Log message:
security/gnutls: remove unknown configure options

The option --enable-lzo was removed in 2011, the option
--enable-local-libopts was removed in January 2022.

Bump PKGREVISION.

Log message:
gnutls: updated to 3.7.3

Version 3.7.3 (released 2022-01-17)

** libgnutls: The allowlisting configuration mode has been added to the system-wide
   settings. In this mode, all the algorithms are initially marked as insecure
   or disabled, while the applications can re-enable them either through the
   [overrides] section of the configuration file or the new API.

** The build infrastructure no longer depends on GNU AutoGen for generating
   command-line option handling, template file parsing in certtool, and
   documentation generation. This change also removes run-time or
   bundled dependency on the libopts library, and requires Python 3.6 or later
   to regenerate the distribution tarball.

   Note that this brings in known backward incompatibility in command-line
   tools, such as long options are now case sensitive, while previously they
   were treated in a case insensitive manner: for example --RSA is no longer a
   valid option of certtool. The existing scripts using GnuTLS tools may need
   adjustment for this change.

** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and
   used as a gnutls_privkey_t. The code was originally written for the
   OpenConnect VPN project by David Woodhouse. To generate such blobs, use the
   tpm2tss-genkey tool from tpm2-tss-engine:
   https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
   or the tpm2_encodeobject tool from unreleased tpm2-tools.

** libgnutls: The library now transparently enables Linux KTLS
   (kernel TLS) when the feature is compiled in with --enable-ktls configuration
   option. If the KTLS initialization fails it automatically falls back
   to the user space implementation.

** certtool: The certtool command can now read the Certificate Transparency
   (RFC 6962) SCT extension.  New API functions are also provided to
   access and manipulate the extension values.

** certtool: The certtool command can now generate, manipulate, and evaluate
   x25519 and x448 public keys, private keys, and certificates.

** libgnutls: Disabling a hashing algorithm through "insecure-hash"
   configuration directive now also disables TLS ciphersuites that use it as a
   PRF algorithm.

** libgnutls: PKCS#12 files are now created with modern algorithms by default.
   Previously certtool used PKCS12-3DES-SHA1 for key derivation and
   HMAC-SHA1 as an integity measure in PKCS#12.  Now it uses AES-128-CBC with
   PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
   default PBKDF2 iteration count has been increased to 600000.

** libgnutls: PKCS#12 keys derived using GOST algorithm now uses
   HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to
   conform with the latest TC-26 requirements.

** libgnutls: The library now provides a means to report the status of approved
   cryptographic operations. To adhere to the FIPS140-3 IG 2.4.C., this
   complements the existing mechanism to prohibit the use of unapproved
   algorithms by making the library unusable state.

** gnutls-cli: The gnutls-cli command now provides a --list-config option to
   print the library configuration.

** libgnutls: Fixed possible race condition in
   gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared
   among multiple threads. [GNUTLS-SA-2022-01-17, CVSS: low]

** API and ABI modifications:
GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags
gnutls_ecc_curve_set_enabled: Added.
gnutls_sign_set_secure: Added.
gnutls_sign_set_secure_for_certs: Added.
gnutls_digest_set_secure: Added.
gnutls_protocol_set_enabled: Added.
gnutls_fips140_context_init: New function
gnutls_fips140_context_deinit: New function
gnutls_fips140_push_context: New function
gnutls_fips140_pop_context: New function
gnutls_fips140_get_operation_state: New function
gnutls_fips140_operation_state_t: New enum
gnutls_transport_is_ktls_enabled: New function
gnutls_get_library_configuration: New function

Log message:
gnutls: add lzo option

Based on PR 56601 by Vladimir Stupin.

Log message:
gnutls: fix builds on Solaris 10

Addresses PR pkg/56500 from Claes Nästén.

Log message:
revbump for icu and libffi

Log message:
security: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo \ 
cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2

Log message:
security: Remove SHA1 hashes for distfiles

Log message:
revbump for boost-libs

Log message:
gnutls: update to 3.7.2.

* Version 3.7.2 (released 2021-05-29)

** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added
   to disable TLS 1.3 middlebox compatibility mode

** libgnutls: The Linux kernel AF_ALG based acceleration has been added.
   This can be enabled with --enable-afalg configure option, when libkcapi
   package is installed (#308).

** libgnutls: Fixed timing of early data exchange. Previously, the client was
   sending early data after receiving Server Hello, which not only negates the
   benefit of 0-RTT, but also works under certain assumptions hold (e.g., the
   same ciphersuite is selected in initial and resumption handshake) (#1146).

** certtool: When signing a CSR, CRL distribution point (CDP) is no longer
   copied from the signing CA by default (#1126).

** libgnutls: The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to
   GNUTLS_NO_IMPLICIT_INIT to reflect the purpose (#1178). The former is now
   deprecated and will be removed in the future releases.

** certtool: When producing certificates and certificate requests, subject DN
   components that are provided individually will now be ordered by
   assumed scale (e.g. Country before State, Organization before
   OrganizationalUnit).  This change also affects the order in which
   certtool prompts interactively.  Please rely on the template
   mechanism for automated use of certtool! (#1243)

** API and ABI modifications:
gnutls_early_cipher_get: Added
gnutls_early_prf_hash_get: Added

Log message:
*: recursive bump for perl 5.34