Bump BoringSSL submodule to 4a3cda40b (API version 40)

Update the BoringSSL submodule from 91a66a59b (API version 37) to
4a3cda40b965bbda7cebf86e35c1ed6890ebcc34 (API version 40), moving the
dependency forward by 653 commits.

Changes:

boring-pq.patch:
  Updated context lines in crypto/obj/obj_dat.h and tool/client.cc to
  match the new BoringSSL source.

rpk.patch removed:
  Raw Public Key (RPK) support is now native to upstream BoringSSL as
  of this version, so the Cloudflare-maintained patch is no longer
  needed. The upstream implementation provides equivalent functionality
  under different API names:

    SSL_CREDENTIAL_new_raw_public_key(void)  -> SSL_CREDENTIAL_new_raw_public_key(EVP_PKEY*)
    SSL_get0_peer_pubkey                     -> SSL_get0_peer_rpk
    SSL_CTX_set_server_certificate_types     -> SSL_CTX_set1_accepted_peer_cert_types
    SSL_set_server_certificate_types         -> SSL_set1_accepted_peer_cert_types
    SSL_get_server_certificate_type_selected -> SSL_get_peer_cert_type
    TLS_CERTIFICATE_TYPE_X509               -> TLSEXT_cert_type_x509
    TLS_CERTIFICATE_TYPE_RAW_PUBLIC_KEY      -> TLSEXT_cert_type_rpk

  SSL_CREDENTIAL_set1_spki has no upstream equivalent; the upstream
  constructor takes EVP_PKEY* directly, so set_spki_bytes is removed
  from the Rust API.

  SSL_CTX_get0_server_certificate_types and
  SSL_get0_server_certificate_types have no upstream equivalent and
  are removed from the Rust API.

  The rpk Cargo feature flag is preserved and continues to gate the
  Rust API surface.

boring-sys/Cargo.toml:
  Added *.cpp and *.in to the include list for cargo publish, as the
  new BoringSSL version includes third_party/benchmark files that use
  these extensions.

Author: johnhurt

boring-sys/Cargo.toml

@@ -33,6 +33,8 @@ include = [
     "/deps/boringssl/crypto/err/*.errordata",
     "/deps/boringssl/**/*.bzl",
     "/deps/boringssl/**/*.cc",
+    "/deps/boringssl/**/*.cpp",
+    "/deps/boringssl/**/*.in",
     "/deps/boringssl/**/CMakeLists.txt",
     "/deps/boringssl/**/sources.cmake",
     "/deps/boringssl/**/util/go_tests.txt",

boring-sys/build/config.rs

@@ -107,7 +107,7 @@ impl Config {
             );
         }
 
-        let features_with_patches_enabled = self.features.rpk || self.features.underscore_wildcards;
+        let features_with_patches_enabled = self.features.underscore_wildcards;
 
         let patches_required = features_with_patches_enabled && !self.env.assume_patched;
 

boring-sys/build/main.rs

@@ -443,13 +443,10 @@ fn ensure_patches_applied(config: &Config) -> io::Result<()> {
             native BoringSSL is expected to have the patches included"
         );
         return Ok(());
-    } else if config.env.source_path.is_some()
-        && (config.features.rpk || config.features.underscore_wildcards)
-    {
+    } else if config.env.source_path.is_some() && config.features.underscore_wildcards {
         panic!(
             "BORING_BSSL_ASSUME_PATCHED must be set when setting
-               BORING_BSSL_SOURCE_PATH and using any of the following
-               features: rpk, underscore-wildcards"
+               BORING_BSSL_SOURCE_PATH and using the underscore-wildcards feature"
         );
     }
 
@@ -467,10 +464,7 @@ fn ensure_patches_applied(config: &Config) -> io::Result<()> {
     println!("cargo:warning=applying post quantum crypto patch to boringssl");
     apply_patch(config, "boring-pq.patch")?;
 
-    if config.features.rpk {
-        println!("cargo:warning=applying RPK patch to boringssl");
-        apply_patch(config, "rpk.patch")?;
-    }
+    // RPK support is now native to BoringSSL; no patch needed.
 
     if config.features.underscore_wildcards {
         println!("cargo:warning=applying underscore wildcards patch to boringssl");