// Note that some host libraries have the same module name as the target
// libraries. This is currently needed to build, for example, adb. But it's
// probably something that should be changed.

// Package-wide defaults: every module in this file is private to this package
// unless it sets its own visibility, and every module carries the
// external_boringssl_license license module.
package {
    default_visibility: ["//visibility:private"],
    default_applicable_licenses: ["external_boringssl_license"],
}

// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'fileGroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// See: http://go/android-license-faq
license {
    name: "external_boringssl_license",
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "SPDX-license-identifier-BSD",
        "SPDX-license-identifier-ISC",
        "SPDX-license-identifier-MIT",
        "SPDX-license-identifier-OpenSSL",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}

// Pull in the autogenerated sources modules
build = ["sources.bp"]

// Used by libcrypto, libssl, bssl tool, and native tests
cc_defaults {
    name: "boringssl_flags",
    vendor_available: true,
    product_available: true,

    cflags: [
        // Symbols stay hidden unless the sources export them explicitly.
        "-fvisibility=hidden",
        "-DBORINGSSL_SHARED_LIBRARY",
        "-DBORINGSSL_ANDROID_SYSTEM",
        "-DOPENSSL_SMALL",
        "-Werror",
        "-Wno-unused-parameter",
    ],

    cppflags: [
        "-Wall",
        "-Werror",
    ],

    c_std: "gnu11",

    // Build BoringSSL and its tests against the same STL.
    sdk_version: "9",
    target: {
        android: {
            stl: "libc++_static",
        },
    },
}

// Used by libcrypto + libssl
cc_defaults {
    name: "boringssl_defaults",

    local_include_dirs: ["src/include"],
    export_include_dirs: ["src/include"],
    cflags: ["-DBORINGSSL_IMPLEMENTATION"],
}

//// libcrypto

// Settings shared by every libcrypto variant in this file (bcm_object,
// libcrypto, libcrypto_static and libcrypto_fuzz_unsafe all list it).
cc_defaults {
    name: "libcrypto_defaults",
    host_supported: true,
    ramdisk_available: true,
    vendor_ramdisk_available: true,

    // Windows and Macs both have problems with assembly files
    target: {
        windows: {
            enabled: true,
            cflags: ["-DOPENSSL_NO_ASM"],
            host_ldlibs: ["-lws2_32"],
        },
        darwin: {
            cflags: ["-DOPENSSL_NO_ASM"],
        },
        host: {
            host_ldlibs: ["-lpthread"],
        },
        android: {
            // On FIPS builds (i.e. Android only) prevent other libraries
            // from pre-empting symbols in libcrypto which could affect FIPS
            // compliance and cause integrity checks to fail. See b/160231064.
            ldflags: ["-Wl,-Bsymbolic"],
        },
    },

    local_include_dirs: ["src/crypto"],
}

// Object file built from the libcrypto_bcm_sources defaults. On Android it is
// compiled with -DBORINGSSL_FIPS and laid out by the FIPS linker script;
// libcrypto consumes it through srcs: [":bcm_object"].
cc_object {
    name: "bcm_object",
    device_supported: true,
    recovery_available: true,
    native_bridge_supported: true,
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    // NOTE(review): sanitizer instrumentation is switched off for this
    // object; presumably it would interfere with the FIPS integrity check
    // over the module's text and data -- confirm before re-enabling any of
    // these.
    sanitize: {
        address: false,
        hwaddress: false,
        fuzzer: false,
    },
    target: {
        android: {
            cflags: [
                "-DBORINGSSL_FIPS",
                "-fPIC",
                // -fno[data|text]-sections required to ensure a
                // single text and data section for FIPS integrity check
                "-fno-data-sections",
                "-fno-function-sections",
            ],
            linker_script: "src/crypto/fipsmodule/fips_shared.lds",
        },
        // Temporary hack to let BoringSSL build with a new compiler.
        // This doesn't enable HWASAN unconditionally, it just causes
        // BoringSSL's asm code to unconditionally use a HWASAN-compatible
        // global variable reference so that the non-HWASANified (because of
        // sanitize: { hwaddress: false } above) code in the BCM can
        // successfully link against the HWASANified code in the rest of
        // BoringSSL in HWASAN builds.
        android_arm64: {
            asflags: [
                "-fsanitize=hwaddress",
            ],
        },
    },
    // Same APEX list as libcrypto below, which includes this object; keep the
    // two lists in step.
    apex_available: [
        "//apex_available:platform",
        "com.android.adbd",
        "com.android.art",
        "com.android.art.debug",
        "com.android.art.testing",
        "com.android.bluetooth",
        "com.android.compos",
        "com.android.conscrypt",
        "com.android.resolv",
        "com.android.virt",
    ],
    min_sdk_version: "29",
}

// Go packages from src/util that bssl_inject_hash below depends on.
bootstrap_go_package {
    name: "bssl_ar",
    pkgPath: "boringssl.googlesource.com/boringssl/util/ar",
    srcs: [
        "src/util/ar/ar.go",
    ],
    testSrcs: [
        "src/util/ar/ar_test.go",
    ],
}

bootstrap_go_package {
    name: "bssl_fipscommon",
    pkgPath: "boringssl.googlesource.com/boringssl/util/fipstools/fipscommon",
    srcs: [
        "src/util/fipstools/fipscommon/const.go",
    ],
}

// Build-time Go tool from src/util/fipstools/inject_hash.
// NOTE(review): presumably this is what the inject_bssl_hash property on
// libcrypto invokes to store the FIPS integrity hash -- confirm against the
// Soong cc rules.
blueprint_go_binary {
    name: "bssl_inject_hash",
    srcs: [
        "src/util/fipstools/inject_hash/inject_hash.go",
    ],
    deps: [
        "bssl_ar",
        "bssl_fipscommon",
    ],
}

// Target and host library
cc_library {
    name: "libcrypto",
    visibility: ["//visibility:public"],
    vendor_available: true,
    product_available: true,
    native_bridge_supported: true,
    vndk: {
        enabled: true,
    },
    double_loadable: true,
    recovery_available: true,
    defaults: [
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    unique_host_soname: true,
    // The crypto module itself comes from the separately built bcm_object.
    srcs: [
        ":bcm_object",
    ],
    target: {
        android: {
            cflags: [
                "-DBORINGSSL_FIPS",
            ],
            sanitize: {
                // Disable address sanitizing otherwise libcrypto will not report
                // itself as being in FIPS mode, which causes boringssl_self_test
                // to fail.
                address: false,
            },
            // NOTE(review): presumably makes the build run bssl_inject_hash
            // on the linked library so the integrity check has a hash to
            // compare against -- confirm against the Soong cc rules.
            inject_bssl_hash: true,
            static: {
                // Disable the static version of libcrypto, as it causes
                // problems for FIPS certification.  Use libcrypto_static for
                // modules that need static libcrypto but do not need FIPS self
                // testing, or use dynamic libcrypto.
                enabled: false,
            },
        },
    },
    apex_available: [
        "//apex_available:platform",
        "com.android.adbd",
        "com.android.art",
        "com.android.art.debug",
        "com.android.art.testing",
        "com.android.bluetooth",
        "com.android.compos",
        "com.android.conscrypt",
        "com.android.resolv",
        "com.android.virt",
    ],
    min_sdk_version: "29",
}

// Static library
// This version of libcrypto will not have FIPS self tests enabled, so its
// usage is protected through visibility to ensure it doesn't end up used
// somewhere that needs the FIPS version.
cc_library_static {
    name: "libcrypto_static",
    // This allowlist is the only control on who links the non-FIPS build.
    // Each entry is a package that gets a libcrypto without FIPS self tests,
    // so additions should be reviewed with that in mind.
    visibility: [
        "//art/build/sdk",
        "//bootable/recovery/updater",
        "//external/conscrypt",
        "//external/python/cpython2",
        "//external/rust/crates/quiche",
        // Strictly, only the *static* toybox for legacy devices should have
        // access to libcrypto_static, but we can't express that.
        "//external/toybox",
        "//hardware/interfaces/confirmationui/1.0/vts/functional",
        "//hardware/interfaces/drm/1.0/vts/functional",
        "//hardware/interfaces/drm/1.2/vts/functional",
        "//hardware/interfaces/drm/1.3/vts/functional",
        "//hardware/interfaces/keymaster/3.0/vts/functional",
        "//hardware/interfaces/keymaster/4.0/vts/functional",
        "//hardware/interfaces/keymaster/4.1/vts/functional",
        "//packages/modules/adb",
        "//packages/modules/DnsResolver/tests:__subpackages__",
        "//packages/modules/NeuralNetworks:__subpackages__",
        "//system/core/init",
        "//system/core/fs_mgr/liblp",
        "//system/core/fs_mgr/liblp/vts_core",
        "//system/core/fs_mgr/libsnapshot",
        "//system/libvintf/test",
        "//system/security/keystore/tests",
        "//test/vts-testcase/security/avb",
    ],
    apex_available: [
        "//apex_available:platform",
        "com.android.neuralnetworks",
    ],
    // Unlike libcrypto, the BCM sources are compiled in directly here rather
    // than taken from bcm_object.
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
}

// Common defaults for lib*_fuzz_unsafe. These are unsafe and deterministic
// libraries for testing and fuzzing only. See src/FUZZING.md.
cc_defaults {
    name: "boringssl_fuzz_unsafe_defaults",
    host_supported: true,
    cflags: [
        "-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE",
        "-DBORINGSSL_UNSAFE_FUZZER_MODE",
    ],
    // The visibility list is what keeps the unsafe variants out of other
    // packages; treat any addition to it as a security review item.
    visibility: [
        "//frameworks/native/libs/binder/tests:__subpackages__",
    ],
}

// Unsafe and deterministic version of libcrypto. For testing and fuzzing only.
// See src/FUZZING.md.
cc_test_library {
    name: "libcrypto_fuzz_unsafe",
    // Overrides the ramdisk availability that libcrypto_defaults turns on, so
    // the unsafe build gets no ramdisk or vendor-ramdisk variant.
    ramdisk_available: false,
    vendor_ramdisk_available: false,
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
        "boringssl_fuzz_unsafe_defaults",
    ],
}

//// libssl

// Static and shared library, for target and host
cc_library {
    name: "libssl",
    visibility: ["//visibility:public"],
    recovery_available: true,
    vendor_available: true,
    product_available: true,
    native_bridge_supported: true,
    vndk: {
        enabled: true,
    },
    host_supported: true,
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    target: {
        windows: {
            enabled: true,
        },
    },
    unique_host_soname: true,

    // Always the shared libcrypto, which on Android is the FIPS build.
    shared_libs: ["libcrypto"],

    apex_available: [
        "//apex_available:platform",
        "com.android.bluetooth",
        "com.android.adbd",
        "com.android.conscrypt",
        "com.android.resolv",
    ],
    min_sdk_version: "29",
}

// Unsafe and deterministic version of libssl. For testing and fuzzing only.
// See src/FUZZING.md.
cc_test_library {
    name: "libssl_fuzz_unsafe",
    host_supported: true,
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags",
        "boringssl_fuzz_unsafe_defaults",
    ],
    // Pairs with the unsafe libcrypto, linked statically, rather than the
    // regular shared libcrypto that libssl uses.
    static_libs: [
        "libcrypto_fuzz_unsafe",
    ],
}

// Tool
cc_binary {
    name: "bssl",
    host_supported: true,
    defaults: [
        "bssl_sources",
        "boringssl_flags",
    ],

    shared_libs: [
        "libcrypto",
        "libssl",
    ],
    target: {
        darwin: {
            enabled: false,
        },
        android: {
            compile_multilib: "both",
        },
    },
    // The 32-bit build gets a "32" suffix on its name.
    multilib: {
        lib32: {
            suffix: "32",
        },
    },
}

// Used for ACVP testing for FIPS certification.
// Not installed on devices by default.
cc_binary {
    name: "acvp_modulewrapper",
    srcs: [
        "src/util/fipstools/acvp/modulewrapper/main.cc",
    ],
    // NOTE(review): the x86 Android variants are disabled; the reason is not
    // stated in this file.
    target: {
        android_x86: {
            enabled: false,
        },
        android_x86_64: {
            enabled: false,
        },
    },
    // Installed as "modulewrapper" (with a "32" suffix for the 32-bit build).
    stem: "modulewrapper",
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
    },

    static_libs: [
        "libacvp_modulewrapper",
    ],
    // Links the shared libcrypto, i.e. the build that defines BORINGSSL_FIPS
    // on Android, rather than libcrypto_static.
    shared_libs: [
        "libcrypto",
    ],

    defaults: [
        "boringssl_flags",
    ],
}

// ACVP wrapper implementation shared between Android and Trusty
cc_library_static {
    name: "libacvp_modulewrapper",
    host_supported: true,
    vendor_available: true,
    srcs: [
        "src/util/fipstools/acvp/modulewrapper/modulewrapper.cc",
    ],
    target: {
        android: {
            compile_multilib: "both",
        },
    },
    export_include_dirs: ["src/util/fipstools/acvp/modulewrapper/"],
    shared_libs: [
        "libcrypto",
    ],

    defaults: [
        "boringssl_flags",
    ],

    // Besides this package, only the Trusty ACVP utility may use it.
    visibility: ["//system/core/trusty/utils/acvp"],
}

// Test support library
cc_library_static {
    name: "boringssl_test_support",
    host_supported: true,
    defaults: [
        "boringssl_test_support_sources",
        "boringssl_flags",
    ],

    shared_libs: [
        "libcrypto",
        "libssl",
    ],
}

// Tests
cc_test {
    name: "boringssl_crypto_test",
    test_config: "NativeTests.xml",
    host_supported: false,
    per_testcase_directory: true,
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
        lib64: {
            suffix: "64",
        },
    },
    defaults: [
        "boringssl_crypto_test_sources",
        "boringssl_flags",
    ],
    whole_static_libs: ["boringssl_test_support"],
    // Statically link the library to test to ensure we always pick up the
    // correct version regardless of device linker configuration.
    // NOTE(review): libcrypto_static is described in this file as the build
    // without FIPS self tests, so this suite presumably does not exercise the
    // FIPS-enabled shared libcrypto -- confirm that is covered elsewhere.
    static_libs: ["libcrypto_static"],
    target: {
        android: {
            test_suites: ["mts-conscrypt"],
        },
    },
}

cc_test {
    name: "boringssl_ssl_test",
    test_config: "NativeTests.xml",
    host_supported: false,
    per_testcase_directory: true,
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
        lib64: {
            suffix: "64",
        },
    },
    defaults: [
        "boringssl_ssl_test_sources",
        "boringssl_flags",
    ],
    whole_static_libs: ["boringssl_test_support"],
    // Statically link the libraries to test to ensure we always pick up the
    // correct version regardless of device linker configuration.
    static_libs: [
        "libcrypto_static",
        "libssl",
    ],
    target: {
        android: {
            test_suites: ["mts-conscrypt"],
        },
    },
}

// Utility binary for CMVP on-site testing.
// Device-only, and linked against the shared libcrypto.
cc_binary {
    name: "test_fips",
    host_supported: false,
    defaults: [
        "boringssl_flags",
    ],
    shared_libs: [
        "libcrypto",
    ],
    srcs: [
        "src/util/fipstools/test_fips.c",
    ],
}

// Rust bindings
rust_bindgen {
    name: "libbssl_sys_raw",
    source_stem: "bindings",
    crate_name: "bssl_sys_raw",
    host_supported: true,
    wrapper_src: "src/rust/wrapper.h",
    vendor_available: true,
    bindgen_flags: [
        // Adapted from the upstream src/rust/CMakeLists.txt file at:
        // https://boringssl.googlesource.com/boringssl/+/refs/heads/master/rust/CMakeLists.txt
        "--no-derive-default",
        "--enable-function-attribute-detection",
        "--use-core",
        "--size_t-is-usize",
        "--default-macro-constant-type=signed",
        // NOTE(review): a rustified enum is only sound while the C side
        // returns nothing but the declared variants; presumably safe here
        // because the values come from BoringSSL itself -- confirm.
        "--rustified-enum=point_conversion_form_t",
        // These are not BoringSSL symbols, they are from glibc
        // and are not relevant to the build besides throwing warnings
        // about their 'long double' (aka u128) not being FFI safe.
        // We block those functions so that the build doesn't
        // spam warnings.
        //
        // https://github.com/rust-lang/rust-bindgen/issues/1549 describes the current problem
        // and other folks' solutions.
        "--blocklist-function=strtold",
        "--blocklist-function=qecvt",
        "--blocklist-function=qecvt_r",
        "--blocklist-function=qgcvt",
        "--blocklist-function=qfcvt",
        "--blocklist-function=qfcvt_r",
    ],
    shared_libs: [
        "libcrypto",
        "libssl",
    ],
}

// Encapsulate the bindgen-generated layout tests as a test target.
rust_test {
    name: "libbssl_sys_raw_test",
    srcs: [
        ":libbssl_sys_raw",
    ],
    crate_name: "bssl_sys_raw_test",
    test_suites: ["general-tests"],
    auto_gen_config: true,
    // Lints are turned off because the sources are bindgen output.
    clippy_lints: "none",
    lints: "none",
}

// Rust's bindgen doesn't cope with macros, so this target includes C functions that
// do the same thing as macros defined in BoringSSL header files.
cc_library_static {
    name: "libbssl_rust_support",
    host_supported: true,
    defaults: ["boringssl_flags"],
    srcs: ["src/rust/rust_wrapper.c"],
    shared_libs: [
        "libcrypto",
        "libssl",
    ],
}

// Replace the upstream CMake placeholder with a re-export of all of the local bindgen output.
// NOTE(review): the '.' in the sed pattern matches any single character;
// presumably it stands in for the '$' of the placeholder so that no '$' has
// to be escaped in the Soong command -- confirm against src/rust/src/lib.rs.
gensrcs {
    name: "libbssl_sys_src",
    srcs: ["src/rust/src/lib.rs"],
    cmd: "sed 's@^.{INCLUDES}@pub use bssl_sys_raw::*;@' $(in) > $(out)",
}

// Rust crate that re-exports the raw bindings; visible only to the packages
// listed below.
rust_library {
    name: "libbssl_ffi",
    host_supported: true,
    crate_name: "bssl_ffi",
    visibility: [
        "//external/rust/crates/openssl",
        "//system/keymint/boringssl",
        "//system/security/prng_seeder",
    ],
    // Use the modified source with placeholder replaced.
    srcs: [":libbssl_sys_src"],
    vendor_available: true,
    // Since libbssl_sys_raw is not publicly visible, we can't
    // accidentally force a double-link by linking statically, so do so.
    rlibs: ["libbssl_sys_raw"],
    static_libs: [
        "libbssl_rust_support",
    ],
}