// Note that some host libraries have the same module name as the target
// libraries. This is currently needed to build, for example, adb. But it's
// probably something that should be changed.

// Package-wide defaults: every module is private unless it declares its own
// visibility, and every module carries the license declared below.
package {
    default_visibility: ["//visibility:private"],
    default_applicable_licenses: ["external_boringssl_license"],
}

// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'fileGroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// See: http://go/android-license-faq
license {
    name: "external_boringssl_license",
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "SPDX-license-identifier-BSD",
        "SPDX-license-identifier-ISC",
        "SPDX-license-identifier-MIT",
        "SPDX-license-identifier-OpenSSL",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}

// Pull in the autogenerated sources modules
build = ["sources.bp"]

// Used by libcrypto, libssl, bssl tool, and native tests
cc_defaults {
    name: "boringssl_flags",
    vendor_available: true,
    product_available: true,

    cflags: [
        "-fvisibility=hidden",
        "-DBORINGSSL_SHARED_LIBRARY",
        "-DBORINGSSL_ANDROID_SYSTEM",
        "-DOPENSSL_SMALL",
        "-Werror",
        "-Wno-unused-parameter",
    ],

    cppflags: [
        "-Wall",
        "-Werror",
    ],

    // Build BoringSSL and its tests against the same STL.
    sdk_version: "9",
    stl: "libc++_static",
}

// Used by libcrypto + libssl
cc_defaults {
    name: "boringssl_defaults",
    local_include_dirs: ["src/include"],
    export_include_dirs: ["src/include"],
    cflags: ["-DBORINGSSL_IMPLEMENTATION"],
}

//// libcrypto
cc_defaults {
    name: "libcrypto_defaults",
    host_supported: true,
    ramdisk_available: true,
    vendor_ramdisk_available: true,

    // Windows and Macs both have problems with assembly files
    target: {
        windows: {
            enabled: true,
            cflags: ["-DOPENSSL_NO_ASM"],
            host_ldlibs: ["-lws2_32"],
        },
        darwin: {
            cflags: ["-DOPENSSL_NO_ASM"],
        },
        host: {
            host_ldlibs: ["-lpthread"],
        },
        android: {
            // On FIPS builds (i.e. Android only) prevent other libraries
            // from pre-empting symbols in libcrypto which could affect FIPS
            // compliance and cause integrity checks to fail. See b/160231064.
            ldflags: ["-Wl,-Bsymbolic"],
        },
    },

    local_include_dirs: ["src/crypto"],
    stl: "none",
}

// Boring Crypto Module object file.
// Any changes here must also be reflected in bcm_object_for_testing below.
cc_object {
    name: "bcm_object",
    device_supported: true,
    recovery_available: true,
    native_bridge_supported: true,
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    // Sanitizer instrumentation is switched off for the module object.
    // NOTE(review): presumably so that instrumentation cannot change the code
    // covered by the FIPS integrity check — confirm.
    sanitize: {
        address: false,
        hwaddress: false,
        memtag_stack: false,
        fuzzer: false,
    },
    target: {
        android: {
            cflags: [
                "-DBORINGSSL_FIPS",
                "-fPIC",
                // -fno[data|text]-sections required to ensure a
                // single text and data section for FIPS integrity check
                "-fno-data-sections",
                "-fno-function-sections",
            ],
            linker_script: "src/crypto/fipsmodule/fips_shared.lds",
        },
        // Temporary hack to let BoringSSL build with a new compiler.
        // This doesn't enable HWASAN unconditionally, it just causes
        // BoringSSL's asm code to unconditionally use a HWASAN-compatible
        // global variable reference so that the non-HWASANified (because of
        // sanitize: { hwaddress: false } above) code in the BCM can
        // successfully link against the HWASANified code in the rest of
        // BoringSSL in HWASAN builds.
        android_arm64: {
            asflags: [
                "-fsanitize=hwaddress",
            ],
        },
    },
    apex_available: [
        "//apex_available:platform",
        "com.android.adbd",
        "com.android.adservices",
        "com.android.art",
        "com.android.art.debug",
        "com.android.art.testing",
        "com.android.btservices",
        "com.android.compos",
        "com.android.conscrypt",
        "com.android.extservices",
        "com.android.resolv",
        "com.android.virt",
    ],
    min_sdk_version: "29",
}

// Version of bcm_object built with BORINGSSL_FIPS_BREAK_TESTS defined.
// Only for use with the FIPS break-tests.sh script.
// Must be kept in sync with bcm_object.
cc_object {
    name: "bcm_object_for_testing",
    // Restricted to this package so the break-test build is not linked from
    // anywhere else in the tree.
    visibility: [
        "//external/boringssl",
    ],
    device_supported: true,
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    // NOTE(review): bcm_object also sets memtag_stack: false here; this copy
    // does not, despite the "must be kept in sync" rule above. If memtag_stack
    // instrumentation can apply to this object, the break-test build would not
    // match the shipped module — confirm and align.
    sanitize: {
        address: false,
        hwaddress: false,
        fuzzer: false,
    },
    target: {
        android: {
            cflags: [
                "-DBORINGSSL_FIPS",
                "-DBORINGSSL_FIPS_BREAK_TESTS",
                "-fPIC",
                // -fno[data|text]-sections required to ensure a
                // single text and data section for FIPS integrity check
                "-fno-data-sections",
                "-fno-function-sections",
            ],
            linker_script: "src/crypto/fipsmodule/fips_shared.lds",
        },
        // Temporary hack to let BoringSSL build with a new compiler.
        // This doesn't enable HWASAN unconditionally, it just causes
        // BoringSSL's asm code to unconditionally use a HWASAN-compatible
        // global variable reference so that the non-HWASANified (because of
        // sanitize: { hwaddress: false } above) code in the BCM can
        // successfully link against the HWASANified code in the rest of
        // BoringSSL in HWASAN builds.
        android_arm64: {
            asflags: [
                "-fsanitize=hwaddress",
            ],
        },
    },
    min_sdk_version: "29",
}

// Go packages and the bssl_inject_hash tool built from
// src/util/fipstools/inject_hash.
bootstrap_go_package {
    name: "bssl_ar",
    pkgPath: "boringssl.googlesource.com/boringssl/util/ar",
    srcs: [
        "src/util/ar/ar.go",
    ],
    testSrcs: [
        "src/util/ar/ar_test.go",
    ],
}

bootstrap_go_package {
    name: "bssl_fipscommon",
    pkgPath: "boringssl.googlesource.com/boringssl/util/fipstools/fipscommon",
    srcs: [
        "src/util/fipstools/fipscommon/const.go",
    ],
}

blueprint_go_binary {
    name: "bssl_inject_hash",
    srcs: [
        "src/util/fipstools/inject_hash/inject_hash.go",
    ],
    deps: [
        "bssl_ar",
        "bssl_fipscommon",
    ],
}

// Target and host library.
// Any changes here must also be reflected in libcrypto_for_test below.
cc_library {
    name: "libcrypto",
    visibility: ["//visibility:public"],
    vendor_available: true,
    product_available: true,
    native_bridge_supported: true,
    vndk: {
        enabled: true,
    },
    double_loadable: true,
    recovery_available: true,
    defaults: [
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    unique_host_soname: true,
    // The FIPS module is linked in as the prebuilt bcm_object rather than
    // compiled from its sources again.
    srcs: [
        ":bcm_object",
    ],
    target: {
        android: {
            cflags: [
                "-DBORINGSSL_FIPS",
            ],
            sanitize: {
                // Disable address sanitizing otherwise libcrypto will not report
                // itself as being in FIPS mode, which causes boringssl_self_test
                // to fail.
                address: false,
            },
            // NOTE(review): presumably runs the bssl_inject_hash tool defined
            // above to embed the FIPS integrity hash — confirm in Soong.
            inject_bssl_hash: true,
            static: {
                // Disable the static version of libcrypto, as it causes
                // problems for FIPS certification. Use libcrypto_static for
                // modules that need static libcrypto but do not need FIPS self
                // testing, or use dynamic libcrypto.
                enabled: false,
            },
        },
    },
    apex_available: [
        "//apex_available:platform",
        "com.android.adbd",
        "com.android.adservices",
        "com.android.art",
        "com.android.art.debug",
        "com.android.art.testing",
        "com.android.btservices",
        "com.android.compos",
        "com.android.conscrypt",
        "com.android.extservices",
        "com.android.resolv",
        "com.android.virt",
    ],
    min_sdk_version: "29",
}

// Version of libcrypto build with BORINGSSL_FIPS_BREAK_TESTS defined
// Only for use with the FIPS break-tests.sh script.
// Must be kept in sync with libcrypto.
cc_library {
    name: "libcrypto_for_testing",
    // Restricted to this package, like bcm_object_for_testing.
    visibility: [
        "//external/boringssl",
    ],
    defaults: [
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    unique_host_soname: true,
    srcs: [
        ":bcm_object_for_testing",
    ],
    target: {
        android: {
            cflags: [
                "-DBORINGSSL_FIPS",
                "-DBORINGSSL_FIPS_BREAK_TESTS",
            ],
            sanitize: {
                // Disable address sanitizing otherwise libcrypto will not report
                // itself as being in FIPS mode, which causes boringssl_self_test
                // to fail.
                address: false,
            },
            inject_bssl_hash: true,
            static: {
                // Disable the static version of libcrypto, as it causes
                // problems for FIPS certification. Use libcrypto_static for
                // modules that need static libcrypto but do not need FIPS self
                // testing, or use dynamic libcrypto.
                enabled: false,
            },
        },
    },
    min_sdk_version: "29",
}

// Static library
// This version of libcrypto will not have FIPS self tests enabled, so its
// usage is protected through visibility to ensure it doesn't end up used
// somewhere that needs the FIPS version.
cc_library_static {
    name: "libcrypto_static",
    // This allowlist is the only guard against linking the non-FIPS build;
    // review each new entry against the FIPS requirement stated above.
    visibility: [
        "//art/build/sdk",
        "//bootable/recovery/updater",
        "//external/conscrypt",
        "//external/python/cpython2",
        "//external/rust/crates/quiche",
        // Strictly, only the *static* toybox for legacy devices should have
        // access to libcrypto_static, but we can't express that.
        "//external/toybox",
        "//hardware/interfaces/confirmationui/1.0/vts/functional",
        "//hardware/interfaces/drm/1.0/vts/functional",
        "//hardware/interfaces/drm/1.2/vts/functional",
        "//hardware/interfaces/drm/1.3/vts/functional",
        "//hardware/interfaces/keymaster/3.0/vts/functional",
        "//hardware/interfaces/keymaster/4.0/vts/functional",
        "//hardware/interfaces/keymaster/4.1/vts/functional",
        "//packages/modules/adb",
        "//packages/modules/Bluetooth:__subpackages__",
        "//packages/modules/DnsResolver/tests:__subpackages__",
        "//packages/modules/NeuralNetworks:__subpackages__",
        "//system/core/init",
        "//system/core/fs_mgr/liblp",
        "//system/core/fs_mgr/liblp/vts_core",
        "//system/core/fs_mgr/libsnapshot",
        "//system/libvintf/test",
        "//system/security/keystore/tests",
        "//test/vts-testcase/security/avb",
    ],
    min_sdk_version: "29",
    apex_available: [
        "//apex_available:platform",
        "com.android.neuralnetworks",
    ],
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
}

// Static library for use in bare-metal environments
cc_library_static {
    name: "libcrypto_baremetal",
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    // NOTE(review): -DOPENSSL_SMALL is already supplied by boringssl_flags, so
    // it is repeated here.
    cflags: [
        "-DBORINGSSL_NO_STATIC_INITIALIZER",
        "-DOPENSSL_SMALL",
        "-DOPENSSL_STATIC_ARMCAP",
        "-D__TRUSTY__",
    ],
    visibility: [
        "//external/avb",
        "//external/open-dice",
        "//packages/modules/Virtualization:__subpackages__",
        "//system/security/diced/open_dice",
    ],
    apex_available: ["com.android.virt"],
}

// Common defaults for lib*_fuzz_unsafe. These are unsafe and deterministic
// libraries for testing and fuzzing only. See src/FUZZING.md.
cc_defaults {
    name: "boringssl_fuzz_unsafe_defaults",
    host_supported: true,
    cflags: [
        "-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE",
        "-DBORINGSSL_UNSAFE_FUZZER_MODE",
    ],
    // NOTE(review): presumably inherited by the lib*_fuzz_unsafe modules that
    // use these defaults, which would keep the unsafe builds reachable only
    // from the binder tests — confirm against Soong's defaults handling.
    visibility: [
        "//frameworks/native/libs/binder/tests:__subpackages__",
    ],
}

// Unsafe and deterministic version of libcrypto. For testing and fuzzing only.
// See src/FUZZING.md.
cc_test_library {
    name: "libcrypto_fuzz_unsafe",
    ramdisk_available: false,
    vendor_ramdisk_available: false,
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
        "boringssl_fuzz_unsafe_defaults",
    ],
}

//// libssl

// Target static library

// Static and Shared library
cc_library {
    name: "libssl",
    visibility: ["//visibility:public"],
    recovery_available: true,
    vendor_available: true,
    product_available: true,
    native_bridge_supported: true,
    vndk: {
        enabled: true,
    },
    host_supported: true,
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    target: {
        windows: {
            enabled: true,
        },
    },
    unique_host_soname: true,

    shared_libs: ["libcrypto"],

    apex_available: [
        "//apex_available:platform",
        "com.android.btservices",
        "com.android.adbd",
        "com.android.conscrypt",
        "com.android.resolv",
        "com.android.virt",
    ],
    min_sdk_version: "29",
}

// Static libssl that links against libcrypto_baremetal.
cc_library_static {
    name: "libssl_baremetal",
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    static_libs: ["libcrypto_baremetal"],
}

// Unsafe and deterministic version of libssl. For testing and fuzzing only.
// See src/FUZZING.md.
cc_test_library {
    name: "libssl_fuzz_unsafe",
    host_supported: true,
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags",
        "boringssl_fuzz_unsafe_defaults",
    ],
    static_libs: [
        "libcrypto_fuzz_unsafe",
    ],
}

// Tool
cc_binary {
    name: "bssl",
    host_supported: true,
    defaults: [
        "bssl_sources",
        "boringssl_flags",
    ],
    shared_libs: [
        "libcrypto",
        "libssl",
    ],
    target: {
        darwin: {
            enabled: false,
        },
        android: {
            compile_multilib: "both",
        },
    },
    multilib: {
        lib32: {
            suffix: "32",
        },
    },
}

// Used for ACVP testing for FIPS certification.
// Not installed on devices by default.
// ACVP module wrapper binary; links the shared (FIPS) libcrypto.
cc_binary {
    name: "acvp_modulewrapper",
    srcs: [
        "src/util/fipstools/acvp/modulewrapper/main.cc",
    ],
    target: {
        android_x86: {
            enabled: false,
        },
        android_x86_64: {
            enabled: false,
        },
    },
    stem: "modulewrapper",
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
    },

    static_libs: [
        "libacvp_modulewrapper",
    ],
    shared_libs: [
        "libcrypto",
    ],
    defaults: [
        "boringssl_flags",
    ],
}

// ACVP wrapper implementation shared between Android and Trusty
cc_library_static {
    name: "libacvp_modulewrapper",
    host_supported: true,
    vendor_available: true,
    srcs: [
        "src/util/fipstools/acvp/modulewrapper/modulewrapper.cc",
    ],
    target: {
        android: {
            compile_multilib: "both",
        },
    },
    export_include_dirs: ["src/util/fipstools/acvp/modulewrapper/"],
    shared_libs: [
        "libcrypto",
    ],
    defaults: [
        "boringssl_flags",
    ],
    visibility: ["//system/core/trusty/utils/acvp"],
}

// Test support library
cc_library_static {
    name: "boringssl_test_support",
    host_supported: true,
    defaults: [
        "boringssl_test_support_sources",
        "boringssl_flags",
    ],
    shared_libs: [
        "libcrypto",
    ],
}

// Tests
cc_test {
    name: "boringssl_crypto_test",
    test_config: "CryptoNativeTests.xml",
    host_supported: false,
    per_testcase_directory: true,
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
        lib64: {
            suffix: "64",
        },
    },
    defaults: [
        "boringssl_crypto_test_sources",
        "boringssl_flags",
    ],
    whole_static_libs: ["boringssl_test_support"],
    // Statically link the library to test to ensure we always pick up the
    // correct version regardless of device linker configuration.
    static_libs: ["libcrypto_static"],
    target: {
        android: {
            test_suites: ["mts-conscrypt"],
        },
    },
}

cc_test {
    name: "boringssl_ssl_test",
    test_config: "SslNativeTests.xml",
    host_supported: false,
    per_testcase_directory: true,
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
        lib64: {
            suffix: "64",
        },
    },
    defaults: [
        "boringssl_ssl_test_sources",
        "boringssl_flags",
    ],
    whole_static_libs: ["boringssl_test_support"],
    // Statically link the libraries to test to ensure we always pick up the
    // correct version regardless of device linker configuration.
    static_libs: [
        "libcrypto_static",
        "libssl",
    ],
    target: {
        android: {
            test_suites: ["mts-conscrypt"],
        },
    },
}

// Utility binary for CMVP on-site testing.
cc_binary {
    name: "test_fips",
    host_supported: false,
    defaults: [
        "boringssl_flags",
    ],
    shared_libs: [
        "libcrypto",
    ],
    srcs: [
        "src/util/fipstools/test_fips.c",
    ],
    // Installing test_fips also installs adb and the break-test build of
    // libcrypto.
    required: [
        "adb",
        "libcrypto_for_testing",
    ],
}

// bindgen flags shared by libbssl_sys_raw and libbssl_sys_raw_nostd.
libbssl_sys_raw_flags = [
    // Adapted from upstream the src/rust/CMakeLists.txt file at:
    // https://boringssl.googlesource.com/boringssl/+/refs/heads/master/rust/CMakeLists.txt
    "--no-derive-default",
    "--enable-function-attribute-detection",
    "--use-core",
    "--size_t-is-usize",
    "--default-macro-constant-type=signed",
    "--rustified-enum=point_conversion_form_t",
    "--allowlist-file=.*/include/openssl/.*\\.h",
    "--allowlist-file=.*/rust_wrapper\\.h",

    // These are not BoringSSL symbols, they are from glibc
    // and are not relevant to the build besides throwing warnings
    // about their 'long double' (aka u128) not being FFI safe.
    // We block those functions so that the build doesn't
    // spam warnings.
    //
    // https://github.com/rust-lang/rust-bindgen/issues/1549 describes the current problem
    // and other folks' solutions.
    "--blocklist-function=strtold",
    "--blocklist-function=qecvt",
    "--blocklist-function=qecvt_r",
    "--blocklist-function=qgcvt",
    "--blocklist-function=qfcvt",
    "--blocklist-function=qfcvt_r",
]

// Rust bindings
rust_bindgen {
    name: "libbssl_sys_raw",
    source_stem: "bindings",
    crate_name: "bssl_sys_raw",
    host_supported: true,
    wrapper_src: "src/rust/bssl-sys/wrapper.h",
    vendor_available: true,
    product_available: true,
    bindgen_flags: libbssl_sys_raw_flags,
    shared_libs: [
        "libcrypto",
        "libssl",
    ],
    apex_available: [
        "//apex_available:platform",
        "com.android.virt",
    ],
}

// no_std variant of the bindings, generated against the bare-metal libraries'
// headers.
rust_bindgen {
    name: "libbssl_sys_raw_nostd",
    source_stem: "bindings",
    crate_name: "bssl_sys_raw",
    wrapper_src: "src/rust/bssl-sys/wrapper.h",
    bindgen_flags: [
        "--raw-line=#![no_std]",
        "--ctypes-prefix=core::ffi",
    ] + libbssl_sys_raw_flags,
    header_libs: [
        "libcrypto_baremetal",
        "libssl_baremetal",
    ],
}

// Encapsulate the bindgen-generated layout tests as a test target.
rust_test {
    name: "libbssl_sys_raw_test",
    srcs: [
        ":libbssl_sys_raw",
    ],
    crate_name: "bssl_sys_raw_test",
    test_suites: ["general-tests"],
    auto_gen_config: true,
    clippy_lints: "none",
    lints: "none",
}

// Rust's bindgen doesn't cope with macros, so this target includes C functions that
// do the same thing as macros defined in BoringSSL header files.
cc_library_static {
    name: "libbssl_rust_support",
    host_supported: true,
    defaults: ["boringssl_flags"],
    srcs: ["src/rust/bssl-sys/rust_wrapper.c"],
    shared_libs: [
        "libcrypto",
        "libssl",
    ],
    apex_available: [
        "//apex_available:platform",
        "com.android.virt",
    ],
}

// Same wrapper source, linked against the bare-metal libraries.
cc_library_static {
    name: "libbssl_rust_support_baremetal",
    defaults: ["boringssl_flags"],
    srcs: ["src/rust/bssl-sys/rust_wrapper.c"],
    static_libs: [
        "libcrypto_baremetal",
        "libssl_baremetal",
    ],
}

// Replace the upstream CMake placeholder with a re-export of all of the local bindgen output.
// Rewrites the placeholder line of the upstream lib.rs into a re-export of
// bssl_sys_raw.
gensrcs {
    name: "libbssl_sys_src",
    srcs: ["src/rust/bssl-sys/src/lib.rs"],
    // NOTE(review): the leading `.` in the pattern matches any one character;
    // presumably it stands in for a literal `$` in the upstream placeholder so
    // that Soong does not treat it as a variable — confirm.
    cmd: "sed 's@^.{INCLUDES}@pub use bssl_sys_raw::*;@' $(in) > $(out)",
}

// Rust FFI crate exposed to the packages listed under visibility.
rust_library {
    name: "libbssl_ffi",
    host_supported: true,
    crate_name: "bssl_ffi",
    visibility: [
        "//external/rust/crates/openssl",
        "//system/keymint/boringssl",
        "//system/security/prng_seeder",
    ],
    // Use the modified source with placeholder replaced.
    srcs: [":libbssl_sys_src"],
    vendor_available: true,
    product_available: true,
    // Since libbssl_sys_raw is not publicly visible, we can't accidentally
    // force a double-link by linking statically, so do so.
    rlibs: ["libbssl_sys_raw"],
    whole_static_libs: [
        "libbssl_rust_support",
    ],
    apex_available: [
        "//apex_available:platform",
        "com.android.virt",
    ],
}

// Prepends #![no_std] to the generated lib.rs for the no_std crate below.
gensrcs {
    name: "libbssl_sys_src_nostd",
    srcs: [":libbssl_sys_src"],
    cmd: "(echo '#![no_std]' && cat $(in)) > $(out)",
}

// no_std build of the FFI crate, visible only to pvmfw and linked against the
// bare-metal support library.
rust_library_rlib {
    name: "libbssl_ffi_nostd",
    crate_name: "bssl_ffi",
    visibility: [
        "//packages/modules/Virtualization/pvmfw",
    ],
    srcs: [":libbssl_sys_src_nostd"],
    rlibs: ["libbssl_sys_raw_nostd"],
    prefer_rlib: true,
    no_stdlibs: true,
    stdlibs: [
        "libcompiler_builtins.rust_sysroot",
        "libcore.rust_sysroot",
    ],
    whole_static_libs: [
        "libbssl_rust_support_baremetal",
    ],
}