Android.bp

// Note that some host libraries have the same module name as the target
// libraries. This is currently needed to build, for example, adb. But it's
// probably something that should be changed.

package {
    default_visibility: ["//visibility:private"],
    default_applicable_licenses: ["external_boringssl_license"],
}

// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'fileGroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// See: http://go/android-license-faq
license {
    name: "external_boringssl_license",
    visibility: [":__subpackages__"],
    license_kinds: [
        "SPDX-license-identifier-Apache-2.0",
        "SPDX-license-identifier-BSD",
        "SPDX-license-identifier-ISC",
        "SPDX-license-identifier-MIT",
        "SPDX-license-identifier-OpenSSL",
        "legacy_unencumbered",
    ],
    license_text: [
        "NOTICE",
    ],
}

// Pull in the autogenerated sources modules
build = ["sources.bp"]

// Used by libcrypto, libssl, bssl tool, and native tests
cc_defaults {
    name: "boringssl_flags",
    vendor_available: true,
    product_available: true,

    cflags: [
        "-fvisibility=hidden",
        "-DBORINGSSL_SHARED_LIBRARY",
        "-DBORINGSSL_ANDROID_SYSTEM",
        "-DOPENSSL_SMALL",
        "-Werror",
        "-Wno-unused-parameter",
    ],

    cppflags: [
        "-Wall",
        "-Werror",
    ],

    c_std: "gnu11",

    // Build BoringSSL and its tests against the same STL.
    sdk_version: "9",
    target: {
        android: {
            stl: "libc++_static",
        },
    },
}

// Used by libcrypto + libssl
cc_defaults {
    name: "boringssl_defaults",

    local_include_dirs: ["src/include"],
    export_include_dirs: ["src/include"],
    cflags: ["-DBORINGSSL_IMPLEMENTATION"],
}

//// libcrypto
cc_defaults {
    name: "libcrypto_defaults",
    host_supported: true,
    ramdisk_available: true,
    vendor_ramdisk_available: true,

    // Windows and Macs both have problems with assembly files
    target: {
        windows: {
            enabled: true,
            cflags: ["-DOPENSSL_NO_ASM"],
            host_ldlibs: ["-lws2_32"],
        },
        darwin: {
            cflags: ["-DOPENSSL_NO_ASM"],
        },
        host: {
            host_ldlibs: ["-lpthread"],
        },
        android: {
            // On FIPS builds (i.e. Android only) prevent other libraries
            // from pre-empting symbols in libcrypto which could affect FIPS
            // compliance and cause integrity checks to fail. See b/160231064.
            ldflags: ["-Wl,-Bsymbolic"],
        },
    },

    local_include_dirs: ["src/crypto"],
}

cc_object {
    name: "bcm_object",
    device_supported: true,
    recovery_available: true,
    native_bridge_supported: true,
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    sanitize: {
        address: false,
        hwaddress: false,
        fuzzer: false,
    },
    target: {
        android: {
            cflags: [
                "-DBORINGSSL_FIPS",
                "-fPIC",
                // -fno[data|text]-sections required to ensure a
                // single text and data section for FIPS integrity check
                "-fno-data-sections",
                "-fno-function-sections",
            ],
            linker_script: "src/crypto/fipsmodule/fips_shared.lds",
        },
        // Temporary hack to let BoringSSL build with a new compiler.
        // This doesn't enable HWASAN unconditionally, it just causes
        // BoringSSL's asm code to unconditionally use a HWASAN-compatible
        // global variable reference so that the non-HWASANified (because of
        // sanitize: { hwaddress: false } above) code in the BCM can
        // successfully link against the HWASANified code in the rest of
        // BoringSSL in HWASAN builds.
        android_arm64: {
            asflags: [
                "-fsanitize=hwaddress",
            ],
        },
    },
    apex_available: [
        "//apex_available:platform",
        "com.android.adbd",
        "com.android.art",
        "com.android.art.debug",
        "com.android.art.testing",
        "com.android.bluetooth",
        "com.android.compos",
        "com.android.conscrypt",
        "com.android.resolv",
        "com.android.virt",
    ],
    min_sdk_version: "29",
}

bootstrap_go_package {
    name: "bssl_ar",
    pkgPath: "boringssl.googlesource.com/boringssl/util/ar",
    srcs: [
        "src/util/ar/ar.go",
    ],
    testSrcs: [
        "src/util/ar/ar_test.go",
    ],
}

bootstrap_go_package {
    name: "bssl_fipscommon",
    pkgPath: "boringssl.googlesource.com/boringssl/util/fipstools/fipscommon",
    srcs: [
        "src/util/fipstools/fipscommon/const.go",
    ],
}

blueprint_go_binary {
    name: "bssl_inject_hash",
    srcs: [
        "src/util/fipstools/inject_hash/inject_hash.go",
    ],
    deps: [
        "bssl_ar",
        "bssl_fipscommon",
    ],
}

// Target and host library
cc_library {
    name: "libcrypto",
    visibility: ["//visibility:public"],
    vendor_available: true,
    product_available: true,
    native_bridge_supported: true,
    vndk: {
        enabled: true,
    },
    double_loadable: true,
    recovery_available: true,
    defaults: [
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    unique_host_soname: true,
    srcs: [
        ":bcm_object",
    ],
    target: {
        android: {
            cflags: [
                "-DBORINGSSL_FIPS",
            ],
            sanitize: {
                // Disable address sanitizing otherwise libcrypto will not report
                // itself as being in FIPS mode, which causes boringssl_self_test
                // to fail.
                address: false,
            },
            inject_bssl_hash: true,
            static: {
                // Disable the static version of libcrypto, as it causes
                // problems for FIPS certification.  Use libcrypto_static for
                // modules that need static libcrypto but do not need FIPS self
                // testing, or use dynamic libcrypto.
                enabled: false,
            },
        },
    },
    apex_available: [
        "//apex_available:platform",
        "com.android.adbd",
        "com.android.art",
        "com.android.art.debug",
        "com.android.art.testing",
        "com.android.bluetooth",
        "com.android.compos",
        "com.android.conscrypt",
        "com.android.resolv",
        "com.android.virt",
    ],
    min_sdk_version: "29",
}

// Static library
// This version of libcrypto will not have FIPS self tests enabled, so its
// usage is protected through visibility to ensure it doesn't end up used
// somewhere that needs the FIPS version.
cc_library_static {
    name: "libcrypto_static",
    visibility: [
        "//art/build/sdk",
        "//bootable/recovery/updater",
        "//external/conscrypt",
        "//external/python/cpython2",
        "//external/rust/crates/quiche",
        // Strictly, only the *static* toybox for legacy devices should have
        // access to libcrypto_static, but we can't express that.
        "//external/toybox",
        "//hardware/interfaces/confirmationui/1.0/vts/functional",
        "//hardware/interfaces/drm/1.0/vts/functional",
        "//hardware/interfaces/drm/1.2/vts/functional",
        "//hardware/interfaces/drm/1.3/vts/functional",
        "//hardware/interfaces/keymaster/3.0/vts/functional",
        "//hardware/interfaces/keymaster/4.0/vts/functional",
        "//hardware/interfaces/keymaster/4.1/vts/functional",
        "//packages/modules/adb",
        "//packages/modules/DnsResolver/tests:__subpackages__",
        "//packages/modules/NeuralNetworks:__subpackages__",
        "//system/core/init",
        "//system/core/fs_mgr/liblp",
        "//system/core/fs_mgr/liblp/vts_core",
        "//system/core/fs_mgr/libsnapshot",
        "//system/libvintf/test",
        "//system/security/keystore/tests",
        "//test/vts-testcase/security/avb",
    ],
    apex_available: [
        "//apex_available:platform",
        "com.android.neuralnetworks",
    ],
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
    ],
}

// Common defaults for lib*_fuzz_unsafe. These are unsafe and deterministic
// libraries for testing and fuzzing only. See src/FUZZING.md.
cc_defaults {
    name: "boringssl_fuzz_unsafe_defaults",
    host_supported: true,
    cflags: [
        "-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE",
        "-DBORINGSSL_UNSAFE_FUZZER_MODE",
    ],
    visibility: [
        "//frameworks/native/libs/binder/tests:__subpackages__",
    ],
}

// Unsafe and deterministic version of libcrypto. For testing and fuzzing only.
// See src/FUZZING.md.
cc_test_library {
    name: "libcrypto_fuzz_unsafe",
    ramdisk_available: false,
    vendor_ramdisk_available: false,
    defaults: [
        "libcrypto_bcm_sources",
        "libcrypto_sources",
        "libcrypto_defaults",
        "boringssl_defaults",
        "boringssl_flags",
        "boringssl_fuzz_unsafe_defaults",
    ],
}

//// libssl

// Target static library

// Static and Shared library
cc_library {
    name: "libssl",
    visibility: ["//visibility:public"],
    recovery_available: true,
    vendor_available: true,
    product_available: true,
    native_bridge_supported: true,
    vndk: {
        enabled: true,
    },
    host_supported: true,
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags",
    ],
    target: {
        windows: {
            enabled: true,
        },
    },
    unique_host_soname: true,

    shared_libs: ["libcrypto"],

    apex_available: [
        "//apex_available:platform",
        "com.android.bluetooth",
        "com.android.adbd",
        "com.android.conscrypt",
        "com.android.resolv",
    ],
    min_sdk_version: "29",
}

// Unsafe and deterministic version of libssl. For testing and fuzzing only.
// See src/FUZZING.md.
cc_test_library {
    name: "libssl_fuzz_unsafe",
    host_supported: true,
    defaults: [
        "libssl_sources",
        "boringssl_defaults",
        "boringssl_flags",
        "boringssl_fuzz_unsafe_defaults",
    ],
    static_libs: [
        "libcrypto_fuzz_unsafe",
    ],
}

// Tool
cc_binary {
    name: "bssl",
    host_supported: true,
    defaults: [
        "bssl_sources",
        "boringssl_flags",
    ],

    shared_libs: [
        "libcrypto",
        "libssl",
    ],
    target: {
        darwin: {
            enabled: false,
        },
        android: {
            compile_multilib: "both",
        },
    },
    multilib: {
        lib32: {
            suffix: "32",
        },
    },
}

// Used for ACVP testing for FIPS certification.
// Not installed on devices by default.
cc_binary {
    name: "acvp_modulewrapper",
    srcs: [
        "src/util/fipstools/acvp/modulewrapper/main.cc",
    ],
    target: {
        android_x86: {
            enabled: false,
        },
        android_x86_64: {
            enabled: false,
        },
    },
    stem: "modulewrapper",
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
    },

    static_libs: [
        "libacvp_modulewrapper",
    ],
    shared_libs: [
        "libcrypto",
    ],

    defaults: [
        "boringssl_flags",
    ],
}

// ACVP wrapper implementation shared between Android and Trusty
cc_library_static {
    name: "libacvp_modulewrapper",
    host_supported: true,
    vendor_available: true,
    srcs: [
        "src/util/fipstools/acvp/modulewrapper/modulewrapper.cc",
    ],
    target: {
        android: {
            compile_multilib: "both",
        },
    },
    export_include_dirs: ["src/util/fipstools/acvp/modulewrapper/"],
    shared_libs: [
        "libcrypto",
    ],

    defaults: [
        "boringssl_flags",
    ],

    visibility: ["//system/core/trusty/utils/acvp"],
}

// Test support library
cc_library_static {
    name: "boringssl_test_support",
    host_supported: true,
    defaults: [
        "boringssl_test_support_sources",
        "boringssl_flags",
    ],

    shared_libs: [
        "libcrypto",
        "libssl",
    ],
}

// Tests
cc_test {
    name: "boringssl_crypto_test",
    test_config: "NativeTests.xml",
    host_supported: false,
    per_testcase_directory: true,
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
        lib64: {
            suffix: "64",
        },
    },
    defaults: [
        "boringssl_crypto_test_sources",
        "boringssl_flags",
    ],
    whole_static_libs: ["boringssl_test_support"],
    // Statically link the library to test to ensure we always pick up the
    // correct version regardless of device linker configuration.
    static_libs: ["libcrypto_static"],
    target: {
        android: {
            test_suites: ["mts-conscrypt"],
        },
    },
}

cc_test {
    name: "boringssl_ssl_test",
    test_config: "NativeTests.xml",
    host_supported: false,
    per_testcase_directory: true,
    compile_multilib: "both",
    multilib: {
        lib32: {
            suffix: "32",
        },
        lib64: {
            suffix: "64",
        },
    },
    defaults: [
        "boringssl_ssl_test_sources",
        "boringssl_flags",
    ],
    whole_static_libs: ["boringssl_test_support"],
    // Statically link the libraries to test to ensure we always pick up the
    // correct version regardless of device linker configuration.
    static_libs: [
        "libcrypto_static",
        "libssl",
    ],
    target: {
        android: {
            test_suites: ["mts-conscrypt"],
        },
    },
}

// Utility binary for CMVP on-site testing.
cc_binary {
    name: "test_fips",
    host_supported: false,
    defaults: [
        "boringssl_flags",
    ],
    shared_libs: [
        "libcrypto",
    ],
    srcs: [
        "src/util/fipstools/test_fips.c",
    ],
}

// Rust bindings
rust_bindgen {
    name: "libbssl_sys_raw",
    source_stem: "bindings",
    crate_name: "bssl_sys_raw",
    host_supported: true,
    wrapper_src: "src/rust/wrapper.h",
    vendor_available: true,
    bindgen_flags: [
        // Adapted from upstream the src/rust/CMakeLists.txt file at:
        // https://boringssl.googlesource.com/boringssl/+/refs/heads/master/rust/CMakeLists.txt
        "--no-derive-default",
        "--enable-function-attribute-detection",
        "--use-core",
        "--size_t-is-usize",
        "--default-macro-constant-type=signed",
        "--rustified-enum=point_conversion_form_t",
        // These are not BoringSSL symbols, they are from glibc
        // and are not relevant to the build besides throwing warnings
        // about their 'long double' (aka u128) not being FFI safe.
        // We block those functions so that the build doesn't
        // spam warnings.
        //
        // https://github.com/rust-lang/rust-bindgen/issues/1549 describes the current problem
        // and other folks' solutions.
        "--blocklist-function=strtold",
        "--blocklist-function=qecvt",
        "--blocklist-function=qecvt_r",
        "--blocklist-function=qgcvt",
        "--blocklist-function=qfcvt",
        "--blocklist-function=qfcvt_r",
    ],
    shared_libs: [
        "libcrypto",
        "libssl",
    ],
}

// Encapsulate the bindgen-generated layout tests as a test target.
rust_test {
    name: "libbssl_sys_raw_test",
    srcs: [
        ":libbssl_sys_raw",
    ],
    crate_name: "bssl_sys_raw_test",
    test_suites: ["general-tests"],
    auto_gen_config: true,
    clippy_lints: "none",
    lints: "none",
}

// Rust's bindgen doesn't cope with macros, so this target includes C functions that
// do the same thing as macros defined in BoringSSL header files.
cc_library_static {
    name: "libbssl_rust_support",
    host_supported: true,
    defaults: ["boringssl_flags"],
    srcs: ["src/rust/rust_wrapper.c"],
    shared_libs: [
        "libcrypto",
        "libssl",
    ],
}

// Replace the upstream CMake placeholder with a re-export of all of the local bindgen output.
gensrcs {
    name: "libbssl_sys_src",
    srcs: ["src/rust/src/lib.rs"],
    cmd: "sed 's@^.{INCLUDES}@pub use bssl_sys_raw::*;@' $(in) > $(out)",
}

rust_library {
    name: "libbssl_ffi",
    host_supported: true,
    crate_name: "bssl_ffi",
    visibility: [
        "//external/rust/crates/openssl",
        "//system/keymint/boringssl",
        "//system/security/prng_seeder",
    ],
    // Use the modified source with placeholder replaced.
    srcs: [":libbssl_sys_src"],
    vendor_available: true,
    // Since libbssl_sys_raw is not publically visible, we can't
    // accidentally force a double-link by linking statically, so do so.
    rlibs: ["libbssl_sys_raw"],
    static_libs: [
        "libbssl_rust_support",
    ],
}