author | davidben <davidben@chromium.org> | 2015-04-21 19:36:41 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-04-22 02:36:54 +0000 |
commit | 2bcbc6bceb6017c762ef01553a55a12fe390de16 (patch) | |
tree | b44d9b97e521927703b146fc348f9e45096ce603 /build | |
parent | 0c71fc50716dcf2fef839bde83ef09287c64202b (diff) | |
Initial support for using BoringSSL with NSS certificates.
This switches the USE_OPENSSL Linux and CrOS builds to continue
setting USE_NSS_CERTS. This lets it use BoringSSL for the crypto
and SSL stack and NSS for certificate verification. See design
doc for details on the flags:
https://docs.google.com/document/d/1x4DOCKwFkAxl9MGfd6snIzFigO4ku6Shuci0r5BzasQ/edit
On Linux, only client auth and OCSP stapling are missing. On ChromeOS,
there are some problematic USE_NSS_CERTS APIs in RSAPrivateKey to
resolve. We also still need to resolve crbug.com/347404 to maintain
parity.
As a follow-up, USE_OPENSSL_CERTS on non-Android can now be
removed (it was never supported anyway).
BUG=462040
Review URL: https://codereview.chromium.org/881213004
Cr-Commit-Position: refs/heads/master@{#326222}
Diffstat (limited to 'build')
-rw-r--r-- | build/build_config.h | 7 | ||||
-rw-r--r-- | build/common.gypi | 15 | ||||
-rw-r--r-- | build/config/BUILD.gn | 9 | ||||
-rw-r--r-- | build/config/crypto.gni | 15 | ||||
-rw-r--r-- | build/linux/system.gyp | 30 |
5 files changed, 40 insertions, 36 deletions
diff --git a/build/build_config.h b/build/build_config.h
index 7137b4b..d8c3db6 100644
--- a/build/build_config.h
+++ b/build/build_config.h
@@ -61,11 +61,8 @@
 #error Please add support for your platform in build/build_config.h
 #endif
-#if defined(USE_OPENSSL) && defined(USE_NSS_CERTS)
-// TODO(davidben): This constraint compares somewhat orthogonal things and will
-// be fixed when BoringSSL with NSS for certificates is added as a build
-// configuration. See https://crbug.com/462040.
-#error Cannot use both OpenSSL and NSS
+#if defined(USE_OPENSSL_CERTS) && defined(USE_NSS_CERTS)
+#error Cannot use both OpenSSL and NSS for certificates
 #endif
 // For access to standard BSD features, use OS_BSD instead of a
diff --git a/build/common.gypi b/build/common.gypi
index c5a8e73..7c3074b 100644
--- a/build/common.gypi
+++ b/build/common.gypi
@@ -70,7 +70,10 @@
 # certificates, use_openssl_certs must be set.
 'use_openssl%': 0,
- # Typedef X509Certificate::OSCertHandle to OpenSSL's struct X509*.
+ # Use OpenSSL for representing certificates. When targeting Android,
+ # the platform certificate library is used for certificate
+ # verification. On other targets, this flag also enables OpenSSL for
+ # certificate verification, but this configuration is unsupported.
 'use_openssl_certs%': 0,
 # Disable viewport meta tag by default.
@@ -681,20 +684,12 @@
 }],
 # NSS usage.
- ['(OS=="linux" or OS=="freebsd" or OS=="openbsd" or OS=="solaris") and use_openssl==0', {
+ ['(OS=="linux" or OS=="freebsd" or OS=="openbsd" or OS=="solaris")', {
 'use_nss_certs%': 1,
 }, {
 'use_nss_certs%': 0,
 }],
- # When OpenSSL is used for SSL and crypto on Unix-like systems, use
- # OpenSSL's certificate definition.
- ['(OS=="linux" or OS=="freebsd" or OS=="openbsd" or OS=="solaris") and use_openssl==1', {
- 'use_openssl_certs%': 1,
- }, {
- 'use_openssl_certs%': 0,
- }],
-
 # libudev usage. This currently only affects the content layer.
 ['OS=="linux" and embedded==0', {
 'use_udev%': 1,
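Review bot: The rewritten guard rejects two certificate libraries at once, but nothing rejects `USE_OPENSSL_CERTS` being defined without `USE_OPENSSL`, and this commit makes that pairing reachable. The BUILD.gn hunk moves the `USE_OPENSSL_CERTS=1` define out of the `if (use_openssl)` block, and the crypto.gni hunk drops the `use_openssl &&` term while `use_openssl` stays inside `declare_args()`. If OpenSSL-represented certificates need the OpenSSL crypto library (likely, though the consuming code is not on this page), add a companion check next to this one: `#if defined(USE_OPENSSL_CERTS) && !defined(USE_OPENSSL)`, then `#error USE_OPENSSL_CERTS requires USE_OPENSSL`, then `#endif`. A compile-time failure is preferable to a build whose certificate code and crypto stack disagree.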
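Review bot: The new comment on `use_openssl_certs%` should state that the flag cannot be combined with `use_nss_certs`. The second hunk of this file now defaults `use_nss_certs%` to 1 on Linux, FreeBSD, OpenBSD and Solaris regardless of `use_openssl`. Assuming both variables are turned into defines elsewhere in this file, passing `use_openssl_certs=1` on those platforms will now hit the `#error` in build/build_config.h unless `use_nss_certs=0` is passed as well. One extra comment line is enough, for example `# Mutually exclusive with use_nss_certs; see build/build_config.h.`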
diff --git a/build/config/BUILD.gn b/build/config/BUILD.gn
index 471994d..22cb45a 100644
--- a/build/config/BUILD.gn
+++ b/build/config/BUILD.gn
@@ -122,10 +122,11 @@ config("feature_flags") {
 }
 if (use_openssl) {
 defines += [ "USE_OPENSSL=1" ]
- if (use_openssl_certs) {
- defines += [ "USE_OPENSSL_CERTS=1" ]
- }
- } else if (use_nss_certs) {
+ }
+ if (use_openssl_certs) {
+ defines += [ "USE_OPENSSL_CERTS=1" ]
+ }
+ if (use_nss_certs) {
 defines += [ "USE_NSS_CERTS=1" ]
 }
 if (use_ozone) {
diff --git a/build/config/crypto.gni b/build/config/crypto.gni
index ee23569..7f090b7 100644
--- a/build/config/crypto.gni
+++ b/build/config/crypto.gni
@@ -14,10 +14,13 @@ declare_args() {
 use_openssl = is_android || is_mac || is_nacl || is_win
 }
-# True when we're using OpenSSL for certificate verification and storage. We
-# only do this when we're using OpenSSL on desktop Linux systems. For other
-# systems (Mac/Win/Android) we use the system certificate features.
-use_openssl_certs = use_openssl && (is_linux || is_android)
+# True when we're using OpenSSL for representing certificates. When targeting
+# Android, the platform certificate library is used for certificate
+# verification. On other targets, this flag also enables OpenSSL for certificate
+# verification, but this configuration is unsupported.
+use_openssl_certs = is_android
-# Same meaning as use_openssl_certs but for NSS.
-use_nss_certs = !use_openssl && is_linux
+# True if NSS is used for certificate verification. Note that this is
+# independent from use_openssl. It is possible to use OpenSSL for the crypto
+# library, but NSS for the platform certificate library.
+use_nss_certs = is_linux
diff --git a/build/linux/system.gyp b/build/linux/system.gyp
index 5333798..cc6e81b 100644
--- a/build/linux/system.gyp
+++ b/build/linux/system.gyp
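Review bot: The comment added above `use_openssl_certs = is_android` in build/config/crypto.gni describes a case GN cannot reach. The assignment sits after the closing brace of `declare_args()`, so the value is not an overridable build argument and is false on every non-Android target. The sentence about other targets appears to be carried over from build/common.gypi, where the variable is an overridable default. Suggest ending the comment after the Android sentence, or adding `# In GN this is only ever enabled on Android.`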
@@ -1180,8 +1180,7 @@
 'dependencies': [
 '../../third_party/boringssl/boringssl.gyp:boringssl',
 ],
- }],
- ['use_openssl==0', {
+ }, {
 'dependencies': [
 '../../net/third_party/nss/ssl.gyp:libssl',
 ],
@@ -1191,6 +1190,13 @@
 # before other includes, as we are shadowing system headers.
 '<(DEPTH)/net/third_party/nss/ssl',
 ],
+ },
+ }],
+ # Link in the system NSS if it is used for either the internal
+ # crypto library (use_openssl==0) or platform certificate
+ # library (use_nss_certs==1).
+ ['use_openssl==0 or use_nss_certs==1', {
+ 'direct_dependent_settings': {
 'cflags': [
 '<!@(<(pkg-config) --cflags nss)',
 ],
@@ -1203,15 +1209,17 @@
 '<!@(<(pkg-config) --libs-only-l nss | sed -e "s/-lssl3//")',
 ],
 },
- }],
- ['use_openssl==0 and clang==1', {
- 'direct_dependent_settings': {
- 'cflags': [
- # There is a broken header guard in /usr/include/nss/secmod.h:
- # https://bugzilla.mozilla.org/show_bug.cgi?id=884072
- '-Wno-header-guard',
- ],
- },
+ 'conditions': [
+ ['clang==1', {
+ 'direct_dependent_settings': {
+ 'cflags': [
+ # There is a broken header guard in /usr/include/nss/secmod.h:
+ # https://bugzilla.mozilla.org/show_bug.cgi?id=884072
+ '-Wno-header-guard',
+ ],
+ },
+ }],
+ ],
 }],
 ]
 }],
|