Support building BoringSSL with NSS certificates.

crypto/BUILD.gn

 # Copyright (c) 2013 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 import("//build/config/crypto.gni")
 import("//testing/test.gni")
 
 component("crypto") {
   output_name = "crcrypto"  # Avoid colliding with OpenSSL's libcrypto.
   sources = [
@@ skipping 118 matching lines @@
     deps += [ "//third_party/android_tools:cpu_features" ]
   }
 
   if (use_openssl) {
     # Remove NSS files when using OpenSSL
     sources -= [
       "ec_private_key_nss.cc",
       "ec_signature_creator_nss.cc",
       "encryptor_nss.cc",
       "hmac_nss.cc",
-      "nss_util.cc",
-      "nss_util.h",
-      "nss_util_internal.h",
       "rsa_private_key_nss.cc",
       "secure_hash_default.cc",
       "signature_creator_nss.cc",
       "signature_verifier_nss.cc",
       "symmetric_key_nss.cc",
       "third_party/nss/chromium-blapi.h",
       "third_party/nss/chromium-blapit.h",
       "third_party/nss/chromium-nss.h",
       "third_party/nss/pk11akey.cc",
       "third_party/nss/rsawrapr.c",
@@ skipping 11 matching lines @@
       "openssl_util.cc",
       "openssl_util.h",
       "rsa_private_key_openssl.cc",
       "secure_hash_openssl.cc",
       "signature_creator_openssl.cc",
       "signature_verifier_openssl.cc",
       "symmetric_key_openssl.cc",
     ]
   }
 
+  # NSS is used for neither the internal crypto library nor the platform
+  # certificate library.
+  if (use_openssl && !use_nss_certs) {
+    sources -= [
+      "nss_util.cc",
+      "nss_util.h",
+      "nss_util_internal.h",
+    ]
+  }
+
   defines = [ "CRYPTO_IMPLEMENTATION" ]
 }
 
 # TODO(GYP): TODO(dpranke), fix the compile errors for this stuff
 # and make it work.
 if (false && is_win) {
   # A minimal crypto subset for hmac-related stuff that small standalone
   # targets can use to reduce code size on Windows. This does not depend on
   # OpenSSL/NSS but will use Windows APIs for that functionality.
   source_set("crypto_minimal_win") {
@@ skipping 41 matching lines @@
       "random_unittest.cc",
       "rsa_private_key_nss_unittest.cc",
       "rsa_private_key_unittest.cc",
       "secure_hash_unittest.cc",
       "sha2_unittest.cc",
       "signature_creator_unittest.cc",
       "signature_verifier_unittest.cc",
       "symmetric_key_unittest.cc",
     ]
 
-    if (use_openssl || !is_linux) {
-      sources -= [ "rsa_private_key_nss_unittest.cc" ]
+    if (use_openssl && !use_nss_certs) {
+      # nss_util is built if NSS is used for either the internal crypto library
+      # or the platform certificate library.
+      sources -= [ "nss_util_unittest.cc" ]
     }
 
     if (use_openssl) {
-      sources -= [ "nss_util_unittest.cc" ]
+      sources -= [ "rsa_private_key_nss_unittest.cc" ]
     } else {
       sources -= [ "openssl_bio_string_unittest.cc" ]
     }
 
     deps = [
       ":crypto",
       ":platform",
       ":test_support",
       "//base",
       "//base/test:run_all_unittests",
@@ skipping 30 matching lines @@
     sources -= [
       "scoped_test_nss_chromeos_user.cc",
       "scoped_test_nss_chromeos_user.h",
       "scoped_test_system_nss_key_slot.cc",
       "scoped_test_system_nss_key_slot.h",
     ]
   }
 }
 
 config("platform_config") {
-  if (!use_openssl && is_clang) {
+  if ((!use_openssl || use_nss_certs) && is_clang) {
     # There is a broken header guard in /usr/include/nss/secmod.h:
     # https://bugzilla.mozilla.org/show_bug.cgi?id=884072
     cflags = [ "-Wno-header-guard" ]
   }
 }
 
 # This is a meta-target that forwards to NSS's SSL library or OpenSSL,
 # according to the state of the crypto flags. A target just wanting to depend
 # on the current SSL library should just depend on this.
 group("platform") {
   if (use_openssl) {
     deps = [
       "//third_party/boringssl",
     ]
   } else {
     deps = [
       "//net/third_party/nss/ssl:libssl",
     ]
+  }
+
+  # Link in NSS if it is used for either the internal crypto library
+  # (!use_openssl) or platform certificate library (use_nss_certs).
+  if (!use_openssl || use_nss_certs) {
     if (is_linux) {
       # On Linux, we use the system NSS (excepting SSL where we always use our
       # own).
-      #
-      # We always need our SSL header search path to come before the system one
-      # so our versions are used. The libssl target will add the search path we
-      # want, but according to GN's ordering rules, public_configs' search path
-      # will get applied before ones inherited from our dependencies.
-      # Therefore, we need to explicitly list our custom libssl's config here
-      # before the system one.
-      public_configs = [
-        ":platform_config",
-        "//net/third_party/nss/ssl:ssl_config",
-        "//third_party/nss:system_nss_no_ssl_config",
-      ]
+      public_configs = [ ":platform_config" ]
+      if (!use_openssl) {
+        # If using a bundled copy of NSS's SSL library, ensure the bundled SSL
+        # header search path comes before the system one so our versions are
+        # used. The libssl target will add the search path we want, but
+        # according to GN's ordering rules, public_configs' search path will get
+        # applied before ones inherited from our dependencies.  Therefore, we
+        # need to explicitly list our custom libssl's config here before the
+        # system one.
+        public_configs += [ "//net/third_party/nss/ssl:ssl_config" ]
+      }
+      public_configs += [ "//third_party/nss:system_nss_no_ssl_config" ]
     } else {
       # Non-Linux platforms use the hermetic NSS from the tree.
       deps += [
         "//third_party/nss:nspr",
         "//third_party/nss:nss",
       ]
     }
   }
 }