| name: "libcrypto_static", |
| visibility: [ |
| "//art/build/sdk", |
| "//bootable/recovery/updater", |
| "//external/conscrypt", |
| "//external/python/cpython2", |
| "//external/rust/crates/quiche", |
| // Strictly, only the *static* toybox for legacy devices should have |
| // access to libcrypto_static, but we can't express that. |
| "//external/toybox", |
| "//hardware/interfaces/confirmationui/1.0/vts/functional", |
| "//hardware/interfaces/drm/1.0/vts/functional", |
| "//hardware/interfaces/drm/1.2/vts/functional", |
| "//hardware/interfaces/drm/1.3/vts/functional", |
| "//hardware/interfaces/keymaster/3.0/vts/functional", |
| "//hardware/interfaces/keymaster/4.0/vts/functional", |
| "//hardware/interfaces/keymaster/4.1/vts/functional", |
| "//packages/modules/adb", |
| "//packages/modules/DnsResolver/tests:__subpackages__", |
| "//packages/modules/NeuralNetworks:__subpackages__", |
| "//system/core/init", |
| "//system/core/fs_mgr/liblp", |
| "//system/core/fs_mgr/liblp/vts_core", |
| "//system/core/fs_mgr/libsnapshot", |
| "//system/libvintf/test", |
| "//system/security/keystore/tests", |
| "//test/vts-testcase/security/avb", |
| ], |
| min_sdk_version: "29", |
| apex_available: [ |
| "//apex_available:platform", |
| "com.android.neuralnetworks", |
| ], |
| defaults: [ |
| "libcrypto_bcm_sources", |
| "libcrypto_sources", |
| "libcrypto_defaults", |
| "boringssl_defaults", |
| "boringssl_flags", |
| ], |
| } |
| |
| // Common defaults for lib*_fuzz_unsafe. These are unsafe and deterministic |
| // libraries for testing and fuzzing only. See src/FUZZING.md. |
| cc_defaults { |
| name: "boringssl_fuzz_unsafe_defaults", |
| host_supported: true, |
| cflags: [ |
| "-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE", |
| "-DBORINGSSL_UNSAFE_FUZZER_MODE", |
| ], |
| visibility: [ |
| "//frameworks/native/libs/binder/tests:__subpackages__", |
| ], |
| } |
| |
| // Unsafe and deterministic version of libcrypto. For testing and fuzzing only. |
| // See src/FUZZING.md. |
| cc_test_library { |
| name: "libcrypto_fuzz_unsafe", |
| ramdisk_available: false, |
| vendor_ramdisk_available: false, |
| defaults: [ |
| "libcrypto_bcm_sources", |
| "libcrypto_sources", |
| "libcrypto_defaults", |
| "boringssl_defaults", |
| "boringssl_flags", |
| "boringssl_fuzz_unsafe_defaults", |
| ], |
| } |
| |
| //// libssl |
| |
| // Target static library |
| |
| // Static and Shared library |
| cc_library { |
| name: "libssl", |
| visibility: ["//visibility:public"], |
| recovery_available: true, |
| vendor_available: true, |
| product_available: true, |
| native_bridge_supported: true, |
| vndk: { |
| enabled: true, |
| }, |
| host_supported: true, |
| defaults: [ |
| "libssl_sources", |
| "boringssl_defaults", |
| "boringssl_flags", |
| ], |
| target: { |
| windows: { |
| enabled: true, |
| }, |
| }, |
| unique_host_soname: true, |
| |
| shared_libs: ["libcrypto"], |
| |
| apex_available: [ |
| "//apex_available:platform", |
| "com.android.bluetooth", |
| "com.android.adbd", |
| "com.android.conscrypt", |
| "com.android.resolv", |
| "com.android.virt", |
| ], |
| min_sdk_version: "29", |
| } |
| |
| // Unsafe and deterministic version of libssl. For testing and fuzzing only. |
| // See src/FUZZING.md. |
| cc_test_library { |
| name: "libssl_fuzz_unsafe", |
| host_supported: true, |
| defaults: [ |
| "libssl_sources", |
| "boringssl_defaults", |
| "boringssl_flags", |
| "boringssl_fuzz_unsafe_defaults", |
| ], |
| static_libs: [ |
| "libcrypto_fuzz_unsafe", |
| ], |
| } |
| |
| // Tool |
| cc_binary { |
| name: "bssl", |
| host_supported: true, |
| defaults: [ |
| "bssl_sources", |
| "boringssl_flags", |
| ], |
| |
| shared_libs: [ |
| "libcrypto", |
| "libssl", |
| ], |
| target: { |
| darwin: { |
| enabled: false, |
| }, |
| android: { |
| compile_multilib: "both", |
| }, |
| }, |
| multilib: { |
| lib32: { |
| suffix: "32", |
| }, |
| }, |
| } |
| |
| // Used for ACVP testing for FIPS certification. |
| // Not installed on devices by default. |
| cc_binary { |
| name: "acvp_modulewrapper", |
| srcs: [ |
| "src/util/fipstools/acvp/modulewrapper/main.cc", |
| ], |
| target: { |
| android_x86: { |
| enabled: false, |
| }, |
| android_x86_64: { |
| enabled: false, |
| }, |
| }, |
| stem: "modulewrapper", |
| compile_multilib: "both", |
| multilib: { |
| lib32: { |
| suffix: "32", |
| }, |
| }, |
| |
| static_libs: [ |
| "libacvp_modulewrapper", |
| ], |
| shared_libs: [ |
| "libcrypto", |
| ], |
| |
| defaults: [ |
| "boringssl_flags", |
| ], |
| } |
| |
| // ACVP wrapper implementation shared between Android and Trusty |
| cc_library_static { |
| name: "libacvp_modulewrapper", |
| host_supported: true, |
| vendor_available: true, |
| srcs: [ |
| "src/util/fipstools/acvp/modulewrapper/modulewrapper.cc", |
| ], |
| target: { |
| android: { |
| compile_multilib: "both", |
| }, |
| }, |
| export_include_dirs: ["src/util/fipstools/acvp/modulewrapper/"], |
| shared_libs: [ |
| "libcrypto", |
| ], |
| |
| defaults: [ |
| "boringssl_flags", |
| ], |
| |
| visibility: ["//system/core/trusty/utils/acvp"], |
| } |
| |
| // Test support library |
| cc_library_static { |
| name: "boringssl_test_support", |
| host_supported: true, |
| defaults: [ |
| "boringssl_test_support_sources", |
| "boringssl_flags", |
| ], |
| |
| shared_libs: [ |
| "libcrypto", |
| "libssl", |
| ], |
| } |
| |
| // Tests |
| cc_test { |
| name: "boringssl_crypto_test", |
| test_config: "NativeTests.xml", |
| host_supported: false, |
| per_testcase_directory: true, |
| compile_multilib: "both", |
| multilib: { |
| lib32: { |
| suffix: "32", |
| }, |
| lib64: { |
| suffix: "64", |
| }, |
| }, |
| defaults: [ |
| "boringssl_crypto_test_sources", |
| "boringssl_flags", |
| ], |
| whole_static_libs: ["boringssl_test_support"], |
| // Statically link the library to test to ensure we always pick up the |
| // correct version regardless of device linker configuration. |
| static_libs: ["libcrypto_static"], |
| target: { |
| android: { |
| test_suites: ["mts-conscrypt"], |
| }, |
| }, |
| } |
| |
| cc_test { |
| name: "boringssl_ssl_test", |
| test_config: "NativeTests.xml", |
| host_supported: false, |
| per_testcase_directory: true, |
| compile_multilib: "both", |
| multilib: { |
| lib32: { |
| suffix: "32", |
| }, |
| lib64: { |
| suffix: "64", |
| }, |
| }, |
| defaults: [ |
| "boringssl_ssl_test_sources", |
| "boringssl_flags", |
| ], |
| whole_static_libs: ["boringssl_test_support"], |
| // Statically link the libraries to test to ensure we always pick up the |
| // correct version regardless of device linker configuration. |
| static_libs: [ |
| "libcrypto_static", |
| "libssl", |
| ], |
| target: { |
| android: { |
| test_suites: ["mts-conscrypt"], |
| }, |
| }, |
| } |
| |
| // Utility binary for CMVP on-site testing. |
| cc_binary { |
| name: "test_fips", |
| host_supported: false, |
| defaults: [ |
| "boringssl_flags", |
| ], |
| shared_libs: [ |
| "libcrypto", |
| ], |
| srcs: [ |
| "src/util/fipstools/test_fips.c", |
| ], |
| } |
| |
| // Rust bindings |
| rust_bindgen { |
| name: "libbssl_sys_raw", |
| source_stem: "bindings", |
| crate_name: "bssl_sys_raw", |
| host_supported: true, |
| wrapper_src: "src/rust/wrapper.h", |
| vendor_available: true, |
| bindgen_flags: [ |
| // Adapted from upstream the src/rust/CMakeLists.txt file at: |
| // https://boringssl.googlesource.com/boringssl/+/refs/heads/master/rust/CMakeLists.txt |
| "--no-derive-default", |
| "--enable-function-attribute-detection", |
| "--use-core", |
| "--size_t-is-usize", |
| "--default-macro-constant-type=signed", |
| "--rustified-enum=point_conversion_form_t", |
| // These are not BoringSSL symbols, they are from glibc |
| // and are not relevant to the build besides throwing warnings |
| // about their 'long double' (aka u128) not being FFI safe. |
| // We block those functions so that the build doesn't |
| // spam warnings. |
| // |
| // https://github.com/rust-lang/rust-bindgen/issues/1549 describes the current problem |
| // and other folks' solutions. |
| "--blocklist-function=strtold", |
| "--blocklist-function=qecvt", |
| "--blocklist-function=qecvt_r", |
| "--blocklist-function=qgcvt", |
| "--blocklist-function=qfcvt", |
| "--blocklist-function=qfcvt_r", |
| ], |
| shared_libs: [ |
| "libcrypto", |
| "libssl", |
| ], |
| apex_available: [ |
| "//apex_available:platform", |
| "com.android.virt", |
| ], |
| } |
| |
| // Encapsulate the bindgen-generated layout tests as a test target. |
| rust_test { |
| name: "libbssl_sys_raw_test", |
| srcs: [ |
| ":libbssl_sys_raw", |
| ], |
| crate_name: "bssl_sys_raw_test", |
| test_suites: ["general-tests"], |
| auto_gen_config: true, |
| clippy_lints: "none", |
| lints: "none", |
| } |
| |
| // Rust's bindgen doesn't cope with macros, so this target includes C functions that |
| // do the same thing as macros defined in BoringSSL header files. |
| cc_library_static { |
| name: "libbssl_rust_support", |
| host_supported: true, |
| defaults: ["boringssl_flags"], |
| srcs: ["src/rust/rust_wrapper.c"], |
| shared_libs: [ |
| "libcrypto", |
| "libssl", |
| ], |
| apex_available: [ |
| "//apex_available:platform", |
| "com.android.virt", |
| ], |
| } |
| |
| // Replace the upstream CMake placeholder with a re-export of all of the local bindgen output. |
| gensrcs { |
| name: "libbssl_sys_src", |
| srcs: ["src/rust/src/lib.rs"], |
| cmd: "sed 's@^.{INCLUDES}@pub use bssl_sys_raw::*;@' $(in) > $(out)", |
| } |
| |
| rust_library { |
| name: "libbssl_ffi", |
| host_supported: true, |
| crate_name: "bssl_ffi", |
| visibility: [ |
| "//external/rust/crates/openssl", |
| "//system/keymint/boringssl", |
| ], |
| // Use the modified source with placeholder replaced. |
| srcs: [":libbssl_sys_src"], |
| vendor_available: true, |
| // Since libbssl_sys_raw is not publically visible, we can't |
| // accidentally force a double-link by linking statically, so do so. |
| rlibs: ["libbssl_sys_raw"], |
| static_libs: [ |
| "libbssl_rust_support", |
| ], |
| apex_available: [ |
| "//apex_available:platform", |
| "com.android.virt", |
| ], |
| } |
