authordavidben <davidben@chromium.org>2015-04-21 19:36:41 -0700
committerCommit bot <commit-bot@chromium.org>2015-04-22 02:36:54 +0000
commit2bcbc6bceb6017c762ef01553a55a12fe390de16 (patch)
treeb44d9b97e521927703b146fc348f9e45096ce603 /build
parent0c71fc50716dcf2fef839bde83ef09287c64202b (diff)
Initial support for using BoringSSL with NSS certificates.
This switches the USE_OPENSSL Linux and CrOS builds to continue setting USE_NSS_CERTS. This lets it use BoringSSL for the crypto and SSL stack and NSS for certificate verification. See design doc for details on the flags: https://docs.google.com/document/d/1x4DOCKwFkAxl9MGfd6snIzFigO4ku6Shuci0r5BzasQ/edit On Linux, only client auth and OCSP stapling are missing. On ChromeOS, there are some problematic USE_NSS_CERTS APIs in RSAPrivateKey to resolve. We also still need to resolve crbug.com/347404 to maintain parity. As a follow-up, USE_OPENSSL_CERTS on non-Android can now be removed (it was never supported anyway). BUG=462040 Review URL: https://codereview.chromium.org/881213004 Cr-Commit-Position: refs/heads/master@{#326222}
Diffstat (limited to 'build')
-rw-r--r--build/build_config.h7
-rw-r--r--build/common.gypi15
-rw-r--r--build/config/BUILD.gn9
-rw-r--r--build/config/crypto.gni15
-rw-r--r--build/linux/system.gyp30
5 files changed, 40 insertions, 36 deletions
diff --git a/build/build_config.h b/build/build_config.h
index 7137b4b..d8c3db6 100644
--- a/build/build_config.h
+++ b/build/build_config.h
@@ -61,11 +61,8 @@
#error Please add support for your platform in build/build_config.h
#endif
-#if defined(USE_OPENSSL) && defined(USE_NSS_CERTS)
-// TODO(davidben): This constraint compares somewhat orthogonal things and will
-// be fixed when BoringSSL with NSS for certificates is added as a build
-// configuration. See https://crbug.com/462040.
-#error Cannot use both OpenSSL and NSS
+#if defined(USE_OPENSSL_CERTS) && defined(USE_NSS_CERTS)
+#error Cannot use both OpenSSL and NSS for certificates
#endif
// For access to standard BSD features, use OS_BSD instead of a
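Review bot: The new guard rejects only the case where both certificate backends are defined. The comments this commit adds in build/common.gypi and build/config/crypto.gni describe USE_OPENSSL_CERTS outside Android as enabling OpenSSL certificate verification in an unsupported configuration, and nothing here stops such a build. Because certificate verification is the trust decision, consider failing fast if no existing configuration depends on that path: `#if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)` followed by `#error USE_OPENSSL_CERTS is only supported on Android`. This assumes OS_ANDROID is defined earlier in this header, which the hunk does not show. A comment above the guard such as `// USE_OPENSSL selects the crypto/SSL stack; USE_*_CERTS selects the certificate library.` would also restore the context lost with the removed TODO.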
diff --git a/build/common.gypi b/build/common.gypi
index c5a8e73..7c3074b 100644
--- a/build/common.gypi
+++ b/build/common.gypi
@@ -70,7 +70,10 @@
# certificates, use_openssl_certs must be set.
'use_openssl%': 0,
- # Typedef X509Certificate::OSCertHandle to OpenSSL's struct X509*.
+ # Use OpenSSL for representing certificates. When targeting Android,
+ # the platform certificate library is used for certificate
+ # verification. On other targets, this flag also enables OpenSSL for
+ # certificate verification, but this configuration is unsupported.
'use_openssl_certs%': 0,
# Disable viewport meta tag by default.
@@ -681,20 +684,12 @@
}],
# NSS usage.
- ['(OS=="linux" or OS=="freebsd" or OS=="openbsd" or OS=="solaris") and use_openssl==0', {
+ ['(OS=="linux" or OS=="freebsd" or OS=="openbsd" or OS=="solaris")', {
'use_nss_certs%': 1,
}, {
'use_nss_certs%': 0,
}],
- # When OpenSSL is used for SSL and crypto on Unix-like systems, use
- # OpenSSL's certificate definition.
- ['(OS=="linux" or OS=="freebsd" or OS=="openbsd" or OS=="solaris") and use_openssl==1', {
- 'use_openssl_certs%': 1,
- }, {
- 'use_openssl_certs%': 0,
- }],
-
# libudev usage. This currently only affects the content layer.
['OS=="linux" and embedded==0', {
'use_udev%': 1,
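Review bot: The `# NSS usage.` comment above the `use_nss_certs%` condition no longer says enough. With `use_openssl==0` dropped from the predicate, the flag is set on Linux, FreeBSD, OpenBSD and Solaris even when BoringSSL is the crypto stack, and the removed block took the only explanatory comment with it. Mirror the wording added to build/config/crypto.gni, for example `# NSS for the platform certificate library; independent of use_openssl.` The gyp predicate also covers freebsd, openbsd and solaris while crypto.gni uses only `is_linux`; if that difference is intentional it deserves a word here. The enclosing conditions list starts and ends outside the hunk.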
diff --git a/build/config/BUILD.gn b/build/config/BUILD.gn
index 471994d..22cb45a 100644
--- a/build/config/BUILD.gn
+++ b/build/config/BUILD.gn
@@ -122,10 +122,11 @@ config("feature_flags") {
}
if (use_openssl) {
defines += [ "USE_OPENSSL=1" ]
- if (use_openssl_certs) {
- defines += [ "USE_OPENSSL_CERTS=1" ]
- }
- } else if (use_nss_certs) {
+ }
+ if (use_openssl_certs) {
+ defines += [ "USE_OPENSSL_CERTS=1" ]
+ }
+ if (use_nss_certs) {
defines += [ "USE_NSS_CERTS=1" ]
}
if (use_ozone) {
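Review bot: With the `else if` gone, nothing at the GN level stops `USE_OPENSSL_CERTS=1` and `USE_NSS_CERTS=1` from being emitted together. The only remaining guard is the `#error` in build/build_config.h, which fires only in translation units that include that header. The values currently come from `is_android` and `is_linux` in build/config/crypto.gni, so they are presumably exclusive today, but that is an accident of those definitions rather than a stated invariant. Consider adding `assert(!(use_openssl_certs && use_nss_certs), "Cannot use both OpenSSL and NSS for certificates")` next to the definitions in crypto.gni so a bad combination fails at gen time. The `config("feature_flags")` block starts and ends outside the hunk.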
diff --git a/build/config/crypto.gni b/build/config/crypto.gni
index ee23569..7f090b7 100644
--- a/build/config/crypto.gni
+++ b/build/config/crypto.gni
@@ -14,10 +14,13 @@ declare_args() {
use_openssl = is_android || is_mac || is_nacl || is_win
}
-# True when we're using OpenSSL for certificate verification and storage. We
-# only do this when we're using OpenSSL on desktop Linux systems. For other
-# systems (Mac/Win/Android) we use the system certificate features.
-use_openssl_certs = use_openssl && (is_linux || is_android)
+# True when we're using OpenSSL for representing certificates. When targeting
+# Android, the platform certificate library is used for certificate
+# verification. On other targets, this flag also enables OpenSSL for certificate
+# verification, but this configuration is unsupported.
+use_openssl_certs = is_android
-# Same meaning as use_openssl_certs but for NSS.
-use_nss_certs = !use_openssl && is_linux
+# True if NSS is used for certificate verification. Note that this is
+# independent from use_openssl. It is possible to use OpenSSL for the crypto
+# library, but NSS for the platform certificate library.
+use_nss_certs = is_linux
diff --git a/build/linux/system.gyp b/build/linux/system.gyp
index 5333798..cc6e81b 100644
--- a/build/linux/system.gyp
+++ b/build/linux/system.gyp
@@ -1180,8 +1180,7 @@
'dependencies': [
'../../third_party/boringssl/boringssl.gyp:boringssl',
],
- }],
- ['use_openssl==0', {
+ }, {
'dependencies': [
'../../net/third_party/nss/ssl.gyp:libssl',
],
@@ -1191,6 +1190,13 @@
# before other includes, as we are shadowing system headers.
'<(DEPTH)/net/third_party/nss/ssl',
],
+ },
+ }],
+ # Link in the system NSS if it is used for either the internal
+ # crypto library (use_openssl==0) or platform certificate
+ # library (use_nss_certs==1).
+ ['use_openssl==0 or use_nss_certs==1', {
+ 'direct_dependent_settings': {
'cflags': [
'<!@(<(pkg-config) --cflags nss)',
],
@@ -1203,15 +1209,17 @@
'<!@(<(pkg-config) --libs-only-l nss | sed -e "s/-lssl3//")',
],
},
- }],
- ['use_openssl==0 and clang==1', {
- 'direct_dependent_settings': {
- 'cflags': [
- # There is a broken header guard in /usr/include/nss/secmod.h:
- # https://bugzilla.mozilla.org/show_bug.cgi?id=884072
- '-Wno-header-guard',
- ],
- },
+ 'conditions': [
+ ['clang==1', {
+ 'direct_dependent_settings': {
+ 'cflags': [
+ # There is a broken header guard in /usr/include/nss/secmod.h:
+ # https://bugzilla.mozilla.org/show_bug.cgi?id=884072
+ '-Wno-header-guard',
+ ],
+ },
+ }],
+ ],
}],
]
}],