Support building BoringSSL with NSS certificates.

crypto/BUILD.gn

 # Copyright (c) 2013 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 import("//build/config/crypto.gni")
 import("//testing/test.gni")
 
 component("crypto") {
   output_name = "crcrypto"  # Avoid colliding with OpenSSL's libcrypto.
   sources = [
@@ skipping 118 matching lines @@
     deps += [ "//third_party/android_tools:cpu_features" ]
   }
 
   if (use_openssl) {
     # Remove NSS files when using OpenSSL
     sources -= [
       "ec_private_key_nss.cc",
       "ec_signature_creator_nss.cc",
       "encryptor_nss.cc",
       "hmac_nss.cc",
-      "nss_util.cc",
-      "nss_util.h",
-      "nss_util_internal.h",
       "rsa_private_key_nss.cc",
       "secure_hash_default.cc",
       "signature_creator_nss.cc",
       "signature_verifier_nss.cc",
       "symmetric_key_nss.cc",
       "third_party/nss/chromium-blapi.h",
       "third_party/nss/chromium-blapit.h",
       "third_party/nss/chromium-nss.h",
       "third_party/nss/pk11akey.cc",
       "third_party/nss/rsawrapr.c",
@@ skipping 11 matching lines @@
       "openssl_util.cc",
       "openssl_util.h",
       "rsa_private_key_openssl.cc",
       "secure_hash_openssl.cc",
       "signature_creator_openssl.cc",
       "signature_verifier_openssl.cc",
       "symmetric_key_openssl.cc",
     ]
   }
 
+  # Remove nss_util when NSS is used for neither the internal crypto library
+  # nor the platform certificate library.
+  if (use_openssl && !use_nss_certs) {
+    sources -= [
+      "nss_util.cc",
+      "nss_util.h",
+      "nss_util_internal.h",
+    ]
+  }
+
   defines = [ "CRYPTO_IMPLEMENTATION" ]
 }
 
 # TODO(GYP): TODO(dpranke), fix the compile errors for this stuff
 # and make it work.
 if (false && is_win) {
   # A minimal crypto subset for hmac-related stuff that small standalone
   # targets can use to reduce code size on Windows. This does not depend on
   # OpenSSL/NSS but will use Windows APIs for that functionality.
   source_set("crypto_minimal_win") {
@@ skipping 39 matching lines @@
     "random_unittest.cc",
     "rsa_private_key_nss_unittest.cc",
     "rsa_private_key_unittest.cc",
     "secure_hash_unittest.cc",
     "sha2_unittest.cc",
     "signature_creator_unittest.cc",
     "signature_verifier_unittest.cc",
     "symmetric_key_unittest.cc",
   ]
 
-  if (use_openssl || !is_linux) {
-    sources -= [ "rsa_private_key_nss_unittest.cc" ]
+  # Remove nss_util when NSS is used for neither the internal crypto library
+  # nor the platform certificate library.
+  if (use_openssl && !use_nss_certs) {
+    sources -= [ "nss_util_unittest.cc" ]
   }
 
   if (use_openssl) {
-    sources -= [ "nss_util_unittest.cc" ]
+    sources -= [ "rsa_private_key_nss_unittest.cc" ]
   } else {
     sources -= [ "openssl_bio_string_unittest.cc" ]
   }
 
   configs += [ "//build/config/compiler:no_size_t_to_int_warning" ]
 
   deps = [
     ":crypto",
     ":platform",
     ":test_support",
@@ skipping 31 matching lines @@
     sources -= [
       "scoped_test_nss_chromeos_user.cc",
       "scoped_test_nss_chromeos_user.h",
       "scoped_test_system_nss_key_slot.cc",
       "scoped_test_system_nss_key_slot.h",
     ]
   }
 }
 
 config("platform_config") {
-  if (!use_openssl && is_clang) {
+  if ((!use_openssl || use_nss_certs) && is_clang) {
     # There is a broken header guard in /usr/include/nss/secmod.h:
     # https://bugzilla.mozilla.org/show_bug.cgi?id=884072
     cflags = [ "-Wno-header-guard" ]
   }
 }
 
 # This is a meta-target that forwards to NSS's SSL library or OpenSSL,
 # according to the state of the crypto flags. A target just wanting to depend
 # on the current SSL library should just depend on this.
 group("platform") {
   if (use_openssl) {
     deps = [
       "//third_party/boringssl",
     ]
   } else {
     deps = [
       "//net/third_party/nss/ssl:libssl",
     ]
+  }
+
+  # Link in NSS if it is used for either the internal crypto library
+  # (!use_openssl) or platform certificate library (use_nss_certs).
+  if (!use_openssl || use_nss_certs) {
     if (is_linux) {
       # On Linux, we use the system NSS (excepting SSL where we always use our
       # own).
-      #
-      # We always need our SSL header search path to come before the system one
-      # so our versions are used. The libssl target will add the search path we
-      # want, but according to GN's ordering rules, public_configs' search path
-      # will get applied before ones inherited from our dependencies.
-      # Therefore, we need to explicitly list our custom libssl's config here
-      # before the system one.
-      public_configs = [
-        ":platform_config",
-        "//net/third_party/nss/ssl:ssl_config",
-        "//third_party/nss:system_nss_no_ssl_config",
-      ]
+      public_configs = [ ":platform_config" ]
+      if (!use_openssl) {
+        # If using a bundled copy of NSS's SSL library, ensure the bundled SSL
+        # header search path comes before the system one so our versions are
+        # used. The libssl target will add the search path we want, but
+        # according to GN's ordering rules, public_configs' search path will get
+        # applied before ones inherited from our dependencies.  Therefore, we
+        # need to explicitly list our custom libssl's config here before the
+        # system one.
+        public_configs += [ "//net/third_party/nss/ssl:ssl_config" ]
+      }
+      public_configs += [ "//third_party/nss:system_nss_no_ssl_config" ]
     } else {
       # Non-Linux platforms use the hermetic NSS from the tree.
       deps += [
         "//third_party/nss:nspr",
         "//third_party/nss:nss",
       ]
     }
   }
 }