gnutls/SOURCES/gnutls-3.7.2-config-allowli...


2021-11-04 00:21:16 +00:00
diff -ruN gnutls-3.7.2/aminclude_static.am gnutls-3.7.2-bootstrapped/aminclude_static.am
--- gnutls-3.7.2/aminclude_static.am 2021-05-29 10:11:18.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/aminclude_static.am 2021-06-28 09:11:35.000000000 +0200
@@ -1,6 +1,6 @@
# aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Sat May 29 10:11:18 CEST 2021
+# from AX_AM_MACROS_STATIC on Mon Jun 28 09:11:35 CEST 2021
# Code coverage
diff -ruN gnutls-3.7.2/AUTHORS gnutls-3.7.2-bootstrapped/AUTHORS
--- gnutls-3.7.2/AUTHORS 2021-05-29 10:22:59.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/AUTHORS 2021-06-28 09:56:13.000000000 +0200
@@ -37,8 +37,8 @@
Kevin Cernekee <cernekee at gmail.com>
Nikolay Sivov <nsivov at codeweavers.com>
Sahana Prasad <sahana at redhat.com>
-Michael Catanzaro <mcatanzaro at gnome.org>
Alexander Sosedkin <asosedkin at redhat.com>
+Michael Catanzaro <mcatanzaro at gnome.org>
Daniel Lenski <dlenski at gmail.com>
JonasZhou <JonasZhou at zhaoxin.com>
Stefan Sørensen <stefan.sorensen at spectralink.com>
diff -ruN gnutls-3.7.2/ChangeLog gnutls-3.7.2-bootstrapped/ChangeLog
--- gnutls-3.7.2/ChangeLog 2021-05-29 10:23:25.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/ChangeLog 2021-06-28 09:56:40.000000000 +0200
@@ -1,4 +1,63 @@
Author: Daiki Ueno <ueno@gnu.org>
+Date: Mon Jun 28 07:04:55 2021 +0200
+
+ tests: set SH_LOG_COMPILER so sh tests run under $(SHELL)
+
+ This omits the need of setting executable bits on shell script tests.
+
+ Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Author: Daiki Ueno <ueno@gnu.org>
+Date: Thu May 6 12:41:40 2021 +0200
+
+ priority: support allowlisting in configuration file
+
+ This adds a new mode of interpreting the [overrides] section. If
+ "override-mode" is set to "allowlisting" in the [global] section, all
+ the algorithms (hashes, signature algorithms, curves, and versions)
+ are initially marked as insecure/disabled. Then the user can enable
+ them by specifying allowlisting keywords such as "secure-hash" in the
+ [overrides] section.
+
+ Signed-off-by: Daiki Ueno <ueno@gnu.org>
+ Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Author: Daiki Ueno <ueno@gnu.org>
+Date: Wed May 5 16:27:55 2021 +0200
+
+ priority: refactor config file parsing
+
+ This adds the following refactoring:
+
+ - avoid side-effects during parsing the config file, by separating
+ application phase; the parsed configuration can be applied globally
+ with cfg_apply, after validation
+ - make _gnutls_*_mark_{disabled,insecure} take an ID instead of the
+ name
+
+ Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Author: Daiki Ueno <ueno@gnu.org>
+Date: Fri Jun 11 06:58:43 2021 +0200
+
+ priority: reflect system wide config when constructing sigalgs
+
+ Otherwise the client would advertise signature algorithms which it
+ cannot use and cause handshake to fail.
+
+ Reported by Philip Schaten in:
+ https://lists.gnupg.org/pipermail/gnutls-help/2021-June/004711.html
+
+ Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Author: Daiki Ueno <ueno@gnu.org>
+Date: Wed Jun 9 14:29:11 2021 +0200
+
+ p11tool: mention how CKA_IDs of certs are calculated upon --write
+
+ Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Author: Daiki Ueno <ueno@gnu.org>
Date: Sat May 29 07:18:17 2021 +0200
Release 3.7.2
@@ -49224,3 +49283,13 @@
Date: Fri Nov 7 10:22:11 2014 +0100
doc: corrected values for INSECURE level
+
+Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Fri Nov 7 08:55:40 2014 +0100
+
+ pkcs11: support the CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE flags
+
+Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Fri Nov 7 08:44:46 2014 +0100
+
+ pkcs11: added the flag GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH
diff -ruN gnutls-3.7.2/doc/cha-config.texi gnutls-3.7.2-bootstrapped/doc/cha-config.texi
--- gnutls-3.7.2/doc/cha-config.texi 2021-05-10 16:34:47.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/cha-config.texi 2021-06-28 09:09:14.000000000 +0200
@@ -74,6 +74,7 @@
@item @code{insecure-sig-for-cert}: to mark the signature algorithm as insecure when used in certificates.
@item @code{insecure-sig}: to mark the signature algorithm as insecure for any use.
@item @code{insecure-hash}: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms).
+@item @code{disabled-curve}: to disable the specified elliptic curve.
@item @code{disabled-version}: to disable the specified TLS versions.
@item @code{tls-disabled-cipher}: to disable the specified ciphers for use in the TLS or DTLS protocols.
@item @code{tls-disabled-mac}: to disable the specified MAC algorithms for use in the TLS or DTLS protocols.
@@ -82,11 +83,39 @@
@end itemize
Each of the options can be repeated multiple times when multiple values need
-to be disabled.
+to be disabled or enabled.
The valid values for the options above can be found in the 'Protocols', 'Digests'
'PK-signatures', 'Protocols', 'Ciphrers', and 'MACs' fields of the output of @code{gnutls-cli --list}.
+Sometimes the system administrator wants to enable only specific
+algorithms, despite the library defaults. GnuTLS provides an
+alternative mode of overriding: allowlisting.
+
+In the allowlisting mode, all the algorithms are initially marked as
+insecure or disabled, and shall be explicitly turned on by the options
+in the @code{[overrides]} section. Those options are mutually
+exclusive to the above ones for the blocklisting mode (the default)
+@itemize
+@item @code{secure-sig-for-cert}: to mark the signature algorithm as secure when used in certificates.
+@item @code{secure-sig}: to mark the signature algorithm as secure for any use.
+@item @code{secure-hash}: to mark the hash algorithm as secure for digital signature use (provides a more generic way to enable digital signatures for broken hash algorithms).
+@item @code{enabled-curve}: to enable the specified elliptic curve.
+@item @code{enabled-version}: to enable the specified TLS versions.
+@item @code{tls-enabled-cipher}: to enable the specified ciphers for use in the TLS or DTLS protocols.
+@item @code{tls-enabled-mac}: to enable the specified MAC algorithms for use in the TLS or DTLS protocols.
+@item @code{tls-enabled-group}: to enable the specified group for use in the TLS or DTLS protocols.
+@item @code{tls-enabled-kx}: to enable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier).
+@end itemize
+
+The allowlisting mode can be enabled by adding @code{override-mode =
+allowlist} in the @code{[global]} section.
+
+When the allowlisting mode is in effect, it is also possible for the applications to modify the setting through the API.
+
+@showfuncD{gnutls_ecc_curve_mark_enabled,gnutls_sign_mark_secure,gnutls_digest_mark_secure,gnutls_protocol_mark_enabled}
+@showfuncD{gnutls_ecc_curve_mark_disabled,gnutls_sign_mark_insecure,gnutls_digest_mark_insecure,gnutls_protocol_mark_disabled}
+
@subsection Examples
The following example marks as insecure all digital signature algorithms
@@ -120,6 +149,20 @@
tls-disabled-group = group-ffdhe8192
@end example
+The following example demonstrates the use of the allowlisting
+mode. It disables all the signature algorithms but
+@code{RSA-SHA256}. Note that the hash algorithm @code{SHA256} also
+needs to be explicitly enabled.
+
+@example
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = sha256
+secure-sig = rsa-sha256
+@end example
+
@node Querying for disabled algorithms and protocols
@section Querying for disabled algorithms and protocols
diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure
--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,12 @@
+
+
+
+
+@deftypefun {int} {gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
+@var{dig}: is a digest algorithm
+
+Mark @code{dig} as insecure system wide. This only works if the allowlisting mode
+is used in the configuration file.
+
+@strong{Since:} 3.7.3
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure.short
--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_insecure.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_insecure.short 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure
--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,12 @@
+
+
+
+
+@deftypefun {int} {gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
+@var{dig}: is a digest algorithm
+
+Invalidate previous system wide setting that marked @code{dig} as insecure. This
+only works if the allowlisting mode is used in the configuration file.
+
+@strong{Since:} 3.7.3
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure.short
--- gnutls-3.7.2/doc/functions/gnutls_digest_mark_secure.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_digest_mark_secure.short 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled
--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,15 @@
+
+
+
+
+@deftypefun {int} {gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
+@var{curve}: is an ECC curve
+
+Mark @code{curve} as disabled system wide. This setting can be reverted with
+@code{gnutls_ecc_curve_mark_enabled()} . This only works if the configuration file
+uses the allowlisting mode.
+
+@strong{Returns:} 0 on success or negative error code otherwise.
+
+@strong{Since:} 3.7.3
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled.short
--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_disabled.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_disabled.short 2021-06-28 09:39:51.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled
--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,15 @@
+
+
+
+
+@deftypefun {int} {gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
+@var{curve}: is an ECC curve
+
+Invalidate previous system wide setting that marked @code{curve} as disabled. This
+only works if the curve is disabled with @code{gnutls_ecc_curve_mark_disabled()} or
+through the allowlisting mode in the configuration file.
+
+@strong{Returns:} 0 on success or negative error code otherwise.
+
+@strong{Since:} 3.7.3
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled.short
--- gnutls-3.7.2/doc/functions/gnutls_ecc_curve_mark_enabled.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_ecc_curve_mark_enabled.short 2021-06-28 09:39:51.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled
--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,10 @@
+
+
+
+
+@deftypefun {int} {gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
+@var{version}: is a (gnutls) version number
+
+Mark @code{version} as disabled system wide. This only works if the allowlisting
+mode is used in the configuration file.
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled.short
--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_disabled.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_disabled.short 2021-06-28 09:39:51.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled
--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,11 @@
+
+
+
+
+@deftypefun {int} {gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
+@var{version}: is a (gnutls) version number
+
+Invalidate previous system wide setting that marked @code{version} as
+disabled. This only works if the allowlisting mode is used in the
+configuration file.
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled.short
--- gnutls-3.7.2/doc/functions/gnutls_protocol_mark_enabled.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_protocol_mark_enabled.short 2021-06-28 09:39:51.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure
--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,18 @@
+
+
+
+
+@deftypefun {int} {gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
+@var{sign}: the sign algorithm
+
+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
+
+Mark @code{sign} as insecure system wide. This only works if the
+allowlisting mode is used in the configuration file.
+
+If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
+and the algorithm was previously considered secure for all purposes,
+it only marks the algorithm as insecure for the use with certificates.
+
+@strong{Since:} 3.7.3
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure.short
--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_insecure.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_insecure.short 2021-06-28 09:39:51.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure
--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure 2021-06-28 09:39:50.000000000 +0200
@@ -0,0 +1,22 @@
+
+
+
+
+@deftypefun {int} {gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
+@var{sign}: the sign algorithm
+
+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
+
+Invalidate previous system wide setting that marked @code{sign} as
+insecure. This only works if the algorithm is marked as insecure
+with @code{gnutls_sign_mark_insecure()} or through the allowlisting mode
+in the configuration file.
+
+If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
+it marks it the algorithm as secure for all purposes.
+If the absence of this flag, it will mark it as
+"secure, but not for certificates" at most,
+but it won't restrict anything either.
+
+@strong{Since:} 3.7.3
+@end deftypefun
diff -ruN gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure.short gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure.short
--- gnutls-3.7.2/doc/functions/gnutls_sign_mark_secure.short 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/functions/gnutls_sign_mark_secure.short 2021-06-28 09:39:51.000000000 +0200
@@ -0,0 +1 @@
+@item @var{int} @ref{gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
diff -ruN gnutls-3.7.2/doc/gnutls-api.texi gnutls-3.7.2-bootstrapped/doc/gnutls-api.texi
--- gnutls-3.7.2/doc/gnutls-api.texi 2021-05-29 10:19:28.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/gnutls-api.texi 2021-06-28 09:39:50.000000000 +0200
@@ -2706,6 +2706,28 @@
integers indicating the available digests.
@end deftypefun
+@subheading gnutls_digest_mark_insecure
+@anchor{gnutls_digest_mark_insecure}
+@deftypefun {int} {gnutls_digest_mark_insecure} (gnutls_digest_algorithm_t @var{dig})
+@var{dig}: is a digest algorithm
+
+Mark @code{dig} as insecure system wide. This only works if the allowlisting mode
+is used in the configuration file.
+
+@strong{Since:} 3.7.3
+@end deftypefun
+
+@subheading gnutls_digest_mark_secure
+@anchor{gnutls_digest_mark_secure}
+@deftypefun {int} {gnutls_digest_mark_secure} (gnutls_digest_algorithm_t @var{dig})
+@var{dig}: is a digest algorithm
+
+Invalidate previous system wide setting that marked @code{dig} as insecure. This
+only works if the allowlisting mode is used in the configuration file.
+
+@strong{Since:} 3.7.3
+@end deftypefun
+
@subheading gnutls_early_cipher_get
@anchor{gnutls_early_cipher_get}
@deftypefun {gnutls_cipher_algorithm_t} {gnutls_early_cipher_get} (gnutls_session_t @var{session})
@@ -2820,6 +2842,34 @@
integers indicating the available curves.
@end deftypefun
+@subheading gnutls_ecc_curve_mark_disabled
+@anchor{gnutls_ecc_curve_mark_disabled}
+@deftypefun {int} {gnutls_ecc_curve_mark_disabled} (gnutls_ecc_curve_t @var{curve})
+@var{curve}: is an ECC curve
+
+Mark @code{curve} as disabled system wide. This setting can be reverted with
+@code{gnutls_ecc_curve_mark_enabled()} . This only works if the configuration file
+uses the allowlisting mode.
+
+@strong{Returns:} 0 on success or negative error code otherwise.
+
+@strong{Since:} 3.7.3
+@end deftypefun
+
+@subheading gnutls_ecc_curve_mark_enabled
+@anchor{gnutls_ecc_curve_mark_enabled}
+@deftypefun {int} {gnutls_ecc_curve_mark_enabled} (gnutls_ecc_curve_t @var{curve})
+@var{curve}: is an ECC curve
+
+Invalidate previous system wide setting that marked @code{curve} as disabled. This
+only works if the curve is disabled with @code{gnutls_ecc_curve_mark_disabled()} or
+through the allowlisting mode in the configuration file.
+
+@strong{Returns:} 0 on success or negative error code otherwise.
+
+@strong{Since:} 3.7.3
+@end deftypefun
+
@subheading gnutls_error_is_fatal
@anchor{gnutls_error_is_fatal}
@deftypefun {int} {gnutls_error_is_fatal} (int @var{error})
@@ -5026,6 +5076,25 @@
indicating the available protocols.
@end deftypefun
+@subheading gnutls_protocol_mark_disabled
+@anchor{gnutls_protocol_mark_disabled}
+@deftypefun {int} {gnutls_protocol_mark_disabled} (gnutls_protocol_t @var{version})
+@var{version}: is a (gnutls) version number
+
+Mark @code{version} as disabled system wide. This only works if the allowlisting
+mode is used in the configuration file.
+@end deftypefun
+
+@subheading gnutls_protocol_mark_enabled
+@anchor{gnutls_protocol_mark_enabled}
+@deftypefun {int} {gnutls_protocol_mark_enabled} (gnutls_protocol_t @var{version})
+@var{version}: is a (gnutls) version number
+
+Invalidate previous system wide setting that marked @code{version} as
+disabled. This only works if the allowlisting mode is used in the
+configuration file.
+@end deftypefun
+
@subheading gnutls_psk_allocate_client_credentials
@anchor{gnutls_psk_allocate_client_credentials}
@deftypefun {int} {gnutls_psk_allocate_client_credentials} (gnutls_psk_client_credentials_t * @var{sc})
@@ -7027,6 +7096,44 @@
integers indicating the available ciphers.
@end deftypefun
+@subheading gnutls_sign_mark_insecure
+@anchor{gnutls_sign_mark_insecure}
+@deftypefun {int} {gnutls_sign_mark_insecure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
+@var{sign}: the sign algorithm
+
+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
+
+Mark @code{sign} as insecure system wide. This only works if the
+allowlisting mode is used in the configuration file.
+
+If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
+and the algorithm was previously considered secure for all purposes,
+it only marks the algorithm as insecure for the use with certificates.
+
+@strong{Since:} 3.7.3
+@end deftypefun
+
+@subheading gnutls_sign_mark_secure
+@anchor{gnutls_sign_mark_secure}
+@deftypefun {int} {gnutls_sign_mark_secure} (gnutls_sign_algorithm_t @var{sign}, unsigned @var{flags})
+@var{sign}: the sign algorithm
+
+@var{flags}: @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} or 0
+
+Invalidate previous system wide setting that marked @code{sign} as
+insecure. This only works if the algorithm is marked as insecure
+with @code{gnutls_sign_mark_insecure()} or through the allowlisting mode
+in the configuration file.
+
+If @code{flags} has @code{GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS} bit set,
+it marks it the algorithm as secure for all purposes.
+If the absence of this flag, it will mark it as
+"secure, but not for certificates" at most,
+but it won't restrict anything either.
+
+@strong{Since:} 3.7.3
+@end deftypefun
+
@subheading gnutls_sign_supports_pk_algorithm
@anchor{gnutls_sign_supports_pk_algorithm}
@deftypefun {unsigned} {gnutls_sign_supports_pk_algorithm} (gnutls_sign_algorithm_t @var{sign}, gnutls_pk_algorithm_t @var{pk})
diff -ruN gnutls-3.7.2/doc/gnutls.html gnutls-3.7.2-bootstrapped/doc/gnutls.html
--- gnutls-3.7.2/doc/gnutls.html 2021-05-29 10:23:25.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/gnutls.html 2021-06-28 09:56:40.000000000 +0200
@@ -8018,8 +8018,9 @@
</p><span id="write-option_002e"></span><h4 class="subsubheading">write option.</h4>
<span id="p11tool-write"></span>
<p>This is the &ldquo;writes the loaded objects to a pkcs #11 token&rdquo; option.
-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
- one of &ndash;load-privkey, &ndash;load-pubkey, &ndash;load-certificate option.
+It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of &ndash;load-privkey, &ndash;load-pubkey, &ndash;load-certificate option.
+</p>
+<p>When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
</p><span id="id-option_002e"></span><h4 class="subsubheading">id option.</h4>
<span id="p11tool-id"></span>
<p>This is the &ldquo;sets an id for the write operation&rdquo; option.
@@ -16992,6 +16993,7 @@
<li> <code>insecure-sig-for-cert</code>: to mark the signature algorithm as insecure when used in certificates.
</li><li> <code>insecure-sig</code>: to mark the signature algorithm as insecure for any use.
</li><li> <code>insecure-hash</code>: to mark the hash algorithm as insecure for digital signature use (provides a more generic way to disable digital signatures for broken hash algorithms).
+</li><li> <code>disabled-curve</code>: to disable the specified elliptic curve.
</li><li> <code>disabled-version</code>: to disable the specified TLS versions.
</li><li> <code>tls-disabled-cipher</code>: to disable the specified ciphers for use in the TLS or DTLS protocols.
</li><li> <code>tls-disabled-mac</code>: to disable the specified MAC algorithms for use in the TLS or DTLS protocols.
@@ -17000,11 +17002,49 @@
</li></ul>
<p>Each of the options can be repeated multiple times when multiple values need
-to be disabled.
+to be disabled or enabled.
</p>
<p>The valid values for the options above can be found in the &rsquo;Protocols&rsquo;, &rsquo;Digests&rsquo;
&rsquo;PK-signatures&rsquo;, &rsquo;Protocols&rsquo;, &rsquo;Ciphrers&rsquo;, and &rsquo;MACs&rsquo; fields of the output of <code>gnutls-cli --list</code>.
</p>
+<p>Sometimes the system administrator wants to enable only specific
+algorithms, despite the library defaults. GnuTLS provides an
+alternative mode of overriding: allowlisting.
+</p>
+<p>In the allowlisting mode, all the algorithms are initially marked as
+insecure or disabled, and shall be explicitly turned on by the options
+in the <code>[overrides]</code> section. Those options are mutually
+exclusive to the above ones for the blocklisting mode (the default)
+</p><ul>
+<li> <code>secure-sig-for-cert</code>: to mark the signature algorithm as secure when used in certificates.
+</li><li> <code>secure-sig</code>: to mark the signature algorithm as secure for any use.
+</li><li> <code>secure-hash</code>: to mark the hash algorithm as secure for digital signature use (provides a more generic way to enable digital signatures for broken hash algorithms).
+</li><li> <code>enabled-curve</code>: to enable the specified elliptic curve.
+</li><li> <code>enabled-version</code>: to enable the specified TLS versions.
+</li><li> <code>tls-enabled-cipher</code>: to enable the specified ciphers for use in the TLS or DTLS protocols.
+</li><li> <code>tls-enabled-mac</code>: to enable the specified MAC algorithms for use in the TLS or DTLS protocols.
+</li><li> <code>tls-enabled-group</code>: to enable the specified group for use in the TLS or DTLS protocols.
+</li><li> <code>tls-enabled-kx</code>: to enable the specified key exchange algorithms for use in the TLS or DTLS protocols (applies to TLS1.2 or earlier).
+</li></ul>
+
+<p>The allowlisting mode can be enabled by adding <code>override-mode =
+allowlist</code> in the <code>[global]</code> section.
+</p>
+<p>When the allowlisting mode is in effect, it is also possible for the applications to modify the setting through the API.
+</p>
+<dl compact="compact">
+<dt><code><var>int</var> <a href="#gnutls_005fecc_005fcurve_005fmark_005fenabled">gnutls_ecc_curve_mark_enabled</a> (gnutls_ecc_curve_t <var>curve</var>)</code></dt>
+<dt><code><var>int</var> <a href="#gnutls_005fsign_005fmark_005fsecure">gnutls_sign_mark_secure</a> (gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</code></dt>
+<dt><code><var>int</var> <a href="#gnutls_005fdigest_005fmark_005fsecure">gnutls_digest_mark_secure</a> (gnutls_digest_algorithm_t <var>dig</var>)</code></dt>
+<dt><code><var>int</var> <a href="#gnutls_005fprotocol_005fmark_005fenabled">gnutls_protocol_mark_enabled</a> (gnutls_protocol_t <var>version</var>)</code></dt>
+</dl>
+<dl compact="compact">
+<dt><code><var>int</var> <a href="#gnutls_005fecc_005fcurve_005fmark_005fdisabled">gnutls_ecc_curve_mark_disabled</a> (gnutls_ecc_curve_t <var>curve</var>)</code></dt>
+<dt><code><var>int</var> <a href="#gnutls_005fsign_005fmark_005finsecure">gnutls_sign_mark_insecure</a> (gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</code></dt>
+<dt><code><var>int</var> <a href="#gnutls_005fdigest_005fmark_005finsecure">gnutls_digest_mark_insecure</a> (gnutls_digest_algorithm_t <var>dig</var>)</code></dt>
+<dt><code><var>int</var> <a href="#gnutls_005fprotocol_005fmark_005fdisabled">gnutls_protocol_mark_disabled</a> (gnutls_protocol_t <var>version</var>)</code></dt>
+</dl>
+
<span id="Examples"></span><h4 class="subsection">8.2.1 Examples</h4>
<p>The following example marks as insecure all digital signature algorithms
@@ -17038,6 +17078,20 @@
tls-disabled-group = group-ffdhe8192
</pre></div>
+<p>The following example demonstrates the use of the allowlisting
+mode. It disables all the signature algorithms but
+<code>RSA-SHA256</code>. Note that the hash algorithm <code>SHA256</code> also
+needs to be explicitly enabled.
+</p>
+<div class="example">
+<pre class="example">[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = sha256
+secure-sig = rsa-sha256
+</pre></div>
+
<hr>
<span id="Querying-for-disabled-algorithms-and-protocols"></span><div class="header">
<p>
@@ -23658,6 +23712,28 @@
integers indicating the available digests.
</p></dd></dl>
+<span id="gnutls_005fdigest_005fmark_005finsecure-1"></span><h4 class="subheading">gnutls_digest_mark_insecure</h4>
+<span id="gnutls_005fdigest_005fmark_005finsecure"></span><dl>
+<dt id="index-gnutls_005fdigest_005fmark_005finsecure">Function: <em>int</em> <strong>gnutls_digest_mark_insecure</strong> <em>(gnutls_digest_algorithm_t <var>dig</var>)</em></dt>
+<dd><p><var>dig</var>: is a digest algorithm
+</p>
+<p>Mark <code>dig</code> as insecure system wide. This only works if the allowlisting mode
+is used in the configuration file.
+</p>
+<p><strong>Since:</strong> 3.7.3
+</p></dd></dl>
+
+<span id="gnutls_005fdigest_005fmark_005fsecure-1"></span><h4 class="subheading">gnutls_digest_mark_secure</h4>
+<span id="gnutls_005fdigest_005fmark_005fsecure"></span><dl>
+<dt id="index-gnutls_005fdigest_005fmark_005fsecure">Function: <em>int</em> <strong>gnutls_digest_mark_secure</strong> <em>(gnutls_digest_algorithm_t <var>dig</var>)</em></dt>
+<dd><p><var>dig</var>: is a digest algorithm
+</p>
+<p>Invalidate previous system wide setting that marked <code>dig</code> as insecure. This
+only works if the allowlisting mode is used in the configuration file.
+</p>
+<p><strong>Since:</strong> 3.7.3
+</p></dd></dl>
+
<span id="gnutls_005fearly_005fcipher_005fget-1"></span><h4 class="subheading">gnutls_early_cipher_get</h4>
<span id="gnutls_005fearly_005fcipher_005fget"></span><dl>
<dt id="index-gnutls_005fearly_005fcipher_005fget">Function: <em>gnutls_cipher_algorithm_t</em> <strong>gnutls_early_cipher_get</strong> <em>(gnutls_session_t <var>session</var>)</em></dt>
@@ -23772,6 +23848,34 @@
integers indicating the available curves.
</p></dd></dl>
+<span id="gnutls_005fecc_005fcurve_005fmark_005fdisabled-1"></span><h4 class="subheading">gnutls_ecc_curve_mark_disabled</h4>
+<span id="gnutls_005fecc_005fcurve_005fmark_005fdisabled"></span><dl>
+<dt id="index-gnutls_005fecc_005fcurve_005fmark_005fdisabled">Function: <em>int</em> <strong>gnutls_ecc_curve_mark_disabled</strong> <em>(gnutls_ecc_curve_t <var>curve</var>)</em></dt>
+<dd><p><var>curve</var>: is an ECC curve
+</p>
+<p>Mark <code>curve</code> as disabled system wide. This setting can be reverted with
+<code>gnutls_ecc_curve_mark_enabled()</code> . This only works if the configuration file
+uses the allowlisting mode.
+</p>
+<p><strong>Returns:</strong> 0 on success or negative error code otherwise.
+</p>
+<p><strong>Since:</strong> 3.7.3
+</p></dd></dl>
+
+<span id="gnutls_005fecc_005fcurve_005fmark_005fenabled-1"></span><h4 class="subheading">gnutls_ecc_curve_mark_enabled</h4>
+<span id="gnutls_005fecc_005fcurve_005fmark_005fenabled"></span><dl>
+<dt id="index-gnutls_005fecc_005fcurve_005fmark_005fenabled">Function: <em>int</em> <strong>gnutls_ecc_curve_mark_enabled</strong> <em>(gnutls_ecc_curve_t <var>curve</var>)</em></dt>
+<dd><p><var>curve</var>: is an ECC curve
+</p>
+<p>Invalidate previous system wide setting that marked <code>curve</code> as disabled. This
+only works if the curve is disabled with <code>gnutls_ecc_curve_mark_disabled()</code> or
+through the allowlisting mode in the configuration file.
+</p>
+<p><strong>Returns:</strong> 0 on success or negative error code otherwise.
+</p>
+<p><strong>Since:</strong> 3.7.3
+</p></dd></dl>
+
<span id="gnutls_005ferror_005fis_005ffatal-1"></span><h4 class="subheading">gnutls_error_is_fatal</h4>
<span id="gnutls_005ferror_005fis_005ffatal"></span><dl>
<dt id="index-gnutls_005ferror_005fis_005ffatal-1">Function: <em>int</em> <strong>gnutls_error_is_fatal</strong> <em>(int <var>error</var>)</em></dt>
@@ -25978,6 +26082,25 @@
indicating the available protocols.
</p></dd></dl>
+<span id="gnutls_005fprotocol_005fmark_005fdisabled-1"></span><h4 class="subheading">gnutls_protocol_mark_disabled</h4>
+<span id="gnutls_005fprotocol_005fmark_005fdisabled"></span><dl>
+<dt id="index-gnutls_005fprotocol_005fmark_005fdisabled">Function: <em>int</em> <strong>gnutls_protocol_mark_disabled</strong> <em>(gnutls_protocol_t <var>version</var>)</em></dt>
+<dd><p><var>version</var>: is a (gnutls) version number
+</p>
+<p>Mark <code>version</code> as disabled system wide. This only works if the allowlisting
+mode is used in the configuration file.
+</p></dd></dl>
+
+<span id="gnutls_005fprotocol_005fmark_005fenabled-1"></span><h4 class="subheading">gnutls_protocol_mark_enabled</h4>
+<span id="gnutls_005fprotocol_005fmark_005fenabled"></span><dl>
+<dt id="index-gnutls_005fprotocol_005fmark_005fenabled">Function: <em>int</em> <strong>gnutls_protocol_mark_enabled</strong> <em>(gnutls_protocol_t <var>version</var>)</em></dt>
+<dd><p><var>version</var>: is a (gnutls) version number
+</p>
+<p>Invalidate previous system wide setting that marked <code>version</code> as
+disabled. This only works if the allowlisting mode is used in the
+configuration file.
+</p></dd></dl>
+
<span id="gnutls_005fpsk_005fallocate_005fclient_005fcredentials-1"></span><h4 class="subheading">gnutls_psk_allocate_client_credentials</h4>
<span id="gnutls_005fpsk_005fallocate_005fclient_005fcredentials"></span><dl>
<dt id="index-gnutls_005fpsk_005fallocate_005fclient_005fcredentials">Function: <em>int</em> <strong>gnutls_psk_allocate_client_credentials</strong> <em>(gnutls_psk_client_credentials_t * <var>sc</var>)</em></dt>
@@ -27979,6 +28102,44 @@
integers indicating the available ciphers.
</p></dd></dl>
+<span id="gnutls_005fsign_005fmark_005finsecure-1"></span><h4 class="subheading">gnutls_sign_mark_insecure</h4>
+<span id="gnutls_005fsign_005fmark_005finsecure"></span><dl>
+<dt id="index-gnutls_005fsign_005fmark_005finsecure">Function: <em>int</em> <strong>gnutls_sign_mark_insecure</strong> <em>(gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</em></dt>
+<dd><p><var>sign</var>: the sign algorithm
+</p>
+<p><var>flags</var>: <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code> or 0
+</p>
+<p>Mark <code>sign</code> as insecure system wide. This only works if the
+allowlisting mode is used in the configuration file.
+</p>
+<p>If <code>flags</code> has <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code> bit set,
+and the algorithm was previously considered secure for all purposes,
+it only marks the algorithm as insecure for the use with certificates.
+</p>
+<p><strong>Since:</strong> 3.7.3
+</p></dd></dl>
+
+<span id="gnutls_005fsign_005fmark_005fsecure-1"></span><h4 class="subheading">gnutls_sign_mark_secure</h4>
+<span id="gnutls_005fsign_005fmark_005fsecure"></span><dl>
+<dt id="index-gnutls_005fsign_005fmark_005fsecure">Function: <em>int</em> <strong>gnutls_sign_mark_secure</strong> <em>(gnutls_sign_algorithm_t <var>sign</var>, unsigned <var>flags</var>)</em></dt>
+<dd><p><var>sign</var>: the sign algorithm
+</p>
+<p><var>flags</var>: <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code> or 0
+</p>
+<p>Invalidate previous system wide setting that marked <code>sign</code> as
+insecure. This only works if the algorithm is marked as insecure
+with <code>gnutls_sign_mark_insecure()</code> or through the allowlisting mode
+in the configuration file.
+</p>
+<p>If <code>flags</code> has <code>GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS</code> bit set,
+it marks it the algorithm as secure for all purposes.
+If the absence of this flag, it will mark it as
+&quot;secure, but not for certificates&quot; at most,
+but it won&rsquo;t restrict anything either.
+</p>
+<p><strong>Since:</strong> 3.7.3
+</p></dd></dl>
+
<span id="gnutls_005fsign_005fsupports_005fpk_005falgorithm-1"></span><h4 class="subheading">gnutls_sign_supports_pk_algorithm</h4>
<span id="gnutls_005fsign_005fsupports_005fpk_005falgorithm"></span><dl>
<dt id="index-gnutls_005fsign_005fsupports_005fpk_005falgorithm">Function: <em>unsigned</em> <strong>gnutls_sign_supports_pk_algorithm</strong> <em>(gnutls_sign_algorithm_t <var>sign</var>, gnutls_pk_algorithm_t <var>pk</var>)</em></dt>
@@ -45743,6 +45904,8 @@
<tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fget_005fname"><code>gnutls_digest_get_name</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fget_005foid"><code>gnutls_digest_get_oid</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005flist"><code>gnutls_digest_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fmark_005finsecure"><code>gnutls_digest_mark_insecure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fdigest_005fmark_005fsecure"><code>gnutls_digest_mark_secure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fdtls_005fcookie_005fsend"><code>gnutls_dtls_cookie_send</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Datagram-TLS-API">Datagram TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fdtls_005fcookie_005fverify"><code>gnutls_dtls_cookie_verify</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Datagram-TLS-API">Datagram TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fdtls_005fget_005fdata_005fmtu"><code>gnutls_dtls_get_data_mtu</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Datagram-TLS-API">Datagram TLS API</a></td></tr>
@@ -45762,6 +45925,8 @@
<tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fget_005fpk"><code>gnutls_ecc_curve_get_pk</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fget_005fsize"><code>gnutls_ecc_curve_get_size</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005flist"><code>gnutls_ecc_curve_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fmark_005fdisabled"><code>gnutls_ecc_curve_mark_disabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fecc_005fcurve_005fmark_005fenabled"><code>gnutls_ecc_curve_mark_enabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fencode_005fber_005fdigest_005finfo"><code>gnutls_encode_ber_digest_info</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Cryptographic-API">Cryptographic API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fencode_005fgost_005frs_005fvalue"><code>gnutls_encode_gost_rs_value</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Cryptographic-API">Cryptographic API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fencode_005frs_005fvalue"><code>gnutls_encode_rs_value</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Cryptographic-API">Cryptographic API</a></td></tr>
@@ -46151,6 +46316,8 @@
<tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fget_005fname"><code>gnutls_protocol_get_name</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fget_005fversion"><code>gnutls_protocol_get_version</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005flist"><code>gnutls_protocol_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fmark_005fdisabled"><code>gnutls_protocol_mark_disabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fprotocol_005fmark_005fenabled"><code>gnutls_protocol_mark_enabled</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fpsk_005fallocate_005fclient_005fcredentials"><code>gnutls_psk_allocate_client_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fpsk_005fallocate_005fserver_005fcredentials"><code>gnutls_psk_allocate_server_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fpsk_005fclient_005fget_005fhint"><code>gnutls_psk_client_get_hint</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
@@ -46325,6 +46492,8 @@
<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fis_005fsecure"><code>gnutls_sign_is_secure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fis_005fsecure2"><code>gnutls_sign_is_secure2</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005flist"><code>gnutls_sign_list</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fmark_005finsecure"><code>gnutls_sign_mark_insecure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
+<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fmark_005fsecure"><code>gnutls_sign_mark_secure</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fsign_005fsupports_005fpk_005falgorithm"><code>gnutls_sign_supports_pk_algorithm</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fsrp_005fallocate_005fclient_005fcredentials"><code>gnutls_srp_allocate_client_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-gnutls_005fsrp_005fallocate_005fserver_005fcredentials"><code>gnutls_srp_allocate_server_credentials</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Core-TLS-API">Core TLS API</a></td></tr>
diff -ruN gnutls-3.7.2/doc/gnutls.info gnutls-3.7.2-bootstrapped/doc/gnutls.info
--- gnutls-3.7.2/doc/gnutls.info 2021-05-29 10:23:25.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info 2021-06-28 09:56:40.000000000 +0200
@@ -29,12 +29,12 @@

Indirect:
gnutls.info-1: 1291
-gnutls.info-2: 322163
-gnutls.info-3: 605942
-gnutls.info-4: 1147244
-gnutls.info-5: 1463965
-gnutls.info-6: 1515571
-gnutls.info-7: 1896190
+gnutls.info-2: 322461
+gnutls.info-3: 606240
+gnutls.info-4: 1153831
+gnutls.info-5: 1470552
+gnutls.info-6: 1522158
+gnutls.info-7: 1903361

Tag Table:
(Indirect)
@@ -324,1507 +324,1515 @@
Ref: p11tool set-id312425
Ref: p11tool set-label312850
Ref: p11tool write313198
-Ref: p11tool id313462
-Ref: p11tool mark-wrap313719
-Ref: p11tool mark-trusted313966
-Ref: p11tool mark-distrusted314330
-Ref: p11tool mark-decrypt314784
-Ref: p11tool mark-sign315061
-Ref: p11tool mark-ca315338
-Ref: p11tool mark-private315611
-Ref: p11tool ca315909
-Ref: p11tool private316043
-Ref: p11tool secret-key316198
-Ref: p11tool other-options316361
-Ref: p11tool debug316463
-Ref: p11tool so-login316604
-Ref: p11tool admin-login316848
-Ref: p11tool test-sign316989
-Ref: p11tool sign-params317283
-Ref: p11tool hash317623
-Ref: p11tool generate-random317919
-Ref: p11tool inder318093
-Ref: p11tool inraw318318
-Ref: p11tool outder318444
-Ref: p11tool outraw318696
-Ref: p11tool provider318829
-Ref: p11tool provider-opts319038
-Ref: p11tool batch319311
-Ref: p11tool exit status319464
-Ref: p11tool See Also319694
-Ref: p11tool Examples319742
-Node: Trusted Platform Module322163
-Ref: Trusted Platform Module-Footnote-1323956
-Ref: Trusted Platform Module-Footnote-2324004
-Node: Keys in TPM324061
-Node: Key generation325545
-Node: Using keys327813
-Node: tpmtool Invocation331458
-Ref: tpmtool usage331884
-Ref: tpmtool debug335196
-Ref: tpmtool generate-rsa335337
-Ref: tpmtool user335608
-Ref: tpmtool system335967
-Ref: tpmtool test-sign336321
-Ref: tpmtool sec-param336604
-Ref: tpmtool inder336930
-Ref: tpmtool outder337231
-Ref: tpmtool srk-well-known337450
-Ref: tpmtool exit status337606
-Ref: tpmtool See Also337836
-Ref: tpmtool Examples337897
-Node: How to use GnuTLS in applications338514
-Node: Introduction to the library339083
-Node: General idea339682
-Ref: fig-gnutls-design340531
-Ref: General idea-Footnote-1341836
-Node: Error handling341881
-Node: Common types344108
-Node: Debugging and auditing345442
-Ref: tab:environment346313
-Node: Thread safety349180
-Ref: Thread safety-Footnote-1351326
-Node: Running in a sandbox351538
-Node: Sessions and fork352932
-Node: Callback functions353484
-Node: Preparation354452
-Node: Headers354871
-Node: Initialization355160
-Ref: Initialization-Footnote-1356154
-Node: Version check356447
-Node: Building the source357322
-Node: Session initialization359433
-Ref: gnutls_init_flags_t360910
-Node: Associating the credentials367923
-Ref: tab:key-exchange-cred368699
-Node: Certificate credentials369830
-Node: Raw public-key credentials385415
-Node: SRP credentials386715
-Node: PSK credentials391613
-Node: Anonymous credentials395548
-Node: Setting up the transport layer396394
-Node: Asynchronous operation405947
-Node: Reducing round-trips410248
-Node: Zero-roundtrip mode413688
-Node: Anti-replay protection415893
-Node: DTLS sessions419538
-Ref: DTLS sessions-Footnote-1421842
-Node: DTLS and SCTP421919
-Node: TLS handshake422939
-Node: Data transfer and termination426857
-Node: Buffered data transfer435999
-Node: Handling alerts437800
-Node: Priority Strings441182
-Ref: tab:prio-keywords443782
-Ref: tab:prio-algorithms450860
-Ref: tab:prio-special1456290
-Ref: tab:prio-special2460137
-Ref: Priority Strings-Footnote-1466758
-Node: Selecting cryptographic key sizes466980
-Ref: tab:key-sizes467629
-Node: Advanced topics472378
-Node: Virtual hosts and credentials472876
-Node: Session resumption476201
-Node: Certificate verification484108
-Ref: dane_verify_status_t493829
-Node: TLS 1.2 re-authentication494234
-Node: TLS 1.3 re-authentication and re-key499091
-Node: Parameter generation500750
-Node: Deriving keys for other applications/protocols503397
-Node: Channel Bindings506627
-Node: Interoperability508166
-Node: Compatibility with the OpenSSL library509484
-Node: GnuTLS application examples510211
-Ref: examples510430
-Node: Client examples510723
-Node: Client example with X.509 certificate support511250
-Ref: ex-verify511488
-Node: Datagram TLS client example516532
-Node: Client using a smart card with TLS520937
-Ref: ex-pkcs11-client521174
-Node: Client with Resume capability example526469
-Ref: ex-resume-client526753
-Node: Client example with SSH-style certificate verification531940
-Node: Server examples536147
-Node: Echo server with X.509 authentication536501
-Node: DTLS echo server with X.509 authentication544225
-Node: More advanced client and servers558636
-Node: Client example with anonymous authentication559493
-Node: Using a callback to select the certificate to use563417
-Node: Obtaining session information569800
-Node: Advanced certificate verification example574013
-Ref: ex-verify2574289
-Node: Client example with PSK authentication579719
-Node: Client example with SRP authentication584085
-Node: Legacy client example with X.509 certificate support588369
-Ref: ex-verify-legacy588686
-Node: Client example in C++594639
-Node: Echo server with PSK authentication597211
-Node: Echo server with SRP authentication605942
-Node: Echo server with anonymous authentication612860
-Node: Helper functions for TCP connections618188
-Node: Helper functions for UDP connections619780
-Node: OCSP example621685
-Ref: Generate OCSP request621868
-Node: Miscellaneous examples631475
-Node: Checking for an alert631801
-Node: X.509 certificate parsing example633250
-Ref: ex-x509-info633507
-Node: Listing the ciphersuites in a priority string637536
-Node: PKCS12 structure generation example639853
-Node: System-wide configuration of the library644058
-Node: Application-specific priority strings645885
-Node: Disabling algorithms and protocols647333
-Node: Querying for disabled algorithms and protocols650217
-Node: Overriding the parameter verification profile651339
-Node: Overriding the default priority string652341
-Node: Using GnuTLS as a cryptographic library652958
-Ref: Using GnuTLS as a cryptographic library-Footnote-1653814
-Node: Symmetric algorithms653871
-Ref: gnutls_cipher_algorithm_t654631
-Ref: Symmetric algorithms-Footnote-1663061
-Node: Public key algorithms663146
-Node: Cryptographic Message Syntax / PKCS7667868
-Ref: gnutls_pkcs7_sign_flags671307
-Node: Hash and MAC functions672775
-Ref: gnutls_mac_algorithm_t673387
-Ref: gnutls_digest_algorithm_t676759
-Node: Random number generation677810
-Ref: gnutls_rnd_level_t678172
-Node: Overriding algorithms679279
-Node: Other included programs685597
-Node: gnutls-cli Invocation686168
-Ref: gnutls-cli usage686730
-Ref: gnutls-cli debug694480
-Ref: gnutls-cli tofu694621
-Ref: gnutls-cli strict-tofu695084
-Ref: gnutls-cli dane695486
-Ref: gnutls-cli local-dns695829
-Ref: gnutls-cli ca-verification696144
-Ref: gnutls-cli ocsp696499
-Ref: gnutls-cli resume696741
-Ref: gnutls-cli rehandshake696887
-Ref: gnutls-cli sni-hostname697054
-Ref: gnutls-cli verify-hostname697580
-Ref: gnutls-cli starttls697813
-Ref: gnutls-cli app-proto697997
-Ref: gnutls-cli starttls-proto698159
-Ref: gnutls-cli save-ocsp-multi698670
-Ref: gnutls-cli dh-bits699127
-Ref: gnutls-cli priority699478
-Ref: gnutls-cli rawpkkeyfile699856
-Ref: gnutls-cli rawpkfile700313
-Ref: gnutls-cli ranges700854
-Ref: gnutls-cli benchmark-ciphers701104
-Ref: gnutls-cli benchmark-tls-ciphers701422
-Ref: gnutls-cli list701741
-Ref: gnutls-cli priority-list702108
-Ref: gnutls-cli noticket702354
-Ref: gnutls-cli alpn702515
-Ref: gnutls-cli disable-extensions702824
-Ref: gnutls-cli single-key-share703056
-Ref: gnutls-cli post-handshake-auth703272
-Ref: gnutls-cli inline-commands703469
-Ref: gnutls-cli inline-commands-prefix703789
-Ref: gnutls-cli provider704192
-Ref: gnutls-cli logfile704389
-Ref: gnutls-cli waitresumption704746
-Ref: gnutls-cli ca-auto-retrieve705003
-Ref: gnutls-cli exit status705407
-Ref: gnutls-cli See Also705643
-Ref: gnutls-cli Examples705720
-Node: gnutls-serv Invocation709927
-Ref: gnutls-serv usage710404
-Ref: gnutls-serv debug715924
-Ref: gnutls-serv sni-hostname716065
-Ref: gnutls-serv alpn716397
-Ref: gnutls-serv require-client-cert716684
-Ref: gnutls-serv verify-client-cert716928
-Ref: gnutls-serv heartbeat717157
-Ref: gnutls-serv priority717308
-Ref: gnutls-serv x509keyfile717677
-Ref: gnutls-serv x509certfile718194
-Ref: gnutls-serv x509dsakeyfile718711
-Ref: gnutls-serv x509dsacertfile718875
-Ref: gnutls-serv x509ecckeyfile719042
-Ref: gnutls-serv x509ecccertfile719204
-Ref: gnutls-serv rawpkkeyfile719371
-Ref: gnutls-serv rawpkfile720190
-Ref: gnutls-serv ocsp-response721045
-Ref: gnutls-serv ignore-ocsp-response-errors721362
-Ref: gnutls-serv list721609
-Ref: gnutls-serv provider721847
-Ref: gnutls-serv exit status722044
-Ref: gnutls-serv See Also722282
-Ref: gnutls-serv Examples722360
-Node: gnutls-cli-debug Invocation727668
-Ref: gnutls-cli-debug usage728490
-Ref: gnutls-cli-debug debug730745
-Ref: gnutls-cli-debug app-proto730886
-Ref: gnutls-cli-debug starttls-proto731054
-Ref: gnutls-cli-debug exit status731433
-Ref: gnutls-cli-debug See Also731681
-Ref: gnutls-cli-debug Examples731764
-Node: Internal architecture of GnuTLS735261
-Node: The TLS Protocol735867
-Ref: fig-client-server736343
-Node: TLS Handshake Protocol736433
-Ref: fig-gnutls-handshake736875
-Ref: fig-gnutls-handshake-sequence737384
-Node: TLS Authentication Methods737482
-Ref: TLS Authentication Methods-Footnote-1739786
-Node: TLS Hello Extension Handling739852
-Node: Cryptographic Backend752954
-Ref: fig-crypto-layers753637
-Ref: Cryptographic Backend-Footnote-1756919
-Ref: Cryptographic Backend-Footnote-2757004
-Node: Random Number Generators-internals757112
-Node: FIPS140-2 mode764476
-Ref: gnutls_fips_mode_t767112
-Node: Upgrading from previous versions769259
-Node: Support783253
-Node: Getting help783501
-Node: Commercial Support784089
-Node: Bug Reports784360
-Node: Contributing785724
-Node: Certification787750
-Node: Error codes788214
-Node: Supported ciphersuites812847
-Ref: ciphersuites813020
-Node: API reference828064
-Node: Core TLS API828474
-Ref: gnutls_alert_get828701
-Ref: gnutls_alert_get_name829320
-Ref: gnutls_alert_get_strname829705
-Ref: gnutls_alert_send830040
-Ref: gnutls_alert_send_appropriate830918
-Ref: gnutls_alert_set_read_function831885
-Ref: gnutls_alpn_get_selected_protocol832269
-Ref: gnutls_alpn_set_protocols832933
-Ref: gnutls_anon_allocate_client_credentials833770
-Ref: gnutls_anon_allocate_server_credentials834155
-Ref: gnutls_anon_free_client_credentials834532
-Ref: gnutls_anon_free_server_credentials834821
-Ref: gnutls_anon_set_params_function835102
-Ref: gnutls_anon_set_server_dh_params835778
-Ref: gnutls_anon_set_server_known_dh_params836438
-Ref: gnutls_anon_set_server_params_function837347
-Ref: gnutls_anti_replay_deinit838010
-Ref: gnutls_anti_replay_enable838324
-Ref: gnutls_anti_replay_init838672
-Ref: gnutls_anti_replay_set_add_function839200
-Ref: gnutls_anti_replay_set_ptr840218
-Ref: gnutls_anti_replay_set_window840553
-Ref: gnutls_auth_client_get_type841321
-Ref: gnutls_auth_get_type841948
-Ref: gnutls_auth_server_get_type842760
-Ref: gnutls_base64_decode2843389
-Ref: gnutls_base64_encode2843945
-Ref: gnutls_buffer_append_data844565
-Ref: gnutls_bye844963
-Ref: gnutls_certificate_activation_time_peers846564
-Ref: gnutls_certificate_allocate_credentials846982
-Ref: gnutls_certificate_client_get_request_status847379
-Ref: gnutls_certificate_expiration_time_peers847787
-Ref: gnutls_certificate_free_ca_names848191
-Ref: gnutls_certificate_free_cas848860
-Ref: gnutls_certificate_free_credentials849263
-Ref: gnutls_certificate_free_crls849697
-Ref: gnutls_certificate_free_keys849997
-Ref: gnutls_certificate_get_crt_raw850431
-Ref: gnutls_certificate_get_issuer851502
-Ref: gnutls_certificate_get_ocsp_expiration852585
-Ref: gnutls_certificate_get_ours853756
-Ref: gnutls_certificate_get_peers854586
-Ref: gnutls_certificate_get_peers_subkey_id855709
-Ref: gnutls_certificate_get_verify_flags856065
-Ref: gnutls_certificate_get_x509_crt856478
-Ref: gnutls_certificate_get_x509_key858122
-Ref: gnutls_certificate_send_x509_rdn_sequence859437
-Ref: gnutls_certificate_server_set_request860144
-Ref: gnutls_certificate_set_dh_params860934
-Ref: gnutls_certificate_set_flags861753
-Ref: gnutls_certificate_set_known_dh_params862278
-Ref: gnutls_certificate_set_ocsp_status_request_file863206
-Ref: gnutls_certificate_set_ocsp_status_request_file2865112
-Ref: gnutls_certificate_set_ocsp_status_request_function866630
-Ref: gnutls_certificate_set_ocsp_status_request_function2868118
-Ref: gnutls_certificate_set_ocsp_status_request_mem870084
-Ref: gnutls_certificate_set_params_function871859
-Ref: gnutls_certificate_set_pin_function872556
-Ref: gnutls_certificate_set_rawpk_key_file873209
-Ref: gnutls_certificate_set_rawpk_key_mem876513
-Ref: gnutls_certificate_set_retrieve_function879660
-Ref: gnutls_certificate_set_verify_flags881790
-Ref: gnutls_certificate_set_verify_function882283
-Ref: gnutls_certificate_set_verify_limits883347
-Ref: gnutls_certificate_set_x509_crl884028
-Ref: gnutls_certificate_set_x509_crl_file884856
-Ref: gnutls_certificate_set_x509_crl_mem885637
-Ref: gnutls_certificate_set_x509_key886414
-Ref: gnutls_certificate_set_x509_key_file888082
-Ref: gnutls_certificate_set_x509_key_file2890318
-Ref: gnutls_certificate_set_x509_key_mem892852
-Ref: gnutls_certificate_set_x509_key_mem2894500
-Ref: gnutls_certificate_set_x509_simple_pkcs12_file896313
-Ref: gnutls_certificate_set_x509_simple_pkcs12_mem898443
-Ref: gnutls_certificate_set_x509_system_trust900543
-Ref: gnutls_certificate_set_x509_trust901113
-Ref: gnutls_certificate_set_x509_trust_dir902093
-Ref: gnutls_certificate_set_x509_trust_file902831
-Ref: gnutls_certificate_set_x509_trust_mem904007
-Ref: gnutls_certificate_type_get904950
-Ref: gnutls_certificate_type_get2905797
-Ref: gnutls_certificate_type_get_id907182
-Ref: gnutls_certificate_type_get_name907579
-Ref: gnutls_certificate_type_list907962
-Ref: gnutls_certificate_verification_status_print908316
-Ref: gnutls_certificate_verify_peers909074
-Ref: gnutls_certificate_verify_peers2911870
-Ref: gnutls_certificate_verify_peers3913785
-Ref: gnutls_check_version916095
-Ref: gnutls_cipher_get916837
-Ref: gnutls_cipher_get_id917142
-Ref: gnutls_cipher_get_key_size917524
-Ref: gnutls_cipher_get_name917888
-Ref: gnutls_cipher_list918235
-Ref: gnutls_cipher_suite_get_name918795
-Ref: gnutls_cipher_suite_info919663
-Ref: gnutls_credentials_clear920846
-Ref: gnutls_credentials_get921074
-Ref: gnutls_credentials_set922029
-Ref: gnutls_db_check_entry923393
-Ref: gnutls_db_check_entry_expire_time923850
-Ref: gnutls_db_check_entry_time924256
-Ref: gnutls_db_get_default_cache_expiration924647
-Ref: gnutls_db_get_ptr924842
-Ref: gnutls_db_remove_session925154
-Ref: gnutls_db_set_cache_expiration925691
-Ref: gnutls_db_set_ptr926112
-Ref: gnutls_db_set_remove_function926447
-Ref: gnutls_db_set_retrieve_function926950
-Ref: gnutls_db_set_store_function927636
-Ref: gnutls_deinit928103
-Ref: gnutls_dh_get_group928442
-Ref: gnutls_dh_get_peers_public_bits929294
-Ref: gnutls_dh_get_prime_bits929738
-Ref: gnutls_dh_get_pubkey930378
-Ref: gnutls_dh_get_secret_bits931076
-Ref: gnutls_dh_params_cpy931508
-Ref: gnutls_dh_params_deinit932016
-Ref: gnutls_dh_params_export2_pkcs3932257
-Ref: gnutls_dh_params_export_pkcs3933078
-Ref: gnutls_dh_params_export_raw934097
-Ref: gnutls_dh_params_generate2934850
-Ref: gnutls_dh_params_import_dsa936104
-Ref: gnutls_dh_params_import_pkcs3936581
-Ref: gnutls_dh_params_import_raw937320
-Ref: gnutls_dh_params_import_raw2937950
-Ref: gnutls_dh_params_import_raw3938664
-Ref: gnutls_dh_params_init939364
-Ref: gnutls_dh_set_prime_bits939695
-Ref: gnutls_digest_get_id940798
-Ref: gnutls_digest_get_name941224
-Ref: gnutls_digest_get_oid941570
-Ref: gnutls_digest_list941961
-Ref: gnutls_early_cipher_get942332
-Ref: gnutls_early_prf_hash_get942705
-Ref: gnutls_ecc_curve_get943123
-Ref: gnutls_ecc_curve_get_id943524
-Ref: gnutls_ecc_curve_get_name943905
-Ref: gnutls_ecc_curve_get_oid944239
-Ref: gnutls_ecc_curve_get_pk944584
-Ref: gnutls_ecc_curve_get_size944888
-Ref: gnutls_ecc_curve_list945117
-Ref: gnutls_error_is_fatal945440
-Ref: gnutls_error_to_alert946242
-Ref: gnutls_est_record_overhead_size946974
-Ref: gnutls_ext_get_current_msg947882
-Ref: gnutls_ext_get_data948573
-Ref: gnutls_ext_get_name949088
-Ref: gnutls_ext_get_name2949406
-Ref: gnutls_ext_raw_parse949916
-Ref: gnutls_ext_register951066
-Ref: gnutls_ext_set_data952701
-Ref: gnutls_fingerprint953212
-Ref: gnutls_fips140_mode_enabled954218
-Ref: gnutls_fips140_set_mode954772
-Ref: gnutls_get_system_config_file955825
-Ref: gnutls_global_deinit956201
-Ref: gnutls_global_init956651
-Ref: gnutls_global_set_audit_log_function957926
-Ref: gnutls_global_set_log_function958633
-Ref: gnutls_global_set_log_level959141
-Ref: gnutls_global_set_mutex959629
-Ref: gnutls_global_set_time_function960731
-Ref: gnutls_gost_paramset_get_name961168
-Ref: gnutls_gost_paramset_get_oid961544
-Ref: gnutls_group_get961921
-Ref: gnutls_group_get_id962291
-Ref: gnutls_group_get_name962638
-Ref: gnutls_group_list962958
-Ref: gnutls_handshake963280
-Ref: gnutls_handshake_description_get_name965385
-Ref: gnutls_handshake_get_last_in965773
-Ref: gnutls_handshake_get_last_out966398
-Ref: gnutls_handshake_set_hook_function967030
-Ref: gnutls_handshake_set_max_packet_length968422
-Ref: gnutls_handshake_set_post_client_hello_function969207
-Ref: gnutls_handshake_set_private_extensions970533
-Ref: gnutls_handshake_set_random971212
-Ref: gnutls_handshake_set_read_function971932
-Ref: gnutls_handshake_set_secret_function972333
-Ref: gnutls_handshake_set_timeout972712
-Ref: gnutls_handshake_write973402
-Ref: gnutls_heartbeat_allowed974103
-Ref: gnutls_heartbeat_enable974577
-Ref: gnutls_heartbeat_get_timeout975415
-Ref: gnutls_heartbeat_ping975954
-Ref: gnutls_heartbeat_pong977086
-Ref: gnutls_heartbeat_set_timeouts977493
-Ref: gnutls_hex2bin978264
-Ref: gnutls_hex_decode978983
-Ref: gnutls_hex_decode2979709
-Ref: gnutls_hex_encode980138
-Ref: gnutls_hex_encode2980735
-Ref: gnutls_idna_map981250
-Ref: gnutls_idna_reverse_map982380
-Ref: gnutls_init983145
-Ref: gnutls_key_generate983973
-Ref: gnutls_kx_get984390
-Ref: gnutls_kx_get_id984976
-Ref: gnutls_kx_get_name985320
-Ref: gnutls_kx_list985665
-Ref: gnutls_load_file985993
-Ref: gnutls_mac_get986765
-Ref: gnutls_mac_get_id987070
-Ref: gnutls_mac_get_key_size987483
-Ref: gnutls_mac_get_name987820
-Ref: gnutls_mac_list988139
-Ref: gnutls_memcmp988527
-Ref: gnutls_memset989087
-Ref: gnutls_ocsp_status_request_enable_client989481
-Ref: gnutls_ocsp_status_request_get990492
-Ref: gnutls_ocsp_status_request_get2991154
-Ref: gnutls_ocsp_status_request_is_checked992149
-Ref: gnutls_oid_to_digest993537
-Ref: gnutls_oid_to_ecc_curve993946
-Ref: gnutls_oid_to_gost_paramset994272
-Ref: gnutls_oid_to_mac994683
-Ref: gnutls_oid_to_pk995096
-Ref: gnutls_oid_to_sign995468
-Ref: gnutls_openpgp_send_cert995872
-Ref: gnutls_packet_deinit996174
-Ref: gnutls_packet_get996448
-Ref: gnutls_pem_base64_decode996953
-Ref: gnutls_pem_base64_decode2997808
-Ref: gnutls_pem_base64_encode998803
-Ref: gnutls_pem_base64_encode2999632
-Ref: gnutls_perror1000568
-Ref: gnutls_pk_algorithm_get_name1000864
-Ref: gnutls_pk_bits_to_sec_param1001220
-Ref: gnutls_pk_get_id1001694
-Ref: gnutls_pk_get_name1002212
-Ref: gnutls_pk_get_oid1002580
-Ref: gnutls_pk_list1002979
-Ref: gnutls_pk_to_sign1003312
-Ref: gnutls_prf1003723
-Ref: gnutls_prf_early1005718
-Ref: gnutls_prf_hash_get1007373
-Ref: gnutls_prf_raw1007905
-Ref: gnutls_prf_rfc57051009789
-Ref: gnutls_priority_certificate_type_list1011466
-Ref: gnutls_priority_certificate_type_list21012162
-Ref: gnutls_priority_cipher_list1012778
-Ref: gnutls_priority_deinit1013165
-Ref: gnutls_priority_ecc_curve_list1013408
-Ref: gnutls_priority_get_cipher_suite_index1013940
-Ref: gnutls_priority_group_list1014856
-Ref: gnutls_priority_init1015237
-Ref: gnutls_priority_init21016317
-Ref: gnutls_priority_kx_list1020691
-Ref: gnutls_priority_mac_list1021096
-Ref: gnutls_priority_protocol_list1021501
-Ref: gnutls_priority_set1021903
-Ref: gnutls_priority_set_direct1022558
-Ref: gnutls_priority_sign_list1023491
-Ref: gnutls_priority_string_list1023907
-Ref: gnutls_protocol_get_id1024539
-Ref: gnutls_protocol_get_name1024855
-Ref: gnutls_protocol_get_version1025214
-Ref: gnutls_protocol_list1025512
-Ref: gnutls_psk_allocate_client_credentials1025882
-Ref: gnutls_psk_allocate_server_credentials1026302
-Ref: gnutls_psk_client_get_hint1026698
-Ref: gnutls_psk_free_client_credentials1027325
-Ref: gnutls_psk_free_server_credentials1027608
-Ref: gnutls_psk_server_get_username1027883
-Ref: gnutls_psk_server_get_username21028590
-Ref: gnutls_psk_set_client_credentials1029284
-Ref: gnutls_psk_set_client_credentials21030307
-Ref: gnutls_psk_set_client_credentials_function1031087
-Ref: gnutls_psk_set_client_credentials_function21032090
-Ref: gnutls_psk_set_params_function1033247
-Ref: gnutls_psk_set_server_credentials_file1033927
-Ref: gnutls_psk_set_server_credentials_function1034788
-Ref: gnutls_psk_set_server_credentials_function21035742
-Ref: gnutls_psk_set_server_credentials_hint1036865
-Ref: gnutls_psk_set_server_dh_params1037489
-Ref: gnutls_psk_set_server_known_dh_params1038174
-Ref: gnutls_psk_set_server_params_function1039071
-Ref: gnutls_random_art1039712
-Ref: gnutls_range_split1040574
-Ref: gnutls_reauth1041656
-Ref: gnutls_record_can_use_length_hiding1043758
-Ref: gnutls_record_check_corked1044509
-Ref: gnutls_record_check_pending1044892
-Ref: gnutls_record_cork1045303
-Ref: gnutls_record_disable_padding1045717
-Ref: gnutls_record_discard_queued1046325
-Ref: gnutls_record_get_direction1046942
-Ref: gnutls_record_get_max_early_data_size1047923
-Ref: gnutls_record_get_max_size1048475
-Ref: gnutls_record_get_state1048842
-Ref: gnutls_record_overhead_size1049864
-Ref: gnutls_record_recv1050251
-Ref: gnutls_record_recv_early_data1051701
-Ref: gnutls_record_recv_packet1052763
-Ref: gnutls_record_recv_seq1053642
-Ref: gnutls_record_send1054628
-Ref: gnutls_record_send21056686
-Ref: gnutls_record_send_early_data1057838
-Ref: gnutls_record_send_range1058894
-Ref: gnutls_record_set_max_early_data_size1060073
-Ref: gnutls_record_set_max_recv_size1060719
-Ref: gnutls_record_set_max_size1061423
-Ref: gnutls_record_set_state1062602
-Ref: gnutls_record_set_timeout1063260
-Ref: gnutls_record_uncork1063861
-Ref: gnutls_rehandshake1064801
-Ref: gnutls_safe_renegotiation_status1066583
-Ref: gnutls_sec_param_get_name1066998
-Ref: gnutls_sec_param_to_pk_bits1067372
-Ref: gnutls_sec_param_to_symmetric_bits1068042
-Ref: gnutls_server_name_get1068426
-Ref: gnutls_server_name_set1069898
-Ref: gnutls_session_channel_binding1071056
-Ref: gnutls_session_enable_compatibility_mode1071774
-Ref: gnutls_session_etm_status1072481
-Ref: gnutls_session_ext_master_secret_status1072884
-Ref: gnutls_session_ext_register1073375
-Ref: gnutls_session_force_valid1075637
-Ref: gnutls_session_get_data1076058
-Ref: gnutls_session_get_data21076718
-Ref: gnutls_session_get_desc1078991
-Ref: gnutls_session_get_flags1079513
-Ref: gnutls_session_get_id1080051
-Ref: gnutls_session_get_id21081574
-Ref: gnutls_session_get_keylog_function1083044
-Ref: gnutls_session_get_master_secret1083451
-Ref: gnutls_session_get_ptr1083935
-Ref: gnutls_session_get_random1084330
-Ref: gnutls_session_get_verify_cert_status1084951
-Ref: gnutls_session_is_resumed1085624
-Ref: gnutls_session_key_update1085994
-Ref: gnutls_session_resumption_requested1086942
-Ref: gnutls_session_set_data1087324
-Ref: gnutls_session_set_id1088165
-Ref: gnutls_session_set_keylog_function1088840
-Ref: gnutls_session_set_premaster1089239
-Ref: gnutls_session_set_ptr1090334
-Ref: gnutls_session_set_verify_cert1090734
-Ref: gnutls_session_set_verify_cert21092078
-Ref: gnutls_session_set_verify_function1093262
-Ref: gnutls_session_supplemental_register1094374
-Ref: gnutls_session_ticket_enable_client1095632
-Ref: gnutls_session_ticket_enable_server1096125
-Ref: gnutls_session_ticket_key_generate1096919
-Ref: gnutls_session_ticket_send1097347
-Ref: gnutls_set_default_priority1097931
-Ref: gnutls_set_default_priority_append1099016
-Ref: gnutls_sign_algorithm_get1100358
-Ref: gnutls_sign_algorithm_get_client1100801
-Ref: gnutls_sign_algorithm_get_requested1101268
-Ref: gnutls_sign_get_hash_algorithm1102295
-Ref: gnutls_sign_get_id1102707
-Ref: gnutls_sign_get_name1103070
-Ref: gnutls_sign_get_oid1103402
-Ref: gnutls_sign_get_pk_algorithm1103788
-Ref: gnutls_sign_is_secure1104395
-Ref: gnutls_sign_is_secure21104665
-Ref: gnutls_sign_list1105001
-Ref: gnutls_sign_supports_pk_algorithm1105361
-Ref: gnutls_srp_allocate_client_credentials1105945
-Ref: gnutls_srp_allocate_server_credentials1106346
-Ref: gnutls_srp_base64_decode1106719
-Ref: gnutls_srp_base64_decode21107424
-Ref: gnutls_srp_base64_encode1108092
-Ref: gnutls_srp_base64_encode21108893
-Ref: gnutls_srp_free_client_credentials1109624
-Ref: gnutls_srp_free_server_credentials1109907
-Ref: gnutls_srp_server_get_username1110182
-Ref: gnutls_srp_set_client_credentials1110636
-Ref: gnutls_srp_set_client_credentials_function1111526
-Ref: gnutls_srp_set_prime_bits1112773
-Ref: gnutls_srp_set_server_credentials_file1113458
-Ref: gnutls_srp_set_server_credentials_function1114184
-Ref: gnutls_srp_set_server_fake_salt_seed1115899
-Ref: gnutls_srp_verifier1117402
-Ref: gnutls_srtp_get_keys1118330
-Ref: gnutls_srtp_get_mki1119724
-Ref: gnutls_srtp_get_profile_id1120293
-Ref: gnutls_srtp_get_profile_name1120751
-Ref: gnutls_srtp_get_selected_profile1121172
-Ref: gnutls_srtp_set_mki1121616
-Ref: gnutls_srtp_set_profile1122065
-Ref: gnutls_srtp_set_profile_direct1122597
-Ref: gnutls_store_commitment1123320
-Ref: gnutls_store_pubkey1124619
-Ref: gnutls_strerror1126406
-Ref: gnutls_strerror_name1126891
-Ref: gnutls_supplemental_get_name1127360
-Ref: gnutls_supplemental_recv1127782
-Ref: gnutls_supplemental_register1128252
-Ref: gnutls_supplemental_send1129364
-Ref: gnutls_system_recv_timeout1129809
-Ref: gnutls_tdb_deinit1130551
-Ref: gnutls_tdb_init1130766
-Ref: gnutls_tdb_set_store_commitment_func1131125
-Ref: gnutls_tdb_set_store_func1131806
-Ref: gnutls_tdb_set_verify_func1132395
-Ref: gnutls_transport_get_int1133139
-Ref: gnutls_transport_get_int21133547
-Ref: gnutls_transport_get_ptr1134050
-Ref: gnutls_transport_get_ptr21134466
-Ref: gnutls_transport_set_errno1135000
-Ref: gnutls_transport_set_errno_function1135987
-Ref: gnutls_transport_set_int1136524
-Ref: gnutls_transport_set_int21137078
-Ref: gnutls_transport_set_ptr1137807
-Ref: gnutls_transport_set_ptr21138220
-Ref: gnutls_transport_set_pull_function1138864
-Ref: gnutls_transport_set_pull_timeout_function1139644
-Ref: gnutls_transport_set_push_function1141347
-Ref: gnutls_transport_set_vec_push_function1142192
-Ref: gnutls_url_is_supported1142888
-Ref: gnutls_utf8_password_normalize1143308
-Ref: gnutls_verify_stored_pubkey1144097
-Node: Datagram TLS API1147244
-Ref: gnutls_dtls_cookie_send1147520
-Ref: gnutls_dtls_cookie_verify1148775
-Ref: gnutls_dtls_get_data_mtu1149719
-Ref: gnutls_dtls_get_mtu1150162
-Ref: gnutls_dtls_get_timeout1150605
-Ref: gnutls_dtls_prestate_set1151148
-Ref: gnutls_dtls_set_data_mtu1151732
-Ref: gnutls_dtls_set_mtu1152706
-Ref: gnutls_dtls_set_timeouts1153313
-Ref: gnutls_record_get_discarded1154317
-Node: X509 certificate API1154591
-Ref: gnutls_certificate_get_trust_list1154940
-Ref: gnutls_certificate_set_trust_list1155588
-Ref: gnutls_certificate_verification_profile_get_id1156363
-Ref: gnutls_certificate_verification_profile_get_name1156910
-Ref: gnutls_pkcs8_info1157293
-Ref: gnutls_pkcs_schema_get_name1158811
-Ref: gnutls_pkcs_schema_get_oid1159216
-Ref: gnutls_session_set_verify_output_function1159643
-Ref: gnutls_subject_alt_names_deinit1160800
-Ref: gnutls_subject_alt_names_get1161079
-Ref: gnutls_subject_alt_names_init1162089
-Ref: gnutls_subject_alt_names_set1162469
-Ref: gnutls_x509_aia_deinit1163288
-Ref: gnutls_x509_aia_get1163522
-Ref: gnutls_x509_aia_init1164681
-Ref: gnutls_x509_aia_set1165016
-Ref: gnutls_x509_aki_deinit1165811
-Ref: gnutls_x509_aki_get_cert_issuer1166075
-Ref: gnutls_x509_aki_get_id1167141
-Ref: gnutls_x509_aki_init1167680
-Ref: gnutls_x509_aki_set_cert_issuer1168029
-Ref: gnutls_x509_aki_set_id1169144
-Ref: gnutls_x509_cidr_to_rfc52801169573
-Ref: gnutls_x509_crl_check_issuer1170471
-Ref: gnutls_x509_crl_deinit1170919
-Ref: gnutls_x509_crl_dist_points_deinit1171151
-Ref: gnutls_x509_crl_dist_points_get1171446
-Ref: gnutls_x509_crl_dist_points_init1172420
-Ref: gnutls_x509_crl_dist_points_set1172816
-Ref: gnutls_x509_crl_export1173519
-Ref: gnutls_x509_crl_export21174402
-Ref: gnutls_x509_crl_get_authority_key_gn_serial1175122
-Ref: gnutls_x509_crl_get_authority_key_id1176436
-Ref: gnutls_x509_crl_get_crt_count1177499
-Ref: gnutls_x509_crl_get_crt_serial1177857
-Ref: gnutls_x509_crl_get_dn_oid1178761
-Ref: gnutls_x509_crl_get_extension_data1179567
-Ref: gnutls_x509_crl_get_extension_data21180684
-Ref: gnutls_x509_crl_get_extension_info1181563
-Ref: gnutls_x509_crl_get_extension_oid1182827
-Ref: gnutls_x509_crl_get_issuer_dn1183679
-Ref: gnutls_x509_crl_get_issuer_dn21184680
-Ref: gnutls_x509_crl_get_issuer_dn31185514
-Ref: gnutls_x509_crl_get_issuer_dn_by_oid1186492
-Ref: gnutls_x509_crl_get_next_update1188003
-Ref: gnutls_x509_crl_get_number1188437
-Ref: gnutls_x509_crl_get_raw_issuer_dn1189162
-Ref: gnutls_x509_crl_get_signature1189616
-Ref: gnutls_x509_crl_get_signature_algorithm1190163
-Ref: gnutls_x509_crl_get_signature_oid1190725
-Ref: gnutls_x509_crl_get_this_update1191386
-Ref: gnutls_x509_crl_get_version1191711
-Ref: gnutls_x509_crl_import1192019
-Ref: gnutls_x509_crl_init1192643
-Ref: gnutls_x509_crl_iter_crt_serial1193232
-Ref: gnutls_x509_crl_iter_deinit1194378
-Ref: gnutls_x509_crl_list_import1194623
-Ref: gnutls_x509_crl_list_import21195625
-Ref: gnutls_x509_crl_print1196491
-Ref: gnutls_x509_crl_set_authority_key_id1197140
-Ref: gnutls_x509_crl_set_crt1197793
-Ref: gnutls_x509_crl_set_crt_serial1198366
-Ref: gnutls_x509_crl_set_next_update1198998
-Ref: gnutls_x509_crl_set_number1199615
-Ref: gnutls_x509_crl_set_this_update1200192
-Ref: gnutls_x509_crl_set_version1200596
-Ref: gnutls_x509_crl_sign1201139
-Ref: gnutls_x509_crl_sign21201832
-Ref: gnutls_x509_crl_verify1203068
-Ref: gnutls_x509_crq_deinit1204312
-Ref: gnutls_x509_crq_export1204550
-Ref: gnutls_x509_crq_export21205547
-Ref: gnutls_x509_crq_get_attribute_by_oid1206321
-Ref: gnutls_x509_crq_get_attribute_data1207346
-Ref: gnutls_x509_crq_get_attribute_info1208458
-Ref: gnutls_x509_crq_get_basic_constraints1209655
-Ref: gnutls_x509_crq_get_challenge_password1210908
-Ref: gnutls_x509_crq_get_dn1211520
-Ref: gnutls_x509_crq_get_dn21212469
-Ref: gnutls_x509_crq_get_dn31213326
-Ref: gnutls_x509_crq_get_dn_by_oid1214334
-Ref: gnutls_x509_crq_get_dn_oid1215795
-Ref: gnutls_x509_crq_get_extension_by_oid1216582
-Ref: gnutls_x509_crq_get_extension_by_oid21217739
-Ref: gnutls_x509_crq_get_extension_data1218821
-Ref: gnutls_x509_crq_get_extension_data21219951
-Ref: gnutls_x509_crq_get_extension_info1220830
-Ref: gnutls_x509_crq_get_key_id1222091
-Ref: gnutls_x509_crq_get_key_purpose_oid1223158
-Ref: gnutls_x509_crq_get_key_rsa_raw1224173
-Ref: gnutls_x509_crq_get_key_usage1224797
-Ref: gnutls_x509_crq_get_pk_algorithm1225883
-Ref: gnutls_x509_crq_get_pk_oid1226604
-Ref: gnutls_x509_crq_get_private_key_usage_period1227261
-Ref: gnutls_x509_crq_get_signature_algorithm1227976
-Ref: gnutls_x509_crq_get_signature_oid1228615
-Ref: gnutls_x509_crq_get_spki1229276
-Ref: gnutls_x509_crq_get_subject_alt_name1229836
-Ref: gnutls_x509_crq_get_subject_alt_othername_oid1231394
-Ref: gnutls_x509_crq_get_tlsfeatures1232874
-Ref: gnutls_x509_crq_get_version1234003
-Ref: gnutls_x509_crq_import1234349
-Ref: gnutls_x509_crq_init1235031
-Ref: gnutls_x509_crq_print1235379
-Ref: gnutls_x509_crq_set_attribute_by_oid1236035
-Ref: gnutls_x509_crq_set_basic_constraints1236900
-Ref: gnutls_x509_crq_set_challenge_password1237644
-Ref: gnutls_x509_crq_set_dn1238095
-Ref: gnutls_x509_crq_set_dn_by_oid1238713
-Ref: gnutls_x509_crq_set_extension_by_oid1239843
-Ref: gnutls_x509_crq_set_key1240622
-Ref: gnutls_x509_crq_set_key_purpose_oid1241085
-Ref: gnutls_x509_crq_set_key_rsa_raw1241865
-Ref: gnutls_x509_crq_set_key_usage1242441
-Ref: gnutls_x509_crq_set_private_key_usage_period1242945
-Ref: gnutls_x509_crq_set_spki1243450
-Ref: gnutls_x509_crq_set_subject_alt_name1244321
-Ref: gnutls_x509_crq_set_subject_alt_othername1245147
-Ref: gnutls_x509_crq_set_tlsfeatures1245985
-Ref: gnutls_x509_crq_set_version1246535
-Ref: gnutls_x509_crq_sign1247020
-Ref: gnutls_x509_crq_sign21247791
-Ref: gnutls_x509_crq_verify1249123
-Ref: gnutls_x509_crt_check_email1249716
-Ref: gnutls_x509_crt_check_hostname1250244
-Ref: gnutls_x509_crt_check_hostname21250956
-Ref: gnutls_x509_crt_check_ip1252707
-Ref: gnutls_x509_crt_check_issuer1253321
-Ref: gnutls_x509_crt_check_key_purpose1254059
-Ref: gnutls_x509_crt_check_revocation1254753
-Ref: gnutls_x509_crt_cpy_crl_dist_points1255402
-Ref: gnutls_x509_crt_deinit1255991
-Ref: gnutls_x509_crt_equals1256209
-Ref: gnutls_x509_crt_equals21256591
-Ref: gnutls_x509_crt_export1257015
-Ref: gnutls_x509_crt_export21257926
-Ref: gnutls_x509_crt_get_activation_time1258624
-Ref: gnutls_x509_crt_get_authority_info_access1259002
-Ref: gnutls_x509_crt_get_authority_key_gn_serial1262476
-Ref: gnutls_x509_crt_get_authority_key_id1263917
-Ref: gnutls_x509_crt_get_basic_constraints1265048
-Ref: gnutls_x509_crt_get_ca_status1266262
-Ref: gnutls_x509_crt_get_crl_dist_points1267261
-Ref: gnutls_x509_crt_get_dn1268586
-Ref: gnutls_x509_crt_get_dn21269781
-Ref: gnutls_x509_crt_get_dn31270590
-Ref: gnutls_x509_crt_get_dn_by_oid1271550
-Ref: gnutls_x509_crt_get_dn_oid1273319
-Ref: gnutls_x509_crt_get_expiration_time1274347
-Ref: gnutls_x509_crt_get_extension_by_oid1274713
-Ref: gnutls_x509_crt_get_extension_by_oid21275840
-Ref: gnutls_x509_crt_get_extension_data1276913
-Ref: gnutls_x509_crt_get_extension_data21278002
-Ref: gnutls_x509_crt_get_extension_info1278867
-Ref: gnutls_x509_crt_get_extension_oid1280279
-Ref: gnutls_x509_crt_get_fingerprint1281242
-Ref: gnutls_x509_crt_get_inhibit_anypolicy1282130
-Ref: gnutls_x509_crt_get_issuer1283099
-Ref: gnutls_x509_crt_get_issuer_alt_name1283737
-Ref: gnutls_x509_crt_get_issuer_alt_name21285537
-Ref: gnutls_x509_crt_get_issuer_alt_othername_oid1287119
-Ref: gnutls_x509_crt_get_issuer_dn1288768
-Ref: gnutls_x509_crt_get_issuer_dn21289889
-Ref: gnutls_x509_crt_get_issuer_dn31290736
-Ref: gnutls_x509_crt_get_issuer_dn_by_oid1291727
-Ref: gnutls_x509_crt_get_issuer_dn_oid1293514
-Ref: gnutls_x509_crt_get_issuer_unique_id1294550
-Ref: gnutls_x509_crt_get_key_id1295645
-Ref: gnutls_x509_crt_get_key_purpose_oid1296668
-Ref: gnutls_x509_crt_get_key_usage1297829
-Ref: gnutls_x509_crt_get_name_constraints1298889
-Ref: gnutls_x509_crt_get_pk_algorithm1300297
-Ref: gnutls_x509_crt_get_pk_dsa_raw1301086
-Ref: gnutls_x509_crt_get_pk_ecc_raw1301754
-Ref: gnutls_x509_crt_get_pk_gost_raw1302567
-Ref: gnutls_x509_crt_get_pk_oid1303411
-Ref: gnutls_x509_crt_get_pk_rsa_raw1304037
-Ref: gnutls_x509_crt_get_policy1304615
-Ref: gnutls_x509_crt_get_private_key_usage_period1305561
-Ref: gnutls_x509_crt_get_proxy1306313
-Ref: gnutls_x509_crt_get_raw_dn1307334
-Ref: gnutls_x509_crt_get_raw_issuer_dn1307927
-Ref: gnutls_x509_crt_get_serial1308506
-Ref: gnutls_x509_crt_get_signature1309246
-Ref: gnutls_x509_crt_get_signature_algorithm1309801
-Ref: gnutls_x509_crt_get_signature_oid1310414
-Ref: gnutls_x509_crt_get_spki1311072
-Ref: gnutls_x509_crt_get_subject1311558
-Ref: gnutls_x509_crt_get_subject_alt_name1312201
-Ref: gnutls_x509_crt_get_subject_alt_name21313960
-Ref: gnutls_x509_crt_get_subject_alt_othername_oid1315525
-Ref: gnutls_x509_crt_get_subject_key_id1317165
-Ref: gnutls_x509_crt_get_subject_unique_id1317997
-Ref: gnutls_x509_crt_get_tlsfeatures1319082
-Ref: gnutls_x509_crt_get_version1320194
-Ref: gnutls_x509_crt_import1320521
-Ref: gnutls_x509_crt_import_url1321222
-Ref: gnutls_x509_crt_init1321943
-Ref: gnutls_x509_crt_list_import1322290
-Ref: gnutls_x509_crt_list_import21323657
-Ref: gnutls_x509_crt_list_import_url1324729
-Ref: gnutls_x509_crt_list_verify1325953
-Ref: gnutls_x509_crt_print1327533
-Ref: gnutls_x509_crt_set_activation_time1328425
-Ref: gnutls_x509_crt_set_authority_info_access1328892
-Ref: gnutls_x509_crt_set_authority_key_id1329787
-Ref: gnutls_x509_crt_set_basic_constraints1330369
-Ref: gnutls_x509_crt_set_ca_status1331068
-Ref: gnutls_x509_crt_set_crl_dist_points1331666
-Ref: gnutls_x509_crt_set_crl_dist_points21332318
-Ref: gnutls_x509_crt_set_crq1333017
-Ref: gnutls_x509_crt_set_crq_extension_by_oid1333734
-Ref: gnutls_x509_crt_set_crq_extensions1334370
-Ref: gnutls_x509_crt_set_dn1334836
-Ref: gnutls_x509_crt_set_dn_by_oid1335719
-Ref: gnutls_x509_crt_set_expiration_time1336836
-Ref: gnutls_x509_crt_set_extension_by_oid1337381
-Ref: gnutls_x509_crt_set_flags1338156
-Ref: gnutls_x509_crt_set_inhibit_anypolicy1338664
-Ref: gnutls_x509_crt_set_issuer_alt_name1339174
-Ref: gnutls_x509_crt_set_issuer_alt_othername1340196
-Ref: gnutls_x509_crt_set_issuer_dn1341172
-Ref: gnutls_x509_crt_set_issuer_dn_by_oid1341811
-Ref: gnutls_x509_crt_set_issuer_unique_id1343090
-Ref: gnutls_x509_crt_set_key1343595
-Ref: gnutls_x509_crt_set_key_purpose_oid1344175
-Ref: gnutls_x509_crt_set_key_usage1344943
-Ref: gnutls_x509_crt_set_name_constraints1345402
-Ref: gnutls_x509_crt_set_pin_function1346024
-Ref: gnutls_x509_crt_set_policy1346692
-Ref: gnutls_x509_crt_set_private_key_usage_period1347545
-Ref: gnutls_x509_crt_set_proxy1348052
-Ref: gnutls_x509_crt_set_proxy_dn1348866
-Ref: gnutls_x509_crt_set_serial1349885
-Ref: gnutls_x509_crt_set_spki1350945
-Ref: gnutls_x509_crt_set_subject_alt_name1351800
-Ref: gnutls_x509_crt_set_subject_alt_othername1353040
-Ref: gnutls_x509_crt_set_subject_alternative_name1354048
-Ref: gnutls_x509_crt_set_subject_key_id1354946
-Ref: gnutls_x509_crt_set_subject_unique_id1355466
-Ref: gnutls_x509_crt_set_tlsfeatures1355989
-Ref: gnutls_x509_crt_set_version1356513
-Ref: gnutls_x509_crt_sign1357336
-Ref: gnutls_x509_crt_sign21358031
-Ref: gnutls_x509_crt_verify1359264
-Ref: gnutls_x509_crt_verify_data21360313
-Ref: gnutls_x509_dn_deinit1361317
-Ref: gnutls_x509_dn_export1361579
-Ref: gnutls_x509_dn_export21362473
-Ref: gnutls_x509_dn_get_rdn_ava1363134
-Ref: gnutls_x509_dn_get_str1364166
-Ref: gnutls_x509_dn_get_str21364762
-Ref: gnutls_x509_dn_import1365624
-Ref: gnutls_x509_dn_init1366240
-Ref: gnutls_x509_dn_oid_known1366661
-Ref: gnutls_x509_dn_oid_name1367330
-Ref: gnutls_x509_dn_set_str1367859
-Ref: gnutls_x509_ext_deinit1368458
-Ref: gnutls_x509_ext_export_aia1368702
-Ref: gnutls_x509_ext_export_authority_key_id1369296
-Ref: gnutls_x509_ext_export_basic_constraints1369952
-Ref: gnutls_x509_ext_export_crl_dist_points1370649
-Ref: gnutls_x509_ext_export_inhibit_anypolicy1371317
-Ref: gnutls_x509_ext_export_key_purposes1371985
-Ref: gnutls_x509_ext_export_key_usage1372604
-Ref: gnutls_x509_ext_export_name_constraints1373220
-Ref: gnutls_x509_ext_export_policies1373861
-Ref: gnutls_x509_ext_export_private_key_usage_period1374524
-Ref: gnutls_x509_ext_export_proxy1375189
-Ref: gnutls_x509_ext_export_subject_alt_names1376175
-Ref: gnutls_x509_ext_export_subject_key_id1376824
-Ref: gnutls_x509_ext_export_tlsfeatures1377446
-Ref: gnutls_x509_ext_import_aia1378064
-Ref: gnutls_x509_ext_import_authority_key_id1378769
-Ref: gnutls_x509_ext_import_basic_constraints1379437
-Ref: gnutls_x509_ext_import_crl_dist_points1380063
-Ref: gnutls_x509_ext_import_inhibit_anypolicy1380691
-Ref: gnutls_x509_ext_import_key_purposes1381606
-Ref: gnutls_x509_ext_import_key_usage1382240
-Ref: gnutls_x509_ext_import_name_constraints1383256
-Ref: gnutls_x509_ext_import_policies1384594
-Ref: gnutls_x509_ext_import_private_key_usage_period1385201
-Ref: gnutls_x509_ext_import_proxy1385816
-Ref: gnutls_x509_ext_import_subject_alt_names1386902
-Ref: gnutls_x509_ext_import_subject_key_id1387660
-Ref: gnutls_x509_ext_import_tlsfeatures1388295
-Ref: gnutls_x509_ext_print1389187
-Ref: gnutls_x509_key_purpose_deinit1389898
-Ref: gnutls_x509_key_purpose_get1390152
-Ref: gnutls_x509_key_purpose_init1390880
-Ref: gnutls_x509_key_purpose_set1391241
-Ref: gnutls_x509_name_constraints_add_excluded1391696
-Ref: gnutls_x509_name_constraints_add_permitted1392637
-Ref: gnutls_x509_name_constraints_check1393512
-Ref: gnutls_x509_name_constraints_check_crt1394349
-Ref: gnutls_x509_name_constraints_deinit1395219
-Ref: gnutls_x509_name_constraints_get_excluded1395519
-Ref: gnutls_x509_name_constraints_get_permitted1396590
-Ref: gnutls_x509_name_constraints_init1397644
-Ref: gnutls_x509_othername_to_virtual1398027
-Ref: gnutls_x509_policies_deinit1398646
-Ref: gnutls_x509_policies_get1398926
-Ref: gnutls_x509_policies_init1399712
-Ref: gnutls_x509_policies_set1400077
-Ref: gnutls_x509_policy_release1400544
-Ref: gnutls_x509_privkey_cpy1400908
-Ref: gnutls_x509_privkey_deinit1401378
-Ref: gnutls_x509_privkey_export1401619
-Ref: gnutls_x509_privkey_export21402654
-Ref: gnutls_x509_privkey_export2_pkcs81403532
-Ref: gnutls_x509_privkey_export_dsa_raw1404808
-Ref: gnutls_x509_privkey_export_ecc_raw1405548
-Ref: gnutls_x509_privkey_export_gost_raw1406431
-Ref: gnutls_x509_privkey_export_pkcs81407516
-Ref: gnutls_x509_privkey_export_rsa_raw1409021
-Ref: gnutls_x509_privkey_export_rsa_raw21409882
-Ref: gnutls_x509_privkey_fix1410868
-Ref: gnutls_x509_privkey_generate1411253
-Ref: gnutls_x509_privkey_generate21412778
-Ref: gnutls_x509_privkey_get_key_id1414937
-Ref: gnutls_x509_privkey_get_pk_algorithm1415956
-Ref: gnutls_x509_privkey_get_pk_algorithm21416384
-Ref: gnutls_x509_privkey_get_seed1416875
-Ref: gnutls_x509_privkey_get_spki1417699
-Ref: gnutls_x509_privkey_import1418234
-Ref: gnutls_x509_privkey_import21419029
-Ref: gnutls_x509_privkey_import_dsa_raw1420102
-Ref: gnutls_x509_privkey_import_ecc_raw1420834
-Ref: gnutls_x509_privkey_import_gost_raw1421650
-Ref: gnutls_x509_privkey_import_openssl1422926
-Ref: gnutls_x509_privkey_import_pkcs81423800
-Ref: gnutls_x509_privkey_import_rsa_raw1425247
-Ref: gnutls_x509_privkey_import_rsa_raw21426101
-Ref: gnutls_x509_privkey_init1427097
-Ref: gnutls_x509_privkey_sec_param1427442
-Ref: gnutls_x509_privkey_set_flags1427861
-Ref: gnutls_x509_privkey_set_pin_function1428411
-Ref: gnutls_x509_privkey_set_spki1429029
-Ref: gnutls_x509_privkey_sign_data1429576
-Ref: gnutls_x509_privkey_verify_params1430797
-Ref: gnutls_x509_privkey_verify_seed1431133
-Ref: gnutls_x509_rdn_get1431962
-Ref: gnutls_x509_rdn_get21432780
-Ref: gnutls_x509_rdn_get_by_oid1433688
-Ref: gnutls_x509_rdn_get_oid1434670
-Ref: gnutls_x509_spki_deinit1435415
-Ref: gnutls_x509_spki_get_rsa_pss_params1435697
-Ref: gnutls_x509_spki_init1436258
-Ref: gnutls_x509_spki_set_rsa_pss_params1436774
-Ref: gnutls_x509_tlsfeatures_add1437287
-Ref: gnutls_x509_tlsfeatures_check_crt1437743
-Ref: gnutls_x509_tlsfeatures_deinit1438343
-Ref: gnutls_x509_tlsfeatures_get1438621
-Ref: gnutls_x509_tlsfeatures_init1439181
-Ref: gnutls_x509_trust_list_add_cas1439566
-Ref: gnutls_x509_trust_list_add_crls1440751
-Ref: gnutls_x509_trust_list_add_named_crt1442129
-Ref: gnutls_x509_trust_list_add_system_trust1443344
-Ref: gnutls_x509_trust_list_add_trust_dir1444106
-Ref: gnutls_x509_trust_list_add_trust_file1444969
-Ref: gnutls_x509_trust_list_add_trust_mem1446116
-Ref: gnutls_x509_trust_list_deinit1447035
-Ref: gnutls_x509_trust_list_get_issuer1447661
-Ref: gnutls_x509_trust_list_get_issuer_by_dn1448711
-Ref: gnutls_x509_trust_list_get_issuer_by_subject_key_id1449440
-Ref: gnutls_x509_trust_list_get_ptr1450248
-Ref: gnutls_x509_trust_list_init1450761
-Ref: gnutls_x509_trust_list_iter_deinit1451266
-Ref: gnutls_x509_trust_list_iter_get_ca1451575
-Ref: gnutls_x509_trust_list_remove_cas1452755
-Ref: gnutls_x509_trust_list_remove_trust_file1453610
-Ref: gnutls_x509_trust_list_remove_trust_mem1454311
-Ref: gnutls_x509_trust_list_set_getissuer_function1454969
-Ref: gnutls_x509_trust_list_set_ptr1456602
-Ref: gnutls_x509_trust_list_verify_crt1457140
-Ref: gnutls_x509_trust_list_verify_crt21458303
-Ref: gnutls_x509_trust_list_verify_named_crt1461237
-Node: PKCS 7 API1463965
-Ref: gnutls_pkcs7_add_attr1464261
-Ref: gnutls_pkcs7_attrs_deinit1465067
-Ref: gnutls_pkcs7_deinit1465302
-Ref: gnutls_pkcs7_delete_crl1465507
-Ref: gnutls_pkcs7_delete_crt1465936
-Ref: gnutls_pkcs7_export1466382
-Ref: gnutls_pkcs7_export21467282
-Ref: gnutls_pkcs7_get_attr1467943
-Ref: gnutls_pkcs7_get_crl_count1468830
-Ref: gnutls_pkcs7_get_crl_raw1469178
-Ref: gnutls_pkcs7_get_crl_raw21469953
-Ref: gnutls_pkcs7_get_crt_count1470584
-Ref: gnutls_pkcs7_get_crt_raw1470959
-Ref: gnutls_pkcs7_get_crt_raw21471859
-Ref: gnutls_pkcs7_get_embedded_data1472713
-Ref: gnutls_pkcs7_get_embedded_data_oid1473713
-Ref: gnutls_pkcs7_get_signature_count1474273
-Ref: gnutls_pkcs7_get_signature_info1474680
-Ref: gnutls_pkcs7_import1475353
-Ref: gnutls_pkcs7_init1475974
-Ref: gnutls_pkcs7_print1476398
-Ref: gnutls_pkcs7_print_signature_info1477143
-Ref: gnutls_pkcs7_set_crl1477948
-Ref: gnutls_pkcs7_set_crl_raw1478349
-Ref: gnutls_pkcs7_set_crt1478739
-Ref: gnutls_pkcs7_set_crt_raw1479223
-Ref: gnutls_pkcs7_sign1479636
-Ref: gnutls_pkcs7_signature_info_deinit1481075
-Ref: gnutls_pkcs7_verify1481428
-Ref: gnutls_pkcs7_verify_direct1482593
-Node: OCSP API1484053
-Ref: gnutls_ocsp_req_add_cert1484337
-Ref: gnutls_ocsp_req_add_cert_id1485297
-Ref: gnutls_ocsp_req_deinit1486617
-Ref: gnutls_ocsp_req_export1486834
-Ref: gnutls_ocsp_req_get_cert_id1487259
-Ref: gnutls_ocsp_req_get_extension1488851
-Ref: gnutls_ocsp_req_get_nonce1490267
-Ref: gnutls_ocsp_req_get_version1490921
-Ref: gnutls_ocsp_req_import1491308
-Ref: gnutls_ocsp_req_init1491804
-Ref: gnutls_ocsp_req_print1492132
-Ref: gnutls_ocsp_req_randomize_nonce1492868
-Ref: gnutls_ocsp_req_set_extension1493301
-Ref: gnutls_ocsp_req_set_nonce1493985
-Ref: gnutls_ocsp_resp_check_crt1494572
-Ref: gnutls_ocsp_resp_deinit1495156
-Ref: gnutls_ocsp_resp_export1495380
-Ref: gnutls_ocsp_resp_export21495806
-Ref: gnutls_ocsp_resp_get_certs1496326
-Ref: gnutls_ocsp_resp_get_extension1497451
-Ref: gnutls_ocsp_resp_get_nonce1498875
-Ref: gnutls_ocsp_resp_get_produced1499541
-Ref: gnutls_ocsp_resp_get_responder1499888
-Ref: gnutls_ocsp_resp_get_responder21500993
-Ref: gnutls_ocsp_resp_get_responder_raw_id1502256
-Ref: gnutls_ocsp_resp_get_response1503087
-Ref: gnutls_ocsp_resp_get_signature1504313
-Ref: gnutls_ocsp_resp_get_signature_algorithm1504802
-Ref: gnutls_ocsp_resp_get_single1505280
-Ref: gnutls_ocsp_resp_get_status1507222
-Ref: gnutls_ocsp_resp_get_version1507651
-Ref: gnutls_ocsp_resp_import1508059
-Ref: gnutls_ocsp_resp_import21508627
-Ref: gnutls_ocsp_resp_init1509255
-Ref: gnutls_ocsp_resp_list_import21509604
-Ref: gnutls_ocsp_resp_print1510795
-Ref: gnutls_ocsp_resp_verify1511521
-Ref: gnutls_ocsp_resp_verify_direct1513138
-Node: PKCS 12 API1515571
-Ref: gnutls_pkcs12_bag_decrypt1515861
-Ref: gnutls_pkcs12_bag_deinit1516293
-Ref: gnutls_pkcs12_bag_enc_info1516531
-Ref: gnutls_pkcs12_bag_encrypt1517904
-Ref: gnutls_pkcs12_bag_get_count1518409
-Ref: gnutls_pkcs12_bag_get_data1518720
-Ref: gnutls_pkcs12_bag_get_friendly_name1519326
-Ref: gnutls_pkcs12_bag_get_key_id1519963
-Ref: gnutls_pkcs12_bag_get_type1520582
-Ref: gnutls_pkcs12_bag_init1520952
-Ref: gnutls_pkcs12_bag_set_crl1521410
-Ref: gnutls_pkcs12_bag_set_crt1521843
-Ref: gnutls_pkcs12_bag_set_data1522289
-Ref: gnutls_pkcs12_bag_set_friendly_name1522760
-Ref: gnutls_pkcs12_bag_set_key_id1523444
-Ref: gnutls_pkcs12_bag_set_privkey1524118
-Ref: gnutls_pkcs12_deinit1524774
-Ref: gnutls_pkcs12_export1524976
-Ref: gnutls_pkcs12_export21525883
-Ref: gnutls_pkcs12_generate_mac1526559
-Ref: gnutls_pkcs12_generate_mac21526950
-Ref: gnutls_pkcs12_get_bag1527394
-Ref: gnutls_pkcs12_import1527980
-Ref: gnutls_pkcs12_init1528701
-Ref: gnutls_pkcs12_mac_info1529134
-Ref: gnutls_pkcs12_set_bag1530443
-Ref: gnutls_pkcs12_simple_parse1530849
-Ref: gnutls_pkcs12_verify_mac1533530
-Node: PKCS 11 API1533886
-Ref: gnutls_pkcs11_add_provider1534215
-Ref: gnutls_pkcs11_copy_attached_extension1534960
-Ref: gnutls_pkcs11_copy_pubkey1535819
-Ref: gnutls_pkcs11_copy_secret_key1536852
-Ref: gnutls_pkcs11_copy_x509_crt1537577
-Ref: gnutls_pkcs11_copy_x509_crt21538225
-Ref: gnutls_pkcs11_copy_x509_privkey1539193
-Ref: gnutls_pkcs11_copy_x509_privkey21540010
-Ref: gnutls_pkcs11_crt_is_known1540955
-Ref: gnutls_pkcs11_deinit1542091
-Ref: gnutls_pkcs11_delete_url1542408
-Ref: gnutls_pkcs11_get_pin_function1542924
-Ref: gnutls_pkcs11_get_raw_issuer1543307
-Ref: gnutls_pkcs11_get_raw_issuer_by_dn1544217
-Ref: gnutls_pkcs11_get_raw_issuer_by_subject_key_id1545256
-Ref: gnutls_pkcs11_init1546367
-Ref: gnutls_pkcs11_obj_deinit1547409
-Ref: gnutls_pkcs11_obj_export1547655
-Ref: gnutls_pkcs11_obj_export21548500
-Ref: gnutls_pkcs11_obj_export31549097
-Ref: gnutls_pkcs11_obj_export_url1549770
-Ref: gnutls_pkcs11_obj_flags_get_str1550297
-Ref: gnutls_pkcs11_obj_get_exts1550776
-Ref: gnutls_pkcs11_obj_get_flags1551712
-Ref: gnutls_pkcs11_obj_get_info1552249
-Ref: gnutls_pkcs11_obj_get_ptr1553513
-Ref: gnutls_pkcs11_obj_get_type1554422
-Ref: gnutls_pkcs11_obj_import_url1554772
-Ref: gnutls_pkcs11_obj_init1555692
-Ref: gnutls_pkcs11_obj_list_import_url31556077
-Ref: gnutls_pkcs11_obj_list_import_url41558018
-Ref: gnutls_pkcs11_obj_set_info1559694
-Ref: gnutls_pkcs11_obj_set_pin_function1560473
-Ref: gnutls_pkcs11_privkey_cpy1560984
-Ref: gnutls_pkcs11_privkey_deinit1561485
-Ref: gnutls_pkcs11_privkey_export_pubkey1561748
-Ref: gnutls_pkcs11_privkey_export_url1562552
-Ref: gnutls_pkcs11_privkey_generate1563062
-Ref: gnutls_pkcs11_privkey_generate21563734
-Ref: gnutls_pkcs11_privkey_generate31564964
-Ref: gnutls_pkcs11_privkey_get_info1566474
-Ref: gnutls_pkcs11_privkey_get_pk_algorithm1567356
-Ref: gnutls_pkcs11_privkey_import_url1567887
-Ref: gnutls_pkcs11_privkey_init1568588
-Ref: gnutls_pkcs11_privkey_set_pin_function1569303
-Ref: gnutls_pkcs11_privkey_status1569823
-Ref: gnutls_pkcs11_reinit1570199
-Ref: gnutls_pkcs11_set_pin_function1570759
-Ref: gnutls_pkcs11_set_token_function1571249
-Ref: gnutls_pkcs11_token_check_mechanism1571667
-Ref: gnutls_pkcs11_token_get_flags1572424
-Ref: gnutls_pkcs11_token_get_info1572966
-Ref: gnutls_pkcs11_token_get_mechanism1573989
-Ref: gnutls_pkcs11_token_get_ptr1574602
-Ref: gnutls_pkcs11_token_get_random1575301
-Ref: gnutls_pkcs11_token_get_url1575932
-Ref: gnutls_pkcs11_token_init1576600
-Ref: gnutls_pkcs11_token_set_pin1577238
-Ref: gnutls_pkcs11_type_get_name1578078
-Ref: gnutls_x509_crt_import_pkcs111578567
-Ref: gnutls_x509_crt_list_import_pkcs111579089
-Node: TPM API1579698
-Ref: gnutls_tpm_get_registered1579977
-Ref: gnutls_tpm_key_list_deinit1580370
-Ref: gnutls_tpm_key_list_get_url1580638
-Ref: gnutls_tpm_privkey_delete1581291
-Ref: gnutls_tpm_privkey_generate1581729
-Node: Abstract key API1583079
-Ref: gnutls_certificate_set_key1583400
-Ref: gnutls_certificate_set_retrieve_function21585536
-Ref: gnutls_certificate_set_retrieve_function31587786
-Ref: gnutls_pcert_deinit1590646
-Ref: gnutls_pcert_export_openpgp1590891
-Ref: gnutls_pcert_export_x5091591240
-Ref: gnutls_pcert_import_openpgp1591890
-Ref: gnutls_pcert_import_openpgp_raw1592289
-Ref: gnutls_pcert_import_rawpk1592858
-Ref: gnutls_pcert_import_rawpk_raw1593711
-Ref: gnutls_pcert_import_x5091594960
-Ref: gnutls_pcert_import_x509_list1595557
-Ref: gnutls_pcert_import_x509_raw1596747
-Ref: gnutls_pcert_list_import_x509_file1597453
-Ref: gnutls_pcert_list_import_x509_raw1598885
-Ref: gnutls_privkey_decrypt_data1600219
-Ref: gnutls_privkey_decrypt_data21600867
-Ref: gnutls_privkey_deinit1601692
-Ref: gnutls_privkey_export_dsa_raw1601941
-Ref: gnutls_privkey_export_dsa_raw21602671
-Ref: gnutls_privkey_export_ecc_raw1603477
-Ref: gnutls_privkey_export_ecc_raw21604339
-Ref: gnutls_privkey_export_gost_raw21605281
-Ref: gnutls_privkey_export_openpgp1606415
-Ref: gnutls_privkey_export_pkcs111606767
-Ref: gnutls_privkey_export_rsa_raw1607379
-Ref: gnutls_privkey_export_rsa_raw21608410
-Ref: gnutls_privkey_export_x5091609456
-Ref: gnutls_privkey_generate1610104
-Ref: gnutls_privkey_generate21611595
-Ref: gnutls_privkey_get_pk_algorithm1613723
-Ref: gnutls_privkey_get_seed1614337
-Ref: gnutls_privkey_get_spki1615136
-Ref: gnutls_privkey_get_type1615716
-Ref: gnutls_privkey_import_dsa_raw1616205
-Ref: gnutls_privkey_import_ecc_raw1616917
-Ref: gnutls_privkey_import_ext1617730
-Ref: gnutls_privkey_import_ext21618880
-Ref: gnutls_privkey_import_ext31620237
-Ref: gnutls_privkey_import_ext41621851
-Ref: gnutls_privkey_import_gost_raw1624611
-Ref: gnutls_privkey_import_openpgp1625819
-Ref: gnutls_privkey_import_openpgp_raw1626228
-Ref: gnutls_privkey_import_pkcs111626817
-Ref: gnutls_privkey_import_pkcs11_url1627575
-Ref: gnutls_privkey_import_rsa_raw1628024
-Ref: gnutls_privkey_import_tpm_raw1629020
-Ref: gnutls_privkey_import_tpm_url1629887
-Ref: gnutls_privkey_import_url1630990
-Ref: gnutls_privkey_import_x5091631537
-Ref: gnutls_privkey_import_x509_raw1632285
-Ref: gnutls_privkey_init1633064
-Ref: gnutls_privkey_set_flags1633982
-Ref: gnutls_privkey_set_pin_function1634507
-Ref: gnutls_privkey_set_spki1635077
-Ref: gnutls_privkey_sign_data1635650
-Ref: gnutls_privkey_sign_data21636670
-Ref: gnutls_privkey_sign_hash1637568
-Ref: gnutls_privkey_sign_hash21639005
-Ref: gnutls_privkey_status1640271
-Ref: gnutls_privkey_verify_params1640815
-Ref: gnutls_privkey_verify_seed1641177
-Ref: gnutls_pubkey_deinit1641889
-Ref: gnutls_pubkey_encrypt_data1642129
-Ref: gnutls_pubkey_export1642771
-Ref: gnutls_pubkey_export21643785
-Ref: gnutls_pubkey_export_dsa_raw1644558
-Ref: gnutls_pubkey_export_dsa_raw21645370
-Ref: gnutls_pubkey_export_ecc_raw1646254
-Ref: gnutls_pubkey_export_ecc_raw21647153
-Ref: gnutls_pubkey_export_ecc_x9621648132
-Ref: gnutls_pubkey_export_gost_raw21648791
-Ref: gnutls_pubkey_export_rsa_raw1649935
-Ref: gnutls_pubkey_export_rsa_raw21650632
-Ref: gnutls_pubkey_get_key_id1651393
-Ref: gnutls_pubkey_get_key_usage1652418
-Ref: gnutls_pubkey_get_openpgp_key_id1652915
-Ref: gnutls_pubkey_get_pk_algorithm1653554
-Ref: gnutls_pubkey_get_preferred_hash_algorithm1654202
-Ref: gnutls_pubkey_get_spki1655143
-Ref: gnutls_pubkey_import1655711
-Ref: gnutls_pubkey_import_dsa_raw1656395
-Ref: gnutls_pubkey_import_ecc_raw1657056
-Ref: gnutls_pubkey_import_ecc_x9621657824
-Ref: gnutls_pubkey_import_gost_raw1658460
-Ref: gnutls_pubkey_import_openpgp1659607
-Ref: gnutls_pubkey_import_openpgp_raw1659999
-Ref: gnutls_pubkey_import_pkcs111660568
-Ref: gnutls_pubkey_import_privkey1661110
-Ref: gnutls_pubkey_import_rsa_raw1661812
-Ref: gnutls_pubkey_import_tpm_raw1662336
-Ref: gnutls_pubkey_import_tpm_url1663113
-Ref: gnutls_pubkey_import_url1664005
-Ref: gnutls_pubkey_import_x5091664478
-Ref: gnutls_pubkey_import_x509_crq1664978
-Ref: gnutls_pubkey_import_x509_raw1665481
-Ref: gnutls_pubkey_init1666058
-Ref: gnutls_pubkey_print1666387
-Ref: gnutls_pubkey_set_key_usage1667121
-Ref: gnutls_pubkey_set_pin_function1667690
-Ref: gnutls_pubkey_set_spki1668255
-Ref: gnutls_pubkey_verify_data21668826
-Ref: gnutls_pubkey_verify_hash21669734
-Ref: gnutls_pubkey_verify_params1670858
-Ref: gnutls_register_custom_url1671216
-Ref: gnutls_system_key_add_x5091672154
-Ref: gnutls_system_key_delete1672899
-Ref: gnutls_system_key_iter_deinit1673323
-Ref: gnutls_system_key_iter_get_info1673591
-Ref: gnutls_x509_crl_privkey_sign1674865
-Ref: gnutls_x509_crq_privkey_sign1676134
-Ref: gnutls_x509_crq_set_pubkey1677496
-Ref: gnutls_x509_crt_privkey_sign1678004
-Ref: gnutls_x509_crt_set_pubkey1679247
-Node: Socket specific API1679700
-Ref: gnutls_transport_set_fastopen1679993
-Node: DANE API1681539
-Ref: dane_cert_type_name1681913
-Ref: dane_cert_usage_name1682203
-Ref: dane_match_type_name1682515
-Ref: dane_query_data1682798
-Ref: dane_query_deinit1683477
-Ref: dane_query_entries1683682
-Ref: dane_query_status1683924
-Ref: dane_query_tlsa1684218
-Ref: dane_query_to_raw_tlsa1684809
-Ref: dane_raw_tlsa1686151
-Ref: dane_state_deinit1687228
-Ref: dane_state_init1687420
-Ref: dane_state_set_dlv_file1687934
-Ref: dane_strerror1688235
-Ref: dane_verification_status_print1688734
-Ref: dane_verify_crt1689328
-Ref: dane_verify_crt_raw1691515
-Ref: dane_verify_session_crt1692748
-Node: Cryptographic API1694150
-Ref: gnutls_aead_cipher_decrypt1694651
-Ref: gnutls_aead_cipher_decryptv21696030
-Ref: gnutls_aead_cipher_deinit1696955
-Ref: gnutls_aead_cipher_encrypt1697283
-Ref: gnutls_aead_cipher_encryptv1698392
-Ref: gnutls_aead_cipher_encryptv21699540
-Ref: gnutls_aead_cipher_init1700468
-Ref: gnutls_cipher_add_auth1701134
-Ref: gnutls_cipher_decrypt1701714
-Ref: gnutls_cipher_decrypt21702338
-Ref: gnutls_cipher_deinit1703264
-Ref: gnutls_cipher_encrypt1703543
-Ref: gnutls_cipher_encrypt21704003
-Ref: gnutls_cipher_get_block_size1704780
-Ref: gnutls_cipher_get_iv_size1705060
-Ref: gnutls_cipher_get_tag_size1705542
-Ref: gnutls_cipher_init1705948
-Ref: gnutls_cipher_set_iv1706678
-Ref: gnutls_cipher_tag1707023
-Ref: gnutls_crypto_register_aead_cipher1707525
-Ref: gnutls_crypto_register_cipher1709129
-Ref: gnutls_crypto_register_digest1710910
-Ref: gnutls_crypto_register_mac1712134
-Ref: gnutls_decode_ber_digest_info1713562
-Ref: gnutls_decode_gost_rs_value1714361
-Ref: gnutls_decode_rs_value1715161
-Ref: gnutls_encode_ber_digest_info1715946
-Ref: gnutls_encode_gost_rs_value1716590
-Ref: gnutls_encode_rs_value1717336
-Ref: gnutls_hash1717956
-Ref: gnutls_hash_copy1718387
-Ref: gnutls_hash_deinit1718904
-Ref: gnutls_hash_fast1719232
-Ref: gnutls_hash_get_len1719749
-Ref: gnutls_hash_init1720082
-Ref: gnutls_hash_output1720618
-Ref: gnutls_hkdf_expand1720950
-Ref: gnutls_hkdf_extract1721653
-Ref: gnutls_hmac1722196
-Ref: gnutls_hmac_copy1722627
-Ref: gnutls_hmac_deinit1723108
-Ref: gnutls_hmac_fast1723435
-Ref: gnutls_hmac_get_key_size1724159
-Ref: gnutls_hmac_get_len1724620
-Ref: gnutls_hmac_init1724950
-Ref: gnutls_hmac_output1725733
-Ref: gnutls_hmac_set_nonce1726068
-Ref: gnutls_mac_get_nonce_size1726435
-Ref: gnutls_pbkdf21726751
-Ref: gnutls_rnd1727384
-Ref: gnutls_rnd_refresh1728022
-Node: Compatibility API1728308
-Ref: gnutls_compression_get1728650
-Ref: gnutls_compression_get_id1729002
-Ref: gnutls_compression_get_name1729366
-Ref: gnutls_compression_list1729748
-Ref: gnutls_global_set_mem_functions1730080
-Ref: gnutls_openpgp_privkey_sign_hash1731455
-Ref: gnutls_priority_compression_list1731884
-Ref: gnutls_x509_crt_get_preferred_hash_algorithm1732336
-Ref: gnutls_x509_privkey_sign_hash1733217
-Node: Copying Information1734087
-Node: Bibliography1759264
-Ref: CBCATT1759403
-Ref: GPGH1759581
-Ref: GUTPKI1759704
-Ref: PRNGATTACKS1759879
-Ref: KEYPIN1760079
-Ref: NISTSP800571760254
-Ref: RFC74131760502
-Ref: RFC79181760669
-Ref: RFC61251760846
-Ref: RFC76851761187
-Ref: RFC76131761362
-Ref: RFC22461761610
-Ref: RFC60831761771
-Ref: RFC44181762008
-Ref: RFC46801762175
-Ref: RFC76331762333
-Ref: RFC79191762505
-Ref: RFC45141762709
-Ref: RFC43461762913
-Ref: RFC43471763063
-Ref: RFC52461763230
-Ref: RFC24401763381
-Ref: RFC48801763563
-Ref: RFC42111763757
-Ref: RFC28171763951
-Ref: RFC28181764104
-Ref: RFC29451764218
-Ref: RFC73011764368
-Ref: RFC29861764588
-Ref: PKIX1764777
-Ref: RFC37491765040
-Ref: RFC38201765206
-Ref: RFC65201765449
-Ref: RFC57461765688
-Ref: RFC52801765897
-Ref: TLSTKT1766164
-Ref: PKCS121766396
-Ref: PKCS111766537
-Ref: RESCORLA1766683
-Ref: SELKEY1766779
-Ref: SSL31766938
-Ref: STEVENS1767129
-Ref: TLSEXT1767237
-Ref: TLSPGP1767454
-Ref: TLSSRP1767619
-Ref: TLSPSK1767816
-Ref: TOMSRP1767985
-Ref: WEGER1768098
-Ref: ECRYPT1768290
-Ref: RFC50561768495
-Ref: RFC57641768648
-Ref: RFC59291768936
-Ref: PKCS11URI1769079
-Ref: TPMURI1769215
-Ref: ANDERSON1769409
-Ref: RFC48211769555
-Ref: RFC25601769708
-Ref: RIVESTCRL1769902
-Node: Function and Data Index1770263
-Node: Concept Index1896190
+Ref: p11tool id313760
+Ref: p11tool mark-wrap314017
+Ref: p11tool mark-trusted314264
+Ref: p11tool mark-distrusted314628
+Ref: p11tool mark-decrypt315082
+Ref: p11tool mark-sign315359
+Ref: p11tool mark-ca315636
+Ref: p11tool mark-private315909
+Ref: p11tool ca316207
+Ref: p11tool private316341
+Ref: p11tool secret-key316496
+Ref: p11tool other-options316659
+Ref: p11tool debug316761
+Ref: p11tool so-login316902
+Ref: p11tool admin-login317146
+Ref: p11tool test-sign317287
+Ref: p11tool sign-params317581
+Ref: p11tool hash317921
+Ref: p11tool generate-random318217
+Ref: p11tool inder318391
+Ref: p11tool inraw318616
+Ref: p11tool outder318742
+Ref: p11tool outraw318994
+Ref: p11tool provider319127
+Ref: p11tool provider-opts319336
+Ref: p11tool batch319609
+Ref: p11tool exit status319762
+Ref: p11tool See Also319992
+Ref: p11tool Examples320040
+Node: Trusted Platform Module322461
+Ref: Trusted Platform Module-Footnote-1324254
+Ref: Trusted Platform Module-Footnote-2324302
+Node: Keys in TPM324359
+Node: Key generation325843
+Node: Using keys328111
+Node: tpmtool Invocation331756
+Ref: tpmtool usage332182
+Ref: tpmtool debug335494
+Ref: tpmtool generate-rsa335635
+Ref: tpmtool user335906
+Ref: tpmtool system336265
+Ref: tpmtool test-sign336619
+Ref: tpmtool sec-param336902
+Ref: tpmtool inder337228
+Ref: tpmtool outder337529
+Ref: tpmtool srk-well-known337748
+Ref: tpmtool exit status337904
+Ref: tpmtool See Also338134
+Ref: tpmtool Examples338195
+Node: How to use GnuTLS in applications338812
+Node: Introduction to the library339381
+Node: General idea339980
+Ref: fig-gnutls-design340829
+Ref: General idea-Footnote-1342134
+Node: Error handling342179
+Node: Common types344406
+Node: Debugging and auditing345740
+Ref: tab:environment346611
+Node: Thread safety349478
+Ref: Thread safety-Footnote-1351624
+Node: Running in a sandbox351836
+Node: Sessions and fork353230
+Node: Callback functions353782
+Node: Preparation354750
+Node: Headers355169
+Node: Initialization355458
+Ref: Initialization-Footnote-1356452
+Node: Version check356745
+Node: Building the source357620
+Node: Session initialization359731
+Ref: gnutls_init_flags_t361208
+Node: Associating the credentials368221
+Ref: tab:key-exchange-cred368997
+Node: Certificate credentials370128
+Node: Raw public-key credentials385713
+Node: SRP credentials387013
+Node: PSK credentials391911
+Node: Anonymous credentials395846
+Node: Setting up the transport layer396692
+Node: Asynchronous operation406245
+Node: Reducing round-trips410546
+Node: Zero-roundtrip mode413986
+Node: Anti-replay protection416191
+Node: DTLS sessions419836
+Ref: DTLS sessions-Footnote-1422140
+Node: DTLS and SCTP422217
+Node: TLS handshake423237
+Node: Data transfer and termination427155
+Node: Buffered data transfer436297
+Node: Handling alerts438098
+Node: Priority Strings441480
+Ref: tab:prio-keywords444080
+Ref: tab:prio-algorithms451158
+Ref: tab:prio-special1456588
+Ref: tab:prio-special2460435
+Ref: Priority Strings-Footnote-1467056
+Node: Selecting cryptographic key sizes467278
+Ref: tab:key-sizes467927
+Node: Advanced topics472676
+Node: Virtual hosts and credentials473174
+Node: Session resumption476499
+Node: Certificate verification484406
+Ref: dane_verify_status_t494127
+Node: TLS 1.2 re-authentication494532
+Node: TLS 1.3 re-authentication and re-key499389
+Node: Parameter generation501048
+Node: Deriving keys for other applications/protocols503695
+Node: Channel Bindings506925
+Node: Interoperability508464
+Node: Compatibility with the OpenSSL library509782
+Node: GnuTLS application examples510509
+Ref: examples510728
+Node: Client examples511021
+Node: Client example with X.509 certificate support511548
+Ref: ex-verify511786
+Node: Datagram TLS client example516830
+Node: Client using a smart card with TLS521235
+Ref: ex-pkcs11-client521472
+Node: Client with Resume capability example526767
+Ref: ex-resume-client527051
+Node: Client example with SSH-style certificate verification532238
+Node: Server examples536445
+Node: Echo server with X.509 authentication536799
+Node: DTLS echo server with X.509 authentication544523
+Node: More advanced client and servers558934
+Node: Client example with anonymous authentication559791
+Node: Using a callback to select the certificate to use563715
+Node: Obtaining session information570098
+Node: Advanced certificate verification example574311
+Ref: ex-verify2574587
+Node: Client example with PSK authentication580017
+Node: Client example with SRP authentication584383
+Node: Legacy client example with X.509 certificate support588667
+Ref: ex-verify-legacy588984
+Node: Client example in C++594937
+Node: Echo server with PSK authentication597509
+Node: Echo server with SRP authentication606240
+Node: Echo server with anonymous authentication613158
+Node: Helper functions for TCP connections618486
+Node: Helper functions for UDP connections620078
+Node: OCSP example621983
+Ref: Generate OCSP request622166
+Node: Miscellaneous examples631773
+Node: Checking for an alert632099
+Node: X.509 certificate parsing example633548
+Ref: ex-x509-info633805
+Node: Listing the ciphersuites in a priority string637834
+Node: PKCS12 structure generation example640151
+Node: System-wide configuration of the library644356
+Node: Application-specific priority strings646183
+Node: Disabling algorithms and protocols647631
+Node: Querying for disabled algorithms and protocols653128
+Node: Overriding the parameter verification profile654250
+Node: Overriding the default priority string655252
+Node: Using GnuTLS as a cryptographic library655869
+Ref: Using GnuTLS as a cryptographic library-Footnote-1656725
+Node: Symmetric algorithms656782
+Ref: gnutls_cipher_algorithm_t657542
+Ref: Symmetric algorithms-Footnote-1665972
+Node: Public key algorithms666057
+Node: Cryptographic Message Syntax / PKCS7670779
+Ref: gnutls_pkcs7_sign_flags674218
+Node: Hash and MAC functions675686
+Ref: gnutls_mac_algorithm_t676298
+Ref: gnutls_digest_algorithm_t679670
+Node: Random number generation680721
+Ref: gnutls_rnd_level_t681083
+Node: Overriding algorithms682190
+Node: Other included programs688508
+Node: gnutls-cli Invocation689079
+Ref: gnutls-cli usage689641
+Ref: gnutls-cli debug697391
+Ref: gnutls-cli tofu697532
+Ref: gnutls-cli strict-tofu697995
+Ref: gnutls-cli dane698397
+Ref: gnutls-cli local-dns698740
+Ref: gnutls-cli ca-verification699055
+Ref: gnutls-cli ocsp699410
+Ref: gnutls-cli resume699652
+Ref: gnutls-cli rehandshake699798
+Ref: gnutls-cli sni-hostname699965
+Ref: gnutls-cli verify-hostname700491
+Ref: gnutls-cli starttls700724
+Ref: gnutls-cli app-proto700908
+Ref: gnutls-cli starttls-proto701070
+Ref: gnutls-cli save-ocsp-multi701581
+Ref: gnutls-cli dh-bits702038
+Ref: gnutls-cli priority702389
+Ref: gnutls-cli rawpkkeyfile702767
+Ref: gnutls-cli rawpkfile703224
+Ref: gnutls-cli ranges703765
+Ref: gnutls-cli benchmark-ciphers704015
+Ref: gnutls-cli benchmark-tls-ciphers704333
+Ref: gnutls-cli list704652
+Ref: gnutls-cli priority-list705019
+Ref: gnutls-cli noticket705265
+Ref: gnutls-cli alpn705426
+Ref: gnutls-cli disable-extensions705735
+Ref: gnutls-cli single-key-share705967
+Ref: gnutls-cli post-handshake-auth706183
+Ref: gnutls-cli inline-commands706380
+Ref: gnutls-cli inline-commands-prefix706700
+Ref: gnutls-cli provider707103
+Ref: gnutls-cli logfile707300
+Ref: gnutls-cli waitresumption707657
+Ref: gnutls-cli ca-auto-retrieve707914
+Ref: gnutls-cli exit status708318
+Ref: gnutls-cli See Also708554
+Ref: gnutls-cli Examples708631
+Node: gnutls-serv Invocation712838
+Ref: gnutls-serv usage713315
+Ref: gnutls-serv debug718835
+Ref: gnutls-serv sni-hostname718976
+Ref: gnutls-serv alpn719308
+Ref: gnutls-serv require-client-cert719595
+Ref: gnutls-serv verify-client-cert719839
+Ref: gnutls-serv heartbeat720068
+Ref: gnutls-serv priority720219
+Ref: gnutls-serv x509keyfile720588
+Ref: gnutls-serv x509certfile721105
+Ref: gnutls-serv x509dsakeyfile721622
+Ref: gnutls-serv x509dsacertfile721786
+Ref: gnutls-serv x509ecckeyfile721953
+Ref: gnutls-serv x509ecccertfile722115
+Ref: gnutls-serv rawpkkeyfile722282
+Ref: gnutls-serv rawpkfile723101
+Ref: gnutls-serv ocsp-response723956
+Ref: gnutls-serv ignore-ocsp-response-errors724273
+Ref: gnutls-serv list724520
+Ref: gnutls-serv provider724758
+Ref: gnutls-serv exit status724955
+Ref: gnutls-serv See Also725193
+Ref: gnutls-serv Examples725271
+Node: gnutls-cli-debug Invocation730579
+Ref: gnutls-cli-debug usage731401
+Ref: gnutls-cli-debug debug733656
+Ref: gnutls-cli-debug app-proto733797
+Ref: gnutls-cli-debug starttls-proto733965
+Ref: gnutls-cli-debug exit status734344
+Ref: gnutls-cli-debug See Also734592
+Ref: gnutls-cli-debug Examples734675
+Node: Internal architecture of GnuTLS738172
+Node: The TLS Protocol738778
+Ref: fig-client-server739254
+Node: TLS Handshake Protocol739344
+Ref: fig-gnutls-handshake739786
+Ref: fig-gnutls-handshake-sequence740295
+Node: TLS Authentication Methods740393
+Ref: TLS Authentication Methods-Footnote-1742697
+Node: TLS Hello Extension Handling742763
+Node: Cryptographic Backend755865
+Ref: fig-crypto-layers756548
+Ref: Cryptographic Backend-Footnote-1759830
+Ref: Cryptographic Backend-Footnote-2759915
+Node: Random Number Generators-internals760023
+Node: FIPS140-2 mode767387
+Ref: gnutls_fips_mode_t770023
+Node: Upgrading from previous versions772170
+Node: Support786164
+Node: Getting help786412
+Node: Commercial Support787000
+Node: Bug Reports787271
+Node: Contributing788635
+Node: Certification790661
+Node: Error codes791125
+Node: Supported ciphersuites815758
+Ref: ciphersuites815931
+Node: API reference830975
+Node: Core TLS API831385
+Ref: gnutls_alert_get831612
+Ref: gnutls_alert_get_name832231
+Ref: gnutls_alert_get_strname832616
+Ref: gnutls_alert_send832951
+Ref: gnutls_alert_send_appropriate833829
+Ref: gnutls_alert_set_read_function834796
+Ref: gnutls_alpn_get_selected_protocol835180
+Ref: gnutls_alpn_set_protocols835844
+Ref: gnutls_anon_allocate_client_credentials836681
+Ref: gnutls_anon_allocate_server_credentials837066
+Ref: gnutls_anon_free_client_credentials837443
+Ref: gnutls_anon_free_server_credentials837732
+Ref: gnutls_anon_set_params_function838013
+Ref: gnutls_anon_set_server_dh_params838689
+Ref: gnutls_anon_set_server_known_dh_params839349
+Ref: gnutls_anon_set_server_params_function840258
+Ref: gnutls_anti_replay_deinit840921
+Ref: gnutls_anti_replay_enable841235
+Ref: gnutls_anti_replay_init841583
+Ref: gnutls_anti_replay_set_add_function842111
+Ref: gnutls_anti_replay_set_ptr843129
+Ref: gnutls_anti_replay_set_window843464
+Ref: gnutls_auth_client_get_type844232
+Ref: gnutls_auth_get_type844859
+Ref: gnutls_auth_server_get_type845671
+Ref: gnutls_base64_decode2846300
+Ref: gnutls_base64_encode2846856
+Ref: gnutls_buffer_append_data847476
+Ref: gnutls_bye847874
+Ref: gnutls_certificate_activation_time_peers849475
+Ref: gnutls_certificate_allocate_credentials849893
+Ref: gnutls_certificate_client_get_request_status850290
+Ref: gnutls_certificate_expiration_time_peers850698
+Ref: gnutls_certificate_free_ca_names851102
+Ref: gnutls_certificate_free_cas851771
+Ref: gnutls_certificate_free_credentials852174
+Ref: gnutls_certificate_free_crls852608
+Ref: gnutls_certificate_free_keys852908
+Ref: gnutls_certificate_get_crt_raw853342
+Ref: gnutls_certificate_get_issuer854413
+Ref: gnutls_certificate_get_ocsp_expiration855496
+Ref: gnutls_certificate_get_ours856667
+Ref: gnutls_certificate_get_peers857497
+Ref: gnutls_certificate_get_peers_subkey_id858620
+Ref: gnutls_certificate_get_verify_flags858976
+Ref: gnutls_certificate_get_x509_crt859389
+Ref: gnutls_certificate_get_x509_key861033
+Ref: gnutls_certificate_send_x509_rdn_sequence862348
+Ref: gnutls_certificate_server_set_request863055
+Ref: gnutls_certificate_set_dh_params863845
+Ref: gnutls_certificate_set_flags864664
+Ref: gnutls_certificate_set_known_dh_params865189
+Ref: gnutls_certificate_set_ocsp_status_request_file866117
+Ref: gnutls_certificate_set_ocsp_status_request_file2868023
+Ref: gnutls_certificate_set_ocsp_status_request_function869541
+Ref: gnutls_certificate_set_ocsp_status_request_function2871029
+Ref: gnutls_certificate_set_ocsp_status_request_mem872995
+Ref: gnutls_certificate_set_params_function874770
+Ref: gnutls_certificate_set_pin_function875467
+Ref: gnutls_certificate_set_rawpk_key_file876120
+Ref: gnutls_certificate_set_rawpk_key_mem879424
+Ref: gnutls_certificate_set_retrieve_function882571
+Ref: gnutls_certificate_set_verify_flags884701
+Ref: gnutls_certificate_set_verify_function885194
+Ref: gnutls_certificate_set_verify_limits886258
+Ref: gnutls_certificate_set_x509_crl886939
+Ref: gnutls_certificate_set_x509_crl_file887767
+Ref: gnutls_certificate_set_x509_crl_mem888548
+Ref: gnutls_certificate_set_x509_key889325
+Ref: gnutls_certificate_set_x509_key_file890993
+Ref: gnutls_certificate_set_x509_key_file2893229
+Ref: gnutls_certificate_set_x509_key_mem895763
+Ref: gnutls_certificate_set_x509_key_mem2897411
+Ref: gnutls_certificate_set_x509_simple_pkcs12_file899224
+Ref: gnutls_certificate_set_x509_simple_pkcs12_mem901354
+Ref: gnutls_certificate_set_x509_system_trust903454
+Ref: gnutls_certificate_set_x509_trust904024
+Ref: gnutls_certificate_set_x509_trust_dir905004
+Ref: gnutls_certificate_set_x509_trust_file905742
+Ref: gnutls_certificate_set_x509_trust_mem906918
+Ref: gnutls_certificate_type_get907861
+Ref: gnutls_certificate_type_get2908708
+Ref: gnutls_certificate_type_get_id910093
+Ref: gnutls_certificate_type_get_name910490
+Ref: gnutls_certificate_type_list910873
+Ref: gnutls_certificate_verification_status_print911227
+Ref: gnutls_certificate_verify_peers911985
+Ref: gnutls_certificate_verify_peers2914781
+Ref: gnutls_certificate_verify_peers3916696
+Ref: gnutls_check_version919006
+Ref: gnutls_cipher_get919748
+Ref: gnutls_cipher_get_id920053
+Ref: gnutls_cipher_get_key_size920435
+Ref: gnutls_cipher_get_name920799
+Ref: gnutls_cipher_list921146
+Ref: gnutls_cipher_suite_get_name921706
+Ref: gnutls_cipher_suite_info922574
+Ref: gnutls_credentials_clear923757
+Ref: gnutls_credentials_get923985
+Ref: gnutls_credentials_set924940
+Ref: gnutls_db_check_entry926304
+Ref: gnutls_db_check_entry_expire_time926761
+Ref: gnutls_db_check_entry_time927167
+Ref: gnutls_db_get_default_cache_expiration927558
+Ref: gnutls_db_get_ptr927753
+Ref: gnutls_db_remove_session928065
+Ref: gnutls_db_set_cache_expiration928602
+Ref: gnutls_db_set_ptr929023
+Ref: gnutls_db_set_remove_function929358
+Ref: gnutls_db_set_retrieve_function929861
+Ref: gnutls_db_set_store_function930547
+Ref: gnutls_deinit931014
+Ref: gnutls_dh_get_group931353
+Ref: gnutls_dh_get_peers_public_bits932205
+Ref: gnutls_dh_get_prime_bits932649
+Ref: gnutls_dh_get_pubkey933289
+Ref: gnutls_dh_get_secret_bits933987
+Ref: gnutls_dh_params_cpy934419
+Ref: gnutls_dh_params_deinit934927
+Ref: gnutls_dh_params_export2_pkcs3935168
+Ref: gnutls_dh_params_export_pkcs3935989
+Ref: gnutls_dh_params_export_raw937008
+Ref: gnutls_dh_params_generate2937761
+Ref: gnutls_dh_params_import_dsa939015
+Ref: gnutls_dh_params_import_pkcs3939492
+Ref: gnutls_dh_params_import_raw940231
+Ref: gnutls_dh_params_import_raw2940861
+Ref: gnutls_dh_params_import_raw3941575
+Ref: gnutls_dh_params_init942275
+Ref: gnutls_dh_set_prime_bits942606
+Ref: gnutls_digest_get_id943709
+Ref: gnutls_digest_get_name944135
+Ref: gnutls_digest_get_oid944481
+Ref: gnutls_digest_list944872
+Ref: gnutls_digest_mark_insecure945251
+Ref: gnutls_digest_mark_secure945570
+Ref: gnutls_early_cipher_get945923
+Ref: gnutls_early_prf_hash_get946296
+Ref: gnutls_ecc_curve_get946714
+Ref: gnutls_ecc_curve_get_id947115
+Ref: gnutls_ecc_curve_get_name947496
+Ref: gnutls_ecc_curve_get_oid947830
+Ref: gnutls_ecc_curve_get_pk948175
+Ref: gnutls_ecc_curve_get_size948479
+Ref: gnutls_ecc_curve_list948708
+Ref: gnutls_ecc_curve_mark_disabled949049
+Ref: gnutls_ecc_curve_mark_enabled949506
+Ref: gnutls_error_is_fatal949986
+Ref: gnutls_error_to_alert950788
+Ref: gnutls_est_record_overhead_size951520
+Ref: gnutls_ext_get_current_msg952428
+Ref: gnutls_ext_get_data953119
+Ref: gnutls_ext_get_name953634
+Ref: gnutls_ext_get_name2953952
+Ref: gnutls_ext_raw_parse954462
+Ref: gnutls_ext_register955612
+Ref: gnutls_ext_set_data957247
+Ref: gnutls_fingerprint957758
+Ref: gnutls_fips140_mode_enabled958764
+Ref: gnutls_fips140_set_mode959318
+Ref: gnutls_get_system_config_file960371
+Ref: gnutls_global_deinit960747
+Ref: gnutls_global_init961197
+Ref: gnutls_global_set_audit_log_function962472
+Ref: gnutls_global_set_log_function963179
+Ref: gnutls_global_set_log_level963687
+Ref: gnutls_global_set_mutex964175
+Ref: gnutls_global_set_time_function965277
+Ref: gnutls_gost_paramset_get_name965714
+Ref: gnutls_gost_paramset_get_oid966090
+Ref: gnutls_group_get966467
+Ref: gnutls_group_get_id966837
+Ref: gnutls_group_get_name967184
+Ref: gnutls_group_list967504
+Ref: gnutls_handshake967826
+Ref: gnutls_handshake_description_get_name969931
+Ref: gnutls_handshake_get_last_in970319
+Ref: gnutls_handshake_get_last_out970944
+Ref: gnutls_handshake_set_hook_function971576
+Ref: gnutls_handshake_set_max_packet_length972968
+Ref: gnutls_handshake_set_post_client_hello_function973753
+Ref: gnutls_handshake_set_private_extensions975079
+Ref: gnutls_handshake_set_random975758
+Ref: gnutls_handshake_set_read_function976478
+Ref: gnutls_handshake_set_secret_function976879
+Ref: gnutls_handshake_set_timeout977258
+Ref: gnutls_handshake_write977948
+Ref: gnutls_heartbeat_allowed978649
+Ref: gnutls_heartbeat_enable979123
+Ref: gnutls_heartbeat_get_timeout979961
+Ref: gnutls_heartbeat_ping980500
+Ref: gnutls_heartbeat_pong981632
+Ref: gnutls_heartbeat_set_timeouts982039
+Ref: gnutls_hex2bin982810
+Ref: gnutls_hex_decode983529
+Ref: gnutls_hex_decode2984255
+Ref: gnutls_hex_encode984684
+Ref: gnutls_hex_encode2985281
+Ref: gnutls_idna_map985796
+Ref: gnutls_idna_reverse_map986926
+Ref: gnutls_init987691
+Ref: gnutls_key_generate988519
+Ref: gnutls_kx_get988936
+Ref: gnutls_kx_get_id989522
+Ref: gnutls_kx_get_name989866
+Ref: gnutls_kx_list990211
+Ref: gnutls_load_file990539
+Ref: gnutls_mac_get991311
+Ref: gnutls_mac_get_id991616
+Ref: gnutls_mac_get_key_size992029
+Ref: gnutls_mac_get_name992366
+Ref: gnutls_mac_list992685
+Ref: gnutls_memcmp993073
+Ref: gnutls_memset993633
+Ref: gnutls_ocsp_status_request_enable_client994027
+Ref: gnutls_ocsp_status_request_get995038
+Ref: gnutls_ocsp_status_request_get2995700
+Ref: gnutls_ocsp_status_request_is_checked996695
+Ref: gnutls_oid_to_digest998083
+Ref: gnutls_oid_to_ecc_curve998492
+Ref: gnutls_oid_to_gost_paramset998818
+Ref: gnutls_oid_to_mac999229
+Ref: gnutls_oid_to_pk999642
+Ref: gnutls_oid_to_sign1000014
+Ref: gnutls_openpgp_send_cert1000418
+Ref: gnutls_packet_deinit1000720
+Ref: gnutls_packet_get1000994
+Ref: gnutls_pem_base64_decode1001499
+Ref: gnutls_pem_base64_decode21002354
+Ref: gnutls_pem_base64_encode1003349
+Ref: gnutls_pem_base64_encode21004178
+Ref: gnutls_perror1005114
+Ref: gnutls_pk_algorithm_get_name1005410
+Ref: gnutls_pk_bits_to_sec_param1005766
+Ref: gnutls_pk_get_id1006240
+Ref: gnutls_pk_get_name1006758
+Ref: gnutls_pk_get_oid1007126
+Ref: gnutls_pk_list1007525
+Ref: gnutls_pk_to_sign1007858
+Ref: gnutls_prf1008269
+Ref: gnutls_prf_early1010264
+Ref: gnutls_prf_hash_get1011919
+Ref: gnutls_prf_raw1012451
+Ref: gnutls_prf_rfc57051014335
+Ref: gnutls_priority_certificate_type_list1016012
+Ref: gnutls_priority_certificate_type_list21016708
+Ref: gnutls_priority_cipher_list1017324
+Ref: gnutls_priority_deinit1017711
+Ref: gnutls_priority_ecc_curve_list1017954
+Ref: gnutls_priority_get_cipher_suite_index1018486
+Ref: gnutls_priority_group_list1019402
+Ref: gnutls_priority_init1019783
+Ref: gnutls_priority_init21020863
+Ref: gnutls_priority_kx_list1025237
+Ref: gnutls_priority_mac_list1025642
+Ref: gnutls_priority_protocol_list1026047
+Ref: gnutls_priority_set1026449
+Ref: gnutls_priority_set_direct1027104
+Ref: gnutls_priority_sign_list1028037
+Ref: gnutls_priority_string_list1028453
+Ref: gnutls_protocol_get_id1029085
+Ref: gnutls_protocol_get_name1029401
+Ref: gnutls_protocol_get_version1029760
+Ref: gnutls_protocol_list1030058
+Ref: gnutls_protocol_mark_disabled1030410
+Ref: gnutls_protocol_mark_enabled1030727
+Ref: gnutls_psk_allocate_client_credentials1031103
+Ref: gnutls_psk_allocate_server_credentials1031523
+Ref: gnutls_psk_client_get_hint1031919
+Ref: gnutls_psk_free_client_credentials1032546
+Ref: gnutls_psk_free_server_credentials1032829
+Ref: gnutls_psk_server_get_username1033104
+Ref: gnutls_psk_server_get_username21033811
+Ref: gnutls_psk_set_client_credentials1034505
+Ref: gnutls_psk_set_client_credentials21035528
+Ref: gnutls_psk_set_client_credentials_function1036308
+Ref: gnutls_psk_set_client_credentials_function21037311
+Ref: gnutls_psk_set_params_function1038468
+Ref: gnutls_psk_set_server_credentials_file1039148
+Ref: gnutls_psk_set_server_credentials_function1040009
+Ref: gnutls_psk_set_server_credentials_function21040963
+Ref: gnutls_psk_set_server_credentials_hint1042086
+Ref: gnutls_psk_set_server_dh_params1042710
+Ref: gnutls_psk_set_server_known_dh_params1043395
+Ref: gnutls_psk_set_server_params_function1044292
+Ref: gnutls_random_art1044933
+Ref: gnutls_range_split1045795
+Ref: gnutls_reauth1046877
+Ref: gnutls_record_can_use_length_hiding1048979
+Ref: gnutls_record_check_corked1049730
+Ref: gnutls_record_check_pending1050113
+Ref: gnutls_record_cork1050524
+Ref: gnutls_record_disable_padding1050938
+Ref: gnutls_record_discard_queued1051546
+Ref: gnutls_record_get_direction1052163
+Ref: gnutls_record_get_max_early_data_size1053144
+Ref: gnutls_record_get_max_size1053696
+Ref: gnutls_record_get_state1054063
+Ref: gnutls_record_overhead_size1055085
+Ref: gnutls_record_recv1055472
+Ref: gnutls_record_recv_early_data1056922
+Ref: gnutls_record_recv_packet1057984
+Ref: gnutls_record_recv_seq1058863
+Ref: gnutls_record_send1059849
+Ref: gnutls_record_send21061907
+Ref: gnutls_record_send_early_data1063059
+Ref: gnutls_record_send_range1064115
+Ref: gnutls_record_set_max_early_data_size1065294
+Ref: gnutls_record_set_max_recv_size1065940
+Ref: gnutls_record_set_max_size1066644
+Ref: gnutls_record_set_state1067823
+Ref: gnutls_record_set_timeout1068481
+Ref: gnutls_record_uncork1069082
+Ref: gnutls_rehandshake1070022
+Ref: gnutls_safe_renegotiation_status1071804
+Ref: gnutls_sec_param_get_name1072219
+Ref: gnutls_sec_param_to_pk_bits1072593
+Ref: gnutls_sec_param_to_symmetric_bits1073263
+Ref: gnutls_server_name_get1073647
+Ref: gnutls_server_name_set1075119
+Ref: gnutls_session_channel_binding1076277
+Ref: gnutls_session_enable_compatibility_mode1076995
+Ref: gnutls_session_etm_status1077702
+Ref: gnutls_session_ext_master_secret_status1078105
+Ref: gnutls_session_ext_register1078596
+Ref: gnutls_session_force_valid1080858
+Ref: gnutls_session_get_data1081279
+Ref: gnutls_session_get_data21081939
+Ref: gnutls_session_get_desc1084212
+Ref: gnutls_session_get_flags1084734
+Ref: gnutls_session_get_id1085272
+Ref: gnutls_session_get_id21086795
+Ref: gnutls_session_get_keylog_function1088265
+Ref: gnutls_session_get_master_secret1088672
+Ref: gnutls_session_get_ptr1089156
+Ref: gnutls_session_get_random1089551
+Ref: gnutls_session_get_verify_cert_status1090172
+Ref: gnutls_session_is_resumed1090845
+Ref: gnutls_session_key_update1091215
+Ref: gnutls_session_resumption_requested1092163
+Ref: gnutls_session_set_data1092545
+Ref: gnutls_session_set_id1093386
+Ref: gnutls_session_set_keylog_function1094061
+Ref: gnutls_session_set_premaster1094460
+Ref: gnutls_session_set_ptr1095555
+Ref: gnutls_session_set_verify_cert1095955
+Ref: gnutls_session_set_verify_cert21097299
+Ref: gnutls_session_set_verify_function1098483
+Ref: gnutls_session_supplemental_register1099595
+Ref: gnutls_session_ticket_enable_client1100853
+Ref: gnutls_session_ticket_enable_server1101346
+Ref: gnutls_session_ticket_key_generate1102140
+Ref: gnutls_session_ticket_send1102568
+Ref: gnutls_set_default_priority1103152
+Ref: gnutls_set_default_priority_append1104237
+Ref: gnutls_sign_algorithm_get1105579
+Ref: gnutls_sign_algorithm_get_client1106022
+Ref: gnutls_sign_algorithm_get_requested1106489
+Ref: gnutls_sign_get_hash_algorithm1107516
+Ref: gnutls_sign_get_id1107928
+Ref: gnutls_sign_get_name1108291
+Ref: gnutls_sign_get_oid1108623
+Ref: gnutls_sign_get_pk_algorithm1109009
+Ref: gnutls_sign_is_secure1109616
+Ref: gnutls_sign_is_secure21109886
+Ref: gnutls_sign_list1110222
+Ref: gnutls_sign_mark_insecure1110566
+Ref: gnutls_sign_mark_secure1111163
+Ref: gnutls_sign_supports_pk_algorithm1111948
+Ref: gnutls_srp_allocate_client_credentials1112532
+Ref: gnutls_srp_allocate_server_credentials1112933
+Ref: gnutls_srp_base64_decode1113306
+Ref: gnutls_srp_base64_decode21114011
+Ref: gnutls_srp_base64_encode1114679
+Ref: gnutls_srp_base64_encode21115480
+Ref: gnutls_srp_free_client_credentials1116211
+Ref: gnutls_srp_free_server_credentials1116494
+Ref: gnutls_srp_server_get_username1116769
+Ref: gnutls_srp_set_client_credentials1117223
+Ref: gnutls_srp_set_client_credentials_function1118113
+Ref: gnutls_srp_set_prime_bits1119360
+Ref: gnutls_srp_set_server_credentials_file1120045
+Ref: gnutls_srp_set_server_credentials_function1120771
+Ref: gnutls_srp_set_server_fake_salt_seed1122486
+Ref: gnutls_srp_verifier1123989
+Ref: gnutls_srtp_get_keys1124917
+Ref: gnutls_srtp_get_mki1126311
+Ref: gnutls_srtp_get_profile_id1126880
+Ref: gnutls_srtp_get_profile_name1127338
+Ref: gnutls_srtp_get_selected_profile1127759
+Ref: gnutls_srtp_set_mki1128203
+Ref: gnutls_srtp_set_profile1128652
+Ref: gnutls_srtp_set_profile_direct1129184
+Ref: gnutls_store_commitment1129907
+Ref: gnutls_store_pubkey1131206
+Ref: gnutls_strerror1132993
+Ref: gnutls_strerror_name1133478
+Ref: gnutls_supplemental_get_name1133947
+Ref: gnutls_supplemental_recv1134369
+Ref: gnutls_supplemental_register1134839
+Ref: gnutls_supplemental_send1135951
+Ref: gnutls_system_recv_timeout1136396
+Ref: gnutls_tdb_deinit1137138
+Ref: gnutls_tdb_init1137353
+Ref: gnutls_tdb_set_store_commitment_func1137712
+Ref: gnutls_tdb_set_store_func1138393
+Ref: gnutls_tdb_set_verify_func1138982
+Ref: gnutls_transport_get_int1139726
+Ref: gnutls_transport_get_int21140134
+Ref: gnutls_transport_get_ptr1140637
+Ref: gnutls_transport_get_ptr21141053
+Ref: gnutls_transport_set_errno1141587
+Ref: gnutls_transport_set_errno_function1142574
+Ref: gnutls_transport_set_int1143111
+Ref: gnutls_transport_set_int21143665
+Ref: gnutls_transport_set_ptr1144394
+Ref: gnutls_transport_set_ptr21144807
+Ref: gnutls_transport_set_pull_function1145451
+Ref: gnutls_transport_set_pull_timeout_function1146231
+Ref: gnutls_transport_set_push_function1147934
+Ref: gnutls_transport_set_vec_push_function1148779
+Ref: gnutls_url_is_supported1149475
+Ref: gnutls_utf8_password_normalize1149895
+Ref: gnutls_verify_stored_pubkey1150684
+Node: Datagram TLS API1153831
+Ref: gnutls_dtls_cookie_send1154107
+Ref: gnutls_dtls_cookie_verify1155362
+Ref: gnutls_dtls_get_data_mtu1156306
+Ref: gnutls_dtls_get_mtu1156749
+Ref: gnutls_dtls_get_timeout1157192
+Ref: gnutls_dtls_prestate_set1157735
+Ref: gnutls_dtls_set_data_mtu1158319
+Ref: gnutls_dtls_set_mtu1159293
+Ref: gnutls_dtls_set_timeouts1159900
+Ref: gnutls_record_get_discarded1160904
+Node: X509 certificate API1161178
+Ref: gnutls_certificate_get_trust_list1161527
+Ref: gnutls_certificate_set_trust_list1162175
+Ref: gnutls_certificate_verification_profile_get_id1162950
+Ref: gnutls_certificate_verification_profile_get_name1163497
+Ref: gnutls_pkcs8_info1163880
+Ref: gnutls_pkcs_schema_get_name1165398
+Ref: gnutls_pkcs_schema_get_oid1165803
+Ref: gnutls_session_set_verify_output_function1166230
+Ref: gnutls_subject_alt_names_deinit1167387
+Ref: gnutls_subject_alt_names_get1167666
+Ref: gnutls_subject_alt_names_init1168676
+Ref: gnutls_subject_alt_names_set1169056
+Ref: gnutls_x509_aia_deinit1169875
+Ref: gnutls_x509_aia_get1170109
+Ref: gnutls_x509_aia_init1171268
+Ref: gnutls_x509_aia_set1171603
+Ref: gnutls_x509_aki_deinit1172398
+Ref: gnutls_x509_aki_get_cert_issuer1172662
+Ref: gnutls_x509_aki_get_id1173728
+Ref: gnutls_x509_aki_init1174267
+Ref: gnutls_x509_aki_set_cert_issuer1174616
+Ref: gnutls_x509_aki_set_id1175731
+Ref: gnutls_x509_cidr_to_rfc52801176160
+Ref: gnutls_x509_crl_check_issuer1177058
+Ref: gnutls_x509_crl_deinit1177506
+Ref: gnutls_x509_crl_dist_points_deinit1177738
+Ref: gnutls_x509_crl_dist_points_get1178033
+Ref: gnutls_x509_crl_dist_points_init1179007
+Ref: gnutls_x509_crl_dist_points_set1179403
+Ref: gnutls_x509_crl_export1180106
+Ref: gnutls_x509_crl_export21180989
+Ref: gnutls_x509_crl_get_authority_key_gn_serial1181709
+Ref: gnutls_x509_crl_get_authority_key_id1183023
+Ref: gnutls_x509_crl_get_crt_count1184086
+Ref: gnutls_x509_crl_get_crt_serial1184444
+Ref: gnutls_x509_crl_get_dn_oid1185348
+Ref: gnutls_x509_crl_get_extension_data1186154
+Ref: gnutls_x509_crl_get_extension_data21187271
+Ref: gnutls_x509_crl_get_extension_info1188150
+Ref: gnutls_x509_crl_get_extension_oid1189414
+Ref: gnutls_x509_crl_get_issuer_dn1190266
+Ref: gnutls_x509_crl_get_issuer_dn21191267
+Ref: gnutls_x509_crl_get_issuer_dn31192101
+Ref: gnutls_x509_crl_get_issuer_dn_by_oid1193079
+Ref: gnutls_x509_crl_get_next_update1194590
+Ref: gnutls_x509_crl_get_number1195024
+Ref: gnutls_x509_crl_get_raw_issuer_dn1195749
+Ref: gnutls_x509_crl_get_signature1196203
+Ref: gnutls_x509_crl_get_signature_algorithm1196750
+Ref: gnutls_x509_crl_get_signature_oid1197312
+Ref: gnutls_x509_crl_get_this_update1197973
+Ref: gnutls_x509_crl_get_version1198298
+Ref: gnutls_x509_crl_import1198606
+Ref: gnutls_x509_crl_init1199230
+Ref: gnutls_x509_crl_iter_crt_serial1199819
+Ref: gnutls_x509_crl_iter_deinit1200965
+Ref: gnutls_x509_crl_list_import1201210
+Ref: gnutls_x509_crl_list_import21202212
+Ref: gnutls_x509_crl_print1203078
+Ref: gnutls_x509_crl_set_authority_key_id1203727
+Ref: gnutls_x509_crl_set_crt1204380
+Ref: gnutls_x509_crl_set_crt_serial1204953
+Ref: gnutls_x509_crl_set_next_update1205585
+Ref: gnutls_x509_crl_set_number1206202
+Ref: gnutls_x509_crl_set_this_update1206779
+Ref: gnutls_x509_crl_set_version1207183
+Ref: gnutls_x509_crl_sign1207726
+Ref: gnutls_x509_crl_sign21208419
+Ref: gnutls_x509_crl_verify1209655
+Ref: gnutls_x509_crq_deinit1210899
+Ref: gnutls_x509_crq_export1211137
+Ref: gnutls_x509_crq_export21212134
+Ref: gnutls_x509_crq_get_attribute_by_oid1212908
+Ref: gnutls_x509_crq_get_attribute_data1213933
+Ref: gnutls_x509_crq_get_attribute_info1215045
+Ref: gnutls_x509_crq_get_basic_constraints1216242
+Ref: gnutls_x509_crq_get_challenge_password1217495
+Ref: gnutls_x509_crq_get_dn1218107
+Ref: gnutls_x509_crq_get_dn21219056
+Ref: gnutls_x509_crq_get_dn31219913
+Ref: gnutls_x509_crq_get_dn_by_oid1220921
+Ref: gnutls_x509_crq_get_dn_oid1222382
+Ref: gnutls_x509_crq_get_extension_by_oid1223169
+Ref: gnutls_x509_crq_get_extension_by_oid21224326
+Ref: gnutls_x509_crq_get_extension_data1225408
+Ref: gnutls_x509_crq_get_extension_data21226538
+Ref: gnutls_x509_crq_get_extension_info1227417
+Ref: gnutls_x509_crq_get_key_id1228678
+Ref: gnutls_x509_crq_get_key_purpose_oid1229745
+Ref: gnutls_x509_crq_get_key_rsa_raw1230760
+Ref: gnutls_x509_crq_get_key_usage1231384
+Ref: gnutls_x509_crq_get_pk_algorithm1232470
+Ref: gnutls_x509_crq_get_pk_oid1233191
+Ref: gnutls_x509_crq_get_private_key_usage_period1233848
+Ref: gnutls_x509_crq_get_signature_algorithm1234563
+Ref: gnutls_x509_crq_get_signature_oid1235202
+Ref: gnutls_x509_crq_get_spki1235863
+Ref: gnutls_x509_crq_get_subject_alt_name1236423
+Ref: gnutls_x509_crq_get_subject_alt_othername_oid1237981
+Ref: gnutls_x509_crq_get_tlsfeatures1239461
+Ref: gnutls_x509_crq_get_version1240590
+Ref: gnutls_x509_crq_import1240936
+Ref: gnutls_x509_crq_init1241618
+Ref: gnutls_x509_crq_print1241966
+Ref: gnutls_x509_crq_set_attribute_by_oid1242622
+Ref: gnutls_x509_crq_set_basic_constraints1243487
+Ref: gnutls_x509_crq_set_challenge_password1244231
+Ref: gnutls_x509_crq_set_dn1244682
+Ref: gnutls_x509_crq_set_dn_by_oid1245300
+Ref: gnutls_x509_crq_set_extension_by_oid1246430
+Ref: gnutls_x509_crq_set_key1247209
+Ref: gnutls_x509_crq_set_key_purpose_oid1247672
+Ref: gnutls_x509_crq_set_key_rsa_raw1248452
+Ref: gnutls_x509_crq_set_key_usage1249028
+Ref: gnutls_x509_crq_set_private_key_usage_period1249532
+Ref: gnutls_x509_crq_set_spki1250037
+Ref: gnutls_x509_crq_set_subject_alt_name1250908
+Ref: gnutls_x509_crq_set_subject_alt_othername1251734
+Ref: gnutls_x509_crq_set_tlsfeatures1252572
+Ref: gnutls_x509_crq_set_version1253122
+Ref: gnutls_x509_crq_sign1253607
+Ref: gnutls_x509_crq_sign21254378
+Ref: gnutls_x509_crq_verify1255710
+Ref: gnutls_x509_crt_check_email1256303
+Ref: gnutls_x509_crt_check_hostname1256831
+Ref: gnutls_x509_crt_check_hostname21257543
+Ref: gnutls_x509_crt_check_ip1259294
+Ref: gnutls_x509_crt_check_issuer1259908
+Ref: gnutls_x509_crt_check_key_purpose1260646
+Ref: gnutls_x509_crt_check_revocation1261340
+Ref: gnutls_x509_crt_cpy_crl_dist_points1261989
+Ref: gnutls_x509_crt_deinit1262578
+Ref: gnutls_x509_crt_equals1262796
+Ref: gnutls_x509_crt_equals21263178
+Ref: gnutls_x509_crt_export1263602
+Ref: gnutls_x509_crt_export21264513
+Ref: gnutls_x509_crt_get_activation_time1265211
+Ref: gnutls_x509_crt_get_authority_info_access1265589
+Ref: gnutls_x509_crt_get_authority_key_gn_serial1269063
+Ref: gnutls_x509_crt_get_authority_key_id1270504
+Ref: gnutls_x509_crt_get_basic_constraints1271635
+Ref: gnutls_x509_crt_get_ca_status1272849
+Ref: gnutls_x509_crt_get_crl_dist_points1273848
+Ref: gnutls_x509_crt_get_dn1275173
+Ref: gnutls_x509_crt_get_dn21276368
+Ref: gnutls_x509_crt_get_dn31277177
+Ref: gnutls_x509_crt_get_dn_by_oid1278137
+Ref: gnutls_x509_crt_get_dn_oid1279906
+Ref: gnutls_x509_crt_get_expiration_time1280934
+Ref: gnutls_x509_crt_get_extension_by_oid1281300
+Ref: gnutls_x509_crt_get_extension_by_oid21282427
+Ref: gnutls_x509_crt_get_extension_data1283500
+Ref: gnutls_x509_crt_get_extension_data21284589
+Ref: gnutls_x509_crt_get_extension_info1285454
+Ref: gnutls_x509_crt_get_extension_oid1286866
+Ref: gnutls_x509_crt_get_fingerprint1287829
+Ref: gnutls_x509_crt_get_inhibit_anypolicy1288717
+Ref: gnutls_x509_crt_get_issuer1289686
+Ref: gnutls_x509_crt_get_issuer_alt_name1290324
+Ref: gnutls_x509_crt_get_issuer_alt_name21292124
+Ref: gnutls_x509_crt_get_issuer_alt_othername_oid1293706
+Ref: gnutls_x509_crt_get_issuer_dn1295355
+Ref: gnutls_x509_crt_get_issuer_dn21296476
+Ref: gnutls_x509_crt_get_issuer_dn31297323
+Ref: gnutls_x509_crt_get_issuer_dn_by_oid1298314
+Ref: gnutls_x509_crt_get_issuer_dn_oid1300101
+Ref: gnutls_x509_crt_get_issuer_unique_id1301137
+Ref: gnutls_x509_crt_get_key_id1302232
+Ref: gnutls_x509_crt_get_key_purpose_oid1303255
+Ref: gnutls_x509_crt_get_key_usage1304416
+Ref: gnutls_x509_crt_get_name_constraints1305476
+Ref: gnutls_x509_crt_get_pk_algorithm1306884
+Ref: gnutls_x509_crt_get_pk_dsa_raw1307673
+Ref: gnutls_x509_crt_get_pk_ecc_raw1308341
+Ref: gnutls_x509_crt_get_pk_gost_raw1309154
+Ref: gnutls_x509_crt_get_pk_oid1309998
+Ref: gnutls_x509_crt_get_pk_rsa_raw1310624
+Ref: gnutls_x509_crt_get_policy1311202
+Ref: gnutls_x509_crt_get_private_key_usage_period1312148
+Ref: gnutls_x509_crt_get_proxy1312900
+Ref: gnutls_x509_crt_get_raw_dn1313921
+Ref: gnutls_x509_crt_get_raw_issuer_dn1314514
+Ref: gnutls_x509_crt_get_serial1315093
+Ref: gnutls_x509_crt_get_signature1315833
+Ref: gnutls_x509_crt_get_signature_algorithm1316388
+Ref: gnutls_x509_crt_get_signature_oid1317001
+Ref: gnutls_x509_crt_get_spki1317659
+Ref: gnutls_x509_crt_get_subject1318145
+Ref: gnutls_x509_crt_get_subject_alt_name1318788
+Ref: gnutls_x509_crt_get_subject_alt_name21320547
+Ref: gnutls_x509_crt_get_subject_alt_othername_oid1322112
+Ref: gnutls_x509_crt_get_subject_key_id1323752
+Ref: gnutls_x509_crt_get_subject_unique_id1324584
+Ref: gnutls_x509_crt_get_tlsfeatures1325669
+Ref: gnutls_x509_crt_get_version1326781
+Ref: gnutls_x509_crt_import1327108
+Ref: gnutls_x509_crt_import_url1327809
+Ref: gnutls_x509_crt_init1328530
+Ref: gnutls_x509_crt_list_import1328877
+Ref: gnutls_x509_crt_list_import21330244
+Ref: gnutls_x509_crt_list_import_url1331316
+Ref: gnutls_x509_crt_list_verify1332540
+Ref: gnutls_x509_crt_print1334120
+Ref: gnutls_x509_crt_set_activation_time1335012
+Ref: gnutls_x509_crt_set_authority_info_access1335479
+Ref: gnutls_x509_crt_set_authority_key_id1336374
+Ref: gnutls_x509_crt_set_basic_constraints1336956
+Ref: gnutls_x509_crt_set_ca_status1337655
+Ref: gnutls_x509_crt_set_crl_dist_points1338253
+Ref: gnutls_x509_crt_set_crl_dist_points21338905
+Ref: gnutls_x509_crt_set_crq1339604
+Ref: gnutls_x509_crt_set_crq_extension_by_oid1340321
+Ref: gnutls_x509_crt_set_crq_extensions1340957
+Ref: gnutls_x509_crt_set_dn1341423
+Ref: gnutls_x509_crt_set_dn_by_oid1342306
+Ref: gnutls_x509_crt_set_expiration_time1343423
+Ref: gnutls_x509_crt_set_extension_by_oid1343968
+Ref: gnutls_x509_crt_set_flags1344743
+Ref: gnutls_x509_crt_set_inhibit_anypolicy1345251
+Ref: gnutls_x509_crt_set_issuer_alt_name1345761
+Ref: gnutls_x509_crt_set_issuer_alt_othername1346783
+Ref: gnutls_x509_crt_set_issuer_dn1347759
+Ref: gnutls_x509_crt_set_issuer_dn_by_oid1348398
+Ref: gnutls_x509_crt_set_issuer_unique_id1349677
+Ref: gnutls_x509_crt_set_key1350182
+Ref: gnutls_x509_crt_set_key_purpose_oid1350762
+Ref: gnutls_x509_crt_set_key_usage1351530
+Ref: gnutls_x509_crt_set_name_constraints1351989
+Ref: gnutls_x509_crt_set_pin_function1352611
+Ref: gnutls_x509_crt_set_policy1353279
+Ref: gnutls_x509_crt_set_private_key_usage_period1354132
+Ref: gnutls_x509_crt_set_proxy1354639
+Ref: gnutls_x509_crt_set_proxy_dn1355453
+Ref: gnutls_x509_crt_set_serial1356472
+Ref: gnutls_x509_crt_set_spki1357532
+Ref: gnutls_x509_crt_set_subject_alt_name1358387
+Ref: gnutls_x509_crt_set_subject_alt_othername1359627
+Ref: gnutls_x509_crt_set_subject_alternative_name1360635
+Ref: gnutls_x509_crt_set_subject_key_id1361533
+Ref: gnutls_x509_crt_set_subject_unique_id1362053
+Ref: gnutls_x509_crt_set_tlsfeatures1362576
+Ref: gnutls_x509_crt_set_version1363100
+Ref: gnutls_x509_crt_sign1363923
+Ref: gnutls_x509_crt_sign21364618
+Ref: gnutls_x509_crt_verify1365851
+Ref: gnutls_x509_crt_verify_data21366900
+Ref: gnutls_x509_dn_deinit1367904
+Ref: gnutls_x509_dn_export1368166
+Ref: gnutls_x509_dn_export21369060
+Ref: gnutls_x509_dn_get_rdn_ava1369721
+Ref: gnutls_x509_dn_get_str1370753
+Ref: gnutls_x509_dn_get_str21371349
+Ref: gnutls_x509_dn_import1372211
+Ref: gnutls_x509_dn_init1372827
+Ref: gnutls_x509_dn_oid_known1373248
+Ref: gnutls_x509_dn_oid_name1373917
+Ref: gnutls_x509_dn_set_str1374446
+Ref: gnutls_x509_ext_deinit1375045
+Ref: gnutls_x509_ext_export_aia1375289
+Ref: gnutls_x509_ext_export_authority_key_id1375883
+Ref: gnutls_x509_ext_export_basic_constraints1376539
+Ref: gnutls_x509_ext_export_crl_dist_points1377236
+Ref: gnutls_x509_ext_export_inhibit_anypolicy1377904
+Ref: gnutls_x509_ext_export_key_purposes1378572
+Ref: gnutls_x509_ext_export_key_usage1379191
+Ref: gnutls_x509_ext_export_name_constraints1379807
+Ref: gnutls_x509_ext_export_policies1380448
+Ref: gnutls_x509_ext_export_private_key_usage_period1381111
+Ref: gnutls_x509_ext_export_proxy1381776
+Ref: gnutls_x509_ext_export_subject_alt_names1382762
+Ref: gnutls_x509_ext_export_subject_key_id1383411
+Ref: gnutls_x509_ext_export_tlsfeatures1384033
+Ref: gnutls_x509_ext_import_aia1384651
+Ref: gnutls_x509_ext_import_authority_key_id1385356
+Ref: gnutls_x509_ext_import_basic_constraints1386024
+Ref: gnutls_x509_ext_import_crl_dist_points1386650
+Ref: gnutls_x509_ext_import_inhibit_anypolicy1387278
+Ref: gnutls_x509_ext_import_key_purposes1388193
+Ref: gnutls_x509_ext_import_key_usage1388827
+Ref: gnutls_x509_ext_import_name_constraints1389843
+Ref: gnutls_x509_ext_import_policies1391181
+Ref: gnutls_x509_ext_import_private_key_usage_period1391788
+Ref: gnutls_x509_ext_import_proxy1392403
+Ref: gnutls_x509_ext_import_subject_alt_names1393489
+Ref: gnutls_x509_ext_import_subject_key_id1394247
+Ref: gnutls_x509_ext_import_tlsfeatures1394882
+Ref: gnutls_x509_ext_print1395774
+Ref: gnutls_x509_key_purpose_deinit1396485
+Ref: gnutls_x509_key_purpose_get1396739
+Ref: gnutls_x509_key_purpose_init1397467
+Ref: gnutls_x509_key_purpose_set1397828
+Ref: gnutls_x509_name_constraints_add_excluded1398283
+Ref: gnutls_x509_name_constraints_add_permitted1399224
+Ref: gnutls_x509_name_constraints_check1400099
+Ref: gnutls_x509_name_constraints_check_crt1400936
+Ref: gnutls_x509_name_constraints_deinit1401806
+Ref: gnutls_x509_name_constraints_get_excluded1402106
+Ref: gnutls_x509_name_constraints_get_permitted1403177
+Ref: gnutls_x509_name_constraints_init1404231
+Ref: gnutls_x509_othername_to_virtual1404614
+Ref: gnutls_x509_policies_deinit1405233
+Ref: gnutls_x509_policies_get1405513
+Ref: gnutls_x509_policies_init1406299
+Ref: gnutls_x509_policies_set1406664
+Ref: gnutls_x509_policy_release1407131
+Ref: gnutls_x509_privkey_cpy1407495
+Ref: gnutls_x509_privkey_deinit1407965
+Ref: gnutls_x509_privkey_export1408206
+Ref: gnutls_x509_privkey_export21409241
+Ref: gnutls_x509_privkey_export2_pkcs81410119
+Ref: gnutls_x509_privkey_export_dsa_raw1411395
+Ref: gnutls_x509_privkey_export_ecc_raw1412135
+Ref: gnutls_x509_privkey_export_gost_raw1413018
+Ref: gnutls_x509_privkey_export_pkcs81414103
+Ref: gnutls_x509_privkey_export_rsa_raw1415608
+Ref: gnutls_x509_privkey_export_rsa_raw21416469
+Ref: gnutls_x509_privkey_fix1417455
+Ref: gnutls_x509_privkey_generate1417840
+Ref: gnutls_x509_privkey_generate21419365
+Ref: gnutls_x509_privkey_get_key_id1421524
+Ref: gnutls_x509_privkey_get_pk_algorithm1422543
+Ref: gnutls_x509_privkey_get_pk_algorithm21422971
+Ref: gnutls_x509_privkey_get_seed1423462
+Ref: gnutls_x509_privkey_get_spki1424286
+Ref: gnutls_x509_privkey_import1424821
+Ref: gnutls_x509_privkey_import21425616
+Ref: gnutls_x509_privkey_import_dsa_raw1426689
+Ref: gnutls_x509_privkey_import_ecc_raw1427421
+Ref: gnutls_x509_privkey_import_gost_raw1428237
+Ref: gnutls_x509_privkey_import_openssl1429513
+Ref: gnutls_x509_privkey_import_pkcs81430387
+Ref: gnutls_x509_privkey_import_rsa_raw1431834
+Ref: gnutls_x509_privkey_import_rsa_raw21432688
+Ref: gnutls_x509_privkey_init1433684
+Ref: gnutls_x509_privkey_sec_param1434029
+Ref: gnutls_x509_privkey_set_flags1434448
+Ref: gnutls_x509_privkey_set_pin_function1434998
+Ref: gnutls_x509_privkey_set_spki1435616
+Ref: gnutls_x509_privkey_sign_data1436163
+Ref: gnutls_x509_privkey_verify_params1437384
+Ref: gnutls_x509_privkey_verify_seed1437720
+Ref: gnutls_x509_rdn_get1438549
+Ref: gnutls_x509_rdn_get21439367
+Ref: gnutls_x509_rdn_get_by_oid1440275
+Ref: gnutls_x509_rdn_get_oid1441257
+Ref: gnutls_x509_spki_deinit1442002
+Ref: gnutls_x509_spki_get_rsa_pss_params1442284
+Ref: gnutls_x509_spki_init1442845
+Ref: gnutls_x509_spki_set_rsa_pss_params1443361
+Ref: gnutls_x509_tlsfeatures_add1443874
+Ref: gnutls_x509_tlsfeatures_check_crt1444330
+Ref: gnutls_x509_tlsfeatures_deinit1444930
+Ref: gnutls_x509_tlsfeatures_get1445208
+Ref: gnutls_x509_tlsfeatures_init1445768
+Ref: gnutls_x509_trust_list_add_cas1446153
+Ref: gnutls_x509_trust_list_add_crls1447338
+Ref: gnutls_x509_trust_list_add_named_crt1448716
+Ref: gnutls_x509_trust_list_add_system_trust1449931
+Ref: gnutls_x509_trust_list_add_trust_dir1450693
+Ref: gnutls_x509_trust_list_add_trust_file1451556
+Ref: gnutls_x509_trust_list_add_trust_mem1452703
+Ref: gnutls_x509_trust_list_deinit1453622
+Ref: gnutls_x509_trust_list_get_issuer1454248
+Ref: gnutls_x509_trust_list_get_issuer_by_dn1455298
+Ref: gnutls_x509_trust_list_get_issuer_by_subject_key_id1456027
+Ref: gnutls_x509_trust_list_get_ptr1456835
+Ref: gnutls_x509_trust_list_init1457348
+Ref: gnutls_x509_trust_list_iter_deinit1457853
+Ref: gnutls_x509_trust_list_iter_get_ca1458162
+Ref: gnutls_x509_trust_list_remove_cas1459342
+Ref: gnutls_x509_trust_list_remove_trust_file1460197
+Ref: gnutls_x509_trust_list_remove_trust_mem1460898
+Ref: gnutls_x509_trust_list_set_getissuer_function1461556
+Ref: gnutls_x509_trust_list_set_ptr1463189
+Ref: gnutls_x509_trust_list_verify_crt1463727
+Ref: gnutls_x509_trust_list_verify_crt21464890
+Ref: gnutls_x509_trust_list_verify_named_crt1467824
+Node: PKCS 7 API1470552
+Ref: gnutls_pkcs7_add_attr1470848
+Ref: gnutls_pkcs7_attrs_deinit1471654
+Ref: gnutls_pkcs7_deinit1471889
+Ref: gnutls_pkcs7_delete_crl1472094
+Ref: gnutls_pkcs7_delete_crt1472523
+Ref: gnutls_pkcs7_export1472969
+Ref: gnutls_pkcs7_export21473869
+Ref: gnutls_pkcs7_get_attr1474530
+Ref: gnutls_pkcs7_get_crl_count1475417
+Ref: gnutls_pkcs7_get_crl_raw1475765
+Ref: gnutls_pkcs7_get_crl_raw21476540
+Ref: gnutls_pkcs7_get_crt_count1477171
+Ref: gnutls_pkcs7_get_crt_raw1477546
+Ref: gnutls_pkcs7_get_crt_raw21478446
+Ref: gnutls_pkcs7_get_embedded_data1479300
+Ref: gnutls_pkcs7_get_embedded_data_oid1480300
+Ref: gnutls_pkcs7_get_signature_count1480860
+Ref: gnutls_pkcs7_get_signature_info1481267
+Ref: gnutls_pkcs7_import1481940
+Ref: gnutls_pkcs7_init1482561
+Ref: gnutls_pkcs7_print1482985
+Ref: gnutls_pkcs7_print_signature_info1483730
+Ref: gnutls_pkcs7_set_crl1484535
+Ref: gnutls_pkcs7_set_crl_raw1484936
+Ref: gnutls_pkcs7_set_crt1485326
+Ref: gnutls_pkcs7_set_crt_raw1485810
+Ref: gnutls_pkcs7_sign1486223
+Ref: gnutls_pkcs7_signature_info_deinit1487662
+Ref: gnutls_pkcs7_verify1488015
+Ref: gnutls_pkcs7_verify_direct1489180
+Node: OCSP API1490640
+Ref: gnutls_ocsp_req_add_cert1490924
+Ref: gnutls_ocsp_req_add_cert_id1491884
+Ref: gnutls_ocsp_req_deinit1493204
+Ref: gnutls_ocsp_req_export1493421
+Ref: gnutls_ocsp_req_get_cert_id1493846
+Ref: gnutls_ocsp_req_get_extension1495438
+Ref: gnutls_ocsp_req_get_nonce1496854
+Ref: gnutls_ocsp_req_get_version1497508
+Ref: gnutls_ocsp_req_import1497895
+Ref: gnutls_ocsp_req_init1498391
+Ref: gnutls_ocsp_req_print1498719
+Ref: gnutls_ocsp_req_randomize_nonce1499455
+Ref: gnutls_ocsp_req_set_extension1499888
+Ref: gnutls_ocsp_req_set_nonce1500572
+Ref: gnutls_ocsp_resp_check_crt1501159
+Ref: gnutls_ocsp_resp_deinit1501743
+Ref: gnutls_ocsp_resp_export1501967
+Ref: gnutls_ocsp_resp_export21502393
+Ref: gnutls_ocsp_resp_get_certs1502913
+Ref: gnutls_ocsp_resp_get_extension1504038
+Ref: gnutls_ocsp_resp_get_nonce1505462
+Ref: gnutls_ocsp_resp_get_produced1506128
+Ref: gnutls_ocsp_resp_get_responder1506475
+Ref: gnutls_ocsp_resp_get_responder21507580
+Ref: gnutls_ocsp_resp_get_responder_raw_id1508843
+Ref: gnutls_ocsp_resp_get_response1509674
+Ref: gnutls_ocsp_resp_get_signature1510900
+Ref: gnutls_ocsp_resp_get_signature_algorithm1511389
+Ref: gnutls_ocsp_resp_get_single1511867
+Ref: gnutls_ocsp_resp_get_status1513809
+Ref: gnutls_ocsp_resp_get_version1514238
+Ref: gnutls_ocsp_resp_import1514646
+Ref: gnutls_ocsp_resp_import21515214
+Ref: gnutls_ocsp_resp_init1515842
+Ref: gnutls_ocsp_resp_list_import21516191
+Ref: gnutls_ocsp_resp_print1517382
+Ref: gnutls_ocsp_resp_verify1518108
+Ref: gnutls_ocsp_resp_verify_direct1519725
+Node: PKCS 12 API1522158
+Ref: gnutls_pkcs12_bag_decrypt1522448
+Ref: gnutls_pkcs12_bag_deinit1522880
+Ref: gnutls_pkcs12_bag_enc_info1523118
+Ref: gnutls_pkcs12_bag_encrypt1524491
+Ref: gnutls_pkcs12_bag_get_count1524996
+Ref: gnutls_pkcs12_bag_get_data1525307
+Ref: gnutls_pkcs12_bag_get_friendly_name1525913
+Ref: gnutls_pkcs12_bag_get_key_id1526550
+Ref: gnutls_pkcs12_bag_get_type1527169
+Ref: gnutls_pkcs12_bag_init1527539
+Ref: gnutls_pkcs12_bag_set_crl1527997
+Ref: gnutls_pkcs12_bag_set_crt1528430
+Ref: gnutls_pkcs12_bag_set_data1528876
+Ref: gnutls_pkcs12_bag_set_friendly_name1529347
+Ref: gnutls_pkcs12_bag_set_key_id1530031
+Ref: gnutls_pkcs12_bag_set_privkey1530705
+Ref: gnutls_pkcs12_deinit1531361
+Ref: gnutls_pkcs12_export1531563
+Ref: gnutls_pkcs12_export21532470
+Ref: gnutls_pkcs12_generate_mac1533146
+Ref: gnutls_pkcs12_generate_mac21533537
+Ref: gnutls_pkcs12_get_bag1533981
+Ref: gnutls_pkcs12_import1534567
+Ref: gnutls_pkcs12_init1535288
+Ref: gnutls_pkcs12_mac_info1535721
+Ref: gnutls_pkcs12_set_bag1537030
+Ref: gnutls_pkcs12_simple_parse1537436
+Ref: gnutls_pkcs12_verify_mac1540117
+Node: PKCS 11 API1540473
+Ref: gnutls_pkcs11_add_provider1540802
+Ref: gnutls_pkcs11_copy_attached_extension1541547
+Ref: gnutls_pkcs11_copy_pubkey1542406
+Ref: gnutls_pkcs11_copy_secret_key1543439
+Ref: gnutls_pkcs11_copy_x509_crt1544164
+Ref: gnutls_pkcs11_copy_x509_crt21544812
+Ref: gnutls_pkcs11_copy_x509_privkey1545780
+Ref: gnutls_pkcs11_copy_x509_privkey21546597
+Ref: gnutls_pkcs11_crt_is_known1547542
+Ref: gnutls_pkcs11_deinit1548678
+Ref: gnutls_pkcs11_delete_url1548995
+Ref: gnutls_pkcs11_get_pin_function1549511
+Ref: gnutls_pkcs11_get_raw_issuer1549894
+Ref: gnutls_pkcs11_get_raw_issuer_by_dn1550804
+Ref: gnutls_pkcs11_get_raw_issuer_by_subject_key_id1551843
+Ref: gnutls_pkcs11_init1552954
+Ref: gnutls_pkcs11_obj_deinit1553996
+Ref: gnutls_pkcs11_obj_export1554242
+Ref: gnutls_pkcs11_obj_export21555087
+Ref: gnutls_pkcs11_obj_export31555684
+Ref: gnutls_pkcs11_obj_export_url1556357
+Ref: gnutls_pkcs11_obj_flags_get_str1556884
+Ref: gnutls_pkcs11_obj_get_exts1557363
+Ref: gnutls_pkcs11_obj_get_flags1558299
+Ref: gnutls_pkcs11_obj_get_info1558836
+Ref: gnutls_pkcs11_obj_get_ptr1560100
+Ref: gnutls_pkcs11_obj_get_type1561009
+Ref: gnutls_pkcs11_obj_import_url1561359
+Ref: gnutls_pkcs11_obj_init1562279
+Ref: gnutls_pkcs11_obj_list_import_url31562664
+Ref: gnutls_pkcs11_obj_list_import_url41564605
+Ref: gnutls_pkcs11_obj_set_info1566281
+Ref: gnutls_pkcs11_obj_set_pin_function1567060
+Ref: gnutls_pkcs11_privkey_cpy1567571
+Ref: gnutls_pkcs11_privkey_deinit1568072
+Ref: gnutls_pkcs11_privkey_export_pubkey1568335
+Ref: gnutls_pkcs11_privkey_export_url1569139
+Ref: gnutls_pkcs11_privkey_generate1569649
+Ref: gnutls_pkcs11_privkey_generate21570321
+Ref: gnutls_pkcs11_privkey_generate31571551
+Ref: gnutls_pkcs11_privkey_get_info1573061
+Ref: gnutls_pkcs11_privkey_get_pk_algorithm1573943
+Ref: gnutls_pkcs11_privkey_import_url1574474
+Ref: gnutls_pkcs11_privkey_init1575175
+Ref: gnutls_pkcs11_privkey_set_pin_function1575890
+Ref: gnutls_pkcs11_privkey_status1576410
+Ref: gnutls_pkcs11_reinit1576786
+Ref: gnutls_pkcs11_set_pin_function1577346
+Ref: gnutls_pkcs11_set_token_function1577836
+Ref: gnutls_pkcs11_token_check_mechanism1578254
+Ref: gnutls_pkcs11_token_get_flags1579011
+Ref: gnutls_pkcs11_token_get_info1579553
+Ref: gnutls_pkcs11_token_get_mechanism1580576
+Ref: gnutls_pkcs11_token_get_ptr1581189
+Ref: gnutls_pkcs11_token_get_random1581888
+Ref: gnutls_pkcs11_token_get_url1582519
+Ref: gnutls_pkcs11_token_init1583187
+Ref: gnutls_pkcs11_token_set_pin1583825
+Ref: gnutls_pkcs11_type_get_name1584665
+Ref: gnutls_x509_crt_import_pkcs111585154
+Ref: gnutls_x509_crt_list_import_pkcs111585676
+Node: TPM API1586285
+Ref: gnutls_tpm_get_registered1586564
+Ref: gnutls_tpm_key_list_deinit1586957
+Ref: gnutls_tpm_key_list_get_url1587225
+Ref: gnutls_tpm_privkey_delete1587878
+Ref: gnutls_tpm_privkey_generate1588316
+Node: Abstract key API1589666
+Ref: gnutls_certificate_set_key1589987
+Ref: gnutls_certificate_set_retrieve_function21592123
+Ref: gnutls_certificate_set_retrieve_function31594373
+Ref: gnutls_pcert_deinit1597233
+Ref: gnutls_pcert_export_openpgp1597478
+Ref: gnutls_pcert_export_x5091597827
+Ref: gnutls_pcert_import_openpgp1598477
+Ref: gnutls_pcert_import_openpgp_raw1598876
+Ref: gnutls_pcert_import_rawpk1599445
+Ref: gnutls_pcert_import_rawpk_raw1600298
+Ref: gnutls_pcert_import_x5091601547
+Ref: gnutls_pcert_import_x509_list1602144
+Ref: gnutls_pcert_import_x509_raw1603334
+Ref: gnutls_pcert_list_import_x509_file1604040
+Ref: gnutls_pcert_list_import_x509_raw1605472
+Ref: gnutls_privkey_decrypt_data1606806
+Ref: gnutls_privkey_decrypt_data21607454
+Ref: gnutls_privkey_deinit1608279
+Ref: gnutls_privkey_export_dsa_raw1608528
+Ref: gnutls_privkey_export_dsa_raw21609258
+Ref: gnutls_privkey_export_ecc_raw1610064
+Ref: gnutls_privkey_export_ecc_raw21610926
+Ref: gnutls_privkey_export_gost_raw21611868
+Ref: gnutls_privkey_export_openpgp1613002
+Ref: gnutls_privkey_export_pkcs111613354
+Ref: gnutls_privkey_export_rsa_raw1613966
+Ref: gnutls_privkey_export_rsa_raw21614997
+Ref: gnutls_privkey_export_x5091616043
+Ref: gnutls_privkey_generate1616691
+Ref: gnutls_privkey_generate21618182
+Ref: gnutls_privkey_get_pk_algorithm1620310
+Ref: gnutls_privkey_get_seed1620924
+Ref: gnutls_privkey_get_spki1621723
+Ref: gnutls_privkey_get_type1622303
+Ref: gnutls_privkey_import_dsa_raw1622792
+Ref: gnutls_privkey_import_ecc_raw1623504
+Ref: gnutls_privkey_import_ext1624317
+Ref: gnutls_privkey_import_ext21625467
+Ref: gnutls_privkey_import_ext31626824
+Ref: gnutls_privkey_import_ext41628438
+Ref: gnutls_privkey_import_gost_raw1631198
+Ref: gnutls_privkey_import_openpgp1632406
+Ref: gnutls_privkey_import_openpgp_raw1632815
+Ref: gnutls_privkey_import_pkcs111633404
+Ref: gnutls_privkey_import_pkcs11_url1634162
+Ref: gnutls_privkey_import_rsa_raw1634611
+Ref: gnutls_privkey_import_tpm_raw1635607
+Ref: gnutls_privkey_import_tpm_url1636474
+Ref: gnutls_privkey_import_url1637577
+Ref: gnutls_privkey_import_x5091638124
+Ref: gnutls_privkey_import_x509_raw1638872
+Ref: gnutls_privkey_init1639651
+Ref: gnutls_privkey_set_flags1640569
+Ref: gnutls_privkey_set_pin_function1641094
+Ref: gnutls_privkey_set_spki1641664
+Ref: gnutls_privkey_sign_data1642237
+Ref: gnutls_privkey_sign_data21643257
+Ref: gnutls_privkey_sign_hash1644155
+Ref: gnutls_privkey_sign_hash21645592
+Ref: gnutls_privkey_status1646858
+Ref: gnutls_privkey_verify_params1647402
+Ref: gnutls_privkey_verify_seed1647764
+Ref: gnutls_pubkey_deinit1648476
+Ref: gnutls_pubkey_encrypt_data1648716
+Ref: gnutls_pubkey_export1649358
+Ref: gnutls_pubkey_export21650372
+Ref: gnutls_pubkey_export_dsa_raw1651145
+Ref: gnutls_pubkey_export_dsa_raw21651957
+Ref: gnutls_pubkey_export_ecc_raw1652841
+Ref: gnutls_pubkey_export_ecc_raw21653740
+Ref: gnutls_pubkey_export_ecc_x9621654719
+Ref: gnutls_pubkey_export_gost_raw21655378
+Ref: gnutls_pubkey_export_rsa_raw1656522
+Ref: gnutls_pubkey_export_rsa_raw21657219
+Ref: gnutls_pubkey_get_key_id1657980
+Ref: gnutls_pubkey_get_key_usage1659005
+Ref: gnutls_pubkey_get_openpgp_key_id1659502
+Ref: gnutls_pubkey_get_pk_algorithm1660141
+Ref: gnutls_pubkey_get_preferred_hash_algorithm1660789
+Ref: gnutls_pubkey_get_spki1661730
+Ref: gnutls_pubkey_import1662298
+Ref: gnutls_pubkey_import_dsa_raw1662982
+Ref: gnutls_pubkey_import_ecc_raw1663643
+Ref: gnutls_pubkey_import_ecc_x9621664411
+Ref: gnutls_pubkey_import_gost_raw1665047
+Ref: gnutls_pubkey_import_openpgp1666194
+Ref: gnutls_pubkey_import_openpgp_raw1666586
+Ref: gnutls_pubkey_import_pkcs111667155
+Ref: gnutls_pubkey_import_privkey1667697
+Ref: gnutls_pubkey_import_rsa_raw1668399
+Ref: gnutls_pubkey_import_tpm_raw1668923
+Ref: gnutls_pubkey_import_tpm_url1669700
+Ref: gnutls_pubkey_import_url1670592
+Ref: gnutls_pubkey_import_x5091671065
+Ref: gnutls_pubkey_import_x509_crq1671565
+Ref: gnutls_pubkey_import_x509_raw1672068
+Ref: gnutls_pubkey_init1672645
+Ref: gnutls_pubkey_print1672974
+Ref: gnutls_pubkey_set_key_usage1673708
+Ref: gnutls_pubkey_set_pin_function1674277
+Ref: gnutls_pubkey_set_spki1674842
+Ref: gnutls_pubkey_verify_data21675413
+Ref: gnutls_pubkey_verify_hash21676321
+Ref: gnutls_pubkey_verify_params1677445
+Ref: gnutls_register_custom_url1677803
+Ref: gnutls_system_key_add_x5091678741
+Ref: gnutls_system_key_delete1679486
+Ref: gnutls_system_key_iter_deinit1679910
+Ref: gnutls_system_key_iter_get_info1680178
+Ref: gnutls_x509_crl_privkey_sign1681452
+Ref: gnutls_x509_crq_privkey_sign1682721
+Ref: gnutls_x509_crq_set_pubkey1684083
+Ref: gnutls_x509_crt_privkey_sign1684591
+Ref: gnutls_x509_crt_set_pubkey1685834
+Node: Socket specific API1686287
+Ref: gnutls_transport_set_fastopen1686580
+Node: DANE API1688126
+Ref: dane_cert_type_name1688500
+Ref: dane_cert_usage_name1688790
+Ref: dane_match_type_name1689102
+Ref: dane_query_data1689385
+Ref: dane_query_deinit1690064
+Ref: dane_query_entries1690269
+Ref: dane_query_status1690511
+Ref: dane_query_tlsa1690805
+Ref: dane_query_to_raw_tlsa1691396
+Ref: dane_raw_tlsa1692738
+Ref: dane_state_deinit1693815
+Ref: dane_state_init1694007
+Ref: dane_state_set_dlv_file1694521
+Ref: dane_strerror1694822
+Ref: dane_verification_status_print1695321
+Ref: dane_verify_crt1695915
+Ref: dane_verify_crt_raw1698102
+Ref: dane_verify_session_crt1699335
+Node: Cryptographic API1700737
+Ref: gnutls_aead_cipher_decrypt1701238
+Ref: gnutls_aead_cipher_decryptv21702617
+Ref: gnutls_aead_cipher_deinit1703542
+Ref: gnutls_aead_cipher_encrypt1703870
+Ref: gnutls_aead_cipher_encryptv1704979
+Ref: gnutls_aead_cipher_encryptv21706127
+Ref: gnutls_aead_cipher_init1707055
+Ref: gnutls_cipher_add_auth1707721
+Ref: gnutls_cipher_decrypt1708301
+Ref: gnutls_cipher_decrypt21708925
+Ref: gnutls_cipher_deinit1709851
+Ref: gnutls_cipher_encrypt1710130
+Ref: gnutls_cipher_encrypt21710590
+Ref: gnutls_cipher_get_block_size1711367
+Ref: gnutls_cipher_get_iv_size1711647
+Ref: gnutls_cipher_get_tag_size1712129
+Ref: gnutls_cipher_init1712535
+Ref: gnutls_cipher_set_iv1713265
+Ref: gnutls_cipher_tag1713610
+Ref: gnutls_crypto_register_aead_cipher1714112
+Ref: gnutls_crypto_register_cipher1715716
+Ref: gnutls_crypto_register_digest1717497
+Ref: gnutls_crypto_register_mac1718721
+Ref: gnutls_decode_ber_digest_info1720149
+Ref: gnutls_decode_gost_rs_value1720948
+Ref: gnutls_decode_rs_value1721748
+Ref: gnutls_encode_ber_digest_info1722533
+Ref: gnutls_encode_gost_rs_value1723177
+Ref: gnutls_encode_rs_value1723923
+Ref: gnutls_hash1724543
+Ref: gnutls_hash_copy1724974
+Ref: gnutls_hash_deinit1725491
+Ref: gnutls_hash_fast1725819
+Ref: gnutls_hash_get_len1726336
+Ref: gnutls_hash_init1726669
+Ref: gnutls_hash_output1727205
+Ref: gnutls_hkdf_expand1727537
+Ref: gnutls_hkdf_extract1728240
+Ref: gnutls_hmac1728783
+Ref: gnutls_hmac_copy1729214
+Ref: gnutls_hmac_deinit1729695
+Ref: gnutls_hmac_fast1730022
+Ref: gnutls_hmac_get_key_size1730746
+Ref: gnutls_hmac_get_len1731207
+Ref: gnutls_hmac_init1731537
+Ref: gnutls_hmac_output1732320
+Ref: gnutls_hmac_set_nonce1732655
+Ref: gnutls_mac_get_nonce_size1733022
+Ref: gnutls_pbkdf21733338
+Ref: gnutls_rnd1733971
+Ref: gnutls_rnd_refresh1734609
+Node: Compatibility API1734895
+Ref: gnutls_compression_get1735237
+Ref: gnutls_compression_get_id1735589
+Ref: gnutls_compression_get_name1735953
+Ref: gnutls_compression_list1736335
+Ref: gnutls_global_set_mem_functions1736667
+Ref: gnutls_openpgp_privkey_sign_hash1738042
+Ref: gnutls_priority_compression_list1738471
+Ref: gnutls_x509_crt_get_preferred_hash_algorithm1738923
+Ref: gnutls_x509_privkey_sign_hash1739804
+Node: Copying Information1740674
+Node: Bibliography1765851
+Ref: CBCATT1765990
+Ref: GPGH1766168
+Ref: GUTPKI1766291
+Ref: PRNGATTACKS1766466
+Ref: KEYPIN1766666
+Ref: NISTSP800571766841
+Ref: RFC74131767089
+Ref: RFC79181767256
+Ref: RFC61251767433
+Ref: RFC76851767774
+Ref: RFC76131767949
+Ref: RFC22461768197
+Ref: RFC60831768358
+Ref: RFC44181768595
+Ref: RFC46801768762
+Ref: RFC76331768920
+Ref: RFC79191769092
+Ref: RFC45141769296
+Ref: RFC43461769500
+Ref: RFC43471769650
+Ref: RFC52461769817
+Ref: RFC24401769968
+Ref: RFC48801770150
+Ref: RFC42111770344
+Ref: RFC28171770538
+Ref: RFC28181770691
+Ref: RFC29451770805
+Ref: RFC73011770955
+Ref: RFC29861771175
+Ref: PKIX1771364
+Ref: RFC37491771627
+Ref: RFC38201771793
+Ref: RFC65201772036
+Ref: RFC57461772275
+Ref: RFC52801772484
+Ref: TLSTKT1772751
+Ref: PKCS121772983
+Ref: PKCS111773124
+Ref: RESCORLA1773270
+Ref: SELKEY1773366
+Ref: SSL31773525
+Ref: STEVENS1773716
+Ref: TLSEXT1773824
+Ref: TLSPGP1774041
+Ref: TLSSRP1774206
+Ref: TLSPSK1774403
+Ref: TOMSRP1774572
+Ref: WEGER1774685
+Ref: ECRYPT1774877
+Ref: RFC50561775082
+Ref: RFC57641775235
+Ref: RFC59291775523
+Ref: PKCS11URI1775666
+Ref: TPMURI1775802
+Ref: ANDERSON1775996
+Ref: RFC48211776142
+Ref: RFC25601776295
+Ref: RIVESTCRL1776489
+Node: Function and Data Index1776850
+Node: Concept Index1903361

End Tag Table
diff -ruN gnutls-3.7.2/doc/gnutls.info-1 gnutls-3.7.2-bootstrapped/doc/gnutls.info-1
--- gnutls-3.7.2/doc/gnutls.info-1 2021-05-29 10:19:34.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-1 2021-06-28 09:39:56.000000000 +0200
@@ -7426,6 +7426,12 @@
to a token. Must be combined with one of -load-privkey, -load-pubkey,
-load-certificate option.
+When writing a certificate object, its CKA_ID is set to the same CKA_ID
+of the corresponding public key, if it exists on the token; otherwise it
+will be derived from the X.509 Subject Key Identifier of the
+certificate. If this behavior is undesired, write the public key to the
+token beforehand.
+
id option.
..........
diff -ruN gnutls-3.7.2/doc/gnutls.info-3 gnutls-3.7.2-bootstrapped/doc/gnutls.info-3
--- gnutls-3.7.2/doc/gnutls.info-3 2021-05-29 10:19:36.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-3 2021-06-28 09:39:58.000000000 +0200
@@ -1350,6 +1350,7 @@
* 'insecure-hash': to mark the hash algorithm as insecure for digital
signature use (provides a more generic way to disable digital
signatures for broken hash algorithms).
+ * 'disabled-curve': to disable the specified elliptic curve.
* 'disabled-version': to disable the specified TLS versions.
* 'tls-disabled-cipher': to disable the specified ciphers for use in
the TLS or DTLS protocols.
@@ -1362,12 +1363,54 @@
earlier).
Each of the options can be repeated multiple times when multiple values
-need to be disabled.
+need to be disabled or enabled.
The valid values for the options above can be found in the 'Protocols',
'Digests' 'PK-signatures', 'Protocols', 'Ciphrers', and 'MACs' fields of
the output of 'gnutls-cli --list'.
+Sometimes the system administrator wants to enable only specific
+algorithms, despite the library defaults. GnuTLS provides an
+alternative mode of overriding: allowlisting.
+
+In the allowlisting mode, all the algorithms are initially marked as
+insecure or disabled, and shall be explicitly turned on by the options
+in the '[overrides]' section. Those options are mutually exclusive to
+the above ones for the blocklisting mode (the default)
+ * 'secure-sig-for-cert': to mark the signature algorithm as secure
+ when used in certificates.
+ * 'secure-sig': to mark the signature algorithm as secure for any
+ use.
+ * 'secure-hash': to mark the hash algorithm as secure for digital
+ signature use (provides a more generic way to enable digital
+ signatures for broken hash algorithms).
+ * 'enabled-curve': to enable the specified elliptic curve.
+ * 'enabled-version': to enable the specified TLS versions.
+ * 'tls-enabled-cipher': to enable the specified ciphers for use in
+ the TLS or DTLS protocols.
+ * 'tls-enabled-mac': to enable the specified MAC algorithms for use
+ in the TLS or DTLS protocols.
+ * 'tls-enabled-group': to enable the specified group for use in the
+ TLS or DTLS protocols.
+ * 'tls-enabled-kx': to enable the specified key exchange algorithms
+ for use in the TLS or DTLS protocols (applies to TLS1.2 or
+ earlier).
+
+The allowlisting mode can be enabled by adding 'override-mode =
+allowlist' in the '[global]' section.
+
+When the allowlisting mode is in effect, it is also possible for the
+applications to modify the setting through the API.
+
+'INT *note gnutls_ecc_curve_mark_enabled:: (gnutls_ecc_curve_t CURVE)'
+'INT *note gnutls_sign_mark_secure:: (gnutls_sign_algorithm_t SIGN, unsigned FLAGS)'
+'INT *note gnutls_digest_mark_secure:: (gnutls_digest_algorithm_t DIG)'
+'INT *note gnutls_protocol_mark_enabled:: (gnutls_protocol_t VERSION)'
+'INT *note gnutls_ecc_curve_mark_disabled:: (gnutls_ecc_curve_t CURVE)'
+'INT *note gnutls_sign_mark_insecure:: (gnutls_sign_algorithm_t SIGN, unsigned FLAGS)'
+'INT *note gnutls_digest_mark_insecure:: (gnutls_digest_algorithm_t DIG)'
+'INT *note gnutls_protocol_mark_disabled:: (gnutls_protocol_t VERSION)'
+
8.2.1 Examples
--------------
@@ -1396,6 +1439,17 @@
tls-disabled-mac = sha1
tls-disabled-group = group-ffdhe8192
+The following example demonstrates the use of the allowlisting mode. It
+disables all the signature algorithms but 'RSA-SHA256'. Note that the
+hash algorithm 'SHA256' also needs to be explicitly enabled.
+
+ [global]
+ override-mode = allowlist
+
+ [overrides]
+ secure-hash = sha256
+ secure-sig = rsa-sha256
+

File: gnutls.info, Node: Querying for disabled algorithms and protocols, Next: Overriding the parameter verification profile, Prev: Disabling algorithms and protocols, Up: System-wide configuration of the library
@@ -8538,6 +8592,31 @@
'gnutls_digest_algorithm_t' integers indicating the available
digests.
+gnutls_digest_mark_insecure
+---------------------------
+
+ -- Function: int gnutls_digest_mark_insecure (gnutls_digest_algorithm_t
+ DIG)
+ DIG: is a digest algorithm
+
+ Mark 'dig' as insecure system wide. This only works if the
+ allowlisting mode is used in the configuration file.
+
+ *Since:* 3.7.3
+
+gnutls_digest_mark_secure
+-------------------------
+
+ -- Function: int gnutls_digest_mark_secure (gnutls_digest_algorithm_t
+ DIG)
+ DIG: is a digest algorithm
+
+ Invalidate previous system wide setting that marked 'dig' as
+ insecure. This only works if the allowlisting mode is used in the
+ configuration file.
+
+ *Since:* 3.7.3
+
gnutls_early_cipher_get
-----------------------
@@ -8657,6 +8736,37 @@
*Returns:* Return a (0)-terminated list of 'gnutls_ecc_curve_t'
integers indicating the available curves.
+gnutls_ecc_curve_mark_disabled
+------------------------------
+
+ -- Function: int gnutls_ecc_curve_mark_disabled (gnutls_ecc_curve_t
+ CURVE)
+ CURVE: is an ECC curve
+
+ Mark 'curve' as disabled system wide. This setting can be reverted
+ with 'gnutls_ecc_curve_mark_enabled()' . This only works if the
+ configuration file uses the allowlisting mode.
+
+ *Returns:* 0 on success or negative error code otherwise.
+
+ *Since:* 3.7.3
+
+gnutls_ecc_curve_mark_enabled
+-----------------------------
+
+ -- Function: int gnutls_ecc_curve_mark_enabled (gnutls_ecc_curve_t
+ CURVE)
+ CURVE: is an ECC curve
+
+ Invalidate previous system wide setting that marked 'curve' as
+ disabled. This only works if the curve is disabled with
+ 'gnutls_ecc_curve_mark_disabled()' or through the allowlisting mode
+ in the configuration file.
+
+ *Returns:* 0 on success or negative error code otherwise.
+
+ *Since:* 3.7.3
+
gnutls_error_is_fatal
---------------------
@@ -11047,6 +11157,27 @@
*Returns:* a (0)-terminated list of 'gnutls_protocol_t' integers
indicating the available protocols.
+gnutls_protocol_mark_disabled
+-----------------------------
+
+ -- Function: int gnutls_protocol_mark_disabled (gnutls_protocol_t
+ VERSION)
+ VERSION: is a (gnutls) version number
+
+ Mark 'version' as disabled system wide. This only works if the
+ allowlisting mode is used in the configuration file.
+
+gnutls_protocol_mark_enabled
+----------------------------
+
+ -- Function: int gnutls_protocol_mark_enabled (gnutls_protocol_t
+ VERSION)
+ VERSION: is a (gnutls) version number
+
+ Invalidate previous system wide setting that marked 'version' as
+ disabled. This only works if the allowlisting mode is used in the
+ configuration file.
+
gnutls_psk_allocate_client_credentials
--------------------------------------
@@ -13235,6 +13366,45 @@
*Returns:* a (0)-terminated list of 'gnutls_sign_algorithm_t'
integers indicating the available ciphers.
+gnutls_sign_mark_insecure
+-------------------------
+
+ -- Function: int gnutls_sign_mark_insecure (gnutls_sign_algorithm_t
+ SIGN, unsigned FLAGS)
+ SIGN: the sign algorithm
+
+ FLAGS: 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' or 0
+
+ Mark 'sign' as insecure system wide. This only works if the
+ allowlisting mode is used in the configuration file.
+
+ If 'flags' has 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' bit set, and the
+ algorithm was previously considered secure for all purposes, it
+ only marks the algorithm as insecure for the use with certificates.
+
+ *Since:* 3.7.3
+
+gnutls_sign_mark_secure
+-----------------------
+
+ -- Function: int gnutls_sign_mark_secure (gnutls_sign_algorithm_t SIGN,
+ unsigned FLAGS)
+ SIGN: the sign algorithm
+
+ FLAGS: 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' or 0
+
+ Invalidate previous system wide setting that marked 'sign' as
+ insecure. This only works if the algorithm is marked as insecure
+ with 'gnutls_sign_mark_insecure()' or through the allowlisting mode
+ in the configuration file.
+
+ If 'flags' has 'GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS' bit set, it
+ marks it the algorithm as secure for all purposes. If the absence
+ of this flag, it will mark it as "secure, but not for certificates"
+ at most, but it won't restrict anything either.
+
+ *Since:* 3.7.3
+
gnutls_sign_supports_pk_algorithm
---------------------------------
diff -ruN gnutls-3.7.2/doc/gnutls.info-6 gnutls-3.7.2-bootstrapped/doc/gnutls.info-6
--- gnutls-3.7.2/doc/gnutls.info-6 2021-05-29 10:19:38.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/gnutls.info-6 2021-06-28 09:40:00.000000000 +0200
@@ -7847,6 +7847,8 @@
* gnutls_digest_get_name: Core TLS API. (line 3005)
* gnutls_digest_get_oid: Core TLS API. (line 3017)
* gnutls_digest_list: Core TLS API. (line 3032)
+* gnutls_digest_mark_insecure: Core TLS API. (line 3046)
+* gnutls_digest_mark_secure: Core TLS API. (line 3058)
* gnutls_dtls_cookie_send: Datagram TLS API. (line 11)
* gnutls_dtls_cookie_verify: Datagram TLS API. (line 45)
* gnutls_dtls_get_data_mtu: Datagram TLS API. (line 74)
@@ -7858,71 +7860,73 @@
* gnutls_dtls_set_data_mtu: Datagram TLS API. (line 139)
* gnutls_dtls_set_mtu: Datagram TLS API. (line 165)
* gnutls_dtls_set_timeouts: Datagram TLS API. (line 182)
-* gnutls_early_cipher_get: Core TLS API. (line 3046)
-* gnutls_early_prf_hash_get: Core TLS API. (line 3060)
-* gnutls_ecc_curve_get: Core TLS API. (line 3075)
-* gnutls_ecc_curve_get_id: Core TLS API. (line 3089)
-* gnutls_ecc_curve_get_name: Core TLS API. (line 3103)
-* gnutls_ecc_curve_get_oid: Core TLS API. (line 3117)
-* gnutls_ecc_curve_get_pk: Core TLS API. (line 3131)
-* gnutls_ecc_curve_get_size: Core TLS API. (line 3143)
-* gnutls_ecc_curve_list: Core TLS API. (line 3153)
+* gnutls_early_cipher_get: Core TLS API. (line 3071)
+* gnutls_early_prf_hash_get: Core TLS API. (line 3085)
+* gnutls_ecc_curve_get: Core TLS API. (line 3100)
+* gnutls_ecc_curve_get_id: Core TLS API. (line 3114)
+* gnutls_ecc_curve_get_name: Core TLS API. (line 3128)
+* gnutls_ecc_curve_get_oid: Core TLS API. (line 3142)
+* gnutls_ecc_curve_get_pk: Core TLS API. (line 3156)
+* gnutls_ecc_curve_get_size: Core TLS API. (line 3168)
+* gnutls_ecc_curve_list: Core TLS API. (line 3178)
+* gnutls_ecc_curve_mark_disabled: Core TLS API. (line 3190)
+* gnutls_ecc_curve_mark_enabled: Core TLS API. (line 3205)
* gnutls_encode_ber_digest_info: Cryptographic API. (line 689)
* gnutls_encode_gost_rs_value: Cryptographic API. (line 709)
* gnutls_encode_rs_value: Cryptographic API. (line 732)
* gnutls_error_is_fatal: Data transfer and termination.
(line 82)
-* gnutls_error_is_fatal <1>: Core TLS API. (line 3165)
+* gnutls_error_is_fatal <1>: Core TLS API. (line 3221)
* gnutls_error_to_alert: Handling alerts. (line 66)
-* gnutls_error_to_alert <1>: Core TLS API. (line 3185)
-* gnutls_est_record_overhead_size: Core TLS API. (line 3204)
-* gnutls_ext_get_current_msg: Core TLS API. (line 3231)
-* gnutls_ext_get_data: Core TLS API. (line 3249)
-* gnutls_ext_get_name: Core TLS API. (line 3268)
-* gnutls_ext_get_name2: Core TLS API. (line 3279)
-* gnutls_ext_raw_parse: Core TLS API. (line 3296)
-* gnutls_ext_register: Core TLS API. (line 3327)
-* gnutls_ext_set_data: Core TLS API. (line 3374)
-* gnutls_fingerprint: Core TLS API. (line 3391)
-* gnutls_fips140_mode_enabled: Core TLS API. (line 3418)
-* gnutls_fips140_set_mode: Core TLS API. (line 3436)
+* gnutls_error_to_alert <1>: Core TLS API. (line 3241)
+* gnutls_est_record_overhead_size: Core TLS API. (line 3260)
+* gnutls_ext_get_current_msg: Core TLS API. (line 3287)
+* gnutls_ext_get_data: Core TLS API. (line 3305)
+* gnutls_ext_get_name: Core TLS API. (line 3324)
+* gnutls_ext_get_name2: Core TLS API. (line 3335)
+* gnutls_ext_raw_parse: Core TLS API. (line 3352)
+* gnutls_ext_register: Core TLS API. (line 3383)
+* gnutls_ext_set_data: Core TLS API. (line 3430)
+* gnutls_fingerprint: Core TLS API. (line 3447)
+* gnutls_fips140_mode_enabled: Core TLS API. (line 3474)
+* gnutls_fips140_set_mode: Core TLS API. (line 3492)
* gnutls_get_system_config_file: System-wide configuration of the library.
(line 24)
-* gnutls_get_system_config_file <1>: Core TLS API. (line 3462)
-* gnutls_global_deinit: Core TLS API. (line 3476)
-* gnutls_global_init: Core TLS API. (line 3489)
+* gnutls_get_system_config_file <1>: Core TLS API. (line 3518)
+* gnutls_global_deinit: Core TLS API. (line 3532)
+* gnutls_global_init: Core TLS API. (line 3545)
* gnutls_global_set_audit_log_function: Debugging and auditing.
(line 64)
-* gnutls_global_set_audit_log_function <1>: Core TLS API. (line 3518)
-* gnutls_global_set_log_function: Core TLS API. (line 3537)
-* gnutls_global_set_log_level: Core TLS API. (line 3552)
+* gnutls_global_set_audit_log_function <1>: Core TLS API. (line 3574)
+* gnutls_global_set_log_function: Core TLS API. (line 3593)
+* gnutls_global_set_log_level: Core TLS API. (line 3608)
* gnutls_global_set_mem_functions: Compatibility API. (line 60)
-* gnutls_global_set_mutex: Core TLS API. (line 3565)
-* gnutls_global_set_time_function: Core TLS API. (line 3594)
-* gnutls_gost_paramset_get_name: Core TLS API. (line 3608)
-* gnutls_gost_paramset_get_oid: Core TLS API. (line 3622)
-* gnutls_group_get: Core TLS API. (line 3636)
-* gnutls_group_get_id: Core TLS API. (line 3649)
-* gnutls_group_get_name: Core TLS API. (line 3662)
-* gnutls_group_list: Core TLS API. (line 3675)
+* gnutls_global_set_mutex: Core TLS API. (line 3621)
+* gnutls_global_set_time_function: Core TLS API. (line 3650)
+* gnutls_gost_paramset_get_name: Core TLS API. (line 3664)
+* gnutls_gost_paramset_get_oid: Core TLS API. (line 3678)
+* gnutls_group_get: Core TLS API. (line 3692)
+* gnutls_group_get_id: Core TLS API. (line 3705)
+* gnutls_group_get_name: Core TLS API. (line 3718)
+* gnutls_group_list: Core TLS API. (line 3731)
* gnutls_handshake: TLS handshake. (line 10)
-* gnutls_handshake <1>: Core TLS API. (line 3689)
-* gnutls_handshake_description_get_name: Core TLS API. (line 3732)
-* gnutls_handshake_get_last_in: Core TLS API. (line 3744)
-* gnutls_handshake_get_last_out: Core TLS API. (line 3761)
+* gnutls_handshake <1>: Core TLS API. (line 3745)
+* gnutls_handshake_description_get_name: Core TLS API. (line 3788)
+* gnutls_handshake_get_last_in: Core TLS API. (line 3800)
+* gnutls_handshake_get_last_out: Core TLS API. (line 3817)
* gnutls_handshake_set_hook_function: Virtual hosts and credentials.
(line 56)
-* gnutls_handshake_set_hook_function <1>: Core TLS API. (line 3778)
-* gnutls_handshake_set_max_packet_length: Core TLS API. (line 3815)
+* gnutls_handshake_set_hook_function <1>: Core TLS API. (line 3834)
+* gnutls_handshake_set_max_packet_length: Core TLS API. (line 3871)
* gnutls_handshake_set_post_client_hello_function: Core TLS API.
- (line 3836)
-* gnutls_handshake_set_private_extensions: Core TLS API. (line 3867)
-* gnutls_handshake_set_random: Core TLS API. (line 3886)
-* gnutls_handshake_set_read_function: Core TLS API. (line 3908)
-* gnutls_handshake_set_secret_function: Core TLS API. (line 3922)
+ (line 3892)
+* gnutls_handshake_set_private_extensions: Core TLS API. (line 3923)
+* gnutls_handshake_set_random: Core TLS API. (line 3942)
+* gnutls_handshake_set_read_function: Core TLS API. (line 3964)
+* gnutls_handshake_set_secret_function: Core TLS API. (line 3978)
* gnutls_handshake_set_timeout: TLS handshake. (line 50)
-* gnutls_handshake_set_timeout <1>: Core TLS API. (line 3936)
-* gnutls_handshake_write: Core TLS API. (line 3956)
+* gnutls_handshake_set_timeout <1>: Core TLS API. (line 3992)
+* gnutls_handshake_write: Core TLS API. (line 4012)
* gnutls_hash: Cryptographic API. (line 753)
* gnutls_hash_copy: Cryptographic API. (line 771)
* gnutls_hash_deinit: Cryptographic API. (line 787)
@@ -7930,17 +7934,17 @@
* gnutls_hash_get_len: Cryptographic API. (line 821)
* gnutls_hash_init: Cryptographic API. (line 835)
* gnutls_hash_output: Cryptographic API. (line 853)
-* gnutls_heartbeat_allowed: Core TLS API. (line 3977)
-* gnutls_heartbeat_enable: Core TLS API. (line 3994)
-* gnutls_heartbeat_get_timeout: Core TLS API. (line 4018)
-* gnutls_heartbeat_ping: Core TLS API. (line 4034)
-* gnutls_heartbeat_pong: Core TLS API. (line 4066)
-* gnutls_heartbeat_set_timeouts: Core TLS API. (line 4082)
-* gnutls_hex2bin: Core TLS API. (line 4104)
-* gnutls_hex_decode: Core TLS API. (line 4127)
-* gnutls_hex_decode2: Core TLS API. (line 4149)
-* gnutls_hex_encode: Core TLS API. (line 4164)
-* gnutls_hex_encode2: Core TLS API. (line 4183)
+* gnutls_heartbeat_allowed: Core TLS API. (line 4033)
+* gnutls_heartbeat_enable: Core TLS API. (line 4050)
+* gnutls_heartbeat_get_timeout: Core TLS API. (line 4074)
+* gnutls_heartbeat_ping: Core TLS API. (line 4090)
+* gnutls_heartbeat_pong: Core TLS API. (line 4122)
+* gnutls_heartbeat_set_timeouts: Core TLS API. (line 4138)
+* gnutls_hex2bin: Core TLS API. (line 4160)
+* gnutls_hex_decode: Core TLS API. (line 4183)
+* gnutls_hex_decode2: Core TLS API. (line 4205)
+* gnutls_hex_encode: Core TLS API. (line 4220)
+* gnutls_hex_encode2: Core TLS API. (line 4239)
* gnutls_hkdf_expand: Cryptographic API. (line 867)
* gnutls_hkdf_extract: Cryptographic API. (line 891)
* gnutls_hmac: Cryptographic API. (line 912)
@@ -7952,25 +7956,25 @@
* gnutls_hmac_init: Cryptographic API. (line 1015)
* gnutls_hmac_output: Cryptographic API. (line 1041)
* gnutls_hmac_set_nonce: Cryptographic API. (line 1055)
-* gnutls_idna_map: Core TLS API. (line 4201)
-* gnutls_idna_reverse_map: Core TLS API. (line 4232)
+* gnutls_idna_map: Core TLS API. (line 4257)
+* gnutls_idna_reverse_map: Core TLS API. (line 4288)
* gnutls_init: Session initialization.
(line 14)
-* gnutls_init <1>: Core TLS API. (line 4258)
-* gnutls_key_generate: Core TLS API. (line 4281)
-* gnutls_kx_get: Core TLS API. (line 4298)
-* gnutls_kx_get_id: Core TLS API. (line 4315)
-* gnutls_kx_get_name: Core TLS API. (line 4327)
-* gnutls_kx_list: Core TLS API. (line 4339)
-* gnutls_load_file: Core TLS API. (line 4351)
-* gnutls_mac_get: Core TLS API. (line 4374)
-* gnutls_mac_get_id: Core TLS API. (line 4386)
-* gnutls_mac_get_key_size: Core TLS API. (line 4399)
-* gnutls_mac_get_name: Core TLS API. (line 4411)
+* gnutls_init <1>: Core TLS API. (line 4314)
+* gnutls_key_generate: Core TLS API. (line 4337)
+* gnutls_kx_get: Core TLS API. (line 4354)
+* gnutls_kx_get_id: Core TLS API. (line 4371)
+* gnutls_kx_get_name: Core TLS API. (line 4383)
+* gnutls_kx_list: Core TLS API. (line 4395)
+* gnutls_load_file: Core TLS API. (line 4407)
+* gnutls_mac_get: Core TLS API. (line 4430)
+* gnutls_mac_get_id: Core TLS API. (line 4442)
+* gnutls_mac_get_key_size: Core TLS API. (line 4455)
+* gnutls_mac_get_name: Core TLS API. (line 4467)
* gnutls_mac_get_nonce_size: Cryptographic API. (line 1070)
-* gnutls_mac_list: Core TLS API. (line 4423)
-* gnutls_memcmp: Core TLS API. (line 4435)
-* gnutls_memset: Core TLS API. (line 4456)
+* gnutls_mac_list: Core TLS API. (line 4479)
+* gnutls_memcmp: Core TLS API. (line 4491)
+* gnutls_memset: Core TLS API. (line 4512)
* gnutls_ocsp_req_add_cert: OCSP API. (line 12)
* gnutls_ocsp_req_add_cert_id: OCSP API. (line 36)
* gnutls_ocsp_req_deinit: OCSP API. (line 69)
@@ -8011,20 +8015,20 @@
* gnutls_ocsp_resp_print: OCSP API. (line 757)
* gnutls_ocsp_resp_verify: OCSP API. (line 780)
* gnutls_ocsp_resp_verify_direct: OCSP API. (line 818)
-* gnutls_ocsp_status_request_enable_client: Core TLS API. (line 4471)
-* gnutls_ocsp_status_request_get: Core TLS API. (line 4499)
-* gnutls_ocsp_status_request_get2: Core TLS API. (line 4518)
-* gnutls_ocsp_status_request_is_checked: Core TLS API. (line 4544)
-* gnutls_oid_to_digest: Core TLS API. (line 4578)
-* gnutls_oid_to_ecc_curve: Core TLS API. (line 4593)
-* gnutls_oid_to_gost_paramset: Core TLS API. (line 4605)
-* gnutls_oid_to_mac: Core TLS API. (line 4620)
-* gnutls_oid_to_pk: Core TLS API. (line 4635)
-* gnutls_oid_to_sign: Core TLS API. (line 4649)
+* gnutls_ocsp_status_request_enable_client: Core TLS API. (line 4527)
+* gnutls_ocsp_status_request_get: Core TLS API. (line 4555)
+* gnutls_ocsp_status_request_get2: Core TLS API. (line 4574)
+* gnutls_ocsp_status_request_is_checked: Core TLS API. (line 4600)
+* gnutls_oid_to_digest: Core TLS API. (line 4634)
+* gnutls_oid_to_ecc_curve: Core TLS API. (line 4649)
+* gnutls_oid_to_gost_paramset: Core TLS API. (line 4661)
+* gnutls_oid_to_mac: Core TLS API. (line 4676)
+* gnutls_oid_to_pk: Core TLS API. (line 4691)
+* gnutls_oid_to_sign: Core TLS API. (line 4705)
* gnutls_openpgp_privkey_sign_hash: Compatibility API. (line 95)
-* gnutls_openpgp_send_cert: Core TLS API. (line 4664)
-* gnutls_packet_deinit: Core TLS API. (line 4677)
-* gnutls_packet_get: Core TLS API. (line 4688)
+* gnutls_openpgp_send_cert: Core TLS API. (line 4720)
+* gnutls_packet_deinit: Core TLS API. (line 4733)
+* gnutls_packet_get: Core TLS API. (line 4744)
* gnutls_pbkdf2: Cryptographic API. (line 1083)
* gnutls_pcert_deinit: Abstract key API. (line 176)
* gnutls_pcert_export_openpgp: Abstract key API. (line 186)
@@ -8038,11 +8042,11 @@
* gnutls_pcert_import_x509_raw: Abstract key API. (line 370)
* gnutls_pcert_list_import_x509_file: Abstract key API. (line 393)
* gnutls_pcert_list_import_x509_raw: Abstract key API. (line 430)
-* gnutls_pem_base64_decode: Core TLS API. (line 4706)
-* gnutls_pem_base64_decode2: Core TLS API. (line 4730)
-* gnutls_pem_base64_encode: Core TLS API. (line 4758)
-* gnutls_pem_base64_encode2: Core TLS API. (line 4781)
-* gnutls_perror: Core TLS API. (line 4809)
+* gnutls_pem_base64_decode: Core TLS API. (line 4762)
+* gnutls_pem_base64_decode2: Core TLS API. (line 4786)
+* gnutls_pem_base64_encode: Core TLS API. (line 4814)
+* gnutls_pem_base64_encode2: Core TLS API. (line 4837)
+* gnutls_perror: Core TLS API. (line 4865)
* gnutls_pkcs11_add_provider: PKCS11 Manual Initialization.
(line 13)
* gnutls_pkcs11_add_provider <1>: PKCS 11 API. (line 12)
@@ -8183,39 +8187,39 @@
(line 122)
* gnutls_pkcs_schema_get_oid: X509 certificate API.
(line 137)
-* gnutls_pk_algorithm_get_name: Core TLS API. (line 4818)
+* gnutls_pk_algorithm_get_name: Core TLS API. (line 4874)
* gnutls_pk_bits_to_sec_param: Selecting cryptographic key sizes.
(line 91)
-* gnutls_pk_bits_to_sec_param <1>: Core TLS API. (line 4830)
-* gnutls_pk_get_id: Core TLS API. (line 4847)
-* gnutls_pk_get_name: Core TLS API. (line 4862)
-* gnutls_pk_get_oid: Core TLS API. (line 4876)
-* gnutls_pk_list: Core TLS API. (line 4891)
-* gnutls_pk_to_sign: Core TLS API. (line 4905)
-* gnutls_prf: Core TLS API. (line 4920)
-* gnutls_prf_early: Core TLS API. (line 4970)
-* gnutls_prf_hash_get: Core TLS API. (line 5015)
-* gnutls_prf_raw: Core TLS API. (line 5032)
+* gnutls_pk_bits_to_sec_param <1>: Core TLS API. (line 4886)
+* gnutls_pk_get_id: Core TLS API. (line 4903)
+* gnutls_pk_get_name: Core TLS API. (line 4918)
+* gnutls_pk_get_oid: Core TLS API. (line 4932)
+* gnutls_pk_list: Core TLS API. (line 4947)
+* gnutls_pk_to_sign: Core TLS API. (line 4961)
+* gnutls_prf: Core TLS API. (line 4976)
+* gnutls_prf_early: Core TLS API. (line 5026)
+* gnutls_prf_hash_get: Core TLS API. (line 5071)
+* gnutls_prf_raw: Core TLS API. (line 5088)
* gnutls_prf_rfc5705: Deriving keys for other applications/protocols.
(line 16)
-* gnutls_prf_rfc5705 <1>: Core TLS API. (line 5077)
-* gnutls_priority_certificate_type_list: Core TLS API. (line 5124)
-* gnutls_priority_certificate_type_list2: Core TLS API. (line 5145)
-* gnutls_priority_cipher_list: Core TLS API. (line 5165)
+* gnutls_prf_rfc5705 <1>: Core TLS API. (line 5133)
+* gnutls_priority_certificate_type_list: Core TLS API. (line 5180)
+* gnutls_priority_certificate_type_list2: Core TLS API. (line 5201)
+* gnutls_priority_cipher_list: Core TLS API. (line 5221)
* gnutls_priority_compression_list: Compatibility API. (line 111)
-* gnutls_priority_deinit: Core TLS API. (line 5180)
-* gnutls_priority_ecc_curve_list: Core TLS API. (line 5189)
-* gnutls_priority_get_cipher_suite_index: Core TLS API. (line 5207)
-* gnutls_priority_group_list: Core TLS API. (line 5232)
-* gnutls_priority_init: Core TLS API. (line 5247)
-* gnutls_priority_init2: Core TLS API. (line 5275)
-* gnutls_priority_kx_list: Core TLS API. (line 5383)
-* gnutls_priority_mac_list: Core TLS API. (line 5399)
-* gnutls_priority_protocol_list: Core TLS API. (line 5414)
-* gnutls_priority_set: Core TLS API. (line 5430)
-* gnutls_priority_set_direct: Core TLS API. (line 5448)
-* gnutls_priority_sign_list: Core TLS API. (line 5472)
-* gnutls_priority_string_list: Core TLS API. (line 5488)
+* gnutls_priority_deinit: Core TLS API. (line 5236)
+* gnutls_priority_ecc_curve_list: Core TLS API. (line 5245)
+* gnutls_priority_get_cipher_suite_index: Core TLS API. (line 5263)
+* gnutls_priority_group_list: Core TLS API. (line 5288)
+* gnutls_priority_init: Core TLS API. (line 5303)
+* gnutls_priority_init2: Core TLS API. (line 5331)
+* gnutls_priority_kx_list: Core TLS API. (line 5439)
+* gnutls_priority_mac_list: Core TLS API. (line 5455)
+* gnutls_priority_protocol_list: Core TLS API. (line 5470)
+* gnutls_priority_set: Core TLS API. (line 5486)
+* gnutls_priority_set_direct: Core TLS API. (line 5504)
+* gnutls_priority_sign_list: Core TLS API. (line 5528)
+* gnutls_priority_string_list: Core TLS API. (line 5544)
* gnutls_privkey_decrypt_data: Operations. (line 144)
* gnutls_privkey_decrypt_data <1>: Abstract key API. (line 465)
* gnutls_privkey_decrypt_data2: Abstract key API. (line 488)
@@ -8275,33 +8279,35 @@
* gnutls_privkey_status: Abstract key API. (line 1705)
* gnutls_privkey_verify_params: Abstract key API. (line 1721)
* gnutls_privkey_verify_seed: Abstract key API. (line 1734)
-* gnutls_protocol_get_id: Core TLS API. (line 5508)
-* gnutls_protocol_get_name: Core TLS API. (line 5520)
-* gnutls_protocol_get_version: Core TLS API. (line 5532)
-* gnutls_protocol_list: Core TLS API. (line 5543)
-* gnutls_psk_allocate_client_credentials: Core TLS API. (line 5555)
-* gnutls_psk_allocate_server_credentials: Core TLS API. (line 5567)
-* gnutls_psk_client_get_hint: Core TLS API. (line 5579)
-* gnutls_psk_free_client_credentials: Core TLS API. (line 5598)
-* gnutls_psk_free_server_credentials: Core TLS API. (line 5607)
-* gnutls_psk_server_get_username: Core TLS API. (line 5616)
-* gnutls_psk_server_get_username2: Core TLS API. (line 5636)
-* gnutls_psk_set_client_credentials: Core TLS API. (line 5657)
-* gnutls_psk_set_client_credentials2: Core TLS API. (line 5683)
+* gnutls_protocol_get_id: Core TLS API. (line 5564)
+* gnutls_protocol_get_name: Core TLS API. (line 5576)
+* gnutls_protocol_get_version: Core TLS API. (line 5588)
+* gnutls_protocol_list: Core TLS API. (line 5599)
+* gnutls_protocol_mark_disabled: Core TLS API. (line 5611)
+* gnutls_protocol_mark_enabled: Core TLS API. (line 5621)
+* gnutls_psk_allocate_client_credentials: Core TLS API. (line 5632)
+* gnutls_psk_allocate_server_credentials: Core TLS API. (line 5644)
+* gnutls_psk_client_get_hint: Core TLS API. (line 5656)
+* gnutls_psk_free_client_credentials: Core TLS API. (line 5675)
+* gnutls_psk_free_server_credentials: Core TLS API. (line 5684)
+* gnutls_psk_server_get_username: Core TLS API. (line 5693)
+* gnutls_psk_server_get_username2: Core TLS API. (line 5713)
+* gnutls_psk_set_client_credentials: Core TLS API. (line 5734)
+* gnutls_psk_set_client_credentials2: Core TLS API. (line 5760)
* gnutls_psk_set_client_credentials_function: PSK credentials.
(line 22)
* gnutls_psk_set_client_credentials_function <1>: Core TLS API.
- (line 5706)
-* gnutls_psk_set_client_credentials_function2: Core TLS API. (line 5731)
-* gnutls_psk_set_params_function: Core TLS API. (line 5760)
+ (line 5783)
+* gnutls_psk_set_client_credentials_function2: Core TLS API. (line 5808)
+* gnutls_psk_set_params_function: Core TLS API. (line 5837)
* gnutls_psk_set_server_credentials_file: PSK credentials. (line 59)
-* gnutls_psk_set_server_credentials_file <1>: Core TLS API. (line 5778)
-* gnutls_psk_set_server_credentials_function: Core TLS API. (line 5800)
-* gnutls_psk_set_server_credentials_function2: Core TLS API. (line 5825)
-* gnutls_psk_set_server_credentials_hint: Core TLS API. (line 5854)
-* gnutls_psk_set_server_dh_params: Core TLS API. (line 5873)
-* gnutls_psk_set_server_known_dh_params: Core TLS API. (line 5891)
-* gnutls_psk_set_server_params_function: Core TLS API. (line 5915)
+* gnutls_psk_set_server_credentials_file <1>: Core TLS API. (line 5855)
+* gnutls_psk_set_server_credentials_function: Core TLS API. (line 5877)
+* gnutls_psk_set_server_credentials_function2: Core TLS API. (line 5902)
+* gnutls_psk_set_server_credentials_hint: Core TLS API. (line 5931)
+* gnutls_psk_set_server_dh_params: Core TLS API. (line 5950)
+* gnutls_psk_set_server_known_dh_params: Core TLS API. (line 5968)
+* gnutls_psk_set_server_params_function: Core TLS API. (line 5992)
* gnutls_pubkey_deinit: Abstract key API. (line 1758)
* gnutls_pubkey_encrypt_data: Operations. (line 60)
* gnutls_pubkey_encrypt_data <1>: Abstract key API. (line 1768)
@@ -8351,169 +8357,171 @@
* gnutls_pubkey_verify_hash2: Operations. (line 33)
* gnutls_pubkey_verify_hash2 <1>: Abstract key API. (line 2681)
* gnutls_pubkey_verify_params: Abstract key API. (line 2711)
-* gnutls_random_art: Core TLS API. (line 5933)
-* gnutls_range_split: Core TLS API. (line 5960)
-* gnutls_reauth: Core TLS API. (line 5986)
-* gnutls_record_can_use_length_hiding: Core TLS API. (line 6032)
-* gnutls_record_check_corked: Core TLS API. (line 6050)
+* gnutls_random_art: Core TLS API. (line 6010)
+* gnutls_range_split: Core TLS API. (line 6037)
+* gnutls_reauth: Core TLS API. (line 6063)
+* gnutls_record_can_use_length_hiding: Core TLS API. (line 6109)
+* gnutls_record_check_corked: Core TLS API. (line 6127)
* gnutls_record_check_pending: Data transfer and termination.
(line 138)
-* gnutls_record_check_pending <1>: Core TLS API. (line 6064)
+* gnutls_record_check_pending <1>: Core TLS API. (line 6141)
* gnutls_record_cork: Buffered data transfer.
(line 12)
-* gnutls_record_cork <1>: Core TLS API. (line 6077)
-* gnutls_record_disable_padding: Core TLS API. (line 6091)
-* gnutls_record_discard_queued: Core TLS API. (line 6106)
+* gnutls_record_cork <1>: Core TLS API. (line 6154)
+* gnutls_record_disable_padding: Core TLS API. (line 6168)
+* gnutls_record_discard_queued: Core TLS API. (line 6183)
* gnutls_record_get_direction: Asynchronous operation.
(line 65)
-* gnutls_record_get_direction <1>: Core TLS API. (line 6125)
+* gnutls_record_get_direction <1>: Core TLS API. (line 6202)
* gnutls_record_get_discarded: Datagram TLS API. (line 209)
-* gnutls_record_get_max_early_data_size: Core TLS API. (line 6148)
-* gnutls_record_get_max_size: Core TLS API. (line 6164)
-* gnutls_record_get_state: Core TLS API. (line 6176)
-* gnutls_record_overhead_size: Core TLS API. (line 6207)
+* gnutls_record_get_max_early_data_size: Core TLS API. (line 6225)
+* gnutls_record_get_max_size: Core TLS API. (line 6241)
+* gnutls_record_get_state: Core TLS API. (line 6253)
+* gnutls_record_overhead_size: Core TLS API. (line 6284)
* gnutls_record_recv: Data transfer and termination.
(line 53)
-* gnutls_record_recv <1>: Core TLS API. (line 6220)
-* gnutls_record_recv_early_data: Core TLS API. (line 6252)
-* gnutls_record_recv_packet: Core TLS API. (line 6280)
+* gnutls_record_recv <1>: Core TLS API. (line 6297)
+* gnutls_record_recv_early_data: Core TLS API. (line 6329)
+* gnutls_record_recv_packet: Core TLS API. (line 6357)
* gnutls_record_recv_seq: Data transfer and termination.
(line 108)
-* gnutls_record_recv_seq <1>: Core TLS API. (line 6304)
+* gnutls_record_recv_seq <1>: Core TLS API. (line 6381)
* gnutls_record_send: Data transfer and termination.
(line 12)
-* gnutls_record_send <1>: Core TLS API. (line 6331)
+* gnutls_record_send <1>: Core TLS API. (line 6408)
* gnutls_record_send2: On Record Padding. (line 23)
-* gnutls_record_send2 <1>: Core TLS API. (line 6375)
-* gnutls_record_send_early_data: Core TLS API. (line 6408)
-* gnutls_record_send_range: Core TLS API. (line 6436)
-* gnutls_record_set_max_early_data_size: Core TLS API. (line 6465)
-* gnutls_record_set_max_recv_size: Core TLS API. (line 6484)
-* gnutls_record_set_max_size: Core TLS API. (line 6506)
-* gnutls_record_set_state: Core TLS API. (line 6535)
-* gnutls_record_set_timeout: Core TLS API. (line 6556)
+* gnutls_record_send2 <1>: Core TLS API. (line 6452)
+* gnutls_record_send_early_data: Core TLS API. (line 6485)
+* gnutls_record_send_range: Core TLS API. (line 6513)
+* gnutls_record_set_max_early_data_size: Core TLS API. (line 6542)
+* gnutls_record_set_max_recv_size: Core TLS API. (line 6561)
+* gnutls_record_set_max_size: Core TLS API. (line 6583)
+* gnutls_record_set_state: Core TLS API. (line 6612)
+* gnutls_record_set_timeout: Core TLS API. (line 6633)
* gnutls_record_uncork: Buffered data transfer.
(line 23)
-* gnutls_record_uncork <1>: Core TLS API. (line 6575)
+* gnutls_record_uncork <1>: Core TLS API. (line 6652)
* gnutls_register_custom_url: Application-specific keys.
(line 69)
* gnutls_register_custom_url <1>: Abstract key API. (line 2724)
* gnutls_rehandshake: TLS 1.2 re-authentication.
(line 70)
-* gnutls_rehandshake <1>: Core TLS API. (line 6600)
+* gnutls_rehandshake <1>: Core TLS API. (line 6677)
* gnutls_rnd: Random number generation.
(line 21)
* gnutls_rnd <1>: Cryptographic API. (line 1108)
* gnutls_rnd_refresh: Cryptographic API. (line 1130)
* gnutls_safe_renegotiation_status: TLS 1.2 re-authentication.
(line 44)
-* gnutls_safe_renegotiation_status <1>: Core TLS API. (line 6640)
-* gnutls_sec_param_get_name: Core TLS API. (line 6655)
+* gnutls_safe_renegotiation_status <1>: Core TLS API. (line 6717)
+* gnutls_sec_param_get_name: Core TLS API. (line 6732)
* gnutls_sec_param_to_pk_bits: Selecting cryptographic key sizes.
(line 75)
-* gnutls_sec_param_to_pk_bits <1>: Core TLS API. (line 6669)
-* gnutls_sec_param_to_symmetric_bits: Core TLS API. (line 6688)
-* gnutls_server_name_get: Core TLS API. (line 6702)
-* gnutls_server_name_set: Core TLS API. (line 6741)
-* gnutls_session_channel_binding: Core TLS API. (line 6772)
-* gnutls_session_enable_compatibility_mode: Core TLS API. (line 6793)
-* gnutls_session_etm_status: Core TLS API. (line 6813)
-* gnutls_session_ext_master_secret_status: Core TLS API. (line 6826)
-* gnutls_session_ext_register: Core TLS API. (line 6840)
-* gnutls_session_force_valid: Core TLS API. (line 6896)
-* gnutls_session_get_data: Core TLS API. (line 6907)
-* gnutls_session_get_data2: Core TLS API. (line 6927)
-* gnutls_session_get_desc: Core TLS API. (line 6975)
-* gnutls_session_get_flags: Core TLS API. (line 6992)
-* gnutls_session_get_id: Core TLS API. (line 7011)
+* gnutls_sec_param_to_pk_bits <1>: Core TLS API. (line 6746)
+* gnutls_sec_param_to_symmetric_bits: Core TLS API. (line 6765)
+* gnutls_server_name_get: Core TLS API. (line 6779)
+* gnutls_server_name_set: Core TLS API. (line 6818)
+* gnutls_session_channel_binding: Core TLS API. (line 6849)
+* gnutls_session_enable_compatibility_mode: Core TLS API. (line 6870)
+* gnutls_session_etm_status: Core TLS API. (line 6890)
+* gnutls_session_ext_master_secret_status: Core TLS API. (line 6903)
+* gnutls_session_ext_register: Core TLS API. (line 6917)
+* gnutls_session_force_valid: Core TLS API. (line 6973)
+* gnutls_session_get_data: Core TLS API. (line 6984)
+* gnutls_session_get_data2: Core TLS API. (line 7004)
+* gnutls_session_get_desc: Core TLS API. (line 7052)
+* gnutls_session_get_flags: Core TLS API. (line 7069)
+* gnutls_session_get_id: Core TLS API. (line 7088)
* gnutls_session_get_id2: Session resumption. (line 49)
-* gnutls_session_get_id2 <1>: Core TLS API. (line 7045)
-* gnutls_session_get_keylog_function: Core TLS API. (line 7078)
-* gnutls_session_get_master_secret: Core TLS API. (line 7092)
-* gnutls_session_get_ptr: Core TLS API. (line 7108)
-* gnutls_session_get_random: Core TLS API. (line 7120)
-* gnutls_session_get_verify_cert_status: Core TLS API. (line 7140)
+* gnutls_session_get_id2 <1>: Core TLS API. (line 7122)
+* gnutls_session_get_keylog_function: Core TLS API. (line 7155)
+* gnutls_session_get_master_secret: Core TLS API. (line 7169)
+* gnutls_session_get_ptr: Core TLS API. (line 7185)
+* gnutls_session_get_random: Core TLS API. (line 7197)
+* gnutls_session_get_verify_cert_status: Core TLS API. (line 7217)
* gnutls_session_is_resumed: Session resumption. (line 40)
-* gnutls_session_is_resumed <1>: Core TLS API. (line 7160)
-* gnutls_session_key_update: Core TLS API. (line 7172)
+* gnutls_session_is_resumed <1>: Core TLS API. (line 7237)
+* gnutls_session_key_update: Core TLS API. (line 7249)
* gnutls_session_resumption_requested: Session resumption. (line 150)
-* gnutls_session_resumption_requested <1>: Core TLS API. (line 7199)
-* gnutls_session_set_data: Core TLS API. (line 7212)
-* gnutls_session_set_id: Core TLS API. (line 7235)
-* gnutls_session_set_keylog_function: Core TLS API. (line 7256)
-* gnutls_session_set_premaster: Core TLS API. (line 7270)
-* gnutls_session_set_ptr: Core TLS API. (line 7305)
+* gnutls_session_resumption_requested <1>: Core TLS API. (line 7276)
+* gnutls_session_set_data: Core TLS API. (line 7289)
+* gnutls_session_set_id: Core TLS API. (line 7312)
+* gnutls_session_set_keylog_function: Core TLS API. (line 7333)
+* gnutls_session_set_premaster: Core TLS API. (line 7347)
+* gnutls_session_set_ptr: Core TLS API. (line 7382)
* gnutls_session_set_verify_cert: Certificate credentials.
(line 267)
-* gnutls_session_set_verify_cert <1>: Core TLS API. (line 7318)
-* gnutls_session_set_verify_cert2: Core TLS API. (line 7351)
-* gnutls_session_set_verify_function: Core TLS API. (line 7383)
+* gnutls_session_set_verify_cert <1>: Core TLS API. (line 7395)
+* gnutls_session_set_verify_cert2: Core TLS API. (line 7428)
+* gnutls_session_set_verify_function: Core TLS API. (line 7460)
* gnutls_session_set_verify_output_function: X509 certificate API.
(line 152)
-* gnutls_session_supplemental_register: Core TLS API. (line 7412)
-* gnutls_session_ticket_enable_client: Core TLS API. (line 7448)
+* gnutls_session_supplemental_register: Core TLS API. (line 7489)
+* gnutls_session_ticket_enable_client: Core TLS API. (line 7525)
* gnutls_session_ticket_enable_server: Session resumption. (line 117)
-* gnutls_session_ticket_enable_server <1>: Core TLS API. (line 7464)
+* gnutls_session_ticket_enable_server <1>: Core TLS API. (line 7541)
* gnutls_session_ticket_key_generate: Session resumption. (line 137)
-* gnutls_session_ticket_key_generate <1>: Core TLS API. (line 7487)
+* gnutls_session_ticket_key_generate <1>: Core TLS API. (line 7564)
* gnutls_session_ticket_send: Session resumption. (line 170)
-* gnutls_session_ticket_send <1>: Core TLS API. (line 7503)
-* gnutls_set_default_priority: Core TLS API. (line 7521)
-* gnutls_set_default_priority_append: Core TLS API. (line 7547)
-* gnutls_sign_algorithm_get: Core TLS API. (line 7583)
-* gnutls_sign_algorithm_get_client: Core TLS API. (line 7597)
-* gnutls_sign_algorithm_get_requested: Core TLS API. (line 7612)
-* gnutls_sign_get_hash_algorithm: Core TLS API. (line 7639)
-* gnutls_sign_get_id: Core TLS API. (line 7654)
-* gnutls_sign_get_name: Core TLS API. (line 7666)
-* gnutls_sign_get_oid: Core TLS API. (line 7678)
-* gnutls_sign_get_pk_algorithm: Core TLS API. (line 7692)
-* gnutls_sign_is_secure: Core TLS API. (line 7710)
-* gnutls_sign_is_secure2: Core TLS API. (line 7720)
-* gnutls_sign_list: Core TLS API. (line 7732)
-* gnutls_sign_supports_pk_algorithm: Core TLS API. (line 7743)
-* gnutls_srp_allocate_client_credentials: Core TLS API. (line 7761)
-* gnutls_srp_allocate_server_credentials: Core TLS API. (line 7773)
-* gnutls_srp_base64_decode: Core TLS API. (line 7785)
-* gnutls_srp_base64_decode2: Core TLS API. (line 7807)
-* gnutls_srp_base64_encode: Core TLS API. (line 7827)
-* gnutls_srp_base64_encode2: Core TLS API. (line 7849)
-* gnutls_srp_free_client_credentials: Core TLS API. (line 7870)
-* gnutls_srp_free_server_credentials: Core TLS API. (line 7879)
-* gnutls_srp_server_get_username: Core TLS API. (line 7888)
-* gnutls_srp_set_client_credentials: Core TLS API. (line 7901)
+* gnutls_session_ticket_send <1>: Core TLS API. (line 7580)
+* gnutls_set_default_priority: Core TLS API. (line 7598)
+* gnutls_set_default_priority_append: Core TLS API. (line 7624)
+* gnutls_sign_algorithm_get: Core TLS API. (line 7660)
+* gnutls_sign_algorithm_get_client: Core TLS API. (line 7674)
+* gnutls_sign_algorithm_get_requested: Core TLS API. (line 7689)
+* gnutls_sign_get_hash_algorithm: Core TLS API. (line 7716)
+* gnutls_sign_get_id: Core TLS API. (line 7731)
+* gnutls_sign_get_name: Core TLS API. (line 7743)
+* gnutls_sign_get_oid: Core TLS API. (line 7755)
+* gnutls_sign_get_pk_algorithm: Core TLS API. (line 7769)
+* gnutls_sign_is_secure: Core TLS API. (line 7787)
+* gnutls_sign_is_secure2: Core TLS API. (line 7797)
+* gnutls_sign_list: Core TLS API. (line 7809)
+* gnutls_sign_mark_insecure: Core TLS API. (line 7820)
+* gnutls_sign_mark_secure: Core TLS API. (line 7838)
+* gnutls_sign_supports_pk_algorithm: Core TLS API. (line 7859)
+* gnutls_srp_allocate_client_credentials: Core TLS API. (line 7877)
+* gnutls_srp_allocate_server_credentials: Core TLS API. (line 7889)
+* gnutls_srp_base64_decode: Core TLS API. (line 7901)
+* gnutls_srp_base64_decode2: Core TLS API. (line 7923)
+* gnutls_srp_base64_encode: Core TLS API. (line 7943)
+* gnutls_srp_base64_encode2: Core TLS API. (line 7965)
+* gnutls_srp_free_client_credentials: Core TLS API. (line 7986)
+* gnutls_srp_free_server_credentials: Core TLS API. (line 7995)
+* gnutls_srp_server_get_username: Core TLS API. (line 8004)
+* gnutls_srp_set_client_credentials: Core TLS API. (line 8017)
* gnutls_srp_set_client_credentials_function: SRP credentials.
(line 19)
* gnutls_srp_set_client_credentials_function <1>: Core TLS API.
- (line 7924)
-* gnutls_srp_set_prime_bits: Core TLS API. (line 7957)
+ (line 8040)
+* gnutls_srp_set_prime_bits: Core TLS API. (line 8073)
* gnutls_srp_set_server_credentials_file: SRP credentials. (line 56)
-* gnutls_srp_set_server_credentials_file <1>: Core TLS API. (line 7978)
+* gnutls_srp_set_server_credentials_file <1>: Core TLS API. (line 8094)
* gnutls_srp_set_server_credentials_function: SRP credentials.
(line 72)
* gnutls_srp_set_server_credentials_function <1>: Core TLS API.
- (line 7997)
-* gnutls_srp_set_server_fake_salt_seed: Core TLS API. (line 8035)
+ (line 8113)
+* gnutls_srp_set_server_fake_salt_seed: Core TLS API. (line 8151)
* gnutls_srp_verifier: Authentication using SRP.
(line 45)
-* gnutls_srp_verifier <1>: Core TLS API. (line 8072)
+* gnutls_srp_verifier <1>: Core TLS API. (line 8188)
* gnutls_srtp_get_keys: SRTP. (line 31)
-* gnutls_srtp_get_keys <1>: Core TLS API. (line 8101)
-* gnutls_srtp_get_mki: Core TLS API. (line 8139)
-* gnutls_srtp_get_profile_id: Core TLS API. (line 8157)
-* gnutls_srtp_get_profile_name: Core TLS API. (line 8173)
-* gnutls_srtp_get_selected_profile: Core TLS API. (line 8188)
-* gnutls_srtp_set_mki: Core TLS API. (line 8204)
-* gnutls_srtp_set_profile: Core TLS API. (line 8221)
-* gnutls_srtp_set_profile_direct: Core TLS API. (line 8238)
+* gnutls_srtp_get_keys <1>: Core TLS API. (line 8217)
+* gnutls_srtp_get_mki: Core TLS API. (line 8255)
+* gnutls_srtp_get_profile_id: Core TLS API. (line 8273)
+* gnutls_srtp_get_profile_name: Core TLS API. (line 8289)
+* gnutls_srtp_get_selected_profile: Core TLS API. (line 8304)
+* gnutls_srtp_set_mki: Core TLS API. (line 8320)
+* gnutls_srtp_set_profile: Core TLS API. (line 8337)
+* gnutls_srtp_set_profile_direct: Core TLS API. (line 8354)
* gnutls_store_commitment: Certificate verification.
(line 115)
-* gnutls_store_commitment <1>: Core TLS API. (line 8259)
+* gnutls_store_commitment <1>: Core TLS API. (line 8375)
* gnutls_store_pubkey: Certificate verification.
(line 64)
-* gnutls_store_pubkey <1>: Core TLS API. (line 8299)
-* gnutls_strerror: Core TLS API. (line 8348)
-* gnutls_strerror_name: Core TLS API. (line 8362)
+* gnutls_store_pubkey <1>: Core TLS API. (line 8415)
+* gnutls_strerror: Core TLS API. (line 8464)
+* gnutls_strerror_name: Core TLS API. (line 8478)
* gnutls_subject_alt_names_deinit: X509 certificate API.
(line 181)
* gnutls_subject_alt_names_get: X509 certificate API.
@@ -8522,22 +8530,22 @@
(line 221)
* gnutls_subject_alt_names_set: X509 certificate API.
(line 235)
-* gnutls_supplemental_get_name: Core TLS API. (line 8377)
-* gnutls_supplemental_recv: Core TLS API. (line 8390)
-* gnutls_supplemental_register: Core TLS API. (line 8405)
-* gnutls_supplemental_send: Core TLS API. (line 8436)
+* gnutls_supplemental_get_name: Core TLS API. (line 8493)
+* gnutls_supplemental_recv: Core TLS API. (line 8506)
+* gnutls_supplemental_register: Core TLS API. (line 8521)
+* gnutls_supplemental_send: Core TLS API. (line 8552)
* gnutls_system_key_add_x509: Abstract key API. (line 2750)
* gnutls_system_key_delete: Abstract key API. (line 2776)
* gnutls_system_key_iter_deinit: Abstract key API. (line 2792)
* gnutls_system_key_iter_get_info: Application-specific keys.
(line 20)
* gnutls_system_key_iter_get_info <1>: Abstract key API. (line 2803)
-* gnutls_system_recv_timeout: Core TLS API. (line 8450)
-* gnutls_tdb_deinit: Core TLS API. (line 8473)
-* gnutls_tdb_init: Core TLS API. (line 8482)
-* gnutls_tdb_set_store_commitment_func: Core TLS API. (line 8493)
-* gnutls_tdb_set_store_func: Core TLS API. (line 8513)
-* gnutls_tdb_set_verify_func: Core TLS API. (line 8532)
+* gnutls_system_recv_timeout: Core TLS API. (line 8566)
+* gnutls_tdb_deinit: Core TLS API. (line 8589)
+* gnutls_tdb_init: Core TLS API. (line 8598)
+* gnutls_tdb_set_store_commitment_func: Core TLS API. (line 8609)
+* gnutls_tdb_set_store_func: Core TLS API. (line 8629)
+* gnutls_tdb_set_verify_func: Core TLS API. (line 8648)
* gnutls_tpm_get_registered: TPM API. (line 12)
* gnutls_tpm_key_list_deinit: TPM API. (line 27)
* gnutls_tpm_key_list_get_url: TPM API. (line 38)
@@ -8546,44 +8554,44 @@
* gnutls_tpm_privkey_delete <2>: TPM API. (line 60)
* gnutls_tpm_privkey_generate: Key generation. (line 9)
* gnutls_tpm_privkey_generate <1>: TPM API. (line 76)
-* gnutls_transport_get_int: Core TLS API. (line 8554)
-* gnutls_transport_get_int2: Core TLS API. (line 8568)
-* gnutls_transport_get_ptr: Core TLS API. (line 8585)
-* gnutls_transport_get_ptr2: Core TLS API. (line 8598)
+* gnutls_transport_get_int: Core TLS API. (line 8670)
+* gnutls_transport_get_int2: Core TLS API. (line 8684)
+* gnutls_transport_get_ptr: Core TLS API. (line 8701)
+* gnutls_transport_get_ptr2: Core TLS API. (line 8714)
* gnutls_transport_set_errno: Setting up the transport layer.
(line 116)
-* gnutls_transport_set_errno <1>: Core TLS API. (line 8614)
-* gnutls_transport_set_errno_function: Core TLS API. (line 8637)
+* gnutls_transport_set_errno <1>: Core TLS API. (line 8730)
+* gnutls_transport_set_errno_function: Core TLS API. (line 8753)
* gnutls_transport_set_fastopen: Reducing round-trips.
(line 22)
* gnutls_transport_set_fastopen <1>: Socket specific API.
(line 11)
-* gnutls_transport_set_int: Core TLS API. (line 8655)
-* gnutls_transport_set_int2: Core TLS API. (line 8673)
-* gnutls_transport_set_ptr: Core TLS API. (line 8695)
-* gnutls_transport_set_ptr2: Core TLS API. (line 8708)
+* gnutls_transport_set_int: Core TLS API. (line 8771)
+* gnutls_transport_set_int2: Core TLS API. (line 8789)
+* gnutls_transport_set_ptr: Core TLS API. (line 8811)
+* gnutls_transport_set_ptr2: Core TLS API. (line 8824)
* gnutls_transport_set_pull_function: Setting up the transport layer.
(line 56)
-* gnutls_transport_set_pull_function <1>: Core TLS API. (line 8725)
+* gnutls_transport_set_pull_function <1>: Core TLS API. (line 8841)
* gnutls_transport_set_pull_timeout_function: Setting up the transport layer.
(line 71)
* gnutls_transport_set_pull_timeout_function <1>: Setting up the transport layer.
(line 156)
* gnutls_transport_set_pull_timeout_function <2>: Core TLS API.
- (line 8743)
+ (line 8859)
* gnutls_transport_set_push_function: Setting up the transport layer.
(line 23)
-* gnutls_transport_set_push_function <1>: Core TLS API. (line 8783)
+* gnutls_transport_set_push_function <1>: Core TLS API. (line 8899)
* gnutls_transport_set_vec_push_function: Setting up the transport layer.
(line 40)
-* gnutls_transport_set_vec_push_function <1>: Core TLS API. (line 8803)
+* gnutls_transport_set_vec_push_function <1>: Core TLS API. (line 8919)
* gnutls_url_is_supported: Abstract public keys.
(line 57)
-* gnutls_url_is_supported <1>: Core TLS API. (line 8822)
-* gnutls_utf8_password_normalize: Core TLS API. (line 8836)
+* gnutls_url_is_supported <1>: Core TLS API. (line 8938)
+* gnutls_utf8_password_normalize: Core TLS API. (line 8952)
* gnutls_verify_stored_pubkey: Certificate verification.
(line 18)
-* gnutls_verify_stored_pubkey <1>: Core TLS API. (line 8861)
+* gnutls_verify_stored_pubkey <1>: Core TLS API. (line 8977)
* gnutls_x509_aia_deinit: X509 certificate API.
(line 262)
* gnutls_x509_aia_get: X509 certificate API.
diff -ruN gnutls-3.7.2/doc/invoke-p11tool.texi gnutls-3.7.2-bootstrapped/doc/invoke-p11tool.texi
--- gnutls-3.7.2/doc/invoke-p11tool.texi 2021-05-29 10:19:05.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/invoke-p11tool.texi 2021-06-28 09:39:25.000000000 +0200
@@ -403,8 +403,9 @@
@anchor{p11tool write}
This is the ``writes the loaded objects to a pkcs #11 token'' option.
-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
- one of --load-privkey, --load-pubkey, --load-certificate option.
+It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option.
+
+When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
@subsubheading id option.
@anchor{p11tool id}
diff -ruN gnutls-3.7.2/doc/Makefile.am gnutls-3.7.2-bootstrapped/doc/Makefile.am
--- gnutls-3.7.2/doc/Makefile.am 2021-05-27 08:08:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/Makefile.am 2021-06-28 09:09:14.000000000 +0200
@@ -974,6 +974,10 @@
FUNCS += functions/gnutls_digest_get_oid.short
FUNCS += functions/gnutls_digest_list
FUNCS += functions/gnutls_digest_list.short
+FUNCS += functions/gnutls_digest_mark_insecure
+FUNCS += functions/gnutls_digest_mark_insecure.short
+FUNCS += functions/gnutls_digest_mark_secure
+FUNCS += functions/gnutls_digest_mark_secure.short
FUNCS += functions/gnutls_dtls_cookie_send
FUNCS += functions/gnutls_dtls_cookie_send.short
FUNCS += functions/gnutls_dtls_cookie_verify
@@ -1010,6 +1014,10 @@
FUNCS += functions/gnutls_ecc_curve_get_size.short
FUNCS += functions/gnutls_ecc_curve_list
FUNCS += functions/gnutls_ecc_curve_list.short
+FUNCS += functions/gnutls_ecc_curve_mark_disabled
+FUNCS += functions/gnutls_ecc_curve_mark_disabled.short
+FUNCS += functions/gnutls_ecc_curve_mark_enabled
+FUNCS += functions/gnutls_ecc_curve_mark_enabled.short
FUNCS += functions/gnutls_encode_ber_digest_info
FUNCS += functions/gnutls_encode_ber_digest_info.short
FUNCS += functions/gnutls_encode_gost_rs_value
@@ -1730,6 +1738,10 @@
FUNCS += functions/gnutls_protocol_get_version.short
FUNCS += functions/gnutls_protocol_list
FUNCS += functions/gnutls_protocol_list.short
+FUNCS += functions/gnutls_protocol_mark_disabled
+FUNCS += functions/gnutls_protocol_mark_disabled.short
+FUNCS += functions/gnutls_protocol_mark_enabled
+FUNCS += functions/gnutls_protocol_mark_enabled.short
FUNCS += functions/gnutls_psk_allocate_client_credentials
FUNCS += functions/gnutls_psk_allocate_client_credentials.short
FUNCS += functions/gnutls_psk_allocate_server_credentials
@@ -2024,6 +2036,10 @@
FUNCS += functions/gnutls_sign_is_secure2.short
FUNCS += functions/gnutls_sign_list
FUNCS += functions/gnutls_sign_list.short
+FUNCS += functions/gnutls_sign_mark_insecure
+FUNCS += functions/gnutls_sign_mark_insecure.short
+FUNCS += functions/gnutls_sign_mark_secure
+FUNCS += functions/gnutls_sign_mark_secure.short
FUNCS += functions/gnutls_sign_supports_pk_algorithm
FUNCS += functions/gnutls_sign_supports_pk_algorithm.short
FUNCS += functions/gnutls_srp_allocate_client_credentials
diff -ruN gnutls-3.7.2/doc/Makefile.in gnutls-3.7.2-bootstrapped/doc/Makefile.in
--- gnutls-3.7.2/doc/Makefile.in 2021-05-29 10:11:20.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/Makefile.in 2021-06-28 09:11:37.000000000 +0200
@@ -2697,6 +2697,10 @@
functions/gnutls_digest_get_oid.short \
functions/gnutls_digest_list \
functions/gnutls_digest_list.short \
+ functions/gnutls_digest_mark_insecure \
+ functions/gnutls_digest_mark_insecure.short \
+ functions/gnutls_digest_mark_secure \
+ functions/gnutls_digest_mark_secure.short \
functions/gnutls_dtls_cookie_send \
functions/gnutls_dtls_cookie_send.short \
functions/gnutls_dtls_cookie_verify \
@@ -2733,6 +2737,10 @@
functions/gnutls_ecc_curve_get_size.short \
functions/gnutls_ecc_curve_list \
functions/gnutls_ecc_curve_list.short \
+ functions/gnutls_ecc_curve_mark_disabled \
+ functions/gnutls_ecc_curve_mark_disabled.short \
+ functions/gnutls_ecc_curve_mark_enabled \
+ functions/gnutls_ecc_curve_mark_enabled.short \
functions/gnutls_encode_ber_digest_info \
functions/gnutls_encode_ber_digest_info.short \
functions/gnutls_encode_gost_rs_value \
@@ -3403,6 +3411,10 @@
functions/gnutls_protocol_get_version.short \
functions/gnutls_protocol_list \
functions/gnutls_protocol_list.short \
+ functions/gnutls_protocol_mark_disabled \
+ functions/gnutls_protocol_mark_disabled.short \
+ functions/gnutls_protocol_mark_enabled \
+ functions/gnutls_protocol_mark_enabled.short \
functions/gnutls_psk_allocate_client_credentials \
functions/gnutls_psk_allocate_client_credentials.short \
functions/gnutls_psk_allocate_server_credentials \
@@ -3692,6 +3704,10 @@
functions/gnutls_sign_is_secure2 \
functions/gnutls_sign_is_secure2.short \
functions/gnutls_sign_list functions/gnutls_sign_list.short \
+ functions/gnutls_sign_mark_insecure \
+ functions/gnutls_sign_mark_insecure.short \
+ functions/gnutls_sign_mark_secure \
+ functions/gnutls_sign_mark_secure.short \
functions/gnutls_sign_supports_pk_algorithm \
functions/gnutls_sign_supports_pk_algorithm.short \
functions/gnutls_srp_allocate_client_credentials \
diff -ruN gnutls-3.7.2/doc/manpages/certtool.1 gnutls-3.7.2-bootstrapped/doc/manpages/certtool.1
--- gnutls-3.7.2/doc/manpages/certtool.1 2021-05-29 10:15:21.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/certtool.1 2021-06-28 09:35:22.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH certtool 1 "29 May 2021" "3.7.2" "User Commands"
+.TH certtool 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/danetool.1 gnutls-3.7.2-bootstrapped/doc/manpages/danetool.1
--- gnutls-3.7.2/doc/manpages/danetool.1 2021-05-29 10:15:24.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/danetool.1 2021-06-28 09:35:24.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH danetool 1 "29 May 2021" "3.7.2" "User Commands"
+.TH danetool 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/gnutls-cli.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli.1
--- gnutls-3.7.2/doc/manpages/gnutls-cli.1 2021-05-29 10:15:21.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli.1 2021-06-28 09:35:22.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH gnutls-cli 1 "29 May 2021" "3.7.2" "User Commands"
+.TH gnutls-cli 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/gnutls-cli-debug.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli-debug.1
--- gnutls-3.7.2/doc/manpages/gnutls-cli-debug.1 2021-05-29 10:15:21.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-cli-debug.1 2021-06-28 09:35:22.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH gnutls-cli-debug 1 "29 May 2021" "3.7.2" "User Commands"
+.TH gnutls-cli-debug 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_digest_mark_insecure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_insecure.3
--- gnutls-3.7.2/doc/manpages/gnutls_digest_mark_insecure.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_insecure.3 2021-06-28 09:35:39.000000000 +0200
@@ -0,0 +1,36 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_digest_mark_insecure" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_digest_mark_insecure \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t " dig ");"
+.SH ARGUMENTS
+.IP "gnutls_digest_algorithm_t dig" 12
+is a digest algorithm
+.SH "DESCRIPTION"
+Mark \fIdig\fP as insecure system wide. This only works if the allowlisting mode
+is used in the configuration file.
+.SH "SINCE"
+3.7.3
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_digest_mark_secure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_secure.3
--- gnutls-3.7.2/doc/manpages/gnutls_digest_mark_secure.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_digest_mark_secure.3 2021-06-28 09:35:39.000000000 +0200
@@ -0,0 +1,36 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_digest_mark_secure" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_digest_mark_secure \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_digest_mark_secure(gnutls_digest_algorithm_t " dig ");"
+.SH ARGUMENTS
+.IP "gnutls_digest_algorithm_t dig" 12
+is a digest algorithm
+.SH "DESCRIPTION"
+Invalidate previous system wide setting that marked \fIdig\fP as insecure. This
+only works if the allowlisting mode is used in the configuration file.
+.SH "SINCE"
+3.7.3
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_disabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_disabled.3
--- gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_disabled.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_disabled.3 2021-06-28 09:35:38.000000000 +0200
@@ -0,0 +1,39 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_ecc_curve_mark_disabled" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_ecc_curve_mark_disabled \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t " curve ");"
+.SH ARGUMENTS
+.IP "gnutls_ecc_curve_t curve" 12
+is an ECC curve
+.SH "DESCRIPTION"
+Mark \fIcurve\fP as disabled system wide. This setting can be reverted with
+\fBgnutls_ecc_curve_mark_enabled()\fP. This only works if the configuration file
+uses the allowlisting mode.
+.SH "RETURNS"
+0 on success or negative error code otherwise.
+.SH "SINCE"
+3.7.3
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_enabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_enabled.3
--- gnutls-3.7.2/doc/manpages/gnutls_ecc_curve_mark_enabled.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_ecc_curve_mark_enabled.3 2021-06-28 09:35:39.000000000 +0200
@@ -0,0 +1,39 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_ecc_curve_mark_enabled" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_ecc_curve_mark_enabled \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t " curve ");"
+.SH ARGUMENTS
+.IP "gnutls_ecc_curve_t curve" 12
+is an ECC curve
+.SH "DESCRIPTION"
+Invalidate previous system wide setting that marked \fIcurve\fP as disabled. This
+only works if the curve is disabled with \fBgnutls_ecc_curve_mark_disabled()\fP or
+through the allowlisting mode in the configuration file.
+.SH "RETURNS"
+0 on success or negative error code otherwise.
+.SH "SINCE"
+3.7.3
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_disabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_disabled.3
--- gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_disabled.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_disabled.3 2021-06-28 09:35:39.000000000 +0200
@@ -0,0 +1,34 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_protocol_mark_disabled" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_protocol_mark_disabled \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_protocol_mark_disabled(gnutls_protocol_t " version ");"
+.SH ARGUMENTS
+.IP "gnutls_protocol_t version" 12
+is a (gnutls) version number
+.SH "DESCRIPTION"
+Mark \fIversion\fP as disabled system wide. This only works if the allowlisting
+mode is used in the configuration file.
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_enabled.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_enabled.3
--- gnutls-3.7.2/doc/manpages/gnutls_protocol_mark_enabled.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_protocol_mark_enabled.3 2021-06-28 09:35:40.000000000 +0200
@@ -0,0 +1,35 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_protocol_mark_enabled" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_protocol_mark_enabled \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_protocol_mark_enabled(gnutls_protocol_t " version ");"
+.SH ARGUMENTS
+.IP "gnutls_protocol_t version" 12
+is a (gnutls) version number
+.SH "DESCRIPTION"
+Invalidate previous system wide setting that marked \fIversion\fP as
+disabled. This only works if the allowlisting mode is used in the
+configuration file.
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/gnutls-serv.1 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-serv.1
--- gnutls-3.7.2/doc/manpages/gnutls-serv.1 2021-05-29 10:15:21.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls-serv.1 2021-06-28 09:35:22.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH gnutls-serv 1 "29 May 2021" "3.7.2" "User Commands"
+.TH gnutls-serv 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_sign_mark_insecure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_insecure.3
--- gnutls-3.7.2/doc/manpages/gnutls_sign_mark_insecure.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_insecure.3 2021-06-28 09:35:39.000000000 +0200
@@ -0,0 +1,42 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_sign_mark_insecure" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_sign_mark_insecure \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t " sign ", unsigned " flags ");"
+.SH ARGUMENTS
+.IP "gnutls_sign_algorithm_t sign" 12
+the sign algorithm
+.IP "unsigned flags" 12
+\fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP or 0
+.SH "DESCRIPTION"
+Mark \fIsign\fP as insecure system wide. This only works if the
+allowlisting mode is used in the configuration file.
+
+If \fIflags\fP has \fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP bit set,
+and the algorithm was previously considered secure for all purposes,
+it only marks the algorithm as insecure for the use with certificates.
+.SH "SINCE"
+3.7.3
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/gnutls_sign_mark_secure.3 gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_secure.3
--- gnutls-3.7.2/doc/manpages/gnutls_sign_mark_secure.3 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/doc/manpages/gnutls_sign_mark_secure.3 2021-06-28 09:35:39.000000000 +0200
@@ -0,0 +1,46 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "gnutls_sign_mark_secure" 3 "3.7.2" "gnutls" "gnutls"
+.SH NAME
+gnutls_sign_mark_secure \- API function
+.SH SYNOPSIS
+.B #include <gnutls/gnutls.h>
+.sp
+.BI "int gnutls_sign_mark_secure(gnutls_sign_algorithm_t " sign ", unsigned " flags ");"
+.SH ARGUMENTS
+.IP "gnutls_sign_algorithm_t sign" 12
+the sign algorithm
+.IP "unsigned flags" 12
+\fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP or 0
+.SH "DESCRIPTION"
+Invalidate previous system wide setting that marked \fIsign\fP as
+insecure. This only works if the algorithm is marked as insecure
+with \fBgnutls_sign_mark_insecure()\fP or through the allowlisting mode
+in the configuration file.
+
+If \fIflags\fP has \fBGNUTLS_SIGN_FLAG_SECURE_FOR_CERTS\fP bit set,
+it marks it the algorithm as secure for all purposes.
+If the absence of this flag, it will mark it as
+"secure, but not for certificates" at most,
+but it won't restrict anything either.
+.SH "SINCE"
+3.7.3
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
diff -ruN gnutls-3.7.2/doc/manpages/Makefile.am gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.am
--- gnutls-3.7.2/doc/manpages/Makefile.am 2021-05-27 08:08:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.am 2021-06-28 09:09:14.000000000 +0200
@@ -289,6 +289,8 @@
APIMANS += gnutls_digest_get_name.3
APIMANS += gnutls_digest_get_oid.3
APIMANS += gnutls_digest_list.3
+APIMANS += gnutls_digest_mark_insecure.3
+APIMANS += gnutls_digest_mark_secure.3
APIMANS += gnutls_dtls_cookie_send.3
APIMANS += gnutls_dtls_cookie_verify.3
APIMANS += gnutls_dtls_get_data_mtu.3
@@ -307,6 +309,8 @@
APIMANS += gnutls_ecc_curve_get_pk.3
APIMANS += gnutls_ecc_curve_get_size.3
APIMANS += gnutls_ecc_curve_list.3
+APIMANS += gnutls_ecc_curve_mark_disabled.3
+APIMANS += gnutls_ecc_curve_mark_enabled.3
APIMANS += gnutls_encode_ber_digest_info.3
APIMANS += gnutls_encode_gost_rs_value.3
APIMANS += gnutls_encode_rs_value.3
@@ -667,6 +671,8 @@
APIMANS += gnutls_protocol_get_name.3
APIMANS += gnutls_protocol_get_version.3
APIMANS += gnutls_protocol_list.3
+APIMANS += gnutls_protocol_mark_disabled.3
+APIMANS += gnutls_protocol_mark_enabled.3
APIMANS += gnutls_psk_allocate_client_credentials.3
APIMANS += gnutls_psk_allocate_server_credentials.3
APIMANS += gnutls_psk_client_get_hint.3
@@ -814,6 +820,8 @@
APIMANS += gnutls_sign_is_secure.3
APIMANS += gnutls_sign_is_secure2.3
APIMANS += gnutls_sign_list.3
+APIMANS += gnutls_sign_mark_insecure.3
+APIMANS += gnutls_sign_mark_secure.3
APIMANS += gnutls_sign_supports_pk_algorithm.3
APIMANS += gnutls_srp_allocate_client_credentials.3
APIMANS += gnutls_srp_allocate_server_credentials.3
diff -ruN gnutls-3.7.2/doc/manpages/Makefile.in gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.in
--- gnutls-3.7.2/doc/manpages/Makefile.in 2021-05-29 10:11:21.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/Makefile.in 2021-06-28 09:11:38.000000000 +0200
@@ -2185,6 +2185,7 @@
gnutls_dh_params_init.3 gnutls_dh_set_prime_bits.3 \
gnutls_digest_get_id.3 gnutls_digest_get_name.3 \
gnutls_digest_get_oid.3 gnutls_digest_list.3 \
+ gnutls_digest_mark_insecure.3 gnutls_digest_mark_secure.3 \
gnutls_dtls_cookie_send.3 gnutls_dtls_cookie_verify.3 \
gnutls_dtls_get_data_mtu.3 gnutls_dtls_get_mtu.3 \
gnutls_dtls_get_timeout.3 gnutls_dtls_prestate_set.3 \
@@ -2194,6 +2195,8 @@
gnutls_ecc_curve_get_id.3 gnutls_ecc_curve_get_name.3 \
gnutls_ecc_curve_get_oid.3 gnutls_ecc_curve_get_pk.3 \
gnutls_ecc_curve_get_size.3 gnutls_ecc_curve_list.3 \
+ gnutls_ecc_curve_mark_disabled.3 \
+ gnutls_ecc_curve_mark_enabled.3 \
gnutls_encode_ber_digest_info.3 gnutls_encode_gost_rs_value.3 \
gnutls_encode_rs_value.3 gnutls_error_is_fatal.3 \
gnutls_error_to_alert.3 gnutls_est_record_overhead_size.3 \
@@ -2399,7 +2402,8 @@
gnutls_privkey_status.3 gnutls_privkey_verify_params.3 \
gnutls_privkey_verify_seed.3 gnutls_protocol_get_id.3 \
gnutls_protocol_get_name.3 gnutls_protocol_get_version.3 \
- gnutls_protocol_list.3 \
+ gnutls_protocol_list.3 gnutls_protocol_mark_disabled.3 \
+ gnutls_protocol_mark_enabled.3 \
gnutls_psk_allocate_client_credentials.3 \
gnutls_psk_allocate_server_credentials.3 \
gnutls_psk_client_get_hint.3 \
@@ -2498,6 +2502,7 @@
gnutls_sign_get_name.3 gnutls_sign_get_oid.3 \
gnutls_sign_get_pk_algorithm.3 gnutls_sign_is_secure.3 \
gnutls_sign_is_secure2.3 gnutls_sign_list.3 \
+ gnutls_sign_mark_insecure.3 gnutls_sign_mark_secure.3 \
gnutls_sign_supports_pk_algorithm.3 \
gnutls_srp_allocate_client_credentials.3 \
gnutls_srp_allocate_server_credentials.3 \
diff -ruN gnutls-3.7.2/doc/manpages/ocsptool.1 gnutls-3.7.2-bootstrapped/doc/manpages/ocsptool.1
--- gnutls-3.7.2/doc/manpages/ocsptool.1 2021-05-29 10:15:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/ocsptool.1 2021-06-28 09:35:23.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ocsptool 1 "29 May 2021" "3.7.2" "User Commands"
+.TH ocsptool 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/p11tool.1 gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1
--- gnutls-3.7.2/doc/manpages/p11tool.1 2021-05-29 10:15:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/p11tool.1 2021-06-28 09:35:23.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH p11tool 1 "29 May 2021" "3.7.2" "User Commands"
+.TH p11tool 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
@@ -230,8 +230,9 @@
.NOP \f\*[B-Font]\-\-write\f[]
Writes the loaded objects to a PKCS #11 token.
.sp
-It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
- one of \--load-privkey, \--load-pubkey, \--load-certificate option.
+It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of \--load-privkey, \--load-pubkey, \--load-certificate option.
+.sp
+When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.
.TP
.NOP \f\*[B-Font]\-\-delete\f[]
Deletes the objects matching the given PKCS #11 URL.
diff -ruN gnutls-3.7.2/doc/manpages/psktool.1 gnutls-3.7.2-bootstrapped/doc/manpages/psktool.1
--- gnutls-3.7.2/doc/manpages/psktool.1 2021-05-29 10:15:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/psktool.1 2021-06-28 09:35:23.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH psktool 1 "29 May 2021" "3.7.2" "User Commands"
+.TH psktool 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/srptool.1 gnutls-3.7.2-bootstrapped/doc/manpages/srptool.1
--- gnutls-3.7.2/doc/manpages/srptool.1 2021-05-29 10:15:24.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/srptool.1 2021-06-28 09:35:24.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH srptool 1 "29 May 2021" "3.7.2" "User Commands"
+.TH srptool 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/manpages/tpmtool.1 gnutls-3.7.2-bootstrapped/doc/manpages/tpmtool.1
--- gnutls-3.7.2/doc/manpages/tpmtool.1 2021-05-29 10:15:23.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/manpages/tpmtool.1 2021-06-28 09:35:23.000000000 +0200
@@ -10,7 +10,7 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH tpmtool 1 "29 May 2021" "3.7.2" "User Commands"
+.TH tpmtool 1 "28 Jun 2021" "3.7.2" "User Commands"
.\"
.\" DO NOT EDIT THIS FILE (in-mem file)
.\"
diff -ruN gnutls-3.7.2/doc/reference/gnutls-sections.txt gnutls-3.7.2-bootstrapped/doc/reference/gnutls-sections.txt
--- gnutls-3.7.2/doc/reference/gnutls-sections.txt 2021-05-29 10:23:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/doc/reference/gnutls-sections.txt 2021-06-28 09:56:37.000000000 +0200
@@ -267,6 +267,8 @@
encipher_type
GNUTLS_SIGN_FLAG_TLS13_OK
GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE
+GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE
+GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE
gnutls_sign_entry_st
gnutls_ecc_curve_entry_st
MAX_ECC_CURVE_SIZE
@@ -1486,6 +1488,14 @@
gnutls_sign_algorithm_get_requested
gnutls_cipher_get_name
gnutls_oid_to_digest
+gnutls_ecc_curve_mark_disabled
+gnutls_ecc_curve_mark_enabled
+gnutls_sign_mark_insecure
+gnutls_sign_mark_secure
+gnutls_digest_mark_insecure
+gnutls_digest_mark_secure
+gnutls_protocol_mark_disabled
+gnutls_protocol_mark_enabled
gnutls_error_is_fatal
gnutls_perror
gnutls_strerror
@@ -2268,6 +2278,8 @@
gnutls_group_entry_st
GNUTLS_MAC_FLAG_PREIMAGE_INSECURE
GNUTLS_MAC_FLAG_CONTINUOUS_MAC
+GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE
+GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE
mac_entry_st
version_entry_st
sign_algorithm_st
diff -ruN gnutls-3.7.2/lib/algorithms/ecc.c gnutls-3.7.2-bootstrapped/lib/algorithms/ecc.c
--- gnutls-3.7.2/lib/algorithms/ecc.c 2021-05-10 16:34:47.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/algorithms/ecc.c 2021-06-28 09:09:14.000000000 +0200
@@ -351,13 +351,83 @@
return ret;
}
-int _gnutls_ecc_curve_mark_disabled(const char *name)
+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
+int _gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve)
{
gnutls_ecc_curve_entry_st *p;
for(p = ecc_curves; p->name != NULL; p++) {
- if (c_strcasecmp(p->name, name) == 0) {
- p->supported = 0;
+ if (p->id == curve) {
+ p->supported = false;
+ return 0;
+ }
+ }
+
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+}
+
+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
+void _gnutls_ecc_curve_mark_disabled_all(void)
+{
+ gnutls_ecc_curve_entry_st *p;
+
+ for(p = ecc_curves; p->name != NULL; p++) {
+ p->supported = false;
+ p->supported_revertible = true;
+ }
+}
+
+/**
+ * gnutls_ecc_curve_mark_enabled:
+ * @curve: is an ECC curve
+ *
+ * Mark @curve as disabled system wide. This setting can be reverted with
+ * gnutls_ecc_curve_mark_enabled(). This only works if the configuration file
+ * uses the allowlisting mode.
+ *
+ * Returns: 0 on success or negative error code otherwise.
+ *
+ * Since: 3.7.3
+ */
+int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve)
+{
+ gnutls_ecc_curve_entry_st *p;
+
+ for(p = ecc_curves; p->name != NULL; p++) {
+ if (p->id == curve) {
+ if (!p->supported_revertible) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ p->supported = false;
+ return 0;
+ }
+ }
+
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+}
+
+/**
+ * gnutls_ecc_curve_mark_enabled:
+ * @curve: is an ECC curve
+ *
+ * Invalidate previous system wide setting that marked @curve as disabled. This
+ * only works if the curve is disabled with gnutls_ecc_curve_mark_disabled() or
+ * through the allowlisting mode in the configuration file.
+ *
+ * Returns: 0 on success or negative error code otherwise.
+ *
+ * Since: 3.7.3
+ */
+int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t curve)
+{
+ gnutls_ecc_curve_entry_st *p;
+
+ for(p = ecc_curves; p->name != NULL; p++) {
+ if (p->id == curve) {
+ if (!p->supported_revertible) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ p->supported = true;
return 0;
}
}
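Review bot: The gtk-doc block above `gnutls_ecc_curve_mark_disabled()` is headed `gnutls_ecc_curve_mark_enabled:`, the same name as the block for the next function, so the generated reference can attach the "mark as disabled" text to the wrong symbol; the header should read ` * gnutls_ecc_curve_mark_disabled:`. Both new public functions also write `p->supported` in the shared `ecc_curves` table with no locking visible in this hunk. The comment should therefore say when they may be called relative to session setup, presumably during initialisation only, which needs confirming. The body of `gnutls_ecc_curve_mark_enabled()` continues past the end of the hunk.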
diff -ruN gnutls-3.7.2/lib/algorithms/groups.c gnutls-3.7.2-bootstrapped/lib/algorithms/groups.c
--- gnutls-3.7.2/lib/algorithms/groups.c 2021-04-19 09:28:28.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/algorithms/groups.c 2021-06-28 09:09:14.000000000 +0200
@@ -276,6 +276,24 @@
return ret;
}
+
+/* Similar to gnutls_group_get_id, except that it does not check if
+ * the curve is supported.
+ */
+gnutls_group_t _gnutls_group_get_id(const char *name)
+{
+ gnutls_group_t ret = GNUTLS_GROUP_INVALID;
+
+ GNUTLS_GROUP_LOOP(
+ if (c_strcasecmp(p->name, name) == 0) {
+ ret = p->id;
+ break;
+ }
+ );
+
+ return ret;
+}
+
/**
* gnutls_group_get_name:
* @group: is an element from %gnutls_group_t
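Review bot: `_gnutls_group_get_id()` passes `name` straight to `c_strcasecmp()` and, per its own comment, returns the id of a group even when its curve is not supported, but the comment does not say who may rely on that. If the helper is meant for configuration parsing only, I would say so: `/* The result may name a disabled group; do not use it to select a group for a handshake. @name must be non-NULL. */`. Whether callers already guarantee a non-NULL name is not visible in this hunk.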
diff -ruN gnutls-3.7.2/lib/algorithms/mac.c gnutls-3.7.2-bootstrapped/lib/algorithms/mac.c
--- gnutls-3.7.2/lib/algorithms/mac.c 2021-05-27 08:08:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/algorithms/mac.c 2021-06-28 09:09:14.000000000 +0200
@@ -291,13 +291,56 @@
return ret;
}
-int _gnutls_digest_mark_insecure(const char *name)
+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
+int _gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig)
{
#ifndef DISABLE_SYSTEM_CONFIG
mac_entry_st *p;
for(p = hash_algorithms; p->name != NULL; p++) {
- if (p->oid != NULL && c_strcasecmp(p->name, name) == 0) {
+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
+ p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
+ return 0;
+ }
+ }
+
+#endif
+ return GNUTLS_E_INVALID_REQUEST;
+}
+
+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
+void _gnutls_digest_mark_insecure_all(void)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ mac_entry_st *p;
+
+ for(p = hash_algorithms; p->name != NULL; p++) {
+ p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE |
+ GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
+ }
+
+#endif
+}
+
+/**
+ * gnutls_digest_mark_insecure:
+ * @dig: is a digest algorithm
+ *
+ * Mark @dig as insecure system wide. This only works if the allowlisting mode
+ * is used in the configuration file.
+ *
+ * Since: 3.7.3
+ */
+int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ mac_entry_st *p;
+
+ for(p = hash_algorithms; p->name != NULL; p++) {
+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
+ if (!(p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
p->flags |= GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
return 0;
}
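Review bot: `_gnutls_digest_mark_insecure_all()` sets both flags on every entry of `hash_algorithms`, while `_gnutls_digest_mark_insecure()`, `gnutls_digest_mark_insecure()` and `gnutls_digest_mark_secure()` (next hunk) only touch entries with `p->oid != NULL`. Entries without an OID therefore end up flagged insecure with no API path that clears the flag again. That is the fail-closed choice, but it should be stated in the loop, e.g. `/* entries without an OID are flagged too and cannot be re-enabled */`. The gtk-doc block for `gnutls_digest_mark_insecure()` also lacks a `Returns:` line such as ` * Returns: 0 on success or negative error code otherwise.`, which the ECC functions in this patch have. `gnutls_digest_mark_insecure()` ends in the following hunk.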
@@ -307,6 +350,34 @@
return GNUTLS_E_INVALID_REQUEST;
}
+/**
+ * gnutls_digest_mark_secure:
+ * @dig: is a digest algorithm
+ *
+ * Invalidate previous system wide setting that marked @dig as insecure. This
+ * only works if the allowlisting mode is used in the configuration file.
+ *
+ * Since: 3.7.3
+ */
+int gnutls_digest_mark_secure(gnutls_digest_algorithm_t dig)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ mac_entry_st *p;
+
+ for(p = hash_algorithms; p->name != NULL; p++) {
+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
+ if (!(p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE)) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ p->flags &= ~GNUTLS_MAC_FLAG_PREIMAGE_INSECURE;
+ return 0;
+ }
+ }
+
+#endif
+ return GNUTLS_E_INVALID_REQUEST;
+}
+
unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig)
{
const mac_entry_st *p;
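Review bot: `gnutls_digest_mark_secure()` clears `GNUTLS_MAC_FLAG_PREIMAGE_INSECURE` for any entry that carries the revertible flag, and `_gnutls_digest_mark_insecure_all()` in the previous hunk sets that flag on every digest without recording which ones were already flagged before the configuration was applied. The doc comment should state this, e.g. ` * Note that this also clears the marking of a digest that the library rates insecure by default.`, so that callers do not read the call as "restore the library default". Which digests carry the flag by default is not visible here. The block also lacks a `Returns:` line.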
@@ -320,6 +391,21 @@
return 1;
}
+bool _gnutls_digest_is_insecure2(gnutls_digest_algorithm_t dig, unsigned flags)
+{
+ const mac_entry_st *p;
+
+ for(p = hash_algorithms; p->name != NULL; p++) {
+ if (p->oid != NULL && p->id == (gnutls_mac_algorithm_t)dig) {
+ return (p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE &&
+ !(flags & GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE &&
+ p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE));
+ }
+ }
+
+ return true;
+}
+
/**
* gnutls_mac_get_id:
* @name: is a MAC algorithm name
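Review bot: `_gnutls_digest_is_insecure2()` has no comment, and its return expression mixes `&` and `&&` without parentheses, which makes a security decision harder to audit than it needs to be. I would add `/* With GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE in @flags, a digest whose insecure marking is revertible is reported as not insecure; unknown digests are always reported insecure. */` above the function. Each bit test should also be parenthesised, e.g. `(p->flags & GNUTLS_MAC_FLAG_PREIMAGE_INSECURE) &&`. The result is unchanged by either edit.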
diff -ruN gnutls-3.7.2/lib/algorithms/protocols.c gnutls-3.7.2-bootstrapped/lib/algorithms/protocols.c
--- gnutls-3.7.2/lib/algorithms/protocols.c 2021-05-10 16:34:47.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/algorithms/protocols.c 2021-06-28 09:09:14.000000000 +0200
@@ -198,14 +198,82 @@
return 0;
}
-int _gnutls_version_mark_disabled(const char *name)
+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
+int _gnutls_version_mark_disabled(gnutls_protocol_t version)
{
#ifndef DISABLE_SYSTEM_CONFIG
version_entry_st *p;
for (p = sup_versions; p->name != NULL; p++)
- if (c_strcasecmp(p->name, name) == 0) {
- p->supported = 0;
+ if (p->id == version) {
+ p->supported = false;
+ return 0;
+ }
+
+#endif
+ return GNUTLS_E_INVALID_REQUEST;
+}
+
+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
+void _gnutls_version_mark_disabled_all(void)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ version_entry_st *p;
+
+ for (p = sup_versions; p->name != NULL; p++) {
+ p->supported = false;
+ p->supported_revertible = true;
+ }
+
+#endif
+}
+
+/**
+ * gnutls_protocol_mark_disabled:
+ * @version: is a (gnutls) version number
+ *
+ * Mark @version as disabled system wide. This only works if the allowlisting
+ * mode is used in the configuration file.
+ *
+ */
+int gnutls_protocol_mark_disabled(gnutls_protocol_t version)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ version_entry_st *p;
+
+ for (p = sup_versions; p->name != NULL; p++)
+ if (p->id == version) {
+ if (!p->supported_revertible) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ p->supported = false;
+ return 0;
+ }
+
+#endif
+ return GNUTLS_E_INVALID_REQUEST;
+}
+
+/**
+ * gnutls_protocol_mark_enabled:
+ * @version: is a (gnutls) version number
+ *
+ * Invalidate previous system wide setting that marked @version as
+ * disabled. This only works if the allowlisting mode is used in the
+ * configuration file.
+ *
+ */
+int gnutls_protocol_mark_enabled(gnutls_protocol_t version)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ version_entry_st *p;
+
+ for (p = sup_versions; p->name != NULL; p++)
+ if (p->id == version) {
+ if (!p->supported_revertible) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ p->supported = true;
return 0;
}
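Review bot: The gtk-doc blocks for `gnutls_protocol_mark_disabled()` and `gnutls_protocol_mark_enabled()` have no `Since:` line, which every other new public function in this patch has, and no `Returns:` line. Add ` * Returns: 0 on success or negative error code otherwise.` and ` * Since: 3.7.3` to both. When `DISABLE_SYSTEM_CONFIG` is defined, `gnutls_protocol_mark_disabled()` returns `GNUTLS_E_INVALID_REQUEST` unconditionally, which deserves a sentence in the comment as well. `gnutls_protocol_mark_enabled()` continues past the end of the hunk.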
@@ -469,6 +537,25 @@
return supported_protocols;
}
+/* Return all versions, including non-supported ones.
+ */
+const gnutls_protocol_t *_gnutls_protocol_list(void)
+{
+ const version_entry_st *p;
+ static gnutls_protocol_t protocols[MAX_ALGOS] = { 0 };
+
+ if (protocols[0] == 0) {
+ int i = 0;
+
+ for (p = sup_versions; p->name != NULL; p++) {
+ protocols[i++] = p->id;
+ }
+ protocols[i++] = 0;
+ }
+
+ return protocols;
+}
+
/* Returns a version number given the major and minor numbers.
*/
gnutls_protocol_t _gnutls_version_get(uint8_t major, uint8_t minor)
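Review bot: `_gnutls_protocol_list()` fills the static `protocols[MAX_ALGOS]` array without checking `i` against `MAX_ALGOS`, and uses `protocols[0] == 0` as an unsynchronised "already initialised" test. Bounding the loop with `for (p = sup_versions; p->name != NULL && i < MAX_ALGOS - 1; p++)` keeps the terminator inside the array if `sup_versions` ever grows. Concurrent first calls would write the same values, but that is still a data race on a static buffer; if the first call is guaranteed to happen during single-threaded initialisation, a comment should say so. The size of `sup_versions` relative to `MAX_ALGOS` is not visible in this hunk.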
diff -ruN gnutls-3.7.2/lib/algorithms/sign.c gnutls-3.7.2-bootstrapped/lib/algorithms/sign.c
--- gnutls-3.7.2/lib/algorithms/sign.c 2021-05-10 16:34:47.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/algorithms/sign.c 2021-06-28 09:09:14.000000000 +0200
@@ -453,16 +453,23 @@
bool _gnutls_sign_is_secure2(const gnutls_sign_entry_st *se, unsigned int flags)
{
- if (se->hash != GNUTLS_DIG_UNKNOWN && _gnutls_digest_is_insecure(se->hash))
- return gnutls_assert_val(0);
+ if (se->hash != GNUTLS_DIG_UNKNOWN &&
+ _gnutls_digest_is_insecure2(se->hash,
+ flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE ?
+ GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE :
+ 0)) {
+ return gnutls_assert_val(false);
+ }
- if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS)
- return (se->slevel==_SECURE)?1:0;
- else
- return (se->slevel==_SECURE || se->slevel == _INSECURE_FOR_CERTS)?1:0;
+ return (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS ?
+ se->slevel == _SECURE :
+ (se->slevel == _SECURE || se->slevel == _INSECURE_FOR_CERTS)) ||
+ (flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE &&
+ se->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE);
}
-int _gnutls_sign_mark_insecure(const char *name, hash_security_level_t level)
+/* This is only called by cfg_apply in priority.c, in blocklisting mode. */
+int _gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, hash_security_level_t level)
{
#ifndef DISABLE_SYSTEM_CONFIG
gnutls_sign_entry_st *p;
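Review bot: The new return expression in `_gnutls_sign_is_secure2()` combines a ternary, `||`, `&&` and unparenthesised `&` tests in one statement, and the part that matters most is easy to miss. With `GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE` in `flags`, an algorithm carrying `GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE` is reported secure whatever its `slevel`. Writing the three cases as separate statements, with a comment on the override, makes that auditable without changing the result. `_gnutls_sign_mark_insecure()` starts in this hunk and continues in the next one.

```c
bool _gnutls_sign_is_secure2(const gnutls_sign_entry_st *se, unsigned int flags)
{
	/* … unchanged: digest check via _gnutls_digest_is_insecure2() … */

	/* Override for callers that accept revertibly-insecure algorithms:
	 * slevel is not consulted in this case. */
	if ((flags & GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE) &&
	    (se->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE))
		return true;

	if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS)
		return se->slevel == _SECURE;

	return se->slevel == _SECURE || se->slevel == _INSECURE_FOR_CERTS;
}
```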
@@ -471,11 +478,106 @@
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
for(p = sign_algorithms; p->name != NULL; p++) {
- if (c_strcasecmp(p->name, name) == 0) {
+ if (p->id && p->id == sign) {
+ if (p->slevel < level)
p->slevel = level;
return 0;
}
}
+#endif
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+}
+
+/* This is only called by cfg_apply in priority.c, in allowlisting mode. */
+void _gnutls_sign_mark_insecure_all(hash_security_level_t level)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ gnutls_sign_entry_st *p;
+
+ for(p = sign_algorithms; p->name != NULL; p++) {
+ if (p->slevel < level)
+ p->slevel = level;
+ p->flags |= GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE;
+ }
+#endif
+}
+
+/**
+ * gnutls_sign_mark_insecure:
+ * @sign: the sign algorithm
+ * @flags: %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0
+ *
+ * Mark @sign as insecure system wide. This only works if the
+ * allowlisting mode is used in the configuration file.
+ *
+ * If @flags has %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set,
+ * and the algorithm was previously considered secure for all purposes,
+ * it only marks the algorithm as insecure for the use with certificates.
+ *
+ * Since: 3.7.3
+ */
+int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, unsigned flags)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ gnutls_sign_entry_st *p;
+
+ for(p = sign_algorithms; p->name != NULL; p++) {
+ if (p->id && p->id == sign) {
+ if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) {
+ if (p->slevel < _INSECURE_FOR_CERTS)
+ p->slevel = _INSECURE_FOR_CERTS;
+ } else {
+ p->slevel = _INSECURE;
+ }
+ return 0;
+ }
+ }
+#endif
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+}
+// TODO: really not sure about the intuitiveness of the interface of this one,
+// the flag naming isn't ideal here
+
+/**
+ * gnutls_sign_mark_secure:
+ * @sign: the sign algorithm
+ * @flags: %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS or 0
+ *
+ * Invalidate previous system wide setting that marked @sign as
+ * insecure. This only works if the algorithm is marked as insecure
+ * with gnutls_sign_mark_insecure() or through the allowlisting mode
+ * in the configuration file.
+ *
+ * If @flags has %GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS bit set,
+ * it marks it the algorithm as secure for all purposes.
+ * If the absence of this flag, it will mark it as
+ * "secure, but not for certificates" at most,
+ * but it won't restrict anything either.
+ *
+ * Since: 3.7.3
+ */
+int gnutls_sign_mark_secure(gnutls_sign_algorithm_t sign, unsigned flags)
+{
+#ifndef DISABLE_SYSTEM_CONFIG
+ gnutls_sign_entry_st *p;
+
+ for(p = sign_algorithms; p->name != NULL; p++) {
+ if (p->id && p->id == sign) {
+ if (!(p->flags & GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE)) {
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+ }
+ if (flags & GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) {
+ p->slevel = _SECURE;
+ } else {
+ if (p->slevel > _INSECURE_FOR_CERTS)
+ p->slevel = _INSECURE_FOR_CERTS;
+ }
+ return 0;
+ }
+ }
#endif
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
}
diff -ruN gnutls-3.7.2/lib/algorithms.h gnutls-3.7.2-bootstrapped/lib/algorithms.h
--- gnutls-3.7.2/lib/algorithms.h 2021-05-10 16:34:47.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/algorithms.h 2021-06-28 09:09:14.000000000 +0200
@@ -345,15 +345,27 @@
_INSECURE
} hash_security_level_t;
-int _gnutls_ecc_curve_mark_disabled(const char *name);
-int _gnutls_sign_mark_insecure(const char *name, hash_security_level_t);
-int _gnutls_digest_mark_insecure(const char *name);
+int _gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve);
+int _gnutls_sign_mark_insecure(gnutls_sign_algorithm_t, hash_security_level_t);
+int _gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig);
unsigned _gnutls_digest_is_insecure(gnutls_digest_algorithm_t dig);
-int _gnutls_version_mark_disabled(const char *name);
+bool _gnutls_digest_is_insecure2(gnutls_digest_algorithm_t dig, unsigned flags);
+const gnutls_protocol_t *_gnutls_protocol_list(void);
+int _gnutls_version_mark_disabled(gnutls_protocol_t version);
gnutls_protocol_t _gnutls_protocol_get_id_if_supported(const char *name);
+/* these functions are for revertible settings, meaning that algorithms marked
+ * as disabled/insecure with mark_*_all functions can be re-enabled with
+ * mark_{enabled,secure} functions */
+void _gnutls_ecc_curve_mark_disabled_all(void);
+void _gnutls_sign_mark_insecure_all(hash_security_level_t level);
+void _gnutls_digest_mark_insecure_all(void);
+void _gnutls_version_mark_disabled_all(void);
+
#define GNUTLS_SIGN_FLAG_TLS13_OK 1 /* if it is ok to use under TLS1.3 */
#define GNUTLS_SIGN_FLAG_CRT_VRFY_REVERSE (1 << 1) /* reverse order of bytes in CrtVrfy signature */
+#define GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE (1 << 2)
+#define GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE (1 << 3)
struct gnutls_sign_entry_st {
const char *name;
const char *oid;
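Review bot: The two flags added in this hunk, `GNUTLS_SIGN_FLAG_INSECURE_REVERTIBLE` and `GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE`, carry no comment although the two defines directly above them do, and they now gate whether a signature algorithm's security level can be changed at run time. In `gnutls_sign_mark_insecure()` and `gnutls_sign_mark_secure()` an entry without the first flag is rejected with `GNUTLS_E_INVALID_REQUEST`, so I would document it as `/* the security level of this entry may be changed through gnutls_sign_mark_{insecure,secure}() */`. For the second, a comment mirroring its MAC counterpart in gnutls_int.h would do, assuming the semantics match: `/* when checking security, don't treat a revertible setting as fatal */`. The block comment on the `mark_*_all` functions could also say which of them sets the revertible flag, since that is not visible in this header.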
@@ -448,6 +460,7 @@
unsigned sig_size; /* the size of curve signatures in bytes (EdDSA) */
unsigned gost_curve;
bool supported;
+ bool supported_revertible;
gnutls_group_t group;
} gnutls_ecc_curve_entry_st;
@@ -459,6 +472,7 @@
gnutls_group_t _gnutls_ecc_curve_get_group(gnutls_ecc_curve_t);
const gnutls_group_entry_st *_gnutls_tls_id_to_group(unsigned num);
const gnutls_group_entry_st * _gnutls_id_to_group(unsigned id);
+gnutls_group_t _gnutls_group_get_id(const char *name);
gnutls_ecc_curve_t _gnutls_ecc_bits_to_curve(gnutls_pk_algorithm_t pk, int bits);
#define MAX_ECC_CURVE_SIZE 66
diff -ruN gnutls-3.7.2/lib/gnutls_int.h gnutls-3.7.2-bootstrapped/lib/gnutls_int.h
--- gnutls-3.7.2/lib/gnutls_int.h 2021-05-27 08:08:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/gnutls_int.h 2021-06-28 09:09:14.000000000 +0200
@@ -662,6 +662,8 @@
#define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE 1 /* if this algorithm should not be trusted for pre-image attacks */
#define GNUTLS_MAC_FLAG_CONTINUOUS_MAC (1 << 1) /* if this MAC should be used in a 'continuous' way in TLS */
+#define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE_REVERTIBLE (1 << 2) /* if this algorithm should not be trusted for pre-image attacks, but can be enabled through API */
+#define GNUTLS_MAC_FLAG_ALLOW_INSECURE_REVERTIBLE (1 << 3) /* when checking with _gnutls_digest_is_insecure2, don't treat revertible setting as fatal */
/* This structure is used both for MACs and digests
*/
typedef struct mac_entry_st {
@@ -685,6 +687,7 @@
uint8_t minor; /* defined by the protocol */
transport_t transport; /* Type of transport, stream or datagram */
bool supported; /* 0 not supported, > 0 is supported */
+ bool supported_revertible;
bool explicit_iv;
bool extensions; /* whether it supports extensions */
bool selectable_sighash; /* whether signatures can be selected */
diff -ruN gnutls-3.7.2/lib/includes/gnutls/gnutls.h.in gnutls-3.7.2-bootstrapped/lib/includes/gnutls/gnutls.h.in
--- gnutls-3.7.2/lib/includes/gnutls/gnutls.h.in 2021-05-27 08:08:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/includes/gnutls/gnutls.h.in 2021-06-28 09:09:14.000000000 +0200
@@ -1438,6 +1438,16 @@
gnutls_mac_algorithm_t * mac,
gnutls_protocol_t * min_version);
+ /* functions for run-time enablement of algorithms */
+int gnutls_ecc_curve_mark_disabled(gnutls_ecc_curve_t curve);
+int gnutls_ecc_curve_mark_enabled(gnutls_ecc_curve_t curve);
+int gnutls_sign_mark_insecure(gnutls_sign_algorithm_t sign, unsigned flags);
+int gnutls_sign_mark_secure(gnutls_sign_algorithm_t sign, unsigned flags);
+int gnutls_digest_mark_insecure(gnutls_digest_algorithm_t dig);
+int gnutls_digest_mark_secure(gnutls_digest_algorithm_t dig);
+int gnutls_protocol_mark_disabled(gnutls_protocol_t version);
+int gnutls_protocol_mark_enabled(gnutls_protocol_t version);
+
/* error functions */
int gnutls_error_is_fatal(int error) __GNUTLS_CONST__;
int gnutls_error_to_alert(int err, int *level);
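Review bot: The one-line comment above the eight new prototypes does not tell a caller that these functions change library-wide state rather than a session or priority object. The implementations of `gnutls_sign_mark_insecure()` and `gnutls_sign_mark_secure()` in this patch write `p->slevel` in the shared `sign_algorithms` table with no locking visible, and both return `GNUTLS_E_INVALID_REQUEST` unconditionally when `DISABLE_SYSTEM_CONFIG` is defined. I would expand the comment to something like `/* run-time enablement of algorithms: these modify process-wide settings and fail with GNUTLS_E_INVALID_REQUEST when the algorithm's setting is not revertible */`. Since the `mark_secure`/`mark_enabled` variants can undo what the allowlisting configuration restricted, the documentation should also say that the configuration file is not a boundary against code running inside the process.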
diff -ruN gnutls-3.7.2/lib/libgnutls.map gnutls-3.7.2-bootstrapped/lib/libgnutls.map
--- gnutls-3.7.2/lib/libgnutls.map 2021-05-29 07:16:27.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/libgnutls.map 2021-06-28 09:09:14.000000000 +0200
@@ -1355,6 +1355,21 @@
*;
} GNUTLS_3_7_0;
+GNUTLS_3_7_3
+{
+ global:
+ gnutls_ecc_curve_mark_disabled;
+ gnutls_ecc_curve_mark_enabled;
+ gnutls_sign_mark_insecure;
+ gnutls_sign_mark_secure;
+ gnutls_digest_mark_insecure;
+ gnutls_digest_mark_secure;
+ gnutls_protocol_mark_disabled;
+ gnutls_protocol_mark_enabled;
+ local:
+ *;
+} GNUTLS_3_7_2;
+
GNUTLS_FIPS140_3_4 {
global:
gnutls_cipher_self_test;
diff -ruN gnutls-3.7.2/lib/priority.c gnutls-3.7.2-bootstrapped/lib/priority.c
--- gnutls-3.7.2/lib/priority.c 2021-05-27 08:08:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/lib/priority.c 2021-06-28 09:09:14.000000000 +0200
@@ -700,6 +700,7 @@
#define LEVEL_SUITEB128 "SUITEB128"
#define LEVEL_SUITEB192 "SUITEB192"
#define LEVEL_LEGACY "LEGACY"
+#define LEVEL_SYSTEM "SYSTEM"
struct priority_groups_st {
const char *name;
@@ -1001,17 +1002,22 @@
static gnutls_certificate_verification_profiles_t system_wide_verification_profile = GNUTLS_PROFILE_UNKNOWN;
static name_val_array_t system_wide_priority_strings = NULL;
+static char *system_wide_priority_string = NULL;
static unsigned system_wide_priority_strings_init = 0;
static unsigned system_wide_default_priority_string = 0;
static unsigned fail_on_invalid_config = 0;
-static unsigned system_wide_disabled_ciphers[MAX_ALGOS+1] = {0};
-static unsigned system_wide_disabled_macs[MAX_ALGOS+1] = {0};
-static unsigned system_wide_disabled_groups[MAX_ALGOS+1] = {0};
-static unsigned system_wide_disabled_kxs[MAX_ALGOS+1] = {0};
+static bool system_wide_allowlisting;
+static unsigned system_wide_tls_ciphers[MAX_ALGOS+1] = {0};
+static unsigned system_wide_tls_macs[MAX_ALGOS+1] = {0};
+static unsigned system_wide_tls_groups[MAX_ALGOS+1] = {0};
+static unsigned system_wide_tls_kxs[MAX_ALGOS+1] = {0};
+static unsigned system_wide_tls_sigs[MAX_ALGOS+1] = {0};
+static unsigned system_wide_tls_vers[MAX_ALGOS+1] = {0};
static const char *system_priority_file = SYSTEM_PRIORITY_FILE;
static time_t system_priority_last_mod = 0;
+#define GLOBAL_SECTION "global"
#define CUSTOM_PRIORITY_SECTION "priorities"
#define OVERRIDES_SECTION "overrides"
#define MAX_ALGO_NAME 2048
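Review bot: After the rename, `system_wide_tls_ciphers`, `_macs`, `_groups` and `_kxs` no longer say whether they hold a deny list or an allow list; that now depends on `system_wide_allowlisting`, and nothing at the declarations says so. Reading them with the wrong polarity yields the opposite policy, so I would add a comment above the arrays such as `/* zero-terminated; in blocklisting mode these hold the disabled algorithms, in allowlisting mode the enabled ones */`. `system_wide_tls_sigs` and `system_wide_tls_vers` are only filled inside the allowlisting branch of `cfg_apply()` in the next hunk, which is worth stating as well.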
@@ -1051,108 +1057,479 @@
return out;
}
-/* This function parses a gnutls configuration file and updates internal
- * settings accordingly.
+struct cfg {
+ bool allowlisting;
+
+ name_val_array_t priority_strings;
+ bool priority_strings_init;
+ char *default_priority_string;
+ gnutls_certificate_verification_profiles_t verification_profile;
+
+ gnutls_cipher_algorithm_t ciphers[MAX_ALGOS+1];
+ gnutls_mac_algorithm_t macs[MAX_ALGOS+1];
+ gnutls_group_t groups[MAX_ALGOS+1];
+ gnutls_kx_algorithm_t kxs[MAX_ALGOS+1];
+
+ gnutls_digest_algorithm_t *hashes;
+ size_t hashes_size;
+ gnutls_sign_algorithm_t *sigs;
+ size_t sigs_size;
+ gnutls_sign_algorithm_t *sigs_for_cert;
+ size_t sigs_for_cert_size;
+ gnutls_protocol_t *versions;
+ size_t versions_size;
+ gnutls_ecc_curve_t *curves;
+ size_t curves_size;
+};
+
+static inline void
+cfg_deinit(struct cfg *cfg)
+{
+ if (cfg->priority_strings) {
+ _name_val_array_clear(&cfg->priority_strings);
+ }
+ cfg->priority_strings_init = false;
+ gnutls_free(cfg->default_priority_string);
+ gnutls_free(cfg->hashes);
+ gnutls_free(cfg->sigs);
+ gnutls_free(cfg->sigs_for_cert);
+ gnutls_free(cfg->versions);
+ gnutls_free(cfg->curves);
+}
+
+static inline int
+cfg_apply(struct cfg *cfg)
+{
+ size_t i;
+
+ system_wide_verification_profile = cfg->verification_profile;
+
+ if (cfg->priority_strings_init) {
+ system_wide_priority_strings = cfg->priority_strings;
+ cfg->priority_strings = NULL;
+ cfg->priority_strings_init = false;
+ system_wide_priority_strings_init = 1;
+ }
+
+ if (cfg->default_priority_string) {
+ _clear_default_system_priority();
+ _gnutls_default_priority_string = cfg->default_priority_string;
+ cfg->default_priority_string = NULL;
+ system_wide_default_priority_string = 1;
+ }
+
+ system_wide_allowlisting = cfg->allowlisting;
+ memcpy(system_wide_tls_ciphers, cfg->ciphers, sizeof(cfg->ciphers));
+ memcpy(system_wide_tls_macs, cfg->macs, sizeof(cfg->macs));
+ memcpy(system_wide_tls_groups, cfg->groups, sizeof(cfg->groups));
+ memcpy(system_wide_tls_kxs, cfg->kxs, sizeof(cfg->kxs));
+
+ if (cfg->allowlisting) {
+ unsigned tls_sig_sem = 0;
+ size_t j;
+
+ _gnutls_digest_mark_insecure_all();
+ for (i = 0; i < cfg->hashes_size; i++) {
+ int ret = gnutls_digest_mark_secure(cfg->hashes[i]);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ _gnutls_sign_mark_insecure_all(_INSECURE);
+ for (i = 0; i < cfg->sigs_size; i++) {
+ int ret = gnutls_sign_mark_secure(cfg->sigs[i], 0);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ for (i = 0; i < cfg->sigs_for_cert_size; i++) {
+ int ret = gnutls_sign_mark_secure(cfg->sigs_for_cert[i],
+ GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ _gnutls_version_mark_disabled_all();
+ for (i = 0, j = 0; i < cfg->versions_size; i++) {
+ const version_entry_st *vers;
+ int ret = gnutls_protocol_mark_enabled(cfg->versions[i]);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ vers = version_to_entry(cfg->versions[i]);
+ if (vers && vers->supported) {
+ tls_sig_sem |= vers->tls_sig_sem;
+ system_wide_tls_vers[j++] = vers->id;
+ }
+ }
+ _gnutls_ecc_curve_mark_disabled_all();
+ for (i = 0; i < cfg->curves_size; i++) {
+ int ret = gnutls_ecc_curve_mark_enabled(cfg->curves[i]);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ for (i = 0, j = 0; i < cfg->sigs_size; i++) {
+ const gnutls_sign_entry_st *se;
+
+ se = _gnutls_sign_to_entry(cfg->sigs[i]);
+ if (se != NULL && se->aid.tls_sem & tls_sig_sem &&
+ _gnutls_sign_is_secure2(se, 0)) {
+ system_wide_tls_sigs[j++] = se->id;
+ }
+ }
+ } else {
+ for (i = 0; i < cfg->hashes_size; i++) {
+ int ret = _gnutls_digest_mark_insecure(cfg->hashes[i]);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ for (i = 0; i < cfg->sigs_size; i++) {
+ int ret = _gnutls_sign_mark_insecure(cfg->sigs[i], _INSECURE);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ for (i = 0; i < cfg->sigs_for_cert_size; i++) {
+ int ret = _gnutls_sign_mark_insecure(cfg->sigs_for_cert[i], _INSECURE_FOR_CERTS);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ for (i = 0; i < cfg->versions_size; i++) {
+ int ret = _gnutls_version_mark_disabled(cfg->versions[i]);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ for (i = 0; i < cfg->curves_size; i++) {
+ int ret = _gnutls_ecc_curve_mark_disabled(cfg->curves[i]);
+ if (unlikely(ret < 0)) {
+ return ret;
+ }
+ }
+ }
+
+ return 0;
+}
+
+/* This function parse the global section of the configuration file.
+ */
+static int global_ini_handler(void *ctx, const char *section, const char *name, const char *value)
+{
+ char *p;
+ char str[MAX_ALGO_NAME];
+ struct cfg *cfg = ctx;
+
+ if (section != NULL && c_strcasecmp(section, GLOBAL_SECTION) == 0) {
+ if (c_strcasecmp(name, "override-mode") == 0) {
+ p = clear_spaces(value, str);
+ if (c_strcasecmp(value, "allowlist") == 0) {
+ cfg->allowlisting = true;
+ } else if (c_strcasecmp(value, "blocklist") == 0) {
+ cfg->allowlisting = false;
+ } else {
+ _gnutls_debug_log("cfg: unknown override mode %s\n",
+ p);
+ if (fail_on_invalid_config)
+ return 0;
+ }
+ } else {
+ _gnutls_debug_log("unknown parameter %s\n", name);
+ if (fail_on_invalid_config)
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+static bool
+override_allowed(struct cfg *cfg, const char *name)
+{
+ static const struct {
+ const char *allowlist_name;
+ const char *blocklist_name;
+ } names[] = {
+ { "secure-hash", "insecure-hash" },
+ { "secure-sig", "insecure-sig" },
+ { "secure-sig-for-cert", "insecure-sig-for-cert" },
+ { "enabled-version", "disabled-version" },
+ { "enabled-curve", "disabled-curve" },
+ { "tls-enabled-cipher", "tls-disabled-cipher" },
+ { "tls-enabled-group", "tls-disabled-group" },
+ { "tls-enabled-kx", "tls-disabled-kx" },
+ { "tls-enabled-mac", "tls-disabled-mac" }
+ };
+ size_t i;
+
+ for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
+ if (c_strcasecmp(name,
+ cfg->allowlisting ?
+ names[i].blocklist_name :
+ names[i].allowlist_name) == 0)
+ return false;
+ }
+
+ return true;
+}
+
+/* This function parses a gnutls configuration file. Updating internal settings
+ * according to the parsed configuration is done by cfg_apply.
*/
-static int cfg_ini_handler(void *_ctx, const char *section, const char *name, const char *value)
+static int cfg_ini_handler(void *ctx, const char *section, const char *name, const char *value)
{
char *p;
- int ret, type;
+ int ret;
unsigned i;
char str[MAX_ALGO_NAME];
+ struct cfg *cfg = ctx;
/* Note that we intentionally overwrite the value above; inih does
* not use that value after we handle it. */
/* Parse sections */
if (section == NULL || section[0] == 0 || c_strcasecmp(section, CUSTOM_PRIORITY_SECTION)==0) {
- if (system_wide_priority_strings_init == 0) {
- _name_val_array_init(&system_wide_priority_strings);
- system_wide_priority_strings_init = 1;
+ if (!cfg->priority_strings_init) {
+ _name_val_array_init(&cfg->priority_strings);
+ cfg->priority_strings_init = true;
}
_gnutls_debug_log("cfg: adding priority: %s -> %s\n", name, value);
- ret = _name_val_array_append(&system_wide_priority_strings, name, value);
+ ret = _name_val_array_append(&cfg->priority_strings, name, value);
if (ret < 0)
return 0;
} else if (c_strcasecmp(section, OVERRIDES_SECTION)==0) {
- if (c_strcasecmp(name, "default-priority-string")==0) {
- _clear_default_system_priority();
+ if (!override_allowed(cfg, name)) {
+ _gnutls_debug_log("cfg: %s is not allowed in this mode\n",
+ name);
+ if (fail_on_invalid_config)
+ return 0;
+ } else if (c_strcasecmp(name, "default-priority-string")==0) {
+ if (cfg->default_priority_string) {
+ gnutls_free(cfg->default_priority_string);
+ cfg->default_priority_string = NULL;
+ }
p = clear_spaces(value, str);
_gnutls_debug_log("cfg: setting default-priority-string to %s\n", p);
if (strlen(p) > 0) {
- _gnutls_default_priority_string = gnutls_strdup(p);
- if (!_gnutls_default_priority_string) {
- _gnutls_default_priority_string = DEFAULT_PRIORITY_STRING;
+ cfg->default_priority_string = gnutls_strdup(p);
+ if (!cfg->default_priority_string) {
_gnutls_debug_log("cfg: failed setting default-priority-string\n");
return 0;
}
- system_wide_default_priority_string = 1;
} else {
_gnutls_debug_log("cfg: empty default-priority-string, using default\n");
if (fail_on_invalid_config)
return 0;
}
- } else if (c_strcasecmp(name, "insecure-hash")==0) {
+ } else if (c_strcasecmp(name, "insecure-hash") == 0 ||
+ c_strcasecmp(name, "secure-hash") == 0) {
+ gnutls_digest_algorithm_t dig, *tmp;
+
p = clear_spaces(value, str);
- _gnutls_debug_log("cfg: marking hash %s as insecure\n",
- p);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: marking hash %s as secure\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: marking hash %s as insecure\n",
+ p);
+ }
- ret = _gnutls_digest_mark_insecure(p);
- if (ret < 0) {
+ dig = gnutls_digest_get_id(p);
+ if (dig == GNUTLS_DIG_UNKNOWN) {
_gnutls_debug_log("cfg: found unknown hash %s in %s\n",
p, name);
if (fail_on_invalid_config)
return 0;
+ goto exit;
+ }
+ tmp = _gnutls_reallocarray(cfg->hashes,
+ cfg->hashes_size + 1,
+ sizeof(gnutls_digest_algorithm_t));
+ if (!tmp) {
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: failed marking hash %s as secure\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: failed marking hash %s as insecure\n",
+ p);
+ }
+ if (fail_on_invalid_config)
+ return 0;
+ goto exit;
}
- } else if (c_strcasecmp(name, "insecure-sig")==0 || c_strcasecmp(name, "insecure-sig-for-cert")==0) {
+
+ cfg->hashes = tmp;
+ cfg->hashes[cfg->hashes_size] = dig;
+ cfg->hashes_size++;
+ } else if (c_strcasecmp(name, "insecure-sig") == 0 ||
+ c_strcasecmp(name, "secure-sig") == 0) {
+ gnutls_sign_algorithm_t sig, *tmp;
+
p = clear_spaces(value, str);
- if (c_strcasecmp(name, "insecure-sig")==0) {
- type = _INSECURE;
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: marking signature %s as secure\n",
+ p);
+ } else {
_gnutls_debug_log("cfg: marking signature %s as insecure\n",
p);
+ }
+
+ sig = gnutls_sign_get_id(p);
+ if (sig == GNUTLS_SIGN_UNKNOWN) {
+ _gnutls_debug_log("cfg: found unknown signature algorithm %s in %s\n",
+ p, name);
+ if (fail_on_invalid_config)
+ return 0;
+ goto exit;
+ }
+ tmp = _gnutls_reallocarray(cfg->sigs,
+ cfg->sigs_size + 1,
+ sizeof(gnutls_sign_algorithm_t));
+ if (!tmp) {
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: failed marking signature %s as secure\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: failed marking signature %s as insecure\n",
+ p);
+ }
+ if (fail_on_invalid_config)
+ return 0;
+ goto exit;
+ }
+
+ cfg->sigs = tmp;
+ cfg->sigs[cfg->sigs_size] = sig;
+ cfg->sigs_size++;
+ } else if (c_strcasecmp(name, "insecure-sig-for-cert") == 0 ||
+ c_strcasecmp(name, "secure-sig-for-cert") == 0) {
+ gnutls_sign_algorithm_t sig, *tmp;
+
+ p = clear_spaces(value, str);
+
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: marking signature %s as secure for certs\n",
+ p);
} else {
_gnutls_debug_log("cfg: marking signature %s as insecure for certs\n",
p);
- type = _INSECURE_FOR_CERTS;
}
- ret = _gnutls_sign_mark_insecure(p, type);
- if (ret < 0) {
+ sig = gnutls_sign_get_id(p);
+ if (sig == GNUTLS_SIGN_UNKNOWN) {
_gnutls_debug_log("cfg: found unknown signature algorithm %s in %s\n",
p, name);
if (fail_on_invalid_config)
return 0;
+ goto exit;
+ }
+ tmp = _gnutls_reallocarray(cfg->sigs_for_cert,
+ cfg->sigs_for_cert_size + 1,
+ sizeof(gnutls_sign_algorithm_t));
+ if (!tmp) {
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: failed marking signature %s as secure for certs\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: failed marking signature %s as insecure for certs\n",
+ p);
+ }
+ if (fail_on_invalid_config)
+ return 0;
+ goto exit;
}
- } else if (c_strcasecmp(name, "disabled-version")==0) {
+
+ cfg->sigs_for_cert = tmp;
+ cfg->sigs_for_cert[cfg->sigs_for_cert_size] = sig;
+ cfg->sigs_for_cert_size++;
+ } else if (c_strcasecmp(name, "disabled-version") == 0 ||
+ c_strcasecmp(name, "enabled-version") == 0) {
+ gnutls_protocol_t prot, *tmp;
+
p = clear_spaces(value, str);
- _gnutls_debug_log("cfg: disabling version %s\n",
- p);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: enabling version %s\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: disabling version %s\n",
+ p);
+ }
- ret = _gnutls_version_mark_disabled(p);
- if (ret < 0) {
+ prot = gnutls_protocol_get_id(p);
+ if (prot == GNUTLS_VERSION_UNKNOWN) {
_gnutls_debug_log("cfg: found unknown version %s in %s\n",
p, name);
if (fail_on_invalid_config)
return 0;
+ goto exit;
}
- } else if (c_strcasecmp(name, "disabled-curve")==0) {
+ tmp = _gnutls_reallocarray(cfg->versions,
+ cfg->versions_size + 1,
+ sizeof(gnutls_protocol_t));
+ if (!tmp) {
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: failed enabling version %s\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: failed disabling version %s\n",
+ p);
+ }
+ if (fail_on_invalid_config)
+ return 0;
+ goto exit;
+ }
+
+ cfg->versions = tmp;
+ cfg->versions[cfg->versions_size] = prot;
+ cfg->versions_size++;
+ } else if (c_strcasecmp(name, "disabled-curve") == 0 ||
+ c_strcasecmp(name, "enabled-curve") == 0) {
+ gnutls_ecc_curve_t curve, *tmp;
+
p = clear_spaces(value, str);
- _gnutls_debug_log("cfg: disabling curve %s\n",
- p);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: enabling curve %s\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: disabling curve %s\n",
+ p);
+ }
- ret = _gnutls_ecc_curve_mark_disabled(p);
- if (ret < 0) {
+ curve = gnutls_ecc_curve_get_id(p);
+ if (curve == GNUTLS_ECC_CURVE_INVALID) {
_gnutls_debug_log("cfg: found unknown curve %s in %s\n",
p, name);
if (fail_on_invalid_config)
return 0;
+ goto exit;
+ }
+ tmp = _gnutls_reallocarray(cfg->curves,
+ cfg->curves_size + 1,
+ sizeof(gnutls_ecc_curve_t));
+ if (!tmp) {
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: failed enabling curve %s\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: failed disabling curve %s\n",
+ p);
+ }
+ if (fail_on_invalid_config)
+ return 0;
+ goto exit;
}
+
+ cfg->curves = tmp;
+ cfg->curves[cfg->curves_size] = curve;
+ cfg->curves_size++;
} else if (c_strcasecmp(name, "min-verification-profile")==0) {
gnutls_certificate_verification_profiles_t profile;
profile = gnutls_certificate_verification_profile_get_id(value);
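Review bot: In `cfg_apply()` the allowlisting branch stores into `system_wide_tls_vers[j++]` and `system_wide_tls_sigs[j++]` without checking `j` against the array size and without writing a terminating 0. Both arrays are `MAX_ALGOS+1` long, while `cfg->versions` and `cfg->sigs` grow by one entry for every `enabled-version` / `secure-sig` line through `_gnutls_reallocarray()` with no cap or de-duplication, so a long or repetitive configuration file can write past the static arrays, and after a reload with a shorter list the old tail entries remain and are read back by the zero-terminated loops. I would guard each store with `if (j >= MAX_ALGOS) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` and end each loop with `system_wide_tls_vers[j] = 0;` (respectively `system_wide_tls_sigs[j] = 0;`). Separately, `global_ini_handler()` trims the value into `p` but compares the untrimmed `value`; `c_strcasecmp(p, "allowlist")` looks like what was meant, and an unrecognised mode leaves `allowlisting` false unless `fail_on_invalid_config` is set, which silently turns an intended allow list into a deny list. `cfg_ini_handler()` continues past the end of this hunk.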
@@ -1162,47 +1539,65 @@
value, name);
if (fail_on_invalid_config)
return 0;
+ goto exit;
}
- system_wide_verification_profile = profile;
- } else if (c_strcasecmp(name, "tls-disabled-cipher")==0) {
- unsigned algo;
+ cfg->verification_profile = profile;
+ } else if (c_strcasecmp(name, "tls-disabled-cipher") == 0 ||
+ c_strcasecmp(name, "tls-enabled-cipher") == 0) {
+ gnutls_cipher_algorithm_t algo;
p = clear_spaces(value, str);
- _gnutls_debug_log("cfg: disabling cipher %s for TLS\n",
- p);
-
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: enabling cipher %s for TLS\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: disabling cipher %s for TLS\n",
+ p);
+ }
algo = gnutls_cipher_get_id(p);
- if (algo == 0) {
+ if (algo == GNUTLS_CIPHER_UNKNOWN) {
_gnutls_debug_log("cfg: unknown algorithm %s listed at %s\n",
p, name);
if (fail_on_invalid_config)
return 0;
+ goto exit;
}
i = 0;
- while (system_wide_disabled_ciphers[i] != 0)
+ while (cfg->ciphers[i] != 0)
i++;
if (i > MAX_ALGOS-1) {
- _gnutls_debug_log("cfg: too many (%d) disabled ciphers from %s\n",
- i, name);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: too many (%d) enabled ciphers from %s\n",
+ i, name);
+ } else {
+ _gnutls_debug_log("cfg: too many (%d) disabled ciphers from %s\n",
+ i, name);
+ }
if (fail_on_invalid_config)
return 0;
goto exit;
}
- system_wide_disabled_ciphers[i] = algo;
- system_wide_disabled_ciphers[i+1] = 0;
+ cfg->ciphers[i] = algo;
+ cfg->ciphers[i+1] = 0;
- } else if (c_strcasecmp(name, "tls-disabled-mac")==0) {
- unsigned algo;
+ } else if (c_strcasecmp(name, "tls-disabled-mac") == 0 ||
+ c_strcasecmp(name, "tls-enabled-mac") == 0) {
+ gnutls_mac_algorithm_t algo;
p = clear_spaces(value, str);
- _gnutls_debug_log("cfg: disabling MAC %s for TLS\n",
- p);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: enabling MAC %s for TLS\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: disabling MAC %s for TLS\n",
+ p);
+ }
algo = gnutls_mac_get_id(p);
if (algo == 0) {
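Review bot: The cipher branch now declares `gnutls_cipher_algorithm_t algo` and tests `algo == GNUTLS_CIPHER_UNKNOWN`, but the MAC branch at the end of this hunk changes only the type to `gnutls_mac_algorithm_t` and still tests `algo == 0`. For consistency I would write `if (algo == GNUTLS_MAC_UNKNOWN) {` there. The same mismatch appears in the following hunks: the group branch keeps `algo == 0` after `_gnutls_group_get_id(p)`, and the key-exchange branch keeps both `unsigned algo;` and `algo == 0` although `cfg->kxs` is declared as an array of `gnutls_kx_algorithm_t`. The MAC branch's body continues outside this hunk.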
@@ -1214,30 +1609,41 @@
}
i = 0;
- while (system_wide_disabled_macs[i] != 0)
+ while (cfg->macs[i] != 0)
i++;
if (i > MAX_ALGOS-1) {
- _gnutls_debug_log("cfg: too many (%d) disabled MACs from %s\n",
- i, name);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: too many (%d) enabled MACs from %s\n",
+ i, name);
+ } else {
+ _gnutls_debug_log("cfg: too many (%d) disabled MACs from %s\n",
+ i, name);
+ }
if (fail_on_invalid_config)
return 0;
goto exit;
}
- system_wide_disabled_macs[i] = algo;
- system_wide_disabled_macs[i+1] = 0;
- } else if (c_strcasecmp(name, "tls-disabled-group")==0) {
- unsigned algo;
+ cfg->macs[i] = algo;
+ cfg->macs[i+1] = 0;
+ } else if (c_strcasecmp(name, "tls-disabled-group") == 0 ||
+ c_strcasecmp(name, "tls-enabled-group") == 0) {
+ gnutls_group_t algo;
p = clear_spaces(value, str);
- if (strlen(p) > 6)
- p += 6; // skip GROUP-
+ if (c_strncasecmp(p, "GROUP-", 6) == 0)
+ p += 6;
- _gnutls_debug_log("cfg: disabling group %s for TLS\n",
- p);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: enabling group %s for TLS\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: disabling group %s for TLS\n",
+ p);
+ }
- algo = gnutls_group_get_id(p);
+ algo = _gnutls_group_get_id(p);
if (algo == 0) {
_gnutls_debug_log("cfg: unknown group %s listed at %s\n",
p, name);
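Review bot: The switch from the public `gnutls_group_get_id()` to the internal `_gnutls_group_get_id()` is not explained, and the reason matters for how the allow list behaves. If the internal lookup is used because the public one only returns groups whose curve is currently enabled (I cannot confirm that from this hunk), a comment such as `/* internal lookup: the group's curve may not be enabled yet while the file is parsed */` would keep someone from reverting it. The removed `// skip GROUP-` comment also has no replacement next to the new `c_strncasecmp(p, "GROUP-", 6)` test; a short `/* optional GROUP- prefix */` would restore it. This branch of `cfg_ini_handler()` starts and ends outside the hunk.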
@@ -1247,25 +1653,36 @@
}
i = 0;
- while (system_wide_disabled_groups[i] != 0)
+ while (cfg->groups[i] != 0)
i++;
if (i > MAX_ALGOS-1) {
- _gnutls_debug_log("cfg: too many (%d) disabled groups from %s\n",
- i, name);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: too many (%d) enabled groups from %s\n",
+ i, name);
+ } else {
+ _gnutls_debug_log("cfg: too many (%d) disabled groups from %s\n",
+ i, name);
+ }
if (fail_on_invalid_config)
return 0;
goto exit;
}
- system_wide_disabled_groups[i] = algo;
- system_wide_disabled_groups[i+1] = 0;
- } else if (c_strcasecmp(name, "tls-disabled-kx")==0) {
+ cfg->groups[i] = algo;
+ cfg->groups[i+1] = 0;
+ } else if (c_strcasecmp(name, "tls-disabled-kx") == 0 ||
+ c_strcasecmp(name, "tls-enabled-kx") == 0) {
unsigned algo;
p = clear_spaces(value, str);
- _gnutls_debug_log("cfg: disabling key exchange %s for TLS\n",
- p);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: enabling key exchange %s for TLS\n",
+ p);
+ } else {
+ _gnutls_debug_log("cfg: disabling key exchange %s for TLS\n",
+ p);
+ }
algo = gnutls_kx_get_id(p);
if (algo == 0) {
@@ -1277,24 +1694,29 @@
}
i = 0;
- while (system_wide_disabled_kxs[i] != 0)
+ while (cfg->kxs[i] != 0)
i++;
if (i > MAX_ALGOS-1) {
- _gnutls_debug_log("cfg: too many (%d) disabled key exchanges from %s\n",
- i, name);
+ if (cfg->allowlisting) {
+ _gnutls_debug_log("cfg: too many (%d) enabled key exchanges from %s\n",
+ i, name);
+ } else {
+ _gnutls_debug_log("cfg: too many (%d) disabled key exchanges from %s\n",
+ i, name);
+ }
if (fail_on_invalid_config)
return 0;
goto exit;
}
- system_wide_disabled_kxs[i] = algo;
- system_wide_disabled_kxs[i+1] = 0;
+ cfg->kxs[i] = algo;
+ cfg->kxs[i+1] = 0;
} else {
_gnutls_debug_log("unknown parameter %s\n", name);
if (fail_on_invalid_config)
return 0;
}
- } else {
+ } else if (c_strcasecmp(section, GLOBAL_SECTION) != 0) {
_gnutls_debug_log("cfg: unknown section %s\n",
section);
if (fail_on_invalid_config)
@@ -1310,6 +1732,7 @@
int ret;
struct stat sb;
FILE *fp;
+ struct cfg cfg;
if (stat(system_priority_file, &sb) < 0) {
_gnutls_debug_log("cfg: unable to access: %s: %d\n",
@@ -1327,21 +1750,41 @@
if (system_wide_priority_strings_init != 0)
_name_val_array_clear(&system_wide_priority_strings);
+ gnutls_free(system_wide_priority_string);
+ system_wide_priority_string = NULL;
+
fp = fopen(system_priority_file, "re");
if (fp == NULL) {
_gnutls_debug_log("cfg: unable to open: %s: %d\n",
system_priority_file, errno);
return;
}
- ret = ini_parse_file(fp, cfg_ini_handler, NULL);
+ /* Parsing the configuration file needs to be done in 2 phases: first
+ * parsing the [global] section and then the other sections, because the
+ * [global] section modifies the parsing behavior.
+ */
+ memset(&cfg, 0, sizeof(cfg));
+ ret = ini_parse_file(fp, global_ini_handler, &cfg);
+ if (ret == 0) {
+ if (fseek(fp, 0L, SEEK_SET) < 0) {
+ _gnutls_debug_log("cfg: unable to rewind: %s: %d\n",
+ system_priority_file, ret);
+ if (fail_on_invalid_config)
+ exit(1);
+ }
+ ret = ini_parse_file(fp, cfg_ini_handler, &cfg);
+ }
fclose(fp);
if (ret != 0) {
+ cfg_deinit(&cfg);
_gnutls_debug_log("cfg: unable to parse: %s: %d\n",
system_priority_file, ret);
if (fail_on_invalid_config)
exit(1);
return;
}
+ cfg_apply(&cfg);
+ cfg_deinit(&cfg);
_gnutls_debug_log("cfg: loaded system priority %s mtime %lld\n",
system_priority_file,
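Review bot: The return value of `cfg_apply(&cfg)` is discarded, so a failure while applying the parsed policy is reported as a successful load. In the blocklisting branch `cfg_apply()` returns at the first failing `_gnutls_*_mark_*` call, which leaves every later list (signatures, versions, curves) unapplied while the log still says "loaded system priority", and `fail_on_invalid_config` is not honoured on that path. I would check the result as shown below. In the same hunk the "unable to rewind" message prints `ret`, which is 0 at that point, instead of `errno`, and when `fail_on_invalid_config` is unset the second `ini_parse_file()` still runs on the unrewound stream. The enclosing function starts and ends outside this hunk.

```c
	ret = cfg_apply(&cfg);
	cfg_deinit(&cfg);
	if (ret < 0) {
		_gnutls_debug_log("cfg: unable to apply: %s: %d\n",
				  system_priority_file, ret);
		if (fail_on_invalid_config)
			exit(1);
		return;
	}
	/* … unchanged: "loaded system priority" log … */
```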
@@ -1368,6 +1811,7 @@
void _gnutls_unload_system_priorities(void)
{
_name_val_array_clear(&system_wide_priority_strings);
+ gnutls_free(system_wide_priority_string);
_clear_default_system_priority();
system_priority_last_mod = 0;
}
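Review bot: `_gnutls_unload_system_priorities()` frees `system_wide_priority_string` but, unlike the reload path earlier in this file, does not follow the free with `system_wide_priority_string = NULL;`. `resolve_priorities_from_system_wide_allowlisting()` returns the cached pointer whenever it is non-NULL, so if `gnutls_free` does not itself reset its argument (not visible in this patch) the next `@SYSTEM` lookup after an unload would return freed memory and the next reload would free it a second time. Adding the explicit assignment makes the two sites consistent and removes the dependency on how `gnutls_free` is defined.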
@@ -1391,6 +1835,124 @@
return NULL;
}
+static const char *
+resolve_priorities_from_system_wide_allowlisting(void)
+{
+ gnutls_buffer_st buf;
+ int ret;
+ size_t i;
+
+ if (system_wide_priority_string) {
+ return system_wide_priority_string;
+ }
+
+ assert(system_wide_allowlisting);
+
+ _gnutls_buffer_init(&buf);
+
+ ret = _gnutls_buffer_append_str(&buf, "NONE");
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+
+ for (i = 0; system_wide_tls_kxs[i] != 0; i++) {
+ ret = _gnutls_buffer_append_str(&buf, ":+");
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+
+ ret = _gnutls_buffer_append_str(&buf,
+ gnutls_kx_get_name(system_wide_tls_kxs[i]));
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+ }
+
+ for (i = 0; system_wide_tls_groups[i] != 0; i++) {
+ ret = _gnutls_buffer_append_str(&buf, ":+GROUP-");
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+
+ ret = _gnutls_buffer_append_str(&buf,
+ gnutls_group_get_name(system_wide_tls_groups[i]));
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+ }
+
+ for (i = 0; system_wide_tls_ciphers[i] != 0; i++) {
+ ret = _gnutls_buffer_append_str(&buf, ":+");
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+
+ ret = _gnutls_buffer_append_str(&buf,
+ gnutls_cipher_get_name(system_wide_tls_ciphers[i]));
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+ }
+
+ for (i = 0; system_wide_tls_macs[i] != 0; i++) {
+ ret = _gnutls_buffer_append_str(&buf, ":+");
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+
+ ret = _gnutls_buffer_append_str(&buf,
+ gnutls_mac_get_name(system_wide_tls_macs[i]));
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+ }
+
+ for (i = 0; system_wide_tls_sigs[i] != 0; i++) {
+ ret = _gnutls_buffer_append_str(&buf, ":+SIGN-");
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+
+ ret = _gnutls_buffer_append_str(&buf,
+ gnutls_sign_get_name(system_wide_tls_sigs[i]));
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+ }
+
+ for (i = 0; system_wide_tls_vers[i] != 0; i++) {
+ ret = _gnutls_buffer_append_str(&buf, ":+VERS-");
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+
+ ret = _gnutls_buffer_append_str(&buf,
+ gnutls_protocol_get_name(system_wide_tls_vers[i]));
+ if (ret < 0) {
+ _gnutls_buffer_clear(&buf);
+ return NULL;
+ }
+ }
+
+ gnutls_free(system_wide_priority_string);
+ system_wide_priority_string = gnutls_strdup((char *)buf.data);
+ _gnutls_buffer_clear(&buf);
+
+ return system_wide_priority_string;
+}
+
#define S(str) ((str!=NULL)?str:"")
/* Returns the new priorities if a priority string prefixed
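Review bot: `resolve_priorities_from_system_wide_allowlisting()` repeats the same append-prefix, append-name, clear-and-return sequence six times, which makes it easy for a later edit to miss one cleanup path. A small helper plus a single `fail:` label would reduce each algorithm class to one call; the helper is also the natural place to reject a NULL from the `*_get_name()` lookups, which are passed to `_gnutls_buffer_append_str()` unchecked here. The `gnutls_free(system_wide_priority_string)` before the `gnutls_strdup()` is redundant because the function returns early when the pointer is set. A function comment stating that the returned string belongs to the cache and is dropped on reload would help callers.

```c
static int
append_priority_item(gnutls_buffer_st *buf, const char *prefix,
		     const char *name)
{
	int ret;

	if (name == NULL)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	ret = _gnutls_buffer_append_str(buf, prefix);
	if (ret < 0)
		return ret;

	return _gnutls_buffer_append_str(buf, name);
}

	/* … unchanged: cache check, assert, buffer init, "NONE" … */
	for (i = 0; system_wide_tls_kxs[i] != 0; i++) {
		ret = append_priority_item(&buf, ":+",
					   gnutls_kx_get_name(system_wide_tls_kxs[i]));
		if (ret < 0)
			goto fail;
	}
	/* … same shape for groups (":+GROUP-"), ciphers, MACs,
	 * signatures (":+SIGN-") and versions (":+VERS-") … */
	/* … unchanged: strdup into the cache, clear buf, return … */
 fail:
	_gnutls_buffer_clear(&buf);
	return NULL;
```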
@@ -1445,7 +2007,13 @@
*/
_gnutls_update_system_priorities();
- p = _name_val_array_value(system_wide_priority_strings, ss, ss_len);
+ if (system_wide_allowlisting &&
+ ss_len == sizeof(LEVEL_SYSTEM) - 1 &&
+ strncmp(LEVEL_SYSTEM, ss, ss_len) == 0) {
+ p = resolve_priorities_from_system_wide_allowlisting();
+ } else {
+ p = _name_val_array_value(system_wide_priority_strings, ss, ss_len);
+ }
_gnutls_debug_log("resolved '%.*s' to '%s', next '%.*s'\n",
ss_len, ss, S(p), ss_next_len, S(ss_next));
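Review bot: The new branch intercepts the name `SYSTEM` before the `[priorities]` lookup whenever allowlisting is active, and nothing in the code says so. In that mode a `SYSTEM` key in the configuration file is never consulted, and the match is case-sensitive (`strncmp`) while section and key names elsewhere in this file are compared with `c_strcasecmp`. I would add a comment above the `if`, for example `/* in allowlisting mode @SYSTEM is generated from the [overrides] allow lists and takes precedence over a SYSTEM key in [priorities] */`, and state whether the case-sensitive match is intended. The enclosing function starts and ends outside this hunk.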
@@ -1548,48 +2116,52 @@
priority_cache->groups.size = 0;
priority_cache->groups.have_ffdhe = 0;
- /* disable key exchanges which are globally disabled */
- z = 0;
- while (system_wide_disabled_kxs[z] != 0) {
- for (i = j = 0; i < priority_cache->_kx.num_priorities; i++) {
- if (priority_cache->_kx.priorities[i] != system_wide_disabled_kxs[z])
- priority_cache->_kx.priorities[j++] = priority_cache->_kx.priorities[i];
- }
- priority_cache->_kx.num_priorities = j;
- z++;
- }
-
- /* disable groups which are globally disabled */
- z = 0;
- while (system_wide_disabled_groups[z] != 0) {
- for (i = j = 0; i < priority_cache->_supported_ecc.num_priorities; i++) {
- if (priority_cache->_supported_ecc.priorities[i] != system_wide_disabled_groups[z])
- priority_cache->_supported_ecc.priorities[j++] = priority_cache->_supported_ecc.priorities[i];
- }
- priority_cache->_supported_ecc.num_priorities = j;
- z++;
- }
-
- /* disable ciphers which are globally disabled */
- z = 0;
- while (system_wide_disabled_ciphers[z] != 0) {
- for (i = j = 0; i < priority_cache->_cipher.num_priorities; i++) {
- if (priority_cache->_cipher.priorities[i] != system_wide_disabled_ciphers[z])
- priority_cache->_cipher.priorities[j++] = priority_cache->_cipher.priorities[i];
- }
- priority_cache->_cipher.num_priorities = j;
- z++;
- }
-
- /* disable MACs which are globally disabled */
- z = 0;
- while (system_wide_disabled_macs[z] != 0) {
- for (i = j = 0; i < priority_cache->_mac.num_priorities; i++) {
- if (priority_cache->_mac.priorities[i] != system_wide_disabled_macs[z])
- priority_cache->_mac.priorities[j++] = priority_cache->_mac.priorities[i];
+ /* in blocklisting mode, apply system wide disablement of key exchanges,
+ * groups, MACs, and ciphers. */
+ if (!system_wide_allowlisting) {
+ /* disable key exchanges which are globally disabled */
+ z = 0;
+ while (system_wide_tls_kxs[z] != 0) {
+ for (i = j = 0; i < priority_cache->_kx.num_priorities; i++) {
+ if (priority_cache->_kx.priorities[i] != system_wide_tls_kxs[z])
+ priority_cache->_kx.priorities[j++] = priority_cache->_kx.priorities[i];
+ }
+ priority_cache->_kx.num_priorities = j;
+ z++;
+ }
+
+ /* disable groups which are globally disabled */
+ z = 0;
+ while (system_wide_tls_groups[z] != 0) {
+ for (i = j = 0; i < priority_cache->_supported_ecc.num_priorities; i++) {
+ if (priority_cache->_supported_ecc.priorities[i] != system_wide_tls_groups[z])
+ priority_cache->_supported_ecc.priorities[j++] = priority_cache->_supported_ecc.priorities[i];
+ }
+ priority_cache->_supported_ecc.num_priorities = j;
+ z++;
+ }
+
+ /* disable ciphers which are globally disabled */
+ z = 0;
+ while (system_wide_tls_ciphers[z] != 0) {
+ for (i = j = 0; i < priority_cache->_cipher.num_priorities; i++) {
+ if (priority_cache->_cipher.priorities[i] != system_wide_tls_ciphers[z])
+ priority_cache->_cipher.priorities[j++] = priority_cache->_cipher.priorities[i];
+ }
+ priority_cache->_cipher.num_priorities = j;
+ z++;
+ }
+
+ /* disable MACs which are globally disabled */
+ z = 0;
+ while (system_wide_tls_macs[z] != 0) {
+ for (i = j = 0; i < priority_cache->_mac.num_priorities; i++) {
+ if (priority_cache->_mac.priorities[i] != system_wide_tls_macs[z])
+ priority_cache->_mac.priorities[j++] = priority_cache->_mac.priorities[i];
+ }
+ priority_cache->_mac.num_priorities = j;
+ z++;
}
- priority_cache->_mac.num_priorities = j;
- z++;
}
for (j=0;j<priority_cache->_cipher.num_priorities;j++) {
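Review bot: With the four filter loops skipped when `system_wide_allowlisting` is set, nothing in this hunk restricts key exchanges, groups, ciphers or MACs for a priority string the application supplies itself; in that mode the `system_wide_tls_*` lists appear to take effect only when @SYSTEM is resolved. If that is the intended contract, the new comment should say so, e.g. `/* in allowlisting mode these lists are applied only through @SYSTEM; caller-supplied priority strings are not filtered here */`, so that an administrator does not assume the allowlist constrains every application. The renamed arrays now mean "disabled" in one mode and "enabled" in the other, while the inner comments still read "globally disabled"; a short note on that dual meaning would prevent misreading. The enclosing function starts and ends outside the hunk.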
@@ -1737,10 +2309,15 @@
for (i = 0; i < priority_cache->_sign_algo.num_priorities; i++) {
se = _gnutls_sign_to_entry(priority_cache->_sign_algo.priorities[i]);
if (se != NULL && priority_cache->sigalg.size < sizeof(priority_cache->sigalg.entry)/sizeof(priority_cache->sigalg.entry[0])) {
- /* if the signature algorithm semantics are not compatible with
- * the protocol's, then skip. */
- if ((se->aid.tls_sem & tls_sig_sem) == 0)
+ /* if the signature algorithm semantics is not
+ * compatible with the protocol's, or the algorithm is
+ * marked as insecure, then skip. */
+ if ((se->aid.tls_sem & tls_sig_sem) == 0 ||
+ !_gnutls_sign_is_secure2(se, system_wide_allowlisting ?
+ GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE :
+ 0)) {
continue;
+ }
priority_cache->sigalg.entry[priority_cache->sigalg.size++] = se;
}
}
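Review bot: The new comment says algorithms marked insecure are skipped, but in allowlisting mode the call passes `GNUTLS_SIGN_FLAG_ALLOW_INSECURE_REVERTIBLE`, which by its name relaxes that check rather than tightening it. The reason belongs next to the ternary, for example `/* allowlisting: revertibly-insecure entries are accepted here; the allowlist is enforced in <PLACE> */`, with the placeholder filled in by someone who knows where that happens, since it cannot be told from the visible lines. The added condition also changes blocklisting mode (flags `0`): entries rejected by `_gnutls_sign_is_secure2` are now dropped from `sigalg.entry`, where previously only the `tls_sem` mask was tested, and the comment should mention that this applies in both modes. The loop's enclosing function lies outside the hunk.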
@@ -2017,6 +2594,9 @@
(*priority_cache)->min_record_version = 1;
gnutls_atomic_init(&(*priority_cache)->usage_cnt);
+ if (system_wide_allowlisting && !priorities) {
+ priorities = "@" LEVEL_SYSTEM;
+ }
if (priorities == NULL) {
priorities = _gnutls_default_priority_string;
resolved_match = 0;
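Review bot: The added test is written `!priorities` while the check directly below uses `priorities == NULL`; using one form, `if (system_wide_allowlisting && priorities == NULL) {`, makes it clear that both conditions handle the same case. Because the new branch runs first, the existing NULL branch (built-in default string, `resolved_match = 0`) is never taken in allowlisting mode, which deserves a comment such as `/* allowlisting: NULL means @SYSTEM, never the built-in default */`. What happens when @SYSTEM then fails to resolve is outside the hunk; it should be checked that this returns an error instead of falling back to `_gnutls_default_priority_string`, since a fallback would let applications that pass NULL bypass the allowlist.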
@@ -2150,7 +2730,7 @@
_supported_groups_gost);
} else {
if ((algo =
- gnutls_group_get_id
+ _gnutls_group_get_id
(&broken_list[i][7])) !=
GNUTLS_GROUP_INVALID)
fn(&(*priority_cache)->
diff -ruN gnutls-3.7.2/Makefile.in gnutls-3.7.2-bootstrapped/Makefile.in
--- gnutls-3.7.2/Makefile.in 2021-05-29 10:11:20.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/Makefile.in 2021-06-28 09:11:37.000000000 +0200
@@ -35,7 +35,7 @@
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
# aminclude_static.am generated automatically by Autoconf
-# from AX_AM_MACROS_STATIC on Sat May 29 10:11:18 CEST 2021
+# from AX_AM_MACROS_STATIC on Mon Jun 28 09:11:35 CEST 2021
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
diff -ruN gnutls-3.7.2/NEWS gnutls-3.7.2-bootstrapped/NEWS
--- gnutls-3.7.2/NEWS 2021-05-29 10:08:56.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/NEWS 2021-06-28 09:09:14.000000000 +0200
@@ -5,6 +5,23 @@
Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
See the end for copying conditions.
+* Version 3.7.3 (unreleased)
+
+** libgnutls: The allowlisting configuration mode has been added to the system-wide
+ settings. In this mode, all the algorithms are initially marked as insecure
+ or disabled, while the applications can re-enable them either through the
+ [overrides] section of the configuration file or the new API (#1172).
+
+** API and ABI modifications:
+gnutls_ecc_curve_mark_disabled: Added.
+gnutls_ecc_curve_mark_enabled: Added.
+gnutls_sign_mark_insecure: Added.
+gnutls_sign_mark_secure: Added.
+gnutls_digest_mark_insecure: Added.
+gnutls_digest_mark_secure: Added.
+gnutls_protocol_mark_disabled: Added.
+gnutls_protocol_mark_enabled: Added.
+
* Version 3.7.2 (released 2021-05-29)
** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added
diff -ruN gnutls-3.7.2/po/cs.po gnutls-3.7.2-bootstrapped/po/cs.po
--- gnutls-3.7.2/po/cs.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/cs.po 2021-06-28 09:35:00.000000000 +0200
@@ -9,7 +9,7 @@
msgstr ""
"Project-Id-Version: gnutls 3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-06-18 07:01+02:00\n"
"Last-Translator: Petr Pisar <petr.pisar@atlas.cz>\n"
"Language-Team: Czech <translation-team-cs@lists.sourceforge.net>\n"
diff -ruN gnutls-3.7.2/po/de.po gnutls-3.7.2-bootstrapped/po/de.po
--- gnutls-3.7.2/po/de.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/de.po 2021-06-28 09:35:00.000000000 +0200
@@ -10,7 +10,7 @@
msgstr ""
"Project-Id-Version: gnutls 3.2.3\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-05-16 20:42+0200\n"
"Last-Translator: Roland Illig <roland.illig@gmx.de>\n"
"Language-Team: German <translation-team-de@lists.sourceforge.net>\n"
diff -ruN gnutls-3.7.2/po/eo.po gnutls-3.7.2-bootstrapped/po/eo.po
--- gnutls-3.7.2/po/eo.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/eo.po 2021-06-28 09:35:00.000000000 +0200
@@ -7,7 +7,7 @@
msgstr ""
"Project-Id-Version: gnutls 3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-07-15 13:25-0300\n"
"Last-Translator: Felipe Castro <fefcas@gmail.com>\n"
"Language-Team: Esperanto <translation-team-eo@lists.sourceforge.net>\n"
diff -ruN gnutls-3.7.2/po/es.po gnutls-3.7.2-bootstrapped/po/es.po
--- gnutls-3.7.2/po/es.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/es.po 2021-06-28 09:35:00.000000000 +0200
@@ -7,7 +7,7 @@
msgstr ""
"Project-Id-Version: libgnutls 3.2.3\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2018-05-02 19:11+0200\n"
"Last-Translator: Francisco Javier Serrador <fserrador@gmail.com>\n"
"Language-Team: Spanish <es@tp.org.es>\n"
diff -ruN gnutls-3.7.2/po/fi.po gnutls-3.7.2-bootstrapped/po/fi.po
--- gnutls-3.7.2/po/fi.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/fi.po 2021-06-28 09:35:00.000000000 +0200
@@ -7,7 +7,7 @@
msgstr ""
"Project-Id-Version: libgnutls 3.2.1\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2013-06-19 17:09+0300\n"
"Last-Translator: Jorma Karvonen <karvonen.jorma@gmail.com>\n"
"Language-Team: Finnish <translation-team-fi@lists.sourceforge.net>\n"
diff -ruN gnutls-3.7.2/po/fr.po gnutls-3.7.2-bootstrapped/po/fr.po
--- gnutls-3.7.2/po/fr.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/fr.po 2021-06-28 09:35:00.000000000 +0200
@@ -12,7 +12,7 @@
msgstr ""
"Project-Id-Version: gnutls 3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-08-12 01:03+0200\n"
"Last-Translator: Stéphane Aulery <lkppo@free.fr>\n"
"Language-Team: French <traduc@traduc.org>\n"
diff -ruN gnutls-3.7.2/po/gnutls.pot gnutls-3.7.2-bootstrapped/po/gnutls.pot
--- gnutls-3.7.2/po/gnutls.pot 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/gnutls.pot 2021-06-28 09:35:00.000000000 +0200
@@ -8,7 +8,7 @@
msgstr ""
"Project-Id-Version: gnutls 3.7.2\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
diff -ruN gnutls-3.7.2/po/it.po gnutls-3.7.2-bootstrapped/po/it.po
--- gnutls-3.7.2/po/it.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/it.po 2021-06-28 09:35:00.000000000 +0200
@@ -8,7 +8,7 @@
msgstr ""
"Project-Id-Version: gnutls-3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-08-02 11:43+0200\n"
"Last-Translator: Milo Casagrande <milo@milo.name>\n"
"Language-Team: Italian <tp@lists.linux.it>\n"
Binary files gnutls-3.7.2/po/ms.gmo and gnutls-3.7.2-bootstrapped/po/ms.gmo differ
diff -ruN gnutls-3.7.2/po/ms.po gnutls-3.7.2-bootstrapped/po/ms.po
--- gnutls-3.7.2/po/ms.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/ms.po 2021-06-28 09:35:00.000000000 +0200
@@ -7,8 +7,8 @@
msgstr ""
"Project-Id-Version: gnutls 3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
-"PO-Revision-Date: 2021-04-20 16:03+0800\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
+"PO-Revision-Date: 2021-06-14 00:17+0800\n"
"Last-Translator: Sharuzzaman Ahmat Raslan <sharuzzaman@gmail.com>\n"
"Language-Team: Malay <translation-team-ms@lists.sourceforge.net>\n"
"Language: ms\n"
@@ -16,7 +16,7 @@
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Bugs: Report translation errors to the Language-Team address.\n"
-"X-Generator: Poedit 2.4.2\n"
+"X-Generator: Poedit 3.0\n"
#: lib/alert.c:39
msgid "Close notify"
@@ -139,7 +139,7 @@
#: lib/alert.c:83
#, fuzzy
msgid "An extension was expected but was not seen"
-msgstr "')' dijangka\n"
+msgstr "Sambungan tidak disokong telah dihantar"
#: lib/alert.c:86
msgid "No supported application protocol could be negotiated"
@@ -1224,20 +1224,19 @@
msgstr "%s\t\t\tnamaLain OID: %.*s\n"
#: lib/x509/output.c:152
-#, fuzzy, c-format
-#| msgid "\t\t\tXMPP Address: %.*s\n"
+#, c-format
msgid "%sXMPP Address: %.*s\n"
-msgstr "\t\t\tAlamat XMPP: %.*s\n"
+msgstr "%sAlamat XMPP: %.*s\n"
#: lib/x509/output.c:156
-#, fuzzy, c-format
+#, c-format
msgid "%sKRB5Principal: %.*s\n"
-msgstr "%s: %s.\n"
+msgstr "%sKRB5Principal: %.*s\n"
#: lib/x509/output.c:160
-#, fuzzy, c-format
+#, c-format
msgid "%sUnknown name: "
-msgstr "Nama"
+msgstr "%sNama tidak diketahui: "
#: lib/x509/output.c:302
#, c-format
@@ -1266,14 +1265,14 @@
"\t\t\tLambakan Hex: "
#: lib/x509/output.c:347
-#, fuzzy, c-format
+#, c-format
msgid "%s\t\t\tPermitted:\n"
-msgstr "TDB: Tulis tidak dibenarkan"
+msgstr "%s\t\t\tDibenarkan:\n"
#: lib/x509/output.c:359
-#, fuzzy, c-format
+#, c-format
msgid "%s\t\t\tExcluded:\n"
-msgstr "%s%s: %.*s (%s)\n"
+msgstr "%s\t\t\tDikecualikan:\n"
#: lib/x509/output.c:399 lib/x509/output.c:401 lib/x509/output.c:403
#, c-format
diff -ruN gnutls-3.7.2/po/nl.po gnutls-3.7.2-bootstrapped/po/nl.po
--- gnutls-3.7.2/po/nl.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/nl.po 2021-06-28 09:35:00.000000000 +0200
@@ -10,7 +10,7 @@
msgstr ""
"Project-Id-Version: libgnutls-3.2.1\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2013-06-13 19:56+0200\n"
"Last-Translator: Benno Schulenberg <benno@vertaalt.nl>\n"
"Language-Team: Dutch <vertaling@vrijschrift.org>\n"
diff -ruN gnutls-3.7.2/po/pl.po gnutls-3.7.2-bootstrapped/po/pl.po
--- gnutls-3.7.2/po/pl.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/pl.po 2021-06-28 09:35:00.000000000 +0200
@@ -7,7 +7,7 @@
msgstr ""
"Project-Id-Version: gnutls-3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-06-01 08:22+0200\n"
"Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
"Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
diff -ruN gnutls-3.7.2/po/pt_BR.po gnutls-3.7.2-bootstrapped/po/pt_BR.po
--- gnutls-3.7.2/po/pt_BR.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/pt_BR.po 2021-06-28 09:35:00.000000000 +0200
@@ -7,7 +7,7 @@
msgstr ""
"Project-Id-Version: gnutls 3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-06-11 03:55-0200\n"
"Last-Translator: Rafael Fontenelle <rafaelff@gnome.org>\n"
"Language-Team: Brazilian Portuguese <ldpbr-translation@lists.sourceforge."
diff -ruN gnutls-3.7.2/po/sr.po gnutls-3.7.2-bootstrapped/po/sr.po
--- gnutls-3.7.2/po/sr.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/sr.po 2021-06-28 09:35:00.000000000 +0200
@@ -6,7 +6,7 @@
msgstr ""
"Project-Id-Version: gnutls-3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2020-08-04 15:21+0200\n"
"Last-Translator: Мирослав Николић <miroslavnikolic@rocketmail.com>\n"
"Language-Team: Serbian <(nothing)>\n"
diff -ruN gnutls-3.7.2/po/sv.po gnutls-3.7.2-bootstrapped/po/sv.po
--- gnutls-3.7.2/po/sv.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/sv.po 2021-06-28 09:35:00.000000000 +0200
@@ -8,7 +8,7 @@
msgstr ""
"Project-Id-Version: libgnutls 3.2.3\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2017-06-22 13:44+0200\n"
"Last-Translator: Anders Jonsson <anders.jonsson@norsjovallen.se>\n"
"Language-Team: Swedish <tp-sv@listor.tp-sv.se>\n"
diff -ruN gnutls-3.7.2/po/uk.po gnutls-3.7.2-bootstrapped/po/uk.po
--- gnutls-3.7.2/po/uk.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/uk.po 2021-06-28 09:35:00.000000000 +0200
@@ -8,7 +8,7 @@
msgstr ""
"Project-Id-Version: gnutls 3.6.8\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2019-06-06 21:38+0300\n"
"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
"Language-Team: Ukrainian <trans-uk@lists.fedoraproject.org>\n"
diff -ruN gnutls-3.7.2/po/vi.po gnutls-3.7.2-bootstrapped/po/vi.po
--- gnutls-3.7.2/po/vi.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/vi.po 2021-06-28 09:35:00.000000000 +0200
@@ -8,7 +8,7 @@
msgstr ""
"Project-Id-Version: libgnutls-3.2.3\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2013-08-06 07:13+0700\n"
"Last-Translator: Trần Ngọc Quân <vnwildman@gmail.com>\n"
"Language-Team: Vietnamese <translation-team-vi@lists.sourceforge.net>\n"
diff -ruN gnutls-3.7.2/po/zh_CN.po gnutls-3.7.2-bootstrapped/po/zh_CN.po
--- gnutls-3.7.2/po/zh_CN.po 2021-05-29 10:15:00.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/po/zh_CN.po 2021-06-28 09:35:00.000000000 +0200
@@ -10,7 +10,7 @@
msgstr ""
"Project-Id-Version: libgnutls 3.2.3\n"
"Report-Msgid-Bugs-To: bug-gnutls@gnu.org\n"
-"POT-Creation-Date: 2021-05-29 10:15+0200\n"
+"POT-Creation-Date: 2021-06-28 09:35+0200\n"
"PO-Revision-Date: 2015-11-10 09:47-0500\n"
"Last-Translator: Mingye Wang (Arthur2e5) <arthur200126@gmail.com>\n"
"Language-Team: Chinese (simplified) <i18n-zh@googlegroups.com>\n"
diff -ruN gnutls-3.7.2/src/p11tool-args.def gnutls-3.7.2-bootstrapped/src/p11tool-args.def
--- gnutls-3.7.2/src/p11tool-args.def 2021-04-19 09:28:28.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/src/p11tool-args.def 2021-06-25 17:46:01.000000000 +0200
@@ -268,8 +268,9 @@
flag = {
name = write;
descrip = "Writes the loaded objects to a PKCS #11 token";
- doc = "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
- one of --load-privkey, --load-pubkey, --load-certificate option.";
+ doc = "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option.
+
+When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.";
};
flag = {
diff -ruN gnutls-3.7.2/tests/Makefile.am gnutls-3.7.2-bootstrapped/tests/Makefile.am
--- gnutls-3.7.2/tests/Makefile.am 2021-05-27 08:10:21.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/tests/Makefile.am 2021-06-28 09:09:42.000000000 +0200
@@ -108,7 +108,7 @@
libutils_la_SOURCES = utils.h utils.c seccomp.c utils-adv.c
libutils_la_LIBADD = ../lib/libgnutls.la
-indirect_tests = system-override-hash system-override-sig
+indirect_tests = system-override-hash system-override-sig system-override-sig-tls
ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \
tls13/post-handshake-with-cert tls13/post-handshake-without-cert \
@@ -509,7 +509,13 @@
dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \
system-override-versions.sh system-override-invalid.sh \
system-override-curves.sh system-override-profiles.sh system-override-tls.sh \
- system-override-kx.sh system-override-default-priority-string.sh
+ system-override-kx.sh system-override-default-priority-string.sh \
+ system-override-sig-tls.sh
+
+dist_check_SCRIPTS += system-override-sig-allowlist.sh \
+ system-override-hash-allowlist.sh \
+ system-override-versions-allowlist.sh \
+ system-override-curves-allowlist.sh
endif
dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh
@@ -605,6 +611,7 @@
endif
TEST_EXTENSIONS = .sh
+SH_LOG_COMPILER = $(SHELL)
LOG_COMPILER = $(VALGRIND)
distclean-local:
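Review bot: Setting `SH_LOG_COMPILER = $(SHELL)` makes every `.sh` test run as `$(SHELL) script`, so each script's own `#!` line is no longer honoured. Any test script that names a different interpreter and relies on its extensions would now be executed by whatever shell configure selected; the scripts are not visible here, so this needs checking against the tree. A comment above the assignment, e.g. `# .sh tests run under $(SHELL); scripts must not depend on their shebang`, would record the constraint for future test authors. The same assignment is added in tests/suite/Makefile.am.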
diff -ruN gnutls-3.7.2/tests/Makefile.in gnutls-3.7.2-bootstrapped/tests/Makefile.in
--- gnutls-3.7.2/tests/Makefile.in 2021-05-29 10:11:25.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/tests/Makefile.in 2021-06-28 09:11:42.000000000 +0200
@@ -191,11 +191,20 @@
@WINDOWS_FALSE@ gnutls-cli-resume.sh profile-tests.sh \
@WINDOWS_FALSE@ server-weak-keys.sh
@WINDOWS_FALSE@am__append_17 = dtls-stress
-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@am__append_18 = system-override-sig.sh system-override-hash.sh \
-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-versions.sh system-override-invalid.sh \
-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-curves.sh system-override-profiles.sh system-override-tls.sh \
-@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-kx.sh system-override-default-priority-string.sh
-
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@am__append_18 = system-override-sig.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-hash.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-versions.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-invalid.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-curves.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-profiles.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-tls.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-kx.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-default-priority-string.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-sig-tls.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-sig-allowlist.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-hash-allowlist.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-versions-allowlist.sh \
+@DISABLE_SYSTEM_CONFIG_FALSE@@WINDOWS_FALSE@ system-override-curves-allowlist.sh
@WINDOWS_FALSE@am__append_19 = gnutls-cli-self-signed.sh \
@WINDOWS_FALSE@ gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh \
@WINDOWS_FALSE@ dh-fips-approved.sh
@@ -662,8 +671,8 @@
@ENABLE_PKCS11_TRUE@@HAVE_PKCS11_TRUST_STORE_TRUE@@P11KIT_0_23_11_API_TRUE@@WINDOWS_FALSE@ pkcs11/list-objects$(EXEEXT)
@WINDOWS_FALSE@am__EXEEXT_18 = datefudge-check$(EXEEXT)
am__EXEEXT_19 = system-override-hash$(EXEEXT) \
- system-override-sig$(EXEEXT) $(am__EXEEXT_16) $(am__EXEEXT_17) \
- $(am__EXEEXT_18)
+ system-override-sig$(EXEEXT) system-override-sig-tls$(EXEEXT) \
+ $(am__EXEEXT_16) $(am__EXEEXT_17) $(am__EXEEXT_18)
PROGRAMS = $(noinst_PROGRAMS)
LTLIBRARIES = $(noinst_LTLIBRARIES)
@ENABLE_PKCS11_TRUE@@WINDOWS_FALSE@libpkcs11mock1_la_DEPENDENCIES = \
@@ -2366,6 +2375,11 @@
system_override_sig_LDADD = $(LDADD)
system_override_sig_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) libutils.la \
$(am__DEPENDENCIES_2)
+system_override_sig_tls_SOURCES = system-override-sig-tls.c
+system_override_sig_tls_OBJECTS = system-override-sig-tls.$(OBJEXT)
+system_override_sig_tls_LDADD = $(LDADD)
+system_override_sig_tls_DEPENDENCIES = $(COMMON_GNUTLS_LDADD) \
+ libutils.la $(am__DEPENDENCIES_2)
system_prio_file_SOURCES = system-prio-file.c
system_prio_file_OBJECTS = system-prio-file.$(OBJEXT)
system_prio_file_LDADD = $(LDADD)
@@ -2997,10 +3011,13 @@
system-override-profiles.sh system-override-tls.sh \
system-override-kx.sh \
system-override-default-priority-string.sh \
- gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh \
- gnutls-cli-rawpk.sh dh-fips-approved.sh p11-kit-trust.sh \
- testpkcs11.sh certtool-pkcs11.sh p11-kit-load.sh danetool.sh \
- tpmtool_test.sh
+ system-override-sig-tls.sh system-override-sig-allowlist.sh \
+ system-override-hash-allowlist.sh \
+ system-override-versions-allowlist.sh \
+ system-override-curves-allowlist.sh gnutls-cli-self-signed.sh \
+ gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh \
+ dh-fips-approved.sh p11-kit-trust.sh testpkcs11.sh \
+ certtool-pkcs11.sh p11-kit-load.sh danetool.sh tpmtool_test.sh
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -3216,6 +3233,7 @@
./$(DEPDIR)/status-request.Po ./$(DEPDIR)/str-idna.Po \
./$(DEPDIR)/str-unicode.Po ./$(DEPDIR)/strict-der.Po \
./$(DEPDIR)/system-override-hash.Po \
+ ./$(DEPDIR)/system-override-sig-tls.Po \
./$(DEPDIR)/system-override-sig.Po \
./$(DEPDIR)/system-prio-file.Po ./$(DEPDIR)/time.Po \
./$(DEPDIR)/tls-channel-binding.Po \
@@ -3522,16 +3540,16 @@
ssl30-server-kx-neg.c status-request.c status-request-ext.c \
status-request-ok.c status-request-revoked.c str-idna.c \
str-unicode.c strict-der.c system-override-hash.c \
- system-override-sig.c system-prio-file.c time.c \
- tls-channel-binding.c tls-client-with-seccomp.c \
- tls-crt_type-neg.c tls-etm.c tls-ext-not-in-dtls.c \
- tls-ext-register.c tls-force-etm.c tls-neg-ext-key.c \
- tls-neg-ext4-key.c tls-pthread.c tls-record-size-limit.c \
- tls-record-size-limit-asym.c tls-session-ext-override.c \
- tls-session-ext-register.c tls-session-supplemental.c \
- tls-supplemental.c tls-with-seccomp.c \
- $(tls10_cert_key_exchange_SOURCES) tls10-cipher-neg.c \
- tls10-prf.c tls10-server-kx-neg.c \
+ system-override-sig.c system-override-sig-tls.c \
+ system-prio-file.c time.c tls-channel-binding.c \
+ tls-client-with-seccomp.c tls-crt_type-neg.c tls-etm.c \
+ tls-ext-not-in-dtls.c tls-ext-register.c tls-force-etm.c \
+ tls-neg-ext-key.c tls-neg-ext4-key.c tls-pthread.c \
+ tls-record-size-limit.c tls-record-size-limit-asym.c \
+ tls-session-ext-override.c tls-session-ext-register.c \
+ tls-session-supplemental.c tls-supplemental.c \
+ tls-with-seccomp.c $(tls10_cert_key_exchange_SOURCES) \
+ tls10-cipher-neg.c tls10-prf.c tls10-server-kx-neg.c \
$(tls11_cert_key_exchange_SOURCES) \
$(tls11_check_rollback_val_SOURCES) tls11-cipher-neg.c \
$(tls11_rollback_detection_SOURCES) tls11-server-kx-neg.c \
@@ -3707,16 +3725,16 @@
ssl30-server-kx-neg.c status-request.c status-request-ext.c \
status-request-ok.c status-request-revoked.c str-idna.c \
str-unicode.c strict-der.c system-override-hash.c \
- system-override-sig.c system-prio-file.c time.c \
- tls-channel-binding.c tls-client-with-seccomp.c \
- tls-crt_type-neg.c tls-etm.c tls-ext-not-in-dtls.c \
- tls-ext-register.c tls-force-etm.c tls-neg-ext-key.c \
- tls-neg-ext4-key.c tls-pthread.c tls-record-size-limit.c \
- tls-record-size-limit-asym.c tls-session-ext-override.c \
- tls-session-ext-register.c tls-session-supplemental.c \
- tls-supplemental.c tls-with-seccomp.c \
- $(tls10_cert_key_exchange_SOURCES) tls10-cipher-neg.c \
- tls10-prf.c tls10-server-kx-neg.c \
+ system-override-sig.c system-override-sig-tls.c \
+ system-prio-file.c time.c tls-channel-binding.c \
+ tls-client-with-seccomp.c tls-crt_type-neg.c tls-etm.c \
+ tls-ext-not-in-dtls.c tls-ext-register.c tls-force-etm.c \
+ tls-neg-ext-key.c tls-neg-ext4-key.c tls-pthread.c \
+ tls-record-size-limit.c tls-record-size-limit-asym.c \
+ tls-session-ext-override.c tls-session-ext-register.c \
+ tls-session-supplemental.c tls-supplemental.c \
+ tls-with-seccomp.c $(tls10_cert_key_exchange_SOURCES) \
+ tls10-cipher-neg.c tls10-prf.c tls10-server-kx-neg.c \
$(tls11_cert_key_exchange_SOURCES) \
$(tls11_check_rollback_val_SOURCES) tls11-cipher-neg.c \
$(tls11_rollback_detection_SOURCES) tls11-server-kx-neg.c \
@@ -5822,7 +5840,8 @@
libutils_la_SOURCES = utils.h utils.c seccomp.c utils-adv.c
libutils_la_LIBADD = ../lib/libgnutls.la
indirect_tests = system-override-hash system-override-sig \
- $(am__append_17) $(am__append_22) $(am__append_28)
+ system-override-sig-tls $(am__append_17) $(am__append_22) \
+ $(am__append_28)
ctests = tls13/supported_versions tls13/tls12-no-tls13-exts \
tls13/post-handshake-with-cert \
tls13/post-handshake-without-cert tls13/cookie tls13/key_share \
@@ -6115,6 +6134,7 @@
@ENABLE_CXX_TRUE@@HAVE_CMOCKA_TRUE@ -I$(top_builddir)/gl
TEST_EXTENSIONS = .sh
+SH_LOG_COMPILER = $(SHELL)
LOG_COMPILER = $(VALGRIND)
all: all-recursive
@@ -7590,6 +7610,10 @@
@rm -f system-override-sig$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(system_override_sig_OBJECTS) $(system_override_sig_LDADD) $(LIBS)
+system-override-sig-tls$(EXEEXT): $(system_override_sig_tls_OBJECTS) $(system_override_sig_tls_DEPENDENCIES) $(EXTRA_system_override_sig_tls_DEPENDENCIES)
+ @rm -f system-override-sig-tls$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(system_override_sig_tls_OBJECTS) $(system_override_sig_tls_LDADD) $(LIBS)
+
system-prio-file$(EXEEXT): $(system_prio_file_OBJECTS) $(system_prio_file_DEPENDENCIES) $(EXTRA_system_prio_file_DEPENDENCIES)
@rm -f system-prio-file$(EXEEXT)
$(AM_V_CCLD)$(LINK) $(system_prio_file_OBJECTS) $(system_prio_file_LDADD) $(LIBS)
@@ -8396,6 +8420,7 @@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/str-unicode.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strict-der.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-hash.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-sig-tls.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-override-sig.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system-prio-file.Po@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/time.Po@am__quote@ # am--include-marker
@@ -12588,6 +12613,7 @@
-rm -f ./$(DEPDIR)/str-unicode.Po
-rm -f ./$(DEPDIR)/strict-der.Po
-rm -f ./$(DEPDIR)/system-override-hash.Po
+ -rm -f ./$(DEPDIR)/system-override-sig-tls.Po
-rm -f ./$(DEPDIR)/system-override-sig.Po
-rm -f ./$(DEPDIR)/system-prio-file.Po
-rm -f ./$(DEPDIR)/time.Po
@@ -13075,6 +13101,7 @@
-rm -f ./$(DEPDIR)/str-unicode.Po
-rm -f ./$(DEPDIR)/strict-der.Po
-rm -f ./$(DEPDIR)/system-override-hash.Po
+ -rm -f ./$(DEPDIR)/system-override-sig-tls.Po
-rm -f ./$(DEPDIR)/system-override-sig.Po
-rm -f ./$(DEPDIR)/system-prio-file.Po
-rm -f ./$(DEPDIR)/time.Po
diff -ruN gnutls-3.7.2/tests/suite/Makefile.am gnutls-3.7.2-bootstrapped/tests/suite/Makefile.am
--- gnutls-3.7.2/tests/suite/Makefile.am 2021-05-27 08:08:22.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/tests/suite/Makefile.am 2021-06-28 09:09:42.000000000 +0200
@@ -115,4 +115,5 @@
prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)
TEST_EXTENSIONS = .sh
+SH_LOG_COMPILER = $(SHELL)
LOG_COMPILER = $(VALGRIND)
diff -ruN gnutls-3.7.2/tests/suite/Makefile.in gnutls-3.7.2-bootstrapped/tests/suite/Makefile.in
--- gnutls-3.7.2/tests/suite/Makefile.in 2021-05-29 10:11:26.000000000 +0200
+++ gnutls-3.7.2-bootstrapped/tests/suite/Makefile.in 2021-06-28 09:11:43.000000000 +0200
@@ -2351,6 +2351,7 @@
nodist_check_SCRIPTS = $(scripts_to_test)
prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)
TEST_EXTENSIONS = .sh
+SH_LOG_COMPILER = $(SHELL)
LOG_COMPILER = $(VALGRIND)
all: all-am
diff -ruN gnutls-3.7.2/tests/system-override-curves-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-curves-allowlist.sh
--- gnutls-3.7.2/tests/system-override-curves-allowlist.sh 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/tests/system-override-curves-allowlist.sh 2021-06-28 09:09:14.000000000 +0200
@@ -0,0 +1,113 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>
+
+: ${srcdir=.}
+: ${SERV=../src/gnutls-serv${EXEEXT}}
+: ${CLI=../src/gnutls-cli${EXEEXT}}
+TMPFILE=config.$$.tmp
+TMPFILE2=log.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+if ! test -x "${SERV}"; then
+ exit 77
+fi
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/scripts/common.sh"
+
+# This test doesn't work in FIPS mode
+if test -n "${GNUTLS_FORCE_FIPS_MODE}" && test "${GNUTLS_FORCE_FIPS_MODE}" != 0; then
+ exit 77
+fi
+
+# We intentionally add stray spaces and tabs to check our parser
+cat <<_EOF_ > ${TMPFILE}
+[global]
+override-mode = allowlist
+
+[overrides]
+enabled-curve = secp384r1
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+export GNUTLS_DEBUG_LEVEL=3
+
+"${CLI}" --list|grep ^Groups >${TMPFILE2}
+cat ${TMPFILE2}
+if grep -i "SECP256R1" ${TMPFILE2} || grep -i "SECP521R1" ${TMPFILE2};then
+ echo "Found disabled curve with --list"
+ exit 1
+fi
+
+if ! grep -i "SECP384R1" ${TMPFILE2};then
+ echo "Could not found secp384r1"
+ exit 1
+fi
+
+# Try whether a client connection with a disabled curve will succeed.
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null ||
+ fail "expected connection to succeed (1)"
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (2)"
+
+kill ${PID}
+wait
+
+# Try whether a server connection with a disabled curve will succeed.
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (2)"
+
+kill ${PID}
+wait
+
+exit 0
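Review bot: The two negative checks (`... --logfile ${TMPFILE2} </dev/null >/dev/null && fail "expected connection to fail (2)"`) accept any non-zero exit from gnutls-cli as proof that the curve allowlist rejected the handshake. The log written through `--logfile` is never inspected, so a failure unrelated to curve policy would also let the test pass. Checking `${TMPFILE2}` for the expected handshake error after each negative case would tie the result to the policy under test. Both negative checks also carry the label "(2)"; changing the last one to `fail "expected connection to fail (3)"` makes a failing run identifiable. The same unverified negative pattern appears in system-override-versions-allowlist.sh.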
diff -ruN gnutls-3.7.2/tests/system-override-hash-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-hash-allowlist.sh
--- gnutls-3.7.2/tests/system-override-hash-allowlist.sh 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/tests/system-override-hash-allowlist.sh 2021-06-28 09:09:14.000000000 +0200
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Nikos Mavrogiannopoulos
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${builddir=.}
+TMPFILE=c.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+cat <<_EOF_ > ${TMPFILE}
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = sha384
+secure-sig = rsa-pss-sha384
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${builddir}/system-override-hash"
+rc=$?
+rm ${TMPFILE}
+exit $rc
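Review bot: `TMPFILE=c.$$.tmp` puts the policy file under a PID-derived name in the current directory, and the `${TMPFILE}` expansions in the redirect and in `rm` are unquoted. Cleanup is a single `rm ${TMPFILE}` on the straight-line path. Adding `trap 'rm -f "${TMPFILE}"' EXIT` right after the assignment, and quoting the expansions, removes the file on every exit path of the script. The same pattern is in system-override-sig-allowlist.sh and system-override-sig-tls.sh. It matters most in system-override-curves-allowlist.sh and system-override-versions-allowlist.sh, where `config.$$.tmp` and `log.$$.tmp` are never removed in the lines shown, unless scripts/common.sh does that, which is not visible here.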
diff -ruN gnutls-3.7.2/tests/system-override-sig-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-sig-allowlist.sh
--- gnutls-3.7.2/tests/system-override-sig-allowlist.sh 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-allowlist.sh 2021-06-28 09:09:14.000000000 +0200
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Nikos Mavrogiannopoulos
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${builddir=.}
+TMPFILE=c.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+cat <<_EOF_ > ${TMPFILE}
+[global]
+override-mode = allowlist
+
+[overrides]
+secure-hash = sha256
+secure-sig = rsa-sha256
+secure-hash = sha384
+secure-sig = rsa-pss-sha384
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${builddir}/system-override-sig"
+rc=$?
+rm ${TMPFILE}
+exit $rc
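Review bot: The `[overrides]` heredoc repeats `secure-hash` and `secure-sig` with two different values, and nothing in the script says whether that is deliberate. If the intent is to check that repeated keys accumulate in allowlist mode instead of the last one winning, a comment above the heredoc would record it, for example `# Repeated keys are intentional: each secure-hash/secure-sig line adds one more allowed algorithm`. What the system-override-sig binary actually asserts is not visible in this hunk, so the wording should be confirmed against that test.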
diff -ruN gnutls-3.7.2/tests/system-override-sig-tls.c gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.c
--- gnutls-3.7.2/tests/system-override-sig-tls.c 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.c 2021-06-25 17:46:13.000000000 +0200
@@ -0,0 +1,200 @@
+/*
+ * Copyright (C) 2015-2021 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos, Daiki Ueno
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <assert.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <gnutls/gnutls.h>
+#include "utils.h"
+
+#define SKIP16(pos, total) { \
+ uint16_t _s; \
+ if (pos+2 > total) fail("error\n"); \
+ _s = (msg->data[pos] << 8) | msg->data[pos+1]; \
+ if ((size_t)(pos+2+_s) > total) fail("error\n"); \
+ pos += 2+_s; \
+ }
+
+#define SKIP8(pos, total) { \
+ uint8_t _s; \
+ if (pos+1 > total) fail("error\n"); \
+ _s = msg->data[pos]; \
+ if ((size_t)(pos+1+_s) > total) fail("error\n"); \
+ pos += 1+_s; \
+ }
+
+#define HANDSHAKE_SESSION_ID_POS 34
+
+#include "eagain-common.h"
+#include "cert-common.h"
+
+/* This tests whether the client omits signature algorithms marked as insecure,
+ * from the signature_algorithms extension.
+ */
+
+const char *side;
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "%s|<%d>| %s", side, level, str);
+}
+
+#define PRIO "NORMAL:-VERS-ALL:+VERS-TLS1.3:-SIGN-ALL:" \
+ "+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384"
+/* rsa_pss_rsae_sha384 */
+#define SIGALGS_EXP "\x00\x02\x08\x05"
+
+static int
+ext_callback(void *ctx, unsigned tls_id,
+ const unsigned char *data, unsigned size)
+{
+ if (tls_id == 13) { /* signature algorithms */
+ if (size != sizeof(SIGALGS_EXP) - 1) {
+ fail("invalid signature_algorithms length: %u != 4\n",
+ size);
+ }
+ if (memcmp(data, SIGALGS_EXP, sizeof(SIGALGS_EXP) - 1) != 0) {
+ fail("invalid signature_algorithms\n");
+ }
+ }
+ return 0;
+}
+
+static int
+handshake_callback(gnutls_session_t session, unsigned int htype,
+ unsigned post, unsigned int incoming,
+ const gnutls_datum_t *msg)
+{
+ assert(post);
+
+ if (!incoming && htype == GNUTLS_HANDSHAKE_CLIENT_HELLO) {
+ int ret;
+ unsigned pos;
+ gnutls_datum_t mmsg;
+
+ assert(msg->size >= HANDSHAKE_SESSION_ID_POS);
+ pos = HANDSHAKE_SESSION_ID_POS;
+ SKIP8(pos, msg->size);
+ SKIP16(pos, msg->size);
+ SKIP8(pos, msg->size);
+
+ mmsg.data = &msg->data[pos];
+ mmsg.size = msg->size - pos;
+ ret = gnutls_ext_raw_parse(NULL, ext_callback, &mmsg, 0);
+ assert(ret >= 0);
+ }
+ return 0;
+}
+
+void doit(void)
+{
+ int ret;
+ /* Server stuff. */
+ gnutls_certificate_credentials_t serverx509cred;
+ gnutls_session_t server;
+ int sret = GNUTLS_E_AGAIN;
+ /* Client stuff. */
+ gnutls_certificate_credentials_t clientx509cred;
+ gnutls_session_t client;
+ int cret = GNUTLS_E_AGAIN;
+
+ global_init();
+
+ /* General init. */
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(6);
+
+ /* Init server */
+ gnutls_certificate_allocate_credentials(&serverx509cred);
+ gnutls_certificate_set_x509_key_mem(serverx509cred,
+ &server2_cert, &server2_key,
+ GNUTLS_X509_FMT_PEM);
+
+ gnutls_init(&server, GNUTLS_SERVER);
+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
+ serverx509cred);
+
+ gnutls_priority_set_direct(server, PRIO, NULL);
+
+ gnutls_transport_set_push_function(server, server_push);
+ gnutls_transport_set_pull_function(server, server_pull);
+ gnutls_transport_set_pull_timeout_function(server,
+ server_pull_timeout_func);
+ gnutls_transport_set_ptr(server, server);
+
+ /* Init client */
+ ret = gnutls_certificate_allocate_credentials(&clientx509cred);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca2_cert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_init(&client, GNUTLS_CLIENT);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
+ clientx509cred);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_priority_set_direct(client, PRIO, NULL);
+ if (ret < 0)
+ exit(1);
+
+ gnutls_transport_set_push_function(client, client_push);
+ gnutls_transport_set_pull_function(client, client_pull);
+ gnutls_transport_set_pull_timeout_function(client,
+ client_pull_timeout_func);
+ gnutls_transport_set_ptr(client, client);
+
+ gnutls_handshake_set_hook_function(client,
+ GNUTLS_HANDSHAKE_ANY,
+ GNUTLS_HOOK_POST,
+ handshake_callback);
+
+ HANDSHAKE(client, server);
+
+ gnutls_bye(client, GNUTLS_SHUT_RDWR);
+ gnutls_bye(server, GNUTLS_SHUT_RDWR);
+
+ gnutls_deinit(client);
+ gnutls_deinit(server);
+
+ gnutls_certificate_free_credentials(serverx509cred);
+ gnutls_certificate_free_credentials(clientx509cred);
+
+ gnutls_global_deinit();
+
+ reset_buffers();
+}
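Review bot: `ext_callback` validates extension 13 only when it is present, and nothing after `HANDSHAKE(client, server)` confirms it was ever invoked with `tls_id == 13`. A ClientHello that carried no signature_algorithms extension would therefore pass. A file-scope `static bool sigalgs_seen;` set to `true` inside the `tls_id == 13` branch and checked in `doit()` with `if (!sigalgs_seen) fail("signature_algorithms not seen\n");` closes that gap; `<stdbool.h>` is already included. Separately, `handshake_callback` relies on `assert()` for the message-size and `gnutls_ext_raw_parse` checks, which vanish under NDEBUG, so `if (ret < 0) fail(...)` would be the sturdier form. The server-side setup calls in `doit()` also ignore their return values, while the client-side ones are checked.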
diff -ruN gnutls-3.7.2/tests/system-override-sig-tls.sh gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.sh
--- gnutls-3.7.2/tests/system-override-sig-tls.sh 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/tests/system-override-sig-tls.sh 2021-06-25 17:46:13.000000000 +0200
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Nikos Mavrogiannopoulos
+# Copyright (C) 2021 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos, Daiki Ueno
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${builddir=.}
+TMPFILE=c.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+cat <<_EOF_ > ${TMPFILE}
+[overrides]
+
+insecure-sig = rsa-pss-rsae-sha256
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${builddir}/system-override-sig-tls"
+rc=$?
+rm ${TMPFILE}
+exit $rc
diff -ruN gnutls-3.7.2/tests/system-override-versions-allowlist.sh gnutls-3.7.2-bootstrapped/tests/system-override-versions-allowlist.sh
--- gnutls-3.7.2/tests/system-override-versions-allowlist.sh 1970-01-01 01:00:00.000000000 +0100
+++ gnutls-3.7.2-bootstrapped/tests/system-override-versions-allowlist.sh 2021-06-28 09:09:14.000000000 +0200
@@ -0,0 +1,109 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+: ${srcdir=.}
+: ${SERV=../src/gnutls-serv${EXEEXT}}
+: ${CLI=../src/gnutls-cli${EXEEXT}}
+TMPFILE=config.$$.tmp
+TMPFILE2=log.$$.tmp
+export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1
+
+if ! test -x "${SERV}"; then
+ exit 77
+fi
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+. "${srcdir}/scripts/common.sh"
+
+cat <<_EOF_ > ${TMPFILE}
+[global]
+override-mode = allowlist
+
+[overrides]
+enabled-version = tls1.1
+_EOF_
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+export GNUTLS_DEBUG_LEVEL=3
+
+"${CLI}" --list|grep Protocols >${TMPFILE2}
+cat ${TMPFILE2}
+if grep "VERS-TLS1.2" ${TMPFILE2} || grep "VERS-TLS1.3" ${TMPFILE2};then
+ echo "Found disabled protocol with --list"
+ exit 1
+fi
+
+PRIO=@SYSTEM:+CIPHER-ALL:+MAC-ALL:+GROUP-ALL
+
+"${CLI}" --priority "$PRIO" --list|grep Protocols >${TMPFILE2}
+cat ${TMPFILE2}
+if grep "VERS-TLS1.2" ${TMPFILE2} || grep "VERS-TLS1.3" ${TMPFILE2};then
+ echo "Found disabled protocol with --list --priority $PRIO"
+ exit 1
+fi
+
+# Try whether a client connection with these protocols will succeed.
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+eval "${GETPORT}"
+launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}"
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "$PRIO" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (1)"
+
+kill ${PID}
+wait
+
+# Try whether a server connection with these protocols will succeed.
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+eval "${GETPORT}"
+launch_server --echo --priority "$PRIO" --x509keyfile ${KEY1} --x509certfile ${CERT1}
+PID=$!
+wait_server ${PID}
+
+unset GNUTLS_SYSTEM_PRIORITY_FILE
+
+"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null &&
+ fail "expected connection to fail (2)"
+
+kill ${PID}
+wait
+
+exit 0
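Review bot: Both `--list` checks only look for protocols that must be absent, so an empty `${TMPFILE2}` passes them. That can happen when gnutls-cli exits early or prints no Protocols line, because its exit status is lost in the pipeline. The curves test in this patch also asserts that the allowed item is listed; the equivalent here is `if ! grep -F "VERS-TLS1.1" ${TMPFILE2}; then echo "Could not find tls1.1"; exit 1; fi` after each `cat ${TMPFILE2}`. The patterns `"VERS-TLS1.2"` and `"VERS-TLS1.3"` also treat `.` as a regex wildcard, so `grep -F` would match them literally.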