Support building BoringSSL with NSS certificates.

crypto/BUILD.gn

 # Copyright (c) 2013 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 import("//build/config/crypto.gni")
 import("//testing/test.gni")
 
 component("crypto") {
   output_name = "crcrypto"  # Avoid colliding with OpenSSL's libcrypto.
   sources = [
@@ skipping 118 matching lines @@
     deps += [ "//third_party/android_tools:cpu_features" ]
   }
 
   if (use_openssl) {
     # Remove NSS files when using OpenSSL
     sources -= [
       "ec_private_key_nss.cc",
       "ec_signature_creator_nss.cc",
       "encryptor_nss.cc",
       "hmac_nss.cc",
-      "nss_util.cc",
-      "nss_util.h",
-      "nss_util_internal.h",
       "rsa_private_key_nss.cc",
       "secure_hash_default.cc",
       "signature_creator_nss.cc",
       "signature_verifier_nss.cc",
       "symmetric_key_nss.cc",
       "third_party/nss/chromium-blapi.h",
       "third_party/nss/chromium-blapit.h",
       "third_party/nss/chromium-nss.h",
       "third_party/nss/pk11akey.cc",
       "third_party/nss/rsawrapr.c",
@@ skipping 11 matching lines @@
       "openssl_util.cc",
       "openssl_util.h",
       "rsa_private_key_openssl.cc",
       "secure_hash_openssl.cc",
       "signature_creator_openssl.cc",
       "signature_verifier_openssl.cc",
       "symmetric_key_openssl.cc",
     ]
   }
 
+  # NSS is used for neither the internal crypto library nor the platform
+  # certificate library.
+  if (use_openssl && !use_nss_certs) {
+    sources -= [
+      "nss_util.cc",
+      "nss_util.h",
+      "nss_util_internal.h",
+    ]
+  }
+
   defines = [ "CRYPTO_IMPLEMENTATION" ]
 }
 
 # TODO(GYP): TODO(dpranke), fix the compile errors for this stuff
 # and make it work.
 if (false && is_win) {
   # A minimal crypto subset for hmac-related stuff that small standalone
   # targets can use to reduce code size on Windows. This does not depend on
   # OpenSSL/NSS but will use Windows APIs for that functionality.
   source_set("crypto_minimal_win") {
@@ skipping 41 matching lines @@
       "random_unittest.cc",
       "rsa_private_key_unittest.cc",
       "rsa_private_key_nss_unittest.cc",
       "secure_hash_unittest.cc",
       "sha2_unittest.cc",
       "signature_creator_unittest.cc",
       "signature_verifier_unittest.cc",
       "symmetric_key_unittest.cc",
     ]
 
-    if (use_openssl || !is_linux) {
-      sources -= [ "rsa_private_key_nss_unittest.cc" ]
+    if (use_openssl && !use_nss_certs) {
+      # nss_util is built if NSS is used for either the internal crypto library
+      # or the platform certificate library.
+      sources -= [ "nss_util_unittest.cc" ]
     }
 
     if (use_openssl) {
-      sources -= [ "nss_util_unittest.cc" ]
+      sources -= [ "rsa_private_key_nss_unittest.cc" ]
     } else {
       sources -= [ "openssl_bio_string_unittest.cc" ]
     }
 
     deps = [
       ":crypto",
       ":platform",
       ":test_support",
       "//base",
       "//base/test:run_all_unittests",
@@ skipping 41 matching lines @@
 # on the current SSL library should just depend on this.
 group("platform") {
   if (use_openssl) {
     deps = [
       "//third_party/boringssl",
     ]
   } else {
     deps = [
       "//net/third_party/nss/ssl:libssl",
     ]
+  }
+
+  # Link in NSS if it is used for either the internal crypto library
+  # (use_openssl==0) or platform certificate library (use_nss==1).
+  if (use_nss_certs || !use_openssl) {
     if (is_linux) {
       # On Linux, we use the system NSS (excepting SSL where we always use our
       # own).
       #
       # We always need our SSL header search path to come before the system one
       # so our versions are used. The libssl target will add the search path we
       # want, but according to GN's ordering rules, public_configs' search path
       # will get applied before ones inherited from our dependencies.
       # Therefore, we need to explicitly list our custom libssl's config here
       # before the system one.
       public_configs = [
         "//net/third_party/nss/ssl:ssl_config",

[Ryan Sleevi, 2015/02/26 00:35:36]

This doesn't seem right for the use_nss_certs case

[davidben, 2015/02/26 22:59:24]

Yeah, you're right. I've tweaked it a little...

I'm not very happy with how many cases there are in the new version. It's really
much simpler because use_nss_certs = is_linux. But we've historically
conditioned the system vs. bundled bit on NSS with is_linux (even though the
bundled NSS port, iOS, doesn't even set use_nss_certs), so I kept it consistent
with that.

         "//third_party/nss:system_nss_no_ssl_config",
       ]
     } else {
       # Non-Linux platforms use the hermetic NSS from the tree.
       deps += [
         "//third_party/nss:nspr",
         "//third_party/nss:nss",
       ]
     }
   }
 }