// Note that some host libraries have the same module name as the target
// libraries. This is currently needed to build, for example, adb. But it's
// probably something that should be changed.

package {
    // Modules in this package are private unless they declare their own
    // visibility. The explicit visibility lists further down (test-only and
    // non-FIPS variants) rely on this default.
    default_visibility: ["//visibility:private"],
    default_applicable_licenses: ["external_boringssl_license"],
}

// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'fileGroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// See: http://go/android-license-faq
license {
    name: "external_boringssl_license",
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "SPDX-license-identifier-BSD",
        "SPDX-license-identifier-ISC",
        "SPDX-license-identifier-MIT",
        "SPDX-license-identifier-OpenSSL",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}

// Pull in the autogenerated sources modules
build = ["sources.bp"]

// Used by libcrypto, libssl, bssl tool, and native tests
cc_defaults {
    // This contains the common options between boringssl_flags and
    // boringssl_flags_baremetal. Nothing else should include this target
    // directly.
    name: "boringssl_flags_common",
    cflags: [
        // Symbols are hidden unless explicitly exported.
        "-fvisibility=hidden",
        "-DBORINGSSL_SHARED_LIBRARY",
        "-DOPENSSL_SMALL",
        // Warnings are build failures.
        "-Werror",
        "-Wno-unused-parameter",
    ],
    cppflags: [
        "-Wall",
        "-Werror",
    ],
    // Build BoringSSL and its tests against the same STL.
    stl: "libc++_static",
}

// Flags for the regular Android system builds (vendor and product variants
// included). Adds BORINGSSL_ANDROID_SYSTEM on top of the common flags.
cc_defaults {
    name: "boringssl_flags",
    vendor_available: true,
    product_available: true,
    cflags: ["-DBORINGSSL_ANDROID_SYSTEM"],
    defaults: ["boringssl_flags_common"],
    sdk_version: "9",
}

// Flags for the bare-metal builds. Only available to the com.android.virt
// APEX.
cc_defaults {
    name: "boringssl_flags_baremetal",
    cflags: [
        "-DBORINGSSL_NO_STATIC_INITIALIZER",
        "-DANDROID_BAREMETAL",
    ],
    defaults: ["boringssl_flags_common"],
    apex_available: [
        "com.android.virt",
    ],
}

// Used by libcrypto + libssl
cc_defaults {
    name: "boringssl_defaults",
    local_include_dirs: ["src/include"],
    export_include_dirs: ["src/include"],
    cflags: ["-DBORINGSSL_IMPLEMENTATION"],
}

//// libcrypto, but not libcrypto_baremetal. libcrypto_baremetal is a single
//// target, so there is no need for a libcrypto_defaults_baremetal.
cc_defaults {
    name: "libcrypto_defaults",
    host_supported: true,
    ramdisk_available: true,
    vendor_ramdisk_available: true,
    target: {
        windows: {
            enabled: true,
            host_ldlibs: ["-lws2_32"],
        },
        host: {
            host_ldlibs: ["-lpthread"],
        },
        android: {
            // On FIPS builds (i.e. Android only) prevent other libraries
            // from pre-empting symbols in libcrypto which could affect FIPS
            // compliance and cause integrity checks to fail. See b/160231064.
            ldflags: ["-Wl,-Bsymbolic"],
        },
    },
    stl: "none",
}

// Boring Crypto Module object file.
// Common settings between bcm_object and bcm_object_for_testing.
cc_defaults {
    name: "bcm_object_defaults",
    device_supported: true,
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    // Every sanitizer listed here is switched off for the BCM object.
    // NOTE(review): presumably so that instrumentation cannot change the
    // code and data covered by the FIPS integrity check - confirm. The
    // consequence is that the module code is not covered by these
    // sanitizers even in sanitized builds.
    sanitize: {
        address: false,
        hwaddress: false,
        memtag_stack: false,
        memtag_globals: false,
        fuzzer: false,
    },
    target: {
        android: {
            cflags: [
                "-DBORINGSSL_FIPS",
                "-fPIC",
                // -fno-data-sections and -fno-function-sections are required
                // to ensure a single text and data section for the FIPS
                // integrity check
                "-fno-data-sections",
                "-fno-function-sections",
            ],
            linker_script: "src/crypto/fipsmodule/fips_shared.lds",
        },
        // Temporary hack to let BoringSSL build with a new compiler.
        // This doesn't enable HWASAN unconditionally, it just causes
        // BoringSSL's asm code to unconditionally use a HWASAN-compatible
        // global variable reference so that the non-HWASANified (because of
        // sanitize: { hwaddress: false } above) code in the BCM can
        // successfully link against the HWASANified code in the rest of
        // BoringSSL in HWASAN builds.
        android_arm64: {
            asflags: [
                "-fsanitize=hwaddress",
            ],
        },
    },
    min_sdk_version: "29",
}

// The BCM object that is linked into the production libcrypto (it is listed
// in libcrypto's srcs as ":bcm_object").
cc_object {
    name: "bcm_object",
    recovery_available: true,
    native_bridge_supported: true,
    defaults: [
        "bcm_object_defaults",
    ],
    apex_available: [
        "//apex_available:platform",
        "com.android.adbd",
        "com.android.adservices",
        "com.android.btservices",
        "com.android.compos",
        "com.android.conscrypt",
        "com.android.extservices",
        "com.android.ondevicepersonalization",
        "com.android.resolv",
        "com.android.virt",
    ],
}

// Version of bcm_object built with BORINGSSL_FIPS_BREAK_TESTS defined.
// Only for use with the FIPS break-tests.sh script.
cc_object {
    name: "bcm_object_for_testing",
    // Restricted to this package so that the break-test variant cannot be
    // linked by modules outside //external/boringssl.
    visibility: [
        "//external/boringssl",
    ],
    defaults: [
        "bcm_object_defaults",
    ],
    target: {
        android: {
            cflags: ["-DBORINGSSL_FIPS_BREAK_TESTS"],
        },
    },
}

// Go package for the "ar" archive utility used by the FIPS tooling below.
bootstrap_go_package {
    name: "bssl_ar",
    pkgPath: "boringssl.googlesource.com/boringssl/util/ar",
    srcs: [
        "src/util/ar/ar.go",
    ],
    testSrcs: [
        "src/util/ar/ar_test.go",
    ],
}

// Go package with constants shared by the FIPS tools.
bootstrap_go_package {
    name: "bssl_fipscommon",
    pkgPath: "boringssl.googlesource.com/boringssl/util/fipstools/fipscommon",
    srcs: [
        "src/util/fipstools/fipscommon/const.go",
    ],
}

// Build-time tool from util/fipstools/inject_hash.
// NOTE(review): presumably the tool behind the `inject_bssl_hash: true`
// property used by libcrypto - confirm in the Soong cc rules.
blueprint_go_binary {
    name: "bssl_inject_hash",
    srcs: [
        "src/util/fipstools/inject_hash/inject_hash.go",
    ],
    deps: [
        "bssl_ar",
        "bssl_fipscommon",
    ],
}

// Target and host library.
// Any changes here must also be reflected in libcrypto_for_testing below.
cc_library {
    // Production libcrypto: publicly visible, FIPS flags on Android, and
    // only the shared variant is built for Android (see `static` below).
    name: "libcrypto",
    visibility: ["//visibility:public"],
    vendor_available: true,
    product_available: true,
    native_bridge_supported: true,
    double_loadable: true,
    recovery_available: true,
    defaults: [
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    unique_host_soname: true,
    srcs: [
        ":bcm_object",
    ],
    target: {
        android: {
            cflags: [
                "-DBORINGSSL_FIPS",
            ],
            sanitize: {
                // Disable address sanitizing otherwise libcrypto will not report
                // itself as being in FIPS mode, which causes boringssl_self_test
                // to fail.
                address: false,
            },
            // NOTE(review): presumably embeds the module integrity hash
            // after linking, using the bssl_inject_hash tool defined in
            // this file - confirm in the Soong cc rules.
            inject_bssl_hash: true,
            static: {
                // Disable the static version of libcrypto, as it causes
                // problems for FIPS certification. Use libcrypto_static for
                // modules that need static libcrypto but do not need FIPS self
                // testing, or use dynamic libcrypto.
                enabled: false,
            },
        },
    },
    apex_available: [
        "//apex_available:platform",
        "com.android.adbd",
        "com.android.adservices",
        "com.android.btservices",
        "com.android.compos",
        "com.android.conscrypt",
        "com.android.extservices",
        "com.android.resolv",
        "com.android.ondevicepersonalization",
        "com.android.virt",
    ],
    min_sdk_version: "29",
    afdo: true,
}

// Version of libcrypto built with BORINGSSL_FIPS_BREAK_TESTS defined.
// Only for use with the FIPS break-tests.sh script.
// Must be kept in sync with libcrypto.
cc_library {
    name: "libcrypto_for_testing",
    // Restricted to this package so that the break-test variant cannot be
    // linked by modules outside //external/boringssl.
    visibility: [
        "//external/boringssl",
    ],
    defaults: [
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    unique_host_soname: true,
    srcs: [
        ":bcm_object_for_testing",
    ],
    target: {
        android: {
            cflags: [
                "-DBORINGSSL_FIPS",
                "-DBORINGSSL_FIPS_BREAK_TESTS",
            ],
            sanitize: {
                // Disable address sanitizing otherwise libcrypto will not report
                // itself as being in FIPS mode, which causes boringssl_self_test
                // to fail.
                address: false,
            },
            inject_bssl_hash: true,
            static: {
                // Disable the static version of libcrypto, as it causes
                // problems for FIPS certification. Use libcrypto_static for
                // modules that need static libcrypto but do not need FIPS self
                // testing, or use dynamic libcrypto.
                enabled: false,
            },
        },
    },
    min_sdk_version: "29",
}

// Static library
// This version of libcrypto will not have FIPS self tests enabled, so its
// usage is protected through visibility to ensure it doesn't end up used
// somewhere that needs the FIPS version.
cc_library_static {
    name: "libcrypto_static",
    // This allowlist is the only control keeping the non-FIPS build out of
    // code that needs the FIPS version, so review every addition.
    visibility: [
        "//bootable/recovery/updater",
        "//bootable/deprecated-ota/updater",
        "//external/conscrypt",
        "//external/python/cpython2",
        "//external/rust/crates/quiche",
        // Strictly, only the *static* toybox for legacy devices should have
        // access to libcrypto_static, but we can't express that.
        "//external/toybox",
        "//hardware/interfaces/confirmationui/1.0/vts/functional",
        "//hardware/interfaces/drm/1.0/vts/functional",
        "//hardware/interfaces/drm/1.2/vts/functional",
        "//hardware/interfaces/drm/1.3/vts/functional",
        "//hardware/interfaces/keymaster/3.0/vts/functional",
        "//hardware/interfaces/keymaster/4.0/vts/functional",
        "//hardware/interfaces/keymaster/4.1/vts/functional",
        "//packages/modules/adb",
        "//packages/modules/AdServices:__subpackages__",
        "//packages/modules/DnsResolver/tests:__subpackages__",
        "//packages/modules/NeuralNetworks:__subpackages__",
        "//system/core/init",
        "//system/core/fs_mgr/liblp",
        "//system/core/fs_mgr/liblp/vts_core",
        "//system/core/fs_mgr/libsnapshot",
        "//system/libvintf/test",
        "//system/security/keystore/tests",
        "//system/security/provisioner",
        "//test/vts-testcase/security/avb",
        // NOTE(review): this entry grants access to every package under
        // //vendor, which is much broader than the per-package entries
        // above - confirm that is intended.
        "//vendor:__subpackages__",
    ],
    min_sdk_version: "29",
    apex_available: [
        "//apex_available:platform",
        "com.android.adservices",
        "com.android.extservices",
        "com.android.neuralnetworks",
    ],
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
}

// Static library for use in bare-metal environments
cc_library_static {
    name: "libcrypto_baremetal",
    // Uses boringssl_flags_baremetal and does not pull in
    // libcrypto_defaults.
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_sources",
        "boringssl_defaults",
        "boringssl_flags_baremetal",
    ],
    visibility: [
        "//external/avb:__subpackages__",
        "//external/open-dice",
        "//packages/modules/Virtualization:__subpackages__",
        "//system/security/diced/open_dice",
    ],
}

// For static linking into the ART module to provide limited functionality:
// bignums and SHA1 for ELF checksums.
cc_library_static {
    name: "libcrypto_for_art",
    // boringssl_flags is not included, so the cflags defined there do not
    // apply to this target.
    defaults: [
        "libcrypto_defaults",
        "boringssl_defaults",
    ],
    // Hand-picked subset of the libcrypto sources rather than the generated
    // source lists used by the other libcrypto variants.
    srcs: [
        "src/crypto/cpu_*.c",
        "src/crypto/crypto.c",
        "src/crypto/err/err.c",
        "src/crypto/fipsmodule/bn/*.c",
        "src/crypto/fipsmodule/bn/asm/*.c",
        "src/crypto/fipsmodule/rand/*.c",
        "src/crypto/fipsmodule/sha/sha1.c",
        "src/crypto/mem.c",
        "src/crypto/stack/stack.c",
        "src/crypto/thread_pthread.c",
        "src/gen/crypto/err_data.c",
    ],
    target: {
        linux: {
            srcs: [
                "src/gen/bcm/*-linux.S",
            ],
        },
    },
    visibility: [
        "//art:__subpackages__",
        "//libcore:__subpackages__",
    ],
    apex_available: [
        "com.android.art",
        "com.android.art.debug",
        "com.android.art.testing",
    ],
    min_sdk_version: "29",
}

// Common defaults for lib*_fuzz_unsafe. These are unsafe and deterministic
// libraries for testing and fuzzing only. See src/FUZZING.md.
cc_defaults {
    name: "boringssl_fuzz_unsafe_defaults",
    host_supported: true,
    // Libraries built with these defines must never be linked into
    // production code; see src/FUZZING.md for what each mode changes.
    cflags: [
        "-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE",
        "-DBORINGSSL_UNSAFE_FUZZER_MODE",
    ],
    // NOTE(review): presumably inherited by the lib*_fuzz_unsafe modules
    // that use these defaults, limiting them to the binder tests - confirm.
    visibility: [
        "//frameworks/native/libs/binder/tests:__subpackages__",
    ],
}

// Unsafe and deterministic version of libcrypto. For testing and fuzzing only.
// See src/FUZZING.md.
cc_test_library {
    // Unsafe, deterministic libcrypto for tests and fuzzers only: it takes
    // the BORINGSSL_UNSAFE_* defines from boringssl_fuzz_unsafe_defaults.
    name: "libcrypto_fuzz_unsafe",
    ramdisk_available: false,
    vendor_ramdisk_available: false,
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
        "boringssl_fuzz_unsafe_defaults",
    ],
}

//// libssl

// Target static library

// Static and Shared library
cc_library {
    name: "libssl",
    visibility: ["//visibility:public"],
    recovery_available: true,
    vendor_available: true,
    product_available: true,
    native_bridge_supported: true,
    host_supported: true,
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    target: {
        windows: {
            enabled: true,
        },
    },
    unique_host_soname: true,
    // Links against the shared libcrypto target.
    shared_libs: ["libcrypto"],
    apex_available: [
        "//apex_available:platform",
        "com.android.btservices",
        "com.android.adbd",
        "com.android.conscrypt",
        "com.android.resolv",
        "com.android.virt",
    ],
    min_sdk_version: "29",
}

// libssl for bare-metal environments; pairs with libcrypto_baremetal.
cc_library_static {
    name: "libssl_baremetal",
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags_baremetal",
    ],
    static_libs: ["libcrypto_baremetal"],
}

// Host-only static libssl; links libcrypto_static.
cc_library_host_static {
    name: "libssl_static",
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    static_libs: ["libcrypto_static"],
}

// Unsafe and deterministic version of libssl. For testing and fuzzing only.
// See src/FUZZING.md.
cc_test_library {
    name: "libssl_fuzz_unsafe",
    host_supported: true,
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags",
        "boringssl_fuzz_unsafe_defaults",
    ],
    static_libs: [
        "libcrypto_fuzz_unsafe",
    ],
}

// Tool
cc_binary {
    name: "bssl",
    host_supported: true,
    defaults: [
        "bssl_sources",
        "boringssl_flags",
    ],
    shared_libs: [
        "libcrypto",
        "libssl",
    ],
    target: {
        darwin: {
            enabled: false,
        },
        android: {
            // Build both the 32-bit and 64-bit variants on Android.
            compile_multilib: "both",
        },
    },
    multilib: {
        lib32: {
            // The 32-bit binary is named "bssl32".
            suffix: "32",
        },
    },
}

// Used for ACVP testing for FIPS certification.
// Not installed on devices by default.
cc_binary {
    // ACVP module wrapper binary. It links the shared libcrypto target.
    name: "acvp_modulewrapper",
    srcs: [
        "src/util/fipstools/acvp/modulewrapper/main.cc",
    ],
    target: {
        // Not built for the x86 and x86_64 Android targets.
        android_x86: {
            enabled: false,
        },
        android_x86_64: {
            enabled: false,
        },
    },
    // Name of the produced binary.
    stem: "modulewrapper",
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
    },
    static_libs: [
        "libacvp_modulewrapper",
    ],
    shared_libs: [
        "libcrypto",
    ],
    defaults: [
        "boringssl_flags",
    ],
}

// ACVP wrapper implementation shared between Android and Trusty
cc_library_static {
    name: "libacvp_modulewrapper",
    host_supported: true,
    vendor_available: true,
    srcs: [
        "src/util/fipstools/acvp/modulewrapper/modulewrapper.cc",
    ],
    target: {
        android: {
            compile_multilib: "both",
        },
    },
    export_include_dirs: ["src/util/fipstools/acvp/modulewrapper/"],
    shared_libs: [
        "libcrypto",
    ],
    defaults: [
        "boringssl_flags",
    ],
    // Outside this package, only the Trusty ACVP utility may link it.
    visibility: ["//system/core/trusty/utils/acvp"],
}

// Test support library
cc_test_library {
    name: "boringssl_test_support",
    host_supported: true,
    defaults: [
        "boringssl_test_support_sources",
        "boringssl_flags",
    ],
    shared_libs: [
        "libcrypto",
    ],
}

// Tests
cc_test {
    name: "boringssl_crypto_test",
    test_config: "CryptoNativeTests.xml",
    host_supported: false,
    vendor_available: false,
    product_available: false,
    per_testcase_directory: true,
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
        lib64: {
            suffix: "64",
        },
    },
    defaults: [
        "boringssl_crypto_test_sources",
        "boringssl_flags",
    ],
    whole_static_libs: ["boringssl_test_support"],
    // Statically link the library to test to ensure we always pick up the
    // correct version regardless of device linker configuration.
    // NOTE(review): libcrypto_static is the variant described in this file
    // as not having FIPS self tests enabled, so this test presumably does
    // not exercise the FIPS-enabled shared libcrypto - confirm that FIPS
    // coverage comes from elsewhere.
    static_libs: [
        "libcrypto_static",
        "libgmock_ndk",
    ],
    target: {
        android: {
            test_suites: ["mts-conscrypt"],
        },
    },
}

cc_test {
    name: "boringssl_ssl_test",
    test_config: "SslNativeTests.xml",
    host_supported: false,
    vendor_available: false,
    product_available: false,
    per_testcase_directory: true,
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
        lib64: {
            suffix: "64",
        },
    },
    defaults: [
        "boringssl_ssl_test_sources",
        "boringssl_flags",
    ],
    whole_static_libs: ["boringssl_test_support"],
    // Statically link the libraries to test to ensure we always pick up the
    // correct version regardless of device linker configuration.
    static_libs: [
        "libcrypto_static",
        "libgmock_ndk",
        "libssl",
    ],
    target: {
        android: {
            test_suites: ["mts-conscrypt"],
        },
    },
}

// Utility binary for CMVP on-site testing.
cc_binary {
    name: "test_fips",
    host_supported: false,
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
        lib64: {
            suffix: "",
        },
    },
    defaults: [
        "boringssl_flags",
    ],
    shared_libs: [
        "libcrypto",
    ],
    srcs: [
        "src/util/fipstools/test_fips.c",
    ],
    // Installing this binary also installs adb and libcrypto_for_testing,
    // the BORINGSSL_FIPS_BREAK_TESTS build of libcrypto.
    // NOTE(review): confirm test_fips is only added to images used for
    // certification testing and never to production images.
    required: [
        "adb",
        "libcrypto_for_testing",
    ],
}

// bindgen flags shared by libbssl_sys_raw and libbssl_sys_raw_nostd.
libbssl_sys_raw_flags = [
    // Adapted from the upstream src/rust/CMakeLists.txt file at:
    // https://boringssl.googlesource.com/boringssl/+/refs/heads/master/rust/CMakeLists.txt
    "--no-derive-default",
    "--enable-function-attribute-detection",
    "--use-core",
    "--default-macro-constant-type=signed",
    "--rustified-enum=point_conversion_form_t",

    // These regexes use [[:punct:]] instead of / to handle Windows file paths.
    // Ideally we would write [/\\], but escaping rules are complex, and often
    // ill-defined, in some build systems, so align on [[:punct:]].
    // Bindings are generated only for the public openssl headers and for
    // rust_wrapper.h.
    "--allowlist-file=.*[[:punct:]]include[[:punct:]]openssl[[:punct:]].*\\.h",
    "--allowlist-file=.*[[:punct:]]rust_wrapper\\.h",
]

// Rust bindings
rust_bindgen {
    name: "libbssl_sys_raw",
    source_stem: "bssl_sys_bindings",
    crate_name: "bssl_sys_raw",
    host_supported: true,
    wrapper_src: "src/rust/bssl-sys/wrapper.h",
    vendor_available: true,
    product_available: true,
    bindgen_flags: libbssl_sys_raw_flags,
    shared_libs: [
        "libcrypto",
        "libssl",
    ],
    apex_available: [
        "//apex_available:platform",
        "com.android.virt",
    ],
}

// Bindings for the bare-metal (no_std) build: C types come from core::ffi
// and the headers from the *_baremetal libraries.
rust_bindgen {
    name: "libbssl_sys_raw_nostd",
    source_stem: "bssl_sys_bindings",
    crate_name: "bssl_sys_raw",
    wrapper_src: "src/rust/bssl-sys/wrapper.h",
    bindgen_flags: [
        "--ctypes-prefix=core::ffi",
    ] + libbssl_sys_raw_flags,
    header_libs: [
        "libcrypto_baremetal",
        "libssl_baremetal",
    ],
    apex_available: [
        "com.android.virt",
    ],
}

// Encapsulate the bindgen-generated layout tests as a test target.
rust_test {
    name: "libbssl_sys_raw_test",
    srcs: [
        ":libbssl_sys_raw",
    ],
    crate_name: "bssl_sys_raw_test",
    test_suites: ["general-tests"],
    auto_gen_config: true,
    // Lints are turned off for this target, whose source is the
    // bindgen-generated output.
    clippy_lints: "none",
    lints: "none",
}

// Rust's bindgen doesn't cope with macros, so this target includes C functions that
// do the same thing as macros defined in BoringSSL header files.
cc_library_static {
    // C support code (rust_wrapper.c) for the Rust bindings, built against
    // the shared libcrypto and libssl.
    name: "libbssl_rust_support",
    host_supported: true,
    defaults: ["boringssl_flags"],
    srcs: ["src/rust/bssl-sys/rust_wrapper.c"],
    shared_libs: [
        "libcrypto",
        "libssl",
    ],
    apex_available: [
        "//apex_available:platform",
        "com.android.virt",
    ],
}

// Bare-metal variant of the Rust support code; links the *_baremetal
// libraries statically.
cc_library_static {
    name: "libbssl_rust_support_baremetal",
    defaults: ["boringssl_flags_baremetal"],
    srcs: ["src/rust/bssl-sys/rust_wrapper.c"],
    static_libs: [
        "libcrypto_baremetal",
        "libssl_baremetal",
    ],
}

// Host-only variant that bundles libcrypto_static and libssl_static whole.
cc_library_host_static {
    name: "libbssl_rust_support_static",
    defaults: ["boringssl_flags"],
    srcs: ["src/rust/bssl-sys/rust_wrapper.c"],
    whole_static_libs: [
        "libcrypto_static",
        "libssl_static",
    ],
}

// Shared settings for the bssl_sys crate (libbssl_sys and
// libbssl_sys_static).
rust_defaults {
    name: "libbssl_sys_defaults",
    host_supported: true,
    crate_name: "bssl_sys",
    // NOTE(review): presumably inherited by the crates that use these
    // defaults, limiting direct users of the raw FFI crate to the packages
    // listed here - confirm.
    visibility: [
        "//external/rust/crates/openssl",
        "//system/keymint/boringssl",
        "//system/security/prng_seeder",
    ],
    srcs: [
        "src/rust/bssl-sys/src/lib.rs",
        ":libbssl_sys_raw",
    ],
    shared_libs: [
        "libcrypto",
        "libssl",
    ],
    vendor_available: true,
    product_available: true,
}

rust_library {
    name: "libbssl_sys",
    defaults: ["libbssl_sys_defaults"],
    whole_static_libs: [
        "libbssl_rust_support",
    ],
    apex_available: [
        "//apex_available:platform",
        "com.android.virt",
    ],
    cfgs: ["unsupported_inline_wrappers"],
}

rust_library_host_rlib {
    name: "libbssl_sys_static",
    defaults: ["libbssl_sys_defaults"],
    whole_static_libs: [
        "libbssl_rust_support_static",
    ],
    cfgs: ["unsupported_inline_wrappers"],
}

// Produces a copy of bssl-sys's lib.rs with `#![no_std]` prepended, for the
// no_std crate below.
genrule {
    name: "libbssl_sys_src_nostd",
    srcs: ["src/rust/bssl-sys/src/lib.rs"],
    out: ["lib.rs"],
    cmd: "(echo '#![no_std]' && cat $(in)) > $(out)",
}

// no_std build of the bssl_sys crate, visible only to the Virtualization
// module.
rust_library_rlib {
    name: "libbssl_sys_nostd",
    crate_name: "bssl_sys",
    visibility: [
        "//packages/modules/Virtualization:__subpackages__",
    ],
    srcs: [
        ":libbssl_sys_src_nostd",
        ":libbssl_sys_raw_nostd",
    ],
    prefer_rlib: true,
    // Only compiler_builtins and core are linked, not the standard library.
    no_stdlibs: true,
    stdlibs: [
        "libcompiler_builtins.rust_sysroot",
        "libcore.rust_sysroot",
    ],
    whole_static_libs: [
        "libbssl_rust_support_baremetal",
    ],
    cfgs: ["unsupported_inline_wrappers"],
}

// High-level Rust crate `bssl-crypto`
rust_defaults {
    name: "libbssl_crypto_defaults",
    crate_name: "bssl_crypto",
    srcs: ["src/rust/bssl-crypto/src/lib.rs"],
    rustlibs: ["libbssl_sys"],
}

rust_library {
    name: "libbssl_crypto",
    defaults: ["libbssl_crypto_defaults"],
    host_supported: true,
    apex_available: [
        "//apex_available:platform",
        "com.android.virt",
    ],
    visibility: [
        "//external/rust/beto-rust/nearby",
    ],
    vendor_available: true,
    product_available: true,
}

// Unit tests for the bssl_crypto crate, built from the same sources.
rust_test {
    name: "libbssl_crypto_test",
    defaults: ["libbssl_crypto_defaults"],
    crate_name: "bssl_crypto_test",
    test_suites: ["general-tests"],
    auto_gen_config: true,
}