openssl: Re-add compatibility with Android CA certificates

The CA certificates bundles included in Android are hashed using MD5
(as used by OpenSSL pre-1.0.0) instead of SHA1 (used in 1.0.0+). The
patch to use X509_NAME_hash_old() does no longer apply; hence import
the proposed patch at openssl/openssl#24002

Also, pick the part of the old patch that configured the CA certificates
path to be /system/etc/security/cacerts on Android and split it into its
own patch.

Author: aperezdc

recipes/libsoup.recipe

@@ -11,8 +11,7 @@ class Recipe(recipe.Recipe):
     url = 'gnome://'
     tarball_checksum = '9b54c76f5276b05bebcaf2b6c2a141a188fc7bb1d0624eda259dac13a6665c8a'
     meson_options = {'vapi': 'disabled', 'tls_check': 'false', 'tests' : 'false'}
-    # TODO: deps = ['libxml2', 'glib', 'glib-networking', 'libpsl', 'nghttp2']
-    deps = ['glib', 'glib-networking', 'libpsl', 'nghttp2']
+    deps = ['libxml2', 'glib', 'glib-networking', 'libpsl', 'nghttp2']
 
     # sqlite ships with the system on macOS and iOS. Android also ships with
     # sqlite3, but it's not available from the NDK; only from Java.
@@ -30,8 +29,7 @@ class Recipe(recipe.Recipe):
 
     def post_install(self):
         soup_deps = ['gio-2.0', 'gmodule-2.0', 'gobject-2.0', 'glib-2.0',
-                     # TODO: 'ffi', 'xml2', 'psl', 'z', 'nghttp2']
-                     'ffi', 'psl', 'z', 'nghttp2']
+                     'ffi', 'xml2', 'psl', 'z', 'nghttp2']
         if self.config.target_platform not in (Platform.IOS, Platform.DARWIN):
             soup_deps += ['sqlite3']
         # Meson does not generate la files

recipes/openssl.recipe

@@ -26,8 +26,6 @@ class Recipe(recipe.Recipe):
         # Portable prefix with SSL certs
         'openssl/0001-Load-ca-certificate.crt-from-PREFIX-etc-ssl-on-macOS.patch',
         # MSVC and UWP support
-        # TODO: Android support
-        # TODO: 'openssl/0003-openssl-Support-loading-ca-certificates-on-Android.patch',
         'openssl/0002-windows-makefile.tmpl-Generate-and-install-pkgconfig.patch',
     ]
 
@@ -178,6 +176,10 @@ class Recipe(recipe.Recipe):
         if self.config.target_platform == Platform.IOS:
             self.library_type = LibraryType.STATIC
         if self.config.target_platform == Platform.ANDROID:
+            self.patches += [
+                'openssl/0001-Android-Use-etc-system-security-cacerts-for-CA-certi.patch',
+                'openssl/0005-get_cert_by_subject-backward-compatibility.patch',
+            ]
             self.prepend_env('PATH', self.get_env('ANDROID_NDK_TOOLCHAIN_BIN'), sep=os.pathsep)
             self.set_env('ANDROID_NDK_ROOT', self.get_env('ANDROID_NDK_HOME'))
 

recipes/openssl/0001-Android-Use-etc-system-security-cacerts-for-CA-certi.patch

@@ -0,0 +1,28 @@
+From 56ac18ba7a3f0a50cb368eb1c5bfa101ab06f39d Mon Sep 17 00:00:00 2001
+From: Adrian Perez de Castro <[email protected]>
+Date: Tue, 27 May 2025 17:08:50 +0300
+Subject: Android: Use /etc/system/security/cacerts for CA certificates
+
+---
+ include/internal/common.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/include/internal/common.h b/include/internal/common.h
+index 0c0415b..f7fcd43 100644
+--- a/include/internal/common.h
++++ b/include/internal/common.h
+@@ -82,7 +82,11 @@ __owur static ossl_inline int ossl_assert_int(int expr, const char *exprstr,
+ 
+ # ifndef OPENSSL_SYS_VMS
+ #  define X509_CERT_AREA          OPENSSLDIR
++# if defined(ANDROID) || defined(__ANDROID__)
++#  define X509_CERT_DIR           "/system/etc/security/cacerts"
++# else
+ #  define X509_CERT_DIR           OPENSSLDIR "/certs"
++# endif
+ #  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
+ #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
+ #  define CTLOG_FILE              OPENSSLDIR "/ct_log_list.cnf"
+-- 
+2.49.0
+