Removing NSS files and USE_OPENSSL flag

crypto/BUILD.gn

 # Copyright (c) 2013 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 import("//build/config/crypto.gni")
 import("//testing/test.gni")
 
 component("crypto") {
   output_name = "crcrypto"  # Avoid colliding with OpenSSL's libcrypto.
   sources = [
     "aead_openssl.cc",
     "aead_openssl.h",
     "apple_keychain.h",
     "apple_keychain_ios.mm",
     "apple_keychain_mac.mm",
     "auto_cbb.h",
     "capi_util.cc",
     "capi_util.h",
     "crypto_export.h",
     "cssm_init.cc",
     "cssm_init.h",
-    "curve25519-donna.c",
     "curve25519.h",
-    "curve25519_nss.cc",
     "curve25519_openssl.cc",
     "ec_private_key.h",
-    "ec_private_key_nss.cc",
     "ec_private_key_openssl.cc",
     "ec_signature_creator.cc",
     "ec_signature_creator.h",
     "ec_signature_creator_impl.h",
-    "ec_signature_creator_nss.cc",
     "ec_signature_creator_openssl.cc",
     "encryptor.cc",
     "encryptor.h",
-    "encryptor_nss.cc",
     "encryptor_openssl.cc",
     "hkdf.cc",
     "hkdf.h",
     "hmac.cc",
     "hmac.h",
-    "hmac_nss.cc",
     "hmac_openssl.cc",
     "mac_security_services_lock.cc",
     "mac_security_services_lock.h",
 
     # TODO(brettw) these mocks should be moved to a test_support_crypto target
     # if possible.
     "mock_apple_keychain.cc",
     "mock_apple_keychain.h",
     "mock_apple_keychain_ios.cc",
     "mock_apple_keychain_mac.cc",
     "nss_key_util.cc",
     "nss_key_util.h",
     "nss_util.cc",
     "nss_util.h",
     "nss_util_internal.h",
     "openssl_bio_string.cc",
     "openssl_bio_string.h",
     "openssl_util.cc",
     "openssl_util.h",
     "p224.cc",
     "p224.h",
     "p224_spake.cc",
     "p224_spake.h",
     "random.cc",
     "random.h",
     "rsa_private_key.h",
-    "rsa_private_key_nss.cc",
     "rsa_private_key_openssl.cc",
     "scoped_capi_types.h",
     "scoped_nss_types.h",
     "secure_hash.h",
-    "secure_hash_default.cc",
     "secure_hash_openssl.cc",
     "secure_util.cc",
     "secure_util.h",
     "sha2.cc",
     "sha2.h",
     "signature_creator.h",
-    "signature_creator_nss.cc",
     "signature_creator_openssl.cc",
     "signature_verifier.h",
-    "signature_verifier_nss.cc",
     "signature_verifier_openssl.cc",
     "symmetric_key.h",
-    "symmetric_key_nss.cc",
     "symmetric_key_openssl.cc",
-    "third_party/nss/chromium-blapi.h",
-    "third_party/nss/chromium-blapit.h",
-    "third_party/nss/chromium-nss.h",
     "third_party/nss/chromium-sha256.h",

[Ryan Sleevi, 2016/04/18 14:23:30]

Why?

[svaldez, 2016/04/18 15:09:35]

nacl_win64 seems to need it.

-    "third_party/nss/pk11akey.cc",
-    "third_party/nss/rsawrapr.c",
-    "third_party/nss/secsign.cc",
     "third_party/nss/sha512.cc",

[Ryan Sleevi, 2016/04/18 14:23:30]

Why? Now that we're using BoringSSl, we shouldn't need a hermetic SHA-256
implementation, should we?

[svaldez, 2016/04/18 15:09:35]

nacl_win64 seems to need it.

[Ryan Sleevi, 2016/04/18 15:31:40]

I guess put differently, should we have nacl_win64 using a hermetic copy of
BoringSSL's SHA-1/SHA-2 implementation, so that we can reduce the number of
unique implementations we're carrying? I would at least think it'd be more
performant there.

I'm not sure whether we should address that before or after, but I definitely
think we should excise these NSS forks (also the //base/sha1 impl)

[davidben, 2016/04/18 16:25:20]

This should be excisable, yeah. Either by pulling in BoringSSL (either trusting
the static linker to drop everything else or making yet another bespoke subset)
or using the Windows native one since we no longer support XP. I had a TODO to
deal with it and it slipped through. But I think it makes sense to do that
separately from this CL.

   ]
 
   # TODO(jschuh): crbug.com/167187 fix size_t to int truncations.
   configs += [ "//build/config/compiler:no_size_t_to_int_warning" ]
 
   deps = [
     ":platform",
     "//base",
     "//base/third_party/dynamic_annotations",
   ]
@@ skipping 16 matching lines @@
       "mac_security_services_lock.h",
     ]
   }
   if (!is_win) {
     sources -= [
       "capi_util.cc",
       "capi_util.h",
     ]
   }
 
-  if (use_openssl) {
-    # Remove NSS files when using OpenSSL
-    sources -= [
-      "curve25519-donna.c",
-      "curve25519_nss.cc",
-      "ec_private_key_nss.cc",
-      "ec_signature_creator_nss.cc",
-      "encryptor_nss.cc",
-      "hmac_nss.cc",
-      "rsa_private_key_nss.cc",
-      "secure_hash_default.cc",
-      "signature_creator_nss.cc",
-      "signature_verifier_nss.cc",
-      "symmetric_key_nss.cc",
-      "third_party/nss/chromium-blapi.h",
-      "third_party/nss/chromium-blapit.h",
-      "third_party/nss/chromium-nss.h",
-      "third_party/nss/pk11akey.cc",
-      "third_party/nss/rsawrapr.c",
-      "third_party/nss/secsign.cc",
-    ]
-  } else {
-    # Remove OpenSSL when using NSS.
-    sources -= [
-      "aead_openssl.cc",
-      "aead_openssl.h",
-      "auto_cbb.h",
-      "curve25519_openssl.cc",
-      "ec_private_key_openssl.cc",
-      "ec_signature_creator_openssl.cc",
-      "encryptor_openssl.cc",
-      "hmac_openssl.cc",
-      "openssl_bio_string.cc",
-      "openssl_bio_string.h",
-      "openssl_util.cc",
-      "openssl_util.h",
-      "rsa_private_key_openssl.cc",
-      "secure_hash_openssl.cc",
-      "signature_creator_openssl.cc",
-      "signature_verifier_openssl.cc",
-      "symmetric_key_openssl.cc",
-    ]
-  }
-
-  # Some files are built when NSS is used at all, either for the internal crypto
-  # library or the platform certificate library.
-  if (use_openssl && !use_nss_certs) {
+  # Some files are built when NSS is used for the platform certificate library.
+  if (!use_nss_certs) {
     sources -= [
       "nss_key_util.cc",
       "nss_key_util.h",
       "nss_util.cc",
       "nss_util.h",
       "nss_util_internal.h",
     ]
   }
 
   defines = [ "CRYPTO_IMPLEMENTATION" ]
@@ skipping 51 matching lines @@
     "p224_unittest.cc",
     "random_unittest.cc",
     "rsa_private_key_unittest.cc",
     "secure_hash_unittest.cc",
     "sha2_unittest.cc",
     "signature_creator_unittest.cc",
     "signature_verifier_unittest.cc",
     "symmetric_key_unittest.cc",
   ]
 
-  # Some files are built when NSS is used at all, either for the internal crypto
-  # library or the platform certificate library.
-  if (use_openssl && !use_nss_certs) {
+  # Some files are built when NSS is used for the platform certificate library.
+  if (!use_nss_certs) {
     sources -= [
       "nss_key_util_unittest.cc",
       "nss_util_unittest.cc",
     ]
   }
 
-  if (!use_openssl) {
-    sources -= [ "openssl_bio_string_unittest.cc" ]
-  }
-
   configs += [ "//build/config/compiler:no_size_t_to_int_warning" ]
 
   deps = [
     ":crypto",
     ":platform",
     ":test_support",
     "//base",
     "//base/test:run_all_unittests",
     "//base/test:test_support",
     "//testing/gmock",
@@ skipping 27 matching lines @@
     sources -= [
       "scoped_test_nss_chromeos_user.cc",
       "scoped_test_nss_chromeos_user.h",
       "scoped_test_system_nss_key_slot.cc",
       "scoped_test_system_nss_key_slot.h",
     ]
   }
 }
 
 config("platform_config") {
-  if ((!use_openssl || use_nss_certs) && is_clang) {
+  if (use_nss_certs && is_clang) {
     # There is a broken header guard in /usr/include/nss/secmod.h:
     # https://bugzilla.mozilla.org/show_bug.cgi?id=884072
     cflags = [ "-Wno-header-guard" ]
   }
 }
 
 # This is a meta-target that forwards to NSS's SSL library or OpenSSL,
 # according to the state of the crypto flags. A target just wanting to depend
 # on the current SSL library should just depend on this.
 group("platform") {
-  if (use_openssl) {
-    public_deps = [
-      "//third_party/boringssl",
-    ]
-  } else {
-    public_deps = [
-      "//net/third_party/nss/ssl:libssl",
-    ]
-  }
+  public_deps = [
+    "//third_party/boringssl",
+  ]
 
-  # Link in NSS if it is used for either the internal crypto library
-  # (!use_openssl) or platform certificate library (use_nss_certs).
-  if (!use_openssl || use_nss_certs) {
-    if (is_linux) {
-      # On Linux, we use the system NSS (excepting SSL where we always use our
-      # own).
-      public_configs = [ ":platform_config" ]
-      if (!use_openssl) {
-        # If using a bundled copy of NSS's SSL library, ensure the bundled SSL
-        # header search path comes before the system one so our versions are
-        # used. The libssl target will add the search path we want, but
-        # according to GN's ordering rules, public_configs' search path will get
-        # applied before ones inherited from our dependencies.  Therefore, we
-        # need to explicitly list our custom libssl's config here before the
-        # system one.
-        public_configs += [ "//net/third_party/nss/ssl:ssl_config" ]
-      }
-      public_configs += [ "//third_party/nss:system_nss_no_ssl_config" ]
-    } else {
-      # Non-Linux platforms use the hermetic NSS from the tree.
-      public_deps += [
-        "//third_party/nss:nspr",
-        "//third_party/nss:nss",
-      ]
-    }
+  # Link in NSS if it is used for the platform certificate library
+  # (use_nss_certs).
+  if (use_nss_certs) {
+    public_configs = [ ":platform_config" ]
+    public_configs += [ "//third_party/nss:system_nss_no_ssl_config" ]
   }
 }