Log message:
security/botan: fix build on 32-bit powerpc systems (non-VSX).

Ref. https://github.com/randombit/botan/issues/3958

Log message:
botan3: uses sqlite3_changes64, so needs sqlite3 3.37.0

Log message:
*: recursive bump for botan3

Log message:
botan3: remove merged patch

Log message:
*botan3: update to 3.3.0

Version 3.3.0, 2024-02-20
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Fix a potential denial of service caused by accepting arbitrary
  length primes as potential elliptic curve parameters in ASN.1
  encodings. With very large inputs the primality verification
  can become computationally expensive. Now any prime field larger
  than 1024 bits is rejected immediately. Reported by Bing Shi.
  (GH #3913)

* Add FrodoKEM post-quantum KEM (GH #3679 #3807 #3892)

* Add support for Blake2s (GH #3796)

* Add support for RFC 7250 in TLS 1.3 to allow authenticating peers
  using raw public keys (GH #3771)

* Update the BSI TLS policy to match the latest TR, particularly
  enabling support for TLS 1.3 (GH #3809)

* Add AsymmetricKey::generate_another() to generate a new key of the
  same type and parameters as an existing key (GH #3770 #3786)

* Add Private_Key::remaining_operations() that indicates the number of
  remaining signatures for stateful hash-based signatures (GH #3821)

* Add implementation of EC_PrivateKey::check_key() (GH #3782 #3804)

* Add hardware acceleration for SHA-512 on ARMv8 (GH #3860 #3864)

* X.509 certificates that contain Authority Information Access (AIA)
  extensions can now be encoded (GH #3784)

* Various functions defined in ``mem_ops.h`` are now deprecated
  for public use (GH #3759 #3752 #3757)

* The ASIO TLS stream can now be used with C++20 coroutines (GH #3764)

* New public header asio_compat.h to check compatibility of the ASIO
  TLS stream with the available boost version (1.73.0+) (GH #3765)

* Flatten input buffer sequences in the ASIO TLS stream to avoid
  creating unnecessarily small TLS records (GH #3839)

* Hard-rename the potentially harmful build configuration flag
  --terminate-on-asserts to --unsafe-terminate-on-asserts (GH #3755)

* Use modern SQLite3 APIs with integer width annotations from SQLite3 3.37
  (GH #3788 #3793)

* Generate and install a CMake package config file (botan-config.cmake)
  (GH #3722 #3827 #3830 #3825)

* Add TLS::Channel::is_handshake_complete() predicate method (GH #3762)

* Add support for setting thread names on Haiku OS and DragonflyBSD
  (GH #3758 #3785)

* Use /Zc:throwingNew with MSVC (GH #3858)

* Work around a warning in GCC 13 (GH #3852)

* Add a CLI utility for testing RSA side channels using the MARVIN
  toolkit (GH #3749)

* CLI utility 'tls_http_server' is now based on Boost Beast
  (GH #3763 #3791)

* CLI utility 'tls_client_hello' can detect and handle TLS 1.3 messages
  (GH #3820)

* Add a detailed migration guide for users of OpenSSL 1.1 (GH #3815)

* Various updates to the documentation and code examples
  (GH #3777 #3805 #3802 #3794 #3815 #3823 #3828 #3842 #3841 #3849 #3745)

* Fixes and improvements to the build experience using ``ninja``
  (GH #3751 #3750 #3769 #3798 #3848)

* Fix handling of cofactors when performing scalar blinding in EC (GH #3803)

* Fix potential timing side channels in Kyber (GH #3846 #3874)

* Fix a potential dangling reference resulting in a crash in the OCB
  mode of operation (GH #3814)

* Fix validity checks in the construction of the ASIO TLS stream
  (GH #3766)

* Fix error code handling in ASIO TLS stream (GH #3795 #3801 #3773)

* Fix a TLS 1.3 assertion failure that would trigger if the
  application callback returned an empty certificate chain. (GH #3754)

* Fix a RFC 7919 conformance bug introduced in 3.2.0, where the TLS
  server would fail to reject a client hello that advertised (only)
  FFDHE groups that are not known to us. (GH #3743 #3742 #3729)

* Fix that modifications made in TLS::Callbacks::tls_modify_extensions()
  for the TLS 1.3 Certificate message were not being applied. (GH #3792)

* Fix string mapping of the PKCS#11 mechanism RSA signing mechanism that
  use SHA-384 (GH #3868)

* Fix a build issue on NetBSD (GH #3767)

* Fix the configure.py to avoid recursing out of our source tree (GH #3748)

* Fix various clang-tidy warnings (GH #3822)

* Fix CLI tests on windows and enable them in CI (GH #3845)

* Use ``BufferStuffer`` and ``concat`` helpers in public key code
  (GH #3756 #3753)

* Add a nightly test to ensure hybrid TLS 1.3 PQ/T compatibility with
  external implementations (GH #3740)

* Internal memory operation helpers are now memory container agnostic
  using C++20 ranges (GH #3715 #3707)

* Public and internal headers are now clearly separated in the build
  directory. That restricts the examples build target to public headers.
  (GH #3880)

* House keeping for better code formatting with clang-format
  (GH #3862 #3865)

* Build documentation in CI and fail on warnings or errors (GH #3838)

* Work around a GitHub Actions CI issue (actions/runner-images#8659)
  (GH #3783 #3833 #3888)

Log message:
revbump for boost-libs

Log message:
*: recursive bump for icu 74.1

Log message:
botan3: add upstream bug report URL

Log message:
botan3: update to 3.2.0.

Version 3.2.0, 2023-10-09
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Add support for (experimental!) post-quantum secure key exchange
  in TLS 1.3 (GH #3609 #3732 #3733 #3739)

* Add support for TLS PSK (GH #3618)

* Add a first class interface for XOFs (GH #3671 #3672 #3701)

* Add KMAC from NIST SP 800-185 (GH #3689)

* Add cSHAKE XOF; currently this is not exposed to library users but
  is only for deriving further cSHAKE derived functions. (GH #3671)

* Add improved APIs for key encapsulation (GH #3611 #3652 #3653)

* As Kyber's 90s mode is not included in the NIST draft specification,
  and most implementations only support the SHAKE based mechanism,
  the Kyber 90s mode is now deprecated. (GH #3695)

* Previously ``KyberMode`` enums had elements like ``Kyber512`` to identify the
  scheme. These have changed to have ``_R3`` suffixes (like ``Kyber512_R3``) to
  clearly indicate these are not the final version but is instead the version
  from round3 of the PQC competition. The old names continue on as (deprecated)
  aliases. (GH #3695)

* Fix bugs in various signature algorithms where if a signature
  operation was used after the key object had been deleted, a use
  after free would occur. (GH #3702)

* The types defined in pubkey.h can now be moved (GH #3655)

* Add the Russian block cipher Kuznyechik (GH #3680 #3724)

* The ``TLS::Group_Params`` enum is now a class which emulates the
  behavior of the enumeration. (GH #3729)

* Implement serialization for the Certificate Authority TLS extension
  (GH #3687)

* Refactored the internal buffering logic of most hash functions
  (GH #3705 #3693 #3736)

* Add OS support for naming threads; now Botan thread pool threads
  are identified by name. (GH #3628 #3738)

* Updated the TLS documentation to reflect TLS 1.3 support and
  the removal of TLS 1.0 and 1.1. (GH #3708)

* Upon deserialization, the ``EC_Group`` type now tracks the encoding
  which was used to create it. This is necessary to implement policies
  which prohibit use of explicit curve encodings (which are in any case
  deprecated). (GH #3665)

* If compiling against an old glibc which does not support the ``getrandom``
  call, now the raw syscall is used instead. (GH #3688 #3685)

* On MinGW the global thread pool is disabled by default (GH #3726 #2582)

* Various internal functions now use ``std::span`` instead of raw pointers
  plus length field. NOTE: any implementations of ``BlockCipher``, ``HashFunction``
  etc that live outside the library will have to be updated. This is not covered
  by the SemVer guarantee; see ``doc/sem_ver.rst`` (GH #3684 #3681 #3713 #3714
  #3698 #3696)

* Add helper for buffer alignment, and adopt it within the hash function
  implementations. (GH #3693)

* Added support for encoding CRL Distribution Points extension in new
  certificates (GH #3712)

* Internal refactoring of SHA-3 to support further SHA-3 derived functionality
  (GH #3673)

* Add support for testing using TLS-Anvil (GH #3651) and fix a few cases
  where the TLS implementation sent the incorrect alert type in various
  error cases which were discovered using TLS-Anvil (GH #3676)

* Add initial (currently somewhat experimental) support for using the ninja
  build system as an alternative to make. (GH #3677)

* Remove an unused variable in BLAKE2b (GH #3624)

* Fix a number of clang-tidy warnings in the headers (GH #3646)

* Add checks for invalid length AD in Argon2 (GH #3626)

* CI now uses Android NDK 26, and earlier NDKs are not supported
  due to limitations of the C++ library in earlier NDKs (GH #3718)

* Improve support for IBM's XLC compiler (GH #3730)

* Avoid compilation failures when using ``-Werror`` mode with GCC 12
  due to spurious warnings in that version. (GH #3711 #3709)

Log message:
botan3: add missing ${.CURDIR}