Update CRT submodules to latest releases #1053

Merged
merged 1 commit into from
Oct 4, 2024

@monthonk monthonk commented Oct 4, 2024

Description of change

Pull in the latest CRT libraries and scope down some exclude entries.

Full CRT changelog
Submodule mountpoint-s3-crt-sys/crt/aws-lc 2f187975..8b2ebfcf:
  > Prepare release 1.36.1 (#1906)
  > Add and move OCSP no-op flags to own section (#1902)
  > Detect all Apple M* CPUs and enable the wide multiplier assembly implementations (#1901)
  > Github action asserting license statement in PR description (#1892)
  > Fix OCSP timebomb in tests (#1891)
  > Use larger instance for c6g fips (#1899)
  > Improve build and fix X509 test failures for Ruby (#1887)
  > Remove nginx-tests patch now that upstream supports AWS-LC (#1898)
  > Fix pkg-config files (#1890)
  > Prepare release v1.36.0 (#1885)
  > Add explanation for FIPS 203 encaps and decaps input validation (#1884)
  > Add KBKDF counter HMAC KAT to self-test. (#1882)
  > ML-KEM encaps key modulus check optimization (#1874)
  > Fix flaky ssl BadKemKeyShare tests (#1876)
  > Adding a runtime dis/enabler of DIT Capability on AArch64. (#1783)
  > Extend #1869, update Intel SDE; Enable Linux AVX512 IFMA usage (#1871)
  > Update Service Indicator to handle custom crypto through *_METHOD structs (#1857)
  > support building on illumos systems (#1854)
  > ML-KEM decapsulation key hash check (#1873)
  > Add docker image for gcc 7.2 (#1863)
  > ML-KEM encapsulation key modulus check (#1868)
  > Map certs with ITUT X509 to our RSA implementation (#1754)
  > Add return checks on SHA3 functions in ML-KEM (#1859)
  > Update s2n-bignum subtree (#1865)
  > Quell static-analysis concern about div-by-0 (#1866)
  > Check for null return pointers in pem_test.cc (#1855)
  > preparing for v1.35.1 release (#1867)
  > Disable CRYPTO_is_AVX512IFMA_capable (#1858)
  > Add asserts in testing to fix Coverity alert (#1864)
  > Update s2n-bignum subtree  (#1861)
  > add support for PEM_write_bio_PrivateKey_traditional (#1845)
  > Add MLKEM768 Hybrid Groups to libssl (#1849)
  > Implementation of EVP_PKEY_CTX_ctrl_str for various key types (#1850)
  > More tweaks for Ruby integration (#1852)
  > prepare for v1.35.0 release (#1853)
  > AVX-512 support for RSA Signing (#1273)
  > Migrated ML-KEM SHA3/SHAKE usage to fipsmodule (#1851)
  > Added SHA3/SHAKE XOF functionality (#1839)
  > Add support for `EVP_PKEY_CTX_ctrl_str` - Step #1 (#1842)
  > Ensure SSE2 is enabled when using optimized assembly for 32-bit x86 (#1841)
  > Add OpenVPN tip of main to CI (#1843)
  > Add support for PEM Parameters without ASN1 hooks (#1831)
  > Make EDDSA/Ed25519 POST lazy initalized (#1848)
  > Add ED25519 ACVP Testing (#1818)
  > Update Allowed RSA KeySize Generation to FIPS 186-5 specification (#1823)
  > ED25519 Service Indicator (#1829)
  > Add ML-KEM CAST for KeyGen, Encaps, and Decaps (#1846)
  > ML-KEM Service Indicator for EVP_PKEY_keygen, EVP_PKEY_encapsulate, EVP_PKEY_decapsulate (#1844)
  > ACVP ECDSA SHA3 Digest Testing (#1819)
  > ACVP ML-KEM testing (#1840)
  > ED25519 Power-on Self Test / CAST / KAT (#1834)
  > More minor symbols Ruby depends on (#1837)
  > Move EVP KEM implementation to in-module and correct OID (#1838)
  > Pre jail unit test (#1835)
  > Update benchmark documentation in tool/readme.md (#1812)
  > Refactor RSA_METHOD and expand API (#1790)
  > Retire out-of-module KEM folder (#1832)
  > fix socat integration CI (#1833)
  > Move KEM API and ML-KEM definitions to FIPS module (#1828)
  > Run clang-format on pkcs7 code (#1830)
  > Add various PKCS7 getters and setters (#1780)
  > Add OCSP round trip integration test with minor fixes (#1811)
  > Improve pre-sandbox setup (#1825)
  > Avoid C11 Atomics on Windows (#1824)
  > Move EVP ed25519 function table under FIPS module (#1826)
  > Begin tracking RelWithDebInfo library statistics (#1822)
  > Make SHA3 (not SHAKE) Approved for EVP_DigestSign/Verify, RSA and ECDSA. (#1821)
  > Wire-up ACVP Testing for SHA3 Signatures with RSA (#1805)
  > Add EVP_Digest one-shot test XOFs (#1820)
  > Add KDA OneStep (SSKDF_digest and SSKDF_hmac) to FIPS indicator (#1793)
  > Cherrypick "Add some barebones support for DH in EVP"  (#1813)
  > Replace ECDSA_METHOD with EC_KEY_METHOD and add the associated API (#1785)
  > Upstream merge 2024 08 23 (#1799)
  > Improve portability of CI integration script (#1815)
  > Add EVP_PKEY_asn1_* functions (#1751)
  > Add ML-KEM to speed.cc, bump AWSLC_API_VERSION to 30 (#1817)
  > Update x509 tool to write all output to common BIO which is a file or stdout (#1800)
  > KBKDF_ctr_hmac FIPS Service Indicator (#1798)
  > Fix GitHub/CodeBuild Purge Lambda (#1808)
  > add support for OCSP_request_verify (#1778)
  > Add KDF in counter mode ACVP Testing (#1810)
  > NASM use default debug format (#1747)
  > Remove custom PKCS7 ASN1 functions, add new structs (#1726)
  > Add CAST for SP 800-56Cr2 One-Step function (#1803)
  > Move curve25519 implementations to fips module except spake25519 (#1809)
  > Add CI for FreeBSD (#1787)
  > Avoid matching prefixes of a symbol as arm registers (#1807)
  > Check at runtime that the tool is loading the same libcrypto it was built with (#1716)
  > bn: Move x86-64 argument-based dispatching of bn_mul_mont to C. (#1795)
  > Refactor ENGINE API and memory around METHOD structs (#1776)
  > Reduce collision probability for variable names (#1804)
  > ML-KEM move to the FIPS module (#1802)
  > Upstream merge 2024 08 19 (#1781)
  > Drop "ipd" suffix from ML-KEM related code (#1797)
  > No-op impls for several EVP_PKEY_CTX functions (#1759)
  > Updating erroneous documentation for BIO_get_mem_data and subsequent usage (#1752)
  > Add KDA OneStep testing to ACVP (#1792)
  > ML-KEM-IPD to ML-KEM as defined in FIPS 203 (#1796)
  > ML-KEM refactor (#1763)
  > Use OPENSSL_STATIC_ASSERT which handles all the platform/compiler/C s… (#1791)
Submodule mountpoint-s3-crt-sys/crt/s2n-tls 08d413a0..ead40c53:
  > refactor: make s2n_array_len constant (#4801)
  > feature(bindings): scheduled renegotiation via poll_recv (#4764)
  > Update PQ code to be generic over EVP_KEM API's (#4810)
  > refactor(bindings): add general bindings error context (#4811)
  > ci: adding CTest memcheck to CodeBuild (#4776)
  > Revert "test: disallow explict use of "default" policy in tests (#4750)" (#4812)
  > ci: check for s2n_array_len in loop bounds  (#4802)
  > ci: use clang to build awslc (#4794)
  > ci: run clippy on all features (#4809)
  > docs: Update certificate loading documentation (#4790)
  > test: only build requested unit tests in nix (#4770)
  > refactor: clean up CMakelists.txt (#4779)
  > fix: pem parsing should allow single dashes in comments (#4787)
  > ci: use temporary directory for s2n_head build (#4771)
  > fix(bindings): handle failures from wipe (#4798)
  > fix: don't iterate over certs if not validating certs (#4797)
  > ci: add buildspec file for scheduled fuzzing (#4763)
  > Al2023 codebuild (#4756)
  > test: disallow explict use of "default" policy in tests (#4750)
  > chore: bindings release 0.3.3 (#4791)
  > docs: clarify pre-TLS1.2 support (#4780)
  > fix: update ja4 compliance (#4773)
  > chore(bindings): pin unicode-width (#4785)
  > ci: refactor fuzz buildspec (#4783)
  > docs(bindings): example for Policy::from_version (#4731)
  > test: refactor pcap test to use version from rtshark (#4774)
  > test: use seccomp on handshake test (#4768)
  > ci: use newer version of libFuzzer (#4762)
  > test: avoid mutating static configs in tests (#4749)
  > chore(bindings): release 0.3.2 (#4760)
  > ci: Emit CloudWatch metrics from rust benchmarks (#4742)
  > CI: enable fuzz test build with cmake (#4743)
  > fix: update handling of ja4 alpn edge cases (#4755)
  > fix(bindings): update cc and unpin jobserver (#4758)
  > fix: add missing null-checks in s2n_connection.c (#4754)

Does this change impact existing behavior?

No

Does this change need a changelog entry in any of the crates?

No


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and I agree to the terms of the Developer Certificate of Origin (DCO).

@monthonk monthonk temporarily deployed to PR integration tests October 4, 2024 13:20 — with GitHub Actions Inactive

@dannycjones dannycjones left a comment

LGTM, thanks for adding the scoping on .txt

@monthonk monthonk added this pull request to the merge queue Oct 4, 2024
Merged via the queue into awslabs:main with commit 2b36e67 Oct 4, 2024
23 checks passed
@monthonk monthonk deleted the update_crt branch October 4, 2024 14:23
rajdchak pushed a commit to rajdchak/mountpoint-s3-fork that referenced this pull request Oct 8, 2024
rajdchak added a commit to rajdchak/mountpoint-s3-fork that referenced this pull request Oct 8, 2024