libcrypto: update build to apply all patches

Also refresh all the patches from upstream and change
the starting number to be in line with other packages

Author: vigh-m

packages/libcrypto/0001-Cherry-pick-BORINGSSL_bcm_text_hash-Go-utility-2221.patch renamed to packages/libcrypto/1001-Cherry-pick-BORINGSSL_bcm_text_hash-Go-utility-2221.patch

@@ -152,6 +152,3 @@ index 000000000..cda6a1385
 +
 +	return hashSymbolSectionData[hashSymbolOffset : hashSymbolOffset+hashSymbol.Size], nil
 +}
--- 
-2.48.1
-

packages/libcrypto/0002-Cherry-pick-Fix-out-of-bound-OOB-input-read-in-AES-X.patch renamed to packages/libcrypto/1002-Cherry-pick-Fix-out-of-bound-OOB-input-read-in-AES-X.patch

@@ -215,6 +215,3 @@ index 039f0c7ac..1aabee193 100644
  	add	rcx,0x100
  	vpxorq	zmm1,zmm1,zmm9
  	vpxorq	zmm2,zmm2,zmm10
--- 
-2.48.1
-

packages/libcrypto/1003-Move-OCSP-ASN1-type-functions-to-public-header-2239.patch

@@ -0,0 +1,41 @@
+From 9083ae0244fbab6064c892e6e7e8e9fc47a7b9f7 Mon Sep 17 00:00:00 2001
+From: Sean McGrail <[email protected]>
+Date: Thu, 6 Mar 2025 17:31:04 +0000
+Subject: [PATCH] Move OCSP ASN1 type functions to public header (#2239)
+
+### Description of changes:
+Improve compatibility with OpenSSL APIs for OCSP.
+
+By submitting this pull request, I confirm that my contribution is made
+under the terms of the Apache 2.0 license and the ISC license.
+
+(cherry picked from commit b74d80de10cbeccbd357262c0402f90102d21ce8)
+---
+ crypto/ocsp/internal.h | 1 -
+ include/openssl/ocsp.h | 1 +
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/ocsp/internal.h b/crypto/ocsp/internal.h
+index c780fb6bf..04c17d22c 100644
+--- a/crypto/ocsp/internal.h
++++ b/crypto/ocsp/internal.h
+@@ -233,7 +233,6 @@ struct ocsp_basic_response_st {
+   STACK_OF(X509) *certs;
+ };
+ 
+-DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ)
+ DECLARE_ASN1_FUNCTIONS(OCSP_RESPDATA)
+ DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO)
+ DECLARE_ASN1_FUNCTIONS(OCSP_SIGNATURE)
+diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
+index 2f7d249f6..32936ec0e 100644
+--- a/include/openssl/ocsp.h
++++ b/include/openssl/ocsp.h
+@@ -112,6 +112,7 @@ DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)
+ DECLARE_ASN1_FUNCTIONS(OCSP_CERTID)
+ DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST)
+ DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
++DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ)
+ 
+ // d2i_OCSP_REQUEST_bio parses a DER-encoded OCSP request from |bp|, converts it
+ // into an |OCSP_REQUEST|, and writes the result in |preq|.

packages/libcrypto/1004-Add-test-around-OpenSSL-behavior-for-BIO_get_mem_dat.patch

@@ -0,0 +1,35 @@
+From 6f95c7dfa9d569b2c78475aee0516e36df5b2c4a Mon Sep 17 00:00:00 2001
+From: Sean McGrail <[email protected]>
+Date: Mon, 10 Mar 2025 17:54:59 +0000
+Subject: [PATCH] Add test around OpenSSL behavior for BIO_get_mem_data macro
+
+(cherry picked from commit 94b8cb68e8f3f93c5bdd78a3c23fc23baf410132)
+---
+ crypto/bio/bio_test.cc | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/crypto/bio/bio_test.cc b/crypto/bio/bio_test.cc
+index 822a831ba..8fe742568 100644
+--- a/crypto/bio/bio_test.cc
++++ b/crypto/bio/bio_test.cc
+@@ -1275,3 +1275,20 @@ TEST(BIOTest, TestCtrlCallback) {
+   bio_callback_cleanup();
+   ASSERT_EQ(BIO_free(bio), 1);
+ }
++
++TEST(BIOTest, GetMemDataBackwardsCompat) {
++  bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
++  ASSERT_TRUE(bio);
++
++  const uint8_t contents[] = {0x72, 0x61, 0x63, 0x63, 0x6f, 0x6f, 0x6e};
++
++  // Write some test data
++  int write_len = BIO_write(bio.get(), contents, sizeof(contents));
++  ASSERT_EQ(sizeof(contents), (size_t)write_len);
++
++  // Yes, this is something gRPC does
++  const uint8_t *ptr = NULL;
++  long data_len = BIO_get_mem_data(bio.get(), &ptr);
++  ASSERT_EQ((size_t)data_len, sizeof(contents));
++  EXPECT_EQ(Bytes(contents, sizeof(contents)), Bytes(ptr, data_len));
++}

packages/libcrypto/0003-Cherry-pick-support-for-CMake-4.0-to-fips-2024-09-27.patch renamed to packages/libcrypto/1005-Cherry-pick-support-for-CMake-4.0-to-fips-2024-09-27.patch

@@ -43,6 +43,3 @@ index 1090cd53e..b4c6302cc 100644
 
  if(POLICY CMP0091)
  cmake_policy(SET CMP0091 NEW)
--- 
-2.48.1
-

packages/libcrypto/1006-Remove-some-indirection-in-SSL_certs_clear.patch

@@ -0,0 +1,122 @@
+From 792613641e28dda603369bc34bc32263f24de8ac Mon Sep 17 00:00:00 2001
+From: David Benjamin <[email protected]>
+Date: Mon, 12 Feb 2024 18:09:37 -0500
+Subject: [PATCH] Remove some indirection in SSL_certs_clear
+
+If we move SSL_certs_clear to ssl_cert.cc, ssl_cert_clear_certs does not
+need to be in the header. Moreover, its only other caller, ~CERT(), does
+not need to call it. Now that everything outside of SSL_X509_METHOD is
+managed with scopers, the destructor does it automatically. And
+cert_free on SSL_X509_METHOD already automatically calls cert_clear, so
+it's a no-op to do it again.
+
+Change-Id: Ief9c704cc45440288783564ac4db4a27fbec1bfc
+Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66370
+Commit-Queue: David Benjamin <[email protected]>
+Reviewed-by: Bob Beck <[email protected]>
+---
+ ssl/internal.h  |  1 -
+ ssl/ssl_cert.cc | 45 +++++++++++++++++++++------------------------
+ ssl/ssl_lib.cc  |  7 -------
+ 3 files changed, 21 insertions(+), 32 deletions(-)
+
+diff --git a/ssl/internal.h b/ssl/internal.h
+index 80d0675d8..38617640c 100644
+--- a/ssl/internal.h
++++ b/ssl/internal.h
+@@ -3341,7 +3341,6 @@ struct SSL_CONFIG {
+ static const size_t kMaxEarlyDataAccepted = 14336;
+ 
+ UniquePtr<CERT> ssl_cert_dup(CERT *cert);
+-void ssl_cert_clear_certs(CERT *cert);
+ bool ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer);
+ bool ssl_is_key_type_supported(int key_type);
+ // ssl_compare_public_and_private_key returns true if |pubkey| is the public
+diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc
+index 163c3f4cd..6a4b63c54 100644
+--- a/ssl/ssl_cert.cc
++++ b/ssl/ssl_cert.cc
+@@ -143,10 +143,7 @@ CERT::CERT(const SSL_X509_METHOD *x509_method_arg)
+   }
+ }
+ 
+-CERT::~CERT() {
+-  ssl_cert_clear_certs(this);
+-  x509_method->cert_free(this);
+-}
++CERT::~CERT() { x509_method->cert_free(this); }
+ 
+ static CRYPTO_BUFFER *buffer_up_ref(const CRYPTO_BUFFER *buffer) {
+   CRYPTO_BUFFER_up_ref(const_cast<CRYPTO_BUFFER *>(buffer));
+@@ -218,26 +215,6 @@ UniquePtr<CERT> ssl_cert_dup(CERT *cert) {
+   return ret;
+ }
+ 
+-// Free up and clear all certificates and chains
+-void ssl_cert_clear_certs(CERT *cert) {
+-  if (cert == nullptr) {
+-    return;
+-  }
+-
+-  cert->x509_method->cert_clear(cert);
+-
+-  cert->cert_private_key_idx = -1;
+-  for (auto &cert_private_key : cert->cert_private_keys) {
+-    cert_private_key.chain.reset();
+-    cert_private_key.privatekey.reset();
+-  }
+-  cert->key_method = nullptr;
+-
+-  cert->dc.reset();
+-  cert->dc_privatekey.reset();
+-  cert->dc_key_method = nullptr;
+-}
+-
+ static void ssl_cert_set_cert_cb(CERT *cert, int (*cb)(SSL *ssl, void *arg),
+                                  void *arg) {
+   cert->cert_cb = cb;
+@@ -984,6 +961,26 @@ int SSL_CTX_set_chain_and_key(SSL_CTX *ctx, CRYPTO_BUFFER *const *certs,
+                                 privkey_method);
+ }
+ 
++void SSL_certs_clear(SSL *ssl) {
++  if (!ssl->config) {
++    return;
++  }
++
++  CERT *cert = ssl->config->cert.get();
++  cert->x509_method->cert_clear(cert);
++
++  cert->cert_private_key_idx = -1;
++  for (auto &cert_private_key : cert->cert_private_keys) {
++    cert_private_key.chain.reset();
++    cert_private_key.privatekey.reset();
++  }
++  cert->key_method = nullptr;
++
++  cert->dc.reset();
++  cert->dc_privatekey.reset();
++  cert->dc_key_method = nullptr;
++}
++
+ const STACK_OF(CRYPTO_BUFFER) *SSL_CTX_get0_chain(const SSL_CTX *ctx) {
+   if (!ssl_cert_check_cert_private_keys_usage(ctx->cert.get())) {
+     return nullptr;
+diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
+index c74aa04b1..092dbef31 100644
+--- a/ssl/ssl_lib.cc
++++ b/ssl/ssl_lib.cc
+@@ -1614,13 +1614,6 @@ const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) {
+   return ssl->config->cert->sid_ctx;
+ }
+ 
+-void SSL_certs_clear(SSL *ssl) {
+-  if (!ssl->config) {
+-    return;
+-  }
+-  ssl_cert_clear_certs(ssl->config->cert.get());
+-}
+-
+ int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); }
+ 
+ int SSL_get_rfd(const SSL *ssl) {