boringssl: Add build script for boringssl Add build scripts for compiling boringssl library. An empty placeholder entropy implementation is added. Change-Id: I41ac3ccef74f1d3654833bbd4a159dce05094963 Reviewed-on: https://pigweed-review.googlesource.com/c/pigweed/pigweed/+/45241 Commit-Queue: Yecheng Zhao <zyecheng@google.com> Reviewed-by: Ali Zhang <alizhang@google.com>
diff --git a/third_party/boringssl/BUILD b/third_party/boringssl/BUILD
new file mode 100644
index 0000000..31cc840
--- /dev/null
+++ b/third_party/boringssl/BUILD
@@ -0,0 +1,28 @@
+# Copyright 2020 The Pigweed Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+#
+
+load(
+ "//pw_build:pigweed.bzl",
+ "pw_cc_library",
+)
+
+pw_cc_library(
+ name = "sysdeps",
+ hdrs = [ "sysdeps/sys/socket.h" ],
+ includes = [ "sysdeps" ],
+ srcs = [ "crypto_sysrand.cc" ]
+)
+
+# TODO(zyecheng): Add build recipes for BoringSSL
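Review bot: `includes = [ "sysdeps" ]` on the `sysdeps` rule is exported to every target that depends on it, so the empty `sysdeps/sys/socket.h` added in this change would shadow the system `<sys/socket.h>` for dependents as well, not only for BoringSSL sources; if the shadowing is meant to be private to BoringSSL, an include flag in `copts` scoped to this rule keeps it from propagating. The same rule compiles `crypto_sysrand.cc`, which in this commit includes `src/crypto/fipsmodule/rand/internal.h`, yet no `deps` or include path provides that header, so the target presumably does not build on its own; the closing TODO suggests this is known, and I would say so on the rule itself with `# TODO(zyecheng): needs BoringSSL deps/include paths before this target builds.` The copyright line here says 2020 while the sibling files in this change say 2021.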
diff --git a/third_party/boringssl/BUILD.gn b/third_party/boringssl/BUILD.gn
new file mode 100644
index 0000000..03e2855
--- /dev/null
+++ b/third_party/boringssl/BUILD.gn
@@ -0,0 +1,95 @@
+# Copyright 2021 The Pigweed Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+import("//build_overrides/pigweed.gni")
+import("$dir_pw_build/target_types.gni")
+
+declare_args() {
+ # If compiling backends with boringssl, this variable is set to the path to the
+ # boringssl source code. When set, a pw_source_set for the boringssl library is
+ # created at "$dir_pw_third_party/boringssl".
+ dir_pw_third_party_boringssl = ""
+}
+
+if (dir_pw_third_party_boringssl != "") {
+ import("$dir_pw_third_party_boringssl/BUILD.generated.gni")
+
+ config("boringssl_public_config") {
+ include_dirs = [
+ "$dir_pw_third_party_boringssl/src/include",
+ "public",
+ ]
+ cflags = [
+ "-Wno-cast-qual",
+ "-Wno-ignored-qualifiers",
+ ]
+
+ # This can be removed once boringssl threading primitives are implemented,
+ # i.e. using pw_sync, and when we have a posix style socket layer.
+ defines =
+ [ "OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED" ]
+ }
+
+ config("boringssl_internal_config") {
+ defines = [
+ # Enable virtual desctructor and compile-time check of pure virtual base class
+ "BORINGSSL_ALLOW_CXX_RUNTIME",
+
+ # Code size optimiaztion
+ "OPENSSL_SMALL",
+
+ # The ARM assembly code is only for cortex-A.
+ "OPENSSL_NO_ASM",
+
+ # Disable assert, which may additionally link in unwanted binaries via
+ # argument evaluation.
+ "NDEBUG",
+ ]
+ cflags = [
+ "-Wno-unused-function",
+ "-Wno-conversion",
+ "-Wno-unused-parameter",
+ "-Wno-char-subscripts",
+ ]
+ cflags_cc = [
+ "-fpermissive",
+ "-Wno-error", # To get through the -Werror=permissive error
+ ]
+ include_dirs = [ "$dir_pw_third_party_boringssl" ]
+ }
+
+ # Remove sources that require file system and posix socket support
+ excluded_sources = [
+ "src/crypto/bio/connect.c",
+ "src/crypto/bio/fd.c",
+ "src/crypto/bio/socket.c",
+ "src/crypto/bio/socket_helper.c",
+ ]
+
+ pw_source_set("boringssl") {
+ sources = [ "crypto_sysrand.cc" ]
+ foreach(source, crypto_sources - excluded_sources + ssl_sources) {
+ sources += [ "$dir_pw_third_party_boringssl/$source" ]
+ }
+ public_configs = [ ":boringssl_public_config" ]
+ configs = [ ":boringssl_internal_config" ]
+
+ # Contains a faked "sysdeps/sys/socket.h"
+ # Can be removed once posix socket layer in Pigweed is supported.
+ include_dirs = [ "sysdeps" ]
+ }
+} else {
+ group("boringssl") {
+ }
+}
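Review bot: `OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED` is placed in `boringssl_public_config`, so it is propagated to every target that depends on `:boringssl`, but the comment above it only says when the define can be removed, not what it requires of those dependents while it is in effect. I would extend the comment with `# While this define is set BoringSSL has no locking: it must only be used from one thread/task at a time. It is public so that every dependent sees this constraint.` The `NDEBUG` comment gives its reason, which is the right pattern; the other two comments in the `defines` list have typos (`desctructor`, `optimiaztion`).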
diff --git a/third_party/boringssl/README.md b/third_party/boringssl/README.md
new file mode 100644
index 0000000..0d3e06d
--- /dev/null
+++ b/third_party/boringssl/README.md
@@ -0,0 +1,10 @@
+# BoringSSL Library
+
+The folder provides build scripts for building the BoringSSL library. The
+source code needs to be downloaded by the user. It is recommended to download
+via "pw package install boringssl". This ensures that necessary build files
+are generated. It als downloads the chromium verifier library, which will be
+used as the default certificate verifier for boringssl in pw_tls_client.
+For gn build, set `dir_pw_third_party_boringssl` to point to the
+path of the source code. For applications using BoringSSL, add
+`$dir_pw_third_party/boringssl` to the dependency list.
diff --git a/third_party/boringssl/crypto_sysrand.cc b/third_party/boringssl/crypto_sysrand.cc
new file mode 100644
index 0000000..34fe1bb
--- /dev/null
+++ b/third_party/boringssl/crypto_sysrand.cc
@@ -0,0 +1,51 @@
+// Copyright 2021 The Pigweed Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not
+// use this file except in compliance with the License. You may obtain a copy of
+// the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+#include "src/crypto/fipsmodule/rand/internal.h"
+
+extern "C" {
+// OPENSSL_URANDOM is defined automatically based on platform flags.
+// See crypto/fipsmodule/rand/internal.h
+#ifdef OPENSSL_URANDOM
+// When OPENSSL_URANDOM is defined, boringssl assumes linux and
+// reads from "dev/urandom" for generating randoms bytes.
+// We mock the required file io functions to accomodate it for now.
+// TODO(zyecheng): Ask BoringSSL team if there are ways to disable
+// OPENSSL_URANDOM, potentially by adding a OPENSSL_PIGWEED flag in
+// crypto/fipsmodule/rand/internal.h. If not, we need to keep these
+// mockings.
+
+#define URANDOM_FILE_FD 123
+int open(const char* file, int, ...) {
+ if (strcmp(file, "/dev/urandom") == 0) {
+ return URANDOM_FILE_FD;
+ }
+ return -1;
+}
+
+ssize_t read(int fd, void*, size_t len) {
+ if (fd == URANDOM_FILE_FD) {
+ // TODO(zyecheng): Add code to generate random bytes.
+ }
+ return static_cast<ssize_t>(len);
+}
+
+#else
+// When OPENSSL_URANDOM is not defined, BoringSSL expects an implementation of
+// the following function for generating random bytes.
+void CRYPTO_sysrand(uint8_t*, size_t) {
+ // TODO(zyecheng): Add code to generate random bytes.
+}
+#endif
+}
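Review bot: Both placeholder paths report success without producing any randomness: `read` returns `len` without writing a byte into the buffer, and `CRYPTO_sysrand` returns with its buffer untouched, so any build that reaches this code hands BoringSSL unfilled memory as entropy and key material becomes deterministic while the library believes it was seeded. Until a real source is wired up the stubs should fail closed, e.g. `return -1;  // No entropy source yet: fail rather than report unfilled bytes as random.` in `read` (BoringSSL's urandom reader treats a non-EINTR read error as fatal, as far as I recall) and `abort();` in `CRYPTO_sysrand` (needs `<cstdlib>`). Separately, these `extern "C"` definitions of `open` and `read` are program-wide symbols rather than BoringSSL-private hooks: `open` answers -1 for every path other than `/dev/urandom` and `read` returns `len` for every descriptor, which affects any other caller in the image and may clash with a libc that already defines them, so that assumption deserves a comment next to `#define URANDOM_FILE_FD`. `strcmp` is also used with no `<cstring>` include in this file, so it relies on a transitive include from `internal.h`.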
diff --git a/third_party/boringssl/sysdeps/sys/socket.h b/third_party/boringssl/sysdeps/sys/socket.h
new file mode 100644
index 0000000..9ba1f9f
--- /dev/null
+++ b/third_party/boringssl/sysdeps/sys/socket.h
@@ -0,0 +1,17 @@
+// Copyright 2021 The Pigweed Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not
+// use this file except in compliance with the License. You may obtain a copy of
+// the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+// Nothing. For place-holder only.
+
+#pragma once
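Review bot: This file shadows the system `<sys/socket.h>` for every BoringSSL translation unit through the `include_dirs = [ "sysdeps" ]` added to the GN target in this change, but its only comment says it is a placeholder without saying what it stands in for or why an empty file is safe there. I would replace `// Nothing. For place-holder only.` with a comment stating that it only satisfies `#include <sys/socket.h>` in BoringSSL sources that do not use socket APIs (the socket-using `bio` files are excluded in BUILD.gn), and that any code needing real socket declarations must not be compiled with this directory on its include path.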